ALERTS JULY 2024




DATE | NAME | CATEGORY | SUBCATEGORY
INFO

29.7.24 | Hive0137 threat group leverages LLM in recent attacks | ALERTS | AI
The threat actor known as Hive0137 has been leveraging Large Language Models (LLMs) in their recent attacks. LLMs are a form of generative AI designed to understand and generate human-like text. The Hive0137 group is known for malware distribution attacks that often lead to ransomware infections.

29.7.24 | CVE-2024-40348 - Bazaar Directory Traversal vulnerability | ALERTS | VULNERABILITY
CVE-2024-40348 is a recently disclosed directory traversal vulnerability affecting Bazaar (version 1.4.3), an open-source version control system. Successful exploitation of the flaw might allow unauthenticated attackers to perform directory traversal on the vulnerable system, leading to unauthorized access to system directories and sensitive files.

29.7.24 | Scammers exploit Hamster Kombat's popularity with malicious farm bot tools | ALERTS | SPAM
With the rise in popularity of the Telegram clicker game Hamster Kombat, scammers are increasingly targeting players. Enthusiasts are attracted by the promise of significant rewards linked to the introduction of a new cryptocurrency by the game's creators.

29.7.24 | OceanSpy Ransomware | ALERTS | RANSOM
A ransomware actor calling themselves OceanCorp has been observed in the wild targeting single machines. At this time, according to their ransom note (OceanCorp.txt), this actor does not perform double-extortion tactics, meaning they do not threaten to leak or sell data.

29.7.24 | Vietnam campaign: Android Spyware Masquerades as Techcombank | ALERTS | CAMPAIGN
Groups and individuals around the world have been using SpyNote, a popular Android remote access trojan, for the past few years, and its prevalence shows no signs of decreasing. E-crime and targeted campaigns against both enterprises and consumers are observed on a daily basis.

27.7.24 | Threat Actor uses MSHTML flaw to distribute Atlantida InfoStealer | ALERTS | VIRUS
A malware campaign conducted by the threat actor known as Void Banshee, which distributes the Atlantida InfoStealer, has been reported. The attack exploits CVE-2024-38112, an MSHTML vulnerability, by abusing .URL files to execute content through the disabled Internet Explorer engine.

27.7.24 | SeleniumGreed cryptomining operation | ALERTS | CRYPTOCURRENCY
SeleniumGreed is a recently disclosed cryptomining operation observed in the wild. The campaign targets exposed instances of Selenium Grid, a component of the open-source Selenium automation framework used for testing web applications.

27.7.24 | Zilla Ransomware - a recent Crysis variant | ALERTS | RANSOM
Zilla is the latest Crysis/Dharma ransomware variant observed in the threat landscape. The malware encrypts user data and appends the .ZILLA extension to the encrypted files. Alongside this custom extension, a unique ID and the threat actors' email address are also appended.

27.7.24 | Phishing campaign targeted at users in India attributed to the Smishing Triad group | ALERTS | PHISHING
Fortinet researchers reported on a recent phishing operation targeting mobile users in India. The attack has been attributed to a threat group known as the Smishing Triad, previously known to target various countries across the world with similar smishing runs.

27.7.24 | Continuous espionage activities attributed to the Stonefly APT | ALERTS | APT
Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul).

27.7.24 | Malware campaign exploits SEO poisoning to target W2 Form seekers | ALERTS | EXPLOIT
A malware campaign has been reported targeting users searching for W2 forms through SEO poisoning techniques. Victims are redirected to spoofed IRS websites, where they are lured into downloading a JS file disguised as a W2 form.

27.7.24 | Russian-linked malware campaign targeting Indian political entities | ALERTS | VIRUS
A malware campaign believed to be orchestrated by a Russian-linked threat actor is reportedly targeting entities interested in Indian political affairs. Victims are lured with .LNK files disguised as genuine office documents.

26.7.24 | RADAR Ransomware | ALERTS | RANSOM
Another ransomware group that employs double-extortion tactics has been making the rounds in the already crowded ransomware threat landscape. Calling themselves RADAR, the group compromises machines, encrypts files, and appends a .[random8characters] extension to them.

26.7.24 | Smishing in Japan – Utilities, financial services and shipping top lures | ALERTS | SPAM
Smishing, or SMS phishing, is increasingly becoming a favored tactic for cybercriminals due to the widespread use of mobile devices and the generally higher open rates of SMS messages compared to emails. Campaigns continue to proliferate around the world, and in some countries such as Japan they are increasing exponentially, with actors using utilities, financial services, and shipping as top lures.

26.7.24 | Atlantida Stealer among the malware variants spread by Stargazer Goblin threat group | ALERTS | VIRUS
Atlantida Stealer has been identified as one of several malware payloads spread recently in a malware distribution campaign attributed to the threat actor known as Stargazer Goblin. Other payloads spread via this malware delivery service, dubbed Stargazers Ghost Network, included RedLine, Lumma Stealer, Rhadamanthys and RisePro. As reported by researchers from Check Point, the attackers responsible for this operation have been leveraging compromised GitHub repositories and WordPress sites to distribute archives containing the malicious binaries.

26.7.24 | The increasing incidence of threats utilizing AI | ALERTS | AI
There has been a rise in cyber attacks using Large Language Models (LLMs) to generate malicious code. Symantec's team has observed phishing campaigns where LLM-generated scripts download harmful payloads like Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). This highlights the misuse of LLMs in cybercrime.

26.7.24 | PicassoLoader Malware | ALERTS | VIRUS
There was a recent surge in activity from the group called UAC-0057 (aka GhostWriter). In this campaign, attackers are distributing macro-enabled Word documents with the intention of launching a malware loader known as PicassoLoader. This malicious loader is capable of deploying a Cobalt Strike Beacon onto the victim's machine.

25.7.24 | New Linux Play ransomware targets ESXi servers | ALERTS | RANSOM
As recently reported by researchers from Trend Micro, a new Linux variant of the infamous Play ransomware has been observed targeting ESXi servers. Prior to execution, the malware runs checks to confirm that it is running within an ESXi environment. Play ransomware will also attempt to power off all running ESXi virtual machines before proceeding with the encryption process. A .PLAY extension is added to the encrypted files and a ransom note is dropped in the VMs' root directories. Some of the network infrastructure used by this Linux Play variant has been previously observed in attacks attributed to the threat actor known as Prolific Puma.

25.7.24 | LummaC2 variant exploiting Steam for dynamic C2 domains | ALERTS | VIRUS
A new variant of LummaC2 has been observed exploiting the 'Steam' gaming platform. This variant now obtains dynamic C2 domains on demand, a departure from its previous technique of embedding C2 details within the sample itself. The malware stores a Steam URL, specifically a Steam account profile page, within its executable. Upon accessing this page, it parses a specific <tag> to extract a string, which is then decrypted to reveal the C2 domain.

25.7.24 | New variant of the Jellyfish Loader observed in the wild | ALERTS | VIRUS
A new variant of the .NET-based Jellyfish Loader malware has been found in the wild. The malware has been reported as being distributed via malicious .LNK file execution.

25.7.24 | CVE-2024-4879 - ServiceNow Jelly Template Injection vulnerability | ALERTS | VULNERABILITY
CVE-2024-4879 is a recently disclosed critical template injection vulnerability (CVSS score 9.3) affecting ServiceNow, a popular platform for digital business transformation. Successful exploitation of the flaw might allow unauthenticated remote attackers to gain access and execute arbitrary code within the context of the Now Platform. The vulnerability has already been addressed in the patched software versions released by the application vendor.

25.7.24 | BianLian Ransomware changes strategy | ALERTS | RANSOM
BianLian is a ransomware threat actor that has been active since mid-2022, specifically targeting the infrastructure sector in the US and Australia. As part of its attack vector, the threat actor typically exploits RDP credentials acquired through third parties or phishing to gain initial access. They deploy custom malware written in the Go programming language and utilize remote management and access software such as AnyDesk, Atera Agent, TeamViewer, etc., for persistence.

25.7.24 | Threat Actors continue to exploit CVE-2024-21412 | ALERTS | VULNERABILITY
Threat actors continue to exploit CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen that was reported and patched in February 2024.

24.7.24 | Malware-laden Word Document Delivering Daolpu Stealer | ALERTS | VIRUS
Following the recent outage which affected computers running Microsoft operating systems across the globe, attackers continue to exploit the incident to lure users into accessing malicious links or launching malware-laden files. A new attack linked to this incident has been discovered involving a Word document containing macros that execute and download a previously unidentified stealer dubbed Daolpu.

24.7.24 | Protection Highlight: ScriptNN | ALERTS | PHISHING
Phishing is an all-too-common type of social engineering attack that attempts to steal user data by sending fraudulent communications, usually via email or SMS, which appear to come from a legitimate source. Phishing is predominantly employed at the first stage of a malware attack, whether the ultimate objective is reconnaissance or compromise.

24.7.24 | Braodo: A new Python-based Infostealer in the cyber threat landscape | ALERTS | VIRUS
A new infostealer, named Braodo, has been observed circulating in the ever-evolving threat landscape. It is distributed through an archive file that includes a BAT file. When executed, this BAT file connects to GitHub to download a secondary BAT file and a ZIP archive containing the final Braodo infostealer payload.

24.7.24 | Daggerfly group updates their toolset | ALERTS | GROUP
The Daggerfly (aka Evasive Panda, Bronze Highland) threat group, which has been active for at least a decade, has made some significant updates to its toolset. Symantec's Threat Hunter Team has published a report providing details regarding Daggerfly tools such as the modular malware framework MgBot, Macma, a modular macOS backdoor, and a recently observed multi-stage backdoor identified as Suzafk.

24.7.24 | FIN7 has a versatile attack arsenal | ALERTS | GROUP
Threat actor FIN7 (also tracked under the names Carbon Spider, the Carbanak Group, and Sangria Tempest) is known for its proficiency in sophisticated campaigns and for engineering attacks to gain initial access to corporate networks.

24.7.24 | BlackSuit Ransomware poses as fake Antivirus Installer | ALERTS | RANSOM
New variants of BlackSuit ransomware have been observed in the wild, employing deceptive tactics to evade detection. Recently, they masqueraded as fake Qihoo 360 antivirus installers to deceive victims. Once installed, the malware encrypts user files and appends the .blacksuit extension.

24.7.24 | CyberVolk Ransomware | ALERTS | RANSOM
A new strain of ransomware dubbed CyberVolk has been reported. This ransomware is written in C/C++ and features a unique encryption algorithm developed entirely by the group behind the malware.

24.7.24 | RA World Ransomware group | ALERTS | RANSOM
Researchers at Palo Alto Networks have provided an analysis of the RA World Ransomware group. This group has been active since 2023 and has targeted victims worldwide across multiple industries.

24.7.24 | FakeApp Campaign: South Korea's Financial Institutions' Mobile Users Targeted | ALERTS | CAMPAIGN
In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign.

24.7.24 | New backdoor spreading in Seedworm malspam campaign | ALERTS | CAMPAIGN
Recently, the APT group Seedworm has been observed deploying a previously undocumented backdoor named Bugsleep, primarily via a phishing campaign with PDFs containing malicious links targeting organizations in the Middle East. Once deployed, this new backdoor allows attackers to execute remote commands and exfiltrate files to the C&C server.

24.7.24 | Tag-100: Emerging threat actor exploiting appliance vulnerabilities | ALERTS | GROUP
A new threat actor, dubbed Tag-100, has been reported targeting government and private sector entities worldwide. This threat actor exploits vulnerabilities in appliances to initiate its attacks and has been observed exploiting known vulnerabilities in appliances such as Citrix NetScaler.

24.7.24 | Copybara Android malware | ALERTS | VIRUS
Copybara is a banking Trojan affecting Android mobile devices and has been observed targeting users in Italy. Threat actors use previously obtained contact details and portray themselves as bank employees to socially engineer victims into downloading the malicious application by way of SMS phishing and voice phishing, also known as smishing and vishing respectively.

24.7.24 | NullBulge exploiting code repositories in AI and Gaming Sectors | ALERTS | AI
A new group dubbed NullBulge has been reported exploiting security vulnerabilities in AI- and gaming-focused entities.

24.7.24 | Health Insurance Fund (NEAK) Targeted with Lokibot Malware | ALERTS | VIRUS
A recent report has revealed that the National Health Insurance Fund (NEAK) based in Hungary was targeted by attackers who aimed to deploy Lokibot malware.

24.7.24 | Grayfly is targeting and compromising multiple sectors | ALERTS | APT
Over the past few weeks, multiple campaigns carried out by the China-linked APT group Grayfly (also known as APT41) have been reported.

19.7.24 | New variant of BeaverTail malware targets job seekers | ALERTS | VIRUS
A new variant of the BeaverTail malware has been reported, distributed via a macOS DMG file that mimics the legitimate video call service MiroTalk. This campaign is linked to North Korean hackers targeting job seekers. The updated malware is a native Mach-O executable capable of stealing sensitive data from web browsers and cryptocurrency wallets.

19.7.24 | APT17 Campaign: New variants of 9002 RAT targeting Italian government entities | ALERTS | APT
A malware campaign by the APT17 group has been reported, distributing newer variants of 9002 RAT. The campaign specifically targets government entities and Italian companies. Users are lured with a link to a masqueraded Italian government domain, purportedly to download a Skype installer.

19.7.24 | UAC-0180 Phishing Campaign Targeting Ukrainian Defense Enterprises | ALERTS | GROUP
A recent phishing campaign targeting Ukrainian defense enterprises was observed by researchers, using the topic of Unmanned Aerial Vehicle (UAV) purchasing as a lure. The distributed email includes a ZIP attachment with a PDF file containing a malicious link.

19.7.24 | RDPWrapper and Tailscale leveraged in recent malspam campaign | ALERTS | CAMPAIGN
Researchers have uncovered a multi-stage cyberattack campaign starting with a malicious ZIP file containing a .lnk shortcut file that was likely spread via phishing emails. Upon execution, the .lnk file downloads a PowerShell script enabling threat actors access via RDP.

19.7.24 | ShadowRoot Ransomware | ALERTS | RANSOM
Threat researchers have identified a new ransomware called ShadowRoot which targets businesses in Turkey. The attack starts with a PDF attachment sent via suspicious emails from the "internet[.]ru" domain. If a user clicks on the embedded links within the PDF, it triggers the download of an executable payload that proceeds to encrypt files. Encrypted files have their extensions changed to ".shadowroot".

19.7.24 | Phishing malware campaign targeting Ukrainian Government entities linked to Russian Threat Actor UNC4814 | ALERTS | PHISHING
Symantec has observed a phishing malware campaign targeting government entities in Ukraine. Based on the attack vector and behavior, Symantec believes UNC4814, a suspected Russian threat actor, is responsible for the campaign. The threat actor initiates attacks by sending phishing emails with HTA files attached, masquerading as bills and payment notifications.

19.7.24 | Zero-Day Exploit: Malicious .url Files Leveraging CVE-2024-38112 on Windows | ALERTS | EXPLOIT
An ongoing campaign targeting Windows users has been observed. Threat actors distribute phishing emails containing Windows Internet Shortcut files with a .url extension.

18.7.24 | Killer Ultra Malware | ALERTS | VIRUS
A tool used in Qilin ransomware attacks known as "Killer Ultra" was recently uncovered by researchers. It disables endpoint detection and response (EDR) and antivirus (AV) tools, using a Zemana driver to terminate their processes.

18.7.24 | Noxious Stealer | ALERTS | VIRUS
A new stealer malware dubbed Noxious Stealer was recently identified by researchers. This Python-based open-source tool, currently hosted on GitHub, possesses several capabilities such as collecting sensitive user data including billing details, emails, phone numbers and tokens, as well as system information such as cookies, browsing history, and WiFi passwords.

18.7.24 | Specially crafted HTML files allow for abuse of Windows search | ALERTS | SPAM
Attackers have recently been observed abusing Windows search in order to redirect users to malware. The attack begins by sending the targets malspam with specially crafted HTML files that are designed to abuse the built-in Windows search functionality. Once these files are opened, they redirect to an externally hosted site to download malware of the attackers' choice.

18.7.24 | Jenkins Script Console exploited for cryptocurrency mining | ALERTS | CRYPTOCURRENCY
Improperly configured Jenkins Script Console instances (such as the Jenkins Groovy plugin) have been weaponized by attackers, leading to criminal activities such as the deployment of cryptocurrency miners and backdoors used to gather sensitive information.

18.7.24 | Phishing campaign impersonating Afrihost services | ALERTS | CAMPAIGN
Afrihost is a South African Internet Service Provider (ISP) that offers services such as ADSL broadband, wireless, mobile services, and web hosting. Recently, Symantec has observed phishing campaigns impersonating Afrihost services. These campaigns involve fake notification emails that urge recipients to update their payment methods to avoid service interruption.

18.7.24 | CVE-2024-36401: Vulnerability in OSGeo GeoServer GeoTools | ALERTS | VULNERABILITY
CVE-2024-36401 (CVSS score: 9.8) is a vulnerability in OSGeo GeoServer GeoTools, with evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

18.7.24 | Malware disguised as cracked versions of MS Office | ALERTS | VIRUS
Threat researchers discovered malware disguised as cracked versions of MS Office. It spreads through downloads and torrents, enabling attackers to control infected systems via updates. The malware adapts its installation methods based on the presence of V3 security software. It uses the task scheduler for persistence, ensuring it remains active even if detected.

18.7.24 | BadPack method used in Android malware | ALERTS | VIRUS
BadPack is a method observed in malware which targets Android mobile devices. The authors of BadPack manipulate header information of the APK file format, which effectively breaks the file and prevents manual analysis.

16.7.24 | Quasar RAT delivered via Home Trading System | ALERTS | VIRUS
Threat researchers have identified Quasar RAT malware being distributed via a private Home Trading System (HTS), a tool that allows investors to trade from their own PCs. However, the HTS (aka HPlus) used in these attacks is unsearchable and its provider remains unknown.

16.7.24 | Malicious Word Document Spreading Stealer Malware | ALERTS | VIRUS
An ongoing campaign has revealed a stealer malware initially distributed through Word documents. This malware infects computers, retrieves the device's IP address, and subsequently sends the user's browser information to a dedicated command-and-control (C2) server operated by the attackers, with the data customized for different countries.

16.7.24 | CVE-2024-36991 - Path Traversal vulnerability in Splunk Enterprise | ALERTS | VULNERABILITY
CVE-2024-36991 (CVSS: 7.5 High) is a path traversal vulnerability in Splunk Enterprise, a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data, helping organizations derive insights from this data.

15.7.24 | Poco RAT phishing campaign targeting Spanish speakers | ALERTS | VIRUS
Since early 2024, an ongoing phishing campaign has been targeting Spanish speakers, distributing a new remote access trojan (RAT) known as Poco RAT.

15.7.24 | CRYSTALRAY's Ongoing Operations Leveraging SSH-Snake | ALERTS | GROUP
Since February 2024, researchers have been tracking the evolving threat actor CRYSTALRAY. The group was observed leveraging a network mapping tool called SSH-Snake, a self-modifying worm which exploits compromised SSH credentials to spread through networks.

12.7.24 | OilAlpha targets Arabic-speaking humanitarian NGOs in Yemen | ALERTS | APT
OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials.

12.7.24 | Vultur Campaign: Clothing Retailer Brand Abused in Fake App Scheme | ALERTS | CAMPAIGN
Brands of all genres are constantly abused by cybercriminals to target specific demographics, and financial institutions are usually the ones most impersonated.

12.7.24 | DodgeBox Loader Loading MoonWalk Backdoor | ALERTS | VIRUS
Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku.

12.7.24 | Tax-Themed Android Malware Targeting Uzbekistan Mobile Users | ALERTS | VIRUS
Taxes have been and continue to be prevalently used in social engineering tactics around the world to trick users (both consumers and enterprises) into deploying malware on their machines, entangling themselves in BEC scams, inputting sensitive data into phishing websites, and more.

11.7.24 | Despite group disruptions, ransomware activity not decreasing | ALERTS | RANSOM
In a newly released report, Symantec's Threat Hunter Team shares insight into observed ransomware activity. The data shows that despite disruptions affecting the Lockbit and Noberus groups and a downward trend between the last quarter of 2023 and the first quarter of 2024, activity is still on the rise.

11.7.24 | ViperSoftX: Evolving tactics from Torrent software lures to eBook disguises | ALERTS | VIRUS
ViperSoftX is an infostealer that continues to evolve and enhance its tactics and techniques. Initially, attackers leveraged pirated versions of popular software to lure users, often distributed through torrent sites.

11.7.24 | GuardZoo: Android spyware targeting Middle Eastern defense entities | ALERTS | VIRUS
An Android spyware dubbed GuardZoo has been observed targeting defense entities in the Middle East. It is believed to be associated with the Houthi rebel faction in Yemen.

11.7.24 | Ghostscript (CVE-2024-29510) | ALERTS | VULNERABILITY
Symantec is aware of a remote code execution vulnerability (CVE-2024-29510) in the "Ghostscript" document conversion toolkit used on Linux systems.

10.7.24 | Water Sigbin exploits vulnerabilities to deliver cryptocurrency miner | ALERTS | CRYPTOCURRENCY
The threat actor Water Sigbin (aka 8220 Gang) has exploited vulnerabilities in the Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to deliver a cryptocurrency miner called XMRig to the compromised systems.

10.7.24 | Protection Highlight: Recent Sideloading Attacks | ALERTS | HACKING
In this bulletin, however, we'll talk about sideloading as it relates to the cybersecurity field. MITRE defines sideloading attacks in T1574.002 as a type of (search order) Hijack Execution Flow, which exploits the way Windows applications load DLLs.

9.7.24 | Popular sticky-note installers trojanized to push malware | ALERTS | VIRUS
A recent report by CTA member Rapid7 disclosed that installers for the popular sticky-note app 'Notezilla' have been trojanized in order to deliver malware.

9.7.24 | Recent Water Hydra APT Activity Exploiting CVE-2024-21412 | ALERTS | APT
In early 2024, threat researchers exposed the DarkGate campaign, which exploited CVE-2024-21412 via fake software installers. Afterwards, the APT group Water Hydra used the same vulnerability to target financial traders with the DarkMe RAT, bypassing SmartScreen.

8.7.24 | Zergeca: A new Golang botnet with advanced capabilities | ALERTS | BOTNET
A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation.

8.7.24 | Beware of Orcinius trojan's multi-stage attack via Dropbox and Google Docs | ALERTS | VIRUS
Beware of the Orcinius trojan malware! It's a multi-stage trojan reported to utilize Dropbox and Google Docs as part of its attack vector for downloading secondary payloads.

8.7.24 | Neptune Stealer | ALERTS | VIRUS
A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection.

5.7.24 | Mekotio malware targets banking users in Latin America | ALERTS | VIRUS
Mekotio is a banking trojan active in the threat landscape since at least 2015, targeting predominantly the Latin America region.

5.7.24 | Religion as Bait: AndroRAT Targets Nigerian Mobile Users | ALERTS | VIRUS
Nigeria features a vibrant religious landscape with multiple different faiths shaping the country.

5.7.24 | Fake Sex Tapes of Turkish Celebrities Fuel SpyNote Spread | ALERTS | VIRUS
Fake sex tapes remain a common social engineering lure used by malware actors due to their ability to evoke strong emotions, potentially resulting in impulsive actions.

5.7.24 | CVE-2024-37051 - JetBrains IntelliJ IDEs vulnerability | ALERTS | VULNERABILITY
CVE-2024-37051 is a recently disclosed critical vulnerability impacting JetBrains IntelliJ integrated development environment (IDE) apps.

5.7.24 | LukaLocker ransomware distributed by Volcano Demon group | ALERTS | RANSOM
LukaLocker is a newly seen offering from a ransomware group dubbed Volcano Demon. Recently observed attacks were prefaced by exfiltration of data using harvested credentials.

4.7.24 | Disguised e-book delivering AsyncRAT | ALERTS | VIRUS
Former reports detailed how AsyncRAT malware is usually distributed via file extensions such as .chm, .wsf, and .lnk. Attackers disguise malware as 'survey' content in document files and, more recently, as e-books.

4.7.24 | CosmicSting (CVE-2024-34102) - XXE vulnerability targeting Adobe Commerce and Magento | ALERTS | VULNERABILITY
CVE-2024-34102 is a critical (CVSS: 9.8) XML External Entity Reference (XXE) vulnerability in Adobe Commerce and Magento, which are popular e-commerce platforms.

4.7.24 | CVE-2024-29849 - Veeam Backup Enterprise Manager authentication bypass vulnerability | ALERTS | VULNERABILITY
CVE-2024-29849 is a recently disclosed critical authentication bypass vulnerability (CVSS score 9.8) affecting Veeam Backup Enterprise Manager.

4.7.24 | CVE-2024-36104 - Path Traversal vulnerability in Apache OFBiz | ALERTS | VULNERABILITY
CVE-2024-36104 is a path traversal vulnerability in Apache OFBiz, a comprehensive suite of business applications.

4.7.24 | k4spreader: New malware tool used by '8220' Chinese threat actor group | ALERTS | GROUP
A new malware tool known as k4spreader has been observed being used by the '8220' Chinese threat actor group in recent campaigns.

3.7.24 | RegreSSHion (CVE-2024-6387) | ALERTS | VULNERABILITY
Symantec is aware of the "regreSSHion" vulnerability (CVE-2024-6387), which is a critical remote code execution (RCE) flaw in OpenSSH.

3.7.24 | Protection Highlight: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability | ALERTS | VULNERABILITY
PHP is a general-purpose server scripting language and a powerful scripting tool for making dynamic and interactive web pages. CVE-2024-4577 is a high-severity (CVSS: 9.8) argument injection vulnerability affecting PHP when running in CGI mode.

3.7.24 | Apple IDs Targeted in US Smishing Campaign | ALERTS | HACKING
Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims.

3.7.24 | CVE-2024-31982 - XWiki RCE vulnerability | ALERTS | VULNERABILITY
CVE-2024-31982 is a recently disclosed remote code execution (RCE) vulnerability affecting XWiki, a popular open-source, Java-based wiki platform.

2.7.24 | Datebug APT continues to spread CapraRAT Android malware | ALERTS | APT
Renewed malicious activity associated with the Datebug APT (aka Transparent Tribe or APT36) has been reported by researchers from SentinelOne.

2.7.24 | Poseidon infostealer targeting macOS | ALERTS | VIRUS
Poseidon is a new infostealer variant targeting the macOS platform. The malware is an evolution of the older variant known as RodStealer.

2.7.24 | MerkSpy malware payload delivered through exploitation of CVE-2021-40444 vulnerability | ALERTS | VIRUS
Researchers from Fortinet have reported on a new campaign delivering the MerkSpy malware. The threat actors behind this campaign have been leveraging an older Microsoft MSHTML RCE vulnerability, CVE-2021-40444, for payload distribution.

2.7.24 | Kematian Stealer | ALERTS | VIRUS
Researchers have reported a new stealer-type malware dubbed Kematian. This PowerShell-based tool is used for covertly accessing and transferring data from Windows systems.

2.7.24 | Fake ZainCash App Steals Mobile User Data | ALERTS | VIRUS
ZainCash, a comprehensive mobile wallet service licensed under the Central Bank of Iraq and designed to provide a variety of digital financial services, has become one of the latest fintech brands abused by cybercriminals.