Not Simon 🐐

Joined · 2024-12-01 15:59:29
@screaminggoat@infosec.exchange

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

@screaminggoat@infosec.exchange

Sekoia: Helldown Ransomware: an overview of this emerging threat
Sekoia offers a threat actor profile for Helldown ransomware, a relatively new threat actor group performing double extortion (with a data leak site). A potential Zyxel vulnerability that Helldown exploits is CVE-2024-42057 (8.1 high, disclosed 03 September 2024) Zyxel firewall command injection vulnerability. They provide a technical analysis (dynamic and static) of both the Windows and Linux variants of Helldown ransomware. Indicators of compromise are listed.

#Helldown #ransomware #cybercrime #CVE_2024_42057 #zyxel #vulnerability #malwareanalysis #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence

@screaminggoat@infosec.exchange

Google security advisories: Android Security Bulletin December 2024
At a glance, no mention of exploitation. No Pixel bulletin; Android Automotive OS and Wear OS have no patches for December 2024. Nothing for Pixel Watch.

#google #android #pixel #vulnerability #cve #infosec #cybersecurity

@screaminggoat@infosec.exchange

IBM security advisory: Security Bulletin: Multiple Security Vulnerabilities were found in IBM Security Verify Access Appliance. (CVE-2024-49803, CVE-2024-49804, CVE-2024-49805, CVE-2024-49806)
"The IBM Security Verify Access appliance provides access and authentication management for user to web application sessions." (@cR0w this seems very similar to IdentityIQ's purpose innit?)

  • CVE-2024-49803 (9.8 critical) remote code execution vulnerability
  • CVE-2024-49805 (9.4 critical) hardcoded credentials vulnerability
  • CVE-2024-49806 (9.4 critical) hardcoded credentials vulnerability
  • CVE-2024-49804 (7.8 high) privilege escalation vulnerability

Leave it to a network security policy management solution to have hardcoded credentials. h/t: @xtrc

#IBM #vulnerability #CVE #infosec #cybersecurity

@screaminggoat@infosec.exchange

How likely is it that a Beijing-based cybersecurity company would comply with the requirement to first report software vulnerabilities to the PRC Ministry of Industry and Information Technology (MIIT)? 🤔 After 4 months, Microsoft credited bee13oy with Cyber Kunlun Lab for CVE-2024-38199 (9.8 critical, disclosed 13 August 2024) Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability. This was marked publicly disclosed at the time of announcement.

Not disparaging their company, just curious as to the background of CVE-2024-38199 being publicly disclosed.

@screaminggoat@infosec.exchange

Zscaler: Unveiling RevC2 and Venom Loader
Venom Spider (aka Golden Chickens) is a financially motivated threat actor that offers Malware-as-a-Service (MaaS) tools for use by other cybercrime groups. Zscaler reports on two new malware families deployed by those MaaS tools: the RevC2 backdoor and Venom Loader. RevC2 uses WebSockets to communicate with its command-and-control (C2) server. The malware is capable of stealing cookies and passwords, proxying network traffic, and enabling remote code execution (RCE). Venom Loader is a new malware loader that is customized for each victim, using the victim's computer name to encode the payload. Technical analysis provided, and indicators of compromise listed.

#venomspider #goldenchickens #cybercrime #maas #revC2 #venomloader #IOC #infosec #cybersecurity #cyberthreatintelligence #CTI

@screaminggoat@infosec.exchange

Happy #PatchTuesday from Citrix:

  • NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-8534 and CVE-2024-8535
    • CVE-2024-8534 (CVSSv4: 8.4 high) Memory safety vulnerability leading to memory corruption and Denial of Service
    • CVE-2024-8535 (CVSSv4: 5.8 medium) Authenticated user can access unintended user capabilities
  • Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
    • CVE-2024-8068 (CVSSv4: 5.1 medium) Privilege escalation to NetworkService Account access
    • CVE-2024-8069 (CVSSv4: 5.1 medium) Limited remote code execution with privilege of a NetworkService Account access

Please see the advisories for the prerequisites for each vulnerability.

#Citrix #NetScaler #CVE #vulnerability #infosec #cybersecurity

@screaminggoat@infosec.exchange

CloudSEK: Cyber Monday Scams: A Comprehensive Analysis of Threats and Mitigation Strategies
CloudSEK explores the growing threat landscape of Cyber Monday scams, detailing the diverse tactics cybercriminals use to exploit the online shopping surge. Key threats include phishing attacks, fake online marketplaces, social media scams, fraudulent gift card generators, and advanced tools like Malware-as-a-Service (MaaS). Psychological manipulation tactics—such as urgency, authority, and social proof—amplify the success of these schemes.

#cybermonday #cybercrime #scam #phishing #maas #infosec #cybersecurity #CyberThreatIntelligence #CTI

@screaminggoat@infosec.exchange

Citizen Lab: No Escape: The Weaponization of Gender for the Purposes of Digital Transnational Repression
Citizen Lab provides a study on security risks and harms caused by digital transnational repression against exiled and diaspora women human rights defenders. They highlight the specific ways in which state and state-affiliated actors deploy digital technologies and weaponize gender as a tool of repression against women human rights defenders residing outside their countries of origin. There are gender-specific forms of online harassment, abuse, and intimidation.

"...state or state-affiliated actors build on such misogyny and patriarchism to instigate and perpetrate repressive acts with a distinct political purpose: to silence criticism and dissent beyond their borders."

Read the 82-page PDF report

#humanrights #repression #womensrights #news #journalism #dissidents #harassment

@screaminggoat@infosec.exchange

Global China Pulse: The Political Economy of Ethnic Armed Organisations in the China–Myanmar Borderland: Opium, Gambling, and Online Scams
The recent COVID-19 pandemic and the border wall along the China-Myanmar border disrupted traditional illicit economies that were sustaining Ethnic Armed Organizations (EAOs) and led to a rapid shift towards scam compounds that use human-trafficked labor. Neither pig butchering nor romance scams are mentioned in the reporting, but this is an in-depth look at the history behind the competing factions and their illicit economies.

"...EAOs use the governance of illicit economies as both a conflict pretext and a diplomatic tool, strategically engaging or withdrawing from such economies to influence external actors and secure recognition or cooperation."

h/t: @campuscodi

#cybercrime #scam #myanmar #geopolitics #china #drugs #gambling #pigbutchering #news #infosec #cybersecurity #CyberThreatIntelligence #CTI

@screaminggoat@infosec.exchange

Fortinet: SmokeLoader Attack Targets Companies in Taiwan
Fortinet reports on a September 2024 campaign targeting Taiwanese companies with SmokeLoader malware. Victims were in manufacturing, healthcare, information technology, and other sectors. The infection chain leverages both CVE-2017-0199 (7.8 high) Microsoft Office and WordPad Remote Code Execution Vulnerability and CVE-2017-11882 (7.8 high) Microsoft Office Memory Corruption Vulnerability. Indicators of compromise provided.

#smokeloader #taiwan #CVE_2017_0199 #CVE_2017_11882 #vulnerability #eitw #IOC #threatintel #infosec #cybersecurity #CyberThreatIntelligence #CTI

@screaminggoat@infosec.exchange

Kaspersky: Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Kaspersky reports on a phishing campaign delivering NetSupport RAT and BurnsRAT, with suspected links to the financially-motivated TA569 group acting as initial access brokers. The campaign began around March 2023, targeting mainly Russian users and businesses. Indicators of compromise provided.

#phishing #netsupport #burnsrat #rat #IOC #threatintel #infosec #cybersecurity #CyberThreatIntelligence #CTI

@screaminggoat@infosec.exchange

The DFIR Report: The Curious Case of an Egg-Cellent Resume
The DFIR Report provides a case study of an ongoing more_eggs malware campaign run by the financially motivated TA4557/FIN6 cybercrime group. This was investigated in March 2024, with the initial access being a resume lure (TA4557 modus operandi). CVE-2023-27532 (7.5 high) Veeam Backup missing authentication vulnerability is leveraged. The DFIR Report notes that several leaked hostnames are linked to Fog ransomware attacks as reported by Arctic Wolf. Indicators of compromise, Sigma and YARA rules provided.

#ta4557 #FIN6 #more_eggs #CVE_2023_27532 #eitw #activeexploitation #ransomware #cybercrime #IOC #yara #threatintel #infosec #cybersecurity #CyberThreatIntelligence #CTI

@screaminggoat@infosec.exchange

CISA: CISA Adds One Known Exploited Vulnerability to Catalog
Hot off the press! CVE-2023-28461 (9.8 critical) Array Networks AG and vxAG ArrayOS Improper Authentication vulnerability

#CVE_2023_28461 #arraynetworks #arrayos #cisa #kev #cisakev #knownexploitedvulnerabilitiescatalog #vulnerability #eitw #activeexploitation #infosec #cybersecurity

@screaminggoat@infosec.exchange

FBI: Update on SVR Cyber Operations and Vulnerability Exploitation (PDF)
FBI, NSA, CNMF, and NCSC-UK released a joint cybersecurity advisory to highlight tactics, techniques and procedures (TTPs) used by Russia's Foreign Intelligence Service (SVR) in recent cyber operations. SVR cyber actors, tracked as APT29, Midnight Blizzard (formerly Nobelium), and Cozy Bear, have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia's ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.

This contains a list of known exploited CVEs.

#russia #svr #apt29 #cozybear #eitw #activeexploitation #cve #midnightblizzard #cyberespionage #threatintel #infosec #cybersecurity #cyberthreatintelligence #cti

@screaminggoat@infosec.exchange

Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
Since 22 October 2024, Microsoft Threat Intelligence has observed Russian APT29 (tracked as Midnight Blizzard) sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. Microsoft assesses that the goal of this operation is likely intelligence collection.

The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.

Microsoft describes the spear-phishing campaign, RDP connection, and email infrastructure. Hunting queries and indicators of compromise provided. APT29, aka Cozy Bear and NOBELIUM, is publicly attributed to Russia's Foreign Intelligence Service (SVR).

#russia #apt29 #svr #cozybear #midnightblizzard #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI
