Health Care
Education
IT & Telecom
Government
CISO/CTO
DevSecops
Product
Our Product
We are Reshaping the way companies find and fix critical vulnerabilities before they can be exploited.
Threatspy
Solutions
By Industry
Health Care
Education
IT & Telecom
By Role
Government
CISO/CTO
DevSecops
Resources
Resource Library
Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.
Threat Feeds
Threat Research
White Paper
SB Blogs
Subscribe to Our Weekly Threat Digest
Company
Contact Us
Have queries, feedback or prospects? Get in touch and we shall be with you shortly.
Our Story
Our Team
Careers
Press & Media
Contact Us
Join the waitlist
By submitting this form, you agree to our Subscription Agreement and Legal Policies.
Be informed in your inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Malware
Solaris vulnerability leveraged to obtain root privileges by BPFdoor malware
BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and log...
25-May-2022
4 min read
Related Articles
Russia
DDoS
Top Lithuanian websites reportedly under the target of a massive DDoS attack lau...
Pro-Russian threat actors Killnet have launched a series of highly disruptive DDoS attacks against Lithuanian government institutions and networks (distributed denial of service attacks). The nation's National Cyber Security Center (NKSC) [acknowledged](https://kam.lt/en/intense-ongoing-ddos-attack-targets-companies-and-institutions-in-lithuania/) that the attack affected the Secure National Data Transfer Network as well as private and public sector organizations. This ***[intense](https://lrv.lt/en/news/intense-ddos-attacks-targeted-several-companies-and-institutions-in-lithuania?__cf_chl_rt_tk=_xxadndAJPW1z4iTRKHVpF6ySUDXTlgkxw62snmioio-1656438710-0-gaNycGzNCKU)*** attack prohibited customers from accessing services on 27 June 2022. Even if the attack has been contained and the majority of sites have been restored, the risk of a second attack cannot be discounted. "It is extremely likely that similar or even more intensive attacks will continue in the following days, particularly against the communications, energy, and financial sectors." The attack appears to be a response to the diplomatic dispute between Russia and Lithuania over Russia's exclave of Kaliningrad. For your information, it is located on the coast of the Baltic Sea and was a part of Germany before World War II before becoming a member of the Soviet Union. After Lithuania's independence in 1990, no ground routes were available to connect Kaliningrad to Russia. Infuriating the Kremlin, Lithuania supported the EU ban on Russian exports after it was applied throughout all EU territories and prohibited the flow of vital resources to [Kaliningrad](https://www.theguardian.com/world/2022/jun/21/kaliningrad-russia-threatens-serious-consequences-as-lithuania-blocks-rail-goods), including metals, coal, and construction supplies. In a video, the Russia-aligned hacktivist group Killnet claimed credit for the DDoS attack. It stated that it would continue to strike the country until the embargo on Russian exports was lifted. The group's representative [told](https://www.reuters.com/technology/russias-killnet-hacker-group-says-it-attacked-lithuania-2022-06-27/) Reuters that Killnet had destroyed 1,652 online sites and aims to cause additional damage in the near future. According to Hackread.com, Killnet is now active on Telegram and has posted a list of Luthinian websites that the gang is targeting. In one of its Russian-language statements, the organization asserted the following: In 39 hours, we could isolate 70% of Lithuania's network infrastructure. Web integration of Lithuanian websites and electronic systems is in the "Blockade," or "Geo block," and web traffic and other means of communication are only accessible within the country. We are therefore interfering with Lithuania's network interactions with the rest of the globe. Currently, Lithuania is in a worse state than Kaliningrad. And we honor our promise!_ According to the government of Lithuania, the DDoS attack overloaded the websites of various institutions with malicious traffic. Among the websites taken down by Killnet are those of the State Tax Inspectorate (STI) of Lithuania and the country's major accounting services provider, B1.lt. The attack destroyed the Secure National Data Transfer Network, one of the most vital components of the nation's cybersecurity, especially during times of conflict. The Core Center of State Telecommunications in Lithuania is currently identifying the affected websites in order to provide DDoS mitigation. 
29-Jun-2022
3 min read
Vulnerability
Container
Security researchers at Cyble detected over 900,000 misconfigured Kubernetes clu...
Cyble security researchers have [detected](https://blog.cyble.com/2022/06/27/exposed-kubernetes-clusters/) over 900,000 misconfigured Kubernetes clusters that were publicized online, exposed to malicious scanning, some of which were even vulnerable to data-exposure hacks. According to their findings throughout the investigation to discover vulnerable Kubernetes instances across the Internet, employing the same scanning tools and search queries as malicious actors. While there are a staggering 900,000 Kubernetes servers, with 65% of them (585,000) placed in the United States, 14 percent in China, 9 percent in Germany, and 6 percent each in Netherlands and Ireland.  The servers with the most exposed TCP ports were "443" (just over one million instances), "10250" (231,200 instances), and "6443" (84,400 instances). It is crucial to note that not all of these exposed clusters are exploitable, and even among those that are, the level of danger varies based on the design of each individual cluster. Cyble audited the error codes issued by the Kubelet API in response to unauthenticated calls in order to determine how many exposed instances posed a substantial danger. The great majority of exposed instances return error code 403, indicating that the unauthenticated request is prohibited and cannot proceed, preventing any attacks against them.  Then there is a subset of around 5,000 instances that respond with error code 401, indicating that the request is denied.  However, this answer alerts a potential attacker that the cluster is operational, allowing them to launch additional exploits and vulnerabilities-based assaults. The remaining 799 Kubernetes instances that return status code 200 are entirely accessible to external attackers. In such instances, threat actors can access nodes on the Kubernetes Dashboard without a password, gain access to all secrets, and do other actions.  While the number of vulnerable Kubernetes servers is relatively limited, all it takes is the discovery of a remotely exploitable flaw for a far higher number of devices to become susceptible to attack. Consult the NSA and CISA's recommendations for tightening your Kubernetes system's security to verify that your cluster is not among the 799 or the 5,000 instances that are less severely vulnerable. The [Shadowserver Foundation](http://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/) published a report on exposed Kubernetes instances in which they found 381,645 distinct IPs replying with an HTTP status code of 200 last month. The reason for this mismatch, according to Cyble, is that they employed open-source scanners and simple queries that could be accessed by any threat actor. Shadowserver, on the other hand, scanned the whole IPv4 address space and monitored daily for any additions. "The statistics supplied in the Kubernetes blog produced by our organization are derived from Open-source scanners and queries accessible for the product. Cyble noted that searches were conducted using the keywords "Kubernetes", "Kubernetes-master", "KubernetesDashboard", "K8", and favicon hashes along with status codes 200,403, and 401. "According to their blog post on Kubernetes, the Shadowserver uses a different method for locating the exposure: 'We scan daily with an HTTP GET request using the /version URI. We scan the entire IPv4 address space using ports 6443 and 443. We only include Kubernetes servers that answer with 200 OK (along with a JSON response) and disclose version information in their responses.'" "Because we do not scan the entire IPv4 area like Shadowserver and rely on open-source intelligence, our results differ from those of Shadowserver." Cyble's stats may not be as striking, but they are crucial because they correspond to Kubernetes clusters that are extremely simple to detect and attack.
29-Jun-2022
4 min read
Cryptocurrency
Blockchain
Threat actors exploited a security vulnerability in Harmony’s Horizon Blockchain...
Binance Chain, Ethereum, and Bitcoin's layer-1 primary bridge were all exploited, while the BTC bridge was unaffected. Horizon Bridge is the most recent system to be compromised. Thursday saw a malicious attack on the proprietary Horizon Blockchain bridge, according to US crypto platform Harmony. Horizon Bridge managed $100 million in altcoins after an attacker exploited a vulnerability and stole them. To your knowledge, Blockchain bridges or cross-chain bridges allow users to transfer assets such as NFTs, stablecoins, and tokens across the Binance Smart Chain, Ethereum, and Harmony Blockchains. Specifics of the Fraud The assault began at approximately 7:08 am EDT and continued until 7:26 am EDT. During this time, there were eleven transactions from Horizon for various tokens. Now, the attacker is attempting to exchange them for ETH by sending tokens to a different wallet on Uniswap DEX (decentralized exchange) and ETH back to their original wallet. Harmony [tweeted](https://mobile.twitter.com/harmonyprotocol/status/1540110924400324608) that an attacker had stolen $100 million from their Blockchain bridge. According to Elliptic, a company that analyzes blockchains, a number of cryptocurrencies were stolen, including Binance Coin, Ethereum, Dai, and USD Coin. However, Harmony's Bitcoin (BTC) bridge was unaffected. Company's Reaction According to the company's [blog post](https://medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66), as soon as the incident was detected, various cybersecurity partners, exchange partners, forensic experts, and the FBI were enlisted to identify the perpetrator and recover the stolen assets. *** The Harmony team has identified a heist of around $100 million that occurred this morning on the Horizon bridge. We have begun collaborating with national authorities and forensic experts to locate the thief and recover the stolen money. *** In addition, the team engaged with the attacker and sent a transaction containing an embedded message to their address. Additionally, Harmony blocked new transactions on the Horizon bridge. Harmony did not disclose how the monies were stolen or the underlying vulnerability.
28-Jun-2022
2 min read
Secure Blink built a heuristic application security management platform that offers Vulnerability Management, Version Management & Application Healthbot. Secure Blink envisions a safer web by reinventing cybersecurity.
