
DATE NAME INFO CATEGORY SUBCATEGORY

31.3.24 Vultur The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Malware Android
31.3.24 Atomic Stealer Infostealers continue to pose threat to macOS users Malware MacOS
30.3.24 liveSite Version 2019.1 - Remote Code Execution PHP Exploit WebApps
30.3.24 WinRAR version 6.22 - Remote Code Execution via ZIP archive Windows Exploit Remote
30.3.24 Dell Security Management Server <1.9.0 - Local Privilege Escalation Linux Exploit Local
30.3.24 Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure Hardware Exploit Remote
30.3.24 RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service Hardware Exploit DoS
30.3.24 Broken Access Control - on NodeBB v3.6.7 Multiple Exploit WebApps
30.3.24 Purei CMS 1.0 - SQL Injection PHP Exploit WebApps
30.3.24 Workout Journal App 1.0 - Stored XSS PHP Exploit WebApps
30.3.24 Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) Multiple Exploit Remote
30.3.24 LimeSurvey Community 5.3.32 - Stored XSS PHP Exploit WebApps
30.3.24 Nagios XI Version 2024R1.01 - SQL Injection Multiple Exploit WebApps
30.3.24 Wallos < 1.11.2 - File Upload RCE PHP Exploit WebApps
30.3.24 Tourism Management System v2.0 - Arbitrary File Upload PHP Exploit WebApps
30.3.24 LBT-T300-mini1 - Remote Buffer Overflow Linux Exploit Remote
30.3.24 MobileShop master v1.0 - SQL Injection Vuln. PHP Exploit WebApps
30.3.24 Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS PHP Exploit WebApps
30.3.24 SPA-CART CMS - Stored XSS PHP Exploit WebApps
30.3.24 Craft CMS 4.4.14 - Unauthenticated Remote Code Execution PHP Exploit WebApps
30.3.24 CVE-2024-20767 - Adobe ColdFusion vulnerability CVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, a development platform for building and deploying web and mobile applications. If successfully exploited, it allows unauthenticated remote attackers to read arbitrary files on the system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts to prevent further infection or damage to the system. ALERTS Vulnerability
30.3.24 Sync-Scheduler Infostealer An infostealer dubbed Sync-Scheduler, written in C++, has been reported being distributed concealed within Office document files. The malware employs file-nesting techniques to conceal its presence and is equipped with anti-analysis and defense-evasion techniques. Upon compromising a system, it searches through users' personal directories for Office documents such as Word, PowerPoint, and Excel files. ALERTS Virus
30.3.24 WarzoneRAT malware re-emerges with new samples WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan variant used by various threat groups in recent years. The malware's functionality allows for remote control, remote shell and file operations, credential theft, keylogging, UAC bypass and more. Back in February 2024 the FBI dismantled the Warzone RAT malware operation and seized the infrastructure associated with this threat. ALERTS Virus
30.3.24 TheMoon malware targets thousands of insecure routers A new malicious campaign featuring an updated version of TheMoon, a notorious malware family, has been reported. This latest variant of TheMoon appears to target insecure, outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware uses them to route traffic through a proxy service known as Faceless. ALERTS Virus
30.3.24 Beware of FlightNight A new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight", it is likely the work of the same threat actor. ALERTS Virus
30.3.24 CVE-2024-3094 Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. Vulnerability CVE
30.3.24 TheMoon Linksys Worm ("TheMoon") Captured Malware Worm
30.3.24 CVE-2024-1086 A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. Vulnerability CVE
30.3.24 WallEscape Unraveling WallEscape: A Linux Vulnerability Exposing User Passwords and Hijacking Clipboards Vulnerability CVE
30.3.24 CVE-2024-28085 wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) Vulnerability CVE
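The stdin-versus-argv gap described in the CVE-2024-28085 entry above, as an added example in Python that is not util-linux code: a caret-notation filter of the kind a wall(1)-style broadcaster needs, a model of the flawed program that applies it only to the stdin path, and the fixed variant that applies it to both. The function names, the two constructed addresses of the message, and the sample payload (an OSC 52 clipboard-write sequence, which is what the WallEscape write-up's "hijacking clipboards" refers to) are the example's own assumptions.

```python
# Added example (not util-linux code): model the CVE-2024-28085 gap where a
# wall(1)-style broadcaster filters terminal escapes on the stdin path but
# not on the argv path, and the single fix of filtering both paths.
import base64
from typing import Optional, Sequence


def sanitize_message(text: str) -> str:
    """Render control characters in caret notation so the broadcast cannot
    drive the recipient's terminal. Tab and newline are kept as layout;
    every other code point below 0x20, and DEL (0x7f), is made visible."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\t\n":
            out.append(ch)
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))   # ESC (0x1b) -> "^[", BEL -> "^G"
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def build_broadcast_vulnerable(argv: Sequence[str], stdin_text: Optional[str]) -> str:
    """Models the flawed behaviour: a message read from stdin is filtered,
    but a message supplied as command-line arguments is broadcast verbatim."""
    if argv:
        return " ".join(argv)
    return sanitize_message(stdin_text or "")


def build_broadcast_fixed(argv: Sequence[str], stdin_text: Optional[str]) -> str:
    """Both input paths go through the same filter before broadcast."""
    message = " ".join(argv) if argv else (stdin_text or "")
    return sanitize_message(message)


def contains_terminal_escape(text: str) -> bool:
    """Check a practitioner can run on the outgoing text: does it still
    carry a raw ESC byte that a terminal would interpret?"""
    return "\x1b" in text


# Constructed payload: OSC 52 asks the receiving terminal to put attacker-chosen
# text on the clipboard. ESC ] 52 ; c ; <base64> BEL
CLIPBOARD_PAYLOAD = (
    "\x1b]52;c;" + base64.b64encode(b"pasted by attacker").decode() + "\x07"
)

if __name__ == "__main__":
    for builder in (build_broadcast_vulnerable, build_broadcast_fixed):
        via_argv = builder([CLIPBOARD_PAYLOAD], None)
        via_stdin = builder([], CLIPBOARD_PAYLOAD)
        print(builder.__name__,
              "argv path safe:", not contains_terminal_escape(via_argv),
              "stdin path safe:", not contains_terminal_escape(via_stdin))
```

The point of the two builders is that the filter itself was never the problem: one code path simply bypassed it. Any audit of a setgid or setuid program that writes to other users' terminals should trace every input source (stdin, argv, environment, files) to the same sanitization routine.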

30.3.24 Darcula Out of the shadows – ’darcula’ iMessage and RCS smishing attacks target USPS and global postal services Phishing PhaaS
30.3.24 DinodasRAT DinodasRAT Linux implant targeting entities worldwide Malware RAT
28.3.24 Dropper disguised as legitimate PuTTy Software A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, although it has since been removed. It appeared just before the official PuTTY website. This ad raised suspicion due to the domain name, which was unrelated to PuTTY. ALERTS Virus
28.3.24 Mispadu Stealer extends its reach Mispadu Stealer (also known as Ursa) has shown increased activity in recent distribution campaigns. While this malware originally targeted mostly LATAM countries, the recently observed activity shows European countries being targeted as well. ALERTS Virus
28.3.24 Qilin ransomware remains an active threat in the landscape Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. Qilin is known to be distributed under a Ransomware-as-a-Service (RaaS) model with its operators often employing double extortion tactics. ALERTS Ransom
28.3.24 SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities Recent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux used by the threat actors to download and execute secondary payloads on infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns. ALERTS Virus
28.3.24 Operation FlightNight Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign Operation CyberSpy
28.3.24 CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability Vulnerability CVE
28.3.24 CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability Vulnerability CVE
28.3.24 CVE-2024-21388 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Vulnerability CVE
28.3.24 CVE-2024-21388 “CVE-2024-21388” - Microsoft Edge’s Marketing API Exploited for Covert Extension Installation Vulnerability CVE
28.3.24 CVE-2023-48022 Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. Vulnerability CVE
28.3.24 ShadowRay ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild Campaign AI
28.3.24 NARWHAL SPIDER NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. Group APT
28.3.24 Agent Tesla Agent Tesla's New Ride: The Rise of a Novel Loader Malware Loader
27.3.24 Stately Taurus APT Campaign Targeting Asian Countries Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month targeting Asian countries. Two malware packages were created and deployed for this recent attack - one is a ZIP format and the other one is a SCR file. ALERTS APT
27.3.24 VCURMS and STRRAT being delivered via links in spam messages A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. ALERTS Virus
27.3.24 ZENHAMMER: Rowhammer Attacks on AMD Zen-based Platforms Attack CPU
27.3.24 I-Soon Unmasking I-Soon | The Leak That Revealed China’s Cyber Operations Hacking Firm Hacking Firm
27.3.24 Earth Krahang Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks Group APT
27.3.24 RedAlpha Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. Campaign Campaign
27.3.24 Earth Lusca  Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections Group APT
27.3.24 BRONZE VINEWOOD DETAILS ON BRONZE VINEWOOD, IMPLICATED IN TARGETING OF THE U.S. ELECTION CAMPAIGN Group APT
27.3.24 EvilOSX Malware osx
27.3.24 Trochilus RAT Trochilus is a C++ written RAT, which is available on GitHub. Malware RAT
26.3.24 VCURMS and STRRAT being delivered via links in spam messages A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. ALERTS Virus
26.3.24 New backdoor WineLoader Phishing attacks impersonating political parties, with an invitation to a wine-tasting event as the lure for diplomats, have been used to deploy WineLoader malware. WineLoader is a new backdoor variant that shares features with BurntBatter, BeatDrop, and MuskyBeat, which are associated with APT29. Once deployed, WineLoader collects and exfiltrates gathered information from the infected machine (victim's username, process name, device name, etc.) to the C2. The C2 can then decide to execute additional modules to perform further tasks such as establishing persistence. ALERTS Virus
26.3.24 New remote control backdoor leveraging malicious drivers emerges in China In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors behind the campaign utilized malicious kernel-mode drivers to carry out exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard inputs, and downloading additional malware files such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to utilize rootkits to conceal malicious code from security tools, thereby weakening defenses and evading detection for extended periods of time. ALERTS Virus
26.3.24 Emergence of Mirai Nomi in the Threat Landscape A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats. ALERTS Botnet
26.3.24 CVE-2023-48788 (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability Vulnerability CVE
26.3.24 CVE-2021-44529 (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability Vulnerability CVE
26.3.24 CVE-2019-7256 (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability Vulnerability CVE
26.3.24 Generic and Automated Drive-by GPU Cache Attacks from the Browser Papers Papers
26.3.24 Lord Nemesis Strikes Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector Group Hacktivism
26.3.24 TA450 Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign Group APT
24.3.24 Springtail Springtail APT group abuses valid certificate of known Korean public entity Group APT
24.3.24 Kimsuky The Updated APT Playbook: Tales from the Kimsuky threat actor group Group APT
23.3.24 Implementations of UDP-based application protocols are vulnerable to network loops A novel traffic-loop vulnerability has been identified against certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable UDP-based implementation of an application protocol (e.g., DNS, NTP, TFTP), leading to denial of service (DoS) and/or abuse of resources. Alert Alert
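The traffic-loop mechanism in the entry above, as an added example in Python that is not from the advisory or from any named protocol implementation: two servers run the same handler, the attacker injects one datagram to server B with its source address spoofed as server A, and the simulation counts how many datagrams the pair exchange before going quiet. The QUERY/RESPONSE/ERROR message strings, the two TEST-NET addresses and the handler names are constructed for the example; the hardened handler applies the mitigation of never answering an error (or an unsolicited response) with another error.

```python
# Added example (not from the advisory or any real server): a two-host
# simulation of a UDP application-layer traffic loop and its mitigation.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Datagram:
    src: str        # "host:port" as carried in the IP/UDP headers (spoofable)
    dst: str
    payload: str


Handler = Callable[[Datagram], Optional[Datagram]]


def vulnerable_handler(pkt: Datagram) -> Optional[Datagram]:
    """Any datagram that is not a valid QUERY, *including an ERROR sent by the
    other server*, is answered with an ERROR addressed to the packet's source."""
    if pkt.payload.startswith("QUERY"):
        return Datagram(pkt.dst, pkt.src, "RESPONSE ok")
    return Datagram(pkt.dst, pkt.src, "ERROR unrecognized message")


def hardened_handler(pkt: Datagram) -> Optional[Datagram]:
    """Never reply to an ERROR or to an unsolicited RESPONSE; dropping them
    silently is what breaks the loop."""
    if pkt.payload.startswith("QUERY"):
        return Datagram(pkt.dst, pkt.src, "RESPONSE ok")
    if pkt.payload.startswith(("ERROR", "RESPONSE")):
        return None
    return Datagram(pkt.dst, pkt.src, "ERROR unrecognized message")


def simulate(handler: Handler, injected: Datagram, max_datagrams: int = 1000) -> int:
    """Deliver one attacker datagram, then let the two servers (both running
    `handler`) answer each other. Returns the number of datagrams delivered
    before the exchange stopped, or max_datagrams if it never did."""
    queue = deque([injected])
    delivered = 0
    while queue and delivered < max_datagrams:
        pkt = queue.popleft()
        delivered += 1
        reply = handler(pkt)
        if reply is not None:
            queue.append(reply)
    return delivered


SERVER_A = "198.51.100.10:123"   # constructed (TEST-NET-2)
SERVER_B = "203.0.113.20:123"    # constructed (TEST-NET-3)


def spoofed_trigger(payload: str = "garbage") -> Datagram:
    """The attacker's single packet: sent to B, source forged as A."""
    return Datagram(src=SERVER_A, dst=SERVER_B, payload=payload)


if __name__ == "__main__":
    print("vulnerable handler:", simulate(vulnerable_handler, spoofed_trigger()))
    print("hardened handler:  ", simulate(hardened_handler, spoofed_trigger()))
```

One spoofed datagram is enough because the loop is self-sustaining: every ERROR is itself malformed input to the peer. Note that a spoofed valid QUERY also loops against the vulnerable handler, since the unsolicited RESPONSE it provokes is "unrecognized" to the forged source. Rate-limiting replies per source address is a second, independent mitigation the simulation does not model.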
23.3.24 GoFetch Attack GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs). Attack side-channel attack
23.3.24 minaliC 2.0.0 - Denial of Service Windows Exploit Remote
23.3.24 CSZCMS v1.3.0 - SQL Injection (Authenticated) PHP Exploit WebApps
23.3.24 HNAS SMU 14.8.7825 - Information Disclosure Hardware Exploit Remote
23.3.24 Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi PHP Exploit WebApps
23.3.24 Simple Task List 1.0 - 'status' SQLi PHP Exploit WebApps
23.3.24 Blood Bank 1.0 - 'bid' SQLi PHP Exploit WebApps
23.3.24 Employee Management System 1.0 - 'admin_id' SQLi PHP Exploit WebApps
23.3.24 Quick.CMS 6.7 - SQL Injection Login Bypass PHP Exploit WebApps
23.3.24 xbtitFM 4.1.18 - Multiple Vulnerabilities PHP Exploit WebApps
23.3.24 TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password Hardware Exploit Remote
23.3.24 TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure Hardware Exploit Remote
23.3.24 TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection Hardware Exploit Remote
23.3.24 Backdrop CMS 1.23.0 - Stored XSS PHP Exploit WebApps
23.3.24 Atlassian Confluence < 8.5.3 - Remote Code Execution Multiple Exploit WebApps
23.3.24 Gibbon LMS < v26.0.00 - Authenticated RCE PHP Exploit WebApps
23.3.24 ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE PHP Exploit WebApps
23.3.24 TYPO3 11.5.24 - Path Traversal (Authenticated) PHP Exploit WebApps
23.3.24 WEBIGniter v28.7.23 - Stored XSS PHP Exploit WebApps
23.3.24 WordPress File Upload Plugin < 4.23.3 - Stored XSS PHP Exploit WebApps
23.3.24 vm2 - sandbox escape Multiple Exploit Local
23.3.24 UPS Network Management Card 4 - Path Traversal PHP Exploit WebApps
23.3.24 Nokia BMC Log Scanner - Remote Code Execution Linux Exploit WebApps
23.3.24 Karaf v4.4.3 Console - RCE Java Exploit WebApps
23.3.24 LaborOfficeFree 19.10 - MySQL Root Password Calculator Windows Exploit Local
23.3.24 Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated) PHP Exploit WebApps
23.3.24 KiTTY 0.76.1.13 - Command Injection Windows Exploit Local
23.3.24 KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow Windows Exploit Local
23.3.24 KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow Windows Exploit Local
23.3.24 GitLab CE/EE < 16.7.2 - Password Reset Java Exploit Remote
23.3.24 Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) Hardware Exploit Remote
23.3.24 Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE) Hardware Exploit Remote
23.3.24 SolarView Compact 6.00 - Command Injection Hardware Exploit Remote
23.3.24 Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) Hardware Exploit Remote
23.3.24 JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) Java Exploit Remote
23.3.24 SnipeIT 6.2.1 - Stored Cross Site Scripting Multiple Exploit WebApps
23.3.24 VMware Cloud Director 10.5 - Bypass identity verification Multiple Exploit Remote
23.3.24 Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE Hardware Exploit WebApps
23.3.24 Client Details System 1.0 - SQL Injection PHP Exploit WebApps
23.3.24 OSGi v3.7.2 (and below) Console - RCE Multiple Exploit WebApps
23.3.24 OSGi v3.8-3.18 Console - RCE Multiple Exploit WebApps
23.3.24 Human Resource Management System 1.0 - 'employeeid' SQL Injection PHP Exploit WebApps
23.3.24 QUARTERRIG Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader. Malware Dropper
23.3.24 BEATDROP According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. Malware Dropper
23.3.24 ROOTSAW Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations Malware Spy
23.3.24 WINELOADER  APT29 Uses WINELOADER to Target German Political Parties Malware Loader
22.3.24 UNC302 BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies Group Group
22.3.24 CVE-2023-46747 Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Vulnerability CVE
22.3.24 Sign1 Malware Sign1 Malware: Analysis, Campaign History & Indicators of Compromise Malware JavaScript
22.3.24 Revenge RAT Revenge RAT via malicious PPAM in Latin America, Portugal and Spain Malware RAT
22.3.24 AceCryptor Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries Malware RAT
22.3.24 Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. Malware Loader
22.3.24 StrelaStealer StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Malware Stealer
22.3.24 AcidRain A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. Malware Wiper
22.3.24 AcidPour AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine Malware Wiper
22.3.24 z0Miner z0Miner Exploits Korean Web Servers to Attack WebLogic Server Hacking Exploit
22.3.24 AndroxGh0st AndroxGh0st is a Python-based malware designed to target Laravel applications. It works by scanning for .env files and extracting sensitive information from them, revealing credentials linked to AWS and Twilio. Malware Android
22.3.24 UNC3886 UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Group Group
22.3.24 UNC5221 While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Group Group
22.3.24 CVE-2023-41724 CVE-2023-41724 (Remote Code Execution) for Ivanti Standalone Sentry Vulnerability CVE
22.3.24 CVE-2024-1597 pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. Vulnerability CVE
22.3.24 Loop DoS Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols Attack Application-Layer Protocols

20.3.24 CVE-2024-27198 In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible Vulnerability CVE
20.3.24 PureCrypter According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. Malware Crypter
20.3.24 Smoke Loader Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor Malware Loader
20.3.24 WhiteSnake Stealer WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous Malware Stealer
20.3.24 Taurus Stealer The GlorySprout or a Failed Clone of Taurus Stealer Malware Stealer
20.3.24 KONO DIO DA CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers Malware CoinMiner
20.3.24 AcidRain A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. Malware Wiper
20.3.24 NetSupportManager RAT Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. Malware RAT
20.3.24 Operation PhantomBlu A malware campaign employs new TTPs and behaviors to evade detection and deploy NetSupport RAT. Operation Phishing
20.3.24 DEEP#GOSU Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware Operation Operation
20.3.24 Andariel Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions Group Group
20.3.24 ROKRAT APT37's ROKRAT HWP Object Linking and Embedding Malware RAT
18.3.24 CVE-2024-25155 In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. Vulnerability CVE
18.3.24 CVE-2024-25154 Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier, allowing an encoded payload to cause the web server to return files located outside of the web root, which may lead to data leakage. Vulnerability CVE
18.3.24 CVE-2024-25153 A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells. Vulnerability CVE
18.3.24 SVG Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. However, cybercriminals are now exploiting SVGs to deliver malware, posing a new threat to unsuspecting users. Malware Malware
18.3.24 AZORult From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites Malware Stealer
18.3.24 CVE-2024-2172 The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator. Vulnerability CVE
18.3.24 STEELHOOK PowerShell script Malware Stealer
18.3.24 IRONJAW The malware was used previously in campaigns from July through August, and September 2023. Malware Stealer
18.3.24 CREDOMAP The government computer emergency response team of Ukraine, CERT-UA, detected a malicious document "Nuclear Terrorism A Very Real Threat.rtf", the opening of which leads to the download of an HTML file and the execution of JavaScript code (CVE-2022-30190), which in turn downloads and launches the CredoMap malware. Malware JavaScript
18.3.24 OCEANMAP X-Force’s analysis revealed that OCEANMAP has a strong overlap in both technique and .NET implementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and used as a base to build the new persistent backdoor. Malware Backdoor
18.3.24 MASEPIE Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus Malware Python
18.3.24 ITG05 Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns Group Group
18.3.24 CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability Vulnerability CVE
17.3.24 404 Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. Malware Keylogger
17.3.24 RisePro stealer RisePro stealer targets Github users in “gitgub” campaign Malware Stealer
17.3.24 CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware that utilizes speculative execution and is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. Alert Alert
17.3.24 BunnyLoader 3.0 Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled Malware Loader
16.3.24 GhostRace GhostRace: Exploiting and Mitigating Speculative Race Conditions Papers Vulnerability
16.3.24 GHOSTRACE GhostRace (CVE-2024-2193) is a new attack combining speculative execution and race conditions, two very challenging classes of attacks. Vulnerability CPU
16.3.24 CVE-2024-2193 A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. Vulnerability CVE
14.3.24 CVE-2023-5528 A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. Vulnerability CVE
14.3.24 CVE-2024-0778 A vulnerability, which was classified as critical, has been found in Uniview ISC 2500-S up to 20210930. Affected by this issue is the function setNatConfig of the file /Interface/DevManage/VM.php. The manipulation of the argument natAddress/natPort/natServerPort leads to OS command injection. The exploit has been disclosed to the public and may be used. Vulnerability CVE
14.3.24 Pelmeni Wrapper Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor) Malware Wrapper
14.3.24 RedCurl Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence Malware CyberSpy
14.3.24 zgRAT zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has infostealer functionality that targets browser information and cryptowallets. Malware RAT
14.3.24 Botnet Fenix Botnet Fenix: New botnet going after tax payers in Mexico and Chile BOTNET BOTNET
14.3.24 CyberGate According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim’s system. Malware RAT
14.3.24 Planet Stealer Planet Stealer is a recently identified infostealing malware variant. This Go-based malware has been advertised for sale on underground forums. Planet Stealer targets theft of miscellaneous data from the infected endpoints, including user credentials, browser cookies, cryptowallets, session data, configuration files from various communicator apps and software launchers, etc. Malware Stealer
14.3.24 DBatLoader Latest DBatLoader Uses Driver Module to Disable AV/EDR Software Malware Loader
14.3.24 APT-C-36 Since April 2018, an APT group (Blind Eagle, APT-C-36), suspected to be operating from South America, has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc. Group APT
14.3.24 Tweaks Stealer Tweaks Stealer Targets Roblox Users Through YouTube and Discord Malware Stealer
14.3.24 Phemedrone Stealer Unveiling Phemedrone Stealer: Threat Analysis and Detections Malware Stealer
14.3.24 Mispadu According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. Malware Banking
14.3.24 DarkGate First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. Malware Loader
14.3.24 CVE-2024-21412 CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign Vulnerability CVE
14.3.24 DarkCasino DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property. Group APT
14.3.24 CVE-2023-48788 An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets. Vulnerability CVE
13.3.24 PixPirate PixPirate: The Brazilian financial malware you can’t see Malware Android
13.3.24 STRRAT STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird. Malware RAT
13.3.24 VCURMS Recently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading new VCURMS and STRRAT remote access trojans (RAT). Malware Java
13.3.24 CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability Vulnerability CVE
13.3.24 CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability Vulnerability CVE
13.3.24 CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Vulnerability CVE
13.3.24 CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability Vulnerability CVE
13.3.24 CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability Vulnerability CVE
13.3.24 CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability Vulnerability CVE
13.3.24 CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability Vulnerability CVE
12.3.24 BIPClip RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery. Malware PyPI
12.3.24 CVE-2024-1071 Vulnerability CVE
12.3.24 CVE-2024-1468 The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Vulnerability CVE
12.3.24 Copybara Fraud Operation On top of this fraud operation architecture, TAs exploit Social Engineering techniques for distributing the Copybara banking trojan, which typically involves smishing and vishing techniques, leveraging native-speaker operators. In particular, several samples reveal TAs distributing Copybara through seemingly legitimate apps, utilizing logos of well-known banks and names that sound authentic, such as “Caixa Sign Nueva”, “BBVA Codigo”, “Sabadell Codigo”. Campaign Operation
12.3.24 CHAVECLOAK FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware. Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming to steal sensitive information linked to financial activities. Malware Banking
11.3.24 Sitecore - Remote Code Execution v8.2 ASPX Exploit WebApps
11.3.24 Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read Multiple Exploit WebApps
11.3.24 WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover PHP Exploit WebApps
11.3.24 Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass Windows Exploit Local
11.3.24 Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR Hardware Exploit WebApps
11.3.24 Hide My WP < 6.2.9 - Unauthenticated SQLi PHP Exploit WebApps
11.3.24 Akaunting < 3.1.3 - RCE PHP Exploit WebApps
11.3.24 Ladder v0.0.21 - Server-side request forgery (SSRF) Go Exploit WebApps
11.3.24 DataCube3 v1.0 - Unrestricted file upload 'RCE' PHP Exploit WebApps
11.3.24 Numbas < v7.3 - Remote Code Execution NodeJS Exploit WebApps
11.3.24 TP-Link TL-WR740N - Buffer Overflow 'DOS' Hardware Exploit WebApps
11.3.24 GLiNet - Router Authentication Bypass Hardware Exploit WebApps
11.3.24 elFinder Web file manager Version - 2.1.53 Remote Command Execution PHP Exploit WebApps
11.3.24 CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution PHP Exploit WebApps
11.3.24 CVE-2023-50071 - Multiple SQL Injection PHP Exploit WebApps
11.3.24 Lot Reservation Management System - Unauthenticated File Disclosure PHP Exploit WebApps
11.3.24 Lot Reservation Management System - Unauthenticated File Upload and Remote Code Execution PHP Exploit WebApps
11.3.24 kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition PHP Exploit WebApps
11.3.24 Neontext Wordpress Plugin - Stored XSS PHP Exploit WebApps
11.3.24 Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 - Stored XSS Hardware Exploit WebApps
11.3.24 Easywall 0.3.1 - Authenticated Remote Command Execution Multiple Exploit WebApps
11.3.24 R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure Hardware Exploit Remote
11.3.24 GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit Hardware Exploit Remote
11.3.24 TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution Hardware Exploit Remote
11.3.24 GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit Hardware Exploit Remote
11.3.24 GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit Hardware Exploit Remote
11.3.24 Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) Hardware Exploit Remote
11.3.24 A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc Multiple Exploit Local
11.3.24 Boss Mini 1.4.0 - local file inclusion PHP Exploit WebApps
11.3.24 Magento ver. 2.4.6 - XSLT Server Side Injection Multiple Exploit WebApps
11.3.24 TPC-110W - Missing Authentication for Critical Function Hardware Exploit Remote
11.3.24 Enrollment System v1.0 - SQL Injection PHP Exploit Remote
11.3.24 AC Repair and Services System v1.0 - Multiple SQL Injection PHP Exploit Remote
11.3.24 Windows PowerShell - Event Log Bypass Single Quote Code Execution Windows_x86-64 Exploit Local
11.3.24 Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection PHP Exploit Remote
11.3.24 Simple Student Attendance System v1.0 - Time Based Blind SQL Injection PHP Exploit Remote
11.3.24 Real Estate Management System v1.0 - Remote Code Execution via File Upload PHP Exploit Remote
11.3.24 Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload PHP Exploit Remote
11.3.24 Petrol Pump Management Software v.1.0 - SQL Injection PHP Exploit Remote
11.3.24 Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file PHP Exploit Remote
11.3.24 Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting PHP Exploit Remote
11.3.24 WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection PHP Exploit WebApps
11.3.24 (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] Linux Exploit Local
11.3.24 Blood Bank v1.0 - Multiple SQL Injection PHP Exploit WebApps
11.3.24 Saflok - Key Derivation Function Exploit Hardware Exploit Local
11.3.24 WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS) PHP Exploit WebApps
11.3.24 WP Rocket < 2.10.3 - Local File Inclusion (LFI) PHP Exploit WebApps
11.3.24 Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) Multiple Exploit WebApps
11.3.24 TEM Opera Plus FM Family Transmitter 35.45 - XSRF Hardware Exploit Remote
11.3.24 TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution Hardware Exploit Remote
11.3.24 Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) PHP Exploit WebApps
11.3.24 Executables Created with perl2exe < V30.10C - Arbitrary Code Execution Multiple Exploit Remote
11.3.24 Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin PHP Exploit WebApps
11.3.24 Automatic-Systems SOC FL9600 FastLine - Directory Traversal PHP Exploit WebApps
11.3.24 SuperStoreFinder - Multiple Vulnerabilities PHP Exploit WebApps
11.3.24 Moodle 4.3 - Insecure Direct Object Reference PHP Exploit WebApps
11.3.24 Zoo Management System 1.0 - Unauthenticated RCE PHP Exploit WebApps
11.3.24 dawa-pharma 1.0-2022 - Multiple-SQLi PHP Exploit WebApps
11.3.24 IBM i Access Client Solutions v1.1.2 - 1.1.4, v1.1.4.3 - 1.1.9.4 - Remote Credential Theft Windows_x86-64 Exploit Remote
11.3.24 Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure' Multiple Exploit Remote
11.3.24 Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS' Multiple Exploit DoS
11.3.24 Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration Multiple Exploit Remote
11.3.24 FAQ Management System v1.0 - 'faq' SQL Injection PHP Exploit Remote
11.3.24 Flashcard Quiz App v1.0 - 'card' SQL Injection PHP Exploit Remote
11.3.24 Online Shopping System Advanced - Sql Injection PHP Exploit WebApps
11.3.24 taskhub 2.8.7 - SQL Injection PHP Exploit WebApps
11.3.24 comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset PHP Exploit WebApps
11.3.24 Simple Inventory Management System v1.0 - 'email' SQL Injection PHP Exploit Remote
11.3.24 BianLian Ransomware Group BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566]. REPORT Ransomware
11.3.24 BianLian BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. Group Ransomware
11.3.24 BianDoor Malware Backdoor
11.3.24 CVE-2023-42793 In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible. Vulnerability CVE
11.3.24 CVE-2024-27198 In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. Vulnerability CVE
11.3.24 CVE-2024-1403 In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14 and 12.8.1, on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. Vulnerability CVE
11.3.24 MAGNET GOBLIN Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group's arsenal within 1 day of a PoC for it being published. Group Group
9.3.24 Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks Kontrol and Elock locks are electronic locks that use firmware provided by Sciener. This firmware works in tandem with an app, called the TTLock app, which is also produced by Sciener. Alert Alert
8.3.24 CVE-2024-20338 A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device. Vulnerability CVE
8.3.24 CVE-2024-20337 A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. Vulnerability CVE
8.3.24 CRLF Injection The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). These characters mark the end of a line, but today's popular operating systems handle them differently: Windows requires both a CR and an LF to mark the end of a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. Attack OS
8.3.24 QEMU Emulator Exploited Cyberattackers tend to give preference to legitimate tools when taking various attack steps, as these help them evade detection systems while keeping malware development costs down to a minimum. Exploit Exploit
8.3.24 Jasmin GoodWill Ransomware? Or Just Another Jasmin Variant? Ransomware Ransomware
8.3.24 CVE-2024-27199 In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. Vulnerability CVE
8.3.24 CVE-2024-27198 In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. Vulnerability CVE
7.3.24 MgBot My Tea’s not cold. An overview of China’s cyber threat Malware Bot
7.3.24 Evasive Panda Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. Group APT
7.3.24 Snake In this Threat Analysis Report, Cybereason Security Services dives into the Python Infostealer, delivered via GitHub and GitLab, that ultimately exfiltrates credentials via Telegram Bot API or other well known platforms. Malware InfoStealer
7.3.24 WogRAT AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. The malware supports both the PE format, targeting Windows systems, and the ELF format, targeting Linux systems. Malware RAT
7.3.24 TA4903 TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids Group Phishing
7.3.24 Quishing QR codes have had a great run in the past few years, diffusing into almost every aspect of our lives, from looking at restaurant menus and paying for products or services online and offline to accessing websites with greater ease. While the positives of QR codes are clearly visible, both from a business and user perspective, their usage has some pitfalls. Hacking Mobil
7.3.24 8220 Mining Group Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. Group Cryptocurrency
7.3.24 Abyss Locker On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. Ransomware Ransomware
7.3.24 Spinning YARN Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence Campaign Campaign
7.3.24 SpyNote The malware has been released on github at https://github.com/EVLF/Cypher-Rat-Source-Code Malware RAT
7.3.24 BlackCat (ALPHV) Attack Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023. Ransomware Ransomware
6.3.24 CVE-2024-22255 VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process. Vulnerability CVE
6.3.24 CVE-2024-22254 VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox. Vulnerability CVE
6.3.24 CVE-2024-22253 VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. Vulnerability CVE
6.3.24 CVE-2024-22252 VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. Vulnerability CVE
6.3.24 GhostSec GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. Group Ransomware
6.3.24 UNC1945 UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. Group APT
6.3.24 APT32 Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. Group APT
6.3.24 OceanLotus According to PCrisk, research shows that the OceanLotus backdoor targets macOS computers. The cyber criminals behind this backdoor have already used it to attack human rights and media organizations, some research institutes, and maritime construction companies. Malware OSX
6.3.24 CVE-2024-23296 A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. Vulnerability CVE
6.3.24 CVE-2024-23225 A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. Vulnerability CVE
6.3.24 Kimsuky JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky Group APT
6.3.24 CVE-2024-1709 ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. Vulnerability CVE
6.3.24 CVE-2024-1708 ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems. Vulnerability CVE
6.3.24 TODDLERSHARK TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant Malware VBS
5.3.24 BEWARE THE SHALLOW WATERS: SAVVY SEAHORSE LURES VICTIMS TO FAKE INVESTMENT PLATFORMS THROUGH FACEBOOK ADS DNS threat actors never cease to surprise us. Every day, we learn about creative new campaigns they have devised to exploit victims. Investment scams are one of these. The US Federal Trade Commission reported that more money was lost to investment scams in the US during 2023 than to any other type of scam, totaling over USD 4.6 billion stolen from victims. REPORT REPORT
5.3.24 PASS-THE-HASH ATTACK Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session. Attack PtH
5.3.24 TA577 TA577’s Unusual Attack Chain Leads to NTLM Data Theft Group Group
5.3.24 CVE-2024-23917 In JetBrains TeamCity before 2023.11.3, an authentication bypass leading to RCE was possible. Vulnerability CVE
5.3.24 CVE-2024-27199 In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. Vulnerability CVE
5.3.24 CVE-2024-27198 In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. Vulnerability CVE
4.3.24 Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions. REPORT REPORT
4.3.24 Fast Adversarial Attacks on Language Models In One GPU Minute In this paper, we introduce a novel class of fast, beam search-based adversarial attack (BEAST) for Language Models (LMs). Papers Papers
4.3.24 Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs We demonstrate how images and sounds can be used for indirect prompt and instruction injection in multi-modal LLMs. Papers Papers
4.3.24 ComPromptMized ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications Attack AI
4.3.24 CACTUS CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks Ransomware Ransomware
2.3.24 MAR-10448362-1.v1 Volt Typhoon CISA received three files for analysis obtained from a critical infrastructure compromised by the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon. CERT CERT
2.3.24 CVE-2019-3568 A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. Vulnerability CVE
2.3.24 Scattered Spider Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. Group Hacking
2.3.24 CryptoChameleon CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack Cryptocurrency Phishing
2.3.24 GUloader GUloader Unmasked: Decrypting the Threat of Malicious SVG Files Malware Loader
2.3.24 BlackTech BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Group CyberSpy
2.3.24 BIFROSE The Art of Domain Deception: Bifrost's New Tactic to Deceive Users Malware RAT
2.3.24 CVE-2023-46805 (CVSS score: 8.2) - Authentication bypass vulnerability in web component Vulnerability CVE
2.3.24 CVE-2024-21887 (CVSS score: 9.1) - Command injection vulnerability in web component Vulnerability CVE
2.3.24 CVE-2024-21888 (CVSS score: 8.8) - Privilege escalation vulnerability in web component Vulnerability CVE
2.3.24 CVE-2024-21893 (CVSS score: 8.2) - SSRF vulnerability in the SAML component Vulnerability CVE
2.3.24 CVE-2024-22024 (CVSS score: 8.3) - XXE vulnerability in the SAML component Vulnerability CVE
2.3.24 GOLDEN TICKET A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD). Attack Attack
2.3.24 Golden SAML Golden SAML, an attack technique that exploits the SAML single sign-on protocol, was used as a post-breach exploit, compounding the devastating SolarWinds attack of 2020—one of the largest breaches of the 21st century. Attack Attack
2.3.24 Peach Sandstorm Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. Group APT
2.3.24 LightBasin UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. Group APT
2.3.24 GTPDOOR GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange Malware Backdoor
2.3.24 CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability Vulnerability CVE
2.3.24 WINELOADER European diplomats targeted by SPIKEDWINE with WINELOADER Malware Loader
1.3.24 UNC3886 UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Group Group
1.3.24 CVE-2024-21887 A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Vulnerability CVE
1.3.24 CVE-2024-21893 A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. Vulnerability CVE
1.3.24 MINIBIKE A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure. Malware Backdoor
1.3.24 MINIBUS A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE Malware Backdoor
1.3.24 LIGHTRAIL A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure Malware Backdoor
1.3.24 Tortoiseshell A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Group Group
1.3.24 Bohrium Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. Group Group
1.3.24 UNC1549 When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors BigBrother CyberSpy