Red Hot Cyber

Tag: CTI

The Exploit for the RCE on Palo Alto Firewalls is now Online! And let the Administration be for all

A few hours ago on Breach Forums, a threat actor by the name “newplzqibeme” shared a GitHub repository where a Python exploit for CVE-2024-0012 on PAN-OS (the Palo Alto firewall operating system), which is under active exploitation, is published. The exploit uses an authentication bypass to grant the attacker full administrative access to the firewall. The post by “newplzqibeme” shows two public IPs as examples, which are most likely exposed and vulnerable firewalls. Firewalls running PAN-OS 10.2, 11.0, 11.1 and 11.2 are affected by this CVE if not upgraded to the respective fixed versions (>= 10.2.12-h2, >= 11.0.6-h1, >= 11.1.5-h1 and >=

RHC DarkLab Interviews Interlock Ransomware. “Don’t waste your energy and time. We will do it for you.”

RHC DarkLab has always taken a unique and provocative approach in the fight against cyber threats, summed up by the motto: ‘One must know the Demons to learn how to counter them.’ This philosophy guides our ongoing commitment to understanding Threat Actors through face-to-face interviews to expose their techniques, tactics and procedures (TTPs) and improve the defences of those facing these insidious adversaries. Cyber gangs, such as Interlock, often present themselves with a mix of highly sophisticated motivations and skills, as demonstrated by recent attacks targeting seemingly secure systems such as FreeBSD. In many cases, they claim to act to fill gaps

RHC DarkLab Interview Stormous Ransomware. Between history, ideology, techniques and tactics

The Stormous group represents a significant threat in the ransomware landscape: it has an established reputation for its targeted attacks and its overtly pro-Russian ideology. The group may have started operating in mid-2021, later becoming known for its aggressive presence on Telegram, its geopolitical motivations and its philosophy of attacking organisations perceived to be hostile to Russia, to which it declared its support, subsequently targeting and destabilising the organisations of countries considered to be enemies. These include the United States, Western countries, India and, from 2022, Ukraine. However, their attacks in this way not only compromise the victims’ systems, but also

How Threat Actors Make EDRs Harmless with a Reboot

I became aware of this technique about 9 months ago, and now I see it used in an attack in the wild conducted by the Qilin ransomware gang, so it’s time to make it public. One of the most important security features of EDRs is the ability to intercept calls to the kernel. For this purpose, EDR vendors use MiniFilter drivers that load on boot. But what happens when these drivers are forcibly disabled by an attacker? The attacker can peacefully make kernel calls without being intercepted by EDRs. When Windows loads a MiniFilter driver, there is an order in which they are loaded,

IntelBroker Claims Tesla Charging Database Breach

Recently, the threat actor known as IntelBroker posted an alleged data breach. The post, which appeared on the BreachForums platform, claims that Tesla’s charging station database has been compromised and made available for download. At this time we cannot confirm the veracity of the news, as the organization has not yet released any official press release on its website regarding the incident. Therefore, this article should be considered as an “intelligence source”. Introduction to the breach: the post, published on BreachForums, revealed that the Tesla charging station database has been made available for download. According to the announcement, the database contains approximately 116,000 records

Potential Compromise of a U.S. Military Database

A high-ranking user of BreachForums, known as “GOD,” is reportedly selling an alleged database belonging to the U.S. Military, which purportedly contains data on over 385,000 personnel and contractors. This database would have been acquired in November 2024 and is said to include critical personal and service-related information. Details of the potential breach: if authentic, the database would contain various fields of sensitive data, which may be categorized under the following headers. At this time, we cannot confirm the veracity of this information, as the organization has not released an official press statement on its website regarding the incident. Therefore, this article

Hellcat Claims an Alleged Breach Against Schneider Electric

In recent hours, the ransomware group known as Hellcat has claimed responsibility for an alleged attack against Schneider Electric, a global leader in energy management and automation. This supposed breach was reported on Hellcat’s data leak site, where information was published suggesting unauthorized access to the company’s infrastructure. At this time, we cannot confirm the authenticity of this news, as the organization has not yet released an official press statement on its website regarding the incident. Therefore, this article should be considered as an ‘intelligence source.’ Details of the possible breach: according to the Hellcat group, access was allegedly obtained through Schneider

Israeli Air Force Data Sale: A Suspected Leak Puts Sensitive Information at Risk

Recently, a cyber threat actor known as EagleStrike posted an announcement on a dark web forum, claiming to possess confidential data concerning the Israeli Air Force (IAF). According to the post, this collection of information includes critical details about both active and inactive pilots, as well as various Air Force employees. Leak details: the threat actor claims that the data gathered contains a variety of personal and professional information. This detailed information could pose a significant risk to the security of the personnel involved and to the operational integrity of the Air Force. Currently, we are unable to confirm the accuracy

IBM Hacked? Threat Actor ‘888’ Reveals Thousands of Employees’ Data Leak!

Recently, the notorious threat actor identified by the nickname 888 claimed to have breached IBM systems and stolen personal data belonging to the company’s employees. The leak, dated October 2024, allegedly resulted in the compromise of approximately 17,500 rows of data. At this time, we cannot confirm the veracity of the news, as the organization has not yet released any official press release on its website regarding the incident. Therefore, this article should be considered as an ‘intelligence source’. Details of the breach: according to 888, the breach resulted in the data of approximately 17,500 individuals being compromised. The exfiltrated information is said to contain: names, mobile phone numbers, and international area

Stormous claims an attack on NASA

In recent years, the landscape of cyber threats has been dominated by increasingly sophisticated ransomware groups. Among them, the ransomware group Stormous has gained notoriety for targeting high-profile organizations, including government entities and technology companies. On October 5, 2024, information concerning NASA and AOSense, an American startup that develops sensors based on quantum technologies, appeared on Stormous’ data leak site. These pieces of information, labeled as “victims” by the group, have not yet been officially confirmed by either NASA or AOSense but represent an important source of intelligence to be analyzed. The Stormous ransomware group: Stormous is a cybercriminal group known for