company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Malware

YouTube

loading..
loading..
loading..

Tutorial videos on YouTube help spread Vidar & Raccoon malware

Vidar & Raccoon Malware are heavily distributed leveraging crack software tutorial videos hosted on YouTube….

12-Nov-2022
3 min read

Related Articles

loading..

Cl0p Ransomware

Clop ransomware leverages Cleo zero-day flaw (CVE-2024-50623), threatening to ex...

The notorious Clop ransomware gang has struck again, leveraging a critical zero-day vulnerability (CVE-2024-50623) in Cleo's software products to execute data theft on a massive scale. The group has threatened to expose the identities of 66 victim companies within 48 hours unless ransom demands are met. This marks another high-profile operation by Clop, which has exploited vulnerabilities in platforms like MOVEit Transfer, SolarWinds Serv-U, and Accellion FTA in the past. In its latest announcement on its dark web leak portal, Clop has published partial names of companies it claims ignored their ransom demands. The cybercriminals are actively contacting victims through secure chat links and email, urging them to negotiate and avoid public exposure. --- ### Exploited Vulnerability: CVE-2024-50623 The Cleo data breach centers around a zero-day flaw in LexiCom, VLTrader, and Harmony software products. Tracked as CVE-2024-50623, the vulnerability allows unrestricted file uploads and downloads, enabling attackers to: - Perform remote code execution, gaining control over compromised networks. - Open reverse shells, creating backdoors for further exploitation. ### Vendor Response and Patch Status Cleo has released a patch in version 5.8.0.21, urging users to update immediately. However, researchers from Huntress warn that the patch can be bypassed, highlighting an urgent need for further scrutiny. --- ### Clop’s Extortion Tactics The group’s strategy underscores its increasing boldness and sophistication. By publishing partial company names on its leak site, Clop intensifies pressure on victims, leveraging: - *1. Direct Communication:* Secure chat links and dedicated email channels to facilitate negotiations. - *2. Public Exposure:* Threats to disclose full company names if demands are unmet within the 48-hour deadline. - *3. Strategic Hinting:* Using partial names and public clues to reveal victims, creating a ripple of reputational damage. ### A Larger Impact Looms While 66 companies have been publicly named, cybersecurity expert Yutaka Sejiyama warns the actual list may be significantly larger. With Cleo software used by over 4,000 organizations worldwide, the full scope of this breach remains uncertain. --- ### History of High-Profile Breaches Clop’s modus operandi revolves around exploiting zero-day vulnerabilities to infiltrate high-value targets. Previous operations include: - **MOVEit Transfer Attack:** Compromising government agencies and Fortune 500 firms. - **SolarWinds Serv-U Breach:** Using vulnerabilities to access sensitive systems. - **Accellion FTA Exploit:** Stealing data from financial institutions and universities. This calculated approach solidifies Clop’s position as one of the most formidable ransomware gangs globally. --- ### Mitigation Measures: Protecting Your Network Organizations using Cleo products must act swiftly to mitigate risks. Here’s what you can do: - **1. Immediate Patch Deployment** Update to Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21. Verify patch integrity to ensure no bypass vulnerabilities exist. - **2. Proactive Network Monitoring** Identify unauthorized file transfers or abnormal system activity. Leverage intrusion detection tools to isolate suspicious behavior. - **3. Incident Response Activity** Establish an incident response team to address potential breaches. Create data backups to minimize impact during ransomware attacks. - **4. External Support** Engage cybersecurity experts to perform vulnerability assessments. Notify stakeholders and legal teams to prepare for potential exposure. --- ### Industry Implications This attack once again highlights the systemic vulnerabilities in widely-used software. It underscores the need for: - 1. **Robust Vendor Practices:** Regular penetration testing and faster patch deployment. - 2. **Enhanced Cyber Hygiene:** Organizations must adopt zero-trust architectures and strict access controls. - 3. **Global Cooperation:** Governments and private entities need to collaborate to combat ransomware gangs.

loading..   28-Dec-2024
loading..   3 min read
loading..

Vulnerability

Exploit

DoS

Hackers exploit CVE-2024-3393, a DoS flaw in Palo Alto firewalls, causing reboot...

Hackers are actively exploiting a denial-of-service (DoS) vulnerability in Palo Alto Networks' PAN-OS software, disabling critical firewall protections and leaving organizations vulnerable. The flaw, identified as CVE-2024-3393, targets the DNS Security feature of PAN-OS, forcing firewalls to reboot and, in severe cases, enter maintenance mode, requiring manual intervention to restore normal operations. This ongoing exploitation has caused significant disruption for affected organizations, underscoring the critical need for immediate action. --- ### What Is CVE-2024-3393? CVE-2024-3393 is a severe DoS vulnerability that allows unauthenticated attackers to send malicious packets through the firewall’s data plane, triggering repeated reboots. The flaw only impacts devices with DNS Security logging enabled, making these devices particularly vulnerable to targeted attacks. ### Impacted PAN-OS Versions Palo Alto Networks has confirmed that the following PAN-OS versions are vulnerable to the CVE-2024-3393 exploit: - *PAN-OS 10.1:* Patch available in 10.1.14-h8. - *PAN-OS 10.2:* Patch available in 10.2.10-h12. - *PAN-OS 11.1:* Patch available in 11.1.5. - *PAN-OS 11.2:* Patch available in 11.2.3. - *PAN-OS 11.0:* No patch available as it reached its end-of-life (EOL) on November 17, 2024. ### Real-World Impact: Active Exploitation Reported Palo Alto Networks has observed active exploitation in the wild, with organizations reporting outages caused by malicious DNS packets. These attacks highlight the flaw's critical nature, as attackers can repeatedly disrupt firewall operations until they are rendered inoperative. --- ### Mitigation Steps for Immediate Protection Organizations unable to update to the latest PAN-OS versions should implement the following mitigation measures: For Unmanaged NGFWs or NGFWs Managed by Panorama - 1. Navigate to Objects → Security Profiles → Anti-spyware → DNS Policies → DNS Security for each anti-spyware profile. - 2. Set Log Severity to “none” for all DNS Security categories. - 3. Commit changes. - 4. Revert settings after applying patches. For NGFWs Managed by Strata Cloud Manager (SCM) - Option 1: Disable DNS Security logging directly using the steps above. - Option 2: Disable DNS Security logging for all NGFWs in the tenant by opening a support case. For Prisma Access Managed by SCM Open a support case to disable DNS Security logging across all NGFWs. Request expedited Prisma Access tenant upgrades if required. --- ### Critical Recommendations 1. Apply Updates Immediately: Organizations running impacted PAN-OS versions must upgrade to patched releases without delay. 2. Implement Mitigations: For systems that cannot be updated promptly, follow the prescribed mitigation steps to minimize exposure. 3. Monitor Logs: Regularly audit DNS Security logs for suspicious activity to identify and respond to potential exploitation attempts. --- ### Why This Matters The CVE-2024-3393 vulnerability presents a significant risk to network security, as it directly targets an organization’s ability to defend against threats. A compromised firewall can lead to data breaches, malware intrusions, and operational disruptions, making it imperative to address this issue swiftly.

loading..   28-Dec-2024
loading..   3 min read
loading..

Malware

Ottercookie

North Korean hackers use "OtterCookie" malware in fake job offers targeting deve...

Cybersecurity researchers have uncovered "OtterCookie," a new malware strain used by North Korean threat actors in the ongoing "Contagious Interview" campaign targeting software developers. Active since at least December 2022, this operation has used fake job offers to deliver malicious payloads such as BeaverTail and InvisibleFerret. These payloads are designed to establish backdoors and enable data exfiltration, granting attackers unauthorized access to sensitive systems. OtterCookie, introduced in September 2023 with a new variant in November, marks an evolution in the campaign's tactics. #### The Contagious Interview Campaign This campaign employs fake LinkedIn profiles and job descriptions mirroring real vacancies to trick developers into downloading malicious files disguised as coding tests or projects. OtterCookie is delivered via loaders fetching JSON data to execute JavaScript code, a technique that avoids detection by mimicking legitimate processes. By replicating typical developer workflows and leveraging trusted tools, the malware blends into regular activity, reducing the likelihood of raising suspicion during its execution. JavaScript’s ubiquity in development workflows, including its use in both front-end and back-end programming, makes it an attractive vector for attackers, as it is often trusted and widely executed across diverse environments, making it particularly effective against developers. The malware is spread through compromised Node.js projects, npm packages, and files built as Qt or Electron applications, increasing its reach. #### OtterCookie Attack Chain Once deployed, OtterCookie establishes secure communication with its command-and-control (C2) infrastructure using Socket.IO WebSocket. Initial variants targeted cryptocurrency wallet keys using regular expressions, while newer versions rely on remote shell commands for broader data theft. OtterCookie can exfiltrate clipboard data and reconnaissance commands like ‘ls’ and ‘cat’, enabling attackers to list sensitive files, read configuration data, or locate credentials stored within the system. This reconnaissance often focuses on identifying access credentials, sensitive documents, and configuration files that could provide pathways to further infiltrate networks or escalate privileges within the target environment. For example, attackers could identify critical database credentials, access internal systems, and move laterally to compromise an organization's DevOps pipelines or deploy ransomware across the network, leading to significant operational and financial damages. #### Expanded Capabilities in New Variants The November variant introduced advanced evasion techniques, including encrypted communication protocols, which disguise data exchange with the command-and-control server, and obfuscation, which conceals malicious code within legitimate-looking scripts to bypass security measures. For example, similar techniques have been used in the SolarWinds attack, where obfuscated code allowed attackers to remain undetected for months while exfiltrating sensitive data. These techniques make detection more difficult by masking malicious activities within seemingly legitimate processes and ensuring that traditional signature-based detection methods are less effective. Its clipboard exfiltration feature captures sensitive information, such as passwords and private keys, underscoring its potential impact on individuals and organizations. #### Recommendations for Mitigation 1. **Verify Employer Credibility:** Thoroughly research employers and scrutinize job offers. Check professional reviews, confirm job listings through official company channels, and use trusted platforms like LinkedIn to validate recruiter profiles. Treat unsolicited offers with caution. 2. **Avoid Running Unknown Code:** Use isolated virtual environments for testing provided code. 3. **Implement Endpoint Protection:** Deploy tools capable of detecting sophisticated malware like OtterCookie. 4. **Monitor Software Repositories:** Regularly audit dependencies and third-party packages for security risks. 5. **Adopt Multi-Factor Authentication (MFA):** Secure sensitive accounts and tools with MFA. 6. **Enforce Network Segmentation:** Isolate developer environments from critical systems to limit potential damage.

loading..   27-Dec-2024
loading..   3 min read