
1589 matches found

Hive Pro Threat Advisories
added 2024/03/12 6:27 a.m. | 26 views

Evasive Panda China-Linked Cyberespionage Targeting Tibetans

Summary: Evasive Panda, a threat actor associated with China, has masterminded an intricate cyberespionage campaign targeting Tibetan users since at least September 2023. This operation employs both watering hole and supply chain attacks to achieve its objectives. Threat Level - Red | Attack Repo...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/11 9:51 a.m. | 39 views

Critical VMware Vulnerabilities Leading To Sandbox Escape

Summary: Critical vulnerabilities tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255 have been addressed by VMware. These vulnerabilities allow attackers to bypass virtual machines and execute commands on the host machine. Workstation, Fusion, Cloud Foundation, and VMwa...

4.6 CVSS | 7.6 AI score | 0.04977 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/08 2:1 p.m. | 18 views

TA4903 Spoofing Government Entities and SMBs for Financial Gain

Summary: TA4903, a financially motivated threat actor, conducts high-volume email campaigns targeting U.S. organizations for credential phishing and business email compromise (BEC). They spoof various U.S. government agencies and private businesses, employing tools like EvilProxy and incorporating ...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/08 1:58 p.m. | 9 views

SapphireStealer’s Stealthy Invasion via Deceptive Legal Documents

Summary: An intricate campaign aimed at Russian individuals has emerged, showcasing the SapphireStealer malware, a publicly available information-stealing tool introduced in December 2022. The incorporation of social engineering techniques significantly enhances the efficacy of these campaigns,...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/08 1:49 p.m. | 12 views

Misconfigured Servers Targeted with New Golang Malwares

Summary: In a newly observed malware campaign, threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services. The campaign aims to deliver a cryptocurrency miner and establish a reverse shell for persistent remote...

7.3 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/08 1:27 p.m. | 19 views

GhostSec and Stormous Join Forces for a Ransomware Blitz

Summary: The GhostSec and Stormous ransomware factions have launched a sophisticated campaign. Introducing the GhostLocker 2.0 ransomware and the STMXGhostLocker ransomware-as-a-service (RaaS) initiative, these groups employ double extortion tactics, posing a significant threat to businesses...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/07 4:34 p.m. | 16 views

WogRAT Backdoor Poses Risk to Windows and Linux Users

Summary: WogRAT, a backdoor malware targeting both Windows and Linux, spreads through aNotepad, an online notepad service. It disguises itself as system tools to trick users into downloading it, mainly targeting users in Asia. Users are cautioned to download software from official sources and...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/06 5:58 p.m. | 35 views

Apple Rolls Out Critical Updates to Address Zero-Day Flaws

Summary: Apple has addressed two zero-day vulnerabilities in iOS, namely CVE-2024-23225 and CVE-2024-23296. These vulnerabilities were exploited in attacks targeting mobile devices, providing attackers with arbitrary kernel read and write privileges, enabling them to bypass kernel memory...

4.3 CVSS | 7 AI score | 0.00251 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/06 5:51 p.m. | 13 views

CHAVECLOAK Banking Trojan Sneaks into Brazil’s Financial Hub

Summary: The CHAVECLOAK banking trojan is purposefully crafted to target the banking credentials of individuals in Brazil, highlighting the ongoing focus of cyber criminals on the nation's financial sector. Threat Level - Amber | Attack Report For a detailed threat advisory, download the pdf file...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/06 5:45 p.m. | 15 views

TA577 Targeting Windows NTLM Hashes in Global Campaigns

Summary: TA577, a significant cyber threat group, has shifted tactics to steal NTLM authentication data, utilizing thread hijacking and customized HTML attachments. Organizations should block outbound SMB to thwart exploitation and remain vigilant against evolving attack methods. Threat Level - R...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/06 5:21 p.m. | 32 views

Critical Vulnerabilities Discovered in TeamCity, Enable Server Takeover

Summary: Two vulnerabilities in the JetBrains TeamCity On-Premises software have been discovered: CVE-2024-27198 and CVE-2024-27199. Threat actors may attempt to take advantage of these vulnerabilities in order to breach and gain control of the impacted systems, leading to system compromise. Threat...

7.5 CVSS | 10 AI score | 0.93047 EPSS
Exploits: 24
Hive Pro Threat Advisories
added 2024/03/05 9:15 a.m. | 12 views

Attacks, Vulnerabilities and Actors 26 February to 3 March 2024

For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of eight attacks were executed, twelve vulnerabilities were uncovered, and six active adversaries we...

8.6 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/04 3:41 p.m. | 22 views

New Linux Variant of Bifrost RAT Utilizes Deceptive Domain for Evasion

Summary: A new Linux variant of the Bifrost RAT evades detection using a deceptive VMware domain, aiming to compromise systems. This persistent threat spreads through malicious emails and sites, harvesting sensitive data and now includes an ARM version, emphasizing the need for vigilant...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/04 7:44 a.m. | 11 views

Summary of Vulnerabilities, Actors & Attacks: February 2024

...

7.3 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/04 7:33 a.m. | 10 views

CISA Known Exploited Vulnerability Catalog February 2024

For a detailed CISA's KEV Catalog, download the PDF file here. Summary: The Known Exploited Vulnerability (KEV) catalog, maintained by CISA, is the authoritative source of vulnerabilities that have been exploited in the wild. It is recommended that all organizations review and monitor the KEV catalog,...

7.5 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/04 6:21 a.m. | 15 views

Iranian hackers soar into the defense sectors of the Middle East

Summary: Since June 2022, the hacking group UNC1549, potentially connected to Tortoiseshell (aka Imperial Kitten) and linked with the Iranian IRGC, has implemented distinct backdoors known as MiniBike and MiniBus. Their primary focus lies in targeting defense-related entities in the Middle East...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/03/01 3:8 p.m. | 41 views

Ivanti Gateways Under Attack by Cybercriminals Patch Now

Summary: Cyber threat actors have been exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, including CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, which allow them to bypass authentication and execute arbitrary commands with elevated privileges. Despite...

6.4 CVSS | 8.5 AI score | 0.94412 EPSS
Exploits: 24
Hive Pro Threat Advisories
added 2024/03/01 6:9 a.m. | 22 views

SPIKEDWINE Ploy to Infiltrate EU Diplomatic Circles

Summary: The SPIKEDWINE threat actor has been identified orchestrating a sophisticated cyber operation targeting European Union diplomats with a deceptive wine-tasting event. Its primary goal is to disrupt geopolitical relations between India and Europe through the deployment of a modular backdoo...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/29 3:25 p.m. | 16 views

BlackCat’s Resurgence Despite Law Enforcement Disruptions

Summary: Blackcat, a sophisticated Ransomware-as-a-Service operation, infiltrates networks using advanced social engineering and remote access tools, offering triple extortion tactics and cyber remediation advice for ransom payment, and resurged after a December 2023 disruption, causing widesprea...

7.4 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/29 3:5 p.m. | 29 views

Xeno RAT Open-Source Trojan Sparks Alarm

Summary: The Xeno RAT, a remote access trojan (RAT) available on GitHub, has gained attention in the threat landscape due to its open-source nature. This C-based malware is compatible with both Windows 10 and 11, specifically targeting consumers by presenting itself as disguised binaries that...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/29 1:7 p.m. | 16 views

Uni5 Xposure: The Top 5 Benefits of Integrating With Patch Management Tools

What Does Uni5 Xposure Do? Uni5 Xposure is a comprehensive security solution tailored to conquer the challenges of risk-based vulnerability management and its evolved form, threat exposure management. Through its robust suite of features, Uni5 Xposure offers a dynamic approach to security...

7.5 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/28 7:3 a.m. | 13 views

Unmasking Doppelgänger: Russia’s Disinformation Campaign Revealed

Summary: Doppelgänger, a suspected Russia-aligned influence operation network, targets German audiences with propaganda and disinformation, potentially aiming to sway opinions ahead of elections. Doppelgänger employs coordinated social media activities and a dynamic infrastructure to maximize it...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/28 6:59 a.m. | 14 views

Abyss Locker’s Substantial Threat Explored

Summary: Abyss Locker ransomware surfaced in July 2023, deriving from the HelloKitty ransomware source code, indicating a lineage predating its official release. Similar to other ransomware variants, Abyss Locker infiltrates corporate networks, exfiltrates data for extortion, and encrypts devices...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/28 1:33 a.m. | 15 views

LockBit’s Resurgence After Operation Cronos

Summary: LockBit ransomware, previously known as "ABCD," remains a significant threat despite the recent takedown of its operations by global law enforcement. It reemerged within 4 days, and its affiliates were found exploiting vulnerabilities in ScreenConnect to install LockBit ransomware and...

7.3 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/27 7:44 a.m. | 35 views

Attacks, Vulnerabilities and Actors 19 to 25 February 2024

For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of fifteen attacks were executed, five vulnerabilities were uncovered, and five active adversaries...

7.5 CVSS | 8 AI score | 0.94352 EPSS
Exploits: 9
Hive Pro Threat Advisories
added 2024/02/27 7:17 a.m. | 29 views

Apple Shortcuts’ Secret Threat to Your Data

Summary: A security vulnerability, identified as CVE-2024-23204, has been found in Apple's Shortcuts application, allowing unauthorized access to sensitive information on devices bypassing TCC. The capability for users to export and share these shortcuts heightens the susceptibility to potential...

5 CVSS | 6.8 AI score | 0.00189 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/26 1:2 p.m. | 13 views

Migo Targets Redis Servers for Cryptojacking Attacks

Summary: A new campaign has been uncovered that mines cryptocurrencies on Redis servers running Linux hosts by means of a malicious programme known as "Migo." Migo is distributed as a Golang ELF binary that can persist on Linux hosts and is obfuscated at compile time. The malware uses a variety o...

7.3 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/26 12:57 p.m. | 23 views

Roundcube Webmail Faces Unrelenting Exploitation

Summary: The Roundcube email server vulnerability, identified as CVE-2023-43770 and previously mitigated in September 2023, is currently being actively exploited. This flaw enables attackers to gain access to restricted information, with potential repercussions including sensitive data theft, use...

5.8 CVSS | 7.2 AI score | 0.80839 EPSS
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/23 6:45 a.m. | 34 views

Critical Vulnerabilities in ScreenConnect Under Active Exploitation

Summary: Critical vulnerabilities in ScreenConnect: CVE-2024-1709 allows attackers unauthorized access without credentials, while CVE-2024-1708 enables remote code execution. Hackers can gain direct access to confidential information or critical systems. Immediate patching is essential to mitigate...

7.5 CVSS | 8.1 AI score | 0.94352 EPSS
Exploits: 9
Hive Pro Threat Advisories
added 2024/02/23 6:41 a.m. | 20 views

Earth Preta’s DOPLUGS Leaves its Mark in Asia

Summary: The Chinese threat actor, Earth Preta, strategically targeted numerous Asian countries by employing a customized version of the PlugX backdoor known as DOPLUGS. This sophisticated threat was allegedly revealed during the SMUGX campaign in July 2023. Threat Level - Red | Attack Report For...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/23 6:37 a.m. | 16 views

VietCredCare Operates As Stealer-as-a-Service, Targeting Meta Sessions

Summary: Since August 2022, a previously unidentified information stealer known as VietCredCare has emerged. This stealer is notable for its capability to automatically sort through credentials specifically for the service it targets. The primary objective of threat actors employing VietCredCare ...

6.9 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/23 6:15 a.m. | 20 views

RansomHouse’s MrAgent Reshaping Automation in Cyber Attacks

Summary: The RansomHouse group, operating as a Ransomware-as-a-Service (RaaS) entity, has recently introduced a sophisticated tool named MrAgent aimed at automating the deployment of its data encrypter across multiple hypervisors. Threat Level - Amber | Attack Report For a detailed threat advisory,...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/21 2:22 p.m. | 18 views

Kimsuky Exploits Legitimate Certificate to Disseminate TrollAgent

Summary: The Kimsuky group, backed by North Korea, used TrollAgent malware via a fake security program to target a Korean construction association's website, stealing data and enabling remote control between December 2023 and January 2024. Threat Level - Amber | Attack Report For a detailed threat...

7.3 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/21 2:17 p.m. | 28 views

Admins Urged to Uninstall VMware EAP Amid Critical Flaws

Summary: VMware has issued a warning to administrators regarding two unaddressed security vulnerabilities necessitating the removal of an outdated authentication plugin. Identified as CVE-2024-22245 and CVE-2024-22250, these vulnerabilities enable session hijacking and authentication relay attack...

6.8 CVSS | 7.7 AI score | 0.0072 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/21 2:13 p.m. | 16 views

North-Korean Cyber-Espionage Operations Grapples Defense Sector

Summary: There is an ongoing cyber-espionage campaign purportedly led by the North Korean threat actors, specifically targeting the global defense industry. The primary objective of these attacks is to acquire data pertaining to advanced military technology, with the intention of assisting North...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/21 2:7 p.m. | 19 views

Iranian Threat Actor Adapts Tactics to Stay One Step Ahead

Summary: Charming Kitten, an Iranian threat actor, has recently been linked to a series of attacks targeting the Middle East. This campaign involves deploying a new backdoor called BASICSTAR through a deceptive webinar portal. Threat Level - Red | Attack Report For a detailed threat advisory,...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/20 11:51 a.m. | 40 views

Attacks, Vulnerabilities and Actors 12 to 18 February 2024

For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of eight attacks were executed, five vulnerabilities were uncovered, and three active adversaries we...

5.8 CVSS | 7.5 AI score | 0.9377 EPSS
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/20 11:19 a.m. | 32 views

Akira Ransomware Exploits Cisco Flaw for Maximum Impact

Summary: The Akira ransomware has been identified for utilizing the Cisco AnyConnect SSL VPN as its initial access vector, specifically exploiting the CVE-2020-3259 vulnerability. Despite Cisco addressing this vulnerability with patches released in May 2020, the threat remains prevalent. Threat...

5 CVSS | 7.2 AI score | 0.69725 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/20 11:9 a.m. | 11 views

Novel Smishing Kit Leverages Cloud Platform

Summary: SNS Sender, a malicious Python script that leverages AWS SNS for mass SMS spamming, presents a novel approach to cloud-based attack tools, particularly in the area of smishing. The ARDUINODAS threat actor is linked to the operation that uses this cloud capability to send out a lot of...

6.8 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/19 8:18 a.m. | 10 views

A Fresh Look at the Bumblebee’s Comeback Strategies

Summary: BumbleBee, a malicious loader discovered in March 2022, resurfaced in the cyber threat landscape on February 8, 2024, after a four-month hiatus. Unlike in previous campaigns, this attack chain diverges from conventional techniques. Threat Level - Amber | Attack Report For a detailed thre...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/19 8:8 a.m. | 11 views

Turla Expands Their Arsenal with Next-Generation Malwares

Summary: In December 2023, a new backdoor dubbed TinyTurla-NG was deployed by the Russia-affiliated threat actor Turla as part of a three-month campaign targeting Polish non-governmental organizations (NGOs). The threat actor utilized malicious PowerShell scripts hosted on various websites,...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/19 5:35 a.m. | 42 views

Water Hydra Exploits CVE-2024-21412 to Target Financial Traders

Summary: Water Hydra exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen, targeting financial traders with DarkMe malware through sophisticated spearphishing tactics. This underscores the persistent threat of APT groups and highlights the challenge of defending against evolving atta...

5.8 CVSS | 7 AI score | 0.9377 EPSS
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/15 1:48 p.m. | 34 views

Critical Flaw in Zoom Windows Apps Allows Privilege Elevation

Summary: Zoom has addressed an input validation flaw (CVE-2024-24691) that renders the Zoom desktop and VDI clients, along with the Meeting SDK for Windows, vulnerable to privilege escalation on the target system via the network, even by an unauthenticated attacker. Threat Level - Red | Vulnerabili...

6.8 CVSS | 7.5 AI score | 0.00331 EPSS
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/15 1:21 p.m. | 13 views

Rhysida Ransomware’s Decryptor is Now in Action

Summary: The Rhysida ransomware-as-a-service (RaaS) group poses a significant global threat, targeting diverse sectors. Recently, an implementation vulnerability in the source code of the Rhysida ransomware has been discovered. By exploiting this vulnerability to reconstruct encryption keys, it...

7.2 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/15 1:17 p.m. | 55 views

Microsoft’s February 2024 Patch Tuesday Addresses Two Zero-day Vulnerabilities

Summary: Microsoft's February 2024 Patch Tuesday addresses 73 vulnerabilities, including actively exploited zero-days, spanning various products like Office, Exchange Server, and Windows Kernel. Critical flaws in Windows SmartScreen (CVE-2024-21351), Internet Shortcut Files (CVE-2024-21412), and Microso...

7.5 CVSS | 7.1 AI score | 0.9377 EPSS
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/14 12:33 p.m. | 19 views

New Backdoor Masquerading as a Software Update Agent, Targets macOS

Summary: Apple macOS users are currently being targeted by a newly discovered Rust-based backdoor known as RustDoor. This backdoor masquerades as an update for Microsoft Visual Studio and is designed to target both Intel and Arm architectures. RustDoor is equipped with various commands, enabling ...

6.5 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/14 12:28 p.m. | 19 views

The Zardoor Backdoor’s Silent Takeover of Saudi Charities

Summary: An espionage operation, designed to distribute a backdoor called Zardoor, was uncovered with evidence suggesting it dates back to March 2021. In May 2023, this meticulously orchestrated campaign specifically targeted non-profit organizations in Saudi Arabia. Threat Level - Amber | Attack...

7.1 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/13 5:40 p.m. | 10 views

Centralizing Your Threat Exposure Visibility In One Place

Modern cybersecurity functions staffed with only a handful of analysts and engineers rely on more than 10 tools to manage their IT infrastructure and security. Most of these tools, mainly scanners, produce large amounts of data such as logs, alerts, and reports, each contributing to the...

7.8 AI score
Exploits: 0
Hive Pro Threat Advisories
added 2024/02/13 11:12 a.m. | 30 views

Attacks, Vulnerabilities and Actors 5 to 11 February 2024

For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of five attacks were executed, six vulnerabilities were uncovered, and two active adversaries were...

6.8 CVSS | 7.6 AI score | 0.90206 EPSS
Exploits: 2
Hive Pro Threat Advisories
added 2024/02/13 9:59 a.m. | 15 views

Coyote: A Sophisticated Banking Trojan Targeting Financial Information

Summary: A new banking trojan called Coyote is currently targeting more than 60 banking institutions, primarily in Brazil. The malware distributes itself using the Squirrel installer and executes its infection process using Node.js and Nim, a relatively new multi-platform programming language...

7.2 AI score
Exploits: 0
Total number of security vulnerabilities: 1589