This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October …
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of …
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report …
A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in …
More than a week after it suffered a crippling ransomware attack, the hotel giant MGM is struggling to recover. The attack, linked to the ransomware-as-a-service (RaaS) group known as ALPHV, …
The following write-up and analysis is thanks to Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik.
BackgroundHuntress periodically performs reviews of identified incidents for pattern analysis, …
The Budworm advanced persistent threat (APT) group continues to actively develop its toolset. Most recently, the Threat Hunter Team in Symantec, part of Broadcom, discovered Budworm using an updated version of one …
Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. …
This post is also available in: 日本語 (Japanese)
Executive SummaryWe observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we attribute …
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such …
This post is also available in: 日本語 (Japanese)
Executive SummaryAn advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage …
Published by Digital Forensics and Incident Response on 15 September 2023
The CyberCX DFIR team has been engaged to assist in multiple investigations related to the Akira ransomware group, which …
This post is also available in: 日本語 (Japanese)
Executive SummaryTurla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is linked to …
Since February 2023, Microsoft has observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This post is also available in: 日本語 (Japanese)
Executive SummaryEarlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) …
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we …
Sophos X-Ops is tracking an ongoing campaign, which is targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group [BleepingComputer, SOCRadar]. The hackers are exploiting the remote …
We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
By Trellix · August 17, 2023 This story was also written by Phelix Oluoch
Executive SummaryScattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a …
Note: The following is a redacted version of a larger report. For full and comprehensive details of this attack, please enquire about our CTI-on-demand service.
SummaryBlackBerry has discovered and documented …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This is the third part of our research based on an investigation of a series of attacks against industrial organizations in Eastern Europe.
The attackers aimed to establish a permanent …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard …
In cloud environments, cryptojacking – a type of cyberattack that uses computing power to mine cryptocurrency – takes the form of cloud compute resource abuse, which involves a threat actor …
This post is also available in: 日本語 (Japanese)
Executive SummaryMallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft (MS) Windows systems. It has been active …
As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident …
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and …
The Trickbot/Conti Crypters: Where Are They Now?
blog we published last May. One year on, ITG23 has experienced many organizational changes, splintering into factions and forging new relationships. Despite these …
The Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to our findings, the main goal of …
Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first publicly outed in March 2022 by Proofpoint researchers after the group targeted …
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr: As malware for Apple’s OSX operating system gains more and more traction, in this article, we’ll share some …
Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried …
Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can …
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These …
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a …
This post is also available in: 日本語 (Japanese)
Executive SummaryRoyal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September …
MgBot modular malware framework
MgBot is a well-designed modular framework that is actively maintained. The components of the framework are the following:
MgBot EXE dropper MgBot DLL Loader MgBot Plugins…Using malicious Google Ads or SEO poisoning to distribute malware has become a common tactic for cybercriminals. For example, in the Secureworks® 2022 State of the Threat report, Counter Threat …
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, …
This blog post analyzes a stealthy and expeditious ransomware called BabLock (aka Rorschach), which shares many characteristics with LockBit.
A ransomware called BabLock (aka Rorschach) has recently been making waves …
Ex-Conti and FIN7 Actors Collaborate with New Backdoor
Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members. Minodo’s code shows overlap with the Lizar (aka …
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we’ll …