DarkVNC is a hidden utility based on the Virtual Network Computing (VNC) technology, initially promoted on an Exploit forum in 2016. The primary distinction between hVNC and VNC lies in their intended usage and the degree of transparency: VNC can serve as a legitimate tool for remote desktop sharing, while hVNC is associated with stealthy or potentially malicious activities, often operating without the user’s knowledge or consent.…
Tag: MONITOR
This is a series that explores methods attackers might use to maintain persistent access to a compromised linux system. To do this, Pberba will take an “offense informs defense” approach by going through techniques listed in the MITRE ATT&CK Matrix for Linux. …
Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information is based on observation and analysis of attacks by SophosLabs, Sophos Managed Detection and Response (MDR) and Sophos Incident Response (IR), in which the ScreenConnect client or server was involved.…
Executive SummarySentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.…
Read More
Table of contentsIntroduction
Read More Scattered Spider (aka UNC3944, Scatter Swine, Muddled Libra, Octo Tempest, Oktapus, StarFraud) is a lucrative intrusion set active since at least May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques.
The intrusion set employs state-of-the-art techniques, particularly related to social engineering, such as impersonation of IT personnel to deceive employees for targeted phishing, SIM swapping, leverage of MFA fatigue, and contact with victims’ support teams.…
Effective monitoring and anomaly detection within a data environment are crucial, particularly in today’s data-driven landscape. At Imperva Threat Research, our data lake serves as the backbone for a range of critical functions, including threat hunting, risk analysis, and trend detection. However, with the daily addition of 2 terabytes of data and the management of thousands of tables, this task becomes intricate and resource-intensive.…
This post is also available in: 日本語 (Japanese)
Executive SummaryFeb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.…
Wireshark
Read More Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.…
The Sysdig Threat Research Team (TRT) discovered the malicious use of a new network mapping tool called SSH-Snake that was released on 4 January 2024. SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.…
HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users – individuals – rather than institutions and companies. Its prevalence isn’t remarkably large, nor is the requested ransom payment amount, which has allowed the strain to stay relatively under the radar thus far.…
Introduction
Read More Cado Security Labs researchers have recently encountered a novel malware campaign targeting Redis for initial access. Whilst Redis is no stranger to exploitation by Linux and cloud-focused attackers, this particular campaign involves the use of a number of novel system weakening techniques against the data store itself. …
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe.
The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.…
Read More Reliable uptime monitoring Uptime Robot…
ReversingLabs researchers have observed a clear trend in which open-source platforms and code have become the stage for a growing and diverse range of malicious activity and campaigns. This trend includes hosting malicious command-and-control (C2) infrastructure, storing stolen data, and delivering second- and third- stage malware including downloaders and rootkit programs.…
Today’s attackers are taking advantage of changing business dynamics to target people everywhere they work. Staying current on the latest cybersecurity attack vectors and threats is an essential part of securing the enterprise against breaches and compromised data.…
SUMMARY
Read More The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.…
By Pham Duy Phuc, Max Kersten in collaboration with Noël Keijzer and Michaël Schrijver from Northwave · February 14, 2024
Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live off the stolen money, but also to reinvest into their shady practice.…
Recently we got our hands on a set of samples which had a big data section with high entropy and had fake executable information like WinRar, Chrome, CustomRP, etc. Out of curiosity we analysed one but we weren’t able to find any interesting Win32APIs used by this sample.…
Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.…
Read More Last updated at Tue, 27 Feb 2024 17:16:10 GMT
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.…