By Securonix Threat Research: D. Iuzvyk, T.Peck, O.Kolesnikov

tldr:

An interesting campaign leveraging a new SUBTLE-PAWS PowerShell-based backdoor has been  identified targeting Ukraine which follows stealthy tactics to evade detection and spreads by infecting USB drives.

The Securonix Threat Research team has been monitoring an ongoing campaign likely related to Shuckworm targeting Ukrainian military personnel (tracked by Securonix Threat Research as STEADY#URSA).…

Read More

This post is also available in 简体中文, 繁體中文, 日本語, 한국어, Español, Português, Français, Deutsch and Polski.

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began an investigation, cut off the threat actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic team to perform their own independent analysis.…

Read More

On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On Jan. 31, 2024, Ivanti disclosed two additional vulnerabilities impacting CS and PS devices, CVE-2024-21888 and CVE-2024-21893.

The vulnerabilities allow for an unauthenticated threat actor to execute arbitrary commands on the appliance with elevated privileges.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs) and other scam pages. Among these PUPs, we have identified several adware programs including a rogue browser and different browser extensions.…

Read More
By D. Iuzvyk, T. Peck, A. Narasimhan, R. Radparvar, A. Barros, O. Kolesnikov tldr:

In the last month, two critical zero-day CVEs were published for Ivanti Connect Secure VPN software: CVE-2023-46805 and CVE-2024-21887.

In December of 2023, Volexity incident response teams discovered a vulnerability regarding an authentication bypass to an organization’s Ivanti Connect Secure (ICS) VPN server appliance (previously known as Pulse Connect Secure).…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

A traffic direction system (TDS) nicknamed Parrot TDS has been publicly reported as active since October 2021. Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server. This TDS is easily identifiable by keywords found in the injected JavaScript that we will explore to show the evolution of this threat.…

Read More

Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild in 2018 with its core functionality revolving around its ability to act as SOCKS5 proxy. This provides a useful capability for threat actors as a persistent access mechanism or for purposes of leaving behind a backdoor in case of discovery of their initial access method.…

Read More

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: Threat actors favor RMM (remote monitoring and management) as it allows for convenient and stealthy command and control capabilities on compromised hosts. Today, let’s take a look at some of the popular options that the bad guys are using and discover how we can detect them.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Malware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. The configuration data embedded within malware can offer invaluable insights into the intentions of cybercriminals.…

Read More

Published On : 2024-01-03

EXECUTIVE SUMMARY

This report provides a glimpse into the evolving landscape of RAT development and malicious activities performed by threat actors working under name of ‘Anonymous Arabic’. Our team investigated the Silver RAT (written in C sharp) which has capabilities to bypass anti-viruses and covertly launch hidden applications, browsers, keyloggers, and other malicious activities.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer.…

Read More