Summary:
The Mandiant Red Team conducted an assessment to illustrate how advanced threat actors can exploit Microsoft Entra ID environments, particularly through Intune-managed Privileged Access Workstations (PAWs). By abusing specific Intune permissions, the team demonstrated lateral movement and privilege escalation techniques, ultimately compromising Entra ID service principals.…
Summary:
Rapid7’s Incident Response team investigated a Microsoft Exchange service account breach that led to unauthorized access and lateral movement across the network, compromising the entire domain. The attacker exploited a vulnerability in Microsoft SharePoint (CVE-2024-38094) and remained undetected for two weeks, utilizing various tactics, techniques, and procedures (TTPs) to achieve their objectives.…

Summary:
Tropic Trooper, also known as Pirate Panda and APT 23, is a Chinese state-sponsored cyber threat group that has been active since 2011. Specializing in espionage, the group targets sensitive sectors like government, healthcare, and transportation, utilizing advanced tactics such as spear-phishing and custom malware to infiltrate networks and extract valuable information.…

Summary:
This article discusses an incident involving a threat actor’s unsuccessful attempt to bypass Cortex XDR, which inadvertently provided valuable insights into their operations. Through the investigation, Unit 42 uncovered the use of an AV/EDR bypass tool and identified the threat actor’s identity, revealing their tactics and tools utilized in the attack.…

Summary:
A recent Rapid7 report details a significant compromise of a Microsoft SharePoint server, attributed to the exploitation of CVE-2024-38094, which allowed attackers to gain domain access and impact critical systems. The incident highlights the necessity for swift detection and response to vulnerabilities in on-premise SharePoint servers to mitigate potential damage.…
Rapid7’s Incident Response team investigated a Microsoft Exchange service account breach that led to unauthorized access and lateral movement across the network. The attacker exploited a vulnerability in SharePoint (CVE-2024-38094) to gain initial access and remained undetected for two weeks, compromising the entire domain.…
Sophos has been actively combating multiple threat actors based in China who target perimeter devices, particularly Sophos firewalls. This article outlines a timeline of notable activities by these actors, detailing their tactics, techniques, and procedures (TTPs), as well as Sophos’s responses and collaboration with third-party reports for attribution and context.…
Summary: A recently patched security vulnerability in Styra’s Open Policy Agent (OPA) could have allowed attackers to leak NTLM hashes, potentially leading to credential theft and relay attacks. The flaw, tracked as CVE-2024-8260, was addressed in version 0.68.0 after responsible disclosure.
Threat Actor: Unknown
Victim: Styra
Key Point:
The vulnerability allows leakage of NTLM credentials from the OPA server’s local user account to a remote server.…

Short Summary:
In Q3 2024, APT groups from China, North Korea, Iran, and Russia intensified their cyber operations, employing sophisticated techniques and targeting critical infrastructure. Chinese APTs focused on network devices, North Korean actors escalated attacks on various sectors, Iranian groups expanded their espionage efforts, and Russian actors utilized social engineering tactics.…
Summary: Microsoft has issued new guidance to help organizations defend against Kerberoasting attacks, which exploit the Kerberos authentication protocol to steal Active Directory credentials. The guidance emphasizes the importance of strong password policies and encryption methods to mitigate risks associated with these evolving cyber threats.
Threat Actor: Cybercriminals
Victim: Organizations with Active Directory
Key Point:
Kerberoasting attacks involve requesting service tickets encrypted with account password hashes, allowing attackers to perform offline brute-force attacks.…

Summary:
A recent security alert reveals that attackers are exploiting known vulnerabilities in Zyxel security appliances to steal credentials and gain unauthorized access through SSL VPN tunnels. Administrators are urged to update firmware and implement security best practices to mitigate these risks.
Threat Actor: Unknown
Victim: Zyxel
Key Point:
Attackers exploit vulnerabilities in the ATP and USG FLEX series running outdated firmware (ZLD V4.32 to ZLD V5.38).…

Summary:
Trend Micro’s investigation into the Earth Simnavaz APT group reveals their advanced tactics targeting critical sectors in the UAE, utilizing sophisticated malware and exploiting vulnerabilities for espionage and data exfiltration.
Key Points:
Group Identification: Earth Simnavaz, also known as APT34 and OilRig, is linked to Iranian interests.…

Short Summary:
This article discusses a vishing attack that targeted a remote employee in the hospitality sector, leading to unauthorized access to the customer’s network. Darktrace’s anomaly-based threat detection successfully identified and mitigated the attack, preventing data loss and reinforcing the importance of robust security measures against social engineering tactics.…
Silent Push research reveals that the FIN7 threat group is employing new tactics, including the use of an AI “DeepNude Generator” across multiple websites to distribute malware. The group continues to utilize browser extension lures to deliver the NetSupport RAT, posing significant risks to organizations by compromising credentials and facilitating ransomware attacks.…
Short Summary:
Trend Micro’s MDR team successfully mitigated a more_eggs infection, which was initiated through a spear-phishing email that tricked a recruitment officer into downloading a malicious file disguised as a resume. Utilizing the Vision One platform, the team automated the response to the threat by implementing custom filters and a security playbook.…
Summary: Microsoft has reported a multi-staged attack by the threat actor Storm-0501, which compromised hybrid cloud environments leading to data exfiltration, credential theft, and ransomware deployment across various sectors in the United States. This financially motivated cybercriminal group has evolved from targeting educational institutions to exploiting vulnerabilities in cloud infrastructures, emphasizing the need for enhanced security measures in hybrid environments.…
Short Summary:
In November 2023, a BlackCat ransomware intrusion was initiated by Nitrogen malware, which was disguised as Advanced IP Scanner. The attack involved deploying Sliver and Cobalt Strike beacons, lateral movement using various tools, and ultimately the deployment of BlackCat ransomware after exfiltrating data using the Restic backup tool.…
In light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.…