BATTLEFIELD UKRAINE
DATE | NAME | CATEGORY | SUBCATEGORY | INFO
29.11.2024 |
OPERATION |
"Operation Undercut" Shows Multifaceted Nature of SDA’s Influence Operations |
||
29.11.2024 |
PHISHING |
Trustwave SpiderLabs has been actively monitoring the rise of Phishing-as-a-Service (PaaS) platforms, which are increasingly popular among threat actors. |
||
29.11.2024 |
CVE |
A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). |
||
28.11.2024 |
HACKING |
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft |
||
28.11.2024 |
LOADER |
Gaming Engines: An Undetected Playground for Malware Loaders |
||
28.11.2024 |
INCIDENT |
An Update on Recent Cyberattacks Targeting the US Wireless Companies |
||
28.11.2024 |
CVE |
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. |
||
27.11.2024 |
BOOTKIT |
Bootkitty: Analyzing the first UEFI bootkit for Linux |
||
27.11.2024 |
APT |
Attacks by the attack group APT-C-60 using legitimate services |
||
27.11.2024 |
BOTNET |
Matrix Unleashes A New Widespread DDoS Campaign |
||
26.11.2024 |
CVE |
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. |
||
26.11.2024 |
CVE |
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. |
||
26.11.2024 |
CVE |
(CVSS score: 9.8) - A use-after-free vulnerability in Firefox's Animation component (Patched by Mozilla in October 2024) |
||
26.11.2024 |
CVE |
(CVSS score: 8.8) - A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024) |
||
26.11.2024 |
GROUP |
RomCom exploits Firefox and Windows zero days in the wild |
||
26.11.2024 |
RAT |
Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries |
||
26.11.2024 |
GROUP |
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions |
||
26.11.2024 |
CVE |
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon." |
||
25.11.2024 |
ATTACK |
The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform |
||
25.11.2024 |
ROOTKIT |
When Guardians Become Predators: How Malware Corrupts the Protectors |
||
23.11.2024 |
GROUP |
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON |
||
22.11.2024 |
APT |
Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell |
||
22.11.2024 |
GROUP |
Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY |
||
22.11.2024 |
GROUP |
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike |
||
22.11.2024 |
STEALER |
Malicious packages for AI integration containing infostealer malware were found in the Python Package Index repository. |
||
22.11.2024 |
CVE |
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) |
||
22.11.2024 |
CVE |
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface |
||
21.11.2024 |
LINUX BACKDOOR |
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine |
||
21.11.2024 |
GROUP |
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine |
||
21.11.2024 |
MALWARE |
Attacks on Ukraine’s Energy Infrastructure: Harm to the Civilian Population |
||
21.11.2024 |
CVE |
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. |
||
21.11.2024 |
STEALER |
Python NodeStealer Targets Facebook Ads Manager with New Techniques |
||
20.11.2024 |
NFC |
Ghost Tap: New cash-out tactic with NFC Relay |
||
19.11.2024 |
CVE |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. |
||
19.11.2024 |
CVE |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system’s real Python interpreter). The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3). |
||
19.11.2024 |
CVE |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable. |
||
19.11.2024 |
CVE |
Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps. |
||
19.11.2024 |
GROUP |
Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector |
||
19.11.2024 |
CVE |
(CVSS score: 8.8) - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content |
||
19.11.2024 |
CVE |
(CVSS score: 6.1) - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content |
||
19.11.2024 |
CVE |
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework |
||
19.11.2024 |
BOTNET |
One Sock Fits All: The use and abuse of the NSOCKS botnet |
||
19.11.2024 |
RANSOMWARE |
Helldown Ransomware: an overview of this emerging threat |
||
19.11.2024 |
CVE |
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. |
||
19.11.2024 |
LOADER |
Babble Babble Babble Babble Babble Babble BabbleLoader |
||
18.11.2024 |
LOADER |
The Abuse of ITarian RMM by Dolphin Loader |
||
18.11.2024 |
RAT |
LodaRAT: Established Malware, New Victim Patterns |
||
18.11.2024 |
RAT |
Mr.Skeleton RAT - new malware based on the njRAT code |
||
18.11.2024 |
CVE |
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. |
||
16.11.2024 |
CVE |
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) |
||
16.11.2024 |
GROUP |
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA |
||
16.11.2024 |
STEALER |
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA |
||
15.11.2024 |
RAT |
Malware Spotlight: A Deep-Dive Analysis of WezRat |
||
15.11.2024 |
STEALER |
New PXA Stealer targets government and education sectors for sensitive information |
||
15.11.2024 |
CVE |
PostgreSQL PL/Perl environment variable changes execute arbitrary code |
||
15.11.2024 |
CVE |
(CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection Vulnerability |
||
15.11.2024 |
CVE |
(CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection Vulnerability |
||
14.11.2024 |
DNS |
DNS Predators Hijack Domains to Supply their Attack Infrastructure |
||
14.11.2024 |
DOWNLOADER |
Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes |
||
14.11.2024 |
CVE |
CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild |
||
13.11.2024 |
GROUP |
Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity |
||
13.11.2024 |
CAMPAIGN |
Iranian “Dream Job” Campaign 11.24 |
||
13.11.2024 |
CVE |
(CVSS score: 6.5) - Windows NTLM Hash Disclosure Spoofing Vulnerability |
||
13.11.2024 |
CVE |
(CVSS score: 8.8) - Windows Task Scheduler Elevation of Privilege Vulnerability |
||
13.11.2024 |
CVE |
(CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device |
||
13.11.2024 |
CVE |
(CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number |
||
13.11.2024 |
CVE |
(CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution |
||
13.11.2024 |
CVE |
(CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it |
||
12.11.2024 |
CVE |
(CVSS score: 5.1) - Privilege escalation to NetworkService Account access |
||
12.11.2024 |
CVE |
(CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account access |
||
12.11.2024 |
MacOS |
APT Actors Embed Malware within macOS Flutter Applications |
||
12.11.2024 |
STEALER |
Ymir: new stealthy ransomware in the wild |
||
11.11.2024 |
LOADER |
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign |
||
11.11.2024 |
AI |
EXPLOIT |
Machine Learning Bug Bonanza – Exploiting ML Services |
||
08.11.2024 |
BOTNET |
Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave |
||
08.11.2024 |
RAT |
Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT |
||
08.11.2024 |
STEALER |
Roblox Developers Targeted with npm Packages Infected with Skuld Infostealer and Blank Grabber |
||
08.11.2024 |
LINUX |
CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging |
||
08.11.2024 |
CVE |
Android Framework Privilege Escalation Vulnerability |
||
08.11.2024 |
CVE |
CyberPanel Incorrect Default Permissions Vulnerability |
||
08.11.2024 |
CVE |
Nostromo nhttpd Directory Traversal Vulnerability |
||
08.11.2024 |
CVE |
Palo Alto Expedition Missing Authentication Vulnerability |
||
08.11.2024 |
CRYPTO |
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence |
||
07.11.2024 |
EXPLOIT |
CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits |
||
07.11.2024 |
TROJAN |
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency |
||
07.11.2024 |
CVE |
A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points could allow an unauthenticated, remote attacker to perform command injection attacks with root privileges on the underlying operating system. |
||
07.11.2024 |
EXPLOIT |
Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2 |
||
06.11.2024 |
TROJAN |
Threat Campaign Spreads Winos4.0 Through Game Application |
||
06.11.2024 |
BANKING |
ToxicPanda: a new banking trojan from Asia hit Europe and LATAM |
||
05.11.2024 |
CVE |
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. |
||
05.11.2024 |
MALWARE |
Typosquat Campaign Targeting npm Developers |
||
05.11.2024 |
CVE |
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect Unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
||
04.11.2024 |
ANDROID |
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new variant of a well-known malware previously reported by ThreatFabric and Kaspersky. |
||
04.11.2024 |
CVE |
(CVSS score: 7.5) - A vulnerability that an attacker can exploit using the /api/create endpoint to determine the existence of a file on the server (Fixed in version 0.1.47) |
||
04.11.2024 |
CVE |
(CVSS score: 8.2) - An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46) |
||
04.11.2024 |
CVE |
(CVSS score: 7.5) - A vulnerability that causes resource exhaustion and ultimately a DoS when invoking the /api/create endpoint repeatedly when passing the file "/dev/random" as input (Fixed in version 0.1.34) |
||
04.11.2024 |
CVE |
(CVSS score: 7.5) - A path traversal vulnerability in the api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46) |
||
1.11.24 |
A new variant of the Android malware called FakeCall has been observed in the wild. The attackers behind this malware employ voice phishing (vishing) techniques in order to trick victims into disclosing sensitive information such as credentials or banking information. |
||
1.11.24 |
Sauron is a new ransomware variant recently found in the wild. The malware appends the ".sauron" extension to the encrypted files. The ransom note is dropped in the form of a text file called "#HowToRecover.txt" on the affected machines. The attackers request to be contacted via the provided email address, and the ransom is demanded in the form of a Bitcoin cryptocurrency payment. |
||
1.11.24 |
UNC5812 campaigns against Ukraine with Android and Windows malware |
A recent report highlighted activity attributed to a suspected Russian threat actor identified as UNC5812. The activity involved distribution of Android and Windows malware targeting Ukrainian military recruits. The intent of the campaign was not only to engage in espionage but also to attempt to negatively influence support for pro-Ukrainian forces. |
||
1.11.24 |
A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a highly sophisticated downloader variant discovered initially back in 2022. The malware has been spread across a multitude of malicious campaigns and used for the delivery and execution of miscellaneous payloads such as Cobalt Strike, ransomware, etc. |
||
1.11.24 |
CVE-2024-40711 is a recently disclosed critical (CVSS score 9.8) deserialization vulnerability affecting the Veeam Backup and Replication software in version 12.1.2.172 or older. If successfully exploited the flaw might provide unauthenticated attackers with remote code execution (RCE) on the vulnerable systems. |
||
1.11.24 |
A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts and forwards SMS messages from victims' devices to cybercriminals, leading to significant financial losses. |
||
1.11.24 |
Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware |
Threat actors are increasingly using fake CAPTCHA as an initial attack vector. A recent adware campaign is targeting online users by presenting them with fake CAPTCHA or update prompts. Attackers are leveraging ad networks to redirect victims to compromised sites that host these social engineering lures. |
||
1.11.24 |
TeamTNT targets cloud-native environments in new Cryptojacking campaign |
A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and reselling compromised servers. They exploit exposed Docker daemons to deploy Sliver malware, cyber worms and cryptominers, gaining access through exposed Docker ports and using compromised Docker Hub accounts to spread malware and rent out victims' computational power. |
||
1.11.24 |
Rekoobe malware found potentially targeting TradingView users |
An open directory has been discovered hosting Rekoobe malware, potentially aimed at targeting TradingView users along with other cyber espionage campaigns. Rekoobe is a versatile backdoor previously deployed by APT31 and other adversaries engaged in cyber espionage and data theft. |
||
1.11.24 |
Daggerfly targets Taiwanese entities with new CloudScout Toolset |
China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. This toolset can retrieve data from various cloud services by leveraging stolen web session cookies. Additionally, CloudScout integrates seamlessly with MgBot, Evasive Panda's signature malware framework. |
||
1.11.24 |
Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF and, if that fails, direct them to a Dropbox link that downloads a ZIP file containing a URL that connects to the attacker's servers and downloads additional malicious scripts, enabling control over the victim's machine. |
||
1.11.24 |
A researcher recently identified a multi-stage cyberattack targeting the healthcare industry, initiated through a ZIP file containing a malicious shortcut (.lnk) file, likely spread via phishing emails. When executed, the LNK file runs a PowerShell command that downloads additional payloads including scripts and BAT files from a remote server. |
||
1.11.24 |
SECURITY |
Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards. With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18. |
||
1.11.24 |
PHISHING KIT |
Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit |
||
1.11.24 |
iOS |
In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. |
||
1.11.24 |
VULNERABILITY |
Rare Case of Privilege Escalation Patched in LiteSpeed Cache Plugin |
This blog post is about the LiteSpeed plugin vulnerability. If you’re a LiteSpeed user, please update the plugin to at least version 6.5.2. |
||