Executive Summary
Executive Summary: Over the past 90 days, Unit 42 researchers have identified two Chinese advanced persistent threat (APT) groups conducting cyberespionage activities against entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN):
The first APT group, Stately Taurus, created two malware packages we believe targeted entities in Myanmar, the Philippines, Japan and Singapore.…
Overview
This week, the SonicWall Capture Labs threat research team analyzed a new Golang malware sample. It uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate in the Windows registry for HTTPS communication with the C2. No malware family is currently affiliated with it, but the IP and URL addresses have been used by AgentTesla, GuLoader, PureLog Stealer and others.…
Article Summary: 🔒 Giant Tiger, a discount retailer, experienced a security breach involving customer information. 📧 The compromised data included names, emails, phone numbers, and addresses of customers. 🛡️ Giant Tiger is working to resolve the issue and has hired cybersecurity experts for an independent investigation.…
Article Summary: 🔒 Another city in Florida, St. Cloud, has been hit by a ransomware attack affecting city services. 🚨 City departments are operating as best as possible until the issue is resolved. 💳 In-person payments for Parks and Recreation events are temporarily cash-only. 🚓 Police and Fire Rescue are still responding to calls for service.…
Typically spread through malicious attachments, drive-by downloads, or social engineering, Remcos RAT has been active since 2016. Initially presented by BreakingSecurity, a European company, as a legitimate remote control tool, it has since been exploited by threat actors for nefarious purposes, despite claims of restricted access for lawful use.…
This blog entry discusses the Agenda ransomware group’s use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.
Since its discovery in 2022, the Agenda ransomware group (also known as Qilin) has remained active and under development. Agenda, which Trend Micro tracks as Water Galura, continues infecting victims globally, with the US, Argentina, Australia, and Thailand among its top targets (based on the threat actor’s leak site data).…
Earlier last week, I ran into a sample that turned out to be PureCrypter, a loader and obfuscator for all different kinds of malware such as Agent Tesla and RedLine.
Upon further investigation, I developed Yara rules for the various stages, which can be found here (excluding the final payload):
PureZip
PureCrypter
2nd stage downloader (PureLogStealer related)
With that out of the way, all of this reminded me of the fact that we can also write Yara rules for unique identifiers specific to malware written in .NET,…
AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”.…
To enhance our threat intelligence, improve detection and identify new threats, Sekoia analysts engage in continuous hunting to address the main threats affecting our customers. For this, we proactively search and identify emerging threats, using our telemetry data, internal tools and external services.
In October 2023, our daily threat hunting routine led us to uncover a new Adversary-in-The-Middle (AiTM) phishing kit allegedly used by multiple threat actors to carry out widespread and effective attacks.…
The Department of Transportation (DOT) will review data collection practices for the country’s 10 largest airlines in a bid to improve passenger privacy protections, Secretary Pete Buttigieg said on Thursday.
The department said it will examine airline policies and training in handling passengers’ sensitive personal data and will ensure it is “not improperly monetized or shared with third parties,” according to a press release. …
Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023’s most resonant attacks was Operation Triangulation, targeting iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals.…
📂 After extracting the zip file, OLEtools was used to handle an Office file, specifically a PowerPoint file. 🔍 OLEtools and olevba were used to analyze Macros within the PowerPoint file. 🔗 Suspicious URLs were found in the Macros, linked to Pastebin and configured under the ‘AutoOpen’ feature.…
Executive Summary: This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors.…
During an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting the F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of ConnectWise ScreenConnect CVE-2024-1709 by the same actor. The mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174.…
A threat actor going by the name verifiedBpp has purportedly put up for sale a significant amount of data allegedly sourced from the Saudi Ministry of Health. The dataset, spanning from 2020 to 2024, comprises 100 GB of information, including sensitive personal details such as full names, addresses, telephone numbers, blood types, patient records, staff internal messages, and emails.…
Healthcare, HIPAA/HITECH, Industry Specific
Facing AHA Lawsuit, HHS Tempers 2022 Warning About Tracking IP Addresses, Other PHI Marianne Kolbasuk McGee (HealthInfoSec) • March 19, 2024
HHS OCR has revised its previous guidance pertaining to the use of online trackers by HIPAA-regulated entities in patient portals and other websites.…
Last updated at Thu, 21 Mar 2024 13:20:04 GMT
Co-authors are Christiaan Beek and Raj Samani
Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant.…
Russian state hackers are performing targeted phishing campaigns in at least nine countries spread across four continents. Their emails tout official government business and, if successful, threaten not just sensitive organizational data, but also geopolitical intelligence of strategic importance.
Such a sophisticated, multi-pronged plot could only be wrought by a group as prolific as Fancy Bear (aka APT28, Forest Blizzard, Frozenlake, Sofacy Group, Strontium, UAC-028, and many more aliases still), which IBM X-Force tracks as ITG05 in a new report.…