DATE NAME CATEGORY SUBCATEGORY INFO

30.4.24 MUDDLING MEERKAT: THE GREAT FIREWALL MANIPULATOR REPORT REPORT THE GREAT FIREWALL MANIPULATOR
30.4.24 MUDDLING MEERKAT Operation Operation A CUNNING OPERATOR: MUDDLING MEERKAT AND CHINA’S GREAT FIREWALL
30.4.24 New DragonForce Ransomware variant ALERTS Ransom A new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group. DragonForce Ransomware targets victim(s) with the intent of extortion. The threat actor typically employs a double extortion tactic by locking the victim(s) out of their infected machines and exfiltrating data before encryption. If the victim(s) fail to meet the demands imposed, the threat actor will release the data to others via the dark web.
30.4.24 Security vendor applications impersonated in recent malware campaign ALERTS Virus Impersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. In a recent report published by Sophos, they have identified activity in which attackers are modifying legitimate binaries of security vendors to launch newly embedded malicious payloads. It should be noted that modifying such files breaks their digital signatures and consequently de-legitimizes the applications.
30.4.24 Ziraat Stealer disguised as data recovery tool ALERTS Virus The Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a Data Recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, and various email applications. Moreover, it can conduct screenshot and keylogging activities. Classified as a specialized Remote Access Trojan (RAT), this malicious software has the ability to extract sensitive information from compromised systems.
30.4.24 Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertising ALERTS Virus Many campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. This involves exploiting online advertising platforms, including Google Ads, to spread the malware. What makes FakeBat unique is that the threat actor uses MSIX installers packaged with heavily obfuscated PowerShell code.
30.4.24 CVE-2017-8570 Vulnerability CVE Microsoft Office Remote Code Execution Vulnerability
30.4.24 CVE-2024-29021 Vulnerability CVE (CVSS score: 9.1) - The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
30.4.24 CVE-2024-28189 Vulnerability CVE (CVSS score: 10.0) - A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
30.4.24 CVE-2024-28185 Vulnerability CVE (CVSS score: 10.0) - The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
30.4.24 CVE-2024-27322 Vulnerability CVE Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
30.4.24 DEV#POPPER Campaign Campaign ANALYSIS OF DEV#POPPER: NEW ATTACK CAMPAIGN TARGETING SOFTWARE DEVELOPERS LIKELY ASSOCIATED WITH NORTH KOREAN THREAT ACTORS
27.4.24 Flowise 1.6.5 - Authentication Bypass Exploit WebApps TypeScript
27.4.24 Laravel Framework 11 - Credential Leakage Exploit WebApps PHP
27.4.24 SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) Exploit WebApps PHP
27.4.24 Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution Exploit WebApps PHP
27.4.24 FlatPress v1.3 - Remote Command Execution Exploit WebApps PHP
27.4.24 Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation Exploit Remote Linux_x86-64
27.4.24 CVE-2024-29966 Vulnerability CVE Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appliance.
27.4.24 CVE-2024-29963 Vulnerability CVE Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries.
27.4.24 CVE-2024-29961 Vulnerability CVE A vulnerability affects Brocade SANnav before v2.3.1 and v2.3.0a. It allows a Brocade SANnav service to send ping commands in the background at regular intervals to gridgain.com to check if updates are available for the Component. This could make an unauthenticated, remote attacker aware of the behavior and launch a supply-chain attack against a Brocade SANnav appliance.
27.4.24 CVE-2024-29960 Vulnerability CVE In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SANnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav.
27.4.24 CVE-2024-2859 Vulnerability CVE By default, SANnav OVA is shipped with root user login enabled. While protected by a password, access to root could expose SANnav to a remote attacker should they gain access to the root account.
27.4.24 Brokewell Malware Android Brokewell: do not go broke from new banking malware!
27.4.24 CVE-2024-3400 Vulnerability CVE A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
27.4.24 CVE-2024-27956 Vulnerability CVE Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.
27.4.24 CVE-2024-21338 Vulnerability CVE Windows Kernel Elevation of Privilege Vulnerability
27.4.24 Kaolin RAT Malware RAT From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
27.4.24 Multiple vulnerabilities in OpenMetadata ALERTS VULNERABILITY OpenMetadata is an open source metadata platform that can be used for data discovery, cataloging and collaboration. According to a recent report, threat actors have been exploiting critical vulnerabilities including authentication bypass and SpEL Expression Injections in OpenMetadata in efforts leading to deployment of cryptomining software. The recently disclosed OpenMetadata vulnerabilities include CVE-2024-28253, CVE-2024-28254, CVE-2024-28255, CVE-2024-28847, and CVE-2024-28848 and affect product versions prior to 1.3.1. If successfully exploited, the discussed vulnerabilities might allow unauthenticated remote attackers to achieve remote code execution (RCE) on affected instances.
27.4.24 KageNoHitobito ransomware ALERTS Ransom KageNoHitobito ransomware came on the scene in March 2024. This is a no frills ransomware with basic old school functionality; file encryption (only on the local drive), drops ransom notes, and requires interaction with the attack group via Tor. There are no indications of any data theft for extortion functions. Data shows that this ransomware has been seen in multiple countries across the world.
27.4.24 Brokewell mobile malware ALERTS Virus Brokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. The malware features extensive infostealing functionalities including hardware information collection, credential exfiltration, call logs retrieval, audio capture, screen streaming, capture of taps, swipes and text inputs as well other various remote access and device takeover capabilities.
27.4.24 Amadey malware family remains an active threat in the landscape ALERTS Virus Amadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. While this malware family has been known for a relatively long time, new Amadey samples are found in the wild almost every day. Modular architecture combined with both infostealing and payload loading capabilities allows this malware to be used in a wide variety of campaigns by different threat groups. Amadey is known to be distributed via a wide variety of ways including malicious attachments, drive-by-downloads masqueraded as cracked software, malvertising or exploit kits.
25.4.24 SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign ALERTS APT A new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing and sending malicious links via contact forms. Clicking these links will download and install the SSLoad malware, then this DLL-based loader will deploy further backdoors and payloads, including a Cobalt Strike beacon to establish connection to the attacker's C2 servers to exfiltrate system and user information.
25.4.24 SpyNote campaign using Vietnam's National Public Service as bait ALERTS APT SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. In a recent campaign, Symantec observed the threat (DỊCH VỤ CÔNG.apk) masquerading as an official app from Vietnam's National Public Service web platform, which offers extensive online public services for both citizens and businesses.
25.4.24 APT43 exploits Dropbox in TutorialRAT distribution campaign ALERTS APT The APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. This campaign appears to be an extension of APT43's BabyShark threat campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files. TutorialRAT is a C#-based remote control program that functions as an infostealer, collecting and exfiltrating device and users' personal information.
25.4.24 CryptBot among the infostealer variants distributed in latest CoralRaider campaign ALERTS Virus According to a recent report, three distinct infostealer variants, Cryptbot, LummaC2 and Rhadamanthys, have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. The threat actors have been leveraging Content Delivery Network (CDN) cache as a malware delivery mechanism. The new variant of CryptBot malware has the functionality to steal a wide variety of data from the compromised machines. It targets data exfiltration from web browsers, cryptocurrency wallets, authenticator apps and password managers.
25.4.24 Seedworm exploits Atera Agent in a spear-phishing Campaign ALERTS CAMPAIGN Seedworm (also known as MuddyWater) is actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. The actor leverages Atera's 30-day free trial offers to create agents registered with compromised email accounts, enabling remote access to targeted systems without establishing their own command-and-control (C2) infrastructure. Atera offers extensive remote control capabilities via its web UI, including file upload/download, interactive shell access, and AI-powered command assistance. The threat actor utilizes free file hosting platforms to host their RMM installers, distributing them via spear-phishing emails.
25.4.24 Fake Job App Steals SMS Messages From Oil Industry Job Seekers ALERTS Mobile Symantec has recently observed a malicious actor targeting mobile users who are looking for jobs in the oil industry. They have created a fake application ([company name] Jobs.apk) that has the appearance of being from a significant player in the oil industry of Bahrain and the Middle East. Users who are successfully lured into installing the app are asked to input their phone numbers into a form. Unbeknownst to them, the malicious actors will actually monitor and steal all their SMS messages.
25.4.24 More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets ALERTS Virus More fake MetaMask Android applications have been observed targeting mobile users' wallets via phishing tactics, all of which are being hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. It is most likely that these apps are being spread via malicious SMS.
25.4.24 GooseEgg, a post-exploitation malware ALERTS Virus Researchers at Microsoft have reported on ongoing activities of the Russian-based threat actor Forest Blizzard, identified by Symantec as Swallowtail (aka STRONTIUM), utilizing a custom tool dubbed GooseEgg. This activity has been taking place since at least 2020 and possibly as early as 2019. The tool exploits a vulnerability in the Windows Print Spooler service (CVE-2022-38028) to gain SYSTEM-level privileges and steal credentials from compromised networks. The recently observed campaign targets government, non-governmental, education, and transportation sector organizations primarily in Ukraine, Western Europe, and North America.
25.4.24 CVE-2024-20353 Vulnerability CVE (CVSS score: 8.6) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
25.4.24 CVE-2024-20359 Vulnerability CVE (CVSS score: 6.0) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
25.4.24 ArcaneDoor Campaign Spy ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
25.4.24 Pupy RAT Malware RAT Analysis of Pupy RAT Used in Attacks Against Linux Systems
25.4.24 FROZEN#SHADOW Attack Campaign Campaign Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
25.4.24 GuptiMiner Malware Cryptocurrency GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
24.4.24 CoralRaider Malware Stealer Suspected CoralRaider continues to expand victimology using three information stealers
24.4.24 Dependency Confusion Attack Attack Dependency confusion (also known as dependency repository hijacking, substitution attack, or repo jacking for short) is a software supply chain attack that substitutes malicious third-party code for a legitimate internal software dependency. There are various approaches to creating this kind of attack vector, including:
23.4.24 The State of Stalkerware in 2023–2024 Cyber SECURELIST The annual Kaspersky State of Stalkerware report aims to contribute to awareness and a better understanding of how people around the world are impacted by digital stalking. Stalkerware is commercially available software that can be discreetly installed on smartphone devices, enabling a perpetrator to monitor an individual’s private life without their knowledge.
23.4.24 Kapeka backdoor ALERTS ALERTS Kapeka is a recently identified backdoor variant leveraged in malicious campaigns targeted at various entities from Eastern Europe since at least 2022. It is believed that this backdoor has been distributed by the threat group known as Sandworm. Kapeka backdoor is coded in C++ and contains capabilities for victim's machine fingerprinting, shell command execution, read/write file operations or launch of arbitrary payloads, among others. Kapeka also has functionality to upgrade the backdoor binaries or to completely remove itself from the infected endpoint.
23.4.24 Sharpil RAT malware - possible precursor to Sharp Stealer ALERTS ALERTS Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality including system info collection and data gathering from various web browsers. Once on the infected machine Sharpil initiates connection to the attackers via a Telegram bot. Sharpil exhibits some code similarities with another recently identified malware variant called Sharp Stealer. This variant has been reported as being advertised for sale on Telegram, and it possesses some enhanced capabilities when compared to Sharpil RAT.
23.4.24 APT28 APT APT Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
23.4.24 ToddyCat APT APT We continue covering the activities of the APT group ToddyCat. This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.
22.4.24 Core Werewolf APT group targets Russian defense organizations in espionage campaign ALERTS APT  Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. The attack utilized a malicious document as bait, purportedly meant for the presentation of state awards to special forces soldiers. However, the document is actually a 7zSFX archive containing a legitimate remote access tool, UltraVNC. Upon extraction, the malware creates copies of a decoy document and the UltraVNC executable, schedules tasks to run the executable, and establishes a connection to a designated server.
22.4.24 Megazord Ransomware ALERTS Ransom Megazord ransomware is a Rust-based malware that targets healthcare, education, and government entities. The initial attack vector includes spear-phishing emails as well as exploiting vulnerable services. Tools such as RDP and advanced IP scanners are used for lateral movement. Once compromised, Megazord terminates multiple processes and services, and encrypts local volumes and files.
22.4.24 OfflRouter observed infecting Ukrainian DOC files ALERTS Virus Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. These documents contain VBA code that, once opened, downloads an executable file which begins to look for other DOC files on the machine to infect as well as search for additional plugins on removable drives.
22.4.24 Redline Stealer Malware Stealer A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior.
20.4.24 2024-04-18 - Word macro --> SSLoad --> Cobalt Strike Malware traffic Malware traffic Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.
20.4.24 PAN-OS CVE-2024-3400 Vulnerability CVE On April 10, 2024 Palo Alto Networks Product Security Incident Response Team (PSIRT) learned of a suspicious exfiltration attempt at a customer site from Volexity's Steven Adair. Our Palo Alto Networks Product Security Research Lead Christopher Ganas and Unit 42's Threat Research Lead Kyle Wilhoit immediately investigated the issue with Volexity's team.
20.4.24 Updating CrushFTP v11 Vulnerability CVE CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are protected by the protocol translation system it utilizes. (CREDIT: Simon Garrelou, of Airbus CERT)
20.4.24 Coreid (aka Fin7) uses backdoor against US Automaker victims ALERTS APT  A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. According to the report, the campaign leveraged spearphishing emails against selected targets by socially engineering content related to free online scanning tools. The victim would be coerced into following a link to a typosquatted domain related to a legitimate online scanner.
20.4.24 APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings ALERTS APT  A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. Users are enticed to visit the main webpages of these projects to download the software. Once installed, the software further infects devices with infostealer malware. Depending on the operating system, the malware variants include Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro.
20.4.24 Akira ransomware remains an active threat on the landscape ALERTS Ransom Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) regarding a number of targeted activities observed for the Akira ransomware. Akira is a ransomware family seen on the threat landscape since at least 2023.
20.4.24 XAgent spyware targeting iOS devices ALERTS Virus An XAgent spyware targeting iOS devices has been identified, linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe, XAgent possesses capabilities for remote control and data exfiltration. It can gather information on users' contacts, messages, device details, installed applications, screenshots, and call records.
19.4.24 CVE-2020-3259 Vulnerability CVE A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information.
19.4.24 CVE-2023-20269 Vulnerability CVE A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.
19.4.24 Akira Ransomware Ransomware Akira is swiftly becoming one of the fastest-growing ransomware families thanks to its use of double extortion tactics, a ransomware-as-a-service (RaaS) distribution model, and unique payment options.
19.4.24 Deuterbear Malware Loader Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
19.4.24 BlackTech Campaign Cyberespionage Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
19.4.24 Malware campaign distributing MadMxShell backdoor via masquerade websites ALERTS CAMPAIGN  A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. Employing tactics such as typosquatting and SEO poisoning, they attract users through Google Ads. The backdoor utilizes DNS MX queries for command and control (C2) communication, aiming to evade memory forensics security solutions. The malware provides attackers with unauthorized access to compromised systems, allowing them to execute commands, exfiltrate data, and carry out other malicious activities.
19.4.24 CR4T malware implant distributed in the DuneQuixote campaign ALERTS Virus Malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. CR4T malware comes in two different strains, one written in C/C++ and the other one in the Golang programming language. The malware functionality focuses on granting the attackers with access to the infected endpoints, enabling remote command execution and arbitrary file upload/download capabilities.
19.4.24 Mamont Android banking trojan ALERTS Virus Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. Mamont has the functionality to collect information about the infected device. It can exfiltrate selected messages and intercept new messages, sending them back to attackers' controlled Telegram channel. The malware has the capability to examine the content of the messages as it is focused on those related to any financial or monetary transactions.
19.4.24 StopRansomware: Akira Ransomware Ransomware Ransomware Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.
19.4.24 2024-04-17 - TA578 pushes SSLoad malware Malware traffic Malware traffic Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
19.4.24 OfflRouter Malware VBA Macro OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
19.4.24 FIN7 Group APT Threat Group FIN7 Targets the U.S. Automotive Industry
19.4.24 CR4T Malware Backdoor CR4t Malware: A Shape-Shifting Threat — Threat Intelligence Report
19.4.24 DuneQuixote Campaign Campaign DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware
18.4.24 SoumniBot Malware Android Banking SoumniBot: the new Android banker’s unique techniques
18.4.24 CVE-2024-28847 Vulnerability CVE (CVSS score: 8.8) - A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4)
18.4.24 CVE-2024-28848 Vulnerability CVE (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4)
18.4.24 CVE-2024-28253 Vulnerability CVE (CVSS score: 8.8) - A SpEL injection vulnerability in PUT /api/v1/policies (fixed in version 1.3.1)
18.4.24 CVE-2024-28254 Vulnerability CVE (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/events/subscriptions/validation/condition/<expr> (fixed in version 1.2.4)
18.4.24 CVE-2024-28255 Vulnerability CVE (CVSS score: 9.8) - An authentication bypass vulnerability (fixed in version 1.2.4)
18.4.24 MadMxShell Malware Backdoor Malvertising campaign targeting IT teams with MadMxShell
18.4.24 Kapeka Malware Backdoor Kapeka: A novel backdoor spotted in Eastern Europe
18.4.24 Google Firebase and Clearbit abused in Phishing campaigns ALERTS CAMPAIGN Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. Among host services, abusing Google Firebase has been prevalent due to its ease of use, free hosting, scalability, and domain customization features. These attributes make it an appealing platform for phishing actors seeking to host and distribute fraudulent content with minimal effort and cost.
18.4.24 TP-Link Archer AX21 CVE-2023-1389 still being exploited by botnets ALERTS VULNERABILITY Last year an unauthenticated command injection vulnerability, CVE-2023-1389, was disclosed for the web management interface of the TP-Link Archer AX21 (AX1800) router. Despite this vulnerability being reported and remediated, numerous campaigns still exploit it. Recent attacks have been observed utilizing various botnets including Moobot, Miori, AGoent, and Gafgyt. As botnets are known to target IoT vulnerabilities, users should install the latest updates and follow manufacturer remediation steps.
17.4.24 Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models Alert Alert Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. For example, an attacker could use this feature to trojanize a popular model, save it, and redistribute it, tainting the supply chain of dependent AI/ML applications.
17.4.24 CVE-2024-1852 - WordPress WP-Members Membership Plugin vulnerability ALERTS VULNERABILITY CVE-2024-1852 is a high severity cross-site scripting (XSS) vulnerability affecting the WordPress WP-Members Membership Plugin. Successful exploitation of this vulnerability could allow unauthenticated attackers to inject arbitrary web scripts into vulnerable pages. If executed in the context of an administrator, the exploitation of this flaw could additionally lead to redirection of the site visitors to malicious URLs or further compromise. The vulnerability has been addressed in version 3.4.9.3 of the plugin.
17.4.24 SoumniBot - Android banking malware ALERTS Virus SoumniBot is a new banking malware variant for Android. This malware has been reported to target mobile users from Korea. SoumniBot leverages several techniques to evade detection, such as an invalid compression method value, an invalid manifest size, or long XML namespace names. Functionality-wise, this Android malware can collect information about the infected device, contact data, SMS/MMS messages, and exfiltrate digital certificates issued by Korean banks that are stored on the device.
17.4.24 Rincrypt Ransomware ALERTS Ransom Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with the specific extensions according to a pre-defined list. The malware appends the encrypted files with “.rincrypt” extension. Upon completed encryption process a ransom note file called "READ THIS.txt" is dropped onto the desktop of the infected machine. It contains an email address for the victims to contact for further instructions.
17.4.24 Tax-Themed phishing campaign deploys XWorm RAT ALERTS Virus An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. The attack begins with an HTML tax document attachment. Upon opening, it triggers the download of a JavaScript file which then executes a PowerShell script. This script is equipped with features to terminate running processes, manage decoy PDF files, disable User Account Control (UAC), and ultimately deliver the XWorm payload.
17.4.24 Risen Ransomware ALERTS Ransom A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics by threatening to sell or leak stolen information if the ransom payment is not made. Encrypted files will have an extension added to them, following this format: [actor's email address, TELEGRAM:actor's ID].random ID. Victims are provided with two email addresses, a Telegram ID, and a blog URL (hosted on the Tor network) as means of contact.
17.4.24 CVE-2023-1389 Vulnerability CVE Unauthenticated Command Injection in TP-Link Archer AX21 (AX1800)
17.4.24 Cerber Ransomware Ransomware Cerber Ransomware: Dissecting the three heads
17.4.24 CVE-2023-22518 Vulnerability CVE All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account.
17.4.24 Connect:fun REPORT REPORT Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
17.4.24 Connect:fun Campaign Campaign In a new threat briefing, Forescout Research – Vedere Labs details an exploitation campaign targeting organizations running Fortinet’s FortiClient EMS which is vulnerable to CVE-2023-48788. We are designating this campaign Connect:fun because of the use of ScreenConnect and Powerfun as post-exploitation tools – our first-ever named campaign.
17.4.24 CVE-2023-48788 Vulnerability CVE An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.
17.4.24 2024-04-15 - Contact Forms campaign pushing SSLoad malware Malware traffic Malware traffic Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
16.4.24 SteganoAmor Campaign Campaign SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
16.4.24 CVE-2023-36052 Vulnerability CVE Azure CLI REST Command Information Disclosure Vulnerability
16.4.24 LeakyCLI Vulnerability CVE LeakyCLI: AWS and Google Cloud Command-Line Tools Can Expose Sensitive Credentials in Build Logs
16.4.24 SteganoAmor campaign attributed to TA558 threat group ALERTS Group A new malicious campaign dubbed SteganoAmor has been attributed to the TA558 threat actor. The attackers have been leveraging steganography techniques by concealing malicious code inside image files. TA558 is a threat group known to target the tourism and hospitality sectors, with an extensive focus on targets located in Latin America. In their attacks the group continues to leverage an old Microsoft Office Equation Editor vulnerability from 2017, CVE-2017-11882. The observed delivered payloads vary and include malware from the Remcos, Agent Tesla, Formbook, Guloader, Lokibot, Xworm and several other families.
16.4.24 L00KUPRU Ransomware ALERTS Ransom L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. The attackers drop a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and demand payment in Bitcoin cryptocurrency. Additionally, the ransom note is displayed in a pop-up window on the desktop, providing the victims with the attackers' contact details as well as a BTC wallet address for payments.
16.4.24 SolarMarker malware campaign adapts with PyInstaller for obfuscation ALERTS Virus A SolarMarker malware campaign has been observed utilizing PyInstaller to obfuscate first-stage PowerShell scripts instead of Inno Setup and PS2EXE, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. SolarMarker is typically spread through attacks involving Search Engine Optimization Poisoning (SEO-Poisoning). In this observed campaign, users were tempted to download a disguised PDF document from a website impersonating a reputed South Californian Medical University.
16.4.24 Hive0051c malware campaign distributing GammaLoad in Ukraine ALERTS Virus Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. The attack vector employed phishing emails containing Ukrainian-language lure documents targeting military and government entities. The GammaLoad backdoor presents the risk of various follow-on payloads, facilitated by independent C2 fallback channels. Hive0051c utilized synchronized DNS fluxing across multiple channels to rotate infrastructure and maintained several active C2 clusters.
16.4.24 Muddled Libra Group Group Muddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources to assist with data exfiltration. All CSPs have terms of service (TOS) policies that explicitly prohibit activities like those performed by Muddled Libra.
16.4.24 Lighttpd Vulnerability CVE Important changes
16.4.24 CVE-2024-31497 Vulnerability CVE In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures.
16.4.24 FatalRAT Distributed Through Fake Cryptocurrency App Website ALERTS Virus A new malicious campaign has been identified where the attackers attempt to distribute FatalRAT malware via a webpage masqueraded as a legitimate cryptocurrency application download website specifically designed for Chinese users. Once the RAT payload is installed, it can steal personal information from victims and perform keylogging activities.
16.4.24 Fake Anti Radar App SpyNote RAT Targets French Drivers ALERTS Virus Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. They are deployed in various locations, including highways, urban areas, and rural roads, to monitor and enforce speed limits. These cameras are often placed strategically in areas prone to speeding or high accident rates, such as near schools, construction zones, and dangerous curves.
16.4.24 XploitSPY Android malware ALERTS Virus An active malicious campaign dubbed "eXotic Visit" has been recently spreading a customized variant of the XploitSPY Android malware. The campaign, which reportedly started way back in 2021, has been delivering malicious apps hosted on either dedicated websites or the Google Play store. Most recent variants of this malware incorporate code updates regarding obfuscation, emulator detection and use of native libraries to hide attacker information, among others. XploitSPY has the functionality to extract call logs, contacts and text messages from the infected device. It can also take pictures, record audio or send SMS messages, etc.
15.4.24 LightSpy Malware ios LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India
15.4.24 Operation MidnightEclipse Operation Operation A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
15.4.24 OpenClinic GA 5.247.01 - Path Traversal (Authenticated) Exploit WebApps PHP
15.4.24 OpenClinic GA 5.247.01 - Information Disclosure Exploit WebApps PHP
15.4.24 Jenkins 2.441 - Local File Inclusion Exploit WebApps Java
15.4.24 djangorestframework-simplejwt 5.3.1 - Information Disclosure Exploit WebApps Python
15.4.24 BMC Compuware iStrobe Web - 20.13 - Pre-auth RCE Exploit WebApps JSP
15.4.24 Stock Management System v1.0 - Unauthenticated SQL Injection Exploit WebApps PHP
15.4.24 Online Fire Reporting System OFRS - SQL Injection Authentication Bypass Exploit WebApps PHP
15.4.24 Savsoft Quiz v6.0 Enterprise - Stored XSS Exploit WebApps PHP
13.4.24 Signed backdoor found in screen mirroring software ALERTS Virus A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. The malware contains an embedded freeware proxy server, likely intended to watch and potentially manipulate network traffic.
13.4.24 XZ Utils Backdoor Malware Backdoor XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
13.4.24 Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) Exploit WebApps PHP
13.4.24 WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated) Exploit WebApps PHP
13.4.24 WBCE 1.6.0 - Unauthenticated SQL injection Exploit WebApps PHP
13.4.24 Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter Exploit WebApps PHP
13.4.24 PrusaSlicer 2.6.1 - Arbitrary code execution Exploit Local Multiple
13.4.24 PopojiCMS Version 2.0.1 - Remote Command Execution Exploit WebApps PHP
13.4.24 Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS) Exploit WebApps PHP
13.4.24 HTMLy Version v2.9.6 - Stored XSS Exploit WebApps PHP
13.4.24 Ray OS v2.6.3 - Command Injection RCE(Unauthorized) Exploit WebApps Python
13.4.24 Terratec dmx_6fire USB - Unquoted Service Path Exploit Local Windows_x86-64
13.4.24 MinIO < 2024-01-31T20-20-33Z - Privilege Escalation Exploit Remote Go
13.4.24 GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload Exploit WebApps PHP
13.4.24 Open Source Medicine Ordering System v1.0 - SQLi Exploit WebApps PHP
13.4.24 Daily Expense Manager 1.0 - 'term' SQLi Exploit WebApps PHP
13.4.24 Best Student Result Management System v1.0 - Multiple SQLi Exploit WebApps PHP
13.4.24 Human Resource Management System v1.0 - Multiple SQLi Exploit WebApps PHP
13.4.24 Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass Exploit Remote Hardware
13.4.24 Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload Exploit WebApps PHP
13.4.24 AnyDesk 7.0.15 - Unquoted Service Path Exploit Local Windows
13.4.24 Quick CMS v6.7 en 2023 - 'password' SQLi Exploit WebApps PHP
12.4.24 LightSpy malware implant ALERTS Virus LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. This malware implant has functionality to exfiltrate private user information, GPS location data, SMS messages, messenger apps data, phone call history and others. LightSpy has also capabilities allowing it to comprehensively track browser history on the infected device, remotely execute shell commands and record voice over IP (VOIP) call sessions.
12.4.24 Rhadamanthys malware deployments attributed to TA547 ALERTS Virus A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. In their attacks, the attackers leverage .zip archives containing malicious .lnk files that once executed trigger PowerShell scripts leading to Rhadamanthys infection on the compromised endpoint. The deployed malware payload has various capabilities including collection and exfiltration of confidential user data such as credentials, cookies etc.
12.4.24 Credit Card Skimmer Hidden in Fake Facebook Pixel Tracker Hacking Credit Card Skimmer In recent months, we have encountered a number of cases where attackers inject malware into website software that allows for custom or miscellaneous code — for example, the miscellaneous scripts area of the Magento admin panel, or WordPress plugins such as Custom CSS & JS.
12.4.24 DarkBeatC2 Campaign APT DarkBeatC2: The Latest MuddyWater Attack Framework
12.4.24 CVE-2024-3400 Vulnerability CVE A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
12.4.24 TA547 Group Group Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
11.4.24 Pupy RAT continues to be used in attacks against Linux systems ALERTS Virus Pupy RAT continues to be leveraged in attacks conducted by miscellaneous threat operators. The malware has various functionalities including upload/download of files, remote command execution, information theft, keylogging and screenshot capture among others. While Pupy RAT is known to target both Windows and Linux systems, recently reported campaigns have seen usage of the Linux variant of this malware against targets in Asia.
11.4.24 Multiple programming languages fail to escape arguments properly in Microsoft Windows Alert Alert Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment.
11.4.24 April 9, 2024—KB5036893 (OS Builds 22621.3447 and 22631.3447) Windows 11 Update Windows 11 Update The new end date is June 24, 2025 for Windows 11, version 22H2 Enterprise and Education editions. Home and Pro editions of version 22H2 will receive non-security preview updates until June 26, 2024.
11.4.24 April 9, 2024—KB5036892 (OS Builds 19044.4291 and 19045.4291) Windows 10 Update Windows 10 Update IMPORTANT The following editions of Windows 10, version 21H2 will reach end of service on June 11, 2024: Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, Windows 10 Enterprise multi-session, After that date, these devices will not receive monthly security and quality updates. These updates contain protections from the latest security threats.
11.4.24 Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers ALERTS HACKING Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. The tool has been abused by various threat actors for a long while now. In a recently reported campaign, Meterpreter has been observed being deployed to vulnerable or misconfigured Redis servers. The attackers have also been using a privilege escalation tool called PrintSpoofer. Meterpreter deployment to vulnerable servers is an initial attack step that might lead to deployment of further arbitrary payloads such as cryptominers or ransomware.
11.4.24 Nitrogen malware delivery campaign ALERTS CAMPAIGN A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads, and the malware binaries are masqueraded as PuTTY or FileZilla software installers. Nitrogen uses DLL sideloading to infect the targeted system. Once deployed, this malware is generally used to gain initial access, allowing network compromise and additional arbitrary payload deployments.
11.4.24 Open Source Medicine Ordering System v1.0 - SQLi Exploit WebApps PHP
11.4.24 Daily Expense Manager 1.0 - 'term' SQLi Exploit WebApps PHP
11.4.24 Best Student Result Management System v1.0 - Multiple SQLi Exploit WebApps PHP
11.4.24 Human Resource Management System v1.0 - Multiple SQLi Exploit WebApps PHP
11.4.24 Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass Exploit Remote Hardware
11.4.24 Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload Exploit WebApps PHP
11.4.24 AnyDesk 7.0.15 - Unquoted Service Path Exploit Local Windows
11.4.24 Quick CMS v6.7 en 2023 - 'password' SQLi Exploit WebApps PHP
11.4.24 BatCloak Malware FUD Engine Analyzing the FUD Malware Obfuscation Engine BatCloak
11.4.24 Trick Developers Detected in an Open Source Supply Chain Attack Hacking Hacking In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub's search functionality, and using meticulously crafted repositories to distribute malware.
11.4.24 CVE-2023-45590 Vulnerability CVE [FortiClient Linux] Remote Code Execution due to dangerous nodejs configuration
11.4.24 Virtual Invaders Group Group There is no indication that this campaign is linked to any known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders.
11.4.24 XploitSPY RAT Malware RAT eXotic Visit campaign: Tracing the footprints of Virtual Invaders
11.4.24 eXotic Visit Campaign Android ESET researchers uncovered the eXotic Visit espionage campaign that targets users mainly in India and Pakistan with seemingly innocuous apps.
11.4.24 Raspberry Robin Campaign Virus Raspberry Robin Now Spreading Through Windows Script Files
10.4.24 Residual Attack Surface of Cross-privilege Spectre v2 Attack CPU We present InSpectre Gadget, an in-depth Spectre gadget inspector that uses symbolic execution to accurately reason about exploitability of usable gadgets. Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way.
10.4.24 Linux kernel on Intel systems is susceptible to Spectre v2 attacks Alert Alert A new cross-privilege Spectre v2 vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered.
10.4.24 Smoke Malware Backdoor Smoke and (screen) mirrors: A strange signed backdoor
10.4.24 CVE-2024-26234 Vulnerability CVE (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability
10.4.24 CVE-2024-29988 Vulnerability CVE (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass Vulnerability
10.4.24 CVE-2024-21412 Vulnerability CVE Internet Shortcut Files Security Feature Bypass Vulnerability
10.4.24 CVE-2024-29990 Vulnerability CVE Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
10.4.24 BatBadBut Vulnerability CVE BatBadBut: You can't securely execute commands on Windows
10.4.24 CVE-2024-24576 Vulnerability CVE Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command` API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.
9.4.24 SpyNote mobile malware spread under the disguise of INPS Mobile application ALERTS Virus A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. INPS (National Institute for Social Security) is the main social security organisation in Italy, and the INPS Mobile app gives INPS users access to various consultation and documentation services. The malicious app disguised as INPS Mobile is distributed via a phishing page that resembles the official INPS website. The SpyNote malware payload has various capabilities including keylogging, SMS theft, screenshot grabbing, call recording and installation of additional arbitrary payloads.
9.4.24 Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services ALERTS Virus A new infostealer distribution campaign has been reported in the wild, with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. The advertisements lead victims to download malicious software disguised as desktop versions of the mentioned AI programs. Nova Stealer, Rilide Stealer V4, Vidar and IceRAT were among the infostealing payloads distributed in this campaign, which has been known to target users from various European countries.
9.4.24 Starry Addax Group Group Starry Addax targets human rights defenders in North Africa with new malware
9.4.24 CVE-2023-6320 Vulnerability CVE A vulnerability that lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.
9.4.24 CVE-2023-6319 Vulnerability CVE A third vulnerability allows operating system command injection by manipulating a library responsible for showing music lyrics.
9.4.24 CVE-2023-6318 Vulnerability CVE Another vulnerability allows attackers to elevate the access they gained in the first step to root and fully take over the device.
9.4.24 CVE-2023-6317 Vulnerability CVE A vulnerability that lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7. By setting a variable, the attacker can add an extra user to the TV set.
9.4.24 ScrubCrypt Malware Crypto ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins
9.4.24 CVE-2024-3273 Vulnerability CVE A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely.
9.4.24 CVE-2024-3272 Vulnerability CVE A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials.
9.4.24 V8 Sandbox Security Security The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox"), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).
8.4.24 CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited ALERTS VULNERABILITY A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. The threat actor utilized an Arbitrary Code Execution (ACE) vulnerability within a third-party Perl module called 'Spreadsheet ParseExcel' to deploy a specially crafted Excel email attachment targeting a limited number of ESG devices. Barracuda has observed new variants of the SEASPY and SALTWATER malware being deployed on these ESG devices.
8.4.24 New phishing run spoofs International Card Services (ICS) ALERTS PHISHING Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content. As the call to action in this phishing run, the email recipients are asked to validate their email address. Interestingly, for this supposed email validation process, the victims are required to copy and paste the actual phishing URL into the browser or type it manually. The victims are served with credential harvesting webpages once the phishing URL opens in the web browser.
8.4.24 TISAK Ransomware ALERTS Ransom TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends the .Tisak extension to the files. Once encryption completes, a ransom note text file called Tisak_Help.txt is dropped within the encrypted locations on the infected machine. The malware has the functionality to stop various system processes and services as well as delete volume shadow copies. The threat actors behind this ransomware variant threaten the victims with data publication if the requested ransom demands are not met.
8.4.24 Spoofed Adobe Creative Cloud email notifications appear in phish runs ALERTS PHISHING Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. Lately, Symantec has observed phishing runs that impersonate Adobe Creative Cloud and entice users to open fake notification emails. The email body content is kept short and mentions a pending document stored in the cloud. These phish emails attempt to lure users to open and click on phish URLs. Upon clicking on the phish URLs presented in the email content, the victims are served with credential harvesting webpages.
8.4.24 CVE-2023-41266 A path traversal vulnerability in Qlik Sense Enterprise under active exploitation ALERTS VULNERABILITY CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. Symantec's network protection technology, Intrusion Prevention System (IPS), has picked up scans based on threat landscape monitoring which indicate a recent uptick in exploitation of this vulnerability. Symantec IPS blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.
8.4.24 Xamalicious Android malware ALERTS Virus Xamalicious is a backdoor malware targeting the Android platform. The malware is built using the Xamarin framework, which is an open source platform for creating apps with .NET and C#. The malware has been previously distributed by various apps hosted on Google Play and some other 3rd party platforms. Xamalicious has the functionality to collect information about the infected device including hardware info, list of installed applications, geolocation info and network provider data, among others. A second-stage payload might allow the attackers to take full control of the infected device and to perform additional fraudulent tasks.
8.4.24 Binance Turkey Users Lured with MASAK Audit Scare ALERTS Crime More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. The social engineering tactic in the messages is different from other, more generic ones. Here they bait users with account issues (preventing them from buying, selling, and transferring crypto) related to an audit conducted by the Financial Crimes Investigation Board (MASAK), a regulatory authority in Turkey responsible for combating money laundering and terrorism financing.
8.4.24 Continuous activities of UAC-0099 threat group against Ukraine ALERTS Group "UAC-0099" is a threat group known to be targeting Ukraine since at least mid-2022. In some of the recent campaigns the attackers have been leveraging self-extracting RAR .SFX archives, .LNK files masqueraded as WordPad documents, as well as PowerShell scripts and a LoanPage VBS malware payload. UAC-0099 has also been observed to leverage exploitation of the known WinRAR vulnerability CVE-2023-38831 within the infection chain of their attacks.
8.4.24 Bandook malware - an older threat remains active in the wild ALERTS Virus Bandook is a remote access trojan discovered way back in 2007. While it is quite an old malware family, new variants of Bandook reemerge in the wild with new distribution campaigns to this day. In one recent such run, Bandook has been spread with the help of malicious PDF files leading to download of password-protected 7z archives that, once extracted, deliver the Bandook payload. Upon infection the malware executes commands received from the attacker-controlled C2 servers. The payload also has capabilities allowing it to download additional arbitrary modules and executables.
8.4.24 Malicious SMS Targets BDO Unibank users ALERTS Virus Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, Symantec has observed recurrent malicious SMS in which actors are attempting to lure the bank's mobile users into providing sensitive information that will eventually lead to financial theft. This campaign, while it mostly affects consumers, has also been observed targeting corporate users.
8.4.24 No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign ALERTS Virus Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive-by downloads, vulnerabilities, etc.) keep on going. In a recent example, an Agent Tesla malspam campaign caught Symantec's attention, with the actor impersonating Riyad Bank, a major financial institution in Saudi Arabia and one of the largest banks in the country by assets.
8.4.24 Truist Bank users targeted with new phishing emails ALERTS PHISHING Truist Bank is one of the top U.S. commercial banks, headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. The email content mentions a "temporary hold" placed on your account that can be lifted after a proper verification is completed. It entices the user to click on the "Verify now" phish URL, ready to steal credentials.
8.4.24

MetaStealer distributed via malvertising

ALERTS

Virus

MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. Recently the malware has been also seen being delivered via means of malvertising. Upon clicking on the ads, the victim gets redirected to malware landing pages masqueraded as download portals for AnyDesk or Notepad++ software. MetaStealer has the functionalities to collect various information from local browsers, steal credentials, cryptowallets, extract data from miscellaneous 3rd party applications and more.

8.4.24

New variant of Chameleon Android malware allows for biometric authentication bypass

ALERTS

Virus

Chameleon is an Android banking malware that first emerged at the beginning of 2023. The malware has been used in earlier campaigns targeting Android users in Australia and in Poland and has been distributed under the disguise of banking or cryptocurrrency apps. Chameleon's capabilities include keylogging, SMS harvesting, credential theft and cookie stealing, among others. The most recently discovered variant of this malware allows the attackers to bypass the biometric authentication on the infected device, forcing it to fallback to standard authentication means such as PIN entry and unlock the device.

8.4.24

Operation HamsaUpdate

ALERTS

Operation

Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5’s network devices. The attackers have been reported to leverage wiper malware targeting Windows servers (variant called Hatef) as well as Linux platform (variant called Hamsa).

8.4.24

Fictitious OnlyFans premium mobile app revealed as SpyNote

ALERTS

Virus

OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. Yet, the intriguing dichotomy lies in its content, which ventures into the NSFW (Not Safe For Work) territory. Many users, while capitalizing on the platform's income potential, inadvertently tread a fine line that might lead them onto Santa's naughty list.

8.4.24

Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery

ALERTS

VULNEREBILITY

CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw might allow attackers for remote code execution on the infected machines. Agent Tesla is a malware family observed to be still leveraging this old vulnerability in some of the recent campaigns.

8.4.24

Movable Type API CVE-2021-20837 vulnerability under active exploitation

ALERTS

VULNEREBILITY

CVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting Movable Type API. If successfully exploited, this vulnerability enables remote code execution.

8.4.24

GuLoader campaign: From Seoul to Brussels

ALERTS

Virus

GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. In fact, this actor has been orchestrating a substantial campaign in South Korea over the past three weeks in three waves, recently shifting focus to Belgium.

8.4.24

Xray Ransomware

ALERTS

Ransom

Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. Upon successful encryption, files will be appended with a .Xray extension.

8.4.24

New phishing run spoofs Mexican Postal Service (Correos de Mexico)

ALERTS

PHISHING

Symantec has observed a new wave of phishing runs spoofing the Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. The reason for not delivering the package is stated as "failure to pay custom duties".

8.4.24

TA544 activities involving IDAT Loader

ALERTS

Virus

A new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. In their latest campaigns, the attackers have been leveraging new variants of the IDAT Loader malware to deliver various payloads such as Remcos RAT or SystemBC malware.

8.4.24

JaskaGO infostealer for Windows and macOS

ALERTS

Virus

JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, cryptowallets and others. Collected data is compressed into a .zip archive and forwarded to the attackers' C2 servers. Besides the info-stealing functionality, JaskaGO can also execute shell commands received from the attackers as well as download and run additional payloads.

8.4.24

Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214

ALERTS

VULNERABILITY

CVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting the Splunk Enterprise platform. Due to a flaw in the processing of user-supplied extensible stylesheet language transformations (XSLT), remote attackers might be able to upload a malicious XSLT, resulting in remote code execution on the affected Splunk instance.

8.4.24

Zimbra Collaboration XSS vulnerability CVE-2023-37580

ALERTS

VULNERABILITY

CVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting Zimbra Collaboration suite. Successful exploitation of the vulnerability may allow an attacker to compromise the confidentiality and integrity of the target system by means of malicious scripts injection.

8.4.24

Play Ransomware - latest attacks against enterprises

ALERTS

Ransom

Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. Play ransomware was discovered back in June 2022, and since that time it has been used in multiple high-profile attacks.

8.4.24

"No One Was Home" themed Evri phishing emails are making the rounds

ALERTS

PHISHING

Evri is a parcel delivery company based in the United Kingdom. As the holiday season has started, spoofed emails masquerading as Evri parcel notifications have been observed. These emails entice the users to click phishing URLs in order to reschedule the delivery as "no one was home". The phishing URLs are constructed using hijacked domains, with the sole purpose of stealing credentials.

8.4.24

CVE-2023-49070 Apache OFBiz RCE vulnerability

ALERTS

VULNERABILITY

CVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. Successful exploitation of the vulnerability grants the attacker complete control over the server, allowing them to steal sensitive data, disrupt operations, or even launch further attacks against the organization’s network. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

8.4.24

African based telecommunications organizations targeted by Iranian Seedworm group

ALERTS

APT

The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, which occurred in November 2023, leveraged some new and some existing features previously attributed to Seedworm.

8.4.24

Fake NordVPN Installer Delivering SecTopRAT

ALERTS

Virus

While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. This malware is pretty much the same as many stealers that abuse both Discord and Telegram to report to the actors and exfiltrate stolen information.

8.4.24

Latrodectus

Malware

Downloader

Latrodectus: This Spider Bytes Like Ice

8.4.24

SecTopRAT

Malware

RAT

Bing ad for NordVPN leads to SecTopRAT

7.4.24

CVE-2024-3273

Vulnerability CVE

A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection.

7.4.24

CVE-2024-20720

Vulnerability CVE

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.

6.4.24

HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Alert

Alert

HTTP allows messages to include named fields in both header and trailer sections. These header and trailer fields are serialised as field blocks in HTTP/2, so that they can be transmitted in multiple fragments to the target implementation.

6.4.24

Quick CMS v6.7 en 2023 - 'password' SQLi

Exploit

WebApps

PHP

6.4.24

Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)

Exploit

WebApps

PHP

6.4.24

Computer Laboratory Management System v1.0 - Multiple-SQLi

Exploit

WebApps

PHP

6.4.24

ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path

Exploit

Local

Windows

6.4.24

Axigen < 10.5.7 - Persistent Cross-Site Scripting

Exploit

WebApps

PHP

6.4.24

Gibbon LMS v26.0.00 - SSTI vulnerability

Exploit

WebApps

PHP

6.4.24

Casdoor < v1.331.0 - '/api/set-password' CSRF

Exploit

WebApps

Go

6.4.24

Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Exploit

Local

Windows

6.4.24

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

Exploit

WebApps

PHP

6.4.24

Smart School 6.4.1 - SQL Injection

Exploit

WebApps

PHP

6.4.24

CE Phoenix v1.0.8.20 - Remote Code Execution

Exploit

WebApps

PHP

6.4.24

Elementor Website Builder < 3.12.2 - Admin+ SQLi

Exploit

WebApps

PHP

6.4.24

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

Exploit

WebApps

PHP

6.4.24

Daily Habit Tracker 1.0 - Broken Access Control

Exploit

WebApps

PHP

6.4.24

Daily Habit Tracker 1.0 - SQL Injection

Exploit

WebApps

PHP

6.4.24

Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

Exploit

WebApps

PHP

6.4.24

Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)

Exploit

WebApps

PHP

6.4.24

Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection

Exploit

WebApps

PHP

6.4.24

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

Exploit

WebApps

PHP

6.4.24

FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

Exploit

WebApps

PHP

6.4.24

FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)

Exploit

WebApps

PHP

6.4.24

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

Exploit

Local

Windows

6.4.24

Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

Exploit

WebApps

PHP

6.4.24

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

Exploit

WebApps

PHP

6.4.24

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

Exploit

WebApps

PHP

6.4.24

GL-iNet MT6000 4.5.5 - Arbitrary File Download

Exploit

Remote

Hardware

6.4.24

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

Exploit

Local

Windows

6.4.24

OpenCart Core 4.0.2.3 - 'search' SQLi

Exploit

WebApps

PHP

6.4.24

ASUS Control Center Express 01.06.15 - Unquoted Service Path

Exploit

Local

Windows

6.4.24

Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

Exploit

WebApps

PHP

6.4.24

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

Exploit

WebApps

PHP

5.4.24

New JsOutProx malware variant observed in campaigns targeted at the financial sector

ALERTS

Virus

A new JsOutProx malware variant has been observed in recent campaigns targeting the financial sector in Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. While in the past the group has been using GitHub repositories to host the malicious payloads, the latest attacks leverage repositories on the GitLab platform instead.

5.4.24

Byakugan malware

ALERTS

Virus

Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of an Adobe Reader installer. The malware receives commands from a remote C2 server that also acts as the attackers' control panel. Byakugan's functionality includes keylogging, screen capture, coin mining, theft of information stored in the web browsers and arbitrary file download, among others.

5.4.24

Phorpiex malware campaign targets finance sector in Europe and North America

ALERTS

Virus

A malware campaign distributing Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. As part of the attack, shortcut files with embedded malicious macros are used to infect user systems and download additional malware payloads. Phorpiex can work without an active C2 server and is mainly used to steal cryptocurrency using the crypto-clipping technique.

5.4.24

Indonesia – Wedding invites used as lure by an SMS thief

ALERTS

Spam

In mid-2023, an actor was observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. Over the past few months, more of these malicious applications have been detected. The malware's primary goal is to collect SMS messages and send them to the author's Telegram channel via the Telegram Bot API.

5.4.24

Latrodectus malware

ALERTS

Virus

Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. The loader is mostly used in the initial stages of the attacks to execute remote commands and to download additional payloads. Notably, its distribution campaigns exhibit similarities with previous IcedID operations in techniques and infrastructure usage.

5.4.24

Backdoor code found in XZ Utils library

ALERTS

Virus

On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. The malicious code, tracked as CVE-2024-3094, is embedded in XZ Utils versions 5.6.0 and 5.6.1 and could allow remote, malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.

5.4.24

MacOS Users targeted with Infostealers

ALERTS

Virus

MacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. This website installs an infostealer capable of extracting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

5.4.24

TA558 continues espionage activities in Latin America

ALERTS

Group

The TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. This malware is equipped with functionalities for harvesting sensitive data and gaining remote control over compromised systems.

5.4.24

YouTube Hijacking: Rise in Attack Campaigns Distributing Infostealers

ALERTS

Hack

An increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute the Vidar and LummaC2 infostealer malware. Users are lured with videos purporting to offer cracked versions of everyday programs like Adobe. Links provided in the comments section lead to malicious packages uploaded to MediaFire. Consequently, users unwittingly become infected by downloading and executing malicious code instead of the desired program.

5.4.24

CVE-2024-21893

Vulnerability CVE

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

5.4.24

CVE-2024-21887

Vulnerability CVE

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

5.4.24

CVE-2023-46805

Vulnerability CVE

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

5.4.24

UTA0178

Group

Group

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting.

5.4.24

Rhadamanthys

Malware

Stealer

Rhadamanthys Malware Disguised as Groupware Installer (Detected by MDS)

5.4.24

JSOutProx RAT

Papers

Papers

Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies

5.4.24

JSOutProx

Malware

Tool

Resecurity has detected a new version of JSOutProx, targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine.

5.4.24

Byakugan

Malware

infostealer

Byakugan – The Malware Behind a Phishing Attack

5.4.24

VietCredCare 

Malware

Stealer

Extra credit: VietCredCare information stealer takes aim at Vietnamese businesses

5.4.24

CoralRaider

Group

Group

CoralRaider targets victims’ data and social media accounts

5.4.24

AGENT TESLA

Malware

RAT

AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES

5.4.24

StrelaStealer

Malware

Stealer

SonicWall Capture Labs threat research team has observed an updated variant of StrelaStealer. StrelaStealer is an infostealer malware known for targeting Spanish-speaking users and focuses on stealing email account credentials from Outlook and Thunderbird.

5.4.24

Sync-Scheduler

Malware

Stealer

This study provides a detailed overview of Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. This paper explores how Sync-Scheduler works, how it avoids detection, and how it creates a strong payload.

5.4.24

Rhadamanthys

Malware

Stealer

Recently Updated Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign

4.4.24

CVE-2024-2758

Vulnerability CVE

Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.

4.4.24

CVE-2024-27983

Vulnerability CVE

4.4.24

CVE-2024-28182

Vulnerability CVE

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream.

4.4.24

CVE-2023-45288

Vulnerability CVE

4.4.24

CVE-2024-30255

Vulnerability CVE

4.4.24

CVE-2024-27919 

Vulnerability CVE

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to a flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded.

4.4.24

CVE-2024-31309

Vulnerability CVE

4.4.24

CVE-2024-24549

Vulnerability CVE

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.

4.4.24

CVE-2024-27316

Vulnerability CVE

4.4.24

CVE-2024-2653

Vulnerability CVE

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

4.4.24

VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Alert

Alert

HTTP allows messages to include named fields in both header and trailer sections. These header and trailer fields are serialised as field blocks in HTTP/2, so that they can be transmitted in multiple fragments to the target implementation.

4.4.24

HTTP/2 ‘Rapid Reset’ DDoS attack

Attack

HTTP

A number of Google services and Cloud customers have been targeted with a novel HTTP/2-based DDoS attack which peaked in August. These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.

4.4.24

HTTP/2 CONTINUATION Flood

Attack

HTTP

tl;dr: Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation.

4.4.24

CVE-2024-22023

Vulnerability CVE

SA: CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023 (XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

4.4.24

CVE-2024-22053

Vulnerability CVE

(CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

4.4.24

CVE-2024-22052 

Vulnerability CVE

(CVSS score: 7.5) - A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.

4.4.24

CVE-2024-21894

Vulnerability CVE

A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.

4.4.24

CVE-2024-29748

Vulnerability CVE

Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

4.4.24

CVE-2024-29745 

Vulnerability CVE

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.

3.4.24

Mispadu

Malware

Banking

Breaking Boundaries: Mispadu's Infiltration Beyond LATAM

3.4.24

CVE-2024-2879

Vulnerability CVE

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

3.4.24

Napoli Ransomware

ALERTS

Ransom

Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints.

3.4.24

Emergence of new Vultur banking trojan variant in mobile threat landscape

ALERTS

Virus

A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. In the recent campaign, victims are lured into installing a trojanized version of a security app via a link sent through SMS, along with instructions provided via a phone call.

3.4.24

Indonesian Businesses Targeted in an Agent Tesla Campaign

ALERTS

Virus

Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries.

2.4.24

XZ Backdoor

Malware

Backdoor

Everything I Know About the XZ Backdoor

2.4.24

UNAPIMON

Malware

Backdoor

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

2.4.24

Cuckoobees

Operation

Operation

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

2.4.24

CVE-2024-3094

Vulnerability CVE

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.

2.4.24

Earth Freybug

Group

Group

This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.

2.4.24

VenomRAT

Malware

RAT

VenomRAT: A remote access tool with dangerous consequences

1.4.24

PROXYLIB

Malware

APP

Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes

1.4.24

Vultur

Malware

Android

Android Malware Vultur Expands Its Wingspan