Researchers from Aqua Nautilus have successfully intercepted Kinsing’s experimental incursions into cloud environments. Utilizing a rudimentary yet typical PHPUnit vulnerability exploit attack, a component of Kinsing’s ongoing campaign, we have uncovered the threat actor’s manual efforts to manipulate the Looney Tunables vulnerability (CVE-2023-4911). This marks the first documented instance of such an exploit, to the best of our knowledge.…
Tag: CVE
Introduction
Read More
On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs). …
Last updated at Fri, 03 Nov 2023 18:32:32 GMT
Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young contributed attacker behavior insights to this blog.
Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments.…
ESET Research
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible
Matthieu Faou
25 Oct 2023 • , 5 min. read
ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023.…
Recent posts
HomeMalware Analysis
Unpacking the Use of Steganography in Recent Malware Attacks
Read More
UPD: The section “Additional tasks” has been updated to include a new November 2023 steganography campaign.
Malware delivery techniques are always evolving to bypass security measures. Gone are the days when a scammer could simply send an executable file as an email attachment — today, it simply won’t get past email filters. …
In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.…
Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time.…
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Blockchain, Botnets, Hexadecimal IP notation, Infostealers, and Ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure…
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.…
Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.…
CVE-2023-43261 has likely been exploited in the wild, but not at scale.
The CVE description does not report the correct set of affected industrial cellular routers nor the correct set of affected firmware.
Although recently disclosed, CVE-2023-43261 was patched years ago.
Read More
The recent disclosure of CVE-2023-43261 caught our attention because it reportedly affected a set of well-known industrial cellular routers created by Milesight.…
On Oct. 11, a new version of curl (8.4.0) was released where a couple of new vulnerabilities were fixed (CVE-2023-38545 with severity HIGH and CVE-2023-38546 with severity LOW). These issues were previously announced in the project’s discussion. At the time of this blog, there have been several proof of concepts released for CVE-2023-38545 which result in crashes, but not exploitation.…
Updates
Nov. 02: Identified a third version of the BadCandy implant. Added expected response from the new version of the implant against one of the HTTP requests used to check for infected device.
Nov. 1: Observed increase in exploitation attempts since the publication of the proofs-of-concept (POCs) of the exploits involved.…
A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
A government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S.,…
Affected Platforms: LinuxImpacted Users: Any organizationImpact: Remote attackers gain control of the vulnerable systemsSeverity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including D-Link devices, Netis wireless router, Sunhillo SureLine, Geutebruck IP camera, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.…
Update: Wordfence has released a malware detection signature for wp.ph$p to Wordfence Premium, Wordfence Care, Wordfence Response, and the paid tiers of Wordfence CLI as of Monday, October 16, 2023.
Today, on October 13, 2023, the Wordfence Threat Intelligence Team became aware of a vulnerability that was recently patched in Royal Elementor Addons and Templates, a WordPress plugin installed on over 200,000 sites, that makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable sites.…
SUMMARY
Read More
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.…
This entry delves into threat actors’ intricate methods to implant malicious payloads within seemingly legitimate applications and codebases.
IntroductionAs technology evolves and the world becomes more interconnected, so do the techniques used by threat actors against their victims. Threat actors pose a significant risk to organizations, individuals, and communities by continuously exploiting the intricate interdependencies within supply chains and codebases.…
Introduction
Read More
In the last few months, Check Point Research has been tracking “Stayin’ Alive”, an ongoing campaign that has been active since at least 2021. The campaign operates in Asia, primarily targeting the Telecom industry, as well as government organizations.
The “Stayin’ Alive” campaign consists of mostly downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations.…
Recently, Qualys discovered and reported a critical vulnerability affecting the popular GLIBC ecosystem, which is installed by default on most Linux-based operating systems. Specifically, a buffer overflow was found in the code responsible for handling special environment variables during the startup of a process which can result in a local privilege escalation.…