Today’s Top Cyber Intelligence Highlights — Nov 21, 2024
Today’s news is a delightful cocktail of cybercrime, international intrigue, and the ever-present threat of underfunded cybersecurity agencies. In short, the past 24 hours have served up a grim…
Identify Infrastructure Linked To LockBit 3.0 Ransomware Affiliates By ZoomEye Enhanced New Syntax
Author: Knownsec 404 team
Decade-old local privilege escalation bugs impacts Ubuntu needrestart package
Decade-old flaws in the needrestart package in Ubuntu Server could allow local attackers to gain root privileges without user interaction.
Stories from the SOC: Registry Clues to PDF Blues: A Tale of PUA Persistence
Executive Summary Establishing persistence on a system allows a threat actor continued access or process execution across system restarts or other changes. For this reason, monitoring for and investigating persistence indicators are key components of any robust cybersecurity platform. Two common p…
Helldown Ransomware Attacking VMware ESX And Linux Servers
Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks, as since August 2024, they have compromised 28 victims, leaking their data on a dedicated website.
Alert: XorBot Comes Back with Enhanced Tactics - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
Discover the resurgence of XorBot, an IoT botnet with enhanced tactics, targeting devices and posing a significant cybersecurity threat.
BianLian Ransomware Gang Shifts to Data Extortion, Law Enforcement Warns - CloudSEK News
BianLian ransomware gang targets healthcare & charities, shifting to data extortion. FBI links group to Russia as global ransomware threats escalate.
FBI says BianLian based in Russia, moving from ransomware attacks to extortion | #ransomware | #cybercrime | National Cyber Security Consulting
BianLian ransomware actors are likely based in Russia and have multiple Russia-based affiliates, according to new information shared by the FBI and Australian law enforcement. BianLian has drawn scrutiny for attacks on charities like Save The Children as well as healthcare firms like Boston Childr…
CISA: Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments - RedPacket Security
Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments
CISA: CISA Releases Four Industrial Control Systems Advisories - RedPacket Security
CISA Releases Four Industrial Control Systems Advisories
JVNVU#92857077: Multiple vulnerabilities in Edgecross Basic Software for Windows
US charges five men linked to ‘Scattered Spider’ with wire fraud | #cybercrime | #infosec | National Cyber Security Consulting
Federal authorities unsealed charges Wednesday against five individuals with links to the “Scattered Spider” cybercrime syndicate, accusing them of conducting an extensive phishing scheme that compromised companies nationwide, enabling the theft of non-public data and millions in cryptocurrency. A…
Salt Typhoon: Churning Up a Storm of Consternation
The public first heard the name of Chinese threat actor “Salt Typhoon” on September 25, 2024, when the Wall Street Journal published an article titled “China-Linked Hackers Breach US Internet Providers in New ‘Salt Typhoon’ Cyber Attack.” Many of us were not expecting another typhoon to blow in so …
Azure Key Vault Tradecraft with BARK
Brief: This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment. Authentication: Azure …
Five Privilege Escalation Flaws Found in Ubuntu needrestart
Five LPE flaws in Ubuntu’s needrestart utility enable attackers to gain root access in versions prior to 3.8
Detecting Pacific Rim IOCs with Eclypsium
The Pacific Rim cyberattack saga, detailed in a series of blog posts by Sophos in October 2024, offers a sobering reminder for enterprises: everyone is a target. No enterprise is too small or uninteresting to fall into the attack path of nation-state threat actors. Widely used firewalls and other…
Multiple Vulnerabilities in Wowza Streaming Engine (Fixed) | Rapid7 Blog
Zyxel VPN security flaw targeted by new ransomware attackers | #ransomware | #cybercrime | National Cyber Security Consulting
Key points: researchers spot Helldown exploiting a Zyxel VPN flaw to breach networks; the flaw was previously undisclosed; the crooks mostly target SMBs in the US and Europe. There appears to be a new ransomware player in town, exploiting vulnerabilities in the IPSec VPN component of Zyxel firewalls to compromise victims, …
November 20 Advisory: Apache Traffic Server Vulnerabilities [CVE-2024-38479, CVE-2024-50305, CVE-2024-50306]
Trump’s Second Term: What It Means for Cybersecurity Policy and Cyber Threats
As Donald Trump prepares for his second term as the 47th President of the United States, the cybersecurity landscape is poised for significant evolution. With a Republican majority in both the Senate and House, his administration is positioned to implement a swift and assertive policy agenda. While…
Phishing the “Tech Savvy”: Threat Actors who Target Cryptocurrency Wallets and Networks
Cryptocurrency wallets and networks are enticing targets for state-sponsored threat actors and cybercriminals given the lucrativeness of…
Volt Typhoon Attacking U.S. Critical Infrastructure To Maintain Persistent Access
Volt Typhoon, a Chinese state-sponsored threat actor, targets critical infrastructure sectors like communications, energy, transportation,
Update now! Apple confirms vulnerabilities are already being exploited
Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS. The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sur…
Ignoble Scorpius, Distributors of BlackSuit Ransomware | #ransomware | #cybercrime | National Cyber Security Consulting
Executive Summary Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Sc…
Chinese APT Group Targets Telecom Firms Linked to BRI
CrowdStrike unveiled a new Chinese-aligned hacking group allegedly spying on telecom providers
The Hidden Threat: How Vulnerabilities Can Shut Down Your Business
Cybersecurity vulnerabilities, such as web security misconfigurations and unpatched applications, pose significant risks that can lead to…
Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign - CyberSRC
The targeting of U.S. telecom giants like T-Mobile by the Chinese threat actor group Salt Typhoon reflects the sophisticated tactics […]
Apple, Oracle, and Apache Issue Critical Updates for Actively Exploited and High-Risk Vulnerabilities
Organizations using Apple, Oracle, and Apache software must act quickly as critical security flaws have been disclosed, with some actively exploited in the wild. Apple has patched two severe vulne…
ELPACO-Team Ransomware: A Fresh Variant from the MIMIC Ransomware Family
CYFIRMA has identified a sophisticated dropper binary associated with the “ELPACO-team” ransomware, a new variant of the “MIMIC” ransomware…
6 Common Persistence Mechanisms in Malware
Persistence mechanisms are techniques used by attackers to keep malware active, even after log-offs, reboots, or restarts. In other words, they’re techniques that make malware tougher to detect and even harder to remove once it’s on a system. Let’s dive into a few of the common mechanisms attacke…
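As an added example (not code from the ANY.RUN post above, nor from the LevelBlue "Stories from the SOC" entry earlier on this page), here is a small Python triage routine for the most common of these mechanisms, registry Run-key autostarts: it scores Sysmon-style "registry value set" records and flags autostart entries that point at user-writable paths, carry a double extension such as .pdf.exe, or invoke a script host. The event records, registry names and heuristics are constructed for illustration and are not any vendor's detection logic.

```python
"""Score Sysmon Event ID 13 (RegistryEvent: Value Set) records for Run-key persistence.

Added example: the events below are constructed and the heuristics are
illustrative; they are not a vendor's detection rules.
"""
import re

# Autostart locations (MITRE ATT&CK T1547.001), matched case-insensitively
# as substrings of TargetObject. "\run" also covers RunOnce.
AUTOSTART_KEYS = (
    r"\currentversion\run",
    r"\currentversion\policies\explorer\run",
)

# Paths an unprivileged user can write to: unusual for a legitimate autostart.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
# Document-looking name hiding an executable extension ("invoice.pdf.exe").
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|bat|cmd|vbs|js)\b", re.I)
# Script/LOLBin hosts frequently used as autostart stubs.
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
# Processes that legitimate installers rarely use to write their own Run entries.
SHELL_WRITERS = ("\\reg.exe", "\\cmd.exe", "\\powershell.exe", "\\wscript.exe")


def is_autostart(target_object: str) -> bool:
    """True when the registry value written lives under an autostart key."""
    t = target_object.lower()
    return any(k in t for k in AUTOSTART_KEYS)


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; 0 means not an autostart write, or nothing odd."""
    if not is_autostart(ev["TargetObject"]):
        return 0, []
    reasons = []
    details = ev["Details"]
    if USER_WRITABLE.search(details):
        reasons.append("user-writable path")
    if DOUBLE_EXT.search(details):
        reasons.append("double extension")
    if SCRIPT_HOST.search(details):
        reasons.append("script host")
    if ev["Image"].lower().endswith(SHELL_WRITERS):
        reasons.append("written by shell/reg tool")
    return len(reasons), reasons


def triage(events: list[dict]) -> list[dict]:
    """Return only the suspicious autostart writes, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            hits.append({
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "score": score,
                "reasons": reasons,
                "details": ev["Details"],
            })
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


# Constructed sample events (field names follow Sysmon Event ID 13; values are made up).
SAMPLE_EVENTS = [
    {   # legitimate installer registering its updater
        "Image": r"C:\Program Files\Vendor\Setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe",
    },
    {   # PUA dropped into AppData with a document-looking name, registered via reg.exe
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\PDFHelper",
        "Details": r"C:\Users\jdoe\AppData\Roaming\PDFHelper\invoice.pdf.exe",
    },
    {   # service start-type change: not an autostart key, ignored
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorSvc\Start",
        "Details": "DWORD (0x00000002)",
    },
    {   # PowerShell writing a wscript stub that runs a script from a public folder
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"wscript.exe //B C:\Users\Public\u.vbs",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['score']} {hit['value']}: {', '.join(hit['reasons'])} -> {hit['details']}")
```

The scoring is deliberately additive rather than a single regex so that an analyst can see which property tripped: a vendor updater in Program Files scores nothing, while the two constructed PUA entries each trip three indicators. In production the same logic applies to Sysmon or EDR telemetry after the event fields are parsed; the baseline of expected autostart writers per host is what keeps the false-positive rate down.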
New Cyble Report Highlights Critical Vulnerabilities and Rising Cyber Threats in ANZ for 2024
The 2024 ANZ Threat Landscape Report by Cyble reveals an increase in cybersecurity risks faced by organizations across Australia and
Monthly Threat Actor Group Intelligence Report, September 2024 (ENG)
Monthly Threat Actor Group Intelligence Report, September 2024 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC Threat Research Lab based on data and information collected from 21 August 2024 to 20 September 2024. In September, activities by a total of 47 Threa…
Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Learn about Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 vulnerabilities and how to defend against them effectively.
AndroxGh0st Malware Exploits Critical Vulnerabilities
What is AndroxGh0st?
ANZ Threat Landscape Report 2024: Key Insights For CISO Defenses
Cyble releases the ANZ Threat Landscape Report 2024, highlighting rising cyber threats and mitigation strategies for CISOs.
Critical RCE vulnerability in VMware vCenter Server is now being exploited in attacks
For Wednesday, November 20, 2024
Helldown Ransomware Group Tied to Zyxel's Firewall Exploits | #ransomware | #cybercrime | National Cyber Security Consulting
Firewall Vendor Warns Attackers Using Valid Credentials They Previously Stole. Akshaya Asokan (asokan_akshaya) and Mathew J. Schwartz (euroinfosec), November 19, 2024. Attackers wielding an e…
Apple Issues Security Updates to Patch Zero-Day Vulnerabilities in iOS, macOS, and More - CloudSEK News
Apple releases urgent updates for iOS, macOS, and Safari to fix two zero-day flaws under active exploitation. Update now to protect your device and data.
Technical Intricacies of “BabbleLoader”
The loader market is rapidly evolving, with sophisticated tools like BabbleLoader emerging to deliver malicious payloads while evading…
Emergency Security Updates iOS 18.1.1 and macOS Sequoia 15.1.1
Apple issued a new round of updates to address newly discovered flaws in iPhones and Macs, warning that hackers may be exploiting the weaknesses
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root
Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux. The flaws date back to needrestart 0.8, released in 2014, and the utility has been installed by default on Ubuntu Server since 21.04.
JVN#16114985: "Kura Sushi Official App Produced by EPARK" for Android uses a hard-coded cryptographic key
US charges five men linked to ‘Scattered Spider’ with wire fraud
Five members of the "Scattered Spider" cybercrime syndicate have been indicted and accused of a nationwide phishing scheme.
US charges five linked to Scattered Spider cybercrime gang
The U.S. Justice Department has charged five suspects believed to be part of the financially motivated Scattered Spider cybercrime gang with conspiracy to commit wire fraud.
Multiple vulnerabilities in Atlassian products - CERT-FR
Monthly Threat Actor Group Intelligence Report, September 2024 (ENG) – Red Alert
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the …
China’s Expanding Influence: Understanding Global Ambitions and Their Impact on U.S. Interests
Strategic Challenges to China’s Rising Power
Understanding Russian Cyber Attacks on the US and Allied Nations — Phishing, Homograph Attacks, and…
Understanding the Threat
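As an added example (not code from the article above), here is a Python routine for the homograph side of that threat: it reports the punycode form a browser or DNS resolver actually sees, flags labels that mix Unicode scripts, and maps a short table of confusable characters onto a "skeleton" so a look-alike can be compared against a brand list. The brand list, the sample domains and the confusable table (a small subset of the Unicode confusables data, hand-picked for Cyrillic and Greek letters plus two digit substitutions) are constructed for this example.

```python
"""Flag IDN homograph and look-alike domains against a list of protected brands.

Added example; the brand list, sample domains and the confusable table
below are constructed (the table is a small hand-picked subset).
"""
import unicodedata

# Characters that render like Latin letters. Hand-picked subset; the real
# Unicode confusables.txt is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                                   # Greek
    "1": "l", "0": "o",                                                            # digit tricks
}

# Constructed brand list a phishing-detection pipeline would protect.
BRANDS = ("apple.com", "paypal.com", "example.com")


def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_ascii(domain: str) -> str:
    """The punycode (xn--) form that appears on the wire and in DNS."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Normalise and replace confusables so look-alikes collapse onto the brand string."""
    s = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def analyze(domain: str) -> dict:
    """Per-domain facts an analyst wants: wire form, IDN-ness, script mixing, skeleton."""
    domain = domain.lower()
    scripts = set()
    for label in domain.split(".")[:-1]:          # the TLD is not attacker-chosen
        for ch in label:
            if ch.isalpha():
                scripts.add(script_of(ch))
    ascii_form = to_ascii(domain)
    return {
        "ascii": ascii_form,
        "is_idn": ascii_form != domain,
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
        "skeleton": skeleton(domain),
    }


def looks_like(domain: str, brands=BRANDS):
    """Return the brand a domain impersonates, or None (the brand itself is not a hit)."""
    sk = skeleton(domain)
    for brand in brands:
        if sk == brand and domain.lower() != brand:
            return brand
    return None


if __name__ == "__main__":
    # Constructed samples: Cyrillic 'а' in apple, digit-one in paypal, and the real brand.
    for d in ("\u0430pple.com", "paypa1.com", "apple.com"):
        info = analyze(d)
        print(d, info["ascii"], info["scripts"], "->", looks_like(d))
```

Two checks in the block are independent and both useful: mixed scripts inside one label are almost never legitimate and can be blocked outright, while the skeleton comparison also catches pure-ASCII substitutions (paypa1) that no IDN rule would see. Browsers apply similar per-label script rules before deciding whether to display the Unicode or the xn-- form.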
The "Bear" APTs
Advanced persistent threats (APTs) are well-resourced groups that maintain long-term access to their targets and cause real damage across many organizations.
The "Panda" APTs
Advanced persistent threats (APTs) are well-resourced groups that maintain long-term access to their targets and cause real damage across many organizations.
Managed Vulnerability Scanning: Key Findings and the Importance of Regular Patching
There is no doubt about the value of conducting Managed Vulnerability Scanning.
🚨 Critical Remote Code Execution (RCE) Bug in VMware vCenter Server Now Exploited in Active…
WIRE TOR — The Ethical Hacking Services
The Devil and the Termite: data-leak sites emerge for Chort and Termite extortion groups
Discover the emergence of new English-speaking extortion groups, Chort and Termite. Learn about their tactics.
Weekly Detection Rule (YARA and Snort) Information - Week 3, November 2024 - ASEC
The following is the information on Yara and Snort rules (week 3, November 2024) collected and shared by the AhnLab TIP service. 1 YARA Rules Detection name Description Source MAL_ELF_Xlogin_Nov24_1 Detects xlogin backdoor samples https://github.com/Neo23x0/signature-base 4 Snort Rules Detection na…
One Sock Fits All: The use and abuse of the NSOCKS botnet - Lumen Blog
Black Lotus Labs has tracked down a notorious criminal proxy network, with a daily average of 35k bots located mostly in the U.S., allowing users to attack networks with total anonymity
Exploited PAN-OS Zero-Days Threaten Thousands of Firewalls (CVE-2024-0012 and CVE-2024-9474)
Palo Alto Networks recently disclosed two zero-day vulnerabilities affecting their PAN-OS devices, actively exploited in the wild. These flaws, CVE-2024-0012 and CVE-2024-9474, exploit weaknesses in the man…
NSFOCUS Threat Weekly Report (2024.11.11-2024.11.17) – NSFOCUS Technical Blog
Critical RCE bug in VMware vCenter Server exploited in attacks - PRSOL:CC
Broadcom warned today that attackers are exploiting two VMware vCenter Server vulnerabilities. Security researchers from TZL reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. The flaw is caused by a heap overflow in vCenter's DCE/RPC protocol implementation and affects products that bundle vCenter, including VMware vSphere and VMware Cloud Foundation. The other vCenter Server flaw currently being exploited…
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
Middle East Cybersecurity 2024: Challenges Ahead
Regional governments are strengthening Middle East cybersecurity frameworks, with nations like Qatar, Saudi Arabia, and Oman enforcing stricter regulations and fostering cross-sector collaboration.
U.S. CISA adds Progress Kemp LoadMaster, Palo Alto Networks PAN-OS and Expedition bugs to its Known Exploited Vulnerabilities catalog
U.S. CISA adds Progress Kemp LoadMaster, Palo Alto Networks PAN-OS and Expedition bugs to its Known Exploited Vulnerabilities catalog.
CISA Adds 3 New Vulnerabilities to KEV Catalog: Here’s What You Need to Know
Cybersecurity professionals take note: the Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities…
Critical Exploits: VMware vCenter and Kemp LoadMaster Vulnerabilities Under Active Attack
In the ever-evolving landscape of cybersecurity, two newly exploited vulnerabilities have emerged as critical threats, impacting Progress…
Helldown Ransomware: an overview of this emerging threat
Comprehensive Analysis of Helldown: Tactics, Techniques, and Procedures (TTPs) and Exploitation of Zyxel Vulnerabilities
CISA Adds Three Critical Vulnerabilities To The Known Exploited Vulnerabilities Catalog
CISA adds CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog (KEV).
Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.
Palo Alto Networks confirms active exploitation of recently disclosed zero-day vulnerabilities - Anquanke (安全客) Security Information Platform
Unraveling Raspberry Robin's Layers: Analyzing Obfuscation Techniques and Core Mechanisms
A comprehensive analysis of the inner workings of Raspberry Robin | Multiple layers that use numerous techniques to evade detection & analysis
Critical vulnerabilities discovered in the Baxter Life2000 Ventilation System - Anquanke (安全客) Security Information Platform
Botnet fueling residential proxies disrupted in cybercrime crackdown
The Ngioweb botnet, which supplies most of the 35,000 bots in the cybercriminal NSOCKS proxy service, is being disrupted as security companies block traffic to and from the two networks.
Botnet serving as ‘backbone’ of malicious proxy network taken offline
Lumen Technology’s Black Lotus Labs took the ngioweb botnet and NSOCKS proxy offline Tuesday.
Helldown ransomware exploits Zyxel VPN flaw to breach networks
The new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing them to steal data and encrypt devices.
D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices.
Latest Report Findings: Retail Trade Faces 111% Jump in Ransomware - ReliaQuest
Between November 1, 2023, and October 31, 2024, spearphishing was the top initial access technique for our customers across most sectors, including retail trade.
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster.
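The bug class in that KEV entry, OS command injection, is worth seeing side by side with its fix. The Python below is an added example of the pattern in general; it is not Progress Kemp code and says nothing about how the LoadMaster flaw itself works. The "host" management action and the use of echo as the command are hypothetical stand-ins chosen so the block runs offline.

```python
"""OS command injection: the vulnerable pattern next to a hardened one.

Added example of the bug class; the 'host' action and the echo command are
hypothetical stand-ins, not any vendor's code.
"""
import re
import subprocess

# RFC 1123-style hostname (or dotted IPv4): letters, digits and inner hyphens only,
# so shell metacharacters such as ';', '|', '$(' and quotes can never get through.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def run_vulnerable(host: str) -> str:
    """Concatenates user input into a string and hands it to /bin/sh.

    A value like "127.0.0.1; echo INJECTED" is parsed as two commands, because
    shell=True makes the shell, not the program, split the string.
    """
    return subprocess.run("echo host " + host, shell=True,
                          capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Positive validation: accept only what a hostname may contain, reject everything else."""
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def run_safe(host: str) -> str:
    """Validated input passed as one argv element with no shell in the path.

    Even if validation were bypassed, the value would arrive at the program as a
    single argument, never as shell syntax.
    """
    return subprocess.run(["echo", "host", validate_host(host)],
                          capture_output=True, text=True).stdout


def is_rejected(host: str) -> bool:
    """Convenience wrapper: does the hardened path refuse this value?"""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).strip().replace("\n", " | "))
    print("safe      :", run_safe("127.0.0.1").strip(), "| rejects payload:", is_rejected(payload))
```

The two defences are layered on purpose: the allow-list regex stops the malicious value at the boundary, and the argv form removes the shell so that a future gap in validation (a new parameter, a forgotten code path) cannot turn into code execution. Quoting the value with shlex.quote() while keeping shell=True is a weaker third option, since it still depends on every call site remembering to quote.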
US-CERT Vulnerability Summary for the Week of November 11, 2024 - RedPacket Security
Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog - RedPacket Security
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Recently disclosed VMware vCenter Server bugs are actively exploited in attacks
Threat actors are actively exploiting two VMware vCenter Server vulnerabilities tracked as CVE-2024-38812 and CVE-2024-38813, Broadcom warns.
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | Proofpoint US
What happened Proofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures are getting even more clever.
November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474]
Fixing a Bunch of Scripting Engine Vulnerabilities by Disabling Just-In-Time Compiler (CVE-2024-38178)
August 2024 Windows Updates brought a patch for CVE-2024-38178, a remotely exploitable memory corruption issue in "legacy" Scripting Engine (JScript9.dll). This engine, while part of long-expired Internet Explorer, is still present on all Windows computers and can be invoked via various mechan…
Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited
An alarming set of chained vulnerabilities in Palo Alto Networks' PAN-OS software has sparked concerns that attackers could seize administrator
‘ClickFix’ Cyber-Attacks for Malware Deployment on the Rise
Proofpoint researchers have observed the growing use of the ClickFix social engineering tactic, which lures people into running malicious content on their computer
Purple Team Activities: Where Offense Meets Defense to Strengthen Cyber Resilience
Purple team activities serve as a bridge between red and blue teams, combining offensive tactics with defensive strategies to enhance an…
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 11 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Nov 18, 2024, Ravie Lakshmanan, Cybersecurity / Infosec. What do hijacked websites, fake job offers, and sneaky ransomware have in common? They’re proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people. This week makes one thing clear: no system, no person, no …
DONOT’s Assault on Maritime and Defense Manufacturing
Cyble Research and Intelligence Labs (CRIL) identified a campaign linked to the APT group DONOT, targeting Pakistan’s manufacturing sector…
Financially Driven Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers
In October 2024, EclecticIQ analysts identified a phishing campaign targeting e-commerce shoppers in Europe and the USA, attributed to a…
18th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The FBI and CISA issued a joint statement detailing a major Chinese cyber-espionage campaign targeting U.S. telecommunications infrastructure, le…
Efficient Distribution of LummaC2 Infostealer via Legitimate Programs
LummaC2 is a sophisticated Infostealer malware that disguises itself as legitimate software to evade detection. It captures sensitive…