Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos X-Ops’ Managed Detection and Response (MDR) team has reported on two active threat clusters, STAC5143 and STAC5777, which use Microsoft Office 365 services to infiltrate organizations for data theft and ransomware deployment. The tactics include email-bombing, fake tech-support contact over Microsoft Teams, and abuse of legitimate remote-control tools. Both clusters exhibit techniques that overlap with known threat groups such as FIN7 and Storm-1811.…
Read More
Gootloader inside out
The Gootloader malware employs sophisticated social engineering tactics to infect users through compromised WordPress sites. It manipulates search engine results to direct victims to these sites, where they encounter fake message boards that link to the malware. The infection process is complex and heavily obfuscated, making it difficult for even site owners to detect.…
Read More

Summary:

The recent disruption of the Rockstar2FA phishing-as-a-service platform has been followed by the emergence of a similar service called FlowerStorm, which shows striking similarities to its predecessor. The transition illustrates how phishing operators adapt when their infrastructure suffers technical setbacks.

Keypoints:

Rockstar2FA, a phishing-as-a-service platform, experienced a significant infrastructure collapse in November.…
Read More

Summary: The Sophos X-Ops team has identified a rising threat known as “quishing,” which combines QR codes with phishing attacks. Attackers exploit QR codes to direct victims to fraudulent websites, often bypassing traditional security measures. The investigation revealed sophisticated tactics used in recent campaigns, highlighting the need for enhanced vigilance and security measures against such evolving threats.…

Read More

Summary:

GootLoader has evolved into an initial-access-as-a-service platform, used primarily by cybercriminals to deliver GootKit, a sophisticated information stealer and remote access Trojan. Using SEO poisoning, GootLoader lures victims into downloading malicious payloads disguised as legitimate files, leading to further exploitation and, potentially, ransomware deployment.…
Read More
Short Summary: Sophos X-Ops has identified a Chinese state-directed cyberespionage operation, termed Operation Crimson Palace, targeting a Southeast Asian government agency. The operation involves multiple threat activity clusters, with ongoing malware deployment and data exfiltration efforts, including the use of a new keylogger named “TattleTale.” The attackers have demonstrated adaptability by employing various tools and techniques to maintain persistent access and evade detection.…
Read More

Short Summary:

The article discusses the increasing prevalence of malware targeting macOS, particularly focusing on the Atomic macOS Stealer (AMOS), which is designed to steal sensitive data from infected machines. AMOS has gained popularity among cybercriminals, with its price tripling over the past year. The article outlines how AMOS is distributed through malvertising and SEO poisoning, and highlights the importance of users being cautious about software installations and permissions.…

Read More

Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia.…

Read More

We are investigating a ransomware campaign that abuses legitimate Sophos executables and DLLs by modifying their original content, overwriting the entry-point code, and inserting the decrypted payload as a resource – in other words, impersonating legitimate files to attempt to sneak onto systems. A preliminary check indicates that all the affected Sophos files were part of the 2022.4.3 version of our Windows Endpoint product.…
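The files described above were modified after signing: their entry-point code was overwritten and a payload inserted as a resource. That is exactly the class of tampering an Authenticode check catches, because the signature covers a digest of the whole image except the CheckSum field, the certificate-table directory entry and the certificate table itself. The Python script below is an added illustration, not code from this post or from Sophos: it computes that Authenticode digest over a synthetic, hand-built PE32 image (constructed inline; it is not a real executable) and shows that overwriting the .text bytes changes the digest while the excluded fields do not. The offsets follow the PE/COFF and Authenticode specifications; the section contents and certificate blob are made-up placeholders. It does not parse or validate the PKCS#7 signature, so for real files use `Get-AuthenticodeSignature` or `signtool verify /pa`.

```python
import hashlib
import struct

SIZE_OF_HEADERS = 0x200


def build_fake_pe(section_data: bytes, cert_blob: bytes = b"") -> bytes:
    """Lay out a minimal PE32 image: DOS header, PE signature, COFF header,
    224-byte optional header, one .text section and an optional trailing
    certificate table. Constructed for this example; it cannot be executed."""
    sec_size = len(section_data)
    cert_off = SIZE_OF_HEADERS + sec_size if cert_blob else 0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 60, SIZE_OF_HEADERS)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum (not hashed)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert_blob))  # Security dir
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, 0x1000, sec_size,
                          SIZE_OF_HEADERS, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (SIZE_OF_HEADERS - len(headers))
    return headers + section_data + cert_blob


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest of the signed portion of a PE image, per the Authenticode PE rules:
    headers minus CheckSum and the Security directory entry, then every section
    in file order, then any trailing data except the certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:
        dd_off = opt + 96        # PE32 data directories
    elif magic == 0x20B:
        dd_off = opt + 112       # PE32+ data directories
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sec_dir_off = dd_off + 4 * 8                      # IMAGE_DIRECTORY_ENTRY_SECURITY
    _cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                       # up to CheckSum
    h.update(pe[checksum_off + 4:sec_dir_off])        # skip CheckSum, up to Security entry
    h.update(pe[sec_dir_off + 8:size_of_headers])     # skip Security entry, rest of headers
    hashed = size_of_headers

    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + i * 40 + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    for ptr_raw, size_raw in sorted(sections):        # ascending PointerToRawData
        h.update(pe[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw

    trailing = len(pe) - hashed - cert_size           # overlay data, minus the cert table
    if trailing > 0:
        h.update(pe[hashed:hashed + trailing])
    return h.hexdigest()


# Constructed .text contents: a stand-in prologue followed by filler (512 bytes).
TEXT = b"\x55\x8b\xec" + b"\x90" * 29 + bytes(range(256)) + b"\0" * 224


def signed_content_differs(pristine: bytes, suspect: bytes) -> bool:
    """True when the bytes covered by the signature differ between two images."""
    return authenticode_hash(pristine) != authenticode_hash(suspect)


def zero_checksum(pe: bytes) -> bytes:
    """Clear the CheckSum field of a PE32 image laid out by build_fake_pe."""
    out = bytearray(pe)
    struct.pack_into("<I", out, 0x40 + 4 + 20 + 64, 0)
    return bytes(out)


if __name__ == "__main__":
    cert = b"\x30\x82" + b"\x41" * 30                  # placeholder, not a real PKCS#7 blob
    clean = build_fake_pe(TEXT, cert)
    # Overwrite the first bytes of .text with a jmp, as the loader described above does.
    patched = build_fake_pe(b"\xe9\x00\x01\x00\x00" + TEXT[5:], cert)
    print("digest:", authenticode_hash(clean))
    print("entry point tampered:", signed_content_differs(clean, patched))
```

Because the digest ignores only the checksum and certificate regions, a file whose entry point was rewritten fails signature verification even though the embedded certificate chain is still the vendor's; the inverse also holds, and is the case in the item below about a validly signed driver, where a good signature says nothing about intent.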

Read More

In the 1960s and ’70s, the US firearms market saw an influx of cheaply-made, imported handguns. Legislators targeted the proliferation of these inexpensive and frequently unreliable weapons, ostensibly because they were believed to pose a risk to their owners and facilitate criminality. This was not an issue unique to the US or to that time period, of course; in the UK, where handguns are now strictly regulated, criminals often resort to reactivated, or even home-made or antique, firearms.…

Read More

In December 2023, Sophos X-Ops received a report of a false positive detection on an executable signed by a valid Microsoft Hardware Publisher Certificate. However, the version info for the supposedly clean file looked a little suspicious.

Figure 1: Version info of the detected file. Note the typos ‘Copyrigth’ and ‘rigths’

The file’s metadata indicates that it is a “Catalog Authentication Client Service” by “Catalog Thales ” – possibly an attempt to impersonate the legitimate company Thales Group.…

Read More

Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information is based on observation and analysis of attacks by SophosLabs, Sophos Managed Detection and Response (MDR) and Sophos Incident Response (IR), in which the ScreenConnect client or server was involved.…

Read More