Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements.
Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.…
Read More Tag: EDR
February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.
One malware family we have been tracking on this blog is FakeBat.…
Snake Keylogger is a Trojan Stealer that emerged as a significant threat in November 2020, showcasing a fusion of credential theft and keylogging functionalities. Developed using .NET, its arsenal includes keystroke logging, harvesting stored credentials, and capturing screenshots. Moreover, it exhibits an adeptness in gathering clipboard data, browser credentials, and conducting system and network reconnaissance.…
This post is also available in: 日本語 (Japanese)
Executive SummaryMuddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.…
Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to Russia’s Main Intelligence Directorate (GRU) for Special Technologies (GTsST) military Unit 74455.
Sandworm is characterized by the use of malware families specifically designed to compromise Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems found in entities located in the Energy, Government, and Media sectors.…
Malicious actors were detected abusing the open-source hypervisor platform QEMU as a tunneling tool in a cyberattack against a large company.
QEMU is a free emulator and hypervisor that allows you to run other operating systems as guests on a computer.
As part of the attack, threat actors used QEMU to create virtual network interfaces and a socket-type network device to connect to a remote server.…
Every month the Nextron Threat Research Team (NTRT) shares insights into evasive threats that we’ve seen in the wild via our Valhalla service. The aim is to highlight interesting samples our rules detected and have or had very low detection rates as reported by VirusTotal scanning.…
Key TakeawaysThe Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK.The malware was used in post-compromise activity following exploitation of a ScreenConnect application.BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky).The…
Read More In the realm of cybersecurity, understanding the various data types within an infrastructure is essential for effective defense and management. These data types serve as the foundation for identifying, analyzing, and responding to potential threats. Let’s delve into the four critical data types: traffic data, state data, event data, statistical data, and organizational data, to understand their significance and application in security.…
BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges. At this level of access, attackers can accomplish a lot: hide malware, dump credentials, and, crucially, attempt to disable EDR solutions.…
[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1].
IntroFrom a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to capture the attention of several members, myself included.…
SUMMARY
Read More Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Background
Read More On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affiliates as “ransomware-as-a-service” (RaaS). The FBI also developed a decryption tool that was made available to organizations impacted by this RaaS variant, in an effort to help them recover and resume business operations. …
It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.
Fast forward to 2024 and the same malvertising campaigns are still going on.…
Key PointsAvast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.
Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.
The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. …
Read More By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr: In order for malware to successfully infect its target, code obfuscation passed into cmd.exe is frequently used. Let’s look at some real-world examples of what threat actors are doing, and how they can be detected.…
Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated attacks. This ransomware attack was coordinated and impacted two separate companies simultaneously.…
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.
Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).…
Table of Contents:
Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.
In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.…
PIKABOT at a glance
Read More PIKABOT is a widely deployed loader malicious actors utilize to distribute payloads such as Cobalt Strike or launch ransomware. On February 8th, the Elastic Security Labs team observed new PIKABOT campaigns, including an updated variant. This version of the PIKABOT loader uses a new unpacking method and heavy obfuscation.…