Short Summary:
Head Mare is a hacktivist group that emerged in 2023, targeting organizations in Russia and Belarus. They utilize phishing campaigns exploiting vulnerabilities in WinRAR to gain initial access and employ ransomware like LockBit and Babuk to encrypt victims’ data. The group is known for its custom malware, PhantomDL and PhantomCore, and aims to cause significant damage while also demanding ransom for data decryption.…
Short Summary:
The article discusses the rapid exploitation of critical vulnerabilities, particularly focusing on CVE-2024-27198 in TeamCity On-Premises. Following its disclosure, threat actors quickly attempted to exploit this vulnerability, leading to significant security concerns for organizations using TeamCity. Darktrace’s AI capabilities were instrumental in detecting and responding to these exploitation attempts, highlighting the need for faster detection and response mechanisms in cybersecurity.…
Short Summary:
This article discusses the increasing use of Python in malicious activities within the Windows ecosystem. It highlights how attackers exploit Python’s ease of deployment, lack of integration with AMSI, and its ability to interact with various system layers to create and execute malicious scripts.…
Threat Actor: ProtonMail | ProtonMail Victim: Users of ProtonMail | Users of ProtonMail Price: Free Exfiltrated Data Type: Email address validity, creation date, public key
Key Points :
ProtonMail provides an API to verify email addresses and retrieve their creation dates. Users can convert Unix timestamps into standard date formats using online converters.…Summary: Aqua Nautilus researchers have identified PG_MEM, a new type of PostgreSQL malware that employs brute force attacks to infiltrate databases, deploys payloads for stealth operations, and mines cryptocurrency. This blog details the attack methodology, techniques used by the threat actor, and strategies for detection and protection against such threats.…
Short Summary:
The article discusses the rapid exploitation of critical vulnerabilities, particularly focusing on CVE-2024-27198, a severe authentication bypass vulnerability in TeamCity On-Premises. Following its disclosure, threat actors quickly began exploiting this vulnerability, leading to significant security concerns for organizations using TeamCity. Darktrace’s Cyber AI Analyst detected various malicious activities linked to this vulnerability, including command-and-control (C2) connections and cryptocurrency mining attempts.…
Short Summary:
Aqua Nautilus researchers have discovered PG_MEM, a new PostgreSQL malware that uses brute force attacks to gain access to databases, deploys payloads to conceal its operations, and mines cryptocurrency. This article details the attack techniques employed by the threat actor and offers insights on detection and protection strategies.…
Short Summary:
Darktrace reported the swift exploitation of a critical vulnerability (CVE-2024-27198) in JetBrains TeamCity, highlighting the urgent need for rapid detection and response to prevent supply chain attacks. Following its public disclosure, threat actors quickly attempted to exploit the vulnerability, leading to malicious activities such as unauthorized access and cryptocurrency mining on affected systems.…
eSentire’s Threat Response Unit (TRU) investigates the D3F@ck Loader malware, tracing its origins to a developer known as Sergei Panteleevich. The article details the loader’s capabilities, including its use of Extended Validation (EV) certificates to bypass security measures, and its distribution methods for various malware payloads.…
Short Summary:
Aqua Nautilus researchers have identified a new variant of the Gafgyt botnet that targets machines with weak SSH passwords. This botnet executes binaries from memory to expand its network and mine cryptocurrency using GPU power, indicating a shift towards targeting more robust cloud-native servers.…
Server-Side Template Injection (SSTI) vulnerabilities allow attackers to inject malicious code into server-side templates, leading to arbitrary code execution, data theft, and potential server compromise. Recent trends show an increase in critical CVEs affecting various web applications, particularly in sectors like Retail/Wholesale and Finance/Banking.…
Summary: Wiz Research has uncovered a cryptomining campaign named “SeleniumGreed” that exploits exposed Selenium Grid services due to their lack of default authentication, allowing threat actors to deploy malicious miners. This campaign highlights significant security risks associated with misconfigured Selenium instances in cloud environments, which are prevalent and often overlooked by users.…
Wiz Research has detected an ongoing threat campaign that exploits exposed Selenium Grid services for cryptomining, dubbed “SeleniumGreed”.
Selenium is among the most commonly used testing frameworks. Our data shows that the technology can be found in 30% of cloud environments, and the official selenium/hub docker image has over 100 million pulls in Docker Hub. …
Symantec reported a Daggerfly intrusion against a telecoms operator in Africa involving previously unseen plugins for MgBot.
Macma updateMacma is a macOS backdoor that was first documented by Google in 2021 but appears to have been used since at least 2019. At the time of discovery, it was being distributed in watering hole attacks involving compromised websites in Hong Kong.…
On May 23, 2023, the U.S., Australia, New Zealand, Canada and the U.K. issued a joint advisory about a suspected Chinese state-sponsored threat actor group that infiltrates firewalls, routers and virtual private networks (VPNs) belonging to critical infrastructure organizations. The group is primarily referred to as Volt Typhoon aka BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, VOLTZITE.…
Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments. Read our blog entry to know more.
Summary:
The Play ransomware group, known for its double-extortion tactic, now has a Linux variant targeting ESXi environments.…This post is also available in: 日本語 (Japanese)
Executive SummaryThis article reviews container escape techniques, assesses their possible impact and reveals how to detect these escapes from the perspective of endpoint detection and response (EDR).
As cloud services rise in popularity, so does the use of containers, which have become an integrated part of cloud infrastructure.…