January(137) February(207) March(430) April(317) May(278) June(237) July(216) August(316) September(0) October(0) November(0) December(0)
DATE | NAME | CATEGORY | SUBCATE | INFO |
31.8.24 | AA24-242A #StopRansomware: RansomHub Ransomware | REPORT | Ransomware | #StopRansomware: RansomHub Ransomware |
31.8.24 | Insecure Platform Key (PK) used in UEFI system firmware signature | ALERT | ALERT | A vulnerability in the user of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered. |
31.8.24 | NoteMark < 0.13.0 - Stored XSS | WebApps | Multiple | |
31.8.24 | Gitea 1.22.0 - Stored XSS | WebApps | Multiple | |
31.8.24 | Invesalius3 - Remote Code Execution | WebApps | Python | |
31.8.24 | Windows TCP/IP - RCE Checker and Denial of Service | DoS | Windows | |
31.8.24 | 2024-08-30 - Approximately 11 days of server scans and probes | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
31.8.24 | 2024-08-29 - Phishing email and traffic to fake webmail login page | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
31.8.24 | 2024-08-26 - GuLoader for Remcos RAT | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
31.8.24 | 2024-08-12 - XLoader/Formbook infection | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
31.8.24 | Corona Mirai variant distributed via vulnerability exploitation | BOTNET | Mirai malware variant dubbed Corona has been recently distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities including CVE-2017-17215 in Huawei Routers and CVE-2014-8361 affecting Realtek. | |
31.8.24 | LummaC2 Stealer variant spread via PowerShell execution | VIRUS | LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealing malware often sold under the Malware-as-a-Service (MaaS) model. This malware primary functionality is to steal confidential data from the infected endpoints and exfiltrate it to the C2 servers controlled by the attackers. | |
31.8.24 | Middle East targeted by malware using fake Palo Alto VPN | VIRUS | A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. It can execute PowerShell commands, manage processes, and encrypt data. | |
31.8.24 | VIRUS | X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details. | ||
31.8.24 | CVE-2024-38653 - XXE vulnerability in Ivanti Avalanche | VULNEREBILITY | CVE-2024-38653 is a high severity (CVSS score 7.5) XML External Entity (XXE) vulnerability affecting SmartDeviceServer in Ivanti Avalanche, which is an enterprise endpoint management solution allowing for centralized device management within an organization. | |
31.8.24 | Iranian threat actor Elfin deploys 'Tickler' backdoor | VIRUS | Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE). | |
31.8.24 | Phishing campaign targets Japan Labor Union Workers | PHISHING | A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers. | |
30.8.24 | Voldemort | CAMPAIGN | CAMPAIGN | The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” |
30.8.24 | GreenCharlie | APT | GROUP | GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware |
30.8.24 | Masquerades | MALWARE | Backdoor | Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool |
30.8.24 | Malicious npm Packages | HACKING | Malware | North Korea Still Attacking Developers via npm |
30.8.24 | SLOW#TEMPEST | CAMPAIGN | APT | From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users |
30.8.24 | CVE-2023-22527 | VULNEREBILITY | CVE | Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem |
30.8.24 | noMu Backdoor | MALWARE | Backdoor | APT Attack Case Analysis Report Using noMu Backdoor |
30.8.24 | APT32 | APT | APT | Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders |
30.8.24 | APT29 | APT | APT | State-backed attackers and commercial surveillance vendors repeatedly use the same exploits |
30.8.24 | CVE-2023-41993 | VULNEREBILITY | CVE | A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023) |
30.8.24 | CVE-2024-4671 | VULNEREBILITY | CVE | A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024) |
30.8.24 | CVE-2024-5274 | VULNEREBILITY | CVE | A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024) |
29.8.24 | A new Snake Keylogger variant | VIRUS | A new Snake Keylogger malware variant has been reported by the researchers from Fortinet. The malware is spread via phishing in form of malicious .xls attachments. The distributed Excel files contain an exploit for an old WordPad RTF vulnerability CVE-2017-0199. The attackers also leverage .hta files, VBscript and PowerShell code within the attack chain of this campaign. | |
29.8.24 | Advanced dropper distributes 'Angry Stealer' infostealer via Telegram | VIRUS | An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer,' which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram. | |
29.8.24 | Godzilla webshell deployment campaign | CAMPAIGN | A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and leverage ViewState function to distribute malicious webshells into the victim's environment. | |
29.8.24 | Czech Republic officials hit by malware campaign using NATO-themed lures | VIRUS | A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and heavily relied on open-source offensive tools. | |
29.8.24 | Critical vulnerability CVE-2023-22527 exploited for cryptomining activities | VULNEREBILITY | According to reports, the critical vulnerability CVE-2023-22527 is actively being exploited in the wild. This vulnerability is a severe OGNL injection flaw in Atlassian Confluence Data Center and Server. Threat actors are exploiting it for cryptojacking, transforming compromised systems into cryptomining networks. The attack vector includes deploying shell scripts and XMRig miners while maintaining persistence through cron jobs. | |
29.8.24 | US voters targeted in phishing campaign | PHISHING | With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. Domains with "vance" in them were excluded due to that string being found in many English words and domains unrelated to the election. | |
29.8.24 | Rocinante mobile malware | Rocinante is a malware variant observed prevalently in campaigns targeted at mobile users in Brazil. Functionality-wise Rocinante has the ability to steal information via keylogging, initiate remote access sessions, simulate swipe movements or touche events on the infected device. The malware might also be leveraged for phishing attacks by displaying bogus login websites and thus targeting the theft of banking credentials. | ||
29.8.24 | Emerging loader Emmental spreads malware via disguised binaries | VIRUS | A loader called Emmental has been detected in use, being distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. It has been part of several campaigns globally using the Bunny.net CDN provider and WebDAV servers to distribute various malware payloads, such as CryptBot, AsyncRAT, Lumma, Meduza stealer, Xworm, and SectopRAT. The functionality of this tool matches the capabilities advertised in underground markets. | |
29.8.24 | New macOS variant of the HZ RAT backdoor emerges | VIRUS | A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat. | |
29.8.24 | AA24-241A Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | REPORT | REPORT | Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations |
29.8.24 | CVE-2024-7029 | VULNEREBILITY | CVE | Commands can be injected over the network and executed without authentication. |
29.8.24 | Fortra FileCatalyst Workflow Static HSQLDB Password | VULNEREBILITY | CVE | Fortra Catalyst Workflow contains a static HSQLDB password that can be used by a remote attacker to access the service with administrative access. |
28.8.24 | CVE-2024-38856 | VULNEREBILITY | CVE | Apache OFBiz Incorrect Authorization Vulnerability |
28.8.24 | CVE-2024-6386 | VULNEREBILITY | CVE | The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. |
28.8.24 | HZ Rat | MALWARE | MacOS | HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat |
27.8.24 | Versa Director Zero-Day Exploitation | VULNEREBILITY | Zero-Day | Taking the Crossroads: The Versa Director Zero-Day Exploitation |
27.8.24 | Phishing campaign targeting users in Asia Pacific regions | CAMPAIGN | Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to 3rd party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves. | |
27.8.24 | SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials | CAMPAIGN | In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks. | |
27.8.24 | Phishing campaign targets VPN users with Cheana Infostealer malware | CAMPAIGN | A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. The malware, dubbed Cheana Stealer, collects and exfiltrates various types of information such as in-browser stored data, cookies, passwords, cryptocurrency wallets, and cryptocurrency browser extensions. The Linux and macOS versions have the additional capability of stealing SSH keys and Keychain data. | |
27.8.24 | Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools | VIRUS | Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as SectopRAT, LummaC2, and Redline, primarily through drive-by downloads. | |
27.8.24 | Attackers Spreading Malware via Infected Websites | VIRUS | Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server. | |
27.8.24 | SpyNote Variant Lurks In South Africa Impersonating Two Major Banks | VIRUS | Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information. | |
27.8.24 | Cthulhu Stealer | VIRUS | Researchers have recently observed another malware-as-a-service (MaaS) that targets Mac users dubbed Cthulhu. This malware gets delivered as a disk image (DMG) with platform-specific binaries and developed in GoLang. It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access. | |
27.8.24 | CVE-2024-0519 | VULNEREBILITY | CVE | Out-of-bounds memory access in V8 |
27.8.24 | CVE-2024-2886 | VULNEREBILITY | CVE | Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024) |
27.8.24 | CVE-2024-2887 | VULNEREBILITY | CVE | Type confusion in WebAssembly (demonstrated at Pwn2Own 2024) |
27.8.24 | CVE-2024-3159 | VULNEREBILITY | CVE | Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024) |
27.8.24 | CVE-2024-4671 | VULNEREBILITY | CVE | Use-after-free in Visuals |
27.8.24 | CVE-2024-4761 | VULNEREBILITY | CVE | Out-of-bounds write in V8 |
27.8.24 | CVE-2024-4947 | VULNEREBILITY | CVE | Type confusion in V8 |
27.8.24 | CVE-2024-5274 | Type confusion in V8 | ||
27.8.24 | CVE-2024-7971 | VULNEREBILITY | CVE | Type confusion in V8 |
27.8.24 | CVE-2024-39717 | VULNEREBILITY | CVE | The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. |
27.8.24 | VULNEREBILITY | AI | Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information | |
27.8.24 | CVE-2024-40766 | VULNEREBILITY | CVE | SonicOS Improper Access Control Vulnerability |
26.8.24 | CVE-2024-27132 | VULNEREBILITY | CVE | Cross-site Scripting in MLFlow |
26.8.24 | CVE-2024-31214 | VULNEREBILITY | CVE | (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution |
26.8.24 | CVE-2024-24809 | VULNEREBILITY | CVE | (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type |
26.8.24 | NGate | MALWARE | Android | NGate Android malware relays NFC traffic to steal cash |
25.8.24 | Aurba 501 - Authenticated RCE | WebApps | Linux | |
25.8.24 | HughesNet HT2000W Satellite Modem - Password Reset | WebApps | Hardware | |
25.8.24 | Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure | WebApps | Hardware | |
25.8.24 | Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass | WebApps | Hardware | |
25.8.24 | Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config | WebApps | Hardware | |
25.8.24 | Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass | WebApps | Hardware | |
25.8.24 | Helpdeskz v2.0.2 - Stored XSS | WebApps | PHP | |
25.8.24 | Calibre-web 0.6.21 - Stored XSS | WebApps | Multiple | |
25.8.24 | sedexp | MALWARE | Linux | Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules |
24.8.24 | CVE-2021-33044 | VULNEREBILITY | CVE | (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability |
24.8.24 | CVE-2021-33045 | VULNEREBILITY | CVE | (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability |
24.8.24 | CVE-2021-31196 | VULNEREBILITY | CVE | (CVSS score: 7.2) - Microsoft Exchange Server Information Disclosure Vulnerability |
24.8.24 | CVE-2022-0185 | VULNEREBILITY | CVE | (CVSS score: 8.4) - Linux Kernel Heap-Based Buffer Overflow Vulnerability |
24.8.24 | Peaklight downloader malware activity reported | VIRUS | Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain. | |
24.8.24 | CVE-2024-4885 - Progress Software WhatsUp Gold RCE vulnerability | VULNEREBILITY | CVE-2024-4885 is a recently disclosed critical (CVSS score 9.8) unauthenticated remote code vulnerability affecting Progress Software WhatsUp Gold, which is a network monitoring software. The exploitation of the bug might allow unauthenticated attackers to execute arbitrary commands with iisapppool/nmconsole privileges. | |
24.8.24 | Sedexp Linux malware uses udev rules for persistence | VIRUS | Sedexp is a recently identified threat affecting Linux environments. Sedexp malware has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. Udev is a device manager system on Linux that allows for management of device nodes in the /dev directory. | |
24.8.24 | PG_MEM - malware targeting PostgreSQL servers for cryptomining | VIRUS | PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute force attacks against vulnerable PostgreSQL database servers. Once the attackers obtain access to the server, an attempt is made to establish persistence by creating a new privileged account. Later on, the threat actors initiate system discovery and deliver the PG_MEM dropper payload that ultimately delivers a XMRig cryptominer to the infected machine. | |
24.8.24 | Qilin ransomware | RANSOMWARE | RANSOMWARE | Qilin ransomware caught stealing credentials stored in Google Chrome |
24.8.24 | PEAKLIGHT | MALWARE | Downloader | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware |
23.8.24 | CMoon: A .NET-based malware worm in Russian gas sector | VIRUS | CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables. | |
23.8.24 | Casbaneiro in the UAE: Impersonating Sharjah Ports Authority | GROUP | In cybersecurity, ports and related authorities are high-value targets for threat actors due to their integral roles in global supply chains and connections to industries such as transportation, logistics, energy, and government sectors. Crooks often disguise themselves as port authorities to lure other industries into phishing scams or social engineering attacks. | |
23.8.24 | NGate - a novel Android malware able to relay NFC data to the attackers | VIRUS | A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones and over to the attackers' devices. | |
23.8.24 | North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT | VIRUS | A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker’s server, which subsequently fetch the final payload, the Lilith RAT. The Lilith RAT, written in C++, is an open-source remote control software that facilitates additional remote operations. | |
23.8.24 | Insom ransomware | RANSOM | Insom malware is the latest variant from the Makop ransomware family. The malware encrypts user files and appends .Insom extension to the renamed file names. A unique victim ID and a malware developers' email address is also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint. | |
23.8.24 | Toll Road Smishing Scams Increasingly Target U.S. Drivers | PHISHING | The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes. | |
23.8.24 | TodoSwift: New macOS threat masquerading as a PDF | VIRUS | A new macOS malware dubbed TodoSwift has been identified as disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing. | |
23.8.24 | North Korean-based threat actor develops MoonPeak RAT | VIRUS | MoonPeak is a somewhat recently discovered remote access Trojan (RAT) which has been attributed to North Korean-based threat actors. This RAT is a variant of the open-source XenoRAT malware and has seen multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure. | |
23.8.24 | Cthulhu | MALWARE | MacOS | From the Depths: Analyzing the Cthulhu Stealer Malware for macOS |
23.8.24 | FM11RF08S | MALWARE | Backdoor | MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors |
23.8.24 | CVE-2024-28987 | VULNEREBILITY | CVE | Web Help Desk Hardcoded Credential Vulnerability (CVE-2024-28987) |
23.8.24 | CVE-2024-20399 | VULNEREBILITY | CVE | A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. |
23.8.24 | ALBeast | VULNEREBILITY | CVE | The Hunt for ALBeast: A Technical Walkthrough |
22.8.24 | CVE-2024-0519 | VULNEREBILITY | CVE | Out-of-bounds memory access in V8 |
22.8.24 | CVE-2024-2886 | VULNEREBILITY | CVE | Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024) |
22.8.24 | CVE-2024-2887 | VULNEREBILITY | CVE | Type confusion in WebAssembly (demonstrated at Pwn2Own 2024) |
22.8.24 | CVE-2024-3159 | VULNEREBILITY | CVE | Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024) |
22.8.24 | CVE-2024-4671 | VULNEREBILITY | CVE | Use-after-free in Visuals |
22.8.24 | CVE-2024-4761 | VULNEREBILITY | CVE | Out-of-bounds write in V8 |
22.8.24 | CVE-2024-4947 | VULNEREBILITY | CVE | Type confusion in V8 |
22.8.24 | CVE-2024-5274 | VULNEREBILITY | CVE | Type confusion in V8 |
22.8.24 | CVE-2024-7971 | VULNEREBILITY | CVE | Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
22.8.24 | LiteSpeed Cache | VULNEREBILITY | CVE | Critical Privilege Escalation in LiteSpeed Cache Plugin |
22.8.24 | CVE-2024-6800 | VULNEREBILITY | CVE | An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. |
22.8.24 | CVE-2024-6337 | VULNEREBILITY | CVE | An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. |
22.8.24 | CVE-2024-7711 | VULNEREBILITY | CVE | An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. |
22.8.24 | PG_MEM | MALWARE | CRYPTOCURRENCY | PG_MEM: A Malware Hidden in the Postgres Processes |
22.8.24 | CVE-2024-38206 | VULNEREBILITY | CVE | Microsoft Copilot Studio Information Disclosure Vulnerability |
21.8.24 | MoonPeak | MALWARE | RAT | MoonPeak malware from North Korean actors unveils new details on attacker infrastructure |
21.8.24 | Styx | MALWARE | Stealer | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove |
21.8.24 | TodoSwift | MALWARE | MacOS | TodoSwift Disguises Malware Download Behind Bitcoin PDF |
21.8.24 | Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks | VIRUS | Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks. | |
21.8.24 | Cybercriminals' Relentless Use of Fake CVs to Breach Corporate Defenses | CRIME | There is a long list of social engineering tactics in the cybersecurity world, and while it is always fluctuating, some methods are well-established such as sending fake CVs. This tactic involves emailing a fake Curriculum Vitae (CV) and motivation letter, often targeting HR departments or managers. | |
21.8.24 | QWERTY Stealer: New infostealer variant | VIRUS | QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads. | |
21.8.24 | Styx Stealer malware | VIRUS | Styx Stealer is a new infostealing malware variant discovered by the researchers from Checkpoint. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, Telegram and Discord sessions, among others. | |
21.8.24 | New Msupedge backdoor employs communication via DNS traffic | VIRUS | A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen. | |
21.8.24 | A new and emerging malware dubbed UULoader | ALERTS | VIRUS | Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are known as a method of malware distribution. The new malware strain identified is 'UULoader,' used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users. |
21.8.24 | CVE-2024-6220 | VULNEREBILITY | CVE | (CVSS score: 9.8) - An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site's server, ultimately resulting in code execution |
21.8.24 | CVE-2024-6467 | VULNEREBILITY | CVE | (CVSS score: 8.8) - An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information |
21.8.24 | CVE-2024-5441 | VULNEREBILITY | CVE | (CVSS score: 8.8) - An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server and execute code |
21.8.24 | CVE-2024-6411 | VULNEREBILITY | CVE | (CVSS score: 8.8) - A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator |
21.8.24 | pwish | HACKING | PHISHING | Be careful what you pwish for – Phishing in PWA applications |
21.8.24 | UTG-Q-010 | GROUP | GROUP | UTG-Q-010: Targeted Attack Campaign Against the AI and Gaming Industry |
21.8.24 | WireServing | EXPLOIT | EXPLOIT | "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services |
21.8.24 | CharmingCypress | MALWARE | Families | CharmingCypress: Innovating Persistence |
21.8.24 | TA453 | GROUP | GROUP | Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset |
21.8.24 | BlindEagle | APT | APT | BlindEagle flying high in Latin America |
21.8.24 | CVE-2024-23897 | VULNEREBILITY | CVE | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. |
21.8.24 | UULoader | MALWARE | Loader | Meet UULoader: An Emerging and Evasive Malicious Installer. |
21.8.24 | NUMOZYLOD | MALWARE | Maas | Finding Malware: Unveiling NUMOZYLOD with Google Security Operations |
21.8.24 | Xeon Sender | TOOL | Phishimg/Spam | Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials |
21.8.24 | CVE-2024-38193 | VULNEREBILITY | CVE | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
21.8.24 | FIN7 | APT | APT | FIN7: The Truth Doesn't Need to be so STARK |
20.8.24 | RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam | VIRUS | Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors - including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries - are being targeted. | |
20.8.24 | Ailurophile Infostealer | VIRUS | Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophiles' capabilities include theft of data stored in browsers including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from the compromised machines according to a predefined search criteria such as keywords in filenames or specific extensions. | |
20.8.24 | Fake Apps target Indian government's PM Kisan Yojana beneficiaries | VIRUS | The PM Kisan Yojana is a historic initiative by the Indian government that is currently benefiting around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, which is distributed in three equal installments of INR 2,000 each. | |
20.8.24 | Hawk Eye Ransomware | RANSOM | A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background. | |
20.8.24 | Crypto Investment Scams Posing as Tesla | CRYPTOCURRENCY | A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram. | |
20.8.24 | Threat actor Damselfly conducts campaigns against the U.S. and Israel | APT | Damselfy (aka APT42, Charming Kitten) is a well established Iranian-based threat actor. The group has routinely attacked high value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals. | |
20.8.24 | BANSHEE Infostealer | VIRUS | Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets. | |
20.8.24 | New Gafgyt botnet variant observed in the wild | BOTNET | A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign targeting endpoints with weak SSH credentials that deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities including system discovery, command execution, scan for exposed SSH/Telnet access and brute force attack execution against the targeted systems. The second binary is a XMRig cryptominer used to mine the Monero cryptocurrency. | |
20.8.24 | New ValleyRAT malware distribution campaign | VIRUS | A new ValleyRAT malware distribution campaign targeted at Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components including shellcode being executed for reflective DLL loading and a beaconing module used for fetching of additional components. The payload of the campaign - ValleyRAT is a multi-staged malware variant with capabilities including monitoring of user activities, screenshot grabbing, plugin execution, arbitrary file download and others. | |
20.8.24 | Cyclops Go-based malware | VIRUS | Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as "Microsoft SqlServer.exe" executable in an attempt to impersonate SQL server update file and to possibly be deployed on otherwise vulnerable server instances. | |
17.8.24 | .env Files to Breach Cloud Accounts in Extortion Campaign | INCIDENT | Cloud Computing | Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments |
16.8.24 | SharpRhino | MALWARE | RAT | SharpRhino – New Hunters International RAT Identified by Quorum Cyber |
16.8.24 | Tusk | CAMPAIGN | Malware | Tusk: unraveling a complex infostealer campaign |
16.8.24 | ValleyRAT | MALWARE | RAT | A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers |
16.8.24 | Cuckoo | MALWARE | MacOS | Update: Cuckoo Malware Evolves |
16.8.24 | BANSHEE | MALWARE | MacOS | Beyond the wail: deconstructing the BANSHEE infostealer |
16.8.24 | Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement | ALERT | ALERT | Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information. |
16.8.24 | Cyclops Go-based malware | VIRUS | Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as "Microsoft SqlServer.exe" executable in an attempt to impersonate SQL server update file and to possibly be deployed on otherwise vulnerable server instances. | |
16.8.24 | Pupy RAT distributed in recent UTG-Q-010 APT campaign | VIRUS | Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masqueraded as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment. | |
16.8.24 | Discovery of tools and batch scripts targeting Windows and Linux systems | HACKING | According to a recent DFIR report, a range of threat actor tools has been found that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, and disable systems. Among the discovered tools were Ngrok for proxy services and SystemBC, along with two well-known command-and-control frameworks: Sliver and PoshC2. | |
16.8.24 | Malspam attacks target AnyDesk and Microsoft Teams | VIRUS | Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system. | |
16.8.24 | New macOS malware uses SwiftUI and OpenDirectory API for credential theft | VIRUS | A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following: | |
16.8.24 | .shop gTLD becomes a new favorite to spread waves of cryptocurrency spam emails | SPAM | Lately, .shop gTLD has been heavily abused by threat actors to spread cryptocurrency spam emails. Shop gTLD (generic top-level domain) was launched in 2016 and is specially designed for online shopping or e-commerce platforms and can be used by retailers and e-commerce stores, among others. | |
16.8.24 | Datablack ransomware | RANSOM | Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends .Datablack extension to the renamed file name. The ransom note is dropped in form of a text file called #Recovery.txt, where attackers ask the victims to contact them via email addresses provided for further instructions regarding data decryption. | |
16.8.24 | Gigabud mobile malware shows links to the Golddigger trojan | VIRUS | A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, the distribution of the new variant has expanded and now it targets various countries across the world. The malware is often spread via phishing websites masqueraded as Google Play Store or sites impersonating various banks or governmental entities. | |
16.8.24 | CVE-2024-38856 - Apache OFBiz Pre-Authentication RCE vulnerability | VULNEREBILITY | CVE-2024-38856 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote code execution vulnerability affecting Apache OFBiz versions up to 18.12.14. The vulnerability originates from a flaw in the override view functionality. Once exploited it allows unauthenticated attackers with remote code execution via crafted requests. | |
16.8.24 | Allarich Ransomware | RANSOM | A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt." | |
16.8.24 | Phishing campaign impersonates Google Safety Centre | CAMPAIGN | A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware. | |
16.8.24 | Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader | GROUP | A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with disguised government official documents containing embedded VBA macros that deliver the ABCloader payload upon execution. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server for remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection. | |
16.8.24 | Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN | PHISHING | A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities. | |
16.8.24 | Grayfly evolves its attack vectors with new loaders and tactics | VIRUS | Grayfly(also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control. | |
16.8.24 | DeathGrip: Emergence of a new Ransomware-as-a-Service | RANSOM | A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. Their payloads, created using leaked ransomware builders, are already being observed in real-world attacks, enabling individuals with minimal technical skills to deploy fully developed ransomware attacks. | |
16.8.24 | Spoofed Australian Taxation Office (ATO) email notifications appear in phish runs | SPAM | The Australian Taxation Office (ATO) is Government of Australia's revenue collection authority. Recently, Symantec has observed phishing attempts mimicking ATO, enticing users to open fake notification emails. The email mentions that a notice of assessment requires user's immediate attention due to an ongoing scheduled maintenance. | |
16.8.24 | CVE-2024-40628/CVE-2024-40629 - JumpServer File Read and Upload vulnerabilities | VULNEREBILITY | CVE-2024-40628 and CVE-2024-40629 are recently disclosed file reading and uploading vulnerabilities affecting the JumpServer Ansible module. Successful exploitation of the flaw might allow low-privilege accounts with access to read/write files in the Celery container, posing both risk of sensitive information disclosure as well as potential arbitrary code execution within the context of the affected application. | |
16.8.24 | Phishers targeting users in South Korea with tax receipts | PHISHING | Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major account firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the Nation Tax Service in South Korea, 'NTS_eTaxInvoice.html' | |
15.8.24 | CVE-2024-38173 | VULNEREBILITY | CVE | Microsoft Outlook Remote Code Execution Vulnerability |
15.8.24 | CVE-2024-38198 | VULNEREBILITY | CVE | Windows Print Spooler Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-38202 | VULNEREBILITY | CVE | (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-21302 | VULNEREBILITY | CVE | (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-38199 | VULNEREBILITY | CVE | (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability |
15.8.24 | CVE-2024-38213 | VULNEREBILITY | CVE | (CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability |
15.8.24 | CVE-2024-38107 | VULNEREBILITY | CVE | (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-38106 | VULNEREBILITY | CVE | (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-38193 | VULNEREBILITY | CVE | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
15.8.24 | CVE-2024-38178 | VULNEREBILITY | CVE | (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability |
15.8.24 | CVE-2024-38189 | VULNEREBILITY | CVE | (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability |
15.8.24 | CVE-2024-7570 | VULNEREBILITY | CVE | (CVSS score: 8.3) - Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user |
15.8.24 | CVE-2024-7569 | VULNEREBILITY | CVE | (CVSS score: 9.6) - An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information |
15.8.24 | Actor240524 | GROUP | APT | New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel |
15.8.24 | ArtiPACKED | HACKING | HACKING | ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts |
15.8.24 | RansomHub | RANSOMWARE | RANSOMWARE | Ransomware attackers introduce new EDR killer to their arsenal |
15.8.24 | Gafgyt | BOTNET | BOTNET | Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments |
15.8.24 | River of Phish | CAMPAIGN | Phishing | SPEAR-PHISHING CASES FROM EASTERN EUROPE 2022-2024A TECHNICAL BRIEF |
15.8.24 | CVE-2024-5916 | VULNEREBILITY | CVE | (CVSS score: 6.0) - An information exposure vulnerability in PAN-OS software that enables a local system administrator to access secrets, passwords, and tokens of external systems |
15.8.24 | CVE-2024-5915 | VULNEREBILITY | CVE | (CVSS score: 5.2) - A privilege escalation (PE) vulnerability in the GlobalProtect app on Windows devices that enables a local user to execute programs with elevated privileges |
15.8.24 | CVE-2024-28986 | VULNEREBILITY | CVE | SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability (CVE-2024-28986) |
15.8.24 | Earth Baku | CAMPAIGN | CAMPAIGN | A Dive into Earth Baku’s Latest Campaign |
15.8.24 | GhostWrite | PAPERS | CPU | RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzi |
15.8.24 | GhostWrite | VULNEREBILITY | CPU | RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzi |
13.8.24 | CVE-2024-33892 | VULNEREBILITY | CVE | (CVSS score: 7.4) - Information leakage through cookies |
13.8.24 | CVE-2024-33893 | VULNEREBILITY | CVE | (CVSS score: 2.1) - XSS when displaying the logs due to improper input sanitization |
13.8.24 | CVE-2024-33894 | VULNEREBILITY | CVE | (CVSS score: 1.0) - Execution of several processes with elevated privileges |
13.8.24 | CVE-2024-33895 | VULNEREBILITY | CVE | (CVSS score: 4.4) - Usage of a unique key to encrypt the configuration parameters |
13.8.24 | CVE-2024-33896 | VULNEREBILITY | CVE | (CVSS score: 3.3) - Code injection due to improper parameter blacklisting |
13.8.24 | CVE-2024-33897 | VULNEREBILITY | CVE | (CVSS score: N/A) - A compromised devices could be used to request a Certificate Signing Request (CSR) from Talk2m for another device, resulting in an availability issue |
13.8.24 | Compromising Microsoft's AI Healthcare Chatbot Service | INCIDENT | AI | Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources. |
13.8.24 | CVE-2024-7589 | VULNEREBILITY | CVE | OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. |
13.8.24 | APT trends report Q2 2024 | ANALÝZA | APT | For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs). |
11.8.24 | Devika v1 - Path Traversal via 'snapshot_path' | WebApps | Python | |
11.8.24 | Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path | Local | Windows | |
11.8.24 | SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path | Local | Windows | |
11.8.24 | Oracle Database 12c Release 1 - Unquoted Service Path | Local | Windows | |
11.8.24 | Ivanti vADC 9.9 - Authentication Bypass | WebApps | Multiple | |
11.8.24 | Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation | Exploit | Local | Windows |
11.8.24 | QuickShell | EXPLOIT | EXPLOIT | QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share |
11.8.24 | CVE-2024-38272 | VULNEREBILITY | CVE | (CVSS score: 7.1) - A vulnerability that allows an attacker to bypass the accept file dialog on Windows |
11.8.24 | CVE-2024-38271 | CVE | (CVSS score: 5.9) - A vulnerability that forces a victim to stay connected to a temporary Wi-Fi connection created for sharing | |
11.8.24 | 2024-08-08 - Sixteen days of server scans and probes | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
11.8.24 | 2024-07-23 - Eight days of server scans and probes | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
10.8.24 | Breaching AWS Accounts Through Shadow Resources | VULNEREBILITY | CVE | The cloud seems complex, but it's what happens behind the scenes that really complicates things. Some services utilize others as resources as part of their logic/operation. Interestingly enough, it turns out that this could lead to catastrophic results if done unsafely. |
10.8.24 | CVE-2024-38200 | CVE | Microsoft Office Spoofing Vulnerability | |
10.8.24 | CVE-2024-27459 | CVE | The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. | |
10.8.24 | CVE-2024-24974 | CVE | The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. | |
10.8.24 | CVE-2024-27903 | CVE | OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | |
10.8.24 | CVE-2024-1305 | CVE | tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space | |
10.8.24 | OpenVPN vulnerabilities | CVE | Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE | |
10.8.24 | CVE-2023-50809 | CVE | A vulnerability in the Sonos One Gen 2 Wi-Fi stack that does not properly validate an information element while negotiating a WPA2 four-way handshake, leading to remote code execution | |
10.8.24 | CVE-2023-50810 | CVE | In certain Sonos products before Sonos S1 Release 11.12 and S2 release 15.9, a vulnerability exists in the U-Boot component of the firmware that allow persistent arbitrary code execution with Linux kernel privileges. A failure to correctly handle the return value of the setenv command can be used to override the kernel command-line parameters and ultimately bypass the Secure Boot implementation. This affects PLAY5 gen 2, PLAYBASE, PLAY:1, One, One SL, and Amp. | |
10.8.24 | Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities | CVE | Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition. | |
9.8.24 | English-Spanish Speaking Ransomware Actor Targets Linux Machines | RANSOM | Symantec has recently observed a Linux Ransomware variant binary that appears to be connected to a English and Spanish-speaking Double-extortion Ransomware actor. At this time, their modus-operandi remains unclear, but the ransomware exhibits the following behavior. | |
9.8.24 | Cryptocurrency-themed lure sites used for phishing attacks | CRYPTOCURRENCY | Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typo-squatter subdomains like the following. | |
9.8.24 | New malspam campaigns delivering multiple Trojans | SPAM | A number of malspam campaigns were seen which delivered various Trojans by attempting to exploit an old Microsoft Office vulnerability. CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload. We observed GuLoader, Remcos RAT, and Sankeloader infostealer as payloads. | |
9.8.24 | Sora AI-themed branding used to distribute malware | AI | Threat Actors have created various phishing sites that impersonate official Sora platforms to lure victims into downloading files disguised as legitimate Sora software in order to distribute harmful payloads, including data stealers and cryptocurrency miners. When users attempt to install what is believed to be authentic application(s), the files trigger malicious processes that compromise the victim’s system. | |
9.8.24 | Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users | PHISHING | Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials. | |
9.8.24 | New file-less ransomware variant Cronus discovered | RANSOM | A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection. | |
9.8.24 | RHADAMANTHYS Stealer Targeting Users in Israel | VIRUS | RHADAMANTHYS stealer, active since 2013 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako," (two prominent businesses in Israel) extracts three components - a malicious executable, a DLL file, and a support file. Upon execution, RHADAMANTHYS employs anti-analysis techniques to avoid detection and initiates a multi-staged infection process to establish a presence on the compromised system. | |
9.8.24 | 0.0.0.0 Day | EXPLOIT | EXPLOIT | 0.0.0.0 Day: Exploiting Localhost APIs From the Browser |
9.8.24 | Downgrade Attacks | HACKING | Attack | Windows Downdate: Downgrade Attacks Using Windows Updates |
9.8.24 | CVE-2024-21302 | CVE | (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability | |
9.8.24 | CVE-2024-38202 | CVE | (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability | |
9.8.24 | StopRansomware BlackSuit (Royal) Ransomware | RANSOMWARE | RANSOMWARE | The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content are noted. |
9.8.24 | CVE-2024-4885 | CVE | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges. | |
8.8.24 | SbaProxy leveraged to hijack legitimate antivirus software | EXPLOIT | A recent report detailed how threat actors are leveraging a tool dubbed 'SbaProxy' disguised as a legitimate anti-virus software component to be able to create a proxy connection through a C2 server. The tool is distributed with malicious intent and in multiple formats such as DLLs, EXEs, and PowerShell scripts, which makes it challenging to detect due to its authentic look and advanced functionality. | |
8.8.24 | Lynx Ransomware | RANSOM | Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on their website. They claim to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society. | |
8.8.24 | Malware campaign exploits secureserver.net domain to deploy banking trojan | CAMPAIGN | A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. | |
8.8.24 | Chameleon trojan targets hospitality Industry | VIRUS | A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application. | |
8.8.24 | Zola - a new Proton ransomware variant | RANSOM | Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption the malware appends .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices if present. | |
8.8.24 | How Malicious Actors Are Leveraging Cloud Services | GROUP | The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure. | |
8.8.24 | Italian campaign targeting certified email users delivers Vidar infostealer | CAMPAIGN | The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script which in turn leads to the final payload. | |
8.8.24 | Mispadu (aka URSA) Trojan Malware | VIRUS | Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese as their language settings. Similar to their previous campaigns, a spam email themed as an overdue invoice serves as the initial vector, it then lures users to download a malicious ZIP file. | |
7.8.24 | SLUBStick | EXPLOIT | Linux | SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel |
7.8.24 | CVE-2024-42008 | CVE | A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header | |
7.8.24 | CVE-2024-42009 | CVE | A cross-site scripting flaw that arises from post-processing of sanitized HTML content | |
7.8.24 | CVE-2024-42010 | CVE | An information disclosure flaw that stems from insufficient CSS filtering | |
7.8.24 | GoGra | MALWARE | Backdoor | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services |
7.8.24 | CrowdStrike Reveals | INCIDENT | INCIDENT | External Technical Root Cause Analysis — Channel File 29 |
7.8.24 | Chameleon | MALWARE | Mobil Trojan | Chameleon is back in Canada and Europe |
7.8.24 | XDSpy phishing campaign targets organizations in Russia and Moldova | PHISHING | A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown. | |
7.8.24 | Spike in activity delivering Magniber ransomware | RANSOM | A spike in activity leading up to the infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods including malvertisements, delivery via cracked software installers or exploitation of known vulnerabilities, etc. | |
7.8.24 | OSX and Windows malware spread under the disguise of meeting or productivity software | VIRUS | Ongoing campaigns spreading malware under the disguise of meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading under the productivity app called Wasper or the Clusee meeting application. | |
7.8.24 | HeadLace backdoor distributed by the Swallowtail APT | VIRUS | The latest research from Palo Alto reports on recent HeadLace backdoor distribution campaign being attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in efforts to distribute the malicious payloads. | |
7.8.24 | Persistent IRATA attacks in Italy | SPAM | Their modus operandi hasn't changed much over that period; they mainly leverage malicious SMS (smishing) messages containing URL redirections to their malicious apps as the vector of infection. They constantly rotate their social engineering tactics, with Symantec having observed multiple Italian financial services being abused for masquerading purposes. | |
7.8.24 | Are faxes still relevant? This credential harvesting campaign thinks so | CAMPAIGN | Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications include subjects similar to 'Incoming Fax Delivered for user**@****.com' and instructs users to open the attached HTML and enter their credentials in order to view the fax. | |
7.8.24 | Lumma Stealer via Social Media and AI-Related Lure | VIRUS | There's been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma. | |
7.8.24 | Trust (Crypto) Wallet users targeted with a new phishing wave | CRYPTOCURRENCY | Trust Wallet is a crypto wallet that provides its users services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phish runs that impersonate Trust Wallet services and entice users to open fake notification emails. | |
7.8.24 | BITSLOTH Backdoor | VIRUS | BITSLOTH is a Windows backdoor that researcher have uncovered in Latin America that exploits the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years, can log keystrokes, capture screens, and gather extensive data. | |
6.8.24 | Moonstone Sleet | GROUP | GROUP | Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access |
| 6.8.24 | CVE-2024-38856 | CVE | Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. | |
6.8.24 | Android Security Bulletin—August 2024 | OS | Android | The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-08-05 or later address all of these issues. |
| 6.8.24 | LianSpy | MALWARE | Android | LianSpy: new Android spyware targeting Russian users |
5.8.24 | STRRAT | MALWARE | RAT | Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware |
5.8.24 | CVE-2024-6242 | ICS | Vulnerebility | Rockwell Automation Logix Controllers |
5.8.24 | BlankBot | MALWARE | Android Banking | BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities |
5.8.24 | StormBamboo | MALWARE | Backdoor | StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms |
4.8.24 | Panamorfi | CAMPAIGN | DDOS | A New Discord DDoS Campaign |
3.8.24 | Increased Activity Against Apache OFBiz CVE-2024-32113 | SANS | SANS | As part of its extensive project portfolio, the Apache Foundation supports OFBiz, a Java-based framework for creating ERP (Enterprise Resource Planning) applications. OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical. |
3.8.24 | APT28 | APT | APT | Today, APT28 is consistently attributed to GRU Unit 26165, 85th Main Special Service Centre (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU). This attribution is mainly based on an indictment unsealed by the US Department of Justice (DoJ) in 2018. |
3.8.24 | Fighting Ursa | APT | APT | A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT). |
3.8.24 | APT41 | APT | APT | APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike |
3.8.24 | BITSLOTH | MALWARE | Backdoor | BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor |
3.8.24 | BlankBot Mobile banking trojan targeting Turkish users | VIRUS | BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over and collect information from the infected device. | |
3.8.24 | NetSupport RAT Campaign | VIRUS | NetSupport Manager has been weaponized by threat actors to perform malicious activities and executes as a Remote Access Trojan (RAT). Over time various campaigns have been identified each instance building on the previous in attempts to evolve evasion techniques through multiple obfuscation updates. | |
3.8.24 | AutoIT scripts leveraged by the latest Konni RAT malware | VIRUS | Konni RAT malware observed in a recent distribution campaign has been leveraging AutoIT scripts for detection evasion. The attack chain includes the use of .LNK files contained within .zip archives. The .lnk shortcut files are often disguised as documents and have double extensions present, for example ".hwp.lnk". | |
3.8.24 | Spike of activity observed for the Neshuta malware | VIRUS | During the last month Symantec observed a spike of activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector variant that's been observed in the threat landscape space as early as 2005. It's main function is to prepend virus code to executable files and collect basic system information. | |
3.8.24 | Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in a recent attacks | APT | As reported by researchers from Cisco Talos, Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to exploit an old and vulnerable version of Microsoft Office IME file (imecmnt.exe) for the purpose of second-stage loader and payload execution. | |
3.8.24 | Bloody Wolf delivers STRRAT malware | VIRUS | A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies. | |
3.8.24 | Mandrake mobile spyware | VIRUS | A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps called AirFS was first uploaded to the store back in 2022 and remained available for download up until March this year. | |
3.8.24 | TgRAT malware returns with a Linux variant | VIRUS | TgRAT is a malware variant discovered back in 2022 and initially targeting the Windows systems. Earlier this month a Linux version of this RAT has been observed as being distributed in the wild. Upon infection of the targeted machine the malware is used to execute arbitrary commands/scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot | |
2.8.24 | SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme | RANSOM | Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code. | |
2.8.24 | DeerStealer malware spread via fake Google Authenticator websites | VIRUS | A new malicious campaign distributing infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread under the disguise of fake Google Authenticator app and the malicious binary is hosted on the Github repository. | |
2.8.24 | SMS Stealer - extensive Android malware distribution campaign | VIRUS | An ongoing large-scale operation distributing a Android malware variant called SMS Stealer has been reported to infect mobile devices across the world. The campaign has been active since at least 2022 and targeting victims in 113 countries. | |
2.8.24 | ModiLoader malware campaign targeting Small and Medium-Sized Business (SMB) in Poland | VIRUS | Modiloader (aka DBatLoader) malware has been deployed in a recent campaigns targeting Small and Medium-Sized Business (SMB) in Poland, Italy and Romania. Modiloader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. Modiloader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload usually varies and the reported campaigns have been executing malware from Agent Tesla, Remcos or Formbook families. | |
2.8.24 | DoNot APT Targeting Pakistani Android Mobile Users | APT | APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection. | |
2.8.24 | Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation | RANSOM | Malware evolution in the threat landscape is the singular reason cybersecurity professionals can’t rest, and Ransomware-as-a-Service (RaaS) is no different. From its first known form in 2012 as Reveton to the most recent inception of Eldorado ransomware, with early incidents reportedly raking in amounts of $400K USD a month to modern-day data breaches costing over $1M and sometimes far in excess of that figure. | |
2.8.24 | Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware | CAMPAIGN | A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. This file exploits a known security flaw (CVE-2017-0199) to establish contact with a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping. The domain then retrieves an RTF file exploiting CVE-2017-11882, leading to the delivery of JavaScript malware. | |
2.8.24 | Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware Scripts | PHISHING | A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service. | |
2.8.24 | Recent activities attributed to the UNC4393 threat group | GROUP | The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group has been known to leverage a wide variety of malware variants and custom tools in their attacks including Basta ransomware, KnotWrap dropper, KnotRock tool, DawnCry dropper or the PortYard tunneler. | |
2.8.24 | Exela Stealer continues to be distributed in the wild | VIRUS | Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks. | |
2.8.24 | Flame Stealer malware | VIRUS | Flame Stealer is a new C/C++based infostealing malware variant advertised for sale on Discord and Telegram. The malware has the functionality to collect and exfiltrate various information about the infected machine, Discord tokens, clipboard data, credentials, banking information and browser cookies, among others. | |
2.8.24 | Sitting Ducks | ATTACK | Domain | Researchers at Infoblox and Eclypsium have discovered that a powerful attack vector in the domain name system (DNS) is being widely exploited across many DNS providers. |
2.8.24 | BingoMod | MALWARE | RAT | BingoMod: The new android RAT that steals money and wipes data |
2.8.24 | ERIAKOS | CAMPAIGN | Scam | "ERIAKOS" Scam Campaign: Detected by Recorded Future’s Payment Fraud Intelligence Team |
2.8.24 | Certification | DigiCert Revocation Incident (CNAME-Based Domain Validation) | ||
2.8.24 | CAMPAIGN | The Securonix Threat Research team has been monitoring the threat actors behind the ongoing investigation into the DEV#POPPER campaign, we have identified additional malware variants linked to the same North Korean threat actors using similar, stealthy malicious code execution tactics, though now with much more robust capabilities. | ||
2.8.24 | GROUP | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies | ||
2.8.24 | RAT | A trojan for Linux with a wide range of functions and the ability to be remotely controlled via a Telegram bot. The source code is written in Go and encrypted with RSA. | ||
2.8.24 | RAT | At the first stage, the dropper checks the parameters (arguments) used for its launch: this impacts the intermediate persistence stage. If there are input arguments, the add_payload stage begins (named after the function that performs it). | ||
2.8.24 | SMS | Unmasking the SMS Stealer: Targeting Several Countries with Deceptive Apps | ||
2.8.24 | APT | Turla: A Master’s Art of Evasion | ||
2.8.24 | Spyware | Mandrake spyware sneaks onto Google Play again, flying under the radar for two years | ||
2.8.24 | Loader | Phishing targeting Polish SMBs continues via ModiLoader | ||
2.8.24 | PHISHING | OneDrive Pastejacking: The crafty phishing and downloader campaign | ||
2.8.24 | PHISHING | OneDrive Pastejacking: The crafty phishing and downloader campaign | ||
2.8.24 | CVE | VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | ||
2.8.24 | CVE | Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132. | ||