
DATE | NAME | CATEGORY | SUBCATEGORY | INFO

14.9.24 | About the security content of visionOS 1.3 | VULNERABILITY | CVE | This document describes the security content of visionOS 1.3.

14.9.24 | TrickMo | MALWARE | Banking | A new TrickMo saga: from Banking Trojan to Victim's Data Leak

14.9.24 | CVE-2024-6671 | VULNERABILITY | CVE | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

14.9.24 | CVE-2024-6670 | VULNERABILITY | CVE | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

14.9.24 | Hadooken | MALWARE | Linux | Hadooken Malware Targets Weblogic Applications

13.9.24 | Mekotio and Mispadu malware distributed during Gecko Assault campaign | ALERTS | VIRUS | A new malicious campaign dubbed Gecko Assault has been reported by researchers from SCILabs. The threat actors have been distributing two different payloads, belonging to the URSA/Mispadu and Mekotio malware families.

13.9.24 | AutoIt-based credential flusher leveraged alongside StealC infostealer | ALERTS | VIRUS | A new campaign delivering the StealC infostealer has been observed in the wild. The initial stages of the attack use Amadey malware to load the infostealer onto the targeted endpoints. In conjunction with the delivered StealC payload, the attackers are leveraging an AutoIt-based credential flusher.

13.9.24 | Hadooken - Linux malware targeting Weblogic servers | ALERTS | VIRUS | Hadooken is a new Linux malware variant targeting Oracle Weblogic servers. In the initial attack stages the threat actors exploit known vulnerabilities or server misconfigurations, or use weak or otherwise compromised credentials, to gain access to the targeted environments. Upon execution on the vulnerable server instances, Hadooken drops two distinct payloads: Tsunami malware and a second binary used for mining cryptocurrency.

13.9.24 | ShrinkLocker Ransomware: Leveraging BitLocker for encryption and system disruption | ALERTS | RANSOM | ShrinkLocker is a recently discovered ransomware that exploits BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. Unlike traditional ransomware, ShrinkLocker uses BitLocker's secure boot partition to make decryption extremely difficult.

13.9.24 | New Phishing Campaign Exploiting CapCut | ALERTS | PHISHING | CapCut, a popular video editor, is being exploited in phishing attacks. The latest campaign involves a malicious package that includes a legitimate CapCut app, the JamPlus build utility, and a harmful ".lua" script. Running the app triggers JamPlus to execute the script, which then downloads and runs a final payload from a remote server.

13.9.24 | Veaty and Spearal: Emerging malware in recent campaign against Iraqi Government | ALERTS | VIRUS | New malware families, Veaty and Spearal, have been reported by Check Point, a CTA member, as being used in a campaign targeting Iraqi government infrastructure. The malware employs several techniques, including a passive IIS backdoor, DNS tunneling, and command-and-control (C2) communication through compromised email accounts.

13.9.24 | Ajina.Banker | MALWARE | Banking | Ajina attacks Central Asia: Story of an Uzbek Android Pandemic

13.9.24 | Android.Vo1d | MALWARE | TV | Void captures over a million Android TV boxes

13.9.24 | Proxyjacking | CAMPAIGN | CRYPTOCURRENCY | From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

13.9.24 | Spearal | MALWARE | IIS Backdoor | Targeted Iranian Attacks Against Iraqi Government Infrastructure

13.9.24 | Veaty | MALWARE | IIS Backdoor | Targeted Iranian Attacks Against Iraqi Government Infrastructure

13.9.24 | OilRig | APT | APT | Targeted Iranian Attacks Against Iraqi Government Infrastructure

13.9.24 | Quad7 | BOTNET | BOTNET | A glimpse into the Quad7 operators' next moves and associated botnets

13.9.24 | DragonRank | GROUP | GROUP | DragonRank, a Chinese-speaking SEO manipulator service provider

13.9.24 | Yet Another Silly Stealer (YASS) Infostealer | ALERTS | VIRUS | A new infostealer, referred to as 'Yet Another Silly Stealer' (YASS), has been observed. While it shares some features with CryptBot, YASS also has distinct characteristics. The research compares YASS to CryptBot, emphasizing YASS's unique code and its delivery via a multi-stage downloader called MustardSandwich. This downloader, executed through a Windows LNK file, involves two JScript stages and two PowerShell stages, with the first PowerShell script run via an ActiveXObject.

13.9.24 | BLX (aka XLABB) Stealer activity | ALERTS | VIRUS | BLX Stealer, also known as XLABB Stealer, is a malware variant initially discovered last year. New activity attributed to this infostealer has been observed in the wild. BLX is an open-source malware actively distributed via Telegram and other platforms. Functionality-wise, the malware is capable of stealing confidential data from compromised endpoints. The exfiltration efforts focus on data such as credentials, information stored in browsers, third-party application accounts, Discord tokens, cryptocurrency wallets and others.

13.9.24 | SEO manipulation leveraged for PlugX and BadIIS malware delivery | ALERTS | VIRUS | A new malicious campaign attributed to the DragonRank threat group has been discovered by researchers from Cisco Talos. The attackers have been reported to leverage search engine optimization (SEO) manipulation techniques to deploy malicious webshells, collect information from the infected systems, and deliver PlugX and BadIIS malware payloads.

13.9.24 | Ransomware activity surge observed in second quarter of 2024 | ALERTS | RANSOM | Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. Analysis of data from ransomware leak sites found that ransomware actors claimed 1,310 attacks in the second quarter of 2024, a 36% increase on the first quarter of this year. This was the second highest number of attacks claimed in a quarter by ransomware operators, short of the record 1,488 attacks claimed in the third quarter of 2023.

13.9.24 | Linux SSH servers targeted by new SuperShell malware variant | ALERTS | VIRUS | A SuperShell malware variant has been observed in a recent campaign targeting vulnerable or otherwise misconfigured Linux SSH servers. The malware is Go-based and has the functionality to act as a reverse shell, effectively giving the attackers remote control and remote code execution on the infected machine. The servers compromised using SuperShell are likely to be used later by the attackers for cryptomining or DDoS attacks.

13.9.24 | ScRansom Ransomware | ALERTS | RANSOM | Researchers have found that the CosmicBeetle group is now using a new ransomware dubbed ScRansom, replacing their old Scarab ransomware. They are targeting small and medium businesses worldwide and are copying LockBit's style in their ransom notes and websites. CosmicBeetle is suspected to be affiliated with RansomHub, a recently active ransomware gang that has been increasing its operations since March 2024.

13.9.24 | VSCode abused by Chinese APT group | ALERTS | APT | Stately Taurus, a Chinese APT group that carries out cyber-espionage attacks, has abused Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. This threat actor used VSCode's embedded reverse shell feature to gain a foothold in target networks, execute arbitrary code and deliver additional payloads. They leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data.

13.9.24 | New variant of Cicada3301 ransomware found in the wild | ALERTS | RANSOM | According to a recent report from Palo Alto, Repellent Scorpius is a new ransomware-as-a-service (RaaS) group responsible for the delivery of a ransomware variant dubbed Cicada3301. The threat actors have been observed to leverage a variety of Living-Off-the-Land (LOTL) tools in their attacks, among them PsExec for ransomware execution and the Rclone tool for data exfiltration.

13.9.24 | Mekotio and BBTok malware remain active among the banking trojans targeting LATAM | ALERTS | VIRUS | The Mekotio and BBTok malware variants remain active among the banking trojan families distributed lately across the Latin America region. The malware is usually spread via phishing campaigns utilizing business- or judicial-themed lures. The spam emails either carry links leading to malicious archive downloads or use malicious attachments directly within the emails. While Mekotio is an older malware variant, BBTok was initially discovered only in 2020. Both variants target similar geographical locations and attempt to exfiltrate credentials and sensitive information in order to carry out unauthorized banking operations.

13.9.24 | Threat actors spoof An Post Ireland services to steal credentials | ALERTS | CRIME | Symantec has identified a new wave of phishing attacks that impersonate An Post Ireland services to steal credentials. An Post Ireland is a state-owned postal service provider in Ireland. In this campaign, phishing emails are disguised as parcel notifications to reschedule deliveries or check parcel details. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting.

13.9.24 | SpyAgent: Mobile malware stealing cryptocurrency wallets through image scanning | ALERTS | VIRUS | A new mobile malware called SpyAgent has been identified targeting mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is a 12-word phrase used to recover cryptocurrency wallets. These secret phrases are highly valuable to threat actors because gaining access to them enables them to restore your wallet on their own devices and steal all the funds stored within.

13.9.24 | Emerging Loki Backdoor variant employs Mythic Framework and Havoc Techniques | ALERTS | VIRUS | A new version of the Loki backdoor has been discovered targeting Russian organizations. This variant is compatible with the Mythic framework and utilizes various techniques from the Havoc framework, which complicates analysis. The updated variant is divided into a loader and a DLL. The loader gathers system information from the compromised machine, uploads it to the attacker's C2 server, and retrieves the DLL in response. The DLL is then loaded into memory to download additional payloads and carry out further attacks.

11.9.24 | Latrodectus campaign impersonates Antivirus software to deploy remote payloads | ALERTS | CAMPAIGN | A campaign deploying Latrodectus malware, disguised as a legitimate antivirus vendor, has been reported. The initial attack vector involves phishing and malicious ads. Latrodectus functions as a backdoor, allowing the execution of remote commands and the deployment of malicious payloads such as Brute Ratel C4. It employs common techniques for persistence, including the use of the Windows Component Object Model (COM), and uses TLS certificates for communication with its command-and-control (C2) server.

11.9.24 | CVE-2024-45195: Remote Code Execution (RCE) vulnerability in Apache OFBiz | ALERTS | VULNERABILITY | CVE-2024-45195 is a high-severity (CVSS: 7.5) Remote Code Execution (RCE) vulnerability in Apache OFBiz, a comprehensive suite of business applications. An attacker could likely exploit this vulnerability by framing a specially designed URL that bypasses authentication protocols. If successfully exploited, this vulnerability allows remote attackers to execute malicious code on the server, potentially leading to complete system compromise.

11.9.24 | Ongoing exploitation of CVE-2024-36401 in OSGeo GeoServer GeoTools | ALERTS | VULNERABILITY | Multiple campaigns are exploiting a recently disclosed security flaw in OSGeo GeoServer GeoTools. The vulnerability, identified as CVE-2024-36401 (CVSS score 9.8), is a critical remote code execution bug that allows malicious actors to take control of affected instances. This flaw has been leveraged to deploy GOREVERSE, a reverse proxy server designed to connect with a command-and-control (C2) server for post-exploitation activities.

11.9.24 | TIDRONE activities in Taiwan | ALERTS | GROUP | In recent news, the TIDRONE group has been targeting Taiwan's military and satellite industries, focusing on drone manufacturers. Using malicious tools like CXCLNT and CLNTEND, the group enables data theft, credential dumping, and user control bypass. According to reports, their Tactics, Techniques, and Procedures (TTPs) include supply chain attacks via ERP software, pointing towards espionage motives.

11.9.24 | Babylon open-source RAT targets Malaysia | ALERTS | VIRUS | Babylon RAT is an open-source malware variant recently distributed to users in Malaysia. The attack chain involves the use of crafted .iso files mimicking PDF documents. The delivered ISO archive contains a hidden PowerShell script, a decoy PDF document and a malicious executable leading to infection with the Babylon RAT.

11.9.24 | ToneShell Backdoor Targets IISS Summit | ALERTS | VIRUS | A cyber espionage campaign involving the ToneShell backdoor, attributed to Mustang Panda, has been reported targeting attendees of the 2024 IISS Defense Summit in Prague. The attack leverages a malicious PIF file disguised as summit documents to gain access to sensitive defense discussions. The malware achieves persistence via registry run keys and scheduled tasks and communicates with a C2 server in Hong Kong using raw TCP that mimics TLS.

11.9.24 | BlindEagle strikes Colombia's Insurance sector with Quasar RAT variant | ALERTS | VIRUS | BlindEagle, an advanced persistent threat actor, has been observed targeting Colombia's insurance sector with the BlotchyQuasar Remote Access Trojan (RAT). The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts.

11.9.24 | Crimson Palace | CAMPAIGN | APT | Crimson Palace returns: New Tools, Tactics, and Targets

11.9.24 | Earth Preta | CAMPAIGN | APT | Earth Preta Evolves its Attacks with New Malware and Strategies

11.9.24 | CVE-2024-38014 | VULNERABILITY | CVE | (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability

11.9.24 | CVE-2024-38217 | VULNERABILITY | CVE | (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability

11.9.24 | CVE-2024-38226 | VULNERABILITY | CVE | (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability

11.9.24 | CVE-2024-43491 | VULNERABILITY | CVE | (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

11.9.24 | CVE-2024-29847 | VULNERABILITY | CVE | (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.

11.9.24 | CosmicBeetle | GROUP | RANSOMWARE | CosmicBeetle steps up: Probation period at RansomHub

11.9.24 | PIXHELL | ATTACK | ATTACK | PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via 'Singing Pixels'

11.9.24 | RAMBO | ATTACK | ATTACK | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM

9.9.24 | BlindEagle | APT | APT | BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

9.9.24 | Mustang Panda | APT | APT | Chinese APT Abuses VSCode to Target Government in Asia

9.9.24 | WhisperGate | MALWARE | Wiper | WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.

9.9.24 | RAMBO | ATTACK | ATTACK | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM

9.9.24 | EUCLEAK | ATTACK | ATTACK | Side-Channel Attack on the YubiKey 5 Series

9.9.24 | CVE-2024-32896 | VULNERABILITY | CVE | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

9.9.24 | CVE-2024-42057 | VULNERABILITY | CVE | A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through

9.9.24 | CVE-2024-7261 | VULNERABILITY | CVE | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

9.9.24 | CVE-2024-7591 | VULNERABILITY | CVE | Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects: LoadMaster 7.2.40.0 and above; ECS, all versions; Multi-Tenancy 7.1.35.4 and above.

9.9.24 | Android SpyAgent | MALWARE | Android | New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

9.9.24 | Loki | MALWARE | Backdoor | Loki: a new private agent for the popular Mythic framework

9.9.24 | Unit 29155 | GROUP | Military group | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

9.9.24 | TIDRONE | MALWARE | Military Malware | TIDRONE Targets Military and Satellite Industries in Taiwan

8.9.24 | CVE-2024-41622 | VULNERABILITY | CVE | Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 "critical")

8.9.24 | CVE-2024-44340 | VULNERABILITY | CVE | RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (the authenticated access requirement reduces the CVSS v3 score to 8.8 "high").

8.9.24 | CVE-2024-44341 | VULNERABILITY | CVE | RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 "critical")

8.9.24 | CVE-2024-44342 | VULNERABILITY | CVE | RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 "critical")

8.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Dissecting the Cicada

8.9.24 | COVERTCATCH | MALWARE | Python | North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams

8.9.24 | CVE-2024-40766 | VULNERABILITY | CVE | SonicOS Improper Access Control Vulnerability

8.9.24 | CVE-2024-36401 | EXPLOIT | EXPLOIT | Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

7.9.24 | CVE-2024-44000 | VULNERABILITY | CVE | Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin

7.9.24 | CVE-2024-45195 | VULNERABILITY | CVE | Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

7.9.24 | Tropic Trooper | APT | | Tropic Trooper spies on government entities in the Middle East

7.9.24 | Veeam Security Bulletin (September 2024) | VULNERABILITY | CVE | All vulnerabilities disclosed in this section were discovered during internal testing (unless otherwise indicated) and affect Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.

6.9.24 | Tropic Trooper unleashes new China Chopper variant and Crowdoor loader | ALERTS | APT | Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. The attackers focused on systems related to human rights studies, using a new China Chopper variant deployed on a compromised Umbraco CMS server. The group employed DLL hijacking to load malicious payloads, including Crowdoor, a loader linked to the SparrowDoor backdoor.

6.9.24 | Spammers abusing uncommon TLDs | ALERTS | SPAM | Symantec has recently observed a new phishing campaign, delivered from recently created domains, designed to steal credentials and/or banking information. In this campaign we have observed over 200 newly registered domains, most of which are registered under uncommon TLDs such as '.best', '.rest' or '.shop'. The subjects and message content attempt to lure recipients in with promises of dubious health products.

6.9.24 | Formbook Targets Global Sectors with Fake RFQ from Chemical-Oil Joint Venture | ALERTS | VIRUS | Symantec has recently observed a Formbook actor impersonating a major joint venture between a global chemical company based in Germany and a national oil and gas company from Malaysia. In this malicious email campaign, they're targeting companies across multiple countries and various industry sectors, including:

6.9.24 | Acab Infostealer | ALERTS | VIRUS | Acab is a Python-based infostealing malware variant recently observed in the wild. The malware shows some code similarities to another variant known as 1312 Stealer. Acab has the functionality to extract various confidential information from infected endpoints, including credentials, banking information, crypto-wallet data, application data/tokens, various information stored in web browsers and others.

6.9.24 | CVE-2024-5932 - GiveWP WordPress Plugin vulnerability | ALERTS | VULNERABILITY | CVE-2024-5932 is a recently disclosed vulnerability affecting the GiveWP plugin, a Donation and Fundraising Platform plugin for WordPress. The flaw allows for malicious injection within vulnerable versions of the plugin, up to 3.14.1. Successful exploitation of this flaw might allow unauthenticated attackers to inject an arbitrary PHP Object, which can further lead to arbitrary code execution within the context of the vulnerable application. A patched version 3.14.2 of the plugin has already been released.

6.9.24 | MacroPack generated payloads distributed in latest campaigns | ALERTS | CAMPAIGN | A payload generation framework called MacroPack has been leveraged to create miscellaneous payloads in a series of malicious activities recently observed by researchers from Cisco Talos. The attackers have been using Word, Excel or PowerPoint lures that, once opened, run malicious MacroPack VBA code that ultimately leads to the final payload delivery and execution. Among the distributed payloads were the Brute Ratel and Havoc post-exploitation tools as well as a new variant of the PhantomCore RAT.

6.9.24 | KTLVdoor backdoor leveraged by the Funnelweb APT | ALERTS | VIRUS | A new Golang-based backdoor dubbed KTLVdoor has been discovered by researchers from Trend Micro. The malware has been attributed to the Funnelweb APT (also known as Earth Lusca). KTLVdoor is a highly obfuscated malware that comes in variants supporting both Windows and Linux platforms. Functionality-wise, the malware is capable of running commands and shellcode received from the C2 servers and performing various file and directory operations on the infected machine, including file download/upload, among others.

6.9.24 | SLOW#TEMPEST campaign targets Chinese entities | ALERTS | CAMPAIGN | A recently identified malware campaign named SLOW#TEMPEST was uncovered targeting Chinese entities. The attack chain starts with malspam attachments in the form of zip files bundling a shortcut .lnk file together with DLL/EXE files. Successful execution of the bundled content leads to the establishment of a foothold in the targeted environment. From this position, the attackers can execute further TTPs to accomplish their goals (such as credential harvesting, lateral movement, persistence and privilege escalation).

6.9.24 | Latrodectus 1.4: New version unveiled with advanced capabilities | ALERTS | VIRUS | A newer version of the Latrodectus downloader has been observed, featuring enhancements like a new string deobfuscation method, a revised C2 endpoint, and two additional backdoor commands. The infection chain begins with a heavily obfuscated JavaScript file, which uses numerous comments to inflate file size and complexity, complicating analysis. The malware then extracts and executes hidden code, subsequently downloading and installing an MSI file from a remote server. This MSI file loads an obfuscated DLL to perform its malicious tasks.

5.9.24 | Emansrepo infostealer | ALERTS | VIRUS | Researchers from Fortinet reported on a new Python-based infostealer variant dubbed Emansrepo. This malware has been distributed via phishing campaigns that masquerade the malicious emails as purchase invoices or orders. The initial attack chain stage varies depending on the campaign and may leverage different attachments such as .html or .7z. The dropped Emansrepo payload has the functionality to collect miscellaneous confidential data from the compromised endpoints, including credentials, banking information, crypto-wallets, browser and download history and autofill data, as well as to exfiltrate text/document files from various on-disk locations.

5.9.24 | Zharkbot malware | ALERTS | VIRUS | Zharkbot is a C++-based malware loader variant being dropped by the Amadey trojan in some recently observed campaigns. Zharkbot employs various anti-analysis, anti-VM and sandbox detection/evasion techniques. Once on the compromised machine, the malware attempts to set up persistence by copying itself to the temp folder and setting up a scheduled task for execution. Zharkbot has the functionality to download and execute arbitrary payloads on the infected endpoints.

5.9.24 | CVE-2024-24809 & CVE-2024-31214 vulnerabilities affecting Traccar 5 | ALERTS | VULNERABILITY | CVE-2024-24809 and CVE-2024-31214 are recently disclosed vulnerabilities affecting Traccar 5, an open-source GPS tracking system. The vulnerabilities are rated CVSS 8.5 and CVSS 9.7 respectively. Successful exploitation in the affected product versions 5.1 through 5.12 could provide unauthenticated attackers with path traversal and unrestricted upload of arbitrary files. This could potentially lead to further compromise such as remote code execution on the affected instances. The product vendor has already released a patch addressing the vulnerabilities in product version 6.0.

5.9.24 | CVE-2024-22319 - JNDI Injection Vulnerability in IBM Operational Decision Manager | ALERTS | VULNERABILITY | CVE-2024-22319 is a critical (CVSS: 9.8) JNDI injection vulnerability in IBM Operational Decision Manager. IBM ODM is a comprehensive decision automation solution that helps organizations automate and optimize their decision-making processes. Attackers can exploit this flaw by injecting malicious code into an unchecked argument passed to a specific API through JNDI (Java Naming and Directory Interface).

5.9.24 | Stone Wolf campaign targets Russian firms with Meduza Stealer malware | ALERTS | CAMPAIGN | A malicious campaign by the Stone Wolf threat actor targeting Russian firms has been reported. The attackers use phishing emails impersonating a legitimate industrial automation provider to deliver the Meduza Stealer malware. The attack vector involves an archive containing a legitimate document alongside a malicious link to download and execute the Stealer payload. This malware collects and exfiltrates credentials, system information, and application data from compromised systems.

5.9.24 | WailingCrab: A WikiLoader variant exploiting VPN Spoofs | ALERTS | VIRUS | A recent report from Palo Alto reveals that WailingCrab, a variant of WikiLoader, is being distributed through SEO poisoning and spoofed GlobalProtect VPN software. This campaign primarily targets the U.S. higher education and transportation sectors. The attack involves multiple stages, including DLL sideloading, shellcode injection, and the use of MQTT for command and control. Attackers employ various evasion techniques such as fake error messages, process checks, and encryption. The loader's advanced tactics also leverage compromised WordPress sites and cloud-based Git repositories for infrastructure.

5.9.24 | Luxy Infostealer | ALERTS | VIRUS | Luxy is a recently discovered malware variant with both infostealing and ransomware capabilities. Luxy collects various confidential information from the compromised machines, including credentials, browser data, cookies, cryptocurrency wallets, etc. The ransomware module is used to encrypt files on the infected endpoint using the AES-256 algorithm. The ransom note dropped after encryption completes asks the victims for a ransom payment and tells them to contact the attackers via Discord.

5.9.24 | Cybercriminals Target Malaysia's Digital Lifestyle with SpyNote | ALERTS | VIRUS | Around the world, e-commerce (shopping), service-oriented (food delivery, ride-hailing, and on-demand services), digital payment and deal aggregator Android applications are highly popular. They have become integral to the digital lifestyle, meeting the growing demand for convenient, cost-effective services across various markets. These apps cater to consumers' needs for efficiency, accessibility, and savings, making them essential tools in everyday life.

5.9.24 | CVE-2024-7593 - Ivanti Virtual Traffic Manager (vTM) Authentication Bypass vulnerability | ALERTS | VULNERABILITY | CVE-2024-7593 is a critical (CVSS score 9.8) XML authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM). Successful exploitation of this flaw could allow attackers to bypass authentication and create new administrative users. Such a compromise could later lead to arbitrary code execution within the context of the vulnerable application. The product vendor has already released a patch addressing this vulnerability in the updated software versions.

5.9.24 | RAZR Ransomware | ALERTS | RANSOM | RAZR is a recently identified ransomware variant that abuses the web hosting service PythonAnywhere for hosting its malicious binaries. The malware uses the AES-256 algorithm for encryption and appends the .raz extension to the filenames. The ransom note is dropped in the form of a text file, README.txt, in which the attackers also threaten that the confidential files have not only been encrypted but also exfiltrated.

5.9.24 | Macropack | HACKING | Malware | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

5.9.24 | KTLVdoor | MALWARE | Backdoor | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

5.9.24 | CVE-2024-20439 | VULNERABILITY | CVE | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system

5.9.24 | CVE-2024-20440 | VULNERABILITY | CVE | (CVSS score: 9.8) - A vulnerability arising from an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API

5.9.24 | APT Lazarus | APT | APT | APT Lazarus: Eager Crypto Beavers, Video calls and Games

5.9.24 | RansomHub Ransomware | RANSOMWARE | RANSOMWARE | #StopRansomware: RansomHub Ransomware

5.9.24 | CVE-2024-7261 | VULNERABILITY | CVE | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

5.9.24 | Revival Hijack | HACKING | HACKING | Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

5.9.24 | CVE-2024-32896 | VULNERABILITY | CVE | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

5.9.24 | WikiLoader | MALWARE | Loader | Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant

5.9.24 | Head Mare | GROUP | GROUP | Head Mare: adventures of a unicorn in Russia and Belarus

5.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis

5.9.24 | Rocinante | MALWARE | Trojan | Rocinante: The trojan horse that wanted to fly