The Hacker News.

"FIN 7, FIN 8, and others use Ragnar Loader for persistent access to ransomware operations."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 08 March 2025, 2123 UTC.

Content and Source:  https://thehackernews.com.

Please check link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

 

FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

Mar 07, 2025

Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil). "Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. "While it's linked to the Ragnar Locker group, it's unclear if they own it or just rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect." Ragnar Loader, also referred to as Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. It's said to have been put to use ...

Red Report 2025: Analyzing the Top ATT&CK Techniques Used by 93% of Malware

Picus SecurityThreat Detection / Adversary Simulation

Discover the Top 10 MITRE ATT&CK® techniques behind 93% of attacks and learn how to defend against them.

Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide

Mar 07, 2025 Malvertising / Open Source

Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information. The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors that are known to distribute remote access or information-stealing malware via phishing, search engine optimization (SEO), or malvertising. "The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team said . "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack." The most signifi...

Webinar: Learn How ASPM Transforms Application Security from Reactive to Proactive

Mar 07, 2025 Software Security / AppSec

Are you tired of dealing with outdated security tools that never seem to give you the full picture? You're not alone. Many organizations struggle with piecing together scattered information, leaving your apps vulnerable to modern threats. That's why we're excited to introduce a smarter, unified approach: Application Security Posture Management (ASPM). ASPM brings together the best of both worlds by connecting your code insights with real-time runtime data. This means you get a clear, holistic view of your application's security. Instead of reacting to threats, ASPM helps you prevent them. Imagine reducing costly retrofits and emergency patches with a proactive, shift-left strategy—saving you time, money, and stress. Join Amir Kaushansky, Director of Product Management at Palo Alto Networks, as he walks you through how ASPM is changing the game. In this free webinar , you'll learn to: Close the Security Gaps: Understand why traditional AppSec tools fall short and how ASPM fills ...

What PCI DSS v4 Really Means – Lessons from A&F Compliance Journey

Mar 07, 2025 Payment Security / Compliance

Access on-demand webinar here Avoid a $100,000/month Compliance Disaster March 31, 2025: The Clock is Ticking. What if a single overlooked script could cost your business $100,000 per month in non-compliance fines? PCI DSS v4 is coming, and businesses handling payment card data must be prepared. Beyond fines, non-compliance exposes businesses to web skimming , third-party script attacks, and emerging browser-based threats. So, how do you get ready in time? Reflectiz sat down with Abercrombie & Fitch (A&F), for a no-holds-barred discussion about the toughest PCI DSS v4 challenges. Kevin Heffernan, Director of Risk at A&F, shared actionable insights on: What worked (and saved $$$) What didn't (and cost time & resources) What they wish they had known earlier ➡ Watch the Full PCI DSS v4 Webinar Now (Free On-Demand Access – Learn from A&F's Compliance Experts) What's Changing in PCI DSS v4.0.1? PCI DSS v4 introduces stricter security standards—especial...

This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Mar 07, 2025 Malware / Blockchain

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils , which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads)," software supply chain security company Socket said . "This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets." The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account. Besides embedding the attacker's RSA public key to...

U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website

Mar 07, 2025 Cryptocurrency / Ransomware

A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's Office for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981 and 982," reads a seizure banner on the website. The operation was carried out in coordination with the U.S. Department of Justice's Criminal Division, the Federal Bureau of Investigation, Europol, the Dutch National Police, the German Federal Criminal Police Office (Bundeskriminalamt aka BKA), the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. Founded in 2019, Garantex was previously subject to U....

The New Ransomware Groups Shaking Up 2025

Mar 03, 2025Threat Intelligence / Incident Response

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.  After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024. New Ransomware Groups to Watch In 2023 there were just 27 new groups. 2024 saw a dramatic rise with 46 new groups detected. As the year went on the number of groups accelerated with Q4 2024 having 48 groups active.  Of the 46 new ransomware groups in 2024, RansomHub became dominant, exceeding LockBit's activity. At Cyberint, now a Check Point Company, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog will look at 3 new players, the aforementioned RansomHub, Fog and Lynx and examine their impact in 202...

Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist

Mar 07, 2025 Security Breach / Cryptocurrency

Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts. The multi-signature (multisig) platform , which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor , which is also known as Jade Sleet, PUKCHONG, and UNC4899 . "The attack involved the compromise of a Safe{Wallet} developer's laptop ('Developer1') and the hijacking of AWS session tokens to bypass multi-factor authentication ('MFA') controls," it said . "This developer was one of the very few personnel that had higher access in order to perform their duties." Further analysis has determined that the threat actors broke into the developer...

PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors

Mar 07, 2025 Threat Intelligence /Vulnerability

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577 , a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday. "The attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for-post exploitation activities." Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan. It all starts with the threat actors exploiting the CVE-2024-4577 vulnerability to gain initial access and run PowerShell scripts to execute the Cobalt Strike reverse HTTP shellcode payload to grant themselves persistent remote access to the compromised endpoint. Th...

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

Mar 06, 2025 Data Security / Software Security

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25015 , carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," the company said in an advisory released Wednesday. Prototype pollution vulnerability is a security flaw that allows attackers to manipulate an application's JavaScript objects and properties, potentially leading to unauthorized data access, privilege escalation, denial-of-service, or remote code execution.  The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3. That said, in Kibana versions from 8.15.0 and prior to 8.17....

EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing

Mar 06, 2025 Malware / Ransomware

The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT . "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The Hacker News. "Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI) distribution services." The cybersecurity company described the threat actor as a hacking group that makes operational security errors and as someone who incorporates exploits for popular security flaws into their attack campaigns. EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an at...

Outsmarting Cyber Threats with Attack Graphs

Mar 06, 2025 Threat Intelligence / Network Security

Cyber threats are growing more sophisticated, and traditional security approaches struggle to keep up. Organizations can no longer rely on periodic assessments or static vulnerability lists to stay secure. Instead, they need a dynamic approach that provides real-time insights into how attackers move through their environment. This is where attack graphs come in. By mapping potential attack paths, they offer a more strategic way to identify and mitigate risk. In this article, we'll explore the benefits, types, and practical applications of attack graphs. Understanding Attack Graphs An attack graph is a visual representation of potential attack paths within a system or network. It maps how an attacker could move through different security weaknesses - misconfigurations, vulnerabilities, and credential exposures, etc. - to reach critical assets. Attack graphs can incorporate data from various sources, continuously update as environments change, and model real-world attack scenarios. ...