Ian Ahl from Permiso’s PØ Labs joins Dave to discuss their research on “Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor.” First observing the group in 2021, they found that GUI-Vil is a financially motivated threat group primarily focused on unauthorized cryptocurrency mining.
The research states “the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations.” This group is dangerous because, unlike many groups focused on crypto mining, GUI-Vil applies a personal touch when establishing a foothold in an environment.
Mysterious Decoy Dog malware toolkit still lurks in DNS shadows
New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity.
Millions of Docker repos found pushing malware, phishing sites
Three large-scale campaigns have targeted Docker Hub users, planting millions of repositories designed to push malware and phishing sites since early 2021.
Most of the activity took place after the initial fix went public on GitHub. TAG highlights staying protected by keeping software up-to-date and promptly applying security updates.
In the upcoming webinar, Karthik Krishnamoorthy, CTO, and Vivek Gopalan, VP of Products at Indusface, demonstrate how APIs can be hacked. The session covers an exploit of an OWASP API Top 10 vulnerability, a brute-force account takeover (ATO) attack on an API, a DDoS attack on an API, and how a WAAP can bolster security over an API gateway.
TAG found a critical XSS flaw in Zimbra’s email server (CVE-2023-37580), which was actively exploited in June. Zimbra released a hotfix on July 5, 2023, and an advisory on July 13, 2023.
Timeline (Source – Google TAG)
Researchers also identified three threat groups exploiting the flaw before the official patch, and a fourth campaign emerged after the fix.
The vulnerability in Zimbra’s handling of a URL parameter led to a reflected XSS, allowing malicious scripts to be injected into the web pages served to a victim.
Campaigns
The four campaigns are:
Campaign 1: First known exploitation leads to email-stealing framework
Campaign 2: Winter Vivern exploitation after hotfix pushed to Github
Campaign 3: Exploit used for credential phishing
Campaign 4: N-day exploit used for stealing authentication token
The discovery of four CVE-2023-37580 campaigns underscores the urgency of promptly patching mail servers: attackers exploited the vulnerability in the window after the fix appeared on GitHub but before the public advisory.
This follows the exploitation of CVE-2022-24682 and precedes CVE-2023-5631. Recurring XSS exploitation highlights the need for rigorous code audits of mail server software.