AMD

Microsoft

Intel


Security updates from Microsoft, AMD, and Intel disclose a suite of high-severity vulnerabilities

Vulnerabilities disclosed by Microsoft, AMD, and Intel in their security updates result in attacks ranging from arbitrary code execution, privilege escalation t...

13-Nov-2021
3 min read

Related Articles


Kawasaki

RansomHub

Kawasaki Motors Europe recovers from RansomHub’s ransomware attack, analyzing st...

In early September 2024, Kawasaki Motors Europe (KME) was the target of a cyberattack later claimed by the RansomHub ransomware gang. Although the attack itself was not successful, it triggered a swift response involving temporary server isolation and a comprehensive data recovery effort. With RansomHub threatening to leak 487 GB of stolen data, details of Kawasaki's recovery continue to emerge, highlighting the evolving tactics of ransomware groups.

### Anatomy of the Kawasaki Motors Europe (KME) Cyberattack

Kawasaki's response was marked by the isolation of its servers across Europe. As part of this defensive strategy, the company began a remediation process to remove any lingering malware. According to [Kawasaki](https://www.kawasaki.eu/en/News_and_events/kawasaki-european-HQ-recovers-from-cyber-attack.html), while the attack caused temporary disruptions, its business operations, including dealerships, suppliers, and logistics, remained largely unaffected.

### KME’s Multi-layered Incident Response Strategy

1️⃣ **Server Isolation:** Kawasaki isolated its servers to prevent malware from propagating across its infrastructure.

2️⃣ **Collaborative Analysis:** Kawasaki's internal IT teams worked alongside an external cybersecurity team, ensuring each server was scanned before being reconnected to the corporate network.

3️⃣ **Malware Remediation:** The effort centered on identifying and neutralizing anything suspicious that could compromise the integrity of its systems.

By the end of the recovery phase, 90% of the company's servers were expected to be operational again, underscoring the resilience of Kawasaki's disaster recovery protocols.

### RansomHub’s Bold Move: Claiming Responsibility

The RansomHub ransomware group, known for its ransomware-as-a-service (RaaS) model, claimed responsibility for the attack on September 5, 2024. As part of its extortion effort, the group added Kawasaki to its dark web leak portal, threatening to release 487 GB of stolen data if its demands were not met.

### Dissecting RansomHub’s Threat Model

RansomHub's approach follows the modern double extortion playbook: encrypting the victim's data while threatening to publish sensitive information unless a ransom is paid. Its rapid growth has been attributed to an influx of affiliates from the now-defunct [BlackCat/ALPHV](https://www.secureblink.com/cyber-security-news/blackmatter-affiliates-actively-circulating-blackcat-raas-without-getting-rebranded) operation, who brought with them experience in executing high-profile attacks.

---

> Important Note: Kawasaki has not confirmed whether customer data is among the stolen files, so the possibility cannot be ruled out. If personal information is exposed, the company's reputation and customer trust could suffer.

---

### RansomHub’s Rise Reshapes the Ransomware Landscape

RansomHub has rapidly gained notoriety, emerging as one of the most prolific ransomware groups of 2024. Its attacks have hit a diverse range of industries, from healthcare and logistics to retail and energy.

Notable victims include Rite Aid, Frontier, [Planned Parenthood](https://www.secureblink.com/cyber-security-news/planned-parenthood-la-encountered-a-ransomware-attack-that-exposed-400000-patient-data), [Halliburton](https://www.secureblink.com/cyber-security-news/210-victims-in-halliburton-cyberattack-linked-to-ransom-hub-ransomware), and Christie's, and the [CosmicBeetle](https://www.secureblink.com/cyber-security-news/cosmic-beetle-partners-with-ransom-hub-to-deploy-sc-ransom-ransomware-1) threat actor has joined RansomHub as an affiliate rather than a victim. This surge in activity has raised alarms across cybersecurity circles, prompting urgent responses from government agencies.

### A Joint Advisory: Global Response to RansomHub

In August 2024, a joint advisory issued by the FBI, CISA, MS-ISAC, and the Department of Health and Human Services (HHS) revealed that RansomHub had compromised at least 210 victims across U.S. critical infrastructure sectors since its emergence in February 2024. The advisory underscored the growing threat posed by RansomHub and the need for coordinated defenses across industries.

### Kawasaki’s Road Ahead: Strengthening Cyber Defenses

While Kawasaki Motors Europe has made significant strides in recovering from the attack, the threat landscape continues to evolve.

14-Sep-2024
4 min read

Backdoor

Vo1d

Android TV

New Vo1d malware infects 1.3 million Android devices globally, posing a serious ...

The recent discovery of Vo1d malware infecting more than 1.3 million Android streaming boxes has drawn significant attention. This backdoor, uncovered by researchers at Dr.Web, gives attackers full control over compromised devices. With infections spanning nearly 200 countries, the malware's impact on Android TV boxes, especially those running outdated firmware, raises serious security concerns for users and developers alike.

**Key Takeaways:**

1️⃣ Vo1d has infected 1.3 million Android TV boxes globally.

2️⃣ The malware hijacks startup scripts such as install-recovery.sh for persistence.

3️⃣ Affected devices run outdated Android versions, leaving known vulnerabilities unpatched.

---

### How the Vo1d Malware Operates

**Understanding Vo1d's Core Mechanisms**

Vo1d is a backdoor that takes advantage of weaknesses in devices built on Android Open Source Project (AOSP) firmware. Its primary components, the files vo1d and wd, are responsible for maintaining persistent access to infected systems. Operations are coordinated through a command-and-control (C&C) server, which issues commands to download and install additional malicious software.

**Vo1d.1:** Launches Vo1d's secondary module (Vo1d.3) and ensures it stays running. It can also run executables when instructed by the C&C server.

**Vo1d.3:** Installs and launches the Vo1d.5 daemon, which is stored encrypted inside the module. It also monitors specified directories and installs any APK files found there.

Together these modules grant attackers ongoing access to infected devices, allowing them to download and execute arbitrary files.

---

### Attack Vectors and Vulnerabilities

**Why TV Boxes?**

One of the main reasons Vo1d has been so successful is the widespread use of outdated Android versions in TV streaming boxes. Many of these devices ship with older operating systems, such as Android 7.1.2, that contain unpatched vulnerabilities. Manufacturers often neglect security updates, leaving the devices exposed to threats like Vo1d.

**Potential Attack Vectors:**

1. Exploitation of OS vulnerabilities: attackers exploit flaws in the Android OS to gain root access to the device.
2. Unofficial firmware: many users install unofficial firmware that ships with root access built in, unknowingly exposing their devices to malware.

### Persistence Mechanisms

To survive reboots, Vo1d modifies startup scripts commonly found on these Android systems:

- install-recovery.sh: altered to launch the Vo1d malware during system boot.
- daemonsu: a root-access manager that is leveraged to give the malware continuous root privileges.

---

### Global Impact: Geographical Spread of Infected Devices

**Top Affected Regions**

Dr.Web's report notes that Vo1d infections have been detected in nearly 200 countries, with the highest concentration in:

- Brazil
- Morocco
- Pakistan
- Russia
- Argentina
- Saudi Arabia

The spread suggests that many off-brand TV boxes commonly sold in these regions are highly susceptible because of outdated or unofficial firmware.

---

### Protecting Against Vo1d Malware

**Steps to Secure Your Device**

1. **Firmware Updates:** Ensure your TV box runs the latest available firmware. This is critical for patching known vulnerabilities.
2. **Avoid Third-Party APKs:** Do not install APK files from unofficial sources, which often harbor malware.
3. **Use Play Protect Certified Devices:** Google has emphasized that Play Protect certified devices undergo extensive security checks, reducing the risk of malware infection.

---

### Indicators of Compromise (IOCs)

If you suspect that your Android TV box is compromised by Vo1d, check for the following indicators:

- Presence of the files /system/xbin/vo1d and /system/xbin/wd.
- Alterations to startup scripts such as install-recovery.sh or daemonsu.
- Unexplained changes to the debuggerd file, which may have been replaced by a malware script.

The Vo1d incident is a stark reminder of the dangers posed by outdated software and unofficial firmware on Android devices. With more than 1.3 million TV boxes infected globally, users and developers alike must stay vigilant. Regular updates, certified devices, and avoiding third-party applications are essential steps in defending against attacks of this kind.
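A triage script for the two sections above (the persistence mechanisms and the IOC list), added here as an example; it is not Dr.Web's tooling or code from the original article. It assumes you have copied the device's /system tree to a local directory with adb (`adb pull /system ./dump/system`) and inspects that copy rather than the running box. The locations searched for install-recovery.sh and daemonsu, and the "indicators: N" summary line, are this script's own assumptions; the sample tree it builds is constructed test data, not a real capture.

```shell
#!/bin/sh
# Vo1d IOC triage (added example, not Dr.Web's or the article's code).
# Walks a directory that mirrors an Android TV box root, e.g. one produced by
#   adb pull /system ./dump/system
# and reports the indicators named in the text. Paths are assumptions that
# vary by build; adjust them to the device you are looking at.

vo1d_check() {
  root="${1:-.}"
  hits=0

  # 1. Dropped components: the text names /system/xbin/vo1d and /system/xbin/wd.
  for f in system/xbin/vo1d system/xbin/wd; do
    if [ -e "$root/$f" ]; then
      echo "IOC: $f present"
      hits=$((hits + 1))
    fi
  done

  # 2. Startup scripts repurposed for persistence. install-recovery.sh lives
  #    in /system/bin or /system/etc depending on the build (assumed here);
  #    daemonsu is usually in /system/xbin. A reference to a dropped file is
  #    the tell, so a stock script produces no hit.
  for s in system/bin/install-recovery.sh system/etc/install-recovery.sh \
           system/xbin/daemonsu; do
    if [ -f "$root/$s" ] && grep -qE 'vo1d|xbin/wd' "$root/$s"; then
      echo "IOC: $s references a Vo1d component"
      hits=$((hits + 1))
    fi
  done

  # 3. debuggerd is a native ELF daemon on a clean build. If the file now
  #    starts with "#!" it has been swapped for a shell script, which is the
  #    replacement the article describes.
  d="$root/system/bin/debuggerd"
  if [ -f "$d" ]; then
    case "$(head -c 2 "$d")" in
      '#!') echo "IOC: system/bin/debuggerd is a script, not an ELF binary"
            hits=$((hits + 1)) ;;
    esac
  fi

  echo "indicators: $hits"
}

# Constructed sample tree carrying four of the indicators above (daemonsu is
# left clean on purpose). Prints the directory it created.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/system/xbin" "$t/system/bin"
  : > "$t/system/xbin/vo1d"
  : > "$t/system/xbin/wd"
  printf '#!/system/bin/sh\n/system/xbin/vo1d &\n' > "$t/system/bin/install-recovery.sh"
  printf '#!/system/bin/sh\nexec /system/xbin/su --daemon\n' > "$t/system/xbin/daemonsu"
  printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$t/system/bin/debuggerd"
  echo "$t"
}

# Usage: sh vo1d_check.sh /path/to/pulled/root   (or --demo for the sample tree)
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_sample_tree); vo1d_check "$demo"; rm -rf "$demo"
elif [ -n "${1:-}" ]; then
  vo1d_check "$1"
fi
```

A non-zero indicator count is a reason to reflash the box from vendor firmware rather than to delete the named files, since the text describes the C&C server pushing further modules the script does not know about. A zero count is not a clean bill of health for the same reason; it only says the documented footholds are absent.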

13-Sep-2024
4 min read

PDF

Exploit

Adobe Acrobat Reader users urged to update after patch fixes critical remote cod...

Adobe has patched a critical zero-day vulnerability in Adobe Acrobat Reader. The flaw, tracked as CVE-2024-41869, allows remote code execution when a specially crafted PDF is opened, posing a significant threat to users. It came to light after a proof-of-concept (PoC) exploit surfaced publicly, and researchers are urging an immediate upgrade to the latest version of Acrobat Reader.

#### Vulnerability Breakdown: CVE-2024-41869

CVE-2024-41869 is a use-after-free (UAF) bug, a common and dangerous class of memory-safety flaw that arises when a program continues to use a memory location after it has been freed. The program may simply crash, but the real danger is that an attacker who controls what lands in the freed memory can redirect execution and run malicious code.

***Here's how this vulnerability works:***

**Use-After-Free (UAF) Vulnerability:** UAF bugs occur when memory that has already been deallocated is accessed again by the program. When exploited, this can lead to crashes or, worse, the execution of arbitrary code.

**Remote Code Execution (RCE):** Attackers can craft a malicious PDF that triggers the bug in Acrobat Reader. Once the user opens the file, the attacker's code runs on the target system, potentially leading to full control of the machine.

The vulnerability is particularly dangerous because a PoC exploit is publicly available, giving threat actors a head start before most users apply the patch.

#### Discovery of the Vulnerability

The vulnerability was first identified by Haifei Li, a security researcher who developed EXPMON, a sandbox-based platform built specifically to detect zero-day exploits. Li's discovery highlights the value of detecting exploits from a vulnerability perspective rather than relying solely on malware detection.

EXPMON focuses on advanced exploits, addressing a gap in detection systems that concentrate only on malware. According to Li, _“exploits operate quite differently from malware,”_ which calls for specialized approaches to detect them early.

The vulnerability was discovered in June 2024, when a PDF containing a proof-of-concept exploit was submitted to EXPMON for analysis. Although the PoC did not carry a malicious payload, it demonstrated that the UAF bug could be triggered and therefore potentially leveraged for remote code execution.

#### Patch Timeline and Challenges

Adobe responded to the initial report with a security update in August 2024. However, that first patch did not fully fix the bug. EXPMON researchers noted that it could still be triggered under specific conditions, such as when users closed certain dialogs in the application: Acrobat Reader would still crash, indicating that the UAF persisted. EXPMON highlighted the flaw on social media, stressing that the vulnerability remained exploitable after Adobe's first attempt.

In September 2024, Adobe released a second update that fully addressed the vulnerability. CVE-2024-41869 has since been resolved in the latest versions of Adobe Acrobat Reader and Adobe Acrobat.

#### Urgent Action: Update Adobe Acrobat Reader Now

Given the severity of CVE-2024-41869, users should update Adobe Acrobat Reader to the latest version immediately. With a public PoC in circulation, unpatched systems are exposed to targeted attacks. The fix is available from Adobe's security page.

Failure to apply the update could leave systems open to remote attackers executing arbitrary code, leading to data theft, system compromise, or further malware infections.

Thanks to the work of researchers like Haifei Li and tools like EXPMON, critical vulnerabilities such as CVE-2024-41869 can be identified and mitigated before widespread exploitation occurs. Timely patching nonetheless remains the crucial defense. With more technical details about the vulnerability and its detection expected from Li and the EXPMON team, CVE-2024-41869 is a reminder of the growing complexity of exploit detection and the need for proactive security measures.

11-Sep-2024
4 min read