
DATE | NAME | CATEGORY | SUBCATEGORY | INFO

31.3.24 | Vultur | Malware | Android | The authors behind the Android banking malware Vultur have been spotted adding new technical features that allow the malware operator to interact remotely with the victim's mobile device to a greater degree.
31.3.24 | Atomic Stealer | Malware | MacOS | Infostealers continue to pose a threat to macOS users
30.3.24 | liveSite Version 2019.1 - Remote Code Execution | Exploit | WebApps / PHP |
30.3.24 | WinRAR version 6.22 - Remote Code Execution via ZIP archive | Exploit | Remote / Windows |
30.3.24 | Dell Security Management Server < 1.9.0 - Local Privilege Escalation | Exploit | Local / Linux |
30.3.24 | Siklu MultiHaul TG series < 2.0.0 - Unauthenticated Credential Disclosure | Exploit | Remote / Hardware |
30.3.24 | RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service | Exploit | DoS / Hardware |
30.3.24 | NodeBB v3.6.7 - Broken Access Control | Exploit | WebApps / Multiple |
30.3.24 | Purei CMS 1.0 - SQL Injection | Exploit | WebApps / PHP |
30.3.24 | Workout Journal App 1.0 - Stored XSS | Exploit | WebApps / PHP |
30.3.24 | Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) | Exploit | Remote / Multiple |
30.3.24 | LimeSurvey Community 5.3.32 - Stored XSS | Exploit | WebApps / PHP |
30.3.24 | Nagios XI Version 2024R1.01 - SQL Injection | Exploit | WebApps / Multiple |
30.3.24 | Wallos < 1.11.2 - File Upload RCE | Exploit | WebApps / PHP |
30.3.24 | Tourism Management System v2.0 - Arbitrary File Upload | Exploit | WebApps / PHP |
30.3.24 | LBT-T300-mini1 - Remote Buffer Overflow | Exploit | Remote / Linux |
30.3.24 | MobileShop master v1.0 - SQL Injection | Exploit | WebApps / PHP |
30.3.24 | Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS | Exploit | WebApps / PHP |
30.3.24 | SPA-CART CMS - Stored XSS | Exploit | WebApps / PHP |
30.3.24 | Craft CMS 4.4.14 - Unauthenticated Remote Code Execution | Exploit | WebApps / PHP |
30.3.24 | CVE-2024-20767 - Adobe ColdFusion vulnerability | ALERTS | Vulnerability | CVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, a development platform for building and deploying web and mobile applications. If successfully exploited, it allows unauthenticated remote attackers to read arbitrary files on the system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts to prevent further infection or damage to the system.
30.3.24 | Sync-Scheduler Infostealer | ALERTS | Virus | An infostealer dubbed Sync-Scheduler, written in C++, has been reported being distributed concealed within Office document files. The malware employs file-nesting techniques to hide its presence and is equipped with anti-analysis and defense evasion techniques. Upon compromising a system, it searches the users' personal directories for Office documents such as Word, PowerPoint and Excel files.
30.3.24 | WarzoneRAT malware re-emerges with new samples | ALERTS | Virus | WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan used by various threat groups in recent years. Its functionality allows for remote control, remote shell and file operations, credential theft, keylogging, UAC bypass and more. In February 2024 the FBI dismantled the Warzone RAT operation and seized the infrastructure associated with this threat.
30.3.24 | TheMoon malware targets thousands of insecure routers | ALERTS | Virus | A new malicious campaign featuring an updated version of TheMoon, a notorious malware family, has been reported. This latest variant appears to target insecure, outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware uses them to route traffic through a proxy service known as Faceless.
30.3.24 | Beware of FlightNight | ALERTS | Virus | A new threat actor has been observed using Tactics, Techniques and Procedures (TTPs) similar to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight", it is likely the work of the same threat actor.
30.3.24 | CVE-2024-3094 | Vulnerability | CVE | Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source tree, which is then used to modify specific functions in the liblzma code.
30.3.24 | TheMoon | Malware | Worm | Linksys Worm ("TheMoon") Captured
30.3.24 | CVE-2024-1086 | Vulnerability | CVE | A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as the drop error within the hook verdict, so the nf_hook_slow() function can cause a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT.
30.3.24 | WallEscape | Vulnerability | CVE | Unraveling WallEscape: A Linux Vulnerability Exposing User Passwords and Hijacking Clipboards
30.3.24 | CVE-2024-28085 | Vulnerability | CVE | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not.)
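The stdin-versus-argv gap in the CVE-2024-28085 entry is easy to reproduce in a model. The block below is an added illustration, not util-linux code: it shows a sanitiser that neutralises terminal control characters, a message builder that applies it only on the stdin path (the behaviour described for wall through 2.40) beside one that filters the assembled body whatever its origin, and a constructed payload that clears the screen and writes to the clipboard via OSC 52. The function names and message header are hypothetical.

```python
"""Model of the filtering gap described for CVE-2024-28085: wall(1) neutralises
control characters read from stdin but passes argv text through untouched.
Added illustration only; the functions below are hypothetical and are not
util-linux code."""
import re

# ESC, the other C0 controls (CR, LF and TAB excepted), DEL and the C1 range,
# any of which can introduce a terminal control sequence.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")


def sanitize(text: str) -> str:
    """Rewrite control characters in caret/hex notation so the terminal prints them."""
    def visible(m: "re.Match[str]") -> str:
        code = ord(m.group(0))
        if code == 0x7F:
            return "^?"
        if code < 0x20:
            return "^" + chr(code + 0x40)      # ESC (0x1b) becomes ^[
        return "\\x%02x" % code                 # C1 controls
    return _CONTROL.sub(visible, text)


def broadcast_vulnerable(argv_words, stdin_text=""):
    """wall through 2.40: only the stdin path goes through the filter."""
    body = " ".join(argv_words) if argv_words else sanitize(stdin_text)
    return "Broadcast message:\r\n\r\n" + body + "\r\n"


def broadcast_fixed(argv_words, stdin_text=""):
    """Filter the assembled body regardless of where it came from."""
    body = " ".join(argv_words) if argv_words else stdin_text
    return "Broadcast message:\r\n\r\n" + sanitize(body) + "\r\n"


def contains_control(message: str) -> bool:
    """True if a raw control character survived into the text sent to other ttys."""
    return _CONTROL.search(message) is not None


# Constructed payload: clear the screen and home the cursor (CSI 2J, CSI H), print a
# fake prompt, then write to the clipboard via OSC 52 (the clipboard-hijack vector).
PAYLOAD = "\x1b[2J\x1b[H" + "Please re-enter your password: " + "\x1b]52;c;aGVsbG8=\x07"

if __name__ == "__main__":
    print(repr(broadcast_vulnerable([PAYLOAD])))   # escape sequences intact
    print(repr(broadcast_fixed([PAYLOAD])))        # ^[[2J^[[H ... ^[]52;c;aGVsbG8=^G
```

On a real host the relevant checks are whether wall is setgid tty (`ls -l "$(command -v wall)"`) and whether your terminal accepts writes from other users (`mesg`); `mesg n` closes the channel until util-linux is updated.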
30.3.24 | Darcula | Phishing | PhaaS | Out of the shadows – 'darcula' iMessage and RCS smishing attacks target USPS and global postal services
30.3.24 | DinodasRAT | Malware | RAT | DinodasRAT Linux implant targeting entities worldwide
28.3.24 | Dropper disguised as legitimate PuTTY software | ALERTS | Virus | A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. The ad appeared at the top of the Google search results page, just before the official PuTTY website, although it has since been removed. It raised suspicion because its domain name was unrelated to PuTTY.
28.3.24 | Mispadu Stealer extends its reach | ALERTS | Virus | Mispadu Stealer (also known as Ursa) has shown increased activity in recent distribution campaigns. While this malware originally targeted mostly LATAM countries, the recently observed activity shows European countries being targeted as well.
28.3.24 | Qilin ransomware remains an active threat in the landscape | ALERTS | Ransom | Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing development evident in new versions. Qilin is distributed under a Ransomware-as-a-Service (RaaS) model, with its operators often employing double extortion tactics.
28.3.24 | SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities | ALERTS | Virus | Recent malicious campaigns attributed to the UNC5174 threat group exploit the F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux used to download and execute secondary payloads on infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns.
28.3.24 | Operation FlightNight | Operation | CyberSpy | Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign
28.3.24 | CVE-2023-29357 | Vulnerability | CVE | Microsoft SharePoint Server Elevation of Privilege Vulnerability
28.3.24 | CVE-2023-24955 | Vulnerability | CVE | Microsoft SharePoint Server Remote Code Execution Vulnerability
28.3.24 | CVE-2024-21388 | Vulnerability | CVE | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
28.3.24 | CVE-2024-21388 | Vulnerability | CVE | "CVE-2024-21388" - Microsoft Edge's Marketing API Exploited for Covert Extension Installation
28.3.24 | CVE-2023-48022 | Vulnerability | CVE | Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
28.3.24 | ShadowRay | Campaign | AI | ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild
28.3.24 | NARWHAL SPIDER | Group | APT | NARWHAL SPIDER's operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.
28.3.24 | Agent Tesla | Malware | Loader | Agent Tesla's New Ride: The Rise of a Novel Loader
27.3.24 | Stately Taurus APT Campaign Targeting Asian Countries | ALERTS | APT | Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign targeting Asian countries during the ASEAN-Australia Special Summit held this month. Two malware packages were created and deployed for this attack: one in ZIP format and the other an SCR file.
27.3.24 | VCURMS and STRRAT being delivered via links in spam messages | ALERTS | Virus | A Java downloader has been discovered delivering the VCURMS and STRRAT remote access trojans. The downloader is deployed via email with links to malicious JAR files. The two RATs then download a modified Rude Stealer and a keylogger for data exfiltration.
27.3.24 | ZENHAMMER | Attack | CPU | ZENHAMMER: Rowhammer Attacks on AMD Zen-based Platforms
27.3.24 | I-Soon | Hacking Firm | Hacking Firm | Unmasking I-Soon: The Leak That Revealed China's Cyber Operations
27.3.24 | Earth Krahang | Group | APT | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
27.3.24 | RedAlpha | Campaign | Campaign | Recorded Future's Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan community over the past two years. The campaigns, collectively named RedAlpha, combine light reconnaissance, selective targeting and diverse malicious tooling.
27.3.24 | Earth Lusca | Group | APT | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
27.3.24 | BRONZE VINEWOOD | Group | APT | Details on BRONZE VINEWOOD, implicated in targeting of the U.S. election campaign
27.3.24 | EvilOSX | Malware | osx |
27.3.24 | Trochilus RAT | Malware | RAT | Trochilus is a RAT written in C++ and available on GitHub.
26.3.24 | VCURMS and STRRAT being delivered via links in spam messages | ALERTS | Virus | A Java downloader has been discovered delivering the VCURMS and STRRAT remote access trojans. The downloader is deployed via email with links to malicious JAR files. The two RATs then download a modified Rude Stealer and a keylogger for data exfiltration.
26.3.24 | New backdoor WineLoader | ALERTS | Virus | Phishing attacks impersonating political parties, with an invitation lure to diplomats for a wine-tasting event, have been used to deploy WineLoader. WineLoader is a new backdoor variant that shares features with BurntBatter, BeatDrop and MuskyBeat, which are associated with APT29. Once deployed, WineLoader collects information from the infected machine (victim's username, process name, device name etc.) and exfiltrates it to the C2. The C2 can then execute additional modules to perform further tasks such as establishing persistence.
26.3.24 | New remote control backdoor leveraging malicious drivers emerges in China | ALERTS | Virus | In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors used malicious kernel-mode drivers to carry out exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard input, and downloading additional malware such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to use rootkits to conceal malicious code from security tools, weakening defenses and evading detection for extended periods.
26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | ALERTS | Botnet | A new Mirai botnet variant, named Mirai Nomi, has emerged. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats.
26.3.24 | CVE-2023-48788 | Vulnerability | CVE | (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability
26.3.24 | CVE-2021-44529 | Vulnerability | CVE | (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
26.3.24 | CVE-2019-7256 | Vulnerability | CVE | (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability
26.3.24 | Generic and Automated Drive-by GPU Cache Attacks from the Browser | Papers | Papers | Generic and Automated Drive-by GPU Cache Attacks from the Browser
26.3.24 | Lord Nemesis Strikes | Group | Hacktivism | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector
26.3.24 | TA450 | Group | APT | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
24.3.24 | Springtail | Group | APT | Springtail APT group abuses valid certificate of known Korean public entity
24.3.24 | Kimsuky | Group | APT | The Updated APT Playbook: Tales from the Kimsuky threat actor group
23.3.24 | Implementations of UDP-based application protocols are vulnerable to network loops | Alert | Alert | A novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable implementation (e.g., DNS, NTP, TFTP), leading to Denial of Service (DoS) and/or abuse of resources.
23.3.24 | GoFetch Attack | Attack | side-channel attack | GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs).
23.3.24 | minaliC 2.0.0 - Denial of Service | Exploit | Remote / Windows |
23.3.24 | CSZCMS v1.3.0 - SQL Injection (Authenticated) | Exploit | WebApps / PHP |
23.3.24 | HNAS SMU 14.8.7825 - Information Disclosure | Exploit | Remote / Hardware |
23.3.24 | Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi | Exploit | WebApps / PHP |
23.3.24 | Simple Task List 1.0 - 'status' SQLi | Exploit | WebApps / PHP |
23.3.24 | Blood Bank 1.0 - 'bid' SQLi | Exploit | WebApps / PHP |
23.3.24 | Employee Management System 1.0 - 'admin_id' SQLi | Exploit | WebApps / PHP |
23.3.24 | Quick.CMS 6.7 - SQL Injection Login Bypass | Exploit | WebApps / PHP |
23.3.24 | xbtitFM 4.1.18 - Multiple Vulnerabilities | Exploit | WebApps / PHP |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password | Exploit | Remote / Hardware |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure | Exploit | Remote / Hardware |
23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection | Exploit | Remote / Hardware |
23.3.24 | Backdrop CMS 1.23.0 - Stored XSS | Exploit | WebApps / PHP |
23.3.24 | Atlassian Confluence < 8.5.3 - Remote Code Execution | Exploit | WebApps / Multiple |
23.3.24 | Gibbon LMS < v26.0.00 - Authenticated RCE | Exploit | WebApps / PHP |
23.3.24 | ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE | Exploit | WebApps / PHP |
23.3.24 | TYPO3 11.5.24 - Path Traversal (Authenticated) | Exploit | WebApps / PHP |
23.3.24 | WEBIGniter v28.7.23 - Stored XSS | Exploit | WebApps / PHP |
23.3.24 | WordPress File Upload Plugin < 4.23.3 - Stored XSS | Exploit | WebApps / PHP |
23.3.24 | vm2 - Sandbox Escape | Exploit | Local / Multiple |
23.3.24 | UPS Network Management Card 4 - Path Traversal | Exploit | WebApps / PHP |
23.3.24 | Nokia BMC Log Scanner - Remote Code Execution | Exploit | WebApps / Linux |
23.3.24 | Karaf v4.4.3 Console - RCE | Exploit | WebApps / Java |
23.3.24 | LaborOfficeFree 19.10 - MySQL Root Password Calculator | Exploit | Local / Windows |
23.3.24 | Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated) | Exploit | WebApps / PHP |
23.3.24 | KiTTY 0.76.1.13 - Command Injection | Exploit | Local / Windows |
23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow | Exploit | Local / Windows |
23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow | Exploit | Local / Windows |
23.3.24 | GitLab CE/EE < 16.7.2 - Password Reset | Exploit | Remote / Java |
23.3.24 | Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) | Exploit | Remote / Hardware |
23.3.24 | Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE) | Exploit | Remote / Hardware |
23.3.24 | SolarView Compact 6.00 - Command Injection | Exploit | Remote / Hardware |
23.3.24 | Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) | Exploit | Remote / Hardware |
23.3.24 | JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) | Exploit | Remote / Java |
23.3.24 | SnipeIT 6.2.1 - Stored Cross Site Scripting | Exploit | WebApps / Multiple |
23.3.24 | VMware Cloud Director 10.5 - Bypass Identity Verification | Exploit | Remote / Multiple |
23.3.24 | Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE | Exploit | WebApps / Hardware |
23.3.24 | Client Details System 1.0 - SQL Injection | Exploit | WebApps / PHP |
23.3.24 | OSGi v3.7.2 (and below) Console - RCE | Exploit | WebApps / Multiple |
23.3.24 | OSGi v3.8-3.18 Console - RCE | Exploit | WebApps / Multiple |
23.3.24 | Human Resource Management System 1.0 - 'employeeid' SQL Injection | Exploit | WebApps / PHP |
23.3.24 | QUARTERRIG | Malware | Dropper | Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload/downloader.
23.3.24 | BEATDROP | Malware | Dropper | According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and to retrieve AES-encrypted shellcode payloads to be executed.
23.3.24 | ROOTSAW | Malware | Spy | Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations
23.3.24 | WINELOADER | Malware | Loader | APT29 Uses WINELOADER to Target German Political Parties
22.3.24 | UNC302 | Group | Group | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies.
22.3.24 | CVE-2023-46747 | Vulnerability | CVE | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated.
22.3.24 | Sign1 Malware | Malware | JavaScript | Sign1 Malware: Analysis, Campaign History & Indicators of Compromise
22.3.24 | Revenge RAT | Malware | RAT | Revenge RAT via malicious PPAM in Latin America, Portugal and Spain
22.3.24 | AceCryptor | Malware | RAT | Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries
22.3.24 | Stealc | Malware | Loader | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023.
22.3.24 | StrelaStealer | Malware | Stealer | StrelaStealer steals email login data from well-known email clients and sends it back to the attacker's C2 server.
22.3.24 | AcidRain | Malware | Wiper | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.
22.3.24 | AcidPour | Malware | Wiper | AcidPour: New Embedded Wiper Variant of AcidRain Appears in Ukraine
22.3.24 | z0Miner | Hacking | Exploit | z0Miner Exploits Korean Web Servers to Attack WebLogic Server
22.3.24 | AndroxGh0st | Malware | Android | AndroxGh0st is a Python-based malware designed to target Laravel applications. It works by scanning for and extracting sensitive information from .env files, revealing credentials linked to AWS and Twilio.
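The AndroxGh0st entry describes harvesting of Laravel .env files; the block below is an added detection example, not the malware's code or any vendor's rule, built on the assumption that the .env probing arrives over HTTP and is therefore visible in a combined-format web-server access log. The log lines are constructed. It parses each line, percent-decodes the request path, flags requests whose last path segment is .env (or .env.bak and the like), counts probes per source address, and separately reports any probe that was answered with HTTP 200, since that means the file was actually served.

```python
"""Detection of .env harvesting over HTTP, run over access-log lines.
Added example: not AndroxGh0st's code and not a vendor signature. Assumes a
combined-format access log; the sample lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one scanning host and one ordinary visitor. The third
# request is percent-encoded and carries a query string, two common ways of
# slipping past a naive "/.env" string match.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Mar/2024:10:01:07 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Mar/2024:10:01:08 +0000] "GET /laravel/.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Mar/2024:10:01:09 +0000] "GET /api/%2Eenv?x=1 HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2024:10:02:01 +0000] "GET /env/production.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(target: str) -> bool:
    """True when the request path's last segment is .env (or .env.<suffix>),
    after percent-decoding and with any query string stripped."""
    path = unquote(urlsplit(target).path)
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last == ".env" or last.startswith(".env.")


def scan(log_text: str) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return probe counts per source IP and the (ip, target) pairs that got a 200,
    i.e. the cases where an .env file was actually served and must be treated as leaked."""
    probes: Counter = Counter()
    exposures: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["target"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"] == "200":
            exposures.append((rec["ip"], rec["target"]))
    return dict(probes), exposures


if __name__ == "__main__":
    counts, served = scan(SAMPLE_LOG)
    print(counts)   # {'203.0.113.10': 3}
    print(served)   # [('203.0.113.10', '/api/%2Eenv?x=1')]
```

A hit in the exposures list is an incident, not an alert: any AWS or Twilio credential that was in the served file should be rotated, not just the request blocked.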
22.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how it operates on-network and in the tools it uses in its campaigns. UNC3886 has been observed targeting firewall and virtualization technologies that lack EDR support.
22.3.24 | UNC5221 | Group | Group | While Volexity largely observed the attacker living off the land, they still deployed a handful of malware files and tools during the incident, primarily consisting of webshells, proxy utilities, and file modifications to allow credential harvesting.
22.3.24 | CVE-2023-41724 | Vulnerability | CVE | CVE-2023-41724 (Remote Code Execution) for Ivanti Standalone Sentry
22.3.24 | CVE-2024-1597 | Vulnerability | CVE | pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default; in the default mode there is no vulnerability.
22.3.24 | Loop DoS | Attack | Application-Layer Protocols | Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols
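The two UDP entries above (the 23.3.24 alert on network loops and this Loop DoS item) describe the same condition: two servers that each answer an error with another error can be made to talk to each other forever from a single spoofed datagram. The block below is an added simulation, not code from the researchers or from any real protocol implementation; the message format, the handlers and the in-memory "network" are hypothetical. It shows a handler that replies to everything, the loop that results, and a hardened handler that never answers a message that is itself an answer.

```python
"""Simulation of the UDP traffic-loop condition: two services whose handlers
answer every datagram, including each other's error replies, are set ping-ponging
by one spoofed packet. Added illustration; the message formats and handlers are
hypothetical, not any real protocol implementation."""
from collections import deque
from typing import Callable, Optional

Handler = Callable[[bytes], Optional[bytes]]

ERROR = b"ERR:"      # constructed error-reply marker
RESPONSE = b"RSP:"   # constructed normal-reply marker


def vulnerable_handler(payload: bytes) -> Optional[bytes]:
    """Reply to everything; an unrecognised message earns an error reply."""
    if payload.startswith(b"REQ:"):
        return RESPONSE + payload[4:]
    return ERROR + b"unrecognised message"


def hardened_handler(payload: bytes) -> Optional[bytes]:
    """Same protocol, but never answer a message that is itself an answer."""
    if payload.startswith(b"REQ:"):
        return RESPONSE + payload[4:]
    if payload.startswith(ERROR) or payload.startswith(RESPONSE):
        return None
    return ERROR + b"unrecognised message"


def simulate(handler: Handler, payload: bytes = b"garbage", max_packets: int = 1000) -> int:
    """Inject one datagram spoofed as coming from server B into server A and count
    the datagrams the two servers then exchange, giving up at max_packets."""
    servers = {"A": handler, "B": handler}
    in_flight = deque([("B", "A", payload)])     # (src, dst, data): the spoofed packet
    delivered = 0
    while in_flight and delivered < max_packets:
        src, dst, data = in_flight.popleft()
        delivered += 1
        reply = servers[dst](data)
        if reply is not None:
            in_flight.append((dst, src, reply))  # the reply goes to the (spoofed) source
    return delivered


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_handler))   # hits the cap: the loop never ends
    print("hardened:  ", simulate(hardened_handler))     # 2: one error reply, then silence
```

Not answering answers is the protocol-level fix; on a real network it is complemented by rate-limiting replies per source and by ingress filtering of spoofed source addresses, without which the first packet could not be injected.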

20.3.24 | CVE-2024-27198 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible.
20.3.24 | PureCrypter | Malware | Crypter | According to Zscaler, PureCrypter is a fully-featured loader sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers.
20.3.24 | Smoke Loader | Malware | Loader | Unit 42 Collaborative Research With Ukraine's Cyber Agency To Uncover the Smoke Loader Backdoor
20.3.24 | WhiteSnake Stealer | Malware | Stealer | WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous
20.3.24 | Taurus Stealer | Malware | Stealer | The GlorySprout or a Failed Clone of Taurus Stealer
20.3.24 | KONO DIO DA | Malware | CoinMiner | CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers
20.3.24 | AcidRain | Malware | Wiper | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.
20.3.24 | NetSupportManager RAT | Malware | RAT | Enigma Software notes that NetSupport Manager is a genuine application, first released about twenty years ago. The purpose of the tool is to enable users to receive remote technical support or provide remote computer assistance.
20.3.24 | Operation PhantomBlu | Operation | Phishing | A malware campaign employs new TTPs and behaviors to evade detection and deploy NetSupport RAT.
20.3.24 | DEEP#GOSU | Operation | Operation | Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
20.3.24 | Andariel | Group | Group | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions
20.3.24 | ROKRAT | Malware | RAT | APT37's ROKRAT HWP Object Linking and Embedding
18.3.24 | CVE-2024-25155 | Vulnerability | CVE | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.
18.3.24 | CVE-2024-25154 | Vulnerability | CVE | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier, allowing an encoded payload to cause the web server to return files located outside the web root, which may lead to data leakage.
18.3.24 | CVE-2024-25153 | Vulnerability | CVE | A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside the intended 'uploadtemp' directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
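The two FileCatalyst entries above (CVE-2024-25154, an encoded payload reaching outside the web root, and CVE-2024-25153, uploads landing outside 'uploadtemp') are both failures to prove that a user-supplied name resolves inside the intended directory. The block below is an added example, not the product's code: a naive resolver that reproduces the bug class (decode once, join, never check the result) beside a hardened one that decodes fully, rejects absolute and NUL-bearing names, normalises, and then verifies the result is strictly under the root. The upload root and file names are hypothetical.

```python
"""Path resolution for an upload or download root: the vulnerable pattern
beside a hardened one. Added example; UPLOAD_ROOT and the sample names are
hypothetical, not FileCatalyst's own paths."""
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/filecatalyst/uploadtemp"   # hypothetical upload directory


def naive_target(root: str, name: str) -> str:
    """Vulnerable pattern: decode once, join, never check where you ended up.
    posixpath.join discards root entirely if the decoded name is absolute."""
    return posixpath.join(root, unquote(name))


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that double-encoded
    ..%252F cannot survive one decode and bite in a later layer; refuse absurd nesting."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many percent-encoding layers")


def safe_target(root: str, name: str) -> str:
    """Decode fully, reject obviously hostile input, normalise, then prove the
    result is strictly inside root before using it."""
    root = posixpath.normpath(root)
    decoded = fully_decode(name)
    if not decoded or "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise ValueError(f"rejected name: {name!r}")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if not candidate.startswith(root + "/"):        # also rejects candidate == root
        raise ValueError(f"{name!r} resolves outside {root}")
    return candidate


def is_accepted(root: str, name: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        safe_target(root, name)
    except ValueError:
        return False
    return True


def escapes_root(root: str, path: str) -> bool:
    """Post-hoc check of a resolved path, the test the naive version never runs."""
    root = posixpath.normpath(root)
    return not posixpath.normpath(path).startswith(root + "/")


if __name__ == "__main__":
    for name in ("report.pdf",
                 "..%2F..%2Fwebapps%2FROOT%2Fshell.jsp",          # single-encoded traversal
                 "..%252F..%252Fwebapps%252FROOT%252Fshell.jsp",  # double-encoded traversal
                 "%2Fetc%2Fpasswd"):                               # encoded absolute path
        resolved = naive_target(UPLOAD_ROOT, name)
        print(f"naive: {name!r} -> {resolved!r}  escapes={escapes_root(UPLOAD_ROOT, resolved)}")
        print(f"safe:  {name!r} -> accepted={is_accepted(UPLOAD_ROOT, name)}")
```

The check is on the normalised string, so it does not follow symlinks; on a server where users can create links under the root, resolve with os.path.realpath and compare that as well.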

18.3.24 | SVG | Malware | Malware | Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. However, cybercriminals are now exploiting SVGs to deliver malware, posing a new threat to unsuspecting users.
18.3.24 | AZORult | Malware | Stealer | From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites
18.3.24 | CVE-2024-2172 | Vulnerability | CVE | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (Malware Scanner) and 2.1.1 (Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to those of an administrator.
18.3.24 | STEELHOOK | Malware | Stealer | PowerShell script
18.3.24 | IRONJAW | Malware | Stealer | The malware was used previously in campaigns from July through August, and September 2023.
18.3.24 | CREDOMAP | Malware | JavaScript | The government computer emergency response team of Ukraine, CERT-UA, detected a malicious document "Nuclear Terrorism A Very Real Threat.rtf", the opening of which leads to the download of an HTML file and the execution of JavaScript code (CVE-2022-30190), which in turn downloads and launches the CredoMap malware.
18.3.24 | OCEANMAP | Malware | Backdoor | X-Force's analysis revealed that OCEANMAP has a strong overlap in both technique and .NET implementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and used as a base to build the new persistent backdoor.
18.3.24 | MASEPIE | Malware | Python | Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus
18.3.24 | ITG05 | Group | Group | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
18.3.24 | CVE-2023-23397 | Vulnerability | CVE | Microsoft Outlook Elevation of Privilege Vulnerability
17.3.24 | 404 Keylogger | Malware | Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard.
17.3.24 | RisePro stealer | Malware | Stealer | RisePro stealer targets GitHub users in "gitgub" campaign
17.3.24 | CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions | Alert | Alert | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware utilizing speculative execution that is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU, using race conditions to access speculatively executed code paths.
17.3.24 | BunnyLoader 3.0 | Malware | Loader | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled
16.3.24 | GhostRace | Papers | Vulnerability | GhostRace: Exploiting and Mitigating Speculative Race Conditions
16.3.24 | GHOSTRACE | Vulnerability | CPU | GhostRace (CVE-2024-2193) is a new attack combining speculative execution and race conditions, two very challenging classes of attacks.
16.3.24 | CVE-2024-2193 | Vulnerability | CVE | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre v1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU, using race conditions to access speculatively executed code paths.
14.3.24 | CVE-2023-5528 | Vulnerability | CVE | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
14.3.24 | CVE-2024-0778 | Vulnerability | CVE | A vulnerability classified as critical has been found in Uniview ISC 2500-S up to 20210930. Affected is the function setNatConfig of the file /Interface/DevManage/VM.php. Manipulation of the argument natAddress/natPort/natServerPort leads to OS command injection. The exploit has been disclosed to the public and may be used.
14.3.24 | Pelmeni Wrapper | Malware | Wrapper | Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
14.3.24 | RedCurl | Malware | CyberSpy | Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
14.3.24 | zgRAT | Malware | RAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer function which targets browser information and cryptowallets.
14.3.24 | Botnet Fenix | BOTNET | BOTNET | Botnet Fenix: New botnet going after tax payers in Mexico and Chile
14.3.24 | CyberGate | Malware | RAT | According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim's system.
14.3.24 | Planet Stealer | Malware | Stealer | Planet Stealer is a recently identified infostealing malware variant. This Go-based malware has been advertised for sale on underground forums. Planet Stealer targets theft of miscellaneous data from infected endpoints, including user credentials, browser cookies, cryptowallets, session data, and configuration files from various communicator apps and software launchers.
14.3.24 | DBatLoader | Malware | Loader | Latest DBatLoader Uses Driver Module to Disable AV/EDR Software
14.3.24 | APT-C-36 | Group | APT | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected of coming from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc.
14.3.24 | Tweaks Stealer | Malware | Stealer | Tweaks Stealer Targets Roblox Users Through YouTube and Discord
14.3.24 | Phemedrone Stealer | Malware | Stealer | Unveiling Phemedrone Stealer: Threat Analysis and Detections
14.3.24 | Mispadu | Malware | Banking | According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald's malvertising and extends its attack surface to web browsers. It is used to target the general public, and its main goals are monetary and credential theft.
14.3.24 | DarkGate | Malware | Loader | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts.
14.3.24 | CVE-2024-21412 | Vulnerability | CVE | CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
14.3.24 | DarkCasino | Group | APT | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.
14.3.24 | CVE-2023-48788 | Vulnerability | CVE | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.
13.3.24 | PixPirate | Malware | Android | PixPirate: The Brazilian financial malware you can't see
13.3.24 | STRRAT | Malware | RAT | STRRAT is a Java-based RAT which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, keylogging and additional plugins. The RAT focuses on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
13.3.24 | VCURMS | Malware | Java | Recently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading the new VCURMS and STRRAT remote access trojans (RATs).
13.3.24 | CVE-2024-21407 | Vulnerability | CVE | Windows Hyper-V Remote Code Execution Vulnerability
13.3.24 | CVE-2024-21408 | Vulnerability | CVE | Windows Hyper-V Denial of Service Vulnerability
13.3.24 | CVE-2024-21400 | Vulnerability | CVE | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
13.3.24 | CVE-2024-26170 | Vulnerability | CVE | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
13.3.24 | CVE-2024-21433 | Vulnerability | CVE | Windows Print Spooler Elevation of Privilege Vulnerability
13.3.24 | CVE-2024-26198 | Vulnerability | CVE | Microsoft Exchange Server Remote Code Execution Vulnerability
13.3.24 | CVE-2024-21334 | Vulnerability | CVE | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
12.3.24 | BIPClip | Malware | PyPI | RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery.
12.3.24 | CVE-2024-1071 | Vulnerability | CVE |
12.3.24 | CVE-2024-1468 | Vulnerability | CVE | The Avada (Website Builder For WordPress & WooCommerce) theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers with contributor-level access and above to upload arbitrary files to the affected site's server, which may make remote code execution possible.
12.3.24 | Copybara Fraud Operation | Campaign | Operation | On top of this fraud operation architecture, TAs use social engineering techniques to distribute the Copybara banking trojan, typically involving smishing and vishing with native-speaker operators. In particular, several samples reveal TAs distributing Copybara through seemingly legitimate apps, using the logos of well-known banks and authentic-sounding names such as "Caixa Sign Nueva", "BBVA Codigo" and "Sabadell Codigo".
12.3.24CHAVECLOAKMalwareBankingFortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware. Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming to steal sensitive information linked to financial activities.
11.3.24 | Sitecore - Remote Code Execution v8.2 | Exploit | WebApps | ASPX
11.3.24 | Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read | Exploit | WebApps | Multiple
11.3.24 | WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover | Exploit | WebApps | PHP
11.3.24 | Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass | Exploit | Local | Windows
11.3.24 | Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR | Exploit | WebApps | Hardware
11.3.24 | Hide My WP < 6.2.9 - Unauthenticated SQLi | Exploit | WebApps | PHP
11.3.24 | Akaunting < 3.1.3 - RCE | Exploit | WebApps | PHP
11.3.24 | Ladder v0.0.21 - Server-side request forgery (SSRF) | Exploit | WebApps | Go
11.3.24 | DataCube3 v1.0 - Unrestricted file upload 'RCE' | Exploit | WebApps | PHP
11.3.24 | Numbas < v7.3 - Remote Code Execution | Exploit | WebApps | NodeJS
11.3.24 | TP-Link TL-WR740N - Buffer Overflow 'DOS' | Exploit | WebApps | Hardware
11.3.24 | GLiNet - Router Authentication Bypass | Exploit | WebApps | Hardware
11.3.24 | elFinder Web file manager Version - 2.1.53 Remote Command Execution | Exploit | WebApps | PHP
11.3.24 | CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution | Exploit | WebApps | PHP
11.3.24 | CVE-2023-50071 - Multiple SQL Injection | Exploit | WebApps | PHP
11.3.24 | Lot Reservation Management System - Unauthenticated File Disclosure | Exploit | WebApps | PHP
11.3.24 | Lot Reservation Management System - Unauthenticated File Upload and Remote Code Execution | Exploit | WebApps | PHP
11.3.24 | kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition | Exploit | WebApps | PHP
11.3.24 | Neontext Wordpress Plugin - Stored XSS | Exploit | WebApps | PHP
11.3.24 | Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 - Stored XSS | Exploit | WebApps | Hardware
11.3.24 | Easywall 0.3.1 - Authenticated Remote Command Execution | Exploit | WebApps | Multiple
11.3.24 | R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure | Exploit | Remote | Hardware
11.3.24 | GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit | Exploit | Remote | Hardware
11.3.24 | TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution | Exploit | Remote | Hardware
11.3.24 | GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit | Exploit | Remote | Hardware
11.3.24 | GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit | Exploit | Remote | Hardware
11.3.24 | Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) | Exploit | Remote | Hardware
11.3.24 | A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc | Exploit | Local | Multiple
11.3.24 | Boss Mini 1.4.0 - local file inclusion | Exploit | WebApps | PHP
11.3.24 | Magento ver. 2.4.6 - XSLT Server Side Injection | Exploit | WebApps | Multiple
11.3.24 | TPC-110W - Missing Authentication for Critical Function | Exploit | Remote | Hardware
11.3.24 | Enrollment System v1.0 - SQL Injection | Exploit | Remote | PHP
11.3.24 | AC Repair and Services System v1.0 - Multiple SQL Injection | Exploit | Remote | PHP
11.3.24 | Windows PowerShell - Event Log Bypass Single Quote Code Execution | Exploit | Local | Windows_x86-64
11.3.24 | Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection | Exploit | Remote | PHP
11.3.24 | Simple Student Attendance System v1.0 - Time Based Blind SQL Injection | Exploit | Remote | PHP
11.3.24 | Real Estate Management System v1.0 - Remote Code Execution via File Upload | Exploit | Remote | PHP
11.3.24 | Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload | Exploit | Remote | PHP
11.3.24 | Petrol Pump Management Software v.1.0 - SQL Injection | Exploit | Remote | PHP
11.3.24 | Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file | Exploit | Remote | PHP
11.3.24 | Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting | Exploit | Remote | PHP
11.3.24 | WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection | Exploit | WebApps | PHP
11.3.24 | (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] | Exploit | Local | Linux
11.3.24 | Blood Bank v1.0 - Multiple SQL Injection | Exploit | WebApps | PHP
11.3.24 | Saflok - Key Derivation Function Exploit | Exploit | Local | Hardware
11.3.24 | WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS) | Exploit | WebApps | PHP
11.3.24 | WP Rocket < 2.10.3 - Local File Inclusion (LFI) | Exploit | WebApps | PHP
11.3.24 | Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) | Exploit | WebApps | Multiple
11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - XSRF | Exploit | Remote | Hardware
11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution | Exploit | Remote | Hardware
11.3.24 | Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) | Exploit | WebApps | PHP
11.3.24 | Executables Created with perl2exe < V30.10C - Arbitrary Code Execution | Exploit | Remote | Multiple
11.3.24 | Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin | Exploit | WebApps | PHP
11.3.24 | Automatic-Systems SOC FL9600 FastLine - Directory Traversal | Exploit | WebApps | PHP
11.3.24 | SuperStoreFinder - Multiple Vulnerabilities | Exploit | WebApps | PHP
11.3.24 | Moodle 4.3 - Insecure Direct Object Reference | Exploit | WebApps | PHP
11.3.24 | Zoo Management System 1.0 - Unauthenticated RCE | Exploit | WebApps | PHP
11.3.24 | dawa-pharma 1.0-2022 - Multiple-SQLi | Exploit | WebApps | PHP
11.3.24 | IBM i Access Client Solutions v1.1.2 - 1.1.4, v1.1.4.3 - 1.1.9.4 - Remote Credential Theft | Exploit | Remote | Windows_x86-64
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure' | Exploit | Remote | Multiple
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS' | Exploit | DoS | Multiple
11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration | Exploit | Remote | Multiple
11.3.24 | FAQ Management System v1.0 - 'faq' SQL Injection | Exploit | Remote | PHP
11.3.24 | Flashcard Quiz App v1.0 - 'card' SQL Injection | Exploit | Remote | PHP
11.3.24 | Online Shopping System Advanced - SQL Injection | Exploit | WebApps | PHP
11.3.24 | taskhub 2.8.7 - SQL Injection | Exploit | WebApps | PHP
11.3.24 | comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset | Exploit | WebApps | PHP
11.3.24 | Simple Inventory Management System v1.0 - 'email' SQL Injection | Exploit | Remote | PHP
11.3.24 | BianLian Ransomware Group | REPORT | Ransomware | BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078], [T1133] or via phishing [T1566].
11.3.24 | BianLian | Group | Ransomware | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022.
11.3.24 | BianDoor | Malware | Backdoor |
11.3.24 | CVE-2023-42793 | Vulnerability | CVE | In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible.
11.3.24 | CVE-2024-27198 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.
11.3.24 | CVE-2024-1403 | Vulnerability | CVE | In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14 and 12.8.1, on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.
11.3.24 | MAGNET GOBLIN | Group | Group | Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal within 1 day after a POC for it was published.
9.3.24 | Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks | Alert | Alert | Kontrol and Elock locks are electronic locks that utilize firmware provided by Sciener. This firmware works in tandem with an app, called the TTLock app, which is also produced by Sciener.
8.3.24 | CVE-2024-20338 | Vulnerability | CVE | A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device.
8.3.24 | CVE-2024-20337 | Vulnerability | CVE | A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.
8.3.24 | CRLF Injection | Attack | OS | The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). These characters mark the end of a line, but today’s popular operating systems handle them differently. For example, Windows requires both a CR and an LF to mark the end of a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
8.3.24 | QEMU Emulator Exploited | Exploit | Exploit | Cyberattackers tend to prefer legitimate tools when taking various attack steps, as these help them evade detection systems while keeping malware development costs to a minimum.
8.3.24 | Jasmin | Ransomware | Ransomware | GoodWill Ransomware? Or Just Another Jasmin Variant?
8.3.24 | CVE-2024-27199 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, a path traversal allowing limited admin actions to be performed was possible.
8.3.24 | CVE-2024-27198 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.
7.3.24 | MgBot | Malware | Bot | My Tea’s not cold. An overview of China’s cyber threat
7.3.24 | Evasive Panda | Group | APT | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.
7.3.24 | Snake | Malware | InfoStealer | In this Threat Analysis Report, Cybereason Security Services dives into the Python infostealer, delivered via GitHub and GitLab, that ultimately exfiltrates credentials via the Telegram Bot API or other well-known platforms.
7.3.24 | WogRAT | Malware | RAT | AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. The malware supports both the PE format, which targets Windows systems, and the ELF format, which targets Linux systems.
7.3.24 | TA4903 | Group | Phishing | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids
7.3.24 | Quishing | Hacking | Mobile | QR codes have had a great run in the past few years, diffusing into almost every aspect of our lives, from looking at restaurant menus and paying for products or services online and offline to accessing websites with greater ease. While the positives of QR codes are clearly visible, both from a business and a user perspective, their usage has some pitfalls.
7.3.24 | 8220 Mining Group | Group | Cryptocurrency | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software.
7.3.24 | Abyss Locker | Ransomware | Ransomware | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
7.3.24 | Spinning YARN | Campaign | Campaign | Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
7.3.24 | SpyNote | Malware | RAT | The malware has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code
7.3.24 | BlackCat (ALPHV) Attack | Ransomware | Ransomware | Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023.
6.3.24 | CVE-2024-22255 | Vulnerability | CVE | VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
6.3.24 | CVE-2024-22254 | Vulnerability | CVE | VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.
6.3.24 | CVE-2024-22253 | Vulnerability | CVE | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
6.3.24 | CVE-2024-22252 | Vulnerability | CVE | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
6.3.24 | GhostSec | Group | Ransomware | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.
6.3.24 | UNC1945 | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks.
6.3.24 | APT32 | Group | APT | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.
6.3.24 | OceanLotus | Malware | OSX | According to PcRisk, research shows that the OceanLotus 'backdoor' targets macOS computers. The cyber criminals behind this backdoor have already used it to attack human rights and media organizations, some research institutes, and maritime construction companies.
6.3.24 | CVE-2024-23296 | Vulnerability | CVE | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
6.3.24 | CVE-2024-23225 | Vulnerability | CVE | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
6.3.24 | Kimsuky | Group | APT | JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky
6.3.24 | CVE-2024-1709 | Vulnerability | CVE | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
6.3.24 | CVE-2024-1708 | Vulnerability | CVE | ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems.
6.3.24 | TODDLERSHARK | Malware | VBS | TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
5.3.24 | BEWARE THE SHALLOW WATERS: SAVVY SEAHORSE LURES VICTIMS TO FAKE INVESTMENT PLATFORMS THROUGH FACEBOOK ADS | REPORT | REPORT | DNS threat actors never cease to surprise us. Every day, we learn about creative new campaigns they have devised to exploit victims. Investment scams are one of these. The US Federal Trade Commission reported that more money was lost to investment scams in the US during 2023 than to any other type of scam, totaling over USD 4.6 billion stolen from victims.
5.3.24 | PASS-THE-HASH ATTACK | Attack | PtH | Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.
5.3.24 | TA577 | Group | Group | TA577’s Unusual Attack Chain Leads to NTLM Data Theft
5.3.24 | CVE-2024-23917 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.3, an authentication bypass leading to RCE was possible.
5.3.24 | CVE-2024-27199 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, a path traversal allowing limited admin actions to be performed was possible.
5.3.24 | CVE-2024-27198 | Vulnerability | CVE | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.
4.3.24 | Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules | REPORT | REPORT | A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions.
4.3.24 | Fast Adversarial Attacks on Language Models In One GPU Minute | Papers | Papers | In this paper, we introduce a novel class of fast, beam search-based adversarial attacks (BEAST) for Language Models (LMs).
4.3.24 | Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs | Papers | Papers | We demonstrate how images and sounds can be used for indirect prompt and instruction injection in multi-modal LLMs.
4.3.24 | ComPromptMized | Attack | AI | ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications
4.3.24 | CACTUS | Ransomware | Ransomware | CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks
2.3.24 | MAR-10448362-1.v1 Volt Typhoon | CERT | CERT | CISA received three files for analysis obtained from a critical infrastructure compromised by the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon.
2.3.24 | CVE-2019-3568 | Vulnerability | CVE | A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number.
2.3.24 | Scattered Spider | Group | Hacking | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.
2.3.24 | CryptoChameleon | Cryptocurrency | Phishing | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack
2.3.24 | GUloader | Malware | Loader | GUloader Unmasked: Decrypting the Threat of Malicious SVG Files
2.3.24 | BlackTech | Group | CyberSpy | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their targets’ technology.
2.3.24 | BIFROSE | Malware | RAT | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users
2.3.24 | CVE-2023-46805 | Vulnerability | CVE | (CVSS score: 8.2) - Authentication bypass vulnerability in web component
2.3.24 | CVE-2024-21887 | Vulnerability | CVE | (CVSS score: 9.1) - Command injection vulnerability in web component
2.3.24 | CVE-2024-21888 | Vulnerability | CVE | (CVSS score: 8.8) - Privilege escalation vulnerability in web component
2.3.24 | CVE-2024-21893 | Vulnerability | CVE | (CVSS score: 8.2) - SSRF vulnerability in the SAML component
2.3.24 | CVE-2024-22024 | Vulnerability | CVE | (CVSS score: 8.3) - XXE vulnerability in the SAML component
2.3.24 | GOLDEN TICKET | Attack | Attack | A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD).
2.3.24 | Golden SAML | Attack | Attack | Golden SAML, an attack technique that exploits the SAML single sign-on protocol, was used as a post-breach exploit, compounding the devastating SolarWinds attack of 2020, one of the largest breaches of the 21st century.
2.3.24 | Peach Sandstorm | Group | APT | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
2.3.24 | LightBasin | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks.
2.3.24 | GTPDOOR | Malware | Backdoor | GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange
2.3.24 | CVE-2024-21338 | Vulnerability | CVE | Windows Kernel Elevation of Privilege Vulnerability
2.3.24 | WINELOADER | Malware | Loader | European diplomats targeted by SPIKEDWINE with WINELOADER
1.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support.
1.3.24 | CVE-2024-21887 | Vulnerability | CVE | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
1.3.24 | CVE-2024-21893 | Vulnerability | CVE | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
1.3.24 | MINIBIKE | Malware | Backdoor | A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure.
1.3.24 | MINIBUS | Malware | Backdoor | A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.
1.3.24 | LIGHTRAIL | Malware | Backdoor | A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure.
1.3.24 | Tortoiseshell | Group | Group | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018.
1.3.24 | Bohrium | Group | Group | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India.
1.3.24 | UNC1549 | BigBrother | CyberSpy | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors