
DATE

NAME

Info

CATEGORY

WEB

22.12.24

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.

APT blog

Trend Micro

22.12.24

MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks

Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance.

Exploit blog

Trend Micro

22.12.24

FedRAMP ATO Boosts Zero Trust for Federal Agencies

Trend Vision One™ for Government has obtained a FedRAMP Authorization to Operate (ATO). This milestone enables Federal government customers to leverage Trend’s platform to rapidly stop adversaries and control their cybersecurity risk posture.

BigBrother blog

Trend Micro

22.12.24

Python-Based NodeStealer Version Targets Facebook Ads Manager

In this blog entry, Trend Micro’s Managed XDR team discusses its investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram.

Malware blog

Trend Micro

22.12.24

Link Trap: GenAI Prompt Injection Attack

Prompt injection exploits vulnerabilities in generative AI to manipulate its behavior, even without extensive permissions. This attack can expose sensitive data, making awareness and preventive measures essential. Learn how it works and how to stay protected.

AI blog

Trend Micro

22.12.24

Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration

Unit 42 researchers have discovered new security vulnerabilities in the Azure Data Factory Apache Airflow integration. Attackers can exploit these flaws by gaining unauthorized write permissions to a directed acyclic graph (DAG) file or using a compromised service principal.

Vulnerability blog

Palo Alto

22.12.24

Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024. We have identified examples of malware samples created by this service based on strings found in several development samples the operators used to test their work.

Malware blog

Palo Alto

22.12.24

Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams

Threat actors frequently exploit trending events like global sporting championships to launch attacks, including phishing and scams. Because of this, proactive monitoring of event-related domain abuse is crucial for cybersecurity teams.

Phishing blog

Palo Alto

22.12.24

Threat Assessment: Howling Scorpius (Akira Ransomware)

Emerging in early 2023, the Howling Scorpius ransomware group is the entity behind the Akira ransomware-as-a-service (RaaS), which has consistently ranked in recent months among the top five most active ransomware groups. Its double extortion strategy significantly amplifies the threat it poses. Unit 42 researchers have been monitoring the Howling Scorpius ransomware group over the past year.

Ransom blog

Palo Alto

22.12.24

Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware

Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp-up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius. Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries.

Ransom blog

Palo Alto

22.12.24

Lynx Ransomware: A Rebranding of INC Ransomware

In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK.

Ransom blog

Palo Alto

22.12.24

Remote Code Execution Vulnerability in WhatsUp Gold (CVE-2024-46909): Analysis and Mitigation

Overview: The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp G...

Vulnerability blog

SonicWall

22.12.24

Strela Stealer Targeting Ukraine Alongside Other European Countries

Overview: The SonicWall Capture Labs threat research team has been tracking Strela Stealer for a long time. Our research shows that Strela Stealer remained active throughout 2024. We recently identified...

Malware blog

SonicWall

22.12.24

Critical SQL Injection Vulnerability in SuiteCRM (CVE-2024-36412)

Overview: The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-36412, assessed its impact and developed mitigation measures for this vulnerability. CVE-2024-36412 is a critical...

Vulnerability blog

SonicWall

22.12.24

Trojan Disguised as VPN Client Exploits Users with Fake Cisco AnyConnect Installer

This week, the SonicWall Capture Labs threat research team analyzed a PDF file with a link to download a copy of a well-known VPN client. This PDF file appears to have been distributed via spam email and has a link to download Cisco AnyConnect. However, no VPN client was installed upon execution; instead, it downloaded a Trojan that constantly connected to various remote servers.

Malware blog

SonicWall

22.12.24

Russian Ransomware Known As "Assignment" Leaves Victims Helpless

The SonicWall Capture Labs threat research team has been tracking a recently released Russian ransomware known as “Assignment”. The malware is written in Go and contains a large amount of debugging information that was left in by the author. As expected, the malware encrypts files and demands payment for file retrieval. The cost of decryption is 0.222 bitcoin, which is roughly $21,500.00 at the time of writing this alert. However, there is no way to contact the operator to obtain a decryptor.

Ransom blog

SonicWall

22.12.24

HTML Phishing On the Rise: Analyzing New Threat Vectors

This week, the SonicWall Capture Labs Threat Research Team observed a significant increase in HTML phishing threats. The prevalence of phishing campaigns targeting Microsoft Office and Adobe Cloud users is rising, with attackers focusing on stealing individual account passwords within various organizations. Many of these campaigns primarily targeted Chinese-speaking users.

Hacking blog

SonicWall

22.12.24

Inside Akira Ransomware’s Rust Experiment

Check Point Research analyzed the construction and control flow of Akira ransomware’s Rust version that circulated in early 2024, which has specific features uniquely targeting ESXi servers. Our analysis demonstrates how Rust idioms, boilerplate code, and compiler strategies come together to account for the complicated assembly.

Ransom blog

Checkpoint

22.12.24

Gaming Engines: An Undetected Playground for Malware Loaders

Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript code, which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.

Malware blog

Checkpoint

22.12.24

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. The group has been held responsible for several recent cyber operations in the US, France, Sweden, and Israel.

Malware blog

Checkpoint

22.12.24

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, previously associated with the Hamas-affiliated group Gaza Cybergang, despite the ongoing war in the region.

BigBrother blog

Checkpoint

22.12.24

CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits

Check Point Research is tracking an ongoing, large-scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys.

Malware blog

Checkpoint

22.12.24

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor notorious for persistently targeting Indian government organizations, diplomatic personnel, and military facilities. APT36 has conducted numerous cyber-espionage campaigns against Windows, Linux, and Android systems.

APT blog

Checkpoint

21.12.24

The evolution and abuse of proxy networks

Proxy and anonymization networks have been dominating the headlines. This piece discusses their origins and evolution on the threat landscape, with a specific focus on state-sponsored abuse.

Security blog

Cisco Blog

21.12.24

Exploring vulnerable Windows drivers

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers.

Vulnerability blog

Cisco Blog

21.12.24

Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities

The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Vulnerability blog

Cisco Blog

21.12.24

Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found

Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader. These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular a

Vulnerability blog

Cisco Blog

21.12.24

Something to Read When You Are On Call and Everyone Else is at the Office Party

It’s mid-December. If you’re on call or working to defend networks, this newsletter is for you. Martin discusses the widening gap between threat and defences as well as the growing problem of home devices being recruited to act as proxy servers for criminals.

Cyber blog

Cisco Blog

21.12.24

MC LR Router and GoCast unpatched vulnerabilities

Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at the time of this posting. For Snort coverage that can detect the explo

Vulnerability blog

Cisco Blog

21.12.24

The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight

Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help.

Cyber blog

Cisco Blog

21.12.24

Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform

By Philippe Laulheret ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of p

Vulnerability blog

Cisco Blog

21.12.24

ESET Research Podcast: Telekopye, again

Take a peek into the murky world of cybercrime, where groups of scammers who go by the nickname of 'Neanderthals' wield the Telekopye toolkit to ensnare unsuspecting victims they call 'Mammoths'.

Cyber blog

Eset

21.12.24

Unwrapping Christmas scams | Unlocked 403 cybersecurity podcast (ep. 9)

ESET's Jake Moore reveals why the holiday season is a prime time for scams, how fraudsters prey on victims, and how AI is supercharging online fraud

Cyber blog

Eset

21.12.24

Cybersecurity is never out-of-office: Protecting your business anytime, anywhere

While you're enjoying the holiday season, cybercriminals could be gearing up for their next big attack – make sure your company's defenses are ready, no matter the time of year

Cyber blog

Eset

21.12.24

ESET Threat Report H2 2024: Key findings

ESET Chief Security Evangelist Tony Anscombe looks at some of the report's standout findings and their implications for staying secure in 2025

Cyber blog

Eset

21.12.24

ESET Threat Report H2 2024

A view of the H2 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts

Cyber blog

Eset

21.12.24

Black Hat Europe 2024: Hacking a car – or rather, its infotainment system

Our ‘computers on wheels’ are more connected than ever, but the features that enhance our convenience often come with privacy risks in tow

Cyber blog

Eset

21.12.24

Black Hat Europe 2024: Why a CVSS score of 7.5 may be a 'perfect' 10 in your organization

Aggregate vulnerability scores don’t tell the whole story – the relationship between a flaw’s public severity rating and the specific risks it poses for your company is more complex than it seems

Cyber blog

Eset

21.12.24

Black Hat Europe 2024: Can AI systems be socially engineered?

Could attackers use seemingly innocuous prompts to manipulate an AI system and even make it their unwitting ally?

Cyber blog

Eset

21.12.24

How cyber-secure is your business? | Unlocked 403 cybersecurity podcast (ep. 8)

As cybersecurity is a make-or-break proposition for businesses of all sizes, can your organization's security strategy keep pace with today’s rapidly evolving threats?

Cyber blog

Eset

21.12.24

Are pre-owned smartphones safe? How to choose a second-hand phone and avoid security risks

Buying a pre-owned phone doesn’t have to mean compromising your security – take these steps to enjoy the benefits of cutting-edge technology at a fraction of the cost

Cyber blog

Eset

21.12.24

Philip Torr: AI to the people | Starmus Highlights

We’re on the cusp of a technological revolution that is poised to transform our lives – and we hold the power to shape its impact

AI blog

Eset

21.12.24

Achieving cybersecurity compliance in 5 steps

Cybersecurity compliance may feel overwhelming, but a few clear steps can make it manageable and ensure your business stays on the right side of regulatory requirements

Cyber blog

Eset

21.12.24

CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft

A zero-day vulnerability, tracked as CVE-2024-55956, has been discovered in 3 Cleo products and is being exploited by CL0P ransomware group, leading to potential data theft

Vulnerability blog

Cybereason

21.12.24

Your Data Is Under New Lummanagement: The Rise of LummaStealer

In this Threat Analysis report, Cybereason investigates the rising activity of the malware LummaStealer.

Malware blog

Cybereason

21.12.24

Stellar Discovery of A New Cluster of Andromeda/Gamarue C2

In this Threat Analysis report, Cybereason investigates incidents relating to the Andromeda backdoor and a new cluster of C2 servers

Malware blog

Cybereason

21.12.24

Malicious Life Podcast: Operation Snow White, Part 2

Scientology spies were trained in all covert operations techniques: surveillance, recruiting agents, infiltrating enemy lines, and blackmail. However, a suspicious librarian and a determined FBI agent brought the largest single spy operation in US government history to an end.

BigBrother blog

Cybereason

21.12.24

THREAT ANALYSIS: Beast Ransomware

In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.

Ransom blog

Cybereason

21.12.24

CUCKOO SPEAR Part 2: Threat Actor Arsenal

In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques.

Phishing blog

Cybereason

21.12.24

Malicious Life Podcast: Operation Snow White, Part 1

In 1963, the FDA raided the headquarters of a budding new and esoteric religion - The Church of Scientology. In response to this and similar incidents to come, the church's founder - an eccentric science fiction author named L. Ron Hubbard - would go on to lead the single largest known government infiltration operation in United States history.

BigBrother blog

Cybereason

21.12.24

CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective

In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques.

Phishing blog

Cybereason

21.12.24

The Windows Registry Adventure #5: The regf file format

As previously mentioned in the second installment of the blog post series ("A brief history of the feature"), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a way, it is quite special, because it represents a registry subtree simultaneously on disk and in memory, as opposed to most other common file formats.

Hacking blog

Project Zero

21.12.24

The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit

Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs.

Exploit blog

Project Zero

21.12.24

Windows Tooling Updates: OleView.NET

This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution.

OS Blog

Project Zero

21.12.24

Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

Recently, one of the projects I was involved in had to do with video decoding on Apple platforms, specifically AV1 decoding. On Apple devices that support AV1 video format (starting from Apple A17 iOS / M3 macOS), decoding is done in hardware

OS Blog

Project Zero

21.12.24

Safeguarding Election Integrity: Threat Hunting for the U.S. Elections

With 2024 being a major election year globally, the stakes for election security were and remain high. More than 60 countries, including the United States, Mexico, India, and Indonesia, held elections and engaged nearly 2 billion voters. The U.S. general election on November 5th, 2024, drew significant attention due to concerns over potential interference and cybersecurity threats.

BigBrother blog

Trellix

21.12.24

Hacktivist Groups: The Shadowy Links to Nation-State Agendas

The recent conflicts between Ukraine and the Middle East have seen a surge in hacktivist activity, with groups aligned with both sides engaging in cyberattacks. In this blog we cover a large set of hacktivist groups.

BigBrother blog

Trellix

21.12.24

Anatomy of Celestial Stealer: Malware-as-a-Service Revealed

During proactive hunting, Trellix Advanced Research Center found samples belonging to Celestial Stealer, a JavaScript-based infostealer which is packaged either as an Electron application or as a NodeJS single application for the Windows 10 and Windows 11 operating systems. It is a Malware-as-a-Service (MaaS) advertised on the Telegram platform. The stealer is marketed as FUD (fully undetectable).

Malware blog

Trellix

21.12.24

Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now

On November 18th, the US Justice Department unsealed criminal charges against a Russian national for allegedly administering the sale, distribution, and operation of Phobos ransomware. Phobos is considered an evolution of Dharma Ransomware (aka CrySIS). Code similarities and ransom notes suggest that the creators are either the same or closely connected.

Ransom blog

Trellix

21.12.24

When Guardians Become Predators: How Malware Corrupts the Protectors

We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us?

Malware blog

Trellix