
Researchers discover a new smuggling attack that bypasses PowerShell security protection and AMSI detection; AMD launches urgent investigation into confidential data leak | Niu Lan

Date: June 20, 2024


News

FTC files lawsuit against Adobe over subscription service fraud
Researchers discover new smuggling attack that bypasses PowerShell security and AMSI detection
AMD launches urgent investigation into confidential data leak
BlackSuit extortion gang leaks Kansas City police officers' private data on the dark web
Romanian government and financial institutions' websites were temporarily paralyzed by DDoS attacks
New OPIX ransomware encrypts files using random strings
A new phishing attack service, ONNX, is targeting Microsoft 365 accounts in the financial industry
Prosimo and Palo Alto Networks to enhance application security in multi-cloud environments
Mend.io launches intelligent DevOps security tool
Qi'anxin Group and China Telecom Shaanxi Company reach a strategic cooperation

Hot Spot Observation

FTC files lawsuit against Adobe over subscription service fraud

Recently, the U.S. Federal Trade Commission (FTC) filed a lawsuit in federal court accusing software giant Adobe and two of its executives, Maninder Sawhney and David Wadhwani, of deceptive practices in its subscription plans. The FTC stated that Adobe hid important terms such as early termination fees (ETFs) during the subscription process and deliberately set up a complicated cancellation process to discourage consumers from canceling. The FTC further claimed that Adobe's customer service deliberately obstructed users who tried to cancel, resulting in continued billing. The FTC asked the court to impose a range of remedies on Adobe and its executives, including permanent injunctions, civil penalties, and consumer compensation.

Adobe disputed the FTC's allegations, saying its subscription service is flexible, convenient and cost-effective, and that users can choose the plan that suits them best. Adobe said the terms and cancellation process of its subscription agreement are transparent and that it will refute the FTC's allegations in court. This is not the first time Adobe has been questioned by regulators over its handling of user data. Previously, the company faced strong opposition after its terms of service stated that it could access user content to train artificial intelligence, and it was eventually forced to change the relevant terms.

Original link:

https://www.bleepingcomputer.com/news/legal/ftc-files-complaint-against-adobe-for-deceptive-cancellation-practices/

Researchers discover new smuggling attack that bypasses PowerShell security and AMSI detection

Recently, researchers disclosed a new ScriptBlock smuggling attack technique that can bypass PowerShell's security logging and AMSI (Antimalware Scan Interface) detection. The technique takes advantage of how ScriptBlocks are represented in PowerShell: by manipulating the AST (abstract syntax tree) and the Extent (the string representation of the ScriptBlock) so that they no longer agree, the security mechanisms can be tricked into inspecting one thing while the engine executes another, so malicious code runs without being recorded in the log.

The attack works because PowerShell's security mechanisms operate only on the ScriptBlock's own representation, and PowerShell does not log a ScriptBlock until it is executed for the first time. The researchers took advantage of this behaviour to create a seemingly harmless ScriptBlock that actually performed malicious operations without being captured by logging or AMSI. They also bypassed AMSI detection by constructing the ScriptBlock from C#.

ScriptBlock smuggling therefore allows threat actors to evade a range of antivirus and EDR detections and execute malicious code unnoticed, and it can be combined with more complex techniques such as command hooking. Security experts said that countering this attack requires improving PowerShell's security mechanisms and strengthening monitoring and detection of the AST and Extent, in particular checking that the two agree. Users should also be vigilant and treat PowerShell scripts of unknown origin with caution.

Original link:

https://cybersecuritynews.com/scriptblock-smuggling-bypass-security/

AMD launches urgent investigation into confidential data leak

Recently, the American multinational semiconductor company Advanced Micro Devices (AMD) was allegedly breached by the hacker group IntelBroker, resulting in the leak of a large amount of sensitive information about AMD employees and products. IntelBroker posted on a dark web forum that it had successfully compromised AMD and advertised a large amount of stolen data, including AMD ROMs, firmware, source code, property files, an employee database, a customer database, financial information, and future product plans.

AMD has issued an official statement on the incident: “AMD attaches great importance to this incident and will spare no effort to protect data security. The company is working closely with law enforcement agencies and third-party partners to thoroughly investigate this incident and assess the potential impact of the stolen data.” Although AMD has not yet specified the cause of the breach, the incident reportedly occurred in June 2024 and may have a significant impact on AMD's business operations, customer relationships and market position.

Original link:

Network attacks

BlackSuit extortion gang leaks Kansas City police officers' private data on the dark web

Recently, the ransomware group “BlackSuit” published a large amount of sensitive data allegedly stolen from the Kansas City Police Department (KCKPD) on its dark web leak site. The leaked information includes police salaries, case reports, investigation files, fingerprint databases, employee data, and homicide scene photos, touching many key operations of KCKPD. The leak followed KCKPD's refusal to pay the ransom, after which the group threatened to publish internal department information. KCKPD has not yet made an official statement on the matter, nor has it confirmed the authenticity or scope of the leaked information.

According to Hackread.com, however, the leaked data is dated June 13, 2024, which suggests the information may be genuine. BlackSuit is suspected to be a rebrand of the notorious “Conti” ransomware gang and has attacked 58 organizations in the past year. The attack on KCKPD not only threatens the privacy and financial safety of the public, since exposed details of past investigations could enable identity theft and fraud, but also undermines public trust in the police's ability to protect information.

Original link:

Romanian government and financial institutions' websites were temporarily paralyzed by DDoS attacks

Recently, a large-scale distributed denial-of-service (DDoS) attack launched by hacker groups including NoName, HackNet, Cyber Dragon and Terminus severely affected a number of Romanian websites, including the government portal, the stock exchange and financial institutions such as banks. Although the full extent of the damage is not yet clear, reports indicate that government websites, the National Bank of Romania, the Aedificium Housing Bank and the Bucharest Stock Exchange website all experienced serious accessibility issues, ranging from “403 Forbidden” errors to extended loading times, which suggest the systems were disrupted or compromised.

Although NoName issued a statement claiming the attack, the targeted organizations have not yet released official statements, which leaves the severity and authenticity of the claims open to doubt. Mitigating this type of DDoS attack requires sustained cloud-based protection together with specialized filtering tools. Patching vulnerabilities and not opening carefully crafted phishing emails are also necessary cyber hygiene practices.

Original link:

New OPIX ransomware encrypts files using random strings

Recently, researchers discovered a new ransomware family dubbed OPIX. It encrypts user files, renames them with a random string of characters and appends a “.OPIX” extension. Once infected, the victim sees a ransom note asking them to contact the attacker via a specified email address or Telegram within 48 hours, otherwise the stolen data will be sold to competitors and published on the dark web. OPIX is usually spread through social engineering, with the malware disguised as ordinary content such as executables, documents or archives; once the victim opens such a file, the ransomware launches and encrypts the data. Ransomware of this type is usually difficult to decrypt, and even paying the ransom does not guarantee that files can be fully restored.

To protect files from OPIX, security experts recommend that users regularly back up important data to several different locations, such as remote servers and disconnected storage devices. Users should also be cautious with emails and messages and avoid clicking unknown links or opening attachments. In addition, VMware Carbon Black Cloud's reputation service can help block known, suspicious and potentially unwanted programs and enforce delayed execution of cloud scans.

Original link:

https://cybersecuritynews.com/new-opix-ransomware-encrypting-files/

A new phishing attack service, ONNX, is targeting Microsoft 365 accounts in the financial industry

Recently, a new phishing-as-a-service (PhaaS) platform called ONNX Store has been targeting the Microsoft 365 accounts of employees at financial companies. The platform uses QR codes embedded in PDF attachments to lure victims into entering their login credentials and two-factor authentication (2FA) tokens, giving the attackers control of the accounts. Researchers at EclecticIQ found that ONNX is likely a rebrand of the Caffeine phishing kit operated by MRxC0DER, a threat actor based in the Middle East. ONNX activity began in February 2024 and has mainly targeted employees of banks, credit unions and private financing companies. The attacks impersonate human resources departments and send Adobe- or Microsoft-themed PDF files, tricking recipients into scanning a QR code and entering their account credentials on a phishing page.

ONNX gives cybercriminals a powerful and inexpensive phishing platform, with an operations center on Telegram that offers customers an intuitive interface for managing campaigns. ONNX also uses encrypted JavaScript code, Cloudflare services and bulletproof hosting to evade detection. The platform offers four subscription tiers, ranging from $150 to $400 per month, aimed at different levels of phishing needs. To counter the threat, experts recommend that administrators block PDF and HTML attachments from untrusted sources, disable access to HTTPS websites with expired certificates, and enable FIDO2 hardware security keys for high-risk accounts. EclecticIQ has also shared YARA rules for detecting PDF files that contain malicious QR codes.

Original link:

https://www.bleepingcomputer.com/news/security/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms/

Industry News

Prosimo and Palo Alto Networks to enhance application security in multi-cloud environments

According to CRN, Prosimo recently entered into a partnership with Palo Alto Networks to improve the security of workloads and applications across multi-cloud environments by integrating Prosimo's full-stack cloud transit platform with Palo Alto's Prisma Cloud, with the aim of protecting application access by embedding zero-trust principles. Mani Ganesan, vice president of products at Prosimo, said the partnership lets enterprises deploy Palo Alto firewalls closer to workloads and enables context-aware routing, reducing unnecessary firewall usage and the associated cost while maintaining security. Context awareness matters here: if, for example, a workload is subject to PCI compliance and requires that level of security, Prosimo routes its traffic through the firewall in every context so the firewall can do its job. The partnership will also let Prosimo offer either a centralized deployment model, with Palo Alto firewalls in a central virtual private cloud for east-west or north-south traffic, or a distributed model that deploys firewalls in each virtual private cloud.

Original link:

https://www.scmagazine.com/brief/prosimo-partners-with-palo-alto-to-up-multicloud-security

Mend.io launches intelligent DevOps security tool

Mend.io recently launched MendAI, an application security tool that can identify code generated by artificial intelligence models and extends its software composition analysis tool with detailed AI model versioning and update information. The enhancement helps organizations manage licensing, compatibility and compliance issues in the context of software bills of materials. Mend.io has indexed more than 35,000 publicly available large language models to support this capability.

Jeffery Martin, vice president of product at Mend.io, emphasized the importance of these tools for data science teams that use machine learning operations workflows. These teams often lack cybersecurity expertise, which leaves AI-generated code open to exploitation, so DevSecOps teams must be able to identify and manage potentially vulnerable AI-generated code. As the use of AI-generated code grows, DevSecOps teams must address the resulting AI security issues.

Original link:

https://www.scmagazine.com/brief/mend-io-rolls-out-devops-ai-security-tool

Qi'anxin Group and China Telecom Shaanxi Company reach a strategic cooperation

Recently, Qi'anxin Group and China Telecom Shaanxi Company signed a strategic cooperation agreement in Xi'an. The two parties will cooperate comprehensively in the fields of endogenous security, government and enterprise ICT, joint innovation and industry voice, and will jointly build a security services ecosystem based on strategic synergy, complementary advantages, resource sharing and win-win development, helping both parties create greater economic and social benefits in their respective fields and opening a new pattern of industrial development.

Shangguan Yafei, Party Secretary and General Manager of Shaanxi Telecom, said: China Telecom has expanded its presence in the security field in recent years, establishing Chenan Technology Company, Quantum Company and others, promoting the deep integration of quantum technology with 5G, cloud networks, intelligent terminals and platform applications, and building the country's only network attack protection platform, “Yun Dike”, with full network coverage and global reach. In Shaanxi, Tianyi Cloud ranks first in market share for Xinchuang Cloud and Government Cloud. All of this lays a good foundation for the success of the cooperation. It is hoped that the two sides will further expand the depth and breadth of cooperation, help Shaanxi Telecom improve its own network security capabilities, and jointly explore and deepen work in endogenous security, government and enterprise ICT, joint security innovation, AI security, security threat intelligence and other fields to provide customers with better security services.

Original link:

https://mp.weixin.qq.com/s/v94XkWAFg-VxMLETk37BsA
