cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research and questions are all welcome!

founded 2 years ago
cross-posted from: https://mander.xyz/post/43813312

Chinese espionage crew 'Ink Dragon' expands its snooping activities into European government servers

In the last few months, the activities of the China-linked threat actor Ink Dragon have shown an increased focus on government targets in Europe, in addition to continued activity in Southeast Asia and South America.

Web archive link

Here is the original (technical) report: Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

...

These attacks begin with Ink Dragon probing security weaknesses, such as misconfigured Microsoft IIS and SharePoint servers, to gain access to victims' environments. This tactic, as opposed to abusing zero-days or other high-profile vulnerabilities, helps attackers fly under the radar and reduces their chances of being caught.

Ink Dragon then scoops up credentials and uses existing accounts to infiltrate targets, tactics that help the gang blend in with normal network traffic.

"This stage is typically characterized by low noise and spreads through infrastructure that shares the same credentials or management patterns," Check Point's researchers said in a Tuesday blog.

Once Ink Dragon finds an account with domain-level access, the spies set to work establishing long-term access across high-value systems, installing backdoors and implants that store credentials and other sensitive data.

...

In addition to their new targets and relay node activity, Check Point says the cyber spies have also updated their FinalDraft backdoor so that it blends in with common Microsoft cloud activity, hiding its command traffic inside mailbox drafts.

The new version also lets the malware check in during business hours - so as not to draw unwanted after-hour attention - and can more efficiently transfer large files with minimal noise.

...

The threat hunters' investigation into Ink Dragon also uncovered similar stealthy activity by another China-linked espionage crew, RudePanda, which "had quietly entered several of the same government networks," they wrote.

While the two groups are unrelated, they both abused the same server vulnerability to gain access to the same IT environments. This also illustrates the changing tactics among other government-sponsored cyber squads, including not only Beijing-backed crews, but also those from Russia.

...
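To make the draft-based channel concrete, here is an added hunting heuristic in Python (not code from Check Point or from the article). It runs over constructed mailbox-audit-style events whose field layout and thresholds are assumptions, and flags mailboxes where drafts are created and deleted in volume but nothing is ever sent. Because the passage says the implant deliberately checks in during business hours, the business-hours share is reported as context rather than used as a trigger.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox-audit-style events as (timestamp, mailbox, operation, folder).
# The field layout is an assumption modelled loosely on a mailbox audit export; it is
# not real telemetry and not an artefact from the Check Point report.
def constructed_events():
    events = []
    base = datetime(2025, 11, 18, 9, 0)  # a Tuesday, 09:00
    # A service mailbox that creates and deletes drafts in pairs, never sends anything,
    # and only does so between 09:00 and 17:00 (the business-hours pattern described above).
    for i in range(12):
        t = base + timedelta(minutes=37 * i)
        events.append((t, "svc-reports@example.gov", "Create", "\\Drafts"))
        events.append((t + timedelta(seconds=25), "svc-reports@example.gov", "HardDelete", "\\Drafts"))
    # An ordinary user: a few drafts, most of which end up being sent.
    ops = ["Create", "Create", "Send", "Create", "Send", "Send", "HardDelete"]
    for i, op in enumerate(ops):
        folder = "\\Sent Items" if op == "Send" else "\\Drafts"
        events.append((base + timedelta(hours=i), "alice@example.gov", op, folder))
    return events


def mailbox_stats(events):
    """Per-mailbox counts of draft creates, draft deletes, sends and business-hours events."""
    stats = defaultdict(lambda: {"draft_create": 0, "draft_delete": 0,
                                 "send": 0, "in_hours": 0, "total": 0})
    for ts, mbx, op, folder in events:
        s = stats[mbx]
        s["total"] += 1
        if ts.weekday() < 5 and 9 <= ts.hour < 17:
            s["in_hours"] += 1
        if folder == "\\Drafts" and op == "Create":
            s["draft_create"] += 1
        elif folder == "\\Drafts" and op in ("HardDelete", "SoftDelete", "MoveToDeletedItems"):
            s["draft_delete"] += 1
        elif op == "Send":
            s["send"] += 1
    return stats


def flag_draft_channel(events, min_drafts=10, max_send_ratio=0.1):
    """Flag mailboxes whose drafts are created and removed in volume but almost never sent.

    Thresholds are assumptions for illustration. Returns (mailbox, business_hours_share);
    the share is context only, because an implant that deliberately checks in during
    business hours will not be separated from users by time of day alone.
    """
    flagged = []
    for mbx, s in sorted(mailbox_stats(events).items()):
        churn = (s["draft_create"] >= min_drafts
                 and s["draft_delete"] >= 0.8 * s["draft_create"])
        silent = s["send"] <= max_send_ratio * s["draft_create"]
        if churn and silent:
            flagged.append((mbx, round(s["in_hours"] / s["total"], 2)))
    return flagged


if __name__ == "__main__":
    for mbx, share in flag_draft_channel(constructed_events()):
        print(f"{mbx}: draft churn with no sends; {share:.0%} of events in business hours")
```

The ratio of draft churn to actual sends is the discriminator here; an interactive user who drafts a dozen messages normally sends most of them, while a covert channel that parks commands and results in drafts and then removes them does not. Treat the output as a hunting lead to be correlated with the client application and source address behind the draft operations, not as a verdict.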

GPU Efficiency in VLAI Model Training (www.vulnerability-lookup.org)
submitted 5 hours ago by cm0002@lemy.lol to c/cybersecurity


Dozens of government and university websites belonging to cities, towns, and public agencies across the country are hosting PDFs promoting AI porn apps, porn sites, and cryptocurrency scams; dozens more have been hit with website redirection attacks which lead to animal vagina sex toy ecommerce pages, penis enlargement treatments, automatically-downloading Windows program files, and porn.

“Sex xxx video sexy Xvideo bf porn XXX xnxx Sex XXX porn XXX blue film Sex Video xxx sex videos Porn Hub XVideos XXX sexy bf videos blue film Videos Oficial on Instagram New Viral Video The latest original video has taken the internet by storm and left viewers in on various social media platforms ex Videos Hot Sex Video Hot Porn viral video,” reads the beginning of a three-page PDF uploaded to the website of the Irvington, New Jersey city government’s website.

Archive: http://archive.today/tgD57

Off-Topic Friday (self.cybersecurity)
submitted 5 days ago by shellsharks to c/cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Off-Topic Friday (self.cybersecurity)
submitted 1 week ago by shellsharks to c/cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

cross-posted from: https://scribe.disroot.org/post/5953090

Archived version

Here is the original CISA report: BRICKSTORM Backdoor

...

Chinese hackers are using a strain of malware to attack governments in several countries and maintain long-term access, according to U.S. and Canadian cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security published an advisory on Thursday outlining the BRICKSTORM malware, based on an analysis of eight samples taken from victim organizations.

...

“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen.

The advisory includes indicators of compromise and detections organizations can use to tell if they have been impacted by the campaign involving the malware. The malware is used “for long-term persistence on victim systems,” according to U.S. agencies.

...

The goal of the campaign is to steal valuable intellectual property and sensitive data — with a particular focus on the email inboxes of senior company leaders, according to Mandiant. The company attributed the campaign to a threat actor they previously accused of abusing vulnerabilities in firewall products from tech company Ivanti.

...

Record-Breaking DDoS Attacks Mark 2025 Q3 as Aisuru Botnet Emerges

The Aisuru botnet dominated the DDoS threat landscape in Q3 2025, commanding an army of 1-4 million infected devices and launching unprecedented attacks that peaked at 29.7 Tbps and 14.1 billion packets per second[^1]. Cloudflare's autonomous systems blocked 8.3 million DDoS attacks during the quarter, averaging 3,780 attacks per hour - a 15% increase from Q2 and 40% year-over-year[^1].

The Rise of Aisuru

The botnet targeted telecommunications providers, gaming companies, hosting providers, and financial services, causing widespread Internet disruption even when organizations weren't direct targets[^1]. Parts of Aisuru are now offered as botnets-for-hire, enabling attackers to "inflict chaos on entire nations" for just hundreds to thousands of dollars[^1].

Attack Statistics

  • 1,304 hyper-volumetric attacks in Q3 alone (54% increase from Q2)
  • Attacks over 100 million packets per second up 189%
  • Attacks exceeding 1 Tbps increased 227%
  • 4% of HTTP attacks exceeded 1 million requests per second[^15]

Industry Impacts

DDoS attacks against AI companies surged 347% month-over-month in September 2025, coinciding with increased public concern over AI risks[^1]. The Mining, Minerals & Metals industry jumped 24 spots in target rankings amid EU-China tensions over rare earth minerals and EV tariffs[^1].

Geographic Trends

Indonesia maintained its position as the leading source of DDoS attacks globally, holding the top spot for a full year. The country's share of HTTP DDoS attack traffic has grown by 31,900% since 2021[^1].

Attack Types

UDP floods led network-layer attacks with a 231% quarterly increase, followed by DNS floods, SYN floods, and ICMP floods[^1]. Nearly 70% of HTTP DDoS attacks came from known botnets, with 20% originating from fake or headless browsers[^1].

[^1]: Cloudflare - Cloudflare's 2025 Q3 DDoS threat report
[^15]: Security Affairs - Cloudflare mitigates record 29.7 Tbps DDoS attack by the AISURU botnet

cross-posted from: https://lemmy.zip/post/54305624

Open source React executes malicious code with malformed HTML—no authentication needed.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be multiple campaigns at work also.

🎁 Here’s a little end-of-year gift backed with Sightings from Vulnerability-Lookup! A small step into 2026.

The year is almost over, so we’ve wrapped up a fresh Sightings Forecast — looking at how sightings evolve across social platforms, code repositories, and structured feeds. All monitored through our tools[1] and enriched by our fantastic community[2].

👉 Read the full report:

https://www.vulnerability-lookup.org/2025/12/02/end-of-year-threat-intelligence-sightings-forecast/

The goal: track how sightings evolve over time and provide an adaptive short-term forecast for several key sources monitored by Vulnerability-Lookup.

Our methodology combines weekly historical trends with daily adaptive models. Depending on the underlying slope, we apply either a Logistic Growth model (for rising trends) or an Exponential Decay model (for declining activity).

🔍 Key takeaways

Social platforms like the Fediverse and Bluesky show highly event-driven, volatile patterns, reflecting real-time community discussions.

Structured sources such as MISP Project, The Shadowserver Foundation, and Nuclei offer more stable and reliable signals, ideal for validated intelligence.

Early detection: Social sources provide fast but noisy signals. Not to ignore.

Reliability: Structured intelligence confirms and contextualizes threats.

Better planning: Adaptive forecasting enables informed prioritization and workload management.

Balanced visibility: Combining heterogeneous sources gives stronger situational awareness.

💶🇪🇺 Funding

This work is part of the EU-funded FETTA initiative, strengthening cross-European collaboration on threat intelligence.

https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/how-to-participate/org-details/999999999/project/101128030/program/43152860/details
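As an added illustration of the slope-based model selection the post describes (example code, not Vulnerability-Lookup's own), the following Python fits either curve to constructed weekly sighting counts. The counts are made up, and the saturation level used for the logistic curve (1.25 × the observed maximum) is an assumption made so that both fits reduce to ordinary linear regression and need no curve-fitting library.

```python
import math

# Constructed weekly sighting counts for two hypothetical sources (not figures from the report).
RISING = [4, 6, 9, 14, 20, 27, 33, 38]
FALLING = [40, 31, 25, 19, 15, 12, 9, 7]


def least_squares_slope(series):
    """Slope of a least-squares line through (t, y) with t = 0, 1, ..., n-1."""
    n = len(series)
    t_mean = (n - 1) / 2
    y_mean = sum(series) / n
    num = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(series))
    den = sum((t - t_mean) ** 2 for t in range(n))
    return num / den


def choose_model(series):
    """Rising slope -> logistic growth; flat or falling -> exponential decay (as described above)."""
    return "logistic_growth" if least_squares_slope(series) > 0 else "exponential_decay"


def fit_exponential_decay(series):
    """y(t) = a * exp(-k t), fitted by linear regression on log(y). Returns (a, k)."""
    logs = [math.log(max(y, 0.5)) for y in series]  # clamp so a zero week does not break the log
    s = least_squares_slope(logs)
    intercept = sum(logs) / len(logs) - s * (len(logs) - 1) / 2
    return math.exp(intercept), -s


def fit_logistic_growth(series, capacity=None):
    """y(t) = K / (1 + exp(-r (t - t0))).

    K (the saturation level) is assumed to be 1.25 x the observed maximum so the curve can be
    linearised as log(y / (K - y)) = r t - r t0 and fitted with the same slope routine.
    Returns (K, r, t0).
    """
    K = capacity if capacity is not None else 1.25 * max(series)
    z = [math.log(max(y, 0.5) / (K - y)) for y in series]
    r = least_squares_slope(z)
    intercept = sum(z) / len(z) - r * (len(z) - 1) / 2
    return K, r, -intercept / r


def forecast(series, horizon=3):
    """Pick the model from the slope, fit it, and project `horizon` weeks past the series."""
    model = choose_model(series)
    n = len(series)
    if model == "exponential_decay":
        a, k = fit_exponential_decay(series)
        preds = [a * math.exp(-k * t) for t in range(n, n + horizon)]
    else:
        K, r, t0 = fit_logistic_growth(series)
        preds = [K / (1 + math.exp(-r * (t - t0))) for t in range(n, n + horizon)]
    return model, [round(p, 1) for p in preds]


if __name__ == "__main__":
    for name, series in (("rising source", RISING), ("declining source", FALLING)):
        model, preds = forecast(series)
        print(f"{name}: {model}, next weeks ~ {preds}")
```

Run as a script it prints the chosen model and a three-week projection for each source. The point is the branch in `choose_model`: the decision is driven purely by the sign of the recent slope, which is what lets the same machinery be applied to volatile social sources and to steadier structured feeds alike; the fitted curve then decides whether the projection saturates (logistic) or fades towards zero (decay).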

cross-posted from: https://mander.xyz/post/42887934

Web archive link

The accelerating cyber threats facing Ireland demand “an aggressive response” by the State, according to the country’s cyber bosses.

The National Cyber Security Centre (NCSC) said criminal cyber gangs and hackers, aligned to states like China and Russia, pose a “significant threat” to Ireland’s national security.

This is because Ireland hosts some of the world’s largest tech providers and cloud computing facilities, and because of the worsening geopolitical situation and the threat posed to Europe by Russia’s war of aggression in Ukraine.

The centre said it “regularly observes state-aligned threat actors carrying out scanning and other reconnaissance activities” targeting Irish government and State-owned networks.

...

Publishing its 2025 National Cyber Risk Assessment, the NCSC said Ireland was at risk from cyber attacks on “shared critical infrastructure”, such as gas and electricity pipelines connecting Ireland to the UK and France.

...
