#uefi

8 posts, 3 participants, 0 posts today
SOC Goulash

It's been a packed 24 hours in the cyber world, with major disruptions to phishing operations, nation-state actors leveraging AI, significant breaches impacting critical infrastructure and financial services, and a notable resentencing in a high-profile cybercrime case. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- UK telco Colt Technology Services is still reeling from an August cyberattack, with recovery efforts now expected to stretch into late November. The Warlock ransomware group is claiming responsibility, and the incident is suspected to have originated from SharePoint exploits.
- The Jaguar Land Rover (JLR) cyberattack continues to send "shockwaves" through the UK automotive supply chain, with supplier Autins reporting a 55% share price drop and production halts. This highlights the significant economic security implications of attacks on critical industrial players.
- Venture capital firm Insight Partners has begun notifying over 12,000 individuals about a ransomware breach that occurred in October, with servers encrypted in January. The attack, initiated via a sophisticated social engineering campaign, led to the exfiltration of sensitive personal, banking, and tax information.
- SonicWall has warned customers to reset credentials after a security breach of its MySonicWall.com platform exposed firewall configuration backup files. Threat actors used brute-force attacks to access these files, which contain encrypted passwords and other data that could significantly aid firewall exploitation.
- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens. This extensive data theft, linked to the "Scattered Lapsus$ Hunters" collective, involved scanning source code for secrets and exfiltrating sensitive customer support ticket data.

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/uk_telco_colts_cyberattack_recovery/
🗞️ The Record | https://therecord.media/jlr-cyber-shockwave-auto-sector
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/vc-giant-insight-partners-warns-thousands-after-ransomware-breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-after-MySonicWall-breach/
🤫 CyberScoop | https://cyberscoop.com/sonicwall-cyberattack-customer-firewall-configurations/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/

Threat Actor Activity and AI in Cybercrime 🕵️

- Microsoft and Cloudflare have successfully disrupted RaccoonO365, a major Phishing-as-a-Service (PhaaS) operation, by seizing 338 domains and associated infrastructure. The financially motivated group, tracked as Storm-2246, stole over 5,000 Microsoft 365 credentials from 94 countries, often preceding malware and ransomware attacks.
- The notorious Scattered Spider group has resurfaced, shifting its focus to the financial sector despite recent claims of "going dark" alongside other cybercrime groups. ReliaQuest observed a targeted intrusion against a US banking organisation, where initial access was gained via social engineering and Azure AD self-service password reset, followed by lateral movement and credential dumping.
- North Korean Kimsuky hackers (APT43) are leveraging OpenAI's ChatGPT to generate deepfake military ID cards for phishing campaigns targeting South Korean defence institutions. This demonstrates a growing trend of nation-state actors using generative AI to create highly convincing forgeries and enhance social engineering tactics.
- The RevengeHotels group is also employing AI to boost its attacks on hotels, primarily in Brazil and Latin America, using phishing emails to deliver the VenomRAT remote access trojan. The use of large language models has enabled the hackers to produce cleaner, more structured malicious code, making their payment card data theft campaigns more effective.

📰 The Hacker News | https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/
📰 The Hacker News | https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/scattered_spider_bank_attack/
🗞️ The Record | https://therecord.media/north-korea-kimsuky-hackers-phishing-fake-military-ids-chatgpt
🗞️ The Record | https://therecord.media/hackers-payment-data-guests-steal

New Vulnerability: DDR5 Rowhammer ⚠️

- Researchers from Google and ETH Zurich have discovered a new class of Rowhammer vulnerability, dubbed "Phoenix" (CVE-2025-6202), affecting DDR5 memory modules. This attack, while computationally expensive, can corrupt data in adjacent memory cells, posing a risk to data integrity and potentially enabling privilege escalation.
- The vulnerability stems from repeatedly accessing specific rows of memory cells, which can degrade data in neighbouring cells, a known issue that DDR5 was thought to be more resistant to without additional refresh management commands.
- While AMD has released a BIOS update to protect systems using its processors, the discovery highlights the ongoing challenge of securing modern memory architectures and the need for system builders to implement robust defences like JEDEC's Per-Row Activation Counting (PRAC).

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/ddr5_dram_rowhammer/

Legal and Regulatory Developments ⚖️

- The founder of BreachForums, Conor Brian Fitzpatrick (Pompompurin), has been resentenced to three years in prison for his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). This follows an appeals court vacating his initial lenient sentence of 17 days time served.
- Fitzpatrick pleaded guilty to access device conspiracy, access device solicitation, and possession of CSAM, and has agreed to forfeit over 100 domain names, electronic devices, and cryptocurrency. The resentencing underscores the severity of his crimes, which involved facilitating the sale of over 14 billion individual records.

📰 The Hacker News | https://thehackernews.com/2025/09/doj-resentences-breachforums-founder-to.html
💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/breachforums_founder_prison/

Data Privacy Win Against Big Tech 🔒

- A California federal judge has rejected Meta's attempt to overturn a jury verdict finding the tech giant liable for illegally obtaining sensitive reproductive health data from millions of women via the Flo period tracking app. The ruling confirms Meta directly acquired user communication content in real-time without proper consent.
- The judge's unusually harsh wording called Meta's attempt to nullify the verdict "improper," reinforcing the significance of this case as one of the first major verdicts on how big tech handles sensitive health data. This could pave the way for further litigation and increased scrutiny of data collection practices.

🗞️ The Record | https://therecord.media/judge-rejects-meta-attempt-overturn-flo-privacy-lawsuit

Linux Arm64 and UEFI Secure Boot 🐧

- The adoption of UEFI Secure Boot for Linux on Arm64 devices presents a more fragmented landscape compared to x86, primarily due to the diversity of Arm chip manufacturers and their firmware implementations. While the UEFI specification is architecture-independent, its practical application varies significantly.
- Many Arm devices rely on the u-boot bootloader, which offers UEFI compliance but requires users to create and deploy their own certificates and keys, unlike the x86 world where Microsoft-signed shims are common.
- While some Linux distributions like Debian, Ubuntu, and SUSE offer out-of-the-box Secure Boot support on Arm with Microsoft keys, others like Fedora and RHEL require manual certificate deployment or disabling Secure Boot initially, highlighting ongoing integration challenges.

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/uefi_secure_boot_for_linux/

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #AI #NationState #APT #Vulnerability #Rowhammer #DDR5 #DataBreach #IncidentResponse #Cybercrime #Legal #DataPrivacy #Linux #UEFI #InfoSec
OTX Bot

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

ESET Research has discovered a copy of the infamous NotPetya ransomware, which is capable of compromising modern UEFI-based systems and weaponizing to bypass Secure Boot on outdated systems, writes Martin Smolár.

Pulse ID: 68ca9fd44e46ebef52fe96cc
Pulse Link: https://otx.alienvault.com/pulse/68ca9fd44e46ebef52fe96cc
Pulse Author: CyberHunter_NL
Created: 2025-09-17 11:47:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ESET #InfoSec #OTX #OpenThreatExchange #RansomWare #UEFI #bot #CyberHunter_NL
Ambraven

I need to boot from a USB key. I set up the boot with the EFI shell and I get to the GRUB on the USB key, but then it fails to boot into the actual OS.

How can I troubleshoot that?

#linux #boot #efi #uefi

Petya, NotPetya, and now: HybridPetya

We had the ransomware Petya, for which the people behind it later published a master key. We had NotPetya, which under the guise of ransomware in fact destroyed data beyond recovery. New in the zoo is a little gem that has been given the name HybridPetya. It shares many traits with its model, but can additionally bypass UEFI Secure Boot. Naturally, it exploits a security hole in Windows to do so, what else? It has not yet been seen in the wild, but it has at least turned up on VirusTotal.

pc-fluesterer.info/wordpress/2


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

A new ransomware called HybridPetya has been discovered, combining features of Petya and NotPetya with advanced UEFI-based system capabilities. It encrypts the Master File Table on NTFS partitions and can install a malicious EFI application to compromise UEFI systems. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not yet observed in the wild, HybridPetya demonstrates sophisticated techniques including UEFI bootkit functionality and Secure Boot bypass. It may be a proof-of-concept but highlights the growing trend of UEFI-based threats. The malware allows key reconstruction, potentially functioning as regular ransomware rather than being purely destructive like NotPetya.

Pulse ID: 68c81ed99da4be41ed428184
Pulse Link: otx.alienvault.com/pulse/68c81
Pulse Author: AlienVault
Created: 2025-09-15 14:12:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

Pulse ID: 68c7c6f479da6c591fd7a298
Pulse Link: otx.alienvault.com/pulse/68c7c
Pulse Author: Tr1sa111
Created: 2025-09-15 07:57:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


HybridPetya Ransomware Bypass UEFI Secure Boot

The newly identified HybridPetya ransomware demonstrates the ability to bypass UEFI Secure Boot protections by exploiting a previously disclosed vulnerability (CVE-2024-7344).

Pulse ID: 68c5681e83f02a26e30dc630
Pulse Link: otx.alienvault.com/pulse/68c56
Pulse Author: cryptocti
Created: 2025-09-13 12:48:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

HybridPetya, a new ransomware discovered on VirusTotal, combines features of Petya and NotPetya while adding UEFI system compatibility. It encrypts the Master File Table on NTFS partitions and can compromise UEFI-based systems by installing a malicious EFI application. A variant exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. Unlike NotPetya, HybridPetya allows key recovery, functioning as regular ransomware. While not yet observed in the wild, its technical capabilities, including MFT encryption and Secure Boot bypass, make it noteworthy for future threat monitoring.

Pulse ID: 68c4759460f86dece26ac18f
Pulse Link: otx.alienvault.com/pulse/68c47
Pulse Author: AlienVault
Created: 2025-09-12 19:33:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
