Evidence of a pre-existing exploit was rendered when the Huntress agent was added to an endpoint. Within minutes, and in part through the use of previously published threat intelligence, analysts were able to identify the issue and make recommendations to the customer to remediate the root cause.
Zero Day Initiative — CVE-2023-46263: Ivanti Avalanche Arbitrary File Upload Vulnerability
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Ivanti Avalanche enterprise mobility management program. Other Ivanti products
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
Analysis of ransomware gang leak site data reveals significant activity over 2023. As groups formed — or dissolved — and tactics changed, we synthesize our findings.
Attack of the week: Airdrop tracing – A Few Thoughts on Cryptographic Engineering
It's been a while since I wrote an "attack of the week" post, and the fault for this is entirely mine. I've been much too busy writing boring posts about Schnorr signatures! But this week's news brings an exciting story with both technical and political dimensions: new reports claim that Chinese security agencies have developed…
Veeam Backup & Replication is a data backup and replication solution. On March 7, 2023, Veeam published an advisory, along with patches, for https://nvd.nist.g…
In both his twitter (err, X) thread and in a subsequent posting he provided a comprehensive background and triage of the malware dubbed SpectralBlur. In terms of its capabilities he noted: SpectralBlur is a moderately capable backdoor, that can upload/download files, run a shell, update its configuration, delete files, hibernate or sleep, based on commands issued from the C2. -Greg He also pointed out similarities to/overlaps with the DPRK malware known as KandyKorn (that we covered in our “Mac Malware of 2024” report), while also pointing out there was differences, leading him to conclude: We can see some similarities ... to the KandyKorn. But these feel like families developed by different folks with the same sort of requirements. -Greg
This write-up presents an exploit for a vulnerability in the XNU kernel: Assigned CVE-2023-32434. Fixed in iOS 16.5.1 and macOS 13.4.1. Reachable from the WebContent sandbox and might have been actively exploited. *Note that this CVE fixed multiple integer overflows, so it is unclear whether or not the integer overflow used in my exploit was also used in-the-wild. Moreover, if it was, it might not have been exploited in the same way. The exploit has been successfully tested on: iOS 16.3, 16.3.1, 16.4 and 16.5 (iPhone 14 Pro Max) macOS 13.1 and 13.4 (MacBook Air M2 2022) All code snippets shown below are from xnu-8792.81.2.
CVE-2023-46747 : Unauthenticated Remote Code Execution in F5 BIG-IP - Malware Analysis - Malware Analysis, News and Indicators
On 26th October, 2023 F5 released a security advisory about a critical unauthenticated remote code execution vulnerability, CVE-2023-46747, in F5’s BIG-IP configuration utility. This vulnerability could allow unauthent…
The ticking time bomb of Microsoft Exchange Server 2013
I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong. Basically, I’m a giant big dork with too much free time. I’ve discovered two organisations with ransomware incidents, where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled, where all available security updates were applied.
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
On May 10, 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2…
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
Reconstructing the Attack from a 4th party collector’s point of view Hamid Kashfi 18th December, Predator Sparrows launched a second attack against the fuel distribution system in Iran, similar to their previous operation in 2021. Since 2021, Iranian officials or third-party security vendors have not published any analysis or technical details about the original attack, which is not unusual. Their screenshots from the latest attacks provide some clues that only confirm our previous work, indicating connections to the “Yaas Arghavani” company, a VSAT and POS service provider for the fuel distribution system. The following is an old draft from December 2021, which I wrote for peer eyes rather than public view. The original draft focused on the first attack against the fuel distribution system. Still, some remarks remain valid and relevant to the recent attack on 18 Dec 2023, as little has changed regarding how the system works. The same infrastructure, same suppliers, and same 3rd party vendors, so we are likely just talking about a different attack vector and entry point from the previous case. I will probably draft a new note about the recent attack from scratch soon and when more details are gathered rather than updating the old speculative work.
Rhadamanthys v0.5.0 - a deep dive into the stealer’s components
The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0. In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions. A new plugin system makes the malware expandable for specific distributor needs. The custom executable formats, used for modules, are unchanged since our last publication (XS1 and XS2 formats are still in distribution). Check Point Research (CPR) provides a comprehensive review of the agent modules, presenting their capabilities and implementation, with a focus on how the stealer components are loaded and how they work.
Apache Struts is a popular Java web application framework. On December 7, 2023 Apache published an advisory for CVE-2023-50164, a Struts parameter pollution vu…
Scanning Danger: Unmasking the Threats of Quishing
In this blog, we explore the modus operandi of threat actors utilizing QR code attacks, by examining recent and widespread quishing campaigns detected by Trellix.
Star Blizzard increases sophistication and evasion in ongoing attacks
Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard, who has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against targets.
What it means — CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US. | by Kevin Beaumont | Dec, 2023 | DoublePulsar
Credit union technology firm Trellance own Ongoing Operations LLC, and provide a platform called Fedcomp — used by double digit number of other credit unions across the United States. This Fedcomp…
In the heart of International Geneva, a diverse ecosystem thrives, housing 38 international organizations (IOs), 432 non-governmental organizations (NGOs), and several hundred associations active at an international level, all united by a shared mission: to make the world a place of peace and justice. NGOs are the unsung heroes, addressing armed conflicts, natural disasters, and humanitarian crises, championing human rights, and advancing the Sustainable Development Goals (SDGs). Like many other organizations, NGOs heavily rely on technology, which is critical for projecting their activities globally in real time. Yet, in today’s digital landscape, this reality brings its own set of challenges.
Gamaredon, also known as Primitive Bear, ACTINIUM, and Shuckworm, is a unique player in the Russian espionage ecosystem that targets a wide variety of almost exclusively Ukrainian entities. While researchers often struggle to uncover evidence of Russian espionage activities, Gamaredon is notably conspicuous. The group behind it conducts large-scale campaigns while still primarily focusing on regional targets. The Security Service of Ukraine (SSU) identified the Gamaredon personnel as Russian Federal Security Service (FSB) officers.
Understanding the Phobos affiliate structure and activity
Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants
There are several malicious fake updates campaigns being run across thousands of compromised websites. Here I will walk through one with a pattern that doesn’t match with others I’ve been tracking. This campaign appears to have started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least 434 infected sites. I’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation. I say majority because base64 is used three times. That’s it. All the variable names are in the clear, no obfuscation on them. One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can you go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well.
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
