WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution
Our TDR team has been investigating the WebDAV infrastructure used to distribute the Emmenhtal loader. Here are some key insights:
cyberveille.decio.ch
Emmenhtal: a little-known Emmenhtal distributing commodity infostealers worldwide
- Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers. Some of these campaigns are still active and target various organizations worldwide. These campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA. Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos). IoCs can be found on our dedicated GitHub page here. Note: The analysis cut-off date for this report was August 07, 2024.
Australian police infiltrate encrypted messaging app Ghost and arrest dozens
Australian police say they have infiltrated Ghost, an encrypted global communications app developed for criminals, leading to dozens of arrests.
Europol takes down "Ghost" encrypted messaging platform used for crime
Europol and law enforcement from nine countries successfully dismantled an encrypted communications platform called
Police Hack Into ‘Ghost’, An Encrypted Platform for Criminals
Operation Kraken is a sign that organized criminals are moving away from larger encrypted phone companies to a decentralized collection of smaller players and consumer access apps that the rest of us use.
Taking over Train infrastructure in Poland /Traction power substation and lighting systems
(6 Months later CZAT 7 Server is offline or changed to another ip address , this post was written 6 months ago, published today 9/2/2024) I’m a big fan of trains, i like them, but never tough that someday i would take over train traction power substation located in Poland from my home in Costa Rica. I’m not a train expert/engineer and i had no idea how the train management works , I’m a cyber security professional doing research in the internet about OT Industrial equipment exposed potentially vulnerable or misconfigured. Everything explained here is just what i learned reading official documentation from the Elester-pkp website . https://elester-pkp.com.pl/
Mastercard invests in continued defense of global digital economy with acquisition of Recorded Future
Mastercard today expanded its cybersecurity services with an agreement to acquire global threat intelligence company Recorded Future from Insight Partners for $2.65 billion.
Vanir Ransomware Group onion site seized by German law enforcement
Threat actors called Vanir Ransomware Group posted a few listings in July. Tonight, however, their onion site has a seized message: ” THIS HIDDEN SITE HAS BEEN SEIZED by the State Bureau of Investigation Baden-Württemberg as a part of a law enforcement action taken against Vanir Ransomware Group “
Port of Seattle refuses to pay Rhysida ransom, warns of data leak
The cyberattack over Labor Day weekend severely hampered operations at Seattle's airport, which is managed by the Port of Seattle.
VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest
VMware warned that an attacker with network access could send a specially crafted packet to execute remote code. CVSS severity score 9.8/10.
How Lazarus Group laundered $200M from 25+ crypto hacks to fiat …
Bluenoroff or APT38, more commonly referred to as Lazarus Group is a threat group which has been tied to the North Korean government since as early as 2009 primarily being financially motivated utilizing malware custom built for each target. Early on, the threat group gained notoriety for cyberattacks such as Sony Pictures Hack in 2014 and $81M Bangladesh Bank heist in 2016 and in more recent years has shifted focus to targets in the cryptocurrency industry. Analytics firms such as TRM and Chainalysis release annual reports summarizing crypto related incidents linked to DPRK and since 2017 they estimate between $3B to $4.1B has been stolen.
IoT Thermostat Bug Allows Hackers to Turn Up the Heat | by NewSky Security | NewSky Security
With the ever-increasing impact of smart and connected devices in our daily lives, Cybersecurity has a variety of security challenges to deal with. The field of traditional computer security deals…
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
UNC2970 is a cyber espionage group suspected to have a North Korea nexus.
Qilin ransomware attack on Synnovis impacted over 900K patients
The personal information of a million individuals was leaked online following a ransomware attack that in June hit NHS hospitals in London.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Microsoft working on OS update to prevent another IT outage
Existing low-level access for security solutions will undergo a rework
Hadooken Malware Targets Weblogic Applications
Nautilus researchers identified a new Linux malware targeting Weblogic servers with running Hadooken malware
Apple is well on its way to making iPhones theft-proof
Apple’s latest theft-prevention measure went live for beta testers yesterday: Activation Lock for iPhone components. The move is likely to...
SolarWinds fixed critical RCE CVE-2024-28991 in Access Rights Manager
SolarWinds addressed a critical remote code execution vulnerability, tracked as CVE-2024-28991, in Access Rights Manager.
Multiple attacks forces CISA to order agencies to upgrade or remove end-of-life Ivanti appliance
The nation’s top cyber watchdogs urged federal agencies to either remove or upgrade an Ivanti appliance that is no longer being updated and has been exploited in attacks.
German radio station forced to broadcast 'emergency tape' following cyberattack
Radio Geretsried, a local station in Bavaria, said it was trying to save music files and restore systems after an apparent ransomware attack.
23andMe Agrees To $30 Million Settlement For Last Year's Data Breach
Affected users can try to claim up to $10,000 if the breach at 23andMe led to financial fraud or paying up for security or mental health services.
Scammers advertise fake AppleCare+ service via GitHub repos
Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.
'Vo1d' Trojan Malware Infects 1.3 Million Android-Based TV Boxes Globally
Antivirus firm Dr.Web has flagged a type of Android malware known as Android.Vo1d that has infected about 1.3 million TV boxes across 197 countries. The malware effectively enables a backdoor into the TV box's system that allows an attacker to download and install malicious third-party software. The R4 TV box model running Android 7.1.2, a TV Box running Android 12.1, and the KJ-SMART4KVIP TV box running Android 10.1 were the types of devices reportedly impacted.
UK arrests teen linked to Transport for London cyber attack
U.K.'s National Crime Agency says it arrested a 17-year-old teenager who is suspected of being connected to the cyberattack on Transport for London, the city's public transportation agency.
Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS
I found a zero-click vulnerability in macOS Calendar, which allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This could lead to many bad things including malicious code execution which can be combined with security protection evasion with Photos to compromise users’ sensitive Photos iCloud Photos data. Apple has fixed all of the vulnerabilities between October 2022 and September 2023.
Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media
With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in manipulating public opinion.
Apple Suddenly Drops NSO Group Spyware Lawsuit
Apple said there’s “too significant a risk” of exposing the anti-exploit work needed to fend off the very adversaries involved in the case.
Ils réclament 3 millions à la Banque cantonale de Zurich: 4 jeunes arrêtés
Quatre jeunes Suisses ont été arrêtés pour avoir tenté de faire chanter la Banque cantonale de Zurich (ZKB). Ils ont exigé des bitcoins d'une valeur de trois millions de francs, faute de quoi les données de clients de la banque seraient publiées.
Chinese APT Abuses VSCode to Target Government in Asia
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage. A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.