Massive Spam Operation Hijacks Trusted Brands: Over 8,000 Domains Compromised

A large-scale malicious campaign, dubbed “SubdoMailing” by security researchers at Guardio Labs, has come to light. It involves the hijacking of over 8,000 domains and some 13,000 subdomains belonging to well-established and trusted brands and institutions. The activity, believed to have been ongoing since at least September 2022, highlights the growing sophistication of cybercriminals and the ever-present threat of spam and phishing.

Modus Operandi: The attackers behind SubdoMailing leverage compromised legitimate domains and subdomains to distribute spam email on a massive scale. Guardio traced the hijacks to abandoned DNS records: subdomains whose CNAME still points at a domain that has since expired, and SPF records that still include: a domain nobody owns any more. Whoever registers that expired domain inherits the subdomain, or the right to send mail that passes the victim domain’s SPF check. Because the messages come from a genuine subdomain of a trusted sender and pass authentication, recipients and filters find them difficult to identify as malicious. The content varies, ranging from counterfeit package-delivery alerts to blatant attempts to steal user credentials through phishing.

Impact and Concerns: The widespread nature of this campaign raises significant concerns for several reasons:

Recommendations: To protect yourself from SubdoMailing or similar campaigns, exercise caution and vigilance when dealing with email:

By remaining vigilant and following these recommendations, you can significantly reduce the risk of falling victim to SubdoMailing and similar email-based threats. Staying informed about the latest cyber threats and adopting safe online practices are crucial steps in protecting yourself and your information in the digital age.
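A check for the records that make this campaign possible, added here as an example (not Guardio’s tooling, and not code from the original post). It walks a domain’s SPF include:/redirect= chain and the CNAME chain of a list of hostnames, and reports targets that no longer resolve. DNS sits behind an injected resolver function so the audit runs offline against a constructed zone; the domain names, record contents and function names below are assumptions for illustration, and for live use you would replace offline_resolver with a real lookup such as dnspython’s resolver.

```python
"""Dangling-record audit for the SubdoMailing pattern.

Walks a domain's SPF include:/redirect= chain and the CNAME chains of its
hostnames, flagging targets that no longer resolve. A target nobody owns can
be registered by an attacker, who then controls the subdomain or the set of
hosts the victim's SPF record authorises to send mail.

Added example, not Guardio's tooling. DNS is abstracted behind a resolver
callable so the audit runs offline against the constructed ZONE below.
"""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Resolver contract: (name, rrtype) -> record strings, [] when the name or type does not exist.
Resolver = Callable[[str, str], List[str]]

# Assumption: only include: and redirect= delegate authorisation to another domain's SPF record.
SPF_TARGET = re.compile(r"^[+\-~?]?(include|redirect)[:=](?P<domain>\S+)$", re.I)


def spf_targets(record: str) -> List[str]:
    """Domains an SPF record delegates to via include: or redirect=."""
    targets = []
    for term in record.split():
        m = SPF_TARGET.match(term)
        if m:
            targets.append(m.group("domain").lower().rstrip("."))
    return targets


def spf_record(resolver: Resolver, name: str) -> Optional[str]:
    """The v=spf1 TXT record published at name, or None when there is none."""
    for txt in resolver(name, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def dangling_spf_targets(resolver: Resolver, domain: str, seen: Optional[Set[str]] = None) -> List[str]:
    """Recursively collect include:/redirect= targets that publish no SPF record.

    A missing record makes the mechanism evaluate to permerror today; if the
    target name is also unregistered, whoever registers it decides what the
    victim's SPF authorises tomorrow. Registrability is checked separately.
    """
    seen = set() if seen is None else seen
    record = spf_record(resolver, domain)
    if record is None:
        return []
    dangling = []
    for target in spf_targets(record):
        if target in seen:
            continue  # loops and shared includes are examined once
        seen.add(target)
        if spf_record(resolver, target) is None:
            dangling.append(target)
        else:
            dangling.extend(dangling_spf_targets(resolver, target, seen))
    return dangling


def cname_chain_end(resolver: Resolver, name: str, max_depth: int = 8) -> Tuple[str, bool]:
    """Follow CNAMEs from name; return (final name, True if it has A/AAAA data)."""
    current = name.lower().rstrip(".")
    visited: Set[str] = set()
    for _ in range(max_depth):
        if current in visited:
            return current, False  # CNAME loop: never resolves
        visited.add(current)
        cnames = resolver(current, "CNAME")
        if not cnames:
            return current, bool(resolver(current, "A") or resolver(current, "AAAA"))
        current = cnames[0].lower().rstrip(".")
    return current, False


def dangling_cnames(resolver: Resolver, hostnames: List[str]) -> List[Tuple[str, str]]:
    """(hostname, unresolvable CNAME target) pairs: subdomain-takeover candidates."""
    findings = []
    for host in hostnames:
        if not resolver(host, "CNAME"):
            continue  # not aliased, nothing to take over via CNAME
        end, alive = cname_chain_end(resolver, host)
        if not alive:
            findings.append((host.lower().rstrip("."), end))
    return findings


# Constructed zone data standing in for live DNS (not real records of example.com).
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailhost.example include:old-vendor.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    # old-vendor.example has no records at all: an expired include target
    ("example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "CNAME"): ["example.com."],
    ("promo.example.com", "CNAME"): ["promo-2019.cdn-vendor.example."],
    # promo-2019.cdn-vendor.example never resolves: a takeover candidate
}


def offline_resolver(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS lookup; swap for dnspython in live use."""
    return ZONE.get((name.lower().rstrip("."), rrtype), [])


if __name__ == "__main__":
    print("dangling SPF targets:", dangling_spf_targets(offline_resolver, "example.com"))
    print("dangling CNAMEs:", dangling_cnames(offline_resolver, ["www.example.com", "promo.example.com"]))
```

A hit is a candidate, not a confirmed takeover: check whether the dangling name’s registrable domain is actually available (or, for cloud hostnames, whether the provider lets anyone claim that name) before treating it as exploitable, and fix it by deleting the stale record rather than by re-registering the expired domain yourself.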


VIEH Daily threat analysis | 19 September 2024

UNC2970 is turning job hunting into a minefield, using fake job offers from major energy and aerospace companies to deliver a trojanized PDF reader. The North Korean group has been using a new backdoor, MISTPEN, for this purpose. A subtle flaw in Salesforce’s public link system almost became a treasure trove for hackers: the vulnerability allowed blind SOQL injection through the Aura API, threatening to expose customer PII and other sensitive data. Marko Polo’s cybercriminal ring is baiting gaming and cryptocurrency influencers with fake job offers, luring them to malware-laden websites; the group has compromised tens of thousands of people.

Top Malware Reported in the Last 24 Hours

UNC2970 uses new MISTPEN backdoor
A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical-infrastructure verticals. The attackers posed as recruiters advertising job openings at prominent companies in the energy and aerospace industries. They delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor can download and execute PE files and communicates with its operators through Microsoft Graph URLs, so its command-and-control traffic looks like ordinary Microsoft cloud API use.

Key Group attacks with Chaos ransomware
The Russian ransomware group Key Group is using the .NET-based Chaos ransomware to encrypt files, steal data and demand ransom via Telegram. The ransomware appends a random extension to encrypted files, disables system recovery and skips certain files. A ransom note displayed once encryption finishes directs victims to two URLs for payment. Victims are cautioned not to engage with the attackers: data recovery is unreliable even after payment, so paying increases rather than reduces the risk of permanent data loss.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 129 released
Chrome 129 has been released to address multiple security vulnerabilities. The update, version 129.0.6668.58 on Linux and 129.0.6668.58/.59 on Windows and Mac, includes nine security fixes alongside other improvements. The issues range from high to low severity and include a type confusion in V8 (CVE-2024-8904), an inappropriate implementation in V8 (CVE-2024-8905) and lower-severity bugs in other parts of the browser.

Broadcom fixes critical RCE bug
Broadcom patched a critical VMware vCenter Server vulnerability, CVE-2024-38812, a heap overflow in the DCERPC protocol implementation that could let an attacker with network access to the server execute code on an unpatched system by sending a specially crafted packet. The flaw affects vCenter Server, VMware vSphere and VMware Cloud Foundation; patches are available for download. A privilege-escalation vulnerability fixed at the same time, CVE-2024-38813, could give an attacker with network access root privileges on a vulnerable server.

Bug in Salesforce’s public link
Varonis Threat Labs discovered a vulnerability in Salesforce’s public-link feature that threat actors could have exploited to reach sensitive data. The flaw involved the undocumented Salesforce Aura API and SOQL subqueries and allowed a blind SOQL injection that could retrieve customer information, including PII. Salesforce patched it in February. Because it affected virtually any public link generated by Salesforce, the potential for data exposure was widespread.

Top Scams Reported in the Last 24 Hours

Marko Polo and scams
A cybercrime group known as Marko Polo has compromised tens of thousands of devices worldwide through cryptocurrency- and gaming-related scams, targeting high-value individuals such as gaming personalities, cryptocurrency influencers and technology professionals. The group lures victims with fake job opportunities on social media, leading them to malicious websites that serve malware. Marko Polo is a financially motivated traffic team with members primarily from Russia, Ukraine and English-speaking countries, and it uses a range of tactics to deceive victims: social media scams, phishing campaigns, malware distribution, and impersonation of legitimate software and services to steal sensitive data and generate illicit revenue.

Credit: Google, gbhackers, BleepingComputer, Varonis, The Record, Cyware.


VIEH Daily threat analysis | 18 September 2024

Clipper malware is back in action and the attackers are hunting for cryptocurrency wallets. Binance has issued a warning after detecting a surge in ClipBanker attacks, which swap wallet addresses on the clipboard, leading to financial losses for unsuspecting users. Apple’s Vision Pro headset hit a snag with a vulnerability dubbed GAZEploit, which let attackers infer virtual keyboard input by analysing eye movements. Patched in visionOS 1.3, CVE-2024-40865 allowed bad actors to extract sensitive data like passwords, using supervised learning models to detect typing sessions. WiFi 6 routers are facing a new security storm: D-Link has patched critical vulnerabilities in popular models like the COVR-X1870 and DIR-X5460, closing flaws such as buffer overflows and telnet-service issues that remote attackers could exploit. Users are urged to update their firmware immediately.

Top Malware Reported in the Last 24 Hours

RustDoor attributed to North Korean hackers
North Korean hackers are targeting cryptocurrency users on LinkedIn with the RustDoor malware. The attackers pose as recruiters for legitimate decentralised cryptocurrency exchanges such as STON.fi and try to infiltrate networks under the guise of interviews or coding assignments. RustDoor is macOS malware designed to steal information and operate as a backdoor, with two different command-and-control servers. The campaign, detected by Jamf Threat Labs, is significant because it marks the first time RustDoor has been attributed to North Korean threat actors.

Crypto users hit with clipper malware
Cryptocurrency exchange Binance alerted users to a surge in clipper malware attacks targeting cryptocurrency holders. This malware, known as ClipBanker, intercepts clipboard data and replaces cryptocurrency wallet addresses with ones controlled by the attackers, so funds a user believes they are sending to a known wallet go to the attacker instead. Binance issued its warning on September 13, 2024, after noticing a significant rise in this activity and resulting financial losses for affected individuals. Because the swapped-in address is often chosen to resemble the original, verify the full destination address, not just its first and last few characters, before confirming a transfer.
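To make the swap concrete, here is an added example (written for this page, not Binance’s or any vendor’s code) of the detection logic a paste guard needs: classify clipboard text as a wallet address, validate legacy Bitcoin addresses with their Base58Check checksum, and flag a clipboard read where an address the user copied has turned into a different valid address of the same kind without a new copy. Clipboard access is replaced by a constructed event list so it runs offline; the Ethereum addresses are made up, the Bitcoin one is the public genesis-block address used only as a known-valid string, and the function names are choices made here.

```python
"""Catching a clipboard-swapped wallet address, the ClipBanker behaviour in
Binance's warning: the user copies address X, the malware silently rewrites
the clipboard to attacker address Y, and the user pastes Y into the send form.

Added example, not Binance's or any vendor's code. Real clipboard access
(pyperclip / win32clipboard) is replaced by a constructed event list so the
logic runs offline; the addresses below are well-known or made-up examples,
not payment destinations.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# Legacy Base58Check (P2PKH/P2SH) Bitcoin addresses and hex Ethereum addresses.
BTC_LEGACY = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
ETH_HEX = re.compile(r"^0x[0-9a-fA-F]{40}$")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """Verify the 4-byte double-SHA256 checksum of a Base58Check address.

    A swapped-in address must be spendable by the attacker, so it will be
    well-formed; this check rejects typos and random strings, not malware,
    but it keeps non-addresses out of the swap detector.
    """
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def address_kind(text: str) -> Optional[str]:
    """'btc', 'eth' or None for a piece of clipboard text."""
    s = text.strip()
    if ETH_HEX.match(s):
        return "eth"
    if BTC_LEGACY.match(s) and base58check_valid(s):
        return "btc"
    return None


def detect_swaps(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag clipboard reads where a copied address became a different address.

    events: ("copy", text) when the user copies; ("read", text) when the
    clipboard is observed afterwards. The full string is compared: clippers
    commonly pick an attacker address whose first and last characters match
    the victim's, so a glance at the ends is exactly the check that fails.
    """
    swaps = []
    last_copied = None
    for kind, text in events:
        if kind == "copy":
            last_copied = text.strip()
        elif kind == "read" and last_copied is not None:
            observed = text.strip()
            expected_kind = address_kind(last_copied)
            if expected_kind and observed != last_copied and address_kind(observed) == expected_kind:
                swaps.append((last_copied, observed))
    return swaps


# Constructed data. GENESIS_BTC is the public Bitcoin genesis-block address, used
# only because it is a known-valid Base58Check string; the ETH addresses are made up.
GENESIS_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
USER_ETH = "0x" + "12" * 20
ATTACKER_ETH = "0x" + "12" * 2 + "ab" * 16 + "12" * 2  # same first/last 4 hex digits as USER_ETH
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("copy", USER_ETH),
    ("read", USER_ETH),         # untouched: fine
    ("read", ATTACKER_ETH),     # rewritten without a user copy: swap
    ("copy", "meeting notes"),
    ("read", "meeting notes"),  # not an address: ignored
]

if __name__ == "__main__":
    print("genesis address valid:", base58check_valid(GENESIS_BTC))
    print("swaps:", detect_swaps(SAMPLE_EVENTS))
```

In a real guard the "read" events come from polling the clipboard or from the send form’s paste handler, and a flagged swap should block the transaction and tell the user which address they copied versus which one is about to be submitted.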
Top Vulnerabilities Reported in the Last 24 Hours

D-Link patches critical bugs
D-Link has addressed critical vulnerabilities in select WiFi 6 routers and mesh-networking systems that remote attackers could exploit to run unauthorised code or log in with hardcoded credentials. The affected models, the COVR-X1870, DIR-X4860 and DIR-X5460, are popular choices for consumers seeking high-quality networking equipment. The flaws include buffer overflows and telnet-service issues. D-Link advises users to update their firmware to resolve the vulnerabilities.

Apple Vision Pro vulnerability revealed
Apple’s Vision Pro headset was affected by a security flaw named GAZEploit that allowed attackers to infer virtual keyboard input. The vulnerability, CVE-2024-40865, was patched in visionOS 1.3. Researchers found that analysing the eye movements of a user’s virtual avatar could reveal text typed on the virtual keyboard, compromising user privacy. An attacker could use this to extract sensitive information such as passwords, using supervised learning models to tell typing sessions apart from other VR activity.

Java applications at risk
A high-severity path traversal vulnerability (CVE-2024-38816) in the widely used Spring Framework puts Java applications at risk. An attacker can craft a request that reads any file on the server that the application process itself can read, risking data exposure and further compromise. The flaw affects applications that serve static resources through RouterFunctions with an explicitly configured FileSystemResource location; per the Spring advisory, malicious requests are rejected when the Spring Security HTTP Firewall is in use or the application runs on Tomcat or Jetty, so deployments outside those conditions are the ones to prioritise. Organisations should update Spring Framework to 5.3.40, 6.0.24 or 6.1.13.

Credit: Jamf, Binance, BleepingComputer, The Hacker News, SecurityOnline, Cyware.


Why is Telegram a big headache for the Jews, USA and France ?

Why did they decide to literally kidnap the owner, Pavel Durov, at the Paris airport?

Pavel Durov, founder and CEO of Telegram, was arrested today in France; there are different charges against him.

Telegram is the main source of information about the Israeli genocide and massacre in Gaza. Thousands of videos of Jews massacring children have been posted on Telegram channels by journalists living in Gaza. Israel is trying to stop that flow of information, and that is why it has killed over 100 journalists in Gaza alone.

The most accurate information about the situation on the ground in Ukraine comes out on Telegram, and NATO can’t control it. The biggest Wagner channels are on Telegram. In general, the best way to assess whether a disinformation campaign is taking place is to check if multiple channels that are pro-Wagner or similar have relayed it. Many people use Telegram as their source of information because the information comes directly from the field. Many dead NATO soldiers appear on Telegram, and the CIA and NATO command can no longer hide their direct involvement in the war that broke out in Russia.

Telegram did a lot of damage to the French army in Africa. The Africans organized all their protests, resistance and everything else against the French occupation forces through Telegram. Russian mercenaries obviously use different platforms, but Telegram played an important role for them in accelerating the deterioration of France’s military posture, especially in Africa. I think it’s important to take that into consideration when wondering why the French would get involved.

The founder of Telegram has been detained by French intelligence services at Le Bourget Airport in Paris while exiting a private jet. He is expected to be presented to a judge later this evening, facing multiple charges, according to TF1. Potential charges include terrorism, drug-related offenses, complicity, fraud, money laundering, concealment, and possession of child exploitation content. The main concern of EU authorities regarding Telegram is its encrypted messaging, as reported by TF1.

This is a famous photo of Telegram founder Pavel Durov giving Putin his middle finger. In 2011, Durov said that the Russian government had requested him to cancel the accounts of anti-government figures on his social media platform. Durov not only did not comply but also publicly released this photo of “raising the middle finger to Putin” in the media, which received cheers from the West. After the 2014 Ukrainian coup, Durov refused to provide the Russian government with information on users involved in the Ukrainian color revolution. In the same year, he left Russia, claiming that Russia was “unable to keep up with the information age”. Shortly after, he acquired French and UAE citizenship and stated that he had no plans to return to Russia. Today, Durov was arrested by France on charges of using the platform to “support terrorist activities” and “pedophilia” after refusing to provide user information to the United States and Israel, facing 20 years of imprisonment.

In an interview with Tucker Carlson, Durov said that the last time he was in the United States, he brought an engineer from Telegram with him, whom the secret services tried to hire behind Durov’s back.

Durov helped Ukrainians stage a coup d’état in 2014. Then the whole West glorified him. He also trolled the Russian FSB and sent them the “encryption keys” to Telegram in 2017. Back then the West cheered his fight on. Then there was an attack on the messenger through Apple, which Pavel managed to fend off thanks to the chats that are needed by Ukrainian military intelligence.

Medvedev released a statement about Durov’s arrest: “Some time ago, I asked Durov why he didn’t want to cooperate with law enforcement on serious crimes. ‘It’s a matter of principle,’ he said. I told him, ‘That will cause serious problems in any country.’ He believed that his biggest problems were in Russia, so he left, eventually obtaining citizenship or residency in other countries. He wanted to be a brilliant ‘citizen of the world,’ living well without a homeland. *Ubi bene, ibi patria!* (Where it is good, there is my country!) He miscalculated. To all our common enemies now, he is still Russian—and therefore unpredictable and dangerous. Of a different blood. Definitely not a Musk or a Zuckerberg (who, by the way, actively cooperates with the FBI). Durov needs to finally understand that, like the times, one does not choose their homeland…”

Russian officials have been instructed to delete official correspondence in Telegram after the arrest — claims Baza. Such instructions were received by employees of law enforcement agencies, the presidential administration, the government, the Ministry of Defense and some businessmen. However, not all officials confirm receipt of such an order. They expect instructions in the coming days. Russia likely expects the app to fall under the control of the CIA and Mossad.

And although Durov helped NATO in the 2014 coup in Ukraine, Russia is working to free Telegram founder Pavel Durov after he was arrested in France. Maria Zakharova: “Russia sent a note demanding access to Durov, but France perceives his French citizenship as the primary one.” Durov, the founder of Telegram, is a dual Russian-French citizen. The Russian Embassy in Paris seeks an explanation from France, urging it to protect Durov’s rights. Despite the requests, France remains unresponsive.

Credit: Megatron on X


VIEH Daily threat analysis | 14 August 2024

In a disconcerting twist of events, CERT-UA has sounded the alarm on a phishing campaign that delivered the ANONVNC malware and compromised over 100 government computers. The ransomware landscape grows ever more treacherous with the emergence of DeathGrip, a newly minted RaaS that lures aspiring cybercriminals with sophisticated ransomware capabilities. A troubling set of vulnerabilities in Google’s Quick Share has come to light, exposing users to the QuickShell attack chain, through which an attacker could take complete control of a device.

Top Malware Reported in the Last 24 Hours

Phishing campaign targets Ukraine
CERT-UA warned of a new phishing campaign impersonating the Security Service of Ukraine to distribute malware called ANONVNC, which gives its operators unauthorised remote access to infected computers. More than 100 computers, including those of government bodies, have been infected since July 2024. The agency also noted an increase in campaigns by the threat actor tracked as UAC-0057 that distribute the PicassoLoader malware to deploy Cobalt Strike Beacon.

DeathGrip: new RaaS emerges
A new Ransomware-as-a-Service (RaaS) called DeathGrip has appeared. It is being promoted on underground forums and offers aspiring threat actors sophisticated ransomware tooling without requiring them to build it themselves. Its emergence underlines how the ransomware threat keeps evolving and why robust defences against it remain essential.

The scream of Banshee Stealer
A new threat called Banshee Stealer targets macOS systems and poses a significant risk to users. It extracts sensitive information such as passwords from Keychain, system data and browser details, and also targets cryptocurrency wallets and browser plugins, making it a comprehensive tool for cybercriminals.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches critical flaw
Security researchers discovered critical vulnerabilities in Google’s Quick Share that together allowed remote code execution and full system control. Chained as the QuickShell attack, they let an attacker force file downloads onto a device, hijack its Wi-Fi connection and ultimately take over the system. Google acknowledged the severity of the issue and deployed fixes for the reported vulnerabilities.

Patch this FreeBSD bug!
The FreeBSD Project released urgent security updates for a high-severity flaw in its OpenSSH (CVE-2024-7589) that could allow a remote attacker to execute arbitrary code with elevated privileges. The flaw is a race condition in the privileged sshd process: a signal handler calls functions that are not async-signal-safe. Users should upgrade to a supported FreeBSD stable or release branch and restart sshd to mitigate the issue.

Top Scams Reported in the Last 24 Hours

BEC scam targets Orion SA
Orion SA, a Luxembourg-based chemicals and manufacturing company, disclosed in a filing with the U.S. SEC that it fell victim to a criminal wire fraud scheme, potentially losing around $60 million. The incident, believed to be a business email compromise (BEC) scheme, involved fraudulent wire transfers to accounts controlled by unknown parties. Orion is working with law enforcement to recover the funds and has found no evidence of further fraudulent activity or unauthorised access to its systems.

Credit: The Hacker News, Broadcom, Cybersecurity News, SafeBreach, Security Affairs, The Register, Cyware.


VIEH Daily threat Analysis | 10 August 2024

The cyber espionage group Earth Baku has significantly broadened its operational reach, moving from the Indo-Pacific into Europe, the Middle East and Africa. The group has been deploying advanced tools like the Godzilla webshell, StealthVector, StealthReacher and a new backdoor. Kimsuky makes the headlines again, having been found targeting university professors with phishing emails that capture login credentials and then redirect victims to decoy PDF documents hosted on Google Drive. Meanwhile, Cisco has issued a warning about five vulnerabilities in the web-based management interface of its now end-of-life Small Business SPA 300 and SPA 500 series IP phones, three of them critical remote code execution flaws, none of which will be patched.

Top Malware Reported in the Last 24 Hours

Earth Baku expands operations
Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, the Middle East and Africa. Italy, Germany, the UAE and Qatar are among the targeted countries, with suspected activity in Georgia and Romania. The attackers use public-facing IIS servers as their entry point, deploying tools such as the Godzilla webshell, StealthVector, StealthReacher and SneakCross. The latest backdoor, SneakCross, uses Google services for command and control. Post-exploitation, Earth Baku relies on iox, Rakshasa, Tailscale and MEGAcmd for tunnelling, persistence and data exfiltration.

Google Authenticator phishing site
Cyble discovered a phishing website posing as the Google Safety Centre that distributes two malware families, Latrodectus and ACR Stealer. ACR Stealer uses a dead-drop resolver, hiding its command-and-control server details inside content on legitimate platforms, while Latrodectus shows signs of continuous development. The site tricks users into downloading a file disguised as Google Authenticator, which installs the malware.

Kimsuky targets university professors
The North Korean APT group Kimsuky has been found phishing university professors, staff and researchers. The group abuses weakly configured DMARC policies at the domains it impersonates, so its forged sender addresses are delivered rather than rejected, and it uses a webshell called Green Dinosaur to run its infrastructure. Green Dinosaur lets remote operators upload, download and delete files, which the group uses to stand up phishing pages disguised as legitimate university portals. The pages target specific universities, including Dongduk, Korea and Yonsei, capture credentials and then redirect victims to decoy PDFs hosted on Google Drive.

Top Vulnerabilities Reported in the Last 24 Hours

Sonos smart speakers bug allows eavesdropping
NCC Group disclosed vulnerabilities in Sonos smart speakers, including a flaw that could allow attackers to eavesdrop on users. One of them, CVE-2023-50809, could be exploited by an attacker within Wi-Fi range for remote code execution; it was caused by a wireless driver failing to validate information during the WPA2 four-way handshake. Sonos has released patches. NCC researchers also found flaws in the Sonos Era 100’s secure boot implementation that allow persistent code execution with elevated privileges.

Cisco warns of unpatched RCE flaws
Cisco has warned of five vulnerabilities in the web-based management interface of its Small Business SPA 300 and SPA 500 series IP phones, which have reached end of life. Three of them, CVE-2024-20450, CVE-2024-20452 and CVE-2024-20454, are rated critical and allow an unauthenticated remote attacker to execute arbitrary commands with root privileges; the other two, CVE-2024-20451 and CVE-2024-20453, are high-severity denial-of-service flaws. All stem from insufficient checking of incoming HTTP packets, which can lead to a buffer overflow. Cisco will provide neither fixes nor workarounds, so users are urged to migrate to newer, supported models.

Credit: Trend Micro, Cyble, Resilience, SecurityWeek, BleepingComputer, Cyware.
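The DMARC weakness the Kimsuky item above relies on, as an added example (not code from the Resilience report or from VIEH): evaluate whether a domain’s DMARC record would make a receiver reject a forged From: address. The records are constructed strings rather than live lookups of the TXT record at _dmarc.<domain>, and parse_dmarc, effective_policy and assess_dmarc are names chosen here.

```python
"""Does this domain's DMARC policy stop a spoofed From: header?

Kimsuky-style lures succeed against domains whose DMARC record is absent or
set to p=none, because receivers then deliver mail that fails SPF/DKIM
alignment instead of rejecting it.

Added example, not code from the Resilience report or from VIEH. Records
are constructed strings; a live check would fetch the TXT record at
_dmarc.<domain>.
"""
from typing import Dict, List, Optional


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """tag=value map for a v=DMARC1 record; None if absent or not DMARC."""
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def effective_policy(tags: Dict[str, str], for_subdomain: bool) -> str:
    """Policy a receiver applies, honouring sp= for subdomains and pct= sampling.

    RFC 7489 6.6.4: mail not selected by pct= gets the next weaker action
    (reject -> quarantine, quarantine -> none), so pct<100 leaves part of
    the failing traffic under a weaker policy.
    """
    policy = tags.get("p", "none").lower()
    if for_subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and policy == "reject":
        return "reject/quarantine (pct=%d)" % pct
    if pct < 100 and policy == "quarantine":
        return "quarantine/none (pct=%d)" % pct
    return policy


def assess_dmarc(record: Optional[str], for_subdomain: bool = False) -> Dict[str, object]:
    """Verdict for one domain: spoofable flag, effective policy, findings."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags is None:
        return {"spoofable": True, "policy": "none",
                "findings": ["no valid DMARC record: receivers apply no policy to failing mail"]}
    policy = effective_policy(tags, for_subdomain)
    spoofable = policy == "none" or policy.startswith("quarantine/none")
    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    elif "/" in policy:
        findings.append("pct<100 leaves a share of failing mail under a weaker action")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse of the domain goes unseen")
    return {"spoofable": spoofable, "policy": policy, "findings": findings}


# Constructed records for a hypothetical university domain, not real DNS data.
SAMPLES: Dict[str, Optional[str]] = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.edu",
    "strict-apex-lax-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.edu",
    "sampled": "v=DMARC1; p=quarantine; pct=20",
    "missing": None,
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, assess_dmarc(rec))
        print(name, "(subdomain)", assess_dmarc(rec, for_subdomain=True))
```

The second sample is the case that catches organisations out: p=reject on the apex looks solid, but sp=none leaves every subdomain spoofable, and a lure sent from a forged subdomain address still reads as the institution to the recipient.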
