Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…

Read More

Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live off the stolen money, but also to reinvest into their shady practice.…

Read More

Last updated at Tue, 27 Feb 2024 17:16:10 GMT

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Insidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within U.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a major crisis or conflict with the United States.…

Read More
Key Takeaways  As per our initial observations, this campaign employs language-specific HTML files to trap unsuspecting victims, tailoring its approach based on linguistic nuances.  Through the strategic embedding of zip archives within HTML files, the campaign orchestrates a series of intricate infiltration maneuvers, evading detection and executing malicious payloads. …
Read More

Published On : 2024-02-13

EXECUTIVE SUMMARY

In this report, we discuss the recently observed XSSLite Stealer that is being discussed within multiple hacking communities. It was released as part of a malware development competition (XSSWare) hosted by the infamous Russian hacking community; XSS. The developer of the stealer has shared the source code of the project and hinted that he is moving on to another project.…

Read More

Available in the following solutions: Ransomware Mitigation, Automated Security Workflows, and Mitigate Supply Chain Risk

Available in the following modules: Threat Intelligence, and Geopolitical Intelligence

In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks.…

Read More

In late 2023, a new and distinct ransomware group named 3AM Ransomware emerged. It came to the forefront as a fallback for other ransomware, notably during failed deployments of the infamous LockBit ransomware and later their interesting choice in their website.

First reported by Symantec, the discovery and emergence of 3AM Ransomware marked a notable and interesting event in the cybercrime world.…

Read More

The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412 which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the  advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…

Read More

Executive Summary 

EclecticIQ analysts observed that cybercriminals increased the delivery of the DarkGate loader following the FBI’s takedown of Qakbot infrastructure in August 2023 [1]. EclecticIQ analysts assess with high confidence that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate.…

Read More

The Sandman APT group has garnered massive attention in 2023 for its targeted attacks against telecommunications providers in regions including Europe and Asia. As revealed by By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence, utilizing a unique and sophisticated LuaJIT-based modular backdoor, LuaDream; Sandman distinguishes itself through a strategic and stealthy approach, minimizing detection risks and leaving a minimal digital footprint.…

Read More

[Update] March 20, 2024: “Technical Documentation and Detailed Exploit Code on CVE-2024-21762”

[Update] March 18, 2024: “PoC Exploit for FortiOS SSL VPN Vulnerability (CVE-2024-21762) Emerges on a Hacker Forum”

[Update] March 11, 2024: “Nearly 150,000 FortiOS Devices Are Vulnerable to CVE-2024-21762”

[Update] February 16, 2024: “Scanning Activity Detected for CVE-2024-22024 in Ivanti; Thousands of Instances Are Still Vulnerable”

Fortinet has revealed a new critical Remote Code Execution (RCE) vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks.…

Read More

On February 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) assessing that People’s Republic of China (PRC) state-sponsored cyber actors were seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S.…

Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.…

Read More
10 Billion Attacks Blocked in 2023, Qakbot’s Resurrection, and Google API Abused Foreword

Welcome to the new edition of our report. As we bid farewell to the year 2023, let’s briefly revisit the threat landscape that defined the past year. In 2023, the overall number of unique blocked attacks surged, reaching an unprecedented milestone of more than 10 billion attacks and a remarkable 49% increase year-over-year.…

Read More