Cyble Blog
Keep your knowledge up-to-the-minute with reports on the latest threats and trends in the Cyberworld. The Cyble Research and Intelligence Labs (CRIL) consists of a team of world-class responders, expert malware researchers, and skilled exploit-code analysts. They provide capabilities for customers to manage cyber risks with AI-powered actionable threat intelligence.
Cyble Blog
3h ago
Key Takeaways
Cyble Research and Intelligence Labs (CRIL) identified a campaign targeting individuals connected to the upcoming US-Taiwan Defense Industry Conference, as indicated by the lure document uncovered during the investigation.
The campaign involves a ZIP archive containing an LNK file that mimics a legitimate PDF registration form for deception.
When the LNK file is opened, it executes commands to drop a lure PDF and an executable in the startup folder, establishing persistence.
Upon system reboot, the executable downloads additional content and executes it directly in memory, effe ..read more
Cyble Blog
2d ago
Key Takeaways
Three major advisories from CISA address 17 vulnerabilities across products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.
Multiple products are affected by vulnerabilities allowing for the cleartext transmission of sensitive data, such as passwords, which could be exploited through Man-in-the-Middle (MitM) attacks. Despite being reported in 2021, these vulnerabilities are now publicly disclosed due to the vendor's lack of response.
With 629 internet-exposed instances, primarily in Italy and France, the likelihood of exploitation is high. Proof of Concepts (P ..read more
Cyble Blog
3d ago
Overview
On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to gain unauthorized access and execute arbitrary commands by sending specially crafted requests.
On September 4, 2024, the identification of CVE-2024-45195 reignited concern ..read more
Cyble Blog
3d ago
Key Takeaways
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with three critical vulnerabilities: CVE-2016-3714, CVE-2017-1000253, and CVE-2024-40766.
These vulnerabilities are being actively exploited by cybercriminals, posing significant risks to both federal and private sector organizations.
CISA urges all organizations to prioritize the remediation of these vulnerabilities to strengthen their cybersecurity defenses.
Organizations should update software with the latest patches, implement multi-factor authentication (MFA), and continuously monitor for unusual activities ..read more
Cyble Blog
3d ago
Key Takeaways:
CISA incorporated four vulnerabilities (CVE-2021-20123, CVE-2021-20124, CVE-2024-7262, and CVE-2024-7965) into its Known Exploited Vulnerability (KEV) catalog based on evidence of active exploitation.
The Cyble team analyzed critical and high-severity CVEs, including those impacting networking products (CVE-2024-7261 and CVE-2024-44341) and Dell's PowerProtect tool (CVE-2024-37136), which could lead to remote code execution and information exposure.
CRIL detected multiple instances of vulnerability discussions and proof-of-concept sharing in underground forums and channels, includi ..read more
Cyble Blog
4d ago
Key takeaways
Cyble Research and Intelligence Labs (CRIL) has detected a phishing site masquerading as a CapCut download page. The site aims to trick users into downloading malicious software.
Threat actors (TAs) have leveraged a reputation-hijacking technique by embedding a legitimate CapCut-signed application within the malicious downloaded package, exploiting the trustworthiness of well-known apps to bypass security systems.
This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection ..read more
Cyble Blog
1w ago
Key takeaways
The Head Mare hacktivist group targets Russian and Belarusian organizations, linking their cyberattacks to geopolitical tensions with Ukraine.
Head Mare's attacks on Russia and Belarus are strategic, aiming to influence political and economic stability in these countries and support its own objectives.
The group uses sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831 in WinRAR and ransomware strains like LockBit and Babuk.
Head Mare’s cyber operations align with the Russo-Ukrainian conflict, applying pressure on ..read more
Cyble Blog
1w ago
Iranian state-backed actors operating under aliases like "Pioneer Kitten" are increasingly targeting critical infrastructure – and expanding their activities into brokering access for ransomware affiliates.
Key Takeaways
A group of Iranian state-sponsored hackers has evolved into access brokers for ransomware gangs, targeting critical U.S. and allies’ sectors like education, finance, healthcare, and defense.
The FBI, CISA, and DC3 have issued a joint advisory highlighting the dual nature of these threat actors' activities, which include both monetizing network access and conducting espionage ..read more
Cyble Blog
1w ago
Key takeaways
Cyble Research and Intelligence Lab (CRIL) has identified a highly targeted cyber-attack aimed at political figures and government officials in Malaysia.
The attack showcases the advanced tactics employed by the Threat Actor (TA) in targeting high-profile individuals and institutions.
The campaign, active since July, has employed at least three distinct malicious ISO files specifically designed to compromise Malaysian entities.
The malicious ISO files contain multiple components, including a shortcut (LNK) file, a hidden PowerShell script, a malicious ..read more
Cyble Blog
1w ago
Key Takeaways
A North Korean threat actor, Citrine Sleet, has been observed exploiting a zero-day vulnerability in Chromium, designated as CVE-2024-7971, to achieve Remote Code Execution (RCE).
Citrine Sleet, also tracked by other security firms under the names AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, is attributed to Bureau 121 of North Korea's Reconnaissance General Bureau. The group primarily focuses on financial institutions, especially those involved with cryptocurrency, aiming for financial gain.
The group's tactics, techniques, and procedures (TT ..read more