Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) by @pdiscoveryio
- a subtle flaw in signature verification can have severe consequences, allowing attackers to bypass critical authentication mechanisms
- the analysis highlights the importance of strict validation procedures, especially when dealing with security protocols like SAML
2. SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia by @Securonix Threat Research
- North Korea has been identified delivering VeilShell, a stealthy PowerShell-based malware, using a series of advanced evasion techniques against victims in Southeast Asia
- victims are likely targeted with phishing emails in which the initial payload is a zip file attached to the email
3. VILSA STEALER by @Cyfirma
- steals Discord info, browser data, cookies, passwords, crypto wallets, Steam, Telegram, and more
- supports major browsers and 40+ crypto wallets
- the malware is written in Python; an encryption method is used to mask its runtime behaviour
https://www.cyfirma.com/research/vilsa-stealer/
4. Separating the bee from the panda: CeranaKeeper making a beeline for Thailand by @ESETresearch
- the group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration
- CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools
- uses GitHub’s pull request and issue comment features to create a stealthy reverse shell, leveraging GitHub, a popular online platform for sharing and collaborating on code, as a C&C server.
5. capa Explorer Web: A Web-Based Tool for Program Capability Analysis by @Mandiant
- reverse engineering tool that automates the identification of program capabilities
- capa analyzes programs using various backends, such as IDA Pro, Ghidra, and CAPE, to extract features.
- it identifies capabilities by matching these features against rules written by experts. A program matches a capability rule when its extracted features match the set of conditions declared in the rule
6. No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection by #PaloAlto’s #Unit42
- four previously undisclosed domain name system (DNS) tunneling campaigns that occurred in recent months
https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
7. Threat actor believed to be spreading new MedusaLocker variant since 2022 by @TalosSecurity
- active since 2022 and targets orgs worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries
- observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ”, compiled with a PDB path containing the word “paid_memes”, which is also present in other tools observed during the attacks, presumably by the same author
8. YUNIT STEALER by @Cyfirma
- targets system information, browser data (passwords, cookies, autofill), and cryptocurrency wallets, leveraging tools like PowerShell to bypass antivirus defenses
- ensures persistence by modifying Windows registry keys, adding tasks through batch and VBScript, and setting exclusions in Windows Defender.
https://www.cyfirma.com/research/yunit-stealer/
Thanks a lot for reading.