January(137)  February(207)  March(430) April(317) May(278)  June(186)

DATE

NAME

CATEGORY

SUBCATE

INFO

April 9, 2024—KB5036893 (OS Builds 22621.3447 and 22631.3447)

The new end date is June 24, 2025 for Windows 11, version 22H2 Enterprise and Education editions. Home and Pro editions of version 22H2 will receive non-security preview updates until June, 26, 2024.

April 9, 2024—KB5036892 (OS Builds 19044.4291 and 19045.4291)

IMPORTANT The following editions of Windows 10, version 21H2 will reach end of service on June 11, 2024: Windows 10 Enterprise and Education,Windows 10 IoT Enterprise, Windows 10 Enterprise multi-session,

After that date, these devices will not receive monthly security and quality updates. These updates contain protections from the latest security threats.

Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers

Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. The tool has been known to be exploited by various threat actors for a long while now. In a recently reported campaign, Meterpreter has been observed being deployed to vulnerable or misconfigured Redis servers. The attackers have also been using a privilege escalation tool called PrintSpoofer. Meterpreter deployment to vulnerable servers is an initial attack step that might lead to deployment of further arbitrary payloads such as cryptominers or ransomware.

Nitrogen malware delivery campaign

A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads and the malware binaries are masqueraded as PuTTY or FileZilla software installers. Nitrogen uses DLL sideloading to infect the targeted system. Once deployed this malware is generally used to gain initial access allowing network compromise and additional arbitrary payload deployments.

Open Source Medicine Ordering System v1.0 - SQLi

Daily Expense Manager 1.0 - 'term' SQLi

Best Student Result Management System v1.0 - Multiple SQLi

Human Resource Management System v1.0 - Multiple SQLi

Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass

Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload

AnyDesk 7.0.15 - Unquoted Service Path

Quick CMS v6.7 en 2023 - 'password' SQLi

BatCloak

Analyzing the FUD Malware Obfuscation Engine BatCloak

Trick Developers Detected in an Open Source Supply Chain Attack

In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub's search functionality, and using meticulously crafted repositories to distribute malware.

CVE-2023-45590

[FortiClient Linux] Remote Code Execution due to dangerous nodejs configuration

Virtual Invaders

There is no indication that this campaign is linked to any known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders.

XploitSPY RAT

eXotic Visit campaign: Tracing the footprints of Virtual Invaders

eXotic Visit

ESET researchers uncovered the eXotic Visit espionage campaign that targets users mainly in India and Pakistan with seemingly innocuous apps

Raspberry Robin

Raspberry Robin Now Spreading Through Windows Script Files

Residual Attack Surface of Cross-privilege Spectre v2

We present InSpectre Gadget, an in-depth Spectre gadget inspector that uses symbolic execution to accurately reason about exploitability of usable gadgets. Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way.

Linux kernel on Intel systems is susceptible to Spectre v2 attacks

A new cross-privilege Spectre v2 vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered.

Smoke

Smoke and (screen) mirrors: A strange signed backdoor

CVE-2024-26234 

(CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability

CVE-2024-29988 

(CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass Vulnerability

CVE-2024-21412

Internet Shortcut Files Security Feature Bypass Vulnerability

CVE-2024-29990 

Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

BatBadBut

BatBadBut: You can't securely execute commands on Windows

CVE-2024-24576

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.

SpyNote mobile malware spread under the disguise of INPS Mobile application

A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. INPS (National Institute for Social Security) is the main social security organisation in Italy and the INPS Mobile app gives INPS users access to various consultation and documentation services. The malicious app disguised as INPS mobile is distributed via a phishing page that resembles the official INPS website. The SpyNote malware payload has various capabilities including keylogging, SMS theft, screenshot grabbing, call recording or installation of additional arbitrary payloads.

Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services

A new infostealer distribution campaign has been reported in the wild with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. The advertisements lead victims to download malicious software disguised as desktop versions of the mentioned AI programs. Nova Stealer, Rilide Stealer V4, Vidar and IceRAT were among the infostealing payloads distributed in this campaign, which have been known to target users from various European countries.

Starry Addax

Starry Addax targets human rights defenders in North Africa with new malware

CVE-2023-6320

vulnerability lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.

CVE-2023-6319

A third vulnerability allows operating system command injection by manipulating a library responsible with showing music lyrics.

CVE-2023-6318

Another vulnerability allows attackers to elevate the access they gained in the first step to root and fully take over the device

CVE-2023-6317

vulnerability that lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7. By setting a variable, the attacker can add an extra user to the TV set

ScrubCrypt

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins

CVE-2024-3273

A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely.

CVE-2024-3272

A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials.

V8 Sandbox

The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space ("the sandbox"), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).

CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited

A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. The threat actor utilized an Arbitrary Code Execution (ACE) vulnerability within a third-party Perl module called 'Spreadsheet ParseExcel' to deploy a specially crafted Excel email attachment targeting a limited number of ESG devices. Barracuda has observed new variants of SEASPY and SALTWATER malware being deployed on these ESG devices.

New phishing run spoofs International Card Services (ICS)

TISAK Ransomware

TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends .Tisak extension to the files. Upon completed encryption process a ransom note text file called Tisak_Help.txt is dropped within the encrypted locations on the infected machine. The malware has the functionality to stop various system processes and services as well as delete volume shadow copies. The threat actors behind this ransomware variant threaten the victims with data publication if the requested ransom demands are not met.

Spoofed Adobe Creative Cloud email notifications appear in phish runs

Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. Lately, Symantec has observed phishing runs that impersonate Adobe Creative Cloud and entice users to open fake notifications emails. The email body content is kept short and mentions a pending document stored in the cloud. These phish emails make an attempt to lure users to open and click on phish URLs. Upon clicking on the phish URLs presented in the email content, the victims are served with credential harvesting webpages.

CVE-2023-41266 A path traversal vulnerability in Qlik Sense Enterprise under active exploitation

CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. Symantec's network protection technology, Intrusion Prevention System (IPS) has picked up scans based on threat landscape monitoring, which indicate a recent uptick in exploitation of this vulnerability. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

Xamalicious Android malware

Xamalicious is a backdoor malware targeting the Android platform. The malware is built using Xamarin framework which is an open source platform for creating apps with .NET and C#. The malware has been previously distributed by various apps hosted on Google Play and some other 3rd party platforms. Xamalicious has the functionality to collect information about the infected device including hardware info, list of installed applications, geolocation info and network provider data, among others. Second stage payload might allow the attackers to take full control of the infected device and to perform additional fraudulent tasks.

Binance Turkey Users Lured with MASAK Audit Scare

More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. The social engineering tactic in the messages is different from other, more generic ones. Here they bait users with account issues (preventing them from buying, selling, and transferring crypto) related to an audit conducted by the Financial Crimes Investigation Board (MASAK) – a regulatory authority in Turkey responsible for combating money laundering and terrorism financing. 

Continuous activities of UAC-0099 threat group against Ukraine

"UAC-0099" is a threat group known to be targeting Ukraine since at least mid-2022. In some of the recent campaigns the attackers have been leveraging self extracting RAR .SFX archives, .LNK files masqueraded as WordPad documents as well as PowerShell scripts and a LoanPage VBS malware payload. UAC-0099 has also been observed to leverage exploitation of a known WinRAR CVE-2023-38831 vulnerability within the infection chain of their attacks.

Bandook malware - an older threat remains active in the wild

Malicious SMS Targets BDO Unibank users

Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, Symantec has observed recurrent malicious SMS in which actors are attempting to lure the bank's mobile users into providing sensitive information that will eventually lead to financial theft. This campaign, while it mostly affects consumers, has also been observed targeting corporate users.

No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign

Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive downloads, vulnerabilities, etc.) keep on going. In a recent example, an Agent Tesla malspam campaign caught Symantec's attention, with the actor impersonating Riyad Bank – a major financial institution in Saudi Arabia and one of the largest banks in the country by assets.

Truist Bank users targeted with new phishing emails

Truist Bank is one of the top U.S. commercial banks headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. The email content mentions about a "temporary hold" placed on your account that can be lifted after a proper verification is completed. It entices the user to click on the "Verify now" phish URL ready to steal credentials.

MetaStealer distributed via malvertising

MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. Recently the malware has been also seen being delivered via means of malvertising. Upon clicking on the ads, the victim gets redirected to malware landing pages masqueraded as download portals for AnyDesk or Notepad++ software. MetaStealer has the functionalities to collect various information from local browsers, steal credentials, cryptowallets, extract data from miscellaneous 3rd party applications and more.

New variant of Chameleon Android malware allows for biometric authentication bypass

Chameleon is an Android banking malware that first emerged at the beginning of 2023. The malware has been used in earlier campaigns targeting Android users in Australia and in Poland and has been distributed under the disguise of banking or cryptocurrrency apps. Chameleon's capabilities include keylogging, SMS harvesting, credential theft and cookie stealing, among others. The most recently discovered variant of this malware allows the attackers to bypass the biometric authentication on the infected device, forcing it to fallback to standard authentication means such as PIN entry and unlock the device.

Operation HamsaUpdate

Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5’s network devices. The attackers have been reported to leverage wiper malware targeting Windows servers (variant called Hatef) as well as Linux platform (variant called Hamsa).

Fictitious OnlyFans premium mobile app revealed as SpyNote

OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. Yet, the intriguing dichotomy lies in its content, which ventures into the NSFW (Not Safe For Work) territory. Many users, while capitalizing on the platform's income potential, inadvertently tread a fine line that might lead them onto Santa's naughty list.

Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery

CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw might allow attackers for remote code execution on the infected machines. Agent Tesla is a malware family observed to be still leveraging this old vulnerability in some of the recent campaigns.

Movable Type API CVE-2021-20837 vulnerability under active exploitation

CVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting Movable Type API. If successfully exploited, this vulnerability enables remote code execution.

GuLoader campaign: From Seoul to Brussels

GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. In fact, this actor has been orchestrating a substantial campaign in South Korea over the past three weeks in three waves, recently shifting focus to Belgium.

Xray Ransomware

Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. Upon successful encryption, files will be appended with a .Xray extension.

New phishing run spoofs Mexican Postal Service (Correos de Mexico)

Symantec has observed a new wave of phish runs spoofing Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. The reason for not delivering the package is stated as "failure to pay custom duties".

TA544 activities involving IDAT Loader

A new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. In their latest campaigns, the attackers have been leveraging new variants of the IDAT Loader malware to deliver various payloads such as Remcos RAT or SystemBC malware.

JaskaGO infostealer for Windows and macOS

JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, cryptowallets and others. Collected data is compressed into a .zip archive and forwarded to attackers C2 servers. Beside the info-stealing functionality JaskaGO can also execute shell commands received from attackers as well as download and run additional payloads.

Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214

CVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting Splunk Enterprise platform. Due to a flaw in processing of user-supplied extensible stylesheet language transformations (XSLT), remote attackers might be able to upload malicious XSLT resulting in remote code execution on the affected Splunk instance.

Zimbra Collaboration XSS vulnerability CVE-2023-37580

CVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting Zimbra Collaboration suite. Successful exploitation of the vulnerability may allow an attacker to compromise the confidentiality and integrity of the target system by means of malicious scripts injection.

Play Ransomware - latest attacks against enterprises

Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. Play ransomware has been discovered back in June 2022, and since that time it has been used in multiple high-profile attacks.

"No One Was Home" themed Evri phishing emails are making the rounds

Evri is a parcel delivery company based in United Kingdom. As the holiday season has started, spoofed emails masqueraded as Evri parcel notifications have been observed. These emails entice the users to click phishing URLs in order to reschedule the delivery as "no one was home". The phishing URLs are constructed using hijacked domains and with a sole purpose of stealing credentials.

CVE-2023-49070 Apache OFBiz RCE vulnerability

CVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. Successful exploitation of the vulnerability grants the attacker complete control over the server, allowing them to steal sensitive data, disrupt operations, or even launch further attacks against the organization’s network. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

African based telecommunications organizations targeted by Iranian Seedworm group

The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, which occurred in November 2023, leveraged some new and some existing features previously attributed to Seedworm.

Fake NordVPN Installer Delivering SecTopRAT

While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. This malware is pretty much the same as many stealers that abuse both Discord and Telegram to report to the actors and exfiltrate stolen information.

Latrodectus

SecTopRAT

CVE-2024-3273

CVE-2024-20720

HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Quick CMS v6.7 en 2023 - 'password' SQLi

Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)

Computer Laboratory Management System v1.0 - Multiple-SQLi

ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path

Axigen < 10.5.7 - Persistent Cross-Site Scripting

Gibbon LMS v26.0.00 - SSTI vulnerability

Casdoor < v1.331.0 - '/api/set-password' CSRF

Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

Smart School 6.4.1 - SQL Injection

CE Phoenix v1.0.8.20 - Remote Code Execution

Elementor Website Builder < 3.12.2 - Admin+ SQLi

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

Daily Habit Tracker 1.0 - Broken Access Control

Daily Habit Tracker 1.0 - SQL Injection

Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)

Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

GL-iNet MT6000 4.5.5 - Arbitrary File Download

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

OpenCart Core 4.0.2.3 - 'search' SQLi

ASUS Control Center Express 01.06.15 - Unquoted Service Path

Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

New JsOutProx malware variant observed in campaigns targeted at financial sector

A new JsOutProx malware variant has been observed in recent campaigns targeted at financial sector in the Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. While in the past the group has been using GitHub repositories to host the malicious payloads, the latest attacks leverage repositories on the GitLab platform instead.

Byakugan malware

Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of a Adobe Reader installer. The malware receives commands from a remote C2 server that also acts as attacker's control panel. Byakugan's functionality includes keylogging, screen capture, coin mining, theft of information stored in the web browsers and arbitrary file download, among others.

Phorpiex malware campaign targets finance sector in Europe and North America

A malware campaign distributing Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. As part of the attack, shortcut files with embedded malicious macros are used to infect user systems and download additional malware payloads. Phorpiex can work without an active C2 server and is mainly used to steal cryptocurrency using the crypto-clipping technique.

Indonesia – Wedding invites used as lure by an SMS thief

In mid-2023, an actor have been observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. Over the past few months, more of these malicious applications have been detected. The malware's primary goal is to collect SMS messages and send them to the author's Telegram channel via a Telegram bot API.

Latrodectus malware

Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. The loader is mostly used in the initial stages of the attacks to execute remote commands and to download additional payloads. Notably, its distribution campaigns exhibit similarities with previous IcedID operations in techniques and infrastructure usage.

Backdoor code found in XZ Utils library

On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. The malicious code, tracked as CVE-2024-3094, is embedded in XZ Utils versions 5.6.0 and 5.6.1. and could allow remote, malicious actors to break sshd authentication and gain unauthorized access to the entire impacted system.

MacOS Users targeted with Infostealers

MacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. This website installs an infostealer capable of extracting users' keychain data, credentials stored in web browsers, and information from cryptocurrency wallets.

TA588 continues espionage activities in Latin America

The TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. This malware is equipped with functionalities for harvesting sensitive data and gaining remote control over compromised systems.

YouTube Hijacking: Rise in Attack Campaigns Distributing Infostealers

An increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute Vidar and LummaC2 Infostealer malwares. Users are lured with videos purporting to offer cracked versions of everyday programs like Adobe. Links provided in the comments section lead to malicious packages uploaded to MediaFire. Consequently, users unwittingly become infected by downloading and executing malicious code instead of the desired program.

CVE-2024-21893

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE-2023-46805

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

UTA0178

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting.

Rhadamanthys

Rhadamanthys Malware Disguised as Groupware Installer (Detected by MDS)

JSOutProx RAT

Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies

JSOutProx

Resecurity has detected a new version of JSOutProx, targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine.

Byakugan

Byakugan – The Malware Behind a Phishing Attack

VietCredCare 

Extra credit: VietCredCare information stealer takes aim at Vietnamese businesses

CoralRaider

CoralRaider targets victims’ data and social media accounts

AGENT TESLA

AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES

StrelaStealer

SonicWall Capture Labs threat research team has observed an updated variant of StrelaStealer. StrelaStealer is an infostealer malware known for targeting Spanish-speaking users and focuses on stealing email account credentials from Outlook and Thunderbird.

Sync-Scheduler

This study provides a detailed overview of Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. This paper explores the workings of Sync-Scheduler, how it avoids detection, and creates a strong payload.

Rhadamanthys

Recently Updated Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign

CVE-2024-2758

Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.

CVE-2024-27983

CVE-2024-28182

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream.

CVE-2023-45288

CVE-2024-30255

CVE-2024-27919 

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded.

CVE-2024-31309

CVE-2024-24549

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

CVE-2024-27316

CVE-2024-2653

amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.

VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks

HTTP allows messages to include named fields in both header and trailer sections. These header and trailer fields are serialised as field blocks in HTTP/2, so that they can be transmitted in multiple fragments to the target implementation

HTTP/2 ‘Rapid Reset’ DDoS attack

A number of Google services and Cloud customers have been targeted with a novel HTTP/2-based DDoS attack which peaked in August. These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.

HTTP/2 CONTINUATION Flood

tl;dr: Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation.

CVE-2024-22023

SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023 (XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

CVE-2024-22053

(CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

CVE-2024-22052 

(CVSS score: 7.5) - A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.

CVE-2024-21894

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code.

CVE-2024-29748

Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2024-29745 

In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software potentially exposes authentication tokens during the token validation process. This exposure happens when either Splunk Enterprise runs in debug mode or the JsonWebToken component has been configured to log its activity at the DEBUG logging level.

Mispadu

Malware

Banking

Breaking Boundaries: Mispadu's Infiltration Beyond LATAM

CVE-2024-2879

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

Napoli Ransomware

ALERTS

Ransom

Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints.

Emergence of new Vultur banking trojan variant in mobile threat landscape

ALERTS

Virus

A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. In the recent campaign, victims are lured into installing a trojanized version of a security app via a link sent through SMS, along with instructions provided via a phone call.

Indonesian Businesses Targeted in an Agent Tesla Campaign

ALERTS

Virus

Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries.

XZ Backdoor

Malware

Backdoor

Everything I Know About the XZ Backdoor

UNAPIMON

Malware

Backdoor

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

Cuckoobees

Operation

Operation

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.

Earth Freybug

Group

Group

This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.

VenomRAT

Malware

RAT

VenomRAT: A remote access tool with dangerous consequences

PROXYLIB

Malware

APP

Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes

Vultur

Android Malware Vultur Expands Its Wingspan