Vulnerability Archives - Malware Patrol https://www.malwarepatrol.net/category/vulnerability/ Intelligent Threat Data Tue, 12 Mar 2024 12:47:00 +0000 en-US hourly 1 https://wordpress.org/?v=6.2.4 https://www.malwarepatrol.net/wp-content/uploads/2022/01/Fivcom-Icon.png Vulnerability Archives - Malware Patrol https://www.malwarepatrol.net/category/vulnerability/ 32 32 InfoSec Articles (02/27/24 – 03/12/24) https://www.malwarepatrol.net/infosec-articles-02-27-24-03-12-24/ Tue, 12 Mar 2024 01:48:40 +0000 https://www.malwarepatrol.net/?p=52149 The post InfoSec Articles (02/27/24 – 03/12/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

The Anatomy of a BlackCat (ALPHV) Attack

Source: SYGNIA

In 2023, Sygnia’s IR team was engaged by a client to investigate suspicious activities in the client’s network. The activities were ultimately identified as a financial extortion attack executed by the BlackCat (ALPHV) ransomware group or one of its affiliates, and included a massive data exfiltration. Read more.

Delving into Dalvik: A Look Into DEX Files

Source: MANDIANT

Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. Additionally, we are releasing a tool called dexmod that exemplifies Dalvik bytecode patching and helps modify DEX files. Read more.

Server Killers Alliances: Here Is The List Of Hacker Groups

Source: GBHackers

A new tweet from Daily Dark Web reports that a group called The Server Killers has formed an alliance and is planning to launch cyber attacks on Moldova. Read more.

TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

Source: KROLL

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK. Read more.

Cyber Dragon Attacks And Disables Linkedin

Source: PRIVACY Affairs

The lesser-known but dangerous hacking group Cyber Dragon took Linkedin offline recently as a result of a massive breach. As users reported, both the website and the app were down for more than 24 hours intermittently. Read more.

New Fakext malware targets Latin American banks

Source: Security Intelligence

In November 2023, security researchers at IBM Security Trusteer found new widespread malware dubbed Fakext that uses a malicious Edge extension to perform man-in-the-browser and web-injection attacks. Read more.

Check Point Research Alerts: Financially Motivated Magnet Goblin Group Exploits 1-Day Vulnerabilities to target Publicly Facing Servers

Source: CHECK POINT

Rapid Exploitation of 1-Day Vulnerabilities: Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a POC is published, significantly increasing the threat level posed by this actor. Read more.

TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids

Source: Proofpoint

TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity. Read more.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Source: The Hacker News

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said. Read more.

Ukraine’s GUR Hacked The Russians Ministry of Defense

Source: Security Affairs

The documents revealed the leadership of the Russian Ministry, including other high-ranking officials within the divisions of Russian Ministry of Defense. This encompasses deputies, assistants, and specialists, individuals who used the electronic document management systems known as ‘bureaucrat’. Read more.

The post InfoSec Articles (02/27/24 – 03/12/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (02/13/24 – 02/27/24) https://www.malwarepatrol.net/infosec-articles-02-13-24-02-27-24/ Tue, 27 Feb 2024 02:03:56 +0000 https://www.malwarepatrol.net/?p=51343 The post InfoSec Articles (02/13/24 – 02/27/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

LockBit ransomware returns, restores servers after police disruption

Source: BLEEPING COMPUTER

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos. Read more.

A Cyber Attack Hit The Royal Canadian Mounted Police

Source: Security Affairs

The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees. Read more.

Russian hackers shift to cloud attacks, US and allies warn

Source: BLEEPING COMPUTER

APT29’s initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims’ cloud tenants. Read more.

Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)

Source: HELP NET SECURITY

ConnectWise shared the existence of the two flaws on Monday (February 19), when it said that they’ve been reported through their vulnerability disclosure channel via the ConnectWise Trust Center, and urged customers that are self-hosted or on-premise to update their servers to version 23.9.8 as soon as possible. Read more.

Feds remove Ubiquiti router botnet used by Russian intelligence

Source: SC Media

The botnet was built by cybercriminals outside the GRU who initially installed Moobot malware on Ubiquiti Edge OS routers that could be compromised because they used publicly known default administrator passwords. Read more.

Earth Preta Campaign Uses DOPLUGS to Target Asia

Source: TREND MICRO

In this blog entry, we focus on the Earth Preta campaign, providing an analysis of the DOPLUGS malware variant that the group used, including backdoor command behavior, integration with the KillSomeOne module, and its evolution. Read more.

Migo – a Redis Miner with Novel System Weakening Techniques

Source: CADO

The malware, named Migo by the developers, aims to compromise Redis servers for the purpose of mining cryptocurrency on the underlying Linux host. Read more.

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Source: CISCO TALOS

We have observed evidence that the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process. Read more.

How BRICS Got “Rug Pulled” – Crypto Counterfeiting Is On The Rise

Source: Resecurity

A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. Read more.

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices

Source: The Hacker News

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch, and Telegram. Read more.

The post InfoSec Articles (02/13/24 – 02/27/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (01/30/24 – 02/13/24) https://www.malwarepatrol.net/infosec-articles-01-30-24-02-13-24/ Tue, 13 Feb 2024 01:10:34 +0000 https://www.malwarepatrol.net/?p=51317 The post InfoSec Articles (01/30/24 – 02/13/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Maldocs of Word and Excel: Vigor of the Ages

Source: CHECK POINT RESEARCH

In our research, we show the statistics on attacked industries and countries and highlight the payloads – many of them are in the top prevalent malware lists – delivered by maldocs. We investigate lures used in different attack campaigns and describe several tricks that can help maldocs fool automated sandboxes, even though the CVEs used are well-known and well-aged. Read more.

I Know What Your Password Was Last Summer…

Source: LARES

An interesting aspect we regularly encounter when compromising organisations is the psychology behind how people choose their passwords. This insight reveals patterns and tendencies in password creation within windows environments, shedding light on common vulnerabilities and the human factors influencing password security. Read more.

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

Source: SECURELIST

This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. Read more.

Raspberry Robin Keeps Riding the Wave of Endless 1-Days

Source: CHECK POINT RESEARCH

Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web. Read more.

Chinese hackers fail to rebuild botnet after FBI takedown

Source: BLEEPING COMPUTER

Before KV-botnet’s takedown, it allowed the Volt Typhoon threat group (aka Bronze Silhouette) to proxy malicious activity through hundreds of compromised small office/home offices (SOHO) across the U.S. to evade detection. Read more.

2023 Cybersecurity Lingo for Stronger Digital Defense

Source: THE CYBER EXPRESS

The language of cybersecurity can be compared with a digital sword when it comes to ever-changing environments in cyberspace, where shadows keep both danger and safety. Ending 2023 leads us into a lexical exploration of the complex fabric of cyberslang, where cyber sentinels use secret cybersecurity jargon to secure the virtual world. Read more.

Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

Source: The Register

The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, allowing attackers to extract secrets stored in memory in clear text such as usernames and passwords – à la CitrixBleed. Read more.

The post InfoSec Articles (01/30/24 – 02/13/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (01/16/24 – 01/30/24) https://www.malwarepatrol.net/infosec-articles-01-16-24-01-30-24/ Wed, 31 Jan 2024 02:23:14 +0000 https://www.malwarepatrol.net/?p=51212 The post InfoSec Articles (01/16/24 – 01/30/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis

Source: ITOCHU Cyber Intelligence Inc.

According to information released by security vendors, APT campaigns using LODEINFO target Japanese media, diplomacy, public institutions, defense industries, and think tanks. It is also suggested that the infamous APT group called APT10 is involved given the similarities in their methods and malwares. Read more.

Spoofing 802.11 Wireless Beacon Management Frames with Manipulated Power Values Resulting in Denial of Service for Wireless Clients

Source: Trustwave

So, the story starts in Ubuntu, in dmesg to be exact. Dmesg (diagnostic messages) prints kernel-related messages for those of you not familiar. So, there I was, minding my own business, not at all looking into wireless, actually looking into some Bluetooth research (watch this space!). I had to install some required packages and suddenly Ubuntu crashed on me. I look into dmesg to see what the fuss is all about, no real answer… but I noticed this line that had to do with the wireless interface. Read more.

Exploits released for critical Jenkins RCE flaw, patch now

Source: BLEEPING COMPUTER

Multiple proof-of-concept (PoC) exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. Read more.

Nigerian ‘Yahoo Boys’ Behind Social Media Sextortion Surge in the US

Source: Infosecurity Magazine

Their typical approach is to “bomb” high schools, youth sports teams and universities with fake accounts, using advanced social engineering tactics to coerce their victims into a compromising situation. Read more.

The Intricacies of Atomic Stealer (AMOS) and the Emergence of Xehook Stealer on Dark Web

Source: The Cyber Express

A new information stealer has arrived on the dark web. Known as the Atomic Stealer (AMOS), this information stealer, this information-stealing malware is designed for a phishing campaign associated with the rise of dead cookie restoration and Xehook Stealer. Read more.

Russia-Linked APT Group Midnight Blizzard Hacked Hewlett Packard Enterprise (HPE)

Source: The Hacker News

Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment. The attackers were collecting information on the cybersecurity division of the company and other functions. Read more.

NSPX30: A sophisticated AitM-enabled implant evolving since 2005

Source: welivesecurity

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. Read more.

The post InfoSec Articles (01/16/24 – 01/30/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (01/02/24 – 01/16/24) https://www.malwarepatrol.net/infosec-articles-01-02-24-01-16-24/ Tue, 16 Jan 2024 01:12:04 +0000 https://www.malwarepatrol.net/?p=51199 The post InfoSec Articles (01/02/24 – 01/16/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign

Source: TREND MICRO

CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks. Read more.

Atomic Stealer rings in the new year with updated version

Source: Malwarebytes LABS

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024. Read more.

Financial Fraud APK Campaign

Source: Unit 42 PaloAlto Networks

The threat actors used this Android application to impersonate law enforcement authorities. They claimed that the victim’s bank account was suspected of being involved in money laundering or other financial-related crimes. They then sent the victim a download link to this application package, urging the victim to input their sensitive personal information into the malicious application. Read more.

Unprecedented Growth in Malicious Botnets Observed

Source: NETSCOUT

Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain. Read more.

You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance

Source: Akamai

The NoaBot botnet has most of the capabilities of the original Mirai botnet (such as a scanner module and an attacker module, hiding its process name, etc.), but we can also see many differences from Mirai’s original source code. First and foremost, the malware’s spreader is based in SSH, not based in Telnet like Mirai. Read more.

Unseen Threats in Software Development | The Perils of Trojanized NPM Packages

Source: SentinelOne

Because npm and npm packages can extend deep into the organization’s development environment, security is a crucial issue that must be addressed. Let’s look at some examples of how easily, and severely, npm can be leveraged by threat actors. Read more.

Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign

Source: TREND MICRO

In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot. Read more.

The post InfoSec Articles (01/02/24 – 01/16/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (12/19/23 – 01/02/24) https://www.malwarepatrol.net/infosec-articles-12-19-23-01-02-24/ Wed, 03 Jan 2024 13:27:18 +0000 https://www.malwarepatrol.net/?p=51155 The post InfoSec Articles (12/19/23 – 01/02/24) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla

Source: Zscaler

Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882. Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts. Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation. Read more.

Malware leveraging public infrastructure like GitHub on the rise

Source: ReversingLabs

Here are two novel techniques deployed on GitHub that were discovered by ReversingLabs. The first abuses GitHub Gists, and the second issues commands through git commit messages. Read more.

BlackCat Rises: Infamous Ransomware Gang Defies Law Enforcement

Source: Infosecurity Magazine

Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight. Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’ Read more.

Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team

Source: The Hacker News

Matveev is said to lead a team of six penetration testers – 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila – to execute the attacks. The group has a flat hierarchy, fostering better collaboration between the members. Read more.

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Source: Symantec

The attackers used a variety of tools in this activity, which occurred in November 2023, including leveraging the MuddyC2Go infrastructure, which was recently discovered and documented by Deep Instinct. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity we investigated. Read more.

Millions of Xfinity customers’ info, hashed passwords feared stolen in cyberattack

Source: The Register

Millions of Comcast Xfinity subscribers’ personal data – including potentially their usernames, hashed passwords, contact details, and secret security question-answers – was likely stolen by one or more miscreants exploiting Citrix Bleed in October. Read more.

Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns

Source: Trellix

Trellix Advanced Research Center has tracked abuse of one more such tool used for quite some time now. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers. Read more.

The post InfoSec Articles (12/19/23 – 01/02/24) appeared first on Malware Patrol.

]]>
InfoSec Articles (11/28/23 – 12/05/23) https://www.malwarepatrol.net/infosec-articles-11-28-23-12-05-23/ Tue, 05 Dec 2023 12:58:45 +0000 https://www.malwarepatrol.net/?p=51006 The post InfoSec Articles (11/28/23 – 12/05/23) appeared first on Malware Patrol.

]]>

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin

Source: Wordfence

The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. Read more.

SQL Brute Force Leads to BlueSky Ransomware

Source: THE DFIR REPORT

While other reports point to malware downloads as initial access, in this report the threat actors gained access via a MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide. Read more.

Cactus Ransomware Exploiting Qlik Sense Code Execution Vulnerability

Source: GBHackers

Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames. They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Read more.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Source: Cisco TALOS

We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. Read more.

Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails

Source: The Hacker News

RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and computationally less expensive. Read more.

Booking.com Customers Scammed in Novel Social Engineering Campaign

Source: Infosecurity Magazine

The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen. Read more.

Apache ActiveMQ Jolokia Remote Code Execution Vulnerability (CVE-2022-41678) Notification

Source: Security Boulevard

In the configuration of ActiveMQ, jetty allows org.holokia.http.AgentServlet to process requests for/api/Jolokia. An authenticated attacker can send a specially crafted HTTP request to write a malicious file through the Jolokia service, thus implementing remote code execution. At present, the vulnerability PoC has been made public. Read more.

The post InfoSec Articles (11/28/23 – 12/05/23) appeared first on Malware Patrol.

]]>
InfoSec Articles (11/21/23 – 11/28/23) https://www.malwarepatrol.net/infosec-articles-11-21-23-11-28-23/ Wed, 29 Nov 2023 14:34:18 +0000 https://www.malwarepatrol.net/?p=51000 The post InfoSec Articles (11/21/23 – 11/28/23) appeared first on Malware Patrol.

]]>

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

Source: The Hacker News

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. Read more.

Third-party data breach affecting Canadian government could involve data from 1999

Source: The Register

The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a “significant volume of data” which could date back to 1999. Read more.

Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

Source: The Hacker News

The ransomware strain known as Play is now being offered to other threat actors “as a service,” new evidence unearthed by Adlumin has revealed. Read more.

DarkGate and PikaBot Phishing Campaign is Using Qakbot Tactics

Source: Security Boulevard

The operators behind a phishing campaign that is distributing the DarkGate and PikaBot malware is using many of the techniques attributed to the notorious QakBot operation that was taken down by law enforcement agencies in August. Read more.

Citrix warns admins to kill NetScaler user sessions to block hackers

Source: BLEEPING COMPUTER

Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 ‘Citrix Bleed’ vulnerability to secure vulnerable devices against attacks. Besides applying the necessary security updates, they’re also advised to wipe all previous user sessions and terminate all active ones. Read more.

Anonymous Sudan DDoS Attack Cloudflare Decoded

Source: Security Boulevard

Cloudflare swiftly acknowledged the DDoS attack, emphasizing that it exclusively impacted the www.cloudflare.com website, leaving their broader range of products and services unscathed. A Cloudflare spokesperson assured users that no customer data or services were compromised during the incident. This emphasizes that the website operates on separate infrastructure designed to prevent any collateral damage. Read more.

Malware dev says they can revive expired Google auth cookies

Source: BLEEPING COMPUTER

The Lumma information-stealer malware (aka ‘LummaC2’) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Read more.

DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

Source: DARK READING

North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations. Read more.

New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

Source: The Hacker News

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. Read more.

Welltok Data Breach Impacted 8.5 Million Patients in the U.S.

Source: Security Affairs

The company disclosed a data breach that exposed the personal data of nearly 8.5 million patients (8,493,379) in the U.S.. On July 26, 2023, threat actors hacked the company’s MOVEit Transfer server. Read more.

ClearFake Campaign Spreads macOS AMOS Information Stealer

Source: Security Affairs

Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign. Read more.

PoC for Splunk Enterprise RCE flaw released (CVE-2023-46214)

Source: HELP NET SECURITY

A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt. Read more.

Hackers Hijack Industrial Control System at US Water Utility

Source: SECURITY WEEK

The Municipal Water Authority of Aliquippa in Pennsylvania has confirmed that hackers took control of a system associated with a booster station over the weekend, but said there was no risk to the water supply. Read more.

GE servers hacked n DARPA Military Info Leaked

Source: Cybersecurity INSIDERS

General Electric, commonly referred to as GE, a multinational corporation engaged in the fields of renewable energy, aerospace, and power, has fallen prey to a cyber attack resulting in the leakage of sensitive information related to DARPA Military operations. Read more.

The post InfoSec Articles (11/21/23 – 11/28/23) appeared first on Malware Patrol.

]]>
InfoSec Articles (11/14/23 – 11/21/23) https://www.malwarepatrol.net/infosec-articles-11-14-23-11-21-23/ Mon, 20 Nov 2023 10:14:16 +0000 https://www.malwarepatrol.net/?p=50749 The post InfoSec Articles (11/14/23 – 11/21/23) appeared first on Malware Patrol.

]]>

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

IPStorm botnet dismantled by FBI as hacker pleads guilty to three charges

Source: SC Media

The Federal Bureau of Investigation (FBI) dismantled an international botnet comprising more than 23,000 proxies after the hacker responsible for the network reached a plea deal with authorities. Read more.

Scattered Spider

Source: CISA

The FBI and CISA are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Read more.

UK labels AI Tools as a cyber threat to National Elections

Source: Cybersecurity INSIDERS

Britain has identified the continued use of AI tools as a significant cyber threat to the upcoming national elections slated for January 2025. Emphasizing the increasing difficulty for security experts to track and neutralize these deepfake threats, particularly in the context of digital elections, the nation has raised concerns about potential interference. Read more.

Samsung Hacked: Customers Personal Information Exposed

Source: GBHackers

The breach was formally confirmed in an email received by this reporter on the night of November 15. Samsung traced the detection of the cyber incursion back to November 13. Although the specific third-party business application remains undisclosed, Samsung ascribes the breach to a flaw. Customers who made purchases between July 1, 2019, and June 30, 2020, are presumed to be impacted. Read more.

Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks

Source: The Hacker News

A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. Read more.

Attacker – hidden in plain sight for nearly six months – targeting Python developers

Source: Checkmarx

For nearly half a year, a threat actor has been planting malicious Python packages into the open-source repository. Many of the malicious packages were camouflaged with names closely resembling popular legitimate Python packages. Consequently, they received thousands of downloads. Read more.

TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities

Source: Proofpoint

From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode. Read more.

Children’s tablet has malware and exposes kids’ data, researcher finds

Source: TechCrunch

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that’s considered malware and a “potentially unwanted program” because of “its history and extensive system level permissions to download whatever application it wants,” and includes an outdated version of an app store designed specifically for kids, according to Hancock’s report, which was released on Thursday and seen by TechCrunch ahead of its publication. Read more.

New ‘Octo’ malware tricks Android users into giving up bank details

Source: RNZ

Netsafe says it’s not aware of New Zealanders being tricked into giving up their bank details by a sophisticated new malware but it is possible they have without realising. The ABC reported that Russian cyber criminals have targeted hundreds of bank customers across the Tasman with a malware called Octo. Read more.

ALPHV/BlackCat Take Extortion Public

Source: TREND MICRO

ALPHV filed a complaint with the Security and Exchange Commission (SEC) stating their victim (MeridianLink) had not disclosed a breach within the 4 day requirement from the SEC. It appears this is an attempt to influence MeridianLink to pay the ransom sooner than later. This is an interesting spin on the traditional tactic used and one that could become more pronounced in 2024. Read more.

Phishing page with trivial anti-analysis features

Source: SANS Internet Storm Center

Anti-analysis features in phishing pages – especially in those, which threat actors send out as e-mail attachments – are nothing new[1,2]. Nevertheless, sometimes the way that these mechanisms are implemented may still leave one somewhat mystified. This has happened to me a few weeks ago when I found what appeared to be a generic phishing message in one of my spam traps. Read more.

CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector

Source: CISA

This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur. Read more.

Blacksuit Ransomware linked to Royal Ransomware

Source: Cybersecurity INSIDERS

As per an advisory from the FBI and US-CISA, a forthcoming ransomware variant is set to enter the cybersecurity landscape, marking itself as a rebrand or offshoot of the Royal Ransomware gang, notorious for purportedly amassing around $275 million in 2022. Read more.

CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack

Source: SECURITY WEEK

Toyota Financial Services Europe & Africa this week confirmed being targeted in a cyberattack, which appears to have been conducted by a known ransomware group. The Toyota subsidiary said it recently detected unauthorized activity on systems in a limited number of locations. In response, it took some systems offline and they are gradually being brought back online. Read more.

The post InfoSec Articles (11/14/23 – 11/21/23) appeared first on Malware Patrol.

]]>
InfoSec Articles (11/07/23 – 11/14/23) https://www.malwarepatrol.net/infosec-articles-11-07-23-11-14-23/ Wed, 15 Nov 2023 03:54:14 +0000 https://www.malwarepatrol.net/?p=50743 The post InfoSec Articles (11/07/23 – 11/14/23) appeared first on Malware Patrol.

]]>

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Japan Aviation Electronics Targeted in Ransomware Attack

Source: SECURITY WEEK

While Japan Aviation Electronics has not found evidence of data exfiltration, the Alphv/BlackCat ransomware gang claims to have stolen roughly 150,000 documents from the company, including blueprints, contracts, confidential messages, and reports. Read more.

Microsoft Authenticator Restricts Suspicious MFA Notifications

Source: Latest Hacking News

The Redmond giant has recently announced introducing a new privacy feature to its authenticator app. With this feature, Microsoft Authenticator app now blocks suspicious multi-factor authentication notifications to prevent potential abuse. Read more.

Chinese multinational bank hit by ransomware

Source: HELP NET SECURITY

The state-owned Industrial and Commercial Bank of China (ICBC), which is one of the largest banks in the world, has been hit by a ransomware attack that led to disrupted trades in the US Treasury market. Read more.

After ChatGPT, Anonymous Sudan Took Down The CloudFlare Website

Source: Security Affairs

The hacktivist group Anonymous Sudan claimed responsibility for the massive distributed denial-of-service (DDoS) attack that took down the website of Cloudflare. Cloudflare confirmed that a DDoS attack took down its website for a few minutes and ponited out that it did not impact other products or services. Read more.

Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

Source: TREND MICRO

The attacker-controlled reverse proxies function as intermediary servers positioned between the target and a legitimate authentication endpoint, such as the Microsoft 365 login page. When a victim interacts with the fake login page, the reverse proxy presents the genuine login form, manages incoming requests, and conveys responses from the legitimate Microsoft 365 login page. Read more.

Iranian hackers launch malware attacks on Israel’s tech sector

Source: BLEEPING COMPUTER

Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms. Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores. Read more.

Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

Source: welivesecurity

When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website, but the app has malicious espionage capabilities. Read more.

Routers Targeted for Gafgyt Botnet [Guest Diary]

Source: SANS Internet Storm Center

The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. Read more.

Keeping Up with Today’s Top Mobile Spyware Threat Trends

Source: CheckPoint

In this post, we will explore trends including the rise of new and more sophisticated types of mobile spyware: nation-level spyware and modified applications. We’ll also present several best practices to help you protect all your organization’s assets. Read more.

Police Seized BulletProftLink Phishing-as-a-Service (PhaaS) Platform

Source: Security Affairs

The Royal Malaysian Police announced to have dismantled the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. A joint international operation conducted by the Malaysian police, the FBI, and the Australian Federal Police took down several domains employed in the cybercriminal operation. Read more.

It’s Still Easy for Anyone to Become You at Experian

Source: Krebs on Security

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. Read more.

The Lorenz Ransomware Group Hit Texas-Based Cogdell Memorial Hospital

Source: Security Affairs

The Lorenz extortion group claimed responsibility for the security breach and added the hospital to its Tor leak site. The group claims to theft of more than 400GB of data, including internal files, patient medical images, and also employee email communications. Read more.

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

Source: The Hacker News

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a “shift in the persistent actor’s tactics.” Read more.

Chinese APT Targeting Cambodian Government

Source: Unit 42 by Palo Alto

Unit 42 has identified malicious Chinese APT infrastructure masquerading as cloud backup services. Monitoring telemetry associated with two prominent Chinese APT groups, we observed network connections predominately originating from the country of Cambodia, including inbound connections originating from at least 24 Cambodian government organizations. Read more.

The post InfoSec Articles (11/07/23 – 11/14/23) appeared first on Malware Patrol.

]]>