XZ backdoor: Hook analysis
In this article, we analyze XZ backdoor behavior inside OpenSSH, after it has achieved RSA-related function hook. Continue reading XZ backdoor: Hook analysis
In this article we analyze the social engineering aspects of the XZ backdoor incident, namely the pressure put on the XZ maintainer to hand the project over to Jia Cheong Tan, and the subsequent urging of major downstream maintainers to merge the backdoored code into their projects. Continue reading Assessing the Y, and How, of the XZ Utils incident
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process. Continue reading XZ backdoor story – Initial analysis
We analyzed the data published by Cyber Av3ngers and found it to be sourced from older leaks by another hacktivist group called Moses Staff. Continue reading A hack in hand is worth two in the bush
In early April, we detected a significant increase in attacks using banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware was delivered through e-mails built on real business correspondence the attackers had obtained. Continue reading QBot banker delivered through business correspondence
A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020. Continue reading Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
At the end of September, GTSC reported the finding of two 0-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. The cybersecurity community dubbed the pair of vulnerabilities ProxyNotShell. Continue reading CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
We investigated CVE-2022-41352 and were able to confirm that unknown APT groups have actively been exploiting this vulnerability in the wild, one of which is systematically infecting servers in Central Asia. Continue reading Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)
We used our internal automated system for monitoring open-source repositories and discovered two more malicious Python packages in PyPI. They were masquerading as one of the most popular open-source packages, “requests”. Continue reading Two more malicious Python packages in the PyPI
This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”. Continue reading LofyLife: malicious npm packages steal Discord tokens and bank card data