Author: Symantec
Short Summary:
Mobile apps are increasingly vulnerable due to the presence of hardcoded and unencrypted cloud service credentials in their codebases. This issue poses significant risks to user data and backend services, as demonstrated by the Pic Stitch: Collage Maker app, which has been found to contain hardcoded AWS credentials.…
Short Summary:
The article discusses various tools and techniques used by attackers in the context of ransomware operations. It categorizes these tools into four main areas: Living off the Land, Impairing Defenses, Remote Desktop/Remote Admin, and Data Exfiltration. The article also highlights the growing robustness of the ransomware ecosystem and suggests visiting the Symantec Protection Bulletin for the latest protection updates.…
Short Summary:
Ransomware activity surged in Q2 2024, with a 36% increase in claimed attacks compared to Q1, totaling 1,310 incidents. The resurgence is attributed to the recovery of LockBit and the emergence of new ransomware operators like Qilin and RansomHub, which have rapidly gained traction in the ransomware ecosystem.…
Short Summary:
The article emphasizes the critical need for mobile security, highlighting the risks associated with unencrypted data transmission in various apps. It discusses specific apps that expose sensitive user information and offers best practices for developers to enhance security and protect user data.
Key Points:
Mobile security is increasingly important in a digital world.…
Short Summary:
A new backdoor known as Backdoor.Msupedge has been discovered, targeting a university in Taiwan. This backdoor employs DNS tunneling to communicate with its command-and-control server, utilizing a unique technique that is not commonly seen. It is installed as a dynamic link library (DLL) and can execute various commands based on the resolved IP address from the C&C server.…
Short Summary:
The article discusses the increasing trend of threat actors utilizing legitimate cloud services for their attacks, highlighting various espionage operations and malware tools that exploit these services. Notable tools mentioned include GoGra, Grager, and MoonTag, which leverage Microsoft Graph API for command-and-control operations. The article emphasizes the need for organizations to monitor and protect against these evolving threats.…
Symantec has observed an increase in attacks that appear to leverage Large Language Models (LLMs) to generate malicious code used to download various payloads.
LLMs are a form of generative AI designed to understand and generate human-like text.…
Symantec reported a Daggerfly intrusion against a telecoms operator in Africa involving previously unseen plugins for MgBot.
Macma update
Macma is a macOS backdoor that was first documented by Google in 2021 but appears to have been used since at least 2019. At the time of discovery, it was being distributed in watering hole attacks involving compromised websites in Hong Kong.…
was the target of a U.S.-led law enforcement operation in December 2023. Although Noberus attempted to reestablish itself in the following weeks, it eventually closed in March 2024, citing the impact of the law enforcement operation, amid reports of a falling out with many of its affiliates.…
CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges. The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild.…
said it was responsible for an attack on Korea Hydro and Nuclear Power (KHNP). Multiple employees at KHNP were targeted with spear-phishing emails containing exploits that installed disk-wiping malware on their machines. The U.S. government has said that the group is a unit of North Korea’s military intelligence organization, the Reconnaissance General Bureau (RGB). …
Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines. For an example of how Rclone may be used, see case study below.
AnyDesk: A legitimate remote desktop application. By installing it, attackers can obtain remote access to computers on a network. Malicious…