Zafran Security

Computer and Network Security

Zafran's Threat Exposure Management Platform integrates with your security tools to reveal, remediate, and mitigate risk

About us

The Zafran Threat Exposure Management Platform is the first and only consolidated platform that integrates with your security tools to reveal, remediate, and mitigate the risk of exposures across your entire infrastructure. Zafran uses an agentless approach to reveal what is truly exploitable, while reducing manual prioritization and remediation through automated response workflows. https://www.zafran.io/

Website
https://www.zafran.io/
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
New York, New York
Type
Privately Held

Updates

  • Zafran Security

    5,143 followers

    Thousands of Linux servers compromised by a "creative" malware exploiting vuln

    Read this week's exploitation report with actionable mitigations: https://lnkd.in/g_rxaM-x

    1. A sophisticated (and creative:) malware aka "perfctl", has been observed scanning over 20,000 Linux misconfigurations and vulnerabilities, successfully compromising thousands of servers. See our blog for specific mitigations.
    2. U.S. water systems continue to be prime targets for cyber threat groups. American Water is currently facing a cyber attack, while several municipal water plants have been compromised.

    Thousands of Linux servers compromised by a "creative" malware exploiting vuln

    zafran.io

  • Zafran Security

    Can your security measures be turned against you? Fascinating piece from Yonatan Keller on the Windows SmartScreen vulnerabilities

    Yonatan Keller

    Analyst Team Lead @ Zafran

    Hi friends, Read my last piece for Cyber Defense Magazine about the Defender SmartScreen vulnerabilities - or how neutralizing security products has become a central modus operandi for attackers. Feel free to contact us at Zafran Security and learn more about how to monitor and mitigate these threats. Zafran Security

  • Zafran Security

    Cloud environments targeted by a ransomware group through on-prem

    Read this week's exploitation report with actionable mitigations: https://lnkd.in/gH63KjA4

    1. Storm-0501, a potential Latvian ransomware group, has been observed targeting hybrid networks. The group moves laterally from on-prem to cloud environments by exploiting weak credentials in highly privileged on-prem accounts. They gain initial access by exploiting known vulns in Zoho ManageEngine, Citrix NetScaler, and ColdFusion.
    2. A newly discovered critical vulnerability in Nvidia’s Container Toolkit (CVE-2024-0132) might impact 35% of cloud environments using Nvidia GPUs.
    3. Salt Typhoon, a newly-discovered Chinese state actor, has recently breached several Internet Service Providers in the US. Both Cisco and Microsoft are currently investigating the situation.

    Cloud environments targeted by a ransomware group through on-prem + flaw impacts cloud environments using NVIDIA

    zafran.io

  • Zafran Security

    BREAKING: Microsoft cloud environments under active exploitation utilizing access from on-prem accounts

    A new report from Microsoft reveals that the ransomware group Storm-0501 (aka UNC2190) is actively exploiting vulnerabilities in hybrid networks, moving from on-premises accounts to cloud environments using weak credentials. This group is targeting critical sectors like government, manufacturing, and transportation.

    What’s happening? Storm-0501 is using known vulnerabilities in Zoho, Citrix NetScaler, and ColdFusion to gain initial access to hybrid environments.

    Why is this important? The group is deploying dangerous ransomware like Hive, BlackCat, and Embargo, potentially leading to devastating disruptions.

    How to mitigate the risk:
    - Set Conditional Access policies to limit access from untrusted IPs.
    - Enable protection against bypassing Microsoft Entra MFA.
    - Monitor critical alerts in Microsoft Defender (e.g., “Ransomware-linked Storm-0501 threat actor detected”).

    What Zafran customers can do:
    - Use the Zafran platform to track vulnerabilities exploited by "UNC2190" and assess your exposure across hybrid environments.
    - Leverage Zafran to optimize compensating controls to minimize exposure.
    - Use our Defenses page for insights into your security control's effectiveness against Storm-0501 with recommended mitigations.

    For the full list of malicious IPs and hash files, read our advisory: https://lnkd.in/gjwfwbuE

    Microsoft cloud environments under active exploitation by a campaign utilizing access from on-prem accounts - Hunt and Mitigate

    zafran.io

  • Zafran Security

    The secrets behind the ICBC ransomware hack affecting US financials

    Here are the top stories from this week's exploitation report:

    1. Pay close attention to Hunters International, a Russian RaaS group that surfaced in late 2023 but has gained traction recently. Their latest targets include the UK branch of ICBC, a major Chinese bank, and AutoCanada. The group recently gained traction with 134 victims in 29 countries in 2024, mostly reaching initial access through phishing and RDP vulnerabilities.
    2. Attacks on the healthcare sector are rising. Recently, the Centers for Medicare & Medicaid Services (CMS) revealed that 3 million patients were affected by a 2023 MOVEit breach, just now detected. Meanwhile, the ransomware group Vice Society has launched a fresh campaign against healthcare organizations, deploying INC ransomware.
    3. The FBI has taken down a massive botnet of 260k devices, constructed by the Chinese state actor UNC5007 (also known as Flax Typhoon). This group exploited 66 vulnerabilities, including high-profile ones like Log4j and Citrix Netscaler.

    Zafran customers can check exposure through the weekly insights module.

  • Zafran Security reposted this

    Joseph Cooper

    Helping Funds and their Cybersecurity portcos recruit Technical & GTM talent in NA; Angel Investor and CyberBytes: The Podcast Host

    Here we go! I've just dropped a belter of an episode on CyberBytes: The Podcast with the legendary Ben Seri, Co-Founder & CTO at Zafran Security the world’s first risk and mitigation platform which in the last 6 months has raised a whopping $70m in funding from investors including Sequoia Capital and Cyberstarts.

    In this episode, we cover:
    - Ben’s past, including finding Security Vulnerabilities like BlueBorne whilst at Armis
    - The Founding Story of Zafran Security and Their Differentiation
    - Attack vectors, the threat landscape and Ben’s thoughts on AI
    - The fundraising process and the future of Zafran

    Full Episode Links Below:
    https://lnkd.in/eNgGSYrV
    https://lnkd.in/e6ws4JaP

    #cyberbytes #threatexposure #zafransecurity

  • Zafran Security

    The fascinating story of Flax Typhoon: the Chinese state-sponsored group exploiting 66 vulns to build a 260k device botnet

    When a threat actor is in the news, Zafran customers are able to get instant visibility into their exposure so they can take action. Specifically:
    - How well their defenses are configured to protect against the specific TTPs of the threat campaign.
    - The presence of vulnerabilities used by that threat actor, ordered by the risk to your business (internet exposed, loaded in runtime, and the impact of compensating controls).

    Learn more: https://lnkd.in/gw2WdG6H

  • Zafran Security

    Weekly Exploitation Report: CitrixBleed+Veeam+Fortinet exploitation = 900k UK patients leak. DDoS against financial firms surge

    See the full report with specific mitigations: https://lnkd.in/gsTvtJ43

    1. The personal data of over 900,000 British patients, including those with cancer and STDs, has been leaked online by Qilin (also known as Agenda), a notorious Russian Ransomware-as-a-Service group. They are increasingly focused on vulnerability exploitation - particularly CitrixBleed (CVE-2023-4966), a flaw in Veeam (CVE-2023-27532), and vulnerabilities in Fortinet.
    2. A new campaign has emerged, targeting Internet-exposed Selenium Grid servers. Attackers are deploying a binary file that attempts to exploit the PwnKit vulnerability (CVE-2021-4034), an old but infamous flaw that allows root access on many popular Linux distributions.
    3. A recent report highlights a surge in layer 3 and 4 DDoS attacks, especially against the financial sector. Notably, the discovery of an SLP vulnerability (CVE-2023-29552) in March 2023, which enables large-scale DDoS amplification, has been a key driver of these attacks.

    Qilin Vs NHS - Fortinet's breach - DDoS against financial firms

    zafran.io
