< ciso brief />

All news with #trend micro tag

32 articles

Trend Micro Apex One zero-day exploited in attacks

πŸ›‘οΈ Trend Micro disclosed a zero-day in its Apex One on-premises server (CVE-2026-34926), a directory traversal flaw that can let a local attacker with administrative access inject malicious code to be deployed to agents. The vendor noted the bug is restricted to on-prem installations and requires prior admin credentials, but observed at least one attempted exploitation in the wild. CISA added the vulnerability to its actively exploited list and ordered federal agencies to patch by June 4, while Trend Micro also released fixes for seven related SEP agent privilege escalation issues.

Quasar Linux RAT Targets Developers' Credentials, Pipelines

🔒 Trend Micro researchers disclosed a previously undocumented Linux implant dubbed Quasar Linux RAT (QLNX) that targets developer and DevOps credentials to establish a stealthy foothold. The fileless loader masquerades as kernel threads, erases logs, and persists via seven or more mechanisms such as systemd units, crontab entries and .bashrc injection. Its credential harvester extracts secrets from high-value files including .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json and .env, enabling registry poisoning, cloud access or CI/CD pivoting. QLNX also installs PAM inline-hook backdoors, a userland LD_PRELOAD rootkit and an eBPF kernel component to hide artifacts, while supporting 58 remote commands and data exfiltration.

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro's analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP and HTTPS, with TLS available on the TCP and HTTPS channels. Trend Micro has published IOCs and applied protections for Trend Vision One customers.

Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.
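The three Quasar Linux items above describe the same host-level tradecraft: userland processes masquerading as kernel threads, an LD_PRELOAD rootkit, and persistence planted in shell rc files. The script below is an added example that hunts for those three artifacts on a Linux host; it is not Trend Micro's code or its published IOCs, and the heuristics (kernel-thread parent check, /etc/ld.so.preload classification, rc-file patterns) and the sample data are this example's own assumptions.

```python
"""Hunt for QLNX-style artifacts on a Linux host: processes named like kernel
threads that have a userland parent or a real executable, /etc/ld.so.preload
entries, and persistence lines in shell rc files. Added example; heuristics
and sample data are assumptions, not Trend Micro's detection content."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
KERNEL_NAME = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|rcu_|migration|kswapd)")
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # Name field of /proc/<pid>/status
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when there is no target


def find_fake_kernel_threads(procs: Iterable[Proc]) -> List[Proc]:
    """A real kernel thread has PPID 2 and no /proc/<pid>/exe target. A process
    that borrows a kernel-thread name but fails either test is userland code
    hiding in `ps` output."""
    hits = []
    for p in procs:
        if p.pid == KTHREADD_PID or not KERNEL_NAME.match(p.comm):
            continue
        if p.ppid != KTHREADD_PID or p.exe is not None:
            hits.append(p)
    return hits


def check_ld_preload(content: str) -> List[Tuple[str, str]]:
    """Classify each entry of /etc/ld.so.preload. The file is normally absent or
    empty, so every entry deserves review; hidden names and libraries outside
    the system library directories are the strongest signals."""
    findings = []
    for raw in content.splitlines():
        path = raw.split("#", 1)[0].strip()
        if not path:
            continue
        if os.path.basename(path).startswith("."):
            findings.append((path, "hidden filename"))
        elif not path.startswith(SYSTEM_LIB_DIRS):
            findings.append((path, "outside system library directories"))
        else:
            findings.append((path, "preload entry present"))
    return findings


RC_PATTERNS = [
    (re.compile(r"\bLD_PRELOAD="), "LD_PRELOAD export"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"(/dev/shm/|/tmp/\.|/var/tmp/\.)"), "payload in a temp directory"),
    (re.compile(r"\bnohup\b.*&\s*$"), "detached background launch"),
]


def scan_shell_rc(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for each rc-file line matching a
    persistence pattern; a clean ~/.bashrc yields an empty list."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, reason in RC_PATTERNS:
            if pattern.search(line):
                findings.append((n, reason, line.strip()))
    return findings


def collect_live() -> List[Proc]:
    """Snapshot /proc on this host. Run as root: for other users' processes
    readlink(/proc/<pid>/exe) fails, which would make them look like kthreads."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            comm, ppid = fields["Name"].strip(), int(fields["PPid"])
        except (OSError, KeyError, ValueError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed sample data standing in for a compromised developer workstation.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None),
    Proc(15, 2, "kworker/0:1", None),                     # genuine kernel thread
    Proc(900, 1, "sshd", "/usr/sbin/sshd"),
    Proc(4242, 1, "kworker/u8:3", "/dev/shm/.x/qlnx"),    # userland, named like a kthread
    Proc(4300, 4242, "[rcu_sched]", "/usr/bin/python3"),  # bracketed name set via argv
]
SAMPLE_LD_PRELOAD = "/usr/local/lib/.libsyst.so\n"
SAMPLE_BASHRC = """# ~/.bashrc
export PATH=$HOME/bin:$PATH
export LD_PRELOAD=/usr/local/lib/.libsyst.so
nohup /dev/shm/.x/qlnx >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    procs = collect_live() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_fake_kernel_threads(procs):
        print(f"fake kernel thread: pid={p.pid} ppid={p.ppid} comm={p.comm} exe={p.exe}")
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = SAMPLE_LD_PRELOAD
    for path, reason in check_ld_preload(preload):
        print(f"ld.so.preload: {path} ({reason})")
    for n, reason, line in scan_shell_rc(SAMPLE_BASHRC):
        print(f"sample .bashrc:{n}: {reason}: {line}")
```

The kernel-thread test relies on two properties the eBPF component cannot cheaply forge from userland: a genuine kthread is parented by PID 2 and has no executable behind `/proc/<pid>/exe`. The rc-file patterns are deliberately narrow; widen them to your own baseline rather than treating an empty result as a clean host.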

AWS Marketplace Expands Network Firewall Managed Rules

🔒 AWS Network Firewall now supports expanded managed rule groups from AWS Marketplace partners, allowing a rule group to include up to 10 million domain indicators and 1 million IP addresses. Partners including Infoblox, Lumen, and ThreatSTOP are adding protections for high-risk domains, command-and-control blocking, and sanctions compliance. Managed rules from sellers such as Check Point, Fortinet, Rapid7, and Trend Micro provide ready-to-deploy, continuously updated protections and are now available in additional regions.

Europol Disrupts Tycoon2FA Phishing-as-a-Service campaigns

🔒 Europol coordinated an international law enforcement operation that disrupted Tycoon2FA, a prolific phishing-as-a-service platform that used reverse proxies to intercept credentials and session cookies, bypassing MFA and hijacking authenticated sessions. Authorities seized 330 domains and removed control panels and phishing pages across multiple countries, with technical disruption led by Microsoft and support from private partners including Trend Micro and Cloudflare. The action aims to curb tens of millions of monthly phishing messages and protect nearly 100,000 targeted organizations; defenders are urged to revoke active sessions and monitor for unauthorized access.

Trend Micro patches critical Apex One RCE flaws for Windows

⚠️ Trend Micro has released patches for two critical Apex One management console vulnerabilities (CVE-2025-71210 and CVE-2025-71211) that enable path traversal leading to remote code execution on Windows systems. The fixes are included in SaaS updates and Critical Patch Build 14136, which also addresses high-severity agent issues on Windows and macOS. Exploitation requires access to the management console, so externally exposed consoles should apply source restrictions and other access controls. Customers are urged to install updates promptly to reduce risk.

Tesla Infotainment Hacked; 37 Zero-Days at Pwn2Own

🔒 At Pwn2Own Automotive 2026 in Tokyo, researchers demonstrated 37 zero-day vulnerabilities and collected $516,500 in cash awards on the first day. Teams including Synacktiv, Fuzzware.io, PetoWorks, and Team DDOS gained root access on targets such as the Tesla Infotainment System, the Sony XAV-9500ES, multiple EV chargers, and other IVI systems. Vendors have 90 days to issue patches before Trend Micro's Zero Day Initiative publicly discloses the reported flaws.

Evelyn Stealer Targets VS Code Extensions, Harvests Data

⚠️ Trend Micro detailed a campaign using a new information stealer, Evelyn Stealer, that abuses the Visual Studio Code extension ecosystem to harvest developer secrets. Malicious extensions drop a downloader DLL (Lightshot.dll), which launches a staged executable (runtime.exe) that injects the stealer into a legitimate process (grpconv.exe) so it runs only in memory. The malware collects credentials, cookies, crypto wallets, screenshots, Wi-Fi data and system metadata, then exfiltrates compressed archives to an attacker-controlled FTP server.

Eva Chen on Cybersecurity, AI Risks and Business Resilience

🔒 In the CEO Outlook 2026 survey, Trend Micro CEO Eva Chen describes how rapid AI adoption and expanding cloud footprints are transforming the cyberthreat landscape and elevating business risk. She flags rising ransomware, supply-chain exposures and AI-enabled attacks, and urges firms to prioritize automation, XDR and cloud security. Chen also stresses the role of channel partners and talent development in building resilience against increasingly sophisticated threats.

Trend Micro Patches Critical Flaws in Apex Central

πŸ›‘οΈ Trend Micro has released a security update for Apex Central after vulnerability management vendor Tenable identified multiple serious flaws affecting all on-premises builds earlier than 7190. The most severe is a 9.8-rated LoadLibraryEX issue that can allow an unauthenticated attacker to force the server to load and execute an attacker-controlled DLL as SYSTEM. Two additional high-severity, unauthenticated flaws can cause denial-of-service. Trend Micro urges customers to apply build 7190 and review remote access controls immediately.

Trend Micro fixes critical RCE in Apex Central console

🔒 Trend Micro has released a patch for a critical remote code execution vulnerability (CVE-2025-69258) affecting Apex Central on-premises consoles. A LoadLibraryEx weakness could allow an unauthenticated attacker to make MsgReceiver.exe, which listens on TCP port 20001, load a malicious DLL and execute code as SYSTEM without user interaction. Tenable reported the flaw and published technical details and proof-of-concept code. Trend Micro issued Critical Patch Build 7190, which also addresses two related DoS flaws, and urges customers to apply the update and review remote access and perimeter security.

Trend Micro Apex Central RCE CVE-2025-69258 Scores 9.8

🔒 Trend Micro has released patches for on-prem Apex Central for Windows to fix multiple flaws, including a critical remote code execution bug (CVE-2025-69258, CVSS 9.8) that can allow an attacker to have the server load a malicious DLL via LoadLibraryEx. Two additional denial-of-service issues (CVE-2025-69259 and CVE-2025-69260, both CVSS 7.5) were also addressed. Tenable, which reported the vulnerabilities, identifies MsgReceiver.exe (listening on TCP port 20001) as the affected component. Customers should apply the updates and review remote access controls and perimeter defenses.
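All three Apex Central items above come down to two questions an administrator should be able to answer in minutes: is the installed build older than Critical Patch Build 7190, and is the MsgReceiver.exe listener on TCP 20001 bound where anything beyond the management network can reach it? The script below is an added example that answers both from `netstat -ano -p tcp` and `tasklist /fo csv /nh` output; it is not Tenable's proof of concept or Trend Micro's tooling, the command output shown is constructed, and the management-network CIDRs and the default build number are this example's assumptions.

```python
"""Triage an on-prem Apex Central host: unpatched build (< 7190) and exposure
of the MsgReceiver.exe TCP 20001 listener. Added example; the netstat and
tasklist lines are constructed and the management CIDRs are assumptions."""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, List, Tuple

MSGRECEIVER_PORT = 20001
FIXED_BUILD = 7190
ALL_INTERFACES = {"0.0.0.0", "::", "[::]"}


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pids = {}
    for line in text.splitlines():
        parts = [p.strip().strip('"') for p in line.split('","')]
        if len(parts) >= 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids


def parse_listeners(text: str) -> List[Tuple[str, int, int]]:
    """Extract (local address, port, PID) from LISTENING rows of `netstat -ano -p tcp`."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def assess(build: int, netstat_text: str, tasklist_text: str, mgmt_nets: List[str]) -> List[str]:
    """Return one finding per problem; an empty list means patched and scoped."""
    findings = []
    if build < FIXED_BUILD:
        findings.append(f"build {build} is older than Critical Patch Build {FIXED_BUILD}; "
                        f"CVE-2025-69258 is unpatched")
    images = parse_tasklist(tasklist_text)
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    for addr, port, pid in parse_listeners(netstat_text):
        if port != MSGRECEIVER_PORT:
            continue
        image = images.get(pid, "unknown")
        if addr in ALL_INTERFACES:
            findings.append(f"{image} (PID {pid}) listens on {addr}:{port}, reachable on every "
                            f"interface; filter at the host firewall or perimeter")
            continue
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])  # drop IPv6 brackets/zone
        if not any(ip in n for n in nets):
            findings.append(f"{image} (PID {pid}) listens on {addr}:{port}, "
                            f"outside the management network")
    return findings


# Constructed command output for a host that is both unpatched and exposed.
SAMPLE_TASKLIST = '''"MsgReceiver.exe","1880","Services","0","38,204 K"
"svchost.exe","912","Services","0","12,416 K"
'''
SAMPLE_NETSTAT_EXPOSED = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:20001          0.0.0.0:0              LISTENING       1880
  TCP    10.10.5.20:20001       10.10.5.77:51230       ESTABLISHED     1880
"""
# Same host after binding the listener to its management-network address.
SAMPLE_NETSTAT_SCOPED = SAMPLE_NETSTAT_EXPOSED.replace("0.0.0.0:20001", "10.10.5.20:20001")
MGMT_NETS = ["10.10.5.0/24"]  # assumption: the management subnet

if __name__ == "__main__":
    # Build number is supplied by the operator (the console shows it); 7180 is a sample value.
    build = int(sys.argv[1]) if len(sys.argv) > 1 else 7180
    if sys.platform == "win32":
        netstat = subprocess.run(["netstat", "-ano", "-p", "tcp"], capture_output=True, text=True).stdout
        tasklist = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    else:
        netstat, tasklist = SAMPLE_NETSTAT_EXPOSED, SAMPLE_TASKLIST
    for finding in assess(build, netstat, tasklist, MGMT_NETS) or ["no findings"]:
        print(finding)
```

A listener bound to 0.0.0.0 is not automatically reachable from the internet, but it means the only thing standing between CVE-2025-69258 and an unauthenticated attacker is a firewall rule; treat that finding as an action item until the host is on build 7190.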

Fighting AI With AI: Cybersecurity's Inevitable Battle

🤖 Trend Micro's Rachel Jin warns that the rapid evolution of AI is outpacing static security controls and forcing defenders to embrace automation and context-aware defenses. She notes that LLMs update frequently and that attackers leverage that pace to craft tailored phishing, automate tasks and scale operations. Jin stresses that visibility into AI usage, agents and infrastructure is essential and recommends an AI security blueprint to map risk, consolidate tooling and prioritize scarce budgets.

Trend Micro's Digital Twin Enables Full-Scale Simulations

πŸ›‘οΈ In a recent interview Trend Micro COO Kevin Simzer described how a digital twin β€” a virtual replica built from enterprise telemetry β€” lets organizations run safe, comprehensive red-team simulations across real-world topologies. The approach enables what-if analyses, testing of security controls and architectural changes without risk to production systems. Simzer also noted additions like agentic capabilities to automate SIEM integration and Trend's plan to train proprietary AI models from its historical threat data.

Interpol Sentinel: Decrypts Ransomware, 574 Arrests

πŸ” Interpol-led Operation Sentinel, run from October 27 to November 27 across 19 countries, resulted in 574 arrests and the recovery of $3 million tied to business email compromise, extortion, and ransomware. Investigators decrypted six ransomware strains and removed more than 6,000 malicious links. Private-sector partners such as Trend Micro, TRM Labs and Team Cymru supported attribution, takedowns and freezing of proceeds. Multiple country-level seizures and arrests targeted prolific scam infrastructures in West and Central Africa.

Trend Micro: Agentic AI Poised to Power Ransomware

🚨 Trend Micro warns that agentic AI will increasingly automate attacks next year, with state-backed actors leading innovation before cybercriminals adopt the approach. Researchers say agentic systems, which can take autonomous actions, could chain discovery, exploitation and persistence steps, enabling less-skilled operators to run complex intrusions. The firm urges defenders to treat agents as privileged users and apply least privilege, monitoring and assume-breach practices to them.

Trend Micro Unveils Full-Stack AI Security Package

🔒 Trend Micro is previewing the Trend Vision One AI Security Package, a suite due at AWS re:Invent in early December that aims to protect the full AI application stack from development through runtime. The offering combines continuous model scanning with automated AI guardrails and leverages NVIDIA BlueField-3 hardware acceleration. It also assembles tools such as AI Security Blueprint, Risk Insights, cloud and container security, file protection with NetApp support, an agentic SIEM with AWS native logs, and Zero Trust AI access controls.

Qilin Ransomware Uses WSL to Run Linux Encryptors in Windows

πŸ” Qilin ransomware operators have been observed using the Windows Subsystem for Linux (WSL) to execute Linux ELF encryptors on compromised Windows hosts, allowing them to bypass many Windows-focused EDR solutions. Trend Micro and Cisco Talos report attackers enable or install WSL, transfer payloads with WinSCP, and launch the ELF encryptor via Splashtop (SRManager.exe). Affiliates also deploy signed vulnerable drivers and DLL sideloading to disable security tools and escalate privileges, while the encryptor targets VMware ESXi environments.

Agenda (Qilin) weaponizes Linux binaries against Windows

πŸ›‘οΈ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate RMM and file-transfer tools β€” including ScreenConnect, Splashtop, Veeam, and ATERA β€” to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.