Retool details a 2023 cloud-access incident where spear-phishing led to OTP/MFA token misuse, resulting in 27 cloud customer account takeovers (on-prem remained safe). The post argues for stronger controls (hardware FIDO2 keys), improved threat modeling, and h…
Agent Tesla samples were delivered via VBS that launch obfuscated PowerShell, use image-based steganography to carry a .NET DLL, and then inject a decoded final .NET payload into the legitimate RegAsm.exe process. The implant harvests system/browser/mail data …
Analysis of a RomCom RAT sample shows it was delivered by a digitally signed installer (signed by Noray Consulting Ltd), drops VMProtect-packed DLLs under C:\Users\Public\Libraries, and uses multiple anti-analysis checks before contacting a C2 at startleauge.net.…
CISA analyzed four artifacts from an Aeronautical Sector incident: two 64-bit Meterpreter/Metasploit PE executables that connect to remote C2 servers and execute unencrypted payloads in memory, and two small ASPX webshells that execute remote JavaScript after …
CISA analyzed five malware samples tied to Barracuda Email Security Gateway intrusions and identified artifacts for SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors; the intrusions exploited CVE-2023-2868 against Barracuda ESG. The samples inc…
Security teams are well aware of the growing problem of software supply chain attacks, but it’s essential that organizations stay abreast of the various threats posed to software supply chains. One of the pain points that organizations need to learn more about and defend against is malicious campaig…
Phishing scripts masquerading as PDF viewers were spread via email attachments, prompting users to reveal email passwords through a deceptive login prompt. The attackers exfiltrate credentials and IP data through Telegram, using evolving UI tricks to evade det…
CYFIRMA documents a new malware-as-a-service, Prysmax, offering a fully undetectable information stealer, RAT, and botnet services. The Python-based Prysmax stealer exfiltrates crypto wallets, passwords, and cookies, uses PowerShell for stealthy actio…
ReversingLabs discovered three additional malicious PyPI packages — tablediter, request-plus, and requestspro — that extend the VMConnect supply-chain campaign and use obfuscated payloads and C2 communications to fetch further stages. Analysis shows evasion te…
Unit 42 provides the answers and deeper analysis for its July 2023 Wireshark quiz on a RedLine Stealer infection, detailing victim details, web traffic, and data exfiltration in a Windows AD environment. The post also lists indicators of compromise and maps ob…
Okta observed social engineering to elevate privileges within customer tenants and obtain a highly privileged role. Attackers leveraged Inbound Federation and cross-tenant impersonation to access apps and impersonate users, revealing novel lateral movement and…
JPCERT/CC reports a new technique called MalDoc in PDF that embeds a Word file inside a PDF to bypass detection. When opened in Word, a macro can trigger VBScript to perform malicious behaviors, potentially evading PDF-focused analysis and traditional sandboxe…
Threat actors increasingly weaponize PDFs in email-borne attacks to gain initial access, with Qakbot and IcedID delivering payloads via malicious links and multi-stage chains. The article also covers social engineering, exploit techniques against PDF readers, …
Openfire CVE-2023-32315 is being exploited to deploy Kinsing malware and a cryptominer via a path traversal attack that grants unauthenticated access to the setup environment. Aqua Nautilus observed a campaign with a high attack volume (over 1,000 attacks in u…
Rapid7 observed increased threat activity targeting Cisco ASA SSL VPN appliances since March 2023, including credential stuffing and brute-force attempts, with MFA not always enabled for all users. Several intrusions culminated in ransomware deployments by the…