OctoberTHREATS 2024

January(137) February(207) March(430) April(317) May(278) June(237) July(216) August(316) September(186) October(0) November(0) December(0) | BATTLEFIELD UKRAINE

DATE	NAME	CATEGORY	SUBCATE	INFO
30.10.24	Jumpy Pisces Engages in Play Ransomware	RANSOMWARE	RANSOMWARE	Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident.
30.10.24	CrossBarking	EXPLOIT	VULNEREBILITY	“CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack
30.10.24	Rampant Phishing	CAMPAIGN	PHISHING	You’re Invited: Rampant Phishing Abuses Eventbrite
30.10.24	CryptoAiToolsv0.7	CRYPTOCURRENCY	CRYPTOCURRENCY	A Python toolkit to create and manage crypto trading bots
29.10.24	CVE-2024-7474	VULNEREBILITY	CVE	(CVSS score: 9.1) - An Insecure Direct Object Reference (IDOR) vulnerability that could allow an authenticated user to view or delete external users, resulting in unauthorized data access and potential data loss
29.10.24	CVE-2024-7475	VULNEREBILITY	CVE	(CVSS score: 9.1) - An improper access control vulnerability that allows an attacker to update the SAML configuration, thereby making it possible to log in as an unauthorized user and access sensitive information
29.10.24	Operation Magnus	OPERATION	OPERATION	On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and META infostealers.
29.10.24	Breaking the Barrier: Post-Barrier Spectre Attac	PAPERS	PAPERS	The effectiveness of transient execution defenses rests on obscure model-specific operations that must be correctly implemented in microcode and applied by software. In this paper, we study branch predictor invalidation through.
29.10.24	Breaking the Barrier	VULNEREBILITY	CPU	Speculation barriers, in this case barriers that stop previously learned predictions from being used, are critical for computer software and cloud infrastructure to run securely.
29.10.24	CloudScout	APT	APT	ESET researchers discovered a previously undocumented toolset used by Evasive Panda to access and retrieve data from cloud services
28.10.24	UNC5812	GROUP	GROUP	Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives
28.10.24	BeaverTail	MALWARE	PYTHON	Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview
28.10.24	CVE-2024-38202	VULNEREBILITY	CVE	Windows Update Stack Elevation of Privilege Vulnerability Recently updated
28.10.24	CVE-2024-21302	VULNEREBILITY	CVE	Windows Secure Kernel Mode Elevation of Privilege Vulnerability
28.10.24	Gun Campaign	CAMPAIGN	CAMPAIGN	TeamTNT’s Docker Gatling Gun Campaign
28.10.24	Qilin	RANSOMWARE	RANSOMWARE	New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion
28.10.24	Multi-Turn Context Jailbreak Attack on Larg	PAPERS	PAPERS	Large language models (LLMs) have significantly enhanced the performance of numerous applications, from intelligent conversations to text generation. However, their inherent security vulnerabilities have become an increasingly significant challenge, especially with respect to jailbreak attacks.
28.10.24	CVE-2024-38094	VULNEREBILITY	CVE	Microsoft SharePoint Remote Code Execution Vulnerability
28.10.24	CVE-2024-47575	VULNEREBILITY	CVE	A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests.
28.10.24	Lazarus APT	APT	APT	The Crypto Game of Lazarus APT: Investors vs. Zero-days
28.10.24	CVE-2024-20481	VULNEREBILITY	CVE	Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability
28.10.24	Grandoreiro	MALWARE	BANKING	Grandoreiro, the global trojan with grandiose goals
28.10.24	Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach	CRYPTOCURRENCY	CRYPTOCURRENCY	Trend Micro researchers recently observed a malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency.
28.10.24	CVE-2024-38812	VULNEREBILITY	CVE	VMSA-2024-0019:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
28.10.24	End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosyst	PAPERS	PAPERS	Cloud storage is ubiquitous: Google Drive, Dropbox, and OneDrive are household names. However, these services do not provide end-to-end encryption (E2EE), meaning that the provider has access to the data stored on their servers. The promise of end-to-end encrypted cloud storage is that users can have the best of both worlds, keeping control of their data using cryptographic techniques, while still benefiting from low-cost storage solutions.
28.10.24	Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations	BIGBROTHER	BIGBROTHER	Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
28.10.24	ClickFix	CAMPAIGN	SOCIAL	ClickFix tactic: The Phantom Meet
28.10.24	Latrodectus	MALWARE	LOADER	Analyzing Latrodectus: The New Face of Malware Loaders
28.10.24	CVE-2024-8260	VULNEREBILITY	CVE	A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.
28.10.24	Gophish Framework	PHISHING	CAMPAIGN	Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
28.10.24	Crypt Ghouls	GROUP	GROUP	Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
28.10.24	CVE-2024-37383	VULNEREBILITY	CVE	Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability.
27.10.24	CVE-2024-9487	VULNEREBILITY	CVE	3.14.2: Security fixes
27.10.24	Water Makara	GROUP	GROUP	Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware
27.10.24	FASTCash	MALWARE	LINUX	Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks.
27.10.24	TrickMo	MALWARE	BANKING	Expanding the Investigation: Deep Dive into Latest TrickMo Samples
27.10.24	DarkVision RAT	MALWARE	RAT	DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals.
27.10.24	CVE-2024-38178	VULNEREBILITY	CVE	Scripting Engine Memory Corruption Vulnerability
27.10.24	OperationCodeonToast	OPERATION	OPERATION	AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)
27.10.24	EDRSilencer	TOOL	HACKING	Trend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.
27.10.24	CVE-2024-9486	VULNEREBILITY	CVE	VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder
27.10.24	SideWinder	APT	GROUP	Beyond the Surface: the evolution and expansion of the SideWinder APT group
27.10.24	Cicada3301	RANSOMWARE	RANSOMWARE	Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group
27.10.24	UAT-5647	GROUP	APT	UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
27.10.24	Multiple vulnerabilities affecting Palo Alto Networks Expedition	ALERTS	VULNEREBILITY	Multiple vulnerabilities affecting Palo Alto Networks Expedition have been disclosed this month. The reported flaws (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) have been rated between CVSS 7.0 and CVSS 9.9 and include a mix of command injection, cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities.
27.10.24	CVE-2024-47575 - Fortinet FortiManager Missing Authentication vulnerability	ALERTS	VULNEREBILITY	CVE-2024-47575 is a Zero-day vulnerability affecting Fortinet FortiManager, that has been disclosed just this month. The vulnerability has been rated with a critical CVSS score of 9.8. If successfully exploited, it could allow remote unauthenticated attackers to execute arbitrary code via specially crafted requests.
27.10.24	Parano Stealer	ALERTS	VIRUS	Parano Stealer is another "run-of-the-mill" infostealer variant recently observed in the wild. This Python-based malware has functionality to collect and exfiltrate various information from the compromised endpoints, including: credentials, cookies, miscellaneous data stored in web browsers, cryptocurrency wallets, system information or data from various 3rd party applications like Steam, Telegram or Discord.
27.10.24	Liberium RAT malware	ALERTS	VIRUS	Liberium RAT (also known as ShadowRoot) is a malware variant recently advertised for sale on hacking forums. The malware has the capabilities allowing the attackers remote access to the vulnerable endpoints, file management operations, registry manipulation as well as theft of system related information and other confidential data.
27.10.24	CVE-2024-38094 - Microsoft SharePoint Deserialization vulnerability exploited in the wild	ALERTS	VULNEREBILITY	CVE-2024-38094 is a deserialization vulnerability affecting Microsoft SharePoint, which was initially disclosed and patched back in July 2024. The flaw rated with a CVSS score of 7.2 arises from the product deserializing data without enough verification that the resulting data output will be valid.
27.10.24	Prometei botnet activity	ALERTS	BOTNET	New Prometei botnet activity has been reported in the wild. The botnet has been historically used mostly for Monero cryptomining operations but with time the attackers behind it updated the botnet capabilities to conduct even more complex attacks, allowing for a full control over the infected machines a well as additional arbitrary payload deployments.
27.10.24	DarkComet Backdoor	ALERTS	VIRUS	DarkComet is a powerful Remote Access Trojan (RAT) that remains a significant threat because of its stealthy operations and comprehensive functionality. It enables attackers to remotely control infected devices, exfiltrate sensitive data, and deploy further malware. It can evade detection by altering file attributes, manipulating registry keys and escalating privileges.
27.10.24	Threat actors distribute WarmCookie malware via various campaigns	ALERTS	VIRUS	WarmCookie is malware that has been observed being distributed through various campaigns, including malicious emails. This malware provides initial access to a compromised victim and is used to establish persistence. Additional functionality associated with WarmCookie includes remote command execution, file system manipulation, and payload delivery, among others.
27.10.24	Crystal Rans0m: Rust-Based Hybrid Ransomware	ALERTS	RANSOM	Crystal Rans0m is a Rust-based hybrid ransomware that combines file encryption with data-stealing capabilities that has been observed targeting Italy and Russia. The malware can steal browser data, Discord tokens, Steam files, Riot Games data and utilizes Discord webhooks for data exfiltration.
27.10.24	CVE-2024-9680 - Mozilla Firefox Remote Code Execution vulnerability	ALERTS	VULNEREBILITY	CVE-2024-9680 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Mozilla Firefox and Thunderbird software. The vulnerability has been assigned a critical CVSS score of 9.8 and arises from a "use-after-free" flaw in the animation timeline component of the browser.
27.10.24	Phemedrone Stealer	ALERTS	VIRUS	Phemedrone is an open-source infostealer variant observed being distributed in the wild this year. The malware is written in C# and has the functionality to collect and exfiltrate various sensitive information such as login credentials, data stored in browsers, cookies, credit card information, cryptocurrency wallets, files stored in "My Documents" folders or data from other 3rd party apps such as Steam, Discord or Telegram.
27.10.24	Phemedrone Stealer	ALERTS	VIRUS	Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration.
27.10.24	Akira Ransomware Evolution: A move towards cross-platform adaptability	ALERTS	RANSOM	Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration.
27.10.24	Ghostpulse Malware: Shifting tactics from PNGs to Pixel values	ALERTS	VIRUS	According to recent reports, Ghostpulse malware has evolved its tactics by shifting from hiding its encrypted configuration and payload in the IDAT chunk of PNG files, to embedding it directly within the pixel values themselves to evade detection. In recent campaigns, attackers have employed social engineering techniques such as CAPTCHA validations to deceive users which ultimately triggers malicious commands via Windows keyboard shortcuts.
27.10.24	CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential vulnerability	ALERTS	VULNEREBILITY	CVE-2024-28987 is a recently disclosed hardcoded credential vulnerability affecting the SolarWinds Web Help Desk (WHD) software. The flaw is rated as critical (CVSS score 9.1 and if successfully exploited could allow remote unauthenticated attackers to access internal software functionality and modify data.
27.10.24	Threat actors abusing open-source phishing framework to deliver RATS	ALERTS	VIRUS	A recent report by (CTA) member Cisco Talos has recently disclosed a new phishing campaign abusing the open-source phishing readiness assessment framework named 'Gophish' to deploy one of two attack chains. The first uses Pidief infected Office docs to deploy a newly discovered PowerShell RAT dubbed 'PowerRAT' while the second employs malicious HTML files and GOLoader to deploy DCRAT.
27.10.24	IcePeony: China-linked APT group targeting Southeast Asian governments	ALERTS	APT	A recently identified APT group linked to China dubbed IcePeony has been detected conducting malware campaigns targeting government agencies and institutions in countries such as India, Mauritius, and Vietnam. The group's attack vector often involves SQL injection, leading to compromises via web shells and backdoors that utilize custom malware like "IceCache" to infiltrate networks.
27.10.24	Lumma Stealer delivered via Fake CAPTCHA	ALERTS	VIRUS	Researchers are monitoring an ongoing phishing campaign where attackers appear to have upped their tactics from traditional phishing to incorporating the use of fake CAPTCHA pages and exploiting legitimate software. The intention being to eventually lure users into executing a payload called Lumma Stealer. This infostealing malware is a MaaS (Malware-as-a-Service) variant that steals sensitive data such as passwords and cryptocurrency information.
27.10.24	Phishing Campaign Delivering Wiper Malware	ALERTS	PHISHING	A recent campaign was observed by researchers where threat actors were seen targeting Israeli organizations, by impersonating a certain antivirus vendor and sending out phishing emails warning of state-backed threats. The emails include a link to a fake program that downloads a malware called Wiper, designed to erase data.
27.10.24	Phishing attack aims at Meta Ads Professionals with Quasar RAT	ALERTS	PHISHING	A malware campaign targeting job seekers and digital marketing professionals has been reported. The campaign specifically focuses on Meta Ads professionals and is believed to be driven by a Vietnamese Threat Actor. The attack chain begins with a phishing email containing an archive attachment that disguises a malicious LNK file as a PDF. When opened, the LNK file triggers PowerShell commands that lead to the download and execution of additional scripts, ultimately resulting in the delivery of the Quasar RAT payload.
27.10.24	ClickFix Tactic: New malware campaigns preying on Google Meet users	ALERTS	CAMPAIGN	Various malware campaigns utilizing the emerging ClickFix tactic have been reported since June 2024. One such campaign distributing infostealers through fake Google Meet pages, a popular video communication service has been reported in the wild. Users are lured by emails that appear to be legitimate Google Meet invitations for work meetings, conferences, or other significant events.
27.10.24	Recent malicious activities attributed to the UAT-5647 threat group	ALERTS	GROUP	According to the report published by Cisco Talos, UAT-5647 threat group has been targeting entities in Ukraine and Poland in their most recent campaigns. The threat actors have been distributing two distinct downloader variants called RustyClaw and MeltingClaw, a new RomCom malware variant dubbed SingleCamper, as well as DustyHammock and ShadyHammock backdoors.
27.10.24	Emerging Stealer Variants: Divulge, DedSec, and Duck Stealers	ALERTS	VIRUS	Multiple stealers have been observed being advertised on hacker forums, GitHub, and Telegram, all developed and promoted by the same entity. Notable variants include Divulge Stealer (a copy of Umbral), DedSec Stealer (based on Doenerium), and Duck Stealer (a derivative of AZStealer).
27.10.24	TrickMo targeting Android users with fake lock-screen	ALERTS	VIRUS	Security researchers have recently disclosed a new variant of TrickMo, a mobile banking trojan that targets Android and iOS users. This new variant comes with some new functionality in addition to the existing capabilities, such as screen recording, remote control, and permissions granting.
27.10.24	Lockbit ransomware pretender targets macOS and Windows environments for data theft	ALERTS	RANSOM	A new campaign leveraging a malware variant disguised as Lockbit ransomware has been reported in the wild. The GO-based malware targets both macOS and Windows users in attempts to encrypt and exfiltrate confidential data. The stolen information is uploaded to Amazon AWS S3 buckets controlled by the attacks. The malware encrypts user files, deletes shadow copies on the infected machines and appends .abcd extension to the encrypted files. The ransomware then changes the desktop wallpaper to one copied over from Lockbit 2.0 attacks. This action is clearly a tactic meant to pressure the victims in paying the demanded ransom.
27.10.24	Microsoft Windows Kernel TOCTOU Race Condition Vulnerability (CVE-2024-30088)	ALERTS	VULNEREBILITY	CVE-2024-30088 is a Time-Of-Check Time-Of-Use (TOCTOU) race condition vulnerability in the Microsoft Windows Kernel. It arises when the state of a resource is modified between its validation (check) and actual use, allowing attackers to exploit the gap for privilege escalation.
27.10.24	Leafperforator APT group expands operations into the Middle East and Africa	ALERTS	APT	Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings.
27.10.24	Meduza Stealer	ALERTS	VIRUS	Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings.
27.10.24	New Linux variant of FASTCash malware discovered	ALERTS	VIRUS	A new Linux variant of the FASTCash malware (a tool which CISA has attributed to North Korea) has been discovered. FASTCash is malware that is implanted within compromised networks and leveraged to perform unauthorized banking transactions.
27.10.24	CVE-2024-44849 - Qualitor Remote Code Execution (RCE) vulnerability	ALERTS	VULNEREBILITY	CVE-2024-44849 is a critical (CVSS: 9.8) Remote Code Execution (RCE) vulnerability in Qualitor, which is a platform for managing customer service processes and centralizing services. This exploit allows remote code execution (RCE) through an arbitrary file upload in Qualitor version before 8.24.
27.10.24	ThunderKitty malware	ALERTS	VIRUS	ThunderKitty is a GO-based open-source infostealer variant seen in the wild. The malware has the functionality to collect miscellaneous information from infected machines including banking details, Discord session tokens, cookies, browser history and other data stored in the browsers, etc. ThunderKitty implements several evasion and anti-analysis techniques, VM environment and Debugger presence detection as well as persistence mechanisms.
27.10.24	CVE-2024-45519 - Remote Command Execution vulnerability in Zimbra Collaboration Suite	ALERTS	VULNEREBILITY	CVE-2024-45519 is a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS) affecting versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1. The flaw stems from user input sanitation failure that if successfully exploited might allow the unauthenticated attackers to execute arbitrary code within the context of the vulnerable Zimbra installations.
27.10.24	INTERLOCK Ransomware	ALERTS	RANSOM	A new ransomware actor, going by the name INTERLOCK, has recently emerged in the threat landscape. This group appears to employ a double-extortion tactic. On successful compromise, encrypted files are appended with the ".interlock" extension.
27.10.24	Attackers still using SHTML files to target recipients with phishing	ALERTS	PHISHING	Symantec has recently observed a new phishing campaign using attached SHTML files disguised as import and or payment forms. The messages attempt to entice users to open the attached files to resolve import or billing issues. If the recipient opens the form they are greeted with a fake 'DHL' login page the exfiltrates the entered credentials to a private Telegram channel for the attacker to use later.
27.10.24	MiyaRat: The latest tool from the Bitter APT group	ALERTS	VIRUS	The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been observed deploying a new malware known as MiyaRat. This malware is capable of collecting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions.
27.10.24	CVE-2024-43363 - Cacti RCE vulnerability	ALERTS	VULNEREBILITY	CVE-2024-43363 is a remote code execution (RCE) vulnerability in Cacti, a network monitoring and fault management framework. Successful flaw exploitation happens via log poisoning on the vulnerable instances. This exploitation could ultimately allow the attackers for arbitrary command execution. The vulnerability has been fixed in product version 1.2.28 or higher.
27.10.24	Abuse of Code-Signing Certificates in Lumma Stealer deployment via HijackLoader	ALERTS	VIRUS	A malware campaign has been observed deploying Lumma Stealer using HijackLoader. The attack vector employs a "fake CAPTCHA" to lure users into executing a PowerShell payload that downloads a ZIP archive containing either a DLL or a signed HijackLoader binary.
27.10.24	CoreWarrior Malware	ALERTS	VIRUS	Researchers investigated a malware named CoreWarrior and found that this variant aggressively spreads by creating numerous copies, connecting to various IP addresses, opening multiple backdoor access points, and intercepting Windows UI elements for surveillance purposes.
27.10.24	Core Werewolf utilizes AutoIt loader and Telegram for Cyber attacks	ALERTS	VIRUS	The Core Werewolf threat actor group, which primarily targets Russia's defense industry and critical infrastructure, has been observed using new tools including an AutoIt loader and delivering malicious files via Telegram in addition to email.
27.10.24	ErrorFather Android Trojan	ALERTS	VIRUS	Cerberus Android banking trojan came to light in 2019, and this variant utilizes a multi-stage dropper to deploy its payload and can execute financial fraud through remote attacks, keylogging, and overlay tactics. The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered.
27.10.24	Demodex targeting American telecommunications	ALERTS	VIRUS	APT group 'Squash' has been reported to be utilizing Demodex to target American telecommunications providers. Demodex, a rootkit, is used to establish persistence and then files with fake file headers (PNG, JPEG and WAV have been observed) are used to help evade detection and utilized to establish C2 communications.
27.10.24	CVE-2024-43573 - Microsoft Windows MSHTML Platform spoofing vulnerability	ALERTS	VULNEREBILITY	CVE-2024-43573 is a spoofing vulnerability that has been recently disclosed as part of the October 2024 Patch Tuesday. The vulnerability is affecting Microsoft Windows MSHTML Platform. Assigned with the CVSS score of 6.5 (Moderate) the flaw might allow attackers to execute arbitrary code within the context of the vulnerable application.
27.10.24	New Pronsis Loader malware leveraged for Lumma Stealer and Latrodectus delivery	ALERTS	VIRUS	Pronsis Loader is a new malware variant leveraged recently in campaigns delivering Lumma Stealer and Latrodectus payloads. The malware utilizes executables compiled in JPHP programming language, which is a Java implementation of PHP.
27.10.24	LemonDuck: The evolving Multi-Platform cryptomining malware	ALERTS	VIRUS	LemonDuck, a well-known cryptomining malware, has evolved into a multi-platform threat and has been observed exploiting SMB vulnerabilities, particularly EternalBlue, as part of its attack vector to gain network access.
27.10.24	CVE-2024-7954 - Remote Code Execution vulnerability in SPIP Porte Plume Plugin	ALERTS	VULNEREBILITY	CVE-2024-7954 is a critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability in porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16. SPIP is free software content management system (CMS) for publishing websites
27.10.24	Lynx ransomware - a formidable cyber-extortion threat	ALERTS	RANSOM	A new research published by Palo Alto Networks Unit 42 indicates that the ransomware variant known as Lynx shares a significant portion of its source code with the INC ransomware. The threat operators of Lynx have actively targeted organizations in various sectors (architecture, real estate, retail, and financial/environmental services) in the U.S. and UK. This ransomware operates using a RaaS model, and is disseminated through a variety of attack vectors (deceptive phishing mails, malicious downloads to infect users systems, and hacking forums etc.). Once afflicted with Lynx ransomware the victim(s) data is exfiltrated before encryption following the double extortion approach to obtain a ransom payment.
27.10.24	CVE-2024-43572 - Microsoft Windows Management Console RCE vulnerability	ALERTS	VULNEREBILITY	CVE-2024-43572 is a Microsoft Windows Management Console remote code execution (RCE) vulnerability recently disclosed and patched as part of the October 2024 Patch Tuesday. The vulnerability is exploited through execution of specially crafted malicious Microsoft Saved Console (MSC) files.
27.10.24	Perfctl malware campaign exploiting RocketMQ vulnerability hits Linux Servers worldwide	ALERTS	VULNEREBILITY	A Perfctl malware campaign targeting millions of Linux servers worldwide has been observed. The campaign exploits the CVE-2023-33246 RocketMQ vulnerability. The malware employs rootkits for stealth and process masquerading along with TOR for command and control (C2) communication. As the final payload, it deploys a cryptominer alongside proxy hijacking software. Additionally, the malware utilizes temporary directories and modified system utilities to evade detection.
27.10.24	Kransom ransomware targets gamers by imitating Honkai: Star Rail installer	ALERTS	RANSOM	Reports indicate that Honkai: Star Rail, a popular role-playing game, is being exploited by a new ransomware dubbed Kransom. This ransomware spreads through drive-by-download campaigns, enticing victims by masquerading the malicious binary as a legitimate StarRail game installer and employing valid digital certificates. Upon execution, the malicious DLL is loaded using a dynamic-link library (DLL) side-loading technique, initiating the ransomware’s encryption process.
27.10.24	Havoc Framework	ALERTS	VIRUS	Researchers have found that cybercriminals are increasingly leveraging pen testing tools like the Havoc framework to evade security systems. This tool is less recognized than others, such as Cobalt Strike or Metasploit, which makes it harder to spot. The Mysterious Werewolf group is using strategies similar to the Mythic framework, and phishing emails that mimic legitimate organizations remain a common tactic for gaining unauthorized access.
27.10.24	CleanUpLoader Leveraged By Rhysida	ALERTS	VIRUS	A recent report shed light on a loader/backdoor known as "CleanUpLoader," used by the double-extortion ransomware actor "Rhysida" as an initial vector of infection. It is typically disguised as software installers like Microsoft Teams or Google Chrome. The loader facilitates communication with multiple command-and-control (C2) servers, allowing Rhysida to establish persistence and perform data exfiltration.
27.10.24	New Ivanti CSA vulnerabilities exploited in the wild	ALERTS	VULNEREBILITY	Ivanti has published a new security advisory regarding three recently disclosed Ivanti CSA (Cloud Services Application) vulnerabilities. The reported vulnerabilities are as follows.
27.10.24	Lua-based malware variants target the educational sector	ALERTS	VIRUS	There has been a recent surge in Lua-based malware targeting students, specifically targeted attacks capitalizing on popular games within the student gamer community who are searching for gaming cheats. Fake game cheats are being leveraged by threat actors to trick users into downloading this malware.
27.10.24	Horus Protector	ALERTS	VIRUS	A new malware distribution service has been uncovered called Horus Protector that claims to be a Fully Undetectable (FUD) crypter and distributes various malware families, including AgentTesla, Remcos, Snake, and NjRat. The service distributes malware using a .zip file that contains a VBE script and gathers information from users' machines to transmit to its server.
27.10.24	Threat actors associated with North Korea target tech job seekers with malware	ALERTS	APT	The Contagious Interview campaign started in 2023 and is perpetuated by threat actors associated with North Korea. Recent activity has been observed that can be tied to this campaign with threat actors posing as job recruiters and luring victims into supposed interviews.
27.10.24	A Recent PhantomLoader Campaign	ALERTS	VIRUS	PhantomLoader is a malware that disguises itself as a legitimate 32-bit DLL for a certain antivirus software and was recently found posing as “PatchUp.exe,” a genuine component of the software. The malicious loader was observed using binary patching and self-modifying techniques to load rust-based malware dubbed SSLoad into memory.
27.10.24	Malvertising campaign leads to malicious Windows and Mac payloads	ALERTS	VIRUS	A recently published report identified a campaign whereby advertisers are pushing ads for utility software, such as Slack or Notion, which lead to downloads of malicious payloads. The advertisers registered under existing businesses and distributed ads that target both Windows and Mac users.
27.10.24	Yunit Stealer - an infostealing malware with geofencing capabilities	ALERTS	VIRUS	Yunit Stealer is a malware variant recently distributed in the wild. Yunit has extensive infostealing capabilities including theft and exfiltration of credentials, credit card data, cryptocurrency wallets, cookies, auto-fill data and others. The collected information is exfiltrated via Discord or Telegram webhooks back to the attackers.
27.10.24	Vilsa Stealer	ALERTS	VIRUS	Vilsa Stealer is a new infostealer malware variant identified in the wild. The malware has the functionality to exfiltrate miscellaneous confidential data from the infected machine including: browser data, credentials, autofill data, cookies, banking information, cryptocurrency wallets, Discord tokens and Telegram data, among others.
27.10.24	Falcon Keylogger	ALERTS	VIRUS	Falcon is a keylogger variant recently active in the wild. Older samples of this malware date back even to 2019 while the latest observed are from just last month. Falcon has the functionality to record keystrokes on the infected machine, collect system information, screenshots, etc. The collected data is consecutively exfiltrated to the C2 servers controlled by the attackers.
27.10.24	Nunu Stealer malware	ALERTS	VIRUS	Nunu Stealer is a recently discovered Python-based infostealing malware variant which is based off an older Akira Stealer strain. The functionality includes exfiltration of various confidential information such as banking details, credit card data, credentials, autofill data stored in browsers, cookies, 3rd app session data, Discord tokens, cryptocurrency wallets and more. Nunu can be potentially used by attackers to compromise various user accounts and leverage those for further intrusions.
27.10.24	VeilShell: A new threat from North Korea's Vedalia APT group	ALERTS	APT	According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. This activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper)
27.10.24	SmartLoader Delivering Lumma Stealer	ALERTS	VIRUS	SmartLoader has been traced back to July 2024, involving a private GitHub account called "user-attachments." It starts with a zip archive containing four files: compiler.exe, conf.txt, Launcher.bat, and lua51.dll. The user runs Launcher.bat, which executes compiler.exe with conf.txt, triggering SmartLoader and deploying Lumma Stealer.
27.10.24	Key Group: Targeting Russian users with evolving ransomware	ALERTS	RANSOM	The Key Group is a financially motivated ransomware group that primarily targets Russian users and is known for negotiating with victims via Telegram. Like other groups that leverage leaked ransomware builders, Key Group predominantly utilizes the Chaos ransomware builder, among others, and operates a GitHub repository for its command and control (C2) infrastructure.
27.10.24	BabyLockerKZ - MedusaLocker Ransomware variant	ALERTS	RANSOM	BabyLockerKZ ransomware is a variant of MedusaLocker which has been active since 2023. This variant uses many of the same TTPs as seen in previous MedusaLocker attacks (publicly available tools, custom tools, lolbins, chat and leak sites).
27.10.24	Silver Oryx Blade - a new banking malware targeting Brazil	ALERTS	VIRUS	Silver Oryx Blade is a new banking trojan discovered by the researchers from Scitum. The malware prevalently targets victims from Brazil and attempts to steal banking information from the compromised machines. The infection chain is initiated via phishing emails leveraging financial or tax related lures.
27.10.24	Gorilla Botnet: A new global threat based on Mirai code	ALERTS	BOTNET	Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. This botnet is a modified version of the Mirai source code and is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86. It boasts advanced DDoS attack methods and employs multiple techniques for persistence.
27.10.24	CeranaKeeper APT Campaign	ALERTS	APT	A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group continuously updates its tools, such as backdoors, to evade detection and exploits cloud services like Dropbox and OneDrive for custom solutions.
27.10.24	Fake Update Campaign Delivering WarmCookie Malware	ALERTS	CAMPAIGN	A new campaign in France is using compromised websites to distribute the WarmCookie backdoor through fake update prompts for popular applications like Google Chrome and Java. This tactic, employed by the threat group 'SocGolish', tricks users into downloading malicious software masquerading as legitimate updates for browsers and applications like Java and VMware.
27.10.24	Defi Ransomware	ALERTS	RANSOM	Defi is the newest malware variant from the Makop ransomware family. The malware encrypts user files and appends .defi1328 to them, alongside of a developers' email address and a victim's unique ID. The ransom note is dropped in form of text file called "README-WARNING.txt" within various on the disk.
27.10.24	Stonefly threat group continues to launch extortion attacks against US targets	ALERTS	GROUP	Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward.
27.10.24	K4Spreader and Hadooken Latest Attacks	ALERTS	VULNEREBILITY	Recent research identified an infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities (CVE-2017-10271 and CVE-2020-14883). The attacker used Python and Bash scripts to deploy K4Spreader malware, which delivered the Tsunami backdoor and a cryptominer.
27.10.24	New Rast ransomware threat targets Chinese government entities	ALERTS	RANSOM	A new ransomware threat called Rast has been identified, specifically targeting Chinese government entities. The attack vector includes RDP brute-forcing and exploiting N-day vulnerabilities to gain access to border servers, followed by the manual deployment of ransomware components.
27.10.24	Active malware campaign targeting Russian energy companies and Electronics suppliers	ALERTS	CAMPAIGN	A new malware campaign targeting Russian energy companies and electronic component suppliers has been observed. The malware spreads through email attachments or Yandex Disk links, using RAR archives that contain LNK files to download and execute malicious HTA files. These files generate VBS scripts that ensure persistence via registry keys and scheduled tasks.
27.10.24	CVE-2024-43461 - Windows MSHTML Platform Spoofing vulnerability exploited in the wild	ALERTS	VULNEREBILITY	CVE-2024-43461 is a Windows MSHTML spoofing vulnerability recently disclosed as part of the September 2024 Patch Tuesday. Successful exploiting of this flaw might allow attackers to execute arbitrary code within the context of the application. This flaw has been reported as being exploited in zero-day attacks in conjunction with another MSHTML vulnerability from July - CVE-2024-38112.
27.10.24	North Korean hackers target Cryptocurrency users on LinkedIn with RustDoor malware	ALERTS	CRYPTOCURRENCY	In early September, the FBI warned of North Korean threat actors targeting the crypto industry. A campaign has been reported where these actors attempt to lure potential victims on LinkedIn to deliver RustDoor malware. One user was approached by someone impersonating a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) technology firm, supported by professional-looking websites to enhance the legitimacy of the fake entities.
27.10.24	CVE-2024-6670 - Progress WhatsUp Gold SQL Injection vulnerability	ALERTS	VULNEREBILITY	CVE-2024-6670 is a recently disclosed SQL Injection vulnerability affecting Progress WhatsUp Gold, which is a well known network monitoring software. Successful exploitation of this flaw could allow an unauthenticated attacker to retrieve the user's encrypted passwords. The vulnerability has also been added to the "Known Exploited Vulnerabilities Catalog" by CISA, following reports of active exploitation in conjunction with another WhatsUp Gold vulnerability CVE-2024-6671.
27.10.24	Vulnerabilities in the Common UNIX Printing System (CUPS)	ALERTS	VULNEREBILITY	Symantec is aware of multiple vulnerabilities in the Common UNIX Printing System (CUPS) on UNIX-based systems, where an attacker could exploit certain configurations to gain unauthorized access and perform remote code execution (RCE), particularly by leveraging the cups-browsed service.
27.10.24	Advanced Rhadamanthys Infostealer: AI-Driven threats to Cryptocurrency security	ALERTS	VIRUS	A new version of Rhadamanthys Infostealer with advanced features including the use of artificial intelligence (AI) for optical character recognition (OCR) has been reported.
27.10.24	DCRat (aka Dark Crystal RAT) Trojan Malware	ALERTS	VIRUS	DCRat (aka Dark Crystal RAT) is a modular remote access Trojan available as malware-as-a-service since 2018. It can execute commands, log keystrokes, and exfiltrate data. Recently, it was delivered using HTML smuggling, which embeds and obfuscates the payload within HTML to evade security measures.