Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. BLACK BASTA: RANSOMWARE by @CyfirmaR
- Black Basta emerged as a formidable ransomware group in 2022. Leveraging social engineering and advanced malware, the group systematically compromises networks, demanding ransoms under the threat of data exposure. Their evolving tactics highlight the urgent need for strong defenses and proactive cybersecurity strategies.
https://www.cyfirma.com/research/black-basta-ransomware
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002068.jpg)
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002069.jpg)
2. ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI by #PaloAlto’s #Unit42
- A malicious actor could upload a poisoned model to a public repository, and without realizing it, your team could deploy it in your environment.
- Once active, that model could exfiltrate your sensitive machine learning (ML) models and fine-tuned large language model (LLM) adapters.
- With access to these adapters, attackers could replicate your custom tuning and optimizations, exposing sensitive information embedded in fine-tuning patterns.
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002074-769x1024.jpg)
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002072-903x1024.png)
3. Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack by #PaloAlto’s #Unit42
- A North Korean IT worker activity cluster (CL-STA-0237) was involved in recent phishing attacks using malware-infected video conference apps.
- CL-STA-0237 exploited a U.S.-based small-and-medium-sized business (SMB) IT services company to apply for other jobs. In 2022, CL-STA-0237 secured a position at a major tech company.
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002078-769x1024.jpg)
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002079.png)
4. GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487) by @pdiscoveryio
- A significant vulnerability that enabled bypassing GitHub’s SAML authentication when encrypted assertions were in use.
- An in-depth look at GitHub Enterprise’s SAML implementation, analyzing the specific code issue that permitted this bypass.
https://projectdiscovery.io/blog/github-enterprise-saml-authentication-bypass
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002083-635x1024.jpg)
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002081-1024x247.png)
5. New PXA Stealer targets government and education sectors for sensitive information by @TalosSecurity
- A new information-stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
- A new Python program called PXA Stealer targets victims’ sensitive info, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.
https://blog.talosintelligence.com/new-pxa-stealer/
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002086-534x1024.jpg)
![](https://www.andysvints.com/wp-content/uploads/2024/11/1000002085.jpg)
Thank you for reading.
Please add interesting items you came across during the week in the comments below.