Dissecting TriangleDB, a Triangulation spyware implant
In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. As of now, we have finished analyzing the spyware implant and are ready to share the details.
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389
FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year. Read more.
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future
Recorded Future's Insikt Group, in partnership with Ukraine's Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022.
Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads
In June 2023, Bitdefender Labs published a research paper about espionage operation in East Asia. This operation was ongoing since at least the beginning of 2022, showing a high level of sophistication typically associated with state-sponsored groups. Despite trying various methods, we have been unable to attribute these attacks to a specific threat actor, but the target aligns with the interest of China-based threat actors.
chonked pt.2: exploiting cve-2023-33476 for remote code execution
second part in a two-part series going over heap overflow in MiniDLNA (CVE-2023-33476). this post provides a walkthrough of steps taken to write an exploit for this vulnerability in order to achieve remote code execution and pop a shell.
ASUS urges customers to patch critical router vulnerabilities
ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.
Le piratage de la société Xplain, une véritable bombe à retardement pour la Suisse
Dans l’ombre des attaques de sites web, le piratage du prestataire informatique Xplain a mis à nu 907 gigaoctets de données hautement sensibles, touchant plusieurs services de l’Etat
Des données personnelles aussi touchées lors de la cyberattaque contre la Confédération - rts.ch - Suisse
Outre des données opérationnelles de la Confédération, l'attaque informatique par rançongiciel contre l'entreprise bernoise Xplain a permis de mettre la main sur des informations concernant des particuliers, affirme Le Matin Dimanche.
Piratage: la Suisse est très mauvaise élève de la cybersécurité
Des dizaines de milliers de serveurs présentent des failles de sécurité en Suisse. La Confédération ne fait pas grand-chose pour remédier à la situation.
Without altering a single line of code, attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones
Microsoft says early June disruptions to Outlook, cloud platform, were cyberattacks
Microsoft says the early June disruptions to its Microsoft’s flagship office suite — including the Outlook email apps — were denial-of-service attacks by a shadowy new hacktivist group. In a blog post published Friday evening after The Associated Press sought clarification on the sporadic but serious outages, Microsoft confirmed that that they were DDoS attacks by a group calling itself Anonymous Sudan, which some security researchers believe is Russia-affiliated. The software giant offered few details on the attack. It did not comment on how many customers were affected.
Cyberattaques massives contre la Suisse, huit questions pour analyser une semaine folle
La guerre s’est invitée dans le cyberespace suisse avec fracas cette semaine, le groupe de hackers NoName visant des dizaines de cibles. Il faudra mieux se préparer face à des attaques qui pourraient s’intensifier, avertissent trois experts
A Shady Chinese Firm’s Encryption Chips Got Inside NATO and NASA
The US government warns encryption chipmaker Hualan has suspicious ties to China’s military. Yet US agencies still use one of its subsidiary’s chips, raising fears of a backdoor.
‘Several’ US federal agencies affected by MOVEit breach
Top U.S. cybersecurity officials confirmed Thursday that several federal agencies have been impacted by cyberattacks on the widely used MOVEit file transfer tool. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told reporters that her team and the FBI are working to provide assistance to federal agencies that used MOVEit, which is being exploited by the Russia-based Clop ransomware gang in a widespread breach that appears to have compromised dozens of entities. “We’ve been working closely with Progress Software [which makes MOVEit], the FBI and our federal partners to understand its prevalence within federal agencies,” she said. Earlier in the day, CNN first reported that several government agencies were compromised in the hacks. Easterly said that CISA is providing support to “several agencies that have experienced intrusions of their MOVEit applications.”
Suspected LockBit ransomware affiliate arrested, charged in US
Russian national Ruslan Magomedovich Astamirov was arrested in Arizona and charged by the U.S. Justice Department for allegedly deploying LockBit ransomware on the networks of victims in the United States and abroad.
Microsoft Encrypted Restricted Permission Messages Deliver Phishing | Trustwave
Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
Ce qui se cache derrière les cyberattaques pro-russes contre la Suisse
Le groupe d'hacktivistes pro-russe «NoName057(16)» poursuit sans relâche ses attaques contre des serveurs suisses. Voici leur organisation sur Telegram.
Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog
Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”.
The Phantom Menace: Brute Ratel remains rare and targeted
The commercial attack tool’s use by bad actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Cyberattaque contre l'entreprise Xplain: les premiers résultats des analyses indiquent que des mesures sont nécessaires
Berne, 14.06.2023 - Depuis la révélation de l'attaque par rançongiciel qui a visé l'entreprise Xplain, des examens approfondis sont en cours à l'administration fédérale. Les analyses effectuées jusqu'à présent montrent que les données dérobées comprennent aussi des données opérationnelles de diverses autorités et organisations. Le but est maintenant de comprendre comment ces données se sont retrouvées sur l'infrastructure de l'entreprise Xplain.
TAG Aviation: Black Basta pirate une compagnie romande
La société TAG Aviation a été victime d'une attaque par ransomware. Les recherches de watson révèlent que Black Basta est à l'origine de cette attaque.