Npav Lab

Fortinet has disclosed an actively exploited critical vulnerability, CVE-2024-47575, impacting FortiManager and FortiAnalyzer devices, which has been attributed to threat cluster UNC5820. This flaw, labeled FortiJump, enables remote unauthenticated attackers to execute arbitrary code on compromised systems, allowing for data exfiltration and potential lateral movement across enterprise networks. The U.S. CISA has flagged this vulnerability for immediate federal agency action, urging rapid patching to prevent unauthorized access and data theft.

A new variant of the Qilin (Agenda) ransomware, known as Qilin.B, has been discovered with enhanced encryption methods, improved evasion techniques, and capabilities to disrupt data recovery. This strain targets both Windows and network systems, making it a serious threat to enterprises across various sectors.

Ransomware gangs are using the notorious LockBit’s reputation to intimidate victims and carry out sophisticated data exfiltration attacks via Amazon S3 Transfer Acceleration. These attacks exploit embedded AWS credentials and target Windows and macOS systems, encrypting data and applying pressure tactics to extract ransom payments.

Net Protector Total Security has proudly received the International VB100 certification, showcasing its exceptional malware detection abilities and reinforcing its reputation as a trusted cybersecurity solution.

The Lazarus hacking group exploited a Google Chrome zero-day vulnerability (CVE-2024-4947) through a fake decentralized finance (DeFi) game, "DeTankZone," targeting individuals in the cryptocurrency sector. This attack demonstrates Lazarus' evolving tactics, using browser exploits and rebranded games to steal sensitive data and potentially cryptocurrency.

A new phishing campaign has been uncovered targeting Russian-speaking users, leveraging the Gophish framework to deliver two remote access trojans (RATs)—DarkCrystal RAT (DCRat) and a newly identified malware, PowerRAT. The campaign exploits phishing emails, malicious documents, and HTML pages to initiate infection chains, resulting in system compromise and data exfiltration.

The Bumblebee malware loader, believed to be a creation of TrickBot developers, has resurfaced after going silent following a law enforcement disruption in May 2024. New attacks tied to Bumblebee have been observed, signaling a possible resurgence of the malware. It continues to target victims through phishing and malvertising, delivering dangerous payloads like ransomware and information-stealing malware.

A recently discovered phishing campaign is exploiting a stored cross-site scripting (XSS) vulnerability in the open-source Roundcube webmail software to steal login credentials. Threat actors are leveraging a now-patched flaw (CVE-2024-37383) via malicious emails, targeting government organizations in Commonwealth of Independent States (CIS) countries. The vulnerability, patched in May 2024, allowed attackers to execute JavaScript within victims' browsers, tricking them into revealing sensitive login information.

A new ClickFix campaign is targeting users with fake Google Meet conference errors, luring them to download infostealing malware on both Windows and macOS systems. The campaign impersonates technical issues and prompts victims to run malicious PowerShell code, infecting devices with malware like Stealc, Rhadamanthys, and AMOS Stealer.

Cybercriminals are increasingly abusing the open-source EDRSilencer tool to tamper with Endpoint Detection and Response (EDR) solutions and conceal their malicious activities. This tool uses the Windows Filtering Platform (WFP) to block security software from communicating, making it harder for organizations to detect and remove malware.