"Russia Targeting Ukrainian Military Recruits With Android, Windows Malware, Google Says"

Google warns of a Russian cyber espionage and influence campaign that targets military recruits in Ukraine to hinder the country's mobilization efforts. A Telegram persona named "Civil Defense" has been distributing software advertised as a free tool for locating Ukrainian military recruiters, but the downloads are actually platform-specific malware. On Android devices that do not have Google Play Protect enabled, the software installs commodity malware alongside a decoy mapping application. According to Google, the operation has delivered the Android backdoor "CraxsRat" and the "SunSpinner" malware to victims.

Submitted by Gregory Rigby on

"New Tool Bypasses Google Chrome's New Cookie Encryption System"

The "Chrome-App-Bound-Encryption-Decryption" tool released by cybersecurity researcher Alexander Hagenah bypasses Google's new App-Bound Encryption defense against cookie theft and extracts saved credentials from the Chrome web browser. He released the tool after noticing that others were discovering similar bypasses. It does what multiple infostealer operations have already added to their malware, but its public availability puts Chrome users who store sensitive data in their browsers at greater risk.

Submitted by Gregory Rigby on

"AI Hallucinations Can Pose a Risk to Your Cybersecurity"

One of the most significant challenges associated with Artificial Intelligence (AI) hallucinations in cybersecurity is that such an error can cause an organization to miss a genuine threat. An AI hallucination occurs when a Large Language Model (LLM), the kind of model behind generative AI tools, returns an incorrect answer: the answer may be completely wrong or fabricated outright, such as a citation to a non-existent research paper. This article continues to discuss the concept of AI hallucinations and how they can affect cybersecurity.

Submitted by Gregory Rigby on

"Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining"

The "TeamTNT" cryptojacking group is behind a new large-scale campaign that targets cloud-native environments to mine cryptocurrency and to rent out breached servers to third parties. According to Assaf Morag, director of threat intelligence at Aqua, the group targets exposed Docker daemons to deploy cryptominers and the open-source "Sliver" command-and-control framework, which the campaign uses as a worm-like implant. Compromised servers and Docker Hub serve as the infrastructure for distributing the malware. This article continues to discuss the new cloud attacks launched by the TeamTNT hacker group.
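The entry point described above is a Docker daemon reachable over plain TCP. The following audit script is an added example, not code from the article or from Aqua's research: it reads a Docker `daemon.json`, flags any `tcp://` listener on a non-loopback address that is not protected by mutual TLS (`"tls"` plus `"tlsverify"`), and shows the weak configuration beside a hardened one. Both configuration samples are constructed for illustration; the `hosts`, `tls` and `tlsverify` keys are the real `daemon.json` options, and the `audit_docker_hosts` function name is the author's choice.

```python
import json
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: the exposed-daemon configuration that cryptojacking
# campaigns scan for (port 2375, all interfaces, no TLS).
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the hardened equivalent, bound to a management address
# on port 2376 with mutual TLS so only holders of a client cert can connect.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def _is_loopback(host: str) -> bool:
    """True for 'localhost', 127.0.0.0/8 and ::1; False for anything else."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as remote-reachable


def audit_docker_hosts(daemon_json: str) -> list:
    """Return a list of findings for the tcp:// listeners in a daemon.json.

    A listener is reported when it binds a non-loopback address without
    mutual TLS (the daemon then hands root-equivalent control of the host
    to anyone who can reach the port), and, even with mutual TLS, when it
    binds every interface instead of a dedicated management address.
    """
    cfg = json.loads(daemon_json)
    mutual_tls = bool(cfg.get("tls")) and bool(cfg.get("tlsverify"))
    findings = []
    for entry in cfg.get("hosts", []):
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        host = parts.hostname or ""
        if _is_loopback(host):
            continue
        if not mutual_tls:
            findings.append(
                f"{entry}: remote Docker API without mutual TLS "
                f"(anyone who can reach port {parts.port} gets root-equivalent access)"
            )
        elif host in ("0.0.0.0", "::"):
            findings.append(
                f"{entry}: bound to all interfaces; restrict to a management address"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_hosts(sample) or "no findings")
```

The check only covers `daemon.json`; a daemon started with `dockerd -H tcp://...` from a systemd unit or init script carries the same exposure, so the `ExecStart` line should be reviewed with the same criteria. Treat any finding from the first branch as an incident-response question, not just a configuration fix, since an exposed daemon may already have been used.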

Submitted by Gregory Rigby on

"Evasive Panda's CloudScout Toolset Targets Taiwan"

The Advanced Persistent Threat (APT) group "Evasive Panda" developed a toolset named "CloudScout" that has been used against Taiwanese institutions to steal cloud-hosted data. In the attacks, CloudScout reuses session cookies stolen by MgBot plugins to access Google Drive, Gmail, and Outlook accounts, so no direct authentication to those accounts is needed. This article continues to discuss findings regarding Evasive Panda's CloudScout toolset.

Submitted by Gregory Rigby on

"Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel"

A new technique lets attackers evade Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems by downgrading Operating System (OS) components. According to SafeBreach researcher Alon Leviev, the bypass enables attackers to load unsigned kernel drivers and thereby deploy custom rootkits capable of neutralizing security controls, hiding processes and network activity, maintaining stealth, and more. This article continues to discuss the OS downgrade flaw.

Submitted by Gregory Rigby on

"US Says Chinese Hackers Breached Multiple Telecom Providers"

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have disclosed that hackers affiliated with the People's Republic of China (PRC) breached US commercial telecommunications service providers. At the beginning of October, it was revealed that "Salt Typhoon," a Chinese hacking group, breached Verizon, AT&T, and Lumen Technologies. This article continues to discuss warnings regarding Chinese hackers breaching telecommunications providers.

Submitted by Gregory Rigby on

"Fog Ransomware Targets SonicWall VPNs to Breach Corporate Networks"

The "Fog" and "Akira" ransomware operators are using SonicWall Virtual Private Network (VPN) accounts to breach corporate networks, and they are suspected of exploiting a critical SSL VPN access control flaw. SonicWall patched the SonicOS flaw in late August 2024 but warned a week later that it was being actively exploited. At the same time, researchers at Arctic Wolf reported observing an Akira ransomware affiliate exploiting the vulnerability to gain initial access to victim networks.

Submitted by Gregory Rigby on

"Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials"

Researchers at Netskope Threat Labs warn of an increase in phishing pages built with the website builder Webflow, as threat actors continue to abuse legitimate services such as Cloudflare and Microsoft Sway for their own ends. According to Netskope Threat Labs researcher Jan Michael Alcantara, the campaigns target sensitive information from Coinbase, MetaMask, Phantom, and other cryptocurrency wallets, as well as credentials for multiple company webmail platforms and Microsoft 365 logins.

Submitted by Gregory Rigby on

"Black Basta Ransomware Poses as IT Support on Microsoft Teams to Breach Networks"

The "Black Basta" ransomware operation now uses Microsoft Teams to pose as corporate help desks, contacting employees about a spam attack. Since April 2022, Black Basta has carried out hundreds of ransomware attacks on corporations. After a series of "embarrassing" data breaches, the Conti cybercrime syndicate shut down in June 2022 and split into several groups, including Black Basta. This article continues to discuss new findings regarding the Black Basta ransomware.

Submitted by Gregory Rigby on