On February 8th, 2023, a vendor alerted customers regarding a security vulnerability in Ruckus Wireless Admin. CVE-2023-25717 is a critical vulnerability categorized as a Remote Code Execution (RCE) vulnerability impacting the Ruckus Wireless Admin.
This vulnerability stems from inadequate handling of a specially crafted HTTP request.…
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
Update as of 7/25/2023 3:40PM PHT: Updated the indicators of compromise.
8220 Gang (also known as “8220 Mining Group,” derived from their use of port 8220 for command and control or C&C communications exchange) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
TL;DRAn unusual attack/phishing campaign delivering malware while using meme-filled code and complex obfuscation methods continues dropping Xworm payloads for the last few months and is still ongoing today.
IntroFor the last few months, an interesting and ongoing attack campaign was identified and tracked by the Securonix Threat Research team.…
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.…
In late April we observed a malspam campaign delivering a previously unseen PowerShell malware. We decided to provide an overview of the campaign and some of the malware capabilities. We’re also dubbing this malware family as “PowerDash” because of the “/dash” path on C2 server, used as a gateway for bots.…
Affected platforms: LinuxImpacted parties: Any organizationImpact: Remote attackers gain control of vulnerable systemsSeverity level: Critical
In April, FortiGuard Labs observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.…
After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat.
We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji.…
On 19th April 2023, PaperCut released a Security alert stating, “We have evidence to suggest that unpatched servers are being exploited in the wild”. The advisory released by vendors provides insights into the two CVEs – CVE-2023-27350 (Severity: Critical) & CVE-2023-27351(Severity: High).…
With recent reports that Charming Kitten group (aka Mint Sandstorm) is actively targeting critical infrastructure in the US and other countries, we would like to share the most recent insights from Bitdefender Labs about modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware.…
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry. …
Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
UPDATE #1 – 4/25/23 @ 11am ET: Added information about additional exploitation seen against Papercut MF/NG Server where a crypto-miner was deployed.…
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.…
Scan mode
The Scan mode enumerates software and services via WMI, WinRM, Remote Registry, and Remote Services.
It then checks for the existence of the following security programs:
Defence Defender Endpoint AntiVirus BitDefender Kaspersky Norton Avast WebRoo AVG ESET Malware Defender Sophos Trend Symantec Endpoint Protection Security McAfee TotalAV pcprotect scanguard Crowdstrike Harmony SentinelOne MVISION WithSecure WatchGuard FireEye FSecure Carbon Black Heimdal HitmanPro VIPRE Anti-Virus DeepArmor Morphisec Dr.Web…Summary
Since the beginning of January 2023, the BlackBerry Threat Research and Intelligence team has been following two parallel malicious campaigns that use the same infrastructure but have different purposes.
The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others.…
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.…
On February 09, 2023, EclecticIQ analysts identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and Security Service of Ukraine (SSU). Analysts identified a publicly exposed Simple Mail Transfer Protocol (SMTP) server and assess with high confidence that the threat actor used the SMTP server to craft and deliver phishing emails.…
Ex-Conti and FIN7 Actors Collaborate with New Backdoor
Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members. Minodo’s code shows overlap with the Lizar (aka Tirion, Diceloader) malware family, leading us to suspect that it was created by current or former ITG14 developers.…
Executive summary
TEHTRIS Threat Hunters analyzed illicit cryptomining activity targeting Linux-based machines. The attack happened on one of our high interaction honeypots hosted in France in mid-January across a short timeframe (less than 5 minutes). Our honeypot was a Linux under Ubuntu 22.04. The cybercriminal group behind this attack employs a strategy to optimize the use of the compromised device’s resources.…