CYFIRMA

Episodes of the CYFIRMA Research show (title, publication date, duration, and episode description; descriptions are truncated where the listing cut them off):

CYFIRMA Research - Tracking Ransomware: April 2025
2025-05-16, 07 min
Stay ahead of evolving ransomware threats with CYFIRMA’s April 2025 Ransomware Report. Last month revealed shifting dynamics: Qilin surged by 71%, while Play and DragonForce increased by 75% and 25% respectively. Despite a 29% drop in total incidents from March, the Manufacturing, IT, and Consumer sectors remained heavily targeted. The U.S. topped the victim chart, followed by the UK and Canada. New threats emerged with FOG, Interlock, and ELENOR-corp using phishing lures, fake IT tools, and stealth tactics. Storm-2460 exploited a Windows zero-day, while DragonForce and Nova expanded affiliate models driving modular, widespread ransomware campaigns. Emerging groups like Sile...

CYFIRMA Research - PupkinStealer: A .NET-Based Info-Stealer
2025-05-12, 04 min
CYFIRMA’s latest threat report reveals the workings of PupkinStealer, a .NET-based information stealer designed to extract a focused set of sensitive data from victim systems. Targeting browser credentials, desktop files, Telegram and Discord sessions, and screenshots, the malware compresses all stolen content into a ZIP archive and exfiltrates it using the Telegram Bot API, making attribution and detection more challenging. Our report includes a full technical analysis, Indicators of Compromise (IoCs), MITRE ATT&CK mapping, and a custom YARA rule for detection. Stay informed and enhance your defenses. Link to the Research Report: https://www...

CYFIRMA Research - Gunra Ransomware
2025-05-06, 09 min
A new threat is on the rise: Gunra Ransomware. This sophisticated ransomware not only encrypts files but also exfiltrates sensitive data, threatening to leak the data unless the ransom is paid. Read the latest report from the CYFIRMA research team to learn more! Stay informed and safeguard your systems!
Link to the Research Report: https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
#CyberSecurity #Ransomware #Gunra #DataProtection #CyberThreats #CYFIRMA #CYFIRMAresearch #ETLM #ExternalThreatLandscapeManagement https://www.cyfirma.com/

CYFIRMA Research - US MANUFACTURING RELOCATION AND THREATS
2025-05-05, 11 min
Donald Trump’s new tariffs promise to revive American manufacturing, but evidence shows they are more likely to raise prices, reduce competitiveness, deter investment, and fuel geopolitical instability. The vision of millions of factory jobs ignores automation, labor shortages, and global supply chains. Instead of revitalizing the industry, tariffs risk slowing growth and driving inflation, putting greater pressure on businesses and consumers. Critically, the turbulence is likely to extend into cyberspace. Economic strain and heightened geopolitical tensions are expected to trigger a sharp increase in cyberattacks! Read CYFIRMA’s latest report to learn more. Link to th...

CYFIRMA Research - Hannibal Stealer: A Rebranded Threat Born from Sharp and TX Lineage
2025-04-30, 08 min
Read CYFIRMA’s report on the Hannibal Stealer, a rebranded variant of SHARP and TX Stealers, which has re-emerged with expanded data exfiltration capabilities and an updated command-and-control infrastructure. Hannibal Stealer is built in C# on the .NET framework. It targets a wide range of data sources, including browsers, cryptocurrency wallets, VPN configurations, FTP credentials, and system information. It incorporates clipboard hijacking and geofencing techniques to maximize impact. The malware is managed through a Django-based control panel, enabling real-time log monitoring and payload distribution. Current promotion across Telegram and underground forums points to sustained activity. Link to th...

CYFIRMA Research - Technical Malware Analysis Report: Python-based RAT Malware
2025-04-29, 06 min
A New Breed of Python-Based RATs is Abusing Discord for C2. The CYFIRMA research team has investigated an emerging class of Python malware that is turning popular platforms into weaponized control panels. One recent variant showcases just how accessible and disruptive these tools have become. This lightweight Remote Access Trojan (RAT) uses Discord bots and interactive UI buttons to control infected systems: no shell commands, no fancy exploits, just real-time remote control through a familiar interface.
Key Capabilities:
- Locks the user’s screen with an unclosable fullscreen GUI
- Forces system crashes (BSOD) via low-leve...

CYFIRMA Research: Cyber Espionage Among Allies - Strategic Posturing in an Era of Trade Tensions
2025-04-22, 08 min
The CYFIRMA research team provides a comprehensive analysis of how diplomacy, defense, and digital strategy are colliding. As trade friction intensifies, especially under the 2025 U.S. tariff regime, cyberspace is becoming the frontier of quiet competition between traditional allies. While full-scale cyber warfare remains unlikely, behind-the-scenes intelligence gathering is rising fast.
Our latest report explores:
- U.S. and allied cyber espionage trends
- How economic policy shapes digital posturing
- The role of non-state actors and hacktivists
- Why restraint still (mostly) prevails
Link to the Research Report: https://www.cyfirma.com/research/cyber-espionage-among-allies-strategic-posturing-in-an-era-of-trade-tensions/...

CYFIRMA Research - Tracking Ransomware: March 2025
2025-04-21, 05 min
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – March 2025. The month of March saw shifting dynamics, with Safepay experiencing a huge surge of 223%, while RansomHub and Akira declined. Babuk2 has possibly leveraged fake extortion claims. Manufacturing, IT, and Consumer sectors remained prime targets as total incidents dropped 30.7% from February. The U.S. led victim counts, followed by Germany and Canada. Notably, Black Basta’s automated brute-force tool BRUTED, Qilin’s use by North Korean APTs, and Akira’s IoT exploitation underscored evolving tactics. New custom malware like Betruger, Medusa’s BYOVD attack, and m...

CYFIRMA Research - The Neptune RAT
2025-04-15, 09 min
CYFIRMA researchers have identified a dangerous new version of Neptune RAT being actively shared online. This malware spreads through GitHub, Telegram, and YouTube, often advertised as the "Most Advanced RAT." The attack starts when victims run malicious PowerShell commands. First, the "irm" command downloads harmful code from the file hosting website. Then "iex" executes this code, installing the malware in the AppData folder. The malware connects back to the attackers, giving them full control of infected computers. Neptune RAT is packed with dangerous features. It can steal passwords from over 270 applications, hijack cryptocurrency transactions, lock files for r...

CYFIRMA Research - Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques
2025-04-01, 04 min
CYFIRMA’s research team has conducted an in-depth investigation into Konni RAT, a sophisticated remote access trojan (RAT) that uses advanced evasion techniques to bypass detection. It exploits Windows features, such as file extension hiding and the 260-character limit for LNK files, to conceal malicious activity. After gaining access, Konni RAT maintains persistence through registry modifications, collects sensitive data from infected systems, and exfiltrates this information to remote servers while using modular batch scripts to perform tasks like payload execution and file deletion. Due to its stealth and adaptability, Konni RAT poses a significant thr...

CYFIRMA Research: Turning Aid into Attack - Exploitation of Pakistan's Youth Laptop Scheme to Target India
2025-03-28, 07 min
The CYFIRMA research team has identified a fake Indian Post Office website leveraging the Clickfix technique to target Indian users. The report details how a Pakistani threat actor is targeting both Windows and Android users by dropping APK files for Android devices, copying PowerShell commands to the clipboard, and dropping a Clickfix instructions PDF file.
Link to the Research Report: https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
#CyberSecurity #Clickfix #APT36 #ExternalThreatLandscapeManagement #ETLM #CYFIRMA #CyfirmaResearch https://www.cyfirma.com/

CYFIRMA Research - Tracking Ransomware: February 2025
2025-03-20, 06 min
Stay ahead of evolving ransomware threats with CYFIRMA’s Monthly Ransomware Report – February 2025. Ransomware activity surged by 87.45% in February, with Cl0p witnessing an alarming 453% rise. Manufacturing, FMCG, and Transportation sectors faced the highest spike in attacks. The U.S. remained the top target, followed by Canada, the U.K., Germany, and France. Notably, China-linked actors exploited a Check Point vulnerability to deploy ShadowPad and ransomware. New ransomware groups, including Anubis, Linkc Pub, and RunSomeWares, emerged, while law enforcement dismantled the 8Base ransomware group. Ghost ransomware continues to target critical sectors, and Black Basta’s attack on Sout...

CYFIRMA Research - LithiumWare Ransomware
2025-03-11, 06 min
The CYFIRMA research team has identified a new ransomware variant named LithiumWare, showcasing advanced capabilities designed to disrupt, encrypt, and steal.
Key Features of LithiumWare:
- Data Theft: Exhibits activities indicative of stealing personal data, including detecting crypto-addresses.
- Persistence: Creates files in the startup directory, manipulates desktop.ini for cloaking, and executes services like svchost.exe.
- Reconnaissance: Reads machine GUIDs, security settings, and environment variables to tailor attacks.
- Misuse of Legitimate Software: Drops and executes files via trusted programs like msedge.exe and WinRAR.exe to evade detection.
Link to the Research Report: LithiumWare Ransomware - CYFIRMA

CYFIRMA Research - SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion
2025-02-21, 06 min
This report explores a fake financial management app on the Google Play Store named Finance Simplified, which has been downloaded over 100,000 times. The app reportedly downloads an additional fraudulent loan application targeting Indian users. Once installed, users attempting to secure loans are subjected to cyber blackmail and bullying. The malicious app gains unauthorized access to sensitive user data, including clipboard content, files, SMS, contacts, camera, and more. The CYFIRMA research team’s investigation reveals that multiple fraudulent loan apps are hosted on a single IP address but operate through different ports. These scam apps are being aggressively pro...

CYFIRMA Research - Tracking Ransomware: January 2025
2025-02-13, 04 min
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – January 2025 Report. January witnessed 510 ransomware victims globally, with Akira emerging as the most active group while new threats like MORPHEUS surfaced. The Manufacturing sector is the most targeted, and the USA remained the top victim region with 259 reported cases. Notably, Akira’s activity surged by 60%, while Lynx and Incransom saw exponential growth, rising by over 200%. Additionally, ransomware actors are now exploiting cloud platforms, collaboration tools, and even Microsoft Teams phishing schemes to gain unauthorized access. As threats grow more sophisticated, organizations must ado...

CYFIRMA Research - APT Quarterly Highlights: Q4 2024
2025-02-12, 07 min
Our Q4 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups across Iran, North Korea, Russia, and China. These groups intensified operations with a sharp focus on credential theft through phishing, MFA push-bombing, and fake job scams. RomCom (Russia) and Lazarus (North Korea) exploited zero-day vulnerabilities in Mozilla, Windows, and Google Chrome for stealthy malware deployment, while Jumpy Pisces (Andariel) partnered with Play ransomware, signaling North Korea’s growing reliance on ransomware for revenue. Evasive Panda (China) shifted towards cloud-based espionage, targeting Google Drive and Outlook with CloudScout malware. Meanwhile, Ir...

CYFIRMA Research: Windows Locker Ransomware
2025-01-28, 05 min
New Ransomware Alert: "Windows Locker". A new .NET-based ransomware strain, Windows Locker, is making waves with its advanced tactics; read the CYFIRMA research team's full report for a comprehensive analysis.
- Encryption: Files are encrypted with the .winlocker extension.
- Ransom Note: Victims receive a Readme.txt file with instructions to contact the attacker.
- Persistence: The ransomware modifies registry keys to stay active on compromised systems.
- No Recovery: It deletes shadow copies, making it impossible to restore data through traditional methods.
Stay vigilant! Keep backups and security software u...

CYFIRMA Research - Android Malware in DONOT APT Operations
2025-01-22, 03 min
The CYFIRMA team has analyzed malware linked to the Indian APT group DONOT, uncovering its use of a deceptive app called “Tanzeem” to gather intelligence under the guise of a chat platform. The app shuts down after permissions are granted, suggesting a targeted approach. Two analyzed versions, from October and December, showed minimal differences, indicating consistent tactics. The misuse of the OneSignal platform, typically used for legitimate notifications, to deliver phishing links highlights the group’s evolving methods to maintain persistence. These findings emphasize the need to understand such threats as the group continues adapting to target individuals across the region...

CYFIRMA Research - TRACKING RANSOMWARE: DECEMBER 2024
2025-01-13, 03 min
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware – December 2024 Report. The report highlights key trends, including a 12.38% decrease in ransomware attacks compared to November, alongside the rise of new groups like Funksec, which targeted VMware ESXi hypervisors and Windows servers. Critical vulnerabilities, such as CVE-2023-46604 in Apache ActiveMQ, were exploited to deploy ransomware like Mauri, enabling attackers to create backdoor accounts and gain persistent access to networks. Industries like FMCG and E-commerce faced increased targeting due to sensitive data and digital growth, while the United States led global attack figures with 283 inci...

CYFIRMA Research - Living off the Land: The Mechanics of Remote Template Injection Attack
2025-01-10, 05 min
At CYFIRMA, we continuously analyze the tactics and techniques employed by threat actors. One such technique is Remote Template Injection, which exploits Microsoft Word's template functionality to bypass traditional defenses. Used by Advanced Persistent Threat (APT) groups, this method disguises malicious payloads in seemingly harmless documents, making it a potent tool in spear-phishing campaigns. Our latest report uncovers how attackers exploit Word’s XML-based OOXML format to inject malicious templates, bypassing email filters and endpoint detection. We detail the technical execution, risks, and mitigation strategies. Stay informed, stay secure. Link to the Research Report: https://www.c...

CYFIRMA Research - Inside FireScam: An Information Stealer with Spyware Capabilities
2025-01-02, 04 min
Introducing FireScam: A New Android Malware Threat. The CYFIRMA research team has uncovered a new, sophisticated Android malware, FireScam, an advanced information-stealing malware with spyware capabilities. Disguised as a fake ‘Telegram Premium’ app, this malware is spread through phishing websites and targets users with the intent to steal sensitive information. Once installed, it stealthily monitors notifications, text messages, and app activity, exfiltrating data via encrypted channels and Firebase services. By employing tactics like SSL pinning, obfuscation, and environment detection, FireScam evades security measures, making it a dangerous new threat for Android users. Link to the Re...

CYFIRMA Research - How Festive Events Have Become Prime Targets for Digital Exploitation and Fraud
2024-12-30, 06 min
The CYFIRMA research team is proud to offer insights into the increased cyber risks the holiday season brings! Stay alert, verify offers, and keep your information safe! As the year-end season approaches, watch out for scammers using advanced tactics. Phishing emails might offer irresistible deals but could contain malicious links; always verify before clicking! Be cautious of fake websites and typo-squatting domains that mimic popular retail sites; double-check URLs before purchasing. Scammers also use malicious ads and deepfake videos of celebrities promoting fake offers. Additionally, hacktivists may target high-traffic retail websites with DDoS attacks...

CYFIRMA Research: Tracking Ransomware - November 2024
2024-12-12, 04 min
Stay ahead of cybersecurity trends with CYFIRMA's November 2024 Ransomware Report. Ransomware incidents rose by 15.65%, affecting 606 victims worldwide. Emerging groups like Chort, Ymir, and SafePay deployed advanced techniques. Ransomware groups are seen exploiting critical vulnerabilities like Veeam Backup systems and targeting weekends for reduced detection. Key sectors such as Manufacturing, Healthcare, and Finance experienced significant attacks, while the USA led with 326 victims. Notable events included SafePay's breach of 1.2 TB of data, disrupting logistics services, and RansomHub’s attack on Bologna FC, leaking sensitive financial and operational details. The evolving threat landscape highlights the urgency of robust defe...

CYFIRMA Research: Exploration of Parano – Multiple Hacking Tools’ Capabilities
2024-12-05, 06 min
CYFIRMA's latest research highlights the emerging threat of the Parano Malware Family, which includes Parano Stealer, Ransomware, and Screen Locker. Developed by the cybercriminal group Paranodeus, these tools target sensitive data using advanced techniques for persistence and evasion. Despite bans on their initial distribution channels, Paranodeus has shown adaptability by aligning with new threat groups like CyberVolk and DarkAssault. This evolving threat continues to pose significant risks to individuals and organizations.
Link to the Research Report: https://www.cyfirma.com/research/exploration-of-parano-multiple-hacking-tools-capabilities/
#ParanoMalware #CyberSecurity #DataTheft #Ransomware #screenlocker #ThreatIntelligence #StaySecure #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLMht...

CYFIRMA Research - Investigation into Helldown Ransomware
2024-11-28, 04 min
Helldown ransomware is spreading fast, targeting key industries like Real Estate, IT, Manufacturing, and Healthcare. The ransomware targets both Windows and Linux systems, exploits known vulnerabilities, and encrypts files. First spotted in August 2024 by CYFIRMA, Helldown has already impacted businesses in 11 countries, with the USA and Germany being hit the hardest. It uses advanced techniques to avoid detection and disrupt operations. Researchers have found it linked to vulnerabilities in Zyxel firewalls for gaining access.
Link to the Research: Investigation into Helldown Ransomware - CYFIRMA
#Helldown #Ransomware #US #Manufacturing #IT #Healthcare #Threatintelligence #CYFIRMA...

CYFIRMA Research: Hexon Stealer
2024-11-27, 05 min
Hexon Stealer is a variant of Stealit Stealer, which itself is derived from Fewer Stealer. Rebranding and code reuse are common practices among malware developers. Stealer devs often create Telegram or Signal channels to market their stealers, attracting a significant user base by promoting them across various platforms. The CYFIRMA research team’s investigation identified patterns linking Stealit and Hexon Stealer, ultimately uncovering that the developers behind these tools are Turkish speakers.
Link to the Research Report: HEXON STEALER: THE LONG JOURNEY OF COPYING, HIDING, AND REBRANDING - CYFIRMA
#CyberSecurity #InfoSec #CyberThreats #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM #St...

CYFIRMA Research: CVE-2024-9264: A Critical Vulnerability in Grafana - Vulnerability Analysis and Exploitation
2024-11-25, 03 min
The CYFIRMA Research team provides insights into a severe flaw in Grafana (versions

CYFIRMA Research - Black Basta Ransomware Group
2024-11-15, 04 min
Stay vigilant against Black Basta’s sophisticated ransomware tactics! In our latest analysis, Black Basta continues to be a leading threat in the cyber landscape, targeting industries such as healthcare, finance, and manufacturing. Known for exploiting vulnerabilities and using double extortion, this ransomware group applies social engineering to infiltrate systems, often posing as IT support via platforms like Microsoft Teams. Their operations involve deploying tools like AnyDesk, Cobalt Strike, and SystemBC to gain a foothold and maintain control, allowing them to extract sensitive data and demand ransom under the threat of exposure. With ransomware notes urging victims to act qu...

CYFIRMA Research - TRACKING RANSOMWARE: OCTOBER 2024
2024-11-14, 05 min
Stay ahead of cybersecurity trends with CYFIRMA's October 2024 Ransomware Report! This month saw a 42.78% increase in ransomware, led by groups like RansomHub, and new threats emerging, such as Hellcat and Playboy. Manufacturing and Healthcare were heavily impacted, while DragonForce expanded its Ransomware-as-a-Service model. Tactics like “Bring Your Own Vulnerable Driver” (BYOVD) and CVE-2024-40711 exploitation were highlighted, with advanced strains like Qilin.B enhancing encryption. Black Basta also refined social engineering attacks via Microsoft Teams, demonstrating the ransomware landscape's evolving sophistication.
Link to the Research Report: TRACKING RANSOMWARE : OCTOBER 2024 - CYFIRMA
#ThreatLandscape #StaySecure #CyberSecurity #Ranso...

CYFIRMA Research - Wish Stealer
2024-11-13, 07 min
CYFIRMA’s research team has uncovered a new strain of malware known as "Wish Stealer," a sophisticated Node.js-based program targeting Windows users. This malware is designed to steal sensitive information from popular platforms like Discord, various web browsers, and cryptocurrency wallets. It employs advanced techniques, including privilege escalation, clipboard manipulation, and session hijacking, to capture valuable data, such as login credentials, cookies, and credit card information. Wish Stealer can also bypass two-factor authentication (2FA), allowing unauthorized access without alerting the victim. To stay hidden, the malware disables antivirus software and embeds itself deep within system folders, mak...

CYFIRMA Research - Wish Stealer
2024-11-11, 04 min
CYFIRMA’s research team has uncovered a new strain of malware known as "Wish Stealer," a sophisticated Node.js-based program targeting Windows users. This malware is designed to steal sensitive information from popular platforms like Discord, various web browsers, and cryptocurrency wallets. It employs advanced techniques, including privilege escalation, clipboard manipulation, and session hijacking, to capture valuable data, such as login credentials, cookies, and credit card information. Wish Stealer can also bypass two-factor authentication (2FA), allowing unauthorized access without alerting the victim. To stay hidden, the malware disables antivirus software and embeds itself deep within system folders, ma...

CYFIRMA Research: G700 - The Next Generation of Craxs RAT
2024-11-07, 08 min
CYFIRMA's latest research highlights the G700 RAT, a potent malware targeting Android devices, especially in the cryptocurrency and finance sectors. With advanced techniques like privilege escalation, SMS hijacking, and phishing injection, G700 RAT can bypass security and compromise sensitive data. Strengthen your defenses to stay protected!
Link to the Research Report: G700 : The Next Generation of Craxs RAT - CYFIRMA
#CyberSecurity #ThreatIntelligence #MalwareAlert #G700RAT #AndroidSecurity #CYFIRMA #InfoSec https://www.cyfirma.com/

CYFIRMA Research: CVE-2024-7479 and CVE-2024-7481 - Privilege Escalation - Vulnerability Analysis and Exploitation
2024-11-06, 03 min
Critical Alert: Organizations using TeamViewer's Remote Client and Remote Host products on Windows must act now! CVE-2024-7479 and CVE-2024-7481 present a severe risk of privilege escalation. With millions of users potentially affected globally, immediate action is crucial. Both flaws involve improper cryptographic signature verification during driver installation. Specifically, CVE-2024-7479 pertains to VPN drivers, while CVE-2024-7481 relates to printer drivers. These vulnerabilities allow local, unprivileged attackers to escalate their privileges by exploiting TeamViewer's installation process and loading malicious drivers onto the system. Users should update to version 15.58.4 or later to mitigate this risk, check...

CYFIRMA Research - Data Breach Investigation on Cisco
2024-10-22, 06 min
CYFIRMA's investigation uncovered a major data breach at Cisco, led by the notorious threat actor IntelBroker. On October 14, 2024, IntelBroker posted on BreachForum, revealing that critical data such as source code, hard-coded credentials, SSL certificates, API tokens, and confidential documents were stolen. This breach impacts Cisco's B2B clients, with over 26 client source codes compromised. Our investigation also found that despite Cisco’s efforts to block access, the hackers regained entry using hard-coded credentials found in previously exfiltrated data. This exposes serious security risks and highlights the need for immediate remediation. Link to the Research Report: Data...

CYFIRMA Research: Tracking Ransomware - September 2024
2024-10-14, 05 min
Stay ahead of cybersecurity trends with CYFIRMA's September 2024 Ransomware Report. This month’s analysis highlights significant shifts among top ransomware groups like Medusa, which saw a 525% surge in victims, while others like RansomHub and Meow experienced declines. Key industries such as IT and transportation saw notable increases, while sectors like manufacturing and finance recorded drops. The report also explores emerging threats like Kransom, a ransomware disguised as a popular game, and highlights the impact of ransomware groups leveraging vulnerabilities in SonicWall systems. Don’t miss out: read the full report to understand the evolving threat landscape and how you...

CYFIRMA Research - iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation
2024-10-11, 03 min
Immediate action is required for all organizations using iTunes for Windows! CVE-2024-44193 is a critical local privilege escalation vulnerability that could lead to unauthorized system access. Attackers exploit misconfigured permissions in the AppleMobileDeviceService.exe to elevate privileges and gain control. Given the widespread use of iTunes, this poses a significant risk. Update iTunes to version 12.13.3 or later, monitor systems for anomalies, and review permissions to prevent exploitation. Stay proactive and secure your systems now! Check CYFIRMA Research's latest report. Link to the Research Report: iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation - CYFIRMA...

CYFIRMA Research: OSINT Investigation - Hunting Malicious Infrastructure Linked to Transparent Tribe
2024-10-01, 05 min
CYFIRMA's latest report delves into a crucial investigation targeting the malicious infrastructure linked to the APT group "Transparent Tribe." Employing open-source intelligence (OSINT), we thoroughly tracked the command-and-control (C2) servers utilized by this persistent threat actor. By leveraging advanced techniques such as JARM fingerprinting, we identified a network of 15 servers hosted by DigitalOcean, primarily aimed at malicious activities against individuals in India, reflecting the group's historical focus on Indian government sectors. This investigation reveals the group's innovative use of Linux desktop entry files as attack vectors, highlighting their continuous adaptation in the dynamic cyber landscape. Additionally, the...

CYFIRMA Research: Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware
2024-09-17, 03 min
The CYFIRMA research team has examined a variant of the Gomorrah stealer malware, a .NET-based malware that targets a range of sensitive data on infected systems. This report provides a comprehensive analysis of its operational methods and the evasion techniques it uses to remain undetected. This information-stealing malware operates within a malware-as-a-service (MaaS) framework and highlights the evolving strategies of cyber threat actors in the modern threat landscape. Stay vigilant, stay secure.
Link to the Research Report: Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware - CYFIRMA
#CYFIRMA #CyberSecurity #GomorrahStealer #MalwareasaService #MalwareAnalysis #CyfirmaResearch #ThreatIntelligence #ExternalThreatLandscapeManagement #ETLM...

CYFIRMA Research: BLX Stealer
2024-09-13, 06 min
The CYFIRMA research team presents an analysis of a new malware, the BLX Stealer, also known as XLABB Stealer, which is targeting sensitive data like credentials, browser information, cryptocurrency wallets, and Discord tokens. Actively promoted on Telegram and Discord, this malware can persist through system reboots and even uses Discord Webhook for data exfiltration. Stay protected by updating software, enabling multi-factor authentication, and monitoring for suspicious activities.
Link to the Research Report: BLX STEALER - CYFIRMA
#BLXStealer #CyberSecurity #MalwareAlert #XLABB #DataProtection #CyfirmaResearch #Stealer #CyberThreat #CYFIRMA #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM https://www.cyfirma.c...

CYFIRMA Research - Tracking Ransomware – August 2024
2024-09-12, 05 min
Stay informed with CYFIRMA's Tracking Ransomware – August 2024 Report, highlighting critical shifts in ransomware activities. Emerging groups like RansomHub and Lynx surged, with RansomHub seeing a 57.78% rise in victims and Lynx skyrocketing by 900%. In contrast, established actors like LockBit3 faced a 23.68% decline. The Manufacturing, Finance, and FMCG sectors were hit the hardest, while the Healthcare and Government sectors saw a decline in attacks. Geographically, the U.S. remains the most impacted region. It's crucial to remain vigilant against emerging cyber threats. Explore the full report to uncover actionable insights that can fortify your defenses and mitigate risks...

CYFIRMA Research - Ailurophile Stealer
2024-09-10, 05 min
The CYFIRMA research team explores a new malware, dubbed "Ailurophile Stealer", that targets sensitive browser data, such as passwords, cookies, and browsing history. Distributed via GitHub, this threat uses advanced tactics like UPX packing and command-and-control communication via Telegram to evade detection. The attackers, likely operating from Vietnam, are using multiple platforms to spread this malware, posing significant risks to individuals and organizations. Stay vigilant, update your security tools, and educate your teams about recognizing and avoiding suspicious activity.
Link to the Research Report: AILUROPHILE STEALER - CYFIRMA
#CyberSecurity #MalwareAlert #DataProtection #ETLM #ExternalThreatLandscapeManagement #A...

CYFIRMA RESEARCH: PowerShell Keylogger
2024-09-07, 06 min
The CYFIRMA research team presents an analysis of a new keylogger that uses PowerShell scripts to silently capture sensitive information, such as passwords and credit card details. This sophisticated malware employs techniques including system discovery, command execution, and encrypted C2 communication. The attackers also use anonymized networks like Tor, making it difficult to trace their activities. Stay vigilant! Ensure your systems are updated and monitor for unusual activity to protect your data.
Link to the Research Report: CYFIRMA RESEARCH : POWERSHELL KEYLOGGER - CYFIRMA
#CyberSecurity #DataBreach #PowerShell #Keylogger #InfoSec #MalwareAlert #DigitalSafety #CyfirmaResearch #CYFIRMA #ExternalThreatLandscapeManagement #ET...

CYFIRMA Research - CVE-2024-30078 Remote Code Execution Vulnerability Analysis and Exploitation
2024-08-29, 03 min
The CYFIRMA research team presents their latest report! Organizations using Microsoft Windows Wi-Fi Drivers must act now! CVE-2024-30078 presents a severe risk of remote code execution. With billions of Microsoft Windows Wi-Fi Drivers potentially affected globally, immediate action is crucial. Learn more with insights into this vulnerability. Safeguard your systems to prevent exploitation.
Link to the Research Report: CVE-2024-30078 Remote Code Execution Vulnerability Analysis and Exploitation - CYFIRMA
#CyberSecurity #VulnerabilityManagement #MicrosoftWindowsWiFiDrivers #CVE202430078 #CYFIRMAResearch #VulnerabilitySummary #ExternalThreatLandscapeManagement #ETLM #CYFIRMA https://www.cyfirma.com/

CYFIRMA Research: A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise
2024-08-28, 04 min
The CYFIRMA research team reveals a critical update in the malware landscape: we have recently identified a dropper binary that deploys an information-stealing malware known as "Angry Stealer." This malware is making its rounds on various platforms, including websites and Telegram, where it is being advertised. Angry Stealer is essentially a rebranded version of Rage Stealer. This malware is designed to exfiltrate a wide range of sensitive data from infected systems, including browser data (passwords, cookies, autofill info), cryptocurrency wallet details, VPN and application data, and more. It uses advanced techniques to evade security measures and sends stolen i...

CYFIRMA Research: Tactics and Motivations of Modern Hacktivists
2024-08-22, 06 min
The CYFIRMA research team’s latest report explores the tactics of hacktivists (ransomware variants, stealer logs, and strategic alliances) and examines their motivations, be they geopolitical, financial, cultural, or racial. It also shows how social media is being leveraged for recruitment, coordination, and monetization via theft or extortion, and asks what the implications are for cybersecurity and what threats face our infrastructure.
Link to the Research Report: Tactics and Motivations of Modern Hacktivists - CYFIRMA
#Cyfirmaresearch #ThreatIntelligence #Cybersecurity #ETLM #Hacktivists #ExternalThreatLandscapeManagement #CYFIRMA #Hacktivism https://www.cyfirma.com/

CYFIRMA Research: QWERTY Information Stealer
2024-08-21, 03 min
CYFIRMA’s research team has just published a new report on the QWERTY Info Stealer malware. Our analysis reveals how this malware collects and sends sensitive data from infected systems while using advanced techniques to avoid detection. Stay informed about this threat to better protect your data and systems.
Link to the Research Report: QWERTY INFORMATION STEALER - CYFIRMA
#Cyfirmaresearch #ThreatIntelligence #Cybersecurity #ETLM #Malware #ExternalThreatLandscapeManagement #CYFIRMA #QWERTYInfoStealer https://www.cyfirma.com/

CYFIRMA Research: Tracking Ransomware - July 2024
Stay informed with CYFIRMA's Tracking Ransomware – July 2024 Report, highlighting the latest cybersecurity trends. RansomHub and LockBit3 have seen significant surges in activity, with LockBit3 experiencing a remarkable 245.5% increase. While the manufacturing sector saw a 10.9% decline, Education faced a staggering 250% rise in attacks. The US continues to be the primary target geographically. The report also covers the evolution of ransomware groups like Black Basta, Play, and Eldorado. Additionally, the newly emerged Vanir Group and MAD LIBERATOR are making aggressive moves. Key events include Russian dominance in ransomware, the release of a new decryptor for DoNex victims, and more.
2024-08-1405 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- CrowdStrike Falcon Sensor Update: Worldwide Blue Screen of Death (BSOD) Incident Update – IIThe CYFIRMA research team is actively monitoring the ongoing fallout from the CrowdStrike Blue Screen of Death (BSOD) incident. Our updated report offers a comprehensive analysis of the tactics, techniques, and procedures (TTPs) used by threat actors exploiting this situation.In this updated report, we provide further insights, including a detailed incident report, an examination of fraudulent attempts by unknown threat actors, phishing domain registrar details, information stealers, and malware campaigns.As we continue our investigation, we will provide additional updates to keep you informed of this unfolding situation. Stay informed! Link to t...2024-08-1306 minCYFIRMA ResearchCYFIRMA ResearchCyfirma Research- Mint StealerThe CYFIRMA research team has examined a variant of the Mint Stealer malware and provides a comprehensive analysis of this information-stealing malware operating within a malware-as-a-service (MaaS) framework. Designed to target sensitive data, Mint Stealer employs sophisticated techniques to evade detection. This report explores its evasion tactics, methods for concealing malicious activities, and highlights the evolving strategies of cyber threat actors in the modern threat landscape. Mint-stealer is being sold on multiple dedicated websites and support is offered through Telegram for its subscribers.To mitigate the risks associated with Mint Stealer, users are advised to e...2024-08-0103 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research: Flame StealerThe Cyfirma research team has investigated the Flame Stealer, which is maintaining a strong presence with predominantly Portuguese speakers. 
This malware is designed to stealthily extract data from a wide range of sources, including discord tokens, browser cookies, credentials, etc.Flame Stealer employs advanced techniques such as covert data extraction, persistence mechanisms, detection evasion, and data exfiltration via Discord webhooks.Link to the the Research Report:  FLAME STEALER - CYFIRMA#CyberSecurity #InfoStealer #FlameStealer #ThreatDetection #CyberThreats #StaySafe #CYFIRMA #CYFIRMAResearch #ExternalThreatLandscapeManagement #ETLMhttps://www.cyfirma.com/2024-07-3006 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- TRACKING RANSOMWARE – JUNE 2024Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware-June 2024 Report.This month's report highlights key trends, including a decrease in ransomware attacks by groups like Play and RansomHub, while Akira and Qilin increased their operations. Discover significant changes in targeted industries, with most sectors experiencing a decline in attacks. Notably, ransomware incidents were reduced by approximately 38.27% from May to June 2024.Link to the Research Report: TRACKING RANSOMWARE - JUNE 2024 - CYFIRMA#ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #Play #Lockbit #Akira #USA #UK#Manufacturing #CyfirmaResearch #ExternalThreatLandscapeManagement h...2024-07-1604 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- PHP CGI Argument Injection (CVE-2024-4577)- Vulnerability Analysis and ExploitationCritical Alert: Organizations using PHP in CGI mode must act now! CVE-2024-4577 presents a severe risk of remote code execution. With millions of websites potentially affected globally, immediate action is crucial. Attackers can exploit CGI argument injection to execute arbitrary commands, leading to unauthorized access or server compromise. 
Update PHP configurations, monitor for unusual activity, and enforce strict input validation immediately. Proactive security measures are essential. Safeguard your systems now to prevent exploitation. Check CYFIRMA Research's latest report.Link to the Research Report: PHP CGI Argument Injection (CVE-2024-4577)- Vulnerability Analysis and Exploitation...2024-07-1203 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research: Kematian-Stealer- A Deep Dive into a New Information StealerThe CYFIRMA team has uncovered "Kematian-Stealer," a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources, including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients. Kematian-Stealer employs advanced techniques such as covert data extraction, persistence mechanisms, detection evasion, in-memory execution, and data exfiltration via Discord webhooks. It can also download and execute additional scripts and payloads directly into memory. The builder for Kematian-Stealer, also hosted on GitHub, allows users to customize and deploy the malware. Features and C2 server d...2024-07-1105 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research: Lumma Stealer-Tactics, Impact, and Defense StrategiesCyfirma research team has examined a variant of Lumma Stealer malware, and this report provides a comprehensive analysis of this advanced information-stealing malware, explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Lumma Stealer targets sensitive data by employing sophisticated techniques, and utilizes counterfeit websites posing as legitimate antivirus software for distribution and promotion.Lumma Stealer, a potent malware written in C, is designed to surreptitiously steal a wide array of data from compromised systems. 
It has rapidly...2024-07-0103 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- Digital Warfare: Pakistan-Based Terrorist Organizations Utilize Digital Platforms in J&K for Psy OpsCYFIRMA's latest investigation reveals how terrorist groups in Kashmir are still exploiting digital platforms to spread propaganda and influence people. Their psychological operations (Psy Ops) aim to manipulate public perception, spread fear, and destabilize the region. Despite a reduction in physical presence, groups like TRF and Kashmir Tigers are ramping up their digital efforts post Article 370 abrogation. Link to the Research Report: Digital Warfare: Pakistan-Based Terrorist Organizations Utilize Digital Platforms in J&K for Psy Ops - CYFIRMA#CyberSecurity #CyfirmaResearch #ExternalThreatLandscapeManagement #ETLM #DigitalThreats #PsyOps #StaySafe #Telegram #Propaganda #Kashmir #Kashmirdispute #CYFIRMA #Terrorism #Terror #Indiaht...2024-06-2604 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- Tracking Ransomware May 2024Stay informed about the latest trends in the ransomware landscape with CYFIRMA's May 2024 Ransomware report. This edition highlights significant increases in ransomware activity, with LockBit3 surging tremendously and Play rising by 10.34%. Incransom's activity doubled, while RansomHub and Medusa also showed notable activity. Manufacturing, real estate, banking, and healthcare sectors saw increased targeting. The US remains the top geographical target. Emerging groups like SpiderX, Fakepenny, and Arcusmedia present new threats. 
Stay vigilant and explore the full report for actionable insights.Link to the Research Report: Tracking Ransomware May 2024 - CYFIRMA  #ThreatLandscape#StaySecure#CyberSecurity#RansomwareReport#Th...2024-06-2004 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- Vidar Stealer: An In-depth Analysis of an Information-Stealing MalwareCYFIRMA research team has examined a variant of Vidar Stealer malware, and this in-depth examination explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it describes the use of social media platforms to procure command and control details for data exfiltration and updates. Vidar Stealer, a potent malware written in C++, is capable of stealing a wide range of data from compromised systems.To mitigate the risks associated with Vidar Stealer, users are advised to exercise caution...2024-06-0604 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - TRACKING RANSOMWARE : APRIL 2024Stay informed about the latest developments in cybersecurity with CYFIRMA's April 2024 Ransomware Report. This edition highlights a shift in the ransomware landscape, with Hunter group now dominating while LockBit's influence declined. The manufacturing sector emerges as a prime target globally, with the USA, Canada, the UK, Germany, and Brazil experiencing significant impacts.The report underscores the evolving tactics of ransomware groups, including rebranding efforts by HelloKitty and the launch of leak sites by C3RB3R. Additionally, emerging groups like SEXi, APT73, and DarkVault are gaining attention for their distinct tactics and choice of targets. 
Notable incidents...2024-05-1503 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android MalwareCYFIRMA’s Research team embarked on a mission to uncover a targeted attack on Indian defense personnel via WhatsApp Messenger. Suspected to originate from Pakistan, the threat actor deployed malicious Android apps disguised as "MNS NH Contact" and "Posted out off," aiming to gain unauthorized access to sensitive information.Our Investigation revealed the use of sophisticated social engineering tactics, with malicious apps designed to exploit vulnerabilities and evade detection. Notably, the attacker employed a Spynote Android remote administration tool or possibly a modified version known as 'Craxs Rat', showcasing their advanced evasion tactics.This incident se...2024-05-1002 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Obfuscated Batch Script’s Journey to Monero MiningAt CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team have identified an open directory listing URLs containing highly obfuscated malicious Windows batch scripts in the wild, which executes a stealthy Monero (XMR) crypto miner as the final payload.This payload is unfolded after 5 stages of unpacking, with capabilities such as Anti analysis /debugging, privilege escalation, defense evasion, stealth execution, file-less execution, and mining cryptocurrency. This malware has a very low to zero malicious reputation on known anti-malware tools.Link to the Research Report: https://www.c...2024-05-0205 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Fletchen Stealer: An Information Stealer with Sophisticated Anti-Analysis MeasuresCyfirma research team discovered a new information stealer named Fletchen Stealer. 
It is a sophisticated information-stealing malware, offered by its creator as stealer-as-a-service for free that poses a significant threat to cybersecurity. A potent malware written in Rust which boasts advanced anti-analysis capabilities exhibits a high degree of resilience against detection and analysis. Its primary function is to steal sensitive data from compromised systems, including passwords, financial information, and cryptocurrency wallets. This malware is persistence-capable and uses scheduled tasks and auto-run registry entries to achieve this.Link to the Research Report: https://www.cyfirma.com/research/fletchen-stealer-an-information-stealer-with-sophisticated-anti-analysis-measures/2024-04-2903 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Ivanti RCE (CVE-2024-21894) Vulnerability Analysis and ExploitationA critical vulnerability, CVE-2024-21894, has been discovered in Ivanti's Connect Secure and Policy Secure gateways, posing a severe global threat to digital security. CYFIRMA’s research team have conducted a thorough analysis of this vulnerability. Immediate action is strongly advised: apply the latest patches provided by Ivanti to secure your systems. Additionally, enhance access controls, bolster your digital infrastructure defenses, and maintain heightened vigilance. Stay informed about potential threats and continuously monitor trusted sources for updates to ensure robust cybersecurity.Link to the Research Report: Ivanti RCE (CVE-2024-21894) Vulnerability Analysis and Exploitation - CYFIRMA2024-04-1903 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research: Tracking Ransomware- March-2024Stay ahead of cybersecurity trends with CYFIRMA's March 2024 Ransomware Report. Lockbit, despite a decline in infections, continues to dominate. The manufacturing sector is a primary target across the globe. 
Notably, the USA remains a primary victim, trailed by Canada, the UK, Germany, and Spain.Witness the evolution of ransomware tactics as groups like RA World expand their global reach, while StopCrypt evolves to evade detection. GhostLocker 2.0 emerges with enhanced encryption, and Qilin advances with a Rust-based variant targeting VMware servers.New threats surface with Donex encrypting data and Kill Security listing fresh victims. March’s ke...2024-04-1204 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research- A New Campaign Identified Targeting Individuals in South AsiaCyfirma’s latest research uncovers a sophisticated cyber threat targeting individuals in South Asia. Our research team identified a malicious campaign involving a deceptive SFX archive executable. These files, embedded in the malicious binary and decoy PDF, are part of a multifaceted attack aimed at infiltrating systems and executing malicious actions. Further analysis hints at collaboration with Russian cybercriminals, raising concerns about C2 infrastructure targeting individuals in South Asia.Stay informed with our detailed report shedding light on the tactics and techniques employed by threat actors. Arm yourself with knowledge to defend against the ever-evolving cyber landscape. 2024-04-1104 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Sync-Scheduler StealerCyfirma research team discovered a new document stealer Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. It is being distributed as an embedded component in the Office document file. Malware code is hidden under the page title of the first slide of the PowerPoint presentation and file-nesting is used to hide the PowerPoint presentation in the Word document as an embedded component. 
Link to the Research Report: https://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/#CYFIRMA #CYFIRMAResearch #CyberSecurity #MalwareAlert #DataProtection #CyberThreats #StaySecure #SecurityUpdates #Stealer #ETLM #ExternalThreatLandscapeManagementhttps://w...2024-03-2902 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - FortiOS/FortiProxy (CVE-2024-21762)- Vulnerability Analysis and ExploitationA critical vulnerability, CVE-2024-21762, has been identified in Fortinet's FortiOS/FortiProxy, posing a severe global threat to digital security. CYFIRMA researchers have conducted an exhaustive analysis of the vulnerability. Immediate action is strongly advised. Apply the latest patches provided by Fortinet to secure your systems. Enhance access controls, bolster your digital infrastructure defenses, and maintain heightened vigilance. Stay informed about potential threats and continuously monitor trusted sources for updates to ensure robust cybersecurity. Link to the Research Report: FortiOS/FortiProxy (CVE-2024-21762)- Vulnerability Analysis and Exploitation - CYFIRMA#CYFIRMA #CYFIRMAResearch #CyberSecurity #VulnerabilityAlert #DataProtection #Cy...2024-03-2202 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Islamic State’s Telegram Hustle: How a Terrorist Organization Raises FundsThe CYFIRMA Research team embarked on an investigation to uncover activities linked to the banned organization Islamic State. We aimed to gain access to the group or identify individuals endorsing its ideology. During our investigation we infiltrated a Telegram channel promoting Islamic State’s beliefs, which was also part of a private RocketChat server exclusively used by ISIS. Additionally, we uncovered a donation program operating through a Telegram channel, the "WhispersOfTheForgotten". Our team engaged with the admin of the channel to in order to understand their intentions and the true purpose behind the donation program. 
Li...2024-03-1403 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Tracking Ransomware- February 2024Stay informed on the evolving cybersecurity landscape with CYFIRMA's February 2024 Monthly Ransomware Report. LockBit leads the charts despite a takedown by law enforcement, showcasing resilience and technical prowess. Manufacturing takes the hit, recording a 40% rise in attacks. The USA remains a prime target, followed by the UK, Canada, France, and Spain.The evolution of ransomware tactics becomes apparent as LockBit aggressively returns, and RansomHouse introduces 'MrAgent' for automated attacks.Emerging threats include Alpha's sophistication and the mysterious Blackout group.February witnessed significant events: Knight ransomware's source code for sale, Hyundai Motor hit by...2024-03-1104 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Exploiting Document Templates: Stego-Campaign Deploying Remcos RAT and Agent TeslaOur latest cyber threat research at Cyfirma reveals a complex stego-campaign, showcasing a malicious .docx file that's raising serious concerns in the cybersecurity landscape. Our dedicated team unearthed a sophisticated attack chain that employs template injection, effectively bypassing conventional email security measures.The malicious .docx file, distributed possibly through phishing emails, sets off a multi-stage attack upon opening. The attack involves the deployment of the Remcos Remote Access Trojan (RAT) and the notorious Agent Tesla malware, each with its set of malicious functionalities. 
Notably, the document, seemingly benign on the surface, contains a targeted approach, hinting at...2024-03-0604 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Exploit Analysis: SSRF and Command Injection for Unauthenticated RCE in Ivanti Connect SecureRead our Cyfirma Research report, which explores why Ivanti Connect Secure & Policy Secure users, should be cautious of a critical SSRF vulnerability (CVE-2024-21893) which affects your systems, enabling attackers to bypass mitigations and execute remote code. Exploits, like CVE-2023-46805 & CVE-2024-21887, demonstrate the severity.Ivanti has released a second mitigation and patches to address all vulnerabilities. Ensure your systems are up to date and protected against these threats. Stay vigilant and take action to safeguard your network.Link to the Research Report: Exploit Analysis: SSRF and Command Injection for Unauthenticated RCE in Ivanti...2024-03-0103 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Xeno RAT: A New Remote Access Trojan with Advance CapabilitiesCYFIRMA’s research team has discovered a new Remote Access Trojan named Xeno-RAT, featuring sophisticated capabilities. Through comprehensive analysis, our report explores the various evasion techniques utilized by threat actors to circumvent detection, as well as elucidates the methods employed in creating robust malware payloads.Xeno RAT, a potent malware written in C# with advanced capabilities, demonstrates an alarming trend as it continuously evolves to enhance its features. It exploits the DLL search order functionality in Windows to load malicious DLLs into trusted executable processes and employs process injection to inject malicious code into legitimate Windows processes. Em...2024-02-2703 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Jenkins (CVE-2024-23897) – Vulnerability Analysis and ExploitationUrgent Security Advisory! 
A critical vulnerability, CVE-2024-23897, has surfaced in Jenkins, posing a global threat to digital security. CYFIRMA researchers have conducted an in-depth analysis and exploitation, Immediate action is advised - secure your systems with the latest Jenkins patches. Strengthen access controls, fortify your digital infrastructure, and remain vigilant. Stay informed about potential threats and regularly monitor trusted sources for updates to ensure robust cybersecurity.Link to the Research Report: Jenkins (CVE-2024-23897) - Vulnerability Analysis and Exploitation - CYFIRMA#CYFIRMA #CYFIRMAResearch #CyberSecurity #VulnerabilityAlert #DataProtection #CyberThreats #StaySecure #JenkinsSecurity #SecurityUpdates #CVE-2024-23897 #Jenkins #ETLM...2024-02-1903 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Ransomware Trends- January 2024Uncover the latest trends in the cybersecurity landscape with CYFIRMA's January 2024 Monthly Ransomware Report. LockBit takes the lead with 64 victims, targeting diverse industries, notably Manufacturing. Despite a 20.51% dip in incidents from December 2023, the long-term trend indicates a persistent rise in ransomware threats. New players like Slug, Going Insane, and Kasseika bring fresh challenges to the forefront.In January, the USA faced 140 ransomware incidents, emphasizing the importance of robust cybersecurity. Notable events include Akira's attack on a major IT firm and Blackcat impacting Fidelity National Financial. The report also uncovers the relationship between 3AM and other groups.2024-02-1304 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Comprehensive Analysis of CVE-2024-21833 Vulnerability in TP-Link Routers : Threat Landscape, Exploitation Risks, and Mitigation StrategiesCYFIRMA’s research team, reveals a critical OS command injection vulnerability (CVE-2024-21833) affecting TP-Link Routers, demanding immediate attention. 
With a high CVSS score of 8.8, this flaw poses a significant risk, attracting state-sponsored entities and threat groups. Active exploitation is observed, emphasizing the need for prompt patching, proactive monitoring, and collaboration within the cybersecurity community. Organizations using TP-Link devices are urged to update firmware, strengthen passwords, and optimize configurations to fortify defenses against potential exploits. Stay vigilant to safeguard network infrastructure and prevent unauthorized access.Link to the Research Report: Comprehensive Analysis of CVE-2024-21833 Vulnerability in TP...2024-02-0303 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS ProgramThe CYFIRMA research team reveals a Russian-origin Drainer-as-a-Service (DaaS) project gaining traction in the hacking community. This crypto drainer targets wallets on Ethereum, BNB, Polygon, etc with a massive affiliate network of 10k members. Our investigation reveals how the threat actors are creating phishing infrastructure at no cost, subsequently using compromised Twitter accounts to launch crypto phishing campaigns - making it a situation where the risk is low, the skill level required is minimal, but the potential rewards are high. Link to the Research Report: Russian Threat Actors Abuse Cloudflare and Freenom Services to run Daa...2024-02-0104 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - LOOKING INTO THE CRYSTAL BALL: WHAT WILL 2024 BRING IN GEOPOLITICSThe geopolitical landscape in 2024 is at a critical juncture! As we begin the year, explore five key events may shape the course of global affairs and have profound effect on the Cyber Threat Landscape through this Cyfirma blog! 
Covering the below key events:   ·       World Goes to the Polls: Over four billion people in nearly 80 countries will participate in elections, with Taiwan's recent election raising tensions in the Taiwan Strait.·       Stalemate in Ukraine: The conflict between Russia and Ukraine remains in an attritional phase, with cyber warfare becoming a pivotal element in the ongoing struggle.2024-01-3007 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - From Screen Captures to Crypto wallets: Analyzing the Multi-Faceted Threat of Rage Stealer“CYFIRMA’ s research team has identified a new stealer in the wild called “Rage Stealer”. Rage Stealer employs a multifaceted approach, covertly extracting sensitive data encompassing browsers, cryptocurrency wallets, files, credentials, and various applications data. What sets "Rage Stealer" apart is its systematic organization of extracted information into specific directories, ensuring a streamlined process. The malware's ingenious technique lies in its adeptness at compressing and archiving data, and discreetly exfiltrates via the Telegram. The malware promoted under the moniker "xStealer" on a dedicated Telegram channel and the promoter also engages with users on channel, and even offe...2024-01-2903 minCYFIRMA ResearchCYFIRMA ResearchCYFIRMA Research - Pakistan-based Threat Actor Targets Indians with Fake Loan Android ApplicationThe CYFIRMA team recently discovered a malicious Android package orchestrating a sophisticated extortion scheme. Masked as a loan app promising quick funds, unsuspecting users are duped into revealing sensitive information during the installation process. The deceptive app coerces victims into submitting KYC details, including a selfie, gradually acquiring a wealth of personal data. Once armed with a government ID, contact list, and text messages, threat actors manipulate selfies into compromising content. 
Subsequently, they exploit the situation, attempting extortion by threatening to distribute the manipulated images. Although the demanded amount is minimal, persistent messages and calls create pressure o...
2024-01-24 | 03 min

CYFIRMA Research - Apache Struts RCE (CVE-2023-50164)- Vulnerability Analysis and Exploitation
A critical vulnerability has been identified in Apache Struts 2, exposing a global threat to digital security. CYFIRMA Researchers have analysed this flaw, uncovering potential risks of unauthorized access and data breaches. It is advised to take immediate action - secure your systems with the latest Apache Struts 2 patches. Strengthen access controls, fortify your digital infrastructure, and remain vigilant. Stay informed about potential threats and regularly monitor trusted sources for updates to ensure robust cybersecurity.
Link to the Research Report: Apache Struts RCE (CVE-2023-50164)- Vulnerability Analysis and Exploitation - CYFIRMA
#CYFIRMA #CYFIRMAResearch #CyberSecurity #VulnerabilityAlert...
2024-01-18 | 02 min

CYFIRMA Research- Tracking Ransomware- December 2023
Dive into Cyfirma's December 2023 Ransomware Report for an exploration of evolving cyber threats. The rise of new players like Hunters International, Dragon Force and WereWolves highlights a severe threat. With 75% more incidents in 2023 than in 2022, this report unveils critical insights into the escalating global cybersecurity threat.
Covering key events during this period such as: Akira hitting Nissan Australia, Play targeting GRTC, LockBit strikes Xeinadin, Rhysida infiltrating King Edward VII's Hospital.
Read the full report for a comprehensive understanding of the month's top 5 ransomware groups, industries targeted, geography targeted, trend comparison, evolution in groups, and new players...
2024-01-11 | 03 min

CYFIRMA Research - OwnCloud: CVE-2023-49103 Vulnerability Analysis and Exploitation
CYFIRMA's Research team has conducted a thorough analysis of the critical security vulnerability, CVE-2023-49103, in OwnCloud's Graph. Uncovered by ownCloud on November 21, 2023, this vulnerability is assigned a CVSS score of 7.5, underscoring its severity. This flaw directly impacts OwnCloud/graphapi, posing a significant risk of unauthorized access to sensitive information! Our report provides valuable insights into the nature of the vulnerability, its potential impact, insights from underground forums and the critical importance of prompt mitigation.
Link to the Research Report: OwnCloud : CVE-2023-49103 Vulnerability Analysis and Exploitation - CYFIRMA
#CyberSecurity #OwnCloud #VulnerabilityAlert #St...
2023-12-26 | 03 min

CYFIRMA Research: Tracking Ransomware- November 2023
Dive into the November 2023 Ransomware Report by CYFIRMA for a deep dive into evolving cyber threats. LockBit dominates with 108 victims. With a 25% surge in attacks on Manufacturing and a 78.3% rise in FMCG incidents, the need for defences is evident. Geographically, the USA remains a prime target, experiencing a 45.72% share of attacks. Explore the developments in ransomware like DJVU, Phobos and Cerber. GhostSec came up with GhostLocker, and CVE-2023-4966 and other vulnerabilities were exploited by LockBit, Cl0p and other groups. There was an increase of approximately 18.21% in ransomware victims from October to November 2023.
Stay vigilant and informed ag...
2023-12-22 | 04 min

CYFIRMA Research - F5 BIG-IP Remote Code Execution – CVE-2023-46747 – Vulnerability Analysis and Exploitation
A critical vulnerability, CVE-2023-46747, has surfaced in the F5 BIG-IP Traffic Management User Interface (TMUI), posing a significant global threat to organizations. This flaw enables unauthorized remote code execution, potentially compromising digital assets. CYFIRMA's Research team has conducted an extensive analysis of this security flaw. Take immediate action! Ensure your systems are shielded with the latest F5 patches. Strengthen access controls and maintain vigilant monitoring of your digital infrastructure.
Link to the Research Report: F5 BIG-IP Remote Code Execution - CVE-2023-46747 - Vulnerability Analysis and Exploitation - CYFIRMA
2023-12-11 | 03 min

CYFIRMA Research - Episode 061: TRACKING RANSOMWARE: OCTOBER 2023
Explore the October 2023 Ransomware Report from CYFIRMA, uncovering the ever-changing landscape of cyber threats. LockBit leads the charge with 66 victims. Manufacturing takes a hit with 64 incidents, stressing the need for specific defences. The USA is a prime target, enduring 151 ransomware incidents, and now a new player, Hunters International, adds a twist to the cybersecurity plot. While there's a 33.34% drop in victims from September, the battle against ransomware continues. Geographically, the report highlights the USA, bearing 43.64% of attacks, showing a deliberate focus on nations with advanced technology. See the evolution of BlackCat's 'Munchkin' tool...
2023-11-23 | 04 min

CYFIRMA Research - Episode 060: Citrix Bleed: CVE-2023-4966 Vulnerability Analysis and Exploitation
A critical vulnerability found in Citrix ADC/Gateway poses a severe threat to digital security. This flaw facilitates unauthorized access and potential data breaches, raising concerns globally. CYFIRMA researchers have done an in-depth analysis of this vulnerability. Immediate action needed! Secure your systems with the latest patches from Citrix. Strengthen access controls and maintain constant vigilance over your digital infrastructure. Stay wary of potential threats and regularly monitor trusted sources for updates.
Link to the Research Report: Citrix Bleed: CVE-2023-4966 Vulnerability Analysis and Exploitation - CYFIRMA
#CYFIRMA #CYFIRMAResearch #CyberSecurity #VulnerabilityAlert #DataProtection #CyberThreats #StaySec...
2023-11-20 | 02 min

CYFIRMA Research - Episode 055: Cyfirma Quarterly Ransomware Report: Q3 2023
Stay ahead of ransomware threats with the CYFIRMA 2023 Q3 Ransomware Report, offering essential insights into the ever-evolving cyber threat landscape. This quarter saw a stark reminder of the urgent need for robust cybersecurity measures, as the manufacturing industry topped the list with 209 reported cyberattacks. In addition to manufacturing, industries like IT, FMCG, Healthcare and Real Estate and Construction are also grappling with alarming data breaches. The Cl0p ransomware group stood out for its remarkable adaptability, making it a significant threat. Moreover, the United States emerged as the most heavily targeted region, with the UK, Germany, Ca...
2023-10-30 | 05 min

CYFIRMA Research - Episode 054: Part 2: Craxs Rat Latest Version with Dropper Module.
The team at CYFIRMA recently obtained the new version of Craxs RAT. We observed the latest developments in the advanced Craxs Remote Administration Tool. The tool is now equipped with the dropper module that generates a malicious Android payload which carries the main payload. This new add-on empowers threat actors to compromise Android users with greater efficiency. What's more, the introduction of a novel dropper module has left the security community astonished, as this is the first publicly available RAT that provides a dropper option to target Android users. To learn more about this powerful...
2023-10-27 | 02 min

CYFIRMA Research - Episode 052: Atlassian Confluence Data Center and Server CVE-2023-22515 BAC Vulnerability Analysis and Exploitation
A critical vulnerability, CVE-2023-22515, has been detected in the Atlassian Confluence Data Center and Server, posing a grave threat to organizations globally. This flaw allows unauthorized access and privilege escalation, leaving digital assets vulnerable to hackers. Alarmingly, the notorious ransomware group Trigona is also linked to this threat. CYFIRMA Research has done an in-depth analysis of this vulnerability. Take immediate action! Ensure your systems are fortified with the latest patches from Atlassian. Bolster access controls and maintain vigilant oversight of your digital environment. Stay alert to potential attacks and diligently follow updates from trusted sources.
2023-10-20 | 02 min

CYFIRMA Research- Episode 044: CHIT-CHAT WITH A RANSOMWARE OPERATOR
Learn about the experience of a ransomware operator in their own words! CYFIRMA Research recently published a report on a new threat actor group known as Fusion Core. In a follow-up, we were able to get in touch with "NecroSys", who is the developer of SarinLocker ransomware and the current face of FusionCore. Read what NecroSys has to say about FusionCore's alleged links with APT groups, their malware arsenal and what's on the horizon for them.
Link to the Research Report: CYFIRMA RESEARCH - CHIT-CHAT WITH A RANSOMWARE OPERATOR - CYFIRMA
#externalthreatlandscape #cyber...
2023-10-04 | 12 min

CYFIRMA Research - Episode 040: Mini Cyber-Conflict Leaving Impact on Small Businesses and Government Sector
CYFIRMA's Research team is closely monitoring an evolving cyber conflict between independent hacktivist groups in Asia and the Middle East. This isn't state-backed, but it's impacting small businesses. A surge in cyber-attacks from Islamic countries like Indonesia, Pakistan, Bangladesh, Afghanistan, and Malaysia, initially sparked by perceived injustices against Muslims in India, has taken an unexpected turn. Indian hackers have also retaliated, resulting in unintended harm to businesses in both regions. The Russia-Ukraine conflict birthed cyber hacktivist groups on both sides, resorting to aggressive tactics like DDOS attacks and defacements to convey their messages. This...
2023-09-22 | 03 min

CYFIRMA Research - Episode 037: Tracking Ransomware- August 2023
The CYFIRMA monthly Ransomware Report thoroughly analyses ransomware activity in August 2023, covering significant attacks, the top five ransomware families, geographical distribution, targeted industries, evolution of attacks, new ransomware groups, vulnerabilities exploited by ransomware groups, and trends between July and August 2023. Organizations can leverage these insights to enhance their cybersecurity strategies and mitigate ransomware risks.
Link to the Research Report: Tracking Ransomware - August 2023 - CYFIRMA
#RansomwareTrends #CybersecurityInsights #ThreatLandscape #StaySecure #CyberSecurity #RansomwareReport #ThreatIntelligence #Ransomware #DigitalDefense #Cyfirma #ETLM #Cyfirmaresearch #LockBit #Cloak #Akira #Knightransomware #INCransomware #ScatteredSpider #ViceSociety #RhysidaRansomware #BlackCatSphynx https://www.cyfirma.com/
2023-09-07 | 05 min

CYFIRMA Research - Episode 031: TRACKING RANSOMWARE– JULY 2023
The latest CYFIRMA Monthly Ransomware report presents an evolving threat landscape marked by a surge in ransomware attacks, significantly impacting critical industries on a global scale. The 'Cl0p' group stands at the forefront, targeting 183 victims, while the IT and Manufacturing sectors endure the highest toll, each encountering 50 incidents. The United States faces the brunt with 186 attacks, underscoring the unwavering pursuit of high-value targets. Noteworthy incidents such as Maximus and the Port of Nagoya underscore the gravity of the situation, while emerging players 'Cactus' and 'Cyclops' introduce new dimensions of threat. In the face of t...
2023-08-17 | 05 min

CYFIRMA Research - Episode 019: WISE REMOTE Stealer Unleashed: Unveiling Its Multifaceted Malicious Arsenal
Information stealers remain an enduring and evolving security concern for individuals and organizations alike. CYFIRMA's Research team has recently uncovered an advanced information stealer, known as "WISE REMOTE Stealer," that functions as both a stealer and a Remote Access Trojan (RAT). This sophisticated malware has gained significant traction through promotion in underground forums. Continual enhancements are observed within the WISE REMOTE Stealer, as the threat actor diligently incorporates new features to amplify its effectiveness and expand its user base. This report offers in-depth insights into the comprehensive capabilities and features of WISE REMOTE Stealer, empowering stakeholders with a...
2023-07-06 | 04 min

CYFIRMA Research - Episode 016: Zero Day Shop
The CYFIRMA research team has identified a new marketplace run by unknown threat actors, known as the Zero-Day Shop. It serves as a one-stop destination for threat actors, offering a range of dangerous tools and services. Zero Day Shop acts as a middleman between initial access brokers and offers malware and exploit software to launch devastating cyber-attacks. The consequences of the products on offer are far-reaching: data breaches, financial fraud, identity theft, and reputational damage. Therefore, organizations must remain vigilant and bolster their defenses against these evolving threats.
Link to Research Report: Research Report: Zero Day Shop...
2023-06-26 | 04 min

CYFIRMA Research - Episode 014: DoNot APT Elevates its Tactics by Deploying Malicious Android Apps on Google Play Store
The team at CYFIRMA recently obtained suspicious Android apps hosted on the Google Play Store under the account "SecurITY Industry". Further technical analysis revealed that the apps have malware characteristics and belong to the notorious Advanced Persistent Threat group "DoNot". A total of three Android apps were hosted with the names Device Basic Plus, nSure Chat, and iKHfaa VPN, two of which, nSure Chat and iKHfaa VPN, have malicious characteristics. The report highlights deep technical analysis, including modus operandi and the "DoNot" group's shift from previously targeting individuals in Kashmir to expanding their target range, in order to gather information...
2023-06-19 | 03 min

CYFIRMA Research - Episode 013: Mystic Stealer – Evolving "stealth" Malware
Information stealers pose an ongoing and dynamic threat to the security of both individuals and organizations. CYFIRMA's Research team recently discovered an information stealer called "Mystic Stealer" being promoted in an underground forum, with the threat actor utilizing a Telegram channel for their operations. This threat actor continuously enhances the malware, incorporating new features to enhance its effectiveness and expand its user base. Our open-source intelligence (OSINT) investigation revealed the existence of over 50 active command and control (C2) servers, indicating the growing prevalence of this threat. Given the consistent demand for potent information stealers, "Mystic Stealer" emerges as a potentia...
2023-06-15 | 05 min

CYFIRMA Research - Episode 012: Unveiling DeltaBoys : Interview about their Past and Motivation
Cyfirma recently interviewed the DeltaBoys, a threat actor group that specialises in mass defacements. Following our recent research report, 'DeltaBoys- Black Hats on the Rise', our insightful and unique interview explores the DeltaBoys' ideological and geopolitical motivations, affiliations, their financial motivations, and gives them the chance to have their voices heard across the world.
Link to Research Report: Unveiling DeltaBoys : Interview about their Past and Motivation. - CYFIRMA
#CyfirmaInterviews #DeltaBoys #ThreatActorGroup #MassDefacements #CyberSecurity #ResearchReport #BlackHatsOnTheRise #FinancialMotivations #IdeologicalMotivations #VoiceOfDeltaBoys #SecurityResearch https://www.cyfirma.com/
2023-06-14 | 08 min

CYFIRMA Research - Episode 011: Unveiling an Authenticated Stored Cross-Site Scripting Zero-Day Vulnerability in PowerPress Plugin 10.2.3 and Earlier
Blubrry PowerPress, a popular plugin used by podcasters to enhance their websites, has recently come under scrutiny due to a security vulnerability. Cybersecurity researchers at CYFIRMA discovered the security vulnerability, specifically affecting versions 10.2.3 and earlier. The vulnerability identified is a zero-day authenticated stored cross-site scripting (XSS) exploit, found within the "Show Title" field, which allows an attacker with authenticated access to inject malicious code into the podcast's title, potentially compromising the security and integrity of the affected website.
Link to Research Report: Unveiling an Authenticated Stored Cross-Site Scripting Zero-Day Vulnerability in PowerPress Plugin 10.2.3 and Earlier - CYFIRM...
2023-06-08 | 02 min

CYFIRMA Research - Episode 007: Evolution of KILLNET from Hacktivism to Private Hackers Company and the Role of Sub-groups
Recently KILLNET creator 'KillMilk' announced that they were building a global team of operators from the darknet and special services members, with financially motivated destructive capabilities. Their operation went full circle from offering services to hackers and competing businessmen, to taking orders from private and state persons, along with defending the interests of the Russian Federation. The CYFIRMA research report focused on analyzing KILLNET, its subgroups, capabilities, and recent developments in the group's motive.
Key Points: The KILLNET operation has come full circle, evolving from a service provider for hackers and competing businesses, to a priv...
2023-05-17 | 04 min

CYFIRMA Research - Episode 001: ARES Leaks Emerging Cyber Crime Cartel
ARES is a new threat actor group identified by CYFIRMA Research. ARES is involved in selling corporate and government authority databases. CYFIRMA Research has observed cartel-like behaviour, affiliations with other threat actors, and connections with established hacking groups like the RANSOMHOUSE ransomware group, KelvinSecurity, and the Adrastea hacker group. ARES Leaks is potentially becoming an alternative to BreachedForum, intensifying its efforts to add more threat actors and leaks to its platform. The ARES group comprises expert penetration testers, malware developers, and other resources, offering not only data leaks but also Botnet and DDoS services. The OSINT search reveals that the group's...
2023-04-28 | 04 min