Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was attributed to a "sustained"

iT4iNT SERVER Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations VDS VPS Cloud #APT28 #CyberSecurity #CredentialStealing #ThreatHunting #RussianCyber

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram  Researchers have uncovered a malicious Go package disguised as an SSH brute-force tool that secretly collects and transmits stolen credentials to an attacker-controlled Telegram bot. The package, named golang-random-ip-ssh-bruteforce, first appeared on June 24, 2022, and was linked to a developer under the alias IllDieAnyway. Although the GitHub profile tied to this account has since been removed, the package is still accessible through Go’s official registry, raising concerns about supply chain security risks for developers who might unknowingly use it.  The module is designed to scan random IPv4 addresses in search of SSH services operating on TCP port 22. Once it detects a running service, it attempts brute-force login using only two usernames, “root” and “admin,” combined with a list of weak and commonly used passwords. These include phrases such as “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.” If login succeeds, the malware immediately exfiltrates the target server’s IP address, username, and password through Telegram’s API to a bot called @sshZXC_bot, which forwards the stolen information to a user identified as @io_ping. Since Telegram communications are encrypted via HTTPS, the credential theft blends into ordinary web traffic, making detection much more difficult.  The design of the tool helps it remain stealthy while maximizing efficiency. To bypass host identity checks, the module disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as its callback. It continuously generates IPv4 addresses while attempting concurrent logins in an endless loop, increasing the chances of finding vulnerable servers. Interestingly, once it captures valid credentials for the first time, the malware terminates itself. This tactic minimizes its exposure, helping it avoid detection by defenders monitoring for sustained brute-force activity.  Archival evidence suggests that the creator of this package has been active in the underground hacking community for years. Records link the developer to the release of multiple offensive tools, including an IP port scanner, an Instagram parser, and Selica-C2, a PHP-based botnet for command-and-control operations. Associated videos show tutorials on exploiting Telegram bots and launching SMS bomber attacks on Russian platforms. Analysts believe the attacker is likely of Russian origin, based on the language, platforms, and content of their activity.  Security researchers warn that this Trojanized Go module represents a clear supply chain risk. Developers who unknowingly integrate it into their projects could unintentionally expose sensitive credentials to attackers, since the exfiltration traffic is hidden within legitimate encrypted HTTPS connections. This case underscores the growing threat of malicious open-source packages being planted in widely used ecosystems, where unsuspecting developers become conduits for large-scale credential theft.

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram #Bruteforceattack #Credentialstealing #DataBreach

North Korean dev hijacks dormant Waves repositories, slips credential-stealing code in wallet updates A North Korean developer gained elevated privileges inside Waves Protocol’s Keeper-Wallet cod...

#Finance #code #credentialstealing #Dev #dormant #hijacks […]

[Original post on zephyrnet.com]

Incredibile a dirsi, ma le campagne di #phishing mirato e il #credentialstealing ha prodotto un aumento degli attacchi in Italia per il mese di marzo.

Grazie #ACN che li proteggi e grazie #GarantePrivacy che li sanzioni a dovere!

@sonoclaudio.ransomnews.online @garantepiracy.it

Cybercriminals Shift Tactics Towards Stealth and Identity Theft: IBM X-Force 2025 Report   iThe IBM X-Force 2025 Threat Intelligence Index highlights a growing trend of cybercriminals adopting more covert attack strategies. Drawing from analysis of over 150 billion security events daily across 130+ countries, the report notes an 84% spike in email-delivered infostealers in 2024 compared to the previous year. This surge signals a marked pivot towards credential theft, even as enterprise-targeted ransomware attacks show a notable decline. “Cybercriminals are most often breaking in without breaking anything – capitalising on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said IBM cybersecurity services global managing partner Mark Hughes. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernising authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.” The report found that critical infrastructure organisations bore the brunt of attacks, accounting for 70% of incidents handled by IBM X-Force last year. More than a quarter of these breaches exploited system vulnerabilities. Data theft (18%) overtook encryption-based attacks (11%) as the preferred method, reflecting improvements in detection tools and increased law enforcement pressure, which have forced threat actors to rethink their strategies. Asia and North America emerged as the primary targets, together representing almost 60% of all global attacks. Asia faced 34% of the incidents, while North America encountered 24%. For the fourth consecutive year, the manufacturing industry remained the most impacted sector, attributed to its sensitivity to operational disruptions and susceptibility to ransomware. Emerging AI-related threats also garnered attention. Although no major AI-focused attacks surfaced in 2024, security teams are racing to find and patch vulnerabilities before they are exploited. A critical remote code execution flaw within an AI development framework is expected to gain traction in 2025 as adoption grows. Experts warn that attackers may soon develop dedicated toolkits aimed specifically at AI systems, underlining the urgent need to secure AI infrastructure.Persistent challenges in critical infrastructure security largely stem from outdated technologies and delayed patch management. IBM X-Force revealed that vulnerabilities accounted for over 25% of exploited incidents. Analyzing discussions on dark web forums showed that four of the ten most talked-about CVEs were associated with advanced threat groups, including state-sponsored actors, escalating the risks of disruption and extortion. Research in collaboration with Red Hat Insights found that over 50% of Red Hat Enterprise Linux users had not patched at least one critical vulnerability, with 18% leaving five or more critical CVEs unaddressed. Moreover, ransomware variants like Akira, Lockbit, Clop, and RansomHub have expanded their capabilities to affect both Windows and Linux systems. A sharp rise in phishing campaigns distributing infostealers was another key finding, with a 180% jump compared to 2023. The use of credential phishing and infostealers enables hackers to swiftly exfiltrate sensitive information while maintaining a low profile. While ransomware still accounted for 28% of malware attacks in 2024, its overall prevalence declined compared to previous years. Cybercriminals are increasingly shifting towards identity-based attacks, adapting to countermeasures that have made traditional ransomware operations more difficult.

Cybercriminals Shift Tactics Towards Stealth and Identity Theft: IBM X-Force 2025 Report #Credentialstealing #CyberSecurity #Cybersecurity