This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
Tag: FIREWALL
Hàng tháng, Chúng tôi – GTSC tổng hợp lại các thông tin về bảo mật về APT, Malware, CVEs và gói gọn nó vào trong một bài tổng hợp.
1.1 Chimera GroupNCC Group và Fox-IT đã và đang theo dõi một nhóm tấn công với nhiều mục tiêu đa dạng, từ các sở hữu trí tuệ (IP) của các nạn nhân trong ngành công nghiệp chất bán dẫn cho đến dữ liệu từ ngành công nghiệp hàng không.…
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines. This activity has been ongoing since at least November 2021.
The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max and SketchUp Pro, with malicious scripts and uses Advanced Installer’s Custom Actions feature to make the software installers execute the malicious scripts.…
Read More
Published On : 2023-09-01
EXECUTIVE SUMMARYThe CYFIRMA research team has discovered a new malware-as-a-service known as Prysmax. The developer behind Prysmax claims that their USP is FUD (fully undetectable) malware, be it their stealer or their RAT. They offer custom development services, along with subscriptions for a stealer, RAT, and botnet services.…
Executive Summary
Infamous Chisel is a collection of components targeting Android devices.
This malware is associated with Sandworm activity.
It performs periodic scanning of files and network information for exfiltration.
System and application configuration files are exfiltrated from an infected device.
Infamous Chisel provides network backdoor access via a Tor (The Onion Router) hidden service and Secure Shell (SSH).…
Read More
This post is also available in: 日本語 (Japanese)
Executive SummaryEarlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) from July 2023 with a RedLine Stealer infection. This article provides answers to the quiz, and it offers a more in-depth look at RedLine Stealer traffic.…
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.…
SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.…
Read More
Notification
Read More
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”…
Read More
Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.…
Read More
12.20pm BST, 22 August 2023: Updated with additional IoCs
A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers.
In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate.…
Note: The following is a redacted version of a larger report. For full and comprehensive details of this attack, please enquire about our CTI-on-demand service.
SummaryBlackBerry has discovered and documented new tools used by the Cuba ransomware threat group.
Cuba ransomware is currently into the fourth year of its operation and shows no sign of slowing down.…
LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab | Sysdig
Show Table of Contents + Hide −
The Sysdig Threat Research Team (TRT) recently discovered a new, financially motivated operation, dubbed LABRAT. This operation set itself apart from others due to the attacker’s emphasis on stealth and defense evasion in their attacks.…
Introduction
Read More
In June of 2023, our research team at Zscaler ThreatLabz discovered a threat actor targeting FinTech users in the LATAM region. JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack.
The final malware involved in this campaign is a heavily modified variant of BX RAT.…
Notification
Read More
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact.…
A Data-Driven Approach Based on Analysis of Network Telemetry
In this blog post, we will provide an update on our high-level analysis of QakBot infrastructure, following on from our previous blog post. We will pick up the timeline from where we left it, basing our findings on data collected between 1 May and 20 July 2023.…
Key Takeaways
The blog highlights a new infection chain for distributing AgenTesla RAT. It involves a spam email with a CPL file that, when executed, downloads a PowerShell script that injects AgentTesla malware in exe and MSbuild.exe.
The PowerShell scripts use obfuscated binary strings to hide malicious code.…
Read More
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
The threat actor uses an uncommon technique to deliver the ransom note.…
Read More