Tag: zero-day

15 Attack Reports | 0 Vulnerabilities

Attack reports

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Downloadable IOCs: 17

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

A recent campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces has been observed. The threat actors gained unauthorized access to the firewalls' administrative controls, created new accounts, established SSL VPN connections, and made various configuration changes…
zero-day
lateral movement
fortigate
vulnerability scanning
fortinet
2025-01-11
ssl vpn
firewall
jsconsole
Published: January 11, 2025
Downloadable IOCs: 0

New Cleo zero-day RCE flaw exploited in data theft attacks

A critical zero-day vulnerability in Cleo's managed file transfer software is being actively exploited by hackers to breach corporate networks and steal data. The flaw affects Cleo LexiCom, VLTrader, and Harmony products, allowing unrestricted file upload and downloads leading to remote code execut…
data theft
zero-day
CVE-2024-50623
rce
termite
cleo
lexicom
2024-12-11
vltrader
cleo harmony
Published: December 11, 2024
Downloadable IOCs: 0

Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection

A sophisticated ongoing attack has been discovered that evades antivirus software, prevents sandbox uploads, and bypasses Outlook's spam filters. The attackers deliberately corrupt files to conceal their type, making detection difficult for security tools. These corrupted files, often identified as…
zero-day
sandbox evasion
2024-12-04
spam filter bypass
antivirus bypass
file corruption
Published: December 4, 2024
Downloadable IOCs: 6

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

The Good, the Bad and the Ugly in Cybersecurity - Week 43

CISA proposes new security measures to protect sensitive data from adversary nations, following President Biden's Executive Order. A free file recovery tool for early Mallox ransomware victims is released. A novel macOS ransomware, macOS.NotLockBit, is discovered abusing AWS S3 for data exfiltratio…
ransomware
zero-day
mallox
cisa
CVE-2024-47575
2024-10-25
fortinet
aws s3
macos.notlockbit
Published: October 25, 2024
Downloadable IOCs: 0

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data fr…
vulnerability
zero-day
exploitation
fortigate
CVE-2024-47575
2024-10-24
fortimanager
cyber-espionage
configuration-exfiltration
network-security
Published: October 24, 2024
Downloadable IOCs: 4

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Downloadable IOCs: 2

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
social engineering
windows
zero-day
CVE-2023-36025
exploitation
CVE-2021-40444
CVE-2024-38112
2024-07-10
internet explorer
malicious files
Published: July 10, 2024
Downloadable IOCs: 7

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Downloadable IOCs: 39

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…
apt
cobalt strike
ukraine
malicious document
cobalt strike beacon
zero-day
CVE-2017-8570
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports