Date Reported: 2024-06-14
Country: Taiwan
Victim: GlobalWafers | gw-semi.com
Additional Information:
GlobalWafers, a manufacturer of silicon wafers for semiconductors, has reported a cyberattack that has affected certain production lines. The company will use existing stocks to fulfill orders, but delivery delays may occur until the third quarter.…
Tag: CHINA
This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime.
This blog is based on our presentation at Botconf 2024. It can be viewed here.
Introduction
Since 2022, we have been investigating numerous targeted attacks in the Asia-Pacific region that used the same ELF backdoor.…
Check Point Research reported a Foxit PDF Reader vulnerability that threat actors have begun exploiting, putting the application’s users at risk. When exploited, the bug triggers security warnings that may deceive unsuspecting users into executing harmful commands.
The WhoisXML API research team, in a bid to shed more light on the issue by uncovering more potential attack vectors, expanded a public list of indicators of compromise (IoCs).…
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape, shaped by a complex interplay of global and local threats that poses significant risks to individuals, organizations, and critical sectors of Brazilian society.…
Threat Actor: Cyber hacker suspected to be living in China’s Zhejiang Province | Cyber hacker suspected to be living in China’s Zhejiang Province
Victim: Japanese netizens | Japanese netizens
Price: $150
Exfiltrated Data Type: Personal identity information (PII)
Additional Information:
The data sets were discovered in early 2017.…
Summary: Chinese crime syndicates have shifted their operations from illicit gambling houses to online cybercrime fraud, targeting vulnerable victims worldwide through romance scams and other long-con cyber fraud.
Threat Actor: Chinese crime syndicates posing as investors | Chinese crime syndicates
Victim: Vulnerable victims worldwide | vulnerable victims
Key Point:
Chinese crime syndicates have shifted their operations from illicit gambling houses to online cybercrime fraud.…
Summary: The content discusses the increase in vulnerabilities in Internet of Things (IoT) devices, with a particular focus on the most vulnerable device types and the targeting of enterprise IoT devices by threat actors.
Threat Actor: Not specified | N/A
Victim: Not specified | N/A
Key Point:
The proportion of IoT devices with vulnerabilities has risen from 14% in 2023 to 33% in 2024, according to a report by Forescout.…
ValleyRAT is a remote access trojan (RAT) that was initially documented in early 2023. Its main objective is to infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines. ValleyRAT is commonly distributed through phishing emails or malicious downloads.…
Threat Actor: Unknown | Unknown
Victim: State Grid Corporation of China (SGCC) | State Grid Corporation of China
Price: $1000
Exfiltrated Data Type: Corporate user accounts, user information, department details, roles, eIDs, usernames, phone numbers, emails, employee numbers, passwords
Additional Information:
A threat actor claims to have gained access to a third-party system and acquired sensitive information belonging to the State Grid Corporation of China (SGCC).…
Summary: Chinese threat actors are targeting vulnerable ThinkPHP applications to install a persistent web shell named Dama, allowing further exploitation of breached endpoints.
Threat Actor: Chinese threat actors | Chinese threat actors
Victim: ThinkPHP applications | ThinkPHP applications
Key Point:
Chinese threat actors are exploiting the vulnerabilities CVE-2018-20062 and CVE-2019-9082 in ThinkPHP applications to install the Dama web shell.…
Cybercriminals can launch distributed denial-of-service (DDoS) attacks with relative ease these days by using DDoS booter services, online services that automate the DDoS attack process.
WhoisXML API threat researcher Dancho Danchev recently uncovered a list of the user information for a popular DDoS booter service, which our research team used to create a profile and expand to identify related artifacts.…
Summary: A severe security flaw in the design of RISC-V processors has been identified, posing a threat to China’s domestic semiconductor sector and enabling cyber attackers to bypass security measures.
Threat Actor: Chinese research team | Chinese research team
Victim: China’s expanding domestic semiconductor/Chip sector | China’s expanding domestic semiconductor/Chip sector
Key Point:
A severe security flaw has been discovered in the design of RISC-V processors, allowing cyber attackers to bypass security measures without administrative rights.…
Written by: Michelle Cantos, Jamie Collier
Executive Summary
Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event.…
In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR’s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed “Crimson Palace” targeting a high-profile government organization in Southeast Asia.
MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe,…
Published On : 2024-06-06
Mustang Panda, also known as Bronze President, is a Chinese cyber threat actor, active since 2012. This group has launched cyberattacks against organizations worldwide, targeting foreign governments, NGOs, and other entities deemed adversaries of the Chinese Communist Party. Mustang Panda is notorious for its sophisticated spear-phishing campaigns, which utilize the target’s native language and often impersonate government services.…
Summary: Chinese state-aligned threat clusters collaborated to steal sensitive military and political secrets from a high-profile government organization in Southeast Asia.
Threat Actor: Chinese state-aligned threat clusters | Chinese state-aligned threat clusters
Victim: High-profile government organization in Southeast Asia | High-profile government organization in Southeast Asia
Key Point:
The attack, known as “Operation Crimson Palace,” involved new malware tools, DLL sideloading efforts, and evasion techniques.…
In this blog entry, our researchers provide an analysis of TargetCompany ransomware’s Linux variant and how it targets VMware ESXi environments using new methods for payload delivery and execution.
Summary
The TargetCompany ransomware group is now employing a new Linux variant that uses a custom shell script as a means of payload delivery and execution, a technique not seen in previous variants.…
Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia.…
This blog is based on collaboration between Infoblox Threat Intel and co-author, Dave Mitchell. The campaign research reported here was completed in January 2024, while our findings on DNS amplification cover the past year.
A global scale domain name system (DNS) probing operation that targets open resolvers has been underway since at least June 2023.…