Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices

Cybersecurity researchers have found “backdoor-like behavior” in Gigabyte systems: the devices’ UEFI firmware drops a Windows executable onto the disk, and that executable then retrieves updates over an insecure channel.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

“Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware,” John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

“The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods.”

Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities

Improperly deactivated and abandoned Salesforce Sites and Communities (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data.

Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources “ghost sites.”

“When these Communities are no longer needed, though, they are often set aside but not deactivated,” Varonis Threat Labs researchers said in a new report shared with The Hacker News.

Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices.

Specifically, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – could be abused to get around a key security measure called System Integrity Protection (SIP), or “rootless,” which limits the actions the root user can perform on protected files and folders.

“The most straight-forward implication of a SIP bypass is that […] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means,” Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.

Even worse, it could be exploited to gain arbitrary kernel code execution and even access sensitive data by replacing databases that manage Transparency, Consent, and Control (TCC) policies.

6 Steps to Effectively Threat Hunting: Safeguard Critical Assets and Fight Cybercrime

Finding threat actors before they find you is key to beefing up your cyber defenses. How to do that efficiently and effectively is no small task – but with a small investment of time, you can master threat hunting and save your organization millions of dollars.

Consider this staggering statistic. Cybersecurity Ventures estimates that cybercrime will take a $10.5 trillion toll on the global economy by 2025. Measuring this amount as a country, the cost of cybercrime equals the world’s third-largest economy after the U.S. and China. But with effective threat hunting, you can keep bad actors from wreaking havoc on your organization.

This article offers a detailed explanation of threat hunting – what it is, how to do it thoroughly and effectively, and how cyber threat intelligence (CTI) can bolster your threat-hunting efforts.

Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks

The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023.

This includes educational entities, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew’s continued focus on high-value targets.

Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe.

The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts.

RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks

The threat actors behind RomCom RAT have been leveraging a network of fake websites advertising rogue versions of popular software since at least July 2022 to infiltrate targets.

Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).

“These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult,” security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said.

Some of the impersonated apps spotted so far include AstraChat, Devolutions’ Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.

RomCom RAT was first chronicled by Palo Alto Networks Unit 42 in August 2022, linking it to a financially motivated group deploying Cuba Ransomware (aka COLDDRAW). It’s worth noting that there is no evidence to suggest that the ransomware gang has any connection or affiliation with the Republic of Cuba.