Author: RecordedFuture
Summary:
Russia is intensifying its sabotage operations across Europe, targeting critical infrastructure to destabilize NATO allies and disrupt their support for Ukraine. Recent incidents, such as break-ins at water treatment facilities in Finland and explosions at arms factories in Poland, illustrate Russia’s use of gray zone tactics to undermine Western capabilities without engaging in open conflict.…Summary:
In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript that spoofed a TLS certificate error, tricking visitors into downloading a disguised security certificate. This incident highlights ongoing cyber-espionage efforts targeting Tibetan entities, linking TAG-112’s infrastructure to other Chinese operations.…Short Summary:
Rhysida ransomware, active since early 2023, utilizes a multi-tiered infrastructure and CleanUpLoader for post-exploitation activities. Recorded Future’s Network Intelligence has enabled early detection of Rhysida victims, providing a crucial window for prevention. The ransomware targets sectors like healthcare and education, affecting both Windows and Linux systems.…
Short Summary:
The article discusses the challenges organizations face in cybersecurity due to fragmented detection tools and the need for comprehensive threat visibility. It highlights how Recorded Future’s Threat Intelligence Cloud Platform and Collective Insights can bridge these gaps by integrating diverse data sources, enhancing threat detection, and providing actionable intelligence to security teams.…
The “Marko Polo” group represents a significant cybercriminal threat, employing sophisticated infostealer malware and social engineering tactics to target individuals and businesses, particularly in the cryptocurrency and online gaming sectors. With over 30 unique scams and a diverse malware toolkit, Marko Polo has compromised tens of thousands of devices globally, leading to substantial financial and reputational damage.…
The “H1 2024 Malware and Vulnerability Trends Report” highlights the evolving tactics of threat actors, particularly in exploiting zero-day vulnerabilities and the rise of infostealer malware. Key trends include a significant increase in Magecart attacks and the evolution of ransomware tactics, emphasizing the need for organizations to strengthen their cybersecurity measures.…
Short Summary:
The resurgence of Intellexa’s Predator spyware, following a decline due to US sanctions, poses renewed privacy and security risks, particularly to high-profile individuals. Recent findings indicate that Predator’s infrastructure has evolved to evade detection, complicating tracking efforts. Cybersecurity best practices are essential for mitigating these risks as global regulation efforts continue to lag behind the spyware’s advancements.…
Insikt Group has reported a rise in cyber threat activity from GreenCharlie, an Iran-nexus group targeting US political and government entities. They employ sophisticated phishing operations and malware like GORBLE and POWERSTAR, utilizing dynamic DNS providers for their infrastructure.
Key Points Group Identity: GreenCharlie, linked to Iran and associated with Mint Sandstorm, Charming Kitten, and APT42.…“`html
Short SummaryThe Recorded Future Payment Fraud Intelligence team has uncovered the ERIAKOS campaign, a sophisticated scam e-commerce network targeting Facebook users. Detected on April 17, 2024, this campaign involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data, primarily from mobile users.…
Summary:
Insikt Group's recent analysis reveals that North Koreans continue to use foreign technology to access the internet despite heavy sanctions. This includes Apple, Samsung, and Huawei devices, as well as various social media platforms. A notable finding is the increased use of obfuscation services like VPNs and proxies to circumvent censorship and surveillance.…
Summary
Between Q4 2023 and Q1 2024, cybercriminals increasingly used QR codes and AI-generated phishing tactics to target executives, exploiting AWS SNS for malicious SMS and VAST tags for malvertising. These sophisticated methods enable threat actors to bypass security measures, capture multi-factor authentication (MFA) tokens, and deceive users more effectively.…
Insikt Group examines a large-scale Russian-language cybercrime operation using fake Web3 gaming initiatives to distribute malware designed to steal information from both macOS and Windows users. These Web3 games, which are based on blockchain technology, offer the potential for financial gains through cryptocurrency earnings.
Web of Deceit: The Rise of Imitation Web3 Gaming Scams and Malware Infections
The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity.…
Summary
Recorded Futures Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations. TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.…
Summary
Insikt Group's research reveals that OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen. They use malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution. Notable organizations affected include CARE International and the Norwegian Refugee Council.…
Cyber threats are becoming increasingly sophisticated and frequent, making it imperative for organizations to leverage cyber threat intelligence to stay ahead of potential cyber attacks. Organizations across all industries are recognizing the importance of implementing robust threat intelligence solutions to stay ahead of cybercriminals and protect their valuable assets.…
Summary
In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior.…
Insikt Group's report reveals that CopyCop, a likely Russian government-aligned influence network, has shifted its focus to the 2024 US elections. Using AI and inauthentic websites, CopyCop creates and spreads political content. The network registered 120 new websites between May 10 and May 12, 2024, amplifying targeted content through platforms like YouTube.…
From November 2023 to April 2024, Insikt Group identified cyber-espionage activities conducted by RedJuliett, a likely Chinese state-sponsored group, primarily targeting government, academic, technology, and diplomatic organizations in Taiwan. RedJuliett exploited known vulnerabilities in network edge devices such as firewalls, virtual private networks (VPNs), and load balancers for initial access.…
Recorded Futures Insikt Group identified that Vortax, a purported virtual meeting software, spreads three infostealersRhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). This extensive campaign targets cryptocurrency users, exploiting macOS vulnerabilities. Operated by the threat actor markopolo, this campaign has significant implications for macOS security, indicating a potential increase in AMOS attacks.…
The 2024 Paris Olympic Games face numerous threats due to their high-profile nature and international significance. Insikt Group's research identifies several key risks: cybercriminals targeting critical sectors with ransomware, hacktivists aiming to disrupt due to geopolitical conflicts, and state actors engaging in espionage and influence operations.…
Insikt Group tracks the evolutions of GRU's BlueDelta operational infrastructure, targeting networks across Europe with information-stealing Headlace malware and credential-harvesting web pages. BlueDelta deployed Headlace infrastructure in three distinct phases from April to December 2023, using phishing, compromised internet services, and living off the land binaries to extract intelligence.…
In recent research, Recorded Future's Insikt Group uncovered a sophisticated cybercriminal campaign led by Russian-speaking threat actors from the Commonwealth of Independent States (CIS). These threat actors leveraged a GitHub profile to impersonate legitimate software applications like 1Password, Bartender 5, and Pixelmator Pro to distribute various malware types, such as Atomic macOS Stealer (AMOS) and Vidar.…
SolarMarker, a malware known for stealing information, utilizes an evolving, multi-tiered infrastructure that has been active since 2021. This malware, also known as Yellow Cockatoo and Jupyter Infostealer, targets sectors such as education, healthcare, and SMEs. To avoid detection, it employs advanced evasion techniques like Authenticode certificates and large zip files.…
In early March 2024, Insikt Group identified a malign influence network, CopyCop, skillfully leveraging inauthentic media outlets in the US, UK, and France. This network is suspected to be operated from Russia and is likely aligned with the Russian government. CopyCop extensively used generative AI to plagiarize and modify content from legitimate media sources to tailor political messages with specific biases.…
New research from Recorded Futures Insikt Group focuses on the growing threat of a possible "mobile NotPetya" event. Through zero-click exploits, a self-propagating mobile malware could infiltrate smartphones at scale. The threat has increased sharply in the past few years as spyware companies continually refine zero-click exploits.…
Insikt Group examines a large-scale Russian-language cybercrime operation using fake Web3 gaming initiatives to distribute malware designed to steal information from both macOS and Windows users. These Web3 games, which are based on blockchain technology, offer the potential for financial gains through cryptocurrency earnings.
Web of Deceit: The Rise of Imitation Web3 Gaming Scams and Malware Infections
The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity.…
Safeguarding sensitive data, maintaining brand reputation, and cultivating customer trust pose continuous challenges for enterprise organizations. However, the dark web, a hidden corner of the internet, poses unique challenges for cybersecurity professionals. Criminal activities such as the sale of stolen credentials and plans for targeted attacks thrive in this dark section of the internet.…
Check out our on-demand Annual Report webinar or read on for a summary of key topics and themes in the report.
2023 was a year in which cybercrime evolved in significant ways. Our 2023 annual report serves as a playbook of adversaries’ tactics, techniques, and procedures (TTPs) in 2023, with the goal of giving your security team a 360-degree view of the threat landscape.…
Domestic violent extremists (DVEs) in the United States are increasingly doxing senior leaders from the public and private sectors — publishing their personally identifiable information (PII) with malicious intent and without the leaders’ consent. Historically, DVE doxing attempts usually targeted other DVEs and political opponents, but recent trends show a broadening scope of targets, including government officials, executives, and heads of various institutions.…
New Insikt research examines 2023, a year of unexpected outcomes and escalating cybersecurity threats. Throughout the year, cyber threat actors exploited the prevailing chaos to steal data, conduct espionage, and disrupt geopolitics, an example being nation-states like China targeting Taiwanese semiconductor firms. Additionally, the text highlights the rise in exploitation of "as-a-service" enterprise software and shared cloud infrastructure, which led to an increase in weaponized vulnerabilities and high-profile cyberattacks, such as the MOVEit exploit by the ransomware gang CL0P.…
New research from Recorded Futures Insikt Group outlines a collaborative investigation by threat intelligence analysts and R&D engineers into the potential malicious uses of artificial intelligence (AI) by threat actors. They experimented with a variety of AI models, including large language models, multimodal image models, and text-to-speech models, without any fine-tuning or additional training, to mimic the resources threat actors might realistically have.…
New Insikt Group Research provides updated insights on the recent i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese IT and cybersecurity company, shed light on China’s state-sponsored cyber espionage operations. The leak is significant as it reveals the connections between i-SOON and several Chinese state-sponsored cyber groups such as RedAlpha, RedHotel, and POISON CARP, indicating a sophisticated network of espionage operations that includes the theft of telecommunications data for tracking individuals.…
New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.…
Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…
Available in the following solutions: Ransomware Mitigation, Automated Security Workflows, and Mitigate Supply Chain Risk
Available in the following modules: Threat Intelligence, and Geopolitical Intelligence
In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks.…
Recent Insikt research analyzes ransomware and vulnerability trends spanning the past six years and offers insights into future expectations.
Ransomware groups exploit vulnerabilities in two distinct categories: those targeted by only a few groups and those widely exploited by several. Each category necessitates different defense strategies.…
The report discusses Iranian intelligence and military entities associated with the Islamic Revolutionary Guard Corps (IRGC) involved in cyber activities targeting Western countries through their network of contracting companies. Four known intelligence and military organizations linked to the IRGC engage with cyber contractors. Iranian threat groups linked to the network of contracting parties have launched espionage and ransomware attacks and are leading efforts to destabilize target countries through information operations.…
New Insikt Group research discusses the frequent abuse of GitHub's services by cybercriminals and advanced persistent threats (APTs) for various malicious infrastructure schemes. These include payload delivery, dead drop resolving (DDR), full command-and-control (C2), and exfiltration. GitHub's popularity among threat actors lies in its ability to allow them to blend in with legitimate network traffic, making detection and attribution challenging for defenders.…
In its 2023 Adversary Infrastructure report, Insikt Groups outlook for the infrastructure landscape in 2024 suggests a continuation of the evolving nature of cyber threats, with an emphasis on government efforts to combat malicious activities. Anticipated increases in takedowns of malicious infrastructure reflect a growing awareness among governments of the devastating impacts of ransomware and other destructive attacks.…
In 2023, the payment fraud underground showed signs of recovery following Russian law enforcement's crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022. The dark web carding shops saw a rebound in the volume of stolen payment cards, with 119 million cards posted for sale online.…
In a new report, Recorded Futures Insikt Group examines North Koreas success in its cybercriminal operations targeting the cryptocurrency industry. Since 2017, North Korea has significantly increased its focus on the cryptocurrency industry, stealing an estimated $3 billion worth of cryptocurrency. Initially successful in stealing from financial institutions through the hijacking of the SWIFT network, North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally.…
As Black Friday and the holiday shopping season approaches, the threat of online scams is on the rise, with a 22% increase in consumer scam losses reported during the 2022 Black Friday and Cyber Monday sales. Recorded Futures Insikt Group has analyzed recent high-impact scam website campaigns, revealing three key themes in how scammers operate and offering insights into how consumers and businesses can protect themselves.…
Ad fraud, driven by automation, is a pervasive issue in online advertising, involving the inflation of performance metrics through automated bot software and tools. The increasing accessibility of automation solutions has lowered barriers to entry for fraudsters, making ad fraud a more significant threat. Ad fraud results in significant financial losses, estimated to reach $100 billion by the end of 2023, directly impacting advertisers and publishers.…
Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity, making it harder to detect their activities.…
Recorded Future's research group, Insikt Group, has identified an application disseminated on a Telegram Channel used by members/supporters of the Hamas terrorist organization.
The application is configured to communicate with Hamas's Izz ad-Din al-Qassam Brigades website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization.…
Recorded Future’s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.…
Insikt Group has identified and analyzed a network named "Empire Dragon," which is believed to be a coordinated and inauthentic operation likely aligned with the Chinese government and based in China. This network has been active since early 2021 and appears to engage in information operations (IOs) aimed at manipulating global audiences through various languages, topics, and platforms.…
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel’s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors.…
Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security.…