January(137)  February(207)  March(430) April(317) May(278)  June(204)

i

DATE

NAME

CATEGORY

SUBCATE

INFO

19.6.24AzzaSec RansomwareALERTSRANSOMAzzaSec is another run-of-the-mill ransomware variant found being distributed in the wild. The malware encrypts user files and appends .AzzaSec extension to them. The attackers behind this variant leave a ransom note demanding payment in Bitcoin for the file decryption.  
19.6.24New strain of Diamorphine Linux rootkitALERTSVIRUSA new variant of an open-source LKM (Loadable Kernel Module) rootkit dubbed Diamorphine has been found in the wild.
19.6.24Malvertising Campaign Targets Users With Fake Software InstallersALERTSVIRUSA malvertising campaign has been observed, enticing users to download masqueraded installers disguised as popular software such as Google Chrome and Microsoft Teams.
19.6.24Hijack Loader and Vidar Stealer targeting Cisco Webex usersALERTSVIRUSMalware campaigns affecting users in Latin America and the Asia Pacific regions have recently been reported. These campaigns target users of popular commercial software such as the Cisco Webex Meetings App, enticing them to download password-protected archive files containing trojanized software copies.
19.6.24Rogue Raticate Malspam Campaign: Malicious PDFs Lead to NetSupport RATALERTSVIRUSThe cybercriminal group known as Rogue Raticate (aka RATicate) has been active for a few years now and is well-known for targeting enterprises using malicious emails and remote access trojans. This week another one of their campaigns was observed.
19.6.24UNC3886GROUPCAMPAIGNCloaked and Covert: Uncovering UNC3886 Espionage Operations
19.6.24Void ArachneCAMPAIGNMalwareBehind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework
19.6.24markopoloCRYPTOCURRENCYScamThe Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications
18.6.24PowerShell Self-PwnHACKINGPowerShellProofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware.
18.6.24Vortax: MacOS Malware Campaign UnveiledALERTSVIRUSA recent malware campaign targeting macOS vulnerabilities to distribute infostealers has surfaced. The threat actor, identified as markopolo, is actively aiming at cryptocurrency users.
18.6.24Cryptojacking campaign exploiting Docker engine vulnerabilitiesALERTSCRYPTOCURRENCYA new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen malware campaign dubbed Spinning YARN. The attack vector starts by scanning for open port 2375 and deploying an Alpine Linux container.
18.6.24Rapax Ransomware ALERTSRANSOMRapax is a ransomware whose binaries have recently been submitted to a public malware analysis and detection platform. The ransom note found on compromised machines (instruction.txt) reveals that the author focuses solely on encrypting files rather than employing exfiltration and double-extortion tactics, demanding a ransom of 5,000 US dollars in Bitcoin for decryption.
18.6.24Hijack LoaderMALWARELoaderInfo Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion
18.6.24Spinning YARNCAMPAIGNMalwareSpinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
18.6.24CVE-2024-37081

VULNEREBILITY

CVE

Multiple VMware vCenter Server Flaws Allow Remote Code Execution
17.6.24COATHANGERMALWARERATMinistry of Defence of the Netherlands uncovers COATHANGER,a stealthy Chinese FortiGate RAT
17.6.24Limpopo ransomware targets ESXi serversALERTSRANSOMLimpopo is new ransomware variant targeting the vulnerable ESXi servers, as reported by Fortinet.
17.6.24CVE-2024-28995 - SolarWinds Serv-U Directory Traversal vulnerabilityALERTSVULNEREBILITYCVE-2024-28995 is a recently disclosed Directory Traversal vulnerability affecting Serv-U managed file transfer (MFT) server solution.
17.6.24Unfading Sea HazeREPORTREPORTDeep Dive into the Unfading Sea Haze A technical look at a threat actor’s ever-evolving tools and tactics
17.6.24Mass exploitationPAPERSPAPERSThe vulnerable edge of enterprise security
17.6.24Velvet AntOPERATIONOPERATIONChina-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
17.6.24Unfading Sea HazeOPERATIONOPERATIONUnfading Sea Haze: New Espionage Campaign in the South China Sea
17.6.24CVE-2024-3079

VULNEREBILITY

CVE

Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device.
17.6.24CVE-2024-3080

VULNEREBILITY

CVE

Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.
17.6.24ARM 'TIKTAG' attackPAPERSPAPERSTIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi
17.6.24ARM 'TIKTAG' attackATTACKARM CPUTIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi
17.6.24BadSpace MALWAREBackdoorBackdoor BadSpace delivered by high-ranking infected websites
17.6.24NiceRAT MALWARERATBotnet Installing NiceRAT Malware
16.6.24Boelter Blue System Management 1.3 - SQL Injection

Exploit

WebAppsPHP
16.6.24Rebar3 3.13.2 - Command Injection

Exploit

WebAppsMultiple
16.6.24ZwiiCMS 12.2.04 - Remote Code Execution (Authenticated)

Exploit

WebAppsPHP
16.6.24Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit)

Exploit

RemoteHardware
16.6.24WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)

Exploit

WebAppsPHP
16.6.24PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)ExploitWebAppsPHP
16.6.24AEGON LIFE v1.0 Life Insurance Management System - SQL injection vulnerability.

Exploit

WebAppsPHP
16.6.24AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)

Exploit

WebAppsPHP
16.6.24XMB 1.9.12.06 - Stored XSSExploitWebAppsPHP
16.6.24Carbon Forum 5.9.0 - Stored XSS

Exploit

WebAppsPHP
16.6.24AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS)

Exploit

WebAppsPHP
15.6.24KoiLoader/KoiStealer infectionMALWARE TRAFFICMALWARE TRAFFICZip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
15.6.24Traffic example of a CVE-2024-4577 probeMALWARE TRAFFICMALWARE TRAFFICZip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
15.6.24Malspam pushing OriginLogger (AgentTesla)MALWARE TRAFFICMALWARE TRAFFICZip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
15.6.24Three days of server scans and probesMALWARE TRAFFICMALWARE TRAFFICZip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
15.6.24DarkGate activityMALWARE TRAFFICMALWARE TRAFFICZip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
15.6.24DISGOMOJIMALWARELinuxDISGOMOJI Malware Used to Target Indian Government
15.6.24GrandoreiroMALWAREBankingSmishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale
14.6.24CVE-2023-3938

VULNEREBILITY

CVE

(CVSS score: 4.6) - An SQL injection flaw when displaying a QR code into the device's camera by passing a specially crafted request containing a quotation mark, thereby allowing an attacker to authenticate as any user in the database
14.6.24CVE-2023-3939

VULNEREBILITY

CVE

(CVSS score: 10.0) - A set of command injection flaws that allows for execution of arbitrary OS commands with root privileges
14.6.24CVE-2023-3940

VULNEREBILITY

CVE

(CVSS score: 7.5) - A set of arbitrary file read flaws that allows an attacker to bypass security checks and access any file on the system, including sensitive user data and system settings
14.6.24CVE-2023-3941

VULNEREBILITY

CVE

(CVSS score: 10.0) - A set of arbitrary file write flaws that allows an attacker to write any file on the system with root privileges, including altering the user database to add rogue users
14.6.24CVE-2023-3942

VULNEREBILITY

CVE

(CVSS score: 7.5) - A set of SQL injection flaws that allows an attacker to inject malicious SQL code and perform unauthorized database operations and siphon sensitive data
14.6.24CVE-2023-3943

VULNEREBILITY

CVE

(CVSS score: 10.0) - A set of stack-based buffer overflow flaws that allows an attacker to execute arbitrary code
14.6.24UNC4899GROUPGROUPInsights on Cyber Threats Targeting Users and Enterprises in Brazil
14.6.24Sleepy Pickle Part 2HACKINGMLExploiting ML models with pickle file attacks: Part 2
14.6.24Sleepy Pickle Part 1HACKINGMLExploiting ML models with pickle file attacks: Part 1
14.6.24Arid ViperAPTAPTArid Viper poisons Android apps with AridSpy
14.6.24Arid ViperAPTAPTArid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices
14.6.24Celestial ForceOPERATIONOPERATIONOperation Celestial Force employs mobile and desktop malware to target Indian entities
14.6.24Script RATMALWARERATIn Bad Company: JScript RAT and CobaltStrike
14.6.24SSLoad MalwareMALWARELoaderDissecting SSLoad Malware: A Comprehensive Technical Analysis
14.6.24CVE-2024-32896

VULNEREBILITY

CVE

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
14.6.24OPIX RansomwareALERTSRANSOM  OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. The malware modifies user files by encrypting them with a random character string and appending a ".OPIX" extension. For example, a file called "test.txt" becomes something like "B532D3Q9.OPIX".
14.6.24Malspam Campaign Delivering Koi Loader/Koi StealerALERTSVirusIn a recent malspam campaign attackers appear to have altered their tactics in order to avoid detection. Instead of the typical approach of sending direct emails with malicious links, in this case they began with benign emails discussing a random scenario.
14.6.24El Dorado Ransomware: Increased AttacksALERTSRANSOM  El Dorado is a double-extortion ransomware actor who has recently claimed multiple victims on their website. Once they gain access to a company, they search for machines with valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files.
14.6.24Operation Celestial ForceALERTSOPERATIONA new malicious campaign dubbed 'Operation Celestial Force' has been reported by the researchers from Cisco Talos. The campaign has been active since at least 2018 and targeting Indian organizations from the defense, government and technology sectors.
14.6.24ALERTSVULNEREBILITY  As part of June's patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability CVE-2024-30080. By sending specially crafted malicious MSMQ packets to the vulnerable servers and thus exploiting the vulnerability, the attackers might achieve remote code execution and take over the unpatched server.
14.6.24CVE-2024-4701 - Netflix Genie job orchestration engine vulnerabilityALERTSVULNEREBILITY  CVE-2024-4701 is a recently disclosed critical (CVSS score 9.9) path traversal vulnerability affecting Netflix' Genie job orchestration engine for big data applications. If successfully exploited the vulnerability might allow remote attackers arbitrary code execution within the vulnerable applications as well as sensitive information exposure. The vulnerability has been already patched in Genie OSS version 4.3.18.
14.6.24CVE-2024-2194 - WP Statistics Plugin XSS vulnerabilityALERTSVULNEREBILITY  CVE-2024-2194 is a recently disclosed stored cross-site scripting vulnerability affecting WP Statistics plugin for WordPress in versions up to 14.5. If successfully exploited the vulnerability might allow unauthenticated attackers to inject arbitrary web scripts in pages.
13.6.24Noodle RATMALWARERATNoodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups
13.6.24DERO cryptojackingCRYPTOCURRENCYCRYPTOCURRENCYPause off my cluster: DERO cryptojacking takes a new shape
13.6.24Black BastaRANSOMWARERANSOMWARERansomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
13.6.24CVE-2024-26169

VULNEREBILITY

CVE

Windows Error Reporting Service Elevation of Privilege Vulnerability
13.6.24WARMCOOKIE MALWAREBackdoorDipping into Danger: The WARMCOOKIE backdoor
13.6.24Noodle RAT malware supports both Windows and Linux deploymentsALERTSVirusNoodle RAT is a malware variant recently identified by researchers from Trend Micro. This RAT has been reported as being used in targeted campaigns in the Asia-Pacific region. Noodle RAT is a modular malware with relatively straightforward capabilities and displays several code overlaps with Gh0st RAT and Rekoobe malware families.
13.6.24Adwind (aka jRAT) distributed in recent campaigns targeting users in Italy ALERTSVirusAdwind malware (also known as jRAT or njRAT) has been observed in recent campaigns targeting users in Italy. The attack chain includes malspam emails containing .zip attachments. Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files.
13.6.24WarmCookie backdoorALERTSVirusWarmCookie is a new backdoor variant distributed in phishing campaigns advertising fake job offers. The attack chain leverages malicious JS scripts executing PowerShell commands that in turn lead to the download of WarmCookie DLL payloads. The attackers abuse the Background Intelligent Transfer Service (BITS) to download the malicious payloads.
13.6.24Black Basta attackers leveraging CVE-2024-26169 vulnerability as a Zero-dayALERTSVirusIn a newly released report, Symantec’s Threat Hunter Team reviewed evidence that suggests that attackers linked to Black Basta ransomware compiled CVE-2024-26169 exploit prior to patching. The vulnerability CVE-2024-26169 is a Windows Error Reporting Service exploit that can permit an attacker to elevate their privileges.
13.6.24Malware campaign unveils new ValleyRAT variantALERTSVirusA malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack vector involves a downloader with an injected shellcode that dynamically resolves APIs and establishes a connection with the C2 server to download the next stage malware.
12.6.24Remcos RAT delivered via UUEncoding (UUE) FileALERTSVirusA recent phishing campaign spreading Remcos RAT employs themed documents related to shipping or quotations. The attack commences with a UUE-encoded VBS script, leading to the another obfuscated VBS script upon decoding. This script facilitates the saving and execution of a PowerShell script, which in turn connects to a link to download an additional obfuscated PowerShell script. The purpose of this obfuscation chain is to evade detection.
12.6.24Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot APIALERTSPHISHING  Over the past few months, more and more phishing actors via malicious HTML have been following in the footsteps of Infostealers and RATs, and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit cards details.
12.6.24TellYouThePass ransomware exploiting CVE-2024-4577 Argument Injection Vulnerability in PHPALERTSVULNEREBILITY  CVE-2024-4577 - is a high-severity (CVSS: 9.8) argument injection vulnerability in PHP, which is a popular scripting tool. This vulnerability affects PHP when it runs in CGI mode. A successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise and deliver malware including ransomware.
12.6.24Fog RansomwareALERTSRANSOM  A new ransomware variant dubbed Fog has been recently distributed in the wild. The attackers behind this malware have been leveraging compromised VPN credentials to attack vulnerable networks of US organizations from the education and recreation sector.
12.6.24AZStealer - a Python-based infostealerALERTSVirusAZStealer is a recently discovered Python-based infostealer variant. It has the functionality to steal a wide variety of information from the compromised endpoints including: data stored in browsers (cookies, history, bookmarks, passwords, saved credit card info and autofill data), Discord tokens, login sessions from miscellaneous applications including Steam, Uplay, Tiktok, Telegram, Twitch, Spotify, Reddit or Roblox.
12.6.24Fireant APT targets Vietnamese entities with LNK file malware campaignALERTSAPT  A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack vector involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which helps the attackers to remotely execute various commands on the compromised system.
12.6.24Beware of malicious Python packages on PyPI repositoryALERTSVirusNumerous malicious Python packages have been observed on the Python Package Index (PyPI) repository, aimed at exploiting typosquatting to target users of legitimate packages. For instance one such package, 'crytic-compilers', masquerades as the legitimate library 'crytic-compile' and is designed to distribute the Lumma stealer. Similarly, another malicious PyPI package, 'pytoileur', is capable of downloading and installing trojanized Windows binaries for purposes such as surveillance, persistence, and crypto theft.
12.6.24DERO cryptojacking operation targeting Kubernetes infrastructureCRYPTOCURRENCYCRYPTOCURRENCY  Dero, a cryptocurrency, offers better privacy, anonymity and faster rewards than Monero, and is often used in cryptojacking according to a March 2023 report. A recent report from a threat researcher discussed the cryptojacking campaign's evolution, where the attack vector involves exploiting an externally accessible Kubernetes API server with anonymous authentication enabled.
12.6.24CVE-2024-30082

VULNEREBILITY

CVE

Win32k Elevation of Privilege Vulnerability
12.6.24CVE-2024-30085

VULNEREBILITY

CVE

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
12.6.24CVE-2024-30086

VULNEREBILITY

CVE

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
12.6.24CVE-2024-30078

VULNEREBILITY

CVE

Windows Wi-Fi Driver Remote Code Execution Vulnerability
12.6.24CVE-2024-30103

VULNEREBILITY

CVE

Microsoft Outlook Remote Code Execution Vulnerability
12.6.24CVE-2024-30080

VULNEREBILITY

CVE

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability New
12.6.24CVE-2023-50868

VULNEREBILITY

CVE

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue.
12.6.24DNS PROBING OPERATIONOPERATIONOPERATIONWHAT A SHOW! AN AMPLIFIED INTERNET SCALE DNS PROBING OPERATION
12.6.24ValleyRATMALWARERATTechnical Analysis of the Latest Variant of ValleyRAT
11.6.24More_eggsMALWAREBackdoorMore_eggs Activity Persists Via Fake Job Applicant Lures
11.6.24UNC5537GROUPGROUPUNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
11.6.24CVE-2024-4610

VULNEREBILITY

CVE

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.
11.6.24SSLoader malware using PhantomLoaderALERTSVirusSSLoader malware uses PhantomLoader (an effective tool for deploying malware) to enhance its elusive and stealthy behavior. This malware infiltrates via phishing mail campaigns, performs reconnaissance while evading detection, and exfiltrates data back to threat actors while delivering payloads through various techniques. 
11.6.24Yet another JScript RAT spreads via phishing campaignALERTSVirusIt is generally known that JScript-based RATs are often spread via phishing campaigns, and a recent attack was spotted using the same technique as former runs where an initial loader script connects to a C&C server triggering the transmission of a new malicious script, known as the second stage loader. This loader then fetches a JScript RAT component from the server, enabling persistent operation and execution of commands received from the server.
11.6.24Abusing Google Ads to distribute backdoor malware masquerading as Advanced IP ScannerALERTSVirusA malicious backdoor malware, masquerading as an Advanced IP Scanner, has been observed in the wild. Advanced IP Scanner is a free network scanner for Windows, primarily used by IT administrators to analyze local area networks (LANs) and gather information about connected devices.
11.6.24New Grandoreiro banking trojan campaign masquerading as government entities through spear-phishingALERTSVirusA new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors are leveraging spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading ZIP files infected with malware.
11.6.24Agent Tesla sending malicious XLA filesALERTSVirusAgent Tesla, an infostealing .Net based RAT, has recently been observed sending Spanish language malspam with attached XLA files. These files are crafted to take advantage of multiple old vulnerabilities in Office documents (CVE-2017-11882 and CVE-2017-0199) which causes Excel to automatically download and open remotely stored malicious RTF and JS files, which eventually leads to an Agent Tesla infection.
10.6.24Fake 'KMSPico Activator Tool' Utilized to Deliver Vidar InfoStealerALERTSGROUP  Researchers recently identified another drive-by download campaign, wherein users are deceived into downloading a malware-laden application named 'KMSPico activator tool.' This tool, is marketed as a "universal activator" for Windows, but no longer maintained.
10.6.24Sticky WerewolfGROUPGROUPHowling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks
9.6.24CVE-2024-4577

VULNEREBILITY

CVE

CVE-2024-4577: Proof of Concept Available for PHP-CGI Argument Injection Vulnerability
8.6.24Sticky Werewolf APTALERTSAPT  Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. In their attacks the threat actors leverage malicious .lnk files disguised as .docx documents, decoy .pdf files, malicious Batch and AutoIT scripts, among others.
8.6.24Seidr StealerALERTSVirusSeidr is another recent infostealer variant found in the wild and sold via illicit marketplaces. The malware is C++ based with modular architecture. Functionality-wise Seidr steals various information from the compromised endpoints including, OS-related information, data collected from system browsers via keylogging, cryptocurrency wallets etc.
8.6.24DORRA RansomwareALERTSRANSOM  DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending the ".DORRA" extension, a unique ID and the developer's email address to them. The ransomware drops a ransom note as a text file called "README-WARNING.txt" where the victims are asked to contact the attackers via provided email for further instructions regarding the data decryption.
8.6.24Apache RocketMQ targeted in Muhstik botnet campaignALERTSBOTNET  A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. As part of the campaign, threat actors are deploying the Muhstik botnet, known for denial-of-service (DDoS) attacks. Muhstik provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server.
8.6.24Enhanced version of Vidar Stealer emergesALERTSVirusAn updated version of the Vidar Stealer has been observed in the wild. This customizable malware is being sold on the dark web and Telegram channels as malware-as-a-service, leveraging social media platforms as part of its command-and-control infrastructure, and collaborating with other malware strains such as STOP/Djvu ransomware and SmokeLoader backdoor.
8.6.24CashRansomware - a new arrival to the threat landscapeALERTSRANSOM  CashRansomware (aka CashCrypt) is a newly identified Ransomware‑as‑a‑Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to be still in active development. CashRansomware is C#-based malware that leverages time‑stomping techniques to detect its execution within a sandbox or a virtualized environment.
8.6.24UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaignALERTSAPT  The UNC1151 APT group has been observed conducting a malware campaign utilizing a malicious Excel document. This group is known for targeting Eastern European countries. In the recent campaign, UNC1151 has been observed targeting the Ukrainian Ministry of Defence, utilizing a malicious Excel document as a lure.
7.6.24appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)

EXPLOIT

WebAppsPHP
7.6.24CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated)

EXPLOIT

WebAppsPHP
7.6.24WBCE CMS v1.6.2 - Remote Code Execution (RCE)

EXPLOIT

WebAppsPHP
7.6.24Monstra CMS 3.0.4 - Remote Code Execution (RCE)

EXPLOIT

WebAppsPHP
7.6.24Dotclear 2.29 - Remote Code Execution (RCE)

EXPLOIT

WebAppsPHP
7.6.24Serendipity 2.5.0 - Remote Code Execution (RCE)EXPLOITWebAppsPHP
7.6.24Sitefinity 15.0 - Cross-Site Scripting (XSS)

EXPLOIT

WebAppsMultiple

7.6.24

Ransomware Trends 2024

REPORT

REPORT

Veeam’s goal is to relentlessly advance data and cyber resilience to keep your business running.

7.6.24

SickSync

CAMPAIGN

CAMPAIGN

Renewed Info Stealer Campaign Targets Ukrainian Military

7.6.24

SPECTR

MALWARE

Stealer

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

7.6.24

GhostWriter

GROUP

GROUP

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.

7.6.24

Commando Cat

GROUP

Cryptojacking

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

7.6.24

Muhstik

MALWARE

Trojan

Muhstik Malware Targets Message Queuing Services Applications

6.6.24

BoxedApp

MALWARE

App

BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).

6.6.24

'Lumma' crypto stealer

MALWARE

Stealer

Russia-linked 'Lumma' crypto stealer now targets Python devs

6.6.24

CVE-2024-32113 - Path Traversal vulnerability in Apache OFBiz

ALERTS

VULNEREBILITY 

CVE-2024-32113 is a recently disclosed path traversal vulnerability affecting Apache OFBiz, which is an open source enterprise resource planning (ERP) system. If successfully exploited the vulnerability might lead to remote code execution in the context of the affected service account. The vulnerability has been patched in Apache OFBiz product version 18.12.13 or above.

6.6.24

Rising trend of exploiting Packer apps in targeted attacks

ALERTS

Virus

An increasing trend of abusing Packer apps as a technique to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily related to RATs and stealers, have been exploiting commercial Packer apps, targeting financial institutions and government organizations. BoxedApp packer is one such utility that offers features like virtual storage, virtual processes, and a virtual registry, making it harder for endpoint protection systems to detect or analyze malware.

6.6.24

The rise of Kiteshield packer in the ever-evolving landscape of Linux malware

ALERTS

Virus

Threat actors are constantly seeking out new tactics and platforms to evade detection and carry out their espionage activities. Most recently, an increasing trend in targeting the Linux platform has been observed, resulting in a surge of Linux malware. Threat actors are leveraging the Kiteshield packer to evade detection on Linux platforms.

6.6.24

CoinMiner's Proxy Server Suffers Unlucky Ransomware Attack

ALERTS

RANSOM 

Reports have described what seems to be an accidental cyber threat activity where a CoinMiner's proxy server was exposed to the Internet and became the target of a ransomware threat actor's RDP scan attack. This kind of practice, if it becomes more common, may complicate threat analysis as it blurs the lines between different attack groups and their intentions.

6.6.24

SenSayQ: Emerging Ransomware Group

ALERTS

RANSOM 

SenSayQ is an emerging ransomware actor who has recently been observed in the threat landscape. At this time, their modus operandi remains shrouded, but they employ double-extortion tactics, exfiltrating data from companies' environments and encrypting their files.

6.6.24

New Linux variant of the TargetCompany ransomware

ALERTS

RANSOM 

A new Linux variant belonging to the TargetRansomware (aka Mallox) malware family has been found in the wild. As called out in the recent report published by Trend Micro, the threat group leveraging this latest Linux variant is actively conducting attacks against ESXi environments. The attackers are also using a custom shell script for the purpose of payload delivery and victim's information exfiltration. The malware encrypts user data and appends .locked extension to the encrypted files. Upon completed encryption a ransom note in form of a text file called "HOW TO DECRYPT.txt" is dropped onto the victim's machine.

6.6.24

Updated Cuckoo malware variant spotted in the wild

ALERTS

Virus

Cuckoo is an infostealing macOS malware initially discovered earlier this year. A new variant of it has just recently been observed in the wild. This variant has been distributed via a fake Homebrew macOS package manager website.

6.6.24

RansomHub Ransomware

ALERTS

RANSOM 

In a newly released report, Symantec’s Threat Hunter Team provide an analysis of the highly active RansomHub ransomware and its similarity to the now defunct Knight ransomware. Analysis indicates that the developers of RansomHub are different from those that developed Knight, but based on a significant overlap of code, it's assumed the RansomHub developers likely purchased Knight source code which was offered for sale in early 2024. As with others, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid in distribution.

6.6.24

DarkCrystal RAT Delivered via Signal Messenger

ALERTS

Virus

The messaging application 'Signal' is famous among the military and is currently being exploited to deliver DarkCrystal RAT malware to government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins when the victim receives a message with an archive, password, and instructions to open it.

6.6.24

Cobalt Strike campaign targets Ukraine using malicious Excel files

ALERTS

CAMPAIGN 

A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. The attackers leverage a multi-staged approach while delivering Excel files containing malicious VBA macros, as well as DLL downloaders and injectors in later attack stages. The Cobalt Strike payloads allow the attackers to establish communication with command and control (C2) servers and execute arbitrary commands.

6.6.24

Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade

ALERTS

Virus

Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil. An actor has fabricated malicious Android applications (Nubank.apk) to appear related to Nubank.

6.6.24

CVE-2024-24919 - Check Point Security Gateway Information Disclosure Vulnerability

ALERTS

VULNEREBILITY 

CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway. Check Point Security Gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel. Successful exploitation of this vulnerability may allow an attacker to access certain information on internet-connected Gateways, which have been configured with IPSec VPN, remote access VPN, or mobile access software blade. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

6.6.24

CVE-2024–27348 - Remote Code Execution vulnerability in Apache HugeGraph Server

ALERTS

VULNEREBILITY 

Recently, a critical remote code execution (RCE) vulnerability has been discovered in Apache HugeGraph-Server, identified as CVE-2024-27348 (CVSS: 9.8). Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. The vulnerability affects versions 1.0.0 to 1.3.0 in Java8 and Java11. This vulnerability allows an attacker to execute arbitrary commands on the server.

6.6.24

Underground Ransomware Remains Active

ALERTS

RANSOM 

Over the past year the Ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target industries of various size. They are known to generate a lengthy ransom note (!!READ_ME!!.txt) with detailed information that has been exfiltrated. Victims are provided with an ID and a password that allow them to connect with the ransomware group through a website on the TOR network. 

6.6.24

Botnet malware campaign distributing NiceRAT malware

ALERTS

Virus

A botnet malware campaign has been reported distributing the NiceRAT malware, disguising itself as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. NiceRAT is a Python-based open-source program with anti-debugging and anti-virtual machine capabilities.

6.6.24

LummaC2 Infostealer Delivered via a Recent ClearFake Campaign

ALERTS

Virus

ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. Recently, researchers uncovered a new strategy by ClearFake, where users are deceived into manually executing malicious code in PowerShell. This differs from previous tactics where users were typically lured into unwittingly downloading a malicious payload. The change aims to evade security measures and eventually install LummaC2 infostealer malware.

6.6.24

Brazilian banking trojan CarnavalHeist

ALERTS

Virus

A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a financial themed mail through which the recipient is lured into downloading an invoice (named as "Nota Fiscal" which is Portuguese for invoice).

6.6.24

RedTail cryptomining malware exploiting PAN-OS vulnerability

ALERTS

CRYPTOCURRENCY 

RedTail cryptocurrency mining malware has added PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now patched vulnerability that allows an attacker to execute an arbitrary code file with root user privileges. Exploiting this PAN-OS vulnerability and executing the commands successfully can lead to the downloading of the RedTail payload.

5.6.24

Operation Crimson Palace

OPERATION

OPERATION

Operation Crimson Palace: Sophos threat hunting unveils multiple clusters of Chinese state-sponsored activity targeting Southeast Asian government

5.6.24

Excel File Deploys

HACKING

HACKING

FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file.

5.6.24

RansomHub

RANSOMWARE

RANSOMWARE

RansomHub: New Ransomware has Origins in Older Knight

5.6.24

CVE-2024-29972

VULNEREBILITY

CVE

This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

5.6.24

CVE-2024-29973

VULNEREBILITY

CVE

This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.

5.6.24

CVE-2024-29974

VULNEREBILITY

CVE

This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

5.6.24

CVE-2024-29975

VULNEREBILITY

CVE

This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

5.6.24

CVE-2024-29976

VULNEREBILITY

CVE

This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

5.6.24

Decoy Dog 2

OPERATION

RAT

Hellhounds: operation Lahat

5.6.24

Decoy Dog 1

OPERATION

RAT

Hellhounds: operation Lahat

5.6.24

CVE-2024-4358

VULNEREBILITY

CVE

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

5.6.24

DarkGate

MALWARE

RAT

During 2023, DarkGate made a comeback with a version full of new features, becoming one of the most preferred Remote Access Trojans (RATs) by malicious actors.

5.6.24

CVE-2017-3506

VULNEREBILITY

CVE

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.

5.6.24

Sophisticated RAT

MALWARE

RAT

Sophisticated RAT Targeting Gulp Projects on npm

3.6.24

IT threat evolution in Q1 2024. Mobile statistics

ANALÝZA

Malware

Mobile malware statistics for Q1 2024: most common threats for Android, mobile banking Trojans, and ransomware Trojans.

3.6.24

IT threat evolution Q1 2024

ANALÝZA

Malware

Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware platform distributed via zero-click iMessage exploits that allowed an attacker to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information and execute additional modules that extended their control over compromised devices.

3.6.24

IT threat evolution in Q1 2024. Non-mobile statistics

ANALÝZA

Malware

Kaspersky solutions blocked more than 658 million attacks from various online resources.

3.6.24

Cox modems hack

HACKING

Hardware

Hacking Millions of Modems (and Investigating Who Hacked My Modem)

3.6.24

Andariel

GROUP

APT

Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)

3.6.24

Lumma Stealer

MALWARE

Stealer

Fake Browser Updates delivering BitRAT and Lumma Stealer

3.6.24

BitRAT

MALWARE

RAT

Fake Browser Updates delivering BitRAT and Lumma Stealer

1.6.24

Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)

EXPLOIT

WebApps

PHP

1.6.24

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access

EXPLOIT

Remote

Hardware

1.6.24

Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure

EXPLOIT

Remote

Windows

1.6.24

FreePBX 16 - Remote Code Execution (RCE) (Authenticated)

EXPLOIT

WebApps

PHP

1.6.24

Akaunting 3.1.8 - Server-Side Template Injection (SSTI)

EXPLOIT

WebApps

PHP

1.6.24

Check Point Security Gateway - Information Disclosure (Unauthenticated)

EXPLOIT

WebApps

Hardware

1.6.24

Aquatronica Control System 5.1.6 - Information Disclosure

EXPLOIT

WebApps

Hardware

1.6.24

changedetection < 0.45.20 - Remote Code Execution (RCE)

EXPLOIT

WebApps

Multiple

1.6.24

ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated)

EXPLOIT

WebApps

PHP

1.6.24

iMLog < 1.307 - Persistent Cross Site Scripting (XSS)

EXPLOIT

WebApps

PHP

1.6.24

BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection

EXPLOIT

WebApps

PHP

1.6.24

Pumpkin Eclipse

HACKING

Hardware

Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP).