CISA has added critical vulnerabilities affecting Microsoft Windows MSHTML Platform (CVE-2024-43461) and Progress WhatsUp Gold (CVE-2024-6670) to its Known Exploited Vulnerabilities catalog. Users are urged to update affected products immediately due to active exploits and the severity of these vulnerabilities.
Key Points: CISA has added CVE-2024-43461 and CVE-2024-6670 to its Known Exploited Vulnerabilities catalog.…
Author: Cyble
Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated cyber campaign targeting individuals associated with the upcoming US-Taiwan Defense Industry Conference. The attack utilizes a deceptive ZIP file containing a malicious LNK file disguised as a PDF registration form, which, when executed, establishes persistence and exfiltrates sensitive data while evading detection.…
On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) reported active exploitation of CVE-2024-32113, a critical path traversal vulnerability in Apache OFBiz. This vulnerability allows attackers to execute arbitrary commands through specially crafted requests. The situation worsened with the discovery of CVE-2024-45195, which bypasses previous patches, leading to increased exploitation attempts, including the deployment of the Mirai botnet.…
Cyble Research and Intelligence Labs (CRIL) has uncovered a phishing campaign that disguises a malicious download as a legitimate CapCut application. This campaign employs reputation hijacking techniques and the JamPlus build utility to execute malicious scripts and deploy NodeStealer, a malware designed to extract sensitive user information.…
Cyble Research and Intelligence Labs (CRIL) has identified an ongoing spear-phishing campaign by the Gamaredon APT group, targeting Ukrainian military personnel. The campaign utilizes malicious XHTML attachments that execute obfuscated JavaScript to download harmful files, leveraging TryCloudflare for remote access and evasion of detection.…
The Head Mare hacktivist group targets Russian and Belarusian organizations, leveraging cyberattacks as a means to influence geopolitical tensions related to the Russo-Ukrainian conflict. Their operations involve sophisticated phishing and ransomware techniques, exploiting vulnerabilities to destabilize key institutions in these nations.
Key Points: Head Mare targets Russian and Belarusian organizations to influence political and economic stability.…
Cyble Research and Intelligence Lab (CRIL) has uncovered a targeted cyber-attack campaign in Malaysia, aimed at political figures and government officials. The attack utilizes malicious ISO files containing components designed to deploy the Babylon RAT, an open-source Remote Access Trojan, enabling unauthorized access and data exfiltration from compromised systems.…
Iranian state-backed actors, known as “Pioneer Kitten,” are increasingly targeting critical infrastructure in the U.S. and allied nations. They have evolved into access brokers for ransomware gangs, monetizing network access while also conducting espionage aligned with Iranian government interests. A joint advisory from the FBI, CISA, and DC3 emphasizes the need for organizations to enhance their cybersecurity measures.…
RansomHub ransomware, which emerged in February 2024, poses a significant threat to various sectors, including critical infrastructure. Utilizing a double-extortion model, it encrypts and exfiltrates data to demand ransoms. The ransomware employs sophisticated techniques such as exploiting zero-day vulnerabilities and advanced data exfiltration methods, making it a formidable challenge for cybersecurity defenses.…
Cyble Research and Intelligence Labs (CRIL) has discovered a phishing site that impersonates Zoom to trick users into downloading ScreenConnect software. This software allows attackers to gain unauthorized remote access to victims’ computers, facilitating further malicious activities. The campaign also involves spam emails targeting Social Security Administration (SSA) account holders, urging them to download applications under false pretenses.…
Cyble Research and Intelligence Lab (CRIL) has uncovered a phishing campaign that targets users downloading VPN applications across Windows, Linux, and macOS. The attackers have developed distinct stealer binaries for each platform, aiming to extract sensitive information such as cryptocurrency wallet data, browser passwords, and SSH keys.…
A sophisticated cloud extortion campaign targeted over 110,000 domains by exploiting misconfigured AWS .env files to steal credentials and ransom cloud storage data. The attackers leveraged exposed AWS Identity and Access Management (IAM) access keys found in these files, highlighting significant security vulnerabilities in cloud configurations.…
Cyble Research and Intelligence Labs (CRIL) uncovered a phishing site that mimics the official World Agricultural Cycling Competition (WACC) website. The site, launched shortly after the event, aims to deceive users into downloading malicious files disguised as event photos, ultimately delivering a Havoc Command and Control (C2) framework.…
The UTG-Q-010 group, a financially motivated APT actor from East Asia, has been identified in a sophisticated campaign targeting cryptocurrency enthusiasts and HR departments. Utilizing spear phishing tactics with malicious LNK files, the group exploits vulnerabilities through social engineering and advanced malware delivery methods, including the use of the Pupy RAT.…
Since July 2024, there has been a surge in the detection of a new variant of Gigabud malware, which employs sophisticated phishing tactics by masquerading as legitimate airline applications. The malware’s operations have expanded to target users in multiple countries, and analysis suggests a connection between Gigabud and Golddigger malware, indicating a coordinated approach by the same threat actor.…
“Double Threat: Latrodectus and ACR Stealer Distributing Through Google Authenticator Phishing Site”
Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated phishing campaign that uses a fake Google Safety Centre page to distribute malicious software. The phishing site tricks users into downloading a file disguised as Google Authenticator, which actually installs two types of malware: Latrodectus and ACR Stealer.…
On July 19th, 2024, CrowdStrike, a leading cybersecurity provider of advanced endpoint security detection and protection solutions, released a sensor configuration update to Windows systems. This update contained a logic error that resulted in system crashes and Blue Screen of Death (BSOD) incidents. The faulty software update caused widespread disruptions on Friday, affecting critical services in banks, airlines, hospitals, stock markets, and IT industries globally.…
When the shortcut is executed, it downloads a PowerShell script, initiating a chain of events that ultimately allows the Threat Actor (TA) to gain Remote Desktop Protocol (RDP) access to the victim’s system. …