Gartner: “Organizations Must Expand From Threat to Exposure Management in 2023”
...
A New Emerging CatB Ransomware Using DLL Hijacking to Evade Detection
Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary CatB is a ransomware that uses a technique called DLL hijacking to evade detection. It does this by injecting itself into the Microsoft Distributed Transaction Coordinator MSDTC service, a legitimate...
Synology addresses the RCE vulnerability that affects VPN Plus servers
Vulnerability Report. Summary: Synology has addressed a flaw in VPN Plus Server that could allow an attacker to take control of affected systems. The vulnerability, identified as CVE-2022-43931, is an out-of-bounds write fault in Synolo...
Summary of Vulnerabilities & Threats: December 2022
...
Linux malware leverages plugin exploits to backdoor WordPress sites
Attack Report. Summary: WordPress sites are being exploited by an unidentified strain of Linux malware that exploits flaws in plugins and compromises the sites by injecting malicious JavaScripts that are run sequentially until...
Malware Distribution via Google PPC by IcedID Botnet Distributors
Attack Report. Summary: The IcedID botnet has been using Google pay-per-click ads to distribute itself through malvertising attacks since December 2022. Malvertising involves the use of malicious ads that are displayed in searc...
Actors, Threats and Vulnerabilities 26 December 2022 – 02 January 2023
...
WordPress plugin has been exploited in the wild to mount backdoors
Vulnerability Report. Summary: Malicious actors are actively exploiting a critical vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plugin in order to plant backdoors on e-Commerce sites. The security flaw...
Trading platforms are in jeopardy due to ArkeiStealer
Attack Report. Summary: Threat actors are currently disseminating ArkeiStealer via Windows Installer binaries disguised as trading applications. The trading application has been backdoored with the SmokeLoader downloader, which...
New Ransomware Variants Created Using Leaked Conti Source Code
Attack Report. Summary: The leaked source code of the Conti ransomware has been used to create new strains of the ransomware. These new strains, which include Putin Team, ScareCrow, BlueSky, and Meow ransomware, are being distributed...
The Linux kernel has several security flaws
Vulnerability Report. Summary: The Linux kernel contains a vulnerability that allows remote attackers to execute arbitrary code on affected installations. This vulnerability can be exploited without authentication, but...
Bluenoroff Bypasses MoTW to Target Japanese Organizations
Actor Report. Summary: Bluenoroff is known for targeting financial institutions and government organizations and has been active since at least 2014. From September onwards, Bluenoroff threat actors added a new feature that...
Actors, Threats and Vulnerabilities 19 – 25 December 2022
...
SideCopy APT Launches Phishing Campaign Against Indian Government
Actor Report. Summary: The latest malicious activity of the SideCopy threat actors is the STEPPYKAVACH attack campaign, which was notably active in 2021 and was originally related to Pakistan. The most recent malicious attack...
Campaigns Spread InfoStealer Malware Targeting Italy, Germany, and Turkey
Attack Report. Summary: A number of campaigns have been launched that spread InfoStealer malware written in the .NET programming language using phishing emails, Windows Shortcut (LNK) files, and Batch Scripts (BAT). Based on the...
GuLoader’s Advanced Anti-Analysis Techniques
Attack Report. Summary: GuLoader is an advanced malware downloader that uses polymorphic shellcode to bypass traditional security solutions. In GuLoader, all embedded DJB2 hash values are mapped against every API used by the...
Vice Society gang switches to new custom ransomware
Attack Report. Summary: Vice Society is a well-established ransomware group that has successfully targeted a range of enterprises. They aim to maximize their financial gain by using the standard double extortion strategy. In...
Microsoft Rolled Out SPNEGO NEGOEX Critical Vulnerability
Vulnerability Report. Summary: Microsoft updated the severity level of the CVE-2022-37958 vulnerability from high to critical after discovering that threat actors can use the vulnerability to execute code remotely...
Ekipa RAT A High-Priced and Evolving Threat for Targeted Attacks
Attack Report. Summary: Ekipa is a remote access trojan (RAT) that is used for targeted attacks and can be purchased on underground forums for a high price of $3,900. It primarily spreads and operates through the use of Microsoft...
Nokoyawa 2.0 A Reworked Rust-Based Ransomware
Attack Report. Summary: Nokoyawa is a 64-bit Windows-based ransomware family that first appeared in early February 2022. The threat group behind Nokoyawa conducts double-extortion ransomware attacks, first stealing data from...
Two Zero-day Supply Chain Attacks Found in the Python Package Index
Attack Report. Summary: A zero-day supply chain attack called "aioconsol" was discovered on December 9, 2022 in a Python package published on the Python Package Index (PyPI) on December 6, 2022. All three versions of the package...
Gamaredon APT cyber feud strikes Ukrainian entities
Attack Report. Summary: One of the most ubiquitous, intrusive, consistently active, and laser-focused APTs targeting Ukraine in cyberspace is the Gamaredon group, also known as Shuckworm. Gamaredon Group has employed fast...
New Exploit Method that Bypasses ProxyNotShell Mitigations
Attack Report. Summary: A new exploit method has been found that bypasses the URL rewrite mitigations for the Microsoft Exchange ProxyNotShell vulnerability and allows remote code execution (RCE) on compromised servers through Outlook W...
RisePro: A New Threat Emerges on the Russian Online Marketplace
Attack Report. Summary: RisePro is a type of malware that has been designed to steal sensitive information from infected computers and send it back to the attacker. It was first seen being sold on the illegal Russian online...
Apple addresses macOS Dirty Cow, Achilles, and other flaws
Vulnerability Report. Summary: Apple addressed multiple vulnerabilities in macOS Monterey. These vulnerabilities affect different functionalities such as Bluetooth, BOM, DriverKit, File System, IOHIDFamily, Kernel, and...
Outlining a new SiestaGraph backdoor
Attack Report. Summary: The Foreign Affairs Office of an Association of Southeast Asian Nations (ASEAN) member is targeted by multiple threat actors who are coordinating active campaigns via a vulnerable Microsoft Exchange server...
Multiple Old Vulnerabilities Actively Exploited in Cisco Products
Vulnerability Report. Summary: Several old security vulnerabilities are being actively exploited in Cisco IOS, NX-OS, and HyperFlex software, some of which can be exploited to bypass authentication and gain full control of the impact...
Actors, Threats and Vulnerabilities 12 – 18 December 2022
...
Samba addressed a series of severe vulnerabilities
Vulnerability Report. Summary: Samba is a free, open-source Windows interoperability suite that provides file server, printer, and Active Directory services for Linux, Unix, and macOS operating systems. Samba has resolved a set of...
Agenda ransomware made its return with a Rust variant
Attack Report. Summary: After BlackCat, Hive, Luna, and RansomExx, Agenda is the latest ransomware strain to use the cross-platform programming language Rust. The ransomware-as-a-service (RaaS) group Agenda, attributed to an...
VMware tackles security flaws in ESXi and vRealize
Vulnerability Report. Summary: VMware released security updates to address a critical-severity vulnerability affecting ESXi, Workstation, Fusion, and Cloud Foundation, as well as a critical-severity command injection flaw...
China-based MirrorFace APT group targeting Japanese Political Entities
Actor Report. Summary: A Chinese-speaking APT group named MirrorFace has been conducting spearphishing campaigns that deliver the LODEINFO backdoor, targeting Japanese political entities since June 29, 2022, and this campaign operatio...
Mallox Ransomware is Ramping up its Operation
Attack Report. Summary: Mallox ransomware strains have been spotted in the wild, indicating that the ransomware is operational, propagating rapidly, and infecting entities. An unknown .NET-based loader distributes these Mallox...
A New GoLang Botnet named GoTrim BruteForcing multiple CMS
Attack Report. Summary: A new botnet, GoTrim, has been scanning and brute-forcing websites running four content management systems: WordPress, DataLife Engine, Joomla!, and OpenCart. The GoTrim botnet is written in the Go programming...
Citrix ADC and Gateway Zero-Day Vulnerability Exploited by APT5
Attack Report. Summary: Patch Tuesday for December tackles two zero-day vulnerabilities, one of which is being actively exploited (CVE-2022-44698) and another that was publicly disclosed at the time of release (CVE-2022-44710), alo...
Microsoft addresses actively exploited zero-day and numerous critical flaws
Vulnerability Report. Summary: Patch Tuesday for December tackles two zero-day vulnerabilities, one of which is being actively exploited (CVE-2022-44698) and another that was publicly disclosed at the time of release...
The Cloud Atlas Perpetual Threat aims to persuade entities in Russia
Actor Report. Summary: Cloud Atlas is a cyberespionage gang. Since their discovery in 2014, they have launched repeated, highly focused attacks on critical infrastructure across geographical zones and political disputes. As...
MuddyWater is back with new techniques
Actor Report. Summary: MuddyWater used Dropbox links and document attachments with URLs redirecting to ZIP archives as lures in its campaign, which also utilized compromised corporate email accounts. In addition to using Remote...
Active exploitation of the Fortinet pre-auth RCE vulnerability
Vulnerability Report. Summary: Fortinet has addressed a critical security flaw in its FortiOS SSL-VPN product, which is being actively exploited in the wild. The heap-based buffer overflow bug in FortiOS sslvpnd is listed as...
Actors, Threats and Vulnerabilities 5 – 11 December 2022
...
Truebot exploits vulnerability in Netwrix to deploy Clop Ransomware
Attack Report. Summary: Truebot, discovered in 2017 and linked to the Silence group, has affected more than 1,500 systems worldwide with shellcode, Cobalt Strike beacons, Grace malware, the Teleport tool, and Clop...
Hive Pro includes Breach & Attack Simulation as a feature in its Threat Exposure Management Platform
...
Iran-based Agrius deploys Fantasy wiper to attack IT firms in Israel
Attack Report. Summary: The Iran-based Agrius group has targeted Israel and the United Arab Emirates since 2020. In the beginning, the group deployed a wiper called Apostle, disguised as ransomware, which was later modified into...
Internet Explorer Zero-Day Vulnerability Exploited by APT 37
Attack Report. Summary: North Korean hackers identified as APT37 exploited a previously unknown Internet Explorer zero-day vulnerability to infect South Koreans, North Korean defectors, policymakers, journalists, and human righ...
Fortinet addresses Authentication Bypass in addition to numerous flaws
Vulnerability Report. Summary: Fortinet addressed security flaws across its products, including a high-severity authentication bypass affecting FortiOS and FortiProxy, tracked as CVE-2022-35843, in the FortiOS SSH login component. Onl...
New Botnet named Zerobot Exploiting Multiple Vulnerabilities
Vulnerability Report. Summary: A new botnet named ‘Zerobot’ has two variants, both written in the Go programming language; the first variant was discovered on 18 Nov 2022, and within a short time, on 24 Nov 2022, the second variant was...
US Defense & NGOs fall prey to Russian hackers
Actor Report. Summary: The Russian state-sponsored group Calisto is linked to spoofing Microsoft login pages of Global Ordnance, a legitimate U.S. military weapons and hardware supplier. According to some, the themed domains are...
BlackMagic Ransomware disrupts the Israeli logistics sector
Attack Report. Summary: The latest ransomware entity, known as "BlackMagic", has emerged. This gang targets its victims using a double extortion approach in which it initially exfiltrates the victim's data, followed by encryption...
Linux flaws could be chained together to achieve root access
Vulnerability Report. Summary: Two vulnerabilities, CVE-2022-41974 and CVE-2022-41973, can be exploited either individually or in combination to achieve local privilege escalation, the first potentially causing a symlink attack a...
BackdoorDiplomacy targets the telecom industry in the Middle East
Actor Report. Summary: BackdoorDiplomacy, an advanced persistent threat (APT) gang with roots in China, is most likely behind a hostile campaign targeting the Middle East. The espionage action, aimed at a Middle Eastern telecom...