By Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup
Executive Summary In Q1 of 2023, SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East. We assess that this activity represents an evolution of tooling associated with Operation Soft Cell.…Tag: ACTIVE DIRECTORY
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.…
First introduced in July 2022, Icarus Stealer is an infostealer malware that uses an hVNC capability so that the threat actor can create a new hidden desktop to navigate through the infected computer system without interacting with the main desktop. Icarus Stealer is also significantly cheaper compared to other popular infostealers like Redline Stealer and Raccoon Stealer, making it easier for inexperienced cybercriminals to use.…
In this blog post we will be analyzing the recent “ESXiArgs” Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.
Attack VectorsIn the past Ransomware targeting ESXi Hypervisors was largely human-operated as a later stage of general Ransomware attack, where other Assets (Clients, Servers) are encrypted first.…
Key Findings
Proofpoint began tracking a new threat actor, TA866.
Proofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023.
The activity appears to be financially motivated, largely targeting organizations in the United States and Germany.
With its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via screenshots before installing a bot and stealer.…
Read More
We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers.
On December 2022, we identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD)…
Last updated at Wed, 25 Jan 2023 20:23:13 GMT
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products.…
Written by Jon DiMaggio.
Table of Contents
I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Last updated at Thu, 09 May 2024 16:11:11 GMT
How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.…
BACKGROUND
Read More
In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.…
On December 2, 2022, one of our 24/7 SOC Cyber Analysts escalated an incident involving the GootLoader malware at a pharmaceutical company. eSentire’s Threat Response Unit (TRU) responded quickly and proceeded with an in-depth threat investigation of GootLoader.
eSentire leveraged Microsoft Defender for Endpoint to quarantine and prevent the threat (Figure 1).…
On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have track downed a new variant of the Cuba ransomware as Tropical Scorpius. This Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors [2].…
Большинство кибератак имеют финансовую мотивацию, однако в последнее время возросло число атак, цель которых — не обогащение, а нанесение ущерба жертве. Одним из инструментов таких атак являются вайперы (от англ. wiper) — программы, которые уничтожают данные без возможности восстановления. К наиболее известным вайперам, появившимся в 2022 году, относятся DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2 и RuRansom.…
The holiday season seems to be at an ebb for the Aviation Industry in Southeast Asia, as two low-cost carriers faced ransomware attacks this week.
Ransomware is a daunting threat that has loomed over strategic industries, including Aviation, in 2022. In our previous blog, we covered the emerging threats to the Aviation industry and predicted an increase in large-scale cyber-attacks on the sector.…
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk.…
The Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments related to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting U.S.-based companies. …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in the file, by analyzing a .NET wiper named DoubleZero. We identify the challenges of detecting this threat through PE structural analysis and conclude by examining the cues picked up by the machine learning model to detect this sample.…