#rce


Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wallet. The campaign shows persistence, as removing the malicious package doesn't remove the injected code from the wallets. Multiple versions of both wallets were targeted, with the attackers adapting their code accordingly. This incident highlights the growing scope of software supply chain risks, particularly in the cryptocurrency industry, and emphasizes the need for improved monitoring of both source code repositories and locally deployed applications.

Pulse ID: 67fd41f7af4b02a0fd75fb69
Pulse Link: otx.alienvault.com/pulse/67fd4
Pulse Author: AlienVault
Created: 2025-04-14 17:12:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

1/ Was at the @blnensemble today and saw #RCE. I had read the novel by Sibylle Berg last year. It was very good. We also attended the introduction:

From the 700-page novel, a 50-page summary was generated with AI. This was then read aloud with text-to-speech. A human put music on top of it. Several video artists from various European countries then made videos and images for it with AI.

The play is a dystopian one with a revolution by nerds. Everything is digitised and therefore attackable. Power grids, transport, food supply, heating in the #Smarthome.

According to the person giving the introduction, there were also power outages during rehearsals. The book is the blueprint for the world revolution.

A few snippets from the play:

“It takes a revolution you can dance to.”

“Nerds save the world.”

“Going without can be fun again.”

After the play everyone clapped and then drove home.

They dream that the nerds will soon make a revolution.

Maybe they dream nothing at all, because they drink too much alcohol or take sleeping pills that are too strong.

If you neither dream nor sleep, then read #RemoteCodeExecution. It's funny. Or sad. Depending on how you are.

Oh, and: we weren't entirely sure whether the first summary was made with AI or by hand. Maybe the BE can clarify that.

On a meta level I find it funny that the people who are afraid of being replaced by AI use it to depict the dystopian world.

CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw

A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middleware for user authorization, session data validation, route access control, redirections, and UI visibility management. The issue stems from how the runMiddleware function handles the x-middleware-subrequest header. Attackers can craft malicious headers to bypass middleware controls. Affected versions range from 11.1.4 to 15.2.3. Users are urged to update to patched versions or implement mitigation strategies to block external requests containing the vulnerable header.

Pulse ID: 67e59d30fc2fe9b7ddaded28
Pulse Link: otx.alienvault.com/pulse/67e59
Pulse Author: AlienVault
Created: 2025-03-27 18:47:12

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather than large-scale ransomware extortion. Dragon RaaS primarily targets organizations in the US, Israel, UK, France, and Germany, exploiting vulnerabilities in web applications, using brute-force attacks, and leveraging stolen credentials. The group operates two ransomware strains: a Windows-focused encryptor based on StormCry and a PHP webshell. Despite claims of creating a unique ransomware variant, analysis reveals that Dragon RaaS's payloads are slightly modified versions of StormCry.

Pulse ID: 67db2bceaeb33fde1496fef2
Pulse Link: otx.alienvault.com/pulse/67db2
Pulse Author: AlienVault
Created: 2025-03-19 20:40:46

#Tomcat: Apache Tomcat Vulnerability CVE-2025-24813 Actively Exploited Just 30 Hours After Public Disclosure!
Successful exploitation could permit attackers to view sensitive files, inject arbitrary content or even achieve Remote Code Execution (#RCE):
👇
thehackernews.com/2025/03/apac

The Hacker News - Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure: Apache Tomcat flaw CVE-2025-24813 is under active exploitation, enabling remote code execution via PUT requests.

Whoa, a Tomcat RCE is out in the wild! 🙈 Seriously, a Proof of Concept (PoC) went live, and exploits followed almost immediately. Talk about fast!

So, if you're running Tomcat versions 9.0.0 through 11.0.2, you're gonna want to update ASAP!

But that's not all – give your config a good once-over. Are Default Servlet Writes enabled? What about Partial PUT? If so, you could be in trouble. An RCE or an info leak is potentially lurking.

And hey, remember that network segmentation and regular pentests are invaluable, especially right now. What detection rules are you all using? Let's share some tips!
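One way to answer the two config questions in the post above, as an added example (not the poster's code and not Tomcat project code): a small checker that reads a Tomcat conf/web.xml and reports whether the DefaultServlet has writes enabled (readonly=false) and whether partial PUT is left on (allowPartialPut not set to false). The init-param names are the ones Tomcat documents for the DefaultServlet; the two sample descriptors are constructed.

```python
# Added example (not from the post or the Tomcat project): flag the two DefaultServlet
# settings named in the post in a Tomcat conf/web.xml. Uses the init-param names Tomcat
# documents: 'readonly' (writes enabled when false) and 'allowPartialPut' (on unless false).
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Drop the namespace so javaee (Tomcat 9) and jakartaee (10/11) descriptors both parse.
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml):
    """init-params of the DefaultServlet declaration, or {} if it is not declared."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if kv.get("param-name"):
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}

def check_default_servlet(web_xml):
    """Report both conditions; 'at_risk' needs both, as the post describes."""
    p = default_servlet_params(web_xml)
    writes = p.get("readonly", "true").strip().lower() == "false"          # Tomcat default: true
    partial = p.get("allowPartialPut", "true").strip().lower() != "false"  # Tomcat default: true
    return {"writes_enabled": writes, "partial_put_enabled": partial, "at_risk": writes and partial}

# Constructed sample descriptors (not real deployments).
RISKY_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
HARDENED_WEB_XML = RISKY_WEB_XML.replace(
    "<param-value>false</param-value>",
    "<param-value>true</param-value></init-param>"
    "<init-param><param-name>allowPartialPut</param-name><param-value>false</param-value>")

if __name__ == "__main__":
    for label, xml in (("risky", RISKY_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, check_default_servlet(xml))
```

Point it at the server's conf/web.xml (and any application WEB-INF/web.xml that redeclares the default servlet); a descriptor that never declares the DefaultServlet inherits Tomcat's defaults, which this check treats as readonly=true and allowPartialPut=true.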

Credit Card Skimmer and Backdoor on WordPress E-commerce Site

A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout page, collected payment and billing information, sending it to a malicious server. A PHP backdoor allowed remote system command execution, while a reconnaissance script gathered server information. The attack demonstrates the evolving complexity of e-commerce platform threats, emphasizing the need for strict security measures, regular scans, proper access controls, and timely updates to prevent such exploits.

Pulse ID: 67d52aad906732f7bad24dfa
Pulse Link: otx.alienvault.com/pulse/67d52
Pulse Author: AlienVault
Created: 2025-03-15 07:22:21

GitLab fixes vulnerabilities related to the ruby-saml library

GitLab has announced the release of new software versions. The update applies to both Community Edition and Enterprise Edition. The fixed versions are 17.9.2, 17.8.5 and 17.7.7. The most important fix concerns two vulnerabilities (CVE-2025-25291, CVE-2025-25292) reported in the ruby-saml library, which GitLab uses for SAML SSO (Security Assertion Markup Language; single sign-on). Under certain circumstances...

#WBiegu #Cve #Gitlab #Graphql #Podatności #Rce #Ruby #Saml

sekurak.pl/gitlab-naprawia-pod

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden elements to force redirects, potentially leading to phishing pages, malvertising, exploit kits, or scam sites. At least 31 infected websites were identified, with domains like awards2today[.]top and chilsihooveek[.]net involved. The infection methods include compromised admin accounts, exploited vulnerabilities, inadequate file permissions, and hidden PHP backdoors. Impacts include traffic loss, reputation damage, SEO blacklisting, and risks of further infections. Detection involves inspecting network activity and file modifications, while prevention measures include regular security audits, updates, strong passwords, and web application firewalls.

Pulse ID: 67ca751fcb0a0f73661e1ad4
Pulse Link: otx.alienvault.com/pulse/67ca7
Pulse Author: AlienVault
Created: 2025-03-07 04:25:03

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.

Pulse ID: 67c9f6c4232a8b4665784c45
Pulse Link: otx.alienvault.com/pulse/67c9f
Pulse Author: AlienVault
Created: 2025-03-06 19:25:56

Phishing Campaigns Targeting Higher Education Institutions

Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Google Forms for phishing. Another involved cloning university login pages and re-hosting them on attacker-controlled infrastructure. A third campaign targeted staff and students in a two-step process, first phishing faculty credentials and then using compromised accounts to target students. These attacks aim to steal login credentials and financial information, often timed to coincide with key dates in the academic calendar. The campaigns employ various tactics to increase perceived legitimacy and perform payment redirection attacks.

Pulse ID: 67bc93b2e9c1d45f56f8e90f
Pulse Link: otx.alienvault.com/pulse/67bc9
Pulse Author: AlienVault
Created: 2025-02-24 15:43:46

Magento Credit Card Stealer Disguised in an <img> Tag

A sophisticated credit card stealing malware, disguised within an <img> tag, was discovered on a Magento-based eCommerce website. The malware uses Base64 encoding to hide its malicious JavaScript code, making it difficult to detect. It activates on the checkout page, waiting for user interaction before collecting credit card information. The script creates a hidden form to capture card details and sends the data to a remote server. This technique allows the malware to avoid detection by security scanners and remain unnoticed by users. The article emphasizes the importance of keeping eCommerce platforms updated, using web application firewalls, enforcing strong passwords, and implementing additional security measures to protect against such attacks.

Pulse ID: 67ad4753d4321b2931985f2c
Pulse Link: otx.alienvault.com/pulse/67ad4
Pulse Author: AlienVault
Created: 2025-02-13 01:13:55

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network signatures for detection, and highlights recently identified servers. The infrastructure exhibits distinctive HTTP response patterns, allowing for structured detection queries. Nine IP addresses across different ports were identified matching the criteria. Three of these IPs were previously associated with RansomHub activities. The post emphasizes the importance of proactive detection strategies to counter evolving tactics by adversaries using open-source offensive security tools.

Pulse ID: 67adb578e5a854366958749c
Pulse Link: otx.alienvault.com/pulse/67adb
Pulse Author: AlienVault
Created: 2025-02-13 09:03:52
