Cyble Discovers Cyberattack Using VSCode For Remote Access

Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated campaign that starts with a suspicious .LNK file and uses Visual Studio Code (VSCode) to establish persistence and remote access – and installs the VSCode command line interface (CLI) if VSCode isn’t found on the victim machine. The campaign's script checks whether VSCode is already installed by looking for the directory “%LOCALAPPDATA%\microsoft\VScode.” If the directory isn’t found, the script downloads the VSCode CLI from a Microsoft source: “hxxps://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli[.]zip.” Once downloaded, the archive is extracted and the executable “code.exe” is placed into the “%LOCALAPPDATA%\microsoft\VScode” directory.

This Cyber News was published on thecyberexpress.com. Publication date: Wed, 02 Oct 2024 05:43:05 +0000

Cyber News related to Cyble Discovers Cyberattack Using VSCode For Remote Access

VSCode extensions found downloading early-stage ransomware - It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extensive ...
1 month ago Bleepingcomputer.com
Understanding Each Link of the Cyberattack Impact Chain - It's often difficult to fully appreciate the impact of a successful cyberattack. Other consequences aren't so obvious - from a loss of customer trust and potential business to stolen data that may surface as part of another cyberattack years later. ...
1 year ago Securityboulevard.com
Malicious VSCode extensions infect Windows with cryptominers - Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ...
1 month ago Bleepingcomputer.com
Python-Based Malware Slithers Into Systems via Legit VS Code - "The [threat actor (TA)] leverages a [VS Code] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the ...
7 months ago Darkreading.com Mustang Panda
VSCode extensions with 9 million installs pulled over security risks - Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code. One of the researchers, Amit Assaraf, says ...
2 months ago Bleepingcomputer.com
Microsoft apologizes for removing VSCode extensions used by millions - Microsoft has reinstated the 'Material Theme – Free' and 'Material Theme Icons – Free' extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn't actually malicious. According to Astorino, the ...
1 month ago Bleepingcomputer.com
CVE-2023-46248 - Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the ...
1 year ago
Cyberattack on health services provider impacts 5 Canadian hospitals - A cyberattack on shared service provider TransForm has impacted operations in five hospitals in Ontario, Canada, impacting patient care and causing appointments to be rescheduled. TransForm is a not-for-profit, shared service organization founded by ...
1 year ago Bleepingcomputer.com
Hackers exploit Aiohttp bug to find vulnerable networks - The ransomware actor 'ShadowSyndicate' was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. Aiohttp is an open-source library built on top of Python's asynchronous I/O ...
1 year ago Bleepingcomputer.com CVE-2024-23334 Cactus
Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems - U.S. mortgage lending giant Mr. Cooper was breached in a cyberattack that caused the company to shut down IT systems, including access to their online payment portal. Mr. Cooper is a mortgage lending company based out of Dallas, Texas, that employs ...
1 year ago Bleepingcomputer.com
Aiohttp Vulnerability in Attacker Crosshairs - Hackers are apparently attempting to exploit a recently patched Aiohttp vulnerability that could impact thousands of servers worldwide, according to threat intelligence firm Cyble. Aiohttp is an open source asynchronous HTTP client/server framework ...
1 year ago Securityweek.com CVE-2024-23334 Cactus
Memorial University recovers from cyberattack, delays semester start - The Memorial University of Newfoundland continues to deal with the effects of a cyberattack that occurred in late December and postponed the start of classes in one campus. MUN is the largest public university in Atlantic Canada, with an academic and ...
1 year ago Bleepingcomputer.com Dragonforce
Nissan is investigating cyberattack and potential data breach - Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information. Details of the attack have not been published but the company informed customers ...
1 year ago Bleepingcomputer.com
Hackers Turned Visual Studio Code As A Remote Access Tool - After successfully intercepting the exfiltrated data the threat actors exploit unauthorized access through GitHub’s authentication system by navigating to “hxxps://github[.]com/login/device” and utilizing stolen alphanumeric ...
7 months ago Cybersecuritynews.com
US mortgage lender loanDepot confirms ransomware attack - Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption. LoanDepot is a major nonbank mortgage lender in the United States, with over $140 billion in ...
1 year ago Bleepingcomputer.com Akira
Guardians of Finance: loanDepot Confronts Alleged Ransomware Offensive - Among the leading lenders in the United States, loanDepot has confirmed that the cyber incident it announced over the weekend was a ransomware attack that encrypted data. In the United States, LoanDepot is one of the biggest nonbank mortgage lenders. ...
1 year ago Cysecurity.news
CVE-2022-35975 - The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using ...
2 years ago
Long Beach, California turns off IT systems after cyberattack - The Californian City of Long Beach is warning that they suffered a cyberattack on Tuesday that has led them to shut down portions of their IT network to prevent the attack's spread. Long Beach is the home to approximately 460,000 people and is the ...
1 year ago Bleepingcomputer.com
Ace Hardware says 1,202 devices were hit during cyberattack - Ace Hardware confirmed that a cyberattack is preventing local stores and customers from placing orders as the company works to restore 196 servers. Ace Hardware is a hardware store retailer-owned cooperative that operates 17 distribution centers and ...
1 year ago Bleepingcomputer.com LockBit
CVE-2021-21415 - Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS ...
2 years ago
Health Care Network in Crisis: Cyberattack Shuts Down Operations Across US - In a statement released Thursday evening by Ascension Hospital, a nonprofit network based in St. Louis with 140 hospitals across 19 states, it was also reported that electronic health records, some phone systems, as well as several systems used to ...
11 months ago Cysecurity.news Black Basta
CVE-2024-56083 - Cognition Devin before 2024-12-12 provides write access to code by an attacker who discovers the https://vscode-randomly_generated_string.devinapps.com URL (aka the VSCode live share URL) for a specific "Use Devin's Machine" session. For example, ...
4 months ago Tenable.com
Protecting credentials against social engineering: Cyberattack Series - Our story begins with a customer whose help desk unwittingly assisted a threat actor posing as a credentialed employee. In this fourth report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a ...
1 year ago Microsoft.com
American Family Insurance confirms cyberattack is behind IT outages - Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week. American Family Insurance is an insurance company focusing on commercial and ...
1 year ago Bleepingcomputer.com