Introduction

Cado Security Labs researchers have recently encountered a novel malware campaign targeting Redis for initial access. Whilst Redis is no stranger to exploitation by Linux and cloud-focused attackers, this particular campaign involves the use of a number of novel system weakening techniques against the data store itself. …

Read More
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.…
Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.…

Read More

Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live off the stolen money, but also to reinvest into their shady practice.…

Read More
Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.…
Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Insidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China (PRC) state-sponsored cyber actors. This group focuses on pre-positioning themselves within U.S. critical infrastructure IT networks, likely in preparation for disruptive or destructive cyberattacks in the event of a major crisis or conflict with the United States.…

Read More
Key Takeaways As per our initial observations, this campaign employs language-specific HTML files to trap unsuspecting victims, tailoring its approach based on linguistic nuances.  Through the strategic embedding of zip archives within HTML files, the campaign orchestrates a series of intricate infiltration maneuvers, evading detection and executing malicious payloads. …
Read More

In late 2023, a new and distinct ransomware group named 3AM Ransomware emerged. It came to the forefront as a fallback for other ransomware, notably during failed deployments of the infamous LockBit ransomware and later their interesting choice in their website.

First reported by Symantec, the discovery and emergence of 3AM Ransomware marked a notable and interesting event in the cybercrime world.…

Read More

Available in the following solutions: Ransomware Mitigation, Automated Security Workflows, and Mitigate Supply Chain Risk

Available in the following modules: Threat Intelligence, and Geopolitical Intelligence

In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks.…

Read More

Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the Azure attack and offers suggestions that affected organizations can implement to protect themselves from it.…

Read More