This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new profiles that are not available on public repositories. We will highlight the distinct techniques attackers use to exploit the Cobalt Strike platform and circumvent signature-based detections.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.…
Cyble Research and Intelligence Labs (CRIL) investigated a new ransomware named Wagner. This ransomware is a variant of Chaos ransomware. During our analysis, we found that the ransom note dropped by this ransomware, instead of demanding money, urges users to join the PMC Wagner.…
How do you know when something is in hot demand in the underground economy?…
The Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.…
EclecticIQ researchers identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities, including critical infrastructure.
The command-and-control infrastructure was publicly exposed to the internet. Based on log and meta data found on the server, EclecticIQ analysts assess with high confidence the threat actor performed offensive cyber operations, including reconnaissance, malware delivery, and post-exploitation against selected targets.…
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.…
This post is also available in: 日本語 (Japanese)
Executive SummaryDuring 2022, analysts from Unit 42 observed the rampant adoption of the InterPlanetary File System (aka IPFS) being used as a vehicle for malicious intent. IPFS is a Web3 technology that decentralizes and distributes the storage of files and other data into a peer-to-peer network.…
Imagine you are a homeowner who wants to protect your valuable assets against theft. Vulnerability management is like installing a security system in your home. If someone tries to break in, it will help alert you to an unexpected open door or broken window. However, it cannot eliminate risk entirely.…
Published On : 2023-04-03
EXECUTIVE SUMMARYThe CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware.…
We present a case study of the cyberespionage efforts by Earth Preta. This study on an active campaign delves into the structure, goals, and requirements of the organizations involved, and provides an opportunity to conduct wider intelligence analysis and insights in the development of effective countermeasures.…
Since our initial report on the ransomware group known as BianLian, we have continued to keep an eye on their activities. Unfortunately, and sadly not surprisingly, the group continues to operate and add to their ever-growing list of victims. Having continued to research BianLian for the past six months or so, we felt the time was right to share an update and some of our findings with the larger community.…
MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).
Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files.…
Ransomware is a significant threat that can encrypt its victims’ files and demand a ransom. Additionally, the Threat Actors (TAs) responsible for these attacks often use a double extortion technique, where they encrypt the files and exfiltrate sensitive data from the victim’s device before encryption.…
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft | Sysdig
Show Table of Contents + Hide −
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.…
Starting on January 20 2023, Bitdefender Labs started to notice a global increase in attacks using the ManageEngine exploit CVE-2022-47966. This Remote Code Execution (RCE) vulnerability (CVSSv3 critical score 9.8) allows full takeover of the compromised system by unauthenticated threat actors. A total of 24 different products from Zoho ManageEngine are vulnerable.…
Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.
Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.…
One of the largest universities in Israel was recently targeted by a new ransomware called “DarkBit”, and the Threat Actor (TAs) identity behind the attack is still being investigated. While it’s uncertain whether the perpetrator is a disgruntled employee, pro-Palestinian activist, or a combination of both, the ransom note and social media accounts of the DarkBit group may offer some clues about their motives.…
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit.…