Steve Thomas - IT Consultant


  • IT leaders reporting burnout and stress, Google Workspace report finds
  • Generative AI is becoming more important to solutions and threats
  • Legacy tech is putting organizations at risk

It probably won’t come as a huge surprise that burnout is a significant concern for IT workers and security leaders, but new research from Google Workspace has claimed most are more worried about their teams being overwhelmed.

The company's report found nearly half (43%) saw being overwhelmed as a serious concern, showing current approaches are unsustainable for many businesses.

Overall, the report found nearly all (96%) of organizations said they were confident in their security posture, yet 81% reported experiencing at least one security incident per year, showing there is much work left to be done.

Ever-present threats

The threat landscape is changing thanks to AI, and security teams are seeing more incidents than ever. The new research shows that 81% of organizations see at least one threat per year, with the average being 8 per year.

This may not sound like much, but when the average cost of a data breach is now $4.45 million, even one incident per year can cripple an organization if they're not properly protected.

Some risky behaviors were uncovered in the report, with 63% of respondents using unlicensed generative AI tools on a weekly basis, and almost half (48%) trusting unlicensed gen AI tools to help them deal with threats.

As might be expected, AI is at the forefront of security concerns, and while 93% of security decision makers are worried about incidents, the top breach issue is from generative AI attacks, with nearly a third (31%) identifying this as a primary concern.

Gen AI as a security tool is also gaining traction, with 59% of security decision-makers seeing it as a key tool in combating evolving threats.

Legacy tech was also identified as a major issue, with 75% of IT leaders saying it leaves them ill-equipped to handle modern security threats. Nearly two-thirds (59%) of organizations admitted that relying on outdated technology has hindered their security preparedness, and 71% said legacy technology has left them less prepared for the future.

"The evidence from our research is clear: Organizations don’t need more security products, they need more secure products," noted Andy Wen, Senior Director of Product Management, Security, Google Workspace.

"If they’re going to stave off a barrage of sophisticated attacks in the future, they need to move away from outdated solutions and approaches that were designed for the desktop era. They need to embrace secure-by-design solutions that address the modern threat landscape and the way we work now."

You might also like


  • WhatsApp and Facebook Messenger to be banned for internal NatWest communications
  • You can still reach customer service through WhatsApp
  • The Financial Conduct Authority issued fines to Morgan Stanley for irretrievable conversations

One of the UK’s largest banks has banned employees from using instant messaging apps such as WhatsApp, Skype, and Facebook Messenger.

NatWest had previously asked workers to ensure they used ‘approved channels’, but has now gone one step further and made messaging platforms inaccessible from company-issued devices.

Whilst WhatsApp and Facebook Messenger are encrypted, their messages can also be set to disappear or can be difficult to retrieve, whereas financial institutions must comply with record-keeping regulations and keep their communications retrievable.

Robust regulations

"Like many organisations, we only permit the use of approved channels for communicating about business matters, whether internally or externally," a statement from NatWest confirmed.

The Financial Conduct Authority is reportedly paying particular attention to the issue of unmonitored communications, which prompted NatWest to take action to protect itself with regard to the regulations.

The rules are aimed at preventing market abuse and misconduct, but the use of third party messaging apps has made them harder to enforce, especially with an increased number of people working from home. The bank still offers WhatsApp as a means of contact for customers and for assistance with banking enquiries, but the platform is banned for internal communications.

This comes after a huge fine was handed to Morgan Stanley of almost £5.5 million when Ofgem determined the bank had breached rules on recorded communications after staff used WhatsApp for trading communications.

Many Brits will remember the recent COVID inquiry revealed a mass deletion of WhatsApp messages by Government ministers and officials, on an ‘industrial scale’.

Former Prime Minister Boris Johnson told the inquiry he lost around 5,000 messages, which were never recovered - illustrating the unreliable nature of third party messaging apps (and politicians).

Via BBC



  • The latest draft of the UN Cybercrime Convention faces key vote
  • The US is set to support the treaty
  • Human rights advocates say the convention will make it easier for authoritarian regimes to expand surveillance

A new draft of the UN Cybercrime Convention is set to face a key vote, and the Biden administration is reportedly set to support the treaty, despite criticism from digital rights organizations and human rights campaigners.

The convention is the first piece of legally binding legislation from the UN regarding cybersecurity, and its supporters hope to use it to establish a global framework for states to use to investigate and prevent cybercrime.

However, not only does Cisco think the treaty falls short of sufficiently protecting basic human rights, but some campaigners have said this convention will actually make it easier for authoritarian regimes to abuse their power and expand policing and surveillance.

Extensive deliberation

US officials confirmed they had consulted allied states and reviewed hundreds of written submissions from non-government organizations, and ultimately ‘decided to remain with consensus’.

A contributing factor to the support from the US was the need to influence later amendments and updates to the treaty, which would be made easier by support from the early stages.

A group of Democratic senators recently wrote the treaty could “legitimize efforts by authoritarian countries” to censor and surveil internet users and political activists.

“While the executive branch’s efforts to steer this treaty in a less-harmful direction are commendable, more must be done to keep the convention from being used to justify such actions,” the senators said in a joint letter to the Secretary of State, Attorney General, and others.

A primary concern for digital rights groups is that the treaty doesn’t focus on crimes committed against computer systems, such as ransomware. Instead, the legislation focuses on digital communication systems, and could be used as an extension of police surveillance powers rather than protecting internet users and companies from cybercrime.

Via Politico



  • Some firms had their Windows Server unexpectedly upgraded to new 2025 version
  • Microsoft blames third-party tools after widespread issues reported
  • Some are claiming there was a bug on Microsoft's side

Microsoft's recent launch of Windows Server 2025 appears to still be causing aftershocks after many companies said they were automatically upgraded to the new software.

Multiple Windows Server 2019 and 2022 systems were reportedly unexpectedly upgraded to Windows Server 2025 overnight, and Microsoft and third-party patch management service providers are now shifting blame amongst themselves.

The bug now finally appears to be fixed, but Microsoft is yet to explain to its customers how the upgrade can be rolled back.

Procedural error

"Some devices upgraded automatically to Windows Server 2025 (KB5044284). This was observed in environments that use third-party products to manage the update of clients and servers," Microsoft explained. "Please verify whether third-party update software in your environment is configured not to deploy feature updates. This scenario has been mitigated."

In other words, it’s not Microsoft - it’s you. The company also added the update had the "DeploymentAction=OptionalInstallation" tag, which patch management tools should read as being an optional, rather than recommended update.

Upgrading to a brand new operating system comes with many questions and risks, and in this case, some companies didn’t even have the necessary license.

Microsoft didn’t name any names, but BleepingComputer found many of Heimdal’s clients were affected by the issue. The company blamed the bug on a “procedural error on Microsoft’s side, both with the speed of release and the classification.” In total, 7% of its customers received the unwanted upgrade. At press time, there were no details on how to roll the update back.

KB5044284 is a cumulative update, part of Microsoft’s Patch Tuesday effort, and Windows Server 2025 was supposed to be an optional update.

This optional update is, in fact, the latest release in Microsoft's Windows Server lineup, introducing several advanced features designed to improve security, performance, and hybrid cloud capabilities. Notable features include hotpatching, enhanced storage and GPU support, and stronger AI and machine learning capabilities.



  • Researchers spotted a brand new Ymir ransomware
  • This new strain teamed up with a group deploying infostealers
  • There is a chance that the entire operation was done by a single actor

Two hacking groups have been recently observed working together to infect a victim - one to establish initial persistence and steal information, and one to encrypt the systems and demand a ransom payment.

Researchers from Kaspersky recently investigated one such incident in Colombia, where the unnamed company first got infected by RustyStealer, an infostealing malware capable of grabbing login credentials, sensitive files, and more.

This part of the attack was likely conducted by one set of criminals who, once their part was done, handed the access over to a second group.

Single actor?

The second group first made sure its encryptor didn’t trigger any antivirus or antimalware alarms. To that end, they installed different tools, such as Process Hacker and Advanced IP Scanner. “Eventually, after reducing system security, the adversary ran Ymir to achieve their goals,” the researchers conclude.

Ymir is the name of both the encryptor and the threat actor behind it, and is also a relatively new entrant in the ransomware space. The malware is quite unique, too, in that it operates entirely from memory, taking advantage of different functions such as ‘malloc’, ‘memmove’, and ‘memcmp’ to prevent being detected.

While teamwork is not a foreign word in the world of cybercrime, there is also a slight possibility that this entire operation was done by a single actor. In that case, it would mark an entirely different approach to ransomware attacks, and possibly a notable shift in how ransomware attacks are conducted.

"If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups," Kaspersky researcher Cristian Souza said.

In any case, it is possible that Ymir will grow into a formidable threat actor, infecting more companies in the months to come.

Via The Hacker News



  • Set Forth confirms suffering a data breach in May 2023
  • Roughly 1.5 million people were affected by the incident
  • Set Forth offers 12 months of identity theft protection

American debt services company Set Forth has confirmed suffering a data breach incident in which sensitive information on more than a million people was stolen.

In a data breach notification letter sent to affected customers, the company said it identified “suspicious activity” on its systems on May 21 2024.

After implementing its incident response protocols, and engaging third-party forensic experts who investigated the incident, the company determined that some personal information from its customers, as well as their spouses, co-applicants, or dependents, was stolen.

Defending the premises

The data stolen in the attack includes people’s names, postal addresses, birth dates, and social security numbers. In a subsequent filing with the Office of the Maine Attorney General, Set Forth confirmed that 1.5 million people were affected by this breach.

At press time, there was no information on who might have stolen the archives. No threat actors have yet assumed responsibility for the break-in.

To prevent similar incidents from happening in the future, Set Forth outlined a number of implementations, including enhanced endpoint monitoring, a global password reset, and additional security controls. Furthermore, the company is now offering identity theft protection services for affected individuals for 12 months, through Cyberscout.

“Again, at this time, there is no evidence that your information has been misused. However, we encourage you to take full advantage of this service offering,” Set Forth concluded in its letter.

In the meantime, multiple law firms have started looking into the matter, to see if there are grounds for a class-action lawsuit.

Via Cybernews



  • Halliburton confirmed losses in 8-K filing with the SEC
  • Ransomware attack attributed to RansomHub occurred in summer 2024
  • The crooks stole some sensitive data, but the details are still unknown

Halliburton confirmed the ransomware attack which recently hit the company cost the business $35 million in losses.

The oil giant shared the news via a quarterly financial report, filed with the US Securities and Exchange Commission (SEC).

In late August 2024, the company reported discovering an unauthorized third party in its systems, which forced it to take certain systems offline. As a result, its operations were limited, and certain clients disconnected, causing the company to lose millions of dollars.

Stealing data

Soon after the breach was announced, a threat actor called RansomHub assumed responsibility for the attack. This group gained notoriety after the Change Healthcare breach, having been confirmed as the affiliate that forced the healthcare giant to part ways with more than $20 million in ransom.

Unfortunately for the hackers, they never saw any of that money, since the ransomware’s operators, ALPHV, took all the loot and disappeared into the digital wilderness.

Still, RansomHub said it stole sensitive data from Halliburton, something the company also confirmed in a subsequent 8-K form. However, there is no word on the type of data stolen, or its amount.

"We experienced a $0.02 per share impact to our adjusted earnings from lost or delayed revenue due to the August cybersecurity event and storms in the Gulf of Mexico," commented Jeff Miller, Chairman, President, and CEO at Halliburton.

"Our full year expectations for free cash flow and cash return to shareholders remain unchanged, and we expect both to accelerate in the fourth quarter."

Halliburton is a global American multinational corporation that provides products and services to the energy industry, especially in oil and gas exploration, development, and production. It is present in more than 70 countries, and earns more than $20 billion in revenue. It currently employs more than 45,000 people.

Via BleepingComputer



  • Hot Topic data breach effects continue to emerge
  • Leaked dataset reportedly includes encrypted credit card numbers
  • Threat actor 'Satanic' has claimed responsibility

Breach notification site Have I Been Pwned has confirmed the personal data of 56,904,909 users was found online, leaked from Hot Topic, Torrid, and Box Lunch customers.

Threat actor ‘Satanic’ claimed responsibility for the breach, which was allegedly carried out through an infostealer infection, and made possible by weak security practices.

The dataset is reportedly on sale for $20,000 (although this has since been lowered to $4,000) and the hackers are demanding a $100,000 ransom from Hot Topic to remove the listing from the forums. Apparently, no notifications have been sent to customers as of yet.

Risk of identity theft

The leak reportedly occurred on October 19, but the data spans back all the way to 2011, so if you’ve used the Hot Topic website since then, we recommend being vigilant with your information just in case.

The data is said to have included email addresses, encrypted credit card numbers, and physical addresses.

Reports suggest an employee's device was infected with malware, which resulted in the theft of more than 240 credentials, leading to the extensive data breach.

When a person is affected by a data breach, the worry is that a threat actor may purchase their details and use them to commit identity theft. We’ve listed the best identity theft protections to help keep you safe.

Via BleepingComputer



  • Crooks are embedding malicious links in Microsoft Visio files
  • The files are distributed via compromised email accounts
  • The goal of the campaign is to steal Microsoft 365 login credentials

Security researchers from Perception Point have spotted a new two-step phishing campaign aiming to steal people’s Microsoft 365 login credentials. It includes compromised email accounts, compromised SharePoint accounts, and some convincing - but fake - purchase orders.

The attack starts with a hacked Microsoft SharePoint account, where the criminals would upload a file using Microsoft Visio - the company's tool for making professional diagrams and charts, creating files with the .VSDX extension.

The crooks would embed a malicious URL in this file leading to a fake Microsoft 365 login page. Victims that make it this far usually try to log into their accounts, thus sharing the login credentials with the attackers.

Abusing people's email accounts

Then, the attackers would compromise someone’s email account, and use it to distribute the phishing messages. Since these emails would be coming from otherwise legitimate sources, they are very likely to make it past any email security protections. The body of the message itself is your usual phishing content, sharing a fake purchase order, or something similar.

In some cases, the crooks would also share another email message as an attachment (.EML files), all in an attempt to hide the malicious intent lurking in the SharePoint account. When it comes to obfuscation, the crooks added another layer in the Visio file itself - the call to action leading to the fake login page can only be clicked while holding the Control (CTRL) button on the keyboard.

“Asking for the Ctrl key press input relies on a simple interaction that a human user can perform, effectively bypassing automated systems that are not designed to replicate such behaviors,” Perception Point explained in its research.

We don’t know exactly how many companies were targeted, or fell victim to this attack, but the researchers claim they are in the hundreds, and are located all around the world.



  • A new phishing campaign was recently spotted, distributing an Excel file
  • The file drops a fileless version of the Remcos RAT on the device
  • Remcos can steal sensitive files, log keys, and more

Hackers have been seen distributing a fileless version of the Remcos Remote Access Trojan (RAT), which they then use to steal sensitive information from the target devices using hijacked spreadsheet software.

In a technical analysis, researchers from Fortinet said they observed threat actors sending out phishing emails with the usual purchase order theme. Attached with the email is a Microsoft Excel file, built to exploit a remote code execution vulnerability found in Office (CVE-2017-0199). When triggered, the file will download an HTML Application (HTA) file from a remote server, and launch it via mshta.exe.

The downloaded file will pull a second payload from the same server, which will run the initial anti-analysis and anti-debugging, after which it will download and run Remcos RAT.

Remcos returns

For its part, Remcos was not always considered malware. It was built as a legitimate, commercial software, used for remote administration tasks. However, it was hijacked by cybercriminals, in the same way Cobalt Strike was hijacked, and is nowadays mostly used for unauthorized access, data theft, and espionage. Remcos can log keystrokes, capture screenshots, and execute commands on infected systems.

But this version of Remcos gets dropped directly into the device’s memory: "Rather than saving the Remcos file into a local file and running it, it directly deploys Remcos in the current process's memory," Fortinet explained. "In other words, it is a fileless variant of Remcos."

Phishing via email continues to be one of the most popular ways cybercriminals infect devices with malware, and steal sensitive information. It is cheap to execute, and performs well, making it a highly efficient attack vector. The best way to defend against phishing is to use common sense when reading emails, and to be extra wary when downloading and running any attachments.



  • Crooks can merge multiple ZIP archives into a single file
  • Archiver software rarely reads, or displays, all of the merged archives
  • As a result, crooks can sneak malware onto a device

Hackers are using ZIP file concatenation to bypass security solutions and infect their targets with malware through email messages, experts have warned.

A report from cybersecurity researchers Perception Point outlines how they recently observed one such campaign while analyzing a phishing attack.

ZIP file concatenation is a type of attack in which multiple ZIP files are merged into one, in order to trick the archiver programs and antivirus solutions.

Mitigating the problem

As Perception Point explains, the crooks would create two (or more) ZIP archives - one completely benign, maybe holding a clean .PDF file, or something similar, and one carrying the malware. Then, they would append the ZIP files into a single file which, while being shown as one file, contains multiple central directories pointing to different sets of file entries.

Different archivers, such as WinZip, WinRAR, 7-Zip, and others, handle these types of files differently, allowing crooks to move past cybersecurity solutions and infect the target device. 7-Zip, for example, only reads the first ZIP archive, which could lead to compromise. It could warn the user about additional data, though. WinRAR reads all ZIP structures and will reveal the malware, while Windows File Explorer only displays the second ZIP archive.
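As an added illustration of the behaviour described above (example code written for this page, not Perception Point's product or any archiver's code), the following Python scanner enumerates every central directory in a ZIP blob instead of honouring only the last one, which is how a mail gateway could flag a concatenated file; the two sample archives and their member names are constructed.

```python
"""Enumerate every central directory in a (possibly concatenated) ZIP file.

Added example, not Perception Point's or any archiver's code. A standard
archiver honours a single End of Central Directory (EOCD) record; this
scanner walks all of them so a gateway can flag files that carry more
than one archive. ZIP64 records are out of scope here.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"   # Central Directory File Header signature
EOCD_FIXED = 22            # bytes in an EOCD record before its comment
CDFH_FIXED = 46            # bytes in a CD entry before name/extra/comment


def find_central_directories(blob):
    """Return one list of member names per central directory in blob.

    The EOCD's offset field is relative to the start of the archive it
    belongs to, which is wrong once archives are appended together, so the
    directory is located by stepping back cd_size bytes from the EOCD.
    """
    archives = []
    pos = blob.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED <= len(blob):
            entries, cd_size, _cd_offset, _comment_len = struct.unpack(
                "<HIIH", blob[pos + 10:pos + EOCD_FIXED])
            cd_start = pos - cd_size
            # A stray "PK\x05\x06" inside file data has no directory before it.
            if cd_start >= 0 and blob[cd_start:cd_start + 4] == CDFH_SIG:
                names, cursor = [], cd_start
                for _ in range(entries):
                    if blob[cursor:cursor + 4] != CDFH_SIG:
                        break
                    name_len, extra_len, comment_len = struct.unpack(
                        "<HHH", blob[cursor + 28:cursor + 34])
                    name_start = cursor + CDFH_FIXED
                    names.append(blob[name_start:name_start + name_len]
                                 .decode("utf-8", "replace"))
                    cursor = name_start + name_len + extra_len + comment_len
                archives.append(names)
        pos = blob.find(EOCD_SIG, pos + 1)
    return archives


def is_concatenated(blob):
    """True when more than one central directory is present."""
    return len(find_central_directories(blob)) > 1


def stdlib_view(blob):
    """Member names Python's zipfile reports (it honours only the last EOCD)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def make_zip(members):
    """Build a small in-memory archive from {name: bytes}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Two constructed archives appended back to back, as the page describes."""
    first = make_zip({"invoice.pdf": b"%PDF-1.4 placeholder document"})
    second = make_zip({"update.exe": b"placeholder bytes, not a real program"})
    return first + second


if __name__ == "__main__":
    sample = build_sample()
    print("zipfile sees:", stdlib_view(sample))           # ['update.exe']
    print("all directories:", find_central_directories(sample))
    print("concatenated:", is_concatenated(sample))       # True
```

Python's zipfile, like Windows File Explorer in the text, reports only the members of the appended archive, whereas the scanner lists both directories and returns a flag a gateway can act on.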

In practice, that would mean the crooks would send out the usual phishing email, “warning” the victim of a pending invoice, or an undelivered parcel. The victim would download and run the attachment, and unknowingly get infected with a trojan, or similar malware.

Perception Point argues that “traditional detection tools” often fail to unpack and fully parse such ZIP files, and suggests its proprietary solution (who woulda thunk?).

“By analyzing every layer recursively, it ensures that no hidden threats are missed, regardless of how deeply they are buried – deeply nested or concealed payloads are revealed for further analysis.”

However, simply being careful with email attachments and not downloading things from unconfirmed sources should keep you secure anyway.

Via BleepingComputer



  • A critical vulnerability has been found in multiple D-Link models
  • Since the devices have reached end-of-life status, they won't be patched
  • Mitigations are available, although users are advised to replace the devices

D-Link says it won’t fix a critical vulnerability plaguing tens of thousands of network-attached storage (NAS) devices because they have reached their end of life.

Recently, a vulnerability with a 9.2 severity score (critical) was found in multiple models of D-Link NAS devices. Tracked as CVE-2024-10914 it was described as a command injection exploit that allows threat actors to inject arbitrary shell commands. By sending a specially crafted HTTP GET request to the device, the crooks could cause significant system compromise, remotely.

While the researchers say the exploitation is somewhat difficult since the complexity of an attack is relatively high, they did stress that there is a publicly available exploit out there.

Mitigating the problem

In total, there are more than 60,000 endpoints out there that could be compromised via this flaw, it was further explained. That includes multiple models, such as:

DNS-320 Version 1.00
DNS-320LW Version 1.01.0914.2012
DNS-325 Version 1.01, Version 1.02
DNS-340L Version 1.08

Most of these seem to be used by small and medium-sized businesses, it was added.

Since there will be no patch, D-Link advises users to retire the old devices and replace them with newer, supported models. For those that cannot do that at the moment, it is advised to isolate the endpoints from the public internet and place them under stricter access conditions.

A NAS device is a dedicated data storage unit connected to a network, allowing multiple users and devices to access and store data centrally. It provides secure file sharing, data backup, and storage, making it ideal for both home and business use. NAS devices are typically easy to set up and scale, offering RAID support and other protections against data loss.

Cybercriminals frequently target NAS devices because they often hold sensitive data, including personal documents, financial information, and business files. By compromising NAS systems, attackers can steal, encrypt, or delete valuable data, with ransomware being a common threat.

Via BleepingComputer
