Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. Investigation into Helldown Ransomware by @CyfirmaR
- a fast-evolving ransomware threat targeting critical industries globally. It has cross-platform capabilities (Windows and Linux variants), disrupts systems by encrypting files, and gains access by exploiting vulnerabilities. Its modular design and anti-detection techniques signal active development.
https://www.cyfirma.com/research/investigation-into-helldown-ransomware/
2. RomCom exploits Firefox and Windows zero days in the wild by @ESETresearch
- CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox
- CVE-2024-49039: a Windows privilege escalation vulnerability that allows code to run outside of Firefox's sandbox
- chaining the two gave code execution with no user interaction beyond visiting a page; successful exploitation attempts delivered the RomCom backdoor in a widespread campaign
3. Bootkitty: Analyzing the first UEFI bootkit for Linux by @ESETresearch
- targets Linux, specifically a few Ubuntu versions; designed to boot the Linux kernel seamlessly whether UEFI Secure Boot is enabled or not
- bootkit.efi contains many artifacts suggesting this is more like a PoC than the work of an active threat actor
https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux
4. Malicious PyPI crypto pay package aiocpa implants infostealer code by @ReversingLabs
- malicious code in a legitimate-looking package, aiocpa, engineered to compromise cryptocurrency wallets
- the actors behind aiocpa were not impersonating or typosquatting existing packages; they published their own crypto client tool to steadily attract a user base that was later compromised through a malicious version update. Version pinning alone does not help here, since the malicious release was a regular update of a package users already trusted.
5. Know Thy Enemy: A Novel November Case on Persistent Remote Access by @HuntressLabs
- attackers gained persistent remote access to a network through Remote Desktop Protocol (RDP) brute-force attacks and credential theft
- employed MeshAgent, a legitimate remote access tool, disguising it as a Windows Network Virtual Adapter to evade detection
- enabled WDigest to store credentials in plaintext, facilitating further access
https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
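The three footholds from item 5 (RDP brute force, a disguised MeshAgent service, and WDigest plaintext caching) can be audited on a Windows host with a short PowerShell script. This is an added example, not code from the Huntress write-up; the "meshagent" path match, the "Network Virtual Adapter" display-name match, the 24-hour window and the 20-failure threshold are assumptions chosen for illustration. Run it in an elevated session.

```powershell
# Added example (not from the Huntress write-up): audit a Windows host for the
# three footholds described above. Requires an elevated PowerShell session.

# 1. WDigest plaintext credential caching.
#    Attackers set UseLogonCredential=1 so LSASS keeps cleartext passwords that
#    Mimikatz-style tools can dump. Absent or 0 is the safe state on Windows 8.1 /
#    Server 2012 R2 and later.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
    -ErrorAction SilentlyContinue).UseLogonCredential
if ($useLogonCred -eq 1) {
    Write-Warning "WDigest UseLogonCredential is 1: plaintext credentials are cached in LSASS"
    # Remediation (uncomment to apply): force the value back to 0.
    # Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Value 0 -Type DWord
} else {
    Write-Output "WDigest UseLogonCredential is '$useLogonCred' (absent or 0): OK"
}

# 2. MeshAgent masquerading as a network adapter service.
#    The display name is attacker-chosen, so match on the binary path as well as
#    on the decoy name seen in the write-up (both patterns are assumptions).
$suspectServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'meshagent' -or $_.DisplayName -match 'Network Virtual Adapter' } |
    Select-Object Name, DisplayName, State, StartMode, PathName
if ($suspectServices) {
    Write-Warning "Possible disguised remote-access service(s):"
    $suspectServices | Format-Table -AutoSize
} else {
    Write-Output "No MeshAgent-like services found: OK"
}

# 3. RDP brute force: failed logons (Event ID 4625) per source IP in the last 24h.
#    LogonType 10 is RemoteInteractive; with Network Level Authentication enabled,
#    failed RDP attempts are logged as LogonType 3 instead, so both are counted.
$since = (Get-Date).AddHours(-24)   # assumption: 24h window
$threshold = 20                     # assumption: failures per source worth flagging
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            Account   = $data['TargetUserName']
        }
    } |
    Where-Object { $_.LogonType -eq '10' -or $_.LogonType -eq '3' }

$bruteForcers = $failed |
    Group-Object Source |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
if ($bruteForcers) {
    Write-Warning "Sources with >= $threshold failed logons since $since:"
    $bruteForcers | Format-Table -AutoSize
} else {
    Write-Output "No source exceeded $threshold failed logons since $since: OK"
}
```

If the WDigest check fires on a host where nobody set it deliberately, treat it as an incident indicator rather than a misconfiguration, and dump LSASS-adjacent artifacts (running services, scheduled tasks, recent 4624 logons from the flagged sources) before resetting the value, since the reset destroys the evidence of why it was changed.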
Thank you for reading.
Please add interesting items you came across during the week in the comments below.