Found 452 bookmarks
Custom sorting
ClearFake Malware Analysis | malware-analysis
ClearFake Malware Analysis | malware-analysis
There are several malicious fake updates campaigns being run across thousands of compromised websites. Here I will walk through one with a pattern that doesn’t match with others I’ve been tracking. This campaign appears to have started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least 434 infected sites. I’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation. I say majority because base64 is used three times. That’s it. All the variable names are in the clear, no obfuscation on them. One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can you go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well.
#rmceoin#EN#2023#fake#updates#campaigns#browsers#ClearFake#analysis
·rmceoin.github.io·
ClearFake Malware Analysis | malware-analysis
MAR-10478915-1.v1 Citrix Bleed
MAR-10478915-1.v1 Citrix Bleed
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
#cisa#EN#2023#CitrixBleed#analysis#IoCs
·cisa.gov·
MAR-10478915-1.v1 Citrix Bleed
Shc Linux Malware Installing CoinMiner
Shc Linux Malware Installing CoinMiner
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
#asec#2023#EN#Shell#Script#Compiler#analysis#Linux#Malware#CoinMiner#Shc
·asec.ahnlab.com·
Shc Linux Malware Installing CoinMiner
CVE-2022-35650 Analysis
CVE-2022-35650 Analysis
CVE-2022-35650 The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.
#Anna#0x1337#CVE-2022-35650#Analysis#Moodle#vulnerability#PHP
·0x1337.ninja·
CVE-2022-35650 Analysis
CVE-2020-3433 : élévation de privilèges sur le client VPN Cisco AnyConnect
CVE-2020-3433 : élévation de privilèges sur le client VPN Cisco AnyConnect
Cet article explique comment trois vulnérabilités supplémentaires ont été découvertes dans le client VPN Cisco AnyConnect pour Windows. Elles ont été trouvées suite au développement d’un exploit pour la CVE-2020-3153 (une élévation de privilèges, étudiée dans MISC n°111). Après un rappel du fonctionnement de ce logiciel, nous étudierons chacune de ces nouvelles vulnérabilités.
#ed-diamond#FR#2020#CVE-2020-3433#Cisco#AnyConnect#analysis
·connect.ed-diamond.com·
CVE-2020-3433 : élévation de privilèges sur le client VPN Cisco AnyConnect
CVE-2022-30333
CVE-2022-30333
On May 6, 2022, Rarlab released version 6.17, which addresses CVE-2022-30333, a path traversal vulnerability reported to them by Sonar, who posted a write-up about it. Sonar specifically calls out Zimbra Collaboration Suite’s usage of unrar as vulnerable (specifically, the amavisd component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in 9.0.0 patch 25 and 8.5.15 patch 32 by replacing unrar with 7z.
#attackerkb#CVE-2022-30333#analysis#zimbra#Rapid7
·attackerkb.com·
CVE-2022-30333
BRATA is evolving into an Advanced Persistent Threat
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
#cleafy#2022#EN#malware#BRATA#APT#phishing#analysis#IOCs#banker
·cleafy.com·
BRATA is evolving into an Advanced Persistent Threat
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
#malwarebytes#EN#2022#analysis#email#threat#email-threat#Review#TrickBot#ASyncRat#Dridex
·blog.malwarebytes.com·
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
An update on the threat landscape
An update on the threat landscape
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
#google#threat#analysis#2022#EN#Ukraine#TAG#GoogleTAG#informations#APT28#UNC1151#Ghostwriter#FancyBear#MustangPanda
·blog.google·
An update on the threat landscape
Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification
Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification
Python’s e-mail libraries smtplib, imaplib, and poplib do not verify server certificates unless a proper SSL context is passed to the API. This leads to security problems.
#pentagrid#EN#Python#e-mail#libraries#smtplib#imaplib#poplib#SSL#insecure#analysis
·pentagrid.ch·
Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification
FakeUpdateRU Chrome Update Infection Spreads Trojan Malware
FakeUpdateRU Chrome Update Infection Spreads Trojan Malware
Learn about the fake Google Chrome update malware, a common form of website malware that tricks users into downloading a remote access trojan disguised as a browser update. Understand how it works, its impact on websites, and how to protect your site from such threats. Stay updated on the latest malware trends with Sucuri.
#sucuri#EN#2023#Google#Chrome#update#malware#fake#analysis
·blog.sucuri.net·
FakeUpdateRU Chrome Update Infection Spreads Trojan Malware
Another plastic surgery practice appears to have been hit — this time by Hunters International
Another plastic surgery practice appears to have been hit — this time by Hunters International
On October 17, the FBI issued a Public Service Announcement, Cybercriminals are Targeting Plastic Surgery Offices and Patients. Five days later, DataBreaches learned that there had been another attack on a plastic surgery practice where patient data had allegedly been stolen and is in danger of being leaked publicly. It would not be surprising if the FBI knew about the attack and that it was the impetus for the newly released PSA.
#databreaches#EN#2023#analysis#plastic-surgery#data-breaches#Hunters-International
·databreaches.net·
Another plastic surgery practice appears to have been hit — this time by Hunters International
90s Vulns In 90s Software (Exim) - Is the Sky Falling?
90s Vulns In 90s Software (Exim) - Is the Sky Falling?
A few days ago, ZDI went public with no less than six 0days in the popular mail server Exim. Ranging from ‘potentially world-ending' through to ‘a bit of a damp squib’, these bugs were apparently discovered way back in June 2022 (!) - but naturally got caught up in the void between the ZDI and Exim for quite some time. Mysterious void.
#labs.watchtowr#EN#2023#Exim#analysis#CVE-2023-42115
·labs.watchtowr.com·
90s Vulns In 90s Software (Exim) - Is the Sky Falling?
Mirai Botnet's New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
Mirai Botnet's New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
Several new Mirai variant families were widely deployed in September 2023, among which hailBot, kiraiBot and catDDoS are the most active.
#nsfocusglobal#EN#2023#analysis#Mirai#catDDoS#hailBot#kiraiBot
·nsfocusglobal.com·
Mirai Botnet's New Wave: hailBot,kiraiBot, catDDoS, and Their Fierce Onslaught - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials
New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials
Netskope Threat Labs is tracking a campaign that uses malicious Python scripts to steal Facebook users’ credentials and browser data. This campaign targets Facebook business accounts with bogus Facebook messages with a malicious file attached. The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.
#netskope#EN#2023#analysis#Python#NodeStealer#Facebook#Credentials#Login
·netskope.com·
New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials