Newsletters

Written content from the Risky Business Media team

Risky Bulletin: Chinese APT abuses Windows Sandbox to go invisible on infected hosts

Presented by

Catalin Cimpanu

News Editor

A Chinese cyber-espionage group named MirrorFace (aka Earth Kasha, APT10) is abusing the Windows Sandbox virtual environment to hide the execution of its malware on infected systems.

Attacks incorporating Windows Sandbox have been taking place since 2023 and represent the first known case of Windows Sandbox abuse since its release in December 2018.

As the name hints, the feature allows Windows users to start an isolated sandbox where they can temporarily install/test apps and then shut down the virtual environment without impacting the main OS and their data.

Risky Bulletin: AI slopsquatting... it's coming!

Presented by

Catalin Cimpanu

News Editor

Security firms, open-source experts, and academics are warning about a new supply chain vector they're calling slopsquatting.

The technique's name combines the terms AI slop and typosquatting.

It revolves around the increasing use of AI coding tools to generate blocks of source code that may sometimes make their way into production systems.

MAGA's NSA Purge Will Get Messy

Presented by

Tom Uren

Policy & Intelligence

The politically motivated dismissal of the head of both NSA and US Cyber Command will be extremely damaging to the agencies, to their relationships with allies, and to US national security.

General Timothy Haugh was sacked last Thursday from his leadership positions at NSA and Cyber Command after a far-right conspiracy theorist urged his removal in a meeting with President Donald Trump. The NSA's civilian deputy, Wendy Noble, was also removed together with five National Security Council Staff. Per The Washington Post:

On X, Loomer claimed Trump responded to her call for the firings:

Risky Bulletin: Hackers leak data from major bulletproof hosting provider

Presented by

Catalin Cimpanu

News Editor

An unnamed hacker (or maybe a hacker group, who knows) has leaked internal data from Media Land, one of today's largest bulletproof web hosting providers.

The leaked files contain information on the company's past customers, what type of services they contracted, and what was hosted on the platform.

Threat intel firm Prodaft believes the attacker is the same threat actor that hacked and leaked internal chats from the BlackBasta ransomware group in mid-February.

Risky Bulletin: Hackers hit Australia's superannuation pension funds

Presented by

Catalin Cimpanu

News Editor

A wave of credential-stuffing attacks targeted Australian pension funds last week, resulting in the theft of some customer retirement funds.

The attacks targeted superannuation accounts, a private pension fund system used in Australia where employees store money that is made available to them when they retire.

Five major superannuation pension funds confirmed the attacks.

Risky Bulletin: Android looks set to get its own Lockdown Mode

Presented by

Catalin Cimpanu

News Editor

Google has been secretly working on a new super-secure mode for Android that's inspired by Apple's iPhone Lockdown Mode.

According to a placeholder documentation page and based on analysis of Android beta images, the new feature is named the Android Advanced Protection Mode (AAPM).

Just like Lockdown Mode, the AAPM is not intended for regular Android users and was specifically designed for high-risk individuals who may face threats from oppressive regimes, advanced spyware, and rogue network surveillance attacks.

Bonjour, Fellow IT Workers

Presented by

Tom Uren

Policy & Intelligence

Fraudulent North Korean IT workers are pivoting into new regions as it becomes more difficult for them to get jobs in the United States. The bad news is they are also employing new tactics that make them more dangerous. 

For several years North Korea has used IT workers to raise revenue for the regime in addition to its cryptocurrency hacking efforts. These workers use fake identities and seek legitimate remote jobs across a range of industries. They are paid wages, but also leverage their privileged access to enable cyber intrusions. 

In a report released this week Google's Threat Intelligence Group said North Korean IT workers were widening their global operations, with a "notable focus" on Europe. This report, and similar research from insider risk management firm DTEX, were covered by Catalin Cimpanu in our sister publication Risky Bulletin. Catalin's write-up covers the history of the IT worker scam, who has been affected and resources to help identify potential North Korean workers.

Risky Bulletin: DPRK worker scheme expands to Europe after US crackdown

Presented by

Catalin Cimpanu

News Editor

North Korean IT worker schemes have expanded globally and are now heavily targeting European companies after a crackdown from US authorities last year.

Towards the end of 2024, North Korean workers started creating fake personas tailored for the European job market and seeking IT jobs at European tech companies, from small firms to large tech giants.

In a report this week, Google's security teams say they've spotted at least 12 fake personas linked to the Pyongyang regime.

Risky Bulletin: Hackers abuse secret WordPress feature you'll probably want to disable

Presented by

Catalin Cimpanu

News Editor

Hackers are abusing a little-known WordPress feature named Must Use Plugins to install and hide malware from site administrators.

Also known as mu-plugins, the Must Use Plugins feature was added to the WordPress CMS in 2022.

Plugins placed in a special folder named /mu-plugins are automatically installed and enabled on a website without users needing to manually approve them.

Risky Bulletin: France runs phishing test on 2.5 million students

Presented by

Catalin Cimpanu

News Editor

Last week, the French government conducted a large-scale phishing test on over 2.5 million middle and high school students.

The test placed a link in students' school digital workspace advertising cheats and cracked games; clicking it redirected students to a phishing awareness video.

According to CNIL, France's privacy watchdog, over 210,000 students clicked the link, representing roughly one in twelve students.