/ Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine

📢 Открытые практикумы DevOps, Linux, Networks, Golang: Расписание на неделю

• 27 мая Golang: Начало работы с gRPC в Golang (Сергей Парамошкин – Технический менеджер Яндекс.облако)
• 28 мая Security: Безопасность Docker (Алексей Федулаев – DevSecOps Lead Wildberries)
• 29 мая Linux: DHCP-сервер на Kea (Даниил Батурин – Основатель проекта VyOS)
• 30 мая DevOps: Фильтрация пакетов с помощью nftables (Николай Лавлинский – Технический директор)

Детали ↘ Здесь

/ Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion

Technical details of new behavior employed by the adversary, who aligns with Google Mandiant’s UNC5221, and how the BRICKSTORM backdoor and BEEFLUSH web shell abused VMs in VMware through a privileged user account, VPXUSER, to establish persistence within the impacted environment. Will also provide detection noscripts, from MITRE and CrowdStrike, to find this activity in other environments and go over how Secure Boot serves as a barrier against the adversary technique..:

https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b

/ Threat actors ride the hype for newly released Arc browser

https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/

/ Remote Command Execution on TP-Link Archer C5400X

https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/

/ Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store

https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google

/ The Pumpkin Eclipse or “Chalubo” - remote access trojan (RAT)

Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP)..:

https://blog.lumen.com/the-pumpkin-eclipse/

Chrome Manifest v2 RIP coming soon . Google has set the first date for getting rid of the manifest for this version.

Starting on June 3 on the Chrome Beta, Dev and Canary channels, if users still have Manifest V2 extensions installed, some will start to see a warning banner when visiting their extension management page..:

https://blog.chromium.org/2024/05/manifest-v2-phase-out-begins.html

/ ShrinkLocker: Turning BitLocker into ransomware

https://securelist.com/ransomware-abuses-bitlocker/112643/

/ PikaBot: a Guide to its Deep Secrets and Operations

PikaBot is a malware loader... several sources reported that successful PikaBot compromises led to the deployment of the Black Basta ransomware...

This article provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware stages. Additionally, this report shares technical details on PikaBot C2 infrastructure:

https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/

📢 Открытые практикумы DevOps, Linux, Networks, Golang: Расписание на неделю
⁠
• 10 июня Networks: Системы мониторинга VoIP
• 11 июня Linux: Низкоуровневые интерфейсы Linux
• 13 июня DevOps: Мониторинг и нагрузочное тестирование Angie

Детали ↘ Здесь

/ Muhstik Malware Targets Message Queuing Services Applications

https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/

/ 1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension

https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7

/ Bypassing 2FA with phishing and OTP bots

https://securelist.com/2fa-phishing/112805/

/ Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080

/ FortiOS RCE

Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments:

https://www.fortiguard.com/psirt/FG-IR-23-460

Аутлук или Оутглюк? Ясно одно - открыв письмо из него можно словить два эффекта одновременно: Critical Microsoft Outlook Vulnerability Executes as Email is Opened (CVE-2024-30103)

The CVE-2024-30103 vulnerability is particularly concerning due to its high probability of exploitation. It is a zero click vulnerability which does not require the user to interact with the content of a malicious email, making it extremely simple to execute:

https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability

/ AutoIt Delivering Vidar Stealer Via Drive-by Downloads

Dangerous KMSPico activator tool..:

https://www.esentire.com/blog/autoit-delivering-vidar-stealer-via-drive-by-downloads

/ lnav – Awesome terminal log file viewer for Linux and Unix

https://www.cyberciti.biz/open-source/lnav-linux-unix-ncurses-terminal-log-file-viewer/

/ D-Link router - Hidden Backdoor

Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware:

https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html

/ Backdoor BadSpace delivered by high-ranking infected websites

There is a tendency to infect WordPress websites and to inject the malicious code to the JavaScript libraries like jQuery or in the index page.

..The PowerShell code silently downloads the BadSpace backdoor and after ten seconds it executes the downloaded file using rundll32.exe..:

https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor