With recent reports that Charming Kitten group (aka Mint Sandstorm) is actively targeting critical infrastructure in the US and other countries, we would like to share the most recent insights from Bitdefender Labs about modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware.…
Tag: INITIAL ACCESS
Threat actors (TAs) employ diverse file formats to disseminate malicious payloads, primarily to enhance the likelihood of a successful infection. These different file formats are being sent via spam email as an attachment to entice users to download and execute them, thereby exposing themselves to malicious content.…
By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov
TL;DR: The Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier [1].…
Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
UPDATE #1 – 4/25/23 @ 11am ET: Added information about additional exploitation seen against Papercut MF/NG Server where a crypto-miner was deployed.…
Affected platforms: Windows
Impacted parties: Any organization
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical
EvilExtractor (sometimes spelled Evil Extractor) is an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. It includes several modules that all work via an FTP service.…
ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.…
Summary
Since the beginning of January 2023, the BlackBerry Threat Research and Intelligence team has been following two parallel malicious campaigns that use the same infrastructure but have different purposes.
The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others.…
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.…
Ex-Conti and FIN7 Actors Collaborate with New Backdoor
Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members. Minodo’s code shows overlap with the Lizar (aka Tirion, Diceloader) malware family, leading us to suspect that it was created by current or former ITG14 developers.…
In the first week of April 2023, the eSentire Threat Intelligence team observed a significant increase in Qakbot incidents impacting various industries. Qakbot is an information-stealing malware. Qakbot is commonly delivered using phishing methods, including malicious emails from previously unseen email addresses or as replies to existing email conversations. …
Executive summary
TEHTRIS Threat Hunters analyzed illicit cryptomining activity targeting Linux-based machines. The attack happened on one of our high interaction honeypots hosted in France in mid-January across a short timeframe (less than 5 minutes). Our honeypot was a Linux under Ubuntu 22.04. The cybercriminal group behind this attack employs a strategy to optimize the use of the compromised device’s resources.…
AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provide statistical information on each type.…
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant
Mandiant has observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, target publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878, for initial access to victim environments. A commercial Internet scanning service identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which may still be unpatched and vulnerable.…
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm and DEV-1084 is now tracked as Storm-1084.
To learn more about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 19th, 2023 to March 25th, 2023 and provide statistical information on each type.…
By Max Kersten · April 3, 2023
This blog was also written by Alexandre Mundo
We would like to thank Advanced Cyber Services team within Trellix Professional Services for the incident response-related data.
Emerging in early 2022 as a private group which used multiple strains of ransomware, Royal Ransom has used their own ransomware since September 2022.…
By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023
We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.
On the 4th and the 5th of April, a law enforcement taskforce spanning agencies across 17 countries – including the FBI, Europol and the Dutch Police – have disrupted the infamous browser cookie market known as Genesis Market and approached hundreds of its users.…
On December 10, 2021, the Apache Software Foundation disclosed CVE-2021-44228, aka “Log4Shell”, a critical vulnerability in Apache’s Log4j version 2.14.1 and earlier that affects a large number of products that utilize this logging library.
Through our Consulting and Managed Defense clients, Mandiant observed four unique applications targeted and exploited using CVE-2021-44228.…
Proxyjacking has Entered the Chat | Sysdig
Did you know that you can effortlessly make a small passive income by simply letting an application run on your home computers and mobile phones? It lets others (who pay a fee to a proxy service provider) borrow your Internet Protocol (IP) address for things like watching a YouTube video that isn’t available in their region, conducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP.…