Posts

GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads

  A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available. These browser programs were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons: Free VPN, Screenshot ...

Strengthening Cyber Resilience Through Supplier Management

  Recent data shows third-party and supply chain breaches — including software supply chain attacks — now cost an average of $4.91 million per incident, and take 267 days to resolve. This isn’t surprising, considering how vendor usage has evolved over the last several years. Many businesses manage sprawling networks of suppliers, each with their own technology partners, security protocols and potential vulnerabilities. A weakness in any part of this extended armor can expose an entire organization to devastating breaches. But there are actionable steps organizations can take to regain visibility over their supplier ecosystems and proactively manage related cyber risk. Overall, supply chain and procurement professionals should implement rigorous vetting criteria for supplier partners, in order to maintain oversight of what systems and software connect to their network. The first step is to ensure suppliers follow established cybersecurity standards, includin...

40,000 Phishing Emails Disguised as SharePoint and e-Signing Services: A New Wave of Finance-Themed Scams

  The hyperconnected world has made it easier than ever for businesses and consumers to exchange documents, approve transactions, and complete critical financial workflows with just a click. Digital file sharing and electronic signature platforms, used widely across banking, real estate, insurance, and everyday business operations, have become essential to how modern organizations move at speed. But that same convenience creates an opening for cyber criminals. Email security researchers at Check Point have recently uncovered a phishing campaign where attackers impersonate file-sharing and e-signature services to deliver finance-themed lures that look like legitimate notifications. In this incident, attackers sent over 40,000 phishing emails targeting roughly 6,100 customers over the past two weeks. All malicious links were funneled through https://url.za.m.mimecastprotect.com, increasing trust by mimicking familiar redirect flows. The hyperconnected world has...

Hamas-Linked Hackers Probe Middle Eastern Diplomats

  A cyber threat group affiliated with Hamas has been conducting espionage across the Middle East. "Wirte" — tracked by Palo Alto's Unit 42 as "Ashen Lepus" — has been spying on regional government bodies and diplomatic entities since 2018. Lately, it's been expanding its interests into countries less directly associated with the Israel-Palestine conflict, like Oman and Morocco. And to match its broadening scope, Wirte has invented a new malware suite with a variety of features useful for evading cybersecurity programs. "When the group first started they used very simple tools — it didn't seem like the people behind the group had a lot of technical know-how," say Unit 42 researchers, who requested anonymity for this article. "However, over the years we've seen this group evolve their tools and techniques; we're now observing an evolution and enhancement in their capabilities." Hamas's New Malware & TTPs T...

Copilot's No-Code AI Agents Liable to Leak Company Data

  Artificial intelligence (AI) agents are a breeze to create using Microsoft Copilot Studio, and almost just as easy to manipulate into divulging sensitive corporate data. Despite broad security concerns about AI agents, last year, Microsoft decided to allow even totally nontechnical users to deploy their own autonomous bots. You don't need to know how to code at all now — using a simple graphical interface, employees can spin up robots that automate business processes, integrate with other business platforms, and can perform customer-facing functions. There's a certain lack of shock factor, then, in a new Tenable report detailing just how insecure these agents can be. In a simple experiment, researchers created a basic agent, and then very easily demonstrated how it could be coaxed into spilling private data and granting attackers other silly powers. "These tools can naively become a massive risk due to their level of access, ability to perform actions, a...

Malicious VSCode Marketplace extensions hid trojan in fake PNG file

  A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders. The malicious activity was uncovered recently, and security researchers found that the operator used a malicious file posing as a .PNG image. The VSCode Market is Microsoft’s official extensions portal for the widely used VSCode integrated development environment (IDE), allowing developers to extend its functionality or add visual customizations. Due to its popularity and potential for high-impact supply-chain attacks, the platform is constantly targeted by threat actors with evolving campaigns. ReversingLabs, a company specializing in file and software supply-chain security, found that the malicious extensions come pre-packaged with a ‘node_modules’ folder to prevent VSCode from fetching dependencies from the npm registry when installing them. Inside the bundled folder, th...

Researchers Expose Cheap Online Fraud Loophole

  Introduction: A Vulnerability Hidden in Plain Sight Online platforms increasingly rely on verification systems to stop fake accounts and fraudulent activities. Yet a new study by University of Cambridge researchers reveals that one of the most widely used security methods, SMS verification, can be bypassed for just a few cents, calling into question the effectiveness of this defense. Their findings highlight a growing challenge in the fight against online fraud. SMS Verification: Not as Secure as We Think Most websites, apps, and social platforms request a phone number and send a one-time SMS code during registration. This method is supposed to prove that a user is legitimate. However, the Cambridge team found that cheap disposable phone numbers can bypass this process entirely, making it extremely easy for fraudsters to operate at scale. Key points from the research: Fake accounts can be created using SMS activation services for less than 30 cents per number. In some...