505 matches found

Veracode
added 2019/06/06 6:29 a.m. | 9 views

Malicious Package

kraken-api is a malicious package. It contains malicious codes in its post-install script which attempt to call home to a Command and Control server to execute arbitrary commands...

7.4 AI score
Exploits: 0

Node.js
added 2019/06/03 7:0 p.m. | 18 views

Malicious Package

Overview Version 0.1.8 of kraken-api contains malicious code as a postinstall script. When installed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Any computer that has this package installed or running should be considered fully compromised...

7.6 AI score
Exploits: 0 | Affected Software: 1

Prion
added 2019/04/30 8:29 p.m. | 11 views

Design/Logic Flaw

/fileman/php/upload.php in doorGets 7.0 has an arbitrary file upload vulnerability. A remote normal registered user can use this vulnerability to upload backdoor files to control the server...

6.5 CVSS | 8.7 AI score | 0.00401 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Carbon Black Blog
added 2019/04/04 4:44 p.m. | 94 views

CB TAU Threat Intelligence Notification: Email VBS Downloader Connects to C2 Server, Downloads Trickbot Payload

Carbon Black recently learned a customer had received a malicious email attached with a zip file which contained a malicious VBS script file. This malicious VBS downloader will connect to a Command & Control server and then download a malicious payload which contains Trickbot onto the victim’s...

1.6 AI score
Exploits: 0

ThreatPost
added 2019/03/27 3:26 p.m. | 92 views

Cybercriminals Have a Heyday with WinRAR Bug in Fresh Campaigns

A recently discovered vulnerability in the WinRAR file archival utility has been exploited in a slew of new campaigns, including one with a never-before-seen payload. The flurry of activity shows no sign of waning as cybercriminals continue to find success exploiting the bug. The campaigns take...

6.8 CVSS | 0.93462 EPSS
Exploits: 13 | References: 9

The Hacker News
added 2018/12/04 7:16 p.m. | 195 views

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomwar...

7.1 AI score
Exploits: 0

Securelist
added 2018/11/12 10:0 a.m. | 175 views

IT threat evolution Q3 2018

Targeted attacks and malware campaigns Lazarus targets cryptocurrency exchange Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around th...

9.3 CVSS | 7.8 AI score | 0.92134 EPSS
Exploits: 13

ThreatPost
added 2018/11/07 3:23 p.m. | 495 views

Rapidly Growing Router Botnet Takes Advantage of 5-Year-Old Flaw

A fresh botnet is spreading across the landscape, targeting router equipment. So far, hundreds of thousands of bot endpoints have already been identified, and they’re apparently being marshaled to send out massive amounts of spam. The botnet first emerged in September, according to 360Netlab...

0.2 AI score
Exploits: 0 | References: 3

Prion
added 2018/10/05 2:29 p.m. | 10 views

XXE

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities XXEs when parsing an XML file. An attack...

3.5 CVSS | 5.5 AI score | 0.00344 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2018/10/05 2:0 p.m. | 16 views

CVE-2018-0414 Cisco Secure Access Control Server XML External Entity Injection Vulnerability

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities XXEs when parsing an XML file. An attack...

5.4 AI score | 0.00344 EPSS
Exploits: 0 | References: 3

CVE
added 2018/10/05 2:0 p.m. | 48 views

CVE-2018-0414

The CVE-2018-0414 issue affects Cisco Secure Access Control Server (ACS) in its web-based UI. The root cause is incorrect handling of XML External Entities (XXEs) when parsing an XML file, enabling an authenticated, remote attacker to obtain read access to information in the affected system by tr...

5.7 CVSS | 5.4 AI score | 0.00344 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Talos Blog
added 2018/09/28 6:14 a.m. | 40 views

Threat Roundup Sept 21 - 28

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by...

0.5 AI score
Exploits: 0

Cisco
added 2018/09/05 4:0 p.m. | 61 views

Cisco Secure Access Control Server XML External Entity Injection Vulnerability

A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities XXEs when parsing an XML file. An attack...

6.5 CVSS | 1.3 AI score | 0.00344 EPSS
Exploits: 0 | References: 1

ThreatPost
added 2018/08/22 2:58 p.m. | 12 views

Triout Malware Carries Out Extensive, Targeted Android Surveillance

A mobile spyware for Android was disclosed today, with extensive, advanced surveillance capabilities that suggest that a sophisticated actor is pulling the strings. Using a recently discovered malware dubbed Triout, bad actors are tapping into the proliferating footprint of Android-based...

7.1 AI score
Exploits: 0 | References: 2

Node.js
added 2018/08/09 6:54 p.m. | 14 views

Malicious Package

Overview All versions of soket.js are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation...

7.5 AI score
Exploits: 0 | Affected Software: 1

The Hacker News
added 2018/07/26 6:43 p.m. | 19 views

CoinVault Ransomware Authors Sentenced to 240 Hours of Community Service

Almost three years after the arrest of two young Dutch brothers, who pleaded guilty to their involvement in creating and distributing CoinVault ransomware malware, a district court in Rotterdam today sentenced them to 240 hours of community service. In 2015, the two suspects — Melvin 25-year-old...

6.8 AI score
Exploits: 0

The Hacker News
added 2018/07/10 2:30 p.m. | 59 views

Gaza Cybergang Returns With New Attacks On Palestinian Authority

Security researchers from Check Point Threat Intelligence Team have discovered the comeback of an APT advanced persistent threat surveillance group targeting institutions across the Middle East, specifically the Palestinian Authority. The attack, dubbed "Big Bang," begins with a phishing email se...

0.7 AI score
Exploits: 0

The Hacker News
added 2018/06/14 3:10 p.m. | 401 views

Chinese Hackers Carried Out Country-Level Watering Hole Attack

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers fr...

9.3 CVSS | 0.6 AI score | 0.94354 EPSS
Exploits: 33

The Hacker News
added 2018/06/07 3:51 p.m. | 119 views

Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attack...

10 CVSS | 1.4 AI score | 0.47145 EPSS
Exploits: 0

Prion
added 2018/06/07 2:29 a.m. | 10 views

Design/Logic Flaw

The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry...

10 CVSS | 9.5 AI score | 0.0032 EPSS
Exploits: 0 | References: 1 | Affected Software: 1