Cybercriminals are advertising a new macOS malware that they claim is capable of stealing a wide range of data from compromised systems.  The malware is called Banshee Stealer and is believed to have been developed by Russian threat actors.  The malware is advertised on cybercrime forums for $3,000 per month.  Researchers at Elastic Security Labs analyzed the new macOS malware.

Independent researcher Matt Burch presented findings on "financial" or "enterprise" ATMs used in banks and other large institutions at the DEF CON hacking conference. Burch highlighted six flaws in ATM-maker Diebold Nixdorf's widely used security solution, Vynamic Security Suite (VSS). The vulnerabilities, which the company says are now patched, could have enabled attackers to bypass an unpatched ATM's hard drive encryption and gain complete control of the machine.

Security experts urge Windows system administrators to patch a pre-auth Remote Code Execution (RCE) vulnerability in the Windows TCP/IP stack, warning that zero-click exploitation is highly likely. Not many technical details have been released on the vulnerability, tracked as CVE-2024-38063. However, Microsoft's documentation suggests that a worm-like attack is possible on the latest versions of its flagship operating system. According to Microsoft, an unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine, allowing RCE.

Selections by dgoff

​Pub Crawl summarizes sets of publications that have been peer-reviewed and presented at Science of Security (SoS) conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view the corresponding list of publications. Submissions and suggestions are welcome.

A new attack vector in GitHub Actions artifacts, called "ArtiPACKED," could be used to take over repositories and access organizations' cloud environments. According to Yaron Avita, a researcher at Palo Alto Networks' Unit 42, misconfigurations, together with security vulnerabilities, can result in artifacts leaking tokens, both of third-party cloud services and GitHub tokens. Malicious actors with access to these artifacts could compromise the services to which these secrets grant access. This article continues to discuss findings regarding the GitHub vulnerability ArtiPACKED.

Researchers at FortiGuard Labs have uncovered a sophisticated "ValleyRAT" malware campaign targeting Windows users in China. The threat actors behind the campaign seek to take over compromised machines. ValleyRAT primarily targets e-commerce, finance, sales, and management companies. The campaign involves the use of heavy shellcode to directly execute its components in memory, reducing its footprint. This article continues to discuss key findings regarding the new ValleyRAT campaign.

According to security researchers at Dragos, there was a significant increase in ransomware attacks on industrial organizations in the second quarter of 2024 compared to the previous quarter.  The researchers noted that 29 of the 86 ransomware groups known to target industrial organizations were still active in the second quarter, an increase from the 22 groups observed launching attacks in the first quarter.

"RansomHub" ransomware operators are now using new malware named "EDRKillShifter" to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. Sophos security researchers discovered EDRKillShifter in May 2024 during a ransomware investigation. It deploys a legitimate, vulnerable driver on targeted devices in order to escalate privileges, disable security solutions, and more. The method is widely used by different threat actors, including financially motivated ransomware gangs and state-sponsored hacking groups.

EPFL researchers in computer and communication sciences discovered 31 critical security vulnerabilities in the Android system and developed ways to mitigate some of them. The different security flaws found by the researchers enable the theft of fingerprints, face data, and other sensitive data that could be stored on one's phone, such as credit card numbers. This article continues to discuss the EPFL researchers' discovery of numerous security flaws in Android's most privileged components.

According to security researchers at Chainalysis, ransomware actors are set for their highest-grossing year on record in 2024 after crypto inflows in the first half of the year reached $460m.  The researchers noted that in 2023, ransomware groups made over $1bn after reaching $449m by the end of June.  So far this year, the largest ever single ransom payment has been recorded, $75m to the Dark Angels group.