Researchers have uncovered two malicious Chrome extensions with over 900,000 users that steal ChatGPT and DeepSeek chat conversations along with browsing data, sending this information to remote servers. These extensions impersonate legitimate tools, request permissions under false pretenses, and exfiltrate sensitive data, posing significant privacy and security risks. The discovery highlights the growing threat of prompt poaching and the need for users to be cautious about extension permissions and sources.
Hackers linked to Cl0p exploited a zero-day flaw in Oracle's E-Business Suite to breach dozens of organizations, using sophisticated malware and extortion tactics, with ongoing assessments of the full scope of the attack.
A threat actor exploited a vulnerability in the Salesloft Drift integration to exfiltrate sensitive Salesforce data using compromised OAuth credentials, prompting immediate security measures and urging organizations to review logs, rotate credentials, and enhance threat hunting efforts.
The FBI and international agencies warn that the cybercriminal group Scattered Spider has adapted its tactics, now using sophisticated social engineering, legitimate remote access software, and new malware such as the DragonForce ransomware to infiltrate organizations, exfiltrate data, and deploy ransomware rapidly. They target sectors such as retail, insurance, and aviation, often exfiltrating data to multiple sites before quickly deploying DragonForce, with VMware ESXi servers a particular target. Despite recent arrests slowing their activity, authorities advise organizations to strengthen defenses through offline backups, multi-factor authentication, and application controls.
Researchers uncovered 'EchoLeak,' a critical zero-click vulnerability in Microsoft 365 Copilot that allows silent exfiltration of sensitive data through prompt injection, highlighting emerging risks in AI-integrated enterprise systems. Microsoft fixed the flaw in May, with no evidence of exploitation, but the attack demonstrates the need for enhanced defenses against LLM scope violations.
Over 8 million Android users have been affected by SpyLoan malware embedded in over a dozen loan apps on the Google Play Store, according to McAfee Labs. These apps, which target users in various countries by offering quick loans, use social engineering to extract sensitive information and permissions, leading to potential extortion and financial loss. Despite some apps being removed or modified to comply with Google Play policies, the threat persists as these apps share a common framework for data encryption and exfiltration. Users are advised to scrutinize app permissions and developer legitimacy to mitigate risks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for federal agencies to search for signs of compromise and take preventive measures following the recent Microsoft breach, attributed to a Russian nation-state group. The breach led to the theft of email correspondence with the company, posing severe risks to government entities. CISA has urged affected parties to analyze exfiltrated emails, reset compromised credentials, and ensure security for privileged Microsoft Azure accounts. All federal agencies have been notified, and impacted organizations are advised to apply stringent security measures. CISA has also released a new malware analysis system, Malware Next-Gen, for organizations to submit suspicious artifacts for analysis.
Researchers have discovered two techniques that allow attackers to bypass audit logs or generate less severe entries when downloading files from Microsoft SharePoint, potentially enabling silent data exfiltration. The first technique takes advantage of SharePoint's "Open in App" feature to avoid generating a "FileDownloaded" event in audit logs, while the second involves spoofing the User-Agent string to make file downloads appear as data syncing events. Microsoft has added these flaws to a patch backlog for future fixing, so SharePoint admins should monitor for unusual access activity and device introductions while awaiting patches.
The OMG Cable, dubbed the world's "most dangerous USB cable," has been updated to include even more advanced capabilities. These innocent-looking cables, which resemble regular iPhone charging cables, can capture keystrokes, steal credentials, exfiltrate data, and plant malware without the user's knowledge. The cables can be controlled remotely through a WiFi access point and are designed for researchers and red teams testing enterprise defenses. However, they are readily available online and pose a significant risk if they fall into the wrong hands. Users are advised to use only authorized cables and to be cautious when plugging in unknown devices.
The Quasar RAT, an open-source remote access trojan, has been observed using DLL side-loading to evade detection and steal data from compromised Windows hosts. The malware disguises itself as legitimate files, such as ctfmon.exe and calc.exe, to exploit the trust placed in them by the Windows environment. By leveraging DLL side-loading, the trojan executes its own payloads by planting spoofed DLL files. The attack begins with an ISO image file containing renamed binaries, which initiate the loading of malicious code concealed within a disguised DLL file. The trojan establishes connections with a remote server to send system information and enables remote access to the compromised endpoint. The initial access vector used by the threat actor is unclear, but phishing emails are a likely dissemination method. Users are advised to be cautious of suspicious emails, links, and attachments.
ToddyCat, an advanced persistent threat (APT) actor, has been linked to a new set of malicious tools for data exfiltration, revealing insights into their tactics and capabilities. Kaspersky discovered this new arsenal, which includes loaders, a file collection tool, a Dropbox uploader, and an archive exfiltration tool. ToddyCat also utilizes custom scripts, a passive backdoor, Cobalt Strike, and compromised credentials for lateral movement. Check Point has revealed that government and telecom entities in Asia have been targeted by a similar campaign using "disposable" malware, with infrastructure overlapping with ToddyCat's operations.
Microsoft has linked the ongoing exploitation of a critical flaw in the Progress Software MOVEit Transfer application to the Lace Tempest threat actor. The group is known for exploiting different zero-day flaws to siphon data and extort victims. The flaw, CVE-2023-34362, allows attackers to authenticate as any user, gain access to the database, and execute arbitrary code. At least 3,000 exposed hosts are believed to be running the MOVEit Transfer service. Users are recommended to apply vendor-provided patches as soon as possible to secure against potential risks.
Hackers are exploiting a newly discovered vulnerability in Ipswitch's MOVEit Transfer managed file transfer (MFT) software to launch mass data exfiltration attacks. The vulnerability could lead to escalated privileges and potential unauthorized access to the environment. The affected software is used by thousands of organizations around the world, and more than 2,500 MOVEit Transfer servers are discoverable on the internet. Security researchers have observed evidence of exploitation and data theft from at least four separate incidents. Progress has urged users to disable internet traffic to their MOVEit Transfer environment and apply the necessary updates.
MacStealer is a new information-stealing malware that primarily affects macOS devices running Catalina and later on M1 and M2 CPUs. It uses Telegram as a command-and-control platform to exfiltrate data and can steal iCloud Keychain data, passwords, and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. The malware is propagated as a DMG file and is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app. To mitigate such threats, it's recommended that users keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.