Cybercriminals have developed an enhanced version of the infamous GhostLocker ransomware that they are deploying in attacks across the Middle East, Africa, and Asia.

Two ransomware groups, GhostSec and Stormous, have joined forces in the attack campaigns with double-extortion ransomware attacks using the new GhostLocker 2.0 to infect organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand, as well as other locations.…

Read More

A plugin for the open source network security monitoring tool Zeek is affected by several vulnerabilities that threat actors could leverage in attacks aimed at industrial control system (ICS) environments.

The existence of the vulnerabilities was disclosed recently by the US security agency CISA. The agency’s ICS advisory describes two critical- and one high-severity vulnerabilities impacting the Ethercat plugin for Zeek.…

Read More

Published On : 2024-03-05

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.

This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…

Read More

American Express (Amex) notifies customers that their credit card information has been compromised in a data breach involving a third-party merchant processor. The company did not disclose the number of impacted customers.

“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system.”…

Read More

BleepingComputer has discovered a content farm operating some 60+ domains named after popular media outlets, including the BBC, CNBC, CNN, Forbes, Huffington Post, Reuters, The Guardian, and Washington Post, among others.

These “news” websites, which we were able to trace to their proprietor in India, repost articles from credible media and research organizations without attribution.…

Read More

BleepingComputer has discovered a content farm operating some 60+ domains named after popular media outlets, including the BBC, CNBC, CNN, Forbes, Huffington Post, Reuters, The Guardian, and Washington Post, among others.

These “news” websites, which we were able to trace to their proprietor in India, repost articles from credible media and research organizations without attribution.…

Read More
Table of contentsContext

Since the onset of the War in Ukraine, various groups identified as “nationalist hacktivists” have emerged, particularly on the Russian side, to contribute to the confrontation between Kyiv and Moscow. Among these entities, the pro-Russian group NoName057(16) has garnered attention through the initiation of Project DDoSia, a collective endeavour aimed at conducting large-scale distributed denial-of-service (DDoS) attacks, targeting entities (private corporations, ministries and public institutions) belonging to countries supporting Ukraine, predominantly NATO member states.…

Read More
Key TakeawaysIn February 2023, we detected an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.Around nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt Strike beacon payload directly into the host’s registry, and then executed it in memory.…
Read More
Summary:

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. Following the tactics of groups like Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs and even photo IDs from hundreds of victims, mostly in the United States.…

Read More
Key PointsAvast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.  Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.  The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. …
Read More

Mandiant and Ivanti’s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by a small number of China-nexus threat actors, and development of a mitigation bypass exploit targeting CVE-2024-21893 used by UNC5325, which we introduced in our “Cutting Edge, Part 2” blog post. …

Read More
 Introduction

Zscaler’s ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain.…

Read More
What is DCRat malware?

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that lets threat actors take control over an infected machine and extract users’ data, such as the information copied to the clipboard and personal credentials from apps. The malware is known for its stealthiness and its ability to evade detection by security software.…

Read More

On February 19, 2024, ConnectWise released a security patch addressing two vulnerabilities in the ScreenConnect software, potentially leading to Remote Code Execution (RCE). These vulnerabilities, identified as CVE-2024-1709 and CVE-2024-1708, allow attackers to bypass authentication and perform path traversal, respectively, enabling unauthorized access and administrative privilege escalation.…

Read More