Our Q2 2024 APT Quarterly Highlights report reveals a surge of dynamic and innovative cyber activities from Iranian, Russian, Chinese, and North Korean APT groups, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats from Iran's Void Manticore and APT42 targeting critical sectors, to Russia's APT28 and …

A critical vulnerability (CVE-2024-24919) with a CVSS score of 8.6 has been discovered in EOL Check Point devices, allowing remote attackers to read arbitrary files. The Hacktivist group "Ghost Clan Malaysia" has shared affected IP addresses worldwide. Upgrade to supported versions and apply necessary hotfixes immediately to protect your data and i…

Braodo Info Stealer, a Python-based malware, is targeting users in Vietnam and several other countries. This sophisticated threat spreads possibly through phishing emails, uses GitHub for hosting malicious code, and exfiltrates stolen data via Telegram channels. Learn more about this emerging threat impacting global cybersecurity. Link to the Resea…

Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware-June 2024 Report. This month's report highlights key trends, including a decrease in ransomware attacks by groups like Play and RansomHub, while Akira and Qilin increased their operations. Discover significant changes in targeted industries, with most se…

Critical Alert: Organizations using PHP in CGI mode must act now! CVE-2024-4577 presents a severe risk of remote code execution. With millions of websites potentially affected globally, immediate action is crucial. Attackers can exploit CGI argument injection to execute arbitrary commands, leading to unauthorized access or server compromise. Update…

The CYFIRMA team has uncovered "Kematian-Stealer," a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources, including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients. Kematian-Stealer employs adv…

This year’s Olympic games come at a heightened moment for international conflict & terrorism. The potential for a jihadi group or individuals inspired by one to take the world’s attention with a potential attack or for Russia to try to embarrass France with acts of sabotage are very high. Link to the Research Report: Paris Olympics - CYFIRMA #Geopo…

Cyfirma research team has examined a variant of Lumma Stealer malware, and this report provides a comprehensive analysis of this advanced information-stealing malware, explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Lumma S…

CYFIRMA's latest investigation reveals how terrorist groups in Kashmir are still exploiting digital platforms to spread propaganda and influence people. Their psychological operations (Psy Ops) aim to manipulate public perception, spread fear, and destabilize the region. Despite a reduction in physical presence, groups like TRF and Kashmir Tigers a…

Stay informed about the latest trends in the ransomware landscape with CYFIRMA's May 2024 Ransomware report. This edition highlights significant increases in ransomware activity, with LockBit3 surging tremendously and Play rising by 10.34%. Incransom's activity doubled, while RansomHub and Medusa also showed notable activity. Manufacturing, real es…

CYFIRMA research team has examined a variant of Vidar Stealer malware, and this in-depth examination explores the tactics employed by threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it describes the use of social media platforms to procure co…

Urgent Alert: Hackers are actively exploiting CVE-2024-3273, a critical vulnerability in D-Link NAS devices, with affected device IP addresses being shared on underground forums. With over 90,000 potentially impacted devices globally and inclusion in CISA's Known Exploited Vulnerabilities list, immediate action is crucial to secure data and prevent…

The notorious Nikki Stealer group has transitioned into the Iluria Stealer group, maintaining a strong presence with a predominantly Portuguese-speaking user base. Both their websites are hosted by Hostinger, and the current owner, as per his Discord bio, claims to be the former CEO of Nikki Stealer. Dynamic analysis reveals that Iluria Stealer has…

Meet Synapse ransomware, the newest digital threat on the block. This latest threat, emerging in February 2024, operates under a Ransomware-as-a-Service model, distributing its malicious payload via the dark web. Our research sheds light on the internal working of this malware. Discover how it selectively avoids encrypting Iranian systems, raising …

Critical Alert: Organizations relying on Tinyproxy must act now! CVE-2023-49606 poses a grave risk of remote code execution. With 1.6M+ servers potentially affected globally; swift action is imperative. Attackers exploit HTTP requests to trigger memory corruption, risking unauthorized access or service disruptions. Update Tinyproxy, monitor for ano…

Our latest report dives into the information stealer SamsStealer, a newly identified information stealer targeting Windows systems. This stealer is written in .NET, is designed to extract sensitive data stealthily from a variety of browsers and applications, including Chrome, Microsoft Edge, Discord, and cryptocurrency wallets. Once it has gathered…

India's Loksabha Elections 2024 hold immense significance, not only for the nation but also for the global democratic landscape. The scale and complexity of the electoral process make it susceptible to cyberattacks, especially with the proliferation of generative AI and deepfake technologies. Link to the Research Report: The Indian Election : The G…

Stay informed about the latest developments in cybersecurity with CYFIRMA's April 2024 Ransomware Report. This edition highlights a shift in the ransomware landscape, with Hunter group now dominating while LockBit's influence declined. The manufacturing sector emerges as a prime target globally, with the USA, Canada, the UK, Germany, and Brazil exp…

CYFIRMA’s Research team embarked on a mission to uncover a targeted attack on Indian defense personnel via WhatsApp Messenger. Suspected to originate from Pakistan, the threat actor deployed malicious Android apps disguised as "MNS NH Contact" and "Posted out off," aiming to gain unauthorized access to sensitive information. Our Investigation revea…

Palo Alto Networks has uncovered CVE-2024-3400, a critical vulnerability exploited by threat actor 'UTA0218' in a sophisticated two-stage attack. This flaw allows unauthorized command execution on vulnerable PAN-OS devices via a backdoor mechanism. Adding to the urgency, CISA has promptly listed CVE-2024-3400 in its Known Exploited Vulnerabilities …

At CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team have identified an open directory listing URLs containing highly obfuscated malicious Windows batch scripts in the wild, which executes a stealthy Monero (XMR) crypto miner as the final payload. This payload…

Cyfirma research team discovered a new information stealer named Fletchen Stealer. It is a sophisticated information-stealing malware, offered by its creator as stealer-as-a-service for free that poses a significant threat to cybersecurity. A potent malware written in Rust which boasts advanced anti-analysis capabilities exhibits a high degree of r…

Our Q1 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups from Iran, Russia, China, and North Korea, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats, with Iranian groups like Homeland Justice and Mint Sandstorm targeting governmental and …

A shadow war between Israel and Iran is escalating, but despite unprecedented attacks, both sides are so far trying to keep the conflict below the level of an all-out-war. Israel has vowed to respond to Iran's unprecedented attack; however, the war cabinet seems to be divided over the issue of retaliation. Political considerations are increasingly …

A critical vulnerability, CVE-2024-21894, has been discovered in Ivanti's Connect Secure and Policy Secure gateways, posing a severe global threat to digital security. CYFIRMA’s research team have conducted a thorough analysis of this vulnerability. Immediate action is strongly advised: apply the latest patches provided by Ivanti to secure your sys…

The most important evolving threat to the electric grids is cyber threats and physical security. The power grid in the US and more so in Europe is experiencing a transformation, as the world shifts to sustainable energy, which entails increased reliance on offshore wind farms and undersea infrastructure that are going to supply large chunks of the …

Stay ahead of cybersecurity trends with CYFIRMA's March 2024 Ransomware Report. Lockbit, despite a decline in infections, continues to dominate. The manufacturing sector is a primary target across the globe. Notably, the USA remains a primary victim, trailed by Canada, the UK, Germany, and Spain. Witness the evolution of ransomware tactics as group…

Cyfirma’s latest research uncovers a sophisticated cyber threat targeting individuals in South Asia. Our research team identified a malicious campaign involving a deceptive SFX archive executable. These files, embedded in the malicious binary and decoy PDF, are part of a multifaceted attack aimed at infiltrating systems and executing malicious acti…

Our latest report sheds light on CVE-2024-27198, a severe vulnerability that has been exploited for unauthorized admin access and privilege escalation in JetBrains TeamCity, marked by CISA on March 7, 2024, as a significant threat. This breach has led to Jasmin ransomware attacks and unauthorized user setups, linked to the BianLian and Jasmin famil…

A new concern is beginning to surface as part of the instability in the vital Red Sea shipping corridor: the Houthis or other threat actors may target the numerous subsea cables that transport almost all of the data and financial communications between Europe and Asia. In our blog, we highlight how subsea infrastructure is vulnerable to attack and …

Cyfirma research team discovered a new document stealer Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. It is being distributed as an embedded component in the Office document file. Malware code is hidden under the page title of the first slide of the PowerPoint presentation and file-nesting …

A critical vulnerability, CVE-2024-21762, has been identified in Fortinet's FortiOS/FortiProxy, posing a severe global threat to digital security. CYFIRMA researchers have conducted an exhaustive analysis of the vulnerability. Immediate action is strongly advised. Apply the latest patches provided by Fortinet to secure your systems. Enhance access …

An individual, formerly known for defacing websites, has transitioned to selling a Discord stealer called Nikki Stealer, developed using the Electron framework. With a moderate level of confidence, we assess the developer is from either Brazil or Portugal. This individual has a history of website defacement and is now engaged in selling this steale…

The CYFIRMA Research team embarked on an investigation to uncover activities linked to the banned organization Islamic State. We aimed to gain access to the group or identify individuals endorsing its ideology. During our investigation we infiltrated a Telegram channel promoting Islamic State’s beliefs, which was also part of a private RocketChat s…

Stay informed on the evolving cybersecurity landscape with CYFIRMA's February 2024 Monthly Ransomware Report. LockBit leads the charts despite a takedown by law enforcement, showcasing resilience and technical prowess. Manufacturing takes the hit, recording a 40% rise in attacks. The USA remains a prime target, followed by the UK, Canada, France, a…

The CYFIRMA research team has uncovered a new and highly destructive malware, WinDestroyer. It lacks ransom demands, is geopolitically motivated, and is developed for hacktivism against the backdrop of the Russia-Ukraine conflict. The malware employs DLL reload attacks, API hammering, and lateral movement capabilities, rendering systems unusable. D…

Our latest cyber threat research at Cyfirma reveals a complex stego-campaign, showcasing a malicious .docx file that's raising serious concerns in the cybersecurity landscape. Our dedicated team unearthed a sophisticated attack chain that employs template injection, effectively bypassing conventional email security measures. The malicious .docx fil…

Dive into the cybersecurity storm as ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708) open the door to a looming LockBit ransomware threat. With over 95,311 instances at risk, organizations worldwide must act swiftly. Discover the nuances of this critical connection. Link to the Research Report: The ScreenConnect Saga: A Deep Dive into…

Read our Cyfirma Research report, which explores why Ivanti Connect Secure & Policy Secure users, should be cautious of a critical SSRF vulnerability (CVE-2024-21893) which affects your systems, enabling attackers to bypass mitigations and execute remote code. Exploits, like CVE-2023-46805 & CVE-2024-21887, demonstrate the severity. Ivanti has rele…

CYFIRMA’s research team has discovered a new Remote Access Trojan named Xeno-RAT, featuring sophisticated capabilities. Through comprehensive analysis, our report explores the various evasion techniques utilized by threat actors to circumvent detection, as well as elucidates the methods employed in creating robust malware payloads. Xeno RAT, a pote…

The recent acceleration in hostilities involving Iran-backed militias and the United States, coupled with a surge in Israeli strikes on Iranian positions in Syria, seems to have compelled Tehran to reassess elements of its regional strategy. These regional escalations come at an inopportune time for Iran. This report assesses the current situation …

Urgent Security Advisory! A critical vulnerability, CVE-2024-23897, has surfaced in Jenkins, posing a global threat to digital security. CYFIRMA researchers have conducted an in-depth analysis and exploitation, Immediate action is advised - secure your systems with the latest Jenkins patches. Strengthen access controls, fortify your digital infrast…

Our latest report talks about the XSSLite Stealer; an infostealer born from a malware development competition on a Russian hacking forum. This infostealer comes with anti-sandbox & anti-debugging capabilities, in addition to a web panel's source code to receive the stealer logs from compromised victims. A hefty prize pool of tens of thousands of US…

Uncover the latest trends in the cybersecurity landscape with CYFIRMA's January 2024 Monthly Ransomware Report. LockBit takes the lead with 64 victims, targeting diverse industries, notably Manufacturing. Despite a 20.51% dip in incidents from December 2023, the long-term trend indicates a persistent rise in ransomware threats. New players like Slu…

In times of conflict, the cyber realm becomes a battleground too! Instances like the Russia-Ukraine war & Israel-Gaza conflict show how hacktivists are playing a role. They launch attacks using DDoS tools, deface websites, and even mentor others to disrupt organizations. In the ongoing Israel-Palestine conflict, hackers are wreaking havoc online to…

CYFIRMA’s research team, reveals a critical OS command injection vulnerability (CVE-2024-21833) affecting TP-Link Routers, demanding immediate attention. With a high CVSS score of 8.8, this flaw poses a significant risk, attracting state-sponsored entities and threat groups. Active exploitation is observed, emphasizing the need for prompt patching,…

The CYFIRMA research team reveals a Russian-origin Drainer-as-a-Service (DaaS) project gaining traction in the hacking community. This crypto drainer targets wallets on Ethereum, BNB, Polygon, etc with a massive affiliate network of 10k members. Our investigation reveals how the threat actors are creating phishing infrastructure at no cost, subsequ…

The geopolitical landscape in 2024 is at a critical juncture! As we begin the year, explore five key events may shape the course of global affairs and have profound effect on the Cyber Threat Landscape through this Cyfirma blog! Covering the below key events: · World Goes to the Polls: Over four billion people in nearly 80 countries will participat…

“CYFIRMA’ s research team has identified a new stealer in the wild called “Rage Stealer”. Rage Stealer employs a multifaceted approach, covertly extracting sensitive data encompassing browsers, cryptocurrency wallets, files, credentials, and various applications data. What sets "Rage Stealer" apart is its systematic organization of extracted inform…

The CYFIRMA team recently discovered a malicious Android package orchestrating a sophisticated extortion scheme. Masked as a loan app promising quick funds, unsuspecting users are duped into revealing sensitive information during the installation process. The deceptive app coerces victims into submitting KYC details, including a selfie, gradually a…