First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner workings to empower blue teams to create additional defensive rules outside of their already in-place security.…

Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).…

Read More

[Update] February 01, 2024: U.S. Government Actions Against Volt Typhoon

As cyber currents ebb and flow, a storm named Volt Typhoon surges from the digital depths. This isn’t your typical tempest from the sea but a state-sponsored maelstrom with a tendency for espionage. Volt Typhoon, believed to be backed by the Chinese government, stands out for its sophisticated tactics and high-profile targets.…

Read More

Affected Platforms: Microsoft WindowsImpacted Users: Microsoft WindowsImpact: Remote attackers gain control of the infected systemsSeverity Level: Critical

FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry, as shown in Figure 1.…

Read More

The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in April 2023.

The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in April 2023 (although there are reports that its infrastructure and inventory were sold on the underground, which might explain why techniques connected with Genesis Market are being used in this attack).…

Read More

Author: Alex Jessop (@ThisIsFineChief)

Summary Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

Initial access gained via a publicly disclosed vulnerability in an externally facing server Use of vulnerable drivers to disable security controls Remote Desktop Protocol was used for Lateral Movement Access persisted through tunnelling RDP over SSH Exfiltration of data via Mega Execution of ransomware via scheduled taskNoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1].…

Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More

Authors: Shilpesh Trivedi and Nisarga C M

In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.…

Read More
Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. …
Read More
Key TakeawaysSolarMarker uses process injection to run the hVNC and data staging payload. The actors behind SolarMarker primarily utilize .NET for the majority of their payloads, with the notable exception of the observed hVNC backdoor, which is written in Delphi. The initial infection triggers numerous PowerShell processes, resulting in a highly noticeable activity pattern.…
Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More
Dark Pink TTPs Dark Pink Toolset

Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:

Cucky: A straightforward custom information stealer coded in .NET. It is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group.…
Read More
Executive Summary

The Black Lotus Labs team has discovered a highly unique piece of malware designed to compromise the security of the extended Berkeley Packet Filter (eBPF) functionality in the Linux kernel of container-based operating systems, like CoreOS. eBPF is a programmable framework that allows users to run code within the kernel of Linux systems, without having to write a kernel-specific module.…

Read More
Key takeaways From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode.   During the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts.  …
Read More