Recently, Check Point Research observed threat actors using GitHub to achieve initial infections by utilizing new methods.
Previously, GitHub was used to distribute malicious software directly, with a malicious script downloading either raw encrypted scripting code or malicious executables. Their tactics have now changed and evolved. Threat actors now operate a network of “Ghost” accounts that distribute malware via malicious links on their repositories and encrypted archives as releases. This network not only distributes malware but also provides various other activities that make these “Ghost” accounts appear as normal users.
Read more…
Source: Check Point
Related:
- Automatic disruption of human-operated attacks through containment of compromised user accounts
October 11, 2023
Based on incidents analyzed by Microsoft, it can take only a single hop from the attacker’s initial access vector to compromise domain admin-level accounts. For instance, an attacker can target an over-privileged service account configured in an outdated and vulnerable internet-facing server. Highly privileged user accounts are arguably the most important assets for attackers. Compromised domain ...
- Israelis Form Citizen Cyber Brigades Amid Mounting Digital Attacks
October 11, 2023
Israel’s large cybersecurity base is mobilizing to protect the country’s digital borders from hackers in the wake of a cross-border attack over the weekend that left more than 1,200 people dead and 100 more taken hostage. Members of the country’s large technology community formed the all-volunteer Israel Tech Guard to search for hostages and missing people ...
- Assessed Cyber Structure and Alignments of North Korea in 2023
October 10, 2023
Historically Mandiant has made assessments on the Democratic People’s Republic of Korea’s (DPRK) cyber program based on Mandiant responses to intrusions, defector accounts, and OSINT reporting, in conjunction with government disclosures of DPRK units and motivation information. These assessments were generalizations and as new activity, such as cryptocurrency-focused units, emerged it blended the efforts from DPRK ...
- How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
October 10, 2023
A number of Google services and Cloud customers have been targeted with a novel HTTP/2-based DDoS attack which peaked in August. These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second. The attacks were largely stopped at the edge of our network by Google’s ...
- FBI and CISA Release Update on AvosLocker Advisory
October 10, 2023
Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA), #StopRansomware: AvosLocker Ransomware (Update) to disseminate known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. This release ...
- ‘Gay furry hackers’ brag of second NATO break-in, steal and leak more data
October 10, 2023
On Sunday, the SiegedSec crew claimed it broke into six NATO web portals: the alliance’s Joint Advanced Distributed Learning e-learning website; the NATO Lessons Learned Portal, from which the gang said it stole 331 documents; the Logistics Network Portal (588 documents and other files); the Communities of Interest Cooperation Portal; the NATO Investment Division Portal ...