Ransomware threat actors have been extorting money after taking control over organizations’ internal networks, distributing ransomware, encrypting systems, and holding system restoration for ransom. Recently, however, threat actors not only encrypts the systems but also leaks internal data and threatens to expose them publicly if the ransom is not paid.…
Author: admin
Ivanti has issued a high-severity advisory for multiple vulnerabilities affecting its Connect Secure and Policy Secure products, including an authentication bypass flaw (CVE-2024-22024) that is currently being exploited in the wild. Customers are urged to apply patches immediately to mitigate risks. #CyberSecurity #VulnerabilityManagement #Ivanti
Read More
Keypoints :
Ivanti released an advisory on February 8, 2024, for CVE-2024-22024, an authentication bypass vulnerability.…
Summary
Read More
A financially motivated threat actor is targeting Mexican banks and cryptocurrency trading entities with custom packaged installers delivering a modified version of AllaKore RAT – an open-source remote access tool.
Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process.…
Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild in 2018 with its core functionality revolving around its ability to act as SOCKS5 proxy. This provides a useful capability for threat actors as a persistent access mechanism or for purposes of leaving behind a backdoor in case of discovery of their initial access method.…
Key Takeaways
Kroll has observed a recent shift in the base64 encoding used for DARKGATE.
The base64 alphabet is now randomized based on characteristics of the victim system.
A weakness in the seed value randomness makes the new alphabet trivial to brute force.
The discovered alphabet can be used to decode the on-disk configuration and keylogging outputs.…
Read More
Huntress SOC analysts recently alerted customers regarding two disparate endpoints identified as being minimally impacted by ransomware; that is, only a limited number of ransomware canary files were encrypted. In neither instance was there any indication of the threat actor conducting reconnaissance activities beyond the impacted endpoint, nor attempting to move laterally to other endpoints within the infrastructure. …
By: Dylan Duncan
Threat actors are using employee’s annual responsibilities like open enrollment, 401k updates, salary adjustments, and even employee satisfaction surveys as lures to steal credentials. Most of these responsibilities tend to fall towards the end of the year, which is subjective to the calendar the employer uses.…
Executive Summary
Read More
Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.…
For the latest discoveries in cyber research for the week of 27th November, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES Nevada-based medical transcription company, Perry Johnson & Associates (PJ&A), has disclosed a data breach that affected more than 9M patients at multiple healthcare providers in the US.…
By Dylan Duncan
A malware phishing campaign that began spreading DarkGate malware in September of this year has evolved to become one of the most advanced phishing campaigns active in the threat landscape. Since then, the campaign has changed to use evasive tactics and anti-analysis techniques to continue distributing DarkGate, and more recently, PikaBot.…
SUMMARY
Read More
In early 2023, Secureworks® Counter Threat Unit™ (CTU) researchers discovered how to manipulate the consenting process of a legitimate verified publisher application to implant malicious unverified applications within a Microsoft Entra ID (formerly known as Azure Active Directory) tenant[1]. Any tenant that retained the default user consent configuration for enterprise applications was susceptible to this attack.…
By: Robert O’Callaghan
A method of communication that remains important in our modern world is that of the voice message. The PDC recently observed a phishing campaign where threat actors included an access key in the body as a way to entice the user to access the voice message that had been left for them to review. …
By: Nathaniel Raymond
In 2022, the Cofense Phishing Defense Center (PDC) detected phishing campaigns that used LinkedIn links called Smart Links or “slink” to bypass security email gateway or SEG to deliver credential phishing, which was covered previously in the smart links LinkedIn blog. Smart links are links utilized by a LinkedIn team or business account connected to LinkedIn Sales Navigator services that provide content and track engagement metrics.…
SUMMARY
Read More
Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.…
JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF” hereafter and explains the details of and countermeasures against it.…
As attacks become more fileless and malware gets more obfuscated, it is getting more difficult to determine whether there is a malicious intent from a file by itself. For this reason, malware detection methods that utilize sandboxes and AI, as well as technologies that detect suspicious behavior after malware infection, such as EDR, have now become common.…
Key points
Starting from the end of 2022, an Android Spyware called SpyNote was observed to carry out bank fraud due to its many features.
SpyNote abuses Accessibility services and other Android permissions in order to:– Collects SMS messages and contacts list;– Record audio and screen;– Keylogging activities;– Bypass 2FA;– Tracking GPS locations.…
Read More
At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js…
Case Study
Read More
WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022.
The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!,…
Meduza’s Gaze
Read More
Meduza Stealer … Yes, you read it right, I did not misspelled it, is a new stealer that appeared on Russian-speaking forums at the beginning of June 2023. The stealer is written in C++ and is approximately 600KB in size. The DLL dependencies are statically linked to the binary, which reduces the detection.…