Key TakeawaysCyble Research and Intelligence Labs (CRIL) encountered an executable file obtained from a deceptive URL masquerading as a fake Russian government site, possibly distributed via spam emails.
The downloaded executable file is identified as SapphireStealer, disguised with a PDF icon, designed to deceive users into believing it is a PDF document. …
Read More Tag: EXFILTRATION
Mar 06, 2024NewsroomCyber Crime / Ransomware
The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said.…
Mar 06, 2024The Hacker NewsData Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn’t anyone’s fault; it’s inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.…
Intel-Ops
·
Follow
9 min read ·Mar 5, 2024
—
On February 29th 2024, CISA released an advisory on Phobos ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
Intel-Ops is actively tracking infrastructure assessed to belong to the 8Base Ransomware group, an operator of Phobos ransomware. Our Threat Intel customers will be proactively blocking this threat.…
Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines. For an example of how Rclone may be used, see case study below.
AnyDesk: A legitimate remote desktop application. By installing it, attackers can obtain remote access to computers on a network. Malicious…
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
Published On : 2024-03-05
EXECUTIVE SUMMARYAt CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.
This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddlerShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.…
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.…
A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS).
The researchers are from the Georgia Institute of Technology and they have published a paper detailing this ICS security project.…
Executive summary
Read More In 2023, Account Takeover (ATO) was confirmed to be among the most harmful types of fraud for online banking customers. At Cleafy, we have seen that 90% of fraud attempts are still conducted via Account Takeover, and our forecasts expect this number to stay flat in 2024.…
U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.
“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S.…
On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Phobos Ransomware variants observed as recently as February 2024.…
I-Soon’s commercial offering reveals that their main issue is processing collected data, not breaching their targets in the first place. Their products leverage deep learning to help them sort and classify stolen documents.
The company appears to have trouble sourcing malware and relies on generally crude methods (i.e.,…
Read More
Key TakeawaysIn February 2023, we detected an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.Around nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt Strike beacon payload directly into the host’s registry, and then executed it in memory.…
Read More [This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1].
IntroFrom a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to capture the attention of several members, myself included.…
In October 2023, the network of a Darktrace customer was targeted with ALPHV, or BlackCat, ransomware. An investigation into the attack revealed the usage of methods associated with the Nitrogen campaign, such as ‘malvertising’ and the distribution of malicious Python packages.
As-a-Service malware trendingThroughout the course of 2023, “as-a-Service” strains of malware remained the most consistently observed threat type to affect Darktrace customers, mirroring their overall prominence across the cyber threat landscape.…
SUMMARY
Read More Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
SUMMARY
Read More The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities.…
Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated attacks. This ransomware attack was coordinated and impacted two separate companies simultaneously.…