Thousands of publicly exposed Ray servers compromised as a result of Shadow Vulnerability
TL;DRThe Oligo research team has recently discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source AI framework. Thousands of companies and servers running AI infrastructure are exposed to the attack through a critical vulnerability that is under dispute and thus has no patch.…
Article Summary:
New Zealand government reveals it has been attacked by China.
Government agencies were compromised by a PRC state-sponsored group known as APT40.
Networks containing important government information were breached.
National Cyber Security Center worked to contain the activity and improve defenses.…
We are now in an era where AI and ML tools are thriving, with a new AI service popping up every week—from voice cloning apps to those perfecting digitalized art generation. It is worth noting though that many of these complex systems are the result of open source machine learning models.…
Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. …
Key Points
This report examines the threat posed by Chinese advanced persistent threat (APT) groups on operational technology (OT) by analyzing four key cyber attacks from the past 12 months conducted by threat actors with a China nexus (“APT27,” “APT31,” “BlackTech,” and “Volt Typhoon”). Network defenders may find the detection rules and key recommendations detailed throughout this report useful.…A new denial-of-service attack dubbed ‘Loop DoS’ targeting application layer protocols can pair network services into an indefinite communication loop that creates large volumes of traffic.
Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 host and their networks.…
This post is also available in: 日本語 (Japanese)
Executive SummaryThis article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors.…
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174.…
AndroxGh0st is a Python-based malware designed to target Laravel applications. It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio. Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment and vulnerability scanning.…
In the eBook “Active adversaries: Who they are and how they’re targeting your organization,” we outlined recent research from the Sophos X-Ops team on how active adversaries are breaching organizations in two primary ways: exploiting software vulnerabilities and using compromised credentials.
Sophos X-Ops research found exploited vulnerabilities to be the most prevalent attack vector, comprising 37% of the incidents they evaluated.…
A new client recently came to us reporting seemingly random pop ups occurring on their website. While it was clear that there was something amiss with the website it was difficult to reproduce the issue. However, by inspecting our server side scanner logs we were able to locate the source of the unwanted behavior — and it turned out to be a remarkably interesting JavaScript injection related to a massive malware campaign that we internally call Sign1.…
Summary: The interaction between web2 client-server architectures and web3 systems presents security challenges. Web3 systems often rely on classic centralized components, which can create unique attack surfaces. In this post, ongoing research on the use of web2 components in web3 systems is summarized, including vulnerabilities found in the Dappnode node management framework.…
This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.…
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr:The Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the North Korean Kimsuky group.
The Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU likely associated with the Kimsuky group, which features some new code/stagers as well as some recycled code and TTPs that were reported in the past.…
Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!
On March 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner, a WordPress plugin with more than 10,000+ active installations, and our Wordfence Threat Intelligence team identified the same vulnerability in miniOrange’s Web Application Firewall, a WordPress plugin with more than 300+ active installations.…
In late 2023, I wrote an article comparing how well ChatGPT and Google Bard handle writing security policies. Given that ChatGPT 4.0 has been available as a paid version, called ChatGPT Plus, for some time now, and Google recently rebranded Google Bard as Gemini (with Gemini Advanced available as paid offering), it’s a good time to compare how the two perform in a head-to-head of the top 10 use cases for information security professionals.…
Thousands of WordPress websites are potentially at risk of takeover due to a critical-severity vulnerability in two MiniOrange plugins that were discontinued recently, the Wordfence team at WordPress security company Defiant warns.
The two plugins, Malware Scanner and Web Application Firewall from MiniOrange, were closed on March 7, two days after the critical flaw was reported to the maintainers.…
This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims.…
Written by World Watch team from CERT Orange Cyberdefense (Marine PICHON, Vincent HINDERER, Maël SARP and Ziad MASLAH) and Sekoia TDR team (Livia TIBIRNA, Amaury G. and Grégoire CLERMONT)
TL;DRResidential proxies are intermediaries that allow an Internet connection to appear as coming from another host; This method allows a user to hide the real origin and get an enhanced privacy or an access to geo-restricted content; Residential proxies represent a growing threat in cyberspace, frequently used by attacker groups to hide among legitimate traffic, but also in a legitimate way; The ecosystem of these proxies is characterised by a fragmented and deregulated offering in legitimate and cybercrime webmarkets; To obtain an infrastructure up to several million hosts, residential proxies providers use techniques that can mislead users who install third-party software; With millions of IP addresses available, they represent a massive challenge to be detected by contemporary security solutions; Defending against this threat requires increased vigilance over the origin of traffic, which may not be what it seems, underlining the importance of a cautious and informed approach to managing network traffic; This joint report is built on extensive research from Sekoia.io…