Short Summary: The article discusses a newly discovered stealthy malware named perfctl that targets Linux hosts. The malware has been analyzed in a lab environment, revealing its ability to run without root privileges, utilize Tor for communication, implant backdoors, and exfiltrate sensitive data. The analysis also highlights the malware’s use of various techniques to gather information and replicate itself.…

Summary: Recent research has revealed that a set of four vulnerabilities in the Common Unix Printing System (CUPS) not only allows for remote code execution but also enables attackers to launch significant distributed denial-of-service (DDoS) attacks at minimal cost. Approximately 58,000 Internet-exposed devices are vulnerable to being exploited for these attacks, which can generate substantial traffic and strain server resources.…


ThreatWire Summary

The video discusses recent security breaches involving Meta, a significant car-hacking vulnerability affecting Kia models, and new vulnerabilities in the Common Unix Printing System (CUPS).

Key Points:

Meta has been fined 1 million for storing hundreds of millions of user passwords in plain text, leading to an investigation by the Irish Data Protection Commission.…
Summary: This article discusses the emergence and characteristics of “perfctl” malware targeting Linux servers, exploiting over 20,000 misconfigurations. The malware is designed to be stealthy and persistent, utilizing techniques like rootkits, process masquerading, and TOR for communication. The potential impact includes resource hijacking through cryptomining and proxy-jacking.…

Short Summary:

Vulnerabilities in the Common Unix Printing System (CUPS) allow remote attackers to exploit the “cups-browsed” process, potentially executing arbitrary commands on affected systems. Four CVEs have been identified, with three rated High and one Critical, necessitating immediate attention and patching to mitigate risks.

Key Points:

Vulnerabilities in CUPS allow remote command execution.…

Summary: Multiple critical vulnerabilities have been identified in the Common Unix Printing System (CUPS), allowing remote unauthenticated attackers to execute arbitrary commands on affected systems. Security researcher Simone Margaritelli detailed these vulnerabilities, emphasizing their potential for exploitation across various platforms, including Linux and BSD systems.

Threat Actor: Unknown | Victim: Various systems

Key Point:

Vulnerabilities allow attackers to silently replace printer IPP URLs, leading to arbitrary command execution.…
Short Summary

In March 2024, Elastic Security Labs uncovered a sophisticated Linux malware campaign targeting vulnerable servers. The attackers exploited an Apache2 web server to gain initial access and deployed various malware, including KAIJI and RUDEDEVIL, for DDoS attacks and cryptocurrency mining. The investigation revealed potential money laundering activities through compromised hosts and highlighted the attackers’ use of advanced techniques for persistence, privilege escalation, and command and control communication.…


Summary: A critical security vulnerability (CVE-2023-27584) has been identified in Dragonfly2, an open-source file distribution system, due to a hard-coded cryptographic key that allows unauthorized access. Users are urged to upgrade to version 2.0.9 or later to mitigate this risk.

Threat Actor: Unknown | Victim: Dragonfly2 users

Key Point:

The vulnerability scores 9.8 on the CVSS scale, indicating its critical nature.…
Short Summary

The SonicWall Capture Labs threat research team has identified a critical zero-click vulnerability, CVE-2024-20017, affecting MediaTek Wi-Fi chipsets. This vulnerability allows remote code execution without user interaction and has a CVSS score of 9.8. MediaTek has released patches, and users are urged to update their devices immediately to mitigate risks.…


Threat Actor: CyberVolk | Victim: University of Waterloo, Linköping University
Price: $2,000 (per university)
Exfiltrated Data Type: Databases

Key Points:

CyberVolk claims to have exploited FTP vulnerabilities to gain access to the universities’ systems. The group threatens to delete the databases if the ransom is not paid within 48 hours.…

Short Summary:

The article discusses the sophisticated cyber operations conducted by DPRK-affiliated threat groups, particularly focusing on their use of social engineering tactics and Python programming for initial access to secure networks. It highlights specific examples of malicious Python scripts that disguise harmful functionalities and evade detection, emphasizing the need for continuous vigilance in cybersecurity defenses against such evolving threats.…


Summary: Aqua Nautilus researchers have discovered a new Linux malware named Hadooken, which targets Weblogic servers and deploys a cryptominer and Tsunami malware. The attack exploits weak passwords to gain initial access and execute malicious payloads, leading to potential data breaches and resource hijacking.

Threat Actor: Unknown | Victim: Weblogic servers

Key Point:

Hadooken malware is executed after gaining access through a weak password, dropping both a cryptominer and Tsunami malware.…

Short Summary:

Cado Security has identified two campaigns targeting the Selenium Grid, a popular web testing tool, to deploy a sophisticated cryptominer named “perfcc”. These campaigns exploit misconfigured instances of Selenium Grid, which lack authentication, allowing threat actors to execute malicious scripts and hijack resources for cryptomining and proxyjacking.…


Short Summary:

Aqua Nautilus researchers have identified a new Linux malware named Hadooken, targeting Weblogic servers. The malware exploits weak passwords to gain initial access, drops Tsunami malware, and deploys a cryptominer. The article discusses the malware’s components, attack flow, and detection methods.

Key Points:

Hadooken malware targets Weblogic servers, leveraging weak passwords for initial access.…
Short Summary: The FBI, CISA, and NSA have assessed that Russian GRU Unit 29155 is responsible for cyber operations targeting global entities for espionage and sabotage since 2020. They have utilized the WhisperGate malware against Ukrainian organizations since January 2022. Organizations are advised to implement security measures to mitigate these threats.…
Short Summary: A critical vulnerability (CVE-2024-36401) in GeoServer allows remote code execution by unauthenticated users, affecting versions prior to 2.23.6, 2.24.4, and 2.25.2. The vulnerability has been actively exploited, leading to various malware campaigns targeting organizations globally.

Key Points:

Vulnerability: CVE-2024-36401 with a CVSS score of 9.8.…

Summary: Recent vulnerabilities in the Dovecot mail server, identified as CVE-2024-23184 and CVE-2024-23185, could allow attackers to execute denial-of-service (DoS) attacks by overwhelming the server with excessive or overly large email headers. Prompt updates to the Dovecot package are recommended to mitigate these risks.

Threat Actor: Unknown | Victim: Dovecot users

Key Point:

Vulnerabilities CVE-2024-23184 and CVE-2024-23185 can lead to resource exhaustion and DoS attacks.…