cybersecurity

5183 readers
13 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 2 years ago

cross-posted from: https://lemmy.sdf.org/post/45081057

Archived

Oct 31, 2025Ravie LakshmananMalware / Threat Intelligence

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.

The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday.

"The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said.

[...]


Running suspicious software in a virtual machine seems like a basic precaution to figure out whether said software contains naughty code. Unfortunately it’s generally rather easy to detect whether or not one’s software runs inside a VM, with [bRootForce] going through a list of ways that a VirtualBox VM can be detected from inside the guest OS. While there are a range of obvious naming issues, such as the occurrence of the word ‘VirtualBox’ everywhere, there are many more subtle ways too.

Demonstrated is the PoC ‘malware’ application called Al-Khaser, which can be used to verify one’s anti-malware systems, such as when trying to unleash a debugger on a piece of malware, run it inside a VM, along with many more uses. Among its anti-virtualization features are specific registry key names and values, file system artefacts, directory names, MAC addresses, virtual devices, etc.

In order to squeeze by those checks, [bRootForce] created the vbox_stealth shell script for Bash-blessed systems in order to use the VirtualBox Manager for the renaming of hardware identifiers, along with the VBoxCloak project’s PowerShell script that’s used inside a Windows VirtualBox guest instance to rename registry keys, kill VirtualBox-specific processes, and delete VirtualBox-specific files.

32
 
 

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


I've been exploring a cryptographic concept I can't find an existing name for, and I'd appreciate the community's insight. While I suspect it's overly redundant or computationally heavy, initial testing suggests performance isn't immediately crippling. I'm keen to know if I'm missing a fundamental security or design principle.

The Core Concept

Imagine nesting established, audited cryptographic protocols (like Signal Protocol and MLS) inside one another, not just for transport, but for recursive key establishment.

  1. Layer 1 (Outer): Establish an encrypted channel using Protocol A (e.g., Signal Protocol) for transport security.
  2. Layer 2 (Inner): Within the secure channel established by Protocol A, exchange keys and establish a session using a second, distinct Protocol B (e.g., MLS).
  3. Layer 3 (Deeper): Within the secure channel established by Protocol B, exchange keys and establish a third session using a deeper instance of Protocol A (or a third protocol).

This creates an "encryption stack."

Key Exchange and Payload Encryption

  • Key Exchange: Key material for a deeper layer is always transmitted encrypted by the immediate outer layer. A round-robin approach could even be used, where keys are exchanged multiple times, each time encrypted by the other keys in the stack, though this adds complexity.
  • Payload Encryption: When sending a message, the payload would be encrypted sequentially by every layer in the stack, from the deepest inner layer (Layer N) out to the outermost layer (Layer 1).

Authenticity & Verification

To mitigate Man-in-the-Middle (MITM) attacks and ensure consistency across the layers, users could share a hash computed over all the derived public keys/session secrets from each established layer. Verifying this single combined hash would validate the entire recursive key establishment process.

The Question for the Community

Given that modern protocols like Signal and MLS are already robustly designed and audited:

  1. Are there existing cryptographic terms for this concept of recursively nesting key exchanges? Is this a known (and perhaps discarded) pattern?
  2. What are the fundamental security trade-offs? Does this genuinely add a measurable security margin (e.g., against a massive quantum break on one algorithm but not the other) or is it just security theater due to the principle of "more is not necessarily better"?
  3. What are the practical and theoretical cons I may be overlooking, beyond computational overhead and complexity? Is there a risk of creating cascading failure if one layer is compromised?

I'm prototyping this idea, and while the overhead seems tolerable so far, I'd appreciate your technical critique before considering any real-world deployment.


my wording before AI transcription:

I don't know how to describe it more elegantly. I hope the title doesn't trigger you.

I was thinking about a concept and I couldn't find anything online that matched my description.

I'm sure AI is able to implement this concept, but I don't see it used in other places. Maybe it's just computationally heavy and so considered bad practice. It's clearly quite redundant... but I'd like to share. I hope you can highlight anything I'm overlooking.

In something like the Signal protocol, you have an encrypted connection to the server as well as an additional layer of encryption for e2e encryption... what if we used that Signal-protocol encrypted channel to then exchange MLS encryption keys... an encryption protocol within an encryption protocol.

... then, from within the MLS encrypted channel, establish an additional set of keys for use in a deeper layer of the Signal protocol. This second layer is redundant.

You could run through the "encryption stack" twice over for something like a round-robin approach so each key exchange has been encrypted by the other keys. When encrypting a payload you would be encrypting it in order of the encryption stack.

For authenticity (avoiding MITM), users can share a hash of all the shared public keys so it can verify that the encryption key hashes match, to be sure that each layer of encryption is valid.

This could be very complicated to pull off and unnecessary considering things like the Signal, MLS, WebRTC encryption should already be sufficiently audited.

What could be the pros and cons of doing this?... I'm testing things out (just demo code) and the performance doesn't seem bad. If I can make the UX seamless, then I would consider rolling it out.


same question on reddit (has some responses): https://www.reddit.com/r/crypto/comments/1oi4xqt/multiprotocol_cascading_roundrobin_cipher
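A minimal model of the payload-encryption and combined-fingerprint parts of the proposal above, added here as an illustration; it is not code from the poster's prototype, nor from Signal or MLS. It assumes every layer already holds its own symmetric key (the key exchange itself is not modelled), and stands in a constructed toy layer cipher (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) for a real protocol layer. The names `EncryptionStack`, `layer_encrypt`, `layer_decrypt` and `failing_layer` are invented for this example.

```python
import hashlib
import hmac
import os
from typing import List

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One layer: nonce || (plaintext XOR keystream) || HMAC tag over nonce and body."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raises ValueError on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class EncryptionStack:
    """keys[0] belongs to Layer 1 (outermost), keys[-1] to Layer N (deepest)."""

    def __init__(self, keys: List[bytes]):
        if not keys:
            raise ValueError("need at least one layer")
        self.keys = list(keys)

    def encrypt(self, payload: bytes) -> bytes:
        blob = payload
        for key in reversed(self.keys):  # deepest layer first, outermost last
            blob = layer_encrypt(key, blob)
        return blob

    def decrypt(self, blob: bytes) -> bytes:
        for depth, key in enumerate(self.keys, start=1):  # peel from the outside in
            try:
                blob = layer_decrypt(key, blob)
            except ValueError as exc:
                raise ValueError(f"layer {depth}: {exc}") from exc
        return blob

    def fingerprint(self) -> str:
        """Single value to compare out of band: a hash over a per-layer commitment
        (layer index plus a hash of that layer's key), never over the raw keys."""
        h = hashlib.sha256()
        for depth, key in enumerate(self.keys, start=1):
            h.update(depth.to_bytes(2, "big"))
            h.update(hashlib.sha256(b"layer-commit" + key).digest())
        return h.hexdigest()


def failing_layer(stack: EncryptionStack, blob: bytes) -> int:
    """0 if the blob decrypts cleanly, otherwise the depth of the layer that rejected it."""
    for depth, key in enumerate(stack.keys, start=1):
        try:
            blob = layer_decrypt(key, blob)
        except ValueError:
            return depth
    return 0


if __name__ == "__main__":
    demo_keys = [os.urandom(32) for _ in range(3)]  # constructed per-layer keys
    stack = EncryptionStack(demo_keys)
    ct = stack.encrypt(b"meeting at 14:00")
    print("layers:", len(demo_keys), "ciphertext bytes:", len(ct))
    print("round trip:", stack.decrypt(ct))
    print("fingerprint:", stack.fingerprint())
```

Two things the model makes visible: because the outermost tag covers everything beneath it, any modification of the wire bytes is rejected at layer 1 before inner keys are touched, and a party holding only the outer key peels one layer and still sees ciphertext. What the model deliberately leaves out is the key transport the post describes (inner keys carried through the outer channel), which is where the cascading-failure question bites: an outer-layer compromise at exchange time exposes the inner keys, so the extra layers add margin only to the extent their keys were not all derived or transported through the same path.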


In December 2024, the UN General Assembly adopted the United Nations Convention against Cybercrime — the first international treaty on criminal justice in more than two decades.

The adoption of the document was the result of five years of negotiations among UN Member States, with the participation of experts, civil society, academia, and the private sector.

UN Secretary-General António Guterres called the adoption of the Convention “a decisive step” in global efforts to ensure safety online.

On 25 October, the Convention will be opened for signature at an official ceremony in Hanoi, Viet Nam. It will enter into force 90 days after ratification by 40 States.

Global response to global threat

The new document establishes a common international framework for combating cybercrime. It introduces unified definitions, investigation standards, and mechanisms for assisting victims — including compensation, restitution, and removal of illegal content.

States will implement these measures in accordance with their national legislation but within agreed international principles. And perhaps, with this Convention, a new era will begin — one in which a single wrong letter in a website address will no longer cost you everything.

The United Nations Office on Drugs and Crime (UNODC) leads the UN response to cybercrime with training and support to countries across the world.

The Vienna-based agency draws upon its specialized expertise on criminal justice systems to provide technical assistance in prevention and awareness-raising, legislative reform, revamping of law enforcement capabilities, international cooperation, forensic support as well as in data collection, research and analysis on cybercrime.

submitted 1 month ago* (last edited 1 month ago) by Deebster to c/cybersecurity

The name, that is.

I was curious if Burp Suite's Dafydd Stuttard was Welsh, which led me to his AMA video.

PortSwigger was his handle when he was starting out, and was a pun about the fortified wine from Portugal and port scanners.

That vid also answers who is Peter Wiener.


The makers of BIND, the Internet’s most widely used software for resolving domain names, are warning of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones.

The vulnerabilities, tracked as CVE-2025-40778 and CVE-2025-40780, stem from a logic error and a weakness in generating pseudo-random numbers, respectively. They each carry a severity rating of 8.6. Separately, makers of the Domain Name System resolver software Unbound warned of similar vulnerabilities that were reported by the same researchers. The Unbound vulnerability's severity score is 5.6.


cross-posted from: https://lemmy.sdf.org/post/44445362

Archived

  • Notorious hacking group Salt Typhoon has likely been targeting Telecom orgs
  • Researchers identified tactics previously used by the group
  • Salt Typhoon breached up to 8 US telecom networks in a huge cyber-espionage campaign

[...]

A new report from Darktrace claims the [Chinese hacking group Salt Typhoon] has been observed, "targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits."

The early-stage intrusion activity detected mirrors previous Salt Typhoon tactics, such as the prolific attacks on up to 8 different telecom organizations in a far-reaching and potent multi-year campaign, which resulted in the group stealing information from millions of American telecom customers, using a high-severity Cisco flaw to gain access and eventually collect traffic from the networks devices were connected to.

[...]


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


How did the changes in the binary test files tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma, and the makefile change in m4/build-to-host.m4, manifest to the Debian maintainer? Was there a chance of noticing something odd?


I just watched "Decentralized Authentication is Our Only Hope" and the dude presented a new method of authentication that went over my head. Back when reading SQRL my first thought was "damn, that's genius".

My credentials lie pretty far from cybersecurity and I'm way out of date on auth (OAuth I understand, but not WebAuthn and FIDO, etc.), so if somebody could maybe explain why SQRL didn't catch on, that'd be great. Was it too complicated? Did something better come along? Just general inertia?

MS Digital Defense Report (cdn-dynmedia-1.microsoft.com)
submitted 1 month ago by cm0002@lemdro.id to c/cybersecurity

The Microsoft Digital Defense Report 2025 provides an in-depth look at the current state of cybersecurity, emerging threats, and the future of digital defense. The report is structured around three key areas:

Current Threat Landscape: It highlights the current cybersecurity landscape, including the rise of state-sponsored threats, advanced persistent threats (APTs), ransomware, and the increased use of AI in cyber attacks. It discusses the growing trend of cyber threats targeting cloud services, supply chains, and IoT devices.

The report also mentions the evolving threat landscape in the context of the war in Ukraine, emphasizing the impact of cyber warfare and espionage on global digital security.

Emerging Trends and Technologies: The report covers the impact of AI and machine learning on both cybersecurity and cyber threats. On one hand, AI is being used to enhance threat detection and response, but it's also being used by malicious actors to launch more sophisticated attacks.

It discusses the challenges and opportunities in securing the metaverse, including new attack vectors and the need for new security paradigms in virtual and augmented reality environments.

There's also an emphasis on the role of 5G and edge computing in the future of digital defense, highlighting both the potential for improved security (through improved connectivity and data processing capabilities) and new vulnerabilities.

Defense Strategies and Recommendations: Microsoft advocates for a shift towards more proactive and predictive approaches to cybersecurity, including the use of AI and automation for threat detection and incident response.

It stresses the importance of a "defense-in-depth" strategy that combines multiple layers of security, including identity and access management, endpoint security, and cloud security.

The report highlights the need for collaboration between the public and private sectors, as well as across international borders, to combat the increasingly globalized nature of cyber threats.

It also touches on the importance of securing software supply chains, enhancing user education and awareness, and the role of cybersecurity as a core aspect of business continuity and resilience planning.

Special Focus on Government and Industry Responses: The report offers insights into how governments and industries worldwide are responding to these threats, including legislative and regulatory efforts, international cooperation, and industry best practices.

It discusses the role of national cybersecurity agencies and international organizations in setting standards and coordinating responses to global threats. There's also a focus on the importance of addressing the skills gap in cybersecurity, with recommendations for education and training programs to ensure there are enough skilled professionals to meet the growing demand.

Future Outlook: Microsoft provides a forward-looking perspective on what the next few years might hold, including predictions for how AI, quantum computing, and the evolution of digital infrastructure might shape both threats and defenses. It also outlines the need for continuous innovation in cybersecurity technologies and practices to stay ahead of threats.

The Microsoft Digital Defense Report 2025 serves as a comprehensive guide for organizations and governments looking to understand the current state of cybersecurity and prepare for future threats, emphasizing collaboration, innovation, and a proactive approach to digital defense.

(Summary by Apertus PublicAI)


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.
