1589 matches found

Hive Pro Threat Advisories
added 2024/02/12 12:05 p.m., 78 views

Critical Vulnerability in FortiOS SSL VPN Exploited in the Wild

Summary: A critical Out-of-Bounds Write vulnerability, CVE-2024-21762, in Fortinet FortiOS SSL-VPN is actively exploited, enabling a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. Threat Level - Red | Vulnerability Report For a detailed threa...

CVSS 7.5 | AI score 8.4 | EPSS 0.92673
Exploits: 10
Hive Pro Threat Advisories
added 2024/02/12 12:00 p.m., 18 views

Albabat Ransomware Infiltrates via Counter-Strike Cheat Utility

Summary: Albabat ransomware made its debut in November 2023, emerging as a financially motivated threat crafted in Rust. This ransomware has targeted both corporate entities and individual consumers across diverse geographical regions. Threat Level - Red | Attack Report For a detailed threat...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/12 11:47 a.m., 41 views

Ivanti Addresses Yet Another VPN Flaw Within a Month

Summary: Ivanti has addressed a newly discovered vulnerability impacting ZTA, Policy, and Connect Secure gateways. Tracked as CVE-2024-22024, this vulnerability stems from a weakness in the SAML component of the gateways related to XXE (XML eXternal Entities), enabling remote attackers to access...

CVSS 7.5 | AI score 7.2 | EPSS 0.94249
Exploits: 1
Hive Pro Threat Advisories
added 2024/02/09 10:48 a.m., 13 views

Volt Typhoon: A Cyber Threat to U.S. Critical Infrastructure

Summary: State-sponsored cyber actors from the People’s Republic of China, known as Volt Typhoon, are actively targeting critical infrastructure in the United States, employing sophisticated tactics like pre-compromise reconnaissance and living off-the-land techniques. Threat Level - Red | Attack...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/08 2:38 p.m., 38 views

JetBrains TeamCity Authentication Bypass Flaw, Paving the Way for Server Takeover

Summary: JetBrains addressed a critical security flaw in its TeamCity On-Premises product. The vulnerability, identified as CVE-2024-23917, could potentially allow an unauthorized attacker with HTTPS access to a TeamCity server to circumvent authentication mechanisms and acquire administrative...

CVSS 7.5 | AI score 7.4 | EPSS 0.72925
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/08 2:24 p.m., 17 views

Deceptive Crypto Sites A Breeding Ground for XPhase Clipper

Summary: A global malware campaign is actively targeting cryptocurrency enthusiasts, employing deceptive websites that masquerade as authentic cryptocurrency applications and ultimately leading to the execution of the XPhase Clipper payload. Threat Level - Amber | Attack Report For a detailed...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/08 2:06 p.m., 45 views

Mispadu Leverages CVE-2023-36025 Vulnerability in Latest Attack

Summary: A new variant of the Mispadu infostealer, a malware known for targeting Spanish and Portuguese speakers, specifically targets Mexican regions and leverages the CVE-2023-36025 vulnerability to gain access. It extends its data theft reach beyond previous versions, capturing browser history...

CVSS 6.8 | AI score 7.4 | EPSS 0.90206
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/08 5:54 a.m., 26 views

FritzFrog Expanding Its Lethal Reach with Frog4Shell

Summary: The recent activities of the FritzFrog Golang-based botnet reveal, across its iterations, the employment of an exploit called Frog4Shell, capitalizing on the Log4Shell vulnerability. Threat Level - Red | Attack Report For a detailed threat advisory, download the pdf file here To...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/07 11:18 a.m., 14 views

Ukraine Hit by Cyber Attack 2,000+ Computers Infected by DIRTYMOE

Summary: The UAC-0027 group executed a sophisticated cyber attack against Ukrainian organizations. Their weapon of choice was the notorious DIRTYMOE (PURPLEFOX) malware. This modular malware has been active for over half a decade and poses a serious threat. Threat Level - Amber | Attack Report For ...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/07 9:43 a.m., 44 views

EventLogCrasher Flaw Not Serviced by Microsoft

Summary: A recently identified vulnerability, known as EventLogCrasher, poses a significant risk to Windows platforms by allowing authenticated attackers to disrupt the Windows Event Log service. This vulnerability affects all iterations of Windows and has yet to be addressed by Microsoft, lackin...

AI score 6.9
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/06 8:54 a.m., 7 views

Summary of Vulnerabilities, Actors & Attacks: January 2024

...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/06 8:18 a.m., 52 views

Attacks, Vulnerabilities and Actors 29 January to 4 February 2024

For a detailed threat digest, download the pdf file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of seven executed attacks, two instances of adversary activity, and six exploited...

CVSS 6.4 | AI score 7.1 | EPSS 0.94319
Exploits: 5
Hive Pro Threat Advisories
added 2024/02/05 7:03 a.m., 267 views

Leaky Vessels in Cloud Environments Shake Docker and Beyond

Summary: Four vulnerabilities, collectively termed Leaky Vessels, have been uncovered within container engine components, specifically affecting the runC command line tool. In the most severe instances, illicit entry into the underlying host operating system could result in the compromise of vita...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/02 3:18 p.m., 50 views

Ivanti Addresses Zero-Day Vulnerability Exploited in Attacks

Summary: Ivanti has addressed two new high-severity vulnerabilities, CVE-2024-21893 and CVE-2024-21888, affecting its Connect Secure and Policy Secure products. CVE-2024-21893, in particular, has been actively exploited in the wild, posing a significant risk to affected systems. Threat Level - Re...

CVSS 6.5 | AI score 7.1 | EPSS 0.94319
Exploits: 7
Hive Pro Threat Advisories
added 2024/02/02 10:35 a.m., 12 views

CISA Known Exploited Vulnerability Catalog January 2024

For a detailed CISA's KEV Catalog, download the pdf file here. Summary: The Known Exploited Vulnerability (KEV) catalog, maintained by CISA, is the authoritative source of vulnerabilities that have been exploited in the wild. It is recommended that all organizations review and monitor the KEV catalog,...

AI score 7.5
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/02 6:02 a.m., 19 views

UNC4990 Leverage Hosting Platforms in USB Infection Chain

Summary: UNC4990, a financially motivated threat actor, has been observed targeting organizations in Italy by utilizing weaponized USB drives as an initial infection vector. Additionally, they are employing trusted websites such as Vimeo, GitHub, and Ars Technica to host encoded payloads disguise...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/01 6:56 a.m., 56 views

Critical Remote Code Execution Flaws Uncovered in Jenkins

Summary: Multiple vulnerabilities have been discovered in Jenkins and a number of associated plugins, allowing attackers to gain unauthorized data access and execute arbitrary commands. The critical vulnerability, CVE-2024-23897, allows attackers to read system files and opens a number of attack vectors...

CVSS 5 | AI score 8.2 | EPSS 0.94466
Exploits: 45
Hive Pro Threat Advisories
added 2024/02/01 6:30 a.m., 16 views

CherryTree Impostor Dubbed CherryLoader Makes Its Move

Summary: CherryLoader, a new Go-based downloader, has surfaced in cyber attacks, masquerading as the legitimate CherryTree note-taking app. This sophisticated threat infiltrates compromised hosts, delivering malicious payloads such as privilege escalation tools for exploitation and persistent...

AI score 7.5
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/30 1:42 p.m., 12 views

Malicious Google Ads Target Chinese Users, Covertly Delivering RATs

Summary: Chinese-speaking users are being targeted in an ongoing malvertising campaign that leverages Google ads. The threat actor employs Google advertiser accounts to create deceptive ads that lure users into downloading Remote Administration Trojans (RATs). The malicious ads are designed to mimi...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/30 1:36 p.m., 16 views

FAUST: A Phobos Ransomware Variant Launches Fileless Attack

Summary: FAUST ransomware, a variant of the Phobos family, exhibits intricate deployment stages, from decoding Base64 data to injecting shellcode. Notably, it employs a fileless attack through an Office document with a VBA script, emphasizing the need for user caution with document files from...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/29 3:10 p.m., 24 views

Midnight Blizzard Exploiting Legacy OAuth for Lateral Movement

Summary: Midnight Blizzard exploited a legacy test OAuth application with elevated access due to a common password and lack of multi-factor authentication (MFA). The attackers leveraged this access to move laterally within Microsoft's network, potentially exfiltrating data and gaining broader contro...

AI score 7.6
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/29 2:47 p.m., 39 views

Attacks, Vulnerabilities and Actors 22 January to 28 January 2024

For a detailed threat digest, download the pdf file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of eight executed attacks, three instances of adversary activity, and three exploited...

CVSS 7.5 | AI score 9.9 | EPSS 0.94354
Exploits: 31
Hive Pro Threat Advisories
added 2024/01/29 12:28 p.m., 25 views

AllaKore RAT’s Grip Tightens on Mexican Financial Institutions

Summary: A threat actor has been targeting Mexican banks and cryptocurrency trading since at least 2021. Using custom installers, the actor distributes a modified version of the AllaKore RAT, an open-source remote access tool. The campaign cleverly mimics the Mexican Social Security Institute IMS...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/26 8:56 a.m., 9 views

New macOS Backdoor Stealthily Stealing Cryptowallets

Summary: macOS users have reported infections resulting from the use of cracked software, exposing a previously undisclosed stealer malware that has the capability to collect data from cryptocurrency wallets and system configurations. Threat Level - Amber | Attack Report For a detailed threat...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/25 1:36 p.m., 8 views

Art of Impersonation Poses a Threat to Korean IT Powerhouses

Summary: Malicious entities have adeptly employed advanced strategies, masquerading as reputable Korean IT companies. The overarching objective is to establish persistence, achieved through the deployment of RATs such as AsyncRAT and VenomRAT. Threat Level - Amber | Attack Report For a detailed...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/25 12:55 p.m., 31 views

Critical GoAnywhere MFT Flaw Allows Attackers to Become Admins

Summary: A critical authentication bypass vulnerability, CVE-2024-0204, in Fortra GoAnywhere MFT enables attackers to create new admin users with full privileges, potentially leading to data exfiltration, malware deployment, and further attacks within the network. Threat Level - Red | Vulnerability...

CVSS 7.5 | AI score 7.4 | EPSS 0.93048
Exploits: 8
Hive Pro Threat Advisories
added 2024/01/25 12:46 p.m., 15 views

Kasseika Ransomware Employs BYOVD Tactic to Impair Defenses

Summary: The ransomware operation Kasseika has recently been identified using the Bring Your Own Vulnerable Driver (BYOVD) tactic. This involves exploiting vulnerabilities in a loaded driver to disable antivirus software before initiating the file encryption process. Through this strategy, the...

AI score 7.4
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/24 1:24 p.m., 43 views

Critical RCE Flaw in Atlassian Confluence Sparks Active Exploitation

Summary: CVE-2023-22527 is a critical Remote Code Execution vulnerability in outdated Atlassian Confluence versions, actively exploited by malicious actors. Immediate patching to recommended versions is crucial, as nearly 40,000 exploitation attempts have been recorded within three days of...

CVSS 7.5 | AI score 7.9 | EPSS 0.94354
Exploits: 31
Hive Pro Threat Advisories
added 2024/01/24 9:39 a.m., 24 views

NS-STEALER Utilizes Discord Bots for Covert Exfiltration of Sensitive Data

Summary: A recently discovered Java-based information stealer, named NS-STEALER, employs a Discord bot channel as an EventListener to exfiltrate sensitive data from compromised hosts. This malware is distributed through ZIP archives that disguise themselves as cracked software. Threat Level - Amb...

AI score 6.8
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/24 9:28 a.m., 8 views

ScarCruft Unleashes Tailored Attacks on Cybersecurity Frontlines

Summary: The ScarCruft APT group is actively targeting media organizations and individuals in the realm of threat intelligence. ScarCruft employs persistent tactics, using phishing emails to deliver RokRAT, a custom-designed backdoor. Threat Level - Amber | Attack Report For a detailed...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/24 8:44 a.m., 38 views

Apple Fixes First Actively Exploited Zero-day of 2024

Summary: The CVE-2024-23222 vulnerability in Apple's WebKit is actively being exploited, as the processing of maliciously crafted web content may result in arbitrary code execution, posing a severe threat to the security and control of affected tvOS, iPhones, iPads, and macOS. Immediate updating i...

AI score 7.4 | EPSS 0.00602
Exploits: 6
Hive Pro Threat Advisories
added 2024/01/23 7:42 a.m., 28 views

Attacks, Vulnerabilities and Actors 15 January to 21 January 2024

For a detailed threat digest, download the pdf file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of six executed attacks, two instances of adversary activity, and eight exploited...

CVSS 6.8 | AI score 7.8 | EPSS 0.00175
Exploits: 1
Hive Pro Threat Advisories
added 2024/01/23 6:56 a.m., 12 views

ZLoader’s Resurgence after Two Years in the Shadows

Summary: Zloader is a highly sophisticated Trojan originating from the leaked Zeus source code. Notable for its adaptive nature, the malware has continuously evolved through each campaign since its debut in August 2015. After nearly two years of dormancy, Zloader reemerged with new iterations. Threat...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/22 3:56 p.m., 8 views

TA866 Makes a Comeback with Extensive Email Campaign

Summary: The threat actor identified as TA866 has returned after a hiatus of nine months, launching a new extensive phishing campaign aimed at distributing well-known malware families like WasabiSeed and Screenshotter. Threat Level - Red | Attack Report For a detailed threat advisory, download th...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/22 9:38 a.m., 13 views

COLDRIVER Expands Beyond Phishing, Incorporating Custom SPICA Backdoor

Summary: The threat actor associated with Russia, known as COLDRIVER or Star Blizzard, has expanded its tactics beyond mere credential harvesting. The group has initiated campaigns where PDFs are employed as lure documents to distribute malware. Notably, COLDRIVER has introduced its first custom...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/22 8:15 a.m., 11 views

Mint Sandstorm’s Campaign Targets Researchers with Novel Backdoor

Summary: Mint Sandstorm, a threat actor, focuses on high-profile individuals involved in Middle Eastern affairs at universities and research organizations. The group utilizes phishing lures in a campaign to socially engineer targets, enticing them to download malicious files that deploy new...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/22 6:37 a.m., 22 views

Androxgh0st Malware Uses Stealthy Tactics in Pilfering Credentials

Summary: The Androxgh0st malware is building a botnet specifically aimed at illicitly obtaining cloud credentials from popular applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. This stolen data is then utilized to disseminate additional harmful payloads...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/18 3:10 p.m., 55 views

GitLab Fixes Critical Account Takeover Vulnerability

Summary: Critical GitLab vulnerability CVE-2023-7028 enables unauthorized users to take over the administrator account without user interaction. Exploiting password reset flaws, attackers can submit two emails, for both the target and the attacker account, leading to complete account takeover. Users wi...

CVSS 5 | AI score 7.3 | EPSS 0.93426
Exploits: 16
Hive Pro Threat Advisories
added 2024/01/18 9:49 a.m., 40 views

Citrix Warns of Critical Netscaler Flaws Actively Exploited in Attacks – Urges Immediate Patching

Summary: Two zero-day security vulnerabilities, identified as CVE-2023-6548 and CVE-2023-6549, have been discovered in NetScaler ADC and NetScaler Gateway. These vulnerabilities are actively exploited in the wild. CVE-2023-6548 affects the NetScaler management interface, potentially leading to...

CVSS 6.4 | AI score 7.8 | EPSS 0.82321
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/18 9:45 a.m., 46 views

Google Fixes First Actively Exploited Chrome Zero-day of 2024

Summary: Google has addressed the first actively exploited Chrome zero-day vulnerability of 2024, identified as CVE-2024-0519. It's a high-severity out-of-bounds memory access weakness in Chrome's V8. Attackers could exploit it to access data beyond the intended memory buffer, potentially leaking...

CVSS 6.8 | AI score 6.3 | EPSS 0.00175
Exploits: 1
Hive Pro Threat Advisories
added 2024/01/17 12:05 p.m., 36 views

Juniper’s Critical RCE Vulnerability Shakes Network Security

Summary: A critical remote code execution (RCE) vulnerability in Juniper Networks products, CVE-2024-21591, affects SRX Series firewalls and EX Series switches. This flaw enables attackers to trigger a Denial-of-Service condition and potentially execute remote code with root privileges. Threat Level ...

CVSS 7.5 | AI score 8.1 | EPSS 0.16695
Exploits: 1
Hive Pro Threat Advisories
added 2024/01/17 9:44 a.m., 9 views

Windows SmartScreen Exploit Paves the Way for Phemedrone Stealer

Summary: The Phemedrone stealer malware campaign exploits a vulnerability in Microsoft Defender SmartScreen. Phemedrone, an open-source information-stealing malware written in C, is designed to extract data from web browsers and cryptocurrency wallets. Threat Level - Red | Attack Report For a...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/16 5:00 p.m., 11 views

New Attacks Target Misconfigured Apache Applications with Monero Miner

Summary: A recently identified attack exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. This attack stands out due to the attackers' utilization of packers and rootkits to conceal the malware, adding an extra layer of complexity and...

AI score 7.1
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/15 3:21 p.m., 9 views

Attacks, Vulnerabilities and Actors 8 January to 14 January 2024

For a detailed threat digest, download the pdf file here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of seven attacks were executed, two vulnerabilities were uncovered, and three active adversaries wer...

AI score 7.8
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/15 12:56 p.m., 41 views

Active Exploitation of Two Critical Flaws in Microsoft SharePoint

Summary: Active attacks targeting a critical Microsoft SharePoint Server vulnerability CVE-2023-29357 pose a severe risk, enabling privilege escalation for potential full administrator access. This flaw, coupled with CVE-2023-24955, allows arbitrary code execution. Immediate patching is crucial, ...

CVSS 7.5 | AI score 8.3 | EPSS 0.94356
Exploits: 11
Hive Pro Threat Advisories
added 2024/01/15 6:12 a.m., 8 views

Medusa Ransomware Unleashed A Growing Cybersecurity Menace

Summary: Medusa ransomware, a potent threat since late 2022, employs a multi-extortion approach via its Medusa Blog, disclosing victim data and pressuring non-compliant organizations. Operating as a ransomware-as-a-service, Medusa's global impact underscores the need for proactive cybersecurity...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/12 5:26 p.m., 15 views

Maliciously Crafted Cracked Software Propagates Lumma Stealer via YouTube

Summary: In an attempt to deceive users into downloading the information-stealing virus Lumma, threat actors are exploiting YouTube videos featuring content related to cracked software. These videos typically include content related to the use of cracked software, accompanied by identical...

AI score 7.4
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/12 5:18 p.m., 9 views

FBot’s Arsenal against the SaaS Giants

Summary: FBot, a Python-based exploit tool, has systematically targeted critical infrastructures, spanning from web servers and cloud services to content management systems (CMS) and major Software as a Service (SaaS) platforms. Its primary objective is to infiltrate these services, acquiring...

AI score 7.2
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/12 11:19 a.m., 6 views

Summary of Vulnerabilities, Actors & Attacks: December 2023

...

AI score 7.3
Exploits: 0
Hive Pro Threat Advisories
added 2024/01/12 7:43 a.m., 38 views

Two Zero-Day Flaws Found in Ivanti Connect Secure and Policy Secure

Summary: The active exploitation of zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure gateways presents a serious threat, allowing unauthorized remote code execution. The actor, recognized as the Chinese nation-state-level entity UTA0178,...

CVSS 6.4 | AI score 7.8 | EPSS 0.94412
Exploits: 23
Total number of security vulnerabilities: 1589