Search cyberveille.decio.ch

Found 136 bookmarks

Custom sorting

Triangulation: validators, post-compromise activity and modules | Securelist

In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.

#securelist #EN #2023 #iOS #Apple #macOS #APT #Malware #Malware-Description #analysis #spyware #Triangulation

·securelist.com·Oct 26, 2023

Triangulation: validators, post-compromise activity and modules | Securelist

Another plastic surgery practice appears to have been hit — this time by Hunters International

On October 17, the FBI issued a Public Service Announcement, Cybercriminals are Targeting Plastic Surgery Offices and Patients. Five days later, DataBreaches learned that there had been another attack on a plastic surgery practice where patient data had allegedly been stolen and is in danger of being leaked publicly. It would not be surprising if the FBI knew about the attack and that it was the impetus for the newly released PSA.

#databreaches #EN #2023 #analysis #plastic-surgery #data-breaches #Hunters-International

·databreaches.net·Oct 24, 2023

Another plastic surgery practice appears to have been hit — this time by Hunters International

CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations

Cluster25 analyzed an attack by APT28/FancyBear exploiting the WinRAR vulnerability CVE-2023-38831

#cluster25 #EN #2023 #analysis #CVE-2023-38831 #Exploited #Pro-Russia #WinRAR

·blog.cluster25.duskrise.com·Oct 21, 2023

CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations

Disclosing the BLOODALCHEMY backdoor

BLOODALCHEMY is a new, actively developed, backdoor that leverages a benign binary as an injection vehicle, and is a part of the REF5961 intrusion set.

#elastic.co #EN #2023 #BLOODALCHEMY #backdoor #REF5961 #analysis

·elastic.co·Oct 15, 2023

Disclosing the BLOODALCHEMY backdoor

90s Vulns In 90s Software (Exim) - Is the Sky Falling?

A few days ago, ZDI went public with no less than six 0days in the popular mail server Exim. Ranging from ‘potentially world-ending' through to ‘a bit of a damp squib’, these bugs were apparently discovered way back in June 2022 (!) - but naturally got caught up in the void between the ZDI and Exim for quite some time. Mysterious void.

#labs.watchtowr #EN #2023 #Exim #analysis #CVE-2023-42115

·labs.watchtowr.com·Oct 8, 2023

90s Vulns In 90s Software (Exim) - Is the Sky Falling?

Mirai Botnet's New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

Several new Mirai variant families were widely deployed in September 2023, among which hailBot, kiraiBot and catDDoS are the most active.

#nsfocusglobal #EN #2023 #analysis #Mirai #catDDoS #hailBot #kiraiBot

·nsfocusglobal.com·Oct 6, 2023

New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials

Netskope Threat Labs is tracking a campaign that uses malicious Python scripts to steal Facebook users’ credentials and browser data. This campaign targets Facebook business accounts with bogus Facebook messages with a malicious file attached. The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.

#netskope #EN #2023 #analysis #Python #NodeStealer #Facebook #Credentials #Login

·netskope.com·Sep 18, 2023

New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials

Compromised Microsoft Key: More Impactful Than We Thought

Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.

#wiz #EN #2023 #Microsoft #Key #OWA #postmortem #analysis #Storm-0558

·wiz.io·Sep 7, 2023

Compromised Microsoft Key: More Impactful Than We Thought

What's in a NoName? Researchers see a lone-wolf DDoS group

Every morning at roughly the same time, a Russian hacker group known as NoName057(16) carries out distributed denial-of-service (DDoS) attacks on European financial institutions, government websites or transportation services.

#therecord #EN #2023 #NoName057(16)#DDoS #analysis

·therecord.media·Sep 6, 2023

What's in a NoName? Researchers see a lone-wolf DDoS group

Exposing DuckTail

A comprehensive exploration of DuckTail's sophisticated infrastructure and insights gained from months of monitoring.

#zscaler #EN #2023 #DuckTail #insights #analysis #threat-actor

·zscaler.com·Aug 30, 2023

Exposing DuckTail

Adversary On The Defense: ANTIBOT.PW

Discover the lifecycle of a commercial web traffic filtering service originating from a GitHub project and how it found success within phishing operations, including how it evolved into a commercial platform offering under new branding.

#inquest #EN #2023 #analysis #ANTIBOT.PW #phishing

·inquest.net·Aug 28, 2023

Adversary On The Defense: ANTIBOT.PW

CVE-2023-36844 And Friends: RCE In Juniper Devices

As part of our Continuous Automated Red Teaming and Attack Surface Management technology - the watchTowr Platform - we're incredibly proud of our ability to discover nested, exploitable vulnerabilities across huge attack surfaces. Through our rapid PoC process, we enable our clients to understand if they are vulnerable to emerging

#labs.watchtowr #EN #2023 #CVE-2023-36844 #Juniper #RCE #analysis

·labs.watchtowr.com·Aug 26, 2023

CVE-2023-36844 And Friends: RCE In Juniper Devices

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

#talosintelligence #EN #2023 #analysis #ManageEngine #CVE-2022-47966

·blog.talosintelligence.com·Aug 25, 2023

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

Unpacking the Threats Within: The Hidden Dangers of .zip Domains

Let's have a look at the threats brought by introduction of .zip TLD

#avast #EN #2023 #TLD #.zip #analysis

·decoded.avast.io·Aug 1, 2023

Unpacking the Threats Within: The Hidden Dangers of .zip Domains

Into the tank with Nitrogen

The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques

#sophos #analysis #EN #2023 #Nitrogen #Malvertising #initial-access

·news.sophos.com·Jul 31, 2023

Into the tank with Nitrogen

Unmasking the Meduza Stealer: Comprehensive Analysis & Countermeasures

Read Uptycs' analysis of the newly discovered Meduza Stealer malware targeting Windows users, revealing capabilities, potential impact & mitigation steps.

#Uptycs #EN #2023 #meduza #Stealer #Windows #analysis

·uptycs.com·Jul 7, 2023

Unmasking the Meduza Stealer: Comprehensive Analysis & Countermeasures

BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection -

Threat actors are using increasingly sophisticated forms of evasion and anti-analysis as they respond to increased attention to macOS security in the enterprise.

#sentinelone #EN #2023 #BlueNoroff #DPRK #macOS #RustBucket #Evade #analysis

·sentinelone.com·Jul 5, 2023

BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection -

Clop Ransomware: History, Timeline, And Adversary Simulation

The infamous Clop ransomware, mainly known as Cl0p, targets various industries and organizations, extorting data for a huge amount of ransom. It advances actively with new emerging campaigns. This blog walks through the Clop timeline, Mitre TTPs and their emulation.

#fourcore #EN #2023 #Cl0p #History #Timeline #TTP #ransomware #analysis

·fourcore.io·Jul 5, 2023

Clop Ransomware: History, Timeline, And Adversary Simulation

Malware Execution Method Using DNS TXT Record

AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware.

#ASEC #EN #2023 #DNS #TXT #malware #analysis

·asec.ahnlab.com·Jun 30, 2023

Malware Execution Method Using DNS TXT Record

Meduza Stealer or The Return of The Infamous Aurora Stealer

Meduza Stealer malware analysis

#russianpanda #EN #2023 #analysis #meduza #Aurora #Stealer #malware

·russianpanda.com·Jun 29, 2023

Meduza Stealer or The Return of The Infamous Aurora Stealer

Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination

I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Dark Net Diaries, discussing his tracking of the Revil ransomware.)

#callyso0414 #YUCA #medium #EN #2023 #ransomware #logs #log #chats #Stylometric #Analysis

·medium.com·Jun 28, 2023

Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination

PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID

Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia. Bumblebee is a malware loader first discovered in March 2022. It was associated with Conti group and was being used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware. IcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.

#deepinstinct #EN #2023 #JavaScript #Dropper #PindOS #Bumblebee #analysis

·deepinstinct.com·Jun 26, 2023

PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID

IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits

Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.

#unit42 #EN #2023 #Mirai #analysis #IoT

·unit42.paloaltonetworks.com·Jun 22, 2023

IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits

Shc Linux Malware Installing CoinMiner

The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.

#asec #2023 #EN #Shell #Script #Compiler #analysis #Linux #Malware #CoinMiner #Shc

·asec.ahnlab.com·Jan 4, 2023

Shc Linux Malware Installing CoinMiner

Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”.

#microsoft #EN #2023 #CadetBlizzard #DEV-0586 #Russia #analysis

·microsoft.com·Jun 14, 2023

Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

The Phantom Menace: Brute Ratel remains rare and targeted

The commercial attack tool’s use by bad actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.

#sophos #EN #2023 #BruteRatel #faded #analysis

·news.sophos.com·Jun 14, 2023

The Phantom Menace: Brute Ratel remains rare and targeted

Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign

Affected Platforms: FortiOS Impacted Users: Targeted at government, manufacturing, and critical infrastructure Impact: Data loss and OS and file corruption Severity Level: Critical Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity.

#fortinet #EN #2023 #patch #CVE-2023-27997 #analysis #VoltTyphoon #Clarifications

·fortinet.com·Jun 13, 2023

Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign

Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was

When Lexfo Security teased a critical pre-authentication RCE bug in FortiGate devices on Saturday 10th, many people speculated on the practical impact of the bug. Would this be a true, sky-is-falling level vulnerability like the recent CVE-2022-42475? Or was it some edge-case hole, requiring some unusual and exotic requisite before any exposure? Others even went further, questioning the legitimacy of the bug itself. Details were scarce and guesswork was rife.

#labs.watchtowr #EN #2023 #Xortigate #XOR #RCE #CVE-2023-27997 #FortiGate #analysis

·labs.watchtowr.com·Jun 13, 2023

Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was

Analysis of CVE-2023-29336 Win32k Privilege Escalation

Analyzing CVE-2023-29336 Win32k vulnerability, its exploitation, and mitigation measures in the context of evolving security practices.

#numencyber #EN #2023 #Analysis #CVE-2023-29336 #Win32k #Privilege #Escalation

·numencyber.com·Jun 8, 2023

Analysis of CVE-2023-29336 Win32k Privilege Escalation

Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)

On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resources links, including one for the patch, are at the bottom of this post.

#trustwave #EN #2023 #0-day #MOVEit #CVE-2023-34362 #analysis

·trustwave.com·Jun 6, 2023

Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)