Stay informed about the latest developments in cybersecurity with CYFIRMA's April 2024 Ransomware Report. This edition highlights a shift in the ransomware landscape, with Hunter group now dominating while LockBit's influence declined. The manufacturing sector emerges as a prime target globally, with the USA, Canada, the UK, Germany, and Brazil exp…

CYFIRMA’s Research team embarked on a mission to uncover a targeted attack on Indian defense personnel via WhatsApp Messenger. Suspected to originate from Pakistan, the threat actor deployed malicious Android apps disguised as "MNS NH Contact" and "Posted out off," aiming to gain unauthorized access to sensitive information. Our Investigation revea…

Palo Alto Networks has uncovered CVE-2024-3400, a critical vulnerability exploited by threat actor 'UTA0218' in a sophisticated two-stage attack. This flaw allows unauthorized command execution on vulnerable PAN-OS devices via a backdoor mechanism. Adding to the urgency, CISA has promptly listed CVE-2024-3400 in its Known Exploited Vulnerabilities …

At CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team have identified an open directory listing URLs containing highly obfuscated malicious Windows batch scripts in the wild, which executes a stealthy Monero (XMR) crypto miner as the final payload. This payload…

Cyfirma research team discovered a new information stealer named Fletchen Stealer. It is a sophisticated information-stealing malware, offered by its creator as stealer-as-a-service for free that poses a significant threat to cybersecurity. A potent malware written in Rust which boasts advanced anti-analysis capabilities exhibits a high degree of r…

Our Q1 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups from Iran, Russia, China, and North Korea, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats, with Iranian groups like Homeland Justice and Mint Sandstorm targeting governmental and …

A shadow war between Israel and Iran is escalating, but despite unprecedented attacks, both sides are so far trying to keep the conflict below the level of an all-out-war. Israel has vowed to respond to Iran's unprecedented attack; however, the war cabinet seems to be divided over the issue of retaliation. Political considerations are increasingly …

A critical vulnerability, CVE-2024-21894, has been discovered in Ivanti's Connect Secure and Policy Secure gateways, posing a severe global threat to digital security. CYFIRMA’s research team have conducted a thorough analysis of this vulnerability. Immediate action is strongly advised: apply the latest patches provided by Ivanti to secure your sys…

The most important evolving threat to the electric grids is cyber threats and physical security. The power grid in the US and more so in Europe is experiencing a transformation, as the world shifts to sustainable energy, which entails increased reliance on offshore wind farms and undersea infrastructure that are going to supply large chunks of the …

Stay ahead of cybersecurity trends with CYFIRMA's March 2024 Ransomware Report. Lockbit, despite a decline in infections, continues to dominate. The manufacturing sector is a primary target across the globe. Notably, the USA remains a primary victim, trailed by Canada, the UK, Germany, and Spain. Witness the evolution of ransomware tactics as group…

Cyfirma’s latest research uncovers a sophisticated cyber threat targeting individuals in South Asia. Our research team identified a malicious campaign involving a deceptive SFX archive executable. These files, embedded in the malicious binary and decoy PDF, are part of a multifaceted attack aimed at infiltrating systems and executing malicious acti…

Our latest report sheds light on CVE-2024-27198, a severe vulnerability that has been exploited for unauthorized admin access and privilege escalation in JetBrains TeamCity, marked by CISA on March 7, 2024, as a significant threat. This breach has led to Jasmin ransomware attacks and unauthorized user setups, linked to the BianLian and Jasmin famil…

A new concern is beginning to surface as part of the instability in the vital Red Sea shipping corridor: the Houthis or other threat actors may target the numerous subsea cables that transport almost all of the data and financial communications between Europe and Asia. In our blog, we highlight how subsea infrastructure is vulnerable to attack and …

Cyfirma research team discovered a new document stealer Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. It is being distributed as an embedded component in the Office document file. Malware code is hidden under the page title of the first slide of the PowerPoint presentation and file-nesting …

A critical vulnerability, CVE-2024-21762, has been identified in Fortinet's FortiOS/FortiProxy, posing a severe global threat to digital security. CYFIRMA researchers have conducted an exhaustive analysis of the vulnerability. Immediate action is strongly advised. Apply the latest patches provided by Fortinet to secure your systems. Enhance access …

An individual, formerly known for defacing websites, has transitioned to selling a Discord stealer called Nikki Stealer, developed using the Electron framework. With a moderate level of confidence, we assess the developer is from either Brazil or Portugal. This individual has a history of website defacement and is now engaged in selling this steale…

The CYFIRMA Research team embarked on an investigation to uncover activities linked to the banned organization Islamic State. We aimed to gain access to the group or identify individuals endorsing its ideology. During our investigation we infiltrated a Telegram channel promoting Islamic State’s beliefs, which was also part of a private RocketChat s…

Stay informed on the evolving cybersecurity landscape with CYFIRMA's February 2024 Monthly Ransomware Report. LockBit leads the charts despite a takedown by law enforcement, showcasing resilience and technical prowess. Manufacturing takes the hit, recording a 40% rise in attacks. The USA remains a prime target, followed by the UK, Canada, France, a…

The CYFIRMA research team has uncovered a new and highly destructive malware, WinDestroyer. It lacks ransom demands, is geopolitically motivated, and is developed for hacktivism against the backdrop of the Russia-Ukraine conflict. The malware employs DLL reload attacks, API hammering, and lateral movement capabilities, rendering systems unusable. D…

Our latest cyber threat research at Cyfirma reveals a complex stego-campaign, showcasing a malicious .docx file that's raising serious concerns in the cybersecurity landscape. Our dedicated team unearthed a sophisticated attack chain that employs template injection, effectively bypassing conventional email security measures. The malicious .docx fil…

Dive into the cybersecurity storm as ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708) open the door to a looming LockBit ransomware threat. With over 95,311 instances at risk, organizations worldwide must act swiftly. Discover the nuances of this critical connection. Link to the Research Report: The ScreenConnect Saga: A Deep Dive into…

Read our Cyfirma Research report, which explores why Ivanti Connect Secure & Policy Secure users, should be cautious of a critical SSRF vulnerability (CVE-2024-21893) which affects your systems, enabling attackers to bypass mitigations and execute remote code. Exploits, like CVE-2023-46805 & CVE-2024-21887, demonstrate the severity. Ivanti has rele…

CYFIRMA’s research team has discovered a new Remote Access Trojan named Xeno-RAT, featuring sophisticated capabilities. Through comprehensive analysis, our report explores the various evasion techniques utilized by threat actors to circumvent detection, as well as elucidates the methods employed in creating robust malware payloads. Xeno RAT, a pote…

The recent acceleration in hostilities involving Iran-backed militias and the United States, coupled with a surge in Israeli strikes on Iranian positions in Syria, seems to have compelled Tehran to reassess elements of its regional strategy. These regional escalations come at an inopportune time for Iran. This report assesses the current situation …

Urgent Security Advisory! A critical vulnerability, CVE-2024-23897, has surfaced in Jenkins, posing a global threat to digital security. CYFIRMA researchers have conducted an in-depth analysis and exploitation, Immediate action is advised - secure your systems with the latest Jenkins patches. Strengthen access controls, fortify your digital infrast…

Our latest report talks about the XSSLite Stealer; an infostealer born from a malware development competition on a Russian hacking forum. This infostealer comes with anti-sandbox & anti-debugging capabilities, in addition to a web panel's source code to receive the stealer logs from compromised victims. A hefty prize pool of tens of thousands of US…

Uncover the latest trends in the cybersecurity landscape with CYFIRMA's January 2024 Monthly Ransomware Report. LockBit takes the lead with 64 victims, targeting diverse industries, notably Manufacturing. Despite a 20.51% dip in incidents from December 2023, the long-term trend indicates a persistent rise in ransomware threats. New players like Slu…

In times of conflict, the cyber realm becomes a battleground too! Instances like the Russia-Ukraine war & Israel-Gaza conflict show how hacktivists are playing a role. They launch attacks using DDoS tools, deface websites, and even mentor others to disrupt organizations. In the ongoing Israel-Palestine conflict, hackers are wreaking havoc online to…

CYFIRMA’s research team, reveals a critical OS command injection vulnerability (CVE-2024-21833) affecting TP-Link Routers, demanding immediate attention. With a high CVSS score of 8.8, this flaw poses a significant risk, attracting state-sponsored entities and threat groups. Active exploitation is observed, emphasizing the need for prompt patching,…

The CYFIRMA research team reveals a Russian-origin Drainer-as-a-Service (DaaS) project gaining traction in the hacking community. This crypto drainer targets wallets on Ethereum, BNB, Polygon, etc with a massive affiliate network of 10k members. Our investigation reveals how the threat actors are creating phishing infrastructure at no cost, subsequ…

The geopolitical landscape in 2024 is at a critical juncture! As we begin the year, explore five key events may shape the course of global affairs and have profound effect on the Cyber Threat Landscape through this Cyfirma blog! Covering the below key events: · World Goes to the Polls: Over four billion people in nearly 80 countries will participat…

“CYFIRMA’ s research team has identified a new stealer in the wild called “Rage Stealer”. Rage Stealer employs a multifaceted approach, covertly extracting sensitive data encompassing browsers, cryptocurrency wallets, files, credentials, and various applications data. What sets "Rage Stealer" apart is its systematic organization of extracted inform…

The CYFIRMA team recently discovered a malicious Android package orchestrating a sophisticated extortion scheme. Masked as a loan app promising quick funds, unsuspecting users are duped into revealing sensitive information during the installation process. The deceptive app coerces victims into submitting KYC details, including a selfie, gradually a…

CYFIRMA’s Q4 2023 APT report focusses on APT groups from Iran, Russia, China, and North Korea, that brought forth a wave of dynamic and innovative cyber activities, challenging the global cyber security landscape. Iranian actors targeted telecom, higher education, and tech sectors, showcasing updated techniques and new C2 frameworks in the backdrop…

Monster Cloud, an emerging player in the Russian stealer log threat landscape, has shifted from just offering stealer logs to a Malware-as-a-Service (MaaS) model. Operating on Telegram, these threat actors have announced the release of their fully native proprietary information stealer. In this report, we dive into the operations of the Russian-spe…

A critical vulnerability has been identified in Apache Struts 2, exposing a global threat to digital security. CYFIRMA Researchers have analysed this flaw, uncovering potential risks of unauthorized access and data breaches. It is advised to take immediate action - secure your systems with the latest Apache Struts 2 patches. Strengthen access contr…

Taiwan’s election marks the first on the calendar in what will be the largest election year in history. Understanding how the onslaught of disinformation will impact the opinions of the Taiwanese public will be critical for Taiwan’s election, but the tactics and behaviors will likely be duplicated elsewhere, not only by the Chinese Communist Party …

Dive into Cyfirma’s December 2023 Ransomware Report for an exploration of evolving cyber threats. The rise of new players like Hunters International, Dragon Force and WereWolves highlight a severe threat. With 75% more incidents in 2023 than in 2022, this report unveils critical insights into the escalating global cybersecurity threat. Covering key…

At Cyfirma, we are committed to providing up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. This comprehensive analysis delves into the dissemination of cryptocurrency miners through a YouTube channel. Examining the tactics employed, the report reveals a concernin…

This report provides a glimpse into the evolving landscape of RAT development and malicious activities performed by threat actors working under name of ‘Anonymous Arabic’. Our team investigated the Silver RAT (written in C sharp) which has capabilities to bypass anti-viruses and covertly launch hidden applications, browsers, keyloggers, and other m…

Satellites now sit at the heart of geopolitical power, playing a pivotal role in warfare and strategy. SpaceX's Tranche 0 satellites for the U.S. military and Starlink's impact in Ukraine exemplify this shift. Yet, amidst the dazzle of rocket launches and mega constellations, a silent cyber battle is escalating. This report explores the interconnec…

CYFIRMA’s Research team has conducted a thorough analysis of the critical security vulnerability, CVE-2023-49103, in OwnCloud's Graph. Uncovered by ownCloud on November 21, 2023, this vulnerability is assigned a CVSS score of 7.5, underscoring its severity. This flaw directly impacts OwnCloud/graphapi, posing a significant risk of unauthorized acce…

Dive into the November 2023 Ransomware Report by CYFIRMA for a deep dive into evolving cyber threats. LockBit dominates with 108 victims. With a 25% surge in attacks on Manufacturing and a 78.3% rise in FMCG incidents, the need for defences is evident. Geographically, the USA remains a prime target, experiencing a 45.72% share of attacks. Explore t…

This report explores a sophisticated cyber threat orchestrated by the Sidewinder APT group. Targeting Nepalese government officials, this advanced threat involves a malicious Word document wielding a stealthy Nim backdoor. Unraveling the attack chain reveals a symphony of tactics, including VB scripts, BAT scripts, and a deceptive payload camouflag…

A critical vulnerability, CVE-2023-46747, has surfaced in the F5 BIG-IP Traffic Management User Interface (TMUI), posing a significant global threat to organizations. This flaw enables unauthorized remote code execution, potentially compromising digital assets. CYFIRMA’s Research team has conducted an extensive analysis of this security flaw. Take …

The world has witnessed an unprecedented surge in conflicts over the past two years, surpassing any period since the end of World War II. Amidst a fracturing world order and the waning Pax Americana, simmering tensions threaten to erupt suddenly, or at the very least, escalate into major crises with significant cyber repercussions. Link to the Rese…

At Cyfirma, we are committed to providing up-to-date information on the prevalent threats and tactics used by malicious actors. Our latest report delves into DanaBot Stealer and presents a comprehensive overview of its functionality and capabilities. DanaBot is a stealthy, multi-stage and versatile malware that infiltrates computers to steal valuab…

Cyfirma’s latest report concerning a new malware, Nova, being offered by MaaSoperators Sordeal who have been actively distributing it since early 2023. This information stealer exhibits advanced capabilities, leveraging sophisticated techniques for anti-forensics and defense evasion. Nova targets most of the commonly used browsers, exfiltrating aut…

Amidst the conflicts in Ukraine and Gaza, little attention has been paid to China’s ongoing coercion in the South China Sea. Yet Beijing and Manila are in the midst of an increasingly tense standoff over Second Thomas Shoal, which could easily escalate into a major crisis or even a conflict with cyber fallout. Link to the Research Report: WITH THE …

Explore the October 2023 Ransomware Report from CYFIRMA, uncovering the ever-changing landscape of cyber threats. LockBit leads the charge with 66 victims. Manufacturing takes a hit with 64 incidents, stressing the need for specific defences. The USA is a prime target, enduring 151 ransomware incidents, and now, a new player, Hunters International,…