Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-01-02 18:39:30 |
Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation (direct link) |
A recent claim that a critical zero-day vulnerability existed in the popular open-source file archiver 7-Zip has been met with skepticism from the software's creator and other security researchers. |
Vulnerability
Threat
|
|
★★★
|
 |
2025-01-02 16:23:00 |
Cross-Domain Attacks: A Growing Threat to Modern Security and How to Combat Them (direct link) |
In the past year, cross-domain attacks have gained prominence as an emerging tactic among adversaries. These operations exploit weak points across multiple domains – including endpoints, identity systems and cloud environments – so the adversary can infiltrate organizations, move laterally and evade detection. eCrime groups like SCATTERED SPIDER and North Korea-nexus adversaries such as FAMOUS |
Threat
Cloud
|
|
★★
|
 |
2025-01-02 16:06:02 |
DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective (direct link) |
A Primer for Senior Stakeholders What is DORA (Digital Operational Resilience Act)? The Digital Operational Resilience Act (DORA) is... |
Threat
|
|
★★
|
 |
2025-01-02 13:00:53 |
Building Cyber Resilience with Trofi Security and Check Point (direct link) |
As the digital threat landscape grows increasingly complex, organizations are under mounting pressure to secure their environments against a variety of risks, from ransomware and phishing to sophisticated zero-day exploits. Businesses need security solutions that not only prevent breaches but are also straightforward to deploy, manage, and adapt as their needs evolve. Trofi Security serves a diverse range of customers, from small startups to large enterprises, addressing their unique challenges with tailored solutions. While small and mid-sized businesses (SMBs) often face hurdles like limited IT capabilities and budgets, Trofi ensures they are not left behind, delivering robust, scalable cyber security […]
|
Ransomware
Vulnerability
Threat
|
|
★★
|
 |
2025-01-01 18:54:00 |
New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites (direct link) |
Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites.
The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo.
"Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said. |
Vulnerability
Threat
|
|
★★★
|
 |
2025-01-01 16:10:00 |
A Snake in the Net: Defending Against AiTM Phishing Threats and Mamba 2FA (direct link) |
Phishing-as-a-Service (PhaaS) platforms have lowered entry barriers for cybercriminals, leading to sophisticated AiTM phishing attacks. Darktrace's AI-driven solutions, including Darktrace / EMAIL, effectively counter these threats by identifying and neutralizing phishing attempts. Recently, Darktrace investigated a notable example involving MFA. Read about the Threat Research team's findings here. |
Threat
|
|
★★
|
 |
2024-12-31 20:53:15 |
What You Need to Know about the US Treasury Breach – and How to Protect Your Organization from a “Major Incident” (direct link) |
US officials have announced that threat actors linked to China have leveraged vulnerabilities in BeyondTrust's remote support software to steal documents in what Treasury Department officials called a “major incident” in a letter to lawmakers. The investigation is still ongoing, but we can outline several key details, insights, and remediation pathways based on available facts. According to reports, the attack leveraged two specific vulnerabilities in BeyondTrust's remote support software: CVE-2024-12356 (CVSS 9.8): A critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) software that allowed unauthorized attackers to gain access through improperly validated API endpoints. CVE-2024-12686 (CVSS […]
|
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-31 20:28:31 |
Inside FireScam: An Information Stealer with Spyware Capabilities (direct link) |
## Snapshot
FireScam is a sophisticated Android malware distributed via phishing websites hosted on GitHub.io.
## Description
Posing as a “Telegram Premium” app, it mimics the RuStore app store to trick users into downloading a malicious APK dropper. Once installed, FireScam initiates a multi-stage infection process, deploying spyware that surveils the device extensively. It exfiltrates sensitive data, including messages, notifications, and e-commerce transactions, to Firebase Realtime Database endpoints.
Key capabilities of FireScam include monitoring notifications across multiple apps, capturing clipboard content, and logging device activity, such as screen state changes and user engagement. The malware also employs obfuscation techniques and sandbox detection mechanisms to evade security tools, ensuring persistence on compromised devices. Additionally, it utilizes Firebase for command-and-control communication and data exfiltration, further obscuring its malicious activities.
FireScam exploits dynamic broadcast receivers and permissions to gain backdoor access to sensitive device events. Its phishing website delivers a realistic Telegram login page via WebView to steal credentials. Advanced tactics like profiling the device environment and using WebSocket connections enhance its stealth and operational success.
## Recommendations
- Only install applications from trusted sources and official stores.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
- Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications.
- Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
- Evaluate whether [Microsoft Defender for Internet of Things (IoT)](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/overview) services are applicable to your IoT environment.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:AndroidOS/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:AndroidOS/Multiverze)
## References
[Inside FireScam: An Information Stealer with Spyware Capabilities](https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/). CYFIRMA (accessed 2024-12-30)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited. |
Malware
Tool
Threat
Mobile
|
|
★★★
|
 |
2024-12-31 20:19:48 |
Four-Faith Industrial Routers Vulnerability Exploited in the Wild to Gain Remote Access (direct link) |
## Snapshot
A post-authentication vulnerability in Chinese-manufactured Four-Faith industrial routers, identified as [CVE-2024-12856](https://security.microsoft.com/intel-explorer/cves/CVE-2024-12856/), is being exploited in the wild to execute unauthenticated remote command injections.
## Description
This flaw is being leveraged by attackers using the router's default credentials to gain remote access, possibly affecting Four-Faith customers in various sectors including industrial automation, factories and manufacturing plants, power grids, renewable energy plants, water utilities, and transportation and logistics for fleet management and vehicle tracking for real-time data transmission. The vulnerability, which affects at least two router models (F3x24 and F3x36), involves the exploitation of the /apply.cgi endpoint over HTTP. Furthermore, a Censys scan indicated that approximately 15,000 internet-facing devices were vulnerable to the attack. Attackers manipulate the adj_time_year parameter during system time modifications with the submit_type=adjust_sys_time action to inject OS commands, which can be used to gain unauthorized remote access or launch reverse shells. For instance, GB Hackers documented an example of a malicious payload sent through a POST, where the running process on the vulnerable device showed the execution of the injected commands. VulnCheck has observed malicious activity from the IP address 178.215.238[.]91 attempting to exploit this vulnerability with a payload matching earlier patterns. DucklingStudio's blog post from November 2024 also confirmed the active exploitation of this vulnerability, though they saw a different payload than GB Hackers. VulnCheck informed Four-Faith about the vulnerability on December 20.
## Recommendations
GB Hackers reports that organizations using Four-Faith routers are strongly encouraged to:
1. **Change Default Credentials**: Immediately update the default login credentials to secure values.
2. **Patch Systems**: Consult Four-Faith for available firmware updates or patches targeting CVE-2024-12856.
3. **Monitor Network Traffic**: Deploy the Suricata rule provided to detect ongoing exploit attempts.
4. **Segregate Networks**: Isolate industrial control systems (ICS) from external networks to reduce attack vectors.
The VulnCheck Initial Access team wrote the following Suricata rule to detect CVE-2024-12856 on the wire:
```
alert http any any -> any any ( \
    msg:"VULNCHECK Four-Faith CVE-2024-12856 Exploit Attempt"; \
    flow:to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/apply.cgi"; startswith; \
    http.header_names; content:"Authorization"; \
    http.request_body; content:"change_action="; \
    content:"adjust_sys_time"; \
    pcre:"/adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]/"; \
    classtype:web-application-attack; \
    reference:cve,CVE-2024-12856; \
    sid:12700438; rev:1;)
```
Microsoft recommends detecting critical data security risks before they evolve into real incidents, using reconnaissance and vulnerability scanning to identify security weaknesses that could be used in a cyberattack.
- Regularly update and patch software to protect against known vulnerabilities, using [Microsoft Defender vulnerability management dashboard](https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-dashboard-insights). Read more about how [vulnerability management](https://www.microsoft.com/en-us/security/business/security-101/what-is-vulnerability-management) works. Additionally, [integrate your Security Inform |
Tool
Vulnerability
Threat
Industrial
|
|
★★★
|
 |
2024-12-31 16:56:00 |
New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy (direct link) |
The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens' personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
"This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our |
Threat
|
|
★★★
|
 |
2024-12-31 11:12:00 |
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents (direct link) |
The United States Treasury Department said it suffered a "major cybersecurity incident" that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
"On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based |
Threat
|
|
★★★★
|
 |
2024-12-30 21:54:28 |
Treasury workstations hacked by China-linked threat actors (direct link) |
According to a letter sent to Senate leaders and obtained by CyberScoop, the compromises occurred through third-party software provider BeyondTrust, which provides identity and access management security solutions.
|
Threat
|
|
★★★
|
 |
2024-12-30 21:53:26 |
Catching "EC2 Grouper" no indicators required! (direct link) |
## Snapshot
The threat actor known as "EC2 Grouper" has been identified as a prolific entity in cloud-based attacks, particularly within AWS environments. EC2 Grouper is recognized for their consistent use of AWS tools for PowerShell, as indicated by their user agent strings, and a distinct security group naming convention that appends a sequential combination of numbers to "ec2group."
## Description
Their attacks often involve the CreateSecurityGroup API to facilitate remote access and lateral movement. The group's activities appear to be automated, with API calls to inventory EC2 types and retrieving information about available regions. Additionally, the group gathers details on VPCs, security groups, account attributes, service quotas, and existing EC2 instances. They also attempt to launch new EC2 instances using the security groups they create. The primary method of initial infiltration for EC2 Grouper is believed to be through compromised cloud access keys that are mistakenly committed to public code repositories.
Once these credentials are obtained, EC2 Grouper launches their attacks, which are often accompanied by attacks from other threat actors. Despite the automation and the use of specific APIs, there has been no observed manual activity or actions based on objectives in compromised cloud environments, suggesting that the accounts may have been detected and quarantined before further escalation. The general objective of EC2 Grouper is suspected to be resource hijacking, although the specific end goals remain unconfirmed. Detection strategies include looking for legitimate secret scanning services and correlating various signals to reduce false positives.
## References
[Catching "EC2 Grouper"- no indicators required](https://www.fortinet.com/blog/threat-research/catching-ec2-grouper-no-indicators-required). Fortinet (accessed 2024-12-30)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited. |
Tool
Threat
Cloud
|
|
★★★
|
 |
2024-12-30 19:16:07 |
Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) (direct link) |
## Snapshot
ASEC reports that the Andariel threat group has resumed attacks to distribute SmallTiger malware, targeting Korean software solutions, including asset management and document management tools.
## Description
ASEC reports that the Andariel group (tracked by Microsoft as [Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)) exploits vulnerabilities in asset management solutions to gain control over systems. Most of these attacks resulted in the installation of ModeLoader. In one case, the attackers used [brute-force](https://security.microsoft.com/threatanalytics3/d44f2c6d-6901-4967-82b7-7ffe4f7276e7/overview) and dictionary attacks on exposed update servers to replace update programs with malicious versions, enabling them to distribute SmallTiger. In recent cases, researchers have found SmallTiger in the installation paths of asset management solutions alongside a keylogger. This keylogger stored captured keystrokes in the temporary file "MsMpLog.tmp." The attackers also configured infected systems for future Remote Desktop Protocol (RDP) access. Additionally, they deployed an open-source tool called CreateHiddenAccount to add and conceal a backdoor account.
The threat group also targets document management solutions by exploiting outdated Apache Tomcat web servers. After gaining initial access, they query system information and install an Advanced Port Scanner. They then install a web shell via PowerShell commands with the download server also identified as the command-and-control server address for SmallTiger.
## Microsoft Analysis and Additional OSINT Context
[Microsoft researchers determined](https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/) that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable. [In February 2024](https://asec.ahnlab.com/ko/73907/), ASEC first identified SmallTiger targeting South Korean defense and manufacturing organizations. Subsequently, in May 2024, Microsoft observed Onyx Sleet conducting attacks using SmallTiger, specifically targeting South Korean defense organizations. Onyx Sleet is a North Korea-affiliated activity group that conducts cyber espionage through numerous campaigns with the goal of intelligence gathering and financial gain. The threat actor utilizes a wide range of custom tools and malware, while maintaining a consistent attack chain approach, especially to organizations of interest to North Korean intelligence, such as those in the defense, engineering, and energy sectors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Maintain good [cyber hygiene](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/cyber-hygiene) and follow online safety best practices to help prevent keylogging.
- Install antivirus software. Many antivirus software options now include anti-keylogger and anti-spyware protection. This software can help you identify and avoid keylogging malware. Installing and keeping antivirus software up to date helps prevent data theft.
- Regularly update security settings, and if a device is no longer receiving updates, strongly consider replacing it with a new device.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Avoid downloading files from unsafe websites or clicking links in an email from an unknown sender. Phishing has become more sophisticated, so you should be cautious of clicking links or downloading attachments from peopl |
Malware
Tool
Vulnerability
Threat
|
APT 45
|
★★
|
 |
2024-12-30 16:35:58 |
On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE (direct link) |
An account with the name @NSA_Employee39 claimed to have dropped a zero-day vulnerability for the popular file archive software 7-Zip. Nobody could get it to work. |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-30 16:00:00 |
Catching "EC2 Grouper"- no indicators required! (direct link) |
Get detailed tactics associated with EC2 Grouper and how Lacework FortiCNAPP can be leveraged to detect this threat. |
Threat
|
|
★★★
|
 |
2024-12-30 13:22:42 |
Why MFA is Good, but Not Good Enough: The Need for Defense-in-Depth to Combat MFA Bypass (direct link) |
Over the past decade multifactor authentication (MFA) has risen to become a cornerstone of modern cybersecurity. However, during that time as user authentication sophistication has improved, so have cybercriminal tactics. Just look at the rise of MFA bypass techniques.
Despite the ability of attackers to get past MFA, beliefs about its near perfection persist. Recent Proofpoint research shows that almost half of all accounts that were taken over by bad actors had MFA configured. Yet 89% of security professionals consider MFA a complete protection against account takeover. Clearly, there's a disconnect.
That's why a robust defense-in-depth approach is needed now more than ever. Layered security can help mitigate MFA bypass and reduce the likelihood of a significant breach that stems from an account takeover. In this blog post, we'll explore why MFA is not enough and give you some tips to better protect your organization.
MFA bypass techniques
MFA is effective because it requires users to authenticate with multiple factors. It combines something they know (typically their password) with something they have (an authenticator app or token) or with something they are (like a face scan). While this sounds very secure, threat actors have found multiple ways to bypass MFA. Many of these tactics are highly sophisticated:
- Phishing attacks. In these attacks, users are tricked by cybercriminals into entering MFA codes or their login credentials into websites that are controlled by the attackers.
- MFA fatigue attacks. After threat actors steal a user's password, they initiate a barrage of MFA push notifications. This can confuse users, leading them to approve the access request just to make the notifications stop.
- Session hijacking. With this technique, attackers steal session cookies post-authentication. This makes the preceding MFA-based authentication moot.
- SIM-swapping. This technique compromises SMS-based MFA by transferring the target's phone number to the attacker. To accomplish this, the threat actor needs to socially engineer the mobile carrier or have an insider at the organization.
- Pure social engineering. Most organizations have a way for remote workers to reset their passwords and MFA configurations without having to show up in person. However, without proper online identity verification, the IT helpdesk can be socially engineered into handing over a spoofed employee's credentials to the threat actor.
- Adversary-in-the-middle attacks. Attacker tools, like the specialized phishing kit Evilginx, intercept session tokens. Those tokens are then relayed to legitimate services, which grant attackers access.
Check out this demo of an adversary-in-the-middle attack enabled by Evilginx, which Proofpoint Account Takeover Protection can detect and stop.
Why MFA alone is not enough
No doubt, MFA adds a valuable layer of user authentication security. And this makes it harder for threat actors to break in. But the bypass techniques that are described above show why it's so risky to rely on any single security defense mechanism. The increasing prevalence of successful MFA bypass attacks just shows that determined attackers can adapt to overcome broadly deployed protections.
While it might seem obvious, it's still important to always keep in mind that MFA should only be part of a larger security program. It's not a definitive defense. The whole point of defense-in-depth is that implementing additional layers of security reduces the likelihood of a successful attack, even if one layer is breached.
Implementing a defense-in-depth strategy
A defense-in-depth approach involves multiple, overlapping security measures. This creates redundancies and reduces an attacker's ability to exploit any vulnerabilities. Here's how organizations can bolster their defenses against MFA bypass:
Strengthen endpoint protection. Deploy endpoint detection and response (EDR) tools to identify and mitig |
Tool
Vulnerability
Threat
Mobile
Cloud
|
|
★★
|
 |
2024-12-30 12:02:43 |
Weekly OSINT Highlights, 30 December 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea's Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging social engineering, compromised software repositories, and ransomware-as-a-service to achieve their objectives. These campaigns predominantly target high-value organizations and unpatched systems, emphasizing the importance of addressing known vulnerabilities and monitoring for sophisticated attack chains.
## Description
1. [StealBit Data Exfiltration Tool](https://sip.security.microsoft.com/intel-explorer/articles/68a374b4): The LockBit ransomware group employs StealBit as part of its ransomware-as-a-service program, facilitating data theft in double extortion attacks. Recent updates to the tool broaden its target base and enhance efficiency, allowing faster data exfiltration and streamlined operations.
1. [FICORA and CAPSAICIN Botnets](https://sip.security.microsoft.com/intel-explorer/articles/77c183a0): FortiGuard Labs observed global activity from the FICORA and CAPSAICIN botnets, exploiting long-standing vulnerabilities in D-Link devices. These botnets, targeting unpatched systems, leverage DDoS capabilities and advanced features to dominate infected devices, focusing on East Asia and other global regions.
1. [OtterCookie and the Contagious Interview Campaign](https://sip.security.microsoft.com/intel-explorer/articles/b5a152a8): North Korean actors deploy OtterCookie malware through fake job offers to developers, targeting cryptocurrency wallets and sensitive data. Infection methods include compromised GitHub and npm projects, with evolving variants enhancing data theft and lateral movement.
1. [TraderTraitor's $308 Million Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/9cd8b8b5): The North Korean TraderTraitor group stole $308 million from Japan's DMM Bitcoin, leveraging LinkedIn for social engineering and GitHub for malware delivery. By compromising a Japanese cryptocurrency wallet company, the group infiltrated systems to manipulate legitimate transactions.
1. [Lazarus Group's DeathNote Campaign](https://sip.security.microsoft.com/intel-explorer/articles/3b7cea68): Lazarus Group continues targeting industries like aerospace and cryptocurrency through Operation DreamJob, using trojanized tools and DLL side-loading techniques. Recent attacks deploy advanced malware strains to evade detection, establish persistence, and enable lateral movement within targeted systems.
1. [Cloud Atlas 2024 Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/caa75881): Cloud Atlas targets Eastern Europe and Central Asia with phishing emails exploiting Equation Editor vulnerabilities, delivering VBShower and VBCloud malware. These tools use PowerShell scripts for data theft, lateral movement, and exfiltration, with region-specific tactics to avoid detection.
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited. |
Ransomware
Malware
Tool
Vulnerability
Threat
Cloud
|
APT 38
|
★★
|
 |
2024-12-30 09:54:31 |
30th December – Threat Intelligence Report (lien direct) |
For the latest discoveries in cyber research for the week of 30th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours […] |
|
Ransomware
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-30 02:31:15 |
Understanding Data Leaks: Causes, Consequences, and Prevention Strategies (lien direct) |
Imagine a seemingly minor misconfiguration in your cloud storage or an employee accidentally emailing a sensitive file to the wrong person. These incidents might seem trivial, but they can quickly snowball into a massive data breach, causing financial consequences. This scenario is a stark reminder of the importance of understanding and preventing data leaks. Data leaks are a threat to organizations, and developers can play a crucial role in preventing them. Understanding the causes and consequences of data leaks and implementing robust security measures can significantly reduce your... |
Data Breach
Threat
Cloud
|
|
★★
|
 |
2024-12-30 01:00:00 |
Deepfakes, Quantum Attacks Loom Over APAC in 2025 (lien direct) |
Organizations in the region should expect to see threat actors accelerate their use of AI tools and mount ongoing "harvest now, decrypt later" attacks for various malicious use cases. |
Tool
Threat
|
|
★★
|
 |
2024-12-29 18:20:11 |
It's only a matter of time before LLMs jump start supply-chain attacks (lien direct) |
'The greatest concern is with spear phishing and social engineering' Interview Now that criminals have realized there's no need to train their own LLMs for any nefarious purposes - it's much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real.… |
Threat
|
|
★★★
|
 |
2024-12-29 10:09:28 |
Malware botnets exploit outdated D-Link routers in recent attacks (lien direct) |
Two botnets tracked as 'Ficora' and 'Capsaicin' have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions. [...] |
Malware
Threat
|
|
★★
|
 |
2024-12-28 15:52:01 |
FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks (lien direct) |
Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks. |
Vulnerability
Threat
|
|
★★
|
 |
2024-12-28 11:55:00 |
15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials (lien direct) |
A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck.
The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36.
The severity of the shortcoming is lower due to the fact that it only works |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-27 23:12:00 |
North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign (lien direct) |
North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie.
Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into |
Malware
Threat
|
|
★★★
|
 |
2024-12-27 20:35:48 |
Inside the LockBit Arsenal - The StealBit Exfiltration Tool (lien direct) |
## Snapshot
The Cybereason Global Security Operations Center (GSOC) has analyzed StealBit, a data exfiltration tool developed by the LockBit ransomware group
## Description
StealBit is provided to affiliates as part of LockBit's ransomware-as-a-service program and is used to exfiltrate data from compromised systems to facilitate double extortion attacks. The tool has evolved over time, incorporating new features aimed at enhancing evasion and efficiency. Notably, while older versions avoided execution on systems in certain countries, including Russia, Ukraine, Belarus, Tajikistan, Armenia, Azerbaijan, Georgia, Kazakhstan, Kyrgyzstan, Turkmenistan, Uzbekistan, and Moldova, newer versions have removed this restriction, broadening their target base.
StealBit employs the I/O completion port threading model to optimize data exfiltration efficiency, allowing for parallel processing of multiple files and reducing the overall time required for exfiltration. It also supports interprocess communication between multiple StealBit processes on a single system, enabling scalable designation of files for exfiltration. Additionally, StealBit offers a drag-and-drop feature for operators with graphical user interface access, enhancing usability. However, some features, such as data compression and hidden operation modes, are not fully implemented, potentially exposing the malware's presence on compromised systems.
## Microsoft Analysis and Additional OSINT Context
StealBit is a data exfiltration tool associated with the LockBit ransomware group, particularly noted for its use in LockBit 2.0 operations.
It facilitates the rapid transfer of stolen data to attacker-controlled endpoints, supporting the group\'s double extortion tactics. StealBit is sometimes employed alongside other tools like Rclone or WinSCP to exfiltrate data before encryption.
## Recommendations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn't detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use [device discovery](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=magicti_ta_learndoc) brings together incident and alert management across email, devices, and identities, centralizing investigations for threats in email. Organizations can also leverage web browsers tha |
Ransomware
Malware
Tool
Threat
|
|
★★★
|
 |
2024-12-27 16:40:00 |
Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia (lien direct) |
The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024.
"Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code," Kaspersky researcher Oleg |
Malware
Vulnerability
Threat
Cloud
|
|
★★
|
 |
2024-12-27 16:14:14 |
New 'OtterCookie' malware used to backdoor devs in fake job offers (lien direct) |
## Snapshot
NTT Security Japan reports that North Korean threat actors have been deploying a new malware, 'OtterCookie,' as part of the [Contagious Interview](https://security.microsoft.com/intel-explorer/articles/9ce29d67) campaign.
## Description
The campaign lures developers with fake job offers to deliver malware, including BeaverTail and InvisibleFerret. [NTT Security Japan](https://jp.security.ntt/tech_blog/contagious-interview-ottercookie) reports that the new malware came out around September 2024, with a new variant emerging in November 2024. OtterCookie is delivered through a loader that executes JavaScript code fetched as JSON data, and it's been observed executed alongside BeaverTail and by itself. The infection vector includes Node.js projects or npm packages from GitHub or Bitbucket, and more recently, files built as Qt or Electron applications. Once on the target device, OtterCookie establishes a secure connection with its C2 infrastructure using the socket.io WebSocket tool. It can steal sensitive data such as cryptocurrency wallet keys using the checkForSensitiveData function. The November variant uses a library called clipboardy to remotely send clipboard content. Also, it can execute reconnaissance commands like 'ls' and 'cat' to explore the environment for further infiltration or lateral movement. The evolution of malware and the diversification of infection methods suggest that the threat actors are experimenting with new tactics.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- [Help prevent social engineering attacks](https://www.microsoft.com/en-us/security/security-insider/emerging-threats/feeding-from-the-trust-economy-social-engineering-fraud?ocid=magicti_ta_blog) by not blending personal accounts with work emails or work-related tasks. Avoid opening emails, attachments, and links, including links from social networks, from suspicious sources. Ask yourself if the sender is who they say they are before clicking anything. Be wary of senders and offers. Do a search to determine if the offer is legitimate or a trap.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Practice the [principle of least privilege and building credential hygiene](https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself?ocid=magicti_ta_blog#defending-against-ransomware). Avoid the use of domain-wide, admin-level service accounts. Restricting local admin |
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-27 12:41:00 |
FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks (lien direct) |
Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
"These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings |
Vulnerability
Threat
|
|
★★
|
 |
2024-12-27 11:33:21 |
Hackers exploit DoS flaw to disable Palo Alto Networks firewalls (lien direct) |
Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot. [...] |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-27 10:39:23 |
Cybersecurity firm's Chrome extension hijacked to steal users' data (lien direct) |
At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users. [...] |
Threat
|
|
★★
|
 |
2024-12-27 10:00:46 |
Threat landscape for industrial automation systems in Q3 2024 (lien direct) |
The ICS CERT quarterly report covers the threat landscape for industrial automation systems in Q3 2024. |
Threat
Industrial
|
|
★★
|
 |
2024-12-27 10:00:00 |
This month in security with Tony Anscombe – December 2024 edition (lien direct) |
From attacks leveraging new zero-day exploits to a major law enforcement crackdown, December 2024 was packed with impactful cybersecurity news |
Vulnerability
Threat
Legislation
|
|
★★
|
 |
2024-12-26 14:00:00 |
Emerging Threats & Vulnerabilities to Prepare for in 2025 (lien direct) |
From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months. |
Vulnerability
Threat
Prediction
|
|
★★★
|
 |
2024-12-26 11:53:10 |
New 'OtterCookie' malware used to backdoor devs in fake job offers (lien direct) |
North Korean threat actors are using new malware called OtterCookie in the Contagious Interview campaign that is targeting software developers. [...] |
Malware
Threat
|
|
★★★
|
 |
2024-12-26 10:58:01 |
Researchers Uncover Dark Web Operation Entirely Focused on KYC Bypass (lien direct) |
iProov uncovers a major Dark Web operation selling stolen identities with matching biometrics, posing a serious threat to KYC verification systems |
Threat
|
|
★★
|
 |
2024-12-26 10:00:00 |
Surfshark One: digital protection reimagined (lien direct) |
– Article in partnership with Surfshark –
Faced with the multiplication of online threats, Surfshark is shaking up the rules with its One offering. Far from the usual fragmented solutions, this bundle brings together the essential tools for complete digital security, powered by an antivirus that had already redefined the market's standards.
It must be said that the Surfshark antivirus does not do things by halves. Tested (notably) by the independent laboratory AV-TEST, it achieved excellence with a 6/6 in Protection and Usability, complemented by a solid 5.5/6 in Performance. Results that speak for themselves and once again show the seriousness of the company. They did not skip steps by trying to do everything at once. First they established themselves with the VPN you know well, then they expanded their catalogue with their suite of security tools. Including an antivirus built on the engine of one of the most recognized antivirus products on the market, Avira. |
Tool
Threat
|
|
★★
|
 |
2024-12-25 22:24:39 |
SEO Poisoning: How Cybercriminals Are Turning Search Engines into Traps (lien direct) |
Stay protected from SEO poisoning, a cyber threat exploiting search engine rankings to spread malware and phishing scams.… |
Malware
Threat
|
|
★★
|
 |
2024-12-25 17:39:39 |
Adobe Warns Of Critical ColdFusion Flaw With PoC Exploit (lien direct) |
Adobe has issued an out-of-band security update to address a critical ColdFusion vulnerability, which has a proof-of-concept (PoC) exploit code that is publicly available.
The vulnerability identified as CVE-2024-53961 (CVSS score: 7.4) arises from a path traversal flaw, which impacts Adobe ColdFusion versions 2023 (Update 11 and earlier) and 2021 (Update 17 and earlier).
If exploited, this flaw can enable attackers to gain unauthorized access to arbitrary files on compromised servers, potentially exposing data.
“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.
For those unaware, ColdFusion is an application server and web programming language that facilitates dynamic web page creation by enabling communication with back-end systems based on user input, database queries, or other criteria.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an advisory released on Monday.
Adobe has assigned the flaw a “Priority 1” severity rating, the highest possible level, due to the “higher risk of being targeted by exploit(s) in the wild for a given product version and platform.”
The company has released emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12). It has recommended users install these patches “within 72 hours” to mitigate any potential security risks associated with this critical flaw.
Further, Adobe has suggested that users apply the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While Adobe has yet to confirm any active exploitation of the vulnerability, it has urged users to review the updated serial filter documentation to safeguard against insecure WDDX deserialization attacks. |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-24 15:10:00 |
North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin (lien direct) |
Japanese and U.S. authorities have formally attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.
"The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces," the agencies said. "TraderTraitor activity is often characterized by targeted social |
Threat
|
|
★★★
|
 |
2024-12-23 20:06:03 |
Lazarus Group Targets Nuclear Industry with CookiePlus Malware (lien direct) |
KEY SUMMARY POINTS Securelist by Kaspersky has published its latest threat intelligence report focused on the activities of… |
Malware
Threat
|
APT 38
|
★★★★
|
 |
2024-12-23 13:46:44 |
Weekly OSINT Highlights, 23 December 2024 (lien direct) |
## Snapshot
Last week\'s OSINT reporting revealed a variety of cyberattack trends, with phishing, malware, and supply chain attacks remaining prominent tactics across multiple industries. Attackers frequently exploit trust within organizations and communities, as seen in campaigns targeting security professionals with trojanized tools and compromised repositories, such as the MUT-1244 attack. Additionally, phishing continues to be a primary vector for delivering malware, ranging from credential harvesters like BellaCPP and Zloader to backdoors like CLNTEND and Glutton. Attackers are increasingly refining their techniques with evasion methods, such as DNS tunneling, obfuscated payloads, and exploiting vulnerabilities in software like ERP systems and cloud services. Threat actors span various regions and sectors, with notable focus on defense, government, financial, and technology targets, in the EMEA, APAC, and LATAM regions.
## Description
1. [WikiKit Campaigns Target Industries With Phishing Kits](https://security.microsoft.com/intel-explorer/articles/81b47d0d): WikiKit targets industries such as automotive, manufacturing, and healthcare, leveraging phishing kits with corporate branding to harvest credentials. The campaign uses advanced evasion techniques like tamper-proof JavaScript and CAPTCHA checks to bypass detection and continues to evolve.
2. [BellaCPP Malware Linked to Charming Kitten](https://security.microsoft.com/intel-explorer/articles/725329cd): BellaCPP malware demonstrates sophisticated persistence techniques and SSH tunneling capabilities. Found alongside an older BellaCiao sample on an infected machine in Asia, it highlights attackers' evolving strategies to maintain network access, emphasizing the importance of thorough network investigations.
3. [Zloader Evolves With Enhanced DNS Tunneling](https://security.microsoft.com/intel-explorer/articles/9d76113f): Zloader malware now uses a custom DNS tunnel for C2 communications, advanced anti-analysis techniques, and GhostSocks payloads. Its evolving role as an initial access broker for ransomware highlights its growing sophistication and targeted infection methods.
4. [FlowerStorm Rises Amid Rockstar2FA Collapse](https://security.microsoft.com/intel-explorer/articles/ff7a63bc): After technical failures disrupted Rockstar2FA, FlowerStorm emerged with similar phishing infrastructure targeting North America and Europe. The service industry has been heavily impacted by these campaigns, which share backend similarities and operational overlap.
5. [Holiday-Themed Phishing Attacks Exploit Seasonal Urgency](https://security.microsoft.com/intel-explorer/articles/f8198f90): Threat actors exploit the holiday season with targeted lures, delivering malware like Remcos RAT and executing fraud schemes. Campaigns impersonate airlines, HR departments, and nonprofits to steal credentials, money, or sensitive information.
6. [IAM User Exploitation Targets Cloud LLM Models](https://security.microsoft.com/intel-explorer/articles/729893a5): Attackers exploited compromised IAM keys to access AWS environments and attempt unauthorized use of Bedrock LLM models. Despite privilege escalation efforts, Service Control Policies thwarted their attempts to invoke APIs for further abuse.
7. [Lumma Stealer Campaign Abuses Ad Networks](https://security.microsoft.com/intel-explorer/articles/994ccfa2): The Lumma Stealer malware campaign used Monetag ad networks to target users with malicious PowerShell commands disguised as CAPTCHA solutions. The malware harvests sensitive data and continues to resurface despite takedowns of compromised ad accounts.
8. [Evolved NodeStealer Variant Targets Facebook Ads and Financial Data](https://security.microsoft.com/intel-explorer/articles/f7587417): Trend Micro's Managed XDR team identified an evolved Python-based NodeStealer variant targeting Facebook Ads Manager accounts, credit card details, and browser-stored data. Spear-phishing emails in Bahasa Melayu, with poorly translated subject lines, were used to target an |
Ransomware
Malware
Tool
Vulnerability
Threat
Prediction
Medical
Cloud
Technical
|
|
★★★
|
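Item 3 above notes that Zloader now moves C2 traffic over a custom DNS tunnel. The linked write-up's own indicators and encoding are not reproduced on this page, so the following is an added example, not code from that analysis: a generic hunt over DNS query logs that scores subdomain payloads by length and Shannon entropy and then aggregates per apex domain, since a tunnel shows up as one apex receiving a stream of high-entropy, almost never repeated subdomains. The thresholds, the naive "last two labels" apex split and the log lines are all assumptions constructed for the example.

```python
"""Heuristic hunt for DNS-tunnel style C2 in DNS query logs.

Added illustration, not code or indicators from the Zloader analysis:
thresholds are assumptions tuned for the common pattern (high-entropy
encoded data packed into subdomains of one apex, almost never repeated)
and the log lines below are constructed.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client> <qtype> <qname>".
# The hex subdomains are permutations of 0-9a-f, so each payload has an
# entropy of exactly 4 bits/char; real encoded tunnel payloads land in that range.
SAMPLE_LOG = """\
1735000000 10.0.0.5 A www.example.com
1735000001 10.0.0.5 A mail.example.com
1735000002 10.0.0.5 A www.example.com
1735000003 10.0.0.5 A e12345.dscb.cdn-static.example
1735000004 10.0.0.5 A 0123456789abcdef.fedcba9876543210.cdn-update.example
1735000005 10.0.0.5 TXT 123456789abcdef0.0fedcba987654321.cdn-update.example
1735000006 10.0.0.5 A 23456789abcdef01.10fedcba98765432.cdn-update.example
1735000007 10.0.0.5 TXT 3456789abcdef012.210fedcba9876543.cdn-update.example
1735000008 10.0.0.5 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (apex, subdomain). Assumption: apex = last two labels; use a
    public-suffix list in production so co.uk-style suffixes are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def subdomain_features(sub: str) -> dict:
    """Length and entropy of the subdomain payload with label dots removed."""
    payload = sub.replace(".", "")
    return {
        "length": len(payload),
        "entropy": shannon_entropy(payload),
        "labels": len(sub.split(".")) if sub else 0,
        "hex_like": re.fullmatch(r"[0-9a-f]{16,}", payload) is not None,
    }


def is_suspicious(qtype: str, feats: dict) -> bool:
    """Per-query heuristic. Thresholds are assumptions, not Zloader indicators."""
    if feats["length"] >= 30 and feats["entropy"] >= 3.2:
        return True
    # TXT/NULL responses usually carry the downstream channel; accept shorter queries there.
    if qtype in {"TXT", "NULL"} and feats["length"] >= 20 and feats["entropy"] >= 3.0:
        return True
    return False


def find_tunnel_candidates(log_text: str, min_suspicious: int = 3,
                           min_unique_ratio: float = 0.8) -> dict:
    """Aggregate per apex and flag apexes whose queries are mostly unique and
    mostly suspicious, which is what encoded-payload subdomains look like."""
    per_apex = defaultdict(lambda: {"queries": 0, "suspicious": 0,
                                    "subs": set(), "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        apex, sub = split_qname(qname)
        rec = per_apex[apex]
        rec["queries"] += 1
        rec["subs"].add(sub)
        rec["clients"].add(client)
        if is_suspicious(qtype, subdomain_features(sub)):
            rec["suspicious"] += 1
    flagged = {}
    for apex, rec in per_apex.items():
        unique_ratio = len(rec["subs"]) / rec["queries"]
        if rec["suspicious"] >= min_suspicious and unique_ratio >= min_unique_ratio:
            flagged[apex] = {"queries": rec["queries"],
                             "suspicious": rec["suspicious"],
                             "unique_ratio": round(unique_ratio, 2),
                             "clients": sorted(rec["clients"])}
    return flagged


if __name__ == "__main__":
    for apex, info in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {apex} {info}")
```

On the constructed log only `cdn-update.example` is flagged (four suspicious queries, every subdomain unique); the legitimate names are short and repetitive and never reach the thresholds. Per-apex aggregation is the part worth keeping: a single long hex label is common in CDNs and anti-spam lookups, but dozens of never-repeating ones to one apex from one client is not.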
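Item 6 above describes stolen IAM keys used to reach Bedrock, with a Service Control Policy blocking the model-invocation calls even after the attacker escalated privileges inside the account. The reason an SCP holds where IAM policies do not is that it bounds every principal in the account, including any new admin the attacker creates. The following is an added example, not the policy from that incident: a small model of SCP evaluation (explicit deny wins, an explicit allow is otherwise required) applied to a guardrail SCP that denies `bedrock:InvokeModel` and `bedrock:InvokeModelWithResponseStream` to everyone except one approved role. The role name, account ID and principal ARNs are placeholders, only `ArnLike`/`ArnNotLike` on `aws:PrincipalArn` is modelled, and `Resource` is not evaluated.

```python
"""Why an SCP stops a stolen key even after in-account privilege escalation.

Added illustration, not the policy from the incident. Models the subset of
SCP evaluation the scenario needs: an action is permitted only if some SCP
statement allows it and none denies it. Role and account IDs are placeholders;
Resource is not evaluated (both policies use "*").
"""
import fnmatch
import json

# AWS Organizations attaches this default SCP to every account.
FULL_AWS_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Assumed guardrail SCP (placeholder role name): deny model invocation for
# every principal in the account except one approved application role.
DENY_BEDROCK_INVOCATION = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "DenyBedrockInvokeExceptApprovedRole",
   "Effect": "Deny",
   "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
   "Resource": "*",
   "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ApprovedBedrockAppRole"}}
 }]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement: dict, action: str) -> bool:
    # IAM action names are case-insensitive; "*" and "?" are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action", [])))


def _condition_matches(statement: dict, principal_arn: str) -> bool:
    """Supports ArnLike/ArnNotLike on aws:PrincipalArn only; anything else
    raises so the simplification cannot silently pass a request."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, patterns in pairs.items():
            if key != "aws:PrincipalArn" or operator not in ("ArnLike", "ArnNotLike"):
                raise NotImplementedError(f"{operator}/{key} not modelled")
            # Simplification: fnmatch lets "*" cross ":" boundaries; real ArnLike
            # matches each colon-delimited ARN component separately.
            hit = any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(patterns))
            if hit != (operator == "ArnLike"):
                return False
    return True


def scp_permits(policies: list, action: str, principal_arn: str) -> bool:
    """Explicit Deny wins; otherwise an explicit Allow is required. SCPs never
    grant permissions, they only bound what IAM policies in the account may grant."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _action_matches(st, action) or not _condition_matches(st, principal_arn):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def simulate_incident(policies: list) -> dict:
    """Walk the scenario with placeholder ARNs: the compromised user, the same
    attacker after creating a new admin user, and the approved application role."""
    stolen = "arn:aws:iam::123456789012:user/ci-deploy"
    escalated = "arn:aws:iam::123456789012:user/backdoor-admin"
    approved = "arn:aws:iam::123456789012:role/ApprovedBedrockAppRole"
    return {
        "stolen_key_lists_buckets": scp_permits(policies, "s3:ListAllMyBuckets", stolen),
        "stolen_key_invokes_model": scp_permits(policies, "bedrock:InvokeModel", stolen),
        "escalated_user_invokes_model": scp_permits(
            policies, "bedrock:InvokeModelWithResponseStream", escalated),
        "approved_role_invokes_model": scp_permits(policies, "bedrock:InvokeModel", approved),
    }


if __name__ == "__main__":
    for check, outcome in simulate_incident([FULL_AWS_ACCESS, DENY_BEDROCK_INVOCATION]).items():
        print(f"{check}: {'ALLOWED' if outcome else 'DENIED by SCP'}")
```

The escalated user is denied exactly as the original key was: the attacker's new admin policy lives inside the account, and the SCP is evaluated above it. The same structure applies to any high-cost or high-risk API you want to fence to a named workload role; the caveat is that SCPs do not apply to the management account's principals, so keep workloads out of it.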
 |
2024-12-23 13:14:36 |
Cybersecurity retrospective: 2024, the year of politically motivated cyberattacks (lien direct) |
Cybersecurity retrospective: 2024, the year of politically motivated cyberattacks
By Richard Hummel, Senior Threat Intelligence Manager at NETSCOUT
-
Points of View |
Threat
|
|
★★★
|
 |
2024-12-23 13:00:46 |
Navigating the Cyber Threat Landscape: Lessons Learned & What's Ahead (lien direct) |
A look at the cyber threat landscape of 2024, including major breaches and trends. An expert weighs in on key lessons and what to expect in 2025. |
Threat
|
|
★★
|
 |
2024-12-23 13:00:00 |
Get On-Demand, Actionable Cyber Threat Insights with Dragos WorldView Request for Intelligence (RFI) Service (lien direct) |
In today's interconnected industrial environments, OT networks are more vulnerable than ever to cyber threats. Even with robust monitoring and...
The post Get On-Demand, Actionable Cyber Threat Insights with Dragos WorldView Request for Intelligence (RFI) Service first appeared on Dragos. |
Threat
Industrial
|
|
★★
|
 |
2024-12-23 12:44:29 |
A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis (lien direct) |
What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain... |
Tool
Threat
|
|
★★
|
 |
2024-12-23 12:05:55 |
23rd December – Threat Intelligence Report (lien direct) |
For the latest discoveries in cyber research for the week of 23rd December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The State of Rhode Island has issued a notification that RIBridges, the state's portal for social services, has suffered a cyber attack and data leak. According to the reports, the breach was […] |
Threat
|
|
★★
|
 |
2024-12-23 11:27:40 |
CYBI (lien direct) |
www.cybi.fr
Contact: Lauret NOË
Founded: 2022
Activities:
Cybi is a cybersecurity software vendor that puts artificial intelligence at the core of its technologies to detect, analyse and neutralise threats proactively and at scale.
Flagship product description for 2025:
SCUBA is an advanced cybersecurity solution that uses artificial intelligence to detect, correlate and neutralise threats in real time. Flexible and scalable, it offers a (...)
-
ANTIVIRUS - ANTISPAM - ANTISPYWARE - EDR - FILTERING, COUNTERING CYBER THREATS, AI SOLUTIONS, SCADA... |
Threat
|
|
★★
|
 |
2024-12-23 08:06:27 |
Strengthening ICS/OT Security: Unlock the Power of Effective Threat Detection (lien direct) |
Download this CISO guide for actionable insights and best practices to help you establish an effective ICS/OT threat detection framework. |
Threat
Industrial
|
|
★★
|