Tag: FIREWALL

This post is also available in: 日本語 (Japanese)

Executive Summary

On March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due to legal troubles. In the announcement message posted on the Agent Tesla Discord server, the keylogger’s developers suggested people switch over to a new keylogger: “If you want to see a powerful software like Agent Tesla, we would like to suggest you OriginLogger.…

Read More
Key Takeaways Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access Lorenz waited nearly a month after obtaining initial access to conduct additional activity Lorenz exfiltrated data via FileZilla Encryption was done via BitLocker and Lorenz ransomware on ESXi Lorenz employed a high degree of Operational Security (OPSEC) Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted files Background

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption.…

Read More
Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.…
Read More
Cisco Talos has discovered a new remote access trojan (RAT) we’re calling “MagicRAT,” developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms. We’ve also found links between MagicRAT and another RAT known as “TigerRAT,” disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.…
Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. The vulnerabilities exploited include:

CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability CVE-2022-26258: D-Link Remote Command Execution Vulnerability CVE-2022-28958: D-Link Remote Command Execution Vulnerability

If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks.…

Read More

Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information.…

Read More

It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, like KillNet, Anonymous, IT Army of Ukraine, Legion Spetsnaz RF, have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the countries surrounding it and siding with Ukraine.…

Read More

Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges. 

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.…

Read More
Research by: Moshe Marelus Highlights: Check Point Research (CPR) detected a Turkish based crypto miner malware campaign, dubbed ‘Nitrokod’, which infected machines across 11 countries The malware is dropped from popular software available on dozens of free software websites The malware distributers separate malicious activity from the downloaded fake software to avoid detection Attack was initially found by Check Point XDR, which overcomes the attack’s evasion mechanism. …
Read More

Remcos is a remote access trojan – a malware used to take remote control over infected PCs.This trojan is created and sold to clients by a “business” called Breaking Security. 

Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all the necessary features to launch potentially destructive attacks.…

Read More

As we continue to monitor the cyber situation in Ukraine, the data we are seeing shows some interesting trends. Not only has the volume of attacks continued rising throughout the war in Ukraine, the types of attacks have been varied. A common tactic of cyber criminals is to run automated exploit attempts, hitting as many possible targets as they can to see what gets a result.…

Read More

Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.” On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters.

Further, the threat actor publishing the malicious package used the identity and contact information of a real national laboratory software engineer working for a U.S.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.

Ransomware is a malicious program designed to encrypt a user’s data and demand a ransom for the decryption. BlueSky ransomware predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption.…

Read More

By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.

Executive Summary Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.…
Read More