Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms
Source: The Hacker News
These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets. Read more.
Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals
Source: Infosecurity Magazine
ACTIR described Greasy Opal’s CAPTCHA-bypassing tool as an easy, fast, and flexible tool for the automatic recognition of a wide array of CAPTCHAs. Greasy Opal’s tool boasts a 10-time faster efficiency than typical CAPTCHA-solving solutions, such as AntiGate (Anti-Captcha), RuCaptcha or DeCaptcher. Read more.
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
Source: Google Mandiant
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Read more.
China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches
Source: Sygnia
The modus-operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the ’black box‘ nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit. Read more.
PG_MEM: A Malware Hidden in the Postgres Processes
Source: Aqua
Aqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. Read more.
Qilin ransomware caught stealing credentials stored in Google Chrome
Source: Sophos
During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization. Read more.
MSC file distribution exploiting Amazon services
Source: ASEC
Recently, ASEC (AhnLab SECURITY INTELLIGENCE CENTER) confirmed that malicious MSC files exploiting Amazon services are being distributed. The MSC extension is characterized by its XML file format structure and is executed by MMC (Microsoft Management Console). Read more.
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Source: Cisco Talos
This campaign consists of distributing a variant of the open-source XenoRAT malware we’re calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. Read more.
Ailurophile: New Infostealer sighted in the wild
Source: G Data
We discovered a new stealer in the wild called ‘”Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the website’s web panel, its customers are provided the ability to customize and generate malware stubs. Read more.
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Source: Cisco Talos
The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. Read more.