DATE | NAME | Info | CATEG. | WEB |
21.12.24 | The evolution and abuse of proxy networks | Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse. | Security blog | |
21.12.24 | Exploring vulnerable Windows drivers | This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. | Vulnerebility blog | |
21.12.24 | Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities | The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” | Vulnerebility blog | |
21.12.24 | Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found | Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader. These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular a | Vulnerebility blog | |
21.12.24 | Something to Read When You Are On Call and Everyone Else is at the Office Party | Its mid-December, if you’re on-call or working to defend networks, this newsletter is for you. Martin discusses the widening gap between threat and defences as well as the growing problem of home devices being recruited to act as proxy servers for criminals. | Cyber blog | |
21.12.24 | MC LR Router and GoCast unpatched vulnerabilities | Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting. For Snort coverage that can detect the explo | Vulnerebility blog | |
21.12.24 | The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight | Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help. | Cyber blog | |
21.12.24 | Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform | By Philippe Laulheret ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of p | Vulnerebility blog | Cisco Blog |
21.12.24 | ESET Research Podcast: Telekopye, again | Take a peek into the murky world of cybercrime where groups of scammers who go by the nickname of 'Neanderthals’ wield the Telekopye toolkit to ensnare unsuspecting victims they call 'Mammoths' | Cyber blog | |
21.12.24 | Unwrapping Christmas scams | Unlocked 403 cybersecurity podcast (ep. 9) | ESET's Jake Moore reveals why the holiday season is a prime time for scams, how fraudsters prey on victims, and how AI is supercharging online fraud | Cyber blog | |
21.12.24 | Cybersecurity is never out-of-office: Protecting your business anytime, anywhere | While you're enjoying the holiday season, cybercriminals could be gearing up for their next big attack – make sure your company's defenses are ready, no matter the time of year | Cyber blog | |
21.12.24 | ESET Threat Report H2 2024: Key findings | Cyber blog | ||
21.12.24 | ESET Threat Report H2 2024 | A view of the H2 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts | Cyber blog | |
21.12.24 | Black Hat Europe 2024: Hacking a car – or rather, its infotainment system | Our ‘computers on wheels’ are more connected than ever, but the features that enhance our convenience often come with privacy risks in tow | Cyber blog | |
21.12.24 | Black Hat Europe 2024: Why a CVSS score of 7.5 may be a 'perfect' 10 in your organization | Aggregate vulnerability scores don’t tell the whole story – the relationship between a flaw’s public severity rating and the specific risks it poses for your company is more complex than it seems | Cyber blog | |
21.12.24 | Black Hat Europe 2024: Can AI systems be socially engineered? | Could attackers use seemingly innocuous prompts to manipulate an AI system and even make it their unwitting ally? | Cyber blog | |
21.12.24 | How cyber-secure is your business? | Unlocked 403 cybersecurity podcast (ep. 8) | As cybersecurity is a make-or-break proposition for businesses of all sizes, can your organization's security strategy keep pace with today’s rapidly evolving threats? | Cyber blog | |
21.12.24 | Are pre-owned smartphones safe? How to choose a second-hand phone and avoid security risks | Buying a pre-owned phone doesn’t have to mean compromising your security – take these steps to enjoy the benefits of cutting-edge technology at a fraction of the cost | Cyber blog | |
21.12.24 | Philip Torr: AI to the people | Starmus Highlights | We’re on the cusp of a technological revolution that is poised to transform our lives – and we hold the power to shape its impact | AI blog | |
21.12.24 | Achieving cybersecurity compliance in 5 steps | Cybersecurity compliance may feel overwhelming, but a few clear steps can make it manageable and ensure your business stays on the right side of regulatory requirements | Cyber blog | |
21.12.24 |
CVE-2024-55956: Zero-Day Vulnerability in Cleo Software Could Lead to Data Theft |
A zero-day vulnerability, tracked as CVE-2024-55956, has been discovered in 3 Cleo products and is being exploited by CL0P ransomware group, leading to potential data theft | ||
21.12.24 |
Your Data Is Under New Lummanagement: The Rise of LummaStealer |
In this Threat Analysis report, Cybereason investigates the rising activity of the malware LummaStealer. | ||
21.12.24 |
In this Threat Analysis report, Cybereason investigates incidents relating to the Andromeda backdoor and a new cluster of C2 servers | |||
21.12.24 |
Scientology spies were trained in all covert operations techniques: surveillance, recruiting agents, infiltrating enemy lines, and blackmail. However, a suspicious librarian and a determined FBI agent brought the largest single spy operation in US government history to an end. | |||
21.12.24 |
In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform. | |||
21.12.24 |
In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques. | |||
21.12.24 |
In 1963, the FDA raided the headquarters of a budding new and esoteric religion - The Church of Scientology. In response to this and similar incidents to come, the church's founder - an eccentric science fiction author named L. Ron Hubbard - would go on to lead the single largest known government infiltration operation in United States history. | |||
21.12.24 |
CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective |
In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques. | ||
21.12.24 |
As previously mentioned in the second installment of the blog post series ("A brief history of the feature"), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a way, it is quite special, because it represents a registry subtree simultaneously on disk and in memory, as opposed to most other common file formats. | |||
21.12.24 |
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit |
Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs. | ||
21.12.24 |
This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution. | |||
21.12.24 |
Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst |
Recently, one of the projects I was involved in had to do with video decoding on Apple platforms, specifically AV1 decoding. On Apple devices that support AV1 video format (starting from Apple A17 iOS / M3 macOS), decoding is done in hardware | ||
21.12.24 |
Safeguarding Election Integrity: Threat Hunting for the U.S. Elections |
With 2024 being a major election year globally, the stakes for election security were and remain high. More than 60 countries, including the United States, Mexico, India, and Indonesia, held elections and engaged nearly 2 billion voters. The U.S. general election on November 5th, 2024, drew significant attention due to concerns over potential interference and cybersecurity threats. | ||
21.12.24 |
Hacktivist Groups: The Shadowy Links to Nation-State Agendas |
The recent conflicts between Ukraine and the Middle East have seen a surge in hacktivist activity, with groups aligned with both sides engaging in cyberattacks. In this blog we will cover a large set of Hacktivist groups. | ||
21.12.24 |
During proactive hunting, Trellix Advanced Research Center found samples belonging to Celestial Stealer, a JavaScript-based infostealer which is packaged either as an Electron application or as a NodeJS single application for Windows 10 and Windows 11 operating system. It is a Malware-as-a-Service (MaaS) advertised on the Telegram platform. The stealer is marketed as a FUD (fully undetectable). | |||
21.12.24 |
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now |
On November 18th, the US Justice Department unsealed criminal charges against a Russian national for allegedly administering the sale, distribution, and operation of Phobos ransomware. Phobos is considered an evolution of Dharma Ransomware (aka CrySIS). Code similarities and ransom notes suggest that the creators are either the same or closely connected. | ||
21.12.24 |
When Guardians Become Predators: How Malware Corrupts the Protectors |
We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us? | ||
2.11.24 |
Attacker Abuses Victim Resources to Reap Rewards from Titan Network |
In this blog entry, we discuss how an attacker took advantage of the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining purposes. | ||
2.11.24 |
How does Prometei insidiously operate in a compromised system? This Managed Extended Detection and Response investigation conducted with the help of Trend Vision One provides a comprehensive analysis of the inner workings of this botnet so users can stop the threat in its tracks before it inflicts damage to the system. | |||
2.11.24 |
Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach |
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. | ||
2.11.24 |
Attackers Target Exposed Docker Remote API Servers With perfctl Malware |
We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. | ||
2.11.24 |
Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network |
Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). | ||
2.11.24 |
New Iranian-based Ransomware Group Charges $2000 for File Retrieval |
The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment. | ||
2.11.24 |
Command Injection and Local File Inclusion in Grafana: CVE-2024-9264 |
The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data. | ||
2.11.24 |
New Iranian-based Ransomware Group Charges $2000 for File Retrieval |
The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment. | ||
2.11.24 |
The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. | |||
2.11.24 |
A Look Into Embargo Ransomware, Another Rust-based Ransomware |
Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (Raas) model. Like many modern ransomware groups, Embargo employs double extortion tactics where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom Is paid. | ||
2.11.24 |
HORUS Protector Part 1: The New Malware Distribution Service |
Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others. | ||
2.11.24 |
CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when memory allocated in the heap is improperly overwritten, leading to unpredictable behavior that could be exploited. | |||
2.11.24 |
Insecure Deserialization in Veeam Backup and Replication: CVE-2024-40711 |
The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors. | ||
2.11.24 |
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius). | |||
2.11.24 |
Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction |
This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content. | ||
2.11.24 |
Jumpy Pisces Engages in Play Ransomware |
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius). | ||
2.11.24 |
Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism |
Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. A bypass of Gatekeeper could leave the user unprotected from risky applications that may attempt to execute malicious content. | ||
2.11.24 |
Talos IR trends Q3 2024: Identity-based operations loom large |
Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions. | ||
2.11.24 |
Threat actors use copyright infringement phishing lure to deploy infostealers |
* Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. * The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the | ||
2.11.24 |
WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. | |||
2.11.24 |
Threat actor abuses Gophish to deliver new PowerRAT and DCRAT |
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. | ||
2.11.24 |
NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities |
Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits. For Snort coverage that can detect the exploitation of | ||
2.11.24 |
Writing a BugSleep C2 server and detecting its traffic with Snort |
This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. | ||
2.11.24 |
How LLMs could help defenders write better and faster detection |
Can LLM tools actually help defenders in the cybersecurity industry write more effective detection content? Read the full research | ||
2.11.24 |
TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020. | |||
2.11.24 |
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants |
Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities | ||
2.11.24 |
Go behind the scenes with Talos incident responders and learn from what we've seen in the field. | |||
2.11.24 |
Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types. | |||
2.11.24 |
Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments. | |||
2.11.24 |
Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities |
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity. | ||
2.11.24 |
It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. | |||
2.11.24 |
Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks |
Have you ever wondered why there are so many vulnerable drivers and what might be causing them to be vulnerable? Do you want to understand why some drivers are prone to crossing security boundaries and how we can stop that? | ||
2.11.24 |
Beginning in early August, Check Point Research observed a cyber-enabled disinformation campaign primarily targeting Moldova’s government and education sectors. Acting ahead of Moldova’s elections on October 20th, attackers behind this campaign likely seek to foster negative perceptions of European values and the EU membership process in addition to Moldova’s current pro-European leadership, with the intent of influencing the outcome of the upcoming fall elections and national referendum. | |||
2.11.24 |
From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code |
In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. | ||
2.11.24 |
The Windows Registry Adventure #4: Hives and the registry layout |
To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system | ||
2.11.24 |
Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, and it was assigned CVE-2024-1580. | |||
2.11.24 |
As more companies adopt macOS for their corporate needs, attackers are adapting their techniques to get what they want | |||
2.11.24 |
Cyber Threats Targeting the US Government During the Democratic National Convention |
Trellix global sensors detected increased threat activities during the days that the Democratic National Convention (DNC) was held in August 2024, culminating into a massive spike in detections halfway through the convention. Our data indicate that these threat activities targeted a wide range of US government organizations, including regional democratic causes, state legislative offices, legislative data centers, election boards, local law enforcement agencies, and public transportation networks. | ||
2.11.24 | ||||
2.11.24 |
How to remove your personal information from Google Search results | |||
2.11.24 |
Don't become a statistic: Tips to help keep your personal data off the dark web | |||
2.11.24 |
Tony Fadell: Innovating to save our planet | Starmus highlights | |||
2.11.24 | ||||
2.11.24 |
||||
2.11.24 |
Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit | |||
2.11.24 |
||||
2.11.24 |
Threat actors exploiting zero-days faster than ever – Week in security with Tony Anscombe | |||
2.11.24 |
Protecting children from grooming | Unlocked 403 cybersecurity podcast (ep. 7) | |||
2.11.24 |
Quishing attacks are targeting electric car owners: Here’s how to slam on the brakes | |||
2.11.24 |
Aspiring digital defender? Explore cybersecurity internships, scholarships and apprenticeships | |||
2.11.24 |
GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe |
GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe | ||
2.11.24 |
Telekopye transitions to targeting tourists via hotel booking scam | |||
2.11.24 |
Cyber insurance, human risk, and the potential for cyber-ratings | |||
2.11.24 |
Mind the (air) gap: GoldenJackal gooses government guardrails | |||
2.11.24 |
The complexities of attack attribution – Week in security with Tony Anscombe | |||
2.11.24 |
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand | |||
2.11.24 |
Why system resilience should mainly be the job of the OS, not just third-party applications |
Building efficient recovery options will drive ecosystem resilience | ||
2.11.24 |
Cybersecurity Awareness Month needs a radical overhaul – it needs legislation | |||
2.11.24 |
Gamaredon's operations under the microscope – Week in security with Tony Anscombe | |||
28.9.24 |
AI-driven insights for managing emerging threats and minimizing organizational risk | |||
28.9.24 |
Discover how to use the Cybersecurity Compass to foster effective conversations about cybersecurity strategy between non-technical and technical audiences, focusing on the phases of before, during, and after a breach. | |||
28.9.24 |
2024 SonicWall Threat Brief: Healthcare’s Escalating Cybersecurity Challenge |
SonicWall’s 2024 Healthcare Threat Brief reveals at least 14 million U.S. patients affected by malware breaches, as outdated systems leave healthcare providers vulnerable to evolving ransomware threats - underscoring the need for MSPs/MSSPs. | ||
28.9.24 |
Secure Access Unlocked: Exploring WNM 4.5 and Service Provider Monthly Program |
Learn about exciting updates in WNM 4.5 plus new additions to our service provider program! | ||
28.9.24 |
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors |
Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected software packages PondRAT. We’ve also found Linux variants of POOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka Citrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new PondRAT is a lighter version of POOLRAT. | ||
28.9.24 |
We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD (RomCom 4.0). | |||
28.9.24 |
Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz |
We have been monitoring a widely popular phishing-as-a-service (PhaaS) platform named Sniper Dz that primarily targets popular social media platforms and online services. A large number of phishers could be using this platform to launch phishing attacks, since the group behind this kit has thousands of subscribers on its Telegram channel. Our research revealed over 140,000 phishing websites associated with the Sniper Dz PhaaS platform over the past year. | ||
28.9.24 |
Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities. | |||
28.9.24 |
Check Point Research (CPR) uncovered a malicious app on Google Play designed to steal cryptocurrency marking the first time a drainer has targeted mobile device users exclusively. The app used a set of evasion techniques to avoid detection and remained available for nearly five months before being removed. | |||
28.9.24 |
10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More |
DLL Hijacking — a technique for forcing legitimate applications to run malicious code — has been in use for about a decade at least. In this write-up we give a short introduction to the technique of DLL Hijacking, followed by a digest of several dozen documented uses of that technique over the past decade as documented by MITRE. | ||
28.9.24 |
Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam |
Many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. | ||
28.9.24 |
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 |
ESET Research has conducted a comprehensive technical analysis of Gamaredon’s toolset used to conduct its cyberespionage activities focused in Ukraine | ||
28.9.24 | ||||
28.9.24 |
Time to engage: How parents can help keep their children safe on Snapchat | |||
21.9.24 |
Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware |
Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are... | ||
21.9.24 |
How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections |
Trend Micro tracked this group as Water Bakunawa, behind the RansomHub ransomware, employs various anti-EDR techniques to play a high-stakes game of hide and seek with security solutions. | ||
21.9.24 | This is the third blog in an ongoing series on Rogue AI. Keep following for more technical guidance, case studies, and insights | |||
21.9.24 | Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC | We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China. | ||
21.9.24 | Vulnerabilities in Cellular Packet Cores Part IV: Authentication | Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC), both of which have now been resolved and are discussed in this blog post. | ||
21.9.24 | Overview: The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-20017, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-20017 is a critical zero-click vulnerability with a CVSS 3.0 score | |||
21.9.24 | Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool | This article discusses the discovery of a new post-exploitation red team tool called Splinter that we found on customer systems using Advanced WildFire’s memory scanning tools. Penetration testing toolkits and adversary simulation frameworks are often useful for identifying potential security issues in a company's network. | ||
21.9.24 | FBI, CISA warning over false claims of hacked voter data – Week in security with Tony Anscombe | With just weeks to go before the US presidential election, the FBI and the CISA are warning about attempts to sow distrust in the electoral process | ||
21.9.24 | Influencing the influencers | Unlocked 403 cybersecurity podcast (ep. 6) | |||
21.9.24 | In this blog, we will provide an overview of the Iranian threat landscape and discuss the tools, tactics and techniques used by these groups. | |||
14.9.24 | Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities | In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671. | ||
14.9.24 | Earth Preta Evolves its Attacks with New Malware and Strategies | In this blog entry, we discuss our analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. | ||
14.9.24 | CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective | In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques | ||
14.9.24 | Unit 42 researchers recently found that Stately Taurus abused the popular Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. Stately Taurus is a Chinese advanced persistent threat (APT) group that carries out cyberespionage attacks. | |||
14.9.24 | Key Group Russian Ransomware Gang Uses Extensive Multi-purpose Telegram Channel | The SonicWall Capture Labs threat research team has been recently tracking ransomware known as Key Group. Key Group is a Russian-based malware threat group that was formed in early 2023. | ||
14.9.24 | Hold – Verify – Execute: Rise of Malicious POCs Targeting Security Researchers | While investigating CVE-2024-5932, a code injection vulnerability in the GiveWP WordPress plugin, our team encountered a malicious Proof of Concept (POC) targeting cybersecurity professionals. Such POCs have become a growing threat to cybersecurity professionals, used by threat actors to achieve their goals, such as crypto mining, data exfiltration and backdoor installation | ||
14.9.24 | Microsoft’s September 2024 Patch Tuesday has 79 vulnerabilities, of which 30 are Elevation of Privilege. SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2024 and has produced coverage for 9 of the reported vulnerabilities. | |||
14.9.24 | Targeted Iranian Attacks Against Iraqi Government Infrastructure | Check Point Research discovered a new set of malware called Veaty and Spearal that was used in attacks against different Iraqi entities including government networks. | ||
14.9.24 | DragonRank, a Chinese-speaking SEO manipulator service provider | Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation | ||
14.9.24 | Talos' Nick Biasini discusses the biggest shifts and trends in the threat landscape so far. We also focus on one state sponsored actor that has been particularly active this year, and talk about why defenders need to be paying closer attention to infostealers. | |||
14.9.24 | Vulnerability in Tencent WeChat custom browser could lead to remote code execution | While this issue was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported it to the vendor. | ||
14.9.24 | Watch our new documentary, "The Light We Keep: A Project PowerUp Story" | The Light We Keep documentary tells the story of the consequences of electronic warfare in Ukraine and its effect on power grids across the country. | ||
14.9.24 | A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. | |||
14.9.24 | CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges. | |||
14.9.24 | September’s monthly round of patches from Microsoft included 79 vulnerabilities, seven of which are considered critical. | |||
14.9.24 | The best and worst ways to get users to improve their account security | In my opinion, mandatory enrollment is best enrollment. | ||
14.9.24 | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads | The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. | ||
14.9.24 | CosmicBeetle joins the ranks of RansomHub affiliates – Week in security with Tony Anscombe | ESET research also finds that CosmicBeetle attempts to exploit the notoriety of the LockBit ransomware gang to advance its own ends | ||
14.9.24 | CosmicBeetle, after improving its own ransomware, tries its luck as a RansomHub affiliate | |||
11.9.24 | Fake recruiter coding tests target devs with malicious Python packages | RL found the VMConnect campaign continuing with malicious actors posing as recruiters, using packages and the names of financial firms to lure developers. | ||
7.9.24 | Our research reveals that an unidentified threat cluster we named TIDRONE has shown significant interest in military-related industry chains, particularly in the manufacturers of drones. | |||
7.9.24 | Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command | Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. | ||
7.9.24 | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. | ||
7.9.24 | CVE-2024-23119: Critical SQL Injection Vulnerability in Centreon | Overview: The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-23119, assessed its impact and developed mitigation measures for this vulnerability. CVE-2024-23119 is a high-severity SQL Injection vulnerability in Centreon, impacting Centreon | ||
7.9.24 | Bitcoin ATM scams skyrocket – Week in security with Tony Anscombe | The schemes disproportionately victimize senior citizens, as those aged 60 or over were more than three times as likely as younger adults to fall prey to the scams | ||
7.9.24 | The key considerations for cyber insurance: A pragmatic approach | |||
7.9.24 | Sometimes there’s more than just an enticing product offer hiding behind an ad | |||
1.9.24 | North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). | ||
31.8.24 | Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence | Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. | ||
31.8.24 | This issue of AI Pulse is all about agentic AI: what it is, how it works, and why security needs to be baked in from the start to prevent agentic AI systems from going rogue once they’re deployed. | |||
31.8.24 | Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool | Threat actors are targeting users in the Middle East by distributing sophisticated malware disguised as the Palo Alto GlobalProtect tool. | ||
31.8.24 | Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem | A technical analysis on how CVE-2023-22527 can be exploited by malicious actors for cryptojacking attacks that can spread across the victim’s system. | ||
31.8.24 | CVE-2024-7928: FastAdmin Unauthenticated Path Traversal Vulnerability | The SonicWall Capture Labs threat research team became aware of an unauthenticated directory traversal vulnerability affecting FastAdmin installations. Identified as CVE-2024-7928 and with a moderate score of 5.3 CVSSv3, the vulnerability is more severe than it initially appears. | ||
31.8.24 | This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox. | |||
31.8.24 | TLD Tracker: Exploring Newly Released Top-Level Domains | We investigated 19 new top-level domains (TLDs) released in the past year, which revealed large-scale phishing campaigns, distribution of potentially unwanted programs, torrenting websites, and even pranking and meme campaigns. | ||
31.8.24 | The Emerging Dynamics of Deepfake Scam Campaigns on the Web | Our researchers discovered dozens of scam campaigns using deepfake videos featuring the likeness of various public figures, including CEOs, news anchors and top government officials. | ||
31.8.24 | Autoencoder Is All You Need: Profiling and Detecting Malicious DNS Traffic | To improve our detection of suspicious network activity, we leveraged a deep learning method to profile and detect malicious DNS traffic patterns. | ||
31.8.24 | Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments | Unit 42 researchers found an extortion campaign's cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files) that contained sensitive variables such as credentials belonging to various applications. | ||
31.8.24 | ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts | This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments. | ||
31.8.24 | Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats | Explore in-depth defense strategies against ViperSoftX with the Trellix suite, and unpack why AutoIt is an increasingly popular tool for malware authors | ||
31.8.24 | August 2024 Bug Report: Explore seven critical vulnerabilities—Ivanti vTM, Windows CLFS, Apache OFBiz, and more. Stay ahead of the threats, patch now! | |||
31.8.24 | In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft. Read the full analysis. | |||
31.8.24 | As we head into the final third of 2024, we caught up with Talos' Nick Biasini to ask him about the biggest shifts and trends in the threat landscape so far. Turns out, he has two major areas of concern. | |||
31.8.24 | The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks | Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but when it comes to fuzzing popular systems used in ICS environments, it traditionally involved a custom hardware setup to fuzz the code in its native environment. | ||
31.8.24 | Any vulnerability in an RTOS has the potential to affect many devices across multiple industries. | |||
31.8.24 | Fuzzing µC/OS protocol stacks, Part 2: Handling multiple requests per test case | This time, I’ll discuss why this approach is more challenging than simply substituting a socket file descriptor with a typical file descriptor. | ||
31.8.24 | Fuzzing µC/OS protocol stacks, Part 3: TCP/IP server fuzzing, implementing a TAP driver | This is the final post in the three-part series that details techniques I used to fuzz two µC/OS protocol stacks: µC/TCP-IP and µC/HTTP-server. | ||
31.8.24 | It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price. | |||
31.8.24 | Stealing cash using NFC relay – Week in Security with Tony Anscombe | The discovery of the NGate malware by ESET Research is another example of how sophisticated Android threats have become | ||
31.8.24 | Analysis of two arbitrary code execution vulnerabilities affecting WPS Office | |||
31.8.24 | Exploring Android threats and ways to mitigate them | Unlocked 403 cybersecurity podcast (ep. 5) | |||
24.8.24 | How Trend Micro Managed Detection and Response Pressed Pause on a Play Ransomware Attack | Using the Trend Micro Vision One platform, our MDR team was able to quickly identify and contain a Play ransomware intrusion attempt. | ||
24.8.24 | Enterprises have gone all-in on GenAI, but the more they depend on AI models, the more risks they face. Trend Vision One™ – Zero Trust Secure Access (ZTSA) – AI Service Access bridges the gap between access control and GenAI services to protect the user journey. | |||
24.8.24 | Explore how generative AI is transforming cybersecurity and enterprise resilience | |||
24.8.24 | This is the first blog in a series on Rogue AI. Later articles will include technical guidance, case studies and more. | |||
24.8.24 | The SonicWall Capture Labs threat research team became aware of an account takeover vulnerability in Cisco’s Smart Software Manager (SSM), assessed its impact and developed mitigation measures for the vulnerability. | |||
24.8.24 | Understanding CVE-2024-38063: How SonicWall Prevents Exploitation | CVE-2024-38063 is a critical remote code execution vulnerability in Windows systems with the IPv6 stack, carrying a CVSS score of 9.8. This zero-click, wormable flaw allows attackers to execute arbitrary code remotely via specially crafted IPv6 packets, potentially leading to full system compromise. | ||
24.8.24 | MoonPeak malware from North Korean actors unveils new details on attacker infrastructure | Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” | ||
24.8.24 | How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions | An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their entitlements and user-granted permissions. | ||
24.8.24 | PWA phishing on Android and iOS – Week in security with Tony Anscombe | Phishing using PWAs? ESET Research's latest discovery might just ruin some users' assumptions about their preferred platform's security | ||
24.8.24 | How regulatory standards and cyber insurance inform each other | |||
24.8.24 | Be careful what you pwish for – Phishing in PWA applications | ESET analysts dissect a novel phishing method tailored to Android and iOS users | ||
17.8.24 | Mario movie malware might maliciously mess with your machine | There are probably few among us who, never have they ever, downloaded questionable content. Whether it was a hit song in the Napster era or a Blockbuster movie you found on a “special” site online, you can probably think of at least one occasion when you got access to something from a, shall we say, less than reputable source. | ||
17.8.24 | Microsoft’s 2024 Patch Tuesday has 87 vulnerabilities, 36 of which are Elevation of Privilege vulnerabilities. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of 2024 and has produced coverage for ten of the reported vulnerabilities | |||
17.8.24 | This post presents our research on a methodology we call BOLABuster, which uses large language models (LLMs) to detect broken object level authorization (BOLA) vulnerabilities. By automating BOLA detection at scale, we will show promising results in identifying these vulnerabilities in open-source projects. | |||
17.8.24 | Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities | Server-Side Template Injection (SSTI) vulnerabilities refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates. This allows them to execute arbitrary commands on the server, potentially leading to unauthorized data access, server compromise, or exploitation of additional vulnerabilities. | ||
17.8.24 | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove | Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. Even though it only recently appeared, it has already been noticed in attacks, including those targeting our customers. | ||
17.8.24 | Talos discovers 11 vulnerabilities between Microsoft, Adobe software disclosed on Patch Tuesday | Eight of the vulnerabilities affect the license update feature for CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11. | ||
17.8.24 | How a BEC scam cost a company $60 Million – Week in security with Tony Anscombe | Business email compromise (BEC) has once again proven to be a costly issue, with a company losing $60 million in a wire transfer fraud scheme | ||
10.8.24 | 60 Hurts per Second – How We Got Access to Enough Solar Power to Run the United States | The electricity grid – the buzzing, crackling marvel that supplies the lifeblood of modernity - is by far the largest structure humanity ever built. It’s so big, in fact, that few people even notice it, like a fish can’t see the ocean. | ||
10.8.24 | A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT). | |||
10.8.24 | Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed. | |||
10.8.24 | Sustained Campaign Using Chinese Espionage Tools Targets Telcos | Attackers were heavily focused on telecoms operators in a single Asian country. | ||
10.8.24 | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services | In the past year, there has been a marked increase in the use of legitimate cloud services by attackers, including nation-state actors. | ||
10.8.24 | A fake website seemingly distributing WinRar, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. | |||
10.8.24 | SonicWall Discovers Second Critical Apache OFBiz Zero-Day Vulnerability | The SonicWall Capture Labs threat research team has discovered a pre-authentication remote code execution vulnerability in Apache OFBiz being tracked as CVE-2024-38856 with a CVSS score of 9.8. This is the second major flaw SonicWall has discovered in Apache OFBiz in recent months, the first coming in December 2023. | ||
10.8.24 | Protecting SmartPLC Devices from Critical Hardcoded Credential Vulnerability CVE-2024-28747 | |||
10.8.24 | Protect Your Network: Mitigating the Latest Vulnerability (CVE-2024-5008) in Progress WhatsUp Gold | The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp Gold is a software that monitors every connected device in the network, providing visibility into the IT infrastructure. It also has the functionality to swiftly pinpoint and resolve issues in the infrastructure by utilizing its intuitive workflows and system integrations. | ||
10.8.24 | This blog will share a tried and tested method for dealing with thousands of unknown functions in a given file to significantly decrease the time spent on analysis while improving accuracy. Once all theory is covered, an instance of the Golang based qBit stealer is analyzed with the demonstrated techniques to show what happens when the theory is put into practice. | |||
10.8.24 | Resilient Security Requires Mature Cyber Threat Intelligence Capabilities | We recently had the opportunity to support an important industry effort to advance threat intelligence, led by our partners at Intel 471. Trellix, along with 25+ cyber leaders, launched a new maturity model for cyber threat intelligence (CTI). | ||
10.8.24 | Black Hat USA 2024 recap – Week in security with Tony Anscombe | Unsurprisingly, many discussions focused on the implications of the recent CrowdStrike outage, including the lessons it may have offered for bad actors | ||
10.8.24 | Black Hat USA 2024: How cyber insurance is shaping cybersecurity strategies | |||
10.8.24 | Why tech-savvy leadership is key to cyber insurance readiness | |||
3.8.24 | GeoServer RCE Vulnerability (CVE-2024-36401) Being Exploited In the Wild | The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data | ||
3.8.24 | Protecting SmartPLC Devices from Critical Hardcoded Credential Vulnerability CVE-2024-28747 | The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-28747, a vulnerability in SmartPLC devices, assessed its impact and developed mitigation measures for this vulnerability. | ||
3.8.24 | Phishing campaign exploits Microsoft OneDrive users with sophisticated social engineering, manipulating them into executing a malicious PowerShell script. | |||
3.8.24 | ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. | |||
3.8.24 | In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. | |||
3.8.24 | There is no real fix to the security issues recently found in GitHub and other similar software | The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software. | ||
3.8.24 | This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat. | |||
3.8.24 | A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP. | |||
3.8.24 | AI and automation reducing breach costs – Week in security with Tony Anscombe | Organizations that leveraged AI and automation in security prevention cut the cost of a data breach by US$2.22 million compared to those that didn't deploy these technologies, according to IBM | ||
3.8.24 | The cyberthreat that drives businesses towards cyber risk insurance | |||
27.7.24 | Security awareness and measures to detect and prevent sophisticated risks associated with QR code-based phishing attacks (quishing) | |||
27.7.24 | Trend Experts Weigh in on Global IT Outage Caused by CrowdStrike | On July 19, 2024, a large-scale outage emerged affecting Windows computers for many industries across the globe from financial institutions to hospitals to airlines. The source of this outage came from a single content update from CrowdStrike. | ||
27.7.24 | Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma | Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more. | ||
27.7.24 | The Potential Impact of the OpenSSH Vulnerabilities CVE-2024-6387 and CVE-2024-6409 | We check the OpenSSH vulnerabilities CVE-2024-6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024-6387 in x64 systems. | ||
27.7.24 | This blog will focus on the threat actor’s background and previous actions, the attack chain, and the wiper’s internals and reused code. | |||
27.7.24 | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies | Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. | ||
27.7.24 | Proactive Protection: How SonicWall's security operations center (SOC) safeguards MSPs around the clock. | |||
27.7.24 | Critical Splunk Vulnerability CVE-2024-36991: Patch Now to Prevent Arbitrary File Reads | The SonicWall Capture Labs threat research team became aware of an arbitrary file read vulnerability affecting Splunk Enterprise installations. Identified as CVE-2024-36991 and given a CVSSv3 score of 7.5, the vulnerability is more severe than it initially appeared. | ||
27.7.24 | Volcano Demon Group Targets Idealease Inc. Using LukaLocker Ransomware | The SonicWall Capture Labs threats research team has recently been tracking new ransomware known as LukaLocker. | ||
27.7.24 | When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it's a subsystem as old and fundamental as the Windows registry. | |||
27.7.24 | Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub: | |||
27.7.24 | The ransomware group RA Group, now known as RA World, showed a noticeable uptick in their activity since March 2024. About 37% of all posts on their dark web leak site have appeared since March, suggesting this is an emerging group to watch. This article describes the tactics, techniques and procedures (TTPs) used by RA World. | |||
27.7.24 | This network is a highly sophisticated operation that acts as a Distribution as a Service (DaaS). It allows threat actors to share malicious links or malware for distribution through highly victim-oriented phishing repositories. | |||
27.7.24 | We propose a new injection technique: Thread Name-Calling, and offer the advisory related to implementing protection. | |||
27.7.24 | Seeing a “blue screen of death,” often with code that looks indecipherable, has been ingrained into our heads as a sign that it’s a “hack.” | |||
27.7.24 | Telegram for Android hit by a zero-day exploit – Week in security with Tony Anscombe | Attackers abusing the "EvilVideo" vulnerability could share malicious Android payloads via Telegram channels, groups, and chats, all while making them appear as legitimate multimedia files | ||
27.7.24 | Building cyber-resilience: Lessons learned from the CrowdStrike incident | |||
27.7.24 | ESET researchers have discovered threats abusing the success of the Hamster Kombat clicker game | |||
27.7.24 | Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android | |||
27.7.24 | How a signed driver exposed users to kernel-level threats – Week in Security with Tony Anscombe | |||
27.7.24 | Beyond the blue screen of death: Why software updates matter | |||
20.7.24 | ClickFix Deception: A Social Engineering Tactic to Deploy Malware | McAfee Labs has discovered a highly unusual method of malware delivery, referred to by researchers as the “Clickfix” infection chain. The attack chain begins with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal. | ||
20.7.24 | Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched. | |||
20.7.24 | Trend Experts Weigh in on Global IT Outage Caused by CrowdStrike | On July 19, 2024, a large-scale outage emerged affecting Windows computers for many industries across the globe from financial institutions to hospitals to airlines. The source of this outage came from a single content update from CrowdStrike. | ||
20.7.24 | Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma | Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more. | ||
20.7.24 | The Potential Impact of the OpenSSH Vulnerabilities CVE-2024-6387 and CVE-2024-6409 | We check the OpenSSH vulnerabilities CVE-2024-6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024-6387 in x64 systems. | ||
20.7.24 | Trend Micro partners with IBM to offer advanced threat detection and response for protecting critical infrastructures running on IBM Power servers | |||
20.7.24 | In 2023, the cryptocurrency industry faced a significant increase in illicit activities, including money laundering, fraud, and ransomware attacks. Ransomware attacks were especially prevalent and profitable for attackers. However, other forms of criminal activity also saw a rise. | |||
20.7.24 | Container Breakouts: Escape Techniques in Cloud Environments | Container escapes are a notable security risk for organizations, because they can be a critical step of an attack chain that can allow malicious threat actors access. We previously published one such attack chain in an article about a runC vulnerability. | ||
20.7.24 | Beware of BadPack: One Weird Trick Being Used Against Android Devices | This article discusses recent samples of BadPack Android malware and examines how this threat’s tampered headers can obstruct malware analysis. We also review the effectiveness of various freely available tools for analyzing BadPack Android Package Kit (APK) files. | ||
20.7.24 | NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS | MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels with activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal. | ||
20.7.24 | It's best to just assume you’ve been involved in a data breach somehow | Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers. | ||
20.7.24 | A study of a sophisticated Chinese browser injector that leaves more doors open! | |||
20.7.24 | Small but mighty: Top 5 pocket-sized gadgets to boost your ethical hacking skills | |||
20.7.24 | Hello, is it me you’re looking for? How scammers get your phone number | |||
20.7.24 | Should ransomware payments be banned? – Week in security with Tony Anscombe | |||
13.7.24 | Cloudflare’s updated 2024 view on Internet cyber security trends spanning global traffic insights, bot traffic insights, API traffic insights, and client-side risks... | |||
13.7.24 | Euro 2024’s impact on Internet traffic: a closer look at finalists Spain and England | Here we examine how UEFA Euro 2024 football matches have influenced Internet traffic patterns in participating countries, with a special focus on the two finalists, Spain and England, on their journey to the final... | ||
13.7.24 | Cloudflare Zaraz adds support for server-side rendering of X and Instagram embeds | We are thrilled to announce Cloudflare Zaraz support for server-side rendering of embeds from X and Instagram. This allows for secure, privacy-preserving, and performant embedding without third-party JavaScript or cookies, enhancing security, privacy, and performance on your website... | ||
13.7.24 | Welcome to the 18th edition of the Cloudflare DDoS Threat Report. Released quarterly, these reports provide an in-depth analysis of the DDoS threat landscape as observed across the Cloudflare network. This edition focuses on the second quarter of 2024... | |||
13.7.24 | The RADIUS protocol is commonly used to control administrative access to networking gear. Despite its importance, RADIUS hasn’t changed much in decades. We discuss an attack on RADIUS as a case study for why it’s important for legacy protocols to keep up with advancements in cryptography... | |||
13.7.24 | French elections: political cyber attacks and Internet traffic shifts | Check the dynamics of the 2024 French legislative elections, the surprising election results’ impact on Internet traffic changes, and the cyber attacks targeting political parties... | ||
13.7.24 | UK election day 2024: traffic trends and attacks on political parties | Here, we explore the dynamics of Internet traffic and cybersecurity during the UK’s 2024 general election, highlighting late-day traffic changes and a post-vote attack on a political party... | ||
13.7.24 | On June 27, 2024, a small number of users globally may have noticed that 1.1.1.1 was unreachable or degraded. The root cause was a mix of BGP (Border Gateway Protocol) hijacking and a route leak... | |||
13.7.24 | First round of French election: party attacks and a modest traffic dip | How Cloudflare mitigated DDoS attacks targeting French political parties during the 2024 legislative elections, as detailed in our ongoing election coverage... | ||
13.7.24 | Declare your AIndependence: block AI bots, scrapers and crawlers with a single click | To help preserve a safe Internet for content creators, we’ve just launched a brand new “easy button” to block all AI bots. It’s available for all customers, including those on our free tier... | ||
13.7.24 | In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. | |||
13.7.24 | Cactus is another variant in the ransomware family. It exploits a VPN vulnerability (CVE-2023-38035) to enter an internal organization network and deploys various payloads for persistence (Scheduled Task/Job), C2 connection via RMM tools (Anydesk.exe) and encryption. | |||
13.7.24 | The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution | ViperSoftX uses CLR to embed and execute PowerShell commands within AutoIt, seamlessly integrating malicious functions while evading detection with an AMSI bypass. | ||
13.7.24 | Cracking Cobalt Strike: Taking Down Malicious Cybercriminal Infrastructure with Threat Intelligence | Trellix and global law enforcement dismantle malicious Cobalt Strike infrastructure, enhancing cybersecurity and protecting critical sectors. Learn about our fight against cybercrime. | ||
13.7.24 | Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant | The SonicWall RTDMI™ engine has recently protected users against the distribution of the “6.6” variant of DarkGate malware by a phishing email campaign containing PDF files as an attachment. DarkGate is an advanced Remote Access Trojan that has been widely active since 2018. The RAT has been marketed as Malware-as-a-Service in underground forums, and threat actors are actively updating its code. The malware supports a wide range of features (anti-VM, anti-AV, delayed execution, multi-variant support, process hollowing, etc.), which are controlled by flags in the configuration data. | ||
13.7.24 | Microsoft’s July 2024 Patch Tuesday has 138 vulnerabilities, 59 of which are Remote Code Execution. The SonicWall Capture Lab’s threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2024 and has produced coverage for 7 of the reported vulnerabilities. | |||
13.7.24 | The SonicWall Capture Labs threat research team became aware of an XML External Entity Reference vulnerability affecting Adobe Commerce and Magento Open Source. It is identified as CVE-2024-34102 and given a critical CVSSv3 score of 9.8. Labeled as an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability and categorized as CWE-611, this vulnerability allows an attacker unauthorized access to private files, such as those containing passwords. Successful exploitation could lead to arbitrary code execution, security feature bypass, and privilege escalation. | |||
13.7.24 | In 2023, the cryptocurrency industry faced a significant increase in illicit activities, including money laundering, fraud, and ransomware attacks. Ransomware attacks were especially prevalent and profitable for attackers. However, other forms of criminal activity also saw a rise. | |||
13.7.24 | Cybersecurity teams are well-equipped to handle threats to technology assets that they manage. But with unmanaged devices providing ideal spots for attackers to lurk unseen, network detection and response capabilities have become vitally important. | |||
13.7.24 | Cybersecurity is a growing concern in today's digital age, as more sensitive information is stored and transmitted online. With the rise of cryptocurrencies, there has also been a rise in crypto-crimes, which pose a significant threat to the security of both individuals and businesses. | |||
13.7.24 | With every week bringing news of another AI advance, it’s becoming increasingly important for organizations to understand the risks before adopting AI tools. This look at 10 key areas of concern identified by the Open Worldwide Application Security Project (OWASP) flags risks enterprises should keep in mind through the back half of the year. | |||
13.7.24 | This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware. | |||
13.7.24 | This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware. | |||
13.7.24 | The Contrastive Credibility Propagation (CCP) algorithm is a novel approach to semi-supervised learning (SSL) developed by AI researchers at Palo Alto Networks to improve model task performance with imbalanced and noisy labeled and unlabeled data. | |||
13.7.24 | In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically. | |||
13.7.24 | Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. | |||
13.7.24 | Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs | Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers. | ||
13.7.24 | Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time. | |||
13.7.24 | Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling | Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments. | ||
13.7.24 | In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials. | |||
13.7.24 | Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos. | |||
13.7.24 | 15 vulnerabilities discovered in software development kit for wireless routers | Talos researchers discovered these vulnerabilities in the Jungle SDK while researching other vulnerabilities in the LevelOne WBR-6013 wireless router. | ||
13.7.24 | Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities | This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities. | ||
13.7.24 | Understanding IoT security risks and how to mitigate them – Cybersecurity podcast | As security challenges loom large on the IoT landscape, how can we effectively counter the risks of integrating our physical and digital worlds? | ||
6.7.24 | Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective | In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly. | ||
6.7.24 | Mekotio Banking Trojan Threatens Financial Systems in Latin America | We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we'll provide an overview of the trojan and what it does. | ||
6.7.24 | The SonicWall Capture Labs threat research team became aware of a path traversal vulnerability in SolarWinds Serv-U, assessed its impact and developed mitigation measures. | |||
6.7.24 | Not If, But When: The Need for a SOC and Introducing the SonicWall European SOC | When you think about cyber threats or attacks, what comes to mind? It’s easy to associate cyberattacks with large enterprises since those are the attacks that frequently make the news. | ||
6.7.24 | The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time. | |||
6.7.24 | In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository. | |||
6.7.24 | Cryptographic attacks, even more advanced ones, are often made more difficult to understand than they need to be. Sometimes it’s because the explanation is “too much too soon” — it skips the simple general idea and goes straight to real world attacks with all their messy details. | |||
6.7.24 | Social media and teen mental health – Week in security with Tony Anscombe | Social media sites are designed to make their users come back for more. Do laws restricting children's exposure to addictive social media feeds have teeth or are they a political gimmick? | ||
6.7.24 | No room for error: Don’t get stung by these common Booking.com scams | |||
6.7.24 | Hijacked: How hacked YouTube channels spread scams and malware | |||
6.7.24 | Key trends shaping the threat landscape in H1 2024 – Week in security with Tony Anscombe | |||
29.6.24 | Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework | We recently discovered a new threat actor group that we dubbed Void Arachne. This group targets Chinese-speaking users with malicious Windows Installer (MSI) files in a recent campaign. | ||
29.6.24 | Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer | We analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and XMRIG crypto miner. | ||
29.6.24 | ICO Scams Leverage 2024 Olympics to Lure Victims, Use AI for Fake Sites | In this blog we uncover threat actors using the 2024 Olympics to lure victims into investing in an initial coin offering (ICO). | ||
29.6.24 | AI coding companions are keeping pace with the high-speed evolution of generative AI overall, continually refining and augmenting their capabilities to make software development faster and easier than ever before. | |||
29.6.24 | To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity™ combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat. | |||
29.6.24 | The latest Omdia Vulnerability Report shows Trend Micro™ Zero Day Initiative™ (ZDI) spearheaded 60% of 2023 disclosures, underscoring its role in cybersecurity threat prevention. | |||
29.6.24 | Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in 2023. | |||
29.6.24 | The latest MITRE Engenuity ATT&CK Evaluations pitted leading managed detection and response (MDR) services against threats modeled on the menuPass and BlackCat/AlphV adversary groups. | |||
29.6.24 | StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe | The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. | ||
29.6.24 | This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. | |||
29.6.24 | This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. | |||
29.6.24 | In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. | |||
29.6.24 | RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS | Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. | ||
29.6.24 | SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques | Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. | ||
29.6.24 | Snowflake isn’t an outlier, it’s the canary in the coal mine | By Nick Biasini with contributions from Kendall McKay and Guilherme Venere. Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. Adversaries obtained stolen login | ||
29.6.24 | Multiple vulnerabilities in TP-Link Omada system could lead to root access | Affected devices could include wireless access points, routers, switches and VPNs. | ||
29.6.24 | Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia | The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. | ||
29.6.24 | A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. | |||
29.6.24 | More on the recent Snowflake breach, MFA bypass techniques and more. | |||
29.6.24 | Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more | As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: Discussing the I/O system and IRPs. | ||
29.6.24 | Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their 'push-spray' MFA attacks | |||
29.6.24 | How we can separate botnets from the malware operations that rely on them | A botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group. | ||
29.6.24 | Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models | At Project Zero, we constantly seek to expand the scope and effectiveness of our vulnerability research. | ||
29.6.24 | When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. | |||
29.6.24 | A view of the H1 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts | |||
29.6.24 | Cyber insurance as part of the cyber threat mitigation strategy | |||
29.6.24 | The long-tail costs of a data breach – Week in security with Tony Anscombe | |||
29.6.24 | Hacktivism is evolving – and that could be bad news for organizations everywhere | |||
15.6.24 | Microsoft Incident Response tips for managing a mass password reset | When an active incident leaves systems vulnerable, a mass password reset may be the right tool to restore security. This post explores the necessity and risk associated with mass password resets. | ||
15.6.24 | How to achieve cloud-native endpoint management with Microsoft Intune | In this post, we’re focusing on what it really takes for organizations to become fully cloud-native in endpoint management—from the strategic leadership to the tactical execution. | ||
15.6.24 | The four stages of creating a trust fabric with identity and network security | The trust fabric journey has four stages of maturity for organizations working to evaluate, improve, and evolve their identity and network access security posture. | ||
15.6.24 | Since late 2023, Microsoft has observed an increase in reports of attacks focusing on internet-exposed, poorly secured operational technology (OT) devices. | |||
15.6.24 | Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups | This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. | ||
15.6.24 | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | We analyze a cryptojacking attack campaign exploiting exposed Docker remote API servers to deploy cryptocurrency miners, using Docker images from the open-source Commando project. | ||
15.6.24 | In this blog entry, our researchers provide an analysis of TargetCompany ransomware’s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution. | |||
15.6.24 | In its ninth year, the annual SANS Threat Hunting Survey delves into global organizational practices in threat hunting, shedding light on the challenges and adaptations in the landscape over the past year. | |||
15.6.24 | You may have EDR, but did you know you can add threat detection and response to improve a SecOps team’s efficiency and outcomes - read more. | |||
15.6.24 | Explore AI-Driven Cybersecurity with Trend Micro, Using NVIDIA NIM | Discover Trend Micro's integration of NVIDIA NIM to deliver an AI-driven cybersecurity solution for next-generation data centers. | ||
15.6.24 | The Lifecycle of a Threat: The Inner Workings of the Security Operations Center | See how SonicWall’s SOC handles a threat from discovery all the way to resolution in this detailed blog. | ||
15.6.24 | Microsoft’s June 2024 Patch Tuesday has 49 vulnerabilities, 24 of which are Elevation of Privilege. | |||
15.6.24 | Decoding Router Vulnerabilities Exploited by Mirai: Insights from SonicWall’s Honeypot Data | SonicWall recently identified a significant increase in Mirai honeypot activity. In this deep dive, we explore the evolution of Mirai, who is most at risk and the best ways to mitigate attacks. | ||
15.6.24 | Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919) | The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. | ||
15.6.24 | Android's open-source ecosystem has led to an incredible diversity of manufacturers and vendors developing software that runs on a broad variety of hardware | |||
15.6.24 | DarkGate is back, if it ever left, with the latest version, the number 6, which includes new distribution methods, anti-analysis techniques and features. | |||
15.6.24 | Operation Celestial Force employs mobile and desktop malware to target Indian entities | Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. | ||
15.6.24 | Only one critical issue disclosed as part of Microsoft Patch Tuesday | The lone critical security issue is a remote code execution vulnerability due to a use-after-free issue in the HTTP handling function of Microsoft Message Queuing. | ||
15.6.24 | How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe | The spyware, called AridSpy by ESET, is distributed through websites that pose as various messaging apps, a job search app, and a Palestinian Civil Registry app | ||
15.6.24 | 560 million Ticketmaster customer data for sale? – Week in security with Tony Anscombe | |||
8.6.24 | Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks | Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult. | ||
8.6.24 | This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago. | |||
8.6.24 | Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919) | The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. | ||
8.6.24 | Decoding Router Vulnerabilities Exploited by Mirai: Insights from SonicWall’s Honeypot Data | SonicWall recently identified a significant increase in Mirai honeypot activity. In this deep dive, we explore the evolution of Mirai, who is most at risk and the best ways to mitigate attacks. | ||
8.6.24 | Over the past few months, we have been monitoring the increasing abuse of BoxedApp products in the wild. | |||
8.6.24 | The job hunter’s guide: Separating genuine offers from scams | $90,000/year, full home office, and 30 days of paid leave, and all for a job as a junior data analyst – unbelievable, right? This and many other job offers are fake though – made just to ensnare unsuspecting victims into giving up their data. | ||
8.6.24 | The murky world of password leaks – and how to check if you’ve been hit | |||
8.6.24 | What happens when facial recognition gets it wrong – Week in security with Tony Anscombe | |||
1.6.24 | STATIC UNPACKING FOR THE WIDESPREAD NSIS-BASED MALICIOUS PACKER FAMILY | Packers or crypters are widely used to protect malicious software from detection and static analysis. | ||
1.6.24 | LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader | Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, which we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups. | ||
1.6.24 | Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. | |||
1.6.24 | AI in HR: Is artificial intelligence changing how we hire employees forever? | Much digital ink has been spilled on artificial intelligence taking over jobs, but what about AI shaking up the hiring process in the meantime? | ||
1.6.24 | Beyond the buzz: Understanding AI and its role in cybersecurity | |||
25.5.24 | A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. | |||
25.5.24 | BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL | Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations. | ||
25.5.24 | Sharp Dragon’s (Formerly referred to as Sharp Panda) operations continue, expanding their focus now to new regions – Africa and the Caribbean. | |||
25.5.24 | From trust to trickery: Brand impersonation over the email attack vector | Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. | ||
25.5.24 | Mandatory reporting for ransomware attacks? – Week in security with Tony Anscombe | As the UK mulls new rules for ransomware disclosure, what would be the wider implications of such a move, how would cyber-insurance come into play, and how might cybercriminals respond? | ||
25.5.24 | Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries | |||
25.5.24 | Untangling the hiring dilemma: How security solutions free up HR processes | |||
18.5.24 | In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. | |||
18.5.24 | This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. | |||
18.5.24 | PDF (Portable Document Format) files have become an integral part of modern digital communication. Renowned for their universality and fidelity, PDFs offer a robust platform for sharing documents across diverse computing environments | |||
18.5.24 | Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. | |||
18.5.24 | The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. | |||
18.5.24 | Commercial spyware tools can threaten democratic values by enabling governments to conduct covert surveillance on citizens, undermining privacy rights and freedom of expression. | |||
18.5.24 | Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. | |||
18.5.24 | A new alert system from CISA seems to be effective — now we just need companies to sign up | Under a pilot program, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s KEV catalog. | ||
18.5.24 | The who, where, and how of APT attacks – Week in security with Tony Anscombe | This week, ESET experts released several research publications that shine the spotlight on a number of notable campaigns and broader developments on the threat landscape | ||
18.5.24 | To the Moon and back(doors): Lunar landing in diplomatic missions | |||
11.5.24 | Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution | Two vulnerabilities in this group — one in the Tinyproxy HTTP proxy daemon and another in the stb_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. | ||
11.5.24 | We spoke to climate scientist Katharine Hayhoe about intersections between climate action, human psychology and spirituality, and how to channel anxiety about the state of our planet into meaningful action. | |||
11.5.24 | In it to win it! WeLiveSecurity shortlisted for European Security Blogger Awards | |||
11.5.24 | It's a wrap! RSA Conference 2024 highlights – Week in security with Tony Anscombe | |||
11.5.24 | How to inspire the next generation of scientists – Unlocked 403: Cybersecurity podcast | |||
11.5.24 | The hacker’s toolkit: 4 gadgets that could spell security trouble | |||
4.5.24 | It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise | Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. | ||
4.5.24 | Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. | |||
4.5.24 | Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files. | |||
4.5.24 | Nutland says he goes into every engagement or new project with a completely open mind and a blank slate — using his background investigating terror operations to find out as much as he can about a particular adversary’s operation. | |||
4.5.24 | Organizations that fall victim to a ransomware attack are often caught between a rock and a hard place, grappling with the dilemma of whether to pay up or not. | |||
4.5.24 | MDR: Unlocking the power of enterprise-grade security for businesses of all sizes | |||
4.5.24 | How space exploration benefits life on Earth: Q&A with David Eicher | We spoke to Astronomy magazine editor-in-chief David Eicher about key challenges facing our planet, the importance of space exploration for humanity, and the possibility of life beyond Earth. | ||
4.5.24 | The investigation uncovered at least 40,000 phishing domains that were linked to LabHost and tricked victims into handing over their sensitive details. | |||
28.4.24 | Talos IR trends: BEC attacks surge, while weaknesses in MFA persist | Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. | ||
28.4.24 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. | ||
28.4.24 | Suspected CoralRaider continues to expand victimology using three information stealers | Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host. | ||
28.4.24 | Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe | |||
28.4.24 | Gripped by Python: 5 reasons why Python is popular among cybersecurity professionals | |||
28.4.24 | What makes Starmus unique? A Q&A with award-winning filmmaker Todd Miller | |||
28.4.24 | The vision behind Starmus – A Q&A with the festival’s co-founder Garik Israelian | |||
28.4.24 | Protecting yourself after a medical data breach – Week in security with Tony Anscombe | |||
20.4.24 | The Windows Registry Adventure #2: A brief history of the feature | Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. | ||
20.4.24 | The Windows Registry Adventure #1: Introduction and research results | In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. | ||
20.4.24 | Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was... | |||
20.4.24 | OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal | The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. | ||
20.4.24 | Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials | Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the identification of these attacks. Cisco Talos is actively monitoring a global increase in brute | ||
20.4.24 | The many faces of impersonation fraud: Spot an imposter before it’s too late | What are some of the most common giveaway signs that the person behind the screen or on the other end of the line isn’t who they claim to be? | ||
13.4.24 | Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 | Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly. | ||
13.4.24 | Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. | |||
13.4.24 | Starry Addax targets human rights defenders in North Africa with new malware | Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware. | ||
13.4.24 | Vulnerability in some TP-Link routers could lead to factory reset | There are also two out-of-bounds write vulnerabilities in the AMD Radeon user mode driver for DirectX 11. | ||
13.4.24 | eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe | Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit | ||
13.4.24 | Beyond fun and games: Exploring privacy risks in children’s apps | |||
13.4.24 | eXotic Visit campaign: Tracing the footprints of Virtual Invaders | |||
6.4.24 | THE ILLUSION OF PRIVACY: GEOLOCATION RISKS IN MODERN DATING APPS | Dating apps often use location data to show nearby users and their distances. However, openly sharing distances can lead to security issues. | ||
6.4.24 | BEYOND IMAGINING – HOW AI IS ACTIVELY USED IN ELECTION CAMPAIGNS AROUND THE WORLD | Deepfake materials (convincing AI-generated audio, video, and images that deceptively fake or alter the appearance, voice, or actions of political candidates) are often disseminated shortly before election dates to limit the opportunity for fact-checkers to respond. | ||
6.4.24 | AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES | When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted. | ||
6.4.24 | In recent months, Check Point Research (CPR) has been closely monitoring the activity of a Chinese-nexus cyber espionage threat actor who is focusing on Southeast Asia, Africa, and South America. | |||
6.4.24 | Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. | |||
6.4.24 | Adversaries are leveraging remote access tools now more than ever — here’s how to stop them | While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. | ||
6.4.24 | The devil is in the fine print – Week in security with Tony Anscombe | Temu's cash giveaway where people were asked to hand over vast amounts of their personal data to the platform puts the spotlight on the data-slurping practices of online services today | ||
31.3.24 | On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. | |||
31.3.24 | Unit 42 researchers have discovered a new Broken Object Level Authorization (BOLA) vulnerability that impacts Grafana versions from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. | |||
31.3.24 | RDP remains a security concern – Week in security with Tony Anscombe | Much has been written about the risks that poorly-secured RDP connections entail, but many organizations continue to leave themselves at risk and get hit by data breaches as a result | ||
31.3.24 | Cybercriminals play dirty: A look back at 10 cyber hits on the sporting world | |||
31.3.24 | Cybersecurity starts at home: Help your children stay safe online with open conversations | |||
23.3.24 | StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. | |||
23.3.24 | Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention | This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens | ||
23.3.24 | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor | This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). | ||
23.3.24 | ETHEREUM’S CREATE2: A DOUBLE-EDGED SWORD IN BLOCKCHAIN SECURITY | Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds. | ||
23.3.24 | New details on TinyTurla’s post-compromise activity reveal full kill chain | We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. | ||
23.3.24 | Netgear wireless router open to code execution after buffer overflow vulnerability | There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. | ||
23.3.24 | The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions | Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later. | ||
23.3.24 | Threat actors leverage document publishing sites for ongoing credential and session token theft | Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. | ||
23.3.24 | “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years | In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. | ||
23.3.24 | Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word | Research conducted by Cisco Talos last year uncovered multiple vulnerabilities rated as low severity despite their ability to allow for full arbitrary code execution. | ||
23.3.24 | There are a few reasons why we’re so ready to jump to the “it’s a cyber attack!” | |||
23.3.24 | Another Patch Tuesday with no zero-days, only two critical vulnerabilities disclosed by Microsoft | March’s Patch Tuesday is relatively light, containing 60 vulnerabilities — only two labeled “critical.” | ||
23.3.24 | It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April. | |||
23.3.24 | AceCryptor attacks surge in Europe – Week in security with Tony Anscombe | The second half of 2023 saw massive growth in AceCryptor-packed malware spreading in the wild, including courtesy of multiple spam campaigns where AceCryptor packed the Rescoms RAT | ||
23.3.24 | A prescription for privacy protection: Exercise caution when using a mobile health app | |||
17.3.24 | This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. | |||
17.3.24 | Healthcare still a prime target for cybercrime gangs – Week in security with Tony Anscombe | Healthcare organizations remain firmly in attackers' crosshairs, representing 20 percent of all victims of ransomware attacks among critical infrastructure entities in | ||
17.3.24 | Threat intelligence explained | Unlocked 403: A cybersecurity podcast | |||
17.3.24 | Election cybersecurity: Protecting the ballot box and building trust in election integrity | |||
9.3.24 | Muddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. | |||
9.3.24 | MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES | Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. | ||
9.3.24 | GhostSec’s joint ransomware operation and evolution of their arsenal | Cisco Talos observed a surge in the malicious activities of the hacking group GhostSec over the past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. | ||
9.3.24 | The 3 most common post-compromise tactics on network infrastructure | We discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. | ||
9.3.24 | The bulk of her career was with a manufacturing company working as a security and email administrator, but she uses her criminal justice degree daily now with Talos IR helping to track down bad actors or helping customers understand adversaries’ motivation and tactics. | |||
9.3.24 | APT attacks taking aim at Tibetans – Week in security with Tony Anscombe | Evasive Panda has been spotted targeting Tibetans in several countries and territories with payloads that included a previously undocumented backdoor ESET has named Nightdoor | ||
9.3.24 | ESET researchers uncover strategic web compromise and supply-chain attacks targeting Tibetans | |||
9.3.24 | Top 10 scams targeting seniors – and how to keep your money safe | |||
9.3.24 | Irresistible: Hooks, habits and why you can’t put down your phone | Struggle to part ways with your tech? You’re not alone. Here’s why your devices are your vices. | ||
3.3.24 | Palo Alto Networks customers are better protected from the malware samples in this tutorial through Cortex XDR and XSIAM. | |||
3.3.24 | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users | First identified in 2004, Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. | ||
3.3.24 | We explore cloud lateral movement techniques in all three major cloud providers: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, highlighting their differences compared to similar techniques in on-premises environments. | |||
3.3.24 | TimbreStealer campaign targets Mexican users with financial lures | Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. | ||
3.3.24 | Deceptive AI content and 2024 elections – Week in security with Tony Anscombe | As the specter of AI-generated disinformation looms large, tech giants vow to crack down on fabricated content that could sway voters and disrupt elections taking place around the world this year | ||
3.3.24 | Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses | |||
25.2.24 | Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns | On Feb. 16, 2024, someone uploaded data to GitHub that included possible internal company communications, sales-related materials and product manuals belonging to the Chinese IT security services company i-Soon, also known as Anxun Information Technology. | ||
25.2.24 | Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today. | |||
25.2.24 | 2024 Unit 42 Incident Response Report: Navigating the Shift in Cybersecurity Threat Tactics | Our annual survey of incident data from more than 250 organizations and more than 600 incidents provides a Unit 42 perspective on the current state of security exposures. | ||
25.2.24 | Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) | Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. | ||
25.2.24 | Rising Threats: Cybersecurity landscape faces an unprecedented surge in ransomware attacks, with 1 in every 10 organizations globally being targeted in 2023. | |||
25.2.24 | TinyTurla-NG in-depth tooling and command and control analysis | Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. | ||
25.2.24 | How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity | While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context. | ||
25.2.24 | Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns | Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. | ||
25.2.24 | PSYOP campaigns targeting Ukraine – Week in security with Tony Anscombe | Coming in two waves, the campaign sought to demoralize Ukrainians and Ukrainian speakers abroad with disinformation messages about war-related subjects | ||
25.2.24 | Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war | |||
25.2.24 | Watching out for the fakes: How to spot online disinformation | |||
18.2.24 | Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon) | Insidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. | ||
18.2.24 | This article provides technical analysis on a zero-day vulnerability affecting QNAP Network Attached Storage (NAS) devices. | |||
18.2.24 | THE RISKS OF THE #MONIKERLINK BUG IN MICROSOFT OUTLOOK AND THE BIG PICTURE | Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. | ||
18.2.24 | This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. | |||
18.2.24 | How are attackers using QR codes in phishing emails and lure documents? | QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after. | ||
18.2.24 | Cyber-insurance and vulnerability scanning – Week in security with Tony Anscombe | Here's how the results of vulnerability scans factor into decisions on cyber-insurance and how human intelligence comes into play in the assessment of such digital signals | ||
18.2.24 | The art of digital sleuthing: How digital forensics unlocks the truth | |||
18.2.24 | Deepfakes in the global election year of 2024: A weapon of mass deception? | |||
10.2.24 | The ransomware landscape experienced significant transformations and challenges in 2023. | |||
10.2.24 | Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time. | |||
10.2.24 | New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization | Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. | ||
10.2.24 | You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can 'log on' with valid account details, and outline our recommendations for defense. | |||
10.2.24 | OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges | Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. | ||
10.2.24 | Ransomware payments hit a record high in 2023 – Week in security with Tony Anscombe | Called a "watershed year for ransomware", 2023 marked a reversal from the decline in ransomware payments observed in the previous year | ||
10.2.24 | Left to their own devices: Security for employees using personal devices for work | |||
10.2.24 | Could your Valentine be a scammer? How to avoid getting caught in a bad romance | |||
4.2.24 | Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. | |||
4.2.24 | ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign | Unit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs) and other scam pages. Among these PUPs, we have identified several adware programs including a rogue browser and different browser extensions. | ||
4.2.24 | Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. | |||
4.2.24 | During our research discovering threats in legitimate network traffic, activity generated by a certain type of Android Package Kit (APK) files kept hitting our radar. This activity led us to conduct an in-depth investigation on the associated APK files. Our research revealed a family of malicious APKs targeting Chinese users that steals victim information and conducts financial fraud. | |||
4.2.24 | Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter. | |||
4.2.24 | OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges | Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Ve | ||
4.2.24 | Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers | Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. | ||
4.2.24 | Grandoreiro banking malware disrupted – Week in security with Tony Anscombe | The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows | ||
4.2.24 | ESET Research Podcast: ChatGPT, the MOVEit hack, and Pandora | |||
4.2.24 | ESET takes part in global operation to disrupt the Grandoreiro banking trojan | |||
4.2.24 | Blackwood hijacks software updates to deploy NSPX30 – Week in security with Tony Anscombe | |||
4.2.24 | NSPX30: A sophisticated AitM-enabled implant evolving since 2005 | |||
4.2.24 | Break the fake: The race is on to stop AI voice cloning scams | |||
20.1.24 | This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders. It specifically focuses on more than 100 highly popular projects, aiming its attacks at token holders. | |||
20.1.24 | A traffic direction system (TDS) nicknamed Parrot TDS has been publicly reported as active since October 2021. Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server. This TDS is easily identifiable by keywords found in the injected JavaScript that we will explore to show the evolution of this threat. | |||
20.1.24 | Why many CISOs consider quitting – Week in security with Tony Anscombe | The job of a CISO is becoming increasingly stressful as cybersecurity chiefs face overwhelming workloads and growing concerns over personal liability for security failings | ||
20.1.24 | Is Temu safe? What to know before you ‘shop like a billionaire’ | |||
20.1.24 | The 7 deadly cloud security sins and how SMBs can do things better | |||
14.1.24 | During our research discovering threats in legitimate network traffic, activity generated by a certain type of Android Package Kit (APK) files kept hitting our radar. | |||
14.1.24 | Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. | |||
14.1.24 | Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer | Malware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. | ||
14.1.24 | For a malware researcher, analyst, or reverse engineer, the ability to alter the functionality of certain parts of code is a crucial step, often necessary to reach a meaningful result during the analysis process. | |||
14.1.24 | New decryptor for Babuk Tortilla ransomware variant released | Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. | ||
14.1.24 | Lessons from SEC's X account hack – Week in security with Tony Anscombe | The cryptocurrency rollercoaster never fails to provide a thrilling ride – this week it was a drama surrounding the hack of SEC's X account right ahead of the much-anticipated decision about Bitcoin ETFs | ||
14.1.24 | A peek behind the curtain: How are sock puppet accounts used in OSINT? | |||
14.1.24 | Attack of the copycats: How fake messaging apps and app mods could bite you | |||
14.1.24 | Love is in the AI: Finding love online takes on a whole new meaning | Is AI companionship the future of not-so-human connection – and even the cure for loneliness? | ||
14.1.24 | Cybersecurity trends and challenges to watch out for in 2024 – Week in security with Tony Anscombe | |||
14.1.24 | Say what you will? Your favorite speech-to-text app may be a privacy risk |