Security Bulletins - Heimdall Security Research
Heimdall, ISH's Threat Intelligence group, presents bulletins on threat actors, malware used by malicious groups, indicators of compromise, techniques, tactics and procedures (TTPs), and artifact analysis and mitigations, aimed at preventing attacks and raising cybersecurity maturity.
ISH
Aruba releases security updates to address critical flaws in ArubaOS
HPE Aruba Networking recently released security updates to correct the vulnerabilities CVE-2024-26304, CVE-2024-26305, CVE-2024-33511 and CVE-2024-33512, classified as critical, present in ArubaOS, which, if exploited, allow remote code execution.
Goldoon botnet observed exploiting old flaw in D-Link devices
In April, FortiGuard detected a newly developed botnet exploiting an old D-Link flaw, identified as CVE-2015-2051. This specific flaw makes it possible to execute arbitrary remote commands via the GetDeviceSettings feature present in the HNAP interface.
CVE-2024-32038, Critical RCE vulnerability in the Wazuh analysis engine
The CVE-2024-32038 flaw was recently discovered, a critical remote code execution (RCE) vulnerability that affects Wazuh Manager, versions 3.8.0 to 4.7.1. This flaw occurs in the wazuh-analysisd component, which is responsible for analyzing collected data and generating security alerts.
Critical Vulnerability in R Language Allows Arbitrary Code Execution
Security researchers have identified the vulnerability CVE-2024-27322 in the R programming language, which makes it possible to execute arbitrary code during the deserialization of untrusted content in RDS (R Data Serialization) files or R packages, both common among developers.
Docker Hub repositories detected spreading malware and phishing pages
Researchers from JFrog and Docker worked together to mitigate and resolve issues arising from the recent exposure of repositories on Docker Hub that were used to spread malware and phishing scams within the Docker Hub platform.
Cyber attack causes London Drugs chain to close stores
Canadian pharmacy chain London Drugs recently temporarily suspended operations at its retail stores in response to a cyber security incident, as the organization described in a statement about the situation.
Lazarus group observed deploying new Kaolin RAT in their attacks
The Lazarus Group carried out targeted attacks in Asia using Kaolin RAT, a newly developed remote access Trojan. The strategy included the use of fake job lures, a common technique of the group. The attack exploited vulnerability CVE-2024-21338 in the Windows appid.sys driver.
Critical flaw in WordPress WP-Automatic plug-in being exploited in attacks
The critical vulnerability CVE-2024-27956 in the WP Automatic plugin for WordPress is being exploited by malicious actors to create administrative accounts and install backdoors, granting prolonged access to the affected site.
ArcaneDoor campaign exploiting Cisco zero-day vulnerabilities
Cisco has warned of a malicious group that, since November 2023, has been exploiting flaws in the ASA and FTD firewalls to compromise global government networks. The attackers, known as UAT4356 and STORM-1849, launched attacks on the devices with the ArcaneDoor campaign.
CVE-2024-4040, Critical vulnerability in CrushFTP being exploited in attacks
The Cybersecurity and Infrastructure Security Agency (CISA) recently added to its catalog of known vulnerabilities (KEV) the critical flaw CVE-2024-4040 in CrushFTP, which has been exploited in cyber attacks.
New CoralRaider campaign distributes infostealers in targeted attack
Cisco has discovered a malicious campaign that spreads three types of infostealers: Cryptbot, LummaC2 and Rhadamanthys. The strategy includes a PowerShell command line parameter, hidden in an LNK file, which allows antivirus to be evaded and the malware to be downloaded onto the target.
ToddyCat Group uses tunnels and extraction tools for government espionage
Securelist has reported that an advanced persistent threat (APT) group, known as ToddyCat, is targeting government organizations, mainly in the Asia-Pacific region, with the aim of illegally extracting sensitive information.
Microsoft warns that APT28 hackers exploit Windows flaw reported by NSA
Microsoft has published the results of an investigation into the Russian threat group known as Forest Blizzard (STRONTIUM), reporting that this group has used a customized tool called GooseEgg to exploit the CVE-2022-38028 vulnerability.
Critical flaw in WordPress plugin affecting over 400,000 sites
Japan's CERT recently published an alert on its vulnerability notes portal (JVN) warning of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in the WordPress plugin Forminator, used on hundreds of thousands of websites.
Cisco releases patch for command injection vulnerability in Cisco IMC
Cisco has released patches for a high-severity vulnerability, CVE-2024-20295, in the Integrated Management Controller (IMC), which, given that public exploit code exists, could allow attackers to obtain root privileges.
Threat actor selling VMware ESXi Shell exploit on hacker forum
A threat actor has been spotted on a hacker forum selling a possible exploit targeting the VMware ESXi Shell Service. The ESXi Shell is an essential component for managing VMware ESXi hosts, providing a command line interface for direct interaction with the host.
CVE-2024-21111, exploit PoC for major VirtualBox flaw available
CVE-2024-21111 is a serious vulnerability in Oracle VirtualBox affecting versions prior to 7.0.16. It allows attackers with basic access to a Windows system running VirtualBox to escalate their privileges. A proof-of-concept (PoC) exploit has been disclosed.
Botnets Continue to Take Advantage of Flaw in TP-Link Routers for Global Spread
The CVE-2023-1389 vulnerability, present in the web management interface of TP-Link Archer AX21 routers, has been exploited by several botnets for large-scale propagation. This flaw allows remote code execution by unauthenticated attackers.
APT44 group observed using Kapeka backdoor in targeted attacks
Researchers have identified a backdoor, nicknamed "Kapeka", which has been used in offensives against targets in Eastern Europe since mid-2022. This malware is characterized by its versatility and complete set of functionalities.
MITRE was the target of a zero-day attack on Ivanti Connect Secure devices
MITRE Corporation has reported that it was compromised by a state-sponsored attack which, since January 2024, took advantage of two vulnerabilities in Ivanti Connect Secure devices, CVE-2023-46805 and CVE-2024-21887, resulting in a breach of its NERVE system.