Category: Heimdal Security Blog

The Federal Bureau of Investigation disrupted a Russian government-controlled Snake malware network that compromised hundreds of computers belonging to NATO-member governments and other Russian targets. According to the Justice Department, the disruption effort, called Operation MEDUSA, took the malware offline…

Read more →

There is a new Linux NetFilter kernel flaw that allows unprivileged local users to escalate their privileges to root level, giving them complete control over the system. The vulnerability has been assigned the CVE-2023-32233 identifier, but its severity level has not…

Read more →

The Aurora information-stealing malware was delivered through an in-browser Windows update simulation in a recent malvertising campaign. For more than a year, Aurora has been advertised on various hacker forums as an info stealer with extensive capabilities and low antivirus…

Read more →

Researchers warn Cactus Ransomware exploits VPN Flaws to compromise networks and encrypts itself to avoid detection. The new ransomware strain targets large commercial entities that use remote access services and scans after unpatched vulnerabilities for initial access. How Is Cactus…

Read more →

AndoryuBot new malware aims to infect unpatched Wi-Fi access points to enlist them in DDoS attacks. To this end, threat actors exploit a critical Ruckus vulnerability in the Wireless Admin panel. The flaw is tracked as CVE-2023-25717 and enables hackers…

Read more →

Sysco food distributor announced recently that its network was breached, and business, customer, and employee data was compromised. According to an internal memo the company sent to its employees on May 3rd, data belonging to customers and suppliers in the…

Read more →

NextGen Healthcare, a U.S.-based provider of electronic health record software, notified its clients that threat actors breached its systems and stole the personal data of more than 1 million patients. The company reported a data breach to the Maine attorney…

Read more →

Heimdal® returns with yet another rendition of its monthly Patch Tuesday updates. Our May edition includes security releases for vulnerabilities that impact Microsoft’s Chromium-based Edge browser. In total, 11 fixes have launched, each tackling a different operational area. Enjoy and…

Read more →

We are thrilled to announce that Heimdal® has been awarded the Risk Management Award at the Security Excellence Awards 2023 for our innovative Patch and Asset Management solution!  This award recognizes our commitment to providing cutting-edge cybersecurity solutions that help…

Read more →

As reported by Microsoft, Iranian state-backed threat groups have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers. The groups in question are tracked as Mango Sandstorm (aka Mercury or Muddywater) and Mint Sandstorm (also known as Phosphorus…

Read more →

Twitter recognized a security error regarding Twitter Circles in a statement sent to affected users on 5 May 2023. The company mentioned a “security incident” some weeks after the users noticed the initial problem. The Circle Tweets Twitter users reported…

Read more →

Researchers spotted a new ransomware operation in March 2023. It is called Akira and targets businesses worldwide, breaching corporate networks, stealing and encrypting data. Threat actors claim to already have sixteen companies in their portfolio of victims from areas like…

Read more →

Officials from Dallas, Texas declared that Royal Ransomware gang is responsible for a cyberattack that shut down most of the city’s services and knocked the Dallas Police and Fire Rescue departments offline this week. Since the ransomware group’s Wednesday morning…

Read more →

What Is Patch Management? Patch management is the process of identifying and deploying software updates. It is an important process that involves the acquisition, review, and deployment of ‘patches’ to IT infrastructure. The ‘patches’ are pieces of software code that…

Read more →

Identity and Access Management is a critical component of modern-day cybersecurity. Often abbreviated as IAM, it refers to a collection of technologies, policies, and procedures that assist organizations in managing and verifying the identities of individuals and devices, granting access…

Read more →

Kimsuky, a North Korean hacking group, has been observed employing a new version of its reconnaissance malware called “ReconShark” in a cyberespionage campaign with global reach. According to security analysts, the threat actor has broadened the range of targets it…

Read more →

Managing thousands of IP-connected devices can become a great challenge for many organizations. But imagine trying to keep track of which IP Address is assigned to each device, which DHCP lease is up, or when the IP has changed? In this…

Read more →

Heimdal® has recently discovered what can very well be the debut of a massive phishing campaign unfolding in the Nordics. According to a tip sent to us by an anonymous reader, the APT’s choice in phishing is an email in…

Read more →

A new, sophisticated malware toolkit called Decoy Dog was discovered after cybersecurity researchers analyzed more than 70 billion DNS records belonging to enterprise networks. To avoid detection, Decoy Dog uses stealthy methods like strategic domain aging and DNS query dribbling,…

Read more →

A critical flaw affecting Illumina medical devices has been announced in an Industrial Control Systems (ICS) medical advisory issued by the United States Cybersecurity and Infrastructure Security Agency (CISA). The flaws affect the Universal Copy Service (UCS) software in the…

Read more →

Privilege escalation might be a confusing cybersecurity term for many. That’s why in this article we’re going to shed a little bit more light on this topic. Keep reading to find out more about what is privilege escalation, how many…

Read more →

On the 28th of April, acting on a tip received from an anonymous source, Heimdal®’s SOC team has come across an active phishing campaign that appears to specifically target Romanian telecom customers. The preliminary analysis of all of the evidence…

Read more →

RTM Locker is now the most recent enterprise-targeting ransomware operation found to be using a Linux encryptor to target virtual machines on VMware ESXi systems. The RTM (Read The Manual) cybercrime group, which is well-known for disseminating a unique banking…

Read more →

As the world becomes increasingly digital, cybersecurity threats continue to evolve and become more sophisticated. Traditional cybersecurity measures are no longer enough to protect organizations from malicious attacks. That’s where managed threat hunting comes in – a proactive approach that…

Read more →

Imagine sitting at your computer, ready to work or browse the internet, only to find that your connection is suddenly sluggish or completely non-existent. You may have fallen victim to a ping flood attack – one of the most common…

Read more →

Cyber threat hunting is a proactive search for malicious actors and contents in your system. Threat hunting is a must-have part of the defense strategy which focuses to detect and respond rapidly to unknown, undetected, and unresolved threats. This means…

Read more →

A TP-Link Archer A21 (AX1800) consumer-grade WiFi router vulnerability has been used by Mirai botnet to launch DDoS attacks against IoT devices. The flaw in the TP-Link Archer AX21 firmware was discovered back in December 2022, and the company released a patch in…

Read more →

Google advertisements have been exploited to distribute various types of malware over the past few months. To trick unsuspecting users into downloading malware onto their systems, threat actors often used the platform to promote fake websites on legit software and…

Read more →

Across Southeast Asia, Europe and Africa, a new Linux variant of the PingPull malware used by Chinese APT group Alloy Taurus (Gallium) has been reported as an active threat to telecommunications, finance and government organizations. Alloy Taurus is a Chinese…

Read more →

When building an organization’s cybersecurity posture, there are many decisions that will ultimately lead you to the best result for your specific company. One of these decisions is having an in-house SOC team or choosing a managed SOC solution like…

Read more →

IMA Financial Group (IMA) announced on April 19th it had experienced a data breach resulting in confidential consumer data leakage. The insurance and wealth management solutions company filed a notice of the data security incident with the Attorney General of…

Read more →

Alaska Railroad Corporation reported a data breach incident that occurred in December 2022 and they discovered it on March 18th, 2023. According to ARCC, a third party gained unauthorized access to the internal network system. Further on, threat actors accessed…

Read more →

Researchers discovered a new kind of side-channel attack that affects several versions of Intel CPUs and enables data exfiltration. Attackers could leak the data through the EFLAGS register. The discovery was made by researchers at Tsinghua University, the University of…

Read more →

Yellow Pages Group, a Canadian entity that specializes in directory publishing, has officially confirmed that it has fallen victim to a cyberattack. Black Basta, a group known for spreading ransomware and engaging in extortion, has taken credit for the attack…

Read more →

Attackers are taking advantage of critical flaws in the widely used PaperCut MF/NG print management software to install Atera remote management software and take control of servers. The software is used by more than 100 million people from over 70,000…

Read more →

Privileged Account and Session Management (PASM) is a new PAM (Privileged Access Management) that focuses on privileged account monitoring and management for compliance, security, and data integrity purposes. Whereas PAM covers user account, on rights escalation demands, PASM and PEDM…

Read more →

DNS-Layer Security protects users from threats that arise from inbound and outbound traffic. It refers to monitoring communications between endpoints and the internet at a DNS-layer level. Imagine the DNS layer security as a gatekeeper who makes sure that all…

Read more →

The number of cyberattacks spreading EvilExtractor malware across Europe and the U.S. is raising. Researchers warn that threat actors used the data theft tool in a massive phishing campaign in March 2023. Hackers designed this malicious program to extract data…

Read more →

Discarded routers that are for sale on the secondary market are usually improperly wiped, an experiment shows. Threat actors can reboot sensitive data that haven’t been completely erased from them. Cybercriminals can use information about network configuration and details about…

Read more →

In today’s digital age, cyber threats are an ever-present danger to organizations of all sizes. From ransomware attacks to data breaches, the consequences of a successful cyberattack can be devastating. That’s why it’s essential for businesses to adopt a proactive…

Read more →

Shields Health Care Group (SHCG), a medical service provider in the United States, announced a data breach that compromised the personal information of more than 2.3 million people. Shields reported the breach to the Maine Attorney General on April 19,…

Read more →

Threat actors found a new method to inject malicious code into websites. They are now using an abandoned WordPress plugin, Eval PHP. The plugin is still available in the WordPress plugins repository and had approximately 4,000 malicious installations per day…

Read more →

ICICI Bank, an Indian multinational valued at more than $76 billion, with over 5,000 branches operating across India and 15 other countries worldwide has leaked millions of records with sensitive data, including financial information and personal documents of the bank’s…

Read more →

On the 20th of April, Heimdal®’s SOC team has discovered that an unknown APT has been launching smishing attacks against Nordea Bank customers. The data analyzed so far suggests that the threat actor takes advantage of the MitID authentication mechanism…

Read more →

The increasing frequency and size of ransomware attacks are becoming a huge concern for thousands of organizations globally. All over the world, threat actors take advantage of security vulnerabilities and encrypt data belonging to all sorts of organizations: from private…

Read more →

Mint Sandstorm, an Iranian government-backed actor, has been linked to attacks on critical infrastructure in the United States between late 2021 and mid-2022. The entities that were targeted include seaports, energy companies, transit systems, and a major U.S. utility and…

Read more →

The National Cyber Security Centre (NCSC) from the UK issued a warning about state-aligned Russian hacktivists shifting their interest to the business sector. Authorities recommend that all companies in the country tighten their security measures. The Russian Hacktivists Threat Usually,…

Read more →

Attackers are breaking into Microsoft SQL (MS-SQL) servers to install Trigona ransomware payloads and encrypt all files. These servers are not well protected and are exposed to the Internet. By using account credentials that are simple to guess, brute-force or…

Read more →

When trying to tie up your organization’s cybersecurity posture, you look for the perfect detection and response solution to keep you safe. With all the options available nowadays, this is when it can get confusing. In this article, we will…

Read more →

Researchers in US and UK warn that Russian state sponsored APT28 hackers deploy ”Jaguar Tooth” custom malware on routers in order to obtain unauthorized access. The APT28 threat group is known for a wide range of attacks and cyberespionage activities…

Read more →

Following a ransomware attack back in March, sensitive employee data was compromised at CommScope, a major US telecommunications and IT infrastructure company. The Vice Society ransom gang claims to have published CommScope employee data on its dark web leak site. The…

Read more →

A game-changer in the PAM market, PEDM is now on everybody’s lips when talking about more efficient methods to mitigate cybersec risk by properly controlling privileged permissions. Featuring three essential elements: appropriate privileges for appropriate users just at the appropriate…

Read more →

Rheinmetall, a leading German armaments and technology company, was targeted by a cyberattack over the weekend. The attack, however, did not affect company operations, according to officials. Rheinmetall, the largest arms company in Germany and one of the top three Western…

Read more →

Researchers recently discovered a new malware family named “Domino”, allegedly created by ITG14, also known as the FIN7 threat group. Reportedly, ex-Conti hackers have been using it since at least February 2023 to spread Project Nemesis info stealer or Cobalt…

Read more →

Security researchers and experts warn Windows admins about a critical vulnerability discovered in the Windows Message Queuing (MSMQ) middleware service, that can expose hundreds of thousands of systems to attacks. The vulnerability has been patched by Microsoft in this month’s…

Read more →

An ongoing supply chain attack allegedly uses a digitally signed and trojanized variant of the 3CX Voice Over Internet Protocol (VoIP) desktop client to target the company’s clients. The 3CX Phone System engineered by the VoIP IPBX software development company…

Read more →

A malware distribution operation known as Balada Injector has been active since 2017, and it is believed that it has infected over a million WordPress sites. According to GoDaddy’s Sucuri, the massive campaign “leverages all known and recently discovered theme…

Read more →

Apple is backporting two security patches released on Friday. The updated patches address zero-day vulnerabilities on iPhones, iPads, and Macs. Details About the Vulnerabilities The first flaw, tracked as CVE-2023-28206, is an out-of-bounds write issue. This bug may permit threat…

Read more →

Belgian company SD Worx shut down all IT systems for its UK and Ireland services after suffering a cyberattack. The European HR and payroll management company services 5.2 million employees for over 82,000 companies. The company started notifying customers that…

Read more →

Ensuring an efficient threat detection and response (D&R) strategy for your organization is vital for every sector of its activity. But growing workloads and limited resources are only two of the problems you encounter in your search for the best…

Read more →

The Round-robin DNS is a load-balancing technique that helps manage traffic and avoid overloading servers. Multiple IP addresses are assigned to a single domain name; each time the domain name is resolved, the returned IP address is picked in a…

Read more →

Almost 90,000 clients’ personal information was compromised in the cyberattack on the prestigious law firm Cadwalader, Wickersham & Taft. The law firm informed its clients on March 30, 2023, that on November 15, 2022, an unauthorized third party acquired remote…

Read more →

The Government of the Netherlands announced last week its intention to implement the Resource Public Key Infrastructure (RPKI) standard on all its networks. The measure is meant to upgrade de Internet routing safety, protecting the networks against route hijacks and…

Read more →

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Three of the added vulnerabilities were found in the Veritas Backup Exec Agent software and were used by threat…

Read more →

Patch management is an essential practice for businesses to maintain the security and stability of their IT infrastructure. Patches are released by software vendors to fix vulnerabilities and enhance performance, and failing to manage these patches can lead to security…

Read more →

After weeks of silence, the UK’s Criminal Records Office (ACRO) has issued a statement saying that the issues with the website that have been ongoing since January 17 were caused by a “cyber security incident.” ACRO manages criminal record information,…

Read more →

A recent data breach affecting Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as ‘Money Message’. The threat actors claim to have stolen source code from the company’s…

Read more →

In today’s digital age, it is crucial for businesses to protect their sensitive data and computer systems from cyber threats. One effective way of doing so is by implementing a software restriction policy. But what exactly is a software restriction…

Read more →

A threat hunting framework is a collation of data-driven adversarial scenarios, backed up by hypothetical, field-tested, or time-honored TTPs (i.e., Tactics, Techniques, and Procedures). Serving a wide array of security-wise needs such as baselining, forecasting, threat modeling, vulnerability discovery, and…

Read more →

Threat actors upgraded Typhon info-stealer to a version that has improved evading features against analysis and anti-virtualization mechanisms. The new Typhon Reborn V2 malware is currently advertised on a dark web forum. Typhon was first discovered in August 2022 and…

Read more →

Are you one of those people who get easily scared by pop-up ads and warning messages on your computer? If so, then beware! You might be falling for a common cybercrime tactic known as scareware. Scareware is a type of…

Read more →

A global law enforcement crackdown, dubbed Operation Cookie Monster, has led to the take down of one of the world’s biggest criminal marketplaces used by online fraudsters to buy passwords – Genesis Market. An FBI-led operation involving more than a…

Read more →

Researchers have unveiled a sophisticated and fast ransomware strain called Rorschach, previously undocumented. Malware experts discovered the new ransomware strain after a cyberattack on a U.S.-based company and described it as having “technically unique features”. Among the capabilities observed was the encryption…

Read more →

Researchers discovered a new malware that fakes legitimate Google Drive extensions to inject malicious scripts and steal cryptocurrency. The new Rilide malware targets Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Opera. How Is Rilide Different Just like other…

Read more →

Western Digital announced that they discovered a network breach had affected their systems, starting March 26th. Threat actors managed to obtain unauthorized access to several of the Company’s systems. While law authorities are still investigating, Western Digital claims the intruder…

Read more →

Using the Shodan database, IT security researchers were able to track down 15 million vulnerable systems with vulnerabilities from the US cyber security authority CISA’s Known-Exploited-Vulnerabilities-Catalog (KEV). When KEV vulnerabilities are discovered, updates are usually available from the software manufacturer…

Read more →

Microsoft has patched a misconfiguration issue affecting the Azure Active Directory (AAD) identity and access management service that allowed unauthorized access to many “high-impact” applications. The vulnerabilities were reported to Microsoft in January and February 2022, after which the company…

Read more →

A new online threat actor has emerged: the Money Message ransomware gang. These cybercriminals are attacking companies all over the world, demanding millions of dollars in ransom for the decryption key and not leaking the stolen data. When Did Money…

Read more →

Threat actors are actively exploiting a high-severity vulnerability discovered in the popular plugin Elementor Pro. Elementor Pro is a WordPress page builder plugin with multiple functions that helps users to build professional-looking websites easily, without the need to know how…

Read more →

In today’s cybersecurity space, properly patching the machines and servers in your company can make the difference between a well-secured organization and a vulnerable one. SCCM is one of the most popular system management solutions on the market and has…

Read more →

Winter Vivern (aka TA473), a Russian hacking group, has been exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to access the emails of NATO officials, governments, military people, and diplomats. The CVE-2022-27926 flaw affects versions 9.0.0 of Zimbra Collaboration, which is…

Read more →

Ukraine’s Cyberpolice Department announced an operation during which they busted a phishing gang. The police arrested two scammers and confiscated equipment used for phishing frauds. Threat actors managed to steal $4,300,000 from over a thousand victims across the EU. The…

Read more →

In today’s world, a multitude of smart devices helps us to improve our lives, as we rely more and more on technology for a comfortable and efficient lifestyle – smart appliances, smart cars, smartwatches. Life as we know it is…

Read more →

An ongoing supply chain attack allegedly uses a digitally signed and trojanized variant of the 3CX Voice Over Internet Protocol (VoIP) desktop client to target the company’s clients. The 3CX Phone System engineered by the VoIP IPBX software development company…

Read more →

In today’s fast-paced world, identity management has become a crucial aspect of every organization. From securing sensitive data to ensuring compliance with regulations, effective Identity Lifecycle Management (ILM) is essential for businesses of all sizes. However, implementing an ILM strategy…

Read more →

The Department of Health and Social Care has established a cyber security program aimed at improving cyber resilience across the NHS and social care sectors in England over the next seven years. The use of technology to access health and…

Read more →

The increasing frequency and size of ransomware attacks are becoming a huge concern for thousands of organizations globally. All over the world, threat actors take advantage of security vulnerabilities and encrypt data belonging to all sorts of organizations: from private…

Read more →

User provisioning (also known as account provisioning) is a digital Identity and Access Management (IAM) process that involves creating employee/user accounts and their profiles and giving them appropriate rights and permissions across IT infrastructure and enterprise applications and systems. In…

Read more →

A new North Korean cyber operator has been attributed to a series of attacks conducted to gather strategic intelligence aligned with the state’s geopolitical interests. Security researchers, which are tracking the threat group’s activity under the moniker APT43, believe that…

Read more →

The National Crime Agency (NCA) from the U.K. launched several fake DDoS-as-a-service sites. The aim is to gather the details of people who try to utilize such services. The deceiving sites infiltrate the cybercrime market, and several thousand individuals accessed…

Read more →

A zero-day vulnerability in Crown Resorts’ GoAnywhere secure file-sharing server has led to a data breach at the largest gambling and entertainment company in Australia. The Blackstone-owned company operates complexes in Melbourne, Perth, Sydney, Macau, and London, and has an annual…

Read more →

A command-and-control server (C&C) is a computer that threat actors use to send instructions to compromised systems. Their goal is to direct infected devices into performing further malicious activities on the host or network. Hackers can use C&C or C2…

Read more →

Latitude Financial Services, the recently breached Australian loan giant, announces that the number of affected people reaches 14 million. On March 16, 2023, Latitude disclosed they were the victim of a cyberattack that resulted in 328,000 customer records being exfiltrated.…

Read more →

At least 50 US government officials are either suspected or confirmed to have been targeted by invasive commercial spyware designed to hack mobile phones, extract data, and track the movements of the victims. An executive order limiting the use of…

Read more →

Researchers discovered a new MacOS info-stealer that extracts documents, cookies, and login data from infected devices. MacStealer uses Telegram as a command-and-control platform to exploit MacOS machines from Catalina (10.15) and up to Ventura (13.2). It is delivered on the…

Read more →

According to the city of Philadelphia, cybersecurity recommendations have been issued in response to an Internal Revenue Service (IRS) warning against tax-based phishing attempts.  On day two of the annual Dirty Dozen tax scams campaign, the IRS warns again about…

Read more →

On Friday, March 24th, Twitter sent GitHub a copyright infringement notice, claiming some of the platform`s users leaked parts of their source code. GitHub, the Microsoft-owned service for software developers, reacted promptly and took down the code the same day.…

Read more →

Dole Food Company, one of the world’s largest suppliers of fresh fruit and vegetables, has revealed that it has been hit by a ransomware attack that disrupted its operations. The company is still looking into “the scope of the incident,”…

Read more →

Are you aware of QR code phishing or “quishing”? This form of social engineering attack is gaining popularity among cybercriminals eager to steal your data. In this article, we will find out what quishing is, how it works, and how…

Read more →

New cyber attacks against Middle Eastern telecommunications operators emerged in the first quarter of 2023. Based on technical overlaps, the intrusion set was identified as being the work of a Chinese cyber espionage actor associated with a long-running campaign dubbed…

Read more →