{"id":181109,"date":"2026-01-23T12:52:00","date_gmt":"2026-01-23T17:52:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/23\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4\/"},"modified":"2026-01-24T00:20:15","modified_gmt":"2026-01-24T05:20:15","slug":"the-good-the-bad-and-the-ugly-in-cybersecurity-week-4","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/23\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4\/","title":{"rendered":"The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 4"},"content":{"rendered":"<p><a href=\"https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4-7\/\">The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 4<\/a><\/p>\n<p><a href=\"https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4-7\/\">https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4-7\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-23 12:52:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.sentinelone.com\">www.sentinelone.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>The Good | Authorities Expose RaaS Leaders, Prosecute Identity Hackers &#038; Tighten EU Cybersecurity Rules<br \/>\nLaw enforcement in Ukraine and Germany has moved to dismantle the Black Basta ransomware gang, confirming the identity of its leader and placing him on the Europol and Interpol wanted lists. 
Identified as Oleg Evgenievich Nefedov, the Russian national is also known online as kurva, Washington, and S.Jimmi.<br \/>\nPolice have also arrested two alleged Black Basta affiliates accused of breaching networks, cracking credentials, escalating privileges, and preparing ransomware attacks.<br \/>\nInvestigators also link Nefedov, in a secondary role, to the now-defunct Conti syndicate, confirming Black Basta\u2019s evolution into a major ransomware-as-a-service (RaaS) operation responsible for hundreds of extortion incidents since 2022.<br \/>\nPolice raid residence of suspected affiliates (Source: cyberpolice.gov.ua)<br \/>\nIn the United States, Nicholas Moore has pleaded guilty to breaching electronic filing systems tied to the Supreme Court of the United States, AmeriCorps, and the Department of Veterans Affairs. Prosecutors note that he repeatedly accessed the Supreme Court\u2019s restricted system in 2023 using stolen credentials. He also breached AmeriCorps and veterans\u2019 accounts, stealing and leaking sensitive personal and health data. Moore took to Instagram under the account @ihackedthegovernment to post screenshots of his victims\u2019 information. He has since confessed to one count of computer fraud, punishable by one year in prison and a $100,000 fine.<br \/>\nNew cybersecurity legislation proposed by the European Commission mandates the removal of high-risk suppliers from telecom networks and the shoring up of defenses against state-backed and criminal cyber threats targeting critical infrastructure. The plan responds to shortcomings in the EU\u2019s voluntary 5G Security Toolbox, originally designed to limit members\u2019 reliance on high-risk vendors. 
It also grants the Commission authority to coordinate EU-wide risk assessments across 18 critical sectors, strengthens ICT supply chain security, and streamlines voluntary certification schemes to improve resilience and technological sovereignty.<br \/>\nThe Bad | Contagious Interview Attackers Leverage Visual Studio Code to Deploy Backdoors<br \/>\nDPRK-linked threat actors behind the ongoing Contagious Interview campaign are evolving their tactics by using malicious Microsoft Visual Studio Code projects to deliver backdoors.<br \/>\nIn new research, the attackers are seen masquerading as recruiters conducting job assessments, instructing targets to clone repositories from platforms like GitHub and open them in VS Code. Once the project is opened, a specially crafted task configuration file executes automatically, fetching obfuscated JavaScript payloads hosted on Vercel domains and deploying multi-stage malware.<br \/>\nAfter the user grants trust in VS Code, its tasks.json file can automatically run embedded commands (Source: Jamf)<br \/>\nThis novel technique, first seen last month, leverages VS Code\u2019s runOn: folderOpen feature to trigger execution whenever a project is accessed. Earlier variants delivered the BeaverTail and InvisibleFerret implants, while newer versions disguise droppers as benign spell-check dictionaries to achieve remote code execution.<br \/>\nAs part of the final payload, the backdoor logic establishes a continuous execution loop that harvests basic host information and fingerprints the system before executing attacker-supplied code. In some cases, additional scripts are downloaded minutes later to beacon frequently to a remote server, run further commands, and erase traces of activity. 
Researchers note that parts of the malware may be AI-assisted, judging by its code structure and inline comments.<br \/>\nTargets are typically software engineers, especially those working in the cryptocurrency, blockchain, and fintech sectors, where access to source code, credentials, and digital assets is valuable. Parallel research shows similar abuse of VS Code tasks to deploy backdoors, cryptominers, and credential-stealing modules via multiple fallback methods.<br \/>\nDPRK-based threat actors are rapidly experimenting with various delivery methods to increase the success of their attacks. Developers can counter the threat by continuing to scrutinize third-party repositories, carefully reviewing task configurations, and installing only trusted dependencies.<br \/>\nThe Ugly | Attackers Target Misconfigured Training Apps to Access Cloud Environments<br \/>\nThreat actors are targeting misconfigured web applications like DVWA and OWASP Juice Shop to infiltrate the cloud environments of Fortune 500 companies and their security vendors.<br \/>\nThese intentionally vulnerable apps, designed for security training and internal testing, are exposed publicly and tied to privileged cloud accounts, creating a perfect storm of risks that favors attackers. Researchers have found nearly 2,000 live, exposed apps, many linked to overly permissive identity and access management (IAM) roles on AWS, GCP, and Azure, often using default credentials.<br \/>\nAttackers are leveraging the apps to deploy crypto miners, webshells, and persistence mechanisms. 
About 20% of the DVWA instances found contain malicious artifacts, including XMRig cryptocurrency miners and a self-restoring watchdog.sh script that downloads additional AES-256-encrypted tools and removes competing miners.<br \/>\nPHP webshells like filemanager.php are also being deployed, allowing file operations and command execution, sometimes with indicators hinting at the operators\u2019 origin.<br \/>\nXMRig mining Monero to xmr[.]kryptex[.]network resulting in the attacker keeping 100% of the proceeds (Source: Pentera)<br \/>\nThese exposed credentials could give attackers full access to S3 buckets, GCS, and Azure Blob Storage, meaning attackers have read and write permissions to Secrets Manager, can interact with container registries, and can obtain admin cloud privileges.<br \/>\nWith these attacks active in the wild, organizations are urged to take steps to minimize their risk profile. Key defenses include maintaining a resource inventory, isolating test environments, and enforcing least-privilege IAM roles. 
By also replacing default credentials and automating resource expiration, organizations can eliminate systemic blind spots in non-production systems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 4 https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-4-7\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":181110,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.sentinelone.com\/wp-content\/uploads\/2026\/01\/GBU_week4_2026_1.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,32],"class_list":["post-181109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181109"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=181109"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181109\/revisions"}],"predecessor-version":[{"id":181111,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/181109\/revisions\/181111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/181110"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=181109"}],"wp:term":[{"taxonomy":"cate
gory","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=181109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=181109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}