Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize and remediate known exploited vulnerabilities.• Train users to recognize and report phishing attempts.• Enable and enforce multifactor authentication.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to be a direct link between these two malware families. The Ares DGA may be an effort for the threat actor to maximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems through attacks such as wire fraud and ransomware.…
Recent studies show that more than 85% of financial institutions in Central and Western Africa have repeatedly been victimized in multiple, damaging cyberattacks. In a quarter of these cases, intrusions into network systems resulted in the worst possible outcomes for the financial and banking sector: information leaks, identity theft, money transfer fraud, and bank withdrawals on false checks.…
It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, like KillNet, Anonymous, IT Army of Ukraine, Legion Spetsnaz RF, have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the countries surrounding it and siding with Ukraine.…
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people.
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entitles, which was initially attributed to a new player known as Play ransomware.…
Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families including Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also attributed with WorldWind, and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.…
AsyncRAT is an open-source remote administration tool released on GitHub in January 2019. It’s designed to remotely control computers via encrypted connection, providing complete control via functionalities such as:
View and record screen Keylogger Upload, download and execute files Chat communication Persistence mechanisms Disable Windows Defender Shutdown / Restart the machine DOS attackAlthough the official GitHub repository contains a legal disclaimer, AsyncRAT is popularly used by attackers and even some APT groups.…
By Adithya Chandra · August 24, 2022This blog was also written by Sushant Kumar Arya
Executive summaryThe Trellix SecOps Team has observed an uptick in the Qbot malware infections in recent months. Qbot has been an active threat for over 14 years and continues to evolve, adopting new infection vectors to evade detection mechanisms.…
IP;C&C domains
45[.]76[.]80[.]199;twiiio-sso[.]com, box-okta[.]org, kucoin-pin[.]com, boxokta[.]com, kucoin-sso[.]com 66[.]42[.]107[.]233;slack-mailchimp[.]com 45[.]32[.]66[.]165;microsoft-sso[.]net, sendgrid-okta[.]org, mlcrosoft[.]info, mlcrosoft[.]cloud 45[.]76[.]238[.]53;ouryahoo-okta[.]org, ouryahooinc-okta[.]com 155[.]138[.]240[.]251;sykes-sso[.]com, internai-customer[.]io, ouryahoo-okta[.]com, ouryahoo-okta[.]net, techmahindra-sso[.]com 149[.]28[.]37[.]137;qualfon-sso[.]com, twiiio[.]net, twiiio[.]org, teleperformanceusa-sso[.]com, tmo-sso[.]net, okta-sso[.]net 149[.]248[.]1[.]50;att-mfa[.]com, att-rsa[.]com 108[.]61[.]119[.]20;mcsupport-okta[.]com, mailgun-okta[.]com, sprint-idg[.]net 149[.]28[.]212[.]53;tmobie[.]net 140[.]82[.]63[.]209;kucoinpin[.]com, kucoinpin[.]net, twiiio-okta[.]net 144[.]202[.]82[.]47;kucoin-pin[.]net, kucoin-sso[.]net 45[.]63[.]39[.]116;telus-sso[.]com 149[.]248[.]62[.]54;rogers-rci[.]net, rogers-ssp[.]com, iqor-duo[.]net, iqor-portal[.]com, cgslnc-okta[.]com, conexusonline[.]com, klaviyo-sso[.]com 66[.]42[.]91[.]138;arise-okta[.]com 216[.]128[.]141[.]52;rogers-rci[.]com,…
This is the second blog post in a four-part series. Read Part 1 | Part 3 | Part 4.
In Part 1 of this four-part blog series examining wiper malware, we introduced the topic of wipers, reviewed their recent history and presented common adversary techniques that leverage wipers to destroy system data. …
Summary
Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.
Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).…
Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. Because obtaining and using pirated software is against the law, many individuals partaking in this type of behavior suspend proper scrutiny for the source of their download. As a result, whether they are good or bad people, victims across the world are paying the price with their private information for a single bad decision.…
Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
Affected Platforms: WindowsImpacted Parties: Windows usersImpact: Controls victim’s machine and collects sensitive informationSeverity Level: Medium
This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.…
Introduction
Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of different industry verticals such as Automotive, Chemicals Manufacturing and others. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute “Grandoreiro” a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America.…
This blog is a follow-up to our recent publication which described the details of a large-scale phishing campaign targeting enterprise users of Microsoft email services.
Beginning in mid-July 2022, ThreatLabz started observing instances of adversary-in-the-middle (AitM) phishing attacks targeted towards enterprise users of Gmail.…
During our threat hunting exercises in recent months, we’ve started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The RedCanary Research Team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name of QNAP Worm.…
This post is also available in: 日本語 (Japanese)
Executive SummaryBlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.
Ransomware is a malicious program designed to encrypt a user’s data and demand a ransom for the decryption. BlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption.…
This post is also available in: 日本語 (Japanese)
Executive SummaryBeginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.
Here, we start with an overview of the ransomware and focus on an evolution of behavior observed leading up to deployment of Cuba Ransomware.…
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.
BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.…