Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information is based on observation and analysis of attacks by SophosLabs, Sophos Managed Detection and Response (MDR) and Sophos Incident Response (IR), in which the ScreenConnect client or server was involved.…

Read More
Table of contentsIntroduction

Scattered Spider (aka UNC3944, Scatter Swine, Muddled Libra, Octo Tempest, Oktapus, StarFraud) is a lucrative intrusion set active since at least May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques.

The intrusion set employs state-of-the-art techniques, particularly related to social engineering, such as impersonation of IT personnel to deceive employees for targeted phishing, SIM swapping, leverage of MFA fatigue, and contact with victims’ support teams.…

Read More

Effective monitoring and anomaly detection within a data environment are crucial, particularly in today’s data-driven landscape. At Imperva Threat Research, our data lake serves as the backbone for a range of critical functions, including threat hunting, risk analysis, and trend detection. However, with the daily addition of 2 terabytes of data and the management of thousands of tables, this task becomes intricate and resource-intensive.…

Read More
Introduction

Cado Security Labs researchers have recently encountered a novel malware campaign targeting Redis for initial access. Whilst Redis is no stranger to exploitation by Linux and cloud-focused attackers, this particular campaign involves the use of a number of novel system weakening techniques against the data store itself. …

Read More

Originating in the latter part of 2023, this Ransomware-as-a-Service (RaaS) operation has drawn attention due to its technical lineage and operational tactics resembling those of the notorious Hive ransomware group. With law enforcement agencies previously disrupting Hive, Hunters International’s rise just after the operation underscores the persistent and adaptive nature of cybercriminal networks.…

Read More
Executive SummaryIn December 2023, S2W’s threat intelligence center(a.k.a. Talon) discovered and continuously tracked the Rust-based macOS malware named RustDoor (a reference to the name given by BitDefender) disguised as a VisualStudio update.Through further analysis, we identified the Windows version of RustDoor, which we named GateDoor because it was written in Golang rather than Rust.…
Read More

Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…

Read More

The Agniane Stealer is an information-stealing malware mainly targeting the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Insidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within U.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a major crisis or conflict with the United States.…

Read More

Threat actors of advanced capability seek to compromise network edge devices such as Ivanti systems to establish advanced footholds, from which to perform targeted reconnaissance identifying organizations with data of high value. Three vulnerabilities recently announced in Ivanti systems underscore the importance of layered security for internet-exposed systems.…

Read More

The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412 which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the  advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…

Read More

Executive Summary 

EclecticIQ analysts observed that cybercriminals increased the delivery of the DarkGate loader following the FBI’s takedown of Qakbot infrastructure in August 2023 [1]. EclecticIQ analysts assess with high confidence that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate.…

Read More

The Sandman APT group has garnered massive attention in 2023 for its targeted attacks against telecommunications providers in regions including Europe and Asia. As revealed by By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence, utilizing a unique and sophisticated LuaJIT-based modular backdoor, LuaDream; Sandman distinguishes itself through a strategic and stealthy approach, minimizing detection risks and leaving a minimal digital footprint.…

Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.…

Read More

S2W

·

Follow

Published inS2W BLOG·

14 min read ·

Feb 7, 2024

Author: Jiho Kim & Sebin Lee | BLKSMTH

Last Modified : Feb 7, 2024

Photo by Mark König on Unsplash Executive SummaryS2W threat research and intelligence center Talon has hunted for and analyzed a sample of what is believed to be a new malware from the Kimsuky group on VirusTotal.…
Read More

Ivanti has issued a high-severity advisory for multiple vulnerabilities affecting its Connect Secure and Policy Secure products, including an authentication bypass flaw (CVE-2024-22024) that is currently being exploited in the wild. Customers are urged to apply patches immediately to mitigate risks. #CyberSecurity #VulnerabilityManagement #Ivanti

Keypoints :

Ivanti released an advisory on February 8, 2024, for CVE-2024-22024, an authentication bypass vulnerability.…
Read More