The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.
Atlassian’s Confluence is a major collaboration platform used by many companies across the globe. Being a web-based platform, services such as managing projects and collaboration are mainly provided by Confluence Servers (or Confluence Data Centers).…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Last Updated: July 20, 2022
IntroductionThe Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries. The attack campaign has been tracked by STR as STIFF#BIZON.…
Published On : 2022-07-13
NukeSped RAT ReportSuspected Malware: NukeSped MalwareFunction: RATRisk Score: 8Confidence Level: HighThreat actor Associations: Lazarus Group (North Korea)
Executive Summary:The NukeSped malware is a remote access trojan (RAT) and has been attributed to the threat actor Lazarus Group. The group has been active since 2009 and remain active in 2022 and continue its operation to target countries mainly in Asia Pacific Region.…
Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.…
Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script.…
This research was conducted by Michael Mullen and Nikolaos Pantazopoulos from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
Summary tl;drIn the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.…
Following on from our earlier Owowa discovery, we continued to hunt for more backdoors potentially set up as malicious modules within IIS, a popular web server edited by Microsoft. And we didn’t come back empty-handed…
In 2021, we noticed a trend among several threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities within Microsoft Exchange servers.…
During our routine Threat-Hunting exercise, Cyble Research Labs came across a new stealer named “PennyWise” shared by a researcher. The stealer appears to have been developed recently. Though this stealer is fresh, the Threat Actor(s) (TA) has already rolled an updated version, 1.3.4.
Our investigation indicates that the stealer is an emerging threat, and we have witnessed multiple samples of this stealer active in the wild.…
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Since it became operational in April, Black Basta has garnered notoriety for its recent attacks on 50 organizations around the world and its use of double extortion, a modern ransomware tactic in which attackers encrypt confidential data and threaten to leak it if their demands are not met.…
Since the beginning of 2022, ThreatLabz has been closely monitoring the activities of the Evilnum APT group. We identified several instances of their low-volume targeted attack campaigns launched against our customers in the UK and Europe region.
The new instances of the campaign use updated tactics, techniques, and procedures.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The downloaded app has the same functionality as recently encountered Hydra variants targeting Columbia.…
June 15, 2022
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…
This post is also available in: 日本語 (Japanese)
Executive SummaryHelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.…
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
tl;drThis blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.…
This post is also available in: 日本語 (Japanese)
Executive SummaryTo better detect attacks that affect the actions of signed applications – such as supply-chain attacks, dynamic-link libraries (DLL) hijacking, exploitation and malicious thread injection – we have devised a suite of analytics detectors that are able to detect global statistical anomalies.…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.…