Unit 42 uncovers JavaGhost’s evolving AWS attacks. Learn how this threat actor uses phishing, IAM abuse, and advanced…

Unit 42 uncovers JavaGhost’s evolving AWS attacks. Learn how this threat actor uses phishing, IAM abuse, and advanced evasion techniques, and find out how to detect and respond.

Researchers at Palo Alto Networks’ Unit 42 have been tracking a persistent threat actor, designated TGR-UNK-0011, which they have confidently attributed to the group known as JavaGhost. As per their investigation, shared with Hackread.com, this group has been active for over half a decade and has recently shifted its focus from website defacement to conducting financially motivated phishing campaigns, particularly targeting cloud environments.

Initially, JavaGhost’s activities, documented on website defacement registries, primarily revolved around altering the content of websites. However, Unit 42’s investigations conducted between 2022 and 2024 revealed that attackers were actively exploiting misconfigurations within organizations’ Amazon Web Services (AWS) environments to launch phishing attacks.

It is worth noting that these attacks did not result from vulnerabilities within AWS itself, but from the exposure of long-term access keys due to configuration errors within the targeted organizations. 

The group’s methodology involves leveraging compromised AWS credentials to gain initial access via the command-line interface (CLI). To evade detection, they avoid the commonly used “GetCallerIdentity” API call, and instead, use “GetServiceQuota,” “GetSendQuota,” and “GetAccount” to blend in with normal AWS activity, avoiding common detection triggers.

Researchers observed that their toolset can also be identified by the use of python urllib3 during the GetSigninToken events. Once inside, they generate temporary credentials and console access using “GetFederationToken” with an “allow all” policy, granting them maximum control.

To establish their phishing infrastructure, JavaGhost manipulates Amazon Simple Email Service (SES) and WorkMail. They create multiple SES email identities, modify DKIM settings, and adjust Virtual Delivery Manager (VDM) and Mail-from attributes. Additionally, they configure AWS WorkMail Organizations and create user accounts, generating various SES and AWS Directory Service (DS) events within CloudTrail logs.

_Create Amazon WorkMail_ Directory Automatically Create Events (Source: Unit 42)  

New WorkMail User Creation (Source: Unit 42)

JavaGhost creates new SMTP credentials for sending emails, which leads to the creation of new identity and access management (IAM) users and groups. They also establish IAM users for long-term persistence, often with administrator privileges, and in more recent attacks, create IAM roles with trust policies that allow access from attacker-controlled AWS accounts.  

SMTP Credentials Retrieval Example (Source: Unit 42)

A unique calling card of the group is the creation of EC2 security groups named “Java\_Ghost” with the description “We Are There But Not Visible.” They also attempt to leave AWS Organizations and enable all AWS regions, indicating a desire to remove security constraints. 

“Accessing the console via this methodology obfuscates their identity and allows them easier visibility into the resources within an AWS account. Since attackers rarely create temporary credentials to access the AWS console URL, these methods often bypass detection,” researchers noted in their report.

The evolution of JavaGhost’s tactics, from simple access key usage to sophisticated evasion techniques, highlights the group’s increasing sophistication. However, their actions are traceable through CloudTrail logs (a tactic historically employed by Scattered Spider) specifically by examining user agent strings indicating the use of the Python urllib3 library. Moreover, to stay protected from similar attacks targeting AWS environments, organizations should implement a multi-layered security approach. Avoid long-term keys, rotate them, review policies, and monitor for unusual API calls and IAM activity.

Roger Grimes, data-driven defence evangelist at KnowBe4 commented on the latest development stating, “This is another example of how not doing the basics better can hurt you. When clouds took over a decade ago, “experts’ worried about all the new cloud-specific attacks we would see and become accustomed to. But what has proven true over time is that the same things that plague us in on-premise environments for over 2-3 decades are still what plague us in cloud environments. In this case, overly permissive permissions and social engineering. Social engineering is responsible for 70% – 90% of successful attacks. Overly permissive permissions are also a top threat (but surpassed also by vulnerability exploits and stolen credentials),” said Roger.

He further suggested that “If you want to keep hackers and their malware creations out, concentrate on the long-time basics, not just as part of everything you are doing, but primarily what you are doing. If you’re not stopping social engineering, exploits against unpatched vulnerabilities, credential theft (79% of the time through social engineering), and misconfigurations, of which overly permissive permissions are one type, then you aren’t going to stop hackers. The only difference now is you need to learn how to do it in both on-premises and cloud environments. But the threats are the same.”

1.  ShinyHunters, Nemesis Exposed After AWS S3 Leak
2.  Hackers Use Fake PoCs on GitHub to Steal AWS Keys
3.  Tunneling Flaws Put VPNs, CDNs, Routers at Risk Globally
4.  FUNNULL Unmasked: AWS Abused for Global Cybercrime
5.  Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets

Top/Featured Image via Pixabay/TheDigitalArtist

JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Boston and Tel Aviv, United States, 4th March 2025, CyberNewsWire

**Boston and Tel Aviv, United States, March 4th, 2025, CyberNewsWire**

Pathfinder AI expands Hunters’ vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation and response.

**Hunters**, the leader in next-generation SIEM, today announced **Pathfinder AI**, a major step toward a more AI-driven SOC. Building on Copilot AI, which is already transforming SOC workflows with LLM-powered investigation guidance, Hunters is introducing its Agentic AI vision, designed to autonomously enhance detection, investigation, and response. Agentic AI will launch soon, with ongoing innovations to further streamline security operations.

> “Hunters has already made a significant impact on our security operations by reducing manual investigations, streamlining data ingestion, and improving threat visibility. With Pathfinder AI, we’re enhancing efficiency and response times through AI-driven detection explanations and automated investigative guidance. This innovation continues to strengthen Emburse’s security posture with cutting-edge AI-powered threat intelligence.” — Casey Sword, Endpoint Security Architect, Emburse

**How AI is Shaping the Future of Security Operations**

Security investigations are complex and unpredictable—each alert triggers multiple investigative steps, creating an overwhelming number of possible paths. Traditional automation follows rigid workflows, often leaving analysts stuck chasing false leads while real threats slip through.

AI changes the equation. Unlike static rule-based automation, Agentic AI dynamically adapts, prioritizing critical threats, filtering out noise, and continuously refining investigations to keep security teams focused and efficient.

To stay ahead of evolving threats, SOCs need two key AI-driven capabilities:

*   **Copilot AI** – Enhances analyst workflows with automated data analysis, report generation, and guided investigations.
*   **Agentic AI** – Delivers autonomous threat detection, investigation, and response, reducing manual workloads and accelerating decision-making.

By leveraging specialized AI agents that collaborate in real time, security teams can move beyond manual triage and fragmented investigations—operating faster, smarter, and with greater precision.

**Hunters Pathfinder AI**

From day one, Hunters was founded with the vision of embedding analyst intelligence into the SIEM—automating triage and investigation to maximize efficiency and accuracy. With years of experience refining AI-driven security operations, they are uniquely positioned to lead the AI-driven SOC transformation, leveraging the deep expertise to deliver automation at scale.

As Hunters Pathfinder AI continues to evolve, they are expanding its capabilities in two key areas: AI-Assisted SOC and AI-Driven SOC. These advancements will further reduce manual workloads while enhancing detection, investigation, and response.

**AI-Assisted SOC with Copilot AI**

*   Lead Summarization – AI-generated summaries that provide analysts with immediate and comprehensive context on security events.
*   Guided Investigation Workflows – Suggests next steps across the entire attack surface.
*   Natural Language Querying – Enables SOC analysts to interact with the system using conversational AI to retrieve insights efficiently.
*   Custom Detection Authoring – Helps analysts refine detections with guided logic and iterative fine-tuning.
*   Threat Classification – AI evaluates signals and context to determine whether a threat is benign or malicious, reducing manual triage time.

**AI-Driven SOC with Agentic AI**

*   Autonomous Triage and Classification – AI-driven agents investigate every threat, classifying incidents and providing full investigation reports.
*   Self-Optimizing Detections – Machine learning models continuously refine detection accuracy based on real-world attack data.
*   Automated Root Cause Analysis – AI correlates attack signals across multiple sources to provide full attack narratives.

> “Pathfinder AI is a game-changer for SOC teams, allowing us to deliver on our promise of making security operations more effective in the fight against cyber threats. By combining Copilot AI and Agentic AI, we are not just automating tasks but enabling security teams to focus on what truly matters—stopping real threats before they cause harm.” — Ian Forrest, VP of Product, Hunters

**The Road Ahead**

Hunters remains committed to pushing the boundaries of SOC automation with AI-driven investigations, automated response mechanisms, and deeper AI capabilities. Pathfinder AI represents the next advancement toward a faster, smarter, and more effective security operations center and will be delivered in the upcoming months.

For more details, users can explore Hunters’ **blog post** and **join the webinar** about this announcement on March 5th, 2025.

**About Hunters**

Hunters empowers SOC teams with AI-driven automation, maximizing efficiency without large security budgets. As a next-gen SIEM, the Hunters SOC Platform integrates Agentic AI, Copilot AI, machine learning, and graph-based correlation to automate detection, investigation, and response. Trusted by Cimpress, OpenLane, and The RealReal, Hunters delivers built-in detections, AI-driven investigations, and security expert support from Team Axon.

For more information, users can visit **Hunters Security**.

**Contact**

**Ada Filipek**  
**Hunters**  
**\[email protected\]**

Hunters Announces New AI Capabilities with Pathfinder AI for Smarter SOC Automation

A new malware threat called Zhong Stealer has surfaced from China, and it’s already slipping into businesses through…

A new malware threat called Zhong Stealer has surfaced from China, and it’s already slipping into businesses through an unexpected entry point – customer support chats. This info-stealing malware is currently infiltrating fintech companies by exploiting support agents, but the bigger concern is its adaptability. 

Zhong Stealer can easily be repurposed to target any industry that relies on customer support teams – hospitality, healthcare, retail, and beyond. If your business has a customer-facing team, it could easily be the next target. 

Let’s take a closer look at how this malware operates and what businesses can do to stop future attacks before they escalate.

**How Zhong Stealer Works**

Cybercriminals behind Zhong Stealer don’t rely on complex exploits or high-tech hacking tools to break into businesses. Instead, they use a low-effort but highly effective scam that plays on human nature: urgency, confusion, and frustration.

As noted by ANY.RUN researchers, the attack unfolds in a calculated, repetitive pattern designed to wear down customer support agents:

1.  **A new support ticket appears** but the sender’s account is brand new and completely empty. There’s no history, no past interactions, just a vague request for help.
2.  **The attacker types in broken language**, usually Chinese, making the conversation difficult to follow. This adds an element of confusion and makes the request seem more urgent.
3.  **A ZIP file is attached**, supposedly containing screenshots or other necessary details for the request. The attacker insists the support agent must open it to understand the issue.
4.  **If the agent hesitates, the attacker becomes increasingly frustrated**, pressuring them to act. 

Suspicious ZIP files with Chinese characters

Running Zhong Stealer in a secure and isolated environment, such as the ANY.RUN sandbox revealed its behaviour almost immediately. View the sandbox analysis here: Sandbox session with Zhong Stealer

Malicious file analyzed inside ANY.RUN sandbox

After running the analysis, we can see in the upper-right corner of the screen that the ANY.RUN sandbox immediately flagged the file and its activities as malicious, highlighting it in red.

This allows security teams to instantly recognize threats without needing deep technical expertise – the fastest and simplest way to determine if a suspicious file or link contains malware.

Malicious activity detected by ANY.RUN sandbox

Give your team the power to identify and stop cyber threats before they spread. Sign up for a 14-day free trial with ANY.RUN today! Start Your Free Trial

During the analysis session, we can also see how Zhong Stealer downloads additional components to continue the attack:

Zhong Stealer downloading additional components inside ANY.RUN sandbox

After all the preparations, Zhong Stealer starts with credentials theft and data exfiltration. By clicking on the malicious behaviour inside ANY.RUN’s sandbox we can see all the main techniques and tactics used by Zhong Stealer. 

Detailed analysis of malicious behaviour inside ANY.RUN sandbox

From this analysis, we can see how Zhong Stealer maintains persistence on an infected system. Its primary method is adding a registry key to make sure that the malware automatically runs every time the system starts. 

If the registry entry is removed, Zhong has a backup plan: it uses a scheduled task to relaunch itself, making it harder to fully eliminate.

Persistence mechanism discovered inside a safe environment

Once persistence is secured, Zhong shifts its focus to the real goal: harvesting credentials and browser extension data. 

By targeting stored login information, it can steal sensitive business and personal data before the victim even realizes they’ve been compromised.

Zhong Stealer starts scanning Edge to steal sensitive data

Finally, after stealing sensitive data, Zhong connects to its command-and-control (C2) server in Hong Kong to send the stolen information back to the attackers.

**How to Protect Your Business from Zhong Stealer**

Zhong Stealer proves that malware can slip into businesses through unexpected channels, like customer support chats. 

The easiest way to check whether a file is malicious is to analyze it with tools like ANY.RUN sandbox. Thanks to its user-friendly interface, anyone can use it, even without technical expertise, making it a great solution for all team members. 

Simply upload the file into the secure sandbox environment, run the analysis, and see the verdict. If malicious activity is detected, the file should be reported immediately.

You can also download a well-structured report containing all the attack details, making it easier to share findings with security teams, IT staff, or decision-makers.

With ANY.RUN, businesses can:

*   **Quickly analyze suspicious files and links** in a safe, controlled environment without risk to internal systems.
*   **See real-time malware behavior**, including persistence techniques, data theft attempts, and communication with external servers.
*   **Identify threats instantly**, with flagged malicious activity highlighted for easy recognition.
*   **Prevent infections before they happen** by proactively checking files before employees open them.

New Chinese Zhong Stealer Infects Fintech via Customer Support

Artificial Intelligence is a tool that is currently changing how businesses approach digital marketing and SEO. Explore how your business can transform with AI-powered SEO services here.

Over 70% of marketers and small business owners in the world today use AI for SEO. That’s a staggering amount. Right? Well, AI is changing how businesses approach digital marketing. It enables systems to evaluate massive data, determine patterns, and make decisions with little or no human intervention.

So, now businesses can easily automate and optimise key aspects of SEO, such as keyword research, content creation, and website analysis. This allows businesses to get high search rankings and organic traffic more efficiently than with traditional methods. Let’s learn more about this below.

**Table of Contents**

1.  The integration of artificial intelligence in SEO
    1.  Automation of keyword research
    2.  Optimisation of technical SEO
    3.  Content optimisation and creation
2.  Enhancing user experience through AI-driven strategies
3.  Predictive analytics: forecasting trends with AI
4.  Automating routine SEO tasks using machine learning
5.  Case studies: success stories of AI in SEO
    1.  Bankrate.com
    2.  Rocky Brands
    3.  STACK Media
    4.  RELATED TOPICS

****The integration of artificial intelligence in SEO****

As mentioned earlier, many businesses are adopting the use of AI for SEO. They do so in several ways, including the following:

****Automation of keyword research****

Before AI, keyword research used to involve the tiring work of analysing volume and competition metrics. That’s not the case anymore. Now tools such as Ahrefs and SEMrush use machine learning to predict keyword trends.

This is more efficient and faster than the traditional methods of keyword research. AI quickly analyses a vast amount of data to identify relevant keywords, long-tail phrases, and competitor strategies.

So, it ensures a more targeted content creation. For instance, businesses currently focusing on SEO in Spain, use AI to get more targeted Spanish keywords. Then, they incorporate the keywords in their content to ensure higher search rankings and organic traffic.

****Optimisation of technical SEO****

You can now use AI to automate your technical SEO tasks. This includes identifying technical issues, such as slow loading times and defective links. What’s more, you can use AI to get an insight into where you need to improve your website.

Therefore, AI can help your website shine. This means that it can help you identify and fix issues that can affect your search engine ranking and things like bounce rate.

****Content optimisation and creation****

Today, many businesses use artificial intelligence to develop SEO-driven strategies. Any leading digital marketing agency, such as Seeders, will confirm that AI significantly simplifies and accelerates the process of content optimization and creation. For example, AI-powered tools like Frase, Clearscope, and Surfer SEO help analyze top-ranking content. They provide recommendations on keywords, structure, and readability.

What does this indicate? It means that you don’t have to do the tiring research work daily. AI can do it for you. In addition to the research, AI can help you write great pieces of content. Remember, it all lies in how you prompt it to write.

****Enhancing user experience through AI-driven strategies****

Have you ever gotten the feeling that Google knows what you think before you finish typing? Well, that’s the power of AI. Today, SEO isn’t just about stuffing keywords into articles or hoping your content will land on the first page.

It’s about semantic search and user intent. What’s more, AI ensures that businesses can deliver more personalised, intuitive, and efficient interactions. It does this by doing the following:

*   Analysing user behaviour and past interactions to ensure personalised content and experiences. For example, Amazon and Netflix will give you product or content recommendations based on your unique history. So this ensures better user engagement.

*   Using chatbots to provide instant responses to user queries. This helps to reduce wait times and ensure better customer support.

*   Predicting customer preferences. This ensures that marketing efforts are more personalised.

****Predictive analytics: forecasting trends with AI****

AI doesn’t just focus on history. It can also help you predict the future. AI uses statistical models, data analytics, and machine learning to predict the future. The best part? Its predictions are often accurate and can help your business stay ahead in competitive markets.

Therefore, you can use AI to analyse industry trends, social media sentiments and economic indicators. Then, use the data received to predict market shifts. At the same time, you can use that data to adjust your digital marketing strategies to ensure they align with future demands.

The benefits of using AI in predictive analytics are that:

*   It offers real-time insights.
*   It analyses large datasets quickly
*   It helps businesses to optimise their marketing efforts.
*   It ensures minimal error. So businesses can make decisions quickly.

****Automating routine SEO tasks using machine learning****

As mentioned earlier, machine learning is one of the things that AI uses to make predictive analytics. Apart from that, machine learning can be used to automate routine SEO tasks. This includes doing things like:

*   Analysing search trends, competitor rankings, and user intent to generate high-performing keywords. So, businesses that use AI for keyword research can stay ahead of trends and search terms.

*   Automating content audits to ensure that content aligns well with search engine algorithms.

*   Providing real-time suggestions for content optimisation, including areas where you can improve readability.

*   Identifying gaps in existing content and suggesting topics to improve search rankings by filling these gaps.

*   Identifying technical SEO issues, like broken links and page speed problems. Then providing ways to solve them.

*   Optimising images by automatically generating alt texts.

****Case studies: success stories of AI in SEO****

Many sites have successfully used AI to improve their SEO performance. They include:

****Bankrate.com****

Bankrate.com has successfully used AI to drive thousands of visits each month to their website. This website uses AI to create responses to questions that have specific limitations, such as “What is Financial Liquidity?” and “What is the Contribution Margin?”

So, when done right, AI content can help you achieve success. And Bankrate.com has proven that. The site also uses a human touch to fact-check and rewrite where necessary.

****Rocky Brands****

Rocky Brands is another company that has managed to successfully use AI for SEO. It has implemented the use of BrightEdge tools for formulating effective SEO strategies.

After the implementation of these AI tools, Rocky Brand experienced an increase of YOY revenue by 74%, search revenue by 30% and new users by 13%.

****STACK Media****

STACK Media also collaborated with BrightEdge to enhance their web traffic. This collaboration involved identifying high search volume keywords, analysing SERP visibility, and conducting competitive research.

1.  Top SEO Agencies in the UK: Expert Insights
2.  Best SEO Experts to Follow on Twitter (X) in 2025
3.  How to Improve Your SEO through Enhanced Web Security
4.  SEO vs. PPC: Choosing the Right Strategy for Your Business
5.  16 Best SaaS SEO Experts That Will Help You Dominate Online

Featured Image via Pexels/Matheus Bertelli

AI-powered SEO services: revolutionizing digital marketing

San Francisco, California, 3rd March 2025, CyberNewsWire

**San Francisco, California, March 3rd, 2025, CyberNewsWire**

With the growing importance of security compliance for startups, more companies are seeking to achieve and maintain compliance with frameworks like SOC 2, ISO 27001 & GDPR. Bubba AI, Inc. is building a comprehensive solution for these organizations to easily integrate compliance workflows and build their own customized processes through an open-source alternative to existing GRC (Governance, Risk, and Compliance) automation platforms.

The company is positioning itself to address the compliance needs of organizations ranging from early-stage startups to established enterprises. Bubba AI’s flagship product, Comp AI, offers a built-in risk register, and policies required for frameworks while also allowing companies to build their compliance workflows using building blocks provided by the platform.

**Introducing Comp AI**

Comp AI is an open-source alternative to GRC automation platforms like Vanta and Drata. The platform includes several key features designed to automate compliance with frameworks such as SOC 2:

*   A built-in risk register to help companies identify, document, and assess potential security risks
*   Out-of-the-box security policies for modern companies, complete with an AI-powered editor for customization
*   A comprehensive vendor management suite for tracking, assessing, and identifying third-party vendors
*   Automated evidence-collection tools that reduce the manual burden of compliance documentation

The open source nature of Comp AI differentiates it from existing solutions in the market, allowing for greater community involvement, customization, and cost savings for companies on their compliance journey.

**The Value of Open Source Compliance Solutions**

Bubba AI was founded in late 2024 by Lewis Carhart. Carhart recognized a significant gap in the market for affordable, flexible compliance automation tools that could serve the needs of a wide range of companies.

> “While building at previous companies, I experienced firsthand how painful and resource-intensive the compliance process can be, especially for smaller organizations. The existing solutions were either prohibitively expensive or lacked the flexibility we needed. I wanted to create an open source platform that democratizes access to compliance automation”, Lewis Carhart commented.

This experience led Carhart to develop Comp AI as an open source alternative that could help organizations of all sizes achieve SOC 2 compliance without breaking the bank or getting locked into proprietary systems.

**The Ambitious Goal**

Bubba AI has set an ambitious target: helping 100,000 companies achieve compliance with cyber security frameworks like SOC 2, ISO 27001 & GDPR by 2032. This goal reflects the growing importance of security certifications as businesses increasingly handle sensitive customer data and face stricter regulatory requirements.

> “We believe that strong security practices shouldn’t be a luxury that only well-funded companies can afford. By providing an open source solution, we’re removing barriers to entry and empowering organizations to build robust security programs regardless of their size or resources”, said Lewis Carhart.

The company plans to build a community around its open-source platform, encouraging contributions and extensions that can benefit the broader business ecosystem.

**About Bubba AI**

Bubba AI, Inc. was founded at the end of 2024. Its mission is clear: help 100,000 companies get compliant with common cyber security frameworks by 2032. To do this, Bubba AI, Inc. is launching its first product – Comp AI, an open-source alternative to Vanta & Drata.

**Contact**

**Founder**  
**Lewis Carhart**  
**Bubba AI, Inc.**  
**\[email protected\]**

Bubba AI, Inc. is launching Comp AI to help 100,000 startups get SOC 2 compliant by 2032.

Cybercriminals pose as IT support, using fake calls and Microsoft Teams messages to trick users into installing ransomware through email floods and remote access.

Cybersecurity researchers at Trend Micro are warning about a new scam where cybercriminals pose as tech support to gain access to victims’ computers. But this isn’t just another spam email scheme; attackers are flooding inboxes and even reaching out through Microsoft Teams to trick people into letting them in. Once inside, they deploy ransomware from groups like Black Basta and Cactus.

****Here’s how it works:****

Victims first get bombarded with a flood of emails. Shortly after, someone claiming to be from the IT department contacts them through Microsoft Teams or even a phone call. This “helper” then convinces the user to grant them remote access to their computer, often using a legitimate program called Quick Assist, which is built into Windows to allow remote tech support.

Once inside, the scammer downloads files that seem harmless at first but are secretly combined and unpacked to install a backdoor called BackConnect. Hidden in OneDrive, this backdoor gives attackers full control over the infected system.

It’s worth noting that the Black Basta gang was previously flagged in December 2024 for a similar modus operandi, using email bombing to target Microsoft Teams users. However, at that time, the group was deploying Zbot and DarkGate malware instead.

According to Trend Micro’s latest technical report, recent incidents analyzed by the company show a strong connection between this BackConnect malware and the notorious Black Basta ransomware group, which reportedly made over $100 million from victims in 2023. There’s even evidence suggesting some members of Black Basta have moved over to another ransomware gang called Cactus, as the methods used in recent Cactus attacks are strikingly similar.

These attacks have been particularly active since October 2024, primarily hitting organizations in North America, with the United States suffering the most. The manufacturing sector, followed by finance, investment consulting, and real estate, have been frequent targets for Black Basta.

Screenshot of the email address used by the attacker (Via Trend Micro)

In some cases, after establishing their backdoor, attackers have been seen using more advanced methods to spread through a network, even targeting specialized systems like ESXi hosts used for running virtual machines. They use tools like WinSCP to move files around and have been caught preparing to encrypt files before being stopped. Leaked internal chats from Black Basta reveal the group sees security tools like Trend Micro as a significant hurdle, showing they are actively trying to find ways around them.

> BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
> 
> — PRODAFT (@PRODAFT) February 20, 2025

What makes these attacks effective is not necessarily the complexity of the software used, but the way attackers manipulate people. By mixing social engineering with the abuse of genuine software and cloud services, they make their malicious actions look like normal computer activity. It highlights that cybersecurity isn’t just about having the right software, but also about being aware of how criminals try to deceive people.

****What You Should and Should NOT Do!****

If you’re a Microsoft Teams user, don’t panic if you suddenly get flooded with emails. Instead, contact your system administrator to ensure these emails are blocked immediately and your device is scanned regularly. Report any suspicious emails or calls from unknown third parties posing as “helpers” to your cybersecurity team.

Remember, you don’t need a helper if you never asked for one; especially when the ‘helper’ is the one who caused the problem in the first place.

Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time…

Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time but automation can make the process faster. In this article, we will see what is security questionnaire automation and how you can use it to reduce response time.

**Table of Contents**

1.  Why Automate Security Questionnaires?
2.  Steps to Automate Security Questionnaires
3.  1\. Centralize Your Security Documentation
4.  2\. Use a Standardized Response Library
5.  3\. Take Advantage of Automation Tools
6.  4\. Integrate with Compliance and Security Systems
7.  5\. Assign Roles and Responsibilities
8.  Benefits of Automating Security Questionnaires
9.  How to Get Started with Automation?
10.  Conclusion 

Security questionnaire automation is the method of using technology to automate and accelerate the filling out of security questionnaires. Rather than repeatedly answering the same compliance and security questions manually, companies use automation software to auto-populate answers, handle document requests, and unify security policies easily.

****Why Automate Security Questionnaires?****

Automation accelerates the process and makes it less stressful and more efficient. Following are the reasons why companies are opting for automation:

*   **Saves Time:** It decreases the time taken to fill out questionnaires.
*   **Improves Accuracy:** Avoids human error and inconsistencies.
*   **Enhances Productivity:** Allows security teams to concentrate on critical tasks.
*   **Speeds Up Vendor Assessments:** Helps in quicker deal closures by minimizing delays.

****Steps to Automate Security Questionnaires****

Here are some steps to automate the security questionnaires:

****1\. Centralize Your Security Documentation****

Establish a centralized location for all security policies, certifications, and compliance documents. This allows easy pulling of answers in a rush.

*   Keep documents in a safe cloud-based environment.
*   Control and limit access to authorized staff.
*   Update documents frequently to account for changes in security controls.

****2\. Use a Standardized Response Library****

The majority of security questionnaires use similar questions. Rather than duplicating effort every time:

*   Develop a pre-approved response library.
*   Classify answers according to compliance frameworks (SOC 2, ISO 27001, GDPR, etc.).
*   Make answers concise, clear, and current.

****3\. Take Advantage of Automation Tools****

There are various tools to automate security questionnaires. These tools are able to:

*   Auto-populate answers based on previous submissions.
*   Provide the most appropriate answers based on your response library.
*   Integrate with compliance management platforms.

Popular automation tools are:

*   OneTrust – Orchestrates compliance and security questionnaires.
*   SecurityScorecard – Automates vendor risk assessments.
*   Loopio – Centralizes security questionnaire responses.

****4\. Integrate with Compliance and Security Systems****

Integrate your automation tool with current security systems. This guarantees:

*   Real-time synchronization of data.
*   Automatic updates when security policies are modified.
*   Quicker and more precise questionnaire answers.

****5\. Assign Roles and Responsibilities****

Human supervision is still important despite automation. Designate particular roles:

*   Security Team: Verifies responses for correctness.
*   Legal Team: Guarantees compliance with laws.
*   IT Team: Handles integration with security tools.

Well-defined accountability avoids mistakes and guarantees quality responses.

****Benefits of Automating Security Questionnaires****

The four benefits of automating security questionnaires are:

**1\. Quick Response Time**

No longer the rush to look for information. Automation drastically minimizes response time and enables companies to seal deals in less time.

**2\. Uniformity of Responses**

Automated processes provide uniform and accurate responses to every questionnaire, hence it minimizes confusion and misinterpretation.

**3\. Lower Security Team Workload**

Automation liberates security teams from repetitive security questions to undertake more strategic initiatives.

**4\. Higher Client and Partner Trust**

Quick and reliable security questionnaire responses show clients that your company prioritizes cybersecurity and compliance.

****How to Get Started with Automation?****

If you’re new to automation, start with these simple steps:

*   Audit your current questionnaire process. Identify bottlenecks.
*   Choose an automation tool that fits your needs and budget.
*   Build a response library with pre-approved answers.
*   Train your team on how to use automation tools effectively.
*   Continuously update responses to keep up with security changes.

****Conclusion** **

Security questionnaires do not have to be challenging. Companies can save time, increase accuracy, and expedite vendor approvals after automating the process of security questionnaires. The secret is to consolidate data, utilize automation tools, and institute human review. The outcome includes a quicker, more well structured security questionnaire process for all.

Featured, Top Image via Freepik

How to Automate Security Questionnaires and Reduce Response Time

FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures.

A new cyberattack campaign discovered by FortiGuard Labs, Fortinet’s threat intelligence and research unit, leverages a combination of social engineering, multi-stage malware, and the manipulation of trusted cloud services to achieve control over compromised systems.

According to FortiGuard’s investigation, shared with Hackread.com ahead of its publishing on Monday, the campaign targets Microsoft Windows users and has a high severity level. Their most crucial observation is that the attackers have innovated by integrating a modified version of the Havoc framework, Havoc Demon Agent, with the Microsoft Graph API, effectively hiding their malicious communications within the legitimate traffic of well-known cloud services.

For your information, Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to obtain full control of the target system.

The initial point of entry for this attack is a carefully crafted phishing email, which contains an HTML attachment designed to deceive the recipient into executing a malicious PowerShell command.

The Phishing Email (Source: FortiGuard Labs)

Through a technique known as “ClickFix,” in which users are tricked into executing malicious commands, the attachment presents a fake error message, prompting the recipient to copy and paste a seemingly harmless command into their system’s terminal. However, this command initiates a chain of events that leads to the downloading/execution of further malicious scripts, which are strategically hosted on a SharePoint site, probably to obscure the malicious operation within a trusted cloud environment.

The initial PowerShell script performs checks to evade sandbox detection and then proceeds to download/execute a Python script, also hosted on SharePoint. This Python script acts as a shellcode loader and injects and executes a malicious DLL, KaynLdr, which reflectively loads an embedded DLL, and further complicates analysis by using API hashing.

The core of the attacker’s C2 infrastructure relies on the modified version of the Havoc Demon DLL as it leverages the Microsoft Graph API to establish communication channels that blend seamlessly with legitimate cloud traffic. The “SharePointC2Init” function within the DLL obtains access tokens for the Microsoft Graph API and creates two files within the victim’s SharePoint document library, each named with a unique identifier derived from the compromised system.

These files act as channels for transmitting victim information and receiving C2 commands, while the entire communication is handled by the modified “TransportSend” function and encrypted using AES-256 in CTR mode. The agent then parses and executes these commands, which include a wide range of post-exploitation capabilities, such as information gathering, file operations, and token manipulation.

FortiGuard Labs’s discovery highlights the evolution of open-source C2 frameworks to create new, difficult-to-detect attacks and the growing need for adopting advanced security measures against such attacks.

“In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands,” FortiGuard’s researchers concluded.

The attack Flow (Source: FortiGuard Labs)

In a comment to Hackread.com, Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based application security provider, noted that hackers are using trusted Microsoft services to evade detection, showing a high level of sophistication, but what stands out is that their attack method requires more manual action from the victim than usual.

_“_These bad actor groups aim for obfuscation so they can achieve their goals. It’s not unusual to see them use open-source frameworks, however, the use of legitimate Microsoft services shows a level of sophistication that is concerning. Using those services allows them to hide in plain sight and have the benefits of being trusted servers,_“_ Thomas explained. _“_What is surprising about this is the level of manual intervention needed on the victim for the attack to be a success. Usually with these campaigns, the bad actors want as little interaction as possible on the victim’s part aside from clicking on a link._“_

New Malware Campaign Exploits Microsoft Graph API to Infect Windows

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about…

Firefox’s new Terms of Use spark user backlash over data rights. Learn how Mozilla responded to concerns about broad language and possible data misuse.

In the Internet era, where our online activities leave behind a trail of data, trust between users and the software they use is more important than ever. That trust is often buried in long legal agreements and complex terms and conditions, but it can quickly disappear if people feel their privacy is being violated. Mozilla, a company historically lauded for its commitment to user privacy, recently found itself at the center of such a trust dispute.

What happened is that the Firefox browser introduced new Terms of Use, which instead of promoting clarity, sparked a major controversy. The update meant to “formalize” user agreements, triggered a wave of user backlash, driven by language perceived as overly broad and potentially granting the company extensive rights over user data. Despite the company’s insistence that the terms were intended to clarify existing data practices and formalize user agreements, the unclear wording caused a lot of confusion and pushback.

The issue centered on a specific clause that granted Mozilla a “nonexclusive, royalty-free, worldwide license” to use information inputted or uploaded through Firefox. Critics, including figures from rival browser companies, interpreted this as an attempt to claim ownership of user data and potentially monetize it for purposes like AI development or targeted advertising. Mozilla, however, refuted these interpretations, stating that the new terms did not signify a change in how user data is handled.

> W T Fhttps://t.co/ifx7R9rBMV
> 
> "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of… https://t.co/Zvbif4TWzz
> 
> — BrendanEich (@BrendanEich) February 27, 2025

In response to the intense criticism, Mozilla clarified its intentions and provided further explanations for the controversial wording as well as revised the clause with clearer wording. Here’s the difference between the original and revised clause:

**Previous:** “When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.”

**Revised:** “You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content.”

Talking to TechCrunch, the company’s VP of Communications, Brandon Borrman, emphasized that the license was necessary to enable basic browser functionalities, such as processing user input. They stressed that the terms did not grant them ownership of user data or the right to use it beyond the scope outlined in their existing Privacy Notice.

According to Mozilla’s explanation of the reasoning behind the specific terms used, “Nonexclusive” was intended to indicate that users retain the right to use their data independently, “Royalty-free” reflected the browser’s free nature, and “worldwide” acknowledged its global availability. The company also confirmed that user data is not sent to third-party AI companies and that any data shared with advertisers is de-identified or aggregated.

The situation has raised fundamental questions about data ownership and the boundaries of digital consent. The initial confusion and backlash emphasize the potential consequences of poorly worded terms, even when intentions are benign. Still, Mozilla’s swift response and subsequent revisions demonstrate the company’s attempt to address user concerns and maintain trust.

1.  Mozilla Rushes to Fix Critical Flaw in Firefox and Thunderbird
2.  Mozilla permanently shuts down Notes & Send over malicious use
3.  Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature
4.  Google & Mozilla ban Avast security extensions over data snooping
5.  Mozilla’s ‘Track This’ lets you choose fake identity to deceive advertisers

Mozilla Tweaks Firefox Terms After Uproar Over Data Use Language

QR phishing is on the rise, tricking users into scanning malicious QR codes. Learn how cybercriminals exploit QR codes and how to protect yourself.

QR codes have become an everyday convenience, allowing quick access to websites, payment platforms, and digital menus with a simple scan. However, as their popularity has grown, so has the interest of cybercriminals looking to exploit them. A not-so-new but lesser-known wave of phishing attacks known as “QR phishing” or “quishing” is on the rise, tricking unsuspecting users into scanning malicious codes that can steal personal information, install malware, or redirect to fraudulent websites.

****How QR Phishing Works****

Cybercriminals have found multiple ways to manipulate QR codes for their scams. One of the most common methods involves placing fake QR codes over legitimate ones. This can happen at restaurants, parking meters, or public spaces where businesses commonly use QR codes for services. When a user scans the fake code, they might be taken to a website that looks legitimate but is designed to steal login credentials, financial information, or other sensitive data.

A real-time example of a malicious QR code on a parking meter in Kirklees, West Yorkshire, England. (Via  Kirklees Council)

Another approach involves sending QR codes via email or text messages, claiming to be from a trusted source like a bank, delivery service, or tech support team. These messages often create a sense of urgency, telling users that their account has been compromised or that they must verify a payment. Once scanned, the user is unknowingly handing over their private information to hackers.

According to Online QR Code, a QR code generating tool, there are different types of QR codes and almost every type of code can be abused by scammers. This means that no matter how a QR code is presented, on a poster, in an email, or even on an official-looking document; there’s always a risk if the source isn’t verified.

****Why QR Phishing Is So Effective****

QR phishing works so well because QR codes themselves don’t immediately show where they lead. Unlike a traditional link, which allows users to hover over and preview the URL, scanning a QR code often takes users directly to the intended site without any immediate warning. On mobile devices, where most QR scans happen, this makes it even easier for scammers to operate undetected.

Additionally, many people trust QR codes because they are widely used by legitimate businesses and organizations. Scammers take advantage of this trust by placing their malicious codes in places where people wouldn’t normally question their authenticity. This is why even the FBI had to issue warnings about QR phishing.

****How to Protect Yourself from QR Phishing****

While QR phishing is a growing threat, there are simple steps you can take to stay safe:

1.  **Verify Before Scanning** – If you see a QR code in a public place, check for signs of tampering. If a sticker looks like it’s been placed over another code, avoid scanning it.
2.  **Preview the URL** – Some smartphone cameras and QR scanner apps allow you to preview the link before opening it. If the URL looks suspicious or doesn’t match the expected destination, don’t proceed.
3.  **Avoid Scanning Codes from Emails or Texts** – Be cautious with QR codes sent via email or text, especially if the message is unexpected or urgent. Instead of scanning, visit the official website of the organization by typing the address directly into your browser.
4.  **Use a QR Code Scanner with Security Features** – Some security apps and QR scanners come with built-in protection that can detect and warn users about malicious links.
5.  **Check for HTTPS and Official Domains** – If you do scan a QR code, look at the URL before entering any personal information. Legitimate websites should have “https” in the address, and the domain should match the official website of the company.
6.  **Be Skeptical of Unsolicited QR Codes** – If you receive a QR code claiming to offer a prize, discount, or urgent security alert, treat it with suspicion. Scammers often use these tactics to lure victims into scanning.
7.  **Keep Your Phone’s Security Updated** – Ensure that your phone’s operating system and security software are up to date. This can help prevent malware infections from malicious sites.

QR codes aren’t going away anytime soon. They’ve become a vital tool in marketing, payments, and everyday interactions. But just like with email phishing and other cyber threats, awareness is key to staying safe. By taking a few extra seconds to verify the source of a QR code before scanning, you can protect yourself from falling victim to these increasingly sophisticated scams.

1.  YouTube Scammers Rake in $600K with QR Codes
2.  Hackers Exploit QR Codes with QRLJacking for Malware
3.  Unicode QR Code Phishing Bypasses Traditional Security
4.  QR Code Scam: Fake Voicemails Hit 1000 Users in 14 Days
5.  Top Barcode Scanner app infected 10m users with malware

Source

HackRead