Palo Alto Networks Shares Remediation Advice for Hacked Firewalls

April 25, 2024 at 10:15AM Palo Alto Networks shared remediation instructions for organizations affected by the CVE-2024-3400 firewall vulnerability. They advise updating to the latest PAN-OS hotfix for unsuccessful exploitation attempts. Companies detecting potential exfiltration or interactive command execution should perform private data resets and factory resets, respectively. The zero-day exploit has seen increasing exploitation …

North Korean Hackers Hijack Antivirus Updates for Malware Delivery

April 24, 2024 at 11:15AM North Korean threat actor Kimsuky exploited eScan antivirus’s update mechanism in a malware operation known as GuptiMiner. This involved a man-in-the-middle attack to deliver a malicious payload, enabling the deployment of backdoors and cryptocurrency miners in corporate networks. Despite eScan’s efforts to address the issue, new GuptiMiner infections persist. In …

Threat Actor Uses Multiple Infostealers in Global Campaign

April 24, 2024 at 09:15AM Cisco’s Talos security research unit warns of threat actor CoralRaider using information stealers to target users worldwide and harvest credentials and financial data. The threat actor, likely of Vietnamese origin, has been active since at least 2023 and has been targeting users with a combination of three information stealers—Cryptbot, LummaC2, …

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

April 24, 2024 at 03:51AM A new malware campaign, called GuptiMiner, is using the eScan antivirus software’s updating mechanism to distribute backdoors and cryptocurrency miners, targeting large corporate networks. The campaign is linked to the North Korean hacking group Kimsuky. The malware uses sophisticated techniques and has evaded detection for at least five years. The …

CoralRaider attacks use CDN cache to push info-stealer malware

April 23, 2024 at 05:34PM A financially motivated threat actor, known as CoralRaider, is conducting an ongoing malware campaign targeting systems in the U.S., U.K., Germany, and Japan. The group uses a content delivery network cache to distribute malware, including info stealers LummaC2, Rhadamanthys, and Cryptbot. The attacks start with malicious Windows shortcut files delivered …

ToddyCat APT Is Stealing Data on ‘Industrial Scale’

April 22, 2024 at 05:20PM ToddyCat, an APT group, collects data on an industrial scale from government and defense targets in the Asia-Pacific region. They use multiple simultaneous connections to steal data and maintain access, and have links to attacks going back to at least December 2020. Kaspersky recommends specific actions for organizations to protect …

MITRE ATT&CKED: InfoSec’s Most Trusted Name Falls to Ivanti Bugs

April 22, 2024 at 03:21PM Chinese state hackers exploited vulnerable Ivanti edge devices to gain long-term access to MITRE Corp.’s unclassified NERVE network. The attackers used various techniques including exploiting VPNs and zero-day vulnerabilities, bypassing MFA, deploying web shells, and exfiltrating data. MITRE only detected the breach three months later, illustrating the serious impact and …

Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability

April 22, 2024 at 08:03AM Palo Alto Networks disclosed a critical vulnerability (CVE-2024-3400) affecting 6,000 internet-accessible firewalls, allowing unauthenticated remote code execution. Exploited by threat actors, the flaw affected GlobalProtect in PAN-OS devices, leading to sensitive data theft and malware deployment. Mitigations initially included disabling device telemetry, but the vendor later released patches effectively eliminating …

MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

April 22, 2024 at 06:21AM MITRE’s R&D network was hacked using zero-day vulnerabilities in an Ivanti product by a foreign state-sponsored threat actor. The attack, identified in January and affecting the NERVE network, prompted MITRE to take the environment offline and investigate. The organization has duly shared attack techniques and mitigation recommendations. Exploitations of the …

HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

April 19, 2024 at 03:26PM HelloKitty ransomware was rebranded as HelloGookie by its operator ‘Gookee/kapuchin0.’ Celebrating this rebrand, the threat actor released private decryption keys and leaked passwords and sensitive information from previous attacks on CD Projekt and Cisco. The group is now actively developing from the leaked source code. Whether HelloGookie will reach HelloKitty’s …