< ciso brief />

All news with #trellix tag

9 articles

RansomHouse Claims Breach of Trellix Source Code Repository

🔒 RansomHouse has claimed responsibility for last week's intrusion into Trellix's source code repository, publishing a small set of images as proof of access to the vendor's appliance management system. Trellix confirmed unauthorized access on May 1 and said it immediately engaged leading forensic experts and notified law enforcement. The company reported no evidence so far that its source code release or distribution process was affected and continues to investigate.

Trellix confirms unauthorized access to source code

🔒 Trellix disclosed on May 4 that threat actors gained unauthorized access to a portion of its source code repository and that it has notified law enforcement while working with leading forensic experts. The company, formed from the merger of McAfee Enterprise and FireEye, said it has found no evidence that its source code release or distribution process was affected or exploited. Trellix sells threat intelligence and AI-powered detection services including NDR and EDR and will share further details once the investigation concludes.

Trellix Confirms Source Code Repository Breach Disclosure

🔒 Trellix disclosed unauthorized access to a portion of its source code repository and says it is working with outside forensic experts to investigate the incident. The company reports it has found no evidence so far that the accessed code was altered or exploited, or that its release and distribution processes were affected, and it has notified law enforcement. Trellix intends to share further details as appropriate once the investigation concludes. Formed from McAfee Enterprise and FireEye, Trellix protects over 200 million endpoints and serves more than 50,000 customers, and this event follows recent breaches at other security vendors.

Trellix Confirms Unauthorized Access to Source Code

🔐 Trellix has confirmed an incident that allowed unauthorized access to a portion of its source code repository. The company said it recently identified the compromise, engaged leading forensic experts, and notified law enforcement while pursuing an internal investigation. Trellix did not disclose the specific data accessed or an attribution, but stated there is currently no evidence that its source code was released, distributed, or exploited. Additional information will be shared as the investigation progresses.

Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a legitimately signed but vulnerable driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. The researchers advise blocking vulnerable drivers, scanning for the campaign's artifacts, restricting execution from removable media, enforcing least privilege, and applying relevant patches.

Cryptojacking Campaign Uses Signed Driver to Boost Monero

🛡️ Trellix uncovered a multi-stage cryptojacking campaign that spreads via pirated software installers and deploys a customized XMRig miner alongside a stateful controller. The dropper installs a primary controller process named Explorer.exe and multiple watchdog processes for persistence, with a hardcoded expiry of December 23, 2025. Attackers load a signed vulnerable driver (WinRing0x64.sys, CVE-2020-14979) to gain kernel access and disable CPU prefetchers, boosting Monero RandomX performance by an estimated 15–50%. Researchers observed connections to the Kryptex pool and recommend enabling Microsoft's vulnerable driver blocklist, restricting USB access, and blocking known mining pool traffic.

Phishing Uses Browser-in-the-Browser to Steal Facebook

🔒 Cybercriminals are increasingly using browser-in-the-browser (BitB) attacks to harvest Facebook credentials, researchers at Trellix report. Attackers distribute phishing emails with spoofed, shortened links and present a fake in-browser pop-up that mimics the Facebook login, even rendering the genuine Facebook URL in the pop-up's fake address bar and displaying a bogus CAPTCHA to boost credibility. Victims are prompted for personal details and then asked to confirm their password; enabling two-factor authentication and avoiding embedded links can mitigate these scams.

Facebook Login Thieves Adopt Browser-in-Browser Trick

🔐 Over the past six months, threat actors have increasingly used the Browser-in-the-Browser (BitB) technique to harvest Facebook credentials, according to Trellix. Attacks display realistic fake login pop-ups implemented with iframes and often leverage URL shorteners and reputable cloud hosts like Netlify and Vercel to evade detection. Campaigns impersonate law firms, copyright notices, and Meta security alerts, adding counterfeit CAPTCHA pages to increase legitimacy. To reduce risk, avoid embedded links, enable two-factor authentication, and try dragging a login pop-up outside the browser window: a genuine pop-up is a separate window and moves freely, while a BitB iframe is page content and cannot leave the browser's viewport.
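The two BitB items above describe the same tell: a real pop-up shows its URL in browser chrome, which page content cannot draw, so a BitB kit writes the genuine facebook.com address into the page body as text and serves the credential form from its own host inside an iframe. The following is an added example (not Trellix's code) of a static scan for that tell over a saved phishing page; the HTML and hostnames in it are constructed for the demo and are hypothetical.

```python
"""Static scan of a saved page for browser-in-the-browser (BitB) tells.

Added example, not Trellix's code. Both sample pages and all hostnames below are
constructed. Two static indicators are checked:
  1. URL-looking text naming a host the page is not actually served from
     (the fake address bar of the drawn "window").
  2. An <iframe> whose real host differs from the host that text claims.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def same_site(a, b):
    """Loose same-site check: ignore a leading 'www.' and allow subdomains."""
    a = a.lower().removeprefix("www.")
    b = b.lower().removeprefix("www.")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class BitbScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.iframe_hosts = []     # where embedded frames really load from
        self.displayed_hosts = []  # hosts named by URL-looking text in the page body

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            # a relative src loads from the page's own host
            self.iframe_hosts.append((urlparse(src).hostname or self.page_host).lower())

    def handle_data(self, data):
        for token in data.split():
            if token.startswith(("http://", "https://")):
                host = urlparse(token).hostname
                if host:
                    self.displayed_hosts.append(host.lower())


def scan_for_bitb(html, page_host):
    """Return a list of human-readable findings; an empty list means no BitB tell."""
    parser = BitbScanner(page_host)
    parser.feed(html)
    findings = []
    for shown in dict.fromkeys(parser.displayed_hosts):  # de-duplicate, keep order
        if not same_site(shown, page_host):
            findings.append(f"page on {page_host} draws '{shown}' as address-bar-like text")
        for framed in dict.fromkeys(parser.iframe_hosts):
            if not same_site(shown, framed):
                findings.append(f"text claims {shown} but an iframe loads from {framed}")
    return findings


# Constructed HTML in the shape of a BitB kit: fake window chrome drawn in the
# page body, genuine Facebook URL as plain text, form framed from the kit's host.
SAMPLE_BITB = """
<div class="fake-window">
  <div class="titlebar">Log in to Facebook</div>
  <div class="urlbar">https://www.facebook.com/login.php</div>
  <iframe src="https://copyright-appeal-center.netlify.app/login.html"></iframe>
</div>
"""

# Constructed benign page: the URL text matches the host the page is served from.
SAMPLE_BENIGN = """
<p>Need help? See https://www.facebook.com/help/</p>
<form action="/login.php"><input name="email"><input name="pass" type="password"></form>
"""

if __name__ == "__main__":
    for finding in scan_for_bitb(SAMPLE_BITB, "copyright-appeal-center.netlify.app"):
        print("BitB tell:", finding)
    print("benign findings:", scan_for_bitb(SAMPLE_BENIGN, "www.facebook.com"))
```

The scan is a triage aid for a page you have already saved, not a replacement for the user-side test in the article: a pop-up that cannot be dragged outside the browser window is page content, whatever its drawn address bar says.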

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear-phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side-loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.
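Two of the techniques summarized above are detectable from endpoint image-load telemetry: the BYOVD driver load in the XMRig items (a validly signed driver is loaded, so a signature check alone never catches it) and the side-loading in the SideWinder item (a signed executable loads a DLL from its own directory that carries no signature, or a different signer). The following is an added example, not Trellix's rules or any product's logic, of both checks written against Sysmon's field names for Event ID 6 (DriverLoad) and Event ID 7 (ImageLoad). Events are plain dicts, and every sample path, hostname and signer string is constructed for the demo.

```python
"""Two Sysmon-style detections, added here as an example (not Trellix's rules):
  - byovd_rule:    Event ID 6 DriverLoad of a known-vulnerable driver name.
  - sideload_rule: Event ID 7 ImageLoad where a signed EXE outside trusted
                   directories loads a DLL from its own directory that is
                   unsigned or signed by someone else.
Events are dicts using Sysmon's field names; all sample values are constructed.
"""
import ntpath  # Windows path handling, works on any host OS

# Driver file names from the campaign described above. Extend from Microsoft's
# recommended driver block rules or LOLDrivers. Hashes are the stronger key
# (attackers rename files) but are left out rather than invented here.
VULNERABLE_DRIVER_NAMES = {"winring0x64.sys", "winring0.sys"}

# Directories where a signed binary loading a same-directory DLL is routine.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)


def is_validly_signed(ev):
    return ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def byovd_rule(ev):
    """Flag a vulnerable driver regardless of its signature: the driver is
    legitimately signed, which is the whole point of BYOVD, so only name/hash
    blocklisting (or HVCI plus the Microsoft vulnerable driver blocklist) stops it."""
    if ev.get("EventID") != 6:
        return None
    name = ntpath.basename(ev.get("ImageLoaded", "")).lower()
    if name in VULNERABLE_DRIVER_NAMES:
        return f"BYOVD: vulnerable driver {name} loaded from {ev['ImageLoaded']} (signed={ev.get('Signed')})"
    return None


def sideload_rule(ev, exe_signers):
    """exe_signers maps lowercase EXE path -> signer, learned from the Event ID 7
    record in which the process loads its own executable (ImageLoaded == Image)."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not dll.lower().endswith(".dll"):
        return None
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return None  # only same-directory loads look like side-loading
    if exe.lower().startswith(TRUSTED_DIR_PREFIXES):
        return None
    exe_signer = exe_signers.get(exe.lower())
    if exe_signer is None:
        return None  # unsigned EXE: not the signed-lure pattern this rule targets
    dll_signer = ev.get("Signature") if is_validly_signed(ev) else None
    if dll_signer != exe_signer:
        return f"SIDELOAD: {exe} (signed by {exe_signer}) loaded {dll} (DLL signer={dll_signer})"
    return None


def run_rules(events):
    """Two passes: learn EXE signers from self-load events, then evaluate rules."""
    exe_signers = {}
    for ev in events:
        if ev.get("EventID") == 7 and ev.get("Image", "").lower() == ev.get("ImageLoaded", "").lower():
            if is_validly_signed(ev):
                exe_signers[ev["Image"].lower()] = ev.get("Signature")
    alerts = []
    for ev in events:
        for hit in (byovd_rule(ev), sideload_rule(ev, exe_signers)):
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (paths and signer strings are hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Libs\WinRing0x64.sys",
     "Signed": "true", "Signature": "Driver Publisher (constructed)", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # a validly signed vendor EXE dropped into a user directory...
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Notice\vendor_tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Notice\vendor_tool.exe",
     "Signed": "true", "Signature": "Vendor A (constructed)", "SignatureStatus": "Valid"},
    # ...loads an unsigned DLL sitting next to it
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Notice\vendor_tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Notice\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # ...and a system DLL from elsewhere, which is not side-loading
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Notice\vendor_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Expect false positives from the side-loading rule on legitimate software that ships third-party DLLs outside Program Files; tune the trusted prefixes per estate. For prevention rather than detection, Microsoft documents turning on the vulnerable driver blocklist with the DWORD `VulnerableDriverBlocklistEnable` = 1 under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` (on by default where HVCI or Smart App Control is enabled), which is the control the XMRig write-ups above recommend.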