Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.

The post China Hackers Using Brickstorm Backdoor to Target Government, IT Entities appeared first on Security Boulevard.

A threat group dubbed ShadyPanda exploited traditional extension processes in browser marketplaces by uploading legitimate extensions and then quietly weaponization them with malicious updates, infecting 4.3 million Chrome and Edge users with RCE malware and spyware.

The post ShadyPanda’s Years-Long Browser Hack Infected 4.3 Million Users appeared first on Security Boulevard.

Veza Security was recently valued at more than $800 million after raising $108 million in Series D funding.

The post ServiceNow to Acquire Identity Security Firm Veza in Reported $1 Billion Deal  appeared first on SecurityWeek.

The Swiss cybersecurity firm will scale its R&D, sales and marketing teams as it pursues expansion across Europe.

The post Saporo Raises $8 Million for Identity Security Platform appeared first on SecurityWeek.

Two technologies — one for public safety, one for controlled entry — show why trust in facial recognition must be earned, not assumed.

The post Facial Recognition’s Trust Problem appeared first on SecurityWeek.

The FBI says that account takeover scams this year have resulted in 5,100-plus complaints in the U.S. and $262 million in money stolen, and Bitdefender says the combination of the growing number of ATO incidents and risky consumer behavior is creating an increasingly dangerous environment that will let such fraud expand.

The post FBI: Account Takeover Scammers Stole $262 Million this Year appeared first on Security Boulevard.

According to the Thales Consumer Digital Trust Index 2025, global confidence in digital services is slipping fast. After surveying more than 14,000 consumers across 15 countries, the findings are clear: no sector earned high trust ratings from even half its users. Most industries are seeing trust erode — or, at best, stagnate. In an era..

The post The Trust Crisis: Why Digital Services Are Losing Consumer Confidence appeared first on Security Boulevard.

The Russian state-sponsored group behind the RomCom malware family used the SocGholish loader for the first time to launch an attack on a U.S.-based civil engineering firm, continuing its targeting of organizations that offer support to Ukraine in its ongoing war with its larger neighbor.

The post Russian-Backed Threat Group Uses SocGholish to Target U.S. Company appeared first on Security Boulevard.

The cybersecurity startup plans to use the seed funding to accelerate product expansion and global growth.

The post Opti Raises $20 Million for Identity Security Platform appeared first on SecurityWeek.

A look at why identity security is failing in the age of deepfakes and AI-driven attacks, and how biometrics, MFA, PAD, and high-assurance verification must evolve to deliver true, phishing-resistant authentication.

The post How AI Threats Have Broken Strong Authentication  appeared first on Security Boulevard.

Huntress threat researchers are tracking a ClickFix campaign that includes a variant of the scheme in which the malicious code is hidden in the fake image of a Windows Update and, if inadvertently downloaded by victims, will deploy the info-stealing malware LummaC2 and Rhadamanthys.

The post Attackers are Using Fake Windows Updates in ClickFix Scams appeared first on Security Boulevard.

SitusAMC, a services provider with clients like JP MorganChase and Citi, said its systems were hacked and the data of clients and their customers possibly compromised, sending banks and other firms scrambling. The data breach illustrates the growth in the number of such attacks on third-party providers in the financial services sector.

The post Hack of SitusAMC Puts Data of Financial Services Firms at Risk appeared first on Security Boulevard.

Explore secure methods for signing into online accounts, including SSO, MFA, and password management. Learn how CIAM solutions enhance security and user experience for enterprises.

The post Signing In to Online Accounts appeared first on Security Boulevard.

Agencies with the US and other countries have gone hard after bulletproof hosting services providers this month, including Media Land, Hypercore, and associated companies and individuals, while the FiveEyes threat intelligence alliance published BPH mitigation guidelines for ISPs, cloud providers, and network defenders.

The post U.S., International Partners Target Bulletproof Hosting Services appeared first on Security Boulevard.

An attack on the app of CRM platform-provider Gainsight led to the data of hundreds of Salesforce customers being compromised, highlighting the ongoing threats posed by third-party software in SaaS environments and illustrating how one data breach can lead to others, cybersecurity pros say.

The post Salesforce: Some Customer Data Accessed via Gainsight Breach appeared first on Security Boulevard.

AI has given cybercriminals the ability to operate like Fortune‑500‑scale marketing departments—except their product is account takeover, data theft, and identity fraud.

The post AI Is Supercharging Phishing: Here’s How to Fight Back appeared first on SecurityWeek.

The company will use the investment to accelerate product development, expand go-to-market operations, and hire new talent.

The post Apono Raises $34 Million for Cloud Identity Management Platform appeared first on SecurityWeek.

Leveraging AI, ConductorOne’s platform secures and manages millions of human, non-human, and AI identities.

The post ConductorOne Raises $79 Million in Series B Funding appeared first on SecurityWeek.

The Evolution of Kronos Malware

The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.

After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.

Kronos made yet another resurgence — this time combined with ransomware — and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web-injects on financial institutions with a malicious chrome extension.

A Brief Review of the Kronos Malware Attack in Mexico

The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious chrome extension called “Seguridad” (Security).

This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions.

The Kronos malware utilizes a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware will initiate a call to an external resource and inject a malicious JavaScript payload. Once the malicious chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension will inject malicious JavaScript with the name: “8vZ9d1-ad.js” or “ok.js”:

This payload can then be used to steal sensitive information from the victim’s device.

Stealthy Web Injection Capabilities

During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.

Example for Web-Inject:

Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:

The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.

Main JavaScript function:

Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:

The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.

Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1

C&C Panel (uadmin)

The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.

Inside C&C (uadmin):

The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:

Main page:

Main Token Page:

This page contains logs of infected victims, including:

• The last time the victim connected to the targeted bank.
• The victim’s IP address.
• Device information (e.g., operating system and web browser type).
• The name of the targeted bank that the attacker has configured.
• Quick data showing the victim’s login credentials.
• The “redirect” feature, which redirects all existing and new bots to present links on each page.
• The “block” feature, which blocks access to the page after the user enters their credentials.
• Comments from the C&C owner.

• Statistics on the number of infected bots and other metrics.
• A list of infected bots, including their IP addresses and other details.
• The ability to remotely control infected bots.
• The ability to export logs of stolen information.
• Settings for the stealer component of the malware.
• A blacklist of web pages that the malware should not target.

Targeted Financial Institution: Mexico Region

During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.

IOC:

In this instance, we were able to successfully retrieve Indicator of Compromise (IOC) from the JavaScript configuration file located at “8vZ9d1-ad.js”.

• hxxps://dlxfreight.bid/mx/
• hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
• hxxps://pnlbanorte.dlxfreight.bid
• hxxps://dlxfreight.bid/
• hxxp://tomolina[.]top/
• hxxps://facturacionmexico.net/choa.php
• hxxps://dlxfreightmore.com

How to Stay Safe from Kronos

To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.

If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.

It is suspected that this malware campaign may potentially spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.

The post Kronos Malware Reemerges with Increased Functionality appeared first on Security Intelligence.

On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer’s worst nightmare.

In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week prior. According to reports, they infiltrated the company’s Slack by tricking an employee into granting them access. Then, they spammed the employees with multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.

Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role info-hungry actors and audiences can play when dealing with sensitive information and intellectual property.

Stephanie Carruthers, Chief People Hacker for the X‑Force Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent these types of attacks.

“But We Have MFA”

First, Carruthers believes one potential and even likely scenario is the person targeted at Uber may have been a contractor. The hacker likely purchased stolen credentials belonging to this contractor on the dark web — as an initial step in their social engineering campaign. The attacker likely then used those credentials to log into one of Uber’s systems. However, Uber had multi-factor authentication (MFA) in place, and the attacker was asked to validate their identity multiple times.

According to reports, “TeaPot” contacted the target victim directly with a phone call, pretended to be IT, and asked them to approve the MFA requests. Once they did, the attacker logged in and could access different systems, including Slack and other sensitive areas.

“The key lesson here is that just because you have measures like MFA in place, it doesn’t mean you’re secure or that attacks can’t happen to you,” Carruthers said. “For a very long time, a lot of organizations were saying, ‘Oh, we have MFA, so we’re not worried.’ That’s not a good mindset, as demonstrated in this specific case.”

As part of her role with X-Force, Carruthers conducts social engineering assessments for organizations. She has been doing MFA bypass techniques for clients for several years. “That mindset of having a false sense of security is one of the things I think organizations still aren’t grasping because they think they have the tools in place so that it can’t happen to them.”

Social Engineering Tests Can Help Prevent These Types of Attacks

According to Carruthers, social engineering tests fall into two buckets: remote and onsite. She and her team look at phishing, voice phishing and smishing for remote tests. The onsite piece involves the X-Force team showing up in person and essentially breaking and entering a client’s network. During the testing, the X-Force teams attempt to coerce employees into giving them information that would allow them to breach systems — and take note of those who try to stop them and those who do not.

The team’s remote test focuses on an increasingly popular method: layering the methods together almost like an attack chain. Instead of only conducting a phishing campaign, this adds another step to the mix.

“What we’ll do, just like you saw in this Uber attack, is follow up on the phish with phone calls,” Carruthers said. “Targets will tell us the phish sounded suspicious but then thank us for calling because we have a friendly voice. And they’ll actually comply with what that phishing email requested. But it’s interesting to see attackers starting to layer on social engineering approaches rather than just hoping one of their phishing emails work.”

She explained that the team’s odds of success go up threefold when following up with a phone call. According to IBM’s 2022 X-Force Threat Intelligence Index, the click rate for the average targeted phishing campaign was 17.8%. Targeted phishing campaigns that added phone calls (vishing, or voice phishing) were three times more effective, netting a click from 53.2% of victims.

What Is OSINT — and How It Helps Attackers Succeed

For bad actors, the more intelligence they have on their target, the better. Attackers typically gather intelligence by scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly-documented online activities, attackers can easily profile an organization or employee.

Carruthers says she’s spending more time today doing OSINT than ever before. “Actively getting info on a company is so important because that gives us all of the bits and pieces to build that campaign that’s going to be realistic to our targets,” she said. “We often look for people who have access to more sensitive information, and I wouldn’t be surprised if that person (in the Uber hack) was picked because of the access they had.”

For Carruthers, it’s critical to understand what information is out there about employees and organizations. “That digital footprint could be leveraged against them,” she said. “I can’t tell you how many times clients come back to us saying they couldn’t believe we found all these things. A little piece of information that seems harmless could be the cherry on top of our campaign that makes it look much more realistic.”

Tangible Hack Prevention Strategies

While multi-factor authentication can be bypassed, it is still a critical security tool. However, Carruthers suggests that organizations consider deploying a physical device like a Fido2 token. This option shouldn’t be too difficult to manage for small to medium-sized businesses.

“Next, I recommend using password managers with long, complex master passwords so they can’t be guessed or cracked or anything like that,” she said. “Those are some of the best practices for applications like Slack.”

Of course, no hacking prevention strategies that address social engineering would be complete without security awareness. Carruthers advises organizations to be aware of attacks out in the wild and be ready to address them. “Companies need to actually go through and review what’s included in their current training, and whether it’s addressing the realistic attacks happening today against their organization,” she said.

For example, the training may teach employees not to give their passwords to anyone over the phone. But when an attacker calls, they may not ask for your password. Instead, they may ask you to log in to a website that they control. Organizations will want to ensure their training is always fresh and interactive and that employees stay engaged.

The final piece of advice from Carruthers is for companies to refrain from relying too heavily on security tools. “It’s so easy to say that you can purchase a certain security tool and that you’ll never have to worry about being phished again,” she said.

The key takeaways here are:

• Incorporate physical devices into MFA. This builds a significant roadblock for attackers.
• Try to minimize your digital footprint. Avoid oversharing in public forums like social media.
• Use password managers. This way, employees only need to remember one password.
• Bolster security awareness programs with particular focus on social engineering threats. Far too often, security awareness misses this key element.
• Don’t rely too heavily on security tools. They can only take your security posture so far.

Finally, it’s important to reiterate what Carruthers and the X-Force team continue to prove with their social engineering tests: a false sense of security is counterproductive to preventing attacks. A more effective strategy combines quality security practices with awareness, adaptability and vigilance.

Learn more about X-Force Red penetration testing services here. To schedule a no-cost consult with X-Force, click here.

The post An IBM Hacker Breaks Down High-Profile Attacks appeared first on Security Intelligence.