In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk.…
Tag: EXPLOIT
Affected Platforms: All OSImpacted Parties: Online ShoppersImpact: Loss of personally identifiable information and/or moneySeverity Level: Low
As we approach the end of 2022, we reflect on a year filled with dramatic changes across the globe and a heightened threat environment, which raises questions about what is to come in 2023.…
There’s a common saying in cyber security, “you can’t protect what you don’t know,” and this applies perfectly to the attack surface of any given organization.
Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant.…
December 8, 2022 update – Reflected additional research on Boa-related CVEs and updated supply chain diagram.
Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries.…
Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
This report analyzes the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.…
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.• Enable and enforce multifactor authentication with strong passwords• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.…
Share this blog
Web browsers contain the most lucrative pieces of information about a user and thus are becoming an interesting target for malware developers. Every keystroke or session cookie can contain very private information about a user, and access to such information can create critical security and privacy issues.…
What is FormBook malware?
Read More
FormBook stealer is an infostealer trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.
Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions including the ability to pull stored and recorded user input.…
Raccoon is an information stealer malware — a virus that threat actors use to retrieve sensitive data from infected machines. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.
Although some consider this a relatively basic malware, excellent service from creators, who distribute it as malware as a service and a user-friendly, simplistic dashboard, helped make Raccoon quite popular.…
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
Introduction With the rise in attention to Cobalt Strike from network defenders, attackers have been looking to alternative command-and-control (C&C) frameworks Among these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number of publications.…By Antonio Cocomazzi and Antonio Pirozzi
Executive Summary SentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques. SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7. Black Basta maintains and deploys custom tools, including EDR evasion tools.…By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
IntroductionA recently released critical vulnerability for Apache Commons Text library is currently being exploited in the wild. The Apache Commons project provides a large number of Java-based utilities and packages for a wide range of applications.…
Introduction
Read More
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.…
While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox.…
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
Qbot, also known as Qakbot or Pinksliplot is actively developed and capable of a number of functions from reconnaissance, lateral movement, data exfiltration, to delivering other payloads acting as an initial access broker.…
Introduction
VNC is an acronym for Virtual Network Computing. It is a way of controlling a computer remotely from another computer. VNC is similar to a Remote Access Tool (RAT). But unlike a RAT, VNC is a cross-platform screen sharing system that allows full keyboard and visual control, as if you were physically present at the remote host.…
BlackCat
Known for its unconventional methods and use of advanced extortion techniques, BlackCat has quickly risen to prominence in the cybercrime community. As this ransomware group forges its way to gain more clout, we examine its operations and discuss how organizations can shore up their defenses against it.…
FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.…
The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC blog has also covered attacks targeting Apache Tomcat servers with the vulnerable JBoss version installed.…