639 matches found

The Hacker News
added 2023/06/26 5:51 a.m. | 2 views

Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is...

9.8 CVSS | 8.3 AI score | 0.94412 EPSS
Exploits: 8
Hive Pro Threat Advisories
added 2023/05/29 6:51 a.m. | 17 views

PowerExchange Backdoor and Web Shells Breach at UAE Government Agency

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary A high-severity attack targeted a UAE government agency, utilizing a custom PowerShell backdoor named PowerExchange and web shells on Microsoft Exchange servers. To receive real-time threat advisories,...

6.8 AI score
Exploits: 0
Talos Blog
added 2023/05/26 12:0 p.m. | 17 views

What is a web shell?

Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends. Cisco Talos Incident Response recently released our...

7.9 AI score
Exploits: 0
The Hacker News
added 2023/05/25 1:39 p.m. | 93 views

New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government

An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed PowerExchange. According to a new report from Fortinet FortiGuard Labs, the...

7.6 AI score
Exploits: 0
The Hacker News
added 2023/05/25 6:3 a.m. | 2 views

Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of...

6.6 AI score
Exploits: 0
OSV
added 2023/05/20 10:15 a.m. | 1 views

CVE-2023-2712

Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server. This issue affects Rental Module: before 23.05.15...

9.8 CVSS | 7.3 AI score
Exploits: 0 | References: 1
Positive Technologies
added 2023/05/20 12:0 a.m. | 5 views

PT-2023-20965

Name of the Vulnerable Software and Affected Versions Rental Module versions prior to 23.05.15 Description The issue allows Command Injection and enables attackers to upload malicious files, including web shells, to a web server. This is due to an Unrestricted Upload of File with Dangerous Type...

9.8 CVSS | 5.8 AI score | 0.01868 EPSS
Exploits: 0 | References: 8
Talos Blog
added 2023/05/04 6:0 p.m. | 24 views

Threat Source newsletter (May 4, 2023) — Recapping the biggest headlines to come out of RSA

Welcome to this week's edition of the Threat Source newsletter. I didn't attend the RSA Conference in person, and on top of that, I was at the NFL Draft while the conference was going on. I'm behind on the biggest talks, panels and presentations that came out during the annual security conference, s...

6.9 AI score
Exploits: 0
The Hacker News
added 2023/03/23 9:29 a.m. | 2 views

Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell based on tooling overlaps...

6.8 AI score
Exploits: 0
The Hacker News
added 2023/03/15 1:49 p.m. | 41 views

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials...

1.4 AI score
Exploits: 0
OSV
added 2023/02/13 3:15 p.m. | 1 views

CVE-2023-0255

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites...

8.8 CVSS | 5.9 AI score | 0.01391 EPSS
Exploits: 2 | References: 1
NVD
added 2023/02/13 3:15 p.m. | 11 views

CVE-2023-0255

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites...

8.8 CVSS | 8.8 AI score | 0.01391 EPSS
Exploits: 2 | References: 1
Prion
added 2023/02/13 3:15 p.m. | 16 views

Design/Logic Flaw

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites...

6.5 CVSS | 8.8 AI score | 0.01391 EPSS
Exploits: 2 | References: 1 | Affected Software: 1
Cvelist
added 2023/02/13 2:32 p.m. | 16 views

CVE-2023-0255 Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites...

9 AI score | 0.01391 EPSS
Exploits: 2 | References: 1
Positive Technologies
added 2023/02/13 12:0 a.m. | 3 views

PT-2023-16115 · WordPress · Enable Media Replace

Name of the Vulnerable Software and Affected Versions: Enable Media Replace WordPress plugin versions prior to 4.0.2 Description: The issue allows authors to upload arbitrary files to the site, potentially enabling them to upload PHP shells on affected sites. Recommendations: For Enable Media...

8.8 CVSS | 8.7 AI score | 0.01391 EPSS
Exploits: 2 | References: 4
The Hacker News
added 2023/02/02 9:45 a.m. | 154 views

North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the...

9.8 CVSS | 0.3 AI score | 0.94333 EPSS
Exploits: 165
Tenable Nessus
added 2023/01/21 12:0 a.m. | 21 views

FreeBSD : shells/fish -- arbitrary code execution via git (a3b10c9b-99d9-11ed-aa55-d05099fed512)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the a3b10c9b-99d9-11ed-aa55-d05099fed512 advisory. - fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary cod...

7.8 CVSS | 7.5 AI score | 0.0028 EPSS
Exploits: 0 | References: 3
The Hacker News
added 2023/01/14 8:11 a.m. | 75 views

Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to ...

9.8 CVSS | 0.5 AI score | 0.94469 EPSS
Exploits: 52
Microsoft Secure
added 2022/12/12 5:0 p.m. | 29 views

IIS modules: The evolution of web shells and how to detect them

Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Monitoring for...

Exploits: 0
Microsoft Malware Protection
added 2022/12/12 5:0 p.m. | 58 views

IIS modules: The evolution of web shells and how to detect them

Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Monitoring for...

Exploits: 0