DATE | NAME | Info | CATEG. | WEB |
2.11.24 | Attacker Abuses Victim Resources to Reap Rewards from Titan Network | In this blog entry, we discuss how an attacker took advantage of the Atlassian Confluence vulnerability CVE-2023-22527 to connect servers to the Titan Network for cryptomining purposes. | Vulnerability blog | |
2.11.24 | Unmasking Prometei: A Deep Dive Into Our MXDR Findings | How does Prometei insidiously operate in a compromised system? This Managed Extended Detection and Response investigation conducted with the help of Trend Vision One provides a comprehensive analysis of the inner workings of this botnet so users can stop the threat in its tracks before it inflicts damage to the system. | BotNet blog | |
2.11.24 | Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach | In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. | Cryptocurrency blog | |
2.11.24 | Attackers Target Exposed Docker Remote API Servers With perfctl Malware | We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. | Malware blog | |
2.11.24 | Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network | Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). | Hacking blog | Microsoft Blog |
2.11.24 | New Iranian-based Ransomware Group Charges $2000 for File Retrieval | The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment. | Ransom blog | SonicWall |
2.11.24 | Command Injection and Local File Inclusion in Grafana: CVE-2024-9264 | The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data. | Vulnerability blog | SonicWall |
2.11.24 | Code Injection in Spring Cloud: CVE-2024-37084 | The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. | Vulnerability blog | SonicWall |
2.11.24 | A Look Into Embargo Ransomware, Another Rust-based Ransomware | Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom is paid. | Malware blog | SonicWall |
2.11.24 | HORUS Protector Part 1: The New Malware Distribution Service | Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others. | Malware blog | SonicWall |
2.11.24 | VMware vCenter Server CVE-2024-38812 DCERPC Vulnerability | CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when memory allocated in the heap is improperly overwritten, leading to unpredictable behavior that could be exploited. | Vulnerability blog | SonicWall |
2.11.24 | Insecure Deserialization in Veeam Backup and Replication: CVE-2024-40711 | The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors. | Vulnerability blog | SonicWall |
2.11.24 | Jumpy Pisces Engages in Play Ransomware | Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius). | Ransom blog | Palo Alto |
2.11.24 | Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction | This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content. | AI blog | Palo Alto |
2.11.24 | Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism | Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. A bypass of Gatekeeper could leave the user unprotected from risky applications that may attempt to execute malicious content. | OS Blog | Palo Alto |
2.11.24 | Talos IR trends Q3 2024: Identity-based operations loom large | Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance - read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions. | Cyber blog | Cisco Blog |
2.11.24 | Threat actors use copyright infringement phishing lure to deploy infostealers | * Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. * The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the | Phishing blog | Cisco Blog |
2.11.24 | Threat Spotlight: WarmCookie/BadSpace | WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. | Malware blog | Cisco Blog |
2.11.24 | Threat actor abuses Gophish to deliver new PowerRAT and DCRAT | Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. | Malware blog | Cisco Blog |
2.11.24 | NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities | Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits. For Snort coverage that can detect the exploitation of | Vulnerability blog | Cisco Blog |
2.11.24 | Writing a BugSleep C2 server and detecting its traffic with Snort | This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. | Cyber blog | Cisco Blog |
2.11.24 | How LLMs could help defenders write better and faster detection | Can LLM tools actually help defenders in the cybersecurity industry write more effective detection content? Read the full research | AI blog | Cisco Blog |
2.11.24 | Highlighting TA866/Asylum Ambuscade Activity Since 2021 | TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020. | Cyber blog | Cisco Blog |
2.11.24 | UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants | Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities | BigBrother blog | Cisco Blog |
2.11.24 | Protecting major events: An incident response blueprint | Go behind the scenes with Talos incident responders and learn from what we've seen in the field. | Incident blog | Cisco Blog |
2.11.24 | Ghidra data type archive for Windows driver functions | Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types. | Malware blog | Cisco Blog |
2.11.24 | Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project | Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments. | Vulnerability blog | Cisco Blog |
2.11.24 | Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities | The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity. | Vulnerability blog | Cisco Blog |
2.11.24 | Are hardware supply chain attacks “cyber attacks?” | It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. | Hacking blog | Cisco Blog |
2.11.24 | Breaking Boundaries: Investigating Vulnerable Drivers and Mitigating Risks | Have you ever wondered why there are so many vulnerable drivers and what might be causing them to be vulnerable? Do you want to understand why some drivers are prone to crossing security boundaries and how we can stop that? | Vulnerability blog | Checkpoint |
2.11.24 | Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum | Beginning in early August, Check Point Research observed a cyber-enabled disinformation campaign primarily targeting Moldova’s government and education sectors. Acting ahead of Moldova’s elections on October 20th, attackers behind this campaign likely seek to foster negative perceptions of European values and the EU membership process in addition to Moldova’s current pro-European leadership, with the intent of influencing the outcome of the upcoming fall elections and national referendum. | BigBrother blog | Checkpoint |
2.11.24 | From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code | In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. | Vulnerability blog | Project Zero |
2.11.24 | The Windows Registry Adventure #4: Hives and the registry layout | To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. | Vulnerability blog | Project Zero |
2.11.24 | Effective Fuzzing: A Dav1d Case Study | Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, and it was assigned CVE-2024-1580. | Vulnerability blog | Project Zero |
2.11.24 | macOS Malware Surges as Corporate Usage Grows | As more companies adopt macOS for their corporate needs, attackers are adapting their techniques to get what they want | OS Blog | Trellix |
2.11.24 | Cyber Threats Targeting the US Government During the Democratic National Convention | Trellix global sensors detected increased threat activities during the days that the Democratic National Convention (DNC) was held in August 2024, culminating in a massive spike in detections halfway through the convention. Our data indicate that these threat activities targeted a wide range of US government organizations, including regional democratic causes, state legislative offices, legislative data centers, election boards, local law enforcement agencies, and public transportation networks. | BigBrother blog | Trellix |
2.11.24 | Month in security with Tony Anscombe – October 2024 edition | Election interference, American Water and the Internet Archive breaches, new cybersecurity laws, and more – October saw no shortage of impactful cybersecurity news stories | Cyber blog | |
2.11.24 | How to remove your personal information from Google Search results | Have you ever googled yourself? Were you happy with what came up? If not, consider requesting the removal of your personal information from search results. | Cyber blog | |
2.11.24 | Don't become a statistic: Tips to help keep your personal data off the dark web | You may not always stop your personal information from ending up in the internet’s dark recesses, but you can take steps to protect yourself from criminals looking to exploit it | Cyber blog | |
2.11.24 | Tony Fadell: Innovating to save our planet | Starmus highlights | As methane emissions come under heightened global scrutiny, learn how a state-of-the-art satellite can pinpoint their sources and deliver the insights needed for targeted mitigation efforts | Security blog | |
2.11.24 | CloudScout: Evasive Panda scouting cloud services | ESET researchers discovered a previously undocumented toolset used by Evasive Panda to access and retrieve data from cloud services | APT blog | |
2.11.24 | ESET Research Podcast: CosmicBeetle | Learn how a rather clumsy cybercrime group wielding buggy malicious tools managed to compromise a number of SMBs in various parts of the world | Cyber blog | |
2.11.24 | Embargo ransomware: Rock’n’Rust | Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit | Ransom blog | |
2.11.24 | Google Voice scams: What are they and how do I avoid them? | Watch out for schemes where fraudsters trick people into sharing verification codes so they can gain access to their phone numbers | Spam blog | |
2.11.24 | Threat actors exploiting zero-days faster than ever – Week in security with Tony Anscombe | The average time it takes attackers to weaponize a vulnerability, either before or after a patch is released, shrank from 63 days in 2018-2019 to just five days last year | Exploit blog | |
2.11.24 | Protecting children from grooming | Unlocked 403 cybersecurity podcast (ep. 7) | “Hey, wanna chat?” This innocent phrase can take on a sinister meaning when it comes from an adult to a child online – and even be the start of a predatory relationship | Cyber blog | |
2.11.24 | Quishing attacks are targeting electric car owners: Here’s how to slam on the brakes | Ever alert to fresh money-making opportunities, fraudsters are blending physical and digital threats to steal drivers’ payment details | Hacking blog | |
2.11.24 | Aspiring digital defender? Explore cybersecurity internships, scholarships and apprenticeships | The world needs more cybersecurity professionals – here are three great ways to give you an ‘in’ to the ever-growing and rewarding security industry | Cyber blog | |
2.11.24 | GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe | GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe | Hacking blog | |
2.11.24 | ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms | Telekopye transitions to targeting tourists via hotel booking scam | Spam blog | |
2.11.24 | Cyber insurance, human risk, and the potential for cyber-ratings | Could human risk in cybersecurity be managed with a cyber-rating, much like credit scores help assess people’s financial responsibility? | Cyber blog | |
2.11.24 | Mind the (air) gap: GoldenJackal gooses government guardrails | ESET Research analyzed two separate toolsets for breaching air-gapped systems, used by a cyberespionage threat actor known as GoldenJackal | BigBrother blog | |
2.11.24 | The complexities of attack attribution – Week in security with Tony Anscombe | Attributing a cyberattack to a specific threat actor is a complex affair, as evidenced by new ESET research published this week | Cyber blog | |
2.11.24 | Separating the bee from the panda: CeranaKeeper making a beeline for Thailand | ESET Research details the tools and activities of a new China-aligned threat actor, CeranaKeeper, focusing on massive data exfiltration in Southeast Asia | APT blog | |
2.11.24 | Why system resilience should mainly be the job of the OS, not just third-party applications | Building efficient recovery options will drive ecosystem resilience | OS Blog | |
2.11.24 | Cybersecurity Awareness Month needs a radical overhaul – it needs legislation | Despite their benefits, awareness campaigns alone are not enough to encourage widespread adoption of cybersecurity best practices | Cyber blog | |
2.11.24 | Gamaredon's operations under the microscope – Week in security with Tony Anscombe | ESET research examines the group's malicious wares as used to spy on targets in Ukraine in the past two years | Cyber blog | |
1.11.24 | Inside Iran's Cyber Playbook: AI, Fake Hosting, and Psychological Warfare | U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 | BigBrothers | |
1.11.24 | Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned | Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone | Incident | |
1.11.24 | Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft | Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly | BotNet | |
1.11.24 | Microsoft Delays Windows Copilot+ Recall Release Over Privacy Concerns | Microsoft is further delaying the release of its controversial Recall feature for Windows Copilot+ PCs, stating it's taking the time to | OS | |
1.11.24 | New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites | Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the | Phishing | |
1.11.24 | New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics | Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its | OS | |
1.11.24 | LottieFiles Issues Warning About Compromised "lottie-player" npm Package | LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to | Hack | |
1.11.24 | LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites | A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated | Vulnerability | |