cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

The Russian influence operations Doppelganger and Operation Undercut utilized several tactics to spread content on X, TikTok, 9gag, and America's Best Pics and Videos

The Russian disinformation operations known as Doppelganger and Operation Undercut promoted content attacking Ukraine, Europe, and the United States using nine different languages and four platforms. On X, thousands of accounts were created to post pro-Kremlin content in addition to promoting redirect links to fake media websites. The network relied on trending hashtags and bot-like accounts to share the content and reach wider audiences. On TikTok, at least twenty-four accounts posted hundreds of videos that garnered millions of views, often relying on AI-generated narration and content masking to evade detection. Identical video content also appeared on the online platforms 9gag and America's Best Pics and Videos.

Operation Doppelganger is a Russian malign information operation known for impersonating reputable media outlets, targeting users with fake articles that promote Russia’s narratives. The DFRLab, other organizations, tech companies, and governments previously covered the operation’s multiple and ongoing iterations targeting various countries on different platforms since August 2022. Operation Undercut runs in parallel to Doppelganger, prompting similar narratives using AI-edited videos and images, along with screenshots from legitimate media outlets taken out of context to undermine Ukraine. The operation has been attributed to at least three Russian companies under sanctions, including the Social Design Agency, Structura and ANO “Dialog”, allegedly with support from cybercriminal syndicates like the AEZA group.

We collected data from X between December 12, 2024, and February 12, 2025, and observed Doppelganger activity primarily in French, German, Polish, English, and Hebrew. We also found some content in Turkish, Polish, Ukrainian, and Russian. We observed three main types of Doppelganger posts: posts with four captioned images, posts with one video or infographic, and posts with links that redirect to Doppelganger websites. As of February 21, 2025, 95 percent of accounts associated with the four-captioned-image posts and 73 percent of accounts associated with the single video/image posts in our sample had been suspended by X.

  • Cisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing, telecommunications and media, delivering Sagerunex and other hacking tools for post-compromise activities.
  • Talos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has actively conducted cyber espionage operations since at least 2012 and continues to operate today.
  • Based on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we attribute these campaigns to the Lotus Blossom group with high confidence.
  • We also observed Lotus Blossom gain persistence by using specific commands to install their Sagerunex backdoor within the system registry and configure it to run as a service on infected endpoints.
  • Lotus Blossom has also developed new variants of Sagerunex that not only use traditional command and control (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail as C2 tunnels.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name that the initial payload renames itself to after installation.

The malware employs several methods to avoid detection, such as:

  • Using benign-looking file names for operating
  • Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
  • Deploying proprietary encryption algorithms to hide communication and configuration information

Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.

This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too.

Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups.

In line with the public service announcement issued by the FBI regarding North Korean social engineering attacks, we have also witnessed several such social engineering attempts, targeting job-seeking software developers in the cryptocurrency sector.

In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update, as well as a previously undocumented macOS variant of a malware family known as Koi Stealer. During our investigation, we observed rare evasion techniques, namely, manipulating components of macOS to remain under the radar.

The characteristics of these attackers are similar to various reports during the past year of North Korean threat actors targeting other job seekers. We assess with a moderate level of confidence that this attack was carried out on behalf of the North Korean regime.

This article details the activity of attackers within compromised environments. It also provides a technical analysis of the newly discovered Koi Stealer macOS variant and depicts the different stages of the attack through the lens of Cortex XDR.

  • There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.
  • Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
  • Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
  • Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
  • There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers recognize, while it is occurring, that they are being targeted by malicious buyers, so that they can take defensive action to protect themselves.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

I'm (finally) moving our organization towards more decision-based risk analysis rather than just "it's risk! omg!" Starting with software reviews in the acquisition process.

What are folks using for quantitative modeling? I'm thinking simple models that take into account organizational track record (aka number of x incidents in y timespan), industry track record (average of z incidents) and some kind of weighting factor.

I have a few options. I can hire a contractor to build some excel models for us. I can spend some money on a software tool, with some work if it's more than $1k. Or I can invest in books / pluralsight / etc to teach myself quantitative analysis, which will take longer to get done.

What're you folks using for this kind of stuff?

submitted 1 week ago* (last edited 1 week ago) by Cat@ponder.cat to c/cybersecurity@infosec.pub
  • DeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.
  • Active since at least November 2023, this operation primarily uses two malware families – BeaverTail (infostealer, downloader) and InvisibleFerret (infostealer, RAT).
  • DeceptiveDevelopment’s tactics, techniques, and procedures (TTPs) are similar to several other known North Korea-aligned operations.

Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho’s attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers.

We’ve identified hundreds of victims of this attack in Russia, several in Belarus, and additional incidents in other countries. We believe that the attackers are primarily targeting organizations in Russia and Belarus, while the other victims were incidental—perhaps researchers using sandbox environments or exit nodes of Tor and VPN networks.

At the beginning of 2024, several cybersecurity vendors published reports on Angry Likho. However, in June, we detected new attacks from this group, and in January 2025, we identified malicious payloads confirming their continued activity at the moment of our research.

submitted 1 week ago* (last edited 1 week ago) by Cat@ponder.cat to c/cybersecurity@infosec.pub

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.

Signal's popularity among common targets of surveillance and espionage activity—such as military personnel, politicians, journalists, activists, and other at-risk communities—has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats.

We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.

submitted 1 week ago* (last edited 1 week ago) by Cat@ponder.cat to c/cybersecurity@infosec.pub

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.

In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.

How to visualize #server #metrics in #RealTime via #TCP in @LabPlot ?

@labplot@lemmy.kde.social @sysadmin@lemmy.world @sysadmin@lemmy.ml @cybersecurity

The purpose of this simple tutorial is not to position #LabPlot against dedicated applications, but rather to show how its "Live Data" functionality can be used to read and visualize data in real time.

👉 https://docs.labplot.org/en/tutorials/live/_data/tutorials/_live/_data/_server/_monitoring/_via/_tcp.html

#DevOps #SysAdmin #LiveData #data #FreeSoftware #Linux #OpenSource #InfoSec #CyberSecurity #Python #Cloud #Data #security #Business #Software #Ubuntu