Overview On February 13th, 2024, Microsoft announced a Windows Kernel Elevation of Privilege Vulnerability CVE-2024-21338 patch. The vulnerability occurs at certain IOCTL of “appid.sys” known as AppLocker‘s driver, one of the Windows feature. The threat actor can read and write on a random kernel memory by exploiting the vulnerability, and can either disable security products or gain system privilege.…
Read More

PRESS RELEASE

SAN FRANCISCO, March 5, 2024 /PRNewswire/ — Delinea, a leading provider of solutions that seamlessly extend Privileged Access Management (PAM), today announced the introduction of Privilege Control for Servers on the Delinea Platform, enforcing least privilege principles on critical systems consistently across identities to combat stolen credentials and restrict lateral movement.…

Read More

Published On : 2024-03-05

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.

This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…

Read More

Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day.

Tracked as CVE-2024-21338, the security flaw was found by Avast Senior Malware Researcher Jan Vojtěšek in the appid.sys Windows AppLocker driver and reported to Microsoft last August as an actively exploited zero-day.…

Read More

On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024.…

Read More
Key TakeawaysIn February 2023, we detected an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.Around nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt Strike beacon payload directly into the host’s registry, and then executed it in memory.…
Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities.…

Read More
Key PointsAvast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.  Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.  The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. …
Read More

Mandiant and Ivanti’s investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publication on Jan. 10, 2024, Mandiant observed mass attempts to exploit these vulnerabilities by a small number of China-nexus threat actors, and development of a mitigation bypass exploit targeting CVE-2024-21893 used by UNC5325, which we introduced in our “Cutting Edge, Part 2” blog post. …

Read More
How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure OVERVIEW

This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.

The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services.…

Read More

This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry.

 

On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software (CVE-2024-1708 and CVE-2024-1709), which specifically targeted versions 23.9.7 and earlier.…

Read More