Executive Summary
On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMWare ESXi vulnerability for which a patch has been available since February 2021.Shortly after the warnings’ publication, SecurityScorecard developed an emergency informational signal to give customers visibility into potentially impacted servers.…
EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation – a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.…
We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.
In 2021, we observed several targeted attacks against researchers of academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified the new intrusion set we have named “Earth Yako”.…
ASEC(AhnLab Security Emergengy response Center) 분석팀은 지난 1월 RedEyes 공격 그룹(also known as APT37, ScarCruft)이 한글 EPS(Encapulated PostScript) 취약점(CVE-2017-8291)을 통해 악성코드를 유포하는 정황을 확인하였다. 본 보고서에서는 RedEyes 그룹의 최신 국내 활동에 대해 공유한다.
1. 개요RedEyes 그룹은 기업이 아닌 특정 개인을 대상으로 개인 PC 정보 뿐만 아니라 휴대전화 데이터까지 탈취하는 것으로 알려져있다.…
By John Fokker, Alfred Alvarado, Tim Hux, Jeffrey Sman, Joao Marques · February 09, 2023
Figure 1: Global Telemetry from Trellix ATLAS for Ips connecting to port 427
Introduction:Early this week, VMware issued a publication regarding a massive global ransomware campaign targeting “End of General Support (EOGS) and/or significantly out-of-date ESXi products.”…
Morphisec has recently identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints.…
This post is also available in: 日本語 (Japanese)
Content WarningWe are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.…
Executive Summary
On January 3, local media reported that a major U.S. city’s housing authority had suffered a ransomware attack. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident. As of this publication, the housing authority has announced a disruption, but has not elaborated on the nature of the event.…Last week, unknown threat actors started targeting, en masse, VMware ESXi hypervisors using CVE-2021-21974, an easily exploitable pre-authorization remote code execution vulnerability. Experts from Bitdefender Labs have been monitoring these exploitation attempts. Guided by our telemetry, we are providing a technical advisory to describe these attacks and document our own detections in the wild.…
On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic – a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation – but further analysis revealed a more interesting set of circumstances.…
This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post.
This group has always relied on open-source tools and lacked any distinct characteristics to profile them due to the lack of PDB information.…
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
In this blog post we will be analyzing the recent “ESXiArgs” Ransomware variant, which spread to a large number of outdated, internet-exposed ESXi Servers around the world.
Attack VectorsIn the past Ransomware targeting ESXi Hypervisors was largely human-operated as a later stage of general Ransomware attack, where other Assets (Clients, Servers) are encrypted first.…
On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware. The report also stated that the Threat Actors (TAs) leveraging a two-year-old vulnerability tracked as CVE-2021-21974. According to VMware, ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG contain a heap overflow vulnerability in OpenSLP.…
Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers.…
T1190 – Exploit Public-Facing Application Has been observed to be exploiting the following vulnerabilities for initial access: • Magnitude exploit kit • CVE-2016-0189 • CVE-2018-8174 • CVE-2019-1367• Scripting Engine Memory Corruption Vulnerability (Internet Explorer) • CVE-2020-0968• Internet Explorer Memory Corruption Vulnerability • CVE-2021-26411• Remote code execution vulnerability in MSHTML (Internet Explorer) • CVE-2021-40444• PrintNightmare • CVE-2021-34527
T1059.003 – Command and Scripting Interpreter: Windows Command ShellMagniber uses cmd.exe…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.…
Last updated at Wed, 25 Jan 2023 20:23:13 GMT
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products.…
Written by Jon DiMaggio.
Table of Contents
I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred.…
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.…