By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov
Sept. 25, 2023, updated Sept. 27, 2023, updated Oct. 6, 2023
tldr:Securonix Threat Research recently discovered an attack campaign appearing to originate from the threat group UAC-0154 targeting victims using a Pilot-in-Command (PIC) Drone manual document lure to deliver malware.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
March 30, 2023, updated April 5, 2023, updated April 18, 2023
While today is the last day for US income tax submissions, the TACTICAL#OCTOPUS campaign continues to target US victims. New samples have once again emerged related to this ongoing threat. …
By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom, Phil Stokes & SentinelLabs
Executive Summary As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.…Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred.…
February 15, 2024 update – On January 20, 2024, the US government conducted a disruption operation against infrastructure used by a threat actor we track as Forest Blizzard (STRONTIUM), a Russian state-sponsored threat actor, as detailed here: https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
December 4, 2023 update – Microsoft has identified a nation-state activity group tracked as Forest Blizzard (STRONTIUM), based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers.…
Research by Shilpesh Trivedi and Pratik Jeware
Uptycs has already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. Attackers are increasingly turning to it, particularly for stealer command and control (C2).
And now the Uptycs threat research team has discovered a macOS stealer that also controls its operations over Telegram.…
Recently, InQuest Labs analysts responded to a credential phishing attack discovered by a municipal government organization. The following threat sequence was observed:
The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality’s county health agency.
The email is a lure posing as a payment invoice, with subjects including: Payment Due Payment The HTML email contains a URL pointing to a PDF document stored on Raven (app.raven[.]com),…Earth Preta has actively been changing its tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the tools and malware used by the threat actor in its most recent campaigns.
In our previous research, we disclosed and analyzed a new campaign initiated by the threat actor group Earth Preta (aka Mustang Panda).…
This post is also available in: 日本語 (Japanese)
Executive SummaryTrigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.…
At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) – a North Korea-based advanced persistent threat actor. This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.…
In November 20211 and February 2022,2 Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike Intelligence and the CrowdStrike Falcon® Complete managed detection and response team observed eCrime adversaries that had previously relied on macro execution for malware delivery adapt their tactics, techniques and procedures (TTPs). …
In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.…
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1101 is now tracked as Storm-1101.
To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
Just nine months after discovering ZuoRAT – a novel malware targeting small office/home office (SOHO) routers – Lumen Black Lotus Labs® identified another, never-before-seen campaign involving compromised routers. This is a complex campaign we are calling “Hiatus”. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.…
By Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju · March 07, 2023This blog was also written by Raghav Kapoor
Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware that has been active since at least 2007. Since the end of January 2023, there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution.…
Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote’s sudden rise to prominence, following a pattern of other types of files used in the same capacity.…
Microsoft Office documents are used worldwide by both corporates and home-users alike. It’s different office versions, whether licensed or unlicensed offers users an easy way to create and modify files. However, this software is also susceptible to cyberattacks.
Cybercriminals often take advantage of its vulnerability and use VBA (Visual Basic Application) macros as entry points to gain access to targeted systems and devices.…
Executive Summary
On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMWare ESXi vulnerability for which a patch has been available since February 2021.Shortly after the warnings’ publication, SecurityScorecard developed an emergency informational signal to give customers visibility into potentially impacted servers.…