A new hybrid Machine Learning (ML) model exploitation technique called "Sleepy Pickle" has highlighted the Pickle format's security risks. According to Trail of Bits, the attack weaponizes the ubiquitous format used to package and distribute ML models in order to corrupt the model, thus threatening an organization's downstream customers. Security researcher Boyan Milanov emphasizes that Sleepy Pickle is a stealthy and novel attack on the ML model itself instead of the underlying system.

According to a new Trend Micro report, a backdoor in Executable and Linkable Format (ELF) files used by Chinese hackers has been incorrectly identified as a variant of existing malware for years. Trend Micro introduced "Noodle RAT," a Remote Access Trojan (RAT) used by Chinese-speaking groups involved in espionage or cybercrime. Noodle RAT, also known as "ANGRYREBEL" or "Nood RAT," has been active since at least 2018. This article continues findings regarding Noodle RAT.

Police in Kyiv have recently identified a 28-year-old man suspected of working with big-name Russian ransomware groups to make their malware undetectable.  According to the Ukranian Cyber Police, the Kharkiv native collaborated with Conti and LockBit to deliver cryptor technology designed to obfuscate ransomware payloads so they remained undetectable to anti-malware tools.  The technology was used at the end of 2021 to infect the computer networks of a Dutch multinational in the Netherlands and Belgium for the Conti ransomware-as-a-service group.

Hackers could gain access to website servers, bypassing the security feature that locks users out after three incorrect password entries. If successful, the attackers can have unlimited attempts to guess passwords and gather information for any accounts on the server. Jeremiah Blocki, an associate professor of computer science at Purdue University's College of Science, is trying to develop a system that makes logon computation relatively fast and inexpensive for website owners while making it costly enough regarding time and memory for hackers.

With a new phishing kit, red teams and cybercriminals can create Progressive Web Apps (PWAs) with convincing corporate login forms aimed at stealing credentials. A PWA is a web-based app built with HTML, CSS, and JavaScript that can be installed from a website like a desktop application. Mr.d0x, a security researcher, has developed a new phishing toolkit that demonstrates how to create PWAs to display corporate login forms, including a fake address bar that shows the normal corporate login URL. This article continues to discuss the new phishing toolkit involving PWAs.

"Coathanger," a piece of malware designed specifically to live on Fortinet's FortiGate appliances, may still be present on many devices. The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) reported in February 2024 that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a FortiOS pre-auth Remote Code Execution (RCE) vulnerability and launched Remote Access Trojan (RAT) malware to create a persistent backdoor. The Coathanger RAT survived reboots and firmware upgrades.

A Windows backdoor, dubbed "WarmCookie" by Elastic Security Labs, gives attackers entry into targeted systems. Following initial access, they move on to ransomware delivery and system compromise. Starting in late April, the backdoor has been distributed in a phishing campaign called "REF6127." The phishing emails use recruitment and potential jobs as lures. This article continues to discuss findings regarding the WarmCookie malware.

According to Symantec, the "Black Basta" ransomware group may have exploited a recently patched Windows privilege escalation vulnerability. The Windows error reporting service privilege escalation vulnerability allows an attacker to gain system privileges. Symantec found evidence that the Black Basta group may have exploited this vulnerability as a zero-day. The company discovered a tool that exploits the flaw to start a shell with administrative privileges.

Fortinet recently announced patches for multiple vulnerabilities in FortiOS and other products, including several flaws leading to code execution.  The most severe vulnerability is CVE-2024-23110 (CVSS score of 7.4), which collectively tracks multiple stack-based buffer overflow security defects in the platform’s command line interpreter.  Successful exploitation of the high-severity flaw may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments.

GuidePoint Security has discovered that the "Scattered Spider" cybercrime group is an affiliate of the "RansomHub" Ransomware-as-a-Service (RaaS) operator. Based on observed tactics, techniques, and procedures (TTPs), the researchers believe that at least some of Scattered Spider, a former ALPHV/BlackCat affiliate, is now running ransomware with RansomHub. This article continues to discuss Scattered Spider's link to RansomHub.