cyberveille.decio.ch

cyberveille.decio.ch

6798 bookmarks
Custom sorting
Patch or Peril: A Veeam vulnerability incident
Patch or Peril: A Veeam vulnerability incident
Delaying security updates and neglecting regular reviews created vulnerabilities that were exploited by attackers, resulting in severe ransomware consequences. Initial access via FortiGate Firewall SSL VPN using a dormant account Deployed persistent backdoor (“svchost.exe”) on the failover server, and conducted lateral movement via RDP. Exploitation attempts of CVE-2023-27532 was followed by activation of xp_cmdshell and rogue user account creation. Threat actors made use of NetScan, AdFind, and various tools provided by NirSoft to conduct network discovery, enumeration, and credential harvesting. * Windows Defender was permanently disabled using DC.exe, followed by ransomware deployment and execution with PsExec.exe.
#group-ib#EN#2024#Veeam#vulnerability#incident#ransomware#FortiGate#NirSoft
·group-ib.com·
Patch or Peril: A Veeam vulnerability incident
RockYou2024: 10 billion passwords leaked in the largest compilation of all time
RockYou2024: 10 billion passwords leaked in the largest compilation of all time
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords. The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
#cybernews#EN#2024#RockYou2024#list#combo#passwords
·cybernews.com·
RockYou2024: 10 billion passwords leaked in the largest compilation of all time
Allies agree new NATO Integrated Cyber Defence Centre
Allies agree new NATO Integrated Cyber Defence Centre
The NATO Integrated Cyber Defence Centre (NICC) will enhance the protection of NATO and Allied networks and the use of cyberspace as an operational domain. The Centre will inform NATO military commanders on possible threats and vulnerabilities in cyberspace, including privately-owned civilian critical infrastructures necessary to support military activities.
#nato#EN#2024#NATO#NICC#Cyber-Defence-Centre#Belgium
·nato.int·
Allies agree new NATO Integrated Cyber Defence Centre
Kematian-Stealer : A Deep Dive into a New Information Stealer
Kematian-Stealer : A Deep Dive into a New Information Stealer
Kematian-Stealer is actively being developed and distributed as an open-source tool on GitHub. Our investigation revealed that the stealer’s source code, related scripts, and a builder for generating malicious binaries are hosted under the GitHub account “Somali-Devs.” Significant contributions from the user KDot227 suggest a close link between this account and the development of the stealer. These scripts and stealer are designed to covertly extract sensitive data from unsuspecting users and organizations.
#cyfirma#EN#2024#Kematian-Stealer#open-source#stealer#analysis
·cyfirma.com·
Kematian-Stealer : A Deep Dive into a New Information Stealer
Persistent npm Campaign Shipping Trojanized jQuery
Persistent npm Campaign Shipping Trojanized jQuery
Since May 26, 2024, Phylum has been monitoring a persistent supply chain attacker involving a trojanized version of jQuery. We initially discovered the malicious variant on npm, where we saw the compromised version published in dozens of packages over a month. After investigating, we found instances of the trojanized jQuery
#phylum#EN#2024#Trojanized#jQuery#Supply-chain-attack#npm
·blog.phylum.io·
Persistent npm Campaign Shipping Trojanized jQuery
Distribution of AsyncRAT Disguised as Ebook
Distribution of AsyncRAT Disguised as Ebook
AhnLab SEcurity intelligence Center (ASEC) covered cases of AsyncRAT being distributed via various file extensions (.chm, .wsf, and .lnk). [1] [2] In the aforementioned blog posts, it can be seen that the threat actor used normal document files disguised as questionnaires to conceal the malware. In a similar vein, there have been cases recently where the malware was disguised as an ebook.
#ahnlab#EN#2024#AsyncRAT#Ebook
·asec.ahnlab.com·
Distribution of AsyncRAT Disguised as Ebook
CVE-2024-4577 Exploits in the Wild One Day After Disclosure
CVE-2024-4577 Exploits in the Wild One Day After Disclosure
  • The Akamai Security Intelligence Response Team (SIRT) has been monitoring activity surrounding CVE-2024-4577, a PHP vulnerability that affects installations running CGI mode that was disclosed in June 2024. The vulnerability primarily affects Windows installations using Chinese and Japanese language locales, but it is possible that the vulnerability applies to a wider range of installations. As early as one day after disclosure, the SIRT observed numerous exploit attempts to abuse this vulnerability, indicating high exploitability and quick adoption by threat actors. The exploitations include command injection and multiple malware campaigns: Gh0st RAT, RedTail cryptominers, and XMRig. Akamai App & API Protector has been automatically mitigating exploits that target our customers. In this blog post, we’ve included a comprehensive list of indicators of compromise (IOCs) for the various exploits we discuss.
#akamai#EN#2024#php#mass-exploitation#CVE-2024-4577
·akamai.com·
CVE-2024-4577 Exploits in the Wild One Day After Disclosure
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.
#checkpoint#EN#2024#Internet#Shortcut#Explorer#CVE-2024-38112
·research.checkpoint.com·
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
APT40 Advisory PRC MSS tradecraft in action
APT40 Advisory PRC MSS tradecraft in action
This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea's National Intelligence Service (NIIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) – hereafter referred to as the “authoring agencies” – outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.
#cyber.gov.au#EN#2024#advisory#APT40#Kryptonite-Panda#GINGHAM-TYPHOON#Leviathan#Bronze-Mohawk
·cyber.gov.au·
APT40 Advisory PRC MSS tradecraft in action
BLAST RADIUS
BLAST RADIUS
Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is a very common protocol used for authentication, authorization, and accounting (AAA) for networked devices on enterprise and telecommunication networks.
#blastradius#EN#2024#RADIUS#vulnerability#protocol
·blastradius.fail·
BLAST RADIUS
Hackers target WordPress calendar plugin used by 150,000 sites
Hackers target WordPress calendar plugin used by 150,000 sites
Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely. #Actively #Calendar #Computer #Events #Exploited #File #InfoSec #Modern #Plugin #Security #Upload #Vulnerability #WordPress
#Plugin#Calendar#Events#Vulnerability#File#InfoSec#Actively#WordPress#Security#Upload#Exploited#Modern#Computer
·bleepingcomputer.com·
Hackers target WordPress calendar plugin used by 150,000 sites
Decrypted: DoNex Ransomware and its Predecessors
Decrypted: DoNex Ransomware and its Predecessors
Researchers from Avast have discovered a flaw in the cryptographic schema of the DoNex ransomware and its predecessors. In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024. The  cryptographic weakness was made public at Recon 2024 and therefore we have no reason to keep […]
#avast#EN#2024#Decrypted#DoNex#Ransomware#Muse#Darkrace
·decoded.avast.io·
Decrypted: DoNex Ransomware and its Predecessors