Author: ReliaQuest
Key Points:
Malware campaigns are using fake CAPTCHA pages to mimic trusted services.…

Key Points:
Phishing incidents accounted for 46% of all customer incidents from August 1 to October 31, 2024.…

Short Summary:
In October 2024, ReliaQuest identified a campaign by the ransomware group Black Basta, which has evolved its tactics to include social engineering through Microsoft Teams and QR codes. The attackers are using these methods to gain initial access to targeted environments, likely with the intent to deploy ransomware.…
Short Summary:
In July 2024, a ReliaQuest customer in the manufacturing sector experienced a data exfiltration attack. The threat actor exploited a Fortinet firewall and used a brute-force attack on a privileged service account to gain access to multiple file servers, exfiltrating sensitive business data. The ReliaQuest Threat Hunting team collaborated with the customer to isolate affected hosts and implement remediation strategies, including the use of GreyMatter Response Playbooks for rapid response.…
Summary: The report discusses the growing trend of threat actors exploiting legitimate IT tools for malicious operations, termed CAMO (Commercial Applications, Malicious Operations), which allows them to bypass security measures and evade detection. It emphasizes the need for organizations to recognize this threat and implement effective countermeasures to mitigate risks associated with the misuse of these tools.…
Summary: The report highlights the evolving landscape of malware loaders in 2024, emphasizing their significant role in cyberattacks and the increasing sophistication of their techniques. It provides insights into the most prevalent loaders, including SocGholish, GootLoader, and Raspberry Robin, along with mitigation strategies for organizations to combat these threats.…
Short Summary:
In 2024, malware loaders have become a prevalent tool in cyberattacks, with loaders like SocGholish, GootLoader, and Raspberry Robin leading the charge. These loaders utilize sophisticated evasion techniques and are increasingly leveraging scripting languages like Python for persistence and stealth. The report highlights the evolution of these loaders, their impact on organizations, and provides mitigation strategies for cybersecurity professionals.…
Summary: This report analyzes the rising use of data-exfiltration tools, particularly Rclone, by threat actors in cyber incidents, highlighting their capabilities and the implications for organizations. It also provides recommendations for enhancing security measures to mitigate the risks associated with data exfiltration.
Threat Actor: Various threat groups | LockBit, Black Basta, Blacksuit
Victim: Organizations across sectors | US manufacturing sector, UK professional services
Key Points:
Rclone has been identified as the most frequently used data-exfiltration tool, appearing in 57% of incidents investigated by ReliaQuest.…

Key Points:
In June 2024, ReliaQuest responded to detections from an endpoint detection and response (EDR) tool signaling the beginning of a ransomware attack by the “Medusa” ransomware group that resulted in the encryption of various hosts in a customer environment. Since 2022, the Ransomware-as-a-Service (RaaS) group Medusa has targeted organizations in the technology, education, manufacturing, and healthcare sectors by taking advantage of unpatched vulnerabilities and hijacking legitimate accounts.…

Key Points:
ReliaQuest observed new execution techniques in a campaign from the JavaScript framework “ClearFake,” tricking users into copying, pasting, and manually executing malicious PowerShell code. Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing “LummaC2” malware.…

Key Points:
The cyber threat landscape has seen a significant increase in information-stealing (infostealer) malware activity, with a 30.5% rise in marketplace listings for “stealer logs” from Q3 to Q4 of 2023. This malware type has evolved to encompass more sophisticated tools that aim to harvest sensitive information such as usernames, passwords, and credit card details.…

Summary: This report examines the threat posed by Russia-linked advanced persistent threat (APT) groups to operational technology (OT) by analyzing key cyber attacks from the past 12 months, providing detection rules and recommendations for network defenders.
Threat Actor: Russia-linked APT groups | Russia-linked APT groups
Victim: Various industries and specifically a manufacturing industry customer | manufacturing industry
Key Points:
This report analyzes cyber attacks conducted by Russia-linked APT groups on operational technology (OT) in the past year, providing useful detection rules and recommendations for network defenders.…

In Q1 2024, ReliaQuest detected suspicious JavaScript files in customer environments—including “update.js,” a common file name used by SocGholish and other fake-update malware variants. While reviewing the execution of the first-stage payload, we identified a new behavior for this malware: the ingress of Python for persistence. …
In early September 2023, ReliaQuest detected suspicious process executions within a customer’s environment, originating from the Windows debug directory. Our subsequent investigation revealed these executions as part of a more significant cyber-threat incident that resulted in double extortion: the encryption of customer data, followed by ransomware deployment and a threat to publicly release the data. …
In early September, an automated retroactive indicator-of-compromise (IoC) threat hunt identified an IoC in the environment of one of our customers. The detected IP address, 144.76.136[.]153, had previously been used by the cybercrime group Scattered Spider to perform exfiltration via the domain transfer.sh.…
How many times have we heard “It takes just one click”? Well, in this case it took approximately three. In May 2023, the ReliaQuest Threat Hunting Team responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”…