Security Bulletins - Heimdall Security Research
Heimdall, the ISH Threat Intelligence group, presents bulletins on threat agents, malware used by malicious groups, Indicators of Compromise, Techniques, Tactics and Procedures (TTPs) and Artifact Analysis and Mitigations, with a view to preventing attacks and evolving cybersecurity maturity.
ISH
Tips to avoid DNS Spoofing attacks
In this bulletin we describe the measures your organization should take, including the use of DNSSEC, to avoid falling victim to DNS Spoofing attacks and to improve your security maturity. A successful DNS Spoofing attack can redirect users to malicious sites and cause your organization significant financial and reputational damage...
Threat actor guaranteeing 6-month persistence in ICS network
A threat group known as Redfly allegedly hacked into a national power grid organization in Asia and maintained access for six months. The discovery was published by Symantec, which found evidence of the ShadowPad malware...
New Stealers malware identified for macOS
Security researchers have identified a number of new families of infostealers, such as MacStealer, Pureland, Atomic Stealer and RealStealer, and this bulletin focuses on presenting details of the analysis of MetaStealer, whose analysis was carried out by SentinelOne...
Critical Google Chrome vulnerabilities
Three vulnerabilities have been identified as critical and zero day for Google Chrome, which have been cataloged as CVE-2023-2033, CVE-2023-2136 and CVE-2023-3079...
Iranian threat actor focusing on Brazil
The threat actor known as Charming Kitten has allegedly been linked to a new wave of attacks on different entities in Brazil and two other countries, Israel and the United Arab Emirates. The actor is said to be using a backdoor previously documented as Sponsor...
Using ScreenConnect for remote access by attackers
At the beginning of 2023, Heimdall observed campaigns that used phishing emails which directed the user to download remote management tools known as ScreenConnect, which can be used for remote access by attackers and carry out cyber attacks of various kinds...
Security flaws found in Nagios XI
A popular network monitoring tool used by organizations to monitor the integrity and performance of assets has been found to contain security flaws. The vulnerabilities, catalogued as CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934, allow users of different authorization levels to exploit SQL Injection vulnerabilities...
Apple publishes urgent updates
Apple has published new emergency security updates to fix three new 0-day vulnerabilities exploited in attacks targeting iPhone and Mac users. The vulnerabilities include Privilege Elevation, Signature Validation Bypass and Arbitrary Code Execution, all of which are cataloged and described in this bulletin...
Akira ransomware exploiting Cisco VPN
It was identified that the Akira ransomware threat actors were focusing their attacks on target organizations that use Cisco VPNs, which do not have multi-factor authentication (MFA) enabled for users. It is worth noting that this method is used for initial access to organizations' networks...
Attacks on supply chains
The Heimdall intelligence team has drawn up a warning about attacks on the supply chain. This term refers to the set of processes and activities related to the production, transportation, storage and delivery of products or services to the end customer...
CVE-2023-5009 - vulnerability in GitLab
A GitLab update has been released to resolve a vulnerability classified as critical and cataloged as CVE-2023-5009, with a score of 9.6. This vulnerability allows a malicious actor to execute pipelines on behalf of other users...
Vulnerabilities CVE-2023-34984 and CVE-2023-29183 Fortinet
Fortinet has announced security patches and warned of two vulnerabilities with high severity ratings for its FortiWeb, FortiOS and FortiProxy products affected by vulnerabilities cataloged as CVE-2023-34984 and CVE-2023-29183...
KMSDBot malware identified targeting IoT devices
Malware identified by Akamai, known as KMSDBot, has been observed in a campaign using an updated KMSDX binary and targeting IoT (Internet of Things) devices. The binary aims to expand the botnet in order to carry out attacks from it...
Correction of several Cisco vulnerabilities
Cisco has published a fix for three high-severity flaws in its NX-OS and FXOS software that could be used to cause denial of service (DoS). The vulnerabilities have been cataloged as CVE-2023-20200, CVE-2023-20169, CVE-2023-20168 and CVE-2023-20115...
Juniper J-Web vulnerabilities
Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on the SRX and EX series have been resolved through patches. The vulnerabilities have been identified and cataloged as CVE-2023-36844, CVE-2023-36845 and CVE-2023-36847...
DarkGate malware campaign identified
The intelligence team has collected information on a documented malware first identified in 2018 known and dubbed as DarkGate (also known as MehCrypter). The malware acts as a commodity loader with features that include the ability to download and execute files in memory...
CISA warns of vulnerability exploitation
CISA has issued an alert about nation-state-sponsored actors taking advantage of vulnerabilities in Fortinet FortiOS SSL VPN and Zoho ManageEngine ServiceDesk Plus, both catalogued as: CVE-2022-47966 and CVE-2022-42475, which could be used to hack into the organization's network...
Zero day for Adobe products
Adobe recently published security updates to fix a 0-day vulnerability exploited in Acrobat and Reader. The vulnerability has been cataloged as CVE-2023-26369 with a score of 8.8 (high), which could lead to the execution of malicious code...
Patch Tuesday Microsoft - September
Microsoft has published its September Patch Tuesday. The release includes updates for 59 flaws, two of which are 0-day vulnerabilities actively exploited by malicious actors...
CVE-2023-32315 - OpenFire
The ISH intelligence team warns of a vulnerability cataloged as CVE-2023-32315 in OpenFire, which is an XMPP server. The vulnerability could allow a "path traversal" attack, where an actor uses OpenFire to access restricted pages. According to research, 1,048 servers are vulnerable in Brazil alone...
CVE-2023-26359 - Adobe ColdFusion
The ISH intelligence team warns of vulnerabilities in Adobe ColdFusion products, as they present a particular concern for organizations' cyber environments. The vulnerability identified affects versions 1028 update 15 and earlier and could lead to arbitrary code execution (RCE) by malicious actors...
Details of the Cuba Ransomware operation
Based on a report by BlackBerry researchers, tools used by the Cuba Ransomware group have been identified. This group is in its fourth year of operation and has shown no signs of slowing down its operations...
Vulnerabilities identified as exploited July and August
The ISH intelligence team, based on research and information gathering, has listed the main vulnerabilities identified as exploited in July and August, which have been added to the CISA catalog as vulnerabilities used by malicious actors...
New version of Monti ransomware for Linux machines
The Monti ransomware group has variants based on Windows and Linux operating systems and came to the attention of researchers because of its remarkable similarity to the Conti ransomware. In addition to using the same code, the group has also emulated the Conti group's well-known tactics, techniques and procedures.
Vulnerability in Jorani versions prior to 1.0.2
The ISH Threat Intelligence team warns of a vulnerability cataloged as CVE-2023-26469 in Jorani, a path traversal flaw that could allow access to files and execution of code on the server. According to the CVE, it has a Base Score of 9.8 (critical) and, by researching the vulnerability, we have identified 6 potentially vulnerable servers in Brazil...
Vulnerability in the WordPress plugin Forminator
The ISH Threat Intelligence team warns of the vulnerability cataloged as CVE-2023-4596 in the WordPress plug-in Forminator, which is considered critical with a score of 9.8. Research has identified 396 websites in Brazil alone that are potentially vulnerable...
Phishing campaigns for Brazil and Spain
The ISH Threat Intelligence team has collected information based on reports made public of phishing email campaigns created in Portuguese and Spanish. It is worth noting that the emails are created posing as Brazilian and Spanish banking institutions...
Common attacks in 2023
Considering that a cyberattack is a malicious action carried out by individuals, groups or organizations that aim to exploit some type of vulnerability, we present some of the main types of attacks identified in 2023...
Rhysida ransomware and its operations
The HC3 has released a security alert about a new ransomware known as Rhysida, which has been active since May 2023. The origin and affiliations of the ransomware operation are still unclear...
Common tactics, techniques and procedures against Industrial Organizations
Researchers have published information on the common tactics, techniques and procedures of attacks against industrial organizations. The report obtained by Heimdall was published by Kaspersky and drawn up in 2022 on the basis of information and investigations into various attacks against industrial organizations in Eastern Europe...
Cloud account takeover campaign
Cybersecurity researchers have identified an increase of more than 100% in cloud account takeover incidents affecting high-level executives in companies. According to the researchers, 100 organizations were targeted globally. The threat actors used the EvilProxy phishing tool, which is based on a reverse proxy architecture, allowing attackers to steal MFA-protected credentials and cookies...
New Ransomware group, Yashma
Cisco Talos has reportedly identified a new, previously unknown threat actor of Vietnamese origin, which began operations in June 2023 using a variant of the Yashma Ransomware that also adopts operating characteristics of the WannaCry Ransomware. Unlike other Ransomware operations, the threat actor reportedly used GitHub repositories to download the attack's ransom note...
New vulnerabilities in Cisco products
Cisco has reportedly released security advisories for high-severity vulnerabilities affecting various products, some of which a threat actor could exploit to take control of an affected system or cause a denial of service condition...
Security flaw discovered in PaperCut software
PaperCut Software is a print and copy management software that helps companies monitor and control their printing costs. Researchers recently discovered a new security flaw classified as critical, allowing remote code execution (RCE)...
Patch Tuesday August - Microsoft
Microsoft, through its August Patch Tuesday publication, shared fixes for a number of vulnerabilities in its products. The highlights of the updates were CVE-2023-38157, a bypass vulnerability in Microsoft Edge, and CVE-2023-4071, a buffer overflow vulnerability in the Visuals heap, among other vulnerabilities.
CVE-2023-38035 - Ivanti
A security vulnerability in the Ivanti MICS Admin Portal could allow attackers to bypass authentication controls in the administrative interface due to an insufficiently restrictive Apache HTTPD configuration...
Malicious campaign for Redis servers
The malware known as Skidmap, a cryptocurrency miner detected by Trend Micro, was identified in September 2019 targeting Linux machines. Unlike similar miners, the code used kernel-mode rootkits to avoid detection...
Main vulnerabilities of 2022
ISH Technology presents the main vulnerabilities exploited by threat actors in 2022, focusing mainly on data provided by the CISA, NSA and FBI organizations.
Targeted malware campaign against cybercriminals
A malware campaign has been observed making use of OpenBullet configuration files to target inexperienced cybercriminals with the aim of delivering a remote access trojan (RAT) with the ability to steal confidential information...
Using PowerShell in cyber attacks
PowerShell, an extremely powerful tool developed by Microsoft, is used in organizations for a variety of purposes, and because of its ease of use and usefulness it is now also being used by cybercriminals. They can use it for reconnaissance, to move laterally within an infected network and to ensure persistence on the compromised machine...
Microsoft Office executables could be abused by cybercriminals
The LOLBAS (Living Off the Land Binaries and Scripts) list has been updated with newly identified tools included in Windows that can be used for malicious purposes, such as using Microsoft Office executables to download files from websites...
New Stealer Rilide campaigns
A new campaign by the malicious Rilide Stealer browser extension, created for Chrome-based browsers, has recently been identified. The campaign targeted cryptocurrency users and corporate employees, and was mainly aimed at stealing information and data...
Vulnerabilities exploited in attacks
ISH's intelligence team, Heimdall, has issued a warning about vulnerabilities classified as critical that have been exploited in cyber attacks by threat actors. The vulnerabilities include products from Zimbra, Adobe, Netscaler and others...
FraudGPT, a new tool for cybercrime
Threat actors are using yet another artificial intelligence (AI) tool that can be used for cybercrime purposes known as FraudGPT. The tool goes hand in hand with another AI tool, WormGPT, both of which are being advertised on Dark Web marketplaces...
Malware for macOS known as "Realst"
A new malware known as "Realst" has been identified for macOS systems and propagated through a massive campaign. The malware includes support for macOS 14 Sonoma as one of its latest variants. The malware is used to steal data from browsers and virtual wallet applications...
Telegram, a weapon for cybercriminals
The ISH Intelligence team has issued a warning about the Telegram platform, which is used by cybercriminals to carry out various criminal operations, such as the sale of corporate data, the sale of illegal products, hacktivism, data leaks, narcotics and other types of illicit sales...
WormGPT, an AI for cybercriminals
Malicious actors have created an Artificial Intelligence (AI) tool that generates natural-language text from a given input or context. It is based on the GPT-3 architecture, with modifications and improvements so that it will fulfil malicious requests...
Adobe warns of vulnerabilities
Adobe has released security updates for the 2023, 2021 and 2018 versions of ColdFusion. The updates resolve critical and important vulnerabilities that could lead to arbitrary code execution and bypass of security features...
USB attacks return
Attacks via USB devices, also known as "USB-based malware attacks", can represent a significant threat to the cyber security of organizations, and this is a tactic employed by cybercriminals to...
RedDriver, malware that hijacks browsers
Security researchers have published an analysis of a previously undocumented malicious driver nicknamed "RedDriver", which performs browser hijacking through a driver that uses the Windows Filtering Platform...
APT Group focuses on ICS products
An advanced persistent threat (APT) group has been identified exploiting vulnerabilities in Rockwell Automation products. The vulnerabilities could cause the interruption or destruction of operations in critical infrastructures...
Big Head ransomware and its variants
A new family of ransomware has been identified with several variants. The ransomware family emerged in mid-May 2023 and its operation is known as Big Head Ransomware. It was identified by Trend Micro researchers...
Critical vulnerability CVE-2023-30799
A new vulnerability cataloged as CVE-2023-30799 with a critical score has been disclosed and could lead to privilege escalation. The vulnerability affects MikroTik RouterOS products with versions prior to 6.49.7 and 6.48.6. According to research, Brazil has the largest number of available systems compared to other countries, which has led to this alert regarding the use of this CVE for cyber attacks...
New malware for Latin America, Toitoin Trojan
A new, sophisticated and persistent malware campaign targeting companies in Latin America is delivering the Trojan known as ToiToin through a multi-stage infection chain. The research was released by Zscaler, which identified several customized modules...
Ransomware group Mallox employing new techniques
The ransomware group known as "TargetCompany", first identified in June 2021, gained attention because its encryption adds the extension ".mallox" to encrypted files. This group has been attributed with operating the Mallox ransomware, which uses a BatLoader to deploy its encryption payload...
RedEnergy, Ransomware-as-a-Stealer
A malware variant named RedEnergy Stealer has been identified which, during its operation, falls into the hybrid "Stealer-as-a-Ransomware" category. This malware focuses on organizations in the public energy, oil, gas and telecommunications sectors in countries such as Brazil and the Philippines...
Crysis Ransomware Operators with other Ransomware
A threat actor involved in the Crysis ransomware operation was observed by security researchers actively using the Venus ransomware in its operations. Both of the actors and attacks identified used Remote Desktop (RDP) access for execution...
Critical level Citrix vulnerabilities
Citrix has published an advisory on the discovery and disclosure of 3 product vulnerabilities, cataloged as CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467. The CVE-2023-3519 vulnerability could cause unauthenticated remote code execution, with critical severity (9.8)...
Malicious browser extensions identified
Extensions showing malicious behavior were recently identified in the Chrome Web Store. One of the extensions analyzed by the researcher showed more than 87 million downloads. The extensions were uploaded and made available between 2021 and 2022, leaving a long period in which users could become infected...
New ANATSA Trojan campaign
A banking Trojan developed for Android devices known as Anatsa has been identified using dropper campaigns via the Google Play Store, with more than 30,000 users identified as having installed it. ThreatFabric has released a detailed report on the analysis of the artifacts...
CISA publishes alert on ICS vulnerabilities
CISA has published an alert regarding a vulnerability in the Hitachi Energy FOXMAN-UM and UNEM products. This vulnerability could allow malicious actors to access confidential information on these products...
MIRAI Botnet variant exploiting IoT products
A new variant of the botnet known as Mirai is exploiting vulnerabilities in Internet of Things (IoT) devices in order to infect them and turn them into additional botnet nodes. The vulnerabilities exploited are in products from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, MediaTek and others...
Storm-0978 threat actor exploiting vulnerabilities
Microsoft has identified a phishing campaign run by the threat actor tracked as Storm-0978 targeting government and defense entities in Europe and North America. The campaign is said to be exploiting a vulnerability cataloged as CVE-2023-36884, a remote code execution vulnerability exploited...
Updates for CVE-2023-33308 - Fortinet
Fortinet has published updates for the vulnerability cataloged as CVE-2023-33308, which could allow malicious actors to execute remote code via a stack overflow in the FortiOS and FortiProxy products. The vulnerability has a score of 9.8, considered critical. In its statement, the company recommended updating the products...
New Ransomware groups in May and June
The ISH threat intelligence team has identified the emergence of at least 13 (thirteen) new ransomware groups that carry out double extortion on their victims: after exfiltrating the data, they encrypt it and direct the victim to negotiate...
Stealer Meduza identified as a MaaS service
A threat actor has advertised a Stealer-type malware-as-a-service, identified as Meduza, for sale on a Russian underground forum. According to analysis, this malware has source code and functions similar to the Aurora Stealer malware...
Apple publishes updates for 0-days
Apple has published security updates to fix actively exploited zero-day flaws in its products. The updates were made for iOS, macOS and watchOS systems, covering security defects in the kernel and WebKit, which were exploited by...
New Ransomware Group Identified, RA Group
A new ransomware group known as the RA Group, which has been operating since mid-April 2023, has been identified. The ransomware bears similarities to the source code leaked from the Babuk Ransomware in 2021...
Cyberespionage campaign using RDStealer
A cyber-espionage campaign tracked as "RedClouds" has been identified using customized malware catalogued as RDStealer, which aims to automatically steal data from shared drives over Remote Desktop (RDP) connections...
Critical vulnerability in FortiGate firewalls
A critical vulnerability cataloged as CVE-2023-27997, with a CVSS score of 9.8 and known as XORtigate, affects Fortinet FortiOS and FortiProxy SSL-VPN devices and could allow a remote attacker to execute arbitrary code or commands via specially crafted requests...
Sophisticated malicious toolkit identified for macOS
Researchers have identified files belonging to a sophisticated malicious toolkit targeting Apple's macOS system. The files had backdoor capabilities and appear to come from a malware toolkit built for complex attacks...
Fortinet's new FortiNAC vulnerability
Fortinet has published an update to resolve a critical security vulnerability affecting the FortiNAC network access control solution that could lead to arbitrary code execution. The vulnerability has been catalogued as CVE-2023-33299 and has a severity of 9.8 (critical) and has been described as a case of untrusted object deserialization...
WordPress plug-in vulnerability
A recently disclosed critical security flaw in the miniOrange login and social registration plug-in for WordPress could allow a cybercriminal to log in without authorization. The vulnerability has a score of 9.8 and has been cataloged as CVE-2023-2982...
GravityRAT Android spyware identified
A spyware-type malware dubbed GravityRAT has been identified for Android devices. The malware was distributed via the BingeChat and Chatico messaging apps. This RAT (Remote Access Trojan) has been used by malicious actors since 2015 and was used in targeted attacks against India...
ChromeLoader's new campaign known as Shampoo
Security researchers have discovered a malicious campaign delivering malware through a Google Chrome browser extension. The extension has been dubbed ChromeLoader and the malicious campaign has been named Shampoo...
Critical VMware Aria vulnerability being exploited
VMware recently reported that a newly patched critical command injection vulnerability in its Aria Operations for Networks product, a network monitoring tool, is being actively exploited by malicious actors. The vulnerability has been cataloged as CVE-2023-20887...
New Ransomware group identified, Rhysida
A new ransomware group using the name Rhysida was identified in May 2023. After encrypting the files, it presents a ransom note directing the victim to a site accessible via the Tor network. The ransomware was written in C++ and compiled using MinGW...
Incorrect OAuth configuration can lead to incidents
Incorrect configuration of the identity and authentication infrastructure through OAuth could be exploited to ensure privilege escalation in certain Azure Active Directory (AD) accounts by configuring and exchanging attributes...
NoEscape ransomware identified (RaaS)
A new Ransomware-as-a-Service program dubbed "NoEscape" was recently spotted being offered on a cybercrime forum at the end of May 2023, focused on recruiting new affiliates to its program...
Update patches for MOVEit published
Progress Software has published a new round of patches for its MOVEit products after researchers identified a zero-day vulnerability. The vulnerability affected MOVEit Transfer and Cloud Managed File Transfer (MFT) software, tracked as CVE-2023-34362...
LockBit Ransomware Affiliate interviewed
An affiliate recently identified by the FBI, known as Mikhail Pavlovich, a Russian citizen who allegedly worked with the LockBit, Babuk and Hive ransomware operations, has provided details of some trends that can be observed in ransomware groups...
Ransomware group focusing on SaaS services
A group of malicious actors called 0mega attacked an organization's SharePoint service, exfiltrating data, uploading a ransom note and deleting the organization's files to force it to pay. The malicious actor was able to move laterally and create administrator accounts...
CISA publishes two new ICS notices
CISA has published two new Industrial Control Systems (ICS) advisories covering security issues, vulnerabilities and exploits. The advisories are limited to the products in ICSA-23-157-01 (Delta Electronics CNCSoft-B DOPSoft) and ICSA-23-157-01 (Mitsubishi Electric MELSEC IQ-R Series/ IQ-F Series)...
Massive DDoS attack against Outlook
At the beginning of June, a group of threat actors known as Anonymous Sudan claimed responsibility for a massive DDoS attack against Microsoft services, specifically the Outlook (email) service. The interruption is said to have prevented several users from accessing the mobile application as well as the web version...
Cyclops ransomware using Stealer for attacks
Another ransomware group has emerged in the cyber attack sphere, this time called Cyclops Ransomware. This group operates in the RaaS (Ransomware-as-a-Service) model and offers affiliate support, while also providing Stealer-type malware to steal information...
Risks and recommendations for RDP services
The ISH Intelligence team has produced a bulletin on the Remote Desktop Protocol (RDP) warning of the risk of it being publicly available for threat actors to exploit. Exposure could lead to unauthorized access, theft of confidential information, ransomware and destructive attacks, fraud and criminal activity, network compromise and other types of problems...
Phishing kit announced for ZIP domains
A new campaign using a "File Archivers In the Browser" phishing kit has been identified abusing ZIP domains. It presents the user with fake WinRAR or Windows File Explorer windows in the browser to convince them to run the malicious file...
Malicious campaign against Russian iPhones
Recently, a post on Kaspersky's blog claimed that an extremely comprehensive cyber attack had been directed at the company's professionals who use Apple mobile devices. The attack is said to have been carried out using spyware-type malware operating discreetly. In addition to Kaspersky, the Russian Federation has come forward claiming that the US government carried out attacks in conjunction with Apple...
Patch Tuesday Microsoft - June
In June, Microsoft published a patch update on Tuesday (14) to correct 78 security flaws, including the possibility of remote code execution...
New malicious campaign identified, Horabot
A malicious campaign using the Horabot botnet malware has been identified operating in Latin America since November 2020. The malware is distributed together with a banking trojan and a spam tool, and could allow malicious actors to take control of the victim's Gmail, Outlook, Hotmail or Yahoo email accounts and carry out other malicious activities...
New tool marketed for security evasion
A tool has been marketed on an underground forum on the dark web by a threat actor. The tool promised to terminate security services such as antivirus, EDRs and XDRs from various brands and vendors. The tool was advertised as "Terminator"...
Bug in WhatsApp impairs its use
A bug in the WhatsApp application allowed anyone on the contact list to send a message in the form of a link, which, when clicked, terminated the WhatsApp process on the Android mobile device. The application would only return to working properly once the message had been deleted via WhatsApp Web...
New malware for OT-ICS
A new malware created specifically for OT-ICS environments has recently been identified. The malware is known as COSMICENERGY and is designed to interact with IEC-60870-5-104 (IEC-104) devices, which act as remote terminal units (RTUs), in a way that could cause an interruption in the power supply...
Analysis of CVE-2023-27997 - FortiOS
FortiOS vendor Fortinet published a statement yesterday regarding the analysis of CVE-2023-27997, which affects SSL-VPN products in the pre-authentication stage. So far there have been no signs of exploitation, but this CVE will be added to the arsenal of malicious actors for exploitation and initial access...
Malware-as-a-Service
In this bulletin, ISH's intelligence team, Heimdall, presents the main malware-as-a-service (MaaS) platforms and services that sell stealer-type malware. This malware is mainly focused on stealing information and exfiltrating files to C2 channels, often acting before a ransomware attack...
New stealer malware identified, ObserverStealer
ISH's intelligence team, Heimdall, has identified the operation of a new malware-as-a-service known as ObserverStealer. This malware is marketed on clandestine forums at a lower price than the other MaaS already identified, and its function is to steal a victim's information and files...
Vulnerability in Fortigate SSL-VPN
A vulnerability tracked as CVE-2023-27997 has been identified in Fortigate products running FortiOS SSL VPN, which could lead to remote code execution even if MFA is enabled. An update patch is now available for this vulnerability...
Vulnerabilities in Zimbra Collaboration Suite
A high severity vulnerability, identified as CVE-2022-27974, has been found in Zimbra Collaboration Suite instances and allows a malicious actor to inject malicious commands. The threat actor could steal ZCS email account credentials...
Alert for flaws in Samsung devices
CISA has published an alert for a security vulnerability affecting Samsung devices running Android versions 11, 12 and 13. The devices contain an insertion of sensitive information into log file vulnerability, which allows a malicious actor to bypass protections...
New ransomware identified, 8base
A new ransomware operation has been identified, named 8base Ransomware. This group has a data leak site and has shared data from other companies under attack, including Brazilian companies...
Malicious Android app with over 50,000 installations
An application that was available for download on the Play Store was confirmed to be malicious and exhibited the behavior of a remote access trojan (RAT). The application was called iRecorder and was downloaded by more than 50,000 users...
Microsoft patches 38 vulnerabilities
In May, Microsoft published an update patch that fixes 38 vulnerabilities in its products, as well as announcing which vulnerabilities are at risk of being actively exploited by malicious actors...
New Ransomware operation identified, MalasLocker
A ransomware operation known as MalasLocker has been identified that uses vulnerabilities in Zimbra servers to exfiltrate email data, as well as the organization's data, for later extortion...
Vulnerability for MOVEit products being exploited
The MOVEit vulnerability, assigned CVE-2023-34362, has been identified. It allows malicious agents to carry out SQL Injection attacks on the application, which can lead to the creation of backdoors and access to restricted data...
Recommendations for open Firewall ports
ISH's intelligence team, Heimdall, warns that organizations that leave ports open in their firewalls are exposed to cyberattacks and other consequences such as unauthorized access, exploitation of vulnerabilities, spread of malware, DoS attacks and others...
XWorm malware exploiting vulnerabilities
A new phishing campaign has been identified that uses a unique attack chain to distribute the XWorm malware on target systems. XWorm is commodity malware advertised for sale on clandestine forums, and the campaign exploits the Follina vulnerability...
New Darkrace Ransomware identified
The intelligence research team Heimdall has identified a new ransomware variant known as Darkrace, which has a data leak site. This ransomware encrypts certain files, deletes the event log and terminates certain processes...
Malicious VSCode extensions are used to steal data
Recently, a number of extensions that can be installed in VSCode were analyzed, and some were found to exhibit malicious behavior such as data theft, theft of metadata about VSCode configurations and the possibility of injecting code...