Key TakeawaysIn India, there has been a noticeable surge in pig-butchering scam, specifically aimed at investors and propagated through counterfeit trading applications.
Counterfeit trading applications are being distributed via the Google Play Store and App Store, alongside phishing sites, as part of this fraudulent scheme. …
Read More Tag: INITIAL ACCESS
The FBI’s Internet Crime Complaint Center (IC3) has published its annual report for 2023, which reveals that the number of cybercrime complaints received by the agency increased by nearly 10% compared to the previous year.
Cybercrime victims in the United States filed more than 880,000 complaints with the FBI in 2023, with reported losses totaling over $12.5 billion, which represents a 22% increase from 2022. …
ESET researchers discovered a cyberespionage campaign that, since at least September 2023, has been victimizing Tibetans through a targeted watering hole (also known as a strategic web compromise), and a supply-chain compromise to deliver trojanized installers of Tibetan language translation software. The attackers aimed to deploy malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a backdoor that, to the best of our knowledge, has not been publicly documented yet; we have named it Nightdoor.…
Publicly available exploits incite unwarranted chaos
Executive SummaryOn March 4, 2024, JetBrains released a blog post detailing the security patch for TeamCity, which is a Continuous Integration and Continuous Delivery (CI/CD) server developed by JetBrains and plays a crucial role within organizations across the globe. …
Researchers have spotted a concerted cyber compromise campaign targeting cloud servers running vulnerable instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis. The attackers are dropping a cryptomining tool, but also installing a Linux-based reverse shell that would allow potential future targeting and malware infestations.
According to an analysis from Cado Security, in most cases the adversary is hunting for common cloud misconfigurations to exploit.…
Mar 06, 2024NewsroomServer Security / Cryptocurrency
Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.…
A cryptojacking campaign involving Linux malware is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances with new and unique malicious payloads, cybersecurity firm Cado Security warns.
As part of the campaign, the attackers employ four new Golang payloads to automate the discovery and exploitation of vulnerable hosts, as well as a reverse shell and multiple user-mode rootkits to hide their presence.…
Updated March 8: Based on our experience, we believe that BlackCat’s claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after their hiatus. This scam tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny.…
Hackers are targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware that automates the discovery and compromise of the hosts.
The malicious tools used in the campaign take advantage of the configuration weaknesses and exploit an old vulnerability in Atlassian Confluence to execute code on the machine.…
Introduction
Read More Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running the following web-facing services:
The campaign utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services.…
North Korean hackers are using a critical vulnerability in ConnectWise’s ScreenConnect software to spread new, shapeshifting espionage malware.
Two weeks ago, ConnectWise revealed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug given a “high” score of 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, a rare “critical” 10 out of 10 authentication bypass bug.…
The proliferation of programmable logic controllers (PLCs) with embedded Web servers in them has given attackers a way to launch potentially catastrophic, remote attacks against operational technology (OT) for industrial control systems (ICS) in critical infrastructure sectors.
To highlight the threat, a team of researchers from the Georgia Institute of Technology has developed malware that an adversary could use to remotely access an embedded Web server within a PLC, and attack the underlying physical system.…
Mar 05, 2024NewsroomMalware / Cyber Threat
North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.…
Every month the Nextron Threat Research Team (NTRT) shares insights into evasive threats that we’ve seen in the wild via our Valhalla service. The aim is to highlight interesting samples our rules detected and have or had very low detection rates as reported by VirusTotal scanning.…
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Views: 1…
Mar 05, 2024NewsroomMalware / Artificial Intelligence
More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.
These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.…
Key TakeawaysThe Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK.The malware was used in post-compromise activity following exploitation of a ScreenConnect application.BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky).The…
Read More Published On : 2024-03-05
EXECUTIVE SUMMARYAt CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.
This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.…
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddlerShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.…