Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. At the onset of Russia’s invasion of Ukraine on February 24, 2022, Ukraine introduced a moratorium on evictions and termination of utility services for unpaid debt.…
Tag: EXPLOIT
Estimated reading time: 5 minutes
AsukaStealer, marketed on a Russian-language cybercrime forum by the alias ‘breakcore,’ has been exposed. The perpetrator offers its services for a monthly fee of $80, targeting individuals and organizations seeking to exploit its capabilities for malicious purposes. Written in C++, AsukaStealer features customizable configurations and an intuitive web-based interface, enhancing its usability for cybercriminals seeking to deploy and manage malware efficiently. It…
In October 2023 we posted our research about the notorious surveillance framework LightSpy2. In our research, we proved with a high degree of confidence that both implants for Android and iOS came from the same developer and shared the same network infrastructure, but also that they were just a small part of a larger framework.…
Key Points
The cyber threat landscape has seen a significant increase in information-stealing (infostealer) malware activity, with a 30.5% rise in marketplace listings for “stealer logs” from Q3 to Q4 of 2023. This malware type has evolved to encompass more sophisticated tools that aim to harvest sensitive information such as usernames, passwords, and credit card details.…
Threat Actor: Blackout Ransomware Group
Victim: MCM Telecom
Price: Not specified
Exfiltrated Data Type: Customer information, business details, additional information
Additional Information:
Data Size: Approximately 15 GB
Uploaded: 25 May 2024, 11:35:44 UTC
Customer Information: ID, name, number, key, status, category code, class code, type, primary sales representative ID, SIC code, tax reference, tax code
Business Details: FOB point, shipping method, GSA indicator, partial shipment status, taxpayer ID, price list ID, freight terms, order type ID, sales channel code, warehouse ID
Additional Information: Mission statement, number of employees, potential revenue for the current and next fiscal years, fiscal year-end month
In a recent announcement, the notorious Blackout Ransomware Group has claimed responsibility for a significant cyberattack on MCM Telecom, a B2B telecommunications provider based in Mexico.…
In this blog we examine how Darktrace was able to detect and block malicious phishing emails sent via Microsoft Teams that were impersonating an international hotel chain.
Social Engineering in Phishing Attacks
Faced with increasingly cyber-aware endpoint users and vigilant security teams, more and more threat actors are forced to think psychologically about the individuals they are targeting with their phishing attacks. Social…
This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights about the team behind all Sekoia Threat Intelligence and Detection Engineering reports. Let me introduce you to the Sekoia TDR team.
TL;DR
Sekoia Threat Detection & Research (TDR) is a multidisciplinary team dedicated to Cyber Threat Intelligence and Detection Engineering for the Sekoia SOC Platform.…
Summary: This article discusses a critical vulnerability in the TP-Link Archer C5400X gaming router that allows remote command execution, posing a risk to users.
Threat Actor: N/A
Victim: TP-Link Archer C5400X gaming router users
Key Point:
A critical vulnerability in the TP-Link Archer C5400X gaming router has been disclosed, allowing remote command execution.…
Summary: Security researchers have released a proof-of-concept exploit for a remote code execution vulnerability in Fortinet’s SIEM solution, which allows executing commands as root on Internet-facing FortiSIEM appliances.
Threat Actor: Horizon3’s Attack Team
Victim: Fortinet
Key Point:
A proof-of-concept exploit has been released for a remote code execution vulnerability in Fortinet’s SIEM solution.…
This blog delves into Darktrace’s investigation into the exploitation of the Citrix Bleed vulnerability on the network of a customer in late 2024. Darktrace’s Self-Learning AI ensured the customer was well equipped to track the post-compromise activity and identify affected devices.
What is Citrix Bleed?
Since August 2023, cyber threat actors have been actively exploiting one of the most significant critical vulnerabilities disclosed in recent years: Citrix Bleed.…
Published On : 2024-05-29
EXECUTIVE SUMMARY
A critical vulnerability, identified as CVE-2024-3273, has been discovered in certain end-of-life (EOL) D-Link NAS devices, presenting a severe threat due to the lack of ongoing support and their high susceptibility to attacks. With a CVSS base score of 9.8, this vulnerability is extremely serious, potentially allowing unauthorized access, data theft, system modifications, or denial of service attacks.…
During a recent red team operation, NetSPI discovered a local privilege escalation path in the default installation of Microsoft Service Fabric Runtime, a software commonly used for local application development. This vulnerability would allow a low privilege user, with a foothold on a host running the service fabric deployment, to elevate their privileges up to System. …
Summary: This article discusses a recent ransomware attack by the Ransomhub group on an Industrial Control Systems (ICS) of a Spanish bioenergy plant, highlighting the dangers of cyberattacks on ICS.
Threat Actor: Ransomhub
Victim: Spanish bioenergy plant
Key Point:
The recent ransomware attack by the Ransomhub group targeted the Supervisory Control and Data Acquisition (SCADA) system of a Spanish bioenergy plant, highlighting the vulnerability of Industrial Control Systems (ICS) to cyberattacks.…
Summary: This content discusses the cybersecurity implications of using Dynamic DNS (DDNS) services embedded in appliances, such as those provided by vendors like Fortinet or QNAP, which increases the discoverability of customer devices by attackers.
Threat Actor: Attackers
Victim: Customers using appliances with embedded Dynamic DNS (DDNS) services, such as those provided by vendors like Fortinet or QNAP.…
Cloud cryptomining has become an emerging trend in recent years, powered by the scalability and flexibility of cloud platforms. Unlike traditional on-premises infrastructure, cloud infrastructure allows attackers to quickly deploy resources for cryptomining, making it easier to exploit. One of the most common cryptomining threats for cloud environments is the Kinsing malware.…
Summary: A report has found that a majority of currently exploited software vulnerabilities are missing from the US National Vulnerability Database (NVD).
Threat Actor: N/A
Victim: N/A
Key Point:
A VulnCheck report has revealed that 30 out of 59 known exploited vulnerabilities have not yet been analyzed by the NVD team.…
Summary: This article discusses how hackers could exploit a bug on the Replicate artificial intelligence platform to steal data and manipulate AI models.
Threat Actor: Hackers
Victim: Replicate artificial intelligence platform
Key Point:
Attackers could have exploited a critical vulnerability in the Replicate artificial intelligence platform to access private AI models and steal data.…
Summary: Cisco has addressed a vulnerability in the web-based management interface of the Firepower Management Center (FMC) Software, which could allow an attacker to conduct SQL injection attacks and potentially gain root privileges.
Threat Actor: N/A
Victim: Cisco
Key Point:
Cisco has patched a vulnerability in its Firepower Management Center (FMC) Software that could allow an attacker to conduct SQL injection attacks.…
Threat Actor: Unknown
Victim: Organizations using Pulse Connect Secure VPN
Price: Not specified
Exfiltrated Data Type: Not specified
Additional Information:
The threat actor claims to have a Pulse Connect Secure VPN Remote Code Execution (RCE) 0-day exploit available for purchase.…
Threat Actor: Unknown
Victim: WordPress
Price: $50,000
Exfiltrated Data Type: Sensitive website data
Additional Information:
Exploit Details: The exploit, priced at $50,000, claims to enable bypassing of WordPress admin authentication, potentially allowing unauthorized access to administrative features and sensitive website data.…