Medusa is a Ransomware-as-a-Service (RaaS) operation targeting Windows environments that has been active since June 2021 and drew wider attention in early 2023 with the launch of its dedicated leak site. Medusa gains initial access by exploiting vulnerabilities in exposed services and by hijacking legitimate accounts, and it relies on defense-evasion techniques to avoid detection. Security teams are encouraged to validate their defenses against Medusa's tactics using the new AttackIQ content.…

On August 29, 2024, the FBI, CISA, MS-ISAC, and HHS released a joint Cybersecurity Advisory on RansomHub ransomware, detailing its Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs). RansomHub, which operates under a Ransomware-as-a-Service model, has targeted more than 210 victims across critical infrastructure sectors. The advisory, together with the accompanying AttackIQ assessment templates, aims to help defenders validate their controls against this evolving threat.…

Mallox, also known as TargetCompany, FARGO, and Tohnichi, is a ransomware strain active since June 2021 that operates under a Ransomware-as-a-Service (RaaS) model. It primarily targets poorly secured, internet-exposed MS-SQL servers through dictionary attacks against weak credentials and then uses PowerShell to deliver its payload. The group has been expanding its operations by recruiting affiliates and has been observed using a range of techniques for data exfiltration and lateral movement within compromised networks.…
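The dictionary attacks against exposed MS-SQL servers described above leave a very recognizable trail: bursts of "Login failed for user" entries from one client address in the SQL Server ERRORLOG. The following detection is an added example written for this page, not AttackIQ's or the ransomware's code; the log lines are constructed to mimic the ERRORLOG format, and the threshold and window are illustrative assumptions a practitioner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of SQL Server ERRORLOG "Login failed" lines
# (not real telemetry). 203.0.113.7 hammers 'sa' and 'admin' every 9 seconds;
# 198.51.100.4 is a single mistyped password from an administrator.
def _line(ts, user, ip):
    return (f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")

_base = datetime(2024, 6, 10, 2, 13, 0)
SAMPLE_LOG = "\n".join(
    [_line(_base + timedelta(seconds=9 * i), "admin" if i % 3 == 0 else "sa", "203.0.113.7")
     for i in range(12)]
    + ["2024-06-10 02:13:30.00 spid52      Starting up database 'tempdb'."]  # unrelated noise
    + [_line(_base + timedelta(seconds=40), "dbadmin", "198.51.100.4")]
)

# Timestamp, failed user name and the [CLIENT: ip] tag that SQL Server appends.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, client_ip, user) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_dictionary_attacks(events, threshold=10, window=timedelta(minutes=5)):
    """Flag client IPs with >= threshold failures inside any sliding window.

    Returns {ip: {"failures": total, "users": sorted user names tried}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(items),
                    "users": sorted({u for _, u in items}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['failures']} failed logins, users tried: {info['users']}")
```

The sliding window keeps a slow-and-low attacker from hiding behind a fixed per-minute count, and the set of user names tried is a useful triage signal: a real administrator fails against one account, a dictionary attack walks through several. In production the same logic applies to Windows event 18456 forwarded from the SQL host.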

On December 11, 2023, Cisco Talos reported on Andariel, a North Korean state-sponsored group linked to the Lazarus Group, which has been exploiting vulnerabilities such as Log4Shell and deploying new DLang-based malware, including a Remote Access Trojan named NineRAT. The group's activity targets sectors including manufacturing and agriculture and relies on a range of techniques for reconnaissance, credential access, and persistence.…

On July 25, 2024, the United States Federal Bureau of Investigation (FBI), the Cyber National Mission Force (CNMF), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), the National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS), the Republic of Korea’s National Police Agency (NPA), and the United Kingdom’s National Cyber Security Centre (NCSC) released a Cybersecurity Advisory (CSA) that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.…

Cactus is a ransomware strain first observed in March 2023 that had compromised more than 140 organizations as of July 2024.

Cactus typically obtains access to corporate networks by exploiting vulnerabilities in externally facing Virtual Private Network (VPN) appliances. Once access is secured, the operators establish Command and Control (C2) communications over Secure Shell (SSH).…

On July 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) detailing the Tactics, Techniques and Procedures (TTPs), mitigation strategies, and detection methods associated with a red team assessment carried out by CISA against a Federal Civilian Executive Branch (FCEB) organization.…

Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to the Main Centre for Special Technologies (GTsST) of Russia's Main Intelligence Directorate (GRU), military Unit 74455.

Sandworm is characterized by its use of malware families built specifically to compromise Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) environments in the Energy, Government, and Media sectors.…

On May 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.…

On April 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (CSA) that disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with Akira ransomware, identified through FBI investigations and trusted third party reporting as recently as February 2024.…

On February 19, 2024, ConnectWise published a security advisory disclosing two critical vulnerabilities, CVE-2024-1708 (Path Traversal) and CVE-2024-1709 (Authentication Bypass), affecting ScreenConnect versions 23.9.7 and earlier; version 23.9.8 contains the fix.

Successful exploitation of these vulnerabilities allowed adversaries to gain unauthorized access to and control over affected systems. Huntress named the exploitation chain "SlashAndGrab" because the authentication bypass requires nothing more than appending a single forward slash to the end of a URL path on a vulnerable ScreenConnect installation.…

On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024.…

DarkGate is a commodity loader written in Borland Delphi that was first identified in 2018 and has been advertised under the Malware-as-a-Service (MaaS) business model on popular cybercrime forums since June 2023.

It has a wide range of capabilities, such as the ability to download and execute files in memory, environment reconnaissance and information gathering, privilege escalation, remote access software deployment, and a Hidden Virtual Network Computing (HVNC) module.…

On February 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) assessing that People’s Republic of China (PRC) state-sponsored cyber actors were seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S.…

On December 19, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) that disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the ALPHV BlackCat Ransomware-as-a-Service (RaaS), identified through FBI investigations as recently as December 6, 2023.…
