DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
31.3.24 | Vultur | Malware | Android | The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. |
31.3.24 | Atomic Stealer | Malware | MacOS | Infostealers continue to pose a threat to macOS users |
30.3.24 | liveSite Version 2019.1 - Remote Code Execution | WebApps | PHP | |
30.3.24 | WinRAR version 6.22 - Remote Code Execution via ZIP archive | Remote | Windows | |
30.3.24 | Dell Security Management Server <1.9.0 - Local Privilege Escalation | Local | Linux | |
30.3.24 | Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure | Remote | Hardware | |
30.3.24 | RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service | DoS | Hardware | |
30.3.24 | Broken Access Control - on NodeBB v3.6.7 | WebApps | Multiple | |
30.3.24 | Purei CMS 1.0 - SQL Injection | WebApps | PHP | |
30.3.24 | Workout Journal App 1.0 - Stored XSS | WebApps | PHP | |
30.3.24 | Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) | Remote | Multiple | |
30.3.24 | LimeSurvey Community 5.3.32 - Stored XSS | WebApps | PHP | |
30.3.24 | Nagios XI Version 2024R1.01 - SQL Injection | WebApps | Multiple | |
30.3.24 | Wallos < 1.11.2 - File Upload RCE | WebApps | PHP | |
30.3.24 | Tourism Management System v2.0 - Arbitrary File Upload | WebApps | PHP | |
30.3.24 | LBT-T300-mini1 - Remote Buffer Overflow | Remote | Linux | |
30.3.24 | MobileShop master v1.0 - SQL Injection Vuln. | WebApps | PHP | |
30.3.24 | Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS | WebApps | PHP | |
30.3.24 | SPA-CART CMS - Stored XSS | WebApps | PHP | |
30.3.24 | Craft CMS 4.4.14 - Unauthenticated Remote Code Execution | WebApps | PHP | |
30.3.24 | CVE-2024-20767 - Adobe ColdFusion vulnerability | ALERTS | Vulnerability | CVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, a development platform for building and deploying web and mobile applications. If successfully exploited, this vulnerability allows unauthenticated remote attackers to read arbitrary files on the system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts to prevent further infection or damage to the system. |
30.3.24 | Sync-Scheduler Infostealer | ALERTS | Virus | An infostealer dubbed Sync-Scheduler, written in C++, has been reported as being distributed concealed within Office document files. The malware employs file-nesting techniques to conceal its presence and is equipped with anti-analysis and defense evasion techniques. Upon compromising a system, it searches the users' personal directories for office documents such as Word, PowerPoint, and Excel files. |
30.3.24 | WarzoneRAT malware re-emerges with new samples | ALERTS | Virus | WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan variant used by various threat groups in recent years. The malware's functionality allows for remote control, remote shell and file operations, credential theft, keylogging, UAC bypass and more. Back in February 2024 the FBI dismantled the Warzone RAT malware operation and seized the infrastructure associated with this threat. |
30.3.24 | TheMoon malware targets thousands of insecure routers | ALERTS | Virus | A new malicious campaign featuring an updated version of TheMoon, a notorious malware family, has been reported. This latest variant of TheMoon appears to target insecure, outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware uses them to route traffic through a proxy service known as Faceless. |
30.3.24 | Beware of FlightNight | ALERTS | Virus | A new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight" it is likely the work of the same threat actor. |
30.3.24 | CVE-2024-3094 | CVE | | Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. |
30.3.24 | TheMoon | Malware | Worm | Linksys Worm ("TheMoon") Captured |
30.3.24 | CVE-2024-1086 | CVE | | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. |
30.3.24 | WallEscape | CVE | | Unraveling WallEscape: A Linux Vulnerability Exposing User Passwords and Hijacking Clipboards |
30.3.24 | CVE-2024-28085 | CVE | | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) |
30.3.24 | Darcula | Phishing | PhaaS | Out of the shadows – ’darcula’ iMessage and RCS smishing attacks target USPS and global postal services |
30.3.24 | DinodasRAT | Malware | RAT | DinodasRAT Linux implant targeting entities worldwide |
28.3.24 | Dropper disguised as legitimate PuTTy Software | ALERTS | Virus | A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, although it has since been removed. It appeared just before the official PuTTY website. This ad raised suspicion due to the domain name, which was unrelated to PuTTY. |
28.3.24 | Mispadu Stealer extends its reach | ALERTS | Virus | Mispadu Stealer (known also as Ursa) has shown some increased activity in recent distribution campaigns. While originally this malware has been mostly targeting LATAM countries, the recently observed activity shows European countries to be targeted this time around as well. |
28.3.24 | Qilin ransomware remains an active threat in the landscape | ALERTS | Ransom | Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. Qilin is known to be distributed under a Ransomware-as-a-Service (RaaS) model with its operators often employing double extortion tactics. |
28.3.24 | SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities | ALERTS | Virus | Recent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and Connectwise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux, used by the threat actors to download and execute secondary payloads on the infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns. |
28.3.24 | Operation FlightNight | Operation | CyberSpy | Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign |
28.3.24 | CVE-2023-29357 | CVE | | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
28.3.24 | CVE-2023-24955 | CVE | | Microsoft SharePoint Server Remote Code Execution Vulnerability |
28.3.24 | CVE-2024-21388 | CVE | | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
28.3.24 | CVE-2024-21388 | CVE | | CVE-2024-21388: Microsoft Edge’s Marketing API Exploited for Covert Extension Installation |
28.3.24 | CVE-2023-48022 | CVE | | Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. |
28.3.24 | ShadowRay | Campaign | AI | ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild |
28.3.24 | NARWHAL SPIDER | Group | APT | NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. |
28.3.24 | Agent Tesla | Malware | Loader | Agent Tesla's New Ride: The Rise of a Novel Loader |
27.3.24 | Stately Taurus APT Campaign Targeting Asian Countries | ALERTS | APT | Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month targeting Asian countries. Two malware packages were created and deployed for this recent attack - one is a ZIP format and the other one is a SCR file. |
27.3.24 | VCURMS and STRRAT being delivered via links in spam messages | ALERTS | Virus | A Java downloader has been discovered delivering the VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs then download a modified Rude Stealer and a keylogger for data exfiltration. |
27.3.24 | ZENHAMMER: Rowhammer Attacks | Attack | CPU | on AMD Zen-based Platforms |
27.3.24 | I-Soon | Hacking Firm | Hacking Firm | Unmasking I-Soon: The Leak That Revealed China’s Cyber Operations |
27.3.24 | Earth Krahang | Group | APT | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks |
27.3.24 | RedAlpha | Campaign | Campaign | Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. |
27.3.24 | Earth Lusca | Group | APT | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections |
27.3.24 | BRONZE VINEWOOD | Group | APT | DETAILS ON BRONZE VINEWOOD, IMPLICATED IN TARGETING OF THE U.S. ELECTION CAMPAIGN |
27.3.24 | EvilOSX | Malware | osx | |
27.3.24 | Trochilus RAT | Malware | RAT | Trochilus is a RAT written in C++, which is available on GitHub. |
26.3.24 | VCURMS and STRRAT being delivered via links in spam messages | ALERTS | Virus | A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. |
26.3.24 | New backdoor WineLoader | ALERTS | Virus | Phishing attacks impersonating political parties, with an invite lure to diplomats for a wine-tasting event, have been used to deploy WineLoader malware. WineLoader is a new backdoor variant that shares features with BurntBatter, BeatDrop, and MuskyBeat, which are associated with APT29. Once deployed, WineLoader collects and exfiltrates information from the infected machine (victim's username, process name, device name etc.) to the C2. The C2 can then decide to execute additional modules to perform further tasks such as establishing persistence. |
26.3.24 | New remote control backdoor leveraging malicious drivers emerges in China | ALERTS | Virus | In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors behind the campaign utilized malicious kernel-mode drivers to carry out exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard inputs, and downloading additional malware files such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to utilize rootkits to conceal malicious code from security tools, thereby weakening defenses and evading detection for extended periods of time. |
26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | ALERTS | Botnet | A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats. |
26.3.24 | CVE-2023-48788 | CVE | | (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability |
26.3.24 | CVE-2021-44529 | CVE | | (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
26.3.24 | CVE-2019-7256 | CVE | | (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability |
26.3.24 | Generic and Automated Drive-by GPU Cache Attacks from the Browser | Papers | Papers | Generic and Automated Drive-by GPU Cache Attacks from the Browser |
26.3.24 | Lord Nemesis Strikes | Group | Hacktivism | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector |
26.3.24 | TA450 | Group | APT | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign |
24.3.24 | Springtail | Group | APT | Springtail APT group abuses valid certificate of known Korean public entity |
24.3.24 | Kimsuky | Group | APT | The Updated APT Playbook: Tales from the Kimsuky threat actor group |
23.3.24 | Implementations of UDP-based application protocols are vulnerable to network loops | Alert | Alert | A novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable UDP-based implementation of an application protocol (e.g., DNS, NTP, TFTP), which can lead to Denial-of-Service (DoS) and/or abuse of resources. |
23.3.24 | GoFetch Attack | Attack | side-channel attack | GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs). |
23.3.24 | minaliC 2.0.0 - Denial of Service | Remote | Windows | |
23.3.24 | CSZCMS v1.3.0 - SQL Injection (Authenticated) | WebApps | PHP | |
23.3.24 | HNAS SMU 14.8.7825 - Information Disclosure | Remote | Hardware | |
23.3.24 | Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi | WebApps | PHP | |
23.3.24 | Simple Task List 1.0 - 'status' SQLi | WebApps | PHP | |
23.3.24 | Blood Bank 1.0 - 'bid' SQLi | WebApps | PHP | |
23.3.24 | Employee Management System 1.0 - 'admin_id' SQLi | WebApps | PHP | |
23.3.24 | Quick.CMS 6.7 - SQL Injection Login Bypass | WebApps | PHP | |
23.3.24 | xbtitFM 4.1.18 - Multiple Vulnerabilities | WebApps | PHP | |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password | Remote | Hardware | |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure | Remote | Hardware | |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection | Remote | Hardware | |
23.3.24 | Backdrop CMS 1.23.0 - Stored XSS | WebApps | PHP | |
23.3.24 | Atlassian Confluence < 8.5.3 - Remote Code Execution | WebApps | Multiple | |
23.3.24 | Gibbon LMS < v26.0.00 - Authenticated RCE | WebApps | PHP | |
23.3.24 | ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE | WebApps | PHP | |
23.3.24 | TYPO3 11.5.24 - Path Traversal (Authenticated) | WebApps | PHP | |
23.3.24 | WEBIGniter v28.7.23 - Stored XSS | WebApps | PHP | |
23.3.24 | WordPress File Upload Plugin < 4.23.3 - Stored XSS | WebApps | PHP | |
23.3.24 | vm2 - sandbox escape | Local | Multiple | |
23.3.24 | UPS Network Management Card 4 - Path Traversal | WebApps | PHP | |
23.3.24 | Nokia BMC Log Scanner - Remote Code Execution | WebApps | Linux | |
23.3.24 | Karaf v4.4.3 Console - RCE | WebApps | Java | |
23.3.24 | LaborOfficeFree 19.10 - MySQL Root Password Calculator | Local | Windows | |
23.3.24 | Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated) | WebApps | PHP | |
23.3.24 | KiTTY 0.76.1.13 - Command Injection | Local | Windows | |
23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow | Local | Windows | |
23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow | Local | Windows | |
23.3.24 | GitLab CE/EE < 16.7.2 - Password Reset | Remote | Java | |
23.3.24 | Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) | Remote | Hardware | |
23.3.24 | Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE) | Remote | Hardware | |
23.3.24 | SolarView Compact 6.00 - Command Injection | Remote | Hardware | |
23.3.24 | Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) | Remote | Hardware | |
23.3.24 | JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) | Remote | Java | |
23.3.24 | SnipeIT 6.2.1 - Stored Cross Site Scripting | WebApps | Multiple | |
23.3.24 | VMware Cloud Director 10.5 - Bypass identity verification | Remote | Multiple | |
23.3.24 | Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE | WebApps | Hardware | |
23.3.24 | Client Details System 1.0 - SQL Injection | WebApps | PHP | |
23.3.24 | OSGi v3.7.2 (and below) Console - RCE | WebApps | Multiple | |
23.3.24 | OSGi v3.8-3.18 Console - RCE | WebApps | Multiple | |
23.3.24 | Human Resource Management System 1.0 - 'employeeid' SQL Injection | WebApps | PHP | |
23.3.24 | QUARTERRIG | Malware | Dropper | Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader. |
23.3.24 | BEATDROP | Malware | Dropper | According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. |
23.3.24 | ROOTSAW | Malware | Spy | Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations |
23.3.24 | WINELOADER | Malware | Loader | APT29 Uses WINELOADER to Target German Political Parties |
22.3.24 | UNC302 | Group | Group | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies |
22.3.24 | CVE-2023-46747 | CVE | | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
22.3.24 | Sign1 Malware | Malware | JavaScript | Sign1 Malware: Analysis, Campaign History & Indicators of Compromise |
22.3.24 | Revenge RAT | Malware | RAT | Revenge RAT via malicious PPAM in Latin America, Portugal and Spain |
22.3.24 | AceCryptor | Malware | RAT | Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries |
22.3.24 | Stealc | Malware | Loader | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. |
22.3.24 | StrelaStealer | Malware | Stealer | StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. |
22.3.24 | AcidRain | Malware | Wiper | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. |
22.3.24 | AcidPour | Malware | Wiper | AcidPour: New Embedded Wiper Variant of AcidRain Appears in Ukraine |
22.3.24 | z0Miner | Hacking | Exploit | z0Miner Exploits Korean Web Servers to Attack WebLogic Server |
22.3.24 | AndroxGh0st | Malware | Android | AndroxGh0st is a Python-based malware designed to target Laravel applications. It works by scanning for and extracting sensitive information from .env files, revealing credentials linked to AWS and Twilio. |
22.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
22.3.24 | UNC5221 | Group | Group | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. |
22.3.24 | CVE-2023-41724 | CVE | | CVE-2023-41724 (Remote Code Execution) for Ivanti Standalone Sentry |
22.3.24 | CVE-2024-1597 | CVE | | pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. |
22.3.24 | Loop DoS | Attack | Application-Layer Protocols | Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols |
20.3.24 | | CVE | | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible. |
20.3.24 | | Crypter | | According to Zscaler, PureCrypter is a fully-featured loader sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. |
20.3.24 | | Loader | | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor |
20.3.24 | | Stealer | | WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous |
20.3.24 | | Stealer | | The GlorySprout or a Failed Clone of Taurus Stealer |
20.3.24 | | CoinMiner | | CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers |
20.3.24 | | Wiper | | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. |
20.3.24 | | RAT | | Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. |
20.3.24 | | Phishing | | A malware campaign employs new TTPs and behaviors to evade detection and deploy NetSupport RAT. |
20.3.24 | | Operation | | Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware |
20.3.24 | | Group | | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions |
20.3.24 | | RAT | | APT37's ROKRAT HWP Object Linking and Embedding |
18.3.24 | | CVE | | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. |
18.3.24 | | CVE | | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier, allowing an encoded payload to cause the web server to return files located outside of the web root, which may lead to data leakage. |
18.3.24 | | CVE | | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells. |
18.3.24 | | Malware | | Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. However, cybercriminals are now exploiting SVGs to deliver malware, posing a new threat to unsuspecting users. |
18.3.24 | | Stealer | | From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites |
18.3.24 | | CVE | | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator. |
18.3.24 | | Stealer | | PowerShell script |
18.3.24 | | Stealer | | The malware was used previously in campaigns from July through August, and September 2023. |
18.3.24 | | JavaScript | | The government computer emergency response team of Ukraine, CERT-UA, detected a malicious document "Nuclear Terrorism A Very Real Threat.rtf", the opening of which leads to the download of an HTML file and the execution of JavaScript code (CVE-2022-30190), which ensures the download and launch of the CredoMap malware. |
18.3.24 | | Backdoor | | X-Force’s analysis revealed that OCEANMAP has a strong overlap in both technique and .NET implementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and used as a base to build the new persistent backdoor. |
18.3.24 | | Python | | Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus |
18.3.24 | | Group | | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns |
18.3.24 | | CVE | | Microsoft Outlook Elevation of Privilege Vulnerability |
17.3.24 | 404 Keylogger | Malware | Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. |
17.3.24 | RisePro stealer | Malware | Stealer | RisePro stealer targets Github users in “gitgub” campaign |
17.3.24 | CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions | Alert | Alert | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware utilizing speculative execution that are vulnerable to Spectre v1 are likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. |
17.3.24 | BunnyLoader 3.0 | Malware | Loader | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled |
16.3.24 | GhostRace | Papers | Vulnerability | GhostRace: Exploiting and Mitigating Speculative Race Conditions |
16.3.24 | GHOSTRACE | Vulnerability | CPU | GhostRace (CVE-2024-2193) is a new attack combining speculative execution and race conditions, two very challenging classes of attacks. |
16.3.24 | CVE-2024-2193 | CVE | | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. |
14.3.24 | CVE-2023-5528 | CVE | | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. |
14.3.24 | CVE-2024-0778 | CVE | | A vulnerability, which was classified as critical, has been found in Uniview ISC 2500-S up to 20210930. Affected by this issue is the function setNatConfig of the file /Interface/DevManage/VM.php. The manipulation of the argument natAddress/natPort/natServerPort leads to os command injection. The exploit has been disclosed to the public and may be used. |
14.3.24 | Pelmeni Wrapper | Malware | Wrapper | Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor) |
14.3.24 | RedCurl | Malware | CyberSpy | Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence |
14.3.24 | zgRAT | Malware | RAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has infostealer capabilities targeting browser information and cryptowallets. |
14.3.24 | Botnet Fenix | BOTNET | BOTNET | Botnet Fenix: New botnet going after tax payers in Mexico and Chile |
14.3.24 | CyberGate | Malware | RAT | According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim’s system. |
14.3.24 | Planet Stealer | Malware | Stealer | Planet Stealer is a recently identified infostealing malware variant. This Go-based malware has been advertised for sale on underground forums. Planet Stealer targets theft of miscellaneous data from the infected endpoints, including user credentials, browser cookies, cryptowallets, session data, configuration files from various communicator apps and software launchers, etc. |
14.3.24 | DBatLoader | Malware | Loader | Latest DBatLoader Uses Driver Module to Disable AV/EDR Software |
14.3.24 | APT-C-36 | Group | APT | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected to originate from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc. |
14.3.24 | Tweaks Stealer | Malware | Stealer | Tweaks Stealer Targets Roblox Users Through YouTube and Discord |
14.3.24 | Phemedrone Stealer | Malware | Stealer | Unveiling Phemedrone Stealer: Threat Analysis and Detections |
14.3.24 | Mispadu | Malware | Banking | According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. |
14.3.24 | DarkGate | Malware | Loader | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. |
14.3.24 | CVE-2024-21412 | CVE | | CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign |
14.3.24 | DarkCasino | Group | APT | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property. |
14.3.24 | CVE-2023-48788 | CVE | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets. | |
13.3.24 | PixPirate | Malware | Android | PixPirate: The Brazilian financial malware you can’t see |
13.3.24 | STRRAT | Malware | RAT | STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird. |
13.3.24 | VCURMS | Malware | Java | Recently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading new VCURMS and STRRAT remote access trojans (RAT). |
13.3.24 | CVE-2024-21407 | CVE | Windows Hyper-V Remote Code Execution Vulnerability | |
13.3.24 | CVE-2024-21408 | CVE | Windows Hyper-V Denial of Service Vulnerability | |
13.3.24 | CVE-2024-21400 | CVE | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | |
13.3.24 | CVE-2024-26170 | CVE | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | |
13.3.24 | CVE-2024-21433 | CVE | Windows Print Spooler Elevation of Privilege Vulnerability | |
13.3.24 | CVE-2024-26198 | CVE | Microsoft Exchange Server Remote Code Execution Vulnerability | |
13.3.24 | CVE-2024-21334 | CVE | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | |
12.3.24 | BIPClip | Malware | PyPI | RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery. |
12.3.24 | CVE-2024-1071 | CVE | | |
12.3.24 | CVE-2024-1468 | CVE | The Avada (Website Builder For WordPress & WooCommerce) theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | |
12.3.24 | Copybara Fraud Operation | Campaign | Operation | On top of this fraud operation architecture, TAs exploit Social Engineering techniques for distributing the Copybara banking trojan, which typically involves smishing and vishing techniques, leveraging native-speaker operators. In particular, several samples reveal TAs distributing Copybara through seemingly legitimate apps, utilizing logos of well-known banks and names that sound authentic, such as “Caixa Sign Nueva”, “BBVA Codigo”, “Sabadell Codigo”. |
12.3.24 | CHAVECLOAK | Malware | Banking | FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware. Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming to steal sensitive information linked to financial activities. |
11.3.24 | Sitecore - Remote Code Execution v8.2 | WebApps | ASPX | |
11.3.24 | Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read | WebApps | Multiple | |
11.3.24 | WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover | WebApps | PHP | |
11.3.24 | Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass | Local | Windows | |
11.3.24 | Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR | WebApps | Hardware | |
11.3.24 | Hide My WP < 6.2.9 - Unauthenticated SQLi | WebApps | PHP | |
11.3.24 | Akaunting < 3.1.3 - RCE | WebApps | PHP | |
11.3.24 | Ladder v0.0.21 - Server-side request forgery (SSRF) | WebApps | Go | |
11.3.24 | DataCube3 v1.0 - Unrestricted file upload 'RCE' | WebApps | PHP | |
11.3.24 | Numbas < v7.3 - Remote Code Execution | WebApps | NodeJS | |
11.3.24 | TP-Link TL-WR740N - Buffer Overflow 'DOS' | WebApps | Hardware | |
11.3.24 | GLiNet - Router Authentication Bypass | WebApps | Hardware | |
11.3.24 | elFinder Web file manager Version - 2.1.53 Remote Command Execution | WebApps | PHP | |
11.3.24 | CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution | WebApps | PHP | |
11.3.24 | CVE-2023-50071 - Multiple SQL Injection | WebApps | PHP | |
11.3.24 | Lot Reservation Management System - Unauthenticated File Disclosure | WebApps | PHP | |
11.3.24 | Lot Reservation Management System - Unauthenticated File Upload and Remote Code Execution | WebApps | PHP | |
11.3.24 | kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition | WebApps | PHP | |
11.3.24 | Neontext Wordpress Plugin - Stored XSS | WebApps | PHP | |
11.3.24 | Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 - Stored XSS | WebApps | Hardware | |
11.3.24 | Easywall 0.3.1 - Authenticated Remote Command Execution | WebApps | Multiple | |
11.3.24 | R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure | Remote | Hardware | |
11.3.24 | GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit | Remote | Hardware | |
11.3.24 | TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution | Remote | Hardware | |
11.3.24 | GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit | Remote | Hardware | |
11.3.24 | GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit | Remote | Hardware | |
11.3.24 | Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) | Remote | Hardware | |
11.3.24 | A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc | Local | Multiple | |
11.3.24 | Boss Mini 1.4.0 - local file inclusion | WebApps | PHP | |
11.3.24 | Magento ver. 2.4.6 - XSLT Server Side Injection | WebApps | Multiple | |
11.3.24 | TPC-110W - Missing Authentication for Critical Function | Remote | Hardware | |
11.3.24 | Enrollment System v1.0 - SQL Injection | Remote | PHP | |
11.3.24 | AC Repair and Services System v1.0 - Multiple SQL Injection | Remote | PHP | |
11.3.24 | Windows PowerShell - Event Log Bypass Single Quote Code Execution | Local | Windows_x86-64 | |
11.3.24 | Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection | Remote | PHP | |
11.3.24 | Simple Student Attendance System v1.0 - Time Based Blind SQL Injection | Remote | PHP | |
11.3.24 | Real Estate Management System v1.0 - Remote Code Execution via File Upload | Remote | PHP | |
11.3.24 | Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload | Remote | PHP | |
11.3.24 | Petrol Pump Management Software v.1.0 - SQL Injection | Remote | PHP | |
11.3.24 | Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file | Remote | PHP | |
11.3.24 | Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting | Remote | PHP | |
11.3.24 | WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection | WebApps | PHP | |
11.3.24 | (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] | Local | Linux | |
11.3.24 | Blood Bank v1.0 - Multiple SQL Injection | WebApps | PHP | |
11.3.24 | Saflok - Key Derivation Function Exploit | Local | Hardware | |
11.3.24 | WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS) | WebApps | PHP | |
11.3.24 | WP Rocket < 2.10.3 - Local File Inclusion (LFI) | WebApps | PHP | |
11.3.24 | Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) | WebApps | Multiple | |
11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - XSRF | Remote | Hardware | |
11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution | Remote | Hardware | |
11.3.24 | Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) | WebApps | PHP | |
11.3.24 | Executables Created with perl2exe < V30.10C - Arbitrary Code Execution | Remote | Multiple | |
11.3.24 | Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin | WebApps | PHP | |
11.3.24 | Automatic-Systems SOC FL9600 FastLine - Directory Traversal | WebApps | PHP | |
11.3.24 | SuperStoreFinder - Multiple Vulnerabilities | WebApps | PHP | |
11.3.24 | Moodle 4.3 - Insecure Direct Object Reference | WebApps | PHP | |
11.3.24 | Zoo Management System 1.0 - Unauthenticated RCE | WebApps | PHP | |
11.3.24 | dawa-pharma 1.0-2022 - Multiple-SQLi | WebApps | PHP | |
11.3.24 | IBM i Access Client Solutions v1.1.2 - 1.1.4, v1.1.4.3 - 1.1.9.4 - Remote Credential Theft | Remote | Windows_x86-64 | |
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure' | Remote | Multiple | |
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS' | DoS | Multiple | |
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration | Remote | Multiple | |
11.3.24 | FAQ Management System v1.0 - 'faq' SQL Injection | Remote | PHP | |
11.3.24 | Flashcard Quiz App v1.0 - 'card' SQL Injection | Remote | PHP | |
11.3.24 | Online Shopping System Advanced - SQL Injection | WebApps | PHP | |
11.3.24 | taskhub 2.8.7 - SQL Injection | WebApps | PHP | |
11.3.24 | comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset | WebApps | PHP | |
11.3.24 | Simple Inventory Management System v1.0 - 'email' SQL Injection | Exploit | Remote | PHP |
11.3.24 | BianLian Ransomware Group | REPORT | Ransomware | BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566]. |
11.3.24 | BianLian | Group | Ransomware | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. |
11.3.24 | BianDoor | Malware | Backdoor | |
11.3.24 | CVE-2023-42793 | CVE | In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible. | |
11.3.24 | CVE-2024-27198 | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | |
11.3.24 | CVE-2024-1403 | CVE | In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. | |
11.3.24 | MAGNET GOBLIN | Group | Group | Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal within 1 day after a PoC for it was published. |
9.3.24 | Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks | Alert | Alert | Kontrol and Elock locks are electronic locks that utilize firmware provided by Sciener. This firmware works in tandem with an app, called the TTLock app, which is also produced by Sciener. |
8.3.24 | CVE-2024-20338 | CVE | A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device. | |
8.3.24 | CVE-2024-20337 | CVE | A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. | |
8.3.24 | CRLF Injection | Attack | OS | The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They’re used to mark the end of a line, but today’s popular operating systems handle them differently. For example, Windows requires both a CR and an LF to mark the end of a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. |
8.3.24 | QEMU Emulator Exploited | Exploit | Exploit | Cyberattackers tend to give preference to legitimate tools when taking various attack steps, as these help them evade detection systems while keeping malware development costs down to a minimum. |
8.3.24 | Jasmin | Ransomware | Ransomware | GoodWill Ransomware? Or Just Another Jasmin Variant? |
8.3.24 | CVE-2024-27199 | CVE | In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. | |
8.3.24 | CVE-2024-27198 | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | |
7.3.24 | MgBot | Malware | Bot | My Tea’s not cold. An overview of China’s cyber threat |
7.3.24 | Evasive Panda | Group | APT | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. |
7.3.24 | Snake | Malware | InfoStealer | In this Threat Analysis Report, Cybereason Security Services dives into the Python Infostealer, delivered via GitHub and GitLab, that ultimately exfiltrates credentials via Telegram Bot API or other well known platforms. |
7.3.24 | WogRAT | Malware | RAT | AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. Said malware supports both the PE format that targets the Windows system and the ELF format that targets the Linux system. |
7.3.24 | TA4903 | Group | Phishing | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids |
7.3.24 | Quishing | Hacking | Mobil | QR codes have had a great run in the past few years, diffusing into almost every aspect of our lives, from looking at restaurant menus and paying for products or services online and offline to accessing websites with greater ease. While the positives of QR codes are clearly visible, both from a business and user perspective, their usage has some pitfalls. |
7.3.24 | 8220 Mining Group | Group | Cryptocurrency | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. |
7.3.24 | Abyss Locker | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. |
7.3.24 | Spinning YARN | Campaign | Campaign | Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence |
7.3.24 | SpyNote | Malware | RAT | The malware has been released on github at https://github.com/EVLF/Cypher-Rat-Source-Code |
7.3.24 | BlackCat (ALPHV) Attack | Ransomware | Ransomware | Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023. |
6.3.24 | CVE-2024-22255 | CVE | VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process. | |
6.3.24 | CVE-2024-22254 | CVE | VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox. | |
6.3.24 | CVE-2024-22253 | CVE | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. | |
6.3.24 | CVE-2024-22252 | CVE | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. | |
6.3.24 | GhostSec | Group | Ransomware | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. |
6.3.24 | UNC1945 | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. |
6.3.24 | APT32 | Group | APT | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. |
6.3.24 | OceanLotus | Malware | OSX | According to PcRisk, research shows that the OceanLotus 'backdoor' targets macOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies. |
6.3.24 | CVE-2024-23296 | CVE | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. | |
6.3.24 | CVE-2024-23225 | CVE | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. | |
6.3.24 | Kimsuky | Group | APT | JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky |
6.3.24 | CVE-2024-1709 | CVE | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | |
6.3.24 | CVE-2024-1708 | CVE | ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | |
6.3.24 | TODDLERSHARK | Malware | VBS | TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant |
5.3.24 | BEWARE THE SHALLOW WATERS: SAVVY SEAHORSE LURES VICTIMS TO FAKE INVESTMENT PLATFORMS THROUGH FACEBOOK ADS | REPORT | REPORT | DNS threat actors never cease to surprise us. Every day, we learn about creative new campaigns they have devised to exploit victims. Investment scams are one of these. The US Federal Trade Commission reported that more money was lost to investment scams in the US during 2023 than to any other type of scam, totaling over USD 4.6 billion stolen from victims. |
5.3.24 | PASS-THE-HASH ATTACK | Attack | PtH | Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session. |
5.3.24 | TA577 | Group | Group | TA577’s Unusual Attack Chain Leads to NTLM Data Theft |
5.3.24 | CVE-2024-23917 | CVE | In JetBrains TeamCity before 2023.11.3, an authentication bypass leading to RCE was possible. | |
5.3.24 | CVE-2024-27199 | CVE | In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. | |
5.3.24 | CVE-2024-27198 | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | |
4.3.24 | Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules | REPORT | REPORT | A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions. |
4.3.24 | Fast Adversarial Attacks on Language Models In One GPU Minute | Papers | Papers | In this paper, we introduce a novel class of fast, beam search-based adversarial attack (BEAST) for Language Models (LMs). |
4.3.24 | Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs | Papers | Papers | We demonstrate how images and sounds can be used for indirect prompt and instruction injection in multi-modal LLMs. |
4.3.24 | ComPromptMized | Attack | AI | ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications |
4.3.24 | CACTUS | Ransomware | Ransomware | CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks |
2.3.24 | MAR-10448362-1.v1 Volt Typhoon | CERT | CERT | CISA received three files for analysis obtained from a critical infrastructure compromised by the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon. |
2.3.24 | CVE-2019-3568 | CVE | A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. | |
2.3.24 | Scattered Spider | Group | Hacking | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. |
2.3.24 | CryptoChameleon | Cryptocurrency | Phishing | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack |
2.3.24 | GUloader | Malware | Loader | GUloader Unmasked: Decrypting the Threat of Malicious SVG Files |
2.3.24 | BlackTech | Group | CyberSpy | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. |
2.3.24 | BIFROSE | Malware | RAT | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users |
2.3.24 | CVE-2023-46805 | CVE | (CVSS score: 8.2) - Authentication bypass vulnerability in web component | |
2.3.24 | CVE-2024-21887 | CVE | (CVSS score: 9.1) - Command injection vulnerability in web component | |
2.3.24 | CVE-2024-21888 | CVE | (CVSS score: 8.8) - Privilege escalation vulnerability in web component | |
2.3.24 | CVE-2024-21893 | CVE | (CVSS score: 8.2) - SSRF vulnerability in the SAML component | |
2.3.24 | CVE-2024-22024 | CVE | (CVSS score: 8.3) - XXE vulnerability in the SAML component | |
2.3.24 | GOLDEN TICKET | Attack | Attack | A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD). |
2.3.24 | Golden SAML | Attack | Attack | Golden SAML, an attack technique that exploits the SAML single sign-on protocol, was used as a post-breach exploit, compounding the devastating SolarWinds attack of 2020—one of the largest breaches of the 21st century. |
2.3.24 | Peach Sandstorm | Group | APT | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. |
2.3.24 | LightBasin | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. |
2.3.24 | GTPDOOR | Malware | Backdoor | GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange |
2.3.24 | CVE-2024-21338 | CVE | Windows Kernel Elevation of Privilege Vulnerability | |
2.3.24 | WINELOADER | Malware | Loader | European diplomats targeted by SPIKEDWINE with WINELOADER |
1.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
1.3.24 | CVE-2024-21887 | CVE | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | |
1.3.24 | CVE-2024-21893 | CVE | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | |
1.3.24 | MINIBIKE | Malware | Backdoor | A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure. |
1.3.24 | MINIBUS | Malware | Backdoor | A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE |
1.3.24 | LIGHTRAIL | Malware | Backdoor | A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure |
1.3.24 | Tortoiseshell | Group | Group | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. |
1.3.24 | Bohrium | Group | Group | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. |
1.3.24 | UNC1549 | BigBrother | CyberSpy | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors |