Since its discovery in early 2023, Akira ransomware has evolved from a seemingly ordinary addition to the ransomware landscape to a significant threat affecting a wide range of businesses and critical infrastructure entities. This evolution, coupled with its unique aesthetic on its leak site and communications, has drawn attention to its operations.…
Tag: MONITOR
Summary: As part of an international operation called PhishOFF and Nebulae, 37 individuals have been arrested in connection with the cybercrime service LabHost, which was used to steal personal credentials through phishing attacks targeting banks and high-profile organizations.
Threat Actor: LabHost | LabHost
Victim: Multiple victims worldwide
Key Point:
LabHost, one of the largest Phishing-as-a-Service (PhaaS) providers, offered phishing pages targeting banks, high-profile organizations, and service providers primarily in Canada, the U.S.,…

To enhance our threat intelligence, improve detection and identify new threats, Sekoia.io analysts perform continuous hunting and detection engineering every day to give our customers more options to protect themselves. Sekoia.io Threat Detection & Research (TDR) team is there to fill our SOC platform with detection rules and CTI.…
Summary: Employee fraud in the UK increased due to remote working and financial pressures, according to Cifas. The number of individuals engaging in dishonest actions for personal gain grew by 14% in 2023, with reduced supervision and increased opportunities being key factors.
Threat Actor: Insider Threats | Insider Threats
Victim: Organizations | Organizations
Key Point:
Employee fraud in the UK increased by 14% in 2023, with the most common reason being dishonest actions for personal gain.…

Summary: This blog post discusses a threat actor that used malvertising and DNS tunneling to distribute a backdoor named “MadMxShell” to target IT professionals in the IT security and network administration roles. The post provides details on the attack chain, technical analysis of the backdoor, infrastructure details, observed commands, indicators of compromise (IOCs), and coverage by Zscaler’s security platform.…
Summary: Cybersecurity researchers have discovered a new campaign that exploits a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
Threat Actor: Unknown | Connect:fun
Victim: Unnamed media company | Unnamed media company
Key Point:
A new campaign called Connect:fun is exploiting a critical SQL injection flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.…

Recently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS. It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the target system with root privileges.
Volexity was the first to identify and report the vulnerability.…
On April 18, 2024, the UK’s Metropolitan Police Service and others conducted an operation that succeeded in taking down the Phishing-as-a-Service provider LabHost.
LabHost takedown
On Thursday, April 18, 2024, the UK’s Metropolitan Police Service, along with fellow UK and international law enforcement, as well as several trusted private industry partners, conducted an operation that succeeded in taking down the Phishing-as-a-Service (PhaaS) provider LabHost.…
Date Reported: 2024-04-15
Country: France (FRA)
Victim: Le Slip Français | leslipfrancais.fr
Additional Information:
Le Slip Français, a company specialized in the sale of underwear, fell victim to a cyberattack on April 15th. The attack resulted in the theft of certain personal data of its customers, although passwords or payment card information were not compromised.…

Summary: Russian nation-state group Sandworm is using a novel backdoor called Kapeka to target organizations in Ukraine and other Eastern and Central European countries. Kapeka is a sophisticated tool that provides long-term access to victim estates and is believed to be part of wider espionage campaigns by Sandworm.…
This report details the resurgence of the LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus on political targets and tensions in the region.
Beyond our findings, the echoes of concern reach further. VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.…
Summary: The World Cybercrime Index reveals that Russia is the top hub for digital threat actors and the most significant source of global cybercrime, followed by Ukraine, China, the United States, Nigeria, and Romania.
Threat Actor: Russia, Ukraine, China, United States, Nigeria, Romania
Victim: N/A
Key Point:
Russia is the most significant source of global cybercrime and serves as the top hub for digital threat actors worldwide.…

Summary: Test files associated with the XZ Utils backdoor have been found in the Rust crate liblzma-sys, which has been downloaded over 21,000 times. The backdoor was discovered in late March and allowed for remote code execution through manipulation of the Secure Shell Daemon (sshd).
Threat Actor: Unknown | Unknown
Victim: Rust developers using the liblzma-sys crate | liblzma-sys
Key Point:
Test files associated with the XZ Utils backdoor were found in the liblzma-sys crate, which has been downloaded over 21,000 times.…

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file.…
Executive Summary
This threat brief is frequently updated as new threat intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.…
Threat Actor: Credential Stuffing Attackers | Credential Stuffing Attackers
Victim: Roku | Roku
Price: N/A
Exfiltrated Data Type: User account information
Additional Information:
Roku announced that 576,000 accounts were hacked in credential stuffing attacks. Threat actors used credentials stolen from third-party platforms. Unauthorized actors accessed around 15,000 user accounts in the first security breach.…

On March 29, 2024, a single message on the Openwall OSS-security mailing list marked an important discovery for the information security, open source and Linux communities: the discovery of a malicious backdoor in XZ. XZ is a compression utility integrated into many popular distributions of Linux.…
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a less secure network, such as the internet. It allows users to send and receive data across shared or public networks as if their computing devices were directly connected to a private network.…