Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Summary
Actions to take today to mitigate cyber threats from ransomware:
Install updates for operating systems, software, and firmware as soon as they are released. Require phishing-resistant MFA for as many services as possible. Train users to recognize and report phishing attempts.Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
This post is also available in: 日本語 (Japanese)
Executive SummaryPalo Alto Networks Advanced URL Filtering subscription collects data regarding two types of URLs; landing URLs and host URLs. We define a malicious landing URL as one that provides an opportunity for a user to click a malicious link.…
While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.…
Author: Tomer Bar, VP Security Research, SafeBreach
As part of our ongoing commitment to conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks, the SafeBreach Labs research team recently discovered a new fully undetectable (FUD) PowerShell backdoor that leverages a novel approach of disguising itself as part of the Windows update process.…
was first documented in May 2022 by researchers at Cybereason, who said the intelligence-gathering campaign had been operating under the radar since at least 2019, stealing intellectual property and other sensitive data from victims.
In the attacks observed by Symantec, the attackers remained active on some networks for more than a year.…
This post is also available in: 日本語 (Japanese)
Executive SummaryRansom Cartel is ransomware as a service (RaaS) that surfaced in mid-December 2021. This ransomware performs double extortion attacks and exhibits several similarities and technical overlaps with REvil ransomware. REvil ransomware disappeared just a couple of months before Ransom Cartel surfaced and just one month after 14 of its alleged members were arrested in Russia.…
Minutes make the difference to defenders in responding to a ransomware attack on a victim’s network. BianLian ransomware raises the cybercriminal bar by encrypting files with exceptional speed.
Threat actors built the new BianLian ransomware in the Go programming language (aka Golang). Despite the large size of files created in Go, threat actors are turning to this “exotic” programming language more often for a variety of reasons, particularly its robust support for concurrency.…
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
High
Analysis SummaryLockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network. LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.…
ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.…
Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.
‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.
In this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter.…
During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet where a researcher mentioned the creation of multiple fake Zoom sites. All these sites have the same user interface. These sites are created with the express intent of spreading malware disguised as the legitimate Zoom application.…
UPD: A notice on Google’s response to the issue was added.
An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer.…
While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.…
a well-known technique that involves attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application themselves (having installed it themselves in most cases). The legitimate application then loads and executes the payload.…
Beginning with macOS 10.12 (Sierra), Apple introduced a key change to how logging was done on their systems. This new logging system replaced common Unix logs with macOS Unified Logs. These logs can provide forensic investigators a valuable artifact to aid in investigating macOS systems or other Apple devices.…
While conducting our routine threat hunting exercises, Cyble Research and Intelligence Labs (CRIL) came across instances of the PowerShell Empire command and control (C&C) infrastructure. The PowerShell Empire is a post-exploitation red teaming tool used for creating stagers that connect to C&C servers after an initial compromise through vectors such as phishing emails, exploiting public-facing IT systems, and watering hole attacks, etc.…
Author: Tomer Bar, VP Security Research, SafeBreach
SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of this ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons:
It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.…