Fake update puts visitors at risk
WordPress admins, take heed: A recent development in a malware downloader called "SocGholish" could place your visitors at risk from malware infections!
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files. Read more.
New Play Ransomware Linux Variant Targets ESXi Shows Ties With Prolific Puma | Trend Micro (US)
Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments.
Analysis of the Phishing Campaign: Behind the Incident
See the results of our investigation into the phishing campaign encountered by our company and get information to defend against it. Here are some key findings: We found around 72 phishing domains pretending to be real or fake companies. These domains created believable websites that tricked people into sharing their login details. The attack was sophisticated, using advanced techniques like direct human interaction to deceive targets. We analyzed several fake websites and reverse-engineered their web-facing application. At the end of the post, you will find a list of IOCs that can be used for improving your organization’s security.
Detecting and Preventing Unauthorized User Access: Instructions
Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts. We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted. This post will assist with investigating any potential threat activity within Snowflake customer accounts and provide guidance in the “Recommended Actions” section below.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive
CVE-2024-23108 Fortinet FortiSIEM Command Injection Deep-Dive and Indicators of Compromise. This blog details a command injection vulnerability which allows an unauthenticated attacker to access the FortiSIEM server as root to execute arbitrary commands.
CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive
CVE-2023-34992 Fortinet FortiSIEM Command Injection Deep-Dive and Indicators of Compromise. This blog details a command injection vulnerability which allows an unauthenticated attacker to access the FortiSIEM server as root to execute arbitrary commands.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
Managing Attack Surface | Huntress Blog
Huntress recently detected interesting activity on an endpoint; a threat actor was attempting to establish a foothold on an endpoint by using commands issued via MSSQL to upload a reverse shell accessible from the web server. All attempts were obviated by MAV and process detections, but boy-howdy, did they try!
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
MAR-10478915-1.v1 Citrix Bleed
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
Bitter Pill: Third-Party Pharmaceutical Vendor Linked to Pharmacy and Health Clinic Cyberattack
Huntress has uncovered a series of unauthorized access, revealing a threat actor using ScreenConnect to infiltrate multiple healthcare organizations.
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia
Microsoft analyzes a threat group tracked as DEV-0196, the actor’s iOS malware “KingsPawn”, and their link to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infrastructure called REIGN, that’s designed to exfiltrate data from mobile devices.
3CX: Supply Chain Attack Affects Thousands of Users Worldwide
North Korean-sponsored actors believed to be linked to attack that Trojanized several versions of 3CX DesktopApp
BlackLotus UEFI bootkit: Myth confirmed
ESET researchers are the first to publish an analysis of BlackLotus, the first in-the-wild UEFI bootkit capable of bypassing UEFI Secure Boot.
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. This vulnerability allows remote code execution as the root user. (advisory https://www.fortiguard.com/psirt?date=02-2023)
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad -- FakeBat Loader -- Redline Stealer & Gozi/ISFB/Ursnif
NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.
Ransomware Roundup – Trigona Ransomware
In this week's Ransomware Roundup, FortiGuardLabs covers Trigona ransomware along with protection recommendations. Read the blog to find out more.
OneNote Documents Increasingly Used to Deliver Malware
Key Findings: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
The Titan Stealer: Notorious Telegram Malware Campaign
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
Shlayer Malware: Continued Use of Flash Updates
Although Flash Player reached end of life for macOS in 2020, this has not stopped Shlayer operators from continuing to abuse it for malvertising campaigns.
L’art de l’évasion How Shlayer hides its configuration inside Apple proprietary DMG files
While conducting routine threat hunting for macOS malware on Ad networks, I stumbled upon an unusual Shlayer sample. Upon further analysis, it became clear that this variant was different from the known Shlayer variants such as OSX/Shlayer.D, OSX/Shlayer.E, or ZShlayer. We have dubbed it OSX/Shlayer.F.
An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT). Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).
Aurora: a rising stealer flying under the radar
Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset.
Technical Analysis of the RedLine Stealer
RedLine is an information stealer which operates on a MaaS (malware-as-a-service) model. This stealer is available on underground forums, and priced according to users' needs.