Firefox

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird could allow a remote attacker to execute arbitrary code, disclose information, bypass security restrictions, deceive the user, escalate privileges, or cause a denial-of-service condition.

Multiple vulnerabilities exist in Mozilla Firefox, Firefox ESR, and Thunderbird that could allow a remote attacker to execute arbitrary code, disclose sensitive information, bypass security measures, or conduct cross-site scripting or spoofing attacks.

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.

Mozilla released security updates to address vulnerabilities in Firefox and Firefox ESR versions, potentially allowing for exploitation if left unpatched.

Mozilla released a security advisory addressing vulnerabilities in Firefox and Firefox ESR versions prior to 150.0.1, 140.10.1, and 115.35.1, potentially leading to arbitrary code execution or information disclosure.

Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands, leading to initial access and execution of arbitrary code.

A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.

OSX/CreativeUpdater is a macOS cryptominer distributed through compromised download links on the MacUpdate website, using a trojanized application bundle to execute a script that downloads and installs a persistent Monero miner using launch agents.

The Mac Malware of 2019 report details various Mac malware specimens and variants, including CookieMiner, a cryptominer that steals user cookies and passwords, likely to give attackers access to victims' online accounts and wallets; CookieMiner persists via launch agents and exfiltrates browser cookies to a remote C2 server.

This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Detection of DNS-over-HTTPS (DoH) being enabled via registry modifications on Windows systems, potentially indicating defense evasion and obfuscation of network activity by masking DNS queries.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

Attackers masquerade malicious executables as legitimate business application installers to trick users into downloading and executing malware, leveraging defense evasion and initial access techniques.

This rule detects the creation of scheduled tasks in Windows using event logs, which adversaries may use for persistence, lateral movement, or privilege escalation by creating malicious tasks.