Tag: ACTIVE DIRECTORY
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant
Mandiant has observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, target publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878, for initial access …
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm and …
By Max Kersten · April 3, 2023. This blog was also written by Alexandre Mundo.
We would like to thank Advanced Cyber Services team within Trellix Professional Services for the incident …
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and …
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance …
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded …
February 15, 2024 update – On January 20, 2024, the US government conducted a disruption operation against infrastructure used by a threat actor we track as Forest Blizzard (STRONTIUM), a …
By Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup
Executive Summary: In Q1 of 2023, SentinelLabs observed initial phases of attacks against telecommunication providers in the…
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed …
First introduced in July 2022, Icarus Stealer is an infostealer malware that uses an hVNC capability so that the threat actor can create a new hidden desktop to navigate through …
In this blog post we will be analyzing the recent “ESXiArgs” Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.
Attack Vectors: In …
We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to …
Last updated at Wed, 25 Jan 2023 20:23:13 GMT
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Rapid7 is responding …
Written by Jon DiMaggio.
Table of Contents
I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang …
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats …
Last updated at Thu, 09 May 2024 16:11:11 GMT
How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks. Rapid7 routinely conducts research into the wide …
In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known …
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.
To learn …
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor …
On December 2, 2022, one of our 24/7 SOC Cyber Analysts escalated an incident involving the GootLoader malware at a pharmaceutical company. eSentire’s Threat Response Unit (TRU) responded quickly and …
On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have tracked down a new variant of the Cuba ransomware as …
Most cyberattacks are financially motivated, but recently the number of attacks whose goal is not profit but damage to the victim has grown. One of the tools used in such attacks is the wiper (from the English …
The holiday season seems to be at an ebb for the Aviation Industry in Southeast Asia, as two low-cost carriers faced ransomware attacks this week.
Ransomware is a daunting threat …
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of …
The Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments related to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting …
Executive Summary: Unit 42 researchers introduce a machine learning model that predicts the maliciousness of .NET samples based on specific structures in …
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords.
• Close unused ports and remove …
Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug …
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by …
The sophistication of threat actors’ DDoS strategy and tactics continues to evolve rapidly in response to improved mitigation-side efforts. Actors have complicated filtering and firewalling by bringing a …
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
Qbot, also known …
Author: Tomer Bar, VP Security Research, SafeBreach
As part of our ongoing commitment to conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive …
This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3.
In Part 3, CrowdStrike’s Endpoint Protection Content Research Team covered the …
We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
Summary: QAKBOT’s …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
Research by: Marc Salinas Fernandez
The spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its …
Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the …
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.…
a well-known technique that involves attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application themselves …
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware-ridden Excel document containing the never-dying malware, Emotet.
The post-exploitation started very soon after …
A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously …
Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize and remediate known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.
…
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, is operated by the same …
BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via …
Mitiga spotted a sophisticated, advanced business email compromise (BEC) campaign, directly targeting relevant executives of organizations (mostly CEOs and CFOs) using Office 365. The attackers combine high-end spear-phishing with an adversary-in-the-middle …
A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per …