GOLD SALEM tradecraft for deploying Warlock ransomware
Analysis of the tradecraft evolution across 6 months and 11 incidents
-
-
Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw
Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild. The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID “466192044.” Unlike other disclosures, Google has opted to keep information about the CVE…
-
Active Attacks Exploit Gladinet’s Hard-Coded Keys for Unauthorized Access and Code Execution
Huntress is warning of a new actively exploited vulnerability in Gladinet’s CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. “Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution,” security researcher…
-
React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based
-
Teen who allegedly stole millions of personal data records arrested in Spain
Daryna Antoniuk reports: Spanish law enforcement has arrested a 19-year-old man in northeastern Spain for allegedly stealing and selling about 64 million personal data records siphoned from nine companies, police said on Tuesday. The suspect, detained last week in Igualada, allegedly accessed the systems of several companies to obtain large volumes of personal information — including national……
-
.NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL
New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the “invalid cast vulnerability” SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely…
-
Sophos achieves its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation
A major milestone: Sophos XDR delivers 100% detection coverage in the latest ATT&CK Evaluation.
-
Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling
Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI…
-
IE: HSE confirms second ransomware attack but ‘no evidence’ patient data was stolen
Darragh Mc Donagh reports: There is no evidence that patients’ data was stolen during a second ransomware attack targeting Health Service Executive (HSE) systems earlier this year, the authority has said. Earlier this week, the HSE began offering compensation to victims of a cyberattack that caused widespread disruption in May 2021, costing the agency an estimated €102 million. It has now emerged that a second……
-
Akira ransomware: FBI tallies 250 million in payouts
Damien Bancal reports: US and European agencies have updated their joint warning on Akira: nearly 250 million dollars in ransom demands, a refined attack chain and a clear inheritance from the Conti gang. An updated advisory from US and European agencies, ransom demands estimated at nearly 250 million dollars, focused exploitation of VPNs and remote……