Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
In the past few months, a new wave of cyberattacks has been flooding Iran. These attacks are far from minor website defacements – the recent wave is hitting national infrastructure and causing major disruptions to public services.
This article provides an in-depth technical analysis of one of the attacks against the Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB) which occurred in late January 2022.…
By Amitai Ben Shushan Ehrlich and Yair Rigevsky
Executive SummarySentinelLabs has been tracking the activity of an Iranian-aligned threat actor operating in the Middle-East and the US. Due to the threat actor’s heavy reliance on tunneling tools, as well as the unique way it chooses to widely deploy those, we track this cluster of activity as TunnelVision.…Over the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously covered.
Among these attacks, we identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government.…
The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
— Sansec (@sansecio) January 25, 2022
Last week Sansec’s Early Breach Detection Network detected a mass breach of over 500 web stores running the Magento 1 ecommerce platform.…
Over the past seven months, SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor (also known as Jupyter or Polazert). First detected in 2020, the .NET malware usually delivered by a PowerShell installer has information harvesting and backdoor capabilities.…
case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack backdoor frequently deployed and a lot of evidence of credential dumping.…
A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.
A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.…
Over the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff. The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies by leaking sensitive, stolen data. …
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019.…
Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country.
Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets.…
Chaes is a banking trojan that operates solely in Brazil and was first reported in November 2020 by Cybereason. In Q4 2021, Avast observed an increase in Chaes’ activities, with infection attempts detected from more than 66,605 of our Brazilian customers. In our investigation, we found the malware is distributed through many compromised websites, including highly credible sites.…
On November 11th, Google TAG published a blogpost about watering-hole attacks leading to exploits for the Safari web browser running on macOS. ESET researchers had been investigating this campaign the week before that publication, uncovering additional details about the targets and malware used to compromise its victims.…
We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group’s favored Windows malware, Crimson RAT.
APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, has historically targeted Indian military and diplomatic resources.…
While monitoring the distribution source of malware in Korea, the ASEC analysis team has discovered that DDoS IRC Bot strains disguised as adult games are being installed via webhards. Webhards are platforms commonly used for the distribution of malware in Korea, where njRAT and UDP Rat were distributed in the past.…
In December 2021, the ThreatLabz research team identified several macro-based MS office files uploaded from Middle Eastern countries such as Jordan to OSINT sources such as VT. These files contained decoy themes related to geo-political conflicts between Israel and Palestine. Such themes have been used in previous attack campaigns waged by the Molerats APT.…
Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.…
At the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner, which has been integrated into Kaspersky products since the beginning of 2019. Further analysis has shown that a single component within the inspected firmware’s image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.…