Thousands of publicly exposed Ray servers compromised as a result of Shadow Vulnerability

TL;DR

The Oligo research team has recently discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source AI framework. Thousands of companies and servers running AI infrastructure are exposed to the attack through a critical vulnerability that is under dispute and thus has no patch.…

Read More

Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. …

Read More

Key Points

This report examines the threat posed by Chinese advanced persistent threat (APT) groups on operational technology (OT) by analyzing four key cyber attacks from the past 12 months conducted by threat actors with a China nexus (“APT27,” “APT31,” “BlackTech,” and “Volt Typhoon”). Network defenders may find the detection rules and key recommendations detailed throughout this report useful.…
Read More

A new denial-of-service attack dubbed ‘Loop DoS’ targeting application layer protocols can pair network services into an indefinite communication loop that creates large volumes of traffic.

Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 host and their networks.…

Read More

During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174.…

Read More

In the eBook “Active adversaries: Who they are and how they’re targeting your organization,” we outlined recent research from the Sophos X-Ops team on how active adversaries are breaching organizations in two primary ways: exploiting software vulnerabilities and using compromised credentials.

Sophos X-Ops research found exploited vulnerabilities to be the most prevalent attack vector, comprising 37% of the incidents they evaluated.…

Read More

A new client recently came to us reporting seemingly random pop ups occurring on their website. While it was clear that there was something amiss with the website it was difficult to reproduce the issue. However, by inspecting our server side scanner logs we were able to locate the source of the unwanted behavior — and it turned out to be a remarkably interesting JavaScript injection related to a massive malware campaign that we internally call Sign1.…

Read More

Summary: The interaction between web2 client-server architectures and web3 systems presents security challenges. Web3 systems often rely on classic centralized components, which can create unique attack surfaces. In this post, ongoing research on the use of web2 components in web3 systems is summarized, including vulnerabilities found in the Dappnode node management framework.…

Read More
Executive Summary

This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.…

Read More

By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr:

The Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the North Korean Kimsuky group.

The Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU likely associated with the Kimsuky group, which features some new code/stagers as well as some recycled code and TTPs that were reported in the past.…

Read More

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On March 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner, a WordPress plugin with more than 10,000+ active installations, and our Wordfence Threat Intelligence team identified the same vulnerability in miniOrange’s Web Application Firewall, a WordPress plugin with more than 300+ active installations.…

Read More

In late 2023, I wrote an article comparing how well ChatGPT and Google Bard handle writing security policies. Given that ChatGPT 4.0 has been available as a paid version, called ChatGPT Plus, for some time now, and Google recently rebranded Google Bard as Gemini (with Gemini Advanced available as paid offering), it’s a good time to compare how the two perform in a head-to-head of the top 10 use cases for information security professionals.…

Read More

Thousands of WordPress websites are potentially at risk of takeover due to a critical-severity vulnerability in two MiniOrange plugins that were discontinued recently, the Wordfence team at WordPress security company Defiant warns.

The two plugins, Malware Scanner and Web Application Firewall from MiniOrange, were closed on March 7, two days after the critical flaw was reported to the maintainers.…

Read More

Written by World Watch team from CERT Orange Cyberdefense (Marine PICHON, Vincent HINDERER, Maël SARP and Ziad MASLAH) and Sekoia TDR team (Livia TIBIRNA, Amaury G. and Grégoire CLERMONT)

TL;DRResidential proxies are intermediaries that allow an Internet connection to appear as coming from another host; This method allows a user to hide the real origin and get an enhanced privacy or an access to geo-restricted content; Residential proxies represent a growing threat in cyberspace, frequently used by attacker groups to hide among legitimate traffic, but also in a legitimate way; The ecosystem of these proxies is characterised by a fragmented and deregulated offering in legitimate and cybercrime webmarkets; To obtain an infrastructure up to several million hosts, residential proxies providers use techniques that can mislead users who install third-party software; With millions of IP addresses available, they represent a massive challenge to be detected by contemporary security solutions; Defending against this threat requires increased vigilance over the origin of traffic, which may not be what it seems, underlining the importance of a cautious and informed approach to managing network traffic; This joint report is built on extensive research from Sekoia.io…
Read More