The project is part of a wider Endpoint Detection and Response effort called Sanctum. It shows how defenders can use Windows Minifilters to spot and interrupt malicious file encryption before user data is damaged.

How the Detection Method Works

At the center of this approach is a Windows feature known as a file system filter driver. This driver operates between user applications and the storage system, meaning every file operation — creating, modifying, or renaming files — passes through it.

Researcher 0xflux describes this layer as a control point. Because all file activity flows through it, the system can monitor behavior in real time and step in when something suspicious happens.

Although the developer initially planned to build the driver in Rust, the lack of proper filter driver support led to the project being written in C instead.

What Signals Indicate Ransomware

The Sanctum driver registers system callbacks so it gets notified when certain file actions occur. The proof-of-concept focuses on two important Windows file events.

One event tracks when programs request access to files with write or delete permissions. A process rapidly opening many files with these permissions can signal the start of mass encryption.

The second event is more central to this PoC. It triggers when file information changes, such as when a file is renamed. Ransomware often renames files after encryption, adding a new extension to mark them as locked.

In this demo, the driver watches for a specific extension tied to a known LockBit variant.

How the System Identifies the Attacker

When a rename event occurs, the driver uses Windows APIs to read the full file name and compare the new extension with known ransomware patterns.

If a match appears, the system does more than log the event. It also determines which process made the change. Using internal functions, it retrieves the process ID and the program name responsible. This gives defenders precise visibility into which application is behaving maliciously.

Right now, the tool mainly records suspicious activity, acting as a detailed monitoring system. However, future versions could go further.

The researcher suggests adding real-time entropy analysis to detect encryption as it happens. Another potential feature is freezing or terminating the threads of a malicious process immediately after detection.

This project shows how moving defenses deeper into the Windows kernel can provide faster response and greater visibility than traditional antivirus solutions that operate at higher system levels.

The post Using Windows Minifilters to Identify Ransomware Activity appeared first on First Hackers News.

The appearance of Osiris highlights how ransomware operations continue to evolve. The attack shows careful planning and execution, reflecting the methods typically used by well-established cybercrime groups rather than opportunistic attackers.

Instead of relying only on obvious malware, the attackers combined trusted Windows features with specialized tools to move through the network. This blend allowed them to maintain access, gather credentials, and prepare systems for encryption while staying largely unnoticed.

Investigators traced the activity after noticing similarities with earlier Inc ransomware operations. These included shared tooling patterns and familiar data theft techniques.

Sensitive information was taken before encryption using cloud-based transfer utilities, confirming a double-extortion strategy.

Driver-Level Attacks and Security Disabling

A key element of the intrusion was the use of a rogue driver known as Poortry, also referred to as Abyssworker. Disguised as legitimate security software, the driver was introduced to undermine system protections.

Through a bring-your-own-vulnerable-driver (BYOVD) method, the attackers gained deep system access and shut down security tools without drawing immediate attention. This technique has become increasingly common because it allows ransomware operators to bypass endpoint defenses effectively.

What sets this case apart is that the driver appears to be custom-built rather than reused from public sources, suggesting strong technical skills within the group. Additional utilities were deployed to scan the environment and keep remote control of compromised systems.

Once their position was secured, the attackers launched the ransomware, encrypting files with strong cryptography and blocking recovery by stopping critical services and removing backup snapshots. The overall operation points to a highly capable and experienced ransomware group behind Osiris.

The post New Osiris Ransomware Campaign Exploits Living-off-the-Land Tools appeared first on First Hackers News.

First observed in December 2023, DragonForce quickly positioned itself as a serious Ransomware-as-a-Service (RaaS) operation. The group publicly promotes itself as a cartel and runs a service called “Ransombay,” allowing affiliates to request customized payloads and configurations.

DragonForce Ransomware

DragonForce operates under a structured RaaS model that was openly promoted in mid-2024 on underground forums. The group actively recruits a wide range of partners, including initial access brokers and independent penetration testers, offering affiliates up to 80% of ransom payments.

The operation does not exist in isolation. Code analysis shows that DragonForce is heavily derived from leaked LockBit 3.0 (Black) and Conti source code. Some samples demonstrate over 90% similarity with LockBit, strongly indicating reuse of the leaked LockBit builder combined with Conti-style logic.

Infrastructure overlaps and code reuse have also linked DragonForce to other ransomware groups such as BlackLock and RansomHub. In one incident, DragonForce operators even compromised BlackLock’s own leak site through a misconfiguration, exposing internal data.

Technical Design and Encryption Behavior

Internally, DragonForce uses custom string obfuscation, decrypting strings only at runtime. File encryption is based on the ChaCha8 stream cipher, with a unique session key generated per file.

Before encryption completes, DragonForce appends a metadata block to each file. This metadata contains the encrypted session key, encryption mode, file size, and additional flags required for recovery. Depending on file type and size, the ransomware applies full, partial, or header-only encryption, prioritizing performance while still disrupting critical systems such as databases and virtual machine images.

Network-based encryption capabilities allow DragonForce to scan private IP ranges, connect over SMB, and selectively target network shares while skipping administrative paths like ADMIN$. Optional features also allow the malware to rename files, change file icons, and replace the desktop wallpaper with ransom-themed imagery.

Decryptors for Windows and ESXi Victims

A significant development came when the S2W Threat Research and Intelligence Center (TALON) obtained DragonForce decryptors during threat-hunting operations. These tools are victim-specific and are not universal decryptors.

Decryptor Capabilities (Summary List)

• Separate decryptors for Windows and ESXi
• Uses embedded RSA-4096 private keys to recover ChaCha8 session keys
• Supports both local and network share decryption
• ESXi decryptors validate files using a per-victim build key
• Fully restores original files by removing appended metadata

Because DragonForce embeds the encryption keys within file metadata (protected by RSA), possession of the correct private key enables full data recovery for affected victims.

Recommendations

Organizations should treat DragonForce as a mature and evolving ransomware threat with strong ties to established ransomware families.

Recommended actions include:

• Monitor for LockBit and Conti-style indicators, including file structure similarities
• Harden initial access vectors, especially exposed services and stolen credentials
• Restrict SMB access and apply network segmentation
• Maintain offline, immutable backups for Windows and ESXi environments
• Engage incident response teams early if DragonForce activity is suspected

While the available decryptors offer hope for some victims, they are limited in scope. Prevention, early detection, and strong recovery planning remain the most reliable defenses against DragonForce attacks.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post DragonForce Ransomware Targets ESXi and Windows Systems appeared first on First Hackers News.

Day One of Pwn2Own Ireland 2025 concluded with an extraordinary showcase of cybersecurity talent, as researchers demonstrated 34 unique zero-day vulnerabilities across a wide range of consumer devices.
The exploits earned participants a combined payout of $522,500, marking one of the most successful opening days in the competition’s history.

Hosted by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own is renowned for uncovering security flaws in real-world products. This year’s event stood out for its 100% success rate, with every single exploit attempt succeeding on the first day — a rare achievement in competitive hacking.

Teams Dominate Smart Home and NAS Devices

The first day featured 17 exploitation attempts targeting various connected devices including printers, routers, smart home systems, and NAS (Network-Attached Storage) units from major global manufacturers.

Team DDOS, made up of Bongeun Koo and Evangelos Daravigkas, took an early lead by chaining together eight vulnerabilities to compromise both a QNAP Qhora-322 router and a QNAP TS-453E NAS device.
Their impressive “SOHO Smashup” demonstration earned them $100,000 in prize money and 10 Master of Pwn points, placing them among the top contenders early in the event.

Smart Home Devices Fall to Expert Exploits

Several popular smart home products were also successfully compromised, including the Philips Hue Bridge, Synology ActiveProtect DP320, and Home Assistant Green.

Sina Kheirkhah from the Summoning Team stood out for participating in multiple successful exploits, including a powerful attack against the Synology ActiveProtect Appliance DP320 that earned an additional $50,000 in rewards.

In one of the most notable demonstrations, researcher DMDung of STAR Labs exploited a single out-of-bounds access vulnerability to take control of the Sonos Era 300 smart speaker — achieving the highest single-device payout of $50,000 and securing five Master of Pwn points.

Consumer printers were not spared from the day’s onslaught of exploits. Both Canon and HP devices were successfully hacked, highlighting ongoing concerns about the security of office and home printers.

The Canon imageCLASS MF654Cdw was a particularly popular target, with four different teams exploiting it using combinations of heap-based and stack-based buffer overflow vulnerabilities.
Meanwhile, Team Neodyme executed a stack-based buffer overflow on the HP DeskJet 2855e, earning $20,000 for their exploit.

The post Hackers Expose 34 Zero-Day Flaws at Pwn2Own Ireland 2025 — Over $522,000 Awarded on Day One appeared first on First Hackers News.

• SSRF (Server-Side Request Forgery) to coerce backend servers into making arbitrary requests.
• CRLF injection to insert custom headers into requests.
• Request smuggling to access internal endpoints and upload malicious templates.

This attack abuses the ability of JSP files to load untrusted stylesheets, allowing arbitrary code execution. Persistent HTTP connections are used to chain multiple requests, increasing reliability and reducing detection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The agency has warned that the vulnerability has already been used in ransomware campaigns. All federal agencies have been ordered to apply security patches by October 27, 2025.

Security experts have raised alarms that mass exploitation is expected within days. Cl0p has already targeted multiple organizations since August, stealing sensitive data and issuing extortion emails.

Organizations using Oracle EBS are being strongly advised to patch immediately, conduct threat hunts, and strengthen access controls. Delays in remediation could lead to significant data breaches, financial loss, and operational disruption.

SEO Keywords included: Oracle E-Business Suite, CVE-2025-61882, Cl0p ransomware, remote code execution, SSRF, CRLF injection, WatchTowr Labs, CrowdStrike, CISA KEV, cybersecurity vulnerability, patch advisory.

The post Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group appeared first on First Hackers News.

Arctic Wolf observed multiple incidents where SonicWall Secure Mobile Access (SMA) appliances were accessed despite OTP-based MFA being active. In each case, multiple OTP challenges were issued, but attackers still authenticated successfully, suggesting they had access to the correct OTP codes.

Background: Zero-Day Vulnerability and CVE-2024-40766

These incidents follow a wave of Akira ransomware attacks earlier this year that exploited an unknown vulnerability in SonicWall’s SMA VPN appliances. At the time, the method of initial access was unclear. However, SonicWall later confirmed the attackers were exploiting a zero-day vulnerability, now tracked as CVE-2024-40766, involving improper access control in the web management interface.

A patch was released in August 2024, and SonicWall urged customers to upgrade to the latest versions of SonicOS 7.1.1-7040 / 7.0.1-5146 and SMA 100 firmware to mitigate the issue. They also advised administrators to reset all user credentials for impacted VPN portals, particularly those not integrated with Active Directory.

However, Arctic Wolf’s new findings indicate that the threat actors may have already harvested OTP seed data during prior compromises—making even patched devices vulnerable if credentials were not rotated.

OTP MFA Bypass: What Researchers Observed

According to Arctic Wolf’s investigation:

• In multiple breach incidents, VPN user logins occurred with OTP MFA enabled.
• Multiple OTP prompts were issued, yet the login was ultimately successful.
• This behavior suggests that the attackers possessed valid OTP secrets or were able to generate valid tokens at will.
• The exploitation was not due to a new vulnerability, but likely stemmed from previously compromised credentials and OTP seeds.

This theory is supported by a June 2024 report from Google’s Threat Analysis Group (TAG) and Mandiant, which detailed how another threat group, UNC6148, used stolen OTP seeds to bypass MFA on SonicWall SMA 100 series devices—even when those systems were fully patched.

Post-Breach Activity: Fast and Aggressive Lateral Movement

Once initial access was achieved, Akira operators wasted no time escalating privileges and moving laterally within victim networks. Arctic Wolf reports that:

• Internal network scanning typically began within 5 minutes of VPN login.
• Attackers used tools like Impacket, RDP, and Active Directory enumeration utilities including:

• dsquery
• SharpShares
• BloodHound

• A high-priority target was the Veeam Backup & Replication server, a critical system used for managing backup infrastructure.The threat actors deployed custom PowerShell scripts to:
• Extract and decrypt credentials from Veeam, MSSQL, and PostgreSQL databases.
• Retrieve Data Protection API (DPAPI) secrets to further compromise systems.

The post Akira Ransomware Now Breaches MFA‑Protected SonicWall VPNs, Researchers Warn appeared first on First Hackers News.

Initial access is gained through vulnerabilities in exposed FortiGate servers. Network reconnaissance is conducted using tools like Advanced IP Scanner. Legitimate signed drivers, such as ThrottleBlood.sys, are abused in conjunction with custom executables like All.exe to terminate protected security processes. Customized variants, including Allpatch2.exe, are deployed based on victim environment scans for enhanced defense evasion.

Group Policy Objects (GPO) are manipulated via management console tools and encoded PowerShell scripts to identify domain controllers. Privilege escalation is achieved with PowerRun.exe, while registries are modified to disable authentication controls. Lateral movement is facilitated by PsExec and persistent access is maintained through AnyDesk for command-and-control operations.

Data exfiltration is performed over encrypted channels using WinSCP, with Nmap employed for comprehensive network scanning. Ransomware payloads are deployed via the NETLOGON share, requiring specific password parameters. Backup services, databases, and security processes are aggressively terminated, while forensic artifacts like shadow copies and event logs are deleted to hinder recovery efforts.

The cybersecurity threat posed by The Gentlemen underscores the urgency for robust protections against ransomware exploitation. Internet-facing services must be fortified, and adaptive tactics in enterprise security are essential to mitigate breaches in critical sectors.

The post Gentlemen Ransomware: Exploiting Drivers and Policies in Sophisticated Cyber Attacks appeared first on First Hackers News.

SCATTERED SPIDER, an eCrime adversary, has recently expanded its targeting to include the aviation sector, alongside its established focus on the insurance and retail industries, according to observations by CrowdStrike Services.

During Q2 2025, SCATTERED SPIDER primarily targeted U.S.-based insurance and retail companies, as well as U.K.-based retail entities. However, incidents in late June 2025 involving U.S.-based airlines revealed tactics, techniques, and procedures (TTPs) consistent with the group’s known operations.

Overview of SCATTERED SPIDER TTPs

In nearly all observed incidents in 2025, the adversary employed help desk voice-based phishing to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. SCATTERED SPIDER operators consistently succeeded in impersonating legitimate employees by accurately answering help desk verification questions during calls made to request password or multifactor authentication (MFA) resets.

After gaining access to Entra ID, SSO, and VDI accounts, SCATTERED SPIDER typically pivots to integrated software-as-a-service (SaaS) applications. They leverage access to these platforms to locate data that can facilitate lateral movement – such as network architecture diagrams, VPN instructions, or files containing credentials- as well as to support extortion or other monetization efforts.

The adversary used help desk voice-based phishing in almost all observed 2025 incidents to compromise Microsoft Entra ID, single sign-on (SSO), and virtual desktop infrastructure (VDI) accounts. SCATTERED SPIDER operators routinely accurately respond to help desk verification questions when impersonating legitimate employees in calls made to request password and/or multifactor authentication (MFA) resets.

SCATTERED SPIDER typically pivots from compromised Entra ID, SSO, and VDI accounts to integrated software-as-a-service (SaaS) applications. They use access to these platforms to search for data that may enable lateral movement (such as network architecture diagrams, VPN instructions, or text files containing credentials), extortion, or other monetization activity.

Recent SCATTERED SPIDER activity has revealed several additional tactics, techniques, and procedures (TTPs), including:

• Active Directory (AD) Reconnaissance: The adversary conducted reconnaissance on on-premises systems using tools such as ADExplorer, ADRecon.ps1, and the Get-ADUser PowerShell cmdlet to gather domain information.
• VMware vCenter Exploitation: SCATTERED SPIDER leveraged access to VMware vCenter to create unmanaged virtual machines (VMs). They frequently attached domain controller virtual machine disks to these VMs to extract the ntds.dit Active Directory database for credential theft.
• Use of Legitimate Tunneling and Proxy Tools: The group installed various protocol-tunneling and proxy tools on VMware vCenter and their own VMs, including:
  • Chisel (configured to communicate with trycloudflare[.]com subdomains)
  • MobaXterm
  • ngrok
  • Pinggy
  • Rsocx
  • Teleport
• Email Manipulation for Stealth: SCATTERED SPIDER manually deleted emails (using HardDelete, SoftDelete, and MoveToDeletedItems operations) and created mail transport rules (via Set-TransportRule) to delete or redirect alerts about suspicious account activity. In one instance, the adversary redirected such notifications to an attacker-controlled googlemail[.]com address.
• AWS Data Exfiltration: They used S3 Browser to enumerate and access victims’ AWS S3 buckets, as evidenced by AWS CloudTrail events like ListBuckets and ListObjects, and exfiltrated data to remote attacker-controlled S3 buckets.

SCATTERED SPIDER Assessment

SCATTERED SPIDER’s primary objective is to deploy ransomware within a victim’s VMware ESXi infrastructure. If the attack is contained before ransomware execution, the adversary often resorts to threatening to leak stolen data publicly and issues a ransom demand as part of a double extortion strategy.

This threat actor frequently targets multiple organizations within the same industry in a short period. However, their targeting is not strictly industry-specific. For example, CrowdStrike Services responded to a SCATTERED SPIDER incident involving a retail organization during a period when the group was primarily focusing on insurance sector entities.

Common Attack Methods

• Social Engineering: Engaging IT help desks and privileged users through sophisticated phone-based impersonation tactics.
• SIM Swapping & Credential Theft: Compromising victims’ mobile phone accounts to bypass SMS-based multifactor authentication (MFA).
• Abuse of Legitimate Remote Access Tools: Utilizing tools such as TeamViewer, AnyDesk, and others for persistent remote access.
• VMware Infrastructure Compromise: Gaining access to vCenter and ESXi environments to enable ransomware deployment.
• Cloud Lateral Movement: Exploiting cloud identity providers to move laterally across cloud environments.
• Data Exfiltration: Extracting sensitive data prior to ransomware deployment to enable double extortion tactics.

Common Targets:

• VMware vCenter and ESXi virtualization environments
• Cloud identity providers such as Azure AD/Entra ID, AWS IAM, Google Cloud Identity, and Okta
• Privileged access management systems and administrator accounts
• VPNs and remote access solutions
• Backup and recovery systems
• Help desk and IT support personnel

SCATTERED SPIDER’s advanced social engineering, rapid pivoting between environments, and multi-layered extortion techniques make it a persistent and formidable threat across industries.

CrowdStrike Customers: Enable Falcon Platform Features

CrowdStrike customers can strengthen their security posture by deploying priority log sources, activating correlation rules, and integrating cloud security. These actions help maximize detection capabilities, enhance visibility, and improve response times – all within the unified CrowdStrike Falcon® platform.

Falcon Next-Gen SIEM: Critical Log Source Integration

Endpoint customers must enable log ingestion connectors and the appropriate parser to ensure critical logs are properly ingested into CrowdStrike Falcon® Next-Gen SIEM for effective detection of compromise.

Highest Priority Logs to Ingest for Detecting SCATTERED SPIDER Activity:

• Microsoft Entra ID (Azure AD): For monitoring identity-based attacks, including suspicious logins and MFA changes.
• Virtual Desktop Infrastructure (VDI) Logs: To detect unauthorized access and abuse of virtual environments.
• VPN and Remote Access Logs: To identify unusual access patterns and potential lateral movement.
• VMware vCenter and ESXi Logs: For visibility into infrastructure compromise and unauthorized VM creation.
• Cloud Provider Logs (AWS, Azure, GCP): To detect exfiltration, IAM abuse, and cloud lateral movement.
• Email Gateway and Microsoft 365 Logs: To catch phishing, transport rule changes, and mailbox manipulation.
• Help Desk and Ticketing System Logs: To detect social engineering attempts and password reset requests.

Infrastructure Monitoring – Highest Priority Log Sources

To effectively detect SCATTERED SPIDER activity and other advanced threats, CrowdStrike recommends prioritizing the ingestion of the following infrastructure log sources into Falcon® Next-Gen SIEM:

• VMware vCenter and ESXi Logs
  Essential for detecting manipulation of virtual infrastructure, such as the creation of unauthorized virtual machines, access to domain controller disks, and other signs of compromise.
• Firewall Logs
  Critical for identifying network-based attack patterns, lateral movement, unauthorized connections, and data exfiltration routes.
• DNS Logs
  Vital for spotting suspicious domain queries related to command-and-control (C2) infrastructure, tunneling, and potential data exfiltration attempts.
• Web Proxy Logs
  Used to monitor unusual or unauthorized web traffic that may indicate exfiltration, access to phishing sites, or other malicious behavior.

Enabling ingestion of these log sources and ensuring proper parsing and correlation in Falcon Next-Gen SIEM significantly enhances your ability to detect and respond to SCATTERED SPIDER and other threat actor behaviors.

Identity and Access Monitoring – Critical Log Sources

To enhance detection of identity-based attacks – especially those used by adversaries like SCATTERED SPIDER—CrowdStrike recommends ingesting the following log sources into Falcon® Next-Gen SIEM:

• SSO Platform Logs
  Track authentication anomalies, such as unusual login patterns, geolocation mismatches, or login attempts from new devices—key indicators of credential compromise or session hijacking.
• Entra ID (Azure AD) Sign-on and Audit Logs
  Monitor for identity-focused attack techniques, including MFA fatigue, suspicious password resets, privilege escalation, and unusual administrative activity.
• Privileged Access Management (PAM) Application Logs
  Detect unauthorized use of privileged accounts, credential misuse, and abnormal access to high-value systems.

Ingesting and correlating these identity-related logs within Falcon Next-Gen SIEM provides deep visibility into attacker behaviors and supports early detection of compromise through identity misuse.

Cloud and SaaS Applications – Essential Log Sources

To detect and respond to adversary activity in cloud environments and software-as-a-service (SaaS) platforms, CrowdStrike recommends ingesting the following logs into Falcon® Next-Gen SIEM:

• AWS CloudTrail, Google Cloud Logs, and Azure Activity Logs
  Monitor for cloud resource manipulation, unauthorized access, IAM policy changes, and suspicious configuration modifications that may indicate lateral movement or initial compromise.
• Critical SaaS Application Logs
  Enable logging for business-critical SaaS platforms (e.g., Microsoft 365, Salesforce, ServiceNow, Workday) to detect application-level threats, such as unauthorized data access, unusual login patterns, transport rule modifications, or data exfiltration attempts.

Integrating these cloud and SaaS logs with Falcon Next-Gen SIEM enhances visibility into attacker actions across hybrid environments and strengthens your ability to detect SCATTERED SPIDER’s common cloud-focused tactics.

Deploy Critical Correlation Rule Templates in Falcon® Next-Gen SIEM

To strengthen your monitoring and detection posture against advanced threats like SCATTERED SPIDER, deploying Correlation Rule Templates (CRTs) is essential. After enabling log ingestion, the following CRTs should be prioritized.

VMware Infrastructure Protection

Essential for detecting unauthorized virtual environment activity:

• VMware – vCenter
  • Virtual Machine Created with Recently Uploaded ISO
  • Sensitive Resource Search
• VMware – ESXi
  • Successful Login to the ESXi Host Client Web Admin Interface
  • New IP for SSH Login Detected
  • SFTP Server Enabled

Entra ID Identity Protection

Crucial rules for detecting identity-related threats:

• Microsoft – Entra ID – Risky Sign-in
• Admin Deleted MFA Authentication Method
• Bulk Download User List
• Temporary Access Pass Added to User Account
• Global Administrator Role Assigned

Falcon Shield: Priority Integration Deployment

Falcon Shield, CrowdStrike’s cloud application security module, delivers real-time threat detection across SaaS and cloud platforms with preconfigured High and Medium severity alerts. To maximize its effectiveness:

Prioritize Integration With:

Core SaaS Applications

• Microsoft 365 Suite: Exchange, SharePoint, OneDrive, Teams
• Microsoft Defender: For security event correlation
• Google Workspace: Visibility into Google Cloud activity

Security Platform Integrations

• Enhanced Falcon Integration: For maximum native detection
• Zscaler Cloud Security: Secure web gateway & CASB visibility
• CyberArk PAM: Monitor privileged access and anomalies

Business-Critical Applications

• Snowflake: Detect unauthorized data access or exfiltration
• Workday: Monitor HR-related data access and changes
• GitHub: Track repository access and IP theft risks
• Confluence: Detect suspicious queries and content searches
• Salesforce: Monitor CRM activity and access patterns

Falcon Cloud Security: Comprehensive Cloud Visibility

Registering tenants and deploying asset collectors provides visibility into cloud-based threats and rogue asset creation.

Cloud Tenant Registration

• Register AWS, Azure, and Google Cloud tenants
• Enable automated alerting for suspicious resource creation
• Enforce continuous compliance monitoring

VMware Asset Inventory Collector

• Deploy to all vCenter devices
• Detect unmanaged or rogue VMs
• Track infrastructure changes and ensure automated asset classification

Proactive Hardening and Monitoring Recommendations

Identity Protection

• Enforce phishing-resistant MFA (avoid SMS-based MFA)
• Isolate privileged accounts
• Restrict help desk-initiated MFA enrollments
• Strengthen password reset procedures

Detection and Monitoring

• Continuously track:
  • Authentication anomalies
  • Admin actions
  • Network traffic to critical systems
• Enable behavioral analytics and application usage monitoring
• Monitor for suspicious search terms and unusual data access

Infrastructure Security

• Secure and segment VMware environments
• Block unauthorized remote access tools
• Apply least privilege in cloud setups
• Disable legacy authentication protocols

Incident Readiness

• Maintain isolated, immutable backups
• Develop and test incident response playbooks
• Conduct regular threat simulations and assessments
• Train IT/help desk staff to identify and respond to social engineering attacks

Conclusion

A layered defense strategy using the CrowdStrike Falcon® platform, combined with foundational security hardening practices, significantly enhances protection against SCATTERED SPIDER and similar advanced adversaries. By enabling critical integrations, deploying priority rules, and proactively securing your identity, infrastructure, and cloud environments, organizations can reduce their exposure and respond more effectively to sophisticated threats.

The post CrowdStrike Services has observed SCATTERED SPIDER escalating its attacks across multiple industries appeared first on First Hackers News.

Google’s Threat Intelligence Group has identified multiple cybersecurity breaches in American insurance companies, all consistent with Scattered Spider’s signature tactics. Previously targeting UK and U.S. retailers—including prominent names like Marks & Spencer, Harrods, and Co-op—this hacker collective is now pivoting to a new vertical insurance.

What Is Scattered Spider?

Scattered Spider—also known by aliases like UNC3944, 0ktapus, Scatter Swine, Starfraud, and Muddled Libra—is a decentralized hacking coalition specializing in ransomware, social engineering, and SIM-swapping attacks. Their campaigns often begin with deceptive communications—calls, SMS or email—targeted at help desks or call centers to bypass multi-factor authentication and gain unauthorized access.

Recent Intrusions Impacting Major Insurers

Several high-profile U.S. insurance organizations, including Erie Insurance and Philadelphia Insurance Companies, have reported network outages and suspicious activity dating from early to mid-June. Both incidents involved emergency shutdowns of internal systems, telephony infrastructure, and customer portals.

• Erie Insurance detected abnormal network behavior on June 7, disrupting services and initiating a forensic investigation in partnership with law enforcement.
• Philadelphia Insurance Companies (PHLY) reported unauthorized access around June 9, isolating systems to contain the breach while working with external cybersecurity experts.

Attack Methods: A Sophisticated Social Engineering Campaign

Scattered Spider employs a highly coordinated and deceptive set of cyberattack strategies, primarily centered around advanced social engineering. One of their most common tactics is help-desk impersonation, where attackers fabricate convincing stories to manipulate support staff into resetting login credentials, granting unauthorized access. They also exploit MFA fatigue—also known as MFA bombing—by continuously sending multi-factor authentication requests until users inadvertently approve access out of frustration or confusion. In addition, SIM swapping and phishing are used to hijack mobile numbers or steal login credentials, enabling intrusions into cloud platforms and endpoint devices. Once deep access is achieved, the group often proceeds to deploy powerful ransomware strains like DragonForce, RansomHub, and Qilin, encrypting critical data and demanding ransom for its release. These methods highlight Scattered Spider’s expertise in blending psychological manipulation with technical precision.

Why the Insurance Sector Is at Risk

• Sector-by-Sector Strategy: Scattered Spider typically targets one industry intensely before moving on.
• Human Vulnerabilities: Insurance firms rely heavily on call centers and legacy identity systems—prime targets for social engineering .
• Rich Data & Customer Trust: Access to sensitive financial and personal data makes insurers lucrative for cybercriminals.

Proactive Defense Strategies

To strengthen cyber resilience, Google and Mandiant recommend that insurance firms should:

• Implement Zero‑Trust Identity Controls: Segregate user identities, enforce strong password policies, and integrate phishing-resistant MFA.
• Enhance Helpdesk Authentication: Use challenge-response scripts, photo verification, or voice recognition before resetting passwords.
• Train Staff in Social Engineering Awareness: Educate on tactics like MFA bombing and pretexted calls.
• Monitor for Anomalous Access: Flag logins from unusual locations or residential IPs—especially post-reset.
• Conduct Regular Forensic Readiness: Maintain log review, incident playbooks, and partnerships with third-party cybersecurity firms.

The post Scattered Spider Hackers Shift Focus to U.S. Insurance Firms: Expert Analysis appeared first on First Hackers News.

Agenda Ransomware

The Agenda ransomware group, also known as Qilin, has intensified its activity since late 2024 by deploying a stealthy new tool called NETXLOADER. Protected by .NET Reactor 6, this loader uses heavy obfuscation, making it difficult to analyze and detect.

NETXLOADER delivers malware like Agenda ransomware and SmokeLoader directly into memory, bypassing traditional security tools using dynamic API calls and memory manipulation. It leverages deceptive domains such as bloglake7[.]cfd to distribute disguised payloads and uses randomized file names to appear legitimate.

The code is packed with confusing method names and hidden instructions, hooking into system libraries at runtime to execute its payload. Researchers who managed to deobfuscate it found AES-based decryption routines and memory execution using functions like VirtualAlloc and CreateThread.

SmokeLoader adds to the evasion, using anti-analysis tricks to detect virtual environments and debugging tools. It targets Windows Vista or newer systems and injects itself into explorer.exe for persistence and privilege escalation.

This combination of tools shows a strategic shift by Agenda, focusing on stealth, cross-platform compatibility through Rust, and custom packing methods to increase their chances of success across a wide range of targets.

Trend Micro’s Vision One platform has played a key role in detecting and stopping these threats, giving businesses vital threat intelligence and tools to stay ahead.

As Agenda evolves, organizations need strong security layers, strict access controls, and continuous monitoring to defend against these advanced attacks.

The post Agenda Ransomware Adds SmokeLoader & NETXLOADER appeared first on First Hackers News.