FIREWALL Archives - Page 33 of 47 - Cybersecurity News Everyday

Threat Research

Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant

January 31, 2024May 16, 2024 Mandiant

On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.

The vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges.…

Threat Research

ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign

January 31, 2024May 16, 2024 Unit42

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs) and other scam pages. Among these PUPs, we have identified several adware programs including a rogue browser and different browser extensions.…

Threat Research

Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

January 26, 2024May 16, 2024 Securonix

By D. Iuzvyk, T. Peck, A. Narasimhan, R. Radparvar, A. Barros, O. Kolesnikov tldr:

In the last month, two critical zero-day CVEs were published for Ivanti Connect Secure VPN software: CVE-2023-46805 and CVE-2024-21887.

In December of 2023, Volexity incident response teams discovered a vulnerability regarding an authentication bypass to an organization’s Ivanti Connect Secure (ICS) VPN server appliance (previously known as Pulse Connect Secure).…

Threat Research

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours

January 26, 2024May 16, 2024 Securonix

Key TakeawaysIn late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, the threat actors executed ransomware across the entire network.…

Threat Research

New Go-based Malware Loader Discovered I Arctic Wolf

January 25, 2024May 16, 2024 Securonix

Background

Arctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note taking application to trick the victims.…

Threat Research

Threat Assessment: BianLian

January 23, 2024May 16, 2024 Unit42

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).…

Threat Research

Parrot TDS: A Persistent and Evolving Malware Campaign

January 23, 2024May 16, 2024 Securonix

This post is also available in: 日本語 (Japanese)

Executive Summary

A traffic direction system (TDS) nicknamed Parrot TDS has been publicly reported as active since October 2021. Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server. This TDS is easily identifiable by keywords found in the injected JavaScript that we will explore to show the evolution of this threat.…

Threat Research

Inside the SYSTEMBC Command-and-Control Server

January 19, 2024May 16, 2024 admin

Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild in 2018 with its core functionality revolving around its ability to act as SOCKS5 proxy. This provides a useful capability for threat actors as a persistent access mechanism or for purposes of leaving behind a backdoor in case of discovery of their initial access method.…

Threat Research

Securonix Threat Research Knowledge Sharing Series: On Detecting Real-world Attacks Involving RMM Behaviors Using Securonix

January 16, 2024May 16, 2024 Securonix

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: Threat actors favor RMM (remote monitoring and management) as it allows for convenient and stealthy command and control capabilities on compromised hosts. Today, let’s take a look at some of the popular options that the bad guys are using and discover how we can detect them.…

Cyber Security News

Medusa Ransomware Turning Your Files into Stone

January 12, 2024January 25, 2025 admin

Executive Summary

Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.…

Threat Research

Fuzzing and Bypassing the AWS WAF

January 9, 2024May 16, 2024 Sysdig

The Sysdig Threat Research Team discovered techniques that allowed the AWS WAF to be bypassed using a specialized DOM event. Web Application Firewalls (WAFs) serve as the first line of defense for your web applications, acting as a filter between your application and incoming web traffic to protect against unauthorized or malicious activity.…

Threat Research

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

January 5, 2024May 16, 2024 Securonix

Published On : 2024-01-03

EXECUTIVE SUMMARY

This report provides a glimpse into the evolving landscape of RAT development and malicious activities performed by threat actors working under name of ‘Anonymous Arabic’. Our team investigated the Silver RAT (written in C sharp) which has capabilities to bypass anti-viruses and covertly launch hidden applications, browsers, keyloggers, and other malicious activities.…

Threat Research

Securing Gold: Assessing Cyber Threats on Paris 2024

January 4, 2024May 16, 2024 SekoiaIO

Table of contentsIntroduction

The next Olympic Games hosted in Paris will take place from 26 July to 11 August 2024, while the Paralympic Games will be carried out from 28 August to 8 September 2024. The Olympic and Paralympic Games, which bring together all the nations around sport competitions every two years, is a showcase for States in front of the world.…

Threat Research

Unveiling Cryptocurrency Malware on YouTube: A Comprehensive Analysis of Mining Threats

January 3, 2024May 16, 2024 Securonix

Published On : 2024-01-05

EXECUTIVE SUMMARY

At Cyfirma, we are committed to providing up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. This comprehensive analysis delves into the dissemination of cryptocurrency miners through a YouTube channel.…

Threat Research

From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence

December 28, 2023May 16, 2024 Securonix

This post is also available in: 日本語 (Japanese)

Executive Summary

This article summarizes the malware families (and groups pushing malware) seen by Unit 42 and shared with the broader threat hunting community through our social channels. Some malware – such as IcedID and DarkGate – came up repeatedly.…

Threat Research

Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets

December 18, 2023May 24, 2024 Securonix

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer.…

Threat Research

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

December 18, 2023May 24, 2024 Securonix

Iranian espionage group Seedworm (aka Muddywater) has been targeting organizations operating in the telecommunications sector in Egypt, Sudan, and Tanzania.

Seedworm has been active since at least 2017, and has targeted organizations in many countries, though it is most strongly associated with attacks on organizations in the Middle East.…

Threat Research

Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains

December 14, 2023May 24, 2024 Securonix

This post is also available in: 日本語 (Japanese)

Executive Summary

Malicious actors often acquire a large number of domain names (called stockpiled domains) at the same time or set up their infrastructure in an automated fashion. They do so, for example, by creating DNS settings and certificates for these domains using scripts.…

Threat Research

Routers Roasting on an Open Firewall: the KV-botnet Investigation – Lumen

December 13, 2023May 24, 2024 Lumen-BlackLotus

Executive Summary

The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors.…