Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
By Max Kersten · November 29, 2023 This blog was also written by Alexandre Mundo
First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner workings to empower blue teams to create additional defensive rules outside of their already in-place security.…
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).…
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.
While other reports point to malware downloads as initial access, in this report the threat actors gained access via a MSSQL brute force attack.…
This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community and we will update this blog with more details as our investigation continues.
Key TakeawaysExploitation of Qlik Sense application in the observed campaign.…More and more people nowadays prefer to buy goods online. And why not? It’s convenient, goods will be delivered to your doorstep, and if you choose one of many online marketplaces, it’s even possible to save some money. Sadly, scammers abuse this, targeting these services and their customers for the scammer’s benefit.…
[Update] February 01, 2024: U.S. Government Actions Against Volt Typhoon
As cyber currents ebb and flow, a storm named Volt Typhoon surges from the digital depths. This isn’t your typical tempest from the sea but a state-sponsored maelstrom with a tendency for espionage. Volt Typhoon, believed to be backed by the Chinese government, stands out for its sophisticated tactics and high-profile targets.…
In early September, an automated retroactive indicator of compromise (IoC) threat hunt identified an indicator of compromise (IoC) in the environment of one of our customers. The detected IP address, 144.76.136[.]153, was previously used by the cybercrime group Scattered Spider to perform exfiltration via the domain transfer.sh.…
Affected Platforms: Microsoft WindowsImpacted Users: Microsoft WindowsImpact: Remote attackers gain control of the infected systemsSeverity Level: Critical
FortiGuard Labs recently identified the use of a Russian-language Word document equipped with a malicious macro in the ongoing Konni campaign. Despite the document’s creation date of September, ongoing activity on the campaign’s C2 server is evident in internal telemetry, as shown in Figure 1.…
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in April 2023.
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in April 2023 (although there are reports that its infrastructure and inventory were sold on the underground, which might explain why techniques connected with Genesis Market are being used in this attack).…
Author: Alex Jessop (@ThisIsFineChief)
Summary Tl;drThis post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.
Below provides a summary of findings which are presented in this blog post:
Initial access gained via a publicly disclosed vulnerability in an externally facing server Use of vulnerable drivers to disable security controls Remote Desktop Protocol was used for Lateral Movement Access persisted through tunnelling RDP over SSH Exfiltration of data via Mega Execution of ransomware via scheduled taskNoEscapeNoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1].…
By Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll and Vinoo Thomas · November 21, 2023
On September 2023, the Trellix Security Operations Center (SOC) successfully detected and stopped an attack against Musarubra, the holding company for Trellix and Skyhigh Security, involving an emerging malware family named DarkGate.…
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Authors: Shilpesh Trivedi and Nisarga C M
In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.…
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Since the conflict escalated on October 7, 2023, with an aggressive stance from Hamas towards Israel, cyber-threats have surged. For example, many Pro-Hamas and Pro-Palestine hacktivists, alongside state-backed aggressors, have launched cyber-attacks on Israeli businesses, aiming not just to disrupt but to devastate the nation’s economy.…
Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:
Cucky: A straightforward custom information stealer coded in .NET. It is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group.…The Black Lotus Labs team has discovered a highly unique piece of malware designed to compromise the security of the extended Berkeley Packet Filter (eBPF) functionality in the Linux kernel of container-based operating systems, like CoreOS. eBPF is a programmable framework that allows users to run code within the kernel of Linux systems, without having to write a kernel-specific module.…