Cyberveillecurated by Decio
Nuage de tags
Mur d'images
Quotidien
Flux RSS
  • Flux RSS
  • Daily Feed
  • Weekly Feed
  • Monthly Feed
Filtres

Liens par page

  • 20 links
  • 50 links
  • 100 links

Filtres

Untagged links
page 1 / 7
132 résultats taggé Research  ✕
wget to Wipeout: Malicious Go Modules Fetch Destructive Payload https://socket.dev/blog/wget-to-wipeout-malicious-go-modules-fetch-destructive-payload
06/05/2025 11:23:41
QRCode
archive.org
thumbnail

Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.

The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.

No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat#
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.

socket.dev EN 2025 Wipeout github Payload GO research Developers supply-chain-attack
macOS Vulnerabilities: A Year of Security Research at Kandji https://www.kandji.io/blog/vulnerabilities-year-review
05/05/2025 09:14:33
QRCode
archive.org
thumbnail

Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.

Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.

Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.

kandji EN 2025 macOS Vulnerabilities research
MCP Prompt Injection: Not Just For Evil https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil
04/05/2025 13:54:57
QRCode
archive.org
thumbnail

MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.

Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.

Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.

Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.

tenable EN 2025 MCP Prompt-Injection LLM LLMs technique interface vulnerability research
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US) https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
27/04/2025 10:29:08
QRCode
archive.org
thumbnail
  • Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima.
  • The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.
  • Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others.
  • Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges.
  • Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators.
  • IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies.
  • Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
trendmicro EN 2025 Russia North-Korea network research infrastructure IoCs
CVE-2025-32955: Security mechanism bypass in Harden-Runner Github Action https://sysdig.com/blog/security-mechanism-bypass-in-harden-runner-github-action/
23/04/2025 08:09:24
QRCode
archive.org

The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version.

The CVE has been assigned a CVSS v3.1 base score of 6.0.

sysdig CVE-2025-32955 EN 2025 research vulnerabilty CI/CD Harden-Runner GitHub Action
The Ever-Evolving Threat of the Russian-Speaking Cybercriminal Underground | Trend Micro (US) https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-ever-evolving-threat-of-the-russian-speaking-cybercriminal-underground
16/04/2025 13:49:12
QRCode
archive.org
thumbnail

We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.

trendmicro EN 2025 Research Russia Russian-Speaking cybercrime landscape
Searching for something unknow https://secureannex.com/blog/searching-for-something-unknow/
13/04/2025 10:51:44
QRCode
archive.org
thumbnail

After the release of the Secure Annex ‘Monitor’ feature, I wanted to help evaluate a list of extensions an organization I was working with had configured for monitoring. Notifications when new changes occur is great, but in security, baselines are everything!

To cut down a list of 132 extensions in use, I identified a couple extensions that stuck out because they were ‘unlisted’ in the Chrome Web Store. Unlisted extensions are not indexed by search engines and do not show up when searching the Chrome Web Store. The only way to access the extension is by knowing the URL.

secureannex EN 2025 suspicious extensions Chrome analysis research
VanHelsing, new RaaS in Town https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/
25/03/2025 08:21:44
QRCode
archive.org
thumbnail
  • VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%. The only rule is not to target the Commonwealth of Independent States (CIS).
  • Check Point Research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in its advertisement, it provides more offerings “targeting Linux, BSD, ARM, and ESXi systems”. The program provides an intuitive control panel that simplifies operating ransomware attacks. Check Point Research obtained two variants of the VanHelsing Ransomware, compiled just five days apart. The newest variant shows significant updates, highlighting the fast-paced evolution of this ransomware.
  • In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. During negotiations, they demanded $500,000 to be paid to a specified Bitcoin wallet.
checkpoint EN 2025 research VanHelsing RaaS VanHelsingRaaS
Eradicating trivial vulnerabilities, at scale https://www.ncsc.gov.uk/blog-post/eradicating-trivial-vulnerabilities-at-scale?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
03/02/2025 11:12:16
QRCode
archive.org
thumbnail

A new NCSC research paper aims to reduce the presence of ‘unforgivable’ vulnerabilities.

ncsc.gov.uk EN 2025 research unforgivable vulnerabilities
IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
20/01/2025 08:53:40
QRCode
archive.org
thumbnail

Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.

trendmicro EN 2025 malware iot research report cyber-threats DDoS IoT botnet cameras
Will the Real Volt Typhoon Please Stand Up? https://censys.com/will-the-real-volt-typhoon-please-stand-up/
20/01/2025 07:31:49
QRCode
archive.org
thumbnail

Despite both technical exposure by researchers and law enforcement disruption, this infrastructure has remained uncharacteristically consistent, only changing hosting providers. Given the contrasting high level of sophistication between Volt Typhoon’s activity within target organizations and their proxy network, it is possible the KV Botnet is operated by a party other than Volt Typhoon.

censys EN 2025 research Volt-Typhoon KVBotnet exposure
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
19/01/2025 09:27:38
QRCode
archive.org
thumbnail

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a […]

microsoft Threat Intelligence Star-Blizzard WhatsApp spear-phishing campaign research
Backdooring Your Backdoors - Another $20 Domain, More Governments https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
12/01/2025 21:07:29
QRCode
archive.org
thumbnail

After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/

watchtowr EN 2025 backdoor infrastructure abandoned access analysis hack research hackback
Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html
09/01/2025 16:45:09
QRCode
archive.org
thumbnail

In December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft’s monthly Patch Tuesday release. Both vulnerabilities were deemed as highly significant due to the widespread use of LDAP in Windows environments:

CVE-2024-49112: A remote code execution (RCE) bug that attackers can exploit by sending specially crafted LDAP requests, allowing them to execute arbitrary code on the target system.
CVE-2024-49113: A denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions.
In this blog entry, we discuss a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (aka LDAPNightmare) designed to lure security researchers into downloading and executing information-stealing malware.

trendmicro EN 2025 malware Stealer research LDAPNightmare fake PoC CVE-2024-49113
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces – Sophos News https://news.sophos.com/en-us/2024/12/19/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces/
20/12/2024 09:18:33
QRCode
archive.org
thumbnail

A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar 

sophos EN 2024 research analysis phishing-as-a-service Rockstar FlowerStorm
300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/
14/12/2024 11:10:11
QRCode
archive.org
thumbnail

In this research, we uncovered several vulnerabilities and security flaws within the Prometheus ecosystem. These findings span across three major areas: information disclosure, denial-of-service (DoS), and code execution. We found that exposed Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys.
Additionally, we identified an alarming risk of DoS attacks stemming from the exposure of pprof debugging endpoints, which, when exploited, could overwhelm and crash Prometheus servers, Kubernetes pods and other hosts.

aquasec EN 2024 Prometheus Servers DoS attacks Exposed research
Oasis Security Research Team Discovers Microsoft Azure MFA Bypass https://oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
14/12/2024 10:30:01
QRCode
archive.org
thumbnail

Oasis Security's research team uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.

oasis.security EN 2024 research MFA Microsoft MFA-bypass
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia https://www.cyfirma.com/research/unidentified-threat-actor-utilizes-android-malware-to-target-high-value-assets-in-south-asia/
09/12/2024 11:43:26
QRCode
archive.org
thumbnail

The team at CYFIRMA analyzed a malicious Android sample designed to target high-value assets in Southern Asia. This sample, attributed to an unknown threat actor, was generated using the Spynote Remote Administration Tool. While the specifics of the targeted asset remain confidential, it is likely that such a target would attract the interest of APT groups. However, we are restricted from disclosing further details about the actual target and its specific region. For a comprehensive analysis, please refer to the detailed report

cyfirma EN 2024 Unidentified Threat Actor Malware research Android Spynote Remote Administration Tool
The hidden network report https://research.cert.orangecyberdefense.com/hidden-network/report.html
28/11/2024 08:27:03
QRCode
archive.org

Since February 2024, the World Watch Cyber Threat Intelligence team has been working on an extensive study of the private and public relationships within the Chinese cyber offensive ecosystem. This includes:

  • An online map showcasing the links between 300+ entities;
  • Historical context on the Chinese state entities dedicated to cyber offensive operations;
  • An analysis of the role of universities and private companies in terms of capacity building;
  • A focus on the ecosystem facilitating the acquisition of vulnerabilities for government use in cyber espionage campaigns.
Orange Cyberdefense CERT EN 2024 Threat Research China
When Guardians Become Predators: How Malware Corrupts the Protectors https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/
27/11/2024 09:15:01
QRCode
archive.org

We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us? Our Trellix Advanced Research Center team recently uncovered a malicious campaign that does just that. Instead of bypassing defenses, this malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda. The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.

trellix EN 2024 research Avast Anti-Rootkit driver malware aswArPot.sys malware analysis
page 1 / 7
4259 links
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service par la communauté Shaarli - Theme by kalvn - Curated by Decio