
DATE

NAME

Info

CATEGORY

WEB

2.11.24

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

In this blog entry, we discuss how an attacker took advantage of the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining purposes.

Vulnerability blog

Trend Micro

2.11.24

Unmasking Prometei: A Deep Dive Into Our MXDR Findings

How does Prometei insidiously operate in a compromised system? This Managed Extended Detection and Response investigation conducted with the help of Trend Vision One provides a comprehensive analysis of the inner workings of this botnet so users can stop the threat in its tracks before it inflicts damage to the system.

BotNet blog

Trend Micro

2.11.24

Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.

Cryptocurrency blog

Trend Micro

2.11.24

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware.

Malware blog

Trend Micro

2.11.24

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network 

Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777).

Hacking blog

Microsoft Blog

2.11.24

New Iranian-based Ransomware Group Charges $2000 for File Retrieval

The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment.

Ransom blog

SonicWall

2.11.24

Command Injection and Local File Inclusion in Grafana: CVE-2024-9264

The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data.

Vulnerability blog

SonicWall

2.11.24

Code Injection in Spring Cloud: CVE-2024-37084

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability.

Vulnerability blog

SonicWall

2.11.24

A Look Into Embargo Ransomware, Another Rust-based Ransomware

Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics, where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom is paid.

Malware blog

SonicWall

2.11.24

HORUS Protector Part 1: The New Malware Distribution Service

Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others.

Malware blog

SonicWall

2.11.24

VMWare vCenter Server CVE-2024-38812 DCERPC Vulnerability

CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when memory allocated in the heap is improperly overwritten, leading to unpredictable behavior that could be exploited.

Vulnerability blog

SonicWall

2.11.24

Insecure Deserialization in Veeam Backup and Replication: CVE-2024-40711

The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.

Vulnerability blog

SonicWall

2.11.24

Jumpy Pisces Engages in Play Ransomware

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).

Ransom blog

Palo Alto

2.11.24

Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction

This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content.

AI blog

Palo Alto

2.11.24

Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism

Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. A bypass of Gatekeeper could leave the user unprotected from risky applications that may attempt to execute malicious content.

OS Blog

Palo Alto

2.11.24

Talos IR trends Q3 2024: Identity-based operations loom large

Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

Cyber blog

Cisco Blog

2.11.24

Threat actors use copyright infringement phishing lure to deploy infostealers

* Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan.
* The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the

Phishing blog

Cisco Blog

2.11.24

Threat Spotlight: WarmCookie/BadSpace

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Malware blog

Cisco Blog

2.11.24

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

Malware blog

Cisco Blog

2.11.24

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits. For Snort coverage that can detect the exploitation of

Vulnerability blog

Cisco Blog

2.11.24

Writing a BugSleep C2 server and detecting its traffic with Snort

This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.

Cyber blog

Cisco Blog

2.11.24

How LLMs could help defenders write better and faster detection

Can LLM tools actually help defenders in the cybersecurity industry write more effective detection content? Read the full research

AI blog

Cisco Blog

2.11.24

Highlighting TA866/Asylum Ambuscade Activity Since 2021

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Cyber blog

Cisco Blog

2.11.24

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities

BigBrother blog

Cisco Blog

2.11.24

Protecting major events: An incident response blueprint

Go behind the scenes with Talos incident responders and learn from what we've seen in the field.

Incident blog

Cisco Blog

2.11.24

Ghidra data type archive for Windows driver functions

Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types.

Malware blog

Cisco Blog

2.11.24

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

Vulnerability blog

Cisco Blog

2.11.24

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Vulnerability blog

Cisco Blog

2.11.24

Are hardware supply chain attacks “cyber attacks?”

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process.

Hacking blog

Cisco Blog

2.11.24

Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks

Have you ever wondered why there are so many vulnerable drivers and what might be causing them to be vulnerable? Do you want to understand why some drivers are prone to crossing security boundaries and how we can stop that?

Vulnerability blog

Checkpoint

2.11.24

Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum

Beginning in early August, Check Point Research observed a cyber-enabled disinformation campaign primarily targeting Moldova’s government and education sectors. Acting ahead of Moldova’s elections on October 20th, attackers behind this campaign likely seek to foster negative perceptions of European values and the EU membership process in addition to Moldova’s current pro-European leadership, with the intent of influencing the outcome of the upcoming fall elections and national referendum.

BigBrother blog

Checkpoint

2.11.24

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind.

Vulnerability blog

Project Zero

2.11.24

The Windows Registry Adventure #4: Hives and the registry layout

To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system.

Vulnerability blog

Project Zero

2.11.24

Effective Fuzzing: A Dav1d Case Study

Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, and it was assigned CVE-2024-1580.

Vulnerability blog

Project Zero

2.11.24

MacOS Malware Surges as Corporate Usage Grows

As more companies adopt macOS for their corporate needs, attackers are adapting their techniques to get what they want

OS Blog

Trellix

2.11.24

Cyber Threats Targeting the US Government During the Democratic National Convention

Trellix global sensors detected increased threat activities during the days that the Democratic National Convention (DNC) was held in August 2024, culminating in a massive spike in detections halfway through the convention. Our data indicate that these threat activities targeted a wide range of US government organizations, including regional democratic causes, state legislative offices, legislative data centers, election boards, local law enforcement agencies, and public transportation networks.

BigBrother blog

Trellix

2.11.24

Month in security with Tony Anscombe – October 2024 edition

Election interference, American Water and the Internet Archive breaches, new cybersecurity laws, and more – October saw no shortage of impactful cybersecurity news stories

Cyber blog

Eset

2.11.24

How to remove your personal information from Google Search results

Have you ever googled yourself? Were you happy with what came up? If not, consider requesting the removal of your personal information from search results.

Cyber blog

Eset

2.11.24

Don't become a statistic: Tips to help keep your personal data off the dark web

You may not always stop your personal information from ending up in the internet’s dark recesses, but you can take steps to protect yourself from criminals looking to exploit it

Cyber blog

Eset

2.11.24

Tony Fadell: Innovating to save our planet | Starmus highlights

As methane emissions come under heightened global scrutiny, learn how a state-of-the-art satellite can pinpoint their sources and deliver the insights needed for targeted mitigation efforts

Security blog

Eset

2.11.24

CloudScout: Evasive Panda scouting cloud services

ESET researchers discovered a previously undocumented toolset used by Evasive Panda to access and retrieve data from cloud services

APT blog

Eset

2.11.24

ESET Research Podcast: CosmicBeetle

Learn how a rather clumsy cybercrime group wielding buggy malicious tools managed to compromise a number of SMBs in various parts of the world

Cyber blog

Eset

2.11.24

Embargo ransomware: Rock’n’Rust

Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit

Ransom blog

Eset

2.11.24

Google Voice scams: What are they and how do I avoid them?

Watch out for schemes where fraudsters trick people into sharing verification codes so they can gain access to their phone numbers

Spam blog

Eset

2.11.24

Threat actors exploiting zero-days faster than ever – Week in security with Tony Anscombe

The average time it takes attackers to weaponize a vulnerability, either before or after a patch is released, shrank from 63 days in 2018-2019 to just five days last year

Exploit blog

Eset

2.11.24

Protecting children from grooming | Unlocked 403 cybersecurity podcast (ep. 7)

“Hey, wanna chat?” This innocent phrase can take on a sinister meaning when it comes from an adult to a child online – and even be the start of a predatory relationship

Cyber blog

Eset

2.11.24

Quishing attacks are targeting electric car owners: Here’s how to slam on the brakes

Ever alert to fresh money-making opportunities, fraudsters are blending physical and digital threats to steal drivers’ payment details

Hacking blog

Eset

2.11.24

Aspiring digital defender? Explore cybersecurity internships, scholarships and apprenticeships

The world needs more cybersecurity professionals – here are three great ways to give you an ‘in’ to the ever-growing and rewarding security industry

Cyber blog

Eset

2.11.24

GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe

Hacking blog

Eset

2.11.24

Telekopye transitions to targeting tourists via hotel booking scam

ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms

Spam blog

Eset

2.11.24

Cyber insurance, human risk, and the potential for cyber-ratings

Could human risk in cybersecurity be managed with a cyber-rating, much like credit scores help assess people’s financial responsibility?

Cyber blog

Eset

2.11.24

Mind the (air) gap: GoldenJackal gooses government guardrails

ESET Research analyzed two separate toolsets for breaching air-gapped systems, used by a cyberespionage threat actor known as GoldenJackal

BigBrother blog

Eset

2.11.24

The complexities of attack attribution – Week in security with Tony Anscombe

Attributing a cyberattack to a specific threat actor is a complex affair, as evidenced by new ESET research published this week

Cyber blog

Eset

2.11.24

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

ESET Research details the tools and activities of a new China-aligned threat actor, CeranaKeeper, focusing on massive data exfiltration in Southeast Asia

APT blog

Eset

2.11.24

Why system resilience should mainly be the job of the OS, not just third-party applications

Building efficient recovery options will drive ecosystem resilience

OS Blog

Eset

2.11.24

Cybersecurity Awareness Month needs a radical overhaul – it needs legislation

Despite their benefits, awareness campaigns alone are not enough to encourage widespread adoption of cybersecurity best practices

Cyber blog

Eset

2.11.24

Gamaredon's operations under the microscope – Week in security with Tony Anscombe

ESET research examines the group's malicious wares as used to spy on targets in Ukraine in the past two years

Cyber blog

Eset