Cyberespionage Group Blind Eagle Infects 1,600 Orgs in Colombia
URL manipulation attack; An agile attack methodology
Continue ReadingMalware
Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems
CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.
| OEM | Microsoft |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2018-8639 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview on Vulnerability
The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Privilege Escalation Vulnerability | CVE-2018-8639 | Windows | High |
Technical Summary
The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.
Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2018-8639 | Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019 | Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. | System compromise, unauthorized access, potential malware persistence |
Remediation:
- Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk.
- Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.
General Recommendations:
- Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches.
- Adopting the principle of least privilege (PoLP) to limit user access.
- Continuous monitoring of anomalous kernel-mode activities.
Conclusion:
Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.
References:
- https://nvd.nist.gov/vuln/detail/cve-2018-8639
- https://github.com/ze0r/CVE-2018-8639-exp
Orange Group Suffered Data Breach; Threat Actors Exposes Compromised Data
Threat actors aimed infiltrating on Orange’s systems; A case of Ransomware cannot be denied on the data breach that took place.
Orange has confirmed it has recently experienced a cyber-attack, that exposed compromised data. Orange insists it is still investigating the case. The data breach on Orange group when analyzed found it included thousands of internal documents, including sensitive user records and employee data, after infiltrating the company’s infrastructure.
As per reports one of Orange’s non-critical apps breached in an attack aimed at its Romanian operations after HellCat ransomware gang member “Rey” alleged exfiltrating thousands of internal files with user records and employee details, which have been leaked on Tuesday, according to BleepingComputer.
Key Breach details on Orange Group
- The data breach aimed at Infiltration of Orange’s systems for more than a month via the exploitation of Jira software and internal portal vulnerabilities.
- This facilitated the eventual breach and can be a ransomware case as of almost 6.5 GB of corporate data including about 12,000 files over a nearly three-hour period on Sunday.
- The hacker, known by the alias Rey, is a member of the HellCat ransomware group, noted the intrusion to be independent from the HellCat ransomware operation.
- The threat actor claims that they have stolen thousands of internal documents of current and former Orange Romania employee, contractor, and partner email addresses, some of which dated from over five years ago, as well as mostly expired partial payment card details.
- The hacker claims that they gained access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software (used for issue tracking) and other internal portals.
- The point was getting access to the company’s systems for over a month before executing the data exfiltration as per the hacker. They also stated that they had dropped a ransom note on the compromised system, but Orange did not engage in negotiations.
- Orange emphasized that the attack has not impacted operations amid an ongoing investigation into the incident. The company is yet to disclose whether affected individuals will be notified or if additional security measures will be introduced to prevent similar breaches in the future.
Cyber Security Implications
From cybersecurity point the incident reflected how major organization face cyber threats and what is their strategy for incident response?
How far is the preparedness of enterprises against a ransomware attack?
These are some of the eminent questions organizations must face in order to defend their brand name..Is it proactive, are organizations prepared as Ransomware groups are focusing with advanced techniques.
Cyber security preparedness the next step
It is important that security teams be on their toes to stop any ransomware attack at the source.
AI on the endpoints is the requirement of the day, detecting atypical behavior to predict and block attack advances, at the same time before encryption, having visibility full visibility from the kernel to the cloud enables one to spot signs of compromise .This can also be any ransomware chain or any early indicators of compromise.
Experts keep on warning how to protect assets from getting compromised warning customers and employees to remain vigilant for potential phishing attempts based on the data that has been leaked.
AI Leveraging Ransomware campaigns
Earlier we witnessed cybercriminals would encrypt data and provide the decryption key once payment was received.
Now threats has doubled up with double or triple extortion attacks to expose stolen information on data leak sites in exchange for larger ransoms.
The greater availability of artificial intelligence and machine learning tools has led to these gangs be more sophisticated in their attack methods. Now the attack vectors leverage AI and ML capabilities to evade detection, spread more effectively to reach their final goals.
AI Reshaping Cyber security Roadmap
AI in cybersecurity firstly integrates artificial intelligence technologies that are required to gain critical insights and automate time-consuming processes and this includes machine learning and neural networks, into security frameworks.
These technologies are a must to enable cybersecurity teams and systems to analyze vast amounts of data, recognize attack patterns, and being able to adapt new evolving threats that can be performed with minimal human intervention. Read our blog: AI Reshaping Roadmap for Cyber security
With AI capabilities what is the next scenario we may witness in Ransomware campaigns
-
- Making ransom calls using Voice Cloning
-
- Malware that can target key personnel within the organization
-
- The ability to decipher financial data and demand ransom amounts accordingly
AI-driven systems learn from experiences and AI will empowers organizations, enterprises in future and still doing to enhance their cybersecurity posture and reduce the likelihood of breaches, identify potential risks by acting independently.
Sources:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
Banshee Stealer: A Growing Threat to macOS Users
Overview
Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.
Key Threat Details:
Malware Capabilities:
- Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.
- User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.
- Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.
C&C decryption Source: Cybersecurity News
Evasion Tactics:
- Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.
- Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.
Distribution Mechanisms:
- Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.
- Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.
Repository releases source: Cybersecurity News
Recent Developments:
- Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.
- Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.
Impact:
- Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.
- Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.
- Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.
Indicators of Compromise (IOCs):
The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .
| IP Address and Domain | File Hash |
| 41.216.183[.]49 | 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 |
| Alden[.]io | 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 |
| api7[.]cfd | 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab |
| Authorisev[.]site | b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 |
Recommendations:
To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:
- Avoid Untrusted Downloads:
- Refrain from downloading software from unverified sources, particularly free or “cracked” versions.
- Verify the authenticity of GitHub repositories before downloading any files.
- Strengthening System Defenses:
- Regularly update macOS and all installed applications to patch known vulnerabilities.
- Deploy advanced security solutions with real-time threat detection and proactive intelligence.
- Enhance Awareness and Training:
- Educate users on identifying phishing websites and suspicious downloads.
- Encourage caution when responding to system prompts or entering credentials.
- Enable Two-Factor Authentication (2FA):
- Secure accounts with 2FA to minimize the impact of stolen credentials.
- Monitor System Activity:
- Regularly review system logs for unauthorized changes or suspicious activity.
- Use tools to monitor unexpected outgoing data transmissions.
- Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.
- Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.
Conclusion:
The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.
References:
Critical Windows Privilege Escalation Vulnerability with Public Exploit
Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.
Summary
| OEM | Microsoft |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2024-43641 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Windows Registry Elevation of Privilege Vulnerability | CVE-2024-43641 | Windows | High |
Technical Summary
The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-43641 | Windows 10, Windows 11, Windows Server 2008–2025 | The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. | Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. |
Remediation:
- Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates.
- Monitor Activity:
- Monitor logs for suspicious activity related to registry operations.
- The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild.
Conclusion:
CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat.
References:
Zero-Day Vulnerability in Windows Exposes NTLM Credentials
Summary
OEM | Microsoft |
Severity | Critical |
Date of Announcement | 2024-12-12 |
CVE | Not yet assigned |
Exploited in Wild | No |
Patch/Remediation Available | Yes (No official patch) |
Advisory Version | 1.0 |
Vulnerability Name | NTLM Zero-Day |
Overview
A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.
Vulnerability Name | CVE ID | Product Affected | Severity |
NTLM zero-day | Not Yet Assigned | Microsoft Windows | Critical |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
Not Yet Assigned | Windows 7 to 11 (24H2), Server 2008 R2 to 2022 | A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder. | Enables attackers to steal NTLM credentials and gain unauthorized access of the affected systems. |
Remediations
- Apply the 0patch Micropatch:
- Register for a free account at 0patch Central.
- Install the 0patch agent to automatically receive the micropatch.
- Disable NTLM Authentication:
- Navigate to Security Settings > Local Policies > Security Options in Group Policy.
- Configure “Network security: Restrict NTLM” policies to limit NTLM usage.
General Recommendations
- Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
- Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
- Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
- Monitor systems for suspicious NTLM-related activity.
Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries
MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries
Overview
In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.
MUT-8694 Campaign Details
The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:
- Typosquatting: Using package names that closely resemble popular or legitimate libraries.
- Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
- Targeted Ecosystems: npm and PyPI, critical platforms for developers.
Source: Datadog
Key Findings
One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.
Capabilities of Malware
The deployed malware variants include advanced features that allow:
- Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
- Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
- Application Data Exfiltration: Stealing configuration files from popular applications
Affected Packages
Some known malicious packages include:
- larpexodus (PyPI): Executes a PowerShell script to download malware.
- Impersonations of npm libraries: Host binaries leading to infostealer deployment.
Remediation:
To mitigate the risks associated with this attack, users should:
- Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
- Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
- Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
- Use Security Tools: Implement solutions that detect malicious dependencies.
General Recommendations:
- Avoid downloading software from unofficial or unverified sources.
- Regularly update packages and dependencies to the latest versions.
- Conduct periodic security awareness training for developers and IT teams.
References:
Godot Hijacked with Malware to infect Thousands of PC’s
Godot is a platform that host open source game development, where new Malware loader installed in its programming language
At least 17,000 devices were infected with infostealers and cryptojackers so far.
As per researchers cyber criminals have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts.
Earlier hackers targeted the open sources gaming platform targeting users of the Godot Gaming Engine and researcher’s spotted that GodLoader would drop different malware to the infected devices mostly in RedLine stealer, and XMRig, a popular cryptojacker.
GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.
Check Point argues that in theory, crooks could hide malware in cheats, cracks, or modes, for different Godot-built games. Check Point detected four separate attack waves against developers and gamers between September 12 and October 3, enticing them to download infected tools and games.
Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.
Hackers delivered the GodLoader malware through the Stargazers Ghost Network, a malware Distribution-as-a-Service (DaaS) that masks its activities using seemingly legitimate GitHub repositories.
Technical Details
Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime.
There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.
Analysis of WezRat Malware; Check point Findings
New CheckPoint research discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.
Continue Reading