#BYOVD

2026-02-16

📢 S2W analyses the DragonForce ransomware, its « RansomBay » RaaS and its Windows/Linux variants
📝 Source: S2W (TALON) — In « Inside the Ecosystem, Operations: DragonForce », S2W gives a technical...
📖 cyberveille : cyberveille.ch/posts/2026-02-1
🌐 source : medium.com/s2wblog/inside-the-
#BYOVD #DragonForce #Cyberveille

2026-02-11

Reynolds ransomware embeds a BYOVD driver to disable security tools before encryption — trusted drivers turned into attack enablers. Defense must look below the surface. 🚗💣 #BYOVD #Ransomware

thehackernews.com/2026/02/reyn

2026-02-10

Black Basta is bundling BYOVD techniques into ransomware payloads — abusing legit drivers to kill defenses before detonation. When trust is weaponized, detection must go deeper. 💣🧠 #BYOVD #Ransomware

darkreading.com/threat-intelli

2026-02-06

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got updates on several significant breaches, some deep dives into nation-state tradecraft, critical actively exploited vulnerabilities, and important regulatory shifts. Let's get stuck in:

Recent Cyber Attacks and Breaches ⚠️

- Spain's Ministry of Science has partially shut down its IT systems following a "technical incident". A threat actor, 'GordonFreeman', claimed responsibility, alleging an Insecure Direct Object Reference (IDOR) vulnerability granted them full admin access and allowed the exfiltration of personal records, emails, and application data.
- Romania's national oil pipeline operator, Conpet, confirmed a cyberattack disrupted parts of its IT infrastructure and took its website offline. While oil transport operations (OT systems) remained functional, the Qilin ransomware group has claimed responsibility, listing Conpet on their leak site and alleging the theft of nearly one terabyte of data.
- Photo-sharing platform Flickr is notifying users of a potential data breach stemming from a vulnerability in a third-party email service provider. The incident may have exposed users' real names, email addresses, Flickr usernames, IP addresses, general location data, and account activity, though passwords and payment card numbers were not compromised.
- An Illinois man, Kyle Svara, pleaded guilty to hacking nearly 600 women's Snapchat accounts between May 2020 and February 2021. He used social engineering to phish access codes, then downloaded private photos, which he kept, sold, or traded online. Svara also admitted to hacking accounts at the request of a former university track coach previously convicted of sextortion.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/romania-conpet
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/illinois-man-p

New Threat Research on Threat Actors, Malware, and Techniques 🛡️

- Palo Alto Networks Unit 42 has uncovered TGR-STA-1030, a previously undocumented Asian state-backed cyber espionage group that has breached at least 70 government and critical infrastructure organisations across 37 countries since January 2024. The group uses phishing to deliver a dual-stage Diaoyu Loader, which then deploys Cobalt Strike, and also exploits N-day vulnerabilities in various software.
- Norway's domestic security agency (PST) confirmed that the Chinese state-sponsored espionage campaign, Salt Typhoon, has compromised network devices within Norwegian organisations. This campaign, known for targeting telecommunications and critical infrastructure, highlights an increasing threat from foreign intelligence services, particularly from China, Russia, and Iran, which are employing hybrid tactics to undermine Norway's resilience.
- Cisco Talos researchers have detailed DKnife, a China-nexus gateway-monitoring and adversary-in-the-middle (AitM) framework active since at least 2019. This Linux-based toolkit, comprising seven implants, performs deep packet inspection, manipulates traffic, and delivers malware like ShadowPad and DarkNimbus via routers and edge devices, primarily targeting Chinese-speaking users.
- Threat actors are weaponising a Windows kernel driver from the legitimate forensic tool EnCase to disable security products, despite its digital certificate being revoked over a decade ago. This bring-your-own-vulnerable-driver (BYOVD) technique exploits gaps in Windows' Driver Signature Enforcement, allowing older, unsigned drivers to load and terminate EDR processes before detection.
- Germany's domestic intelligence agency (BfV) and Federal Office for Information Security (BSI) are warning of suspected state-sponsored threat actors targeting high-ranking individuals in Germany and Europe through Signal account hijacking. These attacks use social engineering, not malware, to trick targets into sharing Signal PINs for full account takeover or scanning QR codes to link attacker-controlled devices for chat monitoring.

📰 The Hacker News | thehackernews.com/2026/02/asia
🗞️ The Record | therecord.media/norawy-intelli
📰 The Hacker News | thehackernews.com/2026/02/chin
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕶️ Dark Reading | darkreading.com/threat-intelli
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Vulnerabilities and Active Exploitation 🚨

- CISA is warning that ransomware actors are actively exploiting CVE-2026-24423, a critical remote code execution (RCE) vulnerability in SmarterMail (versions prior to build 9511). The flaw allows unauthenticated RCE via the ConnectToHub API, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch or remove the product by February 26, 2026.
- The experimental AI agent social platform 'Moltbook' publicly exposed its entire user database, including secrets, PII, and API keys, due to an unsecured internal database. Furthermore, the underlying OpenClaw agent platform's 'ClawHub' marketplace was found to contain 283 skills (7.1% of the total) that leak sensitive credentials via prompt injection, and 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration.
- Indirect prompt injection attacks against OpenClaw agents have been demonstrated, allowing attackers to backdoor user machines and steal sensitive data or perform destructive operations. This is particularly concerning due to AI agents' integrations with productivity tools like Google Workspace and Slack, enabling attackers to deliver malicious prompts that can lead to the deployment of C2 beacons for long-term remote access.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕶️ Dark Reading | darkreading.com/cyber-risk/age
🕵🏼 The Register | go.theregister.com/feed/www.th

Threat Landscape Commentary 🌍

- Cloudflare reported a significant surge in DDoS attacks in Q4 2025, with volumes jumping 31% from the previous quarter and 58% year-over-year, totalling 47.1 million attacks. The UK experienced an unwelcome leap of 36 places to become the world's sixth-most targeted location, with financial services, telecoms, IT, and gambling/gaming sectors being primary targets.
- A new tool, KEV Collider, has been developed by Tod Beardsley (former CISA KEV section chief) to help security teams better triage CISA's Known Exploited Vulnerabilities (KEV) Catalog. The tool combines KEV data with other metrics like CVSS and EPSS scores, and Metasploit automation status, to provide a more relevant and prioritised view of vulnerabilities, acknowledging that the KEV list isn't a universal "must-patch" for all organisations.

🕵🏼 The Register | go.theregister.com/feed/www.th
🕶️ Dark Reading | darkreading.com/threat-intelli

Regulatory Issues and Changes 🏛️

- CISA has issued Binding Operational Directive 26-02, mandating U.S. Federal Civilian Executive Branch (FCEB) agencies to identify and remove end-of-life (EOL) network edge devices that no longer receive security updates from manufacturers. Agencies have three months to inventory these devices and 12-18 months to decommission and replace them, aiming to mitigate significant risks posed by advanced threat actors exploiting unsupported hardware.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/02/cisa

AI for Vulnerability Discovery 🤖

- Anthropic's latest large language model (LLM), Claude Opus 4.6, has demonstrated impressive capabilities by discovering over 500 previously unknown high-severity security flaws in major open-source libraries, including Ghostscript, OpenSC, and CGIF. The model was able to identify these vulnerabilities without task-specific tooling or specialised prompting, showcasing its advanced coding, code review, and debugging skills.

📰 The Hacker News | thehackernews.com/2026/02/clau

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #Vulnerability #RCE #ActiveExploitation #AI #DataBreach #SocialEngineering #DDoS #IncidentResponse #InfoSec #CISA #EDR #BYOVD #SupplyChainSecurity

2026-02-06

📢 Black Basta embeds a vulnerable driver (BYOVD) directly in its payload
📝 According to Security.com (Symantec and Carbon Black), a recent Black Basta campaign stands out for embedding an evasion component (BYO...
📖 cyberveille : cyberveille.ch/posts/2026-02-0
🌐 source : security.com/threat-intelligen
#BYOVD #Black_Basta #Cyberveille

2026-02-04

📢 Intrusion via SonicWall and BYOVD: a revoked EnCase driver used to neutralise EDRs
📝 Source: Huntress — In early February 2026, Huntress responded to an intrusion in which compromised SonicWall SSLVPN credentials served as the initial...
📖 cyberveille : cyberveille.ch/posts/2026-02-0
🌐 source : huntress.com/blog/encase-byovd
#BYOVD #EDR #Cyberveille

2026-01-27

📢 Osiris: new ransomware detected against a franchised restaurant operator in South-East Asia
📝 According to the investigation by Symantec and the Carbon Black Threat Hunter Team, a new ransomware family dubbed...
📖 cyberveille : cyberveille.ch/posts/2026-01-2
🌐 source : security.com/threat-intelligen
#BYOVD #IOC #Cyberveille

CyberNetsecIO (@netsecio)
2026-01-23

📰 New 'Osiris' Ransomware Borrows TTPs from Medusa and Inc Gangs, Uses Signed Driver to Kill AV

New Osiris ransomware borrows TTPs from Medusa & Inc gangs. 🐍 It uses a custom-signed driver ('Poortry') to kill EDR/AV before encrypting files. Also uses Rclone for data theft.

🔗 cyber.netsecops.io/articles/ne

CyberNetsecIO (@netsecio)
2025-12-15

📰 New 'Gentlemen' Ransomware Group Deploys Advanced GPO and BYOVD Attacks

New 'Gentlemen' ransomware group emerges, using advanced tactics like GPO modification for mass deployment and 'Bring Your Own Vulnerable Driver' (BYOVD) to bypass security. Double extortion attacks are on the rise. 🎩 ...

🔗 cyber.netsecops.io/articles/ne

2025-12-11

📢 DeadLock: a new BYOVD loader exploits CVE-2024-51324 to kill EDR and encrypt Windows
📝 Cisco Talos (Threat Spotlight) publishes an analysis of a DeadLock ransomware campaign conducted by a financially...
📖 cyberveille : cyberveille.ch/posts/2025-12-1
🌐 source : blog.talosintelligence.com/byo
#BYOVD #CVE_2024_51324 #Cyberveille

2025-12-10

DeadLock ransomware now uses a new BYOVD loader exploiting Baidu driver CVE-2024-51324 to terminate EDR processes at the kernel level. Pre-encryption PowerShell scripting disables defenses and wipes shadow copies before deploying custom time-based encryption.
technadu.com/deadlock-ransomwa

#Cybersecurity #Ransomware #BYOVD #DeadLock #EDR #ThreatIntel

DeadLock Ransomware Uses New BYOVD Loader Exploiting Driver Vulnerability to Disable EDR
CyberNetsecIO (@netsecio)
2025-12-09

📰 DeadLock Ransomware Uses Vulnerable Baidu Driver to Blind EDRs

DeadLock ransomware evolves, using a novel BYOVD attack to disable EDRs. 🛡️ The campaign exploits a vulnerable Baidu AV driver (CVE-2024-51324) to gain kernel-level control and kill security processes.

🔗 cyber.netsecops.io/articles/de

2025-12-04

10 popular EDR evasion techniques

Alexey Balandin, Security Vision

Today it is impossible to imagine endpoint protection without an EDR system, which, unlike the outdated antivirus, is based primarily on behavioural analysis of the events occurring in the system. The need for such a system has grown sharply over the last 10 years because threats improve year after year. It has long been obvious that attackers can be countered effectively not so much through static code analysis and the signature method as through studying, analysing and blocking their behavioural patterns and the tactics, techniques and procedures they use. This is what the EDR product class does, and it develops actively by constantly replenishing its knowledge base of new attack methods. The flip side of the coin is that attackers do not stand still and keep developing new ways of bypassing and counteracting EDR. Below we look at the EDR evasion techniques that have been most popular with attackers over the last 5 years.

habr.com/ru/companies/security

#edr #byovd #lolbas #обход_защиты #обход_антивируса

2025-11-02

📢 DragonForce: a multi-variant RaaS cartel targets Windows, Linux and ESXi with BYOVD and double extortion
📝 According to Trend Micro, this analysis details the evolution and the techniq...
📖 cyberveille : cyberveille.ch/posts/2025-11-0
🌐 source : trendmicro.com/vinfo/us/securi
#BYOVD #DragonForce #Cyberveille

2025-11-01

[Translation] Detection evasion techniques: path masquerading and BYOVD

Pentest job postings increasingly require not only an understanding of how key security tools (WAF, EDR, NAC) work, but also practical skills in bypassing them. The same goes for EDR/AV. Real cyberattack reports also regularly mention how attackers bypass protective measures and remain undetected. We propose to look at a couple of such bypass tricks and check whether your defences are ready for such challenges.

habr.com/ru/companies/cloud4y/

#информационная_безопасность #edr #системы_защиты #мониторинг #маскировка_путей #byovd #символические_ссылки

2025-10-27

🚨 EDR-Redir exploit uses Windows’ Bind & Cloud Filter drivers to redirect or isolate EDR folders from user mode - no kernel privileges required.

Demoed by TwoSevenOneT, it breaks Elastic Defend, Sophos, and even disables Defender via CFAPI corruption.

Minifilter abuse is becoming the new weak link in EDR design.

💬 Thoughts on how vendors should adapt?
Follow TechNadu for continuous #ThreatResearch and #EDREvasion updates.
#InfoSec #CyberSecurity #EDR #BYOVD #WindowsSecurity #MalwareAnalysis #RedTeam

New EDR-Redir Tool Breaks EDR Exploiting Bind Filter and Cloud Filter Driver
2025-10-24

📢 Agenda/Qilin deploys a Linux ransomware on Windows via RMM tools and BYOVD
📝 According to Trend Micro Research, a sophisticated Agenda (Qilin) campaign combines lures of the fa... type
📖 cyberveille : cyberveille.ch/posts/2025-10-2
🌐 source : trendmicro.com/en_us/research/
#Agenda_Ransomware #BYOVD #Cyberveille

2025-09-28

It's been a bit quiet over the last 24 hours, but we have a significant update on the Akira ransomware group's evolving tactics, particularly their ability to bypass MFA on SonicWall VPNs. Let's dive in:

Akira Ransomware Bypassing MFA on SonicWall VPNs ⚠️

- Akira ransomware affiliates are actively breaching SonicWall SSL VPNs, successfully authenticating even when one-time password (OTP) multi-factor authentication is enabled.
- This bypass is believed to stem from the use of credentials and OTP seeds previously stolen via the improper access control vulnerability CVE-2024-40766, allowing threat actors to regain access even after devices have been patched.
- Once inside, Akira moves quickly, performing internal network scanning, enumerating Active Directory, targeting Veeam servers for credential extraction, and employing Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to disable endpoint protection. Admins are urged to reset all VPN credentials on any device that previously used vulnerable firmware.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Ransomware #Akira #SonicWall #VPN #MFA #Vulnerability #CVE202440766 #BYOVD #IncidentResponse #InfoSec
