Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements. Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.…
Read More

Snake Keylogger is a Trojan Stealer that emerged as a significant threat in November 2020, showcasing a fusion of credential theft and keylogging functionalities. Developed using .NET, its arsenal includes keystroke logging, harvesting stored credentials, and capturing screenshots. Moreover, it exhibits an adeptness in gathering clipboard data, browser credentials, and conducting system and network reconnaissance.…

Read More

Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to Russia’s Main Intelligence Directorate (GRU) for Special Technologies (GTsST) military Unit 74455.

Sandworm is characterized by the use of malware families specifically designed to compromise Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems found in entities located in the Energy, Government, and Media sectors.…

Read More

Malicious actors were detected abusing the open-source hypervisor platform QEMU as a tunneling tool in a cyberattack against a large company.

QEMU is a free emulator and hypervisor that allows you to run other operating systems as guests on a computer.

As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.…

Read More
Key TakeawaysThe Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK.The malware was used in post-compromise activity following exploitation of a ScreenConnect application.BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky).The…
Read More

In the realm of cybersecurity, understanding the various data types within an infrastructure is essential for effective defense and management. These data types serve as the foundation for identifying, analyzing, and responding to potential threats. Let’s delve into the four critical data types: traffic data, state data, event data, statistical data, and organizational data, to understand their significance and application in security.…

Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More
Background

On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affiliates as “ransomware-as-a-service” (RaaS). The FBI also developed a decryption tool that was made available to organizations impacted by this RaaS variant, in an effort to help them recover and resume business operations. …

Read More
Key PointsAvast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.  Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.  The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. …
Read More

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: In order for malware to successfully infect its target, code obfuscation passed into cmd.exe is frequently used. Let’s look at some real-world examples of what threat actors are doing, and how they can be detected.…

Read More

Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. 

Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).…

Read More

Table of Contents: 

Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.

In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.…

Read More