/ D-Link router - Hidden Backdoor
Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware:
https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html
/ Backdoor BadSpace delivered by high-ranking infected websites
There is a tendency to infect WordPress websites and to inject the malicious code to the JavaScript libraries like jQuery or in the index page.
..The PowerShell code silently downloads the BadSpace backdoor and after ten seconds it executes the downloaded file using rundll32.exe..:
https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
Gdatasoftware
BadSpace: Backdoor hides in fake software update
Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the BadSpace backdoor. What is this new threat…
/ New Diamorphine rootkit variant seen undetected in the wild
https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/
Gendigital
New Diamorphine rootkit variant seen undetected in the wild
Advanced Features of New Diamorphine
/ Cloaked and Covert: Uncovering UNC3886 Espionage Operations
After exploiting zero-day vulnerabilities to gain access to vCenter servers and subsequently managed ESXi servers, the actor obtained total control of guest virtual machines that shared the same ESXi server as the vCenter server..:
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
Google Cloud Blog
Cloaked and Covert: Uncovering UNC3886 Espionage Operations | Google Cloud Blog
UNC3886 uses several layers of organized persistence to maintain access to compromised environments over time.
/ Any.Run - Phishing Incident Report: Facts and Timeline
...part of a business email compromise (BEC) phishing campaign:
https://any.run/cybersecurity-blog/phishing-incident-report/
ANY.RUN's Cybersecurity Blog
Phishing Incident Report: Facts and Timeline - ANY.RUN's Cybersecurity Blog
We are providing the first results of our investigation into the recent incident and share a full account of the events with our community.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
OpenBLD.net Preventing: - Polyfill supply chain attack (hits 100K+ sites)
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain...
All IoC sent to OpenBLD.net ecosystem 💪
Attack details:
https://sansec.io/research/polyfill-supply-chain-attack
/ The Growing Threat of Malware Concealed Behind Cloud Services
- Affected Platforms: Linux Distributions
- Impacted Users: Any organization
- Impact: Remote attackers gain control of the vulnerable systems
- Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hosting methods lack..:
https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services
Fortinet Blog
The Growing Threat of Malware Concealed Behind Cloud Services
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers. Over the past month, FortiGuard Labs has been monitoring botne…
/ GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5
- Run pipelines as any user
- Private job artifacts can be accessed by any user
- Denial of service using a crafted OpenAPI file
- and more..
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/
GitLab
GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5
Learn more about GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
Qualys
OpenSSH CVE-2024-6387 RCE Vulnerability: Risk & Mitigation | Qualys
CVE-2024-6387 exploit in OpenSSH poses remote unauthenticated code execution risks. Find out which versions are vulnerable and how to protect your systems.
/ Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications
...Such an attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage. One of the vulnerabilities could also enable zero day attacks against the most advanced and secure organizations’ infrastructure..:
https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
www.evasec.io
Vulnerabilities in CocoaPods Open the Door to Supply Chain Attacks Against Thousands of iOS and MacOS Applications | E.V.A
Multiple vulnerabilities affecting the CocoaPods ecosystem, have been discovered, posing a major risk of supply chain attacks.
/ CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers...
The new versions of CapraRAT each use WebView to launch a URL to either YouTube or a mobile gaming site, CrazyGames[.]com. There is no indication that an app with the same name, Crazy Games, is weaponized as it does not require several key CapraRAT permissions, such as sending SMS, making calls, accessing contacts, or recording audio and video..:
https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/
SentinelOne
CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts
SentinelLABS has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe.
/ Microsoft will end new Office 365 connectors to Teams on August 15, October
https://devblogs.microsoft.com/microsoft365dev/retirement-of-office-365-connectors-within-microsoft-teams/
Microsoft News
Retirement of Office 365 connectors within Microsoft Teams
Starting August 15, 2024 we will be retiring the Office 365 connectors feature from Microsoft Teams and recommend Power Automate workflows as a solution.
/ RockYou2024: 10 billion passwords leaked in the largest compilation of all time
https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
Cybernews
RockYou2024: 10 billion passwords leaked in the largest compilation of all time
RockYou2024, the largest password compilation, leaked on a hacker forum.
/ blog.ethereum.org mailing list incident
On 2024-06-23, 00:19 AM UTC, a phishing email was sent out to 35,794 emails..:
https://blog.ethereum.org/2024/07/02/blog-incident
Ethereum Foundation Blog
blog.ethereum.org mailing list incident | Ethereum Foundation Blog
/ Windows Hyper-V Elevation of Privilege Vulnerability
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38080
/ Leaked access token with administrator access to Python’s GitHub repos
The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub..:
https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack/
JFrog
Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
/ Patch or Peril: A Veeam vulnerability incident
...this detailed analysis highlights how quickly the threat actors practiced the exploitation of the recently disclosed CVE-2023-27532 vulnerability (March 2023) to target unpatched Veeam Backup & Replication Software. The blog provides an overview of the attacker’s tactics, techniques, and procedures (TTPs)..:
https://www.group-ib.com/blog/estate-ransomware/
Group-IB
Patch or Peril: A Veeam vulnerability incident
Delaying security updates and neglecting regular reviews created vulnerabilities that were exploited by attackers, resulting in severe ransomware consequences.
/ Apple warns iPhone users in 98 countries of spyware attacks
https://techcrunch.com/2024/07/10/apple-alerts-iphone-users-in-98-countries-to-mercenary-spyware-attacks/
TechCrunch
Apple warns iPhone users in 98 countries of spyware attacks | TechCrunch
Apple has issued a new round of threat notifications to iPhone users across 98 countries, warning them of potential mercenary spyware attacks.
/ “Nearly all” AT&T customers had phone records stolen in new data breach disclosure
Operators record all messages and calls? It's unpleasant when it all flows out..
https://www.malwarebytes.com/blog/news/2024/07/nearly-all-att-customers-had-phone-records-stolen-in-new-data-breach-disclosure
Malwarebytes
“Nearly all” AT&T customers had phone records stolen in new data breach disclosure
AT&T has told customers about yet another data breach. This time call and text records of nearly all customers were stolen.
/ Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
https://www.trendmicro.com/en_id/research/24/g/CVE-2024-38112-void-banshee.html
Trend Micro
CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks