Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
CSO Online 23.05.2025 3:29
Intelligence and cybersecurity agencies from 10 countries have warned in a joint advisory that a cyberespionage group operated by the Russian military intelligence service, the GRU, has been targeting logistics and IT companies for the past three years. Known in the security industry as APT28 and Fancy Bear, the threat actor has been launching attacks against these targets using a variety of initial access tactics, including password spraying, spearphishing and exploitation of vulnerabilities in popular software.
“As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 [of the Russian GRU 85th GTsSS] expanded its targeting of logistics entities and technology companies involved in the delivery of aid,” the advisory read. “These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.”
The targets included dozens of government organizations and commercial entities involved in transporting goods by air, sea and rail. This included defense industry companies, shipping and logistics companies, air traffic management agencies and IT services firms. The countries targeted were Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine and the US.
Attacks go back three years
The targeting of these entities started in February 2022, when the agencies authoring the report noted an increase in cyber operations by Russian threat actors, including APT28. After compromising a target, the attackers performed follow-up targeting of its business partners, exploiting business trust relationships to gain access.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting,” the advisory stated.
The hackers often compromised small office/home office (SOHO) routers in proximity to their targets and used them as proxies for their malicious activity so as to hide their true geolocation. Anonymization networks like Tor and VPNs were also used.
Credential guessing and spearphishing
The attackers used brute-force credential guessing techniques, also known as password spra
Oops: DanaBot Malware Devs Infected Their Own PCs
Krebs Security 22.05.2025 23:53
The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
Almost 400,000 PCs infected: Microsoft and Europol dismantle Lumma malware
Heise Security 22.05.2025 15:52
The malware operators used thousands of domains, Steam profiles and Telegram channels; that is over for now. Europol praises the cooperation with Microsoft.
Secunet: BSI approves Sina Cloud for classified information
Golem 22.05.2025 14:40
The Sina Cloud Security Layer is the first technology to have successfully passed the BSI's component approval procedure. (Cloud services, data protection)
Critical Zero-Days Found in Versa Networks SD-WAN/SASE Platform
Infosecurity Magazine 22.05.2025 14:00
The unpatched vulnerabilities, with a CVSS score of 8.6 to 10.0, can lead to remote code execution via authentication bypass
European Police Congress: Investigators need AI and "Small Data"
Heise Security 22.05.2025 12:27
There is plenty of data, but investigative work often fails because of staff shortages and regulatory gaps, according to participants of the "Small Data" expert forum.
Sensitive Personal Data Stolen in West Lothian Ransomware Attack
Infosecurity Magazine 22.05.2025 12:00
West Lothian Council confirmed that ransomware attackers have stolen personal and sensitive information held on its education network
Authentication: Critical flaw in Samlify turns attackers into admins
Heise Security 22.05.2025 10:23
A security update closes a vulnerability in the SAML library Samlify. Attacks are said to be comparatively easy.
An end to bad software
CSO Online 22.05.2025 6:00
Software security begins with the vendor, not with the user.
The statements of Jen Easterly, director of the US federal agency CISA (Cybersecurity and Infrastructure Security Agency) until January 2025, sum it up: "Secure software is not cheap or easy to implement, but it is the only viable way to protect IT systems sustainably."
In the past, Easterly has also repeatedly drawn parallels to the automotive industry of the 1960s: an industry that put speed, looks and cost optimization above safety, and shifted the responsibility onto the "nut behind the wheel". The book "Unsafe at Any Speed", published by Ralph Nader in 1965 (German title: Unsicher bei jeder Geschwindigkeit), ultimately ushered in a profound change in the automotive industry. He argued that as long as the industry was allowed to regulate itself, it would continue to put design, cost and planned obsolescence above safety and the interests of consumers.
This logic can also be found in today's software industry. Developers focus on speed and design, while security usually plays only a secondary role. At the same time, when incidents occur, users are readily blamed: they supposedly operated the systems incorrectly. This narrative misses the real cause: error-prone and inadequately secured software products.
Customers must apply pressure
As Easterly emphasizes, it is not enough to keep fighting security problems only after the fact. A fundamental rethink is needed, in the industry but also on the customer side. The Secure-by-Design initiative launched by CISA is therefore an important step toward holding vendors more accountable.
A rethink is also emerging at the European level: the EU Cyber Resilience Act for the first time sets binding cybersecurity requirements for manufacturers of hardware and software, with a focus on secure products across the entire lifecycle. In addition, the NIS2 Directive obliges companies in critical sectors to maintain a significantly higher level of security, including supply chain controls.
Both measures send clear signals: security should no longer be a voluntary add-on but the standard. At the same time, however,
Cyberwar: How Russian state hackers hijack webcams in Ukraine and neighboring countries
Spiegel Online 21.05.2025 15:06
Western intelligence agencies jointly warn of attacks by presumably Russian state hackers on Western logistics and technology companies. Anyone supporting Ukraine should assume that they are "within the target spectrum".
Trust becomes an attack vector in the new campaign using trojanized KeePass
CSO Online 21.05.2025 13:51
A known crew of cybercriminals has weaponized the widely used, open-source KeePass password manager with malware to steal passwords and lock down computers for ransom.
Victims were tricked through Bing advertisements into installing the trojanized software, KeeLoader, only to have their credentials siphoned and their systems hijacked, according to WithSecure research. “In February 2025, WithSecure’s Incident Response team responded to a ransomware attack,” said WithSecure researchers in a report. “While performing analysis on the artifacts used in the attack, WithSecure Threat Intelligence (W/TI) discovered a previously undocumented, trojanised malware loader being deployed to drop post-exploitation malware, and exfiltrate cleartext password manager databases.”
In a months-long campaign, threat actors were found using the modified KeePass, recompiled with trusted certificates, with normal password management features in addition to a Cobalt Strike beacon exfiltrating password databases in cleartext.
A familiar face with a hidden sting
It looked like KeePass, it acted like KeePass, but under the hood, KeeLoader was anything but. The trojanized installer was cleverly promoted through Bing ads pointing to fake KeePass websites, luring unsuspecting users with what appeared to be legitimate software.
“The malicious software was advertised online and waited for victims who believed it was a legitimate password manager,” said Boris Cipot, senior security engineer at Black Duck. “Once a victim installed the malicious password manager, downloaded and deployed the Cobalt Strike tool for command and control, and exported the existing KeePass password database in clear text, the attackers gained access to networks, VPNs, and cloud services.”
It is essential to ensure uncompromised trust in software and to know the software you use, be it commercial or open source: know where it comes from and make sure that it is legitimate before you apply it to your own development or to your computer, Cipot added.
WithSecure said that the Cobalt Strike watermarks used in this campaign are linked to an initial access broker (IAB) that is believed to have been associated with Black Basta ransomware attacks in the past.
WithSecure’s Incident Response team was called in after ransomware encrypted VMware ESXi datastores at a European IT provider. The attackers had used stolen KeePass credentials to access hypervisors directly, bypassing individual VMs and launching a fast-moving, w
Securing CI/CD workflows with Wazuh
The Hacker News 21.05.2025 13:25
Continuous Integration and Continuous Delivery/Deployment (CI/CD) refers to practices that automate how code is developed and released to different environments. CI/CD pipelines are fundamental in modern software development, ensuring code is consistently tested, built, and deployed quickly and efficiently.
While CI/CD automation accelerates software delivery, it can also introduce security
How to Detect Phishing Attacks Faster: Tycoon2FA Example
The Hacker News 21.05.2025 12:30
It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone.
Let’s take
Ransomware attack causes IT outage in large US hospital network
Heise Security 21.05.2025 9:57
A ransomware attack on a network of several medical centers in Ohio has led to a "system-wide technology outage".
Poor DNS hygiene is leading to domain hijacking
CSO Online 21.05.2025 4:27
Threat actors continue to find ways of hijacking domains thanks to poor DNS record-keeping and misconfigurations by administrators, a hole that CSOs have to plug or risk financial or reputational damage to their organizations.
The latest example of the risk came in a report today from Infoblox on a threat actor it calls Hazy Hawk, which it says took over the subdomains of the US Centers for Disease Control and Prevention (CDC) in February and used them to host dozens of URLs that pointed to porn videos. This person or gang has been finding gaps in DNS records since at least December 2023, victimizing large universities and international firms.
“Hazy Hawk finds gaps in DNS records that are quite challenging to identify,” says the report, “and we believe they must have access to commercial passive DNS services to do so.”
The hijacked domains are used to host large numbers of URLs that send users to sites hosting scams and malware by way of different traffic distribution systems (TDSs), the report says.
The integration of malicious push notifications to fool end users in the attack chain acts as a force multiplier, it adds. These notifications try to convince employees to click on a link to update their anti-virus, turn on their firewall, or contact Microsoft support. The links, of course, download malware or lead to sites demanding payment for support.
“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or ‘highbrow’ cybercrime,” the report says. “Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market.”
Abandoned site
In the case of the CDC, Infoblox believes the centre had abandoned an Azure-hosted website or content bucket it was using, but didn’t tell the DNS management admin. That allowed the threat actor to find what experts call the site’s “dangling” DNS record.
The problem involves the complex way DNS records point to an IP address. What’s called an A record maps a website name to one or more IP addresses. What’s called a CNAME record maps a name to another name. It’s used when, for examp
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
Krebs Security 20.05.2025 23:30
KrebsOnSecurity last week was hit by a near-record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.
Uncensored AI Tool Raises Cybersecurity Alarms
Infosecurity Magazine 20.05.2025 17:45
The Venice.ai chatbot gained traction in hacking forums for its uncensored access to advanced models
8 AI security risks that companies overlook
CSO Online 20.05.2025 16:06
In their race for productivity gains through generative AI, most companies overlook the associated security risks.
According to a study by the World Economic Forum, conducted in collaboration with Accenture, 63 percent of companies fail to verify the security of AI tools before deploying them. In doing so, they expose their organization to a range of risks.
This applies both to off-the-shelf AI solutions and to internal implementations built in collaboration with software development teams. The Tricentis 2025 Quality Transformation Report, for instance, shows that organizations are predominantly focused on improving delivery speed (45 percent) and less on improving software quality (13 percent). A third (32 percent) of respondents admit, however, that poor-quality software is likely to lead to more frequent security breaches or compliance violations.
Yet such breaches are becoming increasingly common. Cisco's recently published Cybersecurity Readiness Index found that 86 percent of companies experienced an AI-related security incident in the past year. Fewer than half (45 percent) believe their company has the internal resources and expertise to conduct comprehensive AI security assessments.
The most common AI security risks
If AI applications are not tested sufficiently before deployment, companies are exposed to a range of vulnerabilities that, according to experts interviewed by CSO, differ significantly from the risks of conventional software. Here are the most common.
Data exposure
AI systems often process large amounts of sensitive information. Without robust testing, companies can overlook how easily this data can leak through unsecured storage, overly generous API responses or poor access controls.
“Many AI systems ingest user data during inference or store context information to continue the session,” explains Peter Garraghan, CEO and co-founder of AI security testing company Mindgard. “If data handling is not verified, there is a high risk of data leaks through model outputs, log exposure or the misuse of fine-tuned data
DoorDash Hack
Schneier on Security 20.05.2025 13:05
A DoorDash driver stole over $2.5 million over several months:
The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d switch those same orders back to “in process” and do it all over again. Doing this “took less than five minutes, and was repeated hundreds of times for many of the orders,” writes the US Attorney’s Office…
4 ways to safeguard CISO communications from legal liabilities
CSO Online 20.05.2025 10:01
In 2019, Russian threat actors began targeting Texas-based business software provider SolarWinds. What started as a dry run to inject malware into SolarWinds’ networks evolved into the boldest software supply chain hack ever, ultimately spreading malicious backdoors to SolarWinds’ blue-chip business customers and marking a miserable milestone in cybersecurity history.
The widespread damage caused by the incident caught the attention of US federal authorities, including the US Securities and Exchange Commission (SEC), which launched an investigation into the publicly traded company.
In October 2023, the SEC filed charges against SolarWinds and, in unprecedented action, its CISO, Timothy G. Brown, for misleading investors by not disclosing “known risks” and failing to accurately represent the company’s cybersecurity measures, among other communications-related offenses.
The charges against SolarWinds and Brown were complex, and the judge overseeing the case dismissed most of them last year. On the eve of the RSA conference this year, SolarWinds and Brown petitioned the court for a summary judgment to dismiss the remaining charges.
The SEC lawsuit, premised on statements made by SolarWinds and Brown, serves as an object lesson for CISOs that what they say or write in the course of their jobs could be fodder for litigation.
“The US Securities and Exchange Commission’s complaint against SolarWinds and one of its cyber professionals, Timothy G. Brown, is a high-profile example of the things we want to avoid,” Mike Serra, senior counsel at Cisco, said in kicking off a panel, “Guarding Your Words: Legal Risks for Cyber Professionals,” at this year’s RSA Conference in San Francisco.
While formal communications can expose CISOs to legal liability, informal and unofficial communications pose an even greater danger.
“So, you should be careful with what you post online,” Tim Brown told CSO. “You should be careful about any information you share about the company you’re working with or its posture. You should be careful with what things are said in public and not expand too much.”
Choose your words carefully
The charges against Brown shook up the CISO community and served as an extreme reminder that words matter. The legal ordeal Brown has gone through “is obviously awful and thankfully rare,” Matt Jones, partner at WilmerHale, said during the RSA panel. But it illustrates how “the l
Docker's hardened images improve security and relieve developers
Heise Security 20.05.2025 9:02
With Hardened Images (DHI), Docker offers secure, lean and compliance-ready images. Participants include Microsoft, Neo4J and GitLab, among others.