Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running the following web-facing services:
The campaign utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services.…
After examining the events around the time the file was created, we discovered that the threat actor executed the following actions:
We observed that the initial command employs PowerShell to download a file (curl.tmp) from the URL http://preston[.]melaniebest[.]com/ms/curl.tmp and saves it as curl.exe in the C:WindowsSystem32 directory.…
Mar 06, 2024NewsroomSoftware Security / Vulnerability
VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller.…
Mar 06, 2024NewsroomVulnerability / Zero Day
Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.
The shortcomings are listed below –
CVE-2024-23225 – A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protectionsCVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protectionsIt’s currently not clear how the flaws are being weaponized in the wild.…
The National Security Agency is sharing new guidance to help organizations limit an adversary’s movement on the internal network by adopting zero-trust framework principles.
A zero-trust security architecture requires strict controls for accessing resources on the network, be they inside or outside the physical perimeter, to minimize the impact of a breach.…
Analysis of an Android Malware-as-a-Service Operation
Coper, a descendant of the ,,Exobot malware family, was ,,first observed in the wild in July 2021, targeting Colombian Android users. At that time, Coper (the Spanish translation of “Copper”) was distributed as a fake version of Bancolombia’s “Personas” application.…
Virtualization technology vendor VMware on Tuesday rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products.
The company documented four vulnerabilities and warned that the most serious bugs could allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.…
Mar 05, 2024NewsroomMalware / Cyber Threat
North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.…
Cloudflare on Monday announced a series of new security products that leverage AI, protect AI solutions, or defend against AI-enhanced phishing.
To improve its customers’ analytics abilities, Cloudflare introduced an AI assistant in the Security Analytics section of its dashboard, to help identify anomalies and cyberattacks faster by eliminating the complexity of using multiple tools and filters.…
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
A plugin for the open source network security monitoring tool Zeek is affected by several vulnerabilities that threat actors could leverage in attacks aimed at industrial control system (ICS) environments.
The existence of the vulnerabilities was disclosed recently by the US security agency CISA. The agency’s ICS advisory describes two critical- and one high-severity vulnerabilities impacting the Ethercat plugin for Zeek.…
Mar 05, 2024NewsroomAttack Surface / Exposure Management
Startups and scales-ups are often cloud-first organizations and rarely have sprawling legacy on-prem environments. Likewise, knowing the agility and flexibility that cloud environments provide, the mid-market is predominantly running in a hybrid state, partly in the cloud but with some on-prem assets.…
Published On : 2024-03-05
EXECUTIVE SUMMARYAt CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.
This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.
Since full technical details to create an exploit are available, administrators are strongly recommended to prioritize addressing the issue by updating to the latest version of the product or installing a security patch plugin from the vendor.…
Last updated at Tue, 05 Mar 2024 22:21:55 GMT
OverviewIn February 2024, Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:
CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).…Affected Platforms: Microsoft WindowsImpacted Users: Microsoft WindowsImpact: Controls victim’s device and collects sensitive informationSeverity Level: High
FortiGuard Labs recently uncovered a threat actor employing a malicious PDF file to propagate the banking Trojan CHAVECLOAK. This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware.…
Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional.
The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs. The bug affects HikCentral Professional version 2.5.1 and below.…
BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges. At this level of access, attackers can accomplish a lot: hide malware, dump credentials, and, crucially, attempt to disable EDR solutions.…