By Juan Andres Guerrero-Saade (@juanandres_gs) and Max van Amerongen (@maxpl0it)
Executive Summary On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine. Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.…Tag: DISCOVERY
By Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil · March 28, 2022
For over a decade, the PlugX malware has been observed internationally with different variants found around the world. This blog covers a PlugX variant that we have named Talisman, a name we based on comparisons with other PlugX variants, and its rather long life since it first emerged in 2008.…
During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates.…
Malicious email and phishing scams are usually topical and follow a pattern of current events, and they typically are crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origin of the term “phishing.”…
Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:
lower sunk costs by using RaaS builders to reduce development time increase payouts with double extortion tactics by using their own data leak sites extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware groupAdvertised on the darkweb for Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020.…
A Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon
On March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an updated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the recommended mitigations.…
Executive Summary
Deep Instinct’s Threat Research team has found a new, undocumented malware developed in Golang
The malware is attributed to APT-C-23 (Arid Viper)
Further research revealed additional, previously unseen second-stage payloads
New Malware Variant Discovery: Arid Gopher
Read More
Our Threat Research team maintains a vigilant watch over the cyber threat landscape, hunting for malware as a normal course of operations.…
This is the story of piecing together information and research leading to the discovery of one of the largest botnet-as-a-service cybercrime operations we’ve seen in a while. This research reveals that a cryptomining malware campaign we reported in 2018, Glupteba malware, significant DDoS attacks targeting several companies in Russia, including Yandex, as well as in New Zealand, and the United States, and presumably also the TrickBot malware were all distributed by the same C2 server.…
ESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur due to its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor’s blind half-brother, who is tricked by Loki into killing their half-brother Baldr.…
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware“.…
Key Findings
Proofpoint identified a targeted attack leveraging an open-source package installer Chocolatey to deliver a backdoor.
The attack targeted French entities in the construction, real estate, and government industries.
The attacker used a resume themed subject and lure purporting to be GDPR information.
The attacker used steganography, including a cartoon image, to download and install the Serpent backdoor. …
Read More
STEELHOUND, STEELCORGI and Environment Variable Keying
Read More
UNC2891 often made use of the STEELCORGI in-memory dropper which decrypts its embedded payloads by deriving a ChaCha20 key from the value of an environment variable obtained at runtime. In many cases, Mandiant was unable to recover the requisite environment variables to decrypt the embedded payloads.…
This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.
With additional insights from Philippe Z Lin
Note: This article has been updated on March 17, 2022, 2:00 a.m.…
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.
This research analyzes this worming module’s kill chain and the procedures used to launch/control the module through the DirtyMoe service.…
Summary
Multifactor Authentication (MFA): A Cybersecurity Essential• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.•…
Cisco Talos has observed new cyber attacks targeting Turkey and other Asian countries we believe with high confidence are from groups operating under the MuddyWater umbrella of APT groups. U.S. Cyber Command recently connected MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS).
These campaigns primarily utilize malicious documents (maldocs) to deploy downloaders and RATs implemented in a variety of languages, such as PowerShell, Visual Basic and JavaScript.…
Read More
Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.…
8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.
Key Takeaways Proofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services. This targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.…
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware.
Read More
Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges.…
Over the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously covered.
Among these attacks, we identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government.…