CYFIRMA public
 
Cyber defenders, listen up! The CYFIRMA Research podcast has some juicy intel on the latest cyber threats that are lurking in the shadows. Tune in to this security briefing to stay on top of emerging threats and be ready to tackle digital risk like never before.
 
 
The CYFIRMA research team’s latest report explores the tactics of hacktivists - ransomware variants, stealer logs, and strategic alliances - and examines their motivations, be they geopolitical, financial, cultural, or racial. It also shows how social media is being leveraged for recruitment, coordination, and monetization via theft or extortion, what …
 
CYFIRMA’s research team has just published a new report on the QWERTY Info Stealer malware. Our analysis reveals how this malware collects and sends sensitive data from infected systems while using advanced techniques to avoid detection. Stay informed about this threat to better protect your data and systems. Link to the Research Report: QWERTY IN…
 
U.S. water systems deliver safe and affordable drinking water to millions of people, while also supporting agriculture, industry, and power generation. However, this critical infrastructure faces significant challenges from aging facilities, increasing demand, and emerging cyberthreats. Our report outlines the key threats to water infrastructure, t…
 
Stay informed with CYFIRMA's Tracking Ransomware-July 2024 Report, highlighting the latest cybersecurity trends. RansomHub and LockBit3 have seen significant surges in activity, with LockBit3 experiencing a remarkable 245.5% increase. While the manufacturing sector saw a 10.9% decline, Education faced a staggering 250% rise in attacks. The US conti…
 
The CYFIRMA research team is actively monitoring the ongoing fallout from the CrowdStrike Blue Screen of Death (BSOD) incident. Our updated report offers a comprehensive analysis of the tactics, techniques, and procedures (TTPs) used by threat actors exploiting this situation. In this updated report, we provide further insights, including a detaile…
 
CVE-2024-6387 Alert! A critical vulnerability in OpenSSH's server (sshd) allows unauthenticated remote code execution with root access, affecting over 4.8 million internet-exposed instances. This flaw poses a significant risk across various industries and geographies and is being actively exploited in the wild, as confirmed by CISA’s Known Exploite…
 
The death of Hamas leader Ismail Haniyeh in Tehran, and the announcement of the death of Hamas military wing commander Muhammad Daif on the same day, are likely to escalate the ongoing cyberwar as Iran vows revenge. The dire humanitarian situation in Gaza will continue to fuel pro-Palestinian sentiment and inspire further hacktivist action, while the…
 
Critical Alert: Organizations relying on ServiceNow must act now! CVE-2024-4879 poses a grave risk of remote code execution and unauthorized data access. With extensive global use, swift action is imperative. Attackers exploit Jelly template injections to trigger code execution, risking sensitive data and service disruptions. Update ServiceNow, mon…
 
The CYFIRMA research team has examined a variant of the Mint Stealer malware and provides a comprehensive analysis of this information-stealing malware operating within a malware-as-a-service (MaaS) framework. Designed to target sensitive data, Mint Stealer employs sophisticated techniques to evade detection. This report explores its evasion tactic…
 
The Cyfirma research team has investigated Flame Stealer, which maintains a strong presence among predominantly Portuguese-speaking users. This malware is designed to stealthily extract data from a wide range of sources, including Discord tokens, browser cookies, credentials, etc. Flame Stealer employs advanced techniques such as covert data extr…
 
Our Q2 2024 APT Quarterly Highlights report reveals a surge of dynamic and innovative cyber activities from Iranian, Russian, Chinese, and North Korean APT groups, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats from Iran's Void Manticore and APT42 targeting critical sectors, to Russia's APT28 and …
 
A critical vulnerability (CVE-2024-24919) with a CVSS score of 8.6 has been discovered in EOL Check Point devices, allowing remote attackers to read arbitrary files. The Hacktivist group "Ghost Clan Malaysia" has shared affected IP addresses worldwide. Upgrade to supported versions and apply necessary hotfixes immediately to protect your data and i…
 
Braodo Info Stealer, a Python-based malware, is targeting users in Vietnam and several other countries. This sophisticated threat possibly spreads through phishing emails, uses GitHub for hosting malicious code, and exfiltrates stolen data via Telegram channels. Learn more about this emerging threat impacting global cybersecurity. Link to the Resea…
 
Stay informed about the latest developments in cybersecurity with CYFIRMA's Tracking Ransomware-June 2024 Report. This month's report highlights key trends, including a decrease in ransomware attacks by groups like Play and RansomHub, while Akira and Qilin increased their operations. Discover significant changes in targeted industries, with most se…
 
Critical Alert: Organizations using PHP in CGI mode must act now! CVE-2024-4577 presents a severe risk of remote code execution. With millions of websites potentially affected globally, immediate action is crucial. Attackers can exploit CGI argument injection to execute arbitrary commands, leading to unauthorized access or server compromise. Update…
 
The CYFIRMA team has uncovered "Kematian-Stealer," a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources, including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients. Kematian-Stealer employs adv…
 
This year’s Olympic games come at a heightened moment for international conflict and terrorism. The potential for a jihadi group, or individuals inspired by one, to seize the world’s attention with an attack, or for Russia to try to embarrass France with acts of sabotage, is very high. Link to the Research Report: Paris Olympics - CYFIRMA #Geopo…
 
The Cyfirma research team has examined a variant of the Lumma Stealer malware. This report provides a comprehensive analysis of this advanced information-stealing malware, exploring the tactics employed by the threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Lumma S…
 
CYFIRMA's latest investigation reveals how terrorist groups in Kashmir are still exploiting digital platforms to spread propaganda and influence people. Their psychological operations (Psy Ops) aim to manipulate public perception, spread fear, and destabilize the region. Despite a reduction in physical presence, groups like TRF and Kashmir Tigers a…
 
Stay informed about the latest trends in the ransomware landscape with CYFIRMA's May 2024 Ransomware report. This edition highlights significant increases in ransomware activity, with LockBit3 surging tremendously and Play rising by 10.34%. Incransom's activity doubled, while RansomHub and Medusa also showed notable activity. Manufacturing, real es…
 
The CYFIRMA research team has examined a variant of the Vidar Stealer malware. This in-depth examination explores the tactics employed by the threat actor to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it describes the use of social media platforms to procure co…
 
Urgent Alert: Hackers are actively exploiting CVE-2024-3273, a critical vulnerability in D-Link NAS devices, with affected device IP addresses being shared on underground forums. With over 90,000 potentially impacted devices globally and inclusion in CISA's Known Exploited Vulnerabilities list, immediate action is crucial to secure data and prevent…
 
The notorious Nikki Stealer group has transitioned into the Iluria Stealer group, maintaining a strong presence with a predominantly Portuguese-speaking user base. Both their websites are hosted by Hostinger, and the current owner, as per his Discord bio, claims to be the former CEO of Nikki Stealer. Dynamic analysis reveals that Iluria Stealer has…
 
Meet Synapse ransomware, the newest digital threat on the block. This latest threat, emerging in February 2024, operates under a Ransomware-as-a-Service model, distributing its malicious payload via the dark web. Our research sheds light on the internal workings of this malware. Discover how it selectively avoids encrypting Iranian systems, raising …
 
Critical Alert: Organizations relying on Tinyproxy must act now! CVE-2023-49606 poses a grave risk of remote code execution. With 1.6M+ servers potentially affected globally, swift action is imperative. Attackers exploit HTTP requests to trigger memory corruption, risking unauthorized access or service disruptions. Update Tinyproxy, monitor for ano…
 
Our latest report dives into SamsStealer, a newly identified information stealer targeting Windows systems. This stealer, written in .NET, is designed to extract sensitive data stealthily from a variety of browsers and applications, including Chrome, Microsoft Edge, Discord, and cryptocurrency wallets. Once it has gathered…
 
India's Lok Sabha Elections 2024 hold immense significance, not only for the nation but also for the global democratic landscape. The scale and complexity of the electoral process make it susceptible to cyberattacks, especially with the proliferation of generative AI and deepfake technologies. Link to the Research Report: The Indian Election : The G…
 
Stay informed about the latest developments in cybersecurity with CYFIRMA's April 2024 Ransomware Report. This edition highlights a shift in the ransomware landscape, with Hunter group now dominating while LockBit's influence declined. The manufacturing sector emerges as a prime target globally, with the USA, Canada, the UK, Germany, and Brazil exp…
 
CYFIRMA’s research team embarked on a mission to uncover a targeted attack on Indian defense personnel via WhatsApp Messenger. Suspected to originate from Pakistan, the threat actor deployed malicious Android apps disguised as "MNS NH Contact" and "Posted out off," aiming to gain unauthorized access to sensitive information. Our investigation revea…
 
Palo Alto Networks has uncovered CVE-2024-3400, a critical vulnerability exploited by threat actor 'UTA0218' in a sophisticated two-stage attack. This flaw allows unauthorized command execution on vulnerable PAN-OS devices via a backdoor mechanism. Adding to the urgency, CISA has promptly listed CVE-2024-3400 in its Known Exploited Vulnerabilities …
 
At CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team has identified an open directory listing URLs containing highly obfuscated malicious Windows batch scripts in the wild, which execute a stealthy Monero (XMR) crypto miner as the final payload. This payload…
 
The Cyfirma research team discovered a new information stealer named Fletchen Stealer, a sophisticated information-stealing malware offered by its creator as a free stealer-as-a-service, which poses a significant threat to cybersecurity. Written in Rust and boasting advanced anti-analysis capabilities, this potent malware exhibits a high degree of r…
 
Our Q1 2024 APT Quarterly Highlights Report unveils a surge of dynamic and innovative cyber activities from APT groups from Iran, Russia, China, and North Korea, challenging the global cybersecurity landscape. Detailed analysis reveals escalating cyber threats, with Iranian groups like Homeland Justice and Mint Sandstorm targeting governmental and …
 
A shadow war between Israel and Iran is escalating, but despite unprecedented attacks, both sides are so far trying to keep the conflict below the level of an all-out war. Israel has vowed to respond to Iran's unprecedented attack; however, the war cabinet seems to be divided over the issue of retaliation. Political considerations are increasingly …
 
A critical vulnerability, CVE-2024-21894, has been discovered in Ivanti's Connect Secure and Policy Secure gateways, posing a severe global threat to digital security. CYFIRMA’s research team has conducted a thorough analysis of this vulnerability. Immediate action is strongly advised: apply the latest patches provided by Ivanti to secure your sys…
 
The most important evolving threats to electric grids are cyber threats and physical security. The power grid in the US, and more so in Europe, is experiencing a transformation as the world shifts to sustainable energy, which entails increased reliance on offshore wind farms and undersea infrastructure that are going to supply large chunks of the …
 
Stay ahead of cybersecurity trends with CYFIRMA's March 2024 Ransomware Report. Lockbit, despite a decline in infections, continues to dominate. The manufacturing sector is a primary target across the globe. Notably, the USA remains a primary victim, trailed by Canada, the UK, Germany, and Spain. Witness the evolution of ransomware tactics as group…
 
Cyfirma’s latest research uncovers a sophisticated cyber threat targeting individuals in South Asia. Our research team identified a malicious campaign involving a deceptive SFX archive executable. These files, embedded in the malicious binary and decoy PDF, are part of a multifaceted attack aimed at infiltrating systems and executing malicious acti…
 
Our latest report sheds light on CVE-2024-27198, a severe vulnerability that has been exploited for unauthorized admin access and privilege escalation in JetBrains TeamCity, marked by CISA on March 7, 2024, as a significant threat. This breach has led to Jasmin ransomware attacks and unauthorized user setups, linked to the BianLian and Jasmin famil…
 
A new concern is beginning to surface as part of the instability in the vital Red Sea shipping corridor: the Houthis or other threat actors may target the numerous subsea cables that transport almost all of the data and financial communications between Europe and Asia. In our blog, we highlight how subsea infrastructure is vulnerable to attack and …
 
The Cyfirma research team discovered a new document stealer, Sync-Scheduler, a potent malware written in C++ boasting defense evasion and anti-analysis capabilities. It is being distributed as an embedded component in an Office document file. The malware code is hidden under the page title of the first slide of the PowerPoint presentation and file-nesting …
 
A critical vulnerability, CVE-2024-21762, has been identified in Fortinet's FortiOS/FortiProxy, posing a severe global threat to digital security. CYFIRMA researchers have conducted an exhaustive analysis of the vulnerability. Immediate action is strongly advised. Apply the latest patches provided by Fortinet to secure your systems. Enhance access …
 
An individual, formerly known for defacing websites, has transitioned to selling a Discord stealer called Nikki Stealer, developed using the Electron framework. With a moderate level of confidence, we assess the developer is from either Brazil or Portugal. This individual has a history of website defacement and is now engaged in selling this steale…
 
The CYFIRMA Research team embarked on an investigation to uncover activities linked to the banned organization Islamic State. We aimed to gain access to the group or identify individuals endorsing its ideology. During our investigation we infiltrated a Telegram channel promoting Islamic State’s beliefs, which was also part of a private RocketChat s…
 
Stay informed on the evolving cybersecurity landscape with CYFIRMA's February 2024 Monthly Ransomware Report. LockBit leads the charts despite a takedown by law enforcement, showcasing resilience and technical prowess. Manufacturing takes the hit, recording a 40% rise in attacks. The USA remains a prime target, followed by the UK, Canada, France, a…
 
The CYFIRMA research team has uncovered a new and highly destructive malware, WinDestroyer. It lacks ransom demands, is geopolitically motivated, and is developed for hacktivism against the backdrop of the Russia-Ukraine conflict. The malware employs DLL reload attacks, API hammering, and lateral movement capabilities, rendering systems unusable. D…
 
Our latest cyber threat research at Cyfirma reveals a complex stego-campaign, showcasing a malicious .docx file that's raising serious concerns in the cybersecurity landscape. Our dedicated team unearthed a sophisticated attack chain that employs template injection, effectively bypassing conventional email security measures. The malicious .docx fil…
 
Dive into the cybersecurity storm as ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708) open the door to a looming LockBit ransomware threat. With over 95,311 instances at risk, organizations worldwide must act swiftly. Discover the nuances of this critical connection. Link to the Research Report: The ScreenConnect Saga: A Deep Dive into…
 
Read our Cyfirma Research report, which explores why Ivanti Connect Secure and Policy Secure users should be cautious of a critical SSRF vulnerability (CVE-2024-21893) that affects their systems, enabling attackers to bypass mitigations and execute remote code. Exploits like CVE-2023-46805 and CVE-2024-21887 demonstrate the severity. Ivanti has rele…
 
CYFIRMA’s research team has discovered a new Remote Access Trojan named Xeno-RAT, featuring sophisticated capabilities. Through comprehensive analysis, our report explores the various evasion techniques utilized by threat actors to circumvent detection, as well as elucidates the methods employed in creating robust malware payloads. Xeno RAT, a pote…
 