Latest news with #cyberattack

Zawya
41 minutes ago
- Zawya
Kaspersky: Advanced Persistent Threat (APT41) targets Southern African organisation in espionage attack
Kaspersky Managed Detection and Response experts have observed a cyber espionage attack on an organisation in Southern Africa and have linked it to the Chinese-speaking APT41 group. Although the threat actor has shown limited activity in Southern Africa, this incident reveals that the cyber attackers have targeted government IT services in one of the countries in the region, attempting to steal sensitive corporate data — including credentials, internal documents, source code, and communications. APT (Advanced Persistent Threat) is a category of threat actors known for carrying out concerted, stealthy, and ongoing attacks against specific organisations, as opposed to the opportunistic, isolated incidents that account for most cybercriminal activity. The adversaries' techniques observed during the attack in Southern Africa allowed Kaspersky to attribute it to the Chinese-speaking APT41 group with high confidence. The primary goal of the attack was cyber espionage, which is typical for this threat actor. The attackers attempted to collect sensitive data from the machines they compromised within the organisation's network. It is noteworthy that APT41 has typically shown quite limited activity in the Southern African region. APT41 specialises in cyber espionage and targets organisations across various industries, including telecommunications providers, educational and healthcare institutions, IT, energy, and other sectors, with known activity in at least 42 countries. Based on Kaspersky experts' analysis, the attackers may have gained access to the organisation's network through a web server exposed to the Internet. Using a credential harvesting technique – known in professional terms as registry dumping – the attackers obtained two corporate domain accounts: one with local administrator rights on all workstations and another belonging to a backup solution, which had domain administrator privileges.
These accounts allowed the attackers to compromise additional systems within the organisation. One of the stealers used for data collection was a modified Pillager utility, designed for exporting and decrypting data. The attackers compiled its code from an executable file into a Dynamic Link Library (DLL). With it, they aimed to gather saved credentials from browsers, databases, administrative tools, as well as project source code, screenshots, active chat sessions and their data, email correspondence, lists of installed software, operating system credentials, Wi-Fi credentials, and other information. The second stealer used during the attack was Checkout. In addition to saved credentials and browser history, it was also capable of collecting information on downloaded files and browser-stored credit card data. The attackers also used the RawCopy utility and a version of Mimikatz compiled as a Dynamic Link Library (DLL) to dump registry files and credentials, as well as Cobalt Strike for Command and Control (C2) communication on compromised hosts. 'Interestingly, as one of their C2 communication channels besides Cobalt Strike, the attackers chose the SharePoint server within the victim's infrastructure. They communicated with it using custom C2 agents connected with a web-shell. They may have chosen SharePoint because it was an internal service already present in the infrastructure and unlikely to raise suspicion. Moreover, in that case, it probably offered the most convenient way to exfiltrate data and control compromised hosts through a legitimate communication channel,' explains Denis Kulik, Lead SOC Analyst at Kaspersky Managed Detection and Response service. 'In general, defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure. 
It is essential to maintain full security coverage across all systems with solutions capable of automatically blocking malicious activity at an early stage — and to avoid granting user accounts excessive privileges,' comments Denis Kulik. To mitigate or prevent similar attacks, organisations are advised to follow these best practices: Ensure that security agents are deployed on all workstations within the organisation without exception, to enable timely incident detection and minimise potential damage. Review and control service and user account privileges, avoiding excessive rights assignments – especially for accounts used across multiple hosts within the infrastructure. To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change. Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and gain additional expertise even if a company lacks cybersecurity staff. Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organisation. The latest Kaspersky Threat Intelligence provides them with rich and meaningful context across the entire incident management cycle and helps them identify cyber risks in a timely manner.
A detailed analysis of the incident is available on Securelist. Kaspersky Managed Detection and Response service monitors suspicious activity and helps organisations respond swiftly to minimise impact. This is a part of Kaspersky Security Services, a team delivering hundreds of information security projects every year for Fortune Global 500 organisations: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security, digital risk protection. Distributed by APO Group on behalf of Kaspersky. About Kaspersky: Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at


Al Arabiya
42 minutes ago
- Al Arabiya
Microsoft Releases Urgent Fix for SharePoint Vulnerability Being Used in Global Cyberattacks
Microsoft has issued an emergency fix to close off a vulnerability in Microsoft's SharePoint software that hackers have exploited to carry out widespread attacks on businesses and at least some federal agencies. The company issued an alert to customers Saturday saying it was aware of the zero-day exploit — where hackers take advantage of a previously unknown vulnerability — being used to conduct attacks and that it was working to patch the issue. Microsoft updated its guidance Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software. Cyber criminals often use zero-day exploits to steal sensitive data and passwords. The vulnerability also could allow hackers to access services connected to SharePoint, including OneDrive and Teams. The company said in its blog post that it discovered at least dozens of systems were compromised around the world. Security engineers stated the attacks occurred in waves on July 18 and 19. Although the scope of the attack is still being assessed, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the impact could be widespread and recommended that any servers impacted by the exploit should be disconnected from the internet until they are patched.


The Independent
3 hours ago
- Business
- The Independent
What caused the Alaska Airlines IT outage and what are my rights if my flight was cancelled?
For the third time in 15 months, Alaska Airlines grounded planes due to a major IT crash. The carrier requested a system-wide ground stop for its aircraft and those of its subsidiary, Horizon Air, on Sunday evening, with services resuming about three hours later. The airline has remained tight-lipped about the causes of the system paralysis, but separately on Sunday, Microsoft flagged "active attacks" on server software used by businesses, Reuters reported. It added that Google and Palo Alto Networks have been warning that the "Scattered Spider" teen hacking group has an interest in the aviation sector. In June, Hawaiian Airlines and Canada's WestJet Airlines were hit by cyber attacks, and Australia's Qantas experienced a data breach earlier this month. However, the cause of Alaska's outage could be internal. Alaska suffered a malfunction in its weight and balance calculation system in April 2024 that grounded the fleet. Then in September 2024, the carrier briefly grounded flights in Seattle due to "significant disruptions" from an unspecified technology problem that was resolved within hours. Alaska Airlines said on X at 3am EST: "Alaska Airlines has resolved its earlier IT outage and has resumed operations. We sincerely apologize for the inconvenience, and encourage guests to check your flight status before heading to the airport." In response, passengers complained about delays and a lack of customer service. X user Jack Gillin wrote: "Why haven't you answered my customer care calls? It's been more than four hours since I made my inquiry." Another complained: "Been on the phone on hold with your customer services for almost three hours and no one has picked up." Another revealed that after waiting for a flight for five hours, it was cancelled, with the airline unable to help with booking local accommodation. Passengers who experienced a delay are entitled to a rebooking on the same airline or a partner carrier at no additional cost.
If the delay is longer than three hours, they are entitled to a meal or meal voucher and complimentary hotel stays for overnight delays. This is because IT outages have been deemed "controllable" by the US Department of Transportation. Airlines are not obliged to compensate passengers due to events outside their control, such as storms or bird strikes.


Argaam
3 hours ago
- Argaam
Cyberattack hits Microsoft servers, threatens thousands of global organizations
Microsoft servers have been targeted in a large-scale cyberattack, with unidentified hackers exploiting a vulnerability in the company's SharePoint systems, raising concerns over potential security breaches worldwide. The Windows developer acknowledged the flaw in a statement and released a new security update to curb active attacks on on-premises servers, confirming that additional updates are in development. The US Cybersecurity and Infrastructure Security Agency (CISA) explained that the loophole allows attackers to execute code and access file systems and internal settings, according to Bloomberg. Cybersecurity firm Censys reported that more than 10,000 organizations using SharePoint servers are at risk, most of them based in the United States, followed by the Netherlands, the United Kingdom, and Canada. Palo Alto Networks warned that the attacks are real and pose a serious threat. Reports from outlets such as The Washington Post confirmed the breach has affected US federal and government agencies, universities, energy companies, and a telecom firm in Asia. This incident adds to a growing series of cyber intrusions targeting Microsoft systems. Back in March, the company warned that Chinese hackers were exploiting remote management tools and cloud applications to spy on institutions inside the US and abroad.