SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.…

Executive Summary

In December 2023, S2W’s threat intelligence center (a.k.a. Talon) discovered and continuously tracked the Rust-based macOS malware named RustDoor (a reference to the name given by BitDefender) disguised as a VisualStudio update. Through further analysis, we identified the Windows version of RustDoor, which we named GateDoor because it was written in Golang rather than Rust.…

Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live off the stolen money, but also to reinvest into their shady practice.…


Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…


DarkGate is a commodity loader written in Borland Delphi that was first identified in 2018 and has been advertised under the Malware-as-a-Service (MaaS) business model on popular cybercrime forums since June 2023.

It has a wide range of capabilities, such as the ability to download and execute files in memory, environment reconnaissance and information gathering, privilege escalation, remote access software deployment, and a Hidden Virtual Network Computing (HVNC) module.…


Threat actors of advanced capability seek to compromise network edge devices such as Ivanti systems to establish advanced footholds, from which to perform targeted reconnaissance identifying organizations with data of high value. Three vulnerabilities recently announced in Ivanti systems underscore the importance of layered security for internet-exposed systems.…

Identifying the Exploit

In November 2023, the Huntress team identified novel indicators of an attack where the threat actor used finger.exe (top portion illustrated in Figure 1) to exfiltrate reconnaissance information from an endpoint. Due to the novelty of the observed activity, Huntress analysts conducted a thorough analysis of the available data, documented and shared the findings internally, and then published a blog post to share those findings with the community.…

Key Takeaways

As per our initial observations, this campaign employs language-specific HTML files to trap unsuspecting victims, tailoring its approach based on linguistic nuances. Through the strategic embedding of zip archives within HTML files, the campaign orchestrates a series of intricate infiltration maneuvers, evading detection and executing malicious payloads.…

In late 2023, a new and distinct ransomware group named 3AM Ransomware emerged. It came to the forefront as a fallback for other ransomware, notably during failed deployments of the infamous LockBit ransomware, and later for its interesting choice of website.

First reported by Symantec, the discovery and emergence of 3AM Ransomware marked a notable and interesting event in the cybercrime world.…


The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412, which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…


Executive Summary

EclecticIQ analysts observed that cybercriminals increased the delivery of the DarkGate loader following the FBI’s takedown of Qakbot infrastructure in August 2023 [1]. EclecticIQ analysts assess with high confidence that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate.…


The Sandman APT group has garnered massive attention in 2023 for its targeted attacks against telecommunications providers in regions including Europe and Asia. As revealed by Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence, Sandman utilizes a unique and sophisticated LuaJIT-based modular backdoor, LuaDream, and distinguishes itself through a strategic and stealthy approach, minimizing detection risks and leaving a minimal digital footprint.…


[Update] March 20, 2024: “Technical Documentation and Detailed Exploit Code on CVE-2024-21762”

[Update] March 18, 2024: “PoC Exploit for FortiOS SSL VPN Vulnerability (CVE-2024-21762) Emerges on a Hacker Forum”

[Update] March 11, 2024: “Nearly 150,000 FortiOS Devices Are Vulnerable to CVE-2024-21762”

[Update] February 16, 2024: “Scanning Activity Detected for CVE-2024-22024 in Ivanti; Thousands of Instances Are Still Vulnerable”

Fortinet has revealed a new critical Remote Code Execution (RCE) vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks.…


On February 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) assessing that People’s Republic of China (PRC) state-sponsored cyber actors were seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S.…


By Jungsoo An, Wayne Lee and Vanja Svajcer.

Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years.…