Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.
In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager.…
Using the Wiz Runtime Sensor, we have recently detected a new fileless attack targeting cloud workloads. The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique. As far as we know, this is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild, and our evidence shows close to 200 instances where this attack was used for cryptomining.…
August 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply patches, which supersede the mitigations listed in this blog, as soon as possible.
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America.…
WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022.
The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!,…
Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies.…
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.…
July 06, 2023
Joshua Miller, Pim Trouerbach, and the Proofpoint Threat Research Team
Key TakeawaysTA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets. TA453 in May 2023 began deploying LNK infection chains instead of Microsoft Word documents with macros. …How many times have we heard “It takes just one click”? Well, in this case it took approximately three. In May 2023, the ReliaQuest Threat Hunting Team responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”…
Meduza Stealer … Yes, you read it right, I did not misspelled it, is a new stealer that appeared on Russian-speaking forums at the beginning of June 2023. The stealer is written in C++ and is approximately 600KB in size. The DLL dependencies are statically linked to the binary, which reduces the detection.…
Volexity works with many individuals and organizations often subjected to sophisticated and highly targeted spear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets.…
DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.
The DDoSia project was launched on Telegram in early 2022. The NoName057(16) main group main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users.…
QR Code usage has skyrocketed in recent years. In fact, 97% of consumers had no idea what a QR Code was in 2012. But by 1Q22, Americas led the world in QR code usage with 2,880,960 scans, making these quirky codes an appealing path for new and sophisticated phishing campaigns.1,2
…
During the week of February 20, 2023, Sophos X-Ops MDR team received two separate requests for threat hunts related to unusual activity in two customers’ Microsoft 365 (formerly Office 365) environments. This prompted an investigation into sets of Microsoft Graph security events forwarded to Sophos XDR, to identify whether suspicious or malicious activity occurred.…
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
Skip to how to use the Akira Ransomware DecryptorNote that this ransomware is not related to the Akira ransomware discovered by Karsten Hahn in 2017 and our decryptor cannot be used to decrypt files from this old variant.…
AhnLab Security Emergency response Center (ASEC) has recently discovered that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services. [1] Actual logs from the AhnLab Smart Defense (ASD) infrastructure also show attacks being launched through RDP.…
Recently, while monitoring dark web forums and Telegram channels, the Uptycs Threat Research team made a compelling discovery: a formidable menace dubbed The Meduza Stealer. …
Introduction
On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT. The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it’s not like the GuLoader or ModiLoader samples I’ve run across so far. …
Since April, Morphisec Labs has been closely monitoring an active GuLoader campaign that primarily focuses on law firms, along with healthcare and investment firms, specifically within the United States. GuLoader, also known as Cloudeye, has been active for over three years, continuously evolving over time. Its developers employ a range of anti-analysis techniques, making it challenging for security researchers to analyze.…
AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from June 11th, 2023 to June 17th, 2023 and provide statistical information on each type.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.…