
18 matches found

Packet Storm News
added 2026/05/10 12:0 a.m., 9 views

AgentShield: Deception-Based Compromise Detection for Tool-Using LLM Agents

Defenses against indirect prompt injection (IPI) in tool-using LLM agents share two structural weaknesses. First, they all attempt to prevent attacks rather than detect the compromises that slip through. Second, they have only been evaluated in English, leaving users of low-resource languages such ...

5.8 AI score
Exploits: 0
The Hacker News
added 2024/08/15 11:0 a.m., 22 views

Identity Threat Detection and Response Solution Guide

The Emergence of Identity Threat Detection and Response: Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally...

7.5 AI score
Exploits: 0
OSV
added 2024/01/21 11:56 p.m., 6 views

MAL-2024-141 Malicious code in lunar-sb.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 387a2f7e6dc2c3022b63ec2ea875bfdbcc6ee0fd07b1ff68475859ea718566d5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1
ATTACKERKB
added 2024/01/12 12:0 a.m., 37 views

CVE-2023-46805

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. Recent assessments: cbeek-r7 at January 11, 2024 10:43am UTC reported: CVE-2023-46805 is an...

9.1 CVSS, 9.6 AI score, 0.94412 EPSS
In wild, Exploits: 23, References: 6
Malwarebytes
added 2023/11/24 7:20 p.m., 70 views

Citrix Bleed widely exploited, warn government agencies

In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), along with other international agencies, warn that ransomware gangs are actively exploiting the Citrix Bleed vulnerability. Affiliates of at least two ransomwa...

5 CVSS, 8.3 AI score, 0.94348 EPSS
Exploits: 15
Code423n4
added 2023/05/04 12:0 a.m., 4 views

Zero address Pauser assignment

Lines of code. Vulnerability details. Impact: By exploiting the unpauser role's access to call setPauser with any address input, an attacker could permanently disable a core functionality (pausing/unpausing the token) by assigning a zero address as the pauser. No pauser would mean no ability to freeze...

7 AI score
Exploits: 0
Code423n4
added 2023/05/04 12:0 a.m., 10 views

Access Control Unauthorized access to restricted functions setWithdrawalDelayBlocks

Lines of code. Vulnerability details. Impact: By exploiting the owner's role through social engineering, an attacker could theoretically gain indirect control over any functions that require owner authorization. Specifically, the ability to manipulate withdrawal delays and other critical security...

6.9 AI score
Exploits: 0
OSV
added 2023/04/26 7:45 p.m., 12 views

GHSA-35JJ-VQCF-F2JF Hidden fields can be leaked on readable collections in Payload

Details: If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Affected versions: 1.7.0. Workarounds: If you are unable to update, you can write a beforeOperation hook to remove where queries...

7.4 CVSS, 6.7 AI score, 0.00426 EPSS
Exploits: 0, References: 4
OSV
added 2023/01/31 5:7 a.m., 8 views

MAL-2023-958 Malicious code in waline-magic (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8a36651e1c228b2c1cc270f4d650d20db1da7126756f6ae78b407b803174a517 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1
OSV
added 2022/09/30 10:46 p.m., 20 views

GHSA-5W8R-8PGJ-5JMF matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification

Impact: An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of th...

8.6 CVSS, 8.1 AI score, 0.00294 EPSS
Exploits: 0, References: 7
ThreatPost
added 2021/07/06 3:42 p.m., 132 views

Kaseya Patches Imminent After Zero-Day Exploits

UPDATE 3: The worldwide July 2 attacks on the Kaseya Virtual System/Server Administrator (VSA) platform by the REvil ransomware gang turn out to be the result of exploits for at least one zero-day security vulnerability, and the company is swinging into full mitigation mode, with patches for the...

10 CVSS, 9.8 AI score, 0.54074 EPSS
Exploits: 1, References: 17
Malwarebytes
added 2021/07/02 9:46 p.m., 244 views

UPDATED: Kaseya hijacked, thousands attacked by REvil, fix delayed again

Malwarebytes does not use Kaseya products. Malwarebytes detects the REvil ransomware used in this attack as Sodinokibi. Latest updates: July 7, 8:30 am: Kaseya VSA SaaS platform still offline, not updated as planned. July 6, 3:40 pm: malspam using fake Kaseya security update. July 6, 3:15 am,...

7.5 CVSS, 9.4 AI score, 0.54074 EPSS
Exploits: 1
ThreatPost
added 2020/02/14 1:34 p.m., 56 views

Researchers: Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App

Security researchers have found key flaws in a mobile voting app that some states plan to use in the 2020 election that can allow hackers to launch both client- and server-side attacks that can easily manipulate or even delete someone’s vote, as well as prevent a reliable audit from taking place...

Exploits: 0, References: 9
Node.js
added 2019/08/30 7:55 p.m., 8 views

Malicious Package

Overview: This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation: Remove the package from your environment. There are no indications of further compromise. References: GitHub Advisory...

6.7 AI score
Exploits: 0, Affected Software: 1
Carbon Black Blog
added 2019/04/03 5:0 p.m., 49 views

SANS Reviews the CB Predictive Security Cloud

Understanding The Landscape: Day by day, it is becoming more challenging to keep endpoints secure. In the SANS “Endpoint Protection and Response” survey from 2018, 42% of respondents indicated at least one of their endpoints had been compromised, and another 20% didn’t know if any endpoints had be...

0.5 AI score
Exploits: 0
FireEye
added 2018/04/04 7:0 a.m., 496 views

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain...

0.2 AI score
Exploits: 0
Kitploit
added 2016/01/29 8:30 p.m., 182 views

FastIR Collector - Windows Incident Response Tool

This tool collects different artefacts on live Windows and records the results in csv files. With the analysis of these artefacts, an early compromise can be detected. Requirements: pywin32, python WMI, python psutil, python yaml, construct, distorm3, hexdump, pytz. Execution: ./fastIRx64.py -h for help...

7.1 AI score
Exploits: 0, References: 3
ThreatPost
added 2011/09/13 3:17 p.m., 12 views

GlobalSign Set to Resume CA Operations

GlobalSign is still in the process of completing the investigation into whether its certificate authority infrastructure was compromised, but the company on Tuesday was ready to resume some of its operations under “high-threat” conditions. The company said that it has found evidence that its main...

1.8 AI score
Exploits: 0, References: 2