Summary: This content discusses a vulnerability in a vendor’s product and provides a business recommendation for addressing the issue.

Threat Actor: N/A

Victim: N/A

Key Point:

The vendor, Siemens, is a technology company focused on industry, infrastructure, transport, and healthcare. SEC Consult recommends installing a patch provided by the vendor and conducting a thorough security review of the product.…

Summary: This content discusses a new command execution technique called ‘GrimResource’ that utilizes specially crafted MSC files and an unpatched Windows XSS flaw to execute code through the Microsoft Management Console.

Threat Actor: Unknown threat actor

Victim: Windows users

Key Point:

A new command execution technique called ‘GrimResource’ is utilizing specially crafted MSC files and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.…
Overview

After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors such as JavaScript, MSI files, LNK objects, and ISOs surged in popularity. However, these techniques are closely scrutinized by defenders and carry a high likelihood of detection. Mature attackers therefore seek out new and undisclosed infection vectors to gain access while evading defenses.…

Intro – What is Prototype Pollution?

Prototype Pollution is a JavaScript vulnerability in which an attacker can control variables the application never intended to expose; on the client side this can lead to Cross-Site Scripting, and on the server side to Remote Code Execution.

It is caused by ‘JavaScript weirdness’ in how property names are declared and assigned, and it is exploitable because of further weirdness in JavaScript’s weak typing: code frequently relies on undeclared or unset properties, and those are exactly the values an attacker can control through Prototype Pollution. …


Summary: Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.

Threat Actor: Malicious actors

Victim: Mailcow open-source mail server suite

Key Point:

A path traversal vulnerability affecting a function named “rspamd_maps()” could result in the execution of arbitrary commands on the server, because it allows a threat actor to overwrite any file that is writable by the “www-data” user.…

If you’re pentesting web applications, you will certainly come across a lot of JavaScript; nearly every web application nowadays uses it. Frameworks like Angular, React and Vue.js place much of a web application’s functionality and business logic in the front end, so to thoroughly pentest web applications you have to analyze their client-side JavaScript.…


Devcore announced a critical remote code execution (RCE) vulnerability in PHP, designated CVE-2024-4577. This flaw affects all PHP versions from 5.x onward running on Windows servers, making it a significant concern due to PHP’s widespread use. This vulnerability stems from mishandling character encoding conversions, particularly affecting systems using certain code pages for languages like Chinese or Japanese.…


We have observed active exploitation attempts targeting three high-severity CVEs: CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000. These vulnerabilities are found in various WordPress plugins and allow unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts.…


Summary: The content discusses two significant vulnerabilities found in the Slider Revolution plugin, which could compromise the security of WordPress websites.

Threat Actor: N/A

Victim: WordPress websites using the Slider Revolution plugin

Key Point:

A recent security audit of the Slider Revolution plugin has uncovered two significant vulnerabilities that could compromise the security of WordPress websites.…

Summary: GitLab has patched a high-severity vulnerability that could allow unauthenticated attackers to take over user accounts through cross-site scripting (XSS) attacks.

Threat Actor: Unauthenticated attackers

Victim: GitLab users

Key Point:

GitLab has released patches for a high-severity vulnerability (CVE-2024-4835) in its VS Code-based editor (Web IDE) that could be exploited by unauthenticated attackers to steal restricted information.…

As organizations prepare for the challenges and opportunities of 2024, the critical importance of cybersecurity preparedness is increasingly apparent. In an era characterized by rapid digital transformation and continuous innovation, cyber threats are becoming more sophisticated and frequent, presenting substantial risks to businesses across all sectors.…


In the constantly changing landscape of cyber threats, ransomware groups adapt their tactics to outmaneuver defenses. Everest Ransomware attracted attention in May 2024 for its notable targets. Since its emergence in December 2020, Everest has infiltrated and compromised organizations using advanced techniques. This profile examines the origins, operational tactics, and mitigation strategies related to Everest Ransomware, offering essential insights for cybersecurity professionals.…


Summary: An extensive security audit of QNAP QTS, the operating system for the company’s NAS products, has uncovered fifteen vulnerabilities, with eleven remaining unfixed.

Threat Actor: WatchTowr Labs

Victim: QNAP

Key Point:

An extensive security audit of QNAP QTS has uncovered fifteen vulnerabilities, including an unpatched stack buffer overflow vulnerability in the ‘No_Support_ACL’ function of ‘share.cgi’…

Dispossessor has recently emerged in the ransomware landscape and is especially notable for its similarities to the notorious LockBit group. Following an extensive crackdown by global law enforcement agencies, which led to the seizure of LockBit’s primary domains, Dispossessor quickly surfaced, mimicking LockBit’s structure and content.

[Figure: Dispossessor’s logo]

Who is Dispossessor Ransomware?

The name “Dispossessor” could be linked to Ursula K.…


Summary: This post examines the activities of Dmitry Yuryevich Khoroshev, the alleged leader of the LockBit ransomware group, who has been charged by the United States, United Kingdom, and Australia for his involvement in cybercrimes.

Threat Actor: Dmitry Yuryevich Khoroshev

Victim: Various organizations (LockBit ransomware victims)

Key Point:

Dmitry Yuryevich Khoroshev has been indicted on 26 criminal counts, including extortion, wire fraud, and conspiracy, for allegedly creating, selling, and using the LockBit ransomware to extort over $100 million from victim organizations.…

NOTE: I started this story before Operation Cronos. Hence you can see tiny details unfolding before the FBI/Europol compromise and afterwards. This article mainly focuses on the mighty comeback of the LockBit Group and their approach after Operation Cronos and does NOT attribute the identity of LockBitSupp.…


Summary: A cybercriminal named “salfetka” is claiming to sell the source code of INC Ransom, a ransomware-as-a-service operation that has targeted various organizations including Xerox Business Solutions, Yamaha Motor Philippines, and the National Health Service in Scotland.

Threat Actor: salfetka

Victim: INC Ransom

Key Point:

A cybercriminal named “salfetka” is selling the source code of INC Ransom, a ransomware-as-a-service operation.…

This report was originally published for our customers on 2 May 2024.

As part of our critical vulnerabilities monitoring routine, Sekoia’s Threat & Detection Research (TDR) team deploys and supervises honeypots in different locations around the world to identify potential exploitations.

Introduction

Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot.…
