HOT NEWS 2024
|
DATE |
NAME |
INFO |
CATEGORY |
SUBCATE |
|
31.12.24 |
In 24, a malicious actor exploited Uzum's brand in a series of campaigns targeting mobile users in Uzbekistan. |
|||
|
31.12.24 |
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. |
VULNEREBILITY |
||
|
31.12.24 |
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. |
VULNEREBILITY |
||
|
31.12.24 |
Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration |
VULNEREBILITY |
||
|
30.12.24 |
Ficora and Capsaicin botnets leverage old vulnerabilities for distribution |
According to the researchers from Fortinet, two Linux botnet variants Ficora and Capsaicin have been distributed in recently observed campaigns. |
||
|
28.12.24 |
Skuld Infostealer malware continues to target developers via npm registry |
A malware campaign deploying the Skuld infostealer via the npm registry has been reported, targeting developers with ambiguous packages. |
||
|
28.12.24 |
Gosar is a recently identified Golang-based variant of the Quasar backdoor. |
|||
|
28.12.24 |
Latest XWorm distribution campaign targets the hospitality sector |
A new campaign distributing the XWorm commodity malware has been reported in the wild. |
||
|
28.12.24 |
Recent I2PRAT malware variant leverages anonymous peer-to-peer network communication |
The latest I2PRAT malware variant has been observed to leverage I2P anonymous peer-to-peer network for the purpose of C2 communication. |
||
|
28.12.24 |
The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. |
VULNEREBILITY |
||
|
28.12.24 |
OtterCookie, a new malware used by Contagious Interview |
JavaScript |
||
|
28.12.24 |
Cloud Atlas seen using a new tool in its attacks |
GROUP |
||
|
28.12.24 |
CVE-24-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet |
VULNEREBILITY |
||
|
28.12.24 |
Botnets Continue to Target Aging D-Link Vulnerabilities |
BOTNET |
||
|
28.12.24 |
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x uses an inherently dangerous function which could allow an attacker to send a malicious MQTT message resulting in devices executing arbitrary OS commands. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could give attackers the ability to force Ruijie's proxy servers to perform any request the attackers choose. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow MQTT clients connecting with device credentials to send messages to some topics. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x uses weak credential mechanism that could allow an attacker to easily calculate MQTT credentials. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a feature that could enable attackers to invalidate a legitimate user's session and cause a denial-of-service attack on a user's account. |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a a feature that could enable sub accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services |
VULNEREBILITY |
||
|
26.12.24 |
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a weak mechanism for its users to change their passwords which leaves authentication vulnerable to brute force attacks. |
VULNEREBILITY |
||
|
26.12.24 |
An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", |
VULNEREBILITY |
||
|
26.12.24 |
BellaCPP: Discovering a new BellaCiao variant written in C++ |
Malware |
||
|
26.12.24 |
Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. |
VULNEREBILITY |
||
|
26.12.24 |
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). |
VULNEREBILITY |
||
|
26.12.24 |
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. |
VULNEREBILITY |
||
|
26.12.24 |
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces |
PHAAS |
||
|
22.12.24 |
HeartCrypt was originally discovered through underground forums and reported by security researchers in February and March 24. |
Crypto |
||
|
22.12.24 |
The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). |
RAT |
||
|
21.12.24 |
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware |
Backdoor |
||
|
21.12.24 |
On Wednesday, December 11, 24, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. |
BOTNET |
||
|
21.12.24 |
ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous external attacks. |
HACKING |
||
|
21.12.24 |
(CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability |
VULNEREBILITY |
||
|
21.12.24 |
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 9.8) - A pre-auth SQL injection vulnerability in the email protection feature that could lead to remote code execution, |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 9.8) - A weak credentials vulnerability arising from a suggested and non-random SSH login passphrase for High Availability (HA) |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 8.8) - A post-auth code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution. |
VULNEREBILITY |
||
|
21.12.24 |
(CVSS score: 8.8), an authenticated command injection flaw that has also been fixed in FortiWLM 8.6.6, to obtain remote code execution in the context of root. |
VULNEREBILITY |
||
|
21.12.24 |
[FortiWLM] Unauthenticated limited file read vulnerability |
VULNEREBILITY |
||
|
18.12.24 |
Effective Phishing Campaign Targeting European Companies and Organizations |
Phishing |
||
|
18.12.24 |
File upload logic in Apache Struts is flawed. |
VULNEREBILITY |
||
|
18.12.24 |
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks |
APT |
||
|
18.12.24 |
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. |
VULNEREBILITY |
||
|
18.12.24 |
Sha zhu pan scam uses AI chat tool to target iPhone and Android users |
SPAM |
||
|
18.12.24 |
Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion |
RAT |
||
|
18.12.24 |
Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads |
Backdoor |
||
|
17.12.24 |
Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. |
GROUP |
||
|
17.12.24 |
BITTER APT Targets Chinese Government Agency |
APT |
||
|
17.12.24 |
Until 2016, the foreign security manufacturer Forcepoint disclosed the existence of the Manlinghua organization for the first time |
RAT |
||
|
17.12.24 |
Bitter Group Launches New Trojan Miyarat, Domestic Users Become Primary Ttargets |
RAT |
||
|
17.12.24 |
CoinLurker: The Stealer Powering the Next Generation of Fake Updates |
STEALER |
||
|
17.12.24 |
Careto is back: what’s new after 10 years of silence? |
APT |
||
|
17.12.24 |
(CVSS score: 7.4) - Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel (Patched by Adobe in March 24) |
CVE |
||
|
17.12.24 |
(CVSS score: 7.8) - Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges (Patched by Microsoft in June 24) |
CVE |
||
|
17.12.24 |
DrayTek Routers Exploited in Massive Ransomware Campaign: Analysis and Recommendations |
EXPLOIT |
||
|
16.12.24 |
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising |
MALWARETISING |
||
|
16.12.24 |
“A Digital Prison”: Surveillance and the suppression of civil society in Serbia |
ANDROID |
||
|
16.12.24 |
Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercrimals |
BACKDOOR |
||
|
16.12.24 |
New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9 |
BACKDOOR |
||
|
16.12.24 |
BADBOX Botnet Is Back |
BOTNET |
||
|
14.12.24 |
New Yokai Side-loaded Backdoor Targets Thai Officials |
BACKDOOR |
||
|
14.12.24 |
NodeLoader Exposed: The Node.js Malware Evading Detection |
LOADER |
||
|
14.12.24 |
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials |
GROUP |
||
|
13.12.24 |
openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. |
CVE |
||
|
13.12.24 |
Team82 obtained a sample of a custom-built IoT/OT malware called IOCONTROL used by Iran-affiliated attackers to attack Israel- and U.S.-based OT/IoT devices. |
IoT |
||
|
13.12.24 |
PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers. |
ROOTKIT |
||
|
12.12.24 |
Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT |
ANDROID |
||
|
12.12.24 |
Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT |
ANDROID |
||
|
12.12.24 |
Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. |
APT |
||
|
12.12.24 |
Unauthorized access to iCloud: analyzing an iOS vulnerability that could expose sensitive data to attackers |
CVE |
||
|
12.12.24 |
Unauthorized Plugin Installation/Activation in Hunk Companion |
CVE |
||
|
11.12.24 |
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine |
GROUP |
||
|
11.12.24 |
Upgraded Kazuar Backdoor Offers Stealthy Power |
BACKDOOR |
||
|
11.12.24 |
Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation |
HACKING |
||
|
11.12.24 |
Oasis Security Research Team Discovers Microsoft Azure MFA Bypass |
CVE |
||
|
11.12.24 |
Inside Zloader’s Latest Trick: DNS Tunneling |
TROJAN |
||
|
11.12.24 |
Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus |
SPYWARE |
||
|
11.12.24 |
Likely China-based Attackers Target High-profile Organizations in Southeast Asia |
APT |
||
|
11.12.24 |
(CVSS score: 10.0) - An authentication bypass vulnerability in the admin web console of Ivanti CSA before 5.0.3 that allows a remote unauthenticated attacker to gain administrative access |
CVE |
||
|
11.12.24 |
(CVSS score: 9.1) - A command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3 that allows a remote authenticated attacker with admin privileges to achieve remote code execution |
CVE |
||
|
11.12.24 |
(CVSS score: 9.1) - An SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.3 that allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements |
CVE |
||
|
11.12.24 |
(CVSS score: 9.1) - An argument injection vulnerability in Ivanti Connect Secure before version 22.7R2.4 |
CVE |
||
|
11.12.24 |
(CVSS score: 9.1) - A command injection vulnerability in Ivanti Connect Secure before version 22.7R2.3 |
CVE |
||
|
11.12.24 |
(CVSS score: 8.8) - An insecure permissions vulnerability in Ivanti Sentry before versions 9.20.2 and 10.0.2 or 10.1.0 |
CVE |
||
|
10.12.24 |
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can |
CVE |
||
|
10.12.24 |
AppLite: A New AntiDot Variant Targeting Mobile Employee Devices |
BANKING |
||
|
10.12.24 |
Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels |
APT |
||
|
10.12.24 |
Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers |
APT |
||
|
10.12.24 |
Operation Tainted Love | Chinese APTs Target Telcos in New Attacks |
APT |
||
|
09.12.24 |
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware |
RANSOMWARE |
||
|
09.12.24 |
PROXY.AM Powered by Socks5Systemz Botnet |
BOTNET |
||
|
07.12.24 |
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows |
STEALER |
||
|
06.12.24 |
iVerify Mobile Threat Investigation Uncovers New Pegasus Samples |
MOBILE |
||
|
06.12.24 |
Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats |
AI |
||
|
06.12.24 |
(CVSS score: 7.2) - An insufficient sanitization issue in MLflow that leads to a cross-site scripting (XSS) attack when running an untrusted recipe in a Jupyter Notebook, |
CVE |
||
|
06.12.24 |
(CVSS score: 7.5) - An unsafe deserialization issue in H20 when importing an untrusted ML model, potentially resulting in RCE |
CVE |
||
|
06.12.24 |
(CVSS score: 7.5) - A path traversal issue in MLeap when loading a saved model in zipped format can lead to a Zip Slip vulnerability, |
CVE |
||
|
06.12.24 |
Unveiling RevC2 and Venom Loader |
LOADER |
||
|
06.12.24 |
BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure |
DROPPER |
||
|
06.12.24 |
DroidBot: Insights from a new Turkish MaaS fraud operation |
ANDROID |
||
|
06.12.24 |
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) |
CVE |
||
|
05.12.24 |
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks |
EXPLOIT KIT |
||
|
05.12.24 |
Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 24 |
PHISHING |
||
|
05.12.24 |
(CVSS score: 10.0) - An incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property |
CVE |
||
|
05.12.24 |
(CVSS score: 7.5) - An improper restriction of XML External Entity (XXE) reference vulnerability that could allow a remote, |
CVE |
||
|
05.12.24 |
(CVSS score: 9.8) - An improper authentication vulnerability that allows a remote, unauthenticated attacker to create accounts, |
CVE |
||
|
05.12.24 |
(CVSS score: 7.5) - A path traversal vulnerability in the web management interface that could allow an attacker to download or |
CVE |
||
|
04.12.24 |
Snowblind: The Invisible Hand of Secret Blizzard |
APT |
||
|
04.12.24 |
Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage |
ESPIONAGE |
||
|
04.12.24 |
From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. |
CVE |
||
|
04.12.24 |
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, |
CVE |
||
|
04.12.24 |
The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox |
EXPLOIT |
||
|
03.12.24 |
Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject |
CVE |
||
|
03.12.24 |
(CVSS score: 5.6) - An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, |
CVE |
||
|
03.12.24 |
(CVSS score: 7.1) - A vulnerability impacting SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute |
CVE |
||
|
03.12.24 |
Analysis of Kimsuky Threat Actor's Email Phishing Campaign |
APT |
||
|
03.12.24 |
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT |
RAT |
||
|
03.12.24 |
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT |
RAT |
||
|
02.12.24 |
SmokeLoader Attack Targets Companies in Taiwan |
LOADER |
||
|
02.12.24 |
SpyLoan: A Global Threat Exploiting Social Engineering |
SPYWARE |
||
|
29.11.24 |
"Operation Undercut"Shows Multifaceted Nature of SDA’s Influence Operations |
OPERATION |
||
|
29.11.24 |
Trustwave SpiderLabs has been actively monitoring the rise of Phishing-as-a-Service (PaaS) platforms, which are increasingly popular among threat actors. |
PHISHING |
||
|
29.11.24 |
A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), |
CVE |
||
|
28.11.24 |
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft |
HACKING |
||
|
28.11.24 |
Gaming Engines: An Undetected Playground for Malware Loaders |
LOADER |
||
|
28.11.24 |
An Update on Recent Cyberattacks Targeting the US Wireless Companies |
INCIDENT |
||
|
28.11.24 |
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. |
CVE |
||
|
27.11.24 |
Bootkitty: Analyzing the first UEFI bootkit for Linux |
BOOTKIT |
||
|
27.11.24 |
Attacks by the attack group APT-C-60 using legitimate services |
APT |
||
|
27.11.24 |
Matrix Unleashes A New Widespread DDoS Campaign |
BOTNET |
||
|
26.11.24 |
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing |
CVE |
||
|
26.11.24 |
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' |
CVE |
||
|
26.11.24 |
(CVSS score: 9.8) - A use-after-free vulnerability in Firefox's Animation component (Patched by Mozilla in October 2024) |
CVE |
||
|
26.11.24 |
(CVSS score: 8.8) - A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024) |
CVE |
||
|
26.11.24 |
RomCom exploits Firefox and Windows zero days in the wild |
GROUP |
||
|
26.11.24 |
Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries |
RAT |
||
|
26.11.24 |
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions |
GROUP |
||
|
26.11.24 |
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. |
CVE |
||
|
25.11.24 |
The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform |
ATTACK |
||
|
25.11.24 |
When Guardians Become Predators: How Malware Corrupts the Protectors |
ROOTKIT |
||
|
23.11.24 |
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON |
GROUP |
||
|
22.11.24 |
Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell |
APT |
||
|
22.11.24 |
Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY |
GROUP |
||
|
22.11.24 |
China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike |
GROUP |
||
|
22.11.24 |
Malicious packages for AI integration containing infostealer malware were found in the Python Package Index repository. |
STEALER |
||
|
22.11.24 |
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) |
CVE |
||
|
22.11.24 |
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface |
CVE |
||
|
21.11.24 |
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine |
LINUX BACK. |
||
|
21.11.24 |
Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine |
GROUP |
||
|
21.11.24 |
Attacks on Ukraine’s Energy Infrastructure: Harm to the Civilian Population |
MALWARE |
||
|
21.11.24 |
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. |
CVE |
||
|
21.11.24 |
Python NodeStealer Targets Facebook Ads Manager with New Techniques |
STEALER |
||
|
20.11.24 |
Ghost Tap: New cash-out tactic with NFC Relay |
NFC |
||
|
19.11.24 |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. |
CVE |
||
|
19.11.24 |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, |
CVE |
||
|
19.11.24 |
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable. |
CVE |
||
|
19.11.24 |
Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. |
CVE |
||
|
19.11.24 |
Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector |
GROUP |
||
|
19.11.24 |
(CVSS score: 8.8) - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content |
CVE |
||
|
19.11.24 |
(CVSS score: 6.1) - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content |
CVE |
||
|
19.11.24 |
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). |
CVE |
||
|
19.11.24 |
One Sock Fits All: The use and abuse of the NSOCKS botnet |
BOTNET |
||
|
19.11.24 |
Helldown Ransomware: an overview of this emerging threat |
RANSOMWARE |
||
|
19.11.24 |
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. |
CVE |
||
|
19.11.24 |
Babble Babble Babble Babble Babble Babble BabbleLoader |
LOADER |
||
|
18.11.24 |
The Abuse of ITarian RMM by Dolphin Loader |
LOADER |
||
|
18.11.24 |
LodaRAT: Established Malware, New Victim Patterns |
RAT |
||
|
18.11.24 |
Mr.Skeleton RAT - new malware based on the njRAT code |
RAT |
||
|
18.11.24 |
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. |
CVE |
||
|
16.11.24 |
CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) |
CVE |
||
|
16.11.24 |
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA |
GROUP |
||
|
16.11.24 |
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA |
STEALER |
||
|
15.11.24 |
Malware Spotlight: A Deep-Dive Analysis of WezRat |
RAT |
||
|
15.11.24 |
New PXA Stealer targets government and education sectors for sensitive information |
STEALER |
||
|
15.11.24 |
PostgreSQL PL/Perl environment variable changes execute arbitrary code |
CVE |
||
|
15.11.24 |
(CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection Vulnerability |
CVE |
||
|
15.11.24 |
(CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection Vulnerability |
CVE |
||
|
14.11.24 |
DNS Predators Hijack Domains to Supply their Attack Infrastructure |
DNS |
||
|
14.11.24 |
Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes |
DOWNLOADER |
||
|
14.11.24 |
CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild |
CVE |
||
|
13.11.24 |
Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity |
GROUP |
||
|
13.11.24 |
Iranian “Dream Job” Campaign 11.24 |
CAMPAIGN |
||
|
13.11.24 |
(CVSS score: 6.5) - Windows NTLM Hash Disclosure Spoofing Vulnerability |
CVE |
||
|
13.11.24 |
(CVSS score: 8.8) - Windows Task Scheduler Elevation of Privilege Vulnerability |
CVE |
||
|
13.11.24 |
(CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device |
CVE |
||
|
13.11.24 |
(CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number |
CVE |
||
|
13.11.24 |
(CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution |
CVE |
||
|
13.11.24 |
(CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it |
CVE |
||
|
12.11.24 |
(CVSS score: 5.1) - Privilege escalation to NetworkService Account access |
CVE |
||
|
12.11.24 |
(CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account access |
CVE |
||
|
12.11.24 |
APT Actors Embed Malware within macOS Flutter Applications |
MacOS |
||
|
12.11.24 |
Ymir: new stealthy ransomware in the wild |
STEALER |
||
|
11.11.24 |
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign |
LOADER |
||
|
11.11.24 |
Machine Learning Bug Bonanza – Exploiting ML Services |
AI |
EXPLOIT |
|
|
08.11.24 |
Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave |
BOTNET |
||
|
08.11.24 |
Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT |
RAT |
||
|
08.11.24 |
Roblox Developers Targeted with npm Packages Infected with Skuld Infostealer and Blank Grabber |
STEALER |
||
|
08.11.24 |
CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging |
LINUX |
||
|
08.11.24 |
Android Framework Privilege Escalation Vulnerability |
CVE |
||
|
08.11.24 |
CyberPanel Incorrect Default Permissions Vulnerability |
CVE |
||
|
08.11.24 |
Nostromo nhttpd Directory Traversal Vulnerability |
CVE |
||
|
08.11.24 |
Palo Alto Expedition Missing Authentication Vulnerability |
CVE |
||
|
08.11.24 |
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence |
CRYPTO |
||
|
07.11.24 |
CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits |
EXPLOIT |
||
|
07.11.24 |
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency |
TROJAN |
||
|
07.11.24 |
A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points could allow an unauthenticated |
CVE |
||
|
07.11.24 |
Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2 |
EXPLOIT |
||
|
06.11.24 |
Threat Campaign Spreads Winos4.0 Through Game Application |
TROJAN |
||
|
06.11.24 |
ToxicPanda: a new banking trojan from Asia hit Europe and LATAM |
BANKING |
||
|
05.11.24 |
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 |
CVE |
||
|
05.11.24 |
Typosquat Campaign Targeting npm Developers |
MALWARE |
||
|
05.11.24 |
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. |
CVE |
||
|
04.11.24 |
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new variant of a well-known malware previously reported by ThreatFabric and Kaspersky. |
ANDROID |
||
|
04.11.24 |
(CVSS score: 7.5) - A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the server (Fixed in version 0.1.47) |
CVE |
||
|
04.11.24 |
(CVSS score: 8.2) - An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46) |
CVE |
||
|
04.11.24 |
(CVSS score: 7.5) - A vulnerability that causes resource exhaustion and ultimately a DoS when invoking the /api/create endpoint repeatedly when passing the file "/dev/random" as input (Fixed in version 0.1.34) |
CVE |
||
|
04.11.24 |
(CVSS score: 7.5) - A path traversal vulnerability in the api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46) |
CVE |
||
|
1.11.24 |
A new variant of the Android malware called FakeCall has been observed in the wild. |
|||
|
1.11.24 |
Sauron is a new ransomware variant recently found in the wild. The malware appends ".sauron" extension to the encrypted files. The ransom note is dropped in form of a text file called "#HowToRecover.txt" on the affected machines. |
|||
|
1.11.24 |
UNC5812 campaigns against Ukraine with Android and Windows malware |
A recent report highlighted activity attributed to a suspected Russian threat actor identified as UNC5812. The activity involved distributions of Android and Windows malware targeting Ukranian military recruits. |
||
|
1.11.24 |
A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a highly sophisticated downloader variant discovered initially back in 2022. |
|||
|
1.11.24 |
CVE-2024-40711 is a recently disclosed critical (CVSS score 9.8) deserialization vulnerability affecting the Veeam Backup and Replication software in version 12.1.2.172 or older. |
|||
|
1.11.24 |
A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts and forwards SMS messages from victims' devices to cybercriminals, leading to significant financial losses. |
|||
|
1.11.24 |
Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware |
Threat actors are increasingly using fake CAPTCHAs as an initial attack vector. A recent adware campaign targets online users by presenting them with fake CAPTCHA or update prompts. |
||
|
1.11.24 |
TeamTNT targets cloud-native environments in new Cryptojacking campaign |
A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and reselling compromised servers. |
||
|
1.11.24 |
Rekoobe malware found potentially targeting TradingView users |
An open directory has been discovered hosting Rekoobe malware, potentially aimed at TradingView users, alongside other cyber espionage campaigns. |
||
|
1.11.24 |
Daggerfly targets Taiwanese entities with new CloudScout Toolset |
China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. |
||
|
1.11.24 |
Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. |
|||
|
1.11.24 |
A researcher recently identified a multi-stage cyberattack targeting the healthcare industry, initiated through a ZIP file containing a malicious shortcut (.lnk) file, likely spread via phishing emails. |
|||
|
1.11.24 |
Even before making Recall available to customers, we have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards. |
SECURITY |
SECURITY |
|
|
1.11.24 |
Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit |
PHISHING KIT |
||
|
1.11.24 |
In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. |
iOS |
||
|
1.11.24 |
Rare Case of Privilege Escalation Patched in LiteSpeed Cache Plugin |
This blog post is about the LiteSpeed plugin vulnerability. If you’re a LiteSpeed user, please update the plugin to at least version 6.5.2. |
VULNEREBILITY |
|
|
30.10.24 |
Jumpy Pisces Engages in Play Ransomware | Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. | RANSOMWARE | RANSOMWARE |
|
30.10.24 |
CrossBarking | “CrossBarking” — Exploiting a 0-Day Opera Vulnerability with a Cross-Browser Extension Store Attack | EXPLOIT | VULNEREBILITY |
|
30.10.24 |
Rampant Phishing | You’re Invited: Rampant Phishing Abuses Eventbrite | CAMPAIGN | PHISHING |
|
30.10.24 |
CryptoAiToolsv0.7 | A Python toolkit to create and manage crypto trading bots | CRYPTOCURRENCY | CRYPTOCURRENCY |
|
29.10.24 |
CVE-2024-7474 | (CVSS score: 9.1) - An Insecure Direct Object Reference (IDOR) vulnerability that could allow an authenticated user to view or delete external users, resulting in unauthorized data access and potential data loss | VULNEREBILITY | CVE |
|
29.10.24 |
CVE-2024-7475 | (CVSS score: 9.1) - An improper access control vulnerability that allows an attacker to update the SAML configuration, thereby making it possible to log in as an unauthorized user and access sensitive information | VULNEREBILITY | CVE |
|
29.10.24 |
Operation Magnus | On the 28th of October 2024 the Dutch National Police, working in close cooperation with the FBI and other partners of the international law enforcement task force Operation Magnus, disrupted operation of the Redline and META infostealers. | OPERATION | OPERATION |
|
29.10.24 |
Breaking the Barrier: Post-Barrier Spectre Attac | The effectiveness of transient execution defenses rests on obscure model-specific operations that must be correctly implemented in microcode and applied by software. In this paper, we study branch predictor invalidation through. | PAPERS | PAPERS |
|
29.10.24 |
Breaking the Barrier | Speculation barriers, in this case barriers that stop previously learned predictions from being used, are critical for computer software and cloud infrastructure to run securely. | VULNEREBILITY | CPU |
|
29.10.24 |
CloudScout | ESET researchers discovered a previously undocumented toolset used by Evasive Panda to access and retrieve data from cloud services | APT | APT |
|
28.10.24 |
UNC5812 | Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives | GROUP | GROUP |
|
28.10.24 |
BeaverTail | Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview | MALWARE | PYTHON |
|
28.10.24 |
CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
|
28.10.24 |
| Windows Secure Kernel Mode Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
|
28.10.24 |
Gun Campaign | TeamTNT’s Docker Gatling Gun Campaign | CAMPAIGN | CAMPAIGN |
|
28.10.24 |
Qilin | New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion | RANSOMWARE | RANSOMWARE |
|
28.10.24 |
Multi-Turn Context Jailbreak Attack on Larg | Large language models (LLMs) have significantly enhanced the performance of numerous applications, from intelligent conversations to text generation. However, their inherent security vulnerabilities have become an increasingly significant challenge, especially with respect to jailbreak attacks. | PAPERS | PAPERS |
|
28.10.24 |
CVE-2024-38094 | Microsoft SharePoint Remote Code Execution Vulnerability | VULNEREBILITY | CVE |
|
28.10.24 |
CVE-2024-47575 | A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests. | VULNEREBILITY | CVE |
|
28.10.24 |
Lazarus APT | The Crypto Game of Lazarus APT: Investors vs. Zero-days | APT | APT |
|
28.10.24 |
CVE-2024-20481 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability | VULNEREBILITY | CVE |
|
28.10.24 |
Grandoreiro | Grandoreiro, the global trojan with grandiose goals | MALWARE | BANKING |
|
28.10.24 |
Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach | Trend Micro researchers recently observed a malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency. | CRYPTOCURRENCY | CRYPTOCURRENCY |
|
28.10.24 |
CVE-2024-38812 | VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) | VULNEREBILITY | CVE |
|
28.10.24 |
End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosyst | Cloud storage is ubiquitous: Google Drive, Dropbox, and OneDrive are household names. However, these services do not provide end-to-end encryption (E2EE), meaning that the provider has access to the data stored on their servers. The promise of end-to-end encrypted cloud storage is that users can have the best of both worlds, keeping control of their data using cryptographic techniques, while still benefiting from low-cost storage solutions. | PAPERS | PAPERS |
|
28.10.24 |
Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | BIGBROTHER | BIGBROTHER |
|
28.10.24 |
ClickFix | ClickFix tactic: The Phantom Meet | CAMPAIGN | SOCIAL |
|
28.10.24 |
Latrodectus | Analyzing Latrodectus: The New Face of Malware Loaders | MALWARE | LOADER |
|
28.10.24 |
CVE-2024-8260 | An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions. | VULNEREBILITY | CVE |
|
28.10.24 |
Gophish Framework | Threat actor abuses Gophish to deliver new PowerRAT and DCRAT | PHISHING | CAMPAIGN |
|
28.10.24 |
Crypt Ghouls | Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia | GROUP | GROUP |
|
28.10.24 |
CVE-2024-37383 | Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability. | VULNEREBILITY | CVE |
|
27.10.24 |
CVE-2024-9487 | 3.14.2: Security fixes | VULNEREBILITY | CVE |
|
27.10.24 |
Water Makara | Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware | GROUP | GROUP |
|
27.10.24 |
FASTCash | Analysis of a newly discovered Linux based variant of the DPRK attributed FASTCash malware along with background information on payment switches used in financial networks. | MALWARE | LINUX |
|
27.10.24 |
TrickMo | Expanding the Investigation: Deep Dive into Latest TrickMo Samples | MALWARE | BANKING |
|
27.10.24 |
DarkVision RAT | DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and on its own website for as little as $60. Written in C/C++ and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. | MALWARE | RAT |
|
27.10.24 |
CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | VULNEREBILITY | CVE |
|
27.10.24 |
Operation Code on Toast | AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) | OPERATION | OPERATION |
|
27.10.24 |
EDRSilencer | Trend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity. | TOOL | HACKING |
|
27.10.24 |
CVE-2024-9486 | VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder | VULNEREBILITY | CVE |
|
27.10.24 |
SideWinder | Beyond the Surface: the evolution and expansion of the SideWinder APT group | APT | GROUP |
|
27.10.24 |
Cicada3301 | Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group | RANSOMWARE | RANSOMWARE |
|
27.10.24 |
UAT-5647 | UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants | GROUP | APT |
|
27.10.24 |
Multiple vulnerabilities affecting Palo Alto Networks Expedition | Multiple vulnerabilities affecting Palo Alto Networks Expedition have been disclosed this month. The reported flaws (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) have been rated between CVSS 7.0 and CVSS 9.9 and include a mix of command injection, cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities. | ALERTS | VULNEREBILITY |
|
27.10.24 |
CVE-2024-47575 - Fortinet FortiManager Missing Authentication vulnerability | CVE-2024-47575 is a zero-day vulnerability affecting Fortinet FortiManager that was disclosed this month. The vulnerability has been rated with a critical CVSS score of 9.8. If successfully exploited, it could allow remote unauthenticated attackers to execute arbitrary code via specially crafted requests. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Parano Stealer | Parano Stealer is another "run-of-the-mill" infostealer variant recently observed in the wild. This Python-based malware has functionality to collect and exfiltrate various information from the compromised endpoints, including credentials, cookies, and miscellaneous data stored in web browsers, cryptocurrency wallets, system information, and data from various third-party applications like Steam, Telegram or Discord. | ALERTS | VIRUS |
|
27.10.24 |
Liberium RAT malware | Liberium RAT (also known as ShadowRoot) is a malware variant recently advertised for sale on hacking forums. The malware gives attackers remote access to infected endpoints and supports file management operations, registry manipulation, and theft of system-related information and other confidential data. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-38094 - Microsoft SharePoint Deserialization vulnerability exploited in the wild | CVE-2024-38094 is a deserialization vulnerability affecting Microsoft SharePoint, which was initially disclosed and patched back in July 2024. The flaw rated with a CVSS score of 7.2 arises from the product deserializing data without enough verification that the resulting data output will be valid. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Prometei botnet activity | New Prometei botnet activity has been reported in the wild. The botnet has been historically used mostly for Monero cryptomining operations, but over time the attackers behind it updated its capabilities to conduct more complex attacks, allowing full control over the infected machines as well as additional arbitrary payload deployments. | ALERTS | BOTNET |
|
27.10.24 |
DarkComet Backdoor | DarkComet is a powerful Remote Access Trojan (RAT) that remains a significant threat because of its stealthy operations and comprehensive functionality. It enables attackers to remotely control infected devices, exfiltrate sensitive data, and deploy further malware. It can evade detection by altering file attributes, manipulating registry keys and escalating privileges. | ALERTS | VIRUS |
|
27.10.24 |
Threat actors distribute WarmCookie malware via various campaigns | WarmCookie is malware that has been observed being distributed through various campaigns, including malicious emails. This malware provides initial access to a compromised victim and is used to establish persistence. Additional functionality associated with WarmCookie includes remote command execution, file system manipulation, and payload delivery, among others. | ALERTS | VIRUS |
|
27.10.24 |
Crystal Rans0m: Rust-Based Hybrid Ransomware | Crystal Rans0m is a Rust-based hybrid ransomware that combines file encryption with data-stealing capabilities that has been observed targeting Italy and Russia. The malware can steal browser data, Discord tokens, Steam files, Riot Games data and utilizes Discord webhooks for data exfiltration. | ALERTS | RANSOM |
|
27.10.24 |
CVE-2024-9680 - Mozilla Firefox Remote Code Execution vulnerability | CVE-2024-9680 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Mozilla Firefox and Thunderbird software. The vulnerability has been assigned a critical CVSS score of 9.8 and arises from a "use-after-free" flaw in the animation timeline component of the browser. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Phemedrone Stealer | Phemedrone is an open-source infostealer variant observed being distributed in the wild this year. The malware is written in C# and has the functionality to collect and exfiltrate various sensitive information such as login credentials, data stored in browsers, cookies, credit card information, cryptocurrency wallets, files stored in "My Documents" folders or data from other third-party apps such as Steam, Discord or Telegram. | ALERTS | VIRUS |
|
27.10.24 |
Akira Ransomware Evolution: A move towards cross-platform adaptability | Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. However, starting in early 2024, the group appears to be shifting away from encryption tactics, focusing solely on data exfiltration. | ALERTS | RANSOM |
|
27.10.24 |
Ghostpulse Malware: Shifting tactics from PNGs to Pixel values | According to recent reports, Ghostpulse malware has evolved its tactics by shifting from hiding its encrypted configuration and payload in the IDAT chunk of PNG files, to embedding it directly within the pixel values themselves to evade detection. In recent campaigns, attackers have employed social engineering techniques such as CAPTCHA validations to deceive users which ultimately triggers malicious commands via Windows keyboard shortcuts. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential vulnerability | CVE-2024-28987 is a recently disclosed hardcoded credential vulnerability affecting the SolarWinds Web Help Desk (WHD) software. The flaw is rated as critical (CVSS score 9.1) and, if successfully exploited, could allow remote unauthenticated attackers to access internal software functionality and modify data. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Threat actors abusing open-source phishing framework to deliver RATs | A recent report by CTA member Cisco Talos disclosed a new phishing campaign abusing the open-source phishing readiness assessment framework 'Gophish' to deploy one of two attack chains. The first uses Pidief-infected Office documents to deploy a newly discovered PowerShell RAT dubbed 'PowerRAT', while the second employs malicious HTML files and GOLoader to deploy DCRAT. | ALERTS | VIRUS |
|
27.10.24 |
IcePeony: China-linked APT group targeting Southeast Asian governments | A recently identified APT group linked to China dubbed IcePeony has been detected conducting malware campaigns targeting government agencies and institutions in countries such as India, Mauritius, and Vietnam. The group's attack vector often involves SQL injection, leading to compromises via web shells and backdoors that utilize custom malware like "IceCache" to infiltrate networks. | ALERTS | APT |
|
27.10.24 |
Lumma Stealer delivered via Fake CAPTCHA | Researchers are monitoring an ongoing phishing campaign in which attackers have moved beyond traditional phishing to incorporate fake CAPTCHA pages and the abuse of legitimate software, with the aim of eventually luring users into executing a payload called Lumma Stealer. This infostealing malware is a MaaS (Malware-as-a-Service) variant that steals sensitive data such as passwords and cryptocurrency information. | ALERTS | VIRUS |
|
27.10.24 |
Phishing Campaign Delivering Wiper Malware | A recent campaign was observed by researchers in which threat actors targeted Israeli organizations by impersonating a certain antivirus vendor and sending out phishing emails warning of state-backed threats. The emails include a link to a fake program that downloads malware called Wiper, designed to erase data. | ALERTS | PHISHING |
|
27.10.24 |
Phishing attack aims at Meta Ads Professionals with Quasar RAT | A malware campaign targeting job seekers and digital marketing professionals has been reported. The campaign specifically focuses on Meta Ads professionals and is believed to be driven by a Vietnamese Threat Actor. The attack chain begins with a phishing email containing an archive attachment that disguises a malicious LNK file as a PDF. When opened, the LNK file triggers PowerShell commands that lead to the download and execution of additional scripts, ultimately resulting in the delivery of the Quasar RAT payload. | ALERTS | PHISHING |
|
27.10.24 |
ClickFix Tactic: New malware campaigns preying on Google Meet users | Various malware campaigns utilizing the emerging ClickFix tactic have been reported since June 2024. One such campaign, distributing infostealers through fake pages for Google Meet, a popular video communication service, has been reported in the wild. Users are lured by emails that appear to be legitimate Google Meet invitations for work meetings, conferences, or other significant events. | ALERTS | CAMPAIGN |
|
27.10.24 |
Recent malicious activities attributed to the UAT-5647 threat group | According to the report published by Cisco Talos, UAT-5647 threat group has been targeting entities in Ukraine and Poland in their most recent campaigns. The threat actors have been distributing two distinct downloader variants called RustyClaw and MeltingClaw, a new RomCom malware variant dubbed SingleCamper, as well as DustyHammock and ShadyHammock backdoors. | ALERTS | GROUP |
|
27.10.24 |
Emerging Stealer Variants: Divulge, DedSec, and Duck Stealers | Multiple stealers have been observed being advertised on hacker forums, GitHub, and Telegram, all developed and promoted by the same entity. Notable variants include Divulge Stealer (a copy of Umbral), DedSec Stealer (based on Doenerium), and Duck Stealer (a derivative of AZStealer). | ALERTS | VIRUS |
|
27.10.24 |
TrickMo targeting Android users with fake lock-screen | Security researchers have recently disclosed a new variant of TrickMo, a mobile banking trojan that targets Android and iOS users. This new variant comes with some new functionality in addition to the existing capabilities, such as screen recording, remote control, and permissions granting. | ALERTS | VIRUS |
|
27.10.24 |
Lockbit ransomware pretender targets macOS and Windows environments for data theft | A new campaign leveraging a malware variant disguised as Lockbit ransomware has been reported in the wild. The Go-based malware targets both macOS and Windows users in attempts to encrypt and exfiltrate confidential data. The stolen information is uploaded to Amazon AWS S3 buckets controlled by the attackers. The malware encrypts user files, deletes shadow copies on the infected machines and appends the .abcd extension to the encrypted files. The ransomware then changes the desktop wallpaper to one copied from Lockbit 2.0 attacks. This action is clearly a tactic meant to pressure the victims into paying the demanded ransom. | ALERTS | RANSOM |
|
27.10.24 |
Microsoft Windows Kernel TOCTOU Race Condition Vulnerability (CVE-2024-30088) | CVE-2024-30088 is a Time-Of-Check Time-Of-Use (TOCTOU) race condition vulnerability in the Microsoft Windows Kernel. It arises when the state of a resource is modified between its validation (check) and actual use, allowing attackers to exploit the gap for privilege escalation. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Leafperforator APT group expands operations into the Middle East and Africa | | ALERTS | APT |
|
27.10.24 |
Meduza Stealer | Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings. | ALERTS | VIRUS |
|
27.10.24 |
New Linux variant of FASTCash malware discovered | A new Linux variant of the FASTCash malware (a tool which CISA has attributed to North Korea) has been discovered. FASTCash is malware that is implanted within compromised networks and leveraged to perform unauthorized banking transactions. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-44849 - Qualitor Remote Code Execution (RCE) vulnerability | CVE-2024-44849 is a critical (CVSS: 9.8) Remote Code Execution (RCE) vulnerability in Qualitor, a platform for managing customer service processes and centralizing services. The flaw allows remote code execution through an arbitrary file upload in Qualitor versions before 8.24. | ALERTS | VULNEREBILITY |
|
27.10.24 |
ThunderKitty malware | ThunderKitty is a Go-based open-source infostealer variant seen in the wild. The malware has the functionality to collect miscellaneous information from infected machines, including banking details, Discord session tokens, cookies, browser history and other data stored in the browsers. ThunderKitty implements several evasion and anti-analysis techniques, including VM environment and debugger presence detection, as well as persistence mechanisms. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-45519 - Remote Command Execution vulnerability in Zimbra Collaboration Suite | CVE-2024-45519 is a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS) affecting versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1. The flaw stems from a failure to sanitize user input and, if successfully exploited, could allow unauthenticated attackers to execute arbitrary code within the context of the vulnerable Zimbra installation. | ALERTS | VULNEREBILITY |
|
27.10.24 |
INTERLOCK Ransomware | A new ransomware actor, going by the name INTERLOCK, has recently emerged in the threat landscape. This group appears to employ a double-extortion tactic. On successful compromise, encrypted files are appended with the ".interlock" extension. | ALERTS | RANSOM |
|
27.10.24 |
Attackers still using SHTML files to target recipients with phishing | Symantec has recently observed a new phishing campaign using attached SHTML files disguised as import or payment forms. The messages attempt to entice users to open the attached files to resolve import or billing issues. If the recipient opens the form, they are greeted with a fake 'DHL' login page that exfiltrates the entered credentials to a private Telegram channel for the attacker to use later. | ALERTS | PHISHING |
|
27.10.24 |
MiyaRat: The latest tool from the Bitter APT group | The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been observed deploying a new malware known as MiyaRat. This malware is capable of collecting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-43363 - Cacti RCE vulnerability | CVE-2024-43363 is a remote code execution (RCE) vulnerability in Cacti, a network monitoring and fault management framework. The flaw is exploited via log poisoning on vulnerable instances and could ultimately allow attackers to execute arbitrary commands. The vulnerability has been fixed in product version 1.2.28 and higher. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Abuse of Code-Signing Certificates in Lumma Stealer deployment via HijackLoader | A malware campaign has been observed deploying Lumma Stealer using HijackLoader. The attack vector employs a "fake CAPTCHA" to lure users into executing a PowerShell payload that downloads a ZIP archive containing either a DLL or a signed HijackLoader binary. | ALERTS | VIRUS |
|
27.10.24 |
CoreWarrior Malware | Researchers investigated a malware named CoreWarrior and found that this variant aggressively spreads by creating numerous copies, connecting to various IP addresses, opening multiple backdoor access points, and intercepting Windows UI elements for surveillance purposes. | ALERTS | VIRUS |
|
27.10.24 |
Core Werewolf utilizes AutoIt loader and Telegram for Cyber attacks | The Core Werewolf threat actor group, which primarily targets Russia's defense industry and critical infrastructure, has been observed using new tools including an AutoIt loader and delivering malicious files via Telegram in addition to email. | ALERTS | VIRUS |
|
27.10.24 |
ErrorFather Android Trojan | ErrorFather is a variant of the Cerberus Android banking trojan, which came to light in 2019. This variant utilizes a multi-stage dropper to deploy its payload and can execute financial fraud through remote attacks, keylogging, and overlay tactics. The emergence of ErrorFather highlights the persistent danger of repurposed malware, as cybercriminals continue to exploit leaked source code years after the original Cerberus malware was discovered. | ALERTS | VIRUS |
|
27.10.24 |
Demodex targeting American telecommunications | APT group 'Squash' has been reported to be utilizing Demodex to target American telecommunications providers. Demodex, a rootkit, is used to establish persistence and then files with fake file headers (PNG, JPEG and WAV have been observed) are used to help evade detection and utilized to establish C2 communications. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-43573 - Microsoft Windows MSHTML Platform spoofing vulnerability | CVE-2024-43573 is a spoofing vulnerability that was recently disclosed as part of the October 2024 Patch Tuesday. The vulnerability affects the Microsoft Windows MSHTML Platform. Assigned a CVSS score of 6.5 (Moderate), the flaw could allow attackers to execute arbitrary code within the context of the vulnerable application. | ALERTS | VULNEREBILITY |
|
27.10.24 |
New Pronsis Loader malware leveraged for Lumma Stealer and Latrodectus delivery | Pronsis Loader is a new malware variant leveraged recently in campaigns delivering Lumma Stealer and Latrodectus payloads. The malware utilizes executables compiled in JPHP programming language, which is a Java implementation of PHP. | ALERTS | VIRUS |
|
27.10.24 |
LemonDuck: The evolving Multi-Platform cryptomining malware | LemonDuck, a well-known cryptomining malware, has evolved into a multi-platform threat and has been observed exploiting SMB vulnerabilities, particularly EternalBlue, as part of its attack vector to gain network access. | ALERTS | VIRUS |
|
27.10.24 |
CVE-2024-7954 - Remote Code Execution vulnerability in SPIP Porte Plume Plugin | CVE-2024-7954 is a critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability in the porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16. SPIP is a free-software content management system (CMS) for publishing websites. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Lynx ransomware - a formidable cyber-extortion threat | New research published by Palo Alto Networks Unit 42 indicates that the ransomware variant known as Lynx shares a significant portion of its source code with the INC ransomware. The operators of Lynx have actively targeted organizations in various sectors (architecture, real estate, retail, and financial/environmental services) in the U.S. and UK. The ransomware operates under a RaaS model and is disseminated through a variety of attack vectors, including deceptive phishing emails, malicious downloads that infect users' systems, and hacking forums. Once a victim is infected with Lynx ransomware, their data is exfiltrated before encryption, following the double-extortion approach to obtain a ransom payment. | ALERTS | RANSOM |
|
27.10.24 |
CVE-2024-43572 - Microsoft Windows Management Console RCE vulnerability | CVE-2024-43572 is a Microsoft Windows Management Console remote code execution (RCE) vulnerability recently disclosed and patched as part of the October 2024 Patch Tuesday. The vulnerability is exploited through execution of specially crafted malicious Microsoft Saved Console (MSC) files. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Perfctl malware campaign exploiting RocketMQ vulnerability hits Linux Servers worldwide | A Perfctl malware campaign targeting millions of Linux servers worldwide has been observed. The campaign exploits the CVE-2023-33246 RocketMQ vulnerability. The malware employs rootkits for stealth and process masquerading along with TOR for command and control (C2) communication. As the final payload, it deploys a cryptominer alongside proxy hijacking software. Additionally, the malware utilizes temporary directories and modified system utilities to evade detection. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Kransom ransomware targets gamers by imitating Honkai: Star Rail installer | Reports indicate that Honkai: Star Rail, a popular role-playing game, is being exploited by a new ransomware dubbed Kransom. This ransomware spreads through drive-by-download campaigns, enticing victims by masquerading the malicious binary as a legitimate StarRail game installer and employing valid digital certificates. Upon execution, the malicious DLL is loaded using a dynamic-link library (DLL) side-loading technique, initiating the ransomware’s encryption process. | ALERTS | RANSOM |
|
27.10.24 |
Havoc Framework | Researchers have found that cybercriminals are increasingly leveraging pen testing tools like the Havoc framework to evade security systems. This tool is less recognized than others, such as Cobalt Strike or Metasploit, which makes it harder to spot. The Mysterious Werewolf group is using strategies similar to the Mythic framework, and phishing emails that mimic legitimate organizations remain a common tactic for gaining unauthorized access. | ALERTS | VIRUS |
|
27.10.24 |
CleanUpLoader Leveraged By Rhysida | A recent report shed light on a loader/backdoor known as "CleanUpLoader," used by the double-extortion ransomware actor "Rhysida" as an initial vector of infection. It is typically disguised as software installers like Microsoft Teams or Google Chrome. The loader facilitates communication with multiple command-and-control (C2) servers, allowing Rhysida to establish persistence and perform data exfiltration. | ALERTS | VIRUS |
|
27.10.24 |
New Ivanti CSA vulnerabilities exploited in the wild | Ivanti has published a new security advisory regarding three recently disclosed Ivanti CSA (Cloud Services Application) vulnerabilities. The reported vulnerabilities are as follows. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Lua-based malware variants target the educational sector | There has been a recent surge in Lua-based malware targeting students, specifically through attacks capitalizing on games popular within the student gamer community and aimed at those searching for gaming cheats. Threat actors use fake game cheats to trick users into downloading this malware. | ALERTS | VIRUS |
|
27.10.24 |
Horus Protector | A new malware distribution service has been uncovered called Horus Protector that claims to be a Fully Undetectable (FUD) crypter and distributes various malware families, including AgentTesla, Remcos, Snake, and NjRat. The service distributes malware using a .zip file that contains a VBE script and gathers information from users' machines to transmit to its server. | ALERTS | VIRUS |
|
27.10.24 |
Threat actors associated with North Korea target tech job seekers with malware | The Contagious Interview campaign started in 2023 and is perpetuated by threat actors associated with North Korea. Recent activity has been observed that can be tied to this campaign with threat actors posing as job recruiters and luring victims into supposed interviews. | ALERTS | APT |
|
27.10.24 |
A Recent PhantomLoader Campaign | PhantomLoader is a malware that disguises itself as a legitimate 32-bit DLL for a certain antivirus software and was recently found posing as “PatchUp.exe,” a genuine component of the software. The malicious loader was observed using binary patching and self-modifying techniques to load Rust-based malware dubbed SSLoad into memory. | ALERTS | VIRUS |
|
27.10.24 |
Malvertising campaign leads to malicious Windows and Mac payloads | A recently published report identified a campaign whereby advertisers are pushing ads for utility software, such as Slack or Notion, which lead to downloads of malicious payloads. The advertisers registered under existing businesses and distributed ads that target both Windows and Mac users. | ALERTS | VIRUS |
|
27.10.24 |
Yunit Stealer - an infostealing malware with geofencing capabilities | Yunit Stealer is a malware variant recently distributed in the wild. Yunit has extensive infostealing capabilities including theft and exfiltration of credentials, credit card data, cryptocurrency wallets, cookies, auto-fill data and others. The collected information is exfiltrated via Discord or Telegram webhooks back to the attackers. | ALERTS | VIRUS |
|
27.10.24 |
Vilsa Stealer | Vilsa Stealer is a new infostealer malware variant identified in the wild. The malware has the functionality to exfiltrate miscellaneous confidential data from the infected machine including: browser data, credentials, autofill data, cookies, banking information, cryptocurrency wallets, Discord tokens and Telegram data, among others. | ALERTS | VIRUS |
|
27.10.24 |
Falcon Keylogger | Falcon is a keylogger variant recently active in the wild. Older samples of this malware date back to 2019, while the latest observed samples are from just last month. Falcon has the functionality to record keystrokes on the infected machine, collect system information, take screenshots, etc. The collected data is subsequently exfiltrated to the C2 servers controlled by the attackers. | ALERTS | VIRUS |
|
27.10.24 |
Nunu Stealer malware | Nunu Stealer is a recently discovered Python-based infostealing malware variant based on an older Akira Stealer strain. Its functionality includes exfiltration of various confidential information such as banking details, credit card data, credentials, autofill data stored in browsers, cookies, third-party app session data, Discord tokens, cryptocurrency wallets and more. Nunu can potentially be used by attackers to compromise various user accounts and leverage those for further intrusions. | ALERTS | VIRUS |
|
27.10.24 |
VeilShell: A new threat from North Korea's Vedalia APT group | According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. This activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper). | ALERTS | APT |
|
27.10.24 |
SmartLoader Delivering Lumma Stealer | SmartLoader has been traced back to July 2024, involving a private GitHub account called "user-attachments." It starts with a zip archive containing four files: compiler.exe, conf.txt, Launcher.bat, and lua51.dll. The user runs Launcher.bat, which executes compiler.exe with conf.txt, triggering SmartLoader and deploying Lumma Stealer. | ALERTS | VIRUS |
|
27.10.24 |
Key Group: Targeting Russian users with evolving ransomware | The Key Group is a financially motivated ransomware group that primarily targets Russian users and is known for negotiating with victims via Telegram. Like other groups that leverage leaked ransomware builders, Key Group predominantly utilizes the Chaos ransomware builder, among others, and operates a GitHub repository for its command and control (C2) infrastructure. | ALERTS | RANSOM |
|
27.10.24 |
BabyLockerKZ - MedusaLocker Ransomware variant | BabyLockerKZ ransomware is a variant of MedusaLocker which has been active since 2023. This variant uses many of the same TTPs as seen in previous MedusaLocker attacks (publicly available tools, custom tools, lolbins, chat and leak sites). | ALERTS | RANSOM |
|
27.10.24 |
Silver Oryx Blade - a new banking malware targeting Brazil | Silver Oryx Blade is a new banking trojan discovered by researchers from Scitum. The malware predominantly targets victims in Brazil and attempts to steal banking information from compromised machines. The infection chain is initiated via phishing emails leveraging financial or tax-related lures. | ALERTS | VIRUS |
|
27.10.24 |
Gorilla Botnet: A new global threat based on Mirai code | Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. This botnet is a modified version of the Mirai source code and is compatible with various CPU architectures, including ARM, MIPS, x86_64, and x86. It boasts advanced DDoS attack methods and employs multiple techniques for persistence. | ALERTS | BOTNET |
|
27.10.24 |
CeranaKeeper APT Campaign | A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group continuously updates its tools, such as backdoors, to evade detection and exploits cloud services like Dropbox and OneDrive for custom solutions. | ALERTS | APT |
|
27.10.24 |
Fake Update Campaign Delivering WarmCookie Malware | A new campaign in France is using compromised websites to distribute the WarmCookie backdoor through fake update prompts for popular applications like Google Chrome and Java. This tactic, employed by the threat group 'SocGholish', tricks users into downloading malicious software masquerading as legitimate updates for browsers and applications like Java and VMware. | ALERTS | CAMPAIGN |
|
27.10.24 |
Defi Ransomware | Defi is the newest malware variant from the Makop ransomware family. The malware encrypts user files and appends .defi1328 to them, along with the developers' email address and the victim's unique ID. The ransom note is dropped in the form of a text file called "README-WARNING.txt" in various locations on the disk. | ALERTS | RANSOM |
|
27.10.24 |
Stonefly threat group continues to launch extortion attacks against US targets | Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward. | ALERTS | GROUP |
|
27.10.24 |
K4Spreader and Hadooken Latest Attacks | Recent research identified an infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities (CVE-2017-10271 and CVE-2020-14883). The attacker used Python and Bash scripts to deploy K4Spreader malware, which delivered the Tsunami backdoor and a cryptominer. | ALERTS | VULNEREBILITY |
|
27.10.24 |
New Rast ransomware threat targets Chinese government entities | A new ransomware threat called Rast has been identified, specifically targeting Chinese government entities. The attack vector includes RDP brute-forcing and exploiting N-day vulnerabilities to gain access to border servers, followed by the manual deployment of ransomware components. | ALERTS | RANSOM |
|
27.10.24 |
Active malware campaign targeting Russian energy companies and Electronics suppliers | A new malware campaign targeting Russian energy companies and electronic component suppliers has been observed. The malware spreads through email attachments or Yandex Disk links, using RAR archives that contain LNK files to download and execute malicious HTA files. These files generate VBS scripts that ensure persistence via registry keys and scheduled tasks. | ALERTS | CAMPAIGN |
|
27.10.24 |
CVE-2024-43461 - Windows MSHTML Platform Spoofing vulnerability exploited in the wild | CVE-2024-43461 is a Windows MSHTML spoofing vulnerability recently disclosed as part of the September 2024 Patch Tuesday. Successful exploitation of this flaw might allow attackers to execute arbitrary code within the context of the application. This flaw has been reported as exploited in zero-day attacks in conjunction with another MSHTML vulnerability from July, CVE-2024-38112. | ALERTS | VULNEREBILITY |
|
27.10.24 |
North Korean hackers target Cryptocurrency users on LinkedIn with RustDoor malware | In early September, the FBI warned of North Korean threat actors targeting the crypto industry. A campaign has been reported where these actors attempt to lure potential victims on LinkedIn to deliver RustDoor malware. One user was approached by someone impersonating a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) technology firm, supported by professional-looking websites to enhance the legitimacy of the fake entities. | ALERTS | CRYPTOCURRENCY |
|
27.10.24 |
CVE-2024-6670 - Progress WhatsUp Gold SQL Injection vulnerability | CVE-2024-6670 is a recently disclosed SQL Injection vulnerability affecting Progress WhatsUp Gold, a well-known network monitoring software. Successful exploitation of this flaw could allow an unauthenticated attacker to retrieve the user's encrypted passwords. The vulnerability has also been added to CISA's "Known Exploited Vulnerabilities Catalog", following reports of active exploitation in conjunction with another WhatsUp Gold vulnerability, CVE-2024-6671. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Vulnerabilities in the Common UNIX Printing System (CUPS) | Symantec is aware of multiple vulnerabilities in the Common UNIX Printing System (CUPS) on UNIX-based systems, where an attacker could exploit certain configurations to gain unauthorized access and perform remote code execution (RCE), particularly by leveraging the cups-browsed service. | ALERTS | VULNEREBILITY |
|
27.10.24 |
Advanced Rhadamanthys Infostealer: AI-Driven threats to Cryptocurrency security | A new version of Rhadamanthys Infostealer with advanced features including the use of artificial intelligence (AI) for optical character recognition (OCR) has been reported. | ALERTS | VIRUS |
|
27.10.24 |
DCRat (aka Dark Crystal RAT) Trojan Malware | DCRat (aka Dark Crystal RAT) is a modular remote access Trojan available as malware-as-a-service since 2018. It can execute commands, log keystrokes, and exfiltrate data. Recently, it was delivered using HTML smuggling, which embeds and obfuscates the payload within HTML to evade security measures. | ALERTS | VIRUS |
28.9.24 |
Wallet Scam: A Case Study in Crypto Drainer Tactics | Check Point Research (CPR) uncovered a malicious app on Google Play designed to steal cryptocurrency, marking the first time a drainer has targeted mobile device users exclusively. The app used a set of evasion techniques to avoid detection and remained available for nearly five months before being removed. | HACKING | CRYPTOCURRENCY |
28.9.24 |
CVE-2024-8190 - Ivanti Cloud Service Appliance Command Injection vulnerability | CVE-2024-8190 is a high severity (CVSS score 7.2) OS Command Injection vulnerability affecting Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 or older. If successfully exploited, the flaw might allow a remote authenticated attacker to execute arbitrary code. | ALERTS | VULNEREBILITY |
28.9.24 |
Vidar malware spreads via PEC Mail and Telegram profiles | CERT-AGID has identified a new campaign distributing Vidar through PEC mailboxes. The attackers are still leveraging Steam community profiles, but a significant new tactic involves exploiting Telegram profiles. In particular, the bios of these profiles are being used to reveal the IP addresses of their command and control (C2) servers. | ALERTS | VIRUS |
28.9.24 |
Louse APT Group launches malware campaign targeting Chinese entities | The Louse APT group (also known as Patchwork and Dropping Elephant) has reportedly launched a malware campaign targeting Chinese entities. The attack vector involves a malicious LNK file, likely originating from a phishing email. This file executes a PowerShell script that downloads a decoy PDF and a malicious DLL, which is loaded using DLL sideloading techniques. | ALERTS | APT |
28.9.24 |
CVE-2024-46908 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
28.9.24 |
CVE-2024-46907 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
28.9.24 |
CVE-2024-46906 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
28.9.24 |
CVE-2024-46905 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
28.9.24 |
CVE-2024-46909 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
28.9.24 |
CVE-2024-8785 | Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative | VULNEREBILITY | CVE |
27.9.24 |
Embargo | Embargo Ransomware Group Strikes DME Delivers in Cyber Attack | GROUP | RANSOMWARE |
27.9.24 |
CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL | VULNEREBILITY | CVE |
27.9.24 |
CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system | VULNEREBILITY | CVE |
27.9.24 |
CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD | VULNEREBILITY | CVE |
27.9.24 |
CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter | VULNEREBILITY | CVE |
27.9.24 |
DragonForce | Inside the Dragon: DragonForce Ransomware Group | GROUP | RANSOMWARE |
27.9.24 |
DCRat | DCRat Targets Users with HTML Smuggling | MALWARE | RAT |
27.9.24 |
CVE-2024-0132 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. | VULNEREBILITY | CVE |
27.9.24 |
Hacking Kia | Hacking Kia: Remotely Controlling Cars With Just a License Plate | HACKING | CAR |
27.9.24 |
FPSpy | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy | MALWARE | BACKDOOR |
27.9.24 |
KLogEXE | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy | MALWARE | KEYLOGGER |
27.9.24 |
SilentSelfie | SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites | CAMPAIGN | CAMPAIGN |
27.9.24 |
Malspam campaign targeting transportation industry | Researchers have recently disclosed a malspam campaign targeting organizations in the transportation industry. The attack originates from compromised mail accounts and utilizes files with a .URL extension that are either attached to or linked within spam messages. If these URL files are opened, the victim's machine initiates an external SMB connection to download and run a remote malicious executable. | ALERTS | CAMPAIGN |
27.9.24 |
SloppyLemming: Phishing campaigns targeting South and East Asia organizations | Reports indicate that a threat actor known as SloppyLemming has been actively targeting organizations in South and East Asia, particularly in Pakistan and Bangladesh. This actor employs open-source adversary emulation frameworks such as Cobalt Strike and Havoc. | ALERTS | CAMPAIGN |
27.9.24 |
New DragonForce ransomware variant targets Global Industries with LockBit and Conti modifications | New variants of DragonForce ransomware, featuring modified versions of LockBit and Conti, have been observed targeting the manufacturing, real estate, and transportation industries worldwide. DragonForce operates a Ransomware-as-a-Service affiliate program, offering various attack management tools. The group employs the SystemBC backdoor for persistence, along with Mimikatz and Cobalt Strike for credential harvesting and lateral movement. | ALERTS | RANSOM |
27.9.24 |
Twelve attack group aims to destroy | Established in 2023 in response to the Russian-Ukrainian conflict, the attack group known as Twelve has been observed targeting Russian government organizations. The group's tactics include file encryption via ransomware, file/system deletion via wipers, and exfiltration of sensitive data among others. Based on the analysis provided in a recently published report, the goal of the group is focused on destruction rather than financial gain. | ALERTS | HACKING |
27.9.24 |
New KLogExe and FPSpy | New keylogger malware KLogExe and backdoor variant FPSpy have been used by the Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) threat group. This APT group is known for its sophisticated cyber-espionage operations and advanced spear-phishing attacks. Sparkling Pisces lures victims into downloading and executing malicious payloads, including new and undocumented malware. | ALERTS | VIRUS |
26.9.24 |
BlackJack | BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions. | GROUP | Hacktivist |
26.9.24 |
SloppyLemming | Unraveling SloppyLemming’s Operations Across South Asia | CAMPAIGN | Crypto |
26.9.24 |
Salt Typhoon | China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs | CAMPAIGN | ISP |
25.9.24 |
Taliban Stealer | Cyfirma researchers have discovered a website promoting a tool called 'Taliban Stealer'. Once executed, this stealer prompts the user to select what data to collect from the machine, such as passwords, cookies, or cryptocurrency wallets. | MALWARE | Stealer |
25.9.24 |
Rage Stealer | A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise | MALWARE | Stealer |
25.9.24 |
X-FILES Stealer | X-FILES Stealer: Advanced malware with sophisticated features and ongoing enhancements | MALWARE | Stealer |
25.9.24 |
QWERTY Stealer | QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. | MALWARE | Stealer |
25.9.24 |
Yet Another Silly Stealer (YASS) | There's Something About CryptBot: Yet Another Silly Stealer (YASS) | MALWARE | Stealer |
25.9.24 |
POWERSHELL KEYLOGGER | At CYFIRMA, we are dedicated to delivering timely insights into emerging threats and malicious tactics that pose risks to both organizations and individuals. This report offers an analysis of a newly identified keylogger that operates via a PowerShell script. | MALWARE | Keylogger |
25.9.24 |
Poseidon | Poseidon Stealer Uses Sora AI Lure to Infect macOS | MALWARE | Stealer |
25.9.24 |
Luxy | Luxy: A Stealer and a Ransomware in one | MALWARE | Stealer |
25.9.24 |
Gomorrah | Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware | MALWARE | Stealer |
25.9.24 |
Emansrepo | In August 2024, FortiGuard Labs observed a Python infostealer we call Emansrepo that is distributed via emails that include fake purchase orders and invoices. | MALWARE | Stealer |
25.9.24 |
BLX (aka XLABB) | BLX Stealer, also known as XLABB Stealer, is a malware variant initially discovered last year. New activity attributed to this infostealer has been observed in the wild. | MALWARE | Stealer |
25.9.24 |
RomCom RAT | Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware | MALWARE | RAT |
25.9.24 |
The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64 encoded PowerShell script contained within the HTML, a technique called "ClickFix." The scripts led to an MSI file used to load DanaBot. | HACKING | HTML |
25.9.24 |
Foxtrot Ransomware - a new MedusaLocker variant | Foxtrot is the latest ransomware variant from the MedusaLocker family. The malware encrypts user files and appends .foxtrot70 to them. The ransom note is dropped in the form of a .html file called "How_to_back_files.html". Foxtrot comes with functionality to delete the volume shadow copies and Windows Backup on infected machines. | ALERTS | RANSOM |
25.9.24 |
PDiddySploit Trojan Malware | A recent research study has revealed that the scandal surrounding Sean 'Diddy' Combs, also known as P. Diddy, has been exploited. Attackers often capitalize on public interest in high-profile scandals to spread malware, taking advantage of the topic to trick unsuspecting users into downloading malicious files. | ALERTS | VIRUS |
25.9.24 |
Turkey and Bulgaria Targeted in Remcos RAT Attacks | Symantec has recently observed two ongoing Remcos RAT campaigns from the same actor, targeting companies in Bulgaria and Turkey. In the Bulgarian campaign, they are using a classic invoice scheme (email subject: Плащане на фактура) to lure users, while in the Turkish campaign, they are using SWIFT transfer social engineering (email subject: Gelen Swift Mesaj). | ALERTS | VIRUS |
25.9.24 |
Nanocore RAT Spreads Through Fake XLS Invoice | Nanocore RAT was highly prevalent many years ago and its use has since drastically dwindled, but some groups and individuals continue to leverage this remote access trojan in their campaigns. One recent example is a fake-invoice malspam campaign in which the authors attached a malicious XLS (invoice.xls) that, when opened, fetches the Nanocore binary from a Discord server. | ALERTS | VIRUS |
25.9.24 |
SnipBot - a new variant of the RomCom malware | Researchers from Palo Alto reported on a new variant of the RomCom malware dubbed SnipBot. The malware allows the attackers to execute command-line commands on the infected endpoints as well as to download additional arbitrary modules. | ALERTS | VIRUS |
25.9.24 |
New Octo2 mobile malware variant observed in the wild | A new variant of the Octo Android malware dubbed Octo2 has been identified in the wild. The malware has been spread via malicious campaigns targeting mobile users in European countries. | ALERTS | VIRUS |
25.9.24 |
CVE-2024-0153 | Arm is aware of a number of security vulnerabilities in the Arm Mali GPU Kernel driver and their details are listed below. | VULNEREBILITY | CVE |
25.9.24 |
Splinter | Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool | MALWARE | Tool Exploit |
25.9.24 |
SpAIware | Spyware Injection Into Your ChatGPT's Long-Term Memory (SpAIware) | MALWARE | Spyware AI |
24.9.24 |
Polyfill.io Supply Chain Attack | Over 100,000 sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool used by hundreds of thousands of sites to enhance browser capabilities, ensuring that all website visitors can use the same codebase for otherwise unsupported functionality. | ATTACK | ATTACK |
24.9.24 |
Brain Cipher Ransomware Attack | A significant ransomware attack has struck Pusat Data Nasional (PDN), one of Indonesia’s government-owned national data centers. This incident involved threat actors encrypting government data, which disrupted digital services for immigration, airport checks, and several public services. | ATTACK | ATTACK |
24.9.24 |
SnakeKeylogger Attack | Threat actors are continuously preying on end users to unknowingly install a trojan stealer known as SnakeKeylogger or KrakenKeylogger. This trojan was developed using .NET and targets Windows users. | ATTACK | ATTACK |
24.9.24 |
SectopRAT malware masqueraded as Notion installer in a recent distribution campaign | A new campaign spreading SectopRAT malware has been identified in the wild. The campaign disguises the malware binaries as installer files for known productivity software called Notion. The fake installers are distributed from malicious websites also masquerading as Notion software download portals. | ALERTS | VIRUS |
24.9.24 |
Android Malware: Necro Trojan | The latest version of the Necro Trojan has infected various popular applications, including game mods available on Google Play, affecting over 11 million Android devices. This version employs obfuscation to evade detection and uses steganography to conceal its payloads. | ALERTS | VIRUS |
24.9.24 |
Earth Baxia: Targeting Asia-Pacific region by exploiting GeoServer vulnerability | According to a recent report from Trend Micro, the threat actor known as Earth Baxia has been targeting government, telecommunications, and energy organizations in the Asia-Pacific region through spear-phishing emails and the exploitation of the GeoServer vulnerability CVE-2024-36401. | ALERTS | CAMPAIGN |
24.9.24 |
SambaSpy malware targeting Italian users | SambaSpy RAT has been distributed in a new malicious campaign targeting users from Italy. The campaign has several stages within its infection chain and leverages either malware downloaders or droppers depending on the observed run. | ALERTS | VIRUS |
24.9.24 |
Go Injector Campaign Deploys Lumma Stealer | Researchers have identified a campaign using Go Injector to deploy Lumma Stealer, a malware designed to steal sensitive information. The attack begins when users visit a harmful website displaying a fake captcha, which tricks them into copying and running a command. This command downloads a zip file containing legitimate-looking files and the Go Injector. The injector then installs Lumma Stealer, which decrypts stolen data and sends it to the attackers. | ALERTS | VIRUS |
24.9.24 |
Octo2 | Octo2: European Banks Already Under Attack by New Malware Variant | MALWARE | Android |
24.9.24 |
Necro | How the Necro Trojan infiltrated Google Play, again | MALWARE | TROJAN |
23.9.24 |
PondRAT | Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors | MALWARE | RAT |
23.9.24 |
Earth Baxia | Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC | CAMPAIGN | PHISHING |
22.9.24 |
CVE-2024-45694 | (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device. | VULNEREBILITY | CVE |
22.9.24 |
CVE-2024-45695 | (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code. | VULNEREBILITY | CVE |
22.9.24 |
CVE-2024-45696 | (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network. | VULNEREBILITY | CVE |
22.9.24 |
CVE-2024-45697 | (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials. | VULNEREBILITY | CVE |
22.9.24 |
CVE-2024-45698 | (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials. | VULNEREBILITY | CVE |
22.9.24 |
A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server | A stack-based overflow vulnerability exists in the tinydhcp server in the Microchip Advanced Software Framework (ASF) that can lead to remote code execution. | ALERT | ALERT |
22.9.24 |
CVE-2024-8105 | A vulnerability related to the use of an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised. | VULNEREBILITY | CVE |
22.9.24 |
CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | VULNEREBILITY | CVE |
22.9.24 |
Marko Polo | “Marko Polo” Navigates Uncharted Waters With Infostealer Empire | GROUP | GROUP |
21.9.24 |
TWELVE | -=TWELVE=- is back | GROUP | GROUP |
20.9.24 |
2024-09-17 - Snake KeyLogger (VIP Recovery), FTP exfil | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
20.9.24 |
2024-09-16 - Snake KeyLogger (VIP Recovery), SMTP exfil | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
20.9.24 |
North Korean APT group Appleworm delivers PondRAT via poisoned Python packages | An ongoing campaign involving poisoned Python packages delivering backdoors for Linux and macOS, dubbed PondRAT, has been reported. This campaign is believed to be driven by the North Korean APT group Appleworm (also known as AppleJeus, Citrine Sleet, Gleaming Pisces). | ALERTS | APT |
20.9.24 |
New campaign targets GitHub users with Lumma Stealer malware via phishing emails | CERT-AGID has reported a new campaign delivering Lumma Stealer malware. As part of this campaign, GitHub users are receiving alarming emails titled “IMPORTANT! Security Vulnerability Detected in Your Repository (Issue #1),” claiming to be from the “GitHub Security Team.” These emails warn recipients of a fabricated security vulnerability and encourage them to click on a suspicious link. | ALERTS | CAMPAIGN |
20.9.24 |
UNC1860 | UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks | APT | APT |
20.9.24 |
Cracks in the Foundation | Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software | HACKING | Vulnerebility |
20.9.24 |
CVE-2024-8963 | Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963) | VULNEREBILITY | CVE |
19.9.24 |
Vanilla Tempest | Highway Blobbery: Data Theft using Azure Storage Explorer | CAMPAIGN | Ransomware |
19.9.24 |
Storm clouds | Storm clouds on the horizon: Resurgence of TeamTNT? | CAMPAIGN | CAMPAIGN |
19.9.24 |
CVE-2024-45409 | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. | VULNEREBILITY | CVE |
19.9.24 |
Raptor Train | Derailing the Raptor Train | BOTNET | BOTNET |
19.9.24 |
SambaSpy | Exotic SambaSpy is now dancing with Italian users | MALWARE | RAT |
18.9.24 |
New variant of the Gomorrah Stealer identified in the wild | A new variant of the infostealing malware known as Gomorrah Stealer has been identified in the wild. Gomorrah is being offered for sale under a Malware-as-a-Service (MaaS) model. The malware is also actively developed by its creators, who have already announced that version 5.5 of this infostealer is to be released soon. | ALERTS | VIRUS |
18.9.24 |
MISTPEN | An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader | MALWARE | Backdoor |
18.9.24 |
CVE-2024-38812 | VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) | VULNEREBILITY | CVE |
17.9.24 |
Fireant (APT31) unveils new tools in recent campaign against Asia-Pacific government entities | The China-linked threat actor known as Fireant (also referred to as Mustang Panda or APT31) has recently been observed using new tools, including PUBLOAD, FDMTP, and PTSOCKET, in espionage attacks targeting government entities in the Asia-Pacific region. | APT | |
17.9.24 |
Ajina mobile banking trojan | Ajina is a recently identified mobile banking trojan variant heavily targeting the Central Asia region. The malware focuses on theft of confidential user data including banking details as well as attempts to intercept the 2FA information. | VIRUS | |
17.9.24 |
Stealthy malware targets US-Taiwan Defense Industry conference attendees | A malware campaign targeting entities linked to the upcoming US-Taiwan Defense Industry Conference has been reported. Victims are lured with documents containing a ZIP archive and an LNK file disguised as a legitimate PDF registration form. | VIRUS | |
17.9.24 |
CloudImposer | CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package | VULNEREBILITY | CVE |
17.9.24 |
Phishing Pages Delivered Through Refresh HTTP Response Header | Phishing Pages Delivered Through Refresh HTTP Response Header | HACKING | PHISHING |
17.9.24 |
RustDoor | North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware | MALWARE | CRYPTOCURRENCY |
17.9.24 |
Protect Your Crypto | Protect Your Crypto: Understanding the Ongoing Global Malware Attacks and What We Are Doing to Stop Them | CRYPTOCURRENCY | CRYPTOCURRENCY |
17.9.24 |
CVE-2024-28991 | SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2024-28991) | VULNEREBILITY | CVE |
15.9.24 |
2024-09-12 - Approximately 11 days of server scans and probes | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
15.9.24 |
2024-09-11 - Data Dump: Remcos RAT and XLoader (Formbook) | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
14.9.24 |
About the security content of visionOS 1.3 | This document describes the security content of visionOS 1.3. | VULNEREBILITY | CVE |
14.9.24 |
TrickMo | A new TrickMo saga: from Banking Trojan to Victim's Data Leak | MALWARE | Banking |
14.9.24 |
CVE-2024-6671 | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. | VULNEREBILITY | CVE |
14.9.24 |
CVE-2024-6670 | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. | VULNEREBILITY | CVE |
14.9.24 |
Hadooken | Hadooken Malware Targets Weblogic Applications | MALWARE | Linux |
13.9.24 |
Mekotio and Mispadu malware distributed during Gecko Assault campaign | A new malicious campaign dubbed Gecko Assault has been reported by the researchers from SCILabs. The threat actors have been distributing two different payloads belonging to the URSA/Mispadu and the Mekotio malware families. | VIRUS | |
13.9.24 |
AutoIt-based credential flusher leveraged alongside StealC infostealer | A new campaign delivering the StealC infostealer malware has been observed in the wild. The initial stages of the attack use Amadey malware to load the infostealer onto the targeted endpoints. In conjunction with the delivered StealC payload, the attackers are leveraging an AutoIt-based credential flusher malware. | VIRUS | |
13.9.24 |
Hadooken - Linux malware targeting Weblogic servers | Hadooken is a new Linux malware variant targeting Oracle Weblogic servers. In the initial attack stages the threat actors exploit known vulnerabilities, server misconfigurations or use weak or otherwise compromised credentials to get access to the targeted environments. Upon execution on the vulnerable server instances Hadooken drops two distinct payloads - Tsunami malware and another binary used for mining cryptocurrency. | VIRUS | |
13.9.24 |
ShrinkLocker Ransomware: Leveraging BitLocker for encryption and system disruption | ShrinkLocker is a recently discovered ransomware that exploits BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. Unlike traditional ransomware, ShrinkLocker uses BitLocker's secure boot partition to make decryption extremely difficult. | RANSOM | |
13.9.24 |
New Phishing Campaign Exploiting CapCut | CapCut, a popular video editor, is being exploited in phishing attacks. The latest campaign involves a malicious package that includes a legitimate CapCut app, JamPlus build utility, and a harmful ".lua" script. Running the app triggers JamPlus to execute the script, which then downloads and runs a final payload from a remote server. | PHISHING | |
13.9.24 |
Veaty and Spearal: Emerging malware in recent campaign against Iraqi Government | A new malware family, Veaty and Spearal, has been reported by Check Point, a CTA member, as being used in a campaign targeting Iraqi government infrastructure. The malware employs several techniques, including a passive IIS backdoor, DNS tunneling, and command-and-control (C2) communication through compromised email accounts. | VIRUS | |
13.9.24 |
Ajina.Banker | Ajina attacks Central Asia: Story of an Uzbek Android Pandemic | MALWARE | Banking |
13.9.24 |
Void | Void captures over a million Android TV boxes | MALWARE | TV |
13.9.24 |
Proxyjacking | From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking | CAMPAIGN | CRYPTOCURRENCY |
13.9.24 |
Spearal | Targeted Iranian Attacks Against Iraqi Government Infrastructure | MALWARE | IIS Backdoor |
13.9.24 |
Veaty | Targeted Iranian Attacks Against Iraqi Government Infrastructure | MALWARE | IIS Backdoor |
13.9.24 |
OilRig | Targeted Iranian Attacks Against Iraqi Government Infrastructure | APT | APT |
13.9.24 |
Quad7 | A glimpse into the Quad7 operators’ next moves and associated botnets | BOTNET | BOTNET |
13.9.24 |
DragonRank | DragonRank, a Chinese-speaking SEO manipulator service provider | GROUP | GROUP |
13.9.24 |
Yet Another Silly Stealer (YASS) Infostealer | A new infostealer, being referred to as 'Yet Another Silly Stealer' (YASS), has been observed. While it shares some features with CryptBot, YASS also has distinct characteristics. The research compares YASS to CryptBot, emphasizing YASS's unique code and its delivery via a multi-stage downloader called MustardSandwich. This downloader, executed through a Windows LNK file, involves two JScript stages and two PowerShell stages, with the first PowerShell script run via an ActiveXObject. | VIRUS | |
13.9.24 |
BLX (aka XLABB) Stealer activity | BLX Stealer, also known as XLABB Stealer, is a malware variant initially discovered last year. New activity attributed to this infostealer has been observed in the wild. BLX is an open-source malware actively distributed via Telegram and other platforms. Functionality-wise, the malware is capable of stealing confidential data from compromised endpoints. The exfiltration efforts focus on data such as credentials, information stored in browsers, third-party application accounts, Discord tokens, cryptocurrency wallets and others. | VIRUS | |
13.9.24 |
SEO manipulation leveraged for PlugX and BadIIS malware delivery | A new malicious campaign attributed to the DragonRank threat group has been discovered by researchers from Cisco Talos. The attackers have been reported to leverage search engine optimization (SEO) manipulation techniques to deploy malicious webshells, collect information off the infected systems as well as to deliver PlugX and BadIIS malware payloads. | VIRUS | |
13.9.24 |
Ransomware activity surge observed in second quarter of 2024 | Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. Analysis of data from ransomware leak sites found that ransomware actors claimed 1,310 attacks in the second quarter of 2024, a 36% increase on the first quarter of this year. This was the second highest number of attacks claimed in a quarter by ransomware operators, short of the record 1,488 attacks claimed in the third quarter of 2023. | RANSOM | |
13.9.24 |
Linux SSH servers targeted by new SuperShell malware variant | A SuperShell malware variant has been observed in a recent campaign targeting vulnerable or otherwise misconfigured Linux SSH servers. The malware is Go-based and functions as a reverse shell, effectively giving the attackers remote control and remote code execution on the infected machine. The servers compromised using SuperShell malware are likely to be used later by the attackers for cryptomining or DDoS attacks. | VIRUS | |
13.9.24 |
ScRansom Ransomware | Researchers have found that the CosmicBeetle group is now using a new ransomware dubbed ScRansom, replacing their old Scarab ransomware. They are targeting small and medium businesses worldwide and are copying LockBit's style in their ransom notes and websites. CosmicBeetle is suspected to be affiliated with RansomHub, a recently active ransomware gang that has been increasing its operations since March 2024. | ||
13.9.24 |
VSCode abused by Chinese APT group | Stately Taurus, a Chinese APT group that carries out cyber-espionage attacks, has abused Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. This threat actor used VSCode's embedded reverse shell feature to gain a foothold in target networks to execute arbitrary code and deliver additional payloads. They leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. | APT | |
13.9.24 |
New variant of Cicada3301 ransomware found in the wild | According to a recent report from Palo Alto, Repellent Scorpius is a new ransomware-as-a-service (RaaS) group responsible for the delivery of a ransomware variant dubbed Cicada3301. The threat actors have been observed to leverage a variety of Living-Off-the-Land (LOTL) tools in their attacks, among them PsExec for ransomware execution and the Rclone tool for data exfiltration. | RANSOM | |
13.9.24 |
Mekotio and BBTok malware remain active among the banking trojans targeting LATAM | Mekotio and BBTok malware variants remain active among the banking trojan families distributed lately across the Latin America region. The malware is usually spread via phishing campaigns utilizing business- or judicial-themed lures. The spam emails leverage either links leading to malicious archive downloads or malicious attachments directly within the spam emails. While Mekotio is an older malware variant, BBTok was initially discovered only in 2020. Both variants target similar geographical locations and attempt to exfiltrate credentials and sensitive information in order to carry out unauthorized banking operations. | VIRUS | |
13.9.24 |
Threat actors spoof An Post Ireland services to steal credentials | Symantec has identified a new wave of phishing attacks that impersonate An Post Ireland services to steal credentials. An Post Ireland is a state-owned postal service provider in Ireland. In this campaign, phishing emails are disguised as parcel notifications to reschedule deliveries or check parcel details. The email content is brief, encouraging recipients to click on a phishing URL. Once clicked, victims encounter webpages designed for credential harvesting. | CRIME | |
13.9.24 |
SpyAgent: Mobile malware stealing cryptocurrency wallets through image scanning | A new mobile malware called SpyAgent has been identified targeting mnemonic keys by scanning for images on your device that might contain them. A mnemonic key is a 12-word phrase used to recover cryptocurrency wallets. These secret phrases are highly valuable to threat actors because gaining access to them enables them to restore your wallet on their own devices and steal all the funds stored within. | VIRUS | |
13.9.24 |
Emerging Loki Backdoor variant employs Mythic Framework and Havoc Techniques | A new version of the Loki backdoor has been discovered targeting Russian organizations. This variant is compatible with the Mythic framework and utilizes various techniques from the Havoc framework, which complicates analysis. The updated variant is divided into a loader and a DLL. The loader gathers system information from the compromised machine, uploads it to the attacker’s C2 server, and retrieves the DLL in response. The DLL is then loaded into memory to download additional payloads and carry out further attacks. | VIRUS | |
11.9.24 |
Latrodectus campaign impersonates Antivirus software to deploy remote payloads | A campaign deploying Latrodectus malware, disguised as a legitimate antivirus vendor, has been reported. The initial attack vector involves phishing and malicious ads. Latrodectus functions as a backdoor, allowing the execution of remote commands and the deployment of malicious payloads such as Brute Ratel C4. It employs common techniques for persistence, including the use of the Windows Component Object Model (COM) and employs TLS certificates for communication with its command-and-control (C2) server. | CAMPAIGN | |
11.9.24 |
CVE-2024-45195: Remote Code Execution (RCE) vulnerability in Apache OFBiz | CVE-2024-45195 is a high-severity (CVSS: 7.5) Remote Code Execution (RCE) vulnerability in Apache OFBiz, a comprehensive suite of business applications. An attacker could likely exploit this vulnerability by framing a specially designed URL that bypasses authentication protocols. If successfully exploited, this vulnerability will allow remote attackers to execute malicious code on the server, potentially leading to complete system compromise. | VULNEREBILITY | |
11.9.24 |
Ongoing exploitation of CVE-2024-36401 in OSGeo GeoServer GeoTools | Multiple campaigns are exploiting a recently disclosed security flaw in OSGeo GeoServer GeoTools. The vulnerability, identified as CVE-2024-36401 (with a CVSS score of 9.8), is a critical remote code execution bug that allows malicious actors to take control of affected instances. This flaw has been leveraged to deploy GOREVERSE, a reverse proxy server designed to connect with a command-and-control (C2) server for post-exploitation activities. | VULNEREBILITY | |
11.9.24 |
TIDRONE activities in Taiwan | In recent news, the TIDRONE group has been targeting Taiwan's military and satellite industries, focusing on drone manufacturers. Using malicious tools like CXCLNT and CLNTEND, the group enables data theft, credential dumping, and user control bypass. According to reports, their Tactics, Techniques, and Procedures (TTPs) include supply chain attacks via ERP software, pointing towards espionage motives. | GROUP | |
11.9.24 |
Babylon open-source RAT targets Malaysia | Babylon RAT is an open-source malware variant recently distributed to users in Malaysia. The attack chain involves usage of crafted .iso files mimicking PDF documents. The delivered ISO archive contains a hidden PowerShell script, a decoy PDF document and a malicious executable leading to infection with the Babylon RAT. | VIRUS | |
11.9.24 |
ToneShell Backdoor Targets IISS Summit | A cyber espionage campaign involving the ToneShell backdoor, attributed to Mustang Panda, has been reported targeting attendees of the 2024 IISS Defense Summit in Prague. The attack leverages a malicious PIF file disguised as summit documents to gain access to sensitive defense discussions. The malware achieves persistence via registry run keys and scheduled tasks and communicates with a C2 server in Hong Kong using raw TCP that mimics TLS. | VIRUS | |
11.9.24 |
BlindEagle strikes Colombia's Insurance sector with Quasar RAT variant | BlindEagle, an advanced persistent threat actor, has been observed targeting Colombia’s insurance sector with the BlotchyQuasar Remote Access Trojan (RAT). The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google Drive accounts. | VIRUS | |
11.9.24 |
Crimson Palace | Crimson Palace returns: New Tools, Tactics, and Targets | CAMPAIGN | APT |
11.9.24 |
Earth Preta | Earth Preta Evolves its Attacks with New Malware and Strategies | CAMPAIGN | APT |
11.9.24 |
CVE-2024-38014 | (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
11.9.24 |
CVE-2024-38217 | (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability | VULNEREBILITY | CVE |
11.9.24 |
CVE-2024-38226 | (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability | VULNEREBILITY | CVE |
11.9.24 |
CVE-2024-43491 | (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability | VULNEREBILITY | CVE |
11.9.24 |
CVE-2024-29847 | (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. | VULNEREBILITY | CVE |
11.9.24 |
CosmicBeetle | CosmicBeetle steps up: Probation period at RansomHub | GROUP | RANSOMWARE |
11.9.24 |
PIXHELL | PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via ‘Singing Pixels’ | ATTACK | ATTACK |
11.9.24 |
RAMBO | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM | ATTACK | ATTACK |
9.9.24 |
BlindEagle | BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar | APT | APT |
9.9.24 |
Mustang Panda | Chinese APT Abuses VSCode to Target Government in Asia | APT | APT |
9.9.24 |
WhisperGate | WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022. | MALWARE | Wiper |
9.9.24 |
RAMBO | RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM | ATTACK | ATTACK |
9.9.24 |
EUCLEAK | Side-Channel Attack on the YubiKey 5 Series | ATTACK | ATTACK |
9.9.24 |
CVE-2024-32896 | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | VULNEREBILITY | CVE |
9.9.24 |
CVE-2024-42057 | A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through | VULNEREBILITY | CVE |
9.9.24 |
CVE-2024-7261 | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) | VULNEREBILITY | CVE |
9.9.24 |
CVE-2024-7591 | Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above | VULNEREBILITY | CVE |
9.9.24 |
Android SpyAgent | New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition | MALWARE | Android |
9.9.24 |
Loki | Loki: a new private agent for the popular Mythic framework | MALWARE | Backdoor |
9.9.24 |
Unit 29155 | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure | GROUP | Military group |
9.9.24 |
TIDRONE | TIDRONE Targets Military and Satellite Industries in Taiwan | MALWARE | Military Malware |
8.9.24 |
CVE-2024-41622 | Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 "critical") | VULNEREBILITY | CVE |
8.9.24 |
CVE-2024-44340 | RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (authenticated access requirement reduces the CVSS v3 score to 8.8 "high"). | VULNEREBILITY | CVE |
8.9.24 |
CVE-2024-44341 | RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 "critical") | VULNEREBILITY | CVE |
8.9.24 |
CVE-2024-44342 | RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 "critical") | VULNEREBILITY | CVE |
8.9.24 |
Cicada3301 | Dissecting the Cicada | RANSOMWARE | RANSOMWARE |
8.9.24 |
COVERTCATCH | North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams | MALWARE | Python |
8.9.24 |
CVE-2024-40766 | SonicOS Improper Access Control Vulnerability | VULNEREBILITY | CVE |
8.9.24 |
CVE-2024-36401 | Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | EXPLOIT | EXPLOIT |
7.9.24 |
CVE-2024-44000 | Critical Account Takeover Vulnerability Patched in LiteSpeed Cache Plugin | VULNEREBILITY | CVE |
7.9.24 |
CVE-2024-45195 | Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | VULNEREBILITY | CVE |
7.9.24 |
Tropic Trooper | Tropic Trooper spies on government entities in the Middle East | APT | |
7.9.24 |
Veeam Security Bulletin (September 2024) | All vulnerabilities disclosed in this section were discovered during internal testing (unless otherwise indicated) and affect Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds. | VULNEREBILITY | CVE |
6.9.24 |
Tropic Trooper unleashes new China Chopper variant and Crowdoor loader | Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. The attackers focused on systems related to human rights studies, using a new China Chopper variant deployed on a compromised Umbraco CMS server. The group employed DLL hijacking to load malicious payloads, including Crowdoor, a loader linked to the SparrowDoor backdoor. | APT | |
6.9.24 |
Spammers abusing uncommon TLDs | Symantec has recently observed a new phishing campaign being delivered from recently created domains, designed to steal credentials and/or banking information. In this campaign we have observed over 200 newly registered domains, most of which are registered with uncommon TLDs such as '.best', '.rest' or '.shop'. The subjects and message content attempt to lure recipients in with promises of dubious health products. | SPAM | |
6.9.24 |
Formbook Targets Global Sectors with Fake RFQ from Chemical-Oil Joint Venture | Symantec has recently observed a Formbook actor impersonating a major joint venture between a global chemical company based in Germany and a national oil and gas company from Malaysia. In this malicious email campaign, they're targeting companies across multiple countries and various industry sectors, including: | VIRUS | |
6.9.24 |
Acab Infostealer | Acab is a Python-based infostealing malware variant recently observed in the wild. The malware shows some code similarities to another variant known as 1312 Stealer. Acab has the functionality to extract various confidential information from infected endpoints including credentials, banking information, crypto-wallet data, application data/tokens, various information stored in web browsers and others. | VIRUS | |
6.9.24 |
CVE-2024-5932 - GiveWP WordPress Plugin vulnerability | CVE-2024-5932 is a recently disclosed vulnerability affecting the GiveWP plugin, a Donation and Fundraising Platform plugin for WordPress. The flaw allows for malicious injection within vulnerable versions of the plugin, up to 3.14.1. Successful exploitation of this flaw might allow unauthenticated attackers to inject an arbitrary PHP Object, which can further lead to arbitrary code execution within the context of the vulnerable application. A patched version 3.14.2 of the plugin has already been released. | VULNEREBILITY | |
6.9.24 |
MacroPack generated payloads distributed in latest campaigns | A payload generation framework called MacroPack has been leveraged to create miscellaneous payloads in a series of malicious activities recently observed by the researchers from Cisco Talos. The attackers have been using Word, Excel or PowerPoint lures that once opened run malicious MacroPack VBA code that ultimately leads to the final payload delivery and execution. Among the distributed payloads were Brute Ratel and Havoc post-exploitation tools as well as a new variant of the PhantomCore RAT. | CAMPAIGN | |
6.9.24 |
KTLVdoor backdoor leveraged by the Funnelweb APT | A new Golang-based backdoor dubbed KTLVdoor has been discovered by researchers from Trend Micro. The malware has been attributed to the Funnelweb APT (also known as Earth Lusca). KTLVdoor is a highly obfuscated malware that comes in variants supporting both Windows and Linux platforms. Functionality-wise the malware is capable of running commands and shellcode received from the C2 servers, various file and directory operations on the infected machine including file download/upload, among others. | VIRUS | |
6.9.24 |
SLOW#TEMPEST campaign targets Chinese entities | A recently identified malware campaign named SLOW#TEMPEST was uncovered targeting Chinese entities. The attack chain starts by way of malspam attachments in the form of zip files which are bundled with a shortcut lnk file in addition to dll/exe files. Successful execution of the available content leads to the establishment of a foothold in the targeted environment. Through this position, the attackers can execute further TTPs to accomplish their goals (such as credential harvesting, lateral movement, persistence and privilege escalation). | CAMPAIGN | |
6.9.24 |
Latrodectus 1.4: New version unveiled with advanced capabilities | A newer version of the Latrodectus downloader has been observed, featuring enhancements like a new string deobfuscation method, a revised C2 endpoint, and two additional backdoor commands. The infection chain begins with a heavily obfuscated JavaScript file, which uses numerous comments to inflate file size and complexity, complicating analysis. The malware then extracts and executes hidden code, subsequently downloading and installing an MSI file from a remote server. This MSI file loads an obfuscated DLL to perform its malicious tasks. | VIRUS | |
5.9.24 |
Emansrepo infostealer | Researchers from Fortinet reported on a new Python-based infostealer variant dubbed Emansrepo. This malware has been distributed via phishing campaigns that disguise the malicious emails as purchase invoices or orders. The initial attack chain stage varies depending on the campaign and may leverage different attachments such as .html or .7z. The dropped Emansrepo payload has the functionality to collect miscellaneous confidential data from the compromised endpoints, including credentials, banking information, crypto-wallets, browser and download history and autofill data, as well as to exfiltrate text/document files from various on-disk locations. | VIRUS | |
5.9.24 |
Zharkbot malware | Zharkbot is a C++-based malware loader variant being dropped by the Amadey trojan in some recently observed campaigns. Zharkbot employs various anti-analysis, anti-VM and sandbox detection/evasion techniques. Once on the compromised machine, the malware will attempt to set up persistence by copying itself to the temp folder and setting up a scheduled task execution. Zharkbot has the functionality to download and execute arbitrary payloads on the infected endpoints. | VIRUS | |
5.9.24 |
CVE-2024-24809 & CVE-2024-31214 vulnerabilities affecting Traccar 5 | CVE-2024-24809 and CVE-2024-31214 are recently disclosed vulnerabilities affecting Traccar 5, which is an open-source GPS tracking system. The vulnerabilities are rated CVSS score 8.5 and CVSS score 9.7 respectively. Successful exploitation in the affected product versions 5.1 through 5.12 could provide unauthenticated attackers with path traversal and unrestricted upload of arbitrary files. This exploitation could potentially lead to further compromise such as remote code execution on the affected instances. The product vendor has already released a patch addressing the vulnerabilities in product version 6.0. | VULNEREBILITY | |
5.9.24 |
CVE-2024-22319 - JNDI Injection Vulnerability in IBM Operational Decision Manager | CVE-2024-22319 is a critical (CVSS: 9.8) JNDI injection vulnerability in IBM Operational Decision Manager. IBM ODM is a comprehensive decision automation solution that helps organizations automate and optimize their decision-making processes. Attackers can exploit this flaw by injecting malicious code into an unchecked argument passed to a specific API through JNDI (Java Naming and Directory Interface). | VULNEREBILITY | |
5.9.24 |
Stone Wolf campaign targets Russian firms with Meduza Stealer malware | A malicious campaign by the Stone Wolf threat actor targeting Russian firms has been reported. The attackers use phishing emails impersonating a legitimate industrial automation provider to deliver the Meduza Stealer malware. The attack vector involves an archive containing a legitimate document alongside a malicious link to download and execute the Stealer payload. This malware collects and exfiltrates credentials, system information, and application data from compromised systems. | CAMPAIGN | |
5.9.24 |
WailingCrab: A WikiLoader variant exploiting VPN Spoofs | A recent report from Palo Alto reveals that WailingCrab, a variant of WikiLoader, is being distributed through SEO poisoning and spoofed GlobalProtect VPN software. This campaign primarily targets the U.S. higher education and transportation sectors. The attack vector involves multiple stages like DLL sideloading, shellcode injection, and using MQTT for command and control. Attackers employ various evasion techniques such as fake error messages, process checks, and encryption. The loader's advanced tactics also leverage compromised WordPress sites and cloud-based Git repositories for infrastructure. | VIRUS | |
5.9.24 |
Luxy Infostealer | Luxy is a recently discovered malware variant with both infostealing and ransomware capabilities. Luxy collects various confidential information from the compromised machines including credentials, browser data, cookies, cryptocurrency wallets, etc. The ransomware module is used to encrypt files on the infected endpoint using the AES-256 algorithm. The ransom note dropped after encryption completes instructs the victims to pay a ransom and to contact the attackers via Discord. | VIRUS | |
5.9.24 |
Cybercriminals Target Malaysia’s Digital Lifestyle with SpyNote | Around the world, e-commerce (shopping), service-oriented (food delivery, ride-hailing, and on-demand services), digital payment and deal aggregator Android applications are highly popular. They have become integral to the digital lifestyle, meeting the growing demand for convenient, cost-effective services across various markets. These apps cater to consumers' needs for efficiency, accessibility, and savings, making them essential tools in everyday life. | VIRUS | |
5.9.24 |
CVE-2024-7593 - Ivanti Virtual Traffic Manager (vTM) Authentication Bypass vulnerability | CVE-2024-7593 is a critical (CVSS score 9.8) XML authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM). Successful exploitation of this flaw could allow attackers to bypass authentication and create new administrative users. Such a compromise could potentially lead to arbitrary code execution within the context of the vulnerable application. The vendor has already released a patch addressing this vulnerability in the updated software versions. | VULNEREBILITY | |
5.9.24 |
RAZR Ransomware | RAZR is a recently identified ransomware variant that abuses the web hosting service PythonAnywhere for hosting the malicious binaries. The malware uses the AES-256 algorithm for encryption and appends the .raz extension to the filenames. The ransom note is dropped as a text file, README.txt, in which the attackers also threaten that the confidential files have not only been encrypted but also exfiltrated. | RANSOM | |
5.9.24 | Macropack | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads | HACKING | Malware |
5.9.24 | KTLVdoor | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | MALWARE | Backdoor |
5.9.24 | CVE-2024-20439 | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system | VULNEREBILITY | CVE |
5.9.24 | CVE-2024-20440 | (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API | VULNEREBILITY | CVE |
5.9.24 | APT Lazarus | APT Lazarus: Eager Crypto Beavers, Video calls and Games | APT | APT |
5.9.24 | RansomHub Ransomware | #StopRansomware: RansomHub Ransomware | RANSOMWARE | RANSOMWARE |
5.9.24 | CVE-2024-7261 | The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. | VULNEREBILITY | CVE |
5.9.24 | Revival Hijack | Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk | HACKING | HACKING |
5.9.24 | CVE-2024-32896 | There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | VULNEREBILITY | CVE |
5.9.24 | WikiLoader | Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant | MALWARE | Loader |
5.9.24 | Head Mare | Head Mare: adventures of a unicorn in Russia and Belarus | GROUP | GROUP |
5.9.24 | Cicada3301 | Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis | RANSOMWARE | RANSOMWARE |
5.9.24 | Rocinante | Rocinante: The trojan horse that wanted to fly | MALWARE | Trojan |
31.8.24 | AA24-242A #StopRansomware: RansomHub Ransomware | #StopRansomware: RansomHub Ransomware | REPORT | Ransomware |
31.8.24 | Insecure Platform Key (PK) used in UEFI system firmware signature | A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered. | ALERT | ALERT |
31.8.24 | NoteMark < 0.13.0 - Stored XSS | Multiple | WebApps | |
31.8.24 | Gitea 1.22.0 - Stored XSS | Multiple | WebApps | |
31.8.24 | Invesalius3 - Remote Code Execution | Python | WebApps | |
31.8.24 | Windows TCP/IP - RCE Checker and Denial of Service | Windows | DoS | |
31.8.24 |
2024-08-30 - Approximately 11 days of server scans and probes | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
31.8.24 |
2024-08-29 - Phishing email and traffic to fake webmail login page | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
31.8.24 |
2024-08-26 - GuLoader for Remcos RAT | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
31.8.24 |
2024-08-12 - XLoader/Formbook infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
31.8.24 |
Corona Mirai variant distributed via vulnerability exploitation | Mirai malware variant dubbed Corona has been recently distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities including CVE-2017-17215 in Huawei Routers and CVE-2014-8361 affecting Realtek. | BOTNET | |
31.8.24 |
LummaC2 Stealer variant spread via PowerShell execution | LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealing malware often sold under the Malware-as-a-Service (MaaS) model. This malware's primary functionality is to steal confidential data from the infected endpoints and exfiltrate it to the C2 servers controlled by the attackers. | VIRUS | |
31.8.24 |
Middle East targeted by malware using fake Palo Alto VPN | A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. It can execute PowerShell commands, manage processes, and encrypt data. | VIRUS | |
31.8.24 |
X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details. | VIRUS | ||
31.8.24 |
CVE-2024-38653 - XXE vulnerability in Ivanti Avalanche | CVE-2024-38653 is a high severity (CVSS score 7.5) XML External Entity (XXE) vulnerability affecting SmartDeviceServer in Ivanti Avalanche, which is an enterprise endpoint management solution allowing for centralized device management within an organization. | VULNEREBILITY | |
31.8.24 |
Iranian threat actor Elfin deploys 'Tickler' backdoor | Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE). | VIRUS | |
31.8.24 |
Phishing campaign targets Japan Labor Union Workers | A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers. | PHISHING | |
30.8.24 |
Voldemort | The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | CAMPAIGN | CAMPAIGN |
30.8.24 |
GreenCharlie | GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware | APT | GROUP |
30.8.24 |
Masquerades | Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool | MALWARE | Backdoor |
30.8.24 |
Malicious npm Packages | North Korea Still Attacking Developers via npm | HACKING | Malware |
30.8.24 |
SLOW#TEMPEST | From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users | CAMPAIGN | APT |
30.8.24 |
CVE-2023-22527 | Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem | VULNEREBILITY | CVE |
30.8.24 |
noMu Backdoor | APT Attack Case Analysis Report Using noMu Backdoor | MALWARE | Backdoor |
30.8.24 |
APT32 | Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders | APT | APT |
30.8.24 |
APT29 | State-backed attackers and commercial surveillance vendors repeatedly use the same exploits | APT | APT |
30.8.24 |
CVE-2023-41993 | A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023) | VULNEREBILITY | CVE |
30.8.24 |
CVE-2024-4671 | A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024) | VULNEREBILITY | CVE |
30.8.24 |
CVE-2024-5274 | A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024) | VULNEREBILITY | CVE |
29.8.24 |
A new Snake Keylogger variant | A new Snake Keylogger malware variant has been reported by the researchers from Fortinet. The malware is spread via phishing in the form of malicious .xls attachments. The distributed Excel files contain an exploit for an old WordPad RTF vulnerability, CVE-2017-0199. The attackers also leverage .hta files, VBScript and PowerShell code within the attack chain of this campaign. | VIRUS | |
29.8.24 |
Advanced dropper distributes 'Angry Stealer' infostealer via Telegram | An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer,' which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram. | VIRUS | |
29.8.24 |
Godzilla webshell deployment campaign | A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and leverage the ViewState function to distribute malicious webshells into the victim's environment. | CAMPAIGN | |
29.8.24 |
Czech Republic officials hit by malware campaign using NATO-themed lures | A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and heavily relied on open-source offensive tools. | VIRUS | |
29.8.24 |
Critical vulnerability CVE-2023-22527 exploited for cryptomining activities | According to reports, the critical vulnerability CVE-2023-22527 is actively being exploited in the wild. This vulnerability is a severe OGNL injection flaw in Atlassian Confluence Data Center and Server. Threat actors are exploiting it for cryptojacking, transforming compromised systems into cryptomining networks. The attack vector includes deploying shell scripts and XMRig miners while maintaining persistence through cron jobs. | VULNEREBILITY | |
29.8.24 |
US voters targeted in phishing campaign | With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. Domains with "vance" in them were excluded due to that string being found in many English words and domains unrelated to the election. | PHISHING | |
29.8.24 |
Rocinante mobile malware | Rocinante is a malware variant observed prevalently in campaigns targeted at mobile users in Brazil. Functionality-wise, Rocinante has the ability to steal information via keylogging, initiate remote access sessions, and simulate swipe movements or touch events on the infected device. The malware might also be leveraged for phishing attacks by displaying bogus login websites, thus targeting the theft of banking credentials. | ||
29.8.24 |
Emerging loader Emmental spreads malware via disguised binaries | A loader called Emmental has been detected in use, being distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. It has been part of several campaigns globally using the Bunny.net CDN provider and WebDAV servers to distribute various malware payloads, such as CryptBot, AsyncRAT, Lumma, Meduza stealer, Xworm, and SectopRAT. The functionality of this tool matches the capabilities advertised in underground markets. | VIRUS | |
29.8.24 |
New macOS variant of the HZ RAT backdoor emerges | A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat. | VIRUS | |
29.8.24 |
AA24-241A Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | REPORT | REPORT |
29.8.24 |
CVE-2024-7029 | Commands can be injected over the network and executed without authentication. | VULNEREBILITY | CVE |
29.8.24 |
Fortra FileCatalyst Workflow Static HSQLDB Password | Fortra FileCatalyst Workflow contains a static HSQLDB password that can be used by a remote attacker to access the service with administrative access. | VULNEREBILITY | CVE |
28.8.24 |
CVE-2024-38856 | Apache OFBiz Incorrect Authorization Vulnerability | VULNEREBILITY | CVE |
28.8.24 |
CVE-2024-6386 | The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. | VULNEREBILITY | CVE |
28.8.24 |
HZ Rat | HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat | MALWARE | MacOS |
27.8.24 |
Versa Director Zero-Day Exploitation | Taking the Crossroads: The Versa Director Zero-Day Exploitation | VULNEREBILITY | Zero-Day |
27.8.24 |
Phishing campaign targeting users in Asia Pacific regions | Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to third-party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves. | CAMPAIGN | |
27.8.24 |
SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials | In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks. | CAMPAIGN | |
27.8.24 |
Phishing campaign targets VPN users with Cheana Infostealer malware | A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. The malware, dubbed Cheana Stealer, collects and exfiltrates various types of information such as in-browser stored data, cookies, passwords, cryptocurrency wallets, and cryptocurrency browser extensions. The Linux and macOS versions have the additional capability of stealing SSH keys and Keychain data. | CAMPAIGN | |
27.8.24 |
Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools | Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as SectopRAT, LummaC2, and Redline, primarily through drive-by downloads. | VIRUS | |
27.8.24 |
Attackers Spreading Malware via Infected Websites | Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server. | VIRUS | |
27.8.24 |
SpyNote Variant Lurks In South Africa Impersonating Two Major Banks | Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information. | VIRUS | |
27.8.24 |
Cthulhu Stealer | Researchers have recently observed another malware-as-a-service (MaaS) targeting Mac users, dubbed Cthulhu. This malware is delivered as a disk image (DMG) containing platform-specific binaries and is developed in Golang. It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access. | VIRUS | |
27.8.24 | CVE-2024-0519 | Out-of-bounds memory access in V8 | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-2886 | Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-2887 | Type confusion in WebAssembly (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-3159 | Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-4671 | Use-after-free in Visuals | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-4761 | Out-of-bounds write in V8 | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-4947 | Type confusion in V8 | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-5274 | Type confusion in V8 | ||
27.8.24 | CVE-2024-7971 | Type confusion in V8 | VULNEREBILITY | CVE |
27.8.24 | CVE-2024-39717 | The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file ending with a .png extension to masquerade as an image file. | VULNEREBILITY | CVE |
27.8.24 | Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information | VULNEREBILITY | AI | |
27.8.24 | CVE-2024-40766 | SonicOS Improper Access Control Vulnerability | VULNEREBILITY | CVE |
26.8.24 | CVE-2024-27132 | Cross-site Scripting in MLFlow | VULNEREBILITY | CVE |
26.8.24 | CVE-2024-31214 | (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution | VULNEREBILITY | CVE |
26.8.24 | CVE-2024-24809 | (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type | VULNEREBILITY | CVE |
26.8.24 | NGate | NGate Android malware relays NFC traffic to steal cash | MALWARE | Android |
25.8.24 | Aurba 501 - Authenticated RCE | Linux | WebApps | |
25.8.24 | HughesNet HT2000W Satellite Modem - Password Reset | Hardware | WebApps | |
25.8.24 | Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure | Hardware | WebApps | |
25.8.24 | Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass | Hardware | WebApps | |
25.8.24 | Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config | Hardware | WebApps | |
25.8.24 | Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass | Hardware | WebApps | |
25.8.24 | Helpdeskz v2.0.2 - Stored XSS | PHP | WebApps | |
25.8.24 | Calibre-web 0.6.21 - Stored XSS | Multiple | WebApps | |
25.8.24 |
sedexp | Unveiling "sedexp": A Stealthy Linux Malware Exploiting udev Rules | MALWARE | Linux |
24.8.24 |
CVE-2021-33044 | (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability | VULNEREBILITY | CVE |
24.8.24 |
CVE-2021-33045 | (CVSS score: 9.8) - Dahua IP Camera Authentication Bypass Vulnerability | VULNEREBILITY | CVE |
24.8.24 |
CVE-2021-31196 | (CVSS score: 7.2) - Microsoft Exchange Server Information Disclosure Vulnerability | VULNEREBILITY | CVE |
24.8.24 |
CVE-2022-0185 | (CVSS score: 8.4) - Linux Kernel Heap-Based Buffer Overflow Vulnerability | VULNEREBILITY | CVE |
24.8.24 |
Peaklight downloader malware activity reported | Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain. | VIRUS | |
24.8.24 |
CVE-2024-4885 - Progress Software WhatsUp Gold RCE vulnerability | CVE-2024-4885 is a recently disclosed critical (CVSS score 9.8) unauthenticated remote code execution vulnerability affecting Progress Software WhatsUp Gold, which is a network monitoring software. Exploitation of the bug might allow unauthenticated attackers to execute arbitrary commands with iisapppool/nmconsole privileges. | VULNEREBILITY | |
24.8.24 |
Sedexp Linux malware uses udev rules for persistence | Sedexp is a recently identified threat affecting Linux environments. Sedexp malware has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. Udev is a device manager system on Linux that allows for management of device nodes in the /dev directory. | VIRUS | |
24.8.24 |
PG_MEM - malware targeting PostgreSQL servers for cryptomining | PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute force attacks against vulnerable PostgreSQL database servers. Once the attackers obtain access to the server, an attempt is made to establish persistence by creating a new privileged account. Later on, the threat actors initiate system discovery and deliver the PG_MEM dropper payload, which ultimately delivers an XMRig cryptominer to the infected machine. | VIRUS | |
24.8.24 |
Qilin ransomware | Qilin ransomware caught stealing credentials stored in Google Chrome | RANSOMWARE | RANSOMWARE |
24.8.24 |
PEAKLIGHT | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | MALWARE | Downloader |
23.8.24 |
CMoon: A .NET-based malware worm in Russian gas sector | CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables. | VIRUS | |
23.8.24 |
Casbaneiro in the UAE: Impersonating Sharjah Ports Authority | In cybersecurity, ports and related authorities are high-value targets for threat actors due to their integral roles in global supply chains and connections to industries such as transportation, logistics, energy, and government sectors. Crooks often disguise themselves as port authorities to lure other industries into phishing scams or social engineering attacks. | GROUP | |
23.8.24 |
NGate - a novel Android malware able to relay NFC data to the attackers | A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones and over to the attackers' devices. | VIRUS | |
23.8.24 |
North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT | A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker’s server, which subsequently fetch the final payload, the Lilith RAT. The Lilith RAT, written in C++, is an open-source remote control software that facilitates additional remote operations. | VIRUS | |
23.8.24 |
Insom ransomware | Insom malware is the latest variant from the Makop ransomware family. The malware encrypts user files and appends the .Insom extension to the renamed file names. A unique victim ID and the malware developers' email address are also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint. | RANSOM | |
23.8.24 |
Toll Road Smishing Scams Increasingly Target U.S. Drivers | The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes. | PHISHING | |
23.8.24 |
TodoSwift: New macOS threat masquerading as a PDF | A new macOS malware dubbed TodoSwift has been identified as disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing. | VIRUS | |
23.8.24 |
North Korean-based threat actor develops MoonPeak RAT | MoonPeak is a somewhat recently discovered remote access Trojan (RAT) which has been attributed to North Korean-based threat actors. This RAT is a variant of the open-source XenoRAT malware and has seen multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure. | VIRUS | |
23.8.24 |
Cthulhu | From the Depths: Analyzing the Cthulhu Stealer Malware for macOS | MALWARE | MacOS |
23.8.24 |
FM11RF08S | MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors | MALWARE | Backdoor |
23.8.24 |
CVE-2024-28987 | Web Help Desk Hardcoded Credential Vulnerability (CVE-2024-28987) | VULNEREBILITY | CVE |
23.8.24 |
CVE-2024-20399 | A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. | VULNEREBILITY | CVE |
23.8.24 |
ALBeast | The Hunt for ALBeast: A Technical Walkthrough | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-0519 | Out-of-bounds memory access in V8 | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-2886 | Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-2887 | Type confusion in WebAssembly (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-3159 | Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024) | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-4671 | Use-after-free in Visuals | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-4761 | Out-of-bounds write in V8 | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-4947 | Type confusion in V8 | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-5274 | Type confusion in V8 | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-7971 | Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | VULNEREBILITY | CVE |
22.8.24 |
LiteSpeed Cache | Critical Privilege Escalation in LiteSpeed Cache Plugin | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-6800 | An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-6337 | An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. | VULNEREBILITY | CVE |
22.8.24 |
CVE-2024-7711 | An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. | VULNEREBILITY | CVE |
22.8.24 |
PG_MEM | PG_MEM: A Malware Hidden in the Postgres Processes | MALWARE | CRYPTOCURRENCY |
22.8.24 |
CVE-2024-38206 | Microsoft Copilot Studio Information Disclosure Vulnerability | VULNEREBILITY | CVE |
21.8.24 |
MoonPeak | MoonPeak malware from North Korean actors unveils new details on attacker infrastructure | MALWARE | RAT |
21.8.24 |
Styx | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove | MALWARE | Stealer |
21.8.24 |
TodoSwift | TodoSwift Disguises Malware Download Behind Bitcoin PDF | MALWARE | MacOS |
21.8.24 |
Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks | Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks. | VIRUS | |
21.8.24 |
Cybercriminals' Relentless Use of Fake CVs to Breach Corporate Defenses | There is a long list of social engineering tactics in the cybersecurity world, and while it is always fluctuating, some methods are well-established such as sending fake CVs. This tactic involves emailing a fake Curriculum Vitae (CV) and motivation letter, often targeting HR departments or managers. | CRIME | |
21.8.24 |
QWERTY Stealer: New infostealer variant | QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads. | VIRUS | |
21.8.24 |
Styx Stealer malware | Styx Stealer is a new infostealing malware variant discovered by the researchers from Checkpoint. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, Telegram and Discord sessions, among others. | VIRUS | |
21.8.24 |
New Msupedge backdoor employs communication via DNS traffic | A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen. | VIRUS | |
21.8.24 |
A new and emerging malware dubbed UULoader | Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are known as a method of malware distribution. The new malware strain identified is 'UULoader,' used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users. | ALERTS | VIRUS |
21.8.24 |
CVE-2024-6220 | (CVSS score: 9.8) - An arbitrary file upload flaw in the 简数采集器 (Keydatas) plugin that allows unauthenticated attackers to upload arbitrary files on the affected site's server, ultimately resulting in code execution | VULNEREBILITY | CVE |
21.8.24 |
CVE-2024-6467 | (CVSS score: 8.8) - An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information | VULNEREBILITY | CVE |
21.8.24 |
CVE-2024-5441 | (CVSS score: 8.8) - An arbitrary file upload flaw in the Modern Events Calendar plugin that allows authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server and execute code | VULNEREBILITY | CVE |
21.8.24 |
CVE-2024-6411 | (CVSS score: 8.8) - A privilege escalation flaw in the ProfileGrid – User Profiles, Groups and Communities plugin that allows authenticated attackers, with Subscriber-level access and above, to update their user capabilities to that of an Administrator | VULNEREBILITY | CVE |
21.8.24 |
pwish | Be careful what you pwish for – Phishing in PWA applications | HACKING | PHISHING |
21.8.24 |
UTG-Q-010 | UTG-Q-010: Targeted Attack Campaign Against the AI and Gaming Industry | GROUP | GROUP |
21.8.24 |
WireServing | "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services | EXPLOIT | EXPLOIT |
21.8.24 |
CharmingCypress | CharmingCypress: Innovating Persistence | MALWARE | Families |
21.8.24 |
TA453 | Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset | GROUP | GROUP |
21.8.24 |
BlindEagle | BlindEagle flying high in Latin America | APT | APT |
21.8.24 |
CVE-2024-23897 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | VULNEREBILITY | CVE |
21.8.24 |
UULoader | Meet UULoader: An Emerging and Evasive Malicious Installer. | MALWARE | Loader |
21.8.24 |
NUMOZYLOD | Finding Malware: Unveiling NUMOZYLOD with Google Security Operations | MALWARE | MaaS |
21.8.24 |
Xeon Sender | Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials | TOOL | Phishing/Spam |
21.8.24 |
CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
21.8.24 |
FIN7 | FIN7: The Truth Doesn't Need to be so STARK | APT | APT |
20.8.24 |
RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam | Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors - including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries - are being targeted. | VIRUS | |
20.8.24 |
Ailurophile Infostealer | Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophile's capabilities include theft of data stored in browsers, including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from compromised machines according to predefined search criteria such as keywords in filenames or specific extensions. | VIRUS | |
20.8.24 |
Fake Apps target Indian government's PM Kisan Yojana beneficiaries | The PM Kisan Yojana is a historic initiative by the Indian government that is currently benefiting around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, which is distributed in three equal installments of INR 2,000 each. | VIRUS | |
20.8.24 |
Hawk Eye Ransomware | A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background. | RANSOM | |
20.8.24 |
Crypto Investment Scams Posing as Tesla | A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram. | CRYPTOCURRENCY | |
20.8.24 |
Threat actor Damselfly conducts campaigns against the U.S. and Israel | Damselfly (aka APT42, Charming Kitten) is a well-established Iran-based threat actor. The group has routinely attacked high-value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals. | APT | |
20.8.24 |
BANSHEE Infostealer | Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets. | VIRUS | |
20.8.24 |
New Gafgyt botnet variant observed in the wild | A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign targeting endpoints with weak SSH credentials that deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities including system discovery, command execution, scanning for exposed SSH/Telnet access and brute-force attack execution against the targeted systems. The second binary is an XMRig cryptominer used to mine the Monero cryptocurrency. | BOTNET | |
20.8.24 |
New ValleyRAT malware distribution campaign | A new ValleyRAT malware distribution campaign targeting Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components, including shellcode executed for reflective DLL loading and a beaconing module used to fetch additional components. The campaign's payload, ValleyRAT, is a multi-staged malware variant with capabilities including monitoring of user activities, screenshot grabbing, plugin execution, arbitrary file download and others. | VIRUS | |
20.8.24 |
Cyclops Go-based malware | Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as a "Microsoft SqlServer.exe" executable in an attempt to impersonate an SQL Server update file and to possibly be deployed on otherwise vulnerable server instances. | VIRUS | |
17.8.24 |
.env Files to Breach Cloud Accounts in Extortion Campaign | Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments | INCIDENT | Cloud Computing |
16.8.24 |
SharpRhino | SharpRhino – New Hunters International RAT Identified by Quorum Cyber | MALWARE | RAT |
16.8.24 |
Tusk | Tusk: unraveling a complex infostealer campaign | CAMPAIGN | Malware |
16.8.24 |
ValleyRAT | A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers | MALWARE | RAT |
16.8.24 |
Cuckoo | Update: Cuckoo Malware Evolves | MALWARE | MacOS |
16.8.24 |
BANSHEE | Beyond the wail: deconstructing the BANSHEE infostealer | MALWARE | MacOS |
16.8.24 |
Multiple SMTP services are susceptible to spoofing attacks due to insufficient enforcement | Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information. | ALERT | ALERT |
16.8.24 |
Pupy RAT distributed in recent UTG-Q-010 APT campaign | Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masquerading as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending in deployment of the Pupy RAT payload. | VIRUS | |
16.8.24 |
Discovery of tools and batch scripts targeting Windows and Linux systems | According to a recent DFIR report, a range of threat actor tools has been found that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, and disable systems. Among the discovered tools were Ngrok for proxy services and SystemBC, along with two well-known command-and-control frameworks: Sliver and PoshC2. | HACKING | |
16.8.24 |
Malspam attacks target AnyDesk and Microsoft Teams | Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system. | VIRUS | |
16.8.24 |
New macOS malware uses SwiftUI and OpenDirectory API for credential theft | A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following: | VIRUS | |
16.8.24 |
.shop gTLD becomes a new favorite to spread waves of cryptocurrency spam emails | Lately, the .shop gTLD has been heavily abused by threat actors to spread cryptocurrency spam emails. The .shop gTLD (generic top-level domain) was launched in 2016 and is specially designed for online shopping or e-commerce platforms; it can be used by retailers and e-commerce stores, among others. | SPAM | |
16.8.24 |
Datablack ransomware | Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends the .Datablack extension to the renamed file names. The ransom note is dropped in the form of a text file called #Recovery.txt, in which the attackers ask victims to contact them via the email addresses provided for further instructions regarding data decryption. | RANSOM | |
16.8.24 |
Gigabud mobile malware shows links to the Golddigger trojan | A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, distribution of the new variant has expanded and it now targets various countries across the world. The malware is often spread via phishing websites masquerading as the Google Play Store or sites impersonating various banks or governmental entities. | VIRUS | |
16.8.24 |
CVE-2024-38856 - Apache OFBiz Pre-Authentication RCE vulnerability | CVE-2024-38856 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote code execution vulnerability affecting Apache OFBiz versions up to 18.12.14. The vulnerability originates from a flaw in the override view functionality. Successful exploitation gives unauthenticated attackers remote code execution via crafted requests. | VULNEREBILITY | |
16.8.24 |
Allarich Ransomware | A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt." | RANSOM | |
16.8.24 |
Phishing campaign impersonates Google Safety Centre | A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware. | CAMPAIGN | |
16.8.24 |
Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader | A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with disguised government official documents containing embedded VBA macros that deliver the ABCloader payload upon execution. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server for remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection. | GROUP | |
16.8.24 |
Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN | A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities. | PHISHING | |
16.8.24 |
Grayfly evolves its attack vectors with new loaders and tactics | Grayfly (also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control. | VIRUS | |
16.8.24 |
DeathGrip: Emergence of a new Ransomware-as-a-Service | A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. Their payloads, created using leaked ransomware builders, are already being observed in real-world attacks, enabling individuals with minimal technical skills to deploy fully developed ransomware attacks. | RANSOM | |
16.8.24 |
Spoofed Australian Taxation Office (ATO) email notifications appear in phish runs | The Australian Taxation Office (ATO) is the Government of Australia's revenue collection authority. Recently, Symantec has observed phishing attempts mimicking the ATO, enticing users to open fake notification emails. The email states that a notice of assessment requires the user's immediate attention due to ongoing scheduled maintenance. | SPAM | |
16.8.24 |
CVE-2024-40628/CVE-2024-40629 - JumpServer File Read and Upload vulnerabilities | CVE-2024-40628 and CVE-2024-40629 are recently disclosed file read and file upload vulnerabilities affecting the JumpServer Ansible module. Successful exploitation of the flaws might allow low-privilege accounts to read/write files in the Celery container, posing both a risk of sensitive information disclosure and potential arbitrary code execution within the context of the affected application. | VULNEREBILITY | |
16.8.24 |
Phishers targeting users in South Korea with tax receipts | Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major accounting firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the National Tax Service in South Korea: 'NTS_eTaxInvoice.html'. | PHISHING | |
15.8.24 | CVE-2024-38173 | Microsoft Outlook Remote Code Execution Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38198 | Windows Print Spooler Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38202 | (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-21302 | (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38199 | (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38213 | (CVSS score: 6.5) - Windows Mark of the Web Security Feature Bypass Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38107 | (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38106 | (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38193 | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38178 | (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-38189 | (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-7570 | (CVSS score: 8.3) - Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-7569 | (CVSS score: 9.6) - An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information | VULNEREBILITY | CVE |
15.8.24 | Actor240524 | New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel | GROUP | APT |
15.8.24 | ArtiPACKED | ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts | HACKING | HACKING |
15.8.24 | RansomHub | Ransomware attackers introduce new EDR killer to their arsenal | RANSOMWARE | RANSOMWARE |
15.8.24 | Gafgyt | Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments | BOTNET | BOTNET |
15.8.24 | River of Phish | SPEAR-PHISHING CASES FROM EASTERN EUROPE 2022-2024: A TECHNICAL BRIEF | CAMPAIGN | Phishing |
15.8.24 | CVE-2024-5916 | (CVSS score: 6.0) - An information exposure vulnerability in PAN-OS software that enables a local system administrator to access secrets, passwords, and tokens of external systems | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-5915 | (CVSS score: 5.2) - A privilege escalation (PE) vulnerability in the GlobalProtect app on Windows devices that enables a local user to execute programs with elevated privileges | VULNEREBILITY | CVE |
15.8.24 | CVE-2024-28986 | SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability (CVE-2024-28986) | VULNEREBILITY | CVE |
15.8.24 | Earth Baku | A Dive into Earth Baku’s Latest Campaign | CAMPAIGN | CAMPAIGN |
15.8.24 | GhostWrite | RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing | PAPERS | CPU |
15.8.24 | GhostWrite | RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing | VULNEREBILITY | CPU |
13.8.24 | CVE-2024-33892 | (CVSS score: 7.4) - Information leakage through cookies | VULNEREBILITY | CVE |
13.8.24 | CVE-2024-33893 | (CVSS score: 2.1) - XSS when displaying the logs due to improper input sanitization | VULNEREBILITY | CVE |
13.8.24 | CVE-2024-33894 | (CVSS score: 1.0) - Execution of several processes with elevated privileges | VULNEREBILITY | CVE |
13.8.24 | CVE-2024-33895 | (CVSS score: 4.4) - Usage of a unique key to encrypt the configuration parameters | VULNEREBILITY | CVE |
13.8.24 | CVE-2024-33896 | (CVSS score: 3.3) - Code injection due to improper parameter blacklisting | VULNEREBILITY | CVE |
13.8.24 | CVE-2024-33897 | (CVSS score: N/A) - A compromised device could be used to request a Certificate Signing Request (CSR) from Talk2m for another device, resulting in an availability issue | VULNEREBILITY | CVE |
13.8.24 | Compromising Microsoft's AI Healthcare Chatbot Service | Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources. | INCIDENT | AI |
13.8.24 | CVE-2024-7589 | OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. | VULNEREBILITY | CVE |
13.8.24 | APT trends report Q2 2024 | For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs). | ANALYSIS | APT |
11.8.24 | Devika v1 - Path Traversal via 'snapshot_path' | Python | WebApps | |
11.8.24 | Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path | Windows | Local | |
11.8.24 | SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path | Windows | Local | |
11.8.24 | Oracle Database 12c Release 1 - Unquoted Service Path | Windows | Local | |
11.8.24 | Ivanti vADC 9.9 - Authentication Bypass | Multiple | WebApps | |
11.8.24 | Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation | Windows | Exploit | Local |
11.8.24 |
QuickShell | QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share | EXPLOIT | EXPLOIT |
11.8.24 |
CVE-2024-38272 | (CVSS score: 7.1) - A vulnerability that allows an attacker to bypass the accept file dialog on Windows | VULNEREBILITY | CVE |
11.8.24 |
CVE-2024-38271 | (CVSS score: 5.9) - A vulnerability that forces a victim to stay connected to a temporary Wi-Fi connection created for sharing | CVE | |
11.8.24 |
2024-08-08 - Sixteen days of server scans and probes | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
11.8.24 |
2024-07-23 - Eight days of server scans and probes | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
10.8.24 |
Breaching AWS Accounts Through Shadow Resources | The cloud seems complex, but it's what happens behind the scenes that really complicates things. Some services utilize others as resources as part of their logic/operation. Interestingly enough, it turns out that this could lead to catastrophic results if done unsafely. | VULNEREBILITY | CVE |
10.8.24 |
CVE-2024-38200 | Microsoft Office Spoofing Vulnerability | CVE | |
10.8.24 |
CVE-2024-27459 | The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. | CVE | |
10.8.24 |
CVE-2024-24974 | The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. | CVE | |
10.8.24 |
CVE-2024-27903 | OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | CVE | |
10.8.24 |
CVE-2024-1305 | tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations, which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space. | CVE | |
10.8.24 |
OpenVPN vulnerabilities | Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE | CVE | |
10.8.24 |
CVE-2023-50809 | A vulnerability in the Sonos One Gen 2 Wi-Fi stack that does not properly validate an information element while negotiating a WPA2 four-way handshake, leading to remote code execution | CVE | |
10.8.24 |
CVE-2023-50810 | In certain Sonos products before Sonos S1 Release 11.12 and S2 release 15.9, a vulnerability exists in the U-Boot component of the firmware that allows persistent arbitrary code execution with Linux kernel privileges. A failure to correctly handle the return value of the setenv command can be used to override the kernel command-line parameters and ultimately bypass the Secure Boot implementation. This affects PLAY5 gen 2, PLAYBASE, PLAY:1, One, One SL, and Amp. | CVE | |
10.8.24 |
Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities | Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an attacker to execute arbitrary commands on the underlying operating system or cause a denial of service (DoS) condition. | CVE | |
9.8.24 |
English-Spanish Speaking Ransomware Actor Targets Linux Machines | Symantec has recently observed a Linux ransomware variant binary that appears to be connected to an English- and Spanish-speaking double-extortion ransomware actor. At this time, their modus operandi remains unclear, but the ransomware exhibits the following behavior. | RANSOM | |
9.8.24 |
Cryptocurrency-themed lure sites used for phishing attacks | Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typo-squatter subdomains like the following. | CRYPTOCURRENCY | |
9.8.24 |
New malspam campaigns delivering multiple Trojans | A number of malspam campaigns were seen which delivered various Trojans by attempting to exploit an old Microsoft Office vulnerability. CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload. We observed GuLoader, Remcos RAT, and Sankeloader infostealer as payloads. | SPAM | |
9.8.24 |
Sora AI-themed branding used to distribute malware | Threat Actors have created various phishing sites that impersonate official Sora platforms to lure victims into downloading files disguised as legitimate Sora software in order to distribute harmful payloads, including data stealers and cryptocurrency miners. When users attempt to install what is believed to be authentic application(s), the files trigger malicious processes that compromise the victim’s system. | AI | |
9.8.24 |
Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users | Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials. | PHISHING | |
9.8.24 |
New file-less ransomware variant Cronus discovered | A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection. | RANSOM | |
9.8.24 |
RHADAMANTHYS Stealer Targeting Users in Israel | RHADAMANTHYS stealer, active since 2013 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako," (two prominent businesses in Israel) extracts three components - a malicious executable, a DLL file, and a support file. Upon execution, RHADAMANTHYS employs anti-analysis techniques to avoid detection and initiates a multi-staged infection process to establish a presence on the compromised system. | VIRUS | |
9.8.24 |
0.0.0.0 Day | 0.0.0.0 Day: Exploiting Localhost APIs From the Browser | EXPLOIT | EXPLOIT |
9.8.24 |
Downgrade Attacks | Windows Downdate: Downgrade Attacks Using Windows Updates | HACKING | Attack |
9.8.24 |
CVE-2024-21302 | (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability | CVE |
|
9.8.24 |
CVE-2024-38202 | (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability | CVE |
|
9.8.24 |
StopRansomware BlackSuit (Royal) Ransomware | The advisory was updated to notify network defenders of the rebrand of “Royal” ransomware actors to “BlackSuit.” The update includes new TTPs, IOCs, and detection methods related to BlackSuit ransomware. “Royal” was updated to “BlackSuit” throughout unless referring to legacy Royal activity. Updates and new content are noted. | RANSOMWARE | RANSOMWARE |
9.8.24 |
CVE-2024-4885 | WhatsUp Gold versions released before 2023.1.3 contain an unauthenticated Remote Code Execution vulnerability in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip method allows execution of commands with iisapppool\nmconsole privileges. | CVE |
|
8.8.24 |
SbaProxy leveraged to hijack legitimate antivirus software | A recent report detailed how threat actors are leveraging a tool dubbed 'SbaProxy' disguised as a legitimate anti-virus software component to be able to create a proxy connection through a C2 server. The tool is distributed with malicious intent and in multiple formats such as DLLs, EXEs, and PowerShell scripts, which makes it challenging to detect due to its authentic look and advanced functionality. | EXPLOIT | |
8.8.24 |
Lynx Ransomware | Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on their website. They claim to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society. | RANSOM | |
8.8.24 |
Malware campaign exploits secureserver.net domain to deploy banking trojan | A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. | CAMPAIGN | |
8.8.24 |
Chameleon trojan targets hospitality Industry | A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application. | VIRUS | |
8.8.24 |
Zola - a new Proton ransomware variant | Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption the malware appends .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices if present. | RANSOM | |
8.8.24 |
How Malicious Actors Are Leveraging Cloud Services | The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure. | GROUP | |
8.8.24 |
Italian campaign targeting certified email users delivers Vidar infostealer | The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script which in turn leads to the final payload. | CAMPAIGN | |
8.8.24 |
Mispadu (aka URSA) Trojan Malware | Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese as their language settings. Similar to their previous campaigns, a spam email themed as an overdue invoice serves as the initial vector; it then lures users into downloading a malicious ZIP file. | VIRUS | |
7.8.24 |
SLUBStick | SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel | EXPLOIT | Linux |
7.8.24 |
CVE-2024-42008 | A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type header | CVE |
|
7.8.24 |
CVE-2024-42009 | A cross-site scripting flaw that arises from post-processing of sanitized HTML content | CVE |
|
7.8.24 |
CVE-2024-42010 | An information disclosure flaw that stems from insufficient CSS filtering | CVE |
|
7.8.24 |
GoGra | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services | MALWARE | Backdoor |
7.8.24 |
CrowdStrike Reveals | External Technical Root Cause Analysis — Channel File 29 | INCIDENT | INCIDENT |
7.8.24 |
Chameleon | Chameleon is back in Canada and Europe | MALWARE | Mobile Trojan |
7.8.24 |
XDSpy phishing campaign targets organizations in Russia and Moldova | A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown. | PHISHING | |
7.8.24 |
Spike in activity delivering Magniber ransomware | A spike in activity leading to infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods, including malvertisements, delivery via cracked software installers, and exploitation of known vulnerabilities. | RANSOM | |
7.8.24 |
OSX and Windows malware spread under the disguise of meeting or productivity software | Ongoing campaigns spreading malware under the disguise of meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading under the productivity app called Wasper or the Clusee meeting application. | VIRUS | |
7.8.24 |
HeadLace backdoor distributed by the Swallowtail APT | The latest research from Palo Alto reports on a recent HeadLace backdoor distribution campaign attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in efforts to distribute the malicious payloads. | VIRUS | |
7.8.24 |
Persistent IRATA attacks in Italy | Their modus operandi hasn't changed much over that period; they mainly leverage malicious SMS (smishing) messages containing URL redirections to their malicious apps as the vector of infection. They constantly rotate their social engineering tactics, with Symantec having observed multiple Italian financial services being abused for masquerading purposes. | SPAM | |
7.8.24 |
Are faxes still relevant? This credential harvesting campaign thinks so | Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications include subjects similar to 'Incoming Fax Delivered for user**@****.com' and instruct users to open the attached HTML and enter their credentials in order to view the fax. | CAMPAIGN | |
7.8.24 |
Lumma Stealer via Social Media and AI-Related Lure | There have been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma. | VIRUS | |
7.8.24 |
Trust (Crypto) Wallet users targeted with a new phishing wave | Trust Wallet is a crypto wallet that provides its users services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phish runs that impersonate Trust Wallet services and entice users to open fake notification emails. | CRYPTOCURRENCY | |
7.8.24 |
BITSLOTH Backdoor | BITSLOTH is a Windows backdoor that researchers have uncovered in Latin America; it exploits the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years and can log keystrokes, capture screens, and gather extensive data. | VIRUS | |
6.8.24 |
Moonstone Sleet | Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access | GROUP | GROUP |
6.8.24 | CVE-2024-38856 | Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. | CVE |
|
6.8.24 |
Android Security Bulletin—August 2024 | The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2024-08-05 or later address all of these issues. | OS | Android |
6.8.24 | LianSpy | LianSpy: new Android spyware targeting Russian users | MALWARE | Android |
5.8.24 |
STRRAT | Bloody Wolf strikes organizations in Kazakhstan with STRRAT commercial malware | MALWARE | RAT |
5.8.24 |
CVE-2024-6242 | Rockwell Automation Logix Controllers | ICS | Vulnerability |
5.8.24 |
BlankBot | BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities | MALWARE | Android Banking |
5.8.24 |
StormBamboo | StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms | MALWARE | Backdoor |
4.8.24 |
Panamorfi | A New Discord DDoS Campaign | CAMPAIGN | DDOS |
3.8.24 |
Increased Activity Against Apache OFBiz CVE-2024-32113 | As part of its extensive project portfolio, the Apache Foundation supports OFBiz, a Java-based framework for creating ERP (Enterprise Resource Planning) applications. OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical. | SANS | SANS |
3.8.24 | APT28 | Today, APT28 is consistently attributed to GRU Unit 26165, 85th Main Special Service Centre (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU). This attribution is mainly based on an indictment unsealed by the US Department of Justice (DoJ) in 2018. | APT | APT |
3.8.24 | Fighting Ursa | A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT). | APT | APT |
3.8.24 | APT41 | APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike | APT | APT |
3.8.24 | BITSLOTH | BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor | MALWARE | Backdoor |
3.8.24 | BlankBot Mobile banking trojan targeting Turkish users | BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over and collect information from the infected device. | VIRUS | |
3.8.24 | NetSupport RAT Campaign | NetSupport Manager has been weaponized by threat actors to perform malicious activities and executes as a Remote Access Trojan (RAT). Over time various campaigns have been identified each instance building on the previous in attempts to evolve evasion techniques through multiple obfuscation updates. | VIRUS | |
3.8.24 | AutoIT scripts leveraged by the latest Konni RAT malware | Konni RAT malware observed in a recent distribution campaign has been leveraging AutoIT scripts for detection evasion. The attack chain includes the use of .LNK files contained within .zip archives. The .lnk shortcut files are often disguised as documents and have double extensions present, for example ".hwp.lnk". | VIRUS | |
3.8.24 | Spike of activity observed for the Neshuta malware | During the last month Symantec observed a spike of activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector variant that has been observed in the threat landscape as early as 2005. Its main function is to prepend virus code to executable files and collect basic system information. | VIRUS | |
3.8.24 | Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in recent attacks | As reported by researchers from Cisco Talos, the Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to abuse an old, vulnerable version of the Microsoft Office IME executable (imecmnt.exe) to run the second-stage loader and execute the payload. | APT | |
3.8.24 | Bloody Wolf delivers STRRAT malware | A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies. | VIRUS | |
3.8.24 | Mandrake mobile spyware | A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps called AirFS was first uploaded to the store back in 2022 and remained available for download up until March this year. | VIRUS | |
3.8.24 | TgRAT malware returns with a Linux variant | TgRAT is a malware variant discovered back in 2022 that initially targeted Windows systems. Earlier this month a Linux version of this RAT was observed being distributed in the wild. Upon infection of the targeted machine the malware is used to execute arbitrary commands/scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot. | VIRUS | |
2.8.24 | SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme | Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code. | RANSOM | |
2.8.24 | DeerStealer malware spread via fake Google Authenticator websites | A new malicious campaign distributing an infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread under the disguise of a fake Google Authenticator app, and the malicious binary is hosted on a GitHub repository. | VIRUS | |
2.8.24 | SMS Stealer - extensive Android malware distribution campaign | An ongoing large-scale operation distributing an Android malware variant called SMS Stealer has been reported to infect mobile devices across the world. The campaign has been active since at least 2022 and has targeted victims in 113 countries. | VIRUS | |
2.8.24 | ModiLoader malware campaign targeting Small and Medium-Sized Business (SMB) in Poland | Modiloader (aka DBatLoader) malware has been deployed in recent campaigns targeting Small and Medium-Sized Businesses (SMBs) in Poland, Italy and Romania. Modiloader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. Modiloader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload usually varies, and the reported campaigns have been executing malware from the Agent Tesla, Remcos or Formbook families. | VIRUS | |
2.8.24 | DoNot APT Targeting Pakistani Android Mobile Users | APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection. | APT | |
2.8.24 | Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation | Malware evolution in the threat landscape is the singular reason cybersecurity professionals can’t rest, and Ransomware-as-a-Service (RaaS) is no different. RaaS has evolved from its first known form in 2012, Reveton, to the recent emergence of Eldorado ransomware, with early incidents reportedly raking in amounts of $400K USD a month and modern-day data breaches costing over $1M, sometimes far in excess of that figure. | RANSOM | |
2.8.24 | Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware | A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques, has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. This file exploits a known security flaw (CVE-2017-0199) to establish contact with a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping. The domain then retrieves an RTF file exploiting CVE-2017-11882, leading to the delivery of JavaScript malware. | CAMPAIGN | |
2.8.24 | Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware Scripts | A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service. | PHISHING | |
2.8.24 | Recent activities attributed to the UNC4393 threat group | The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group has been known to leverage a wide variety of malware variants and custom tools in their attacks including Basta ransomware, KnotWrap dropper, KnotRock tool, DawnCry dropper or the PortYard tunneler. | GROUP | |
2.8.24 | Exela Stealer continues to be distributed in the wild | Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks. | VIRUS | |
2.8.24 | Flame Stealer malware | Flame Stealer is a new C/C++-based infostealing malware variant advertised for sale on Discord and Telegram. The malware has the functionality to collect and exfiltrate various information about the infected machine, Discord tokens, clipboard data, credentials, banking information and browser cookies, among others. | VIRUS | |
2.8.24 | Sitting Ducks | Researchers at Infoblox and Eclypsium have discovered that a powerful attack vector in the domain name system (DNS) is being widely exploited across many DNS providers. | ATTACK | Domain |
2.8.24 | BingoMod | BingoMod: The new android RAT that steals money and wipes data | MALWARE | RAT |
2.8.24 | ERIAKOS | "ERIAKOS" Scam Campaign: Detected by Recorded Future’s Payment Fraud Intelligence Team | CAMPAIGN | Scam |
2.8.24 | DigiCert Revocation Incident (CNAME-Based Domain Validation) | Certification |
||
2.8.24 | The Securonix Threat Research team has been monitoring the threat actors behind the ongoing investigation into the DEV#POPPER campaign; we have identified additional malware variants linked to the same North Korean threat actors using similar, stealthy malicious code execution tactics, though now with much more robust capabilities. | CAMPAIGN |
||
2.8.24 | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies | GROUP |
||
2.8.24 | A trojan for Linux with a wide range of functions and the ability to be remotely controlled via a Telegram bot. The source code is written in Go and encrypted with RSA. | RAT |
||
2.8.24 | At the first stage, the dropper checks the parameters (arguments) used for its launch: this impacts the intermediate persistence stage. If there are input arguments, the add_payload stage begins (named after the function that performs it). | RAT |
||
2.8.24 | Unmasking the SMS Stealer: Targeting Several Countries with Deceptive Apps | SMS |
||
2.8.24 | Turla: A Master’s Art of Evasion | APT |
||
2.8.24 | Mandrake spyware sneaks onto Google Play again, flying under the radar for two years | Spyware |
||
2.8.24 | Phishing targeting Polish SMBs continues via ModiLoader | Loader |
||
2.8.24 | OneDrive Pastejacking: The crafty phishing and downloader campaign | PHISHING |
||
2.8.24 | VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | CVE |
||
2.8.24 | Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132. | CVE |
||
|
29.7.24 |
The threat actor known as Hive0137 has been leveraging Large Language Models (LLM) in their recent attacks. LLM is a form of generative AI designed to understand and generate human-like text. The Hive0137 group is known for their malware distribution attacks that often lead to ransomware infections. |
AI |
||
|
29.7.24 |
CVE-2024-40348 is a recently disclosed directory traversal vulnerability affecting Bazaar (version 1.4.3), which is open source version control software. Successful exploitation of the flaw might allow unauthenticated attackers to perform directory traversal on the vulnerable system, leading to unauthorized access to system directories and sensitive files. |
|||
|
29.7.24 |
Scammers exploit Hamster Kombat’s popularity with malicious farm bot tools |
With the rise in popularity of the Telegram clicker game Hamster Kombat, scamsters are increasingly targeting players. Enthusiasts are attracted by the promise of significant rewards linked to the introduction of a new cryptocoin by the game's creators. |
||
|
29.7.24 |
A ransomware actor calling themselves OceanCorp has been observed in the wild targeting single machines. At this time, according to their ransom note (OceanCorp.txt), this actor does not perform double-extortion tactics, meaning they do not threaten to leak or sell data. |
|||
|
29.7.24 |
Vietnam campaign: Android Spyware Masquerades as Techcombank |
Groups and individuals around the world have been using SpyNote, a popular Android remote access trojan, for the past few years, and its prevalence shows no signs of decreasing. E-crime and targeted campaigns against both enterprises and consumers are observed on a daily basis. |
||
|
29.7.24 |
“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails |
Phishing |
||
|
29.7.24 |
Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT |
RAT |
||
|
28.7.24 |
Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules. |
RAT |
||
|
28.7.24 |
Lost in the Fog: A New Ransomware Threat |
RANSOMWARE |
||
|
28.7.24 |
ShadowRoot Ransomware Targeting Turkish Businesses |
RANSOMWARE |
||
|
28.7.24 |
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks |
GROUP |
||
|
28.7.24 |
PKfail |
July 2024 Research Report |
REPORT |
||
|
28.7.24 |
New PlugX campaigns utilising Steam |
CAMPAIGN |
||
|
28.7.24 |
Unplugging PlugX: Sinkholing the PlugX USB worm botnet |
BOTNET |
||
|
27.7.24 |
Threat Actor Distributes Python-Based Information Stealer Using a Fake Falcon Sensor Update Lure |
Stealer |
||
|
27.7.24 |
Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure |
Stealer |
||
|
27.7.24 |
GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware |
AI |
||
|
27.7.24 |
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65): |
SANS |
||
|
27.7.24 |
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65): |
Stealer |
||
|
27.7.24 |
Threat Actor uses MSHTML flaw to distribute Atlantida InfoStealer |
A malware campaign conducted by the threat actor known as Void Banshee, which distributes the Atlantida InfoStealer, has been reported. The attack exploits CVE-2024-38112, an MSHTML vulnerability, by abusing .URL files to execute through disabled Internet Explorer. |
||
|
27.7.24 |
SeleniumGreed is a recently disclosed cryptomining operation observed in the wild. The campaign targets exposed instances of Selenium Grid, a component of the Selenium open-source automation framework used for testing web applications. |
|||
|
27.7.24 |
Zilla is the latest Crysis/Dharma ransomware observed in the threat landscape. The malware encrypts user data and appends the .ZILLA extension to the encrypted files. Alongside this custom extension, a unique ID and the threat actors' email address are also added. |
|||
|
27.7.24 |
Phishing campaign targeted at users in India attributed to the Smishing Triad group |
Fortinet researchers reported on a recent phishing operation targeting mobile users in India. The attack has been attributed to a threat group known as the Smishing Triad, known previously to be targeting various countries across the world with similar smishing runs. |
||
|
27.7.24 |
Continuous espionage activities attributed to the Stonefly APT |
Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul). |
||
|
27.7.24 |
Malware campaign exploits SEO poisoning to target W2 Form seekers |
A malware campaign has been reported targeting users searching for W2 forms through SEO poisoning techniques. Victims are redirected to spoofed IRS websites, where they are lured into downloading a malicious JS file disguised as a W2 form. |
||
|
27.7.24 |
Russian-linked malware campaign targeting Indian political entities |
A malware campaign believed to be orchestrated by a Russian-linked threat actor is reportedly targeting entities interested in Indian political affairs. Victims are lured with .LNK files disguised as genuine office documents. |
||
|
27.7.24 |
Handala Hack: What We Know About the Rising Threat Actor |
GROUP |
||
|
27.7.24 |
CrowdStrike’s Falcon agent caused downtime for millions of computers across the globe beginning July 19. This event caused panic and chaos, which threat actors quickly latched onto to gain an edge over defenders. |
Wiper |
||
|
27.7.24 |
Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. |
GROUP |
||
|
27.7.24 |
langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py. |
CVE |
||
|
27.7.24 |
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. |
CVE |
||
|
26.7.24 |
Another ransomware group that employs double-extortion tactics has been making the rounds in the already crowded ransomware threat landscape. Calling themselves RADAR, the group compromises machines, encrypts the files, and appends them with a .[random8characters] extension. |
|||
|
26.7.24 |
Smishing in Japan – Utilities, financial services and shipping top lures |
Smishing, or SMS phishing, is increasingly becoming a favored tactic for cybercriminals due to the widespread use of mobile devices and generally high open rates of SMS messages compared to emails. |
||
|
26.7.24 |
Atlantida Stealer among the malware variants spread by Stargazer Goblin threat group |
Atlantida Stealer has been determined as one of several malware payloads spread recently in a malware distribution campaign attributed to the threat actor known as Stargazer Goblin. Other payloads spread via this malware delivery service dubbed as Stargazers Ghost Network included RedLine, Lumma Stealer, Rhadamanthys and RisePro. |
||
|
26.7.24 |
There has been a rise in cyber attacks using Large Language Models (LLMs) to generate malicious code. Symantec's Team has observed phishing campaigns where LLM-generated scripts download harmful payloads like Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). |
AI |
||
|
26.7.24 |
There was a recent surge in activity from the group called UAC-0057 (aka GhostWriter). In this campaign, attackers are distributing Word documents that are macro-enabled with the intention of launching a malware loader known as PicassoLoader. This malicious loader is capable of deploying a Cobalt Strike Beacon onto the victim's machine. |
|||
|
26.7.24 |
ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions |
CVE |
||
|
26.7.24 |
APT45: North Korea’s Digital Military Machine |
APT |
||
|
26.7.24 |
In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. |
CVE |
||
|
26.7.24 |
Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins |
CVE |
||
|
26.7.24 |
(CVSS score: 7.5) - Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure. |
VULNERABILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition. |
VULNERABILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. |
VULNERABILITY |
||
|
26.7.24 |
(CVSS score: 7.5) - A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients. |
VULNERABILITY |
||
|
25.7.24 |
Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android |
Social site |
||
|
25.7.24 |
The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell. |
GROUP |
||
|
25.7.24 |
Remediation and Guidance Hub: Falcon Content Update for Windows Hosts |
INCIDENT |
||
|
25.7.24 |
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed |
CVE |
||
|
25.7.24 |
ACR Stealer is an information stealer advertised by a threat actor operating under the pseudonym SheldIO on Russian-speaking cybercrime forums. It has been sold as Malware-as-a-Service (MaaS) since March 2024. |
Stealer |
||
|
25.7.24 |
As recently reported by researchers from Trend Micro, a new Linux variant of the infamous Play ransomware has been observed to target the ESXi servers. Prior to execution, the malware runs checks to confirm that it is running within an ESXi environment. Play ransomware will also attempt to power off all running ESXi virtual machines before proceeding with the encryption process. |
|||
|
25.7.24 |
A new variant of LummaC2 has been observed exploiting the 'Steam' gaming platform. This variant now obtains dynamic C2 domains on demand, a departure from its previous technique of embedding C2 details within the sample itself. The malware stores a Steam URL, specifically a Steam account profile page, as executable code. |
|||
|
25.7.24 |
A new variant of the .NET-based Jellyfish Loader malware has been found in the wild. The malware has been reported as being distributed via a malicious .LNK file execution. |
|||
|
25.7.24 |
CVE-2024-4879 - ServiceNow Jelly Template Injection vulnerability |
CVE-2024-4879 is a recently disclosed critical template injection vulnerability (CVSS score 9.3) affecting ServiceNow, which is a popular platform for digital business transformation. Successful exploitation of the flaw might allow the unauthenticated remote attackers to gain access and execute arbitrary code within the context of the Now Platform. |
||
|
25.7.24 |
BianLian is a ransomware threat actor that has been active since mid-2022, specifically targeting the infrastructure sector in the US and Australia. As part of its attack vector, the threat actor typically exploits RDP credentials acquired through third parties or phishing to gain initial access. |
|||
|
25.7.24 |
Threat actors continue to exploit CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen that was reported and patched in February 2024. |
|||
|
25.7.24 |
Keylogging is a pretty common feature of many malware families, because recording the keys pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. |
SANS |
||
|
25.7.24 |
Microsoft Internet Explorer Use-After-Free Vulnerability |
CVE |
||
|
25.7.24 |
Twilio Authy Information Disclosure Vulnerability |
CVE |
||
|
24.7.24 |
Following the recent outage which affected computers running Microsoft operating systems across the globe, attackers are continuously exploiting the incident to lure users into accessing malicious links or launching malware-laden files. A new attack linked to this incident has been discovered involving a Word document containing macros that execute and download an unidentified stealer dubbed Daolpu. |
|||
|
24.7.24 |
Phishing is an all-too-common type of social engineering attack that attempts to steal user data by sending fraudulent communications, usually via email or SMS, which appear to come from a legitimate source. Phishing is predominantly employed at the first stage in a malware attack, whether the ultimate objective is reconnaissance or compromise. |
|||
|
24.7.24 |
Braodo: A new Python-based Infostealer in the cyber threat landscape |
A new infostealer, named Braodo, has been observed circulating in the ever-evolving threat landscape. It is distributed through an archive file that includes a BAT file. When executed, this BAT file connects to GitHub to download a secondary BAT file and a ZIP archive containing the final Braodo infostealer payload. |
||
|
24.7.24 |
The Daggerfly (aka Evasive Panda, Bronze Highland) threat group, which has been active for at least a decade, has made some significant updates to their toolset. Symantec’s Threat Hunter Team has published a report providing details regarding Daggerfly tools such as the modular malware framework MgBot, Macma, a modular macOS backdoor, and a recently observed multi-stage backdoor identified as Suzafk. |
|||
|
24.7.24 |
Threat Actor FIN7 (also tracked under the names Carbon Spider, the Carbanak Group, and Sangria Tempest) is known for its proficiency in sophisticated campaigns and engineering attacks to gain initial access to corporate networks. |
|||
|
24.7.24 |
New variants of BlackSuit ransomware have been observed in the wild, employing deceptive tactics to evade detection. Recently, they masqueraded as fake Qihoo 360 antivirus installers to deceive victims. Once installed, the malware encrypts user files and appends the .blacksuit extension. |
|||
|
24.7.24 |
A new strain of ransomware dubbed CyberVolk has been reported. This ransomware is written in C/C++ and features a unique encryption algorithm developed entirely by the group behind the malware. |
|||
|
24.7.24 |
Researchers at Palo Alto Networks have provided an analysis of the RA World Ransomware group. This group has been active since 2023 and has targeted victims worldwide across multiple industries. |
|||
|
24.7.24 |
In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
|||
|
24.7.24 |
FakeApp Campaign: South Korea's Financial Institutions' Mobile Users Targeted |
In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
||
|
24.7.24 |
Recently the APT group Seedworm has been observed deploying a previously undocumented backdoor named Bugsleep, primarily via a phishing campaign with PDFs containing malicious links targeting organizations in the Middle East. Once deployed this new backdoor allows attackers to execute remote commands and exfiltrate files to the C&C server. |
|||
|
24.7.24 |
Tag-100: Emerging threat actor exploiting appliance vulnerabilities |
A new threat actor, dubbed Tag-100, has been reported targeting government and private sector entities worldwide. This threat actor exploits vulnerabilities in appliances to initiate its attacks and has been observed exploiting known vulnerabilities in appliances such as Citrix NetScaler. |
||
|
24.7.24 |
Copybara is a banking Trojan affecting Android mobile devices and has been observed targeting users in Italy. Threat actors use previously obtained contact details and portray themselves as bank employees to socially engineer victims into downloading the malicious application by way of SMS phishing and voice phishing, also known as smishing and vishing respectively. |
|||
|
24.7.24 |
NullBulge exploiting code repositories in AI and Gaming Sectors |
In response to threat actors exploiting security vulnerabilities in AI and gaming-focused entities, a new group dubbed NullBulge has been reported. |
AI |
|
|
24.7.24 |
A recent report has revealed that the National Health Insurance Fund (NEAK) based in Hungary was targeted by attackers who aimed to deploy Lokibot malware. |
|||
|
24.7.24 |
Over the past few weeks, multiple campaigns have been reported, carried out by the China-linked APT group Grayfly also known as APT41. |
|||
|
24.7.24 |
New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) |
In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, CVE-2024-3273, was exploited soon after it became public. Many of the affected devices are no longer supported. |
SANS |
|
|
24.7.24 |
New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) |
CVE |
||
|
24.7.24 |
Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma |
macOS |
||
|
24.7.24 |
A secret Disinformation Campaign targeting U.S. Congress and Taxpayers conducted by U.S. Government agencies |
REPORT |
||
|
24.7.24 |
Daggerfly: Espionage Group Makes Major Update to Toolset |
Espionage |
||
|
24.7.24 |
When it comes to website security, sometimes the most innocuous features can become powerful tools in the hands of attackers |
Steal Credit Cards |
||
|
24.7.24 |
Impact of FrostyGoop ICS Malware on Connected OT Systems |
ICS |
||
|
23.7.24 |
This groundbreaking report unveils the discovery of a technology suite and its connection to |
PAPERS |
||
|
23.7.24 |
GAMBLING IS NO GAME: DNS LINKS BETWEEN CHINESE ORGANIZED CRIME AND SPORTS SPONSORSHIPS |
GROUP |
||
|
23.7.24 |
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. |
HACKING |
||
|
23.7.24 |
Fake Browser Updates Lead to BOINC Volunteer Computing Software |
Malware |
||
|
23.7.24 |
Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma |
Ransomware |
||
|
20.7.24 |
WHY THE PRC FAILS TO BACK ITS CLAIMS OF WESTERN ESPIONAGE |
REPORT |
||
|
20.7.24 |
‘AuKill’ EDR killer malware abuses Process Explorer driver |
Tool |
||
|
20.7.24 |
BugSleep is a backdoor designed to execute the threat actors’ commands and transfer files between the compromised machine and the C&C server. The backdoor is currently in development, with the threat actors continuously improving its functionality and addressing bugs. |
Backdoor |
||
|
19.7.24 |
A new variant of the BeaverTail malware has been reported, distributed via a macOS DMG file that mimics the legitimate video call service MiroTalk. This campaign is linked to North Korean hackers targeting job seekers. The updated malware is a native Mach-O executable capable of stealing sensitive data from web browsers and cryptocurrency wallets. |
|||
|
19.7.24 |
APT17 Campaign: New variants of 9002 RAT targeting Italian government entities |
A malware campaign by the APT17 group has been reported, distributing newer variants of 9002 RAT. The campaign specifically targets government entities and Italian companies. Users are lured with a link to a masqueraded Italian government domain, purportedly to download a Skype installer. |
||
|
19.7.24 |
A recent phishing campaign was observed by researchers targeting Ukrainian defense enterprises on the topic of Unmanned Aerial Vehicle (UAV) purchasing. The distributed email includes a ZIP attachment with a PDF file containing a malicious link. |
|||
|
19.7.24 |
RDPWrapper and Tailscale leveraged in recent malspam campaign |
Researchers have uncovered a multi-stage cyberattack campaign starting with a malicious zip file containing a .lnk shortcut file that was likely spread via phishing emails. Upon execution, the .lnk file downloads a PowerShell script enabling threat actors access via RDP. |
||
|
19.7.24 |
Threat researchers have identified a new ransomware called ShadowRoot which targets businesses in Turkey. The attack starts with a PDF attachment sent via suspicious emails from the "internet[.]ru" domain. If a user clicks on the embedded links within the PDF, it triggers the download of an executable payload that proceeds to encrypt files. Encrypted files have their extensions changed to ".shadowroot". |
|||
|
19.7.24 |
Symantec has observed a phishing malware campaign targeting government entities in Ukraine. Based on the attack vector and behavior, Symantec believes UNC4814, a suspected Russian threat actor, is responsible for the campaign. The threat actor initiates attacks by sending phishing emails with HTA files attached, masquerading as bills and payment notifications. |
|||
|
19.7.24 |
Zero-Day Exploit: Malicious .url Files Leveraging CVE-2024-38112 on Windows |
An ongoing campaign targeting Windows users has been observed. Threat actors distribute phishing emails containing Windows Internet Shortcut files with a .url extension. |
||
|
19.7.24 |
Solarwinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Directory Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Traversal Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Traversal and Information Disclosure Vulnerability |
CVE |
||
|
19.7.24 |
Solarwinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability |
CVE |
||
|
19.7.24 |
SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability |
CVE |
||
|
19.7.24 |
We have released our Snowflake threat hunting guide, which contains guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances. |
REPORT |
||
|
19.7.24 |
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion |
GROUP |
||
|
19.7.24 |
APT41 Has Arisen From the DUST |
APT |
||
|
19.7.24 |
A Comprehensive Look at the Updated Infection Chain of Ghost Emperor’s Demodex Rootkit. |
Rootkit |
||
|
19.7.24 |
APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. |
Shell |
||
|
19.7.24 |
OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating in Yemen |
Mobil App |
||
|
19.7.24 |
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. |
INCIDENT |
||
|
18.7.24 |
A tool used in Qilin ransomware attacks known as "Killer Ultra" was recently uncovered by researchers. |
|||
|
18.7.24 |
A new stealer malware dubbed Noxious Stealer was recently identified by researchers. |
|||
|
18.7.24 |
Specially crafted HTML files allow for abuse of Windows search |
Attackers have been recently observed abusing Windows search in order to redirect users to malware. |
||
|
18.7.24 |
Improperly configured Jenkins Script Console instances (such as the Jenkins Groovy plugin) have been weaponized by attackers, leading to criminal activity such as the deployment of cryptocurrency miners and of backdoors used to gather sensitive information. |
|||
|
18.7.24 |
Afrihost is a South African Internet Service Provider (ISP) that offers services such as ADSL broadband, wireless, mobile services, and web hosting. |
|||
|
18.7.24 |
CVE-2024-36401 (CVSS score: 9.8) is a vulnerability in OSGeo GeoServer GeoTools, with evidence of active exploitation. |
|||
|
18.7.24 |
Threat researchers discovered malware disguised as cracked versions of MS Office. |
|||
|
18.7.24 |
BadPack is a method observed in malware which targets Android mobile devices. |
|||
|
18.7.24 |
HotPage: Story of a signed, vulnerable, ad-injecting driver |
Adware |
||
|
18.7.24 |
SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts |
AI |
||
|
18.7.24 |
TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies |
GROUP |
||
|
18.7.24 |
(CVSS score: 9.8) - Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability |
CVE |
||
|
18.7.24 |
(CVSS score: 8.6) - SolarWinds Serv-U Path Traversal Vulnerability |
CVE |
||
|
18.7.24 |
(CVSS score: 6.5) - VMware vCenter Server Incorrect Default File Permissions Vulnerability |
CVE |
||
|
18.7.24 |
North Korean Hackers Update BeaverTail Malware to Target MacOS Users |
Stealer |
||
|
17.7.24 |
RCE (Remote Command Execution) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server from 1.0.0 before 1.3.0 on Java8 and Java11. Users are recommended to upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue. |
CVE |
||
|
17.7.24 |
Italian government agencies and companies in the target of a Chinese APT |
APT |
||
|
17.7.24 |
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks |
APT |
||
|
16.7.24 |
Threat researchers have identified Quasar RAT malware being distributed via a private Home Trading System (HTS), a tool that allows investors to trade from their own PCs. However, the HTS (aka HPlus) used in these attacks is unsearchable and its provider remains unknown. |
|||
|
16.7.24 |
An ongoing campaign has revealed a stealer malware initially distributed through Word documents. This malware infects computers, retrieves the device’s IP address, and subsequently sends the user’s browser information to a dedicated command-and-control (C2) server operated by the attackers, with the data customized for different countries. |
|||
|
16.7.24 |
CVE-2024-36991 - Path Traversal vulnerability in Splunk Enterprise |
CVE-2024-36991 (CVSS: 7.5 High) is a path traversal vulnerability in Splunk Enterprise, a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data, helping organizations derive insights from this data. |
||
|
16.7.24 |
NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS |
Backdoor |
||
|
16.7.24 |
MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign |
GROUP |
||
|
16.7.24 |
CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks |
GROUP |
||
|
16.7.24 |
OSGeo GeoServer GeoTools Eval Injection Vulnerability |
CVE |
||
|
15.7.24 |
How SYS01 Stealer Will Get Your Sensitive Facebook Info |
Stealer |
||
|
15.7.24 |
Since early 2024, an ongoing phishing campaign has been targeting Spanish speakers, distributing a new remote access trojan (RAT) known as Poco RAT. |
|||
|
15.7.24 |
Since February 2024, researchers have been tracking the evolving threat actor CRYSTALRAY. The group was observed leveraging a network mapping tool called SSH-Snake, a self-modifying worm that exploits compromised SSH credentials to spread through networks. |
|||
|
15.7.24 |
In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild. |
RANSOMWARE |
||
|
14.7.24 |
CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools |
GROUP |
||
|
13.7.24 |
The core of the RADIUS protocol predates modern secure cryptographic design. Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5. In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks. |
PAPERS |
||
|
13.7.24 |
Blast-RADIUS, an authentication bypass in the widely used RADIUS/UDP protocol, enables threat actors to breach networks and devices in man-in-the-middle MD5 collision attacks. |
PROTOCOL |
||
|
13.7.24 |
Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated) |
|||
|
13.7.24 |
Poultry Farm Management System v1.0 - Remote Code Execution (RCE) |
|||
|
13.7.24 |
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers |
INCIDENT |
||
|
13.7.24 |
DarkGate: Dancing the Samba With Alluring Excel Files |
RAT |
||
|
13.7.24 |
Use-after-free vulnerability in lighttpd version 1.4.50 and earlier |
A use-after-free vulnerability in lighttpd in versions 1.4.50 and earlier permits a remote, unauthenticated attacker to trigger lighttpd to read from invalid pointers in memory. The attacker can use crafted HTTP requests to crash the web server and/or leak memory in order to access sensitive data. |
ALERT |
|
|
13.7.24 |
A vulnerability in the RADIUS protocol allows an attacker to forge an authentication response in cases where a Message-Authenticator attribute is not required or enforced. This vulnerability results from a cryptographically insecure integrity check when validating authentication responses from a RADIUS server. |
ALERT |
||
|
12.7.24 |
2024-06-25 - Latrodectus infection with BackConnect and Keyhole VNC |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
|
|
12.7.24 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
||
|
12.7.24 |
2024-06-17 - Google ad --> fake unclaimed funds site --> Matanbuchus with Danabot |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
|
|
12.7.24 |
OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials. |
|||
|
12.7.24 |
Vultur Campaign: Clothing Retailer Brand Abused in Fake App Scheme |
Brands of all genres are constantly abused by cybercriminals to target specific demographics, and financial institutions are usually the ones most impersonated. |
||
|
12.7.24 |
Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku. |
|||
|
12.7.24 |
Tax-Themed Android Malware Targeting Uzbekistan Mobile Users |
Taxes have been and continue to be prevalently used in social engineering tactics around the world to trick users (both consumers and enterprises) into deploying malware on their machines, entangling themselves in BEC scams, inputting sensitive data into phishing websites, and more. |
||
|
12.7.24 |
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users. |
CVE |
||
|
12.7.24 |
This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile. |
CVE |
||
|
12.7.24 |
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. |
CVE |
||
|
11.7.24 |
Despite group disruptions, ransomware activity not decreasing |
In a newly released report, Symantec’s Threat Hunter Team shares insight into observed ransomware activity. The data shows that despite disruptions affecting Lockbit and Noberus groups and a downward trend between the last quarter of 2023 and the first quarter of 2024, activity is still on the rise. |
||
|
11.7.24 |
ViperSoftX: Evolving tactics from Torrent software lures to eBook disguises |
ViperSoftX is an infostealer that continues to evolve and enhance its tactics and techniques. Initially, attackers leveraged pirated versions of popular software to lure users, often distributed through torrent sites. |
||
|
11.7.24 |
GuardZoo: Android spyware targeting Middle Eastern defense entities |
An Android spyware dubbed GuardZoo has been observed targeting defense entities in the Middle East. It is believed to be associated with the Houthi rebel faction in Yemen. |
||
|
11.7.24 |
Symantec is aware of a remote code execution vulnerability (CVE-2024-29510) in the "Ghostscript" document conversion toolkit used on Linux systems. |
|||
|
11.7.24 |
The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. |
Anti-ransom |
||
|
11.7.24 |
GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 |
CVE |
||
|
11.7.24 |
Patch or Peril: A Veeam vulnerability incident |
INCIDENT |
||
|
11.7.24 |
DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1 |
Loader |
||
|
11.7.24 |
New Malware Campaign Targeting Spanish Language Victims |
RAT |
||
|
10.7.24 |
Water Sigbin exploits vulnerabilities to deliver cryptocurrency miner |
The threat actor Water Sigbin (aka 8220 Gang) has exploited vulnerabilities in Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to deliver a cryptocurrency miner called XMRig to the compromised systems. |
||
|
10.7.24 |
In this bulletin, however, we'll talk about sideloading as it relates to the cybersecurity field. MITRE defines sideloading attacks in T1574.002 as a type of (search order) Hijack Execution Flow, which exploits the way Windows applications load DLLs. |
|||
|
10.7.24 |
Microsoft Office Remote Code Execution Vulnerability |
CVE |
||
|
10.7.24 |
Windows Hyper-V Elevation of Privilege Vulnerability |
CVE |
||
|
10.7.24 |
Windows MSHTML Platform Spoofing Vulnerability |
CVE |
||
|
10.7.24 |
.NET and Visual Studio Remote Code Execution Vulnerability |
CVE |
||
|
10.7.24 |
Huione Guarantee: The multi-billion dollar marketplace used by online scammers |
SPAM |
||
|
10.7.24 |
The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution |
Malware |
||
|
10.7.24 |
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child due to a race condition in signal handling |
CVE |
||
|
9.7.24 |
A recent report by CTA member Rapid7 disclosed that installers of the popular sticky-note app 'Notezilla' have been trojanized in order to deliver malware. |
|||
|
9.7.24 |
In early 2024, threat researchers exposed the DarkGate campaign, exploiting CVE-2024-21412 via fake software installers. Afterwards, the APT group Water Hydra used the same vulnerability to target financial traders with the DarkMe RAT, bypassing SmartScreen. |
|||
|
9.7.24 |
RADIUS is almost thirty years old, and uses cryptography based on MD5. Given that MD5 has been broken for over a decade, what are the implications for RADIUS? Why is RADIUS still using MD5? |
Protocol |
||
|
9.7.24 |
Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective |
CRYPTOCURRENCY |
||
|
9.7.24 |
Lookout Discovers Houthi Surveillanceware Targeting Middle Eastern Militaries |
Android |
||
|
9.7.24 |
People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action |
APT |
||
|
8.7.24 |
Caught in the Net: Using Infostealer |
In this proof-of-concept (PoC) report, we used Recorded Future Identity Intelligence's vast trove of information stealer ("infostealer") malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and arrive at geographic and behavioral trends for the most popular sources. |
PAPERS |
|
|
8.7.24 |
Eldorado Ransomware: The New Golden Empire of Cybercrime? |
RANSOM |
||
|
8.7.24 |
StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe |
Stealer |
||
|
8.7.24 |
Satanstealer is a new open source infostealing malware shared on GitHub. The malware collects and exfiltrates various types of information such as browser cookies, passwords, registered phone numbers, and email client details. |
Stealer |
||
|
8.7.24 |
‘Poseidon’ Mac stealer distributed via Google ads |
Stealer |
||
|
8.7.24 |
0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID. |
Stealer |
||
|
8.7.24 |
A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection. |
Stealer |
||
|
8.7.24 |
Kematian-Stealer : A Deep Dive into a New Information Stealer |
Stealer |
||
|
8.7.24 |
CloudSorcerer – A new APT targeting Russian government entities |
APT |
||
|
8.7.24 |
A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation. |
|||
|
8.7.24 |
Beware of Orcinius trojan's multi-stage attack via Dropbox and Google docs |
Beware of the Orcinius trojan malware! It's a multi-stage trojan reported to utilize Dropbox and Google Docs as part of its attack vector for downloading secondary payloads. |
||
|
8.7.24 |
A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection. |
|||
|
8.7.24 |
The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending a malicious --split-string env request if the built-in SSH server is activated. Windows installations are unaffected. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows deletion of internal files. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows argument injection during the previewing of changes. |
CVE |
||
|
8.7.24 |
Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
CVE |
||
|
8.7.24 |
Mekotio Banking Trojan Threatens Financial Systems in Latin America |
Banking |
||
|
5.7.24 |
Mekotio is a banking trojan active in the threat landscape since at least 2015 and targeting predominantly the Latin America region. |
|||
|
5.7.24 |
Nigeria features a vibrant religious landscape with multiple different faiths shaping the country. |
|||
|
5.7.24 |
Fake sex tapes remain a common social engineering lure used by malware actors due to their ability to evoke strong emotions potentially resulting in impulsive actions. |
|||
|
5.7.24 |
CVE-2024-37051 is a recently disclosed critical vulnerability impacting Jetbrains IntelliJ integrated development environment (IDE) apps. |
|||
|
5.7.24 |
LukaLocker is a newly seen offering from a ransomware group dubbed Volcano Demon. Recently observed attacks were prefaced by exfiltration of data using harvested credentials. |
|||
|
5.7.24 |
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks |
Loader |
||
|
5.7.24 |
New Threat: A Deep Dive Into the Zergeca Botnet |
BOTNET |
||
|
5.7.24 |
PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution |
ICS |
||
|
5.7.24 |
PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure |
ICS |
||
|
4.7.24 |
Former reports detailed how AsyncRAT malware is usually distributed via file extensions such as .chm, .wsf, and .lnk. |
|||
|
4.7.24 |
CosmicSting (CVE-2024-34102) - XXE vulnerability is targeting Adobe Commerce and Magento |
CVE-2024-34102 is a critical (CVSS: 9.8) XML External Entity Reference (XXE) vulnerability in Adobe commerce and Magento, which are popular E-commerce platforms. |
||
|
4.7.24 |
CVE-2024-29849 - Veeam Backup Enterprise Manager authentication bypass vulnerability |
CVE-2024-29849 is a recently disclosed critical authentication bypass vulnerability (CVSS score 9.8) affecting Veeam Backup Enterprise Manager. |
||
|
4.7.24 |
CVE-2024-36104 - Path Traversal vulnerability in Apache OFBiz |
CVE-2024-36104 is a Path traversal vulnerability in Apache OFBiz, which is a comprehensive suite of business applications. |
||
|
4.7.24 |
k4spreader: New malware tool used by '8220' Chinese threat actor group |
A new malware tool known as k4spreader has been observed being used by the '8220' Chinese threat actor group in recent campaigns. |
||
|
4.7.24 |
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems |
Spyware |
||
|
3.7.24 |
A Brief History of SmokeLoader, Part 2 |
Loader |
||
|
3.7.24 |
A Brief History of SmokeLoader, Part 1 |
Loader |
||
|
3.7.24 |
Exposing FakeBat loader: distribution methods and adversary infrastructure |
Loader |
||
|
3.7.24 |
Kimsuky Group's New Backdoor Appears (HappyDoor) |
Backdoor |
||
|
3.7.24 |
Xctdoor Malware Used in Attacks Against Korean Companies (Andariel) |
Backdoor |
||
|
3.7.24 |
Symantec is aware of the "regreSSHion" vulnerability (CVE-2024-6387), which is a critical remote code execution (RCE) flaw in OpenSSH. |
|||
|
3.7.24 |
Protection Highlight: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability |
PHP is a general-purpose server scripting language and a powerful scripting tool for making dynamic and interactive Web pages. |
||
|
3.7.24 |
Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. |
|||
|
3.7.24 |
CVE-2024-31982 is a recently disclosed remote code execution (RCE) vulnerability affecting XWiki, which is a popular open-source and Java-based wiki platform. |
|||
|
2.7.24 |
Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predict |
This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs. |
CPU |
|
|
2.7.24 |
High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor |
This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake). |
CPU |
|
|
2.7.24 |
Cisco NX-OS Software CLI Command Injection Vulnerability |
CVE |
||
|
2.7.24 |
Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications |
CVE |
||
|
2.7.24 |
Renewed malicious activity associated with the Datebug APT (aka Transparent Tribe or APT36) has been reported by researchers from SentinelOne. |
|||
|
2.7.24 |
Poseidon is a new infostealer variant targeting the macOS platform. The malware is an evolution of the older variant known as RodStealer. |
|||
|
2.7.24 |
MerkSpy malware payload delivered through exploitation of CVE-2021-40444 vulnerability |
Researchers from Fortinet have reported on a new campaign delivering the MerkSpy malware. |
||
|
2.7.24 |
Researchers have reported a new stealer-type malware dubbed Kematian. |
|||
|
2.7.24 |
ZainCash, a comprehensive mobile wallet service licensed under the Central Bank of Iraq, designed to provide a variety of digital financial services, has become one of the latest Fintech brands abused by cybercriminals. |
|||
|
1.7.24 |
CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts |
Android |
||
|
1.7.24 |
Beware of Snowblind: A new Android malware |
Android |
||
|
1.7.24 |
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server |
CVE |
||
|
1.7.24 |
2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) |
CVE |
||
|
30.6.24 |
Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware |
GROUP |
||
|
30.6.24 |
Service Outages on Multiple Websites of the KADOKAWA Gro |
GROUP |
||
|
28.6.24 |
Unfurling Hemlock: Deploying malware cluster bomb for multi-malware infections |
The threat actor known as Unfurling Hemlock has been identified employing a method called "malware cluster bomb" to infect target systems with multiple malware families simultaneously. |
||
|
28.6.24 |
Latrodectus malware campaign: Phishing with Firebase URLs and remote access tactics |
Latrodectus is a popular loader utilized by threat actors to download payloads and execute arbitrary commands. Phishing emails are the most common attack vector for distributing the Latrodectus malware. |
||
|
28.6.24 |
Ransomware used as cover for suspected China-backed APT group ChamelGang activities |
According to a recently published report, a suspected China-backed APT group named ChamelGang (aka CamoFei) has been disguising its cyberespionage operations by also incorporating ransomware. |
||
|
28.6.24 |
Threat actor group UAC-0184 has targeted Ukraine using a malware campaign to deliver a RAT known as XWorm. The XWorm malware compromises systems using evasive techniques and Python-related files. |
|||
|
28.6.24 |
0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID. |
|||
|
28.6.24 |
Latest P2Pinfect malware variant spreads ransomware and coinminers |
A new P2Pinfect variant has been reported to spread both ransomware and Monero coinminer payloads in recent campaigns. P2Pinfect is a Rust-based botnet leveraging peer-to-peer (P2P) communication as its C&C mechanism. |
||
|
28.6.24 |
CVE-2024-4358 & CVE-2024-1800 - vulnerabilities in Telerik Report Server |
CVE-2024-4358 and CVE-2024-1800 are two recently disclosed vulnerabilities affecting the Telerik Report Server. |
||
|
28.6.24 |
Threat actor Boolka compromising websites with BMANAGER malware |
Threat actor Boolka has been carrying out opportunistic SQL injection attacks against websites. When unsuspecting visitors land on the infected site(s), the JS inserted into the site(s) collects and exfiltrates the users' inputs and interactions (such as credentials and other personal information). |
||
|
28.6.24 |
Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including the United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey. |
|||
|
26.6.24 |
Unstable and Condi botnets abusing cloud services for malicious activities |
As recently reported by researchers from Fortinet, the Unstable and Condi botnets have been abusing various cloud services for storage and distribution of malware binaries as well as for C2 communication purposes. |
||
|
26.6.24 |
CVE-2024-23692 - Rejetto HTTP File Server Server Side Template Injection vulnerability |
CVE-2024-23692 is a recently disclosed critical template injection vulnerability affecting Rejetto HTTP File Server (HFS) version 2.3m. Rejetto HFS is a web-based file sharing solution allowing sending and receiving files over HTTP. |
||
|
26.6.24 |
ClickFix: Exploiting social engineering via PowerShell for malware deployment |
There is a growing cybersecurity trend where users are deceived into copying and pasting malicious PowerShell scripts into an administrative PowerShell terminal window, leading to malware installation. |
||
|
26.6.24 |
A phishing email campaign utilizing a URL shortener in a Microsoft Word file attachment, exploiting the CVE-2017-0199 vulnerability, has been reported in the wild. The URL redirect enticed users to download a variant of Equation Editor malware in RTF format. |
|||
|
26.6.24 |
SpiceRAT is a new malware variant identified by Cisco Talos. The malware has been attributed to a threat actor known as SneakyChef that has been conducting malicious campaigns against governmental entities in EMEA. |
|||
|
26.6.24 |
A new variant of the Android malware SpyMax has been observed in recent campaigns targeting Telegram users. The malicious .apk binaries are spread via a website masquerading as a legitimate Telegram app download portal. |
|||
|
26.6.24 |
ExCobalt cyber espionage campaign targets Russian organizations with GoRed backdoor |
A cyber espionage campaign targeting Russian organizations by the ExCobalt threat actor has been observed. This campaign specifically targets government entities and IT firms. |
||
|
26.6.24 |
CVE-2024-29824 - SQL Injection Vulnerability in Ivanti Endpoint Manager |
CVE-2024-29824 is a critical SQL injection vulnerability in the Core server of Ivanti Endpoint Manager, which is an enterprise endpoint management solution that allows for centralized management of devices within an organization. |
||
|
26.6.24 |
PHANTOM#SPIKE campaign makes use of .chm files to deliver custom backdoors |
PHANTOM#SPIKE is a recent malicious campaign identified in the wild. The attackers leverage phishing lures with password protected .rar and .zip archives. |
||
|
26.6.24 |
Red Mongoose Daemon is a new banking malware variant identified by researchers from Scitum. The malware has been observed in campaigns targeting banking users and organizations in Brazil. |
|||
|
26.6.24 |
Apache HTTP Server CVE-2021-41773 vulnerability under active exploitation |
CVE-2021-41773 is a critical (CVSS score 7.5) path traversal and file disclosure vulnerability affecting Apache HTTP Server. If successfully exploited, this vulnerability enables unauthorized access to sensitive information. |
||
|
26.6.24 |
Web shell attacks are a common technique used by attackers to maintain persistence and remotely access web servers during cyberattacks. |
|||
|
26.6.24 |
Rafel RAT is an open-source mobile malware observed in some recent campaigns targeting Android users. As reported by Checkpoint, the malware is a versatile tool that allows the attackers both data exfiltration as well as remote control over the infected device. |
|||
|
26.6.24 |
Satanstealer is a new open-source infostealing malware shared on GitHub. |
|||
|
26.6.24 |
QR Code-Embedded PDFs exploit Financial Institutions via ONNX Store |
A new phishing campaign involving embedded QR codes in PDF attachments has been reported. ONNX Store, a known Phishing-as-a-Service (PhaaS) platform, has been used to orchestrate this campaign targeting financial institutions. |
||
|
26.6.24 |
A new loader malware dubbed SquidLoader has been reported as being actively distributed via phishing campaigns targeting Chinese-speaking users. The malware employs various evasion and decoy techniques in order to stay under the radar and avoid detection. |
|||
|
26.6.24 |
Fake Employee evaluation reports from Human Resources (HR) appear in new phish run |
Threat actors continue masquerading as members of the Human Resources (HR) department in efforts to spread a new wave of phishing emails. |
||
|
26.6.24 |
In a newly released report, Symantec's Threat Hunter Team provides an analysis of activity observed impacting telecommunications operators in a specific Asian country. |
|||
|
26.6.24 |
TA571 has recently been observed utilizing malicious HTML files in malspam campaigns. These files, once opened, copy a malicious PowerShell script to the user's clipboard while displaying an image that states the attached document is broken, |
|||
|
26.6.24 |
Fickle Stealer is a recently observed malware written in Rust. Attackers leverage multiple delivery methods in a multi-stage attack chain to distribute the payload. |
|||
|
27.6.24 |
ChamelGang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware |
Gang |
||
|
26.6.24 |
Inside the DEA Tool Hackers Allegedly Used to Extort Targets |
APT |
||
|
26.6.24 |
ExCobalt: GoRed, the hidden-tunnel technique |
Cyber Gang |
||
|
20.6.24 |
Sustained Campaign Using Chinese Espionage Tools Targets Telcos |
CAMPAIGN |
||
|
19.6.24 |
The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications |
Scam |
||
|
19.6.24 |
AzzaSec is another run-of-the-mill ransomware variant found being distributed in the wild. The malware encrypts user files and appends .AzzaSec extension to them. The attackers behind this variant leave a ransom note demanding payment in Bitcoin for the file decryption. |
|||
|
19.6.24 |
A new variant of an open-source LKM (Loadable Kernel Module) rootkit dubbed Diamorphine has been found in the wild. |
|||
|
19.6.24 |
Malvertising Campaign Targets Users With Fake Software Installers |
A malvertising campaign has been observed, enticing users to download masqueraded installers disguised as popular software such as Google Chrome and Microsoft Teams. |
||
|
19.6.24 |
Malware campaigns affecting users in Latin America and the Asia Pacific regions have recently been reported. These campaigns target users of popular commercial software such as the Cisco Webex Meetings App, enticing them to download password-protected archive files containing trojanized software copies. |
|||
|
19.6.24 |
Rogue Raticate Malspam Campaign: Malicious PDFs Lead to NetSupport RAT |
The cybercriminal group known as Rogue Raticate (aka RATicate) has been active for a few years now and is well-known for targeting enterprises using malicious emails and remote access trojans. This week another one of their campaigns was observed. |
||
|
19.6.24 |
Cloaked and Covert: Uncovering UNC3886 Espionage Operations |
|||
|
19.6.24 |
Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework |
Malware |
||
|
18.6.24 |
Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. |
PowerShell |
||
|
18.6.24 |
A recent malware campaign targeting macOS vulnerabilities to distribute infostealers has surfaced. The threat actor, identified as markopolo, is actively aiming at cryptocurrency users. |
|||
|
18.6.24 |
Cryptojacking campaign exploiting Docker engine vulnerabilities |
A new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen malware campaign dubbed Spinning YARN. The attack vector starts by scanning for open port 2375 and deploying an Alpine Linux container. |
||
|
18.6.24 |
Rapax is a ransomware whose binaries have recently been submitted to a public malware analysis and detection platform. The ransom note found on compromised machines (instruction.txt) reveals that the author focuses solely on encrypting files rather than employing exfiltration and double-extortion tactics, demanding a ransom of 5,000 US dollars in Bitcoin for decryption. |
|||
|
18.6.24 |
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion |
Loader |
||
|
18.6.24 |
Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence |
Malware |
||
|
18.6.24 |
Multiple VMware vCenter Server Flaws Allow Remote Code Execution |
CVE |
||
|
17.6.24 |
Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT |
RAT |
||
|
17.6.24 |
Limpopo is a new ransomware variant targeting vulnerable ESXi servers, as reported by Fortinet. |
|||
|
17.6.24 |
CVE-2024-28995 - SolarWinds Serv-U Directory Traversal vulnerability |
CVE-2024-28995 is a recently disclosed directory traversal vulnerability affecting the Serv-U managed file transfer (MFT) server solution. |
||
|
17.6.24 |
Deep Dive into the Unfading Sea Haze: A technical look at a threat actor's ever-evolving tools and tactics |
REPORT |
||
|
17.6.24 |
The vulnerable edge of enterprise security |
PAPERS |
||
|
17.6.24 |
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence |
OPERATION |
||
|
17.6.24 |
Unfading Sea Haze: New Espionage Campaign in the South China Sea |
OPERATION |
||
|
17.6.24 |
Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device. |
CVE |
||
|
17.6.24 |
Certain ASUS router models have an authentication bypass vulnerability, allowing unauthenticated remote attackers to log in to the device. |
CVE |
||
|
17.6.24 |
TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi |
PAPERS |
||
|
17.6.24 |
TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi |
ARM CPU |
||
|
17.6.24 |
Backdoor BadSpace delivered by high-ranking infected websites |
Backdoor |
||
|
17.6.24 |
Botnet Installing NiceRAT Malware |
RAT |
||
|
16.6.24 |
Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit) |
|||
|
16.6.24 |
WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated) |
|||
|
16.6.24 |
PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows) |
|||
|
16.6.24 |
AEGON LIFE v1.0 Life Insurance Management System - SQL injection vulnerability |
|||
|
16.6.24 |
AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE) |
|||
|
16.6.24 |
AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS) |
|||
|
15.6.24 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
MALWARE TRAFFIC |
||
|
15.6.24 |
DISGOMOJI Malware Used to Target Indian Government |
Linux |
||
|
15.6.24 |
Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale |
Banking |
||
|
14.6.24 |
(CVSS score: 4.6) - An SQL injection flaw when displaying a QR code into the device's camera by passing a specially crafted request containing a quotation mark, thereby allowing an attacker to authenticate as any user in the database |
CVE |
||
|
14.6.24 |
(CVSS score: 10.0) - A set of command injection flaws that allows for execution of arbitrary OS commands with root privileges |
CVE |
||
|
14.6.24 |
(CVSS score: 7.5) - A set of arbitrary file read flaws that allows an attacker to bypass security checks and access any file on the system, including sensitive user data and system settings |
CVE |
||
|
14.6.24 |
(CVSS score: 10.0) - A set of arbitrary file write flaws that allows an attacker to write any file on the system with root privileges, including altering the user database to add rogue users |
CVE |
||
|
14.6.24 |
(CVSS score: 7.5) - A set of SQL injection flaws that allows an attacker to inject malicious SQL code and perform unauthorized database operations and siphon sensitive data |
CVE |
||
|
14.6.24 |
(CVSS score: 10.0) - A set of stack-based buffer overflow flaws that allows an attacker to execute arbitrary code |
CVE |
||
|
14.6.24 |
Insights on Cyber Threats Targeting Users and Enterprises in Brazil |
GROUP |
||
|
14.6.24 |
Exploiting ML models with pickle file attacks: Part 2 |
ML |
||
|
14.6.24 |
Exploiting ML models with pickle file attacks: Part 1 |
ML |
||
|
14.6.24 |
Arid Viper poisons Android apps with AridSpy |
APT |
||
|
14.6.24 |
Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices |
APT |
||
|
14.6.24 |
Operation Celestial Force employs mobile and desktop malware to target Indian entities |
OPERATION |
||
|
14.6.24 |
In Bad Company: JScript RAT and CobaltStrike |
RAT |
||
|
14.6.24 |
Dissecting SSLoad Malware: A Comprehensive Technical Analysis |
Loader |
||
|
14.6.24 |
There is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
CVE |
||
|
14.6.24 |
OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. The malware encrypts user files, replaces their names with a random character string and appends a ".OPIX" extension. For example, a file called "test.txt" becomes something like "B532D3Q9.OPIX". |
RANSOM |
||
|
14.6.24 |
In a recent malspam campaign attackers appear to have altered their tactics in order to avoid detection. Instead of the typical approach of sending direct emails with malicious links, in this case they began with benign emails discussing a random scenario. |
Virus |
||
|
14.6.24 |
El Dorado is a double-extortion ransomware actor who has recently claimed multiple victims on their website. Once they gain access to a company, they search for machines with valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files. |
RANSOM |
||
|
14.6.24 |
A new malicious campaign dubbed 'Operation Celestial Force' has been reported by researchers from Cisco Talos. The campaign has been active since at least 2018 and targets Indian organizations from the defense, government and technology sectors. |
OPERATION |
||
|
14.6.24 |
As part of June's Patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability, CVE-2024-30080. By sending specially crafted malicious MSMQ packets to vulnerable servers and thus exploiting the vulnerability, attackers might achieve remote code execution and take over the unpatched server. |
VULNEREBILITY |
||
|
14.6.24 |
CVE-2024-4701 - Netflix Genie job orchestration engine vulnerability |
CVE-2024-4701 is a recently disclosed critical (CVSS score 9.9) path traversal vulnerability affecting Netflix's Genie job orchestration engine for big data applications. If successfully exploited, the vulnerability might allow remote attackers arbitrary code execution within the vulnerable applications as well as sensitive information exposure. The vulnerability has already been patched in Genie OSS version 4.3.18. |
VULNEREBILITY |
|
|
14.6.24 |
CVE-2024-2194 is a recently disclosed stored cross-site scripting vulnerability affecting the WP Statistics plugin for WordPress in versions up to 14.5. If successfully exploited, the vulnerability might allow unauthenticated attackers to inject arbitrary web scripts into pages. |
VULNEREBILITY |
||
|
13.6.24 |
Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups |
RAT |
||
|
13.6.24 |
Pause off my cluster: DERO cryptojacking takes a new shape |
CRYPTOCURRENCY |
||
|
13.6.24 |
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day |
RANSOMWARE |
||
|
13.6.24 |
Windows Error Reporting Service Elevation of Privilege Vulnerability |
CVE |
||
|
13.6.24 |
Dipping into Danger: The WARMCOOKIE backdoor |
Backdoor |
||
|
13.6.24 |
Noodle RAT malware supports both Windows and Linux deployments |
Noodle RAT is a malware variant recently identified by researchers from Trend Micro. This RAT has been reported as being used in targeted campaigns in the Asia-Pacific region. Noodle RAT is a modular malware with relatively straightforward capabilities and displays several code overlaps with Gh0st RAT and Rekoobe malware families. |
Virus |
|
|
13.6.24 |
Adwind (aka jRAT) distributed in recent campaigns targeting users in Italy |
Adwind malware (also known as jRAT or njRAT) has been observed in recent campaigns targeting users in Italy. The attack chain includes malspam emails containing .zip attachments. Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files. |
Virus |
|
|
13.6.24 |
WarmCookie is a new backdoor variant distributed in phishing campaigns advertising fake job offers. The attack chain leverages malicious JS scripts executing PowerShell commands that in turn lead to the download of WarmCookie DLL payloads. The attackers abuse the Background Intelligent Transfer Service (BITS) to download the malicious payloads. |
Virus |
||
|
13.6.24 |
Black Basta attackers leveraging CVE-2024-26169 vulnerability as a Zero-day |
In a newly released report, Symantec's Threat Hunter Team reviewed evidence suggesting that attackers linked to Black Basta ransomware compiled a CVE-2024-26169 exploit prior to patching. CVE-2024-26169 is a Windows Error Reporting Service vulnerability that can permit an attacker to elevate their privileges. |
Virus |
|
|
13.6.24 |
A malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack vector involves a downloader with an injected shellcode that dynamically resolves APIs and establishes a connection with the C2 server to download the next stage malware. |
Virus |
||
|
12.6.24 |
A recent phishing campaign spreading Remcos RAT employs themed documents related to shipping or quotations. The attack commences with a UUE-encoded VBS script, leading to another obfuscated VBS script upon decoding. This script facilitates the saving and execution of a PowerShell script, which in turn connects to a link to download an additional obfuscated PowerShell script. The purpose of this obfuscation chain is to evade detection. |
Virus |
||
|
12.6.24 |
Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot API |
Over the past few months, more and more phishing actors using malicious HTML have been following in the footsteps of infostealers and RATs, and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit card details. |
PHISHING |
|
|
12.6.24 |
TellYouThePass ransomware exploiting CVE-2024-4577 Argument Injection Vulnerability in PHP |
CVE-2024-4577 is a high-severity (CVSS: 9.8) argument injection vulnerability in PHP, which is a popular scripting tool. This vulnerability affects PHP when it runs in CGI mode. Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise and the delivery of malware including ransomware. |
VULNEREBILITY |
|
|
12.6.24 |
A new ransomware variant dubbed Fog has been recently distributed in the wild. The attackers behind this malware have been leveraging compromised VPN credentials to attack vulnerable networks of US organizations from the education and recreation sector. |
RANSOM |
||
|
12.6.24 |
AZStealer is a recently discovered Python-based infostealer variant. It has the functionality to steal a wide variety of information from the compromised endpoints including: data stored in browsers (cookies, history, bookmarks, passwords, saved credit card info and autofill data), Discord tokens, login sessions from miscellaneous applications including Steam, Uplay, Tiktok, Telegram, Twitch, Spotify, Reddit or Roblox. |
Virus |
||
|
12.6.24 |
Fireant APT targets Vietnamese entities with LNK file malware campaign |
A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack vector involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which helps the attackers to remotely execute various commands on the compromised system. |
APT |
|
|
12.6.24 |
Numerous malicious Python packages have been observed on the Python Package Index (PyPI) repository, aimed at exploiting typosquatting to target users of legitimate packages. For instance one such package, 'crytic-compilers', masquerades as the legitimate library 'crytic-compile' and is designed to distribute the Lumma stealer. Similarly, another malicious PyPI package, 'pytoileur', is capable of downloading and installing trojanized Windows binaries for purposes such as surveillance, persistence, and crypto theft. |
Virus |
||
|
12.6.24 |
DERO cryptojacking operation targeting Kubernetes infrastructure |
Dero, a cryptocurrency, offers better privacy, anonymity and faster rewards than Monero, and is often used in cryptojacking according to a March 2023 report. A recent report from a threat researcher discussed the cryptojacking campaign's evolution, where the attack vector involves exploiting an externally accessible Kubernetes API server with anonymous authentication enabled. |
CRYPTOCURRENCY |
|
|
12.6.24 |
Win32k Elevation of Privilege Vulnerability |
CVE |
||
|
12.6.24 |
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE |
||
|
12.6.24 |
Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
CVE |
||
|
12.6.24 |
Windows Wi-Fi Driver Remote Code Execution Vulnerability |
CVE |
||
|
12.6.24 |
Microsoft Outlook Remote Code Execution Vulnerability |
CVE |
||
|
12.6.24 |
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability New |
CVE |
||
|
12.6.24 |
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. |
CVE |
||
|
12.6.24 |
WHAT A SHOW! AN AMPLIFIED INTERNET SCALE DNS PROBING OPERATION |
OPERATION |
||
|
12.6.24 |
Technical Analysis of the Latest Variant of ValleyRAT |
RAT |
||
|
11.6.24 |
More_eggs Activity Persists Via Fake Job Applicant Lures |
Backdoor |
||
|
11.6.24 |
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion |
GROUP |
||
|
11.6.24 |
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory. This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0. |
CVE |
||
|
11.6.24 |
SSLoader malware uses PhantomLoader (an effective tool for deploying malware) to enhance its elusive and stealthy behavior. This malware infiltrates via phishing mail campaigns, performs reconnaissance while evading detection, and exfiltrates data back to threat actors while delivering payloads through various techniques. |
Virus |
||
|
11.6.24 |
It is generally known that JScript-based RATs are often spread via phishing campaigns, and a recent attack was spotted using the same technique as former runs where an initial loader script connects to a C&C server triggering the transmission of a new malicious script, known as the second stage loader. This loader then fetches a JScript RAT component from the server, enabling persistent operation and execution of commands received from the server. |
Virus |
||
|
11.6.24 |
Abusing Google Ads to distribute backdoor malware masquerading as Advanced IP Scanner |
A malicious backdoor malware, masquerading as an Advanced IP Scanner, has been observed in the wild. Advanced IP Scanner is a free network scanner for Windows, primarily used by IT administrators to analyze local area networks (LANs) and gather information about connected devices. |
Virus |
|
|
11.6.24 |
New Grandoreiro banking trojan campaign masquerading as government entities through spear-phishing |
A new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors are leveraging spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading ZIP files infected with malware. |
Virus |
|
|
11.6.24 |
Agent Tesla, an infostealing .NET-based RAT, has recently been observed being sent via Spanish-language malspam with attached XLA files. These files are crafted to take advantage of multiple old vulnerabilities in Office documents (CVE-2017-11882 and CVE-2017-0199), which cause Excel to automatically download and open remotely stored malicious RTF and JS files, eventually leading to an Agent Tesla infection. |
Virus |
||
|
10.6.24 |
Fake 'KMSPico Activator Tool' Utilized to Deliver Vidar InfoStealer |
Researchers recently identified another drive-by download campaign, wherein users are deceived into downloading a malware-laden application named 'KMSPico activator tool.' This tool is marketed as a "universal activator" for Windows, but is no longer maintained. |
GROUP |
|
|
10.6.24 |
Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks |
GROUP |
||
|
9.6.24 |
CVE-2024-4577: Proof of Concept Available for PHP-CGI Argument Injection Vulnerability |
CVE |
||
|
8.6.24 |
Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. In their attacks the threat actors leverage malicious .lnk files disguised as .docx documents, decoy .pdf files, malicious Batch and AutoIT scripts, among others. |
APT |
||
|
8.6.24 |
Seidr is another recent infostealer variant found in the wild and sold via illicit marketplaces. The malware is C++ based with a modular architecture. Functionality-wise, Seidr steals various information from the compromised endpoints including OS-related information, data collected from system browsers via keylogging, cryptocurrency wallets, etc. |
Virus |
||
|
8.6.24 |
DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending the ".DORRA" extension, a unique ID and the developer's email address to them. The ransomware drops a ransom note as a text file called "README-WARNING.txt" where the victims are asked to contact the attackers via provided email for further instructions regarding the data decryption. |
RANSOM |
||
|
8.6.24 |
A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. As part of the campaign, threat actors are deploying the Muhstik botnet, known for denial-of-service (DDoS) attacks. Muhstik provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching distributed denial-of-service attacks. |
BOTNET |
||
|
8.6.24 |
An updated version of the Vidar Stealer has been observed in the wild. This customizable malware is being sold on the dark web and Telegram channels as malware-as-a-service, leveraging social media platforms as part of its command-and-control infrastructure, and collaborating with other malware strains such as STOP/Djvu ransomware and SmokeLoader backdoor. |
Virus |
||
|
8.6.24 |
CashRansomware (aka CashCrypt) is a newly identified Ransomware‑as‑a‑Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to be still in active development. CashRansomware is C#-based malware that leverages time‑stomping techniques to detect its execution within a sandbox or a virtualized environment. |
RANSOM |
||
|
8.6.24 |
UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign |
The UNC1151 APT group has been observed conducting a malware campaign utilizing a malicious Excel document. This group is known for targeting Eastern European countries. In the recent campaign, UNC1151 has been observed targeting the Ukrainian Ministry of Defence, utilizing a malicious Excel document as a lure. |
APT |
|
|
7.6.24 |
appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated) |
|||
|
7.6.24 |
Veeam’s goal is to relentlessly advance data and cyber resilience to keep your business running. |
REPORT |
||
|
7.6.24 |
Renewed Info Stealer Campaign Targets Ukrainian Military |
CAMPAIGN |
||
|
7.6.24 |
SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign |
Stealer |
||
|
7.6.24 |
Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself. |
GROUP |
||
|
7.6.24 |
Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers |
Cryptojacking |
||
|
7.6.24 |
Muhstik Malware Targets Message Queuing Services Applications |
Trojan |
||
|
6.6.24 |
BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). |
App |
||
|
6.6.24 |
Russia-linked 'Lumma' crypto stealer now targets Python devs |
Stealer |
||
|
6.6.24 |
CVE-2024-32113 - Path Traversal vulnerability in Apache OFBiz |
CVE-2024-32113 is a recently disclosed path traversal vulnerability affecting Apache OFBiz, which is an open source enterprise resource planning (ERP) system. If successfully exploited the vulnerability might lead to remote code execution in the context of the affected service account. The vulnerability has been patched in Apache OFBiz product version 18.12.13 or above. |
VULNEREBILITY |
|
|
6.6.24 |
An increasing trend of abusing Packer apps as a technique to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily related to RATs and stealers, have been exploiting commercial Packer apps, targeting financial institutions and government organizations. BoxedApp packer is one such utility that offers features like virtual storage, virtual processes, and a virtual registry, making it harder for endpoint protection systems to detect or analyze malware. |
Virus |
||
|
6.6.24 |
The rise of Kiteshield packer in the ever-evolving landscape of Linux malware |
Threat actors are constantly seeking out new tactics and platforms to evade detection and carry out their espionage activities. Most recently, an increasing trend in targeting the Linux platform has been observed, resulting in a surge of Linux malware. Threat actors are leveraging the Kiteshield packer to evade detection on Linux platforms. |
Virus |
|
|
6.6.24 |
Reports have described what seems to be an accidental cyber threat activity where a CoinMiner's proxy server was exposed to the Internet and became the target of a ransomware threat actor's RDP scan attack. This kind of practice, if it becomes more common, may complicate threat analysis as it blurs the lines between different attack groups and their intentions. |
RANSOM |
||
|
6.6.24 |
SenSayQ is an emerging ransomware actor who has recently been observed in the threat landscape. At this time, their modus operandi remains shrouded, but they employ double-extortion tactics, exfiltrating data from companies' environments and encrypting their files. This group uses a Lockbit variant to conduct encryption and it drops ransom notes in most folders ([randomID].README.txt) whose content starts with "---Welcome! Your are locked by SenSayQ!---". Similar to other ransomware actors, victims are pressured to make contact within 72 hours or else their stolen data will be published on the attacker’s website. |
RANSOM |
||
|
6.6.24 |
A new Linux variant belonging to the TargetRansomware (aka Mallox) malware family has been found in the wild. As called out in a recent report published by Trend Micro, the threat group leveraging this latest Linux variant is actively conducting attacks against ESXi environments. The attackers are also using a custom shell script for the purpose of payload delivery and exfiltration of the victim's information. The malware encrypts user data and appends the .locked extension to the encrypted files. Upon completed encryption, a ransom note in the form of a text file called "HOW TO DECRYPT.txt" is dropped onto the victim's machine. |
RANSOM |
||
|
6.6.24 |
Cuckoo is an infostealing macOS malware initially discovered earlier this year. A new variant of it has just recently been observed in the wild. This variant has been distributed via a fake Homebrew macOS package manager website. The malware has the usual infostealing features allowing it to steal confidential information, credentials, browser cookies, cryptocurrency wallets and exfiltrate the collected data to C2 servers controlled by the attackers. The new Cuckoo variant has also added some VM environment detection capabilities. |
Virus |
||
|
6.6.24 |
In a newly released report, Symantec's Threat Hunter Team provides an analysis of the highly active RansomHub ransomware and its similarity to the now defunct Knight ransomware. Analysis indicates that the developers of RansomHub are different from those that developed Knight, but based on a significant overlap of code, it's assumed the RansomHub developers likely purchased the Knight source code, which was offered for sale in early 2024. As with others, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid in distribution. |
RANSOM |
||
|
6.6.24 |
The messaging application 'Signal' is famous among the military and is currently being exploited to deliver DarkCrystal RAT malware to government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins when the victim receives a message with an archive, password, and instructions to open it. Inside the archive is an executable file (".pif" or ".exe"), which is a RARSFX archive containing a VBE file, a BAT file, and an EXE file. Running these files infects the computer with DarkCrystal RAT malware, granting attackers unauthorized access. |
Virus |
||
|
6.6.24 |
Cobalt Strike campaign targets Ukraine using malicious Excel files |
A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. The attackers leverage a multi-staged approach while delivering Excel files containing malicious VBA macros, as well as DLL downloaders and injectors in later attack stages. The Cobalt Strike payloads allow the attackers to establish communication with command and control (C2) servers and execute arbitrary commands. |
CAMPAIGN |
|
|
6.6.24 |
Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade |
Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil. An actor has fabricated malicious Android applications (Nubank.apk) to appear related to Nubank. These applications are likely being distributed via malicious SMS or other social platforms. If a user is successfully lured and installs the fake Nubank app on their mobile device, they will end up with a well-known remote access trojan known as SpyNote. |
Virus |
|
|
6.6.24 |
CVE-2024-24919 - Check Point Security Gateway Information Disclosure Vulnerability |
CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway. Check Point Security Gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel. Successful exploitation of this vulnerability may allow an attacker to access certain information on internet-connected Gateways, which have been configured with IPSec VPN, remote access VPN, or mobile access software blade. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. |
VULNEREBILITY |
|
|
6.6.24 |
CVE-2024-27348 - Remote Code Execution vulnerability in Apache HugeGraph Server |
Recently, a critical remote code execution (RCE) vulnerability has been discovered in Apache HugeGraph-Server, identified as CVE-2024-27348 (CVSS: 9.8). Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. The vulnerability affects versions 1.0.0 to 1.3.0 in Java8 and Java11. This vulnerability allows an attacker to execute arbitrary commands on the server. If successfully exploited, the impact of this vulnerability can be severe, as it can allow unauthorized access to attackers to gain full control over the server, data manipulation, and potential compromise of the entire system. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. |
VULNEREBILITY |
|
|
6.6.24 |
Over the past year the ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target industries of various sizes. They are known to generate a lengthy ransom note (!!READ_ME!!.txt) with detailed information on what has been exfiltrated. Victims are provided with an ID and a password that allow them to connect with the ransomware group through a website on the TOR network. |
RANSOM |
||
|
6.6.24 |
A botnet malware campaign has been reported distributing the NiceRAT malware, disguising itself as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. NiceRAT is a Python-based open-source program with anti-debugging and anti-virtual machine capabilities. It collects system information, browser information, and cryptocurrency data from compromised systems and exfiltrates the collected data to threat actors' Discord channel, used as a Command and Control (C&C) server. |
Virus |
||
|
6.6.24 |
LummaC2 Infostealer Delivered via a Recent ClearFake Campaign |
ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. Recently, researchers uncovered a new strategy by ClearFake, where users are deceived into manually executing malicious code in PowerShell. This differs from previous tactics where users were typically lured into unwittingly downloading a malicious payload. The change aims to evade security measures and eventually install LummaC2 infostealer malware. |
Virus |
|
|
6.6.24 |
A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a financial-themed mail through which the recipient is lured into downloading an invoice (named "Nota Fiscal", Portuguese for invoice). The actual download is a malicious LNK file which leads to further downloads and execution of script components responsible for delivering the final malicious payload. Details regarding the campaign and suspected attacker information were made available in a newly published report by Cisco Talos. |
Virus |
||
|
6.6.24 |
RedTail cryptomining malware exploiting PAN-OS vulnerability |
RedTail cryptocurrency mining malware has added a PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now patched vulnerability that allows an attacker to execute arbitrary code with root user privileges. Successfully exploiting this PAN-OS vulnerability and executing the commands can lead to the download of the RedTail payload. This malware employs advanced evasion and persistence techniques. RedTail has also used other propagation mechanisms involving other vulnerability exploits (such as CVE-2023-46805 and CVE-2024-21887). |
CRYPTOCURRENCY |
|
|
5.6.24 |
Operation Crimson Palace: Sophos threat hunting unveils multiple clusters of Chinese state-sponsored activity targeting Southeast Asian government |
OPERATION |
||
|
5.6.24 |
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. |
HACKING |
||
|
5.6.24 |
RansomHub: New Ransomware has Origins in Older Knight |
RANSOMWARE |
||
|
5.6.24 |
This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request. |
CVE |
||
|
5.6.24 |
This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request. |
CVE |
||
|
5.6.24 |
This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device. |
CVE |
||
|
5.6.24 |
This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device. |
CVE |
||
|
5.6.24 |
This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device. |
CVE |
||
|
5.6.24 |
Hellhounds: operation Lahat |
RAT |
||
|
5.6.24 |
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. |
CVE |
||
|
5.6.24 |
During 2023, DarkGate made a comeback with a version full of new features, becoming one of the most preferred Remote Access Trojans (RATs) by malicious actors. |
RAT |
||
|
5.6.24 |
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. |
CVE |
||
|
5.6.24 |
Sophisticated RAT Targeting Gulp Projects on npm |
RAT |
||
|
3.6.24 |
Mobile malware statistics for Q1 2024: most common threats for Android, mobile banking Trojans, and ransomware Trojans. |
Malware |
||
|
3.6.24 |
Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices. |
Malware |
||
|
3.6.24 |
Kaspersky solutions blocked more than 658 million attacks from various online resources. |
Malware |
||
|
3.6.24 |
Hacking Millions of Modems (and Investigating Who Hacked My Modem) |
Hardware |
||
|
3.6.24 |
Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) |
APT |
||
|
3.6.24 |
Fake Browser Updates delivering BitRAT and Lumma Stealer |
Stealer |
||
|
3.6.24 |
Fake Browser Updates delivering BitRAT and Lumma Stealer |
RAT |
||
|
1.6.24 |
Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) |
|||
|
1.6.24 |
ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access |
|||
|
1.6.24 |
Check Point Security Gateway - Information Disclosure (Unauthenticated) |
|||
|
1.6.24 |
ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) |
|||
|
1.6.24 |
BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection |
|||
|
1.6.24 |
Lumen Technologies' Black Lotus Labs identified a destructive event in which over 600,000 small office/home office (SOHO) routers belonging to a single internet service provider (ISP) were taken offline. |
Hardware |
||
|
31.5.24 |
GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns |
REPORT |
||
|
31.5.24 |
GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns |
Operation |
||
|
31.5.24 |
This page is designed to gather a timeline of the Doppelganger operation with a few elements collected from different reports. |
Operation |
||
|
31.5.24 |
OpenAI is committed to enforcing policies that prevent abuse and to improving transparency around AI-generated content. |
AI |
||
|
31.5.24 |
UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. |
Group |
||
|
31.5.24 |
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. |
CVE |
||
|
31.5.24 |
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. |
CVE |
||
|
31.5.24 |
Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. |
Group |
||
|
31.5.24 |
A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. As reported by Cisco Talos, the attackers have been targeting vulnerable public-facing servers and leveraging compromised RDP credentials to deploy a wide range of tools and malware in their attacks. |
GROUP |
||
|
31.5.24 |
The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. Specializing in deploying cryptocurrency-mining malware, they primarily target cloud-based environments and Linux servers, exploiting known application vulnerabilities as part of their tactics, techniques, and procedures (TTPs). |
CRYPTOCURRENCY |
||
|
31.5.24 |
SmallTiger malware campaign reported targeting Korean companies |
A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. This malware acts as a downloader, connecting to the attackers' C&C server to fetch and execute the final payload in memory. |
CAMPAIGN |
|
|
30.5.24 |
AhMyth is malware that spreads through a few different infection vectors and uses various means to collect and exfiltrate sensitive information from infected devices. |
Android |
||
|
30.5.24 |
RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit |
Cryptocurrency |
||
|
30.5.24 |
(CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12 |
CVE |
||
|
30.5.24 |
(CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7 |
CVE |
||
|
30.5.24 |
(CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5 |
CVE |
||
|
30.5.24 |
The stealthy trilogy of PurpleInk, InkBox and InkLoader |
Group |
||
|
30.5.24 |
A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. The attack chain is initiated by users visiting compromised websites and triggering malicious JavaScript code that redirects them to fake update websites. Further down the chain, malicious PowerShell scripts lead to the retrieval of malware loaders and final payload execution. The attackers can leverage the delivered payloads to gain control over the compromised endpoints, execute remote commands, and steal information. |
Virus |
||
|
30.5.24 |
Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. The HTML attachment contains malicious code that kicks off processes with the main focus on exfiltrating victims’ financial information including banking credentials. |
Virus |
||
|
30.5.24 |
APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors. The group utilizes phishing emails to lure recipients into opening an attached or linked malicious ZIP or ISO file which leads to the data exfiltration tool being installed. |
APT |
||
|
30.5.24 |
NSIS-based packer usage observed in many common malware families |
The Nullsoft Scriptable Install System (NSIS) is a commonly used open source tool that cybercriminals also use for generating malware. It generates self-extracting custom installers, which have been observed delivering many different malware families. In a recent report, Check Point Research provided details on a group of packers built with this system. |
Virus |
|
|
30.5.24 |
A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. Multiple threat actors are employing various CatDDoS variants to target organizations across multiple sectors, including cloud vendors, communication providers, scientific and research entities, and educational institutions. The vulnerabilities exploited under CatDDoS affect numerous products and technologies, such as Jenkins servers, Apache ActiveMQ servers, Apache Log4j, Cisco Linksys, and NetGear routers, among others. |
BOTNET |
||
|
30.5.24 |
Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers in countries such as Argentina, Brazil, Chile, Colombia, and many more. |
Virus |
||
|
30.5.24 |
AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. The multi-staged infection chain leverages malicious .lnk files possibly delivered through phishing, BPyCode launcher binaries and a DLL loader dubbed ExecutorLoader that leads to the final AllaSenha payload. The malware functionality focuses on theft of user credentials associated with Brazil’s most popular banks. The targeted data includes passwords, QR codes and 2FA tokens. The malware abuses Azure Cloud infrastructure for the purpose of C2 communication and data exfiltration. |
Virus |
||
|
30.5.24 |
Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extension to them. Zonix drops a ransom note as a text file called "HOW TO DECRYPT FILES.txt" and also displays a pop-up window on the desktop demanding 1500 USD in bitcoin for the decryption of the locked files. |
RANSOM |
||
|
30.5.24 |
CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS |
CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. If successfully exploited the vulnerability might allow unauthorized attackers to access sensitive data. The product vendor has already released a patch to remediate this vulnerability in software versions 7.4.6, 7.3.13 and 7.2.8. |
VULNEREBILITY |
|
|
30.5.24 |
Emergence of a new North Korean threat actor dubbed Moonstone Sleet |
A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. This actor has been detected engaging in various deceptive tactics, including the establishment of fake companies and job listings to lure potential targets. Additionally, they have been distributing trojanized versions of legitimate software tools, developing malicious games, and introducing a novel custom ransomware named FakePenny, comprising a loader and an encrypter. Their targets span individuals and organizations across sectors such as software and information technology, education, and defense industrial base. |
APT |
|
|
30.5.24 |
Fraudulent PDF Viewer Login Pages Phishing for User Credentials |
A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. Meanwhile, hidden in the background, a malicious JavaScript will attempt to steal the victim's credentials. |
PHISHING |
|
|
30.5.24 |
Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event |
Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia. |
Virus |
|
|
30.5.24 |
According to a recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities predominantly in Colombia since at least April 2024. The threat actors have been observed to target various public organizations and other businesses with a variety of commodity malware variants such as Remcos, QuasarRAT, Neshta, XWorm or AsyncRAT. The attack chain often relies on phishing emails coming from compromised accounts. The attackers have been leveraging malicious .svg files either directly attached to malspam or hosted on public file hosting repositories. The attacks conducted by this threat group aim at information exfiltration and gaining control over the compromised endpoints. |
Virus |
||
|
30.5.24 |
TXZ file extension: Evolution of malware distribution in email campaigns |
Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers which include files like archives. In a recent campaign, multiple emails carrying files with the TXZ extension as attachments were observed. Late last year, Microsoft added native support to Windows 11 for the TXZ filetype. This means recipients of the malicious messages would have been able to open the TXZ attachment using Windows File Explorer if they are using the Windows 11 operating system. This shows that TXZ campaigns are actively used in some regionally targeted campaigns and can grow in the future with the adoption of Windows 11 or higher. |
Virus |
|
|
30.5.24 |
Gipy malware distributed under the disguise of AI voice generator tools |
A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. The malware binaries are disguised as an AI voice generator tool and distributed via phishing websites. Some examples of the package names observed for this malware are as follows: VoiceAIbeta-x64.exe, VoiceAIAdvancedPro.exe, VoiceAiPro-x64.exe, VoiceAIChanger.exe, etc. In addition to typical infostealing features, the malware has capabilities to download and execute additional arbitrary payloads. Various malware families have been observed among the payloads downloaded by Gipy, including Lumma Stealer, Redline Stealer, DCRat, RadxRAT, RisePro, TrueClient and more. |
Virus |
|
|
30.5.24 |
International law enforcement and partners have joined forces. We have been investigating you and your criminal undertakings for a long time and we will not stop here. |
BigBrother |
||
|
30.5.24 |
Detecting Cross-Origin Authentication Credential Stuffing Attacks |
Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. |
Incident |
|
|
30.5.24 |
PyPI crypto-stealer targets Windows users, revives malware campaign |
Python |
||
|
29.5.24 |
Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919) |
CVE |
||
|
29.5.24 |
ALLASENHA: ALLAKORE VARIANT LEVERAGES AZURE CLOUD C2 TO STEAL BANKING DETAILS IN LATIN AMERICA |
RAT |
||
|
29.5.24 |
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks |
APT |
||
|
28.5.24 |
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. |
CVE |
||
|
28.5.24 |
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. |
CVE |
||
|
28.5.24 |
DNSBOMB: A New Practical-and-Powerful Pulsing DoS Attack Exploiting DNS Queries-and-Responses |
DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses. |
DNS |
|
|
28.5.24 |
DNSBomb is a new practical and powerful pulsing DoS attack exploiting DNS queries and responses. |
DNS |
||
|
28.5.24 |
XLab's CTIA(Cyber Threat Insight Analysis) System continuously tracks and monitors the active mainstream DDoS botnets. Recently, our system has observed that CatDDoS-related gangs remain active and have exploited over 80 vulnerabilities over the last three months. Additionally, the maximum number of targets has been observed to exceed 300+ per day. |
BOTNET |
||
|
28.5.24 |
Attackers are always finding new ways to inject malware into websites and new ways to obscure it to avoid detection, but they’re always up to their same old tricks. In this post, we’ll explore how attackers are using a very obscure PHP snippet WordPress plugin to install server-side malware to harvest credit card details from a WooCommerce online store. |
Hacking |
||
|
28.5.24 |
Before the release of our binary zero-day identification feature, we tested and validated it on our firmware corpus to make sure we were providing meaningful analysis results. In the process, we identified numerous vulnerabilities that we reported to vendors. |
CVE |
||
|
28.5.24 |
The affected device exposes a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. |
CVE |
||
|
28.5.24 |
Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends the “.564ba1” extension to them. The ransom note is dropped in the form of a text file called “HOW_TO_RECOVER_FILES.txt” advising the victims to register on the attackers' portal via the provided onion site link. The threat actors behind this malware have been reported to be employing the double extortion technique by not only encrypting confidential data but also by exfiltrating it and threatening the victims with public release. |
RANSOM |
||
|
28.5.24 |
Rising popularity of Arc browser overshadowed by malvertising campaign |
The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. With its innovative user interface design that sets it apart from traditional browsers, it started receiving even more attention after becoming available for Windows, whereas previously it was only intended for macOS systems. |
CAMPAIGN |
|
|
28.5.24 |
Phishing campaign targeting financial institutions impersonates medical center |
A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. These files contain code from a Python clone of the Minesweeper game, along with malicious Python code that downloads additional scripts from a remote source. The scripts are then used to extract and run a legitimate remote computer management program called SuperOps RMM which provides unauthorized remote access to victims' computers. |
PHISHING |
|
|
28.5.24 |
There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. The malware is currently being advertised, and for now, consumers appear to be the focus via drive-by-download attacks. In addition, multiple tests are also being observed. |
Virus |
||
|
28.5.24 |
Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. These deceptive sites have been found hosting advanced malicious files, such as APKs, EXEs, and Inno Setup installers, which can deliver spyware like the Spynote Trojan and data-stealing malware such as Lumma and StealC. These malicious programs are adept at harvesting victim information, including browser data, and sending it to remote servers under the control of attackers. |
Virus |
||
|
28.5.24 |
CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. If successfully exploited, this vulnerability allows attackers to obtain the cookies of the administrator and fake their login using the cookies. The vulnerability has been fixed in versions 1.3.x DEV. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. |
VULNEREBILITY |
||
|
28.5.24 |
CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. Both flaws are code injection vulnerabilities and have been given the CVSS score of 7.5. If successfully exploited they might allow unauthenticated attackers to run malicious SQL statements through the BIG-IP Central Manager API. |
VULNEREBILITY |
||
|
28.5.24 |
CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog. Apache Flink is an open-source batch-processing framework used for distributed processing of streaming data and is widely used in the field of big data. If successfully exploited, this vulnerability allows unauthenticated attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. |
VULNEREBILITY |
|
|
28.5.24 |
In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk), impersonating two Uzbekistan banks: Xalq Banki and Ipak Yuli. If a user is successfully lured into installing these on their mobile phone, BankBot will monitor for when the user launches any banking apps it is coded to target. It will then leverage the classic overlay technique, overlaying a fake page on top of the legitimate one in order to steal the user's inputs, such as credentials. At this time, the vector of infection remains unknown but it's very likely that these are being spread via malicious SMS messages or redirections. |
Virus |
||
|
27.5.24 |
Navigating cyberthreats and strengthening defenses in the era of AI |
Group |
||
|
27.5.24 |
HTML smuggling is an innovative attack technique, which abuses HTML5 and JavaScript features to inject or extract data across network boundaries. |
HTML |
||
|
27.5.24 |
Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling |
Phishing |
||
|
27.5.24 |
Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages |
Campaign |
||
|
25.5.24 |
Space Pirates: analyzing the tools and connections of a new hacker group |
Group |
||
|
25.5.24 |
Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 |
CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. If successfully exploited, this vulnerability allows unauthenticated remote attackers to access and download sensitive system files, application source code and configurations. The CVSS score of this vulnerability is 7.5. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system. |
VULNEREBILITY |
|
|
25.5.24 |
An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers. |
APT |
||
|
25.5.24 |
RustDoor malware exploits JAVS Viewer vulnerability in courtroom software |
A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. This backdoor enables attackers to gain full control of affected systems and transmit data about the host system to a command-and-control (C2) server. The malware exploits a deserialization vulnerability in JAVS Viewer software, tracked as CVE-2024-4978. JAVS technologies are utilized in courtrooms, jails, prisons, councils, hearings, and lecture halls nationwide, with more than 10,000 installations worldwide. |
Virus |
|
|
25.5.24 |
Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20 |
CVE |
||
|
25.5.24 |
No sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this new ransomware-as-a-service affiliate. |
Group |
||
|
25.5.24 |
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack |
CVE |
||
|
25.5.24 |
BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. |
RAT |
||
|
25.5.24 |
Malware Transmutation! - Unveiling the Hidden Traces of BloodAlchemy |
RAT |
||
|
24.5.24 |
ESXi Ransomware Attacks: Evolution, Impact, and Defense Strategy |
Hacking |
||
|
24.5.24 |
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. |
CVE |
||
|
24.5.24 |
SHARP DRAGON EXPANDS TOWARDS AFRICA AND THE CARIBBEAN |
APT |
||
|
23.5.24 |
As reported by Check Point, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean. Sharp Dragon is known to use large-scale phishing attacks, malicious RTF files and DLL loaders, but most recently also executable loaders disguised as documents. The threat group has also been reported to leverage the CVE-2023-0669 RCE vulnerability affecting Fortra GoAnywhere in its attacks. |
APT |
||
|
23.5.24 |
CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. If successfully exploited, the vulnerability may allow unauthenticated remote attackers to execute arbitrary commands on the affected servers through URL manipulation. While the vulnerability has not yet been reported as being exploited in the wild, a Proof of Concept for it is publicly available. The product vendor has already released a patch to remediate this vulnerability. |
VULNEREBILITY |
||
|
23.5.24 |
Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as keylogging, screenshot capturing, WiFi stealing, Discord injection, password stealing, credit card stealing, cryptocurrency and wallet stealing, as well as tokens from Discord and browsers, and session stealing. Additionally, it has anti-VM and anti-debug functionality. The stolen data is zipped and posted to a defined Discord webhook server. |
HACKING |
||
|
23.5.24 |
GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. One campaign was recently identified where actors are posing as a known Italian company that specializes in the wholesale and retail distribution of seafood, sourcing and importing its products from various countries. |
Virus |
||
|
23.5.24 |
CLOUD#REVERSER campaign leverages cloud storage for malware delivery |
A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. The attackers leverage phishing emails with malicious attachments in the initial attack stages and several VBScript and PowerShell-based payload executions in later stages. The dropped malware has the functionality to exfiltrate user data, execute arbitrary commands and scripts received from the attackers as well as download additional binaries and execute them on the infected endpoints. |
CAMPAIGN |
|
|
23.5.24 |
Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants present currently in the threat landscape. Its main functionality relies on collecting various user data from the compromised endpoints and exfiltration to the C&C servers controlled by the attackers. Acrid focuses on the theft of data such as browser cookies, passwords stored in browsers, banking information, cryptocurrency wallets, and credentials stored in various applications. Acrid has been reported to leverage a "Heaven’s Gate" technique that effectively enables 64-bit code to be executed within a 32-bit process, potentially allowing the malware to evade security controls monitoring only 32-bit processes. |
Virus |
||
|
23.5.24 |
CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild |
CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, which is an open-source data integration suite used by healthcare companies. If exploited, the vulnerability may allow unauthenticated remote attackers to execute code on affected systems, leading to the compromise of critical healthcare data. The vulnerability has been reported as being exploited in the wild and has been added to the "Known Exploited Vulnerabilities Catalog" (KEV) by CISA. |
VULNEREBILITY |
|
|
23.5.24 |
GhostEngine malware terminates EDR agents and deploys coin miner |
A multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner. |
Virus |
|
|
23.5.24 |
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia |
Operation |
||
|
23.5.24 |
Avalanche 6.4.3.602 - additional security hardening and CVE fixed |
CVE |
||
|
23.5.24 |
Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea |
Group |
||
|
23.5.24 |
Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. |
|||
|
23.5.24 |
Positive Technologies detects a series of attacks via Microsoft Exchange Server |
Exchange |
||
|
22.5.24 |
Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases |
Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration. |
PHISHING |
|
|
22.5.24 |
A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. XWorm has miscellaneous capabilities including keylogging, data theft, download of additional arbitrary payloads, RAT functionalities and others. |
Virus |
||
|
22.5.24 |
Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor |
A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. This payload is believed to be the TinyTurla backdoor, based on its first-stage backdoor functionalities and utilization of a specific C2 infrastructure. |
Virus |
|
|
22.5.24 |
A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. Keyplug has the capability to initiate C2 communication with attacker servers either via abuse of Cloudflare's CDN (Content Delivery Network) or via the WSS protocol. |
Virus |
||
|
22.5.24 |
(CVSS score: 2.7), which allows a privileged user to read backup session logs |
CVE |
||
|
22.5.24 |
(CVSS score: 7.2), which allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if it's not configured to run as the default Local System account |
CVE |
||
|
22.5.24 |
(CVSS score: 8.8), which allows account takeover via NTLM relay |
CVE |
||
|
22.5.24 |
(CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. |
CVE |
||
|
22.5.24 |
A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network |
CVE |
||
|
22.5.24 |
A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network |
CVE |
||
|
22.5.24 |
A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network |
CVE |
||
|
22.5.24 |
A double free vulnerability that could allow authenticated users to execute arbitrary code via a network |
CVE |
||
|
22.5.24 |
An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network |
CVE |
||
|
22.5.24 |
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware |
InfoStealer |
||
|
22.5.24 |
An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. |
CVE |
||
|
22.5.24 |
llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. |
CVE |
||
|
21.5.24 |
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679. |
CVE |
||
|
21.5.24 |
A memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. This issue lies in the embedded HTTP server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution. |
CVE |
||
|
21.5.24 |
Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign |
A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. The RAT exhibits advanced capabilities, such as anti-analysis techniques, avoiding handshakes during RAT operation, anti-memory scanning, and using HTTPS for command-and-control (C&C) communication. The Deuterbear infection chain involves two stages: the first stage functions as a plugin downloader, while the second stage acts as a backdoor, harvesting sensitive information from the compromised host. |
Virus |
|
|
21.5.24 |
Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. This malware covertly infiltrates victims' systems, exfiltrating various forms of personal data, including login credentials, cryptocurrency wallets, session data, and browsing history. The stolen data is transmitted to file-sharing services and messaging platforms like Telegram, which are used as command-and-control (C2) servers by the attackers. |
Virus |
||
|
21.5.24 |
Bank Mellat Users in Various Countries Targeted by FakeBank Campaign |
Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). Bank Mellat, also known as "Bank of the Nation", has a number of offices and branches both domestically within Iran and internationally. |
CAMPAIGN |
|
|
21.5.24 |
Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). This Android banking malware leverages the overlay technique, displaying fake overlay windows in the hope of tricking users into entering their banking credentials. It targets hundreds of banks and cryptocurrency exchange platforms. |
Virus |
||
|
21.5.24 |
HijackLoader is a multi-stage loader that has recently seen some updates. The first stage allows the loader to decrypt and decompress additional modules and execute a second stage, while the second-stage process lives in memory and reads an embedded or remotely hosted image in order to fully initiate the second stage and load additional modules. Some of the newly discovered modules, like User Account Control bypass, are designed to allow for additional persistence in the target environment. |
Virus |
||
|
21.5.24 |
Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. Functionality-wise, Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credential theft, device control and execution of commands received from the attackers. The malware has the capability to establish HTTP connections or WebSocket communication to the C2 servers. |
Virus |
||
|
21.5.24 |
As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. Recently, one actor has been luring consumers, more specifically gamers, with a Chaos Ransomware disguised as a fake free Discord Nitro. Within the ransom note, the actor is hoping to extort compromised users of 0.003 BTC, which is the equivalent of 195 USD at the time of writing. |
RANSOM |
||
|
21.5.24 |
Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension .Synapse added to them. Additionally, a ransom note named [random_string].README.txt is dropped. The ransomware has the capability to collect system information and encryption statistics, and exfiltrate the data to its remote C2 server. Victims are provided with a URL (hosted on the Tor network) as a means of contact. |
RANSOM |
||
|
21.5.24 |
Storm-1811 threat actor conducts Vishing attack via Quick Assist tool |
Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. Quick Assist is an application that enables a user to share their system with another person over a remote connection to resolve issues. Once the user grants full control, the threat actor executes scripts that lead to the download of batch files with the aim of deploying Black Basta ransomware as the final payload throughout the network. |
GROUP |
|
|
21.5.24 |
In a newly released report, Symantec’s Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North-Korean Springtail espionage group (aka Kimsuky). This group is linked to malware used in a recent campaign against organizations in South Korea. The campaign leveraged Trojanized software installation packages to deliver the backdoor. |
APT |
||
|
21.5.24 |
No-Justice Wiper - Wiper attack on Albania by Iranian APT |
Wipper |
||
|
21.5.24 |
Iranian State Actors Conduct Cyber Operations Against the Government of Albania |
Wipper |
||
|
21.5.24 |
BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL |
Group |
||
|
21.5.24 |
GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure |
Group |
||
|
20.5.24 |
The LATRODECTUS loader evolves to deliver ICEDID and other malware |
Loader |
||
|
20.5.24 |
Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns |
Banking |
||
|
19.5.24 |
Prison Management System - SQL Injection Authentication Bypass |
|||
|
19.5.24 |
iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS) |
|||
|
19.5.24 |
In April 2024, while researching CVE-2023-36033, we discovered another zero-day elevation-of-privilege vulnerability, which was assigned the CVE-2024-30051 identifier and patched on May 14 as part of Microsoft’s Patch Tuesday. |
Vulnerebility |
||
|
19.5.24 |
As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. |
Incident |
||
|
18.5.24 |
(CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host |
CVE |
||
|
18.5.24 |
(CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition |
CVE |
||
|
18.5.24 |
(CVSS score: 7.1) - An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine |
CVE |
||
|
18.5.24 |
(CVSS score: 7.1) - An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine |
CVE |
||
|
18.5.24 |
Kinsing Demystified A Comprehensive Technical Guide |
Group |
||
|
18.5.24 |
Kinsing Demystified A Comprehensive Technical Guide |
Hacking |
||
|
18.5.24 |
Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts |
RAT |
||
|
18.5.24 |
Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 |
CyberSpy |
||
|
18.5.24 |
More than one legitimate software package was modified to deliver malware in North Korean group’s recent campaign against South Korean organizations. |
Backdoor |
||
|
17.5.24 |
A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session |
CVE |
||
|
17.5.24 |
An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page |
CVE |
||
|
17.5.24 |
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to an untrusted network. |
WIFI |
||
|
17.5.24 |
Kimsuky APT attack discovered using Facebook & MS management console |
APT |
||
|
16.5.24 |
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware |
Group |
||
|
16.5.24 |
Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
CVE |
||
|
16.5.24 |
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs |
APT |
||
|
16.5.24 |
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs |
APT |
||
|
16.5.24 |
400k Linux servers compromised for cryptocurrency theft and financial gain |
REPORT |
||
|
16.5.24 |
Ebury botnet alive & growing; 400k Linux servers compromised for cryptocurrency theft and financial gain |
Cryptocurrency |
||
|
16.5.24 |
The vivisection of a large Linux server-side credential stealing malware campaign |
|||
|
16.5.24 |
A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise-grade routers with the intent to monitor passing data traffic and discreetly exfiltrate only authentication-related information such as usernames, passwords and tokens. It also has the capability of introducing more payloads. |
Virus |
||
|
16.5.24 |
Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. By employing VB scripts, registry modification, and establishing services to restart the malware at varying intervals, this malware can thoroughly infiltrate a system, evade detection, and report statistics to its C2 server. |
Virus |
||
|
16.5.24 |
Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording. |
Virus |
||
|
16.5.24 |
Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation |
A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. The distributed malware variants include Atomic Stealer (AMOS), Vidar Stealer, Lumma and the Octo banking trojan. The attackers have been leveraging fake profiles and repositories hosted on GitHub that offer software binaries masqueraded as various popular applications. Threat actors behind this campaign have also been utilizing web-based infrastructure including FileZilla FTP servers for malware delivery. |
Virus |
|
|
16.5.24 |
PureCrypter malware used in Mallox ransomware distribution campaign |
The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. The attackers have been reported to employ brute-force attacks against vulnerable or otherwise misconfigured MS-SQL servers in the initial attack stages. PureCrypter is a Malware-as-a-Service (MaaS) offering and is potentially leveraged by various affiliates. The delivered payloads might also exfiltrate user data before encryption, as the Mallox ransomware operators have been known to employ double extortion techniques in past attacks. |
Virus |
|
|
16.5.24 |
A recent Danabot malspam campaign was observed being delivered via a Word document containing a malicious external link which if clicked will launch a series of events where additional executable files will get downloaded including a command prompt, and a PowerShell. This process eventually leads to the dropping of payloads such as iu4t4.exe (Danabot) and rundll32.exe, which are responsible for collecting sensitive user and system information. |
Virus |
||
|
| 15.5.24 | Phorpiex botnet distributes LockBit Black Ransomware via email campaign | A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. Phorpiex functions as a Malware-as-a-Service platform and has amassed a significant customer base among threat actors over more than a decade of operation. Since 2018, Phorpiex has been involved in activities such as data exfiltration and ransomware distribution. Despite attempts to disrupt its operations over the years, the botnet continues to persist. | BOTNET | |
| 15.5.24 | Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). This threat actor is known for using various other infostealer variants including Aurora, Lumma, Redline and Rhadamanthys, among others. Dracula Stealer is leveraged by the attackers to exfiltrate a wide range of confidential information from victim machines, including credentials and banking information, among others. | | Virus | |
| 15.5.24 | WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. This malware is disguised as video game installers and designed to extract various types of sensitive data from compromised systems. It targets web browsers, cryptocurrency wallets, credit card numbers, as well as data associated with messaging platforms like Telegram and Discord. Additionally, WaveStealer has the capability to capture screenshots, enhancing its data exfiltration capabilities. | | Virus | |
| 15.5.24 | A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. The attackers utilized deceptive websites masquerading as well-known brands like AnyDesk, WinSCP, BlackRock, Asana, Concur, and Google Meet. Visitors to these sites, often directed through sponsored Google Ads, encountered fake pop-ups urging them to download what seemed to be a browser extension. However, the downloaded payload was actually an MSIX file, a packaging format for Windows apps, which delivered NetSupport RAT and DiceLoader for subsequent stages in the infection chain. | | Virus | |
| 15.5.24 | Beast Ransomware and Vidar Infostealer delivered via disguised documents | Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and an infostealer. The initial infection starts with a phishing email carrying an external malicious link that, if clicked, downloads a compressed file. Upon decompression, two executable files are dropped; these are identified as Beast Ransomware and Vidar Infostealer. | RANSOM | |
| 15.5.24 | Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals, as Symantec continues to observe a flurry of smishing around the world. | | SPAM | |
| 15.5.24 | According to recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the “2023Lock” ransomware. The malware encrypts user files and appends the “.trinitylock” extension to them. Trinity ransomware has also been reported to share some of its code base with yet another ransomware variant known as Venus. The threat actors behind Trinity employ double extortion techniques by also exfiltrating confidential files and threatening to publicly release them. | | RANSOM | |
| 15.5.24 | Malspam campaign delivers AsyncRAT by way of multiple scripts | In a recently observed campaign, multiple scripts were used to deliver the AsyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files that deliver AsyncRAT and establish its persistence. The attack downloads a Windows Script File (WSF) that in turn launches a VBS file responsible for further execution. Later parts of the attack are carried out by JS, PowerShell, and batch script components. | Virus | |
| 15.5.24 | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware. This malware variant has been known since at least 2022 and has been leveraged in a number of campaigns targeting critical infrastructure, including the Healthcare and Public Health (HPH) sector. Black Basta is a ransomware-as-a-service (RaaS) variant mostly distributed via phishing or exploitation of disclosed vulnerabilities. The attackers behind this malware often employ the double extortion model by not only encrypting user files but also exfiltrating them and threatening public release of the stolen data. | | RANSOM | |
| 15.5.24 | Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. This Trojan was initially spotted in November 2023 and has undergone multiple upgrades, currently at version 3.0. Hidden Shovel's key features are strong concealment, anti-analysis measures, a DLL hijacking backdoor and shellcode injection capabilities. | | Virus | |
| 15.5.24 | Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators | | Social | |
| 15.5.24 | High CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09 | | CVE | |
| 15.5.24 | (CVSS score: N/A) - A file inclusion issue in the "lib/plugin.php" file that could be combined with SQL injection vulnerabilities to result in remote code execution | | CVE | |
| 15.5.24 | (CVSS score: 8.8) - An SQL injection vulnerability in api_automation.php that allows authenticated users to perform privilege escalation and remote code execution | | CVE | |
| 15.5.24 | (CVSS score: 10.0) - A command injection vulnerability that allows any unauthenticated user to execute arbitrary commands on the server when the "register_argc_argv" option of PHP is On | | CVE | |
| 15.5.24 | (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server, resulting in remote code execution | | CVE | |
| 15.5.24 | (CVSS score: 8.8) - Windows MSHTML Platform Security Feature Bypass Vulnerability | | CVE | |
| 15.5.24 | (CVSS score: 7.8) - Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability | | CVE | |
| 14.5.24 | (CVSS score: 8.1) - A buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message. | | CVE | |
| 14.5.24 | (CVSS score: 7.8) - An improper privilege management vulnerability that could allow a local, low-privileged attacker to elevate privileges to manufacturer level on the targeted system. | | CVE | |
| 14.5.24 | (CVSS score: 6.8) - A files or directories accessible to external parties vulnerability that could allow an attacker with physical access to the target system to obtain read/write access to any files and directories on the targeted system, including hidden files and directories. | | CVE | |
| 14.5.24 | (CVSS score: 4.4) - A relative path traversal vulnerability that could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the targeted system. | | CVE | |
| 14.5.24 | (CVSS score: 3.3) - An exposure of sensitive information vulnerability that could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the targeted system. | | CVE | |
| 14.5.24 | (CVSS score: 3.3) - An exposure of sensitive information through environmental variables vulnerability that could allow a local, low-privileged attacker to obtain unauthorized access to the targeted system. | | CVE | |
| 14.5.24 | (CVSS score: 2.4) - An exposure of sensitive information vulnerability that could allow an attacker with physical access to the target system to get access to sensitive data on the targeted system. | | CVE | |
| 12.5.24 | CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability | CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. The bug is caused by improper validation of user-supplied input in the Administrator email address field. If successfully exploited, the vulnerability might allow remote attackers to insert and execute arbitrary code via the Administrator email address parameter. | VULNEREBILITY | |
| 12.5.24 | CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, an open-source data visualization web application. Successful exploitation of this vulnerability might potentially lead to unauthorized access and data leaks from the vulnerable dashboards. Unprivileged attackers might be able to bypass authorization and also delete Grafana dashboard snapshots. The Grafana vendor has already released a patch to address this vulnerability. | | VULNEREBILITY | |
| 11.5.24 | zEus Stealer Distributed via Crafted Minecraft Source Pack | | Stealer | |
| 11.5.24 | Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. | | REPORT | |
| 11.5.24 | Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. | | Ransomware | |
| 11.5.24 | FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads | | APT | |
| 11.5.24 | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | | Malware traffic | |
| 10.5.24 | Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery | In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways. | Exploit | |
| 10.5.24 | Malware campaign targeting Windows and MS Office users via software cracks | A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. The malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new malware even after removal. | Virus | |
| 10.5.24 | Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic | Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new, having been in use for some time now. The attack chain's initial step remains uncertain, but recently observed Coper samples have been hosted on a content delivery network (CDN) used by LiveChat, a customer service platform. | Virus | |
| 10.5.24 | Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT | Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute a highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx). | CAMPAIGN | |
| 10.5.24 | The use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. Multiple malware campaigns in recent months have utilized the Matanbuchus loader, with their C2 infrastructure hosted on bulletproof hosting services like "Proton66 OOO". | | Exploit | |
| 10.5.24 | A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor. | | Virus | |
| 10.5.24 | Tricking the VPN client into using the wrong server IP | | VPN | |
| 10.5.24 | On Windows, Linux, macOS and Android we are not vulnerable to the LocalNet attack. We never leak traffic to public IPs outside the VPN tunnel. However, on iOS we are affected by this attack vector. | | VPN | |
| 10.5.24 | CVE-2024-4671: Use after free in Visuals. Reported by Anonymous on 2024-05-07 | | CVE | |
| 10.5.24 | Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. | | Android | |
| 10.5.24 | Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. | | CVE | |
| 10.5.24 | LLMjacking: Stolen Cloud Credentials Used in New AI Attack | | Cloud | |
| 10.5.24 | Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables | Virtual Private Networks (VPNs) authenticate and encrypt network traffic to protect users’ security and privacy, and are used in professional and personal settings to defend against malicious actors, circumvent censorship, remotely work from home, etc. It is therefore essential that VPNs are secure. | Papers | |
| 10.5.24 | TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel. | | VPN | |
| 10.5.24 | A local network VPN leaking technique that affects all routing-based VPNs | | VPN | |
| 10.5.24 | DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. | | CVE | |
| 10.5.24 | APT28 campaign targeting Polish government institutions | | APT | |
| 9.5.24 | In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to consume all available IP addresses that the DHCP server can allocate. After these IP addresses are allocated, the server cannot allocate any more addresses, and this situation leads to a Denial of Service (DoS) attack, as new clients cannot gain network access. | | DHCP | |
| 9.5.24 | DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. | | CVE | |
| 9.5.24 | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | | CVE | |
| 9.5.24 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. | | CVE | |
| 9.5.24 | (CVSS score: 7.5) - An OData injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP NEXT Central Manager API | | CVE | |
| 9.5.24 | (CVSS score: 7.5) - An SQL injection vulnerability that could allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API | | CVE | |
| 9.5.24 | A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. This infostealer is designed to evade detection while stealing sensitive data and dropping additional payloads, typically in the form of a batch file, to establish communication with a command-and-control (C2) server for further instructions. This malware is capable of capturing screenshots and exfiltrating data to a webhook server controlled by the threat actor. | | Virus | |
| 9.5.24 | APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, executes PowerShell commands after activation. Subsequently, these commands execute additional files, enabling attackers to gather user information and transmit that data back to their C2 servers. | | Virus | |
| 9.5.24 | Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). This campaign entices users to open the attached PDF, named with a Latin word, containing a link that uses typosquatted subdomains for Microsoft login services, with the end goal being credential theft for later use. | | CAMPAIGN | |
| 9.5.24 | Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them, along with a unique victim ID and the threat actor's email address. The dropped ransom note, in the form of a text file, asks the victims to contact the attackers via the provided email address for further instructions on how to restore the locked files. | | RANSOM | |
| 9.5.24 | CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild | CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in the WP-Automatic plugin prior to version 3.92.1. Successful exploitation of this vulnerability might allow attackers to run arbitrary SQL queries, create new admin accounts or upload malicious files onto the compromised servers. This vulnerability has been reported as being actively exploited in the wild. | VULNEREBILITY | |
| 9.5.24 | Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. A ransom note is dropped as a text file called "#SHINRA-Recovery.txt" containing contact details, typically the attacker's email address. | | RANSOM | |
| 9.5.24 | CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon | CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool. If successfully exploited, the bug allows unauthenticated attackers to access the Flowmon web interface via crafted API requests. This compromise can further lead to arbitrary code execution on vulnerable systems. A proof-of-concept for this vulnerability has been released publicly and the vendor has already issued a patched version of the application. | VULNEREBILITY | |
| 9.5.24 | Earlier this year, in February, the LockBit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets seized and a decryption tool released publicly. Despite those efforts, LockBit still remains active in the threat landscape and we recently observed a spike in detections related to this ransomware variant. Symantec's Advanced Machine Learning technology played a crucial role in blocking this attack by detecting the malicious emails at the beginning of the attack chain. | | RANSOM | |
| 8.5.24 | HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. | | Loader | |
| 8.5.24 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through 5.7. | | CVE | |
| 8.5.24 | Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor | | CPU | |
| 8.5.24 | The Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturers' Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. | | Alert | |
| 8.5.24 | A vulnerability in the R language that allows for arbitrary code to be executed directly after the deserialization of untrusted data has been discovered. | | Alert | |
| 7.5.24 | Uncharmed: Untangling Iran's APT42 Operations | | APT | |
| 7.5.24 | CVE-2024-4040 - CrushFTP vulnerability exploited in the wild | CVE-2024-4040 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0. Successful exploitation of this vulnerability could allow unauthenticated remote attackers to perform a VFS Sandbox escape, bypass authentication, gain administrative privileges and potentially execute arbitrary remote code on the vulnerable servers. The vulnerability has been reported as being exploited in the wild and the vendor has already released a patched version of the application. | VULNEREBILITY | |
| 7.5.24 | Counterfeit Revenue Agency page distributing VBlogger malware | A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. Upon accessing the site, users unwittingly download an archive containing a malware downloader, which in turn fetches the final payload via FTP from Altervista. The malware, dubbed "vblogger," is developed in VB6 and possesses keylogging and clipboard capture functionalities. The harvested information is stored in a text file and then sent to the command-and-control server (C2) on Altervista. | Virus | |
| 7.5.24 | Cuckoo: A new macOS malware targeting music ripping applications | A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. Cuckoo boasts extensive functionality, including the collection of browser-stored information such as passwords, cookies, and other credentials. Additionally, it gathers system information and data related to installed cryptocurrency wallets and extensions. | Virus | |
| 7.5.24 | Android malware used in targeted attack against Indian defense forces | A socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware presenting itself as a defense-related application. Upon successful delivery, the application would install itself under the guise of a Contacts application. Upon execution, the app would request permissions for SMS, Contacts, Storage, and Telephone and subsequently remove itself from view. | Virus | |
| 7.5.24 | Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset. | | Stealer | |
| 7.5.24 | CharmingCypress: Innovating Persistence | | VBS | |
| 7.5.24 | Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion | | Python | |
| 7.5.24 | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | | CVE | |
| 7.5.24 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. | | CVE | |
| 6.5.24 | A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability. | | CVE | |
| 6.5.24 | Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware | | Apple | |
| 5.5.24 | Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure | | | |
| 5.5.24 | Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass | | | |
| 5.5.24 | Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure | | | |
| 5.5.24 | Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass | | | |
| 5.5.24 | Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure | | | |
| 5.5.24 | Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass | | | |
| 4.5.24 | The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers. | | ANALYSIS | |
3.5.24 |
NiceCurl and TameCat custom backdoors leveraged by Damselfly APT |
NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). These backdoors are reported to be delivered mostly by spear-phishing campaigns and used by the threat actors for the purpose of initial access to the targeted environments. While NiceCurl is a VBScript-based malware with capabilities to download and execute additional modules, TameCat backdoor is used to execute PowerShell and C# scripts as well as download additional arbitrary content. |
APT |
|
|
3.5.24 |
TesseractStealer malware leverages OCR engine for information extraction |
TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. The malware focuses on specific data related to credentials and cryptocurrency wallet information. Next to TesseractStealer, some of the recent ViperSoftX runs have also been observed to drop another payload from the QuasarRAT malware family. |
Virus |
|
|
3.5.24 |
The infection chain for this campaign initiates from an email file with an HTML attachment. This HTML file uses a background image that resembles what looks like a blank Microsoft Document file, where instructions on how to fix the offline viewing of the file can be seen. This is an attempt to trick victims into pasting malicious PowerShell code into a Windows Terminal. Once the code is executed, an HTA file will be downloaded and will continue to execute, eventually downloading a follow-up ZIP file. Once extracted, it will launch an open-source automation engine called AutoIt to execute a malicious AutoIt script named script.a3x that will eventually load the Darkgate trojan. |
CAMPAIGN |
||
|
3.5.24 |
A recent report by SentinelOne outlines changes observed to a recent macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures. Adload malware has been present in the macOS landscape for several years now, known to be distributed via drive-by-downloads and often used in attempts to hijack browser search results, inject ads into webpages or deliver various payloads to the victims. |
Virus |
||
|
3.5.24 |
ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. This 'new' ability allows ZLoader to block installation on machines other than where the initial infection occurred, stopping further stages from deploying, in the hopes of hindering in depth analysis. |
Virus |
||
|
3.5.24 |
According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. This malware targets the exploitation of an old D-Link vulnerability from 2015 - CVE-2015-2051 for its propagation. Goldoon can establish persistence on the affected device and execute commands received from C2 servers. The attackers might use this malware variant to gain control over the infected devices, collect system information as well as perform various forms of distributed denial-of-service (DDoS) attacks. |
BOTNET |
||
|
3.5.24 |
BirdyClient malware leverages Microsoft Graph API for C&C communication |
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware called BirdyClient used the Graph API to leverage Microsoft OneDrive for C&C purposes. |
Virus |
|
|
3.5.24 |
DarkGate loader malware has been a very actively distributed within the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. Emails have been observed containing direct download links while others may use attachments (PDF, ZIP, etc) to initiate the delivery. |
|||
|
3.5.24 |
Dwphon is a recently identified malware variant targeting the Android platform. The malware has the functionality to collect information about the infected device, the info about applications installed on the device as well as some confidential personal information. Dwphon might consist of several distinct modules, each with its own functions and C2 instructions. |
Virus |
||
|
3.5.24 |
No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow. Symantec has recently observed an actor actively targeting users in Kazakhstan with the SpyNote RAT. |
Virus |
||
|
3.5.24 |
GuLoader campaign targeting industries in Russian-speaking countries |
An actor has been observed running two email campaigns with different social engineering tactics that lead to Guloader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan. |
CAMPAIGN |
|
|
3.5.24 |
Subgraph representation learning is a technique for analyzing local structures (or shapes) within complex networks. Enabled by recent developments in scalable Graph Neural Networks (GNNs), this approach encodes relational information at a subgroup level (multiple connected nodes) rather than at a node level of abstraction. |
Papers |
||
|
3.5.24 |
The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. |
Trojan |
||
|
3.5.24 |
Playing Possum: What's the Wpeeper Backdoor Up To? |
Backdoor |
||
| 3.5.24 | | New “Goldoon” Botnet Targeting D-Link Devices | BOTNET | |
| 3.5.24 | | Graph: Growing number of threats leveraging Microsoft API | | |
| 3.5.24 | | North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts | CERT | |
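The DMARC entry above concerns mail domains whose published policy lets spoofed messages through. The following Python is an added example, not code from the advisory or from any vendor: it parses DMARC TXT records and flags the weak settings a spoofer benefits from (no valid record, p=none, sp=none behind an enforcing apex policy, pct below 100, no rua reporting address). The domain names and records are constructed for the example; in practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Evaluate DMARC TXT records for weaknesses that let spoofed mail through."""

# Constructed sample records; these are not any real domain's DNS data.
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "nosub.example": "v=DMARC1; p=reject",
    "missing.example": None,                                  # no _dmarc TXT record at all
    "broken.example": "v=spf1 include:_spf.example -all",     # an SPF record published in the wrong place
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; return None if this is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def evaluate_dmarc(record):
    """Return a list of findings; an empty list means the policy is enforcing and reported."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: receivers apply no policy, spoofed mail is delivered"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    # RFC 7489: sp defaults to p when absent
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed even though the apex is protected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and policy != "none":
        findings.append("pct=%d: only %d%% of failing mail gets the policy applied" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua: the domain owner receives no aggregate reports of abuse")
    return findings


def weakest_domains(records):
    """Domains whose DMARC policy would not block a spoofed message at all."""
    weak = []
    for domain, record in records.items():
        tags = parse_dmarc(record)
        if tags is None or tags.get("p", "none").lower() == "none":
            weak.append(domain)
    return sorted(weak)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, evaluate_dmarc(record) or ["enforcing"])
```

Only `weakest_domains` corresponds to the "spoofed mail is delivered" case; the other findings (partial pct, no rua, permissive subdomain policy) are the partial-coverage states that still leave room for a well-chosen sender address.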
| 3.5.24 | | (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol | CVE | |
| 3.5.24 | | (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol | CVE | |
| 3.5.24 | | (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol | CVE | |
| 3.5.24 | | (CVSS score: 9.8) - Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol | CVE | |
| 3.5.24 | | “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps | Vulnerability | |
| 1.5.24 | | Zloader Learns Old Tricks | Trojan | |
| 31.3.24 | Vultur | The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. | Malware | Android |
| 31.3.24 | Atomic Stealer | Infostealers continue to pose threat to macOS users | Malware | MacOS |
| 30.3.24 | liveSite Version 2019.1 - Remote Code Execution | PHP | WebApps | |
| 30.3.24 | WinRAR version 6.22 - Remote Code Execution via ZIP archive | Windows | Remote | |
| 30.3.24 | Dell Security Management Server <1.9.0 - Local Privilege Escalation | Linux | Local | |
| 30.3.24 | Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure | Hardware | Remote | |
| 30.3.24 | RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service | Hardware | DoS | |
| 30.3.24 | Broken Access Control - on NodeBB v3.6.7 | Multiple | WebApps | |
| 30.3.24 | Purei CMS 1.0 - SQL Injection | PHP | WebApps | |
| 30.3.24 | Workout Journal App 1.0 - Stored XSS | PHP | WebApps | |
| 30.3.24 | Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) | Multiple | Remote | |
| 30.3.24 | LimeSurvey Community 5.3.32 - Stored XSS | PHP | WebApps | |
| 30.3.24 | Nagios XI Version 2024R1.01 - SQL Injection | Multiple | WebApps | |
| 30.3.24 | Wallos < 1.11.2 - File Upload RCE | PHP | WebApps | |
| 30.3.24 | Tourism Management System v2.0 - Arbitrary File Upload | PHP | WebApps | |
| 30.3.24 | LBT-T300-mini1 - Remote Buffer Overflow | Linux | Remote | |
| 30.3.24 | MobileShop master v1.0 - SQL Injection Vuln. | PHP | WebApps | |
| 30.3.24 | Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS | PHP | WebApps | |
| 30.3.24 | SPA-CART CMS - Stored XSS | PHP | WebApps | |
| 30.3.24 | Craft CMS 4.4.14 - Unauthenticated Remote Code Execution | PHP | Exploit | WebApps |
| 30.3.24 | CVE-2024-20767 - Adobe ColdFusion vulnerability | CVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, a development platform for building and deploying web and mobile applications. If successfully exploited, this vulnerability allows unauthenticated remote attackers to read arbitrary files on the system. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these exploitation attempts to prevent further infection or damage to the system. | ALERTS | Vulnerability |
| 30.3.24 | Sync-Scheduler Infostealer | An infostealer dubbed Sync-Scheduler, written in C++, has been reported as being distributed concealed within Office document files. The malware employs file-nesting techniques to conceal its presence and is equipped with anti-analysis and defense-evasion techniques. Upon compromising a system, it searches the user's personal directories for Office documents such as Word, PowerPoint, and Excel files. | ALERTS | Virus |
| 30.3.24 | WarzoneRAT malware re-emerges with new samples | WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan used by various threat groups in recent years. Its functionality includes remote control, a remote shell, file operations, credential theft, keylogging, UAC bypass and more. In February 2024 the FBI dismantled the Warzone RAT operation and seized the infrastructure associated with this threat. | ALERTS | Virus |
| 30.3.24 | TheMoon malware targets thousands of insecure routers | A new malicious campaign featuring an updated version of TheMoon, a notorious malware family has been reported. This latest variant of TheMoon appears to target insecure outdated home routers, particularly those manufactured by Asus, along with other IoT devices. After compromising these devices, the malware utilizes them to route traffic through a proxy service known as Faceless. | ALERTS | Virus |
| 30.3.24 | Beware of FlightNight | A new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. Named FlightNight because of its use of Slack channels named "FlightNight" it is likely the work of the same threat actor. | ALERTS | Virus |
| 30.3.24 | CVE-2024-3094 | Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. | CVE | |
| 30.3.24 | TheMoon | Linksys Worm ("TheMoon") Captured | Malware | Worm |
| 30.3.24 | CVE-2024-1086 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. | CVE | |
| 30.3.24 | WallEscape | Unraveling WallEscape: A Linux Vulnerability Exposing User Passwords and Hijacking Clipboards | CVE | |
| 30.3.24 | CVE-2024-28085 | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) | CVE | |
| 30.3.24 | Darcula | Out of the shadows – ’darcula’ iMessage and RCS smishing attacks target USPS and global postal services | Phishing | PhaaS |
| 30.3.24 | DinodasRAT | DinodasRAT Linux implant targeting entities worldwide | Malware | RAT |
| 28.3.24 | Dropper disguised as legitimate PuTTY Software | A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, just above the official PuTTY website, although it has since been removed. The ad raised suspicion because its domain name was unrelated to PuTTY. | ALERTS | Virus |
| 28.3.24 | Mispadu Stealer extends its reach | Mispadu Stealer (also known as Ursa) has shown increased activity in recent distribution campaigns. While this malware originally targeted mostly LATAM countries, the recently observed activity shows European countries being targeted as well. | ALERTS | Virus |
| 28.3.24 | Qilin ransomware remains an active threat in the landscape | Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. Qilin is known to be distributed under a Ransomware-as-a-Service (RaaS) model with its operators often employing double extortion tactics. | ALERTS | Ransom |
| 28.3.24 | SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities | Recent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and Connectwise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. One malware variant, SnowLight, is a C-based downloader for Linux, used by the threat actors to download and execute secondary payloads on the infected machines. GoreVerse, GoHeavy and SuperShell are payload variants distributed by UNC5174 in the reported campaigns. | ALERTS | Virus |
| 28.3.24 | Operation FlightNight | Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign | Operation | CyberSpy |
| 28.3.24 | CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | CVE | |
| 28.3.24 | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE | |
| 28.3.24 | CVE-2024-21388 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE | |
| 28.3.24 | CVE-2024-21388 | “CVE-2024-21388”: Microsoft Edge’s Marketing API Exploited for Covert Extension Installation | CVE | |
| 28.3.24 | CVE-2023-48022 | Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. | CVE | |
| 28.3.24 | ShadowRay | ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild | Campaign | AI |
| 28.3.24 | NARWHAL SPIDER | NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. | Group | APT |
| 28.3.24 | Agent Tesla | Agent Tesla's New Ride: The Rise of a Novel Loader | Malware | Loader |
| 27.3.24 | Stately Taurus APT Campaign Targeting Asian Countries | Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month targeting Asian countries. Two malware packages were created and deployed for this recent attack - one is a ZIP format and the other one is a SCR file. | ALERTS | APT |
| 27.3.24 | VCURMS and STRRAT being delivered via links in spam messages | A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. | ALERTS | Virus |
| 27.3.24 | ZENHAMMER | ZENHAMMER: Rowhammer Attacks on AMD Zen-based Platforms | Attack | CPU |
| 27.3.24 | I-Soon | Unmasking I-Soon: The Leak That Revealed China’s Cyber Operations | Hacking Firm | Hacking Firm |
| 27.3.24 | Earth Krahang | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Group | APT |
| 27.3.24 | RedAlpha | Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. | Campaign | Campaign |
| 27.3.24 | Earth Lusca | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections | Group | APT |
| 27.3.24 | BRONZE VINEWOOD | DETAILS ON BRONZE VINEWOOD, IMPLICATED IN TARGETING OF THE U.S. ELECTION CAMPAIGN | Group | APT |
| 27.3.24 | EvilOSX | | Malware | osx |
| 27.3.24 | Trochilus RAT | Trochilus is a C++ written RAT, which is available on GitHub. | Malware | RAT |
| 26.3.24 | VCURMS and STRRAT being delivered via links in spam messages | A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. | ALERTS | Virus |
| 26.3.24 | New backdoor WineLoader | Phishing attacks impersonating political parties with an invite lure to diplomats for a wine-tasting event has been used to deploy WineLoader malware. WineLoader is a new backdoor variant that shares features similar to that of BurntBatter, BeatDrop, and MuskyBeat which are associated with APT29. Once deployed, WineLoader collects and exfiltrates gathered information from the infected machine (victim's username, process name, device name etc.) to the C2. The C2 can determine to execute additional modules to perform further tasks like establishing persistence. | ALERTS | Virus |
| 26.3.24 | New remote control backdoor leveraging malicious drivers emerges in China | In a recent campaign observed in China, a new remote control backdoor was distributed. The threat actors behind the campaign utilized malicious kernel-mode drivers to carry out exploitation activities. The backdoor exhibited various capabilities, including disabling anti-virus software, stealing keyboard inputs, and downloading additional malware files such as miners and rootkits from command-and-control (C2) servers for execution. This campaign underscores the expectation that threat actors will continue to utilize rootkits to conceal malicious code from security tools, thereby weakening defenses and evading detection for extended periods of time. | ALERTS | Virus |
| 26.3.24 | Emergence of Mirai Nomi in the Threat Landscape | A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. It includes capabilities such as file deletion, process termination, persistence and elimination of competing bots. Although not very active, its capabilities raise concerns about potential future threats. | ALERTS | Botnet |
| 26.3.24 | CVE-2023-48788 | (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability | CVE | |
| 26.3.24 | CVE-2021-44529 | (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | CVE | |
| 26.3.24 | CVE-2019-7256 | (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability | CVE | |
| 26.3.24 | | Generic and Automated Drive-by GPU Cache Attacks from the Browser | Papers | Papers |
| 26.3.24 | Lord Nemesis Strikes | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector | Group | Hacktivism |
| 26.3.24 | TA450 | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Group | APT |
| 24.3.24 | Springtail | Springtail APT group abuses valid certificate of known Korean public entity | Group | APT |
| 24.3.24 | Kimsuky | The Updated APT Playbook: Tales from the Kimsuky threat actor group | Group | APT |
| 23.3.24 | Implementations of UDP-based application protocols are vulnerable to network loops | A novel traffic-loop vulnerability has been identified in certain implementations of UDP-based application protocols. An unauthenticated attacker can send maliciously crafted packets to a vulnerable UDP implementation of an application protocol (e.g., DNS, NTP, TFTP), leading to denial of service (DoS) and/or abuse of resources. | Alert | Alert |
| 23.3.24 | GoFetch Attack | GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs). | Attack | side-channel attack |
| 23.3.24 | minaliC 2.0.0 - Denial of Service | Windows | Remote | |
| 23.3.24 | CSZCMS v1.3.0 - SQL Injection (Authenticated) | PHP | WebApps | |
| 23.3.24 | HNAS SMU 14.8.7825 - Information Disclosure | Hardware | Remote | |
| 23.3.24 | Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi | PHP | WebApps | |
| 23.3.24 | Simple Task List 1.0 - 'status' SQLi | PHP | WebApps | |
| 23.3.24 | Blood Bank 1.0 - 'bid' SQLi | PHP | WebApps | |
| 23.3.24 | Employee Management System 1.0 - 'admin_id' SQLi | PHP | WebApps | |
| 23.3.24 | Quick.CMS 6.7 - SQL Injection Login Bypass | PHP | WebApps | |
| 23.3.24 | xbtitFM 4.1.18 - Multiple Vulnerabilities | PHP | WebApps | |
| 23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password | Hardware | Remote | |
| 23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure | Hardware | Remote | |
| 23.3.24 | TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection | Hardware | Remote | |
| 23.3.24 | Backdrop CMS 1.23.0 - Stored XSS | PHP | WebApps | |
| 23.3.24 | Atlassian Confluence < 8.5.3 - Remote Code Execution | Multiple | WebApps | |
| 23.3.24 | Gibbon LMS < v26.0.00 - Authenticated RCE | PHP | WebApps | |
| 23.3.24 | ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE | PHP | WebApps | |
| 23.3.24 | TYPO3 11.5.24 - Path Traversal (Authenticated) | PHP | WebApps | |
| 23.3.24 | WEBIGniter v28.7.23 - Stored XSS | PHP | WebApps | |
| 23.3.24 | WordPress File Upload Plugin < 4.23.3 - Stored XSS | PHP | WebApps | |
| 23.3.24 | vm2 - sandbox escape | Multiple | Local | |
| 23.3.24 | UPS Network Management Card 4 - Path Traversal | PHP | WebApps | |
| 23.3.24 | Nokia BMC Log Scanner - Remote Code Execution | Linux | WebApps | |
| 23.3.24 | Karaf v4.4.3 Console - RCE | Java | WebApps | |
| 23.3.24 | LaborOfficeFree 19.10 - MySQL Root Password Calculator | Windows | Local | |
| 23.3.24 | Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated) | PHP | WebApps | |
| 23.3.24 | KiTTY 0.76.1.13 - Command Injection | Windows | Local | |
| 23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow | Windows | Local | |
| 23.3.24 | KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow | Windows | Local | |
| 23.3.24 | GitLab CE/EE < 16.7.2 - Password Reset | Java | Remote | |
| 23.3.24 | Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) | Hardware | Remote | |
| 23.3.24 | Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE) | Hardware | Remote | |
| 23.3.24 | SolarView Compact 6.00 - Command Injection | Hardware | Remote | |
| 23.3.24 | Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) | Hardware | Remote | |
| 23.3.24 | JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) | Java | Remote | |
| 23.3.24 | SnipeIT 6.2.1 - Stored Cross Site Scripting | Multiple | WebApps | |
| 23.3.24 | VMware Cloud Director 10.5 - Bypass identity verification | Multiple | Remote | |
| 23.3.24 | Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE | Hardware | WebApps | |
| 23.3.24 | Client Details System 1.0 - SQL Injection | PHP | WebApps | |
| 23.3.24 | OSGi v3.7.2 (and below) Console - RCE | Multiple | WebApps | |
| 23.3.24 | OSGi v3.8-3.18 Console - RCE | Multiple | WebApps | |
| 23.3.24 | Human Resource Management System 1.0 - 'employeeid' SQL Injection | PHP | WebApps | |
| 23.3.24 | QUARTERRIG | Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader. | Malware | Dropper |
| 23.3.24 | BEATDROP | According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. | Malware | Dropper |
| 23.3.24 | ROOTSAW | Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations | Malware | Spy |
| 23.3.24 | WINELOADER | APT29 Uses WINELOADER to Target German Political Parties | Malware | Loader |
| 22.3.24 | UNC302 | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies | Group | Group |
| 22.3.24 | CVE-2023-46747 | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | CVE | |
| 22.3.24 | Sign1 Malware | Sign1 Malware: Analysis, Campaign History & Indicators of Compromise | Malware | JavaScript |
| 22.3.24 | Revenge RAT | Revenge RAT via malicious PPAM in Latin America, Portugal and Spain | Malware | RAT |
| 22.3.24 | AceCryptor | Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries | Malware | RAT |
| 22.3.24 | Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. | Malware | Loader |
| 22.3.24 | StrelaStealer | StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. | Malware | Stealer |
| 22.3.24 | AcidRain | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. | Malware | Wiper |
| 22.3.24 | AcidPour | AcidPour: New Embedded Wiper Variant of AcidRain Appears in Ukraine | Malware | Wiper |
| 22.3.24 | z0Miner | z0Miner Exploits Korean Web Servers to Attack WebLogic Server | Hacking | Exploit |
| 22.3.24 | AndroxGh0st | AndroxGh0st is a Python-based malware designed to target Laravel applications. It scans for and extracts sensitive information from .env files, exposing credentials for services such as AWS and Twilio. | Malware | Python |
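The AndroxGh0st entry above describes tooling that hunts for exposed Laravel .env files. The Python below is an added example, not the malware or any vendor's detection logic: it runs over constructed Apache-style access log lines (the addresses, timestamps and paths are made up for the example) and reports which clients probed for .env and similar secrets files, which probes were actually answered with a 200 (the file was served, so the credentials in it must be rotated), and which clients issued enough probes to be worth blocking.

```python
"""Flag web-server requests that probe for exposed .env files and similar secrets."""
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths that should never be served by a web server: Laravel .env variants, git config, AWS creds.
SECRET_PATHS = re.compile(r'(^|/)(\.env(\.[\w-]+)?|\.git/config|\.aws/credentials)$', re.IGNORECASE)

# Constructed sample log; not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2024:10:01:04 +0000] "POST / HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "curl/8.0"
198.51.100.9 - - [22/Mar/2024:10:06:00 +0000] "GET /.env.backup HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_secret_probes(log_text):
    """(ip, path, status) for every request whose path (query string stripped) targets a secrets file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SECRET_PATHS.search(rec["path"].split("?", 1)[0]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def exposed_files(log_text):
    """Probes answered with 200: the secrets file was actually served and its contents are burned."""
    return [(ip, path) for ip, path, status in find_secret_probes(log_text) if status == 200]


def probing_clients(log_text, threshold=2):
    """Clients that issued at least `threshold` probes, sorted, as a candidate block list."""
    counts = Counter(ip for ip, _, _ in find_secret_probes(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("probes:", find_secret_probes(SAMPLE_LOG))
    print("served:", exposed_files(SAMPLE_LOG))
    print("block:", probing_clients(SAMPLE_LOG))
```

A 404 or 403 means the probe failed on this host, but the same client usually walks many hosts; the 200 is the one that matters, because whatever keys the file held (the entry names AWS and Twilio) are now in the attacker's hands regardless of any later blocking.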
| 22.3.24 | UNC3886 | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. | Group | Group |
| 22.3.24 | UNC5221 | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. | Group | Group |
| 22.3.24 | CVE-2023-41724 | CVE-2023-41724 (Remote Code Execution) for Ivanti Standalone Sentry | CVE | |
| 22.3.24 | CVE-2024-1597 | pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. | CVE | |
| 22.3.24 | Loop DoS | Loop DoS: New Denial-of-Service Attack targets Application-Layer Protocols | Attack | Application-Layer Protocols |
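Both the 23.3.24 alert on UDP application-protocol loops and the Loop DoS entry above describe the same failure mode: two services that each answer an unexpected datagram with an error message can be locked into an endless exchange by a single packet whose source address is forged to be the other service. The Python below is an added example, not the researchers' code or tooling. It simulates two such services on an in-memory network (no real sockets; the addresses and ports are made up) and contrasts them with a hardened version that never replies to an error message and does not treat a peer on a well-known service port as a client. UDP makes this possible because nothing authenticates the source address; the fix has to be in the protocol implementation's reply logic.

```python
"""Simulate the application-layer UDP loop behind the Loop DoS advisory."""
from collections import deque

ERROR_PREFIX = b"ERR:"


def vulnerable_service(name):
    """Replies to every unrecognised datagram with an error, including to other errors."""
    def handle(src, payload):
        if payload.startswith(b"QUERY"):
            return b"ANSWER from " + name.encode()
        return ERROR_PREFIX + b" unknown request, from " + name.encode()
    return handle


def hardened_service(name):
    """Same service, but it never answers an error message and ignores peers on service ports."""
    def handle(src, payload):
        _host, port = src
        if payload.startswith(ERROR_PREFIX):
            return None          # an error is never itself an error: this alone breaks the loop
        if port < 1024:
            return None          # a well-known port is another server, not a client
        if payload.startswith(b"QUERY"):
            return b"ANSWER from " + name.encode()
        return ERROR_PREFIX + b" unknown request, from " + name.encode()
    return handle


def run_network(services, first_packet, budget=1000):
    """Deliver datagrams until the network goes quiet or the budget runs out.

    A packet is (src, dst, payload). Returns (packets delivered, still looping?).
    """
    queue = deque([first_packet])
    delivered = 0
    while queue and delivered < budget:
        src, dst, payload = queue.popleft()
        delivered += 1
        handler = services.get(dst)
        if handler is None:
            continue
        reply = handler(src, payload)
        if reply is not None:
            # the reply goes to whatever the packet *claimed* as its source: no verification
            queue.append((dst, src, reply))
    return delivered, len(queue) > 0


A = ("10.0.0.1", 123)    # constructed: an NTP-like service
B = ("10.0.0.2", 69)     # constructed: a TFTP-like service


def spoofed_trigger(victim_a, victim_b):
    """The attacker's single datagram: sent to A with B forged as the source address."""
    return (victim_b, victim_a, b"garbage")


def loop_packets(factory):
    """Run the trigger against two services built by `factory` and report what happened."""
    services = {A: factory("A"), B: factory("B")}
    return run_network(services, spoofed_trigger(A, B))


if __name__ == "__main__":
    print("vulnerable:", loop_packets(vulnerable_service))   # exhausts the budget, still looping
    print("hardened:  ", loop_packets(hardened_service))     # one packet, then silence
```

Either hardening check on its own stops this particular loop; the error-to-error rule is the one that generalises, since it holds for any pair of implementations regardless of which ports they use.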
| 20.3.24 | | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | CVE | |
| 20.3.24 | | According to Zscaler, PureCrypter is a fully featured loader sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. | Crypter | |
| 20.3.24 | | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor | Loader | |
| 20.3.24 | | WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous | Stealer | |
| 20.3.24 | | The GlorySprout or a Failed Clone of Taurus Stealer | Stealer | |
| 20.3.24 | | CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers | CoinMiner | |
| 20.3.24 | | A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems. | Wiper | |
| 20.3.24 | | Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. | RAT | |
| 20.3.24 | | A malware campaign employs new TTPs and behaviors to evade detection and deploy NetSupport RAT. | Phishing | |
| 20.3.24 | | Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware | Operation | |
| 20.3.24 | | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions | Group | |
| 20.3.24 | | APT37's ROKRAT HWP Object Linking and Embedding | RAT | |
| 18.3.24 | | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. | CVE | |
| 18.3.24 | | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier, allowing an encoded payload to cause the web server to return files located outside of the web root, which may lead to data leakage. | CVE | |
| 18.3.24 | | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells. | CVE | |
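The two FileCatalyst traversal entries above (the encoded-payload read outside the web root, and the ftpservlet upload landing outside uploadtemp) are one pattern: a client-controlled name is joined to a server directory without confirming where the result lands, and a single round of URL decoding is trusted. The Python below is an added example, not FileCatalyst's code; the upload directory, the blocked-extension list and the file names are assumptions made for the example. It decodes the name until it stops changing (so a double-encoded `%252e%252e%252f` is caught), normalises the joined path, and then checks containment in the upload root rather than pattern-matching for `..`; the extension check addresses the JSP web-shell outcome the third entry describes.

```python
"""Reject upload file names that escape the intended directory, including encoded traversal."""
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/portal/uploadtemp"          # assumed layout for the example
BLOCKED_EXTENSIONS = {".jsp", ".jspx", ".war", ".php", ".phtml"}   # server-executable types


def fully_decode(name, rounds=3):
    """Undo nested URL encoding (%252e -> %2e -> .) until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise ValueError("suspicious: still encoded after %d decode rounds" % rounds)


def resolve_upload_path(filename):
    """Return the absolute destination for an upload, or raise ValueError if it is unsafe."""
    name = fully_decode(filename)
    if "\x00" in name or "\\" in name:
        raise ValueError("NUL or backslash in filename")
    if posixpath.isabs(name):
        raise ValueError("absolute path")
    if not posixpath.basename(name):
        raise ValueError("no file name component")
    # Normalise '.', '..' and duplicate slashes *after* decoding, then confirm containment.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if target != UPLOAD_ROOT and not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("path escapes upload root: " + target)
    if posixpath.splitext(target)[1].lower() in BLOCKED_EXTENSIONS:
        raise ValueError("server-executable file type")
    return target


def is_safe_upload(filename):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_upload_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["report.pdf", "../../etc/passwd", "%2e%2e%2fetc%2fpasswd",
                      "%252e%252e%252fetc%252fpasswd", "shell.jsp", "a.txt%00.jsp"]:
        print(candidate, "->", is_safe_upload(candidate))
```

The containment test compares against `UPLOAD_ROOT + "/"` rather than `UPLOAD_ROOT` alone so that a sibling directory such as `/srv/portal/uploadtemp2` is not accepted as being inside the root.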
| 18.3.24 | | Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. However, cybercriminals are now exploiting SVGs to deliver malware, posing a new threat to unsuspecting users. | Malware | |
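For the SVG entry above, the following Python is an added example (not code from the linked report) of what a mail gateway or upload handler can check before treating an SVG as a harmless image: an SVG is XML that browsers render with a full scripting engine, so script elements, event-handler attributes, `javascript:` links, `foreignObject` with embedded HTML, and remote references are all ways to turn a "picture" into a dropper or a redirect. The sample SVGs are constructed for the example.

```python
"""Inspect SVG files for the active content that malware campaigns embed in them."""
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg} and lower-case."""
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(svg_text):
    """Return a sorted list of findings; an empty list means nothing active was found."""
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.add("active element <%s>" % tag)
        for attr, value in elem.attrib.items():
            name = _local(attr)              # xlink:href and href are treated the same
            lowered = value.strip().lower()
            if name.startswith("on"):        # onload, onclick, onbegin, ...
                findings.add("event handler %s on <%s>" % (name, tag))
            elif name == "href":
                if lowered.startswith(DANGEROUS_SCHEMES):
                    findings.add("script-scheme href on <%s>" % tag)
                elif lowered.startswith(("http://", "https://")):
                    findings.add("remote reference on <%s>" % tag)
    return sorted(findings)


def is_suspicious(svg_text):
    """True if the file should not be rendered inline or delivered as an image."""
    return bool(inspect_svg(svg_text))


# Constructed samples; not real campaign artefacts.
BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/></svg>"""

SCRIPTED = """<svg xmlns="http://www.w3.org/2000/svg">
  <script>window.location = atob("aHR0cDovL2V4YW1wbGUuaW52YWxpZA==")</script></svg>"""

HANDLER = """<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('/stage2')">
  <rect width="10" height="10"/></svg>"""

SMUGGLED = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text>open</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <iframe src="http://example.invalid"/></body></foreignObject></svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("scripted", SCRIPTED),
                          ("handler", HANDLER), ("smuggled", SMUGGLED)]:
        print(label, inspect_svg(sample))
```

Rendering an SVG through an `<img>` tag neutralises most of this (browsers do not run scripts there), but opening the file directly, which is what a mail attachment does, gives it a full document context; rejecting or rasterising anything this inspector flags is the simple policy.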
| 18.3.24 | | From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites | Stealer | |
| 18.3.24 | | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator. | CVE | |
| 18.3.24 | | PowerShell script | Stealer | |
| 18.3.24 | | The malware was used previously in campaigns from July through August, and September 2023. | Stealer | |
| 18.3.24 | | The government computer emergency response team of Ukraine, CERT-UA, detected a malicious document "Nuclear Terrorism A Very Real Threat.rtf", the opening of which leads to the download of an HTML file and the execution of JavaScript code (CVE-2022-30190), which in turn downloads and launches the CredoMap malware. | JavaScript | |
| 18.3.24 | | X-Force’s analysis revealed that OCEANMAP has a strong overlap in both technique and .NET implementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and used as a base to build the new persistent backdoor. | Backdoor | |
| 18.3.24 | | Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus | Python | |
| 18.3.24 | | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns | Group | |
| 18.3.24 | | Microsoft Outlook Elevation of Privilege Vulnerability | CVE | |
| 17.3.24 | 404 Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. | Malware | Keylogger |
| 17.3.24 | RisePro stealer | RisePro stealer targets Github users in “gitgub” campaign | Malware | Stealer |
| 17.3.24 | CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware utilizing speculative execution that is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. | Alert | Alert |
| 17.3.24 | BunnyLoader 3.0 | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled | Malware | Loader |
| 16.3.24 | GhostRace | GhostRace: Exploiting and Mitigating Speculative Race Conditions | Papers | Vulnerability |
| 16.3.24 | GHOSTRACE | GhostRace (CVE-2024-2193) is a new attack combining speculative execution and race conditions, two very challenging classes of attacks. | Vulnerability | CPU |
| 16.3.24 | CVE-2024-2193 | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. | CVE | |
| 14.3.24 | CVE-2023-5528 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | CVE | |
| 14.3.24 | CVE-2024-0778 | A vulnerability, which was classified as critical, has been found in Uniview ISC 2500-S up to 20210930. Affected by this issue is the function setNatConfig of the file /Interface/DevManage/VM.php. The manipulation of the argument natAddress/natPort/natServerPort leads to OS command injection. The exploit has been disclosed to the public and may be used. | CVE | |
| 14.3.24 | Pelmeni Wrapper | Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor) | Malware | Wrapper |
| 14.3.24 | RedCurl | Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence | Malware | CyberSpy |
| 14.3.24 | zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has infostealer functionality that targets browser information and cryptowallets. | Malware | RAT |
| 14.3.24 | Botnet Fenix | Botnet Fenix: New botnet going after tax payers in Mexico and Chile | BOTNET | BOTNET |
| 14.3.24 | CyberGate | According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim’s system. | Malware | RAT |
| 14.3.24 | Planet Stealer | Planet Stealer is a recently identified infostealing malware variant. This Go-based malware has been advertised for sale on underground forums. Planet Stealer targets theft of miscellaneous data from the infected endpoints, including user credentials, browser cookies, cryptowallets, session data, configuration files from various communicator apps and software launchers, etc. | Malware | Stealer |
| 14.3.24 | DBatLoader | Latest DBatLoader Uses Driver Module to Disable AV/EDR Software | Malware | Loader |
| 14.3.24 | APT-C-36 | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc. | Group | APT |
| 14.3.24 | Tweaks Stealer | Tweaks Stealer Targets Roblox Users Through YouTube and Discord | Malware | Stealer |
| 14.3.24 | Phemedrone Stealer | Unveiling Phemedrone Stealer: Threat Analysis and Detections | Malware | Stealer |
| 14.3.24 | Mispadu | According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. | Malware | Banking |
| 14.3.24 | DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. | Malware | Loader |
| 14.3.24 | CVE-2024-21412 | CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign | CVE | |
| 14.3.24 | DarkCasino | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrency exchanges, online casinos, online banks and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online assets. | Group | APT |
| 14.3.24 | CVE-2023-48788 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets. | CVE | |
| 13.3.24 | PixPirate | PixPirate: The Brazilian financial malware you can’t see | Malware | Android |
| 13.3.24 | STRRAT | STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird. | Malware | RAT |
| 13.3.24 | VCURMS | Recently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading new VCURMS and STRRAT remote access trojans (RAT). | Malware | Java |
| 13.3.24 | CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability | CVE | |
| 13.3.24 | CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability | CVE | |
| 13.3.24 | CVE-2024-21400 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | CVE | |
| 13.3.24 | CVE-2024-26170 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | CVE | |
| 13.3.24 | CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability | CVE | |
| 13.3.24 | CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability | CVE | |
| 13.3.24 | CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | CVE | |
| 12.3.24 | BIPClip | RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery. | Malware | PyPI |
| 12.3.24 | CVE-2024-1071 | | CVE | |
| 12.3.24 | CVE-2024-1468 | The Avada Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | CVE | |
| 12.3.24 | Copybara Fraud Operation | On top of this fraud operation architecture, the threat actors (TAs) use social engineering techniques to distribute the Copybara banking trojan, typically smishing and vishing carried out by native-speaking operators. In particular, several samples show TAs distributing Copybara through seemingly legitimate apps that use the logos of well-known banks and authentic-sounding names such as “Caixa Sign Nueva”, “BBVA Codigo” and “Sabadell Codigo”. | Campaign | Operation |
| 12.3.24 | CHAVECLOAK | FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware. Notably, CHAVECLOAK is specifically designed to target users in Brazil, aiming to steal sensitive information linked to financial activities. | Malware | Banking |
| 11.3.24 | Sitecore - Remote Code Execution v8.2 | ASPX | WebApps | |
| 11.3.24 | Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read | Multiple | WebApps | |
| 11.3.24 | WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover | PHP | WebApps | |
| 11.3.24 | Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass | Windows | Local | |
| 11.3.24 | Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR | Hardware | WebApps | |
| 11.3.24 | Hide My WP < 6.2.9 - Unauthenticated SQLi | PHP | WebApps | |
| 11.3.24 | Akaunting < 3.1.3 - RCE | PHP | WebApps | |
| 11.3.24 | Ladder v0.0.21 - Server-side request forgery (SSRF) | Go | WebApps | |
| 11.3.24 | DataCube3 v1.0 - Unrestricted file upload 'RCE' | PHP | WebApps | |
| 11.3.24 | Numbas < v7.3 - Remote Code Execution | NodeJS | WebApps | |
| 11.3.24 | TP-Link TL-WR740N - Buffer Overflow 'DOS' | Hardware | WebApps | |
| 11.3.24 | GLiNet - Router Authentication Bypass | Hardware | WebApps | |
| 11.3.24 | elFinder Web file manager Version - 2.1.53 Remote Command Execution | PHP | WebApps | |
| 11.3.24 | CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution | PHP | WebApps | |
| 11.3.24 | CVE-2023-50071 - Multiple SQL Injection | PHP | WebApps | |
| 11.3.24 | Lot Reservation Management System - Unauthenticated File Disclosure | PHP | WebApps | |
| 11.3.24 | Lot Reservation Management System - Unauthenticated File Upload and Remote Code Execution | PHP | WebApps | |
| 11.3.24 | kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition | PHP | WebApps | |
| 11.3.24 | Neontext WordPress Plugin - Stored XSS | PHP | WebApps | |
| 11.3.24 | Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 - Stored XSS | Hardware | WebApps | |
| 11.3.24 | Easywall 0.3.1 - Authenticated Remote Command Execution | Multiple | WebApps | |
| 11.3.24 | R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure | Hardware | Remote | |
| 11.3.24 | GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit | Hardware | Remote | |
| 11.3.24 | TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution | Hardware | Remote | |
| 11.3.24 | GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit | Hardware | Remote | |
| 11.3.24 | GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit | Hardware | Remote | |
| 11.3.24 | Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) | Hardware | Remote | |
| 11.3.24 | A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc | Multiple | Local | |
| 11.3.24 | Boss Mini 1.4.0 - local file inclusion | PHP | WebApps | |
| 11.3.24 | Magento ver. 2.4.6 - XSLT Server Side Injection | Multiple | WebApps | |
| 11.3.24 | TPC-110W - Missing Authentication for Critical Function | Hardware | Remote | |
| 11.3.24 | Enrollment System v1.0 - SQL Injection | PHP | Remote | |
| 11.3.24 | AC Repair and Services System v1.0 - Multiple SQL Injection | PHP | Remote | |
| 11.3.24 | Windows PowerShell - Event Log Bypass Single Quote Code Execution | Windows_x86-64 | Local | |
| 11.3.24 | Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection | PHP | Remote | |
| 11.3.24 | Simple Student Attendance System v1.0 - Time Based Blind SQL Injection | PHP | Remote | |
| 11.3.24 | Real Estate Management System v1.0 - Remote Code Execution via File Upload | PHP | Remote | |
| 11.3.24 | Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload | PHP | Remote | |
| 11.3.24 | Petrol Pump Management Software v.1.0 - SQL Injection | PHP | Remote | |
| 11.3.24 | Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file | PHP | Remote | |
| 11.3.24 | Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting | PHP | Remote | |
| 11.3.24 | WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection | PHP | WebApps | |
| 11.3.24 | (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] | Linux | Local | |
| 11.3.24 | Blood Bank v1.0 - Multiple SQL Injection | PHP | WebApps | |
| 11.3.24 | Saflok - Key Derivation Function Exploit | Hardware | Local | |
| 11.3.24 | WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS) | PHP | WebApps | |
| 11.3.24 | WP Rocket < 2.10.3 - Local File Inclusion (LFI) | PHP | WebApps | |
| 11.3.24 | Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit) | Multiple | WebApps | |
| 11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - XSRF | Hardware | Remote | |
| 11.3.24 | TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution | Hardware | Remote | |
| 11.3.24 | WordPress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) | PHP | WebApps | |
| 11.3.24 | Executables Created with perl2exe < V30.10C - Arbitrary Code Execution | Multiple | Remote | |
| 11.3.24 | Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin | PHP | WebApps | |
| 11.3.24 | Automatic-Systems SOC FL9600 FastLine - Directory Traversal | PHP | WebApps | |
| 11.3.24 | SuperStoreFinder - Multiple Vulnerabilities | PHP | WebApps | |
| 11.3.24 | Moodle 4.3 - Insecure Direct Object Reference | PHP | WebApps | |
| 11.3.24 | Zoo Management System 1.0 - Unauthenticated RCE | PHP | WebApps | |
| 11.3.24 | dawa-pharma 1.0-2022 - Multiple-SQLi | PHP | WebApps | |
| 11.3.24 | IBM i Access Client Solutions v1.1.2 - 1.1.4, v1.1.4.3 - 1.1.9.4 - Remote Credential Theft | Windows_x86-64 | Remote | |
| 11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure' | Multiple | Remote | |
| 11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS' | Multiple | DoS | |
| 11.3.24 | Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration | Multiple | Remote | |
| 11.3.24 | FAQ Management System v1.0 - 'faq' SQL Injection | PHP | Remote | |
| 11.3.24 | Flashcard Quiz App v1.0 - 'card' SQL Injection | PHP | Remote | |
| 11.3.24 | Online Shopping System Advanced - Sql Injection | PHP | WebApps | |
| 11.3.24 | taskhub 2.8.7 - SQL Injection | PHP | WebApps | |
| 11.3.24 | comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset | PHP | WebApps | |
| 11.3.24 | Simple Inventory Management System v1.0 - 'email' SQL Injection | PHP | Exploit | Remote |
| 11.3.24 | BianLian Ransomware Group | BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078],[T1133] or via phishing [T1566]. | REPORT | Ransomware |
| 11.3.24 | BianLian | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. | Group | Ransomware |
| 11.3.24 | BianDoor | | Malware | Backdoor |
| 11.3.24 | CVE-2023-42793 | In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible. | CVE | |
| 11.3.24 | CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | CVE | |
| 11.3.24 | CVE-2024-1403 | In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14 and 12.8.1, on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. | CVE | |
| 11.3.24 | MAGNET GOBLIN | Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal within one day of a PoC for it being published. | Group | Group |
| 9.3.24 | Sciener firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks | Kontrol and Elock locks are electronic locks that utilize firmware provided by Sciener. This firmware works in tandem with an app, called the TTLock app, which is also produced by Sciener. | Alert | Alert |
| 8.3.24 | CVE-2024-20338 | A vulnerability in the ISE Posture (System Scan) module of Cisco Secure Client for Linux could allow an authenticated, local attacker to elevate privileges on an affected device. | CVE | |
| 8.3.24 | CVE-2024-20337 | A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. | CVE | |
| 8.3.24 | CRLF Injection | The term CRLF refers to Carriage Return (ASCII 13, \r) followed by Line Feed (ASCII 10, \n). The pair marks the end of a line, but today’s popular operating systems treat it differently: Windows requires both CR and LF to terminate a line, whereas Linux/UNIX requires only LF. In the HTTP protocol, the CR-LF sequence is always used to terminate a line. | Attack | OS |
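The CRLF Injection entry above defines the terminator but does not show the consequence. The following is an added, self-contained Python example (not code from any product or report listed on this page) that builds an HTTP redirect two ways: a vulnerable builder that copies a percent-decoded, attacker-supplied target straight into the Location header, and a hardened one that rejects CR, LF and NUL before the value reaches the header block. The query value, the header layout and the small response parser are constructed for the example.

```python
"""Added example: HTTP response splitting through CRLF injection.

An HTTP/1.1 header block is a sequence of "Name: value" lines terminated by
CR LF. If a value that the attacker controls contains CR LF, the line ends
early and the remainder is parsed as further headers (here a forged
Set-Cookie). Everything below is constructed for illustration.
"""
from urllib.parse import unquote

CRLF = "\r\n"


def render_redirect_vulnerable(target: str) -> str:
    # Copies the caller-supplied target directly into the header block.
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def render_redirect_hardened(target: str) -> str:
    # Reject any line terminator or NUL before the value can reach the header
    # block. Rejecting is safer than stripping, which can leave a mangled value.
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("header value contains CR, LF or NUL")
    return render_redirect_vulnerable(target)


def redirect_from_query(encoded_target: str, hardened: bool) -> str:
    # Web frameworks percent-decode query parameters, so "%0d%0a" in the URL
    # is a literal CR LF by the time it reaches the header builder.
    target = unquote(encoded_target)
    builder = render_redirect_hardened if hardened else render_redirect_vulnerable
    return builder(target)


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    # Minimal HTTP/1.1 head parser: status line, then "Name: value" lines up to
    # the blank line. Header names are case-insensitive, so they are lowercased.
    head, _, _body = raw.partition(CRLF + CRLF)
    headers: dict[str, list[str]] = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hardened_rejects(encoded_target: str) -> bool:
    # True when the hardened path refuses the value, the desired outcome for an attack.
    try:
        redirect_from_query(encoded_target, hardened=True)
    except ValueError:
        return True
    return False


# Constructed attack input: a percent-encoded CR LF followed by a forged header.
MALICIOUS_TARGET = "/home%0d%0aSet-Cookie:%20session=attacker-controlled"

if __name__ == "__main__":
    split = parse_response_headers(redirect_from_query(MALICIOUS_TARGET, hardened=False))
    print("vulnerable response headers:", split)  # forged Set-Cookie became a real header
    print("hardened path rejected the value:", hardened_rejects(MALICIOUS_TARGET))
```

Rejecting rather than stripping is deliberate: silently removing `\r\n` can still produce a value the application never intended. Most HTTP libraries (Python's http.client, for instance) already raise on CR or LF in header values, so the check matters wherever raw header text is assembled by hand or by a component that predates those guards.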
| 8.3.24 | QEMU Emulator Exploited | Cyberattackers tend to give preference to legitimate tools when taking various attack steps, as these help them evade detection systems while keeping malware development costs down to a minimum. | Exploit | Exploit |
| 8.3.24 | Jasmin | GoodWill Ransomware? Or Just Another Jasmin Variant? | Ransomware | Ransomware |
| 8.3.24 | CVE-2024-27199 | In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. | CVE | |
| 8.3.24 | CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | CVE | |
| 7.3.24 | MgBot | My Tea’s not cold. An overview of China’s cyber threat | Malware | Bot |
| 7.3.24 | Evasive Panda | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. | Group | APT |
| 7.3.24 | Snake | In this Threat Analysis Report, Cybereason Security Services dives into the Python Infostealer, delivered via GitHub and GitLab, that ultimately exfiltrates credentials via Telegram Bot API or other well known platforms. | Malware | InfoStealer |
| 7.3.24 | WogRAT | AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. The malware supports both the PE format, which targets Windows systems, and the ELF format, which targets Linux systems. | Malware | RAT |
| 7.3.24 | TA4903 | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids | Group | Phishing |
| 7.3.24 | Quishing | QR codes have had a great run in the past few years, diffusing into almost every aspect of our lives, from looking at restaurant menus and paying for products or services online and offline to accessing websites with greater ease. While the positives of QR codes are clearly visible, both from a business and user perspective, their usage has some pitfalls. | Hacking | Mobil |
| 7.3.24 | 8220 Mining Group | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. | Group | Cryptocurrency |
| 7.3.24 | Abyss Locker | On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. | Ransomware | Ransomware |
| 7.3.24 | Spinning YARN | Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence | Campaign | Campaign |
| 7.3.24 | SpyNote | The malware has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code | Malware | RAT |
| 7.3.24 | BlackCat (ALPHV) Attack | Explore the thwarted cyber extortion attempt by the BlackCat ransomware group, unraveled by Sygnia’s Incident Response team in mid-2023. | Ransomware | Ransomware |
| 6.3.24 | CVE-2024-22255 | VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process. | CVE | |
| 6.3.24 | CVE-2024-22254 | VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox. | CVE | |
| 6.3.24 | CVE-2024-22253 | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. | CVE | |
| 6.3.24 | CVE-2024-22252 | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. | CVE | |
| 6.3.24 | GhostSec | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. | Group | Ransomware |
| 6.3.24 | UNC1945 | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. | Group | APT |
| 6.3.24 | APT32 | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. | Group | APT |
| 6.3.24 | OceanLotus | According to PCrisk, research shows that the OceanLotus backdoor targets macOS computers. The cyber criminals behind this backdoor have already used it to attack human rights and media organizations, some research institutes, and maritime construction companies. | Malware | OSX |
| 6.3.24 | CVE-2024-23296 | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. | CVE | |
| 6.3.24 | CVE-2024-23225 | A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited. | CVE | |
| 6.3.24 | Kimsuky | JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky | Group | APT |
| 6.3.24 | CVE-2024-1709 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. | CVE | |
| 6.3.24 | CVE-2024-1708 | ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | CVE | |
| 6.3.24 | TODDLERSHARK | TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant | Malware | VBS |
| 5.3.24 | BEWARE THE SHALLOW WATERS: SAVVY SEAHORSE LURES VICTIMS TO FAKE INVESTMENT PLATFORMS THROUGH FACEBOOK ADS | DNS threat actors never cease to surprise us. Every day, we learn about creative new campaigns they have devised to exploit victims. Investment scams are one of these. The US Federal Trade Commission reported that more money was lost to investment scams in the US during 2023 than to any other type of scam, totaling over USD 4.6 billion stolen from victims. | REPORT | REPORT |
| 5.3.24 | PASS-THE-HASH ATTACK | Pass the hash (PtH) is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session. | Attack | PtH |
| 5.3.24 | TA577 | TA577’s Unusual Attack Chain Leads to NTLM Data Theft | Group | Group |
| 5.3.24 | CVE-2024-23917 | In JetBrains TeamCity before 2023.11.3, an authentication bypass leading to RCE was possible. | CVE | |
| 5.3.24 | CVE-2024-27199 | In JetBrains TeamCity before 2023.11.4, a path traversal allowing an attacker to perform limited admin actions was possible. | CVE | |
| 5.3.24 | CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible. | CVE | |
| 4.3.24 | Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules | A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions. | REPORT | REPORT |
| 4.3.24 | Fast Adversarial Attacks on Language Models In One GPU Minute | In this paper, we introduce a novel class of fast, beam search-based adversarial attack (BEAST) for Language Models (LMs). | Papers | Papers |
| 4.3.24 | Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs | We demonstrate how images and sounds can be used for indirect prompt and instruction injection in multi-modal LLMs. | Papers | Papers |
| 4.3.24 | ComPromptMized | ComPromptMized: Unleashing Zero-click Worms that Target GenAI-Powered Applications | Attack | AI |
| 4.3.24 | CACTUS | CACTUS: Analyzing a Coordinated Ransomware Attack on Corporate Networks | Ransomware | Ransomware |
| 2.3.24 | MAR-10448362-1.v1 Volt Typhoon | CISA received three files for analysis obtained from a critical infrastructure compromised by the People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon. | CERT | CERT |
| 2.3.24 | CVE-2019-3568 | A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. | CVE | |
| 2.3.24 | Scattered Spider | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. | Group | Hacking |
| 2.3.24 | CryptoChameleon | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | Cryptocurrency | Phishing |
| 2.3.24 | GUloader | GUloader Unmasked: Decrypting the Threat of Malicious SVG Files | Malware | Loader |
| 2.3.24 | BlackTech | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. | Group | CyberSpy |
| 2.3.24 | BIFROSE | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users | Malware | RAT |
| 2.3.24 | CVE-2023-46805 | (CVSS score: 8.2) - Authentication bypass vulnerability in web component | CVE | |
| 2.3.24 | CVE-2024-21887 | (CVSS score: 9.1) - Command injection vulnerability in web component | CVE | |
| 2.3.24 | CVE-2024-21888 | (CVSS score: 8.8) - Privilege escalation vulnerability in web component | CVE | |
| 2.3.24 | CVE-2024-21893 | (CVSS score: 8.2) - SSRF vulnerability in the SAML component | CVE | |
| 2.3.24 | CVE-2024-22024 | (CVSS score: 8.3) - XXE vulnerability in the SAML component | CVE | |
| 2.3.24 | GOLDEN TICKET | A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD). | Attack | Attack |
| 2.3.24 | Golden SAML | Golden SAML, an attack technique that exploits the SAML single sign-on protocol, was used as a post-breach exploit, compounding the devastating SolarWinds attack of 2020—one of the largest breaches of the 21st century. | Attack | Attack |
| 2.3.24 | Peach Sandstorm | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. | Group | APT |
| 2.3.24 | LightBasin | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. | Group | APT |
| 2.3.24 | GTPDOOR | GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange | Malware | Backdoor |
| 2.3.24 | CVE-2024-21338 | Windows Kernel Elevation of Privilege Vulnerability | CVE | |
| 2.3.24 | WINELOADER | European diplomats targeted by SPIKEDWINE with WINELOADER | Malware | Loader |
| 1.3.24 | UNC3886 | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. | Group | Group |
| 1.3.24 | CVE-2024-21887 | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. | CVE | |
| 1.3.24 | CVE-2024-21893 | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | CVE | |
| 1.3.24 | MINIBIKE | A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure. | Malware | Backdoor |
| 1.3.24 | MINIBUS | A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE | Malware | Backdoor |
| 1.3.24 | LIGHTRAIL | A tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure | Malware | Backdoor |
| 1.3.24 | Tortoiseshell | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. | Group | Group |
| 1.3.24 | Bohrium | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. | Group | Group |
| 1.3.24 | UNC1549 | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors | BigBrother | CyberSpy |
| 28.2.24 | Pony (also known as Fareit or Siplog) is a malware family categorized as a loader and stealer, although it is also used as a botnet; the tool has been in use for more than 10 years and is still active. | Stealer | | |
| 28.2.24 | New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group | Backdoor | | |
| 28.2.24 | Russian Cyber Actors Use Compromised Routers to | Actions EdgeRouter network defenders and users should implement to protect against APT28 activity | REPORT | |
| 28.2.24 | When Stealers Converge: New Variant of Atomic Stealer in the Wild | Stealer | | |
| 28.2.24 | According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. | Banking | | |
| 28.2.24 | Modular malware framework targeting SOHO network devices | Linux | | |
| 28.2.24 | Compromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in Europe and the Caucasus | Loader | | |
| 28.2.24 | Microsoft Outlook Elevation of Privilege Vulnerability | CVE | | |
| 28.2.24 | SVR cyber actors adapt tactics for initial cloud access | APT | | |
| 28.2.24 | 4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin | CVE | | |
| 28.2.24 | Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) | RAT | | |
| 28.2.24 | A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures. | CVE | | |
| 27.2.24 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | CVE | | |
| 27.2.24 | The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. | CVE | | |
| 27.2.24 | Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland | Loader | | |
| 27.2.24 | “SubdoMailing” — Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions of Malicious Emails | SPAM | | |
| 27.2.24 | DarkVNC is a hidden utility based on the Virtual Network Computing (VNC) technology, initially promoted on the Exploit forum in 2016. | Stealer | | |
| 27.2.24 | We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. | RAT | | |
|
27.2.24 |
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. |
RAT |
||
|
27.2.24 |
Ousaban: LATAM Banking Malware Abusing Cloud Services |
Banking |
||
|
27.2.24 |
Tweet on recent Mekotio Banker campaign |
Banking |
||
|
27.2.24 |
First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. |
Banking |
||
|
25.2.24 |
Microsoft Windows Defender Bypass - Detection Mitigation Bypass |
|||
|
25.2.24 |
Lost and Found Information System v1.0 - (IDOR) leads to Account Takeover |
|||
|
25.2.24 |
ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure |
|||
|
25.2.24 |
VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) - Remote Denial Of Service |
|||
|
25.2.24 |
This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. |
Ransomware |
||
|
23.2.24 |
The issue was addressed with additional permissions checks. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3 and iPadOS 17.3. A shortcut may be able to use sensitive data with certain actions without prompting the user. |
CVE |
||
|
23.2.24 |
iMessage with PQ3: The new state of the art in quantum-secure messaging at scale |
Crypto |
Crypto |
|
|
22.2.24 |
SSH-Snake: New Self-Modifying Worm Threatens Networks |
Worm |
||
|
22.2.24 |
To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer |
RAT |
||
|
22.2.24 |
The Access Point functionality in eapol_auth_key_handle in eapol.c in iNet wireless daemon (IWD) before 2.14 allows attackers to gain unauthorized access to a protected Wi-Fi network. An attacker can complete the EAPOL handshake by skipping Msg2/4 and instead sending Msg4/4 with an all-zero key. |
CVE |
||
|
22.2.24 |
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. |
CVE |
||
|
21.2.24 |
Mustang Panda’s PlugX new variant targeting Taiwanese government and diplomats |
Stealer |
||
|
21.2.24 |
CHINESE THREAT ACTORS TARGETING EUROPE IN SMUGX CAMPAIGN |
Campaign |
||
|
21.2.24 |
Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war |
Operation |
||
|
21.2.24 |
Extra credit: VietCredCare information stealer takes aim at Vietnamese businesses |
Stealer |
||
|
21.2.24 |
Earth Preta Campaign Uses DOPLUGS to Target Asia |
Campaign |
||
|
21.2.24 |
Session Hijack vulnerability in the deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a Windows operating system to hijack a privileged EAP session when initiated by a privileged domain user on the same system. |
CVE |
||
|
21.2.24 |
Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). |
CVE |
||
|
21.2.24 |
Migo - a Redis Miner with Novel System Weakening Techniques |
Miner |
||
|
21.2.24 |
Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. |
Backdoor |
||
|
21.2.24 |
According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. |
Wiper |
||
|
21.2.24 |
Israel-Hamas War in Cyber |
REPORT |
||
|
21.2.24 |
CVE-2024-25600 (CVSS score: 9.8) enables unauthenticated attackers to achieve remote code execution. It impacts all versions of Bricks up to and including 1.9.6. |
CVE |
||
|
19.2.24 |
Anatsa Trojan Returns: Targeting Europe and Expanding Its Reach |
Android |
||
|
19.2.24 |
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign |
Group |
||
|
19.2.24 |
Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. |
Backdoor |
||
|
18.2.24 |
Raccoon Stealer v2 – Part 1: The return of the dead |
Stealer |
||
|
18.2.24 |
An info stealer is malicious software (malware) that seeks to steal private data from a compromised device, including passwords, cookies, autofill information from browsers, and cryptocurrency wallet information. |
Stealer |
||
|
17.2.24 |
According to CERT-UA, this malware makes use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking. Its specificity is the presence of a server part, which is usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively turning a legitimate server into a malware control center. |
Backdoor |
||
|
17.2.24 |
TinyTurla Next Generation - Turla APT spies on Polish NGOs |
Backdoor |
||
|
17.2.24 |
FLATLINED: ANALYZING PULSE SECURE FIRMWARE AND BYPASSING INTEGRITY CHECKING |
CVE |
||
|
17.2.24 |
Group-IB uncovers the first iOS Trojan harvesting facial recognition data used for unauthorized access to bank accounts. The GoldDigger family grows |
iOS |
||
|
17.2.24 |
This malware is delivered by an ISO file, with a DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed to fetch Cobalt Strike payloads. |
Loader |
||
|
17.2.24 |
Water Hydra’s Zero-Day Attack Chain Targets Financial Traders |
APT |
||
|
17.2.24 |
Internet Shortcut Files Security Feature Bypass Vulnerability |
CVE |
||
|
17.2.24 |
CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day |
Loader |
||
|
17.2.24 |
(CVSS score: 6.5) - Windows Hyper-V Denial of Service Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 7.5) - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 8.0) - Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 9.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 9.8) - Microsoft Outlook Remote Code Execution Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 8.1) - Internet Shortcut Files Security Feature Bypass Vulnerability |
CVE |
||
|
17.2.24 |
(CVSS score: 7.6) - Windows SmartScreen Security Feature Bypass Vulnerability |
CVE |
||
|
17.2.24 |
Diving Into Glupteba's UEFI Bootkit |
BOTNET |
||
|
17.2.24 |
Diving Into Glupteba's UEFI Bootkit |
Bootkit |
||
|
17.2.24 |
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. |
Loader |
||
|
17.2.24 |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. |
CVE |
||
|
17.2.24 |
Ivanti Connect Secure: Journey to the core of the DSLog backdoor |
Backdoor |
||
|
17.2.24 |
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. |
CVE |
||
|
17.2.24 |
Akira Ransomware and Exploitation of Cisco AnyConnect Vulnerability CVE-2020-3259 |
Ransomware |
||
|
17.2.24 |
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. |
CVE |
||
|
17.2.24 |
New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group |
macOS |
||
|
17.2.24 |
SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud |
Spam |
||
|
12.2.24 |
Korea Internet & Security Agency (KISA) distributes a recovery tool for Rhysida ransomware. |
Anti-Ransom tool |
||
|
12.2.24 |
The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT. |
RAT |
||
|
10.2.24 |
New MacOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group |
Backdoor |
||
|
10.2.24 |
RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS |
Worm |
||
|
10.2.24 |
WordPress Augmented-Reality - Remote Code Execution Unauthenticated |
|||
|
10.2.24 |
Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated) |
|||
|
10.2.24 |
Clinic's Patient Management System 1.0 - Unauthenticated RCE |
|||
|
10.2.24 |
Curfew e-Pass Management System 1.0 - FromDate SQL Injection |
|||
|
10.2.24 |
GYM MS - GYM Management System - Cross Site Scripting (Stored) |
|||
|
9.2.24 |
MoqHao evolution: New variants start automatically right after installation |
Android |
||
|
9.2.24 |
Coyote: A multi-stage banking Trojan abusing the Squirrel installer |
Banking |
||
|
9.2.24 |
FortiOS - Out-of-bound Write in sslvpnd |
CVE |
||
|
9.2.24 |
CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure |
CVE |
||
|
9.2.24 |
New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization |
Backdoor |
||
|
8.2.24 |
HijackLoader Expands Techniques to Improve Defense Evasion |
Loader |
||
|
8.2.24 |
Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer |
Stealer |
||
|
8.2.24 |
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and takeover the user account. |
CVE |
||
|
8.2.24 |
Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. |
CVE |
||
|
8.2.24 |
Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain regular shell access. |
CVE |
||
|
8.2.24 |
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization. |
CVE |
||
|
8.2.24 |
Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system. |
CVE |
||
|
8.2.24 |
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. |
CVE |
||
|
8.2.24 |
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows an attacker to execute unauthorized code or commands via crafted API requests. |
CVE |
||
|
8.2.24 |
A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. |
CVE |
||
|
8.2.24 |
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. |
CVE |
||
|
8.2.24 |
Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions on an affected device. |
CVE |
||
|
8.2.24 |
KV-Botnet: Don’t Call It A Comeback |
BOTNET |
||
|
7.2.24 |
(CVSS score: 5.3) - Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition |
CVE |
||
|
7.2.24 |
(CVSS score: 7.4) - Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase |
CVE |
||
|
7.2.24 |
(CVSS score: 5.5) - Out-of-bounds read in the authenticode function that could permit an attacker to trigger a DoS by providing a malformed binary |
CVE |
||
|
7.2.24 |
(CVSS score: 5.5) - Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure |
CVE |
||
|
7.2.24 |
(CVSS score: 7.1) - Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data |
CVE |
||
|
7.2.24 |
According to Mandiant, this malware family is attributed to a potential Chinese background and its Linux variant is related to exploitation of Fortinet's SSL-VPN (CVE-2022-42475). |
Backdoor |
||
|
7.2.24 |
According to Mandiant, this malware family is attributed to a potential Chinese background and is directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant. |
ELF |
||
|
7.2.24 |
Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that's designed to grant persistent remote access to the compromised appliances. |
RAT |
||
|
7.2.24 |
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. |
CVE |
||
|
7.2.24 |
In JetBrains TeamCity before 2023.11.3, an authentication bypass leading to RCE was possible. |
CVE |
||
|
6.2.24 |
CrackedCantil: A Malware Symphony Breakdown |
Stealer |
||
|
6.2.24 |
Facebook Advertising Spreads Novel Malware Variant |
Stealer |
||
|
6.2.24 |
(CVSS score: 7.2) - Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability |
CVE |
||
|
6.2.24 |
(CVSS score: 8.8) - Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability |
CVE |
||
|
6.2.24 |
Analysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region |
Group |
||
|
6.2.24 |
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
CVE |
||
|
6.2.24 |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. |
CVE |
||
|
6.2.24 |
A Spyware Vendor Seemingly Made a Fake WhatsApp to Hack Targets |
Spyware |
||
|
6.2.24 |
Skygofree: Following in the footsteps of HackingTeam |
Android |
||
|
5.2.24 |
ESET researchers discovered several Android apps carrying VajraSpy, a RAT used by the Patchwork APT group |
RAT |
||
|
5.2.24 |
New spyware attacks exposed: civil society targeted in Jordan |
Spyware |
||
|
5.2.24 |
This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known as Icebot), and to provide a comprehensive approach to the threat by detailing the related Techniques... |
Loader |
||
|
5.2.24 |
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign |
Stealer |
||
|
5.2.24 |
Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019 |
Stealer |
||
|
5.2.24 |
Windows SmartScreen Security Feature Bypass Vulnerability |
CVE |
||
3.2.24 |
Thanksgiving 2023 security incident |
Incident |
||
3.2.24 |
Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. |
Incident |
||
3.2.24 |
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. |
CVE |
||
3.2.24 |
Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution |
|||
3.2.24 |
Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS |
|||
3.2.24 |
Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal |
|||
3.2.24 |
Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass |
|||
3.2.24 |
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure |
|||
3.2.24 |
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure |
|||
3.2.24 |
mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page |
|||
|
3.2.24 |
The Coldriver Group, also known as Callisto and SEABORGIUM, is a threat actor known to attack government organizations, think tanks, and journalists in Europe and the Caucasus regions through spearphishing campaigns. |
Group |
||
|
3.2.24 |
ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware |
Backdoor |
||
|
3.2.24 |
Microsoft Outlook Elevation of Privilege Vulnerability |
CVE |
||
|
3.2.24 |
Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine |
Group |
||
|
3.2.24 |
NTLM relay attacks: A dangerous game of hot potato |
Attack |
||
|
3.2.24 |
Malware Spotlight – Into the Trash: Analyzing LitterDrifter |
Group |
||
|
3.2.24 |
UAC-0027 Attack Detection: Hackers Target Ukrainian Organizations Using DIRTYMOE (PURPLEFOX) Malware |
Group |
||
|
3.2.24 |
Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor |
Backdoor |
||
2.2.24 |
RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC |
|||
2.2.24 |
GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities |
|||
|
2.2.24 |
UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant |
CyberSpy |
||
|
2.2.24 |
Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal |
Botnet |
||
|
2.2.24 |
We discuss proof-of-concept rootkits and malware used by cybercriminals in conjunction with Berkeley Packet Filtering (BPF), a piece of technology that allows programs to execute code in the operating systems of popular cloud-computing platforms. We also show how to detect such threats. |
Rootkit |
||
|
2.2.24 |
The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker |
|||
|
2.2.24 |
[Microsoft] Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises. |
Group |
||
|
2.2.24 |
HeadCrab 2.0: Evolving Threat in Redis Malware Landscape |
|||
|
2.2.24 |
A type confusion issue was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. |
CVE |
||
|
2.2.24 |
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and iPadOS 16.2, tvOS 16.2. |
CVE |
||
|
1.2.24 |
'Leaky Vessels' Cloud Bugs Allow Container Escapes Globally |
CVE |
||
|
1.2.24 |
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. |
CVE |
||
|
1.2.24 |
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. |
CVE |
||
|
1.2.24 |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. |
CVE |
||
|
1.2.24 |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. |
CVE |
||
|
1.2.24 |
A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. |
CVE |
||
|
1.2.24 |
Telekopye: Hunting Mammoths using Telegram bot |
Bot |
||
|
1.2.24 |
“Scammers Paradise” — Exploring Telegram’s Dark Markets, Breeding Ground for Modern Phishing Operations |
Phishing |
||
|
1.2.24 |
Evolution of UNC4990: Uncovering USB Malware's Hidden Depths |
Python |
||
|
1.2.24 |
Mandiant has observed UNC4990 leverage EMPTYSPACE (also known as VETTA Loader and BrokerLoader), a downloader that can execute any payload served by the command and control (C2) server, and QUIETBOARD, which is a backdoor that was delivered using EMPTYSPACE. |
Backdoor |
||
|
1.2.24 |
Evolution of UNC4990: Uncovering USB Malware's Hidden Depths |
Group |
||
|
1.2.24 |
2023 Adversary Infrastructure Report |
Report |
||
|
1.2.24 |
KRUSTYLOADER - RUST MALWARE LINKED TO IVANTI CONNECTSECURE COMPROMISES |
Loader |
||
|
1.2.24 |
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
CVE |
||
|
1.2.24 |
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. |
CVE |
||
|
1.2.24 |
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. |
CVE |
||
|
1.2.24 |
An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. |
CVE |
||
|
1.2.24 |
An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. |
CVE |
||
|
1.2.24 |
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. |
CVE |
||
|
31.1.24 |
Blood Bank & Donor Management System using v2.2 - Stored XSS |
|||
|
31.1.24 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
Malware traffic |
||
|
31.1.24 |
Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. |
Malware traffic |
||
|
31.1.24 |
Grandoreiro is one of the many Latin American banking trojans, such as Javali, Melcoz, Casbaneiro, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. |
Banking |
||
|
31.1.24 |
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. |
CVE |
||
|
31.1.24 |
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks |
APT |
||
|
31.1.24 |
From Screen Captures to Crypto wallets: Analyzing the Multi-Faceted Threat of Rage Stealer |
Stealer |
||
|
31.1.24 |
RUSSIAN STEALER LOG AGGREGATOR RELEASES FULLY NATIVE INFOSTEALER |
Stealer |
||
|
31.1.24 |
Zloader: No Longer Silent in the Night |
Trojan |
||
|
30.1.24 |
(CVSS score: 5.3) - A missing authentication vulnerability that could lead to exposure of sensitive configuration information |
CVE |
||
|
30.1.24 |
(CVSS score: 8.8) - A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target's permissions by means of a specially crafted request |
CVE |
||
|
30.1.24 |
Microsoft Outlook Information Disclosure Vulnerability |
CVE |
||
|
30.1.24 |
Older Leaks Re-Surface: LOCKBIT Imitator on Surface Web |
Ransomware |
||
|
30.1.24 |
Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks |
Ransomware |
||
|
30.1.24 |
Kuiper ransomware analysis: Stairwell’s technical report |
Ransomware |
||
|
30.1.24 |
The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. |
Ransomware |
||
|
30.1.24 |
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. |
Ransomware |
||
|
30.1.24 |
Another Phobos Ransomware Variant Launches Attack – FAUST |
Ransomware |
||
|
29.1.24 |
LODEINFO is a fileless malware that has been observed in campaigns that start with spear-phishing emails since December 2019. |
Backdoor |
||
|
29.1.24 |
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. |
CVE |
||
|
29.1.24 |
Inside the SYSTEMBC Command-and-Control Server |
Trojan |
||
|
29.1.24 |
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. |
CVE |
||
|
29.1.24 |
Midnight Blizzard: Guidance for responders on nation-state attack |
APT |
||
|
29.1.24 |
AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. |
RAT |
||
|
29.1.24 |
Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver |
Ransomware |
||
|
29.1.24 |
CherryLoader: A New Go-based Loader Discovered in Recent Intrusions |
Go-based |
||
|
29.1.24 |
Android, Java apps susceptible to novel MavenGate software supply chain attack technique |
Supply chain |
||
|
29.1.24 |
It is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. |
RAT |
||
|
29.1.24 |
A type confusion issue was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. |
CVE |
||
|
29.1.24 |
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. |
CVE |
||
|
29.1.24 |
A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s). |
MacOS |
||
|
29.1.24 |
Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet. |
Cryptomining |
||
|
29.1.24 |
Info Stealing Packages Hidden in PyPI |
Python |
||
|
21.1.24 |
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. |
CVE |
||
|
21.1.24 |
vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution. |
CVE |
||
|
20.1.24 |
General-purpose graphics processing unit (GPGPU) platforms from AMD, Apple, and Qualcomm fail to adequately isolate process memory, thereby enabling a local attacker to read memory from other processes. |
Alert |
||
|
20.1.24 |
SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies |
A vulnerability has been found in the way that SMTP servers and software handle the end-of-data sequences (essentially the end of a single email message) in mail messages. |
Alert |
|
|
20.1.24 |
Multiple vulnerabilities were discovered in the TCP/IP stack (NetworkPkg) of Tianocore EDKII, an open source implementation of Unified Extensible Firmware Interface (UEFI). |
Alert |
||
|
20.1.24 |
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. |
Brute Force |
||
|
20.1.24 |
Screentime: Sometimes It Feels Like Somebody's Watching Me |
VBS |
||
|
20.1.24 |
Security Brief: TA866 Returns with a Large Email Campaign |
|||
|
19.1.24 |
Jamf Threat Labs discovers new malware embedded in pirated applications |
OSX |
||
|
19.1.24 |
An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. |
CVE |
||
|
19.1.24 |
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. |
CVE |
||
|
19.1.24 |
Containerised Clicks: Malicious use of 9hits on vulnerable docker hosts |
Cryptocurrency |
||
|
19.1.24 |
Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware |
Group |
||
|
19.1.24 |
(CVSS score: 6.5) - Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message |
CVE |
||
|
19.1.24 |
(CVSS score: 8.3) - Buffer overflow in the DHCPv6 client via a long Server ID option |
CVE |
||
|
19.1.24 |
(CVSS score: 6.5) - Out-of-bounds read when handling a ND Redirect message with truncated options |
CVE |
||
|
19.1.24 |
(CVSS score: 7.5) - Infinite loop when parsing unknown options in the Destination Options header |
CVE |
||
|
19.1.24 |
(CVSS score: 7.5) - Infinite loop when parsing a PadN option in the Destination Options header |
CVE |
||
|
19.1.24 |
(CVSS score: 8.3) - Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message |
CVE |
||
|
19.1.24 |
(CVSS score: 8.3) - Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message |
CVE |
||
|
19.1.24 |
(CVSS score: 5.8) - Predictable TCP Initial Sequence Numbers |
CVE |
||
|
19.1.24 |
(CVSS score: 5.3) - Use of a weak pseudorandom number generator |
CVE |
||
|
18.1.24 |
New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs |
Campaign |
||
|
18.1.24 |
Banking companies worldwide are finally shifting away from custom-made Point of Sale (POS) devices towards the widely adopted and battle-tested Android operating system. |
CVE |
||
|
18.1.24 |
(PHP Unit Command) |
CVE |
||
|
18.1.24 |
(Apache HTTP Server versions), and |
CVE |
||
|
18.1.24 |
(Laravel applications) |
CVE |
||
|
18.1.24 |
CISA and FBI Release Known IOCs Associated with Androxgh0st Malware |
Android |
||
|
18.1.24 |
A lightweight method to detect potential iOS malware |
iOS |
||
|
18.1.24 |
An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. |
CVE |
||
|
18.1.24 |
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. |
CVE |
||
|
17.1.24 |
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. |
CVE |
||
|
17.1.24 |
VMware Aria Automation (formerly vRealize Automation) updates address a Missing Access Control vulnerability (CVE-2023-34063) |
CVE |
||
|
17.1.24 |
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. |
CVE |
||
|
17.1.24 |
Unauthenticated remote code execution |
CVE |
||
|
17.1.24 |
(CVSS score: 8.2) - Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server) |
CVE |
||
|
17.1.24 |
(CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access) |
CVE |
||
|
17.1.24 |
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. |
CVE |
||
|
17.1.24 |
(CVSS score: 9.4) - A stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote, unauthenticated attacker to cause DoS or potentially result in code execution in the firewall. |
CVE |
||
|
17.1.24 |
(CVSS score: 7.5) - A stack-based buffer overflow vulnerability in the SonicOS allows a remote, unauthenticated attacker to cause DoS, which could result in a crash. |
CVE |
||
|
17.1.24 |
Remcos RAT Being Distributed via Webhards |
RAT |
||
|
16.1.24 |
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign |
Stealer |
||
|
16.1.24 |
Windows SmartScreen Security Feature Bypass Vulnerability |
CVE |
||
|
15.1.24 |
(CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023. |
CVE |
||
|
14.1.24 |
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device. |
CVE |
||
|
13.1.24 |
A Missing Release of Memory after Effective Lifetime vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). |
CVE |
||
|
13.1.24 |
An Out-of-bounds Write vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS), or Remote Code Execution (RCE) and obtain root privileges on the device. |
CVE |
||
|
12.1.24 |
Medusa Ransomware Turning Your Files into Stone |
Ransomware |
||
|
12.1.24 |
Apache Applications Targeted by Stealthy Attacker |
Apache |
||
|
12.1.24 |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
CVE |
||
|
12.1.24 |
Microsoft SharePoint Server Elevation of Privilege Vulnerability |
CVE |
||
|
12.1.24 |
Flying Under the Radar: Abusing GitHub for Malicious Infrastructure |
GitHub's services are frequently abused both by cybercriminals and advanced persistent threats (APTs) for a wide range of malicious infrastructure schemes. |
Reports |
|
|
12.1.24 |
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code |
CVE |
||
|
12.1.24 |
Pre-auth RCE in Apache OFBiz 18.12.09. It is due to the XML-RPC component, which is no longer maintained but still present. This issue affects Apache OFBiz before 18.12.10. Users are recommended to upgrade to version 18.12.10. |
CVE |
||
|
12.1.24 |
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code |
CVE |
||
|
12.1.24 |
Exploring FBot | Python-Based Malware Targeting Cloud and Payment Services |
Linux |
||
|
11.1.24 |
Mac users targeted in new malvertising campaign delivering Atomic Stealer |
osx |
||
|
11.1.24 |
(CVSS score: 8.2) - An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. |
CVE |
||
|
11.1.24 |
(CVSS score: 9.1) - A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
CVE |
||
|
11.1.24 |
A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device. |
CVE |
||
|
11.1.24 |
This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. |
CVE |
||
|
11.1.24 |
You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance |
Bot |
||
|
10.1.24 |
Babuk is a Russian ransomware. In September 2021, the source code leaked with some of the decryption keys. Victims can decrypt their files for free. |
Anti-Tool |
||
|
10.1.24 |
Microsoft Office Remote Code Execution Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient. |
CVE |
||
|
10.1.24 |
(CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver |
CVE |
||
|
10.1.24 |
(CVSS score: 9.0) - Windows Kerberos Security Feature Bypass Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 7.5) - Windows Hyper-V Remote Code Execution Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. |
CVE |
||
|
10.1.24 |
(CVSS score: 5.3) - Joomla! Improper Access Control Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 9.8) - D-Link DSL-2750B Devices Command Injection Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 7.8) - Apple Multiple Products Code Execution Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
CVE |
||
|
10.1.24 |
(CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability |
CVE |
||
|
10.1.24 |
Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. |
Loader |
||
|
10.1.24 |
Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware |
Campaign |
||
|
10.1.24 |
Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware |
Operation |
||
|
9.1.24 |
A cross-site scripting (XSS) vulnerability in QuMagie that could allow authenticated users to inject malicious code via a network (Addressed in QuMagie 2.2.1 and later) |
CVE |
||
|
9.1.24 |
An operating system command injection vulnerability in QuMagie that could allow authenticated users to execute commands via a network (Addressed in QuMagie 2.2.1 and later) |
CVE |
||
|
9.1.24 |
An SQL injection vulnerability in Video Station that could allow users to inject malicious code via a network (Addressed in Video Station 5.7.2 and later) |
CVE |
||
|
9.1.24 |
An operating system command injection vulnerability in Video Station that could allow users to execute commands via a network (Addressed in Video Station 5.7.2 and later) |
CVE |
||
|
9.1.24 |
An unauthenticated remote code execution vulnerability in Netatalk that could allow attackers to execute arbitrary code (Addressed in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110) |
CVE |
||
|
9.1.24 |
Deceptive Cracked Software Spreads Lumma Variant on YouTube |
Stealer |
||
|
9.1.24 |
A GAMER TURNED MALWARE DEVELOPER : DIVING INTO SILVERRAT AND IT’S SYRIAN ROOTS |
RAT |
||
|
6.1.24 |
Today will be a quick post on a TA444 (aka Sapphire Sleet, BLUENOROFF, STARDUST CHOLLIMA) Macho family tracked as SpectralBlur we found in August, and how finding it led us to stumble upon an early iteration of KANDYKORN (aka SockRacket). Please read Elastic’s EXCELLENT piece on that family. |
macOS |
||
|
6.1.24 |
Wiper attack on Albania by Iranian APT |
Wiper |
||
|
5.1.24 |
Exclusive: Russian hackers were inside Ukraine telecoms giant for months |
Incident |
Incident |
|
|
5.1.24 |
Win32k Elevation of Privilege Vulnerability |
CVE |
||
|
5.1.24 |
Bandook - A Persistent Threat That Keeps Evolving |
RAT |
||
|
5.1.24 |
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method for Evasion |
RAT |
||
|
3.1.24 |
WhiteSnake Stealer malware sample on MalwareBazaar |
Stealer |
||
|
3.1.24 |
RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data. |
Stealer |
||
|
3.1.24 |
In the course of a research project in collaboration with the SEC Consult Vulnerability Lab, Timo Longin (@timolongin) - known for his DNS protocol attacks - discovered a novel exploitation technique for yet another Internet protocol - SMTP (Simple Mail Transfer Protocol). Threat actors could abuse vulnerable SMTP servers worldwide to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks. Due to the nature of the exploit itself, this type of vulnerability was dubbed SMTP smuggling. Multiple 0-days were discovered, and various vendors were notified during our responsible disclosure in 2023. |
SPAM |
||
|
1.1.24 |
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. |
DLL |
||
|
1.1.24 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. |
CVE |
||
|
1.1.24 |
Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation |
SSH |
||
|
1.1.24 |
On Christmas Eve, Resecurity's HUNTER (HUMINT) unit spotted that the author of the Meduza password stealer had released a new version (2.2). |
Stealer |
||
|
1.1.24 |
Jinx – Malware 2.0 We know it’s big, we measured it! |
Stealer |