Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. Inside FireScam: An Information Stealer with Spyware Capabilities by @CyfirmaR
- FireScam – info stealing malware with spyware capabilities
- distributed as fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain
- malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint
- captures notifications across various apps, including system apps, to potentially steal sensitive info and track user activities
- leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads
https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
2. NONECLID RAT by @CyfirmaR
- enables unauthorised remote access and control of a victim’s computer, often without their awareness
- developed using C# and built for the .NET Framework 4.8
- designed to operate with minimal security checks, making it more difficult for security systems to detect and block its activities
https://www.cyfirma.com/research/noneclid-rat
3. Living off the Land: The Mechanics of Remote Template Injection Attack by @CyfirmaR
- leverages Word’s legitimate template functionality
- decoy document is clean, enabling it to bypass security mechanisms
- executes payloads hosted on remote servers upon opening the document
- observed in campaigns by advanced persistent threats (APTs) like FIN7 and others
4. What We Know About CVE-2024-49112 and CVE-2024-49113 by @TrendMicro
- a remote, unauthenticated attacker who successfully exploits CVE-2024-49112 gains the ability to execute arbitrary code within the context of the LDAP service
- PoC for CVE-2024-49113 codenamed LDAPNightmare
- the PoC is designed to crash any unpatched Windows Server with no prerequisites except that the DNS server of the victim domain controller has internet connectivity

5. Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability by #PaloAlto’s #Unit42
- the technique asks the target LLM to act as a judge scoring the harmfulness of a given response using the Likert scale, a rating scale measuring a respondent’s agreement or disagreement with a statement
https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/
6. Tycoon 2FA: Analyzing and Hunting Phishing-as-a-Service Domains by @ValidinLLC
- knowledge of the public domains leveraged by Tycoon 2FA is used for the hunting phase
https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains

7. Exploring Package Tracking Smishing Scams by @HuntressLabs
- Have you recently received a text message urging you to take action to avoid a negative outcome?
- Maybe you’ve just been informed you have an outstanding toll fee, or more likely, there’s a package for you being held due to a shipping issue.
- These are almost always smishing (or “SMS phishing”) attacks.
https://www.huntress.com/blog/exploring-package-tracking-smishing-scams
Thank you.
Please add interesting items you came across during the week in the comments below.