Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…
Tag: INITIAL ACCESS
By Pham Duy Phuc, Max Kersten in collaboration with Noël Keijzer and Michaël Schrijver from Northwave · February 14, 2024
Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live off the stolen money, but also to reinvest into their shady practice.…
Last updated at Tue, 27 Feb 2024 17:16:10 GMT
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.…
This post is also available in: 日本語 (Japanese)
Executive SummaryInsidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within U.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a major crisis or conflict with the United States.…
Key Takeaways As per our initial observations, this campaign employs language-specific HTML files to trap unsuspecting victims, tailoring its approach based on linguistic nuances.
Through the strategic embedding of zip archives within HTML files, the campaign orchestrates a series of intricate infiltration maneuvers, evading detection and executing malicious payloads. …
Read More February 13, 2024
Axel F, Selena Larson and the Proofpoint Threat Research Team
What happenedProofpoint researchers identified the return of Bumblebee malware to the cybercriminal threat landscape on 8 February 2024 after a four-month absence from Proofpoint threat data. Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing. …
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412 which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…
Introduction
Read More Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot.…
This Threat Analysis Report will delve into compromised YouTube accounts being used as a vector for the spread of malware. It will outline how this attack vector is exploited for low-burn, low-cost campaigns, highlighting strategies used by threat actors and how defenders can detect and prevent these attacks. …
Executive Summary
Read More EclecticIQ analysts observed that cybercriminals increased the delivery of the DarkGate loader following the FBI’s takedown of Qakbot infrastructure in August 2023 [1]. EclecticIQ analysts assess with high confidence that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate.…
Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the Azure attack and offers suggestions that affected organizations can implement to protect themselves from it.…
The Sandman APT group has garnered massive attention in 2023 for its targeted attacks against telecommunications providers in regions including Europe and Asia. As revealed by By Aleksandar Milenkoski, Bendik Hagen (PwC), and Microsoft Threat Intelligence, utilizing a unique and sophisticated LuaJIT-based modular backdoor, LuaDream; Sandman distinguishes itself through a strategic and stealthy approach, minimizing detection risks and leaving a minimal digital footprint.…
In June 2023, we’ve observed multiple alerts that seemingly came from different sources. A quick search through our telemetry allowed us to identify multiple infected machines across our clients. Although they would sometimes present different behaviour, the initial infection vector stayed the same.
The servers were still actively delivering the initial payloads in early August in an intermittent fashion, and some of the malware sill went undetected by antivirus engines.…
This blog explores a series of CoinLoader compromises observed by Darktrace in late 2023. CoinLoader is a loader malware known to carry out cryptocurrency mining on infected devices. Darktrace’s autonomous detection and response capabilities allowed it to identify and shut down compromises in the first instance.…
By Jungsoo An, Wayne Lee and Vanja Svajcer.
Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. …
SUMMARY
Read More The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.…
AhnLab SEcurity intelligence Center (ASEC) previously uploaded the article “BlueShell Used in APT Attacks Against Korean and Thai Targets” [1] on the ASEC blog which introduced BlueShell malware strains that were used against Linux systems in Thailand and Korea. The threat actor customized the BlueShell backdoor malware for their attack, and configured the malware’s operating condition to only work in specific systems.…
10 Billion Attacks Blocked in 2023, Qakbot’s Resurrection, and Google API Abused
Foreword
Read More Welcome to the new edition of our report. As we bid farewell to the year 2023, let’s briefly revisit the threat landscape that defined the past year. In 2023, the overall number of unique blocked attacks surged, reaching an unprecedented milestone of more than 10 billion attacks and a remarkable 49% increase year-over-year.…
Key Takeaways Cyble Research and Intelligence Labs (CRIL) has uncovered an active malware campaign targeting cryptocurrency users.
In this campaign, the Threat Actors (TA) utilized deceptive websites posing as legitimate cryptocurrency applications, including Metamask, Wazirx, Lunoapp, and Cryptonotify.
All these malicious sites are distributing the same clipper payload – that CRIL has dubbed “XPhase Clipper” – designed to intercept and modify cryptocurrency wallet addresses copied by users. …
Read More
Key FindingsTwo new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time.
Raspberry Robin is continually updated with new features and evasions to be even stealthier than before.…
Read More