CyberAlerts

Feds finger Russian behind Qakbot malware that hit 700,000 computers

Source: TheRegister

May 22nd, 2025 (30 days ago)

DOJ charges man allegedly behind Qakbot malware

Description: The alleged leader of the cybercriminal gang behind the Qakbot malware, which was used by many high-profile ransomware gangs, has been indicted by the U.S. Justice Department.

Source: The Record

May 22nd, 2025 (30 days ago)

[zotregistry.dev/zot] zot logs secrets

Description: Summary When using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Details Container Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest Here is an example how the configuration can look which causes the above stated problem: http: address: "0.0.0.0" port: 5000 externalUrl: "https://zot.example.com" auth: { failDelay: 1, openid: { providers: { oidc: { name: "Keycloak", clientid: "zot-client-id", clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l, keypath: "", issuer: "https://keycloak.example.com/realms/example", scopes: ["openid"] } } } } PoC Set up a blank new zot k8s deployment with the code snippet above. Impact exposure of secrets, on configuring a oidc provider References https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8 https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e https://github.com/advisories/GHSA-c37v-3c8w-crq8

Source: Github Advisory Database (Go)

May 22nd, 2025 (30 days ago)

Decentralized crypto platform Cetus hit with $223 million hack

Description: The company paused the platform for safety reasons before confirming that an attacker had stolen the funds.

Source: The Record

May 22nd, 2025 (30 days ago)

CVE-2024-6409

Openssh: possible remote code execution due to a race condition in signal handling affecting red hat enterprise linux 9

Description: A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

EPSS Score: 70.2%

SSVC Exploitation: none

Source: CVE

May 22nd, 2025 (30 days ago)

CVE-2024-41197

An issue in Ocuco Innovation - INVCLIENT.EXE v2.10.24.5 allows attackers to bypass authentication and escalate privileges to Administrator via a...

Description: An issue in Ocuco Innovation - INVCLIENT.EXE v2.10.24.5 allows attackers to bypass authentication and escalate privileges to Administrator via a crafted TCP packet.

EPSS Score: 0.02%

Source: CVE

May 22nd, 2025 (30 days ago)

US indicts leader of Qakbot botnet linked to ransomware attacks

Description: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. [...]

Source: BleepingComputer

May 22nd, 2025 (30 days ago)

🏴‍☠️ Nightspire has just published a new victim : Simalga

Description: Simalga (Spain)

Source: Ransomware.live

May 22nd, 2025 (30 days ago)

Pocket, One of the Only Apps I Ever Liked, Is Shutting Down

Description: Pocket, the app for saving articles to read later, announced it is shutting down on July 8.

Source: 404 Media

May 22nd, 2025 (30 days ago)

Ghosted by a cybercriminal

Description: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.

Source: Cisco Talos Blog

May 22nd, 2025 (30 days ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	Feds finger Russian behind Qakbot malware that hit 700,000 computers Source: TheRegister May 22nd, 2025 (30 days ago)
	DOJ charges man allegedly behind Qakbot malware Description: The alleged leader of the cybercriminal gang behind the Qakbot malware, which was used by many high-profile ransomware gangs, has been indicted by the U.S. Justice Department. Source: The Record May 22nd, 2025 (30 days ago)
	[zotregistry.dev/zot] zot logs secrets Description: Summary When using Keycloak as an oidc provider, the clientsecret gets printed into the container stdout logs for an example at container startup. Details Container Image (15.04.2025): ghcr.io/project-zot/zot-linux-amd64:latest Here is an example how the configuration can look which causes the above stated problem: http: address: "0.0.0.0" port: 5000 externalUrl: "https://zot.example.com" auth: { failDelay: 1, openid: { providers: { oidc: { name: "Keycloak", clientid: "zot-client-id", clientsecret: fsdfkmmiwljasdklfsjaskldjfkljewijrf234i52k3j45l, keypath: "", issuer: "https://keycloak.example.com/realms/example", scopes: ["openid"] } } } } PoC Set up a blank new zot k8s deployment with the code snippet above. Impact exposure of secrets, on configuring a oidc provider References https://github.com/project-zot/zot/security/advisories/GHSA-c37v-3c8w-crq8 https://github.com/project-zot/zot/commit/8a99a3ed231fdcd8467e986182b4705342b6a15e https://github.com/advisories/GHSA-c37v-3c8w-crq8 Source: Github Advisory Database (Go) May 22nd, 2025 (30 days ago)
	Decentralized crypto platform Cetus hit with $223 million hack Description: The company paused the platform for safety reasons before confirming that an attacker had stolen the funds. Source: The Record May 22nd, 2025 (30 days ago)
CVE-2024-6409	Openssh: possible remote code execution due to a race condition in signal handling affecting red hat enterprise linux 9 Description: A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server. EPSS Score: 70.2% SSVC Exploitation: none Source: CVE May 22nd, 2025 (30 days ago)
CVE-2024-41197	An issue in Ocuco Innovation - INVCLIENT.EXE v2.10.24.5 allows attackers to bypass authentication and escalate privileges to Administrator via a... Description: An issue in Ocuco Innovation - INVCLIENT.EXE v2.10.24.5 allows attackers to bypass authentication and escalate privileges to Administrator via a crafted TCP packet. EPSS Score: 0.02% Source: CVE May 22nd, 2025 (30 days ago)
	US indicts leader of Qakbot botnet linked to ransomware attacks Description: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. [...] Source: BleepingComputer May 22nd, 2025 (30 days ago)
	🏴‍☠️ Nightspire has just published a new victim : Simalga Description: Simalga (Spain) Source: Ransomware.live May 22nd, 2025 (30 days ago)
	Pocket, One of the Only Apps I Ever Liked, Is Shutting Down Description: Pocket, the app for saving articles to read later, announced it is shutting down on July 8. Source: 404 Media May 22nd, 2025 (30 days ago)
	Ghosted by a cybercriminal Description: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure. Source: Cisco Talos Blog May 22nd, 2025 (30 days ago)