HOT NEWS 2024 JULY January(137) February(207) March(430) April(317) May(278) June(237) July(216) August(316) September(186) October(24) November(114) December(126) | HOT NEWS 2026 HOT NEWS 2025 HOT NEWS 2024
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
|
29.7.24 |
The threat actor known as Hive0137 has been leveraging Large Language Models (LLM) in their recent attacks. LLM is a form of generative AI designed to understand and generate human-like text. The Hive0137 group is known for their malware distribution attacks that often lead to ransomware infections. |
AI |
||
|
29.7.24 |
CVE-2024-40348 is a recently disclosed directory traversal vulnerability affecting Bazaar (version 1.4.3) which is an open source version control software. Successful exploitation of the flaw might allow unauthenticated attackers to perform directory traversal on the vulnerable system, leading to unauthorized access to system directories and sensitive files. |
|||
|
29.7.24 |
Scammers exploit Hamster Kombat’s popularity with malicious farm bot tools |
With the rise in popularity of the Telegram clicker game Hamster Kombat, scamsters are increasingly targeting players. Enthusiasts are attracted by the promise of significant rewards linked to the introduction of a new cryptocoin by the game's creators. |
||
|
29.7.24 |
A ransomware actor calling themselves OceanCorp has been observed in the wild targeting single machines. At this time, according to their ransom note (OceanCorp.txt), this actor does not perform double-extortion tactics, meaning they do not threaten to leak or sell data. |
|||
|
29.7.24 |
Vietnam campaign: Android Spyware Masquerades as Techcombank |
Groups and individuals around the world have been using SpyNote, a popular Android remote access trojan, for the past few years, and its prevalence shows no signs of decreasing. E-crime and targeted campaigns against both enterprises and consumers are observed on a daily basis. |
||
|
29.7.24 |
“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails |
Phishing |
||
|
29.7.24 |
Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT |
RAT |
||
|
28.7.24 |
Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules. |
RAT |
||
|
28.7.24 |
Lost in the Fog: A New Ransomware Threat |
RANSOMWARE |
||
|
28.7.24 |
ShadowRoot Ransomware Targeting Turkish Businesses |
RANSOMWARE |
||
|
28.7.24 |
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks |
GROUP |
||
|
28.7.24 |
PKfailJuly 2024 Research Report |
REPORT |
||
|
28.7.24 |
New PlugX campaigns utilising Steam |
CAMPAIGN |
||
|
28.7.24 |
Unplugging PlugX: Sinkholing the PlugX USB worm botnet |
BOTNET |
||
|
27.7.24 |
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure |
Stealer |
||
|
27.7.24 |
Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure |
Stealer |
||
|
27.7.24 |
GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware |
AI |
||
|
27.7.24 |
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65): |
SANS |
||
|
27.7.24 |
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65): |
Stealer |
||
|
27.7.24 |
Threat Actor uses MSHTML flaw to distribute Atlantida InfoStealer |
A malware campaign conducted by the threat actor known as Void Banshee, which distributes the Atlantida InfoStealer, has been reported. The attack exploits CVE-2024-38112, an MSHTML vulnerability, by abusing .URL files to execute through disabled Internet Explorer. |
||
|
27.7.24 |
SeleniumGreed is a recently disclosed cryptomining operation observed in the wild. The campaign targets exposed versions of Selenium Grid which is a component in Selenium open-source automation framework used for testing web applications. |
|||
|
27.7.24 |
Zilla is the latest Crysis/Dharma ransomware observed in the threat landscape. The malware encrypts user data and appends .ZILLA extension to the encrypted files. Alongside this custom extension, also a unique ID and the email address of the threat actors is added. |
|||
|
27.7.24 |
Phishing campaign targeted at users in India attributed to the Smishing Triad group |
Fortinet researchers reported on a recent phishing operation targeting mobile users in India. The attack has been attributed to a threat group known as the Smishing Triad, known previously to be targeting various countries across the world with similar smishing runs. |
||
|
27.7.24 |
Continuous espionage activities attributed to the Stonefly APT |
Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul). |
||
|
27.7.24 |
Malware campaign exploits SEO poisoning to target W2 Form seekers |
A malware campaign has been reported targeting users searching for W2 forms through SEO poisoning techniques. Victims are redirected to spoofed IRS websites, where they are lured into downloading a masqueraded JS file disguised as a W2 form. |
||
|
27.7.24 |
Russian-linked malware campaign targeting Indian political entities |
A malware campaign believed to be orchestrated by a Russian-linked threat actor is reportedly targeting entities interested in Indian political affairs. Victims are lured with .LNK files disguised as genuine office documents. |
||
|
27.7.24 |
Handala Hack: What We Know About the Rising Threat Actor |
GROUP |
||
|
27.7.24 |
CrowdStrike’s Falcon agent caused downtime for millions of computers across the globe beginning July 19. This event caused panic and chaos, which threat actors quickly latch on to gain an edge over defenders. |
Wipper |
||
|
27.7.24 |
Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. |
GROUP |
||
|
27.7.24 |
langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py. |
CVE |
||
|
27.7.24 |
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. |
CVE |
||
|
26.7.24 |
Another ransomware group that employs double-extortion tactics has been making the rounds in the already crowded ransomware threat landscape. Calling themselves RADAR, the group compromises machines, encrypts the files, and appends them with a .[random8characters] extension. |
|||
|
26.7.24 |
Smishing in Japan – Utilities, financial services and shipping top lures |
Smishing, or SMS phishing, is increasingly becoming a favored tactic for cybercriminals due to the widespread use of mobile devices and generally high open rates of SMS messages compared to emails. |
||
|
26.7.24 |
Atlantida Stealer among the malware variants spread by Stargazer Goblin threat group |
Atlantida Stealer has been determined as one of several malware payloads spread recently in a malware distribution campaign attributed to the threat actor known as Stargazer Goblin. Other payloads spread via this malware delivery service dubbed as Stargazers Ghost Network included RedLine, Lumma Stealer, Rhadamanthys and RisePro. |
||
|
26.7.24 |
There has been a rise in cyber attacks using Large Language Models (LLMs) to generate malicious code. Symantec's Team has observed phishing campaigns where LLM-generated scripts download harmful payloads like Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). |
AI |
||
|
26.7.24 |
There was a recent surge in activity from the group called UAC-0057 (aka GhostWriter). In this campaign, attackers are distributing Word documents that are macro-enabled with the intention of launching a malware loader known as PicassoLoader. This malicious loader is capable of deploying a Cobalt Strike Beacon onto the victim's machine. |
|||
|
26.7.24 |
ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions |
CVE |
||
|
26.7.24 |
APT45: North Korea’s Digital Military Machine |
APT |
||
|
26.7.24 |
In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. |
CVE |
||
|
26.7.24 |
Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins |
CVE |
||
|
26.7.24 |
(CVSS score: 7.5) - Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure |
VULNEREBILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition. |
VULNEREBILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing |
VULNEREBILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients |
VULNEREBILITY |
||
|
25.7.24 |
Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android |
Social site |
||
|
25.7.24 |
The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell |
GROUP |
||
|
25.7.24 |
Remediation and Guidance Hub: Falcon Content Update for Windows Hosts |
INCIDENT |
||
|
25.7.24 |
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed |
CVE |
||
|
25.7.24 |
ACR Stealer is an information stealer advertised by a threat actor operating under the pseudonym SheldIO, on Russian-speaking cybercrime forums. It is sold as a Malware-as-a-Service (MaaS) since March 2024. |
Stealer |
||
|
25.7.24 |
As recently reported by researchers from Trend Micro, a new Linux variant of the infamous Play ransomware has been observed to target the ESXi servers. Prior to execution, the malware runs checks to confirm that it is running within an ESXi environment. Play ransomware will also attempt to power off all running ESXi virtual machines before proceeding with the encryption process. |
|||
|
25.7.24 |
A new variant of LummaC2 has been observed exploiting the 'Steam' gaming platform. This variant now obtains dynamic C2 domains on demand, a departure from its previous technique of embedding C2 details within the sample itself. The malware stores a Steam URL, specifically a Steam account profile page, as executable code. |
|||
|
25.7.24 |
A new variant of the .NET-based Jellyfish Loader malware has been found in the wild. The malware has been reported as being distributed via a malicious .LNK file execution. |
|||
|
25.7.24 |
CVE-2024-4879 - ServiceNow Jelly Template Injection vulnerability |
CVE-2024-4879 is a recently disclosed critical template injection vulnerability (CVSS score 9.3) affecting ServiceNow, which is a popular platform for digital business transformation. Successful exploitation of the flaw might allow the unauthenticated remote attackers to gain access and execute arbitrary code within the context of the Now Platform. |
||
|
25.7.24 |
BianLian is a ransomware threat actor that has been active since mid-2022, specifically targeting the infrastructure sector in the US and Australia. As part of its attack vector, the threat actor typically exploits RDP credentials acquired through third parties or phishing to gain initial access. |
|||
|
25.7.24 |
Threat actors continue to exploit CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen that was reported and patched in February 2024. |
|||
|
25.7.24 |
Keylogging is a pretty common feature of many malware families because recording the key pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. |
SANS |
||
|
25.7.24 |
Microsoft Internet Explorer Use-After-Free Vulnerability |
CVE |
||
|
25.7.24 |
Twilio Authy Information Disclosure Vulnerability |
CVE |
||
|
24.7.24 |
Following the recent outage which affected computers running Microsoft operating systems across the globe, attackers are continuously exploiting the incident to lure users into accessing malicious links or launching malware-laden files. A new attack linked to this incident has been discovered involving a Word document containing macros that execute and download an unidentified stealer dubbed Daolpu. |
|||
|
24.7.24 |
Phishing is an all-too-common type of social engineering attack that attempts to steal user data by sending fraudulent communications, usually via email or SMS, which appear to come from a legitimate source. Phishing is predominantly employed at the first stage in a malware attack, whether the ultimate objective is reconnaissance or compromise. |
|||
|
24.7.24 |
Braodo: A new Python-based Infostealer in the cyber threat landscape |
A new infostealer, named Braodo, has been observed circulating in the ever-evolving threat landscape. It is distributed through an archive file that includes a BAT file. When executed, this BAT file connects to GitHub to download a secondary BAT file and a ZIP archive containing the final Braodo infostealer payload. |
||
|
24.7.24 |
The Daggerfly (aka Evasive Panda, Bronze Highland) threat group, which has been active for at least a decade, has made some significant updates to their toolset. Symantec’s Threat Hunter Team has published a report providing details regarding Daggerfly tools such as the modular malware framework MgBot, Macma, a modular macOS backdoor, and a recently observed multi-stage backdoor identified as Suzafk. |
|||
|
24.7.24 |
Threat Actor FIN7 (also tracked under the names Carbon Spider, the Carbanak Group, and Sangria Tempest) is known for its proficiency in sophisticated campaigns and engineering attacks to gain initial access to corporate networks. |
|||
|
24.7.24 |
New variants of BlackSuit ransomware have been observed in the wild, employing deceptive tactics to evade detection. Recently, they masqueraded as fake Qihoo 360 antivirus installers to deceive victims. Once installed, the malware encrypts user files and appends the .blacksuit extension. |
|||
|
24.7.24 |
A new strain of ransomware dubbed CyberVolk has been reported. This ransomware is written in C/C++ and features a unique encryption algorithm developed entirely by the group behind the malware. |
|||
|
24.7.24 |
Researchers at Palo Alto Networks have provided an analysis of the RA World Ransomware group. This group has been active since 2023 and has targeted victims worldwide across multiple industries. |
|||
|
24.7.24 |
In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
|||
|
24.7.24 |
FakeApp Campaign: South Korea's Financial Institutions' Mobile Users Targeted |
In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
||
|
24.7.24 |
Recently the APT group Seedworm has been observed deploying a previously undocumented backdoor named Bugsleep, primarily via a phishing campaign with PDFs containing malicious links targeting organizations in the Middle East. Once deployed this new backdoor allows attackers to execute remote commands and exfiltrate files to the C&C server. |
|||
|
24.7.24 |
Tag-100: Emerging threat actor exploiting appliance vulnerabilities |
A new threat actor, dubbed Tag-100, has been reported targeting government and private sector entities worldwide. This threat actor exploits vulnerabilities in appliances to initiate its attacks and has been observed exploiting known vulnerabilities in appliances such as Citrix NetScaler. |
||
|
24.7.24 |
Copybara is a banking Trojan affecting Android mobile devices and has been observed targeting users in Italy. Threat actors use previously obtained contact details and portray themselves as bank employees to socially engineer victims into downloading the malicious application by way of SMS phishing and voice phishing, also known as smishing and vishing respectively. |
|||
|
24.7.24 |
NullBulge exploiting code repositories in AI and Gaming Sectors |
n response to the threat actors exploiting security vulnerabilities in AI and gaming-focused entities, a new group dubbed NullBulge has been reported. |
AI |
|
|
24.7.24 |
A recent report has revealed that the National Health Insurance Fund (NEAK) based in Hungary was targeted by attackers who aimed to deploy Lokibot malware. |
|||
|
24.7.24 |
Over the past few weeks, multiple campaigns have been reported, carried out by the China-linked APT group Grayfly also known as APT41. |
|||
|
24.7.24 |
New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) |
In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, %%CVE:2024-3273%% was exploited soon after it became public. Many of the affected devices are no longer supported. |
SANS |
|
|
24.7.24 |
New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) |
CVE |
||
|
24.7.24 |
Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma |
macOS |
||
|
24.7.24 |
A secret Disinformation Campaign targetingU.S.Congress and Taxpayers conductedbyU.S.Government agencies |
REPORT |
||
|
24.7.24 |
Daggerfly: Espionage Group Makes Major Update to Toolset |
Espionage |
||
|
24.7.24 |
When it comes to website security, sometimes the most innocuous features can become powerful tools in the hands of attackers |
Steal Credit Cards |
||
|
24.7.24 |
Impact of FrostyGoop ICS Malware on Connected OT Systems |
ICS |
||
|
23.7.24 |
This groundbreaking report
unveils the discovery of a technology suite and its connection to |
PAPERS |
||
|
23.7.24 |
GAMBLING IS NO GAME: DNS LINKS BETWEEN CHINESE ORGANIZED CRIME AND SPORTS SPONSORSHIPS |
GROUP |
||
|
23.7.24 |
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. |
HACKING |
||
|
23.7.24 |
Fake Browser Updates Lead to BOINC Volunteer Computing Software |
Malware |
||
|
23.7.24 |
Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma |
Ransomware |
||
|
20.7.24 |
WHY THE PRC FAILS TO BACK ITS CLAIMS OF WESTERN ESPIONAGE |
REPORT |
||
|
20.7.24 |
‘AuKill’ EDR killer malware abuses Process Explorer driver |
Tool |
||
|
20.7.24 |
BugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the compromised machine and the C&C server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs. |
Backdoor |
||
|
19.7.24 |
A new variant of the BeaverTail malware has been reported, distributed via a macOS DMG file that mimics the legitimate video call service MiroTalk. This campaign is linked to North Korean hackers targeting job seekers. The updated malware is a native Mach-O executable capable of stealing sensitive data from web browsers and cryptocurrency wallets. |
|||
|
19.7.24 |
APT17 Campaign: New variants of 9002 RAT targeting Italian government entities |
A malware campaign by the APT17 group has been reported, distributing newer variants of 9002 RAT. The campaign specifically targets government entities and Italian companies. Users are lured with a link to a masqueraded Italian government domain, purportedly to download a Skype installer. |
||
|
19.7.24 |
A recent phishing campaign was observed by researchers targeting Ukrainian defense enterprises on the topic of Unmanned Aerial Vehicle (UAV) purchasing. The distributed email includes a ZIP attachment with a PDF file containing a malicious link. |
|||
|
19.7.24 |
RDPWrapper and Tailscale leveraged in recent malspam campaign |
Researchers have uncovered a multi-stage cyberattack campaign starting with a malicious zip file containing a .lnk shortcut file that was likely spread via phishing emails. Upon execution, the .lnk file downloads a PowerShell script enabling threat actors access via RDP. |
||
|
19.7.24 |
Threat researchers have identified a new ransomware called ShadowRoot which targets businesses in Turkey. The attack starts with a PDF attachment sent via suspicious emails from the "internet[.]ru" domain. If a user clicks on the embedded links within the PDF, it triggers the download of an executable payload that proceeds to encrypt files. Encrypted files have their extensions changed to ".shadowroot". |
|||
|
19.7.24 |
Symantec has observed a phishing malware campaign targeting government entities in Ukraine. Based on the attack vector and behavior, Symantec believes UNC4814, a suspected Russian threat actor, is responsible for the campaign. The threat actor initiates attacks by sending phishing emails with HTA files attached, masquerading as bills and payment notifications. |
|||
|
19.7.24 |
Zero-Day Exploit: Malicious .url Files Leveraging CVE-2024-38112 on Windows |
An ongoing campaign targeting Windows users has been observed. Threat actors distribute phishing emails containing Windows Internet Shortcut files with a .url extension. |
||
|
19.7.24 |
Solarwinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Directory Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Traversal and Information Disclosure Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability |
CVE |
||
|
19.7.24 |
We have released our Snowflake threat hunting guide, which contains guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances. |
REPORT |
||
|
19.7.24 |
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion |
GROUP |
||
|
19.7.24 |
APT41 Has Arisen From the DUST |
APT |
||
|
19.7.24 |
A Comprehensive Look at the Updated Infection Chain of Ghost Emperor’s Demodex Rootkit. |
Rootkit |
||
|
19.7.24 |
APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. |
Shell |
||
|
19.7.24 |
OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen |
Mobil App |
||
|
19.7.24 |
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. |
INCIDENT |
||
|
18.7.24 |
A tool used in Qilin ransomware attacks known as "Killer Ultra" was recently uncovered by researchers. |
|||
|
18.7.24 |
A new stealer malware dubbed Noxious Stealer was recently identified by researchers. |
|||
|
18.7.24 |
Specially crafted HTML files allow for abuse of Windows search |
Attackers have been recently observed abusing Windows search in order to redirect users to malware. |
||
|
18.7.24 |
Improperly configured Jenkins Script Console instances (such as Jenkins Groovy plugin) have been weaponized by attackers leading to criminal activities such as the deployment of cryptocurrency miners, and backdoors to gather sensitive information. |
|||
|
18.7.24 |
Afrihost is a South African Internet Service Provider (ISP) that offers services such as ADSL broadband, wireless, mobile services, and web hosting. |
|||
|
18.7.24 |
CVE-2024-36401 (CVSS score: 9.8) is a vulnerability in OSGeo GeoServer GeoTools, with evidence of active exploitation. |
|||
|
18.7.24 |
Threat researchers discovered malware disguised as cracked versions of MS Office. |
|||
|
18.7.24 |
BadPack is a method observed in malware which targets Android mobile devices. |
|||
|
18.7.24 |
HotPage: Story of a signed, vulnerable, ad-injecting driver |
Adware |
||
|
18.7.24 |
SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts |
AI |
||
|
18.7.24 |
TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies |
GROUP |
||
|
18.7.24 |
(CVSS score: 9.8) - Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability |
CVE |
||
|
18.7.24 |
(CVSS score: 8.6) - SolarWinds Serv-U Path Traversal Vulnerability |
CVE |
||
|
18.7.24 |
(CVSS score: 6.5) - VMware vCenter Server Incorrect Default File Permissions Vulnerability |
CVE |
||
|
18.7.24 |
North Korean Hackers Update BeaverTail Malware to Target MacOS Users |
Stealer |
||
|
17.7.24 |
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue. |
CVE |
||
|
17.7.24 |
Italian government agencies and companies in the target of a Chinese APT |
APT |
||
|
17.7.24 |
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks |
APT |
||
|
16.7.24 |
Threat researchers have identified Quasar RAT malware being distributed via a private Home Trading System (HTS), a tool that allows investors to trade from their own PCs. However, the HTS (aka HPlus) used in these attacks is unsearchable and its provider remains unknown. |
|||
|
16.7.24 |
An ongoing campaign has revealed a stealer malware initially distributed through Word documents. This malware infects computers, retrieves the device’s IP address, and subsequently sends the user’s browser information to a dedicated command-and-control (C2) server operated by the attackers, with the data customized for different countries. |
|||
|
16.7.24 |
CVE-2024-36991 - Path Traversal vulnerability in Splunk Enterprise |
CVE-2024-36991 (CVSS: 7.5 High) is a path traversal vulnerability in Splunk Enterprise, a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data, helping organizations derive insights from this data. |
||
|
16.7.24 |
NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS |
Backdoor |
||
|
16.7.24 |
MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign |
GROUP |
||
|
16.7.24 |
CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks |
GROUP |
||
|
16.7.24 |
OSGeo GeoServer GeoTools Eval Injection Vulnerability |
CVE |
||
|
15.7.24 |
How SYS01 Stealer Will Get Your Sensitive Facebook Info |
Stealer |
||
|
15.7.24 |
Since early 2024, an ongoing phishing campaign has been targeting Spanish speakers, distributing a new remote access trojan (RAT) known as Poco RAT. |
|||
|
15.7.24 |
Since February 2024, researchers have been tracking the evolving threat actor CRYSTALRAY. The group was observed to leverage the use of a network mapping tool called SSH-Snake, a self-modifying worm malware which exploits compromised SSH credentials to spread through networks. |
|||
|
15.7.24 |
In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. |
RANSOMWARE |
||
|
14.7.24 |
CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools |
GROUP |
||
|
13.7.24 |
The core of the RADIUS protocol predates modern secure cryptographic design. Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5. In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks. |
PAPERS |
||
|
13.7.24 |
Blast-RADIUS, an authentication bypass in the widely used RADIUS/UDP protocol, enables threat actors to breach networks and devices in man-in-the-middle MD5 collision attacks. |
PROTOCOL |
||
|
13.7.24 |
||||
|
13.7.24 |
||||
|
13.7.24 |
||||
|
13.7.24 |
||||
|
13.7.24 |
||||
|
13.7.24 |
||||
|
13.7.24 |
Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated) |
|||
|
13.7.24 |
Poultry Farm Management System v1.0 - Remote Code Execution (RCE) |
|||
|
13.7.24 |
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers |
INCIDENT |
||
|
13.7.24 |
DarkGate: Dancing the Samba With Alluring Excel Files |
RAT |
||
|
13.7.24 |
Use-after-free vulnerability in lighttpd version 1.4.50 and earlier |
A use-after-free vulnerability in lighttpd in versions 1.4.50 and earlier permits a remote, unauthenticated attacker to trigger lighttpd to read from invalid pointers in memory. The attacker can use crafted HTTP Requests to crash the web server and/or leak memory in order to access sensitive data. |
ALERT |
|
|
13.7.24 |
A vulnerability in the RADIUS protocol allows an attacker allows an attacker to forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This vulnerability results from a cryptographically insecure integrity check when validating authentication responses from a RADIUS server. |
ALERT |
||
|
12.7.24 |
2024-06-25 - Latrodectus infection with BackConnect and Keyhole VNC |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
|
|
12.7.24 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
||
|
12.7.24 |
2024-06-17 - Google ad --> fake unclaimed funds site --> Matanbuchus with Danabot |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
|
|
12.7.24 |
OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials. |
|||
|
12.7.24 |
Vultur Campaign: Clothing Retailer Brand Abused in Fake App Scheme |
Brands of all genres are constantly abused by cybercriminals to target specific demographics, and financial institutions are usually the ones most impersonated. |
||
|
12.7.24 |
Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku. |
|||
|
12.7.24 |
Tax-Themed Android Malware Targeting Uzbekistan Mobile Users |
Taxes have been and continue to be prevalently used in social engineering tactics around the world to trick users (both consumers and enterprises) into deploying malware on their machines, entangling themselves in BEC scams, inputting sensitive data into phishing websites, and more. |
||
|
12.7.24 |
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users. |
CVE |
||
|
12.7.24 |
This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile. |
CVE |
||
|
12.7.24 |
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. |
CVE |
||
|
11.7.24 |
Despite group disruptions, ransomware activity not decreasing |
In a newly released report, Symantec’s Threat Hunter Team shares insight into observed ransomware activity. The data shows that despite disruptions affecting Lockbit and Noberus groups and a downward trend between the last quarter of 2023 and the first quarter of 2024, activity is still on the rise. |
||
|
11.7.24 |
ViperSoftX: Evolving tactics from Torrent software lures to eBook disguises |
ViperSoftX is an infostealer that continues to evolve and enhance its tactics and techniques. Initially, attackers leveraged pirated versions of popular software to lure users, often distributed through torrent sites. |
||
|
11.7.24 |
GuardZoo: Android spyware targeting middle eastern defense entities |
An Android spyware dubbed GuardZoo has been observed targeting defense entities in the Middle East. It is believed to be associated with the Houthi rebel faction in Yemen. |
||
|
11.7.24 |
Symantec is aware of a remote code execution vulnerability (CVE-2024-29510) in the "Ghostscript" document conversion toolkit used on Linux systems. |
|||
|
11.7.24 |
The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. |
Anti-ransom |
||
|
11.7.24 |
GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 |
CVE |
||
|
11.7.24 |
Patch or Peril: A Veeam vulnerability incident |
INCIDENT |
||
|
11.7.24 |
DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1 |
Loader |
||
|
11.7.24 |
New Malware Campaign Targeting Spanish Language Victims |
RAT |
||
|
10.7.24 |
Water Sigbin exploits vulnerabilities to deliver cryptocurrency miner |
The threat actor Water Sigbin (aka 8220 Gang) has exploited vulnerabilities in the Oracle WebLogic Server ( CVE-2017-3506 and CVE-2023-21839) to deliver a cryptocurrency miner called XMRing to the compromised systems. |
||
|
10.7.24 |
In this bulletin however we'll talk about sideloading as it relates to the cybersecurity field. MITRE defines sideloading attacks in T1574.002 as a type of (search order) Hijack Execution Flow, which exploits the way Windows applications load DLLs. |
|||
|
10.7.24 |
Microsoft Office Remote Code Execution Vulnerability |
CVE |
||
|
10.7.24 |
Windows Hyper-V Elevation of Privilege Vulnerability |
CVE |
||
|
10.7.24 |
Windows MSHTML Platform Spoofing Vulnerability |
CVE |
||
|
10.7.24 |
.NET and Visual Studio Remote Code Execution Vulnerability |
CVE |
||
|
10.7.24 |
Huione Guarantee: The multi-billion dollar marketplace used by online scammers |
SPAM |
||
|
10.7.24 |
The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution |
Malware |
||
|
10.7.24 |
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling |
CVE |
||
|
9.7.24 |
A recent report by (CTA) member Rapid7 has recently disclosed that popular sticky-note app 'Notezilla' installers have been trojanized in order to deliver malware. |
|||
|
9.7.24 |
In early 2024, threat researchers exposed the DarkGate campaign, exploiting CVE-2024-21412 via fake software installers. Afterwards, the APT group Water Hydra used the same vulnerability to target financial traders with the DarkMe RAT, bypassing SmartScreen. |
|||
|
9.7.24 |
RADIUS is almost thirty years old, and uses cryptography based on MD5. Given that MD5 has been broken for over a decade, what are the implications for RADIUS? Why is RADIUS still using MD5? |
Protocol |
||
|
9.7.24 |
Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective |
CRYPTOCURRENCY |
||
|
9.7.24 |
Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries |
Android |
||
|
9.7.24 |
People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action |
APT |
||
|
8.7.24 |
Caught in the Net: Using Infostealer |
In this proof-of-concept (PoC) report, we used Recorded Future Identity Intelligence’s vast trove of information stealer (“infostealer”) malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and arrive at geographic and behavioral trends for the most popular sources |
PAPERS |
|
|
8.7.24 |
Eldorado Ransomware: The New Golden Empire of Cybercrime? |
RANSOM |
||
|
8.7.24 |
StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe |
Stealer |
||
|
8.7.24 |
Satanstealer is a new open source infostealing malware shared on GitHub. The malware collects and exfiltrates various types of information such as browser cookies, passwords, registered phone numbers, and email client details. |
Stealer |
||
|
8.7.24 |
‘Poseidon’ Mac stealer distributed via Google ads |
Stealer |
||
|
8.7.24 |
0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID. |
Stealer |
||
|
8.7.24 |
A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection. |
Stealer |
||
|
8.7.24 |
Kematian-Stealer : A Deep Dive into a New Information Stealer |
Stealer |
||
|
8.7.24 |
CloudSorcerer – A new APT targeting Russian government entities |
APT |
||
|
8.7.24 |
A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation. |
|||
|
8.7.24 |
Beware of Orcinius trojan's multi-stage attack via Dropbox and Google docs |
Beware of the Orcinius trojan malware! It's a multi-stage trojan reported to utilize Dropbox and Google Docs as part of its attack vector for downloading secondary payloads. |
||
|
8.7.24 |
A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection. |
|||
|
8.7.24 |
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows deletion of internal files. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows argument injection during the previewing of changes. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
CVE |
||
|
8.7.24 |
Mekotio Banking Trojan Threatens Financial Systems in Latin America |
Banking |
||
|
5.7.24 |
Mekotio is a banking trojan active in the threat landscape since at least 2015 and targeting predominantly the Latin America region. |
|||
|
5.7.24 |
Nigeria features a vibrant religious landscape with multiple different faiths shaping the country. |
|||
|
5.7.24 |
Fake sex tapes remain a common social engineering lure used by malware actors due to their ability to evoke strong emotions potentially resulting in impulsive actions. |
|||
|
5.7.24 |
CVE-2024-37051 is a recently disclosed critical vulnerability impacting Jetbrains IntelliJ integrated development environment (IDE) apps. |
|||
|
5.7.24 |
LukaLocker is a newly seen offering from a ransomware group dubbed Volcano Demon. Recently observed attacks were prefaced by exfiltration of data using harvested credentials. |
|||
|
5.7.24 |
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks |
Loader |
||
|
5.7.24 |
New Threat: A Deep Dive Into the Zergeca Botnet |
BOTNET |
||
|
5.7.24 |
PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution |
ICS |
||
|
5.7.24 |
PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure |
ICS |
||
|
4.7.24 |
Former reports detailed how AsyncRAT malware is usually distributed via file extensions such as .chm, .wsf, and .lnk. |
|||
|
4.7.24 |
CosmicSting (CVE-2024-34102) - XXE vulnerability is targeting Adobe Commerce and Magento |
CVE-2024-34102 is a critical (CVSS: 9.8) XML External Entity Reference (XXE) vulnerability in Adobe commerce and Magento, which are popular E-commerce platforms. |
||
|
4.7.24 |
CVE-2024-29849 - Veeam Backup Enterprise Manager authentication bypass vulnerability |
CVE-2024-29849 is a recently disclosed critical authentication bypass vulnerability (CVSS score 9.8) affecting Veeam Backup Enterprise Manager. |
||
|
4.7.24 |
CVE-2024-36104 - Path Traversal vulnerability in Apache OFBiz |
CVE-2024-36104 is a Path traversal vulnerability in Apache OFBiz, which is a comprehensive suite of business applications. |
||
|
4.7.24 |
k4spreader: New malware tool used by '8220' Chinese threat actor group |
A new malware tool known as k4spreader has been observed being used by the '8220' Chinese threat actor group in recent campaigns. |
||
|
4.7.24 |
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems |
Spyware |
||
|
3.7.24 |
A Brief History of SmokeLoader, Part 2 |
Loader |
||
|
3.7.24 |
A Brief History of SmokeLoader, Part 1 |
Loader |
||
|
3.7.24 |
Exposing FakeBat loader: distribution methods and adversary infrastructure |
Loader |
||
|
3.7.24 |
Kimsuky Group's New Backdoor Appears (HappyDoor) |
Backdoor |
||
|
3.7.24 |
Xctdoor Malware Used in Attacks Against Korean Companies (Andariel) |
Backdoor |
||
|
3.7.24 |
Symantec is aware of the "regreSSHion" vulnerability (CVE-2024-6387), which is a critical remote code execution (RCE) flaw in OpenSSH. |
|||
|
3.7.24 |
Protection Highlight: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability |
PHP is a general-purpose server scripting language and a powerful scripting tool for making dynamic and interactive Web pages. |
||
|
3.7.24 |
Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. |
|||
|
3.7.24 |
CVE-2024-31982 is a recently disclosed remote code execution (RCE) vulnerability affecting XWiki, which is a popular open-source and Java-based wiki platform. |
|||
|
2.7.24 |
Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predict |
This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs. |
CPU |
|
|
2.7.24 |
High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor |
introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake). |
CPU |
|
|
2.7.24 |
||||
|
2.7.24 |
||||
|
2.7.24 |
||||
|
2.7.24 |
||||
|
2.7.24 |
Cisco NX-OS Software CLI Command Injection Vulnerability |
CVE |
||
|
2.7.24 |
Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications |
CVE |
||
|
2.7.24 |
Renewed malicious activity associated to the Datebug APT (aka. Transparent Tribe or APT36) has been reported by researchers from Sentinel One |
|||
|
2.7.24 |
Poseidon is a new infostealer variant targeting the macOS platform. The malware is an evolution of the older variant known as RodStealer. |
|||
|
2.7.24 |
MerkSpy malware payload delivered through exploitation of CVE-2021-40444 vulnerability |
Researchers from Fortinet have reported on a new campaign delivering the MerkSpy malware. |
||
|
2.7.24 |
Researchers have reported a new stealer-type malware dubbed Kematian. |
|||
|
2.7.24 |
ZainCash, a comprehensive mobile wallet service licensed under the Central Bank of Iraq, designed to provide a variety of digital financial services, has become one of the latest Fintech brands abused by cybercriminals. |
|||
|
1.7.24 |
CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts |
Android |
||
|
1.7.24 |
Beware of Snowblind: A new Android malware |
Android |
||
|
1.7.24 |
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server |
CVE |
||
|
1.7.24 |
2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) |
CVE |