Found 113 bookmarks
Custom sorting
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector. We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
#arcticwolf#EN#2024#Fog#ransomware#USA#analysis
·arcticwolf.com·
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
Kematian-Stealer : A Deep Dive into a New Information Stealer
Kematian-Stealer : A Deep Dive into a New Information Stealer
Kematian-Stealer is actively being developed and distributed as an open-source tool on GitHub. Our investigation revealed that the stealer’s source code, related scripts, and a builder for generating malicious binaries are hosted under the GitHub account “Somali-Devs.” Significant contributions from the user KDot227 suggest a close link between this account and the development of the stealer. These scripts and stealer are designed to covertly extract sensitive data from unsuspecting users and organizations.
#cyfirma#EN#2024#Kematian-Stealer#open-source#stealer#analysis
·cyfirma.com·
Kematian-Stealer : A Deep Dive into a New Information Stealer
Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)
Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)
Progress un-embargoed an authentication bypass vulnerability in Progress MOVEit Transfer. Many sysadmins may remember last year’s CVE-2023-34362, a cataclysmic vulnerability in Progress MOVEit Transfer that sent ripples through the industry, claiming such high-profile victims as the BBC and FBI. Sensitive data was leaked, and sensitive data was destroyed, as the cl0p ransomware gang leveraged 0days to steal data - and ultimately leaving a trail of mayhem.
#watchtowr.com#EN#2024#MOVEit#CVE-2024-5806#Analysis#PoC
·labs.watchtowr.com·
Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…
#thedfirreport#EN#2024#analysis#IceID#ScreenConnect#incident#ALPHV#Ransomware
·thedfirreport.com·
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
How AI Will Change Democracy
How AI Will Change Democracy
I don’t think it’s an exaggeration to predict that artificial intelligence will affect every aspect of our society. Not by doing new things. But mostly by doing things that are already being done by humans, perfectly competently. Replacing humans with AIs isn’t necessarily interesting. But when an AI takes over a human task, the task changes.
#schneier#EN#2024#AI#risk#Democracy#Change#analysis
·schneier.com·
How AI Will Change Democracy
Check Point - Wrong Check Point (CVE-2024-24919)
Check Point - Wrong Check Point (CVE-2024-24919)
Gather round, gather round - it’s time for another blogpost tearing open an SSLVPN appliance and laying bare a recent in-the-wild exploited bug. This time, it is Check Point who is the focus of our penetrative gaze. Check Point, for those unaware, is the vendor responsible for the 'CloudGuard Network Security' appliance, yet another device claiming to be secure and hardened. Their slogan - "you deserve the best security" - implies they are a company you can trust with the security of your network. A bold claim.
#watchtowr#EN#2024#CVE-2024-24919#checkpoint#analysis#patch-diff
·labs.watchtowr.com·
Check Point - Wrong Check Point (CVE-2024-24919)
PCTattletale leaks victims' screen recordings to entire Internet
PCTattletale leaks victims' screen recordings to entire Internet
PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target's browser.
#ericdaigle#EN#2024#PCTattletale#analysis#stalkerware#screen#recordings#leak
·ericdaigle.ca·
PCTattletale leaks victims' screen recordings to entire Internet
Leveraging DNS Tunneling for Tracking and Scanning
Leveraging DNS Tunneling for Tracking and Scanning
This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes. Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls. This allows C2 traffic and data exfiltration that can remain hidden from some traditional detection methods.
#unit42#EN#2024#DNS#Tunneling#Tracking#Scanning#research#analysis
·unit42.paloaltonetworks.com·
Leveraging DNS Tunneling for Tracking and Scanning
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.
#asec.ahnlab#EN#2024#MS-SQL#servers#CoinMiner#BlueSky#ransomware#analysis
·asec.ahnlab.com·
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)
Kapeka: A novel backdoor spotted in Eastern Europe
Kapeka: A novel backdoor spotted in Eastern Europe
This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based & hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and as might be expected, a list of indicators of compromise, YARA rules, and MITRE ATT&CK mapping
#withsecure#EN#2024#Kapeka#analysis#Sandworm
·labs.withsecure.com·
Kapeka: A novel backdoor spotted in Eastern Europe
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)
Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain .GOVs - we’re not here to comment on that, but sounds humorous.
#watchtowr#EN#2024#CVE-2024-3400#SSLVPN#Paloalto#GlobalProtect#analysis
·labs.watchtowr.com·
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)