Starlight Intelligence


IT Services and IT Consulting

THREAT PROTECTION MADE EASY

About us

Starlight Intelligence is a software company leading in security solutions and automation integration. By delivering an integrated solution to the security ecosystem, Starlight protects organizations across on-premise and cloud environments.

Industry
IT Services and IT Consulting
Company size
51-200 employees
Headquarters
Kuala Lumpur
Type
Privately Held
Specialties
Threat Intelligence, Cybersecurity


Updates

  • Starlight Intelligence, 429 followers

    16 Aug 2024: Most Active Threat Indicators #Cybersecurity #Cyberattack #RCE #Botnet #IOC

    Top 3 Source Countries:
    - India (IN) - A significant contributor to cyber attacks, particularly through the exploitation of vulnerabilities in routers and devices, such as the Mozi botnet and various command injection attacks.
    - China (CN) - Actively involved in multiple attacks, especially utilizing the Mozi botnet and executing remote code vulnerabilities on GPON routers.
    - United States (US) - Engaged in various malicious activities, including the SystemBC botnet and extensive scanning activities using Nmap.

    Source IPs:
    200[.]110[.]182[.]61 3[.]26[.]100[.]255 119[.]160[.]128[.]161 170[.]78[.]22[.]155 131[.]108[.]33[.]216 144[.]217[.]240[.]177 124[.]95[.]5[.]238 113[.]228[.]134[.]11 221[.]203[.]135[.]38 183[.]6[.]76[.]139 42[.]239[.]158[.]202 125[.]42[.]12[.]133 121[.]235[.]55[.]186 115[.]50[.]43[.]27 182[.]121[.]58[.]76 125[.]44[.]195[.]131 123[.]14[.]99[.]203 125[.]47[.]111[.]125 27[.]24[.]46[.]78 120[.]86[.]255[.]68 42[.]52[.]204[.]159 159[.]89[.]27[.]161 165[.]232[.]120[.]129 139[.]162[.]141[.]82 74[.]234[.]21[.]150 59[.]93[.]24[.]164 117[.]201[.]235[.]129 117[.]247[.]138[.]16 103[.]197[.]115[.]69 117[.]219[.]93[.]105 117[.]195[.]86[.]168 117[.]195[.]143[.]118 59[.]178[.]75[.]57 103[.]200[.]84[.]88 59[.]184[.]252[.]98 117[.]254[.]101[.]126 117[.]248[.]164[.]68 117[.]248[.]173[.]154 59[.]183[.]113[.]58 117[.]222[.]254[.]196 220[.]158[.]158[.]88 117[.]213[.]118[.]246 103[.]203[.]72[.]124 61[.]2[.]107[.]22 117[.]206[.]180[.]116 117[.]245[.]169[.]232 103[.]197[.]115[.]63 61[.]0[.]184[.]35 59[.]182[.]86[.]222 61[.]0[.]176[.]103 103[.]197[.]115[.]121 117[.]248[.]172[.]117 59[.]95[.]129[.]147 117[.]203[.]57[.]23 106[.]205[.]172[.]91 117[.]248[.]32[.]20 117[.]200[.]86[.]83 117[.]217[.]42[.]225 117[.]255[.]27[.]85 117[.]248[.]164[.]127 117[.]253[.]8[.]64 117[.]253[.]170[.]60 117[.]245[.]38[.]122 59[.]89[.]9[.]114 117[.]208[.]253[.]81 59[.]92[.]165[.]219 59[.]89[.]231[.]20
59[.]97[.]114[.]89 82[.]102[.]26[.]25 128[.]199[.]45[.]238 175[.]107[.]37[.]216 175[.]107[.]0[.]76 212[.]127[.]78[.]133 188[.]214[.]122[.]106 37[.]120[.]233[.]29 146[.]190[.]110[.]98 146[.]190[.]98[.]186 68[.]183[.]228[.]85 18[.]189[.]14[.]185 18[.]116[.]31[.]24 3[.]142[.]149[.]206 18[.]191[.]151[.]24 172[.]94[.]89[.]5 34[.]216[.]246[.]208 54[.]235[.]206[.]14 18[.]218[.]120[.]53 159[.]65[.]166[.]169 18[.]117[.]144[.]139 64[.]227[.]135[.]53 199[.]45[.]154[.]121 107[.]150[.]31[.]58 18[.]217[.]143[.]136 152[.]42[.]131[.]56 18[.]191[.]38[.]198 18[.]216[.]231[.]225 159[.]65[.]79[.]124 134[.]209[.]32[.]88 152[.]42[.]194[.]207 103[.]114[.]106[.]2 103[.]133[.]111[.]48

  • Starlight Intelligence

    Google Pixel Devices Shipped with Vulnerable Apps Exposing User Data

    A serious security issue is affecting various Google Pixel devices. The problem stems from pre-installed applications that contain vulnerabilities, allowing potential attackers to exploit these weaknesses and access sensitive user data, including personal information and account credentials.

    This issue is significant because it compromises the security and privacy of users who rely on Google Pixel devices for personal and professional communication. With the increasing amount of sensitive information stored on smartphones, any vulnerability that exposes user data can lead to identity theft, financial loss, and a breach of personal privacy. The presence of such vulnerabilities in widely used devices raises concerns about the overall security practices of manufacturers.

    To prevent exploitation of these vulnerabilities, users are advised to regularly update their devices and applications to ensure they have the latest security patches. Additionally, users should be cautious about granting permissions to applications and consider removing or disabling any unnecessary pre-installed apps. Manufacturers must also prioritize security in their development processes, conducting thorough testing and vulnerability assessments before shipping devices. #Cybersecurity https://lnkd.in/gzz_dWeq

    Google to Remove App that Made Google Pixel Devices Vulnerable to Attacks

    thehackernews.com

  • Starlight Intelligence

    15 Aug 2024: Most Active Threat Indicators #Cybersecurity #Cyberattack #RCE #Botnet #IOC

    Top 3 Source Countries:
    - United States (US) - Responsible for a significant number of attacks, particularly involving scanning activities using Nmap and exploitation of vulnerabilities in various systems.
    - China (CN) - Engaged in multiple malicious activities, including SSH brute force attempts, exploitation of GPON routers, and the Mirai botnet.
    - India (IN) - Involved in numerous attacks, especially exploiting vulnerabilities in GPON routers and D-Link devices.

    Source IPs:
    45[.]230[.]66[.]54 45[.]230[.]66[.]17 45[.]230[.]66[.]16 170[.]64[.]181[.]186 3[.]106[.]118[.]133 129[.]148[.]62[.]192 108[.]165[.]232[.]5 39[.]173[.]182[.]236 27[.]43[.]204[.]57 42[.]4[.]100[.]111 182[.]121[.]168[.]21 182[.]121[.]252[.]73 120[.]85[.]182[.]121 14[.]223[.]35[.]100 39[.]79[.]39[.]95 220[.]198[.]241[.]246 182[.]121[.]243[.]44 186[.]29[.]141[.]124 157[.]230[.]121[.]198 64[.]226[.]120[.]211 159[.]223[.]17[.]137 165[.]227[.]158[.]48 51[.]8[.]231[.]209 142[.]93[.]106[.]91 176[.]74[.]86[.]110 61[.]3[.]97[.]45 117[.]197[.]170[.]195 142[.]93[.]209[.]134 61[.]3[.]212[.]85 59[.]184[.]243[.]180 117[.]219[.]123[.]185 59[.]91[.]87[.]115 59[.]97[.]127[.]60 202[.]168[.]86[.]242 117[.]253[.]53[.]216 117[.]254[.]33[.]163 117[.]207[.]172[.]108 117[.]252[.]132[.]141 45[.]115[.]89[.]232 85[.]203[.]45[.]112 106[.]243[.]22[.]188 124[.]43[.]17[.]60 141[.]98[.]11[.]151 107[.]189[.]31[.]223 160[.]178[.]207[.]106 92[.]119[.]179[.]92 185[.]152[.]95[.]131 83[.]171[.]227[.]218 109[.]92[.]237[.]154 176[.]45[.]189[.]175 47[.]237[.]29[.]192 139[.]59[.]251[.]122 165[.]22[.]56[.]169 37[.]19[.]221[.]158 18[.]216[.]14[.]149 64[.]23[.]248[.]82 3[.]129[.]5[.]167 3[.]16[.]206[.]10 20[.]185[.]184[.]179 154[.]26[.]159[.]123 47[.]236[.]11[.]101 174[.]138[.]46[.]95 3[.]143[.]223[.]90 3[.]145[.]216[.]165 172[.]232[.]203[.]147 3[.]143[.]210[.]142 206[.]123[.]132[.]147 172[.]232[.]203[.]71 3[.]142[.]237[.]148 172[.]232[.]217[.]148
34[.]171[.]200[.]92 18[.]217[.]114[.]107 143[.]198[.]237[.]240 3[.]16[.]167[.]157 51[.]8[.]217[.]166 18[.]217[.]96[.]188 170[.]64[.]206[.]11 3[.]22[.]221[.]255 3[.]17[.]163[.]127 3[.]141[.]6[.]184 5[.]183[.]254[.]186 3[.]140[.]240[.]198 3[.]17[.]139[.]161 45[.]88[.]91[.]179 18[.]223[.]214[.]242 18[.]188[.]15[.]29 3[.]140[.]248[.]157 18[.]216[.]117[.]107 18[.]188[.]218[.]49 134[.]122[.]58[.]104 18[.]220[.]29[.]118 3[.]144[.]185[.]17 13[.]59[.]122[.]28 3[.]138[.]198[.]75 18[.]188[.]66[.]208 3[.]144[.]182[.]36 170[.]64[.]225[.]201 3[.]133[.]11[.]118 18[.]188[.]61[.]195 3[.]17[.]178[.]97

  • Starlight Intelligence

    RansomHub Group Deploys New EDR-Killing Malware

    A new malware strain has emerged, developed by the RansomHub group and designed specifically to disable endpoint detection and response (EDR) solutions. This malware targets security software to evade detection, allowing attackers to execute ransomware attacks more effectively and with greater stealth.

    The problem is significant because EDR solutions are critical for detecting and mitigating cyber threats in real time. By circumventing these defenses, the RansomHub group increases the likelihood of successful attacks, which can lead to data breaches, financial losses, and operational disruptions for affected organizations. The ability to disable security measures poses a serious risk to the overall cybersecurity landscape.

    To prevent such attacks, organizations are advised to enhance their security posture by employing multiple layers of defense, including behavioral analysis tools and network segmentation. Regularly updating security software and conducting security awareness training for employees can also help mitigate risks. Additionally, maintaining robust backup procedures ensures that organizations can recover data in the event of a ransomware attack, minimizing potential damage. #Cybersecurity https://lnkd.in/gdiDa-jf

    RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

    thehackernews.com

  • Starlight Intelligence

    Microsoft Disables BitLocker Security Fix, Advises Manual Mitigation

    Microsoft has temporarily disabled a security fix for BitLocker, its disk encryption feature. This decision comes after users reported that the update caused their systems to become unbootable, leading to potential data loss and accessibility issues.

    The problem is critical because BitLocker is widely used to protect sensitive data on Windows devices. By disabling the security fix, Microsoft has left systems vulnerable to potential attacks that could exploit weaknesses in the encryption process. This situation is particularly concerning for organizations that rely on BitLocker to safeguard confidential information, as it increases the risk of data breaches.

    To mitigate the risks associated with this situation, Microsoft advises users to implement manual workarounds to protect their data until a stable fix is released. Users should also ensure that their data is backed up regularly and consider alternative encryption solutions if necessary. Staying informed about updates and following best practices for data security are essential steps in maintaining a secure environment. #Cybersecurity https://lnkd.in/g-7E7KTW

    Microsoft disables BitLocker security fix, advises manual mitigation

    bleepingcomputer.com

  • Starlight Intelligence

    Zero-Click Windows TCP/IP RCE Impacts All Systems with IPv6 Enabled - Patch Now!

    A critical vulnerability in the Windows TCP/IP stack allows for remote code execution (RCE) without any user interaction, commonly referred to as a zero-click exploit. This flaw affects all Windows systems with IPv6 enabled, enabling attackers to execute arbitrary code simply by sending specially crafted packets to the vulnerable system.

    The problem is significant because it poses a serious risk to the security of Windows environments, potentially allowing attackers to gain complete control over affected systems. Given the widespread use of IPv6 and the nature of the exploit, this vulnerability could be leveraged in mass attacks, leading to data breaches, system compromises, and significant operational disruptions for organizations.

    To prevent exploitation of this vulnerability, Microsoft has released an urgent security patch that users are strongly advised to apply immediately. Organizations should ensure that their systems are updated regularly and consider disabling IPv6 if it is not necessary for their operations. Additionally, implementing network security measures such as firewalls and intrusion detection systems can help mitigate the risks associated with such vulnerabilities. #Cybersecurity https://lnkd.in/gDX79euM

    Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now

    bleepingcomputer.com

  • Starlight Intelligence

    SolarWinds Fixes Critical RCE Bug Affecting All Web Help Desk Versions

    A severe vulnerability has been identified in SolarWinds' Web Help Desk software that allows remote code execution (RCE). This critical flaw could enable attackers to execute arbitrary code on affected systems, potentially leading to unauthorized access and control over sensitive data.

    The problem is significant because SolarWinds' Web Help Desk is widely used by organizations for managing IT support and service requests. If exploited, this vulnerability could result in severe consequences, including data breaches, service disruptions, and significant financial losses. The widespread use of this software makes it crucial for organizations to address this vulnerability promptly to protect their systems and data.

    To prevent exploitation of this vulnerability, SolarWinds has released an urgent security patch that all users are advised to apply immediately. Organizations should also implement regular software updates, conduct security assessments, and monitor their systems for unusual activity. Additionally, educating employees about cybersecurity best practices can further enhance the security posture of organizations using SolarWinds products. #Cybersecurity https://lnkd.in/eVq9Qh-V

    SolarWinds fixes critical RCE bug affecting all Web Help Desk versions

    bleepingcomputer.com

  • Starlight Intelligence

    13 Aug 2024: Most Active Threat Indicators #Cybersecurity #Cyberattack #RCE #Botnet #IOC

    Top 3 Source Countries:
    - United States (US) - A significant source of cyber attacks, particularly involving the SystemBC botnet and various scanning activities.
    - India (IN) - Responsible for multiple instances of the Mozi botnet and command injection vulnerabilities, indicating a high level of malicious activity.
    - China (CN) - Involved in numerous attacks, especially exploiting vulnerabilities in routers and executing various command injections.

    Source IPs:
    45[.]230[.]66[.]37 3[.]26[.]100[.]215 170[.]64[.]198[.]51 57[.]152[.]56[.]108 46[.]10[.]120[.]126 177[.]19[.]210[.]244 186[.]221[.]166[.]63 122[.]96[.]31[.]201 27[.]206[.]185[.]237 125[.]43[.]82[.]229 111[.]229[.]121[.]30 119[.]186[.]205[.]24 101[.]126[.]93[.]132 113[.]220[.]26[.]211 222[.]139[.]63[.]227 115[.]51[.]34[.]177 113[.]236[.]110[.]63 222[.]139[.]229[.]184 140[.]249[.]175[.]181 109[.]123[.]243[.]194 167[.]71[.]47[.]197 149[.]102[.]247[.]31 149[.]102[.]246[.]198 130[.]61[.]16[.]233 139[.]59[.]135[.]6 172[.]68[.]194[.]182 162[.]158[.]110[.]217 206[.]81[.]28[.]185 196[.]196[.]203[.]42 65[.]21[.]8[.]4 212[.]47[.]241[.]172 88[.]208[.]226[.]216 43[.]154[.]94[.]18 43[.]155[.]104[.]117 172[.]232[.]250[.]21 175[.]45[.]189[.]36 117[.]253[.]6[.]156 159[.]89[.]174[.]87 117[.]253[.]10[.]26 172[.]236[.]66[.]104 59[.]89[.]8[.]155 117[.]255[.]185[.]59 117[.]212[.]44[.]165 61[.]0[.]210[.]118 117[.]242[.]235[.]198 59[.]184[.]247[.]173 59[.]97[.]125[.]122 117[.]198[.]14[.]185 117[.]220[.]150[.]174 117[.]254[.]32[.]212 106[.]51[.]80[.]192 117[.]205[.]58[.]78 195[.]214[.]235[.]79 95[.]174[.]64[.]98 139[.]162[.]120[.]38 189[.]147[.]93[.]39 172[.]235[.]174[.]125 175[.]107[.]1[.]90 151[.]255[.]228[.]252 37[.]43[.]45[.]227 178[.]128[.]221[.]83 128[.]199[.]11[.]103 118[.]107[.]44[.]111 178[.]128[.]104[.]233 41[.]79[.]198[.]23 196[.]203[.]254[.]3 159[.]65[.]104[.]98 3[.]23[.]94[.]209 13[.]59[.]171[.]167 18[.]191[.]39[.]98
64[.]23[.]138[.]225 18[.]222[.]133[.]9 172[.]168[.]41[.]157 18[.]189[.]13[.]214 172[.]168[.]40[.]211 209[.]38[.]20[.]101 206[.]189[.]188[.]160 51[.]8[.]223[.]171 13[.]64[.]193[.]92 3[.]15[.]42[.]194 67[.]207[.]80[.]81 3[.]138[.]140[.]252 3[.]143[.]169[.]180 154[.]38[.]172[.]115 134[.]122[.]69[.]132 144[.]126[.]220[.]201 3[.]144[.]205[.]116 165[.]227[.]16[.]198 18[.]191[.]232[.]181 104[.]131[.]133[.]129 172[.]212[.]58[.]186 3[.]16[.]187[.]170 68[.]69[.]185[.]58 172[.]168[.]41[.]87 159[.]89[.]144[.]191 185[.]230[.]138[.]122 51[.]8[.]217[.]56 152[.]42[.]172[.]17 52[.]228[.]153[.]112 185[.]240[.]64[.]245
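The indicator lists in the 13, 15 and 16 Aug posts above are published defanged (each dot written as "[.]") so that the addresses cannot be clicked or auto-linked. To use them, a defender has to refang the tokens, discard anything that is not a valid address, and compare the result with the source field of their own logs. The script below is an added example written for this page, not Starlight Intelligence's code or tooling. It takes a constructed excerpt of five indicators copied from the 13 Aug list plus one deliberately malformed token, and matches the result against constructed firewall and sshd log lines in which the local addresses are RFC 5737 documentation ranges; the log formats are assumed for the illustration.

```python
import ipaddress
import re

# Constructed input: five indicators copied from the 13 Aug 2024 list, in the
# same "[.]" defanged form, plus one deliberately malformed token
# (999[.]1[.]1[.]1) to show that invalid addresses are dropped, not imported.
POST_EXCERPT = (
    "Source IP 45[.]230[.]66[.]37 3[.]26[.]100[.]215 170[.]64[.]198[.]51 "
    "57[.]152[.]56[.]108 46[.]10[.]120[.]126 999[.]1[.]1[.]1"
)

# Constructed log lines (not real traffic). Local side uses RFC 5737
# documentation ranges; the two "malicious" sources come from POST_EXCERPT.
SAMPLE_LOGS = [
    "Aug 13 10:02:11 fw01 kernel: IN=eth0 SRC=45.230.66.37 DST=203.0.113.10 PROTO=TCP DPT=23",
    "Aug 13 10:02:15 fw01 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Aug 13 10:03:40 bastion sshd[2210]: Failed password for root from 3.26.100.215 port 51022 ssh2",
    "Aug 13 10:04:02 bastion sshd[2211]: Accepted publickey for ops from 203.0.113.50 port 40010 ssh2",
]

# Dotted quads whose separators may be "[.]" (defanged) or "." (plain).
# The lookarounds stop a match from starting or ending inside a longer number.
IPV4_TOKEN = re.compile(r"(?<!\d)\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}(?!\d)")
# Source address field in the two (assumed) log formats used above.
LOG_SOURCE = re.compile(r"(?:SRC=|from )((?:\d{1,3}\.){3}\d{1,3})")


def refang(token: str) -> str:
    """Undo the "[.]" defanging used in the posts so the value is comparable with live data."""
    return token.replace("[.]", ".")


def extract_ipv4(text: str) -> set:
    """Return the valid IPv4 addresses (ipaddress.IPv4Address) found in free text.

    Tokens that look like an address but are not one (an octet above 255,
    for example) are skipped rather than raising, so one bad entry in a
    shared indicator list does not abort the whole import.
    """
    found = set()
    for token in IPV4_TOKEN.findall(text):
        try:
            found.add(ipaddress.IPv4Address(refang(token)))
        except ipaddress.AddressValueError:
            continue
    return found


def match_logs(lines, iocs) -> list:
    """Return (source_ip, line) pairs for log lines whose source address is in the indicator set."""
    hits = []
    for line in lines:
        m = LOG_SOURCE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # malformed address in the log itself; skip, do not crash
        if src in iocs:
            hits.append((str(src), line))
    return hits


if __name__ == "__main__":
    indicators = extract_ipv4(POST_EXCERPT)
    print(f"{len(indicators)} valid indicators loaded")
    for src, line in match_logs(SAMPLE_LOGS, indicators):
        print(f"HIT {src}: {line}")
```

Comparing `ipaddress.IPv4Address` objects rather than strings avoids misses caused by formatting differences such as leading zeros. Treat matches as hunting leads rather than grounds for a permanent block: a good share of the addresses in these lists sit in hosting and cloud ranges that are reassigned to new customers quickly, so an indicator that is accurate on the day of the post can point at an unrelated tenant weeks later.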

  • Starlight Intelligence

    New Windows SmartScreen Bypass Exploited as Zero-Day Since March

    A critical vulnerability in Microsoft's SmartScreen feature has been actively exploited by attackers since March 2024. This flaw allows malicious actors to bypass SmartScreen protections, which are designed to warn users about potentially harmful applications and websites, thereby increasing the risk of malware infections and data breaches.

    The problem is significant because SmartScreen is a key security feature in Windows that helps protect users from phishing attacks and malicious downloads. If attackers can circumvent this protection, they can deliver harmful software without triggering warnings, putting users and organizations at greater risk. The ongoing exploitation of this zero-day vulnerability highlights the urgent need for users to be vigilant and proactive in their cybersecurity practices.

    To prevent exploitation of this vulnerability, Microsoft is urging users to apply the latest security updates and patches as soon as they become available. Additionally, users should exercise caution when downloading software and clicking on links, especially from unknown sources. Implementing comprehensive security measures, such as using antivirus software and conducting regular security audits, can further help mitigate risks associated with this and other vulnerabilities. #Cybersecurity https://lnkd.in/giJy87MJ

    New Windows SmartScreen bypass exploited as zero-day since March

    bleepingcomputer.com
