Found 58 bookmarks
Custom sorting
Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
In December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft’s monthly Patch Tuesday release. Both vulnerabilities were deemed as highly significant due to the widespread use of LDAP in Windows environments: CVE-2024-49112: A remote code execution (RCE) bug that attackers can exploit by sending specially crafted LDAP requests, allowing them to execute arbitrary code on the target system. CVE-2024-49113: A denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions. In this blog entry, we discuss a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (aka LDAPNightmare) designed to lure security researchers into downloading and executing information-stealing malware.
#trendmicro#EN#2025#malware#Stealer#research#LDAPNightmare#fake#PoC#CVE-2024-49113
·trendmicro.com·
Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
What We Know About CVE-2024-49112 and CVE-2024-49113
What We Know About CVE-2024-49112 and CVE-2024-49113
In December 2024, two Windows Lightweight Directory Access Protocol (LDAP) vulnerabilities were identified by independent security researcher Yuki Chen: CVE-2024-49112, a remote code execution (RCE) flaw with a 9.8 CVSS score, and CVE-2024-49113, a denial-of-service (DoS) flaw with a 7.5 CVSS score.
#trendmicro#EN#2024#CVE-2024-49112#CVE-2024-49113#LDAPNightmare#Microsoft#LDAP#RCE
·trendmicro.com·
What We Know About CVE-2024-49112 and CVE-2024-49113
Attacker Abuses Victim Resources to Reap Rewards from Titan Network
Attacker Abuses Victim Resources to Reap Rewards from Titan Network
  • Trend Micro researchers observed an attacker exploiting the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor used public IP lookup services and various system commands to gather details about the compromised machine. The attack involved downloading and executing multiple shell scripts to install Titan binaries and connect to the Titan Network with the attacker’s identity. * The malicious actor connects compromised machines to the Cassini Testnet, which allows them to participate in the delegated proof of stake system for reward tokens.
#trendmicro#EN#2024#Titan#Network#Confluence#exploitation#Atlassian#vulnerability#CVE-2023-22527
·trendmicro.com·
Attacker Abuses Victim Resources to Reap Rewards from Titan Network
A Dive into Earth Baku’s Latest Campaign
A Dive into Earth Baku’s Latest Campaign
Since late 2022, Earth Baku has broadened its scope from the Indo-Pacific region to Europe, the Middle East, and Africa. Their latest operations demonstrate sophisticated techniques, such as exploiting public-facing applications like IIS servers for initial access and deploying the Godzilla webshell for command and control.
#trendmicro#EN#2024#APT41#malware#apt-&-targeted-attacks#research#EarthBaku#reports
·trendmicro.com·
A Dive into Earth Baku’s Latest Campaign
The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider | Trend Micro (US)
The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider | Trend Micro (US)
On Thursday, April 18, 2024, the UK’s Metropolitan Police Service, along with fellow UK and international law enforcement, as well as several trusted private industry partners, conducted an operation that succeeded in taking down the Phishing-as-a-Service (PhaaS) provider LabHost. This move was also timed to coincide with a number of key arrests related to this operation. In this entry, we will briefly explain what LabHost was, how it affected its victims, and the impact of this law enforcement operation — including the assistance provided by Trend Micro.
#trendmicro#EN#2024#cybercrime#report#LabHost#takedown#PhaaS#Phishing-as-a-Service
·trendmicro.com·
The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider | Trend Micro (US)
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
  • On Feb. 19, 2024, Operation Cronos, a targeted law enforcement action, caused outages on LockBit-affiliated platforms, significantly disrupting the notorious ransomware group's operations. LockBit’s downtime was quickly followed by a takeover of its leak site by the UK’s National Crime Agency (NCA), spotlighting the concerted international effort against cybercrime. Authorities leveraged the compromised LockBit leak site to distribute information about the group and its operations, announce arrests, sanctions, cryptocurrency seizure, and more. This demonstrated support for affected businesses and cast doubt on LockBit's promises regarding data deletion post-ransom payment — emphasizing that paying ransoms is not the best course of action. Trend Micro analyzed LockBit-NG-Dev, an in-development version of the ransomware. Key findings indicated a shift to a .NET core, which allows it to be more platform-agnostic and emphasizes the need for new security detection techniques. The leak of LockBit's back-end information offered a glimpse into its internal workings and disclosed affiliate identities and victim data, potentially leading to a drop in trust and collaboration within the cybercriminal network. The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group’s future, hinting at the significant impact of the incident on the ransomware-as-a-service (RaaS) industry. Businesses can expect shifts in RaaS tactics and should enhance preparedness against potential reformations of the disrupted group and its affiliates. Contrary to what the group themselves have stated, activities observed post-disruption would indicate that Operation Chronos has a significant impact on the group’s activities.
#trendmicro#EN#2024#research#LockBit#Operation-Cronos#impact
·trendmicro.com·
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa.
#trendmicro#EN#2024#targeted-attacks#research#report#Earth-Krahang#i-soon
·trendmicro.com·
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
DarkGate Opens Organizations for Attack via Skype, Teams
DarkGate Opens Organizations for Attack via Skype, Teams
From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) abusing instant messaging platforms to deliver a VBA loader script to victims. This script downloaded and executed a second-stage payload consisting of a AutoIT scripting containing the DarkGate malware code. It’s unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization.
#trendmicro#EN#2024#malware#DarkGate#Skype#Teams
·trendmicro.com·
DarkGate Opens Organizations for Attack via Skype, Teams
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability CVE-2024-21412 in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
#trendmicro#EN#2024#CVE-2024-21412#Water-Hydra#exploits-&-vulnerabilities#research#report#apt-&-targeted-attacks
·trendmicro.com·
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
A Closer Look at ChatGPT's Role in Automated Malware Creation
A Closer Look at ChatGPT's Role in Automated Malware Creation
As the use of ChatGPT and other artificial intelligence (AI) technologies becomes more widespread, it is important to consider the possible risks associated with their use. One of the main concerns surrounding these technologies is the potential for malicious use, such as in the development of malware or other harmful software. Our recent reports discussed how cybercriminals are misusing the large language model’s (LLM) advanced capabilities: We discussed how ChatGPT can be abused to scale manual and time-consuming processes in cybercriminals’ attack chains in virtual kidnapping schemes. We also reported on how this tool can be used to automate certain processes in harpoon whaling attacks to discover “signals” or target categories.
#trendmicro#EN#2023#malware#articles#news#reports#research#ChatGPT
·trendmicro.com·
A Closer Look at ChatGPT's Role in Automated Malware Creation
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
#trendmicro#EN#2023#malware#endpoints#BlackCat#WinSCP#report#SpyBoy#GoogleAds
·trendmicro.com·
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices
An overview of the Lemon Group’s use of preinfected mobile devices, and how this scheme is potentially being developed and expanded to other internet of things (IoT) devices. This research was presented in full at the Black Hat Asia 2023 Conference in Singapore in May 2023.
#trendmicro#EN#2023#malware#cyber-crime#LemonGroup#Preinfected#Guerrilla#Android#mobile#mobile-device#IoT#AndroidOS_Guerilla
·trendmicro.com·
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices
Raspberry Robin Malware Targets Telecom, Governments
Raspberry Robin Malware Targets Telecom, Governments
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
#trendmicro#EN#2022#malware#apt#endpoints#RaspberryRobin#obfuscation#analysis
·trendmicro.com·
Raspberry Robin Malware Targets Telecom, Governments