Tag: INITIAL ACCESS

From SIEM to Ticketing: Streamlining Security Operations with Cado’s Export Capabilities
Cado’s export capabilities enhance security operations by streamlining data flow between SIEMs, ticketing systems, and forensic platforms. This integration reduces manual errors, improves efficiency, and ensures timely incident resolution. Affected: Cado platform, SIEMs, ticketing systems

Keypoints :

Modern SOCs face challenges with manual data transfers and incompatible formats.…
Read More
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Microsoft Threat Intelligence has reported on the Russian nation-state actor Secret Blizzard, which has been using co-opted tools and infrastructure from other threat actors to conduct espionage activities against targets in Ukraine. The campaigns have involved the deployment of custom malware, including the Tavdig and KazuarV2 backdoors, often facilitated through cybercriminal tools like Amadey bot malware.…
Read More
Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9)
Summary: Cisco has issued critical software updates to address a privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management system, allowing remote attackers to gain administrator access. Additionally, patches were released for a denial-of-service (DoS) flaw in BroadWorks and an integer underflow bug in ClamAV. The vulnerabilities highlight ongoing security challenges faced by organizations using Cisco products.…
Read More
Advanced Threat Detection: Exploitation Tactics from a CIRT Technical Interview
This article examines two scenarios wherein attackers exploit misconfigured Redis servers and utilize cloud storage resources to execute malicious scripts and gain unauthorized access. The sophisticated techniques employed emphasize the necessity for proactive defensive measures. Affected: Redis servers, macOS systems

Keypoints :

Attackers exploit misconfigurations in Redis services to execute remote commands.…
Read More
Four Critical Ivanti CSA Vulnerabilities Exploited, CISA and FBI Urge Mitigation
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory regarding the active exploitation of four critical vulnerabilities in Ivanti Cloud Service Appliances. These include CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, which can lead to unauthorized access, remote code execution, and credential theft.…
Read More
TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware
Summary: Google has identified a financially motivated threat actor named TRIPLESTRENGTH, which targets cloud environments for cryptojacking and on-premise ransomware attacks. The actor employs stolen credentials to hijack cloud resources for cryptocurrency mining and advertises access to compromised servers. Additionally, TRIPLESTRENGTH has been linked to ransomware operations using various malicious tools and has actively sought partnerships for further attacks.…
Read More
Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle With a Self-Guided Malware Agent
This article discusses the integration of older automation tools with large language models (LLMs) to enhance malware development and delivery methods, including the use of tools like Mantis and Stopwatch.ai for reconnaissance and obfuscation. It highlights the potential of LLMs in creating convincing phishing attacks and guiding malware operations, ultimately leading to a more sophisticated attack lifecycle.…
Read More
Dark Web Profile: OilRig (APT34)
OilRig, also known as APT34, is a state-sponsored APT group linked to Iranian intelligence, primarily targeting sectors like government, energy, finance, and telecommunications. Their sophisticated cyber-espionage tactics include spear-phishing and custom malware, making them a persistent threat across the Middle East and beyond. Affected: government, energy, financial, telecommunications sectors

Keypoints :

OilRig is a state-sponsored APT group associated with Iranian intelligence.…
Read More
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers have uncovered a previously undisclosed APT group, PlushDaemon, linked to China, which executed a supply-chain attack on a South Korean VPN developer in 2023. The attackers replaced the legitimate VPN installer with a malicious version that deployed a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit with over 30 components, allowing extensive cyber espionage capabilities.…
Read More
China-linked hacker group targets victims in East Asia with malicious VPN installers
Summary: A new Chinese state-sponsored hacker group, PlushDaemon, has been targeting users in East Asia through an espionage campaign involving a compromised VPN installer from South Korean firm IPany. The attackers deployed custom malware capable of extensive data collection and spying on victims. Although discovered recently, PlushDaemon has been active since at least 2019, focusing on espionage against various entities across multiple countries.…
Read More
Targeted supply chain attack against Chrome browser extensions
This article discusses a supply chain attack on Chrome browser extensions that began in December 2024, where attackers exploited a phishing vulnerability to inject malicious code. This breach compromised a number of extensions, risking sensitive user data including authentication tokens. Investigations revealed the attackers’ sophisticated methods and infrastructure, highlighting the ongoing threats posed by such supply chain vulnerabilities.…
Read More
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Summary: A newly identified China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack on a South Korean VPN provider, utilizing a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit designed for espionage and data collection, indicating the group’s significant operational capabilities since at least 2019.…
Read More
Tracking Down APT Group WIRTE’s DNS Movements
The WIRTE APT group has been active since 2018, primarily targeting organizations in the Middle East and Europe, including government and financial sectors. Recent activities have focused on Middle Eastern entities, utilizing custom loaders like IronWind. A comprehensive analysis revealed 56 indicators of compromise (IoCs) and additional artifacts, highlighting the group’s ongoing threat.…
Read More
Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users
Mozilla Firefox and Thunderbird users are facing critical vulnerabilities that could result in arbitrary code execution and system instability. The Indian Computer Emergency Response Team (CERT-In) has issued an advisory urging immediate software updates to mitigate these risks. Affected: Mozilla Firefox, Mozilla Thunderbird

Keypoints :

High-severity vulnerabilities found in Mozilla Firefox and Thunderbird.…
Read More
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos X-Ops’ Managed Detection and Response (MDR) has reported on two active threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to infiltrate organizations for data theft and ransomware deployment. The tactics include email-bombing, fake tech support, and exploiting remote control tools. Both clusters exhibit overlapping techniques with known threat groups like FIN7 and Storm-1811.…
Read More