Cybersecurity Exploit Techniques


  • Marijn Markus

    AI Lead | Managing Data Scientist | Public Speaker

    91,168 followers

    🇨🇳🇺🇸 Chinese "kill switches" capable of crippling power grids have been found in equipment at US solar farms - The Times.

    The devices, including hidden cellular radios, were discovered in Chinese inverters used to connect solar panels and wind turbines to grids worldwide.

    ❗️ These hidden cellular radios could be activated remotely to cripple power grids in the event of a confrontation between China and the West. Engineers in American solar farms have found "kill switches" in Chinese-made components, which raised severe fears that Beijing might have the power to manipulate supplies or "physically destroy" grids across the US, #UK and #Europe, as per a report. Unauthorized communication devices were discovered inside some solar power inverters, reported Reuters. The devices, not mentioned in product documentation, were found by US experts who strip equipment hooked to grids to check for security issues.

    🔍 Currently, energy officials are trying to find the risks posed by the small communication devices in power inverters, which are an integral part of renewable energy systems that connect them to the power grid. Though inverters are made in a way that allows remote access for updates and maintenance, the utility companies using them usually install firewalls to prevent direct communication back to China.

    🎤 Former director of the #USA National #Security Agency, Mike Rogers, said, "We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption," adding, "I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue," quoted Daily Mail.

    In our endless efforts to reach #Sustainability goals by installing cheap solar panels, have we made our #Energy sectors vulnerable to outside forces who care not for the #environment in the slightest? #Journalism

  • Rafael Narezzi

    CEO | Co-Founder | Cybersecurity for Energy | MSc Cyber

    33,269 followers

    What happens if the panels powering your city are quietly spying on you?

    A recent discovery in the US—spyware embedded in solar panels, most of them sourced from China—should be front page news everywhere. But the silence is deafening.

    Australia gets over 90% of its solar panels from China. Europe? Not far behind. The price is good, the tech is slick, and everyone wants to go green, fast. But what if you’re not just buying clean energy, but also an invisible backdoor?

    Security used to mean locking the server room. Now it means checking if your grid has been compromised before the lights even turn on.

    This isn’t fearmongering. It’s a reminder that “cheap and easy” can have invisible costs—especially when critical infrastructure is on the line.

    If you’re in renewables, procurement, or national security: Are you ready to bet your country’s grid on an untrusted supply chain? Or will you start asking the tougher questions before the breach hits home?

    The future is bright—but only if we remember to keep an eye on what’s powering it. https://lnkd.in/eqxPYRKR

  • Jason Makevich, CISSP

    Founder & CEO of PORT1 & Greenlight Cyber | Keynote Speaker on Cybersecurity | Inc. 5000 Entrepreneur | Driving Innovative Cybersecurity Solutions for MSPs & SMBs

    7,061 followers

    AI-powered malware isn’t science fiction—it’s here, and it’s changing cybersecurity. This new breed of malware can learn and adapt to bypass traditional security measures, making it harder than ever to detect and neutralize.

    Here’s the reality: AI-powered malware can:
    👉 Outsmart conventional antivirus software
    👉 Evade detection by constantly evolving
    👉 Exploit vulnerabilities before your team even knows they exist

    But there’s hope. 🛡️ Here’s what you need to know to combat this evolving threat:
    1️⃣ Shift from Reactive to Proactive Defense → Relying solely on traditional tools? It’s time to upgrade. AI-powered malware demands AI-powered security solutions that can learn and adapt just as fast.
    2️⃣ Focus on Behavioral Analysis → This malware changes its signature constantly. Instead of relying on patterns, use tools that detect abnormal behaviors to spot threats in real time.
    3️⃣ Embrace Zero Trust Architecture → Assume no one is trustworthy by default. Implement strict access controls and continuous verification to minimize the chances of an attack succeeding.
    4️⃣ Invest in Threat Intelligence → Keep up with the latest in cyber threats. Real-time threat intelligence will keep you ahead of evolving tactics, making it easier to respond to new threats.
    5️⃣ Prepare for the Unexpected → Even with the best defenses, breaches can happen. Have a strong incident response plan in place to minimize damage and recover quickly.

    AI-powered malware is evolving. But with the right strategies and tools, so can your defenses. 👉 Ready to stay ahead of AI-driven threats? Let’s talk about how to future-proof your cybersecurity approach.

  • I was analysing this Remcos malware, and I noticed that it is using a digital signature associated with AnyDesk. This is a common tactic used by malware authors to bypass security controls and make their malicious software appear legitimate.

    Key Observations:
    • The malware is using an AnyDesk digital signature, likely to avoid detection by security tools.
    • This highlights the importance of verifying digital signatures and not assuming legitimacy based solely on a signature's presence.
    • Malware authors are increasingly using stolen or fraudulent certificates to enhance their attacks and bypass security controls.

    #MalwareAnalysis #DigitalSignature #CyberSecurity #Remcos #AnyDesk #ThreatDetection #Infosec #CertificateAbuse #Malware #CyberThreats #ThreatHunting #CodeSigning #InfoSecCommunity #MalwareResearch #SecurityControls #IncidentResponse

  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Threat Intelligence · Risk & Crisis Management · GRC · IT/OT · Threat Researcher | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    29,172 followers

    THREAT CAMPAIGN: HOW APT44 EMPLOYED TOR-BASED C2 AND SSH/RDP BACKDOORS VIA EMBEDDED POWERSHELL SCRIPT IN A TROJANIZED ACTIVATION TOOL

    ℹ️ Researchers detail a cyber espionage campaign by the Russian-linked Sandworm APT group (a.k.a. APT44), targeting Ukrainian Windows users. The attackers distribute trojanized Microsoft Key Management Service (KMS) activation tools and fake Windows updates to deliver a malware loader named BACKORDER, which subsequently deploys the Dark Crystal Remote Access Trojan (DcRAT). This malware enables the exfiltration of sensitive data and facilitates cyber espionage activities.

    ℹ️ Key Points:

    📍 DISTRIBUTION METHOD
    ■ The malicious KMS activators are disseminated through password-protected ZIP files on torrent platforms, masquerading as tools to bypass Windows licensing. This tactic exploits the prevalence of unlicensed software in Ukraine, where an estimated 70% of state sector software is unlicensed.

    📍 MALWARE FUNCTIONALITY
    ■ Upon execution, the fake activator presents a counterfeit Windows activation interface while the BACKORDER loader operates covertly. BACKORDER disables Windows Defender, adds exclusion rules, and employs Living Off the Land Binaries (LOLBINs) to evade detection.
    ■ It then downloads and executes DcRAT, which collects data such as screenshots, keystrokes, browser credentials, FTP credentials, system information, and saved credit card details. Persistence is maintained through scheduled tasks that regularly launch the malicious payload.

    📍 EMBEDDED POWERSHELL SCRIPT
    ■ Tor-based C2 enabled stealthy communication with infected hosts, obscuring attacker infrastructure and making detection difficult.
    ■ RDP backdoor setups ensured interactive control by enabling Remote Desktop, adding hidden user accounts, and modifying firewall rules to evade security monitoring.
    ■ OpenSSH deployment facilitated encrypted backdoor access, allowing attackers to bypass conventional authentication controls. This creates an additional remote channel for the attackers beyond the RDP backdoor.

    📍 ATTRIBUTION TO SANDWORM
    ■ The campaign is linked to Sandworm based on factors including the use of ProtonMail accounts in WHOIS records, overlapping infrastructure, consistent TTPs, and the reuse of BACKORDER, DcRAT, and TOR network mechanisms. Additionally, debug symbols referencing a Russian-language build environment further support this attribution.

    ℹ️ This operation underscores the risks associated with using pirated software, particularly in regions with high rates of unlicensed software usage. By embedding malware in widely used programs, adversaries can conduct large-scale espionage, data theft, and network compromise, posing significant threats to national security and critical infrastructure.

    Report: https://lnkd.in/dTZDcNHV

    #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
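The RDP backdoor setup summarised in the post (enable Remote Desktop, add a user, open the firewall, persist through a scheduled task) leaves a trail in standard Windows Security auditing, and the useful detection is the combination rather than any single event. The following is an added Python example, not code from the report or the post. It correlates constructed sample events per host: 4720 (user created), 4657 (registry value modified), 4946 (firewall rule added) and 4698 (scheduled task created) are the standard Windows audit event IDs; the `fDenyTSConnections` value name is the Terminal Server setting that enables RDP when set to 0; the JSON-lines layout, field names and 30-minute window are assumptions made for this example.

```python
"""Correlate Windows Security events into the RDP-backdoor-setup pattern.

Added example, not from the report or the post. Event IDs are the standard
Windows Security audit IDs; the event layout, field names and time window
are assumptions for this example. Adapt the field names to your SIEM schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), not real telemetry.
# WS-01 shows the full pattern inside a few minutes; WS-02 shows two
# unrelated admin actions hours apart, which must not fire.
SAMPLE_EVENTS = """
{"ts": "2025-02-10T09:00:05Z", "host": "WS-01", "event_id": 4720, "detail": "TargetUserName=svc_update"}
{"ts": "2025-02-10T09:01:10Z", "host": "WS-01", "event_id": 4657, "detail": "ObjectValueName=fDenyTSConnections NewValue=0"}
{"ts": "2025-02-10T09:01:12Z", "host": "WS-01", "event_id": 4946, "detail": "RuleName=Remote Desktop (TCP-In) Direction=Inbound"}
{"ts": "2025-02-10T09:02:40Z", "host": "WS-01", "event_id": 4698, "detail": "TaskName=Updater"}
{"ts": "2025-02-10T11:30:00Z", "host": "WS-02", "event_id": 4720, "detail": "TargetUserName=jdoe"}
{"ts": "2025-02-10T17:45:00Z", "host": "WS-02", "event_id": 4698, "detail": "TaskName=Backup"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def classify(event):
    """Map a raw event to one of the backdoor-setup signals, or None."""
    eid, detail = event["event_id"], event["detail"]
    if eid == 4720:
        return "account_created"
    if eid == 4657 and "fDenyTSConnections" in detail and "NewValue=0" in detail:
        return "rdp_enabled"
    if eid == 4946 and ("Remote Desktop" in detail or "3389" in detail):
        return "rdp_firewall_rule"
    if eid == 4698:
        return "scheduled_task"
    return None


def find_rdp_backdoor_setups(events, window=timedelta(minutes=30)):
    """Return {host: sorted signal names} for every host where RDP was enabled
    and at least two other setup signals occurred within `window` of it."""
    by_host = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        signal = classify(event)
        if signal:
            by_host.setdefault(event["host"], []).append((event["ts"], signal))
    hits = {}
    for host, signals in by_host.items():
        for t0, s0 in signals:
            if s0 != "rdp_enabled":
                continue
            near = {s for t, s in signals if abs(t - t0) <= window}
            if len(near) >= 3:
                hits[host] = sorted(near)
                break
    return hits


if __name__ == "__main__":
    for host, signals in find_rdp_backdoor_setups(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(signals)}")
```

Two caveats when wiring this to real telemetry: event 4657 only appears if "Audit Registry" is enabled and the Terminal Server key carries a SACL, so many environments will see the RDP enablement only through EDR registry telemetry instead; and a legitimate administrator performing the same four steps will also match, so the alert is a triage trigger, not a verdict.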

  • Dr. Kai-Philipp Kairies

    CEO at ACCURE Battery Intelligence

    22,582 followers

    >> Are hidden radios putting our clean-energy assets at risk? ⚠️

    According to a recent Reuters report, U.S. investigators have found “rogue communication devices”—undocumented cellular radios—inside some Chinese-made solar inverters and batteries, allowing them to punch straight through plant firewalls and potentially shut down or even damage equipment.

    Source: Reuters, “Ghost in the machine? Rogue communication devices found in Chinese inverters,” 14 May 2025. Link at the end of the post.

    Mike Rogers, a former NSA Director, put it plain and simple: “China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption.”

    Why it matters
    📈 Sheer exposure: Chinese firms supply about 70% of global PV inverters and almost 80% of lithium-ion batteries—including much of the PCS hardware that ties BESS to the grid.
    🪫 Grid vulnerability made real: The Iberian blackout last month reminded us how cascading faults can ripple across interconnected networks. Add a deliberate remote shutdown and the stakes multiply.

    A bipartisan U.S. bill has already proposed banning federal purchases of Chinese batteries by 2027; utilities and regulators on both sides of the Atlantic are now scrutinising inverter firmware and potentially hidden radios.

    What do you think - Is the energy industry ignoring real risks to our grid stability, or could this be just a misunderstanding? After all, modern inverters are incredibly complex gadgets with layers upon layers of interconnected systems... https://lnkd.in/eFaZc_pK

  • 🔍 Adrian Taylor

    Threat‑Led Resilience Advisor | Cyber Strategy for Boards & CISOs | vCISO | Helping leaders simplify complexity and build sustainable resilience

    5,857 followers

    🚨 APT28 introduces LLM-powered malware: LAMEHUG

    CERT-UA has just published details of a new campaign targeting Ukraine’s defence and security sector. The malware, dubbed LAMEHUG, is particularly noteworthy: it integrates a large language model (Qwen-2.5-Coder-32B-Instruct via Hugging Face API) directly into its operations. Instead of relying solely on hard-coded commands, the malware sends natural-language prompts to the LLM, which then generates system commands on the fly – enabling reconnaissance, file discovery, and data staging for exfiltration. Stolen data is then pushed out via SFTP or HTTP POST to attacker-controlled servers.

    This represents an interesting – and concerning – evolution in tradecraft:
    ♦️ Adversaries are co-opting legitimate AI services to increase flexibility and evade static detections.
    ♦️ Outbound traffic to trusted platforms (like Hugging Face) can mask malicious activity.
    ♦️ The use of LLMs in malware may reduce development time and increase adaptability mid-campaign.

    📌 Takeaways for defenders:
    🔍 Monitor for unusual API calls to LLM providers from endpoints.
    🔍 Treat external AI integrations as you would any third-party service – apply the same scrutiny and controls.
    🔍 Phishing remains the initial vector: user awareness and attachment filtering still matter.

    This is likely just the beginning of adversaries experimenting with AI in offensive operations. https://lnkd.in/eugZtYar #aisecurity #dfir #cti
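The first defender takeaway above, monitoring LLM API calls from endpoints, is straightforward to express as a rule once you have per-process egress telemetry: the API hosts are well known, so the question is which process on which host is calling them, and whether bulk egress to somewhere else follows (the post notes the stolen data leaves via SFTP or HTTP POST). The block below is an added Python example, not code from CERT-UA or the post. Its key=value log layout, process allowlist, LLM host list, size threshold and 15-minute window are all assumptions chosen for the example, and the sample lines are constructed.

```python
"""Flag LLM API use from unexpected processes, then check for follow-up bulk egress.

Added example, not from the CERT-UA report or the post. The egress log layout,
the allowlist, the API host list and the thresholds are assumptions for this
example; map the fields to your proxy or EDR network telemetry.
"""
from datetime import datetime, timedelta

# Hosts serving LLM inference APIs (illustrative; extend for your environment).
LLM_API_HOSTS = {
    "api-inference.huggingface.co",
    "api.openai.com",
    "api.anthropic.com",
}
# Processes expected to talk to those APIs (assumption: browsers only).
APPROVED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample egress log, not real telemetry. 203.0.113.0/24 is a
# documentation range; "Update.exe" is a made-up process name.
SAMPLE_LOG = """\
2025-07-17T10:02:11Z host=WS-07 proc=msedge.exe dest=api.openai.com:443 bytes_out=1530
2025-07-17T10:05:42Z host=WS-12 proc=Update.exe dest=api-inference.huggingface.co:443 bytes_out=2210
2025-07-17T10:06:03Z host=WS-12 proc=Update.exe dest=api-inference.huggingface.co:443 bytes_out=1975
2025-07-17T10:09:30Z host=WS-12 proc=Update.exe dest=203.0.113.45:22 bytes_out=5242880
2025-07-17T10:15:00Z host=WS-03 proc=chrome.exe dest=api.anthropic.com:443 bytes_out=900
2025-07-17T10:20:00Z host=WS-09 proc=curl.exe dest=api.openai.com:443 bytes_out=400
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    dest_host, _, dest_port = rec["dest"].rpartition(":")
    rec["dest_host"], rec["dest_port"] = dest_host, int(dest_port)
    rec["bytes_out"] = int(rec.get("bytes_out", 0))
    return rec


def looks_like_bulk_egress(rec, llm_hosts):
    """Large upload, or an SSH/SFTP session, to a host that is not the API itself."""
    return rec["dest_host"] not in llm_hosts and (
        rec["dest_port"] == 22 or rec["bytes_out"] >= 1_000_000
    )


def find_llm_api_anomalies(lines, approved=APPROVED_PROCESSES,
                           llm_hosts=LLM_API_HOSTS, window=timedelta(minutes=15)):
    """One finding per (host, process) that calls an LLM API without being approved.
    followup_egress is True when the same host shows bulk egress within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    findings = {}
    for i, ev in enumerate(events):
        if ev["dest_host"] not in llm_hosts or ev["proc"] in approved:
            continue
        key = (ev["host"], ev["proc"])
        if key in findings:
            continue  # report the first call; later ones are the same story
        later = [r for r in events[i + 1:]
                 if r["host"] == ev["host"] and r["ts"] - ev["ts"] <= window]
        findings[key] = {
            "host": ev["host"],
            "proc": ev["proc"],
            "llm_host": ev["dest_host"],
            "first_seen": ev["ts"].isoformat(),
            "followup_egress": any(looks_like_bulk_egress(r, llm_hosts) for r in later),
        }
    return [findings[k] for k in sorted(findings)]


if __name__ == "__main__":
    for finding in find_llm_api_anomalies(SAMPLE_LOG.splitlines()):
        print(finding)
```

The allowlist is the part that needs local tuning: developer workstations running SDKs and IDE assistants will legitimately hit these hosts from non-browser processes, so the useful baseline is per host group rather than one global list, and the follow-up egress check is what lifts a finding from "unusual" to "investigate now".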

  • Aditya Goel

    Entrepreneur. Building Businesses.

    24,066 followers

    This is eye opening, if what is mentioned is true.

    - U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said.
    - Chinese companies are required by law to cooperate with China's intelligence agencies, giving the government potential control over Chinese-made inverters connected to foreign grids, experts said.
    - The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.
    - "Ten years ago, if you switched off the Chinese inverters, it would not have caused a dramatic thing to happen to European grids, but now the critical mass is much larger," 1KOMMA5° Chief Executive Philipp Schröder said.
    - “China's dominance is becoming a bigger issue because of the growing renewables capacity on Western grids and the increased likelihood of a prolonged and serious confrontation between China and the West," he said.
    - The European Solar Manufacturing Council estimates over 200 GW of European solar power capacity is linked to inverters made in China - equivalent to more than 200 nuclear power plants.
    - “If you remotely control a large enough number of home solar inverters, and do something nefarious at once, that could have catastrophic implications to the grid for a prolonged period of time," said Uri Sadot, cyber security program director at Israeli inverter manufacturer SolarEdge Technologies.
    - In November, solar power inverters in the U.S. and elsewhere were disabled from China, highlighting the risk of foreign influence over local electricity supplies and causing concern among government officials, three people familiar with the matter said.
    - The incident led to a commercial dispute between inverter suppliers S** - **k and D**e, the people said.
    - NATO, the 32-country Western security alliance, said China's efforts to control member states' critical infrastructure - including inverters - were intensifying. "We must identify strategic dependencies and take steps to reduce them," said a NATO official.

    Ministry of New and Renewable Energy (MNRE) Reuters - The Hindu - NATO

  • Ajay Yadav

    President @ Renewable Energy Association of Rajasthan (REAR®) | Solar Energy Leader | Director @ Wattscore® | Advancing Rajasthan’s RE Future | Rooftop Solar | ESG | Net Zero | Carbon Trading | Green Energy Open Access

    41,491 followers

    Hidden Threats in Our Solar Systems: Time to Wake Up

    Engineers in U.S. solar farms have discovered unauthorized communication devices hidden inside Chinese-made inverters. These "kill switches" could allow remote shutdowns, blackouts, or even physical damage to the power grid.

    As nations ramp up renewable energy adoption, are we unknowingly handing control of critical infrastructure to foreign powers? Security experts are calling for immediate reviews. The UK has already urged a pause and audit of imported green tech.

    Clean energy should empower nations—not leave them vulnerable. Should we rethink how and where we source our renewable tech? Let’s talk about balancing climate goals with national security.

    #EnergySecurity #SolarPower #Renewables #CyberSecurity #NationalSecurity #China #Inverters #GridSafety #CleanEnergy #Geopolitics

  • 🛡️ Jay Kerai

    Cybersecurity Automation Architect ∫ Microsoft MVP ∫ MSc. Cybersecurity & Artificial Intelligence ∫ Devfender ∫ 66x Microsoft Certified

    10,590 followers

    🏹 Hunting #Suspicious Signed Executables with the Malware Bazaar code signing block list

    I've noticed an increasing trend of #malware moving to signed binaries to appear more legitimate (or stealing a code #signing #certificate and using this as a means of evading defenses). I tried to track some manually on GitHub but this proved to be an overwhelming task and decided to look at more scalable options.

    Malware Bazaar maintains a list of code signing certificates used by #Threat actors; we can ingest this as #KQL and look for the signers/issuers across our #MDE estate. This proves to be a much more scalable way of #hunting. As you can probably guess I am a big fan of augmenting KQL with externaldata. Got another upcoming post on another cool free feature of MalwareBazaar 😎

        // Pull the abuse.ch code signing certificate blocklist straight into the query
        let CodeSigningBlockList = externaldata (line: string) [@'https://bazaar.abuse.ch/export/csv/cscb/'] with (format=txt, ignoreFirstRecord=true);
        CodeSigningBlockList
        | where line !startswith "#"                                   // skip comment/header lines
        | extend all = split(replace_string(line, @'"', ""), ',')     // easier than parse line
        | extend CertificateSerialNumber = tostring(all[1])
        | extend SignerHash = tostring(all[2])                        // Thumbprint, may not be same algorithm in both tables
        | extend Signer = tostring(all[4])
        | extend Issuer = tostring(all[5])
        | project-away line, all
        | join DeviceFileCertificateInfo on Signer                    // Join unique records to DeviceFileCertificateInfo events, showing results if the cert has been seen by MDE
        //| join kind=leftouter DeviceProcessEvents on SHA1
        //| join kind=leftouter DeviceFileEvents on SHA1

    #Sentinel #Cyber #ThruntAndChill #Cybersecurity #SOC #SIEM #Microsoft
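The two certificate posts above make one combined point: the Remcos sample carried an AnyDesk-associated signature, so a signature's presence proves nothing, and the KQL hunt turns that into a routine check by joining endpoint certificate telemetry against the Malware Bazaar blocklist. The block below is an added Python example of the same join, not the post's KQL and not code from abuse.ch or Microsoft. It assumes the CSV column order the KQL indices imply (first_seen_utc, cert_serial_number, thumbprint, thumbprint_algorithm, subject, issuer, ...; verify against the header of the live export), uses the same column names as MDE's DeviceFileCertificateInfo for the endpoint records, and constructs both the blocklist rows and the endpoint records inline.

```python
"""Match signed-file certificate telemetry against a code signing certificate blocklist.

Added example, not the post's KQL and not abuse.ch's or Microsoft's code. The CSV
column order is an assumption taken from the KQL indices; the sample rows and the
endpoint records are constructed for this example.
"""
import csv

# Constructed sample of the blocklist export in the assumed layout. The first
# subject deliberately contains a comma: a split(',') after stripping quotes,
# as the KQL does, would shift that row's issuer into the wrong column.
SAMPLE_BLOCKLIST_CSV = '''\
# Code signing certificate blocklist (constructed sample)
# first_seen_utc,cert_serial_number,thumbprint,thumbprint_algorithm,subject,issuer,sha256_hash
"2025-01-15 08:12:44","0a1b2c3d4e5f60718293a4b5c6d7e8f9","1111111111111111111111111111111111111111","SHA1","Example Remote Tools, Ltd.","Example Code Signing CA","aaaa"
"2025-02-02 14:00:01","00ff00ff00ff00ff","2222222222222222222222222222222222222222","SHA1","Contoso Software GmbH","Example Code Signing CA","bbbb"
'''

# Constructed endpoint records using DeviceFileCertificateInfo column names.
SAMPLE_CERT_EVENTS = [
    # same serial as blocklist row 1: this is the blocklisted certificate itself
    {"SHA1": "a" * 40, "Signer": "Example Remote Tools, Ltd.",
     "Issuer": "Example Code Signing CA",
     "CertificateSerialNumber": "0A1B2C3D4E5F60718293A4B5C6D7E8F9"},
    # same subject and issuer as row 2 but a different serial: the vendor's
    # other (possibly legitimate) certificate, worth triage but not an alert
    {"SHA1": "b" * 40, "Signer": "Contoso Software GmbH",
     "Issuer": "Example Code Signing CA",
     "CertificateSerialNumber": "1234567890abcdef"},
    # unrelated signer
    {"SHA1": "c" * 40, "Signer": "Fabrikam Inc.", "Issuer": "Other CA",
     "CertificateSerialNumber": "deadbeef"},
]


def normalize_serial(serial):
    """Lower-case hex with separators and leading zeros removed, so the blocklist
    and endpoint telemetry compare equal regardless of how each formats serials."""
    return serial.lower().replace(":", "").replace(" ", "").lstrip("0")


def load_blocklist(text):
    """Parse the export with a real CSV reader so quoted commas survive."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    entries = []
    for cols in csv.reader(rows):
        if len(cols) < 6:
            continue
        entries.append({
            "serial": normalize_serial(cols[1]),
            "thumbprint": cols[2].lower(),
            "thumbprint_algorithm": cols[3],
            "subject": cols[4],
            "issuer": cols[5],
        })
    return entries


def match_certificates(records, blocklist):
    """Return one finding per endpoint record that matches the blocklist.

    A serial-number match identifies the exact blocklisted certificate (high
    confidence). A subject+issuer match only says a certificate with that name
    has been abused, which also fires for the vendor's legitimate certificates,
    so it is reported as low confidence for triage rather than as an alert."""
    by_serial = {e["serial"]: e for e in blocklist}
    by_name = {(e["subject"], e["issuer"]): e for e in blocklist}
    findings = []
    for rec in records:
        serial = normalize_serial(rec["CertificateSerialNumber"])
        if serial in by_serial:
            findings.append({"SHA1": rec["SHA1"], "Signer": rec["Signer"],
                             "match": "serial", "confidence": "high"})
        elif (rec["Signer"], rec["Issuer"]) in by_name:
            findings.append({"SHA1": rec["SHA1"], "Signer": rec["Signer"],
                             "match": "subject", "confidence": "low"})
    return findings


if __name__ == "__main__":
    for finding in match_certificates(SAMPLE_CERT_EVENTS, load_blocklist(SAMPLE_BLOCKLIST_CSV)):
        print(finding)
```

Two points carry back to the KQL: joining on `Signer` alone, as the query does, will also return every file signed by the vendor's legitimate certificates, so keeping the serial-number match separate tells you which hits are the stolen certificate itself; and the `thumbprint_algorithm` column is what decides whether the blocklist thumbprint can be compared with MDE's SHA1 thumbprint, which is the caveat the query's own comment raises.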
