____________________ Summary: The article discusses a new BOLA vulnerability discovered in Grafana, impacting millions of users worldwide. It explains the vulnerability, potential impacts, and provides solutions and mitigations.

Key Point 🛡️: – BOLA vulnerability (CVE-2024-1313) allows low-privileged users to delete dashboard snapshots of other organizations. – Endpoint allows any user to create snapshot images without complexity checks on secret keys.…

Read More
Key Takeaways In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arrested two individuals linked to the cybercrime operation.  Recently, Cyble Research and Intelligence Labs (CRIL) observed few samples of malware campaign possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload. …
Read More

____________________ Summary: A new hacking campaign called “ShadowRay” is exploiting an unpatched vulnerability in the Ray framework to breach servers and hijack resources, affecting various industries.

Key Point: 🔒 Ray framework vulnerability exploited by hackers 🔒 Attackers gaining access to sensitive data and resources 🔒 Use of compromised servers for cryptocurrency mining 🔒 Exploitation of vulnerabilities undetected by traditional security measures 🔒 Recommendations for securing Ray deployments ____________________

A new hacking campaign dubbed “ShadowRay” targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies.…

Read More

Thousands of publicly exposed Ray servers compromised as a result of Shadow Vulnerability

TL;DR

The Oligo research team has recently discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source AI framework. Thousands of companies and servers running AI infrastructure are exposed to the attack through a critical vulnerability that is under dispute and thus has no patch.…

Read More

Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. …

Read More

Key Points

This report examines the threat posed by Chinese advanced persistent threat (APT) groups on operational technology (OT) by analyzing four key cyber attacks from the past 12 months conducted by threat actors with a China nexus (“APT27,” “APT31,” “BlackTech,” and “Volt Typhoon”). Network defenders may find the detection rules and key recommendations detailed throughout this report useful.…
Read More

A new denial-of-service attack dubbed ‘Loop DoS’ targeting application layer protocols can pair network services into an indefinite communication loop that creates large volumes of traffic.

Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 host and their networks.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors.…

Read More

During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174.…

Read More

In the eBook “Active adversaries: Who they are and how they’re targeting your organization,” we outlined recent research from the Sophos X-Ops team on how active adversaries are breaching organizations in two primary ways: exploiting software vulnerabilities and using compromised credentials.

Sophos X-Ops research found exploited vulnerabilities to be the most prevalent attack vector, comprising 37% of the incidents they evaluated.…

Read More

A new client recently came to us reporting seemingly random pop ups occurring on their website. While it was clear that there was something amiss with the website it was difficult to reproduce the issue. However, by inspecting our server side scanner logs we were able to locate the source of the unwanted behavior — and it turned out to be a remarkably interesting JavaScript injection related to a massive malware campaign that we internally call Sign1.…

Read More

Summary: The interaction between web2 client-server architectures and web3 systems presents security challenges. Web3 systems often rely on classic centralized components, which can create unique attack surfaces. In this post, ongoing research on the use of web2 components in web3 systems is summarized, including vulnerabilities found in the Dappnode node management framework.…

Read More
Executive Summary

This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.…

Read More

By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr:

The Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the North Korean Kimsuky group.

The Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU likely associated with the Kimsuky group, which features some new code/stagers as well as some recycled code and TTPs that were reported in the past.…

Read More