The Updated APT Playbook: Tales from the Kimsuky threat actor group

Co-authors are Christiaan Beek and Raj Samani Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify evolving tactics from...

BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of...

Unveiling the Malicious Tactics of LokiBot Malware

Threat Level Attack Report Follow Hive Pro for a detailed threat advisory, download the pdf file here from HiveForce Labs. Summary LokiBot is a constantly evolving information-stealing malware that creates a backdoor on infected machines to collect sensitive data, and it uses ISO files and API...

Evasion Techniques Uncovered: An Analysis of APT Methods

By Christiaan Beek, with special thanks to Matt Green DLL search order hijacking is a technique used by attackers to elevate privileges on the compromised system, evade restrictions, and/or establish persistence on the system. The Windows operating system uses a common method to look for required...

Mustang Panda APT targets Europe with customized PlugX malware

Threat Level Actor Report For a detailed threat advisory, download the pdf file here Summary The Mustang Panda APT group has been targeting government and public sector organizations across Asia and Europe since at least 2019. Recently, the group has shifted from using archive files to using...

Microsoft Windows CDFS Integer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of I...

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

Major financial and insurance companies located in French-speaking nations in Africa have been targeted over the past two years as part of a persistent malicious campaign codenamed DangerousSavanna. Countries targeted include Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the...

Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations

A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name...

Hackers Using Bumblebee Loader to Compromise Active Directory Services

The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. "Bumblebee operators conduct intensive reconnaissance activities and redirect the...

USN-5558-1: libcdio vulnerabilities

Zhao Liang discovered that libcdio was not properly performing memory management operations when processing ISO files, which could result in a heap buffer overflow or in a NULL pointer dereference. If a user or automated system were tricked into opening a specially crafted file, an attacker could...

USN-5558-1 libcdio vulnerabilities

Zhao Liang discovered that libcdio was not properly performing memory management operations when processing ISO files, which could result in a heap buffer overflow or in a NULL pointer dereference. If a user or automated system were tricked into opening a specially crafted file, an attacker could...

Hackers Abusing BRc4 Red Team Penetration Tool in Attacks to Evade Detection

Malicious actors have been observed abusing legitimate adversary simulation software in their attacks in an attempt to stay under the radar and evade detection. Palo Alto Networks Unit 42 said a malware sample uploaded to the VirusTotal database on May 19, 2022, contained a payload associated wit...

ChromeLoader Browser Hijacker Provides Gateway to Bigger Threats

ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites. However, its use of PowerShell could pose a greater risk by leading to further and advanced malicious activity, such as the propagation of ransomware or spyware or...

Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers

A malvertising threat is witnessing a new surge in activity since its emergence earlier this year. Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of R...

Exchange Servers Speared in IcedID Phishing Campaign

The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers also are using stealthy new payload-delivery tactics to spread the modular malware...

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of...

Mageia: Security Advisory (MGASA-2018-0225)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

SolarWinds attackers launch new campaign

Nobelium is a synthetic chemical element with the symbol No and atomic number 102. It is named in honor of Alfred Nobel. But it is also the name given to the threat actor that is behind the attacks against SolarWinds, the Sunburst backdoor, TEARDROP malware, GoldMax malware, other related...

Huawei EulerOS: Security Advisory for libcdio (EulerOS-SA-2018-1082)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Huawei EulerOS: Security Advisory for libcdio (EulerOS-SA-2018-1081)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...