Identifier: TRR240101.

On 2023-12-28, the Ukrainian government computer emergency and incident response team (CERT-UA) described a malicious espionage campaign that targeted government organizations in Ukraine. CERT-UA attributed the campaign to the APT28 threat-actor (aka Sofacy, Fancy Bear, etc.).

The malicious campaign leveraged spear-phishing to trick users into visiting a remote HTML page and opening a Windows shortcut, which in turn enabled the deployment of remote execution tools (MASEPIE, OCEANMAP), a credential stealer (STEELHOOK) as well as publicly available reconnaissance and credentials harvesting tool (Impacket).…

Read More

[Update] January 30, 2024: “Official Attributions of Star Blizzard”

Within the continuously changing cyber threat landscape, the strategies of Star Blizzard unfold with a calculated precision, resembling a strategic orchestration. Spear-phishing, in this context, mirrors a carefully planned and executed maneuver. This elusive group, exhibiting a level of sophistication comparable to seasoned experts, systematically identifies specific individuals and groups as their targeted audience.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).…

Read More

One hacker collective continues to confound federal law enforcement and cybersecurity experts — the Scattered Spider. Known by a multitude of aliases such as Muddled Libra, UNC3944, Starfraud, and Octo Tempest, this hacking group has not only infiltrated major corporate networks like MGM Resorts and Caesars Entertainment but has done so with a bold audacity that leaves many wondering.…

Read More

Huntress SOC analysts recently alerted customers regarding two disparate endpoints identified as being minimally impacted by ransomware; that is, only a limited number of ransomware canary files were encrypted. In neither instance was there any indication of the threat actor conducting reconnaissance activities beyond the impacted endpoint, nor attempting to move laterally to other endpoints within the infrastructure. …

Read More
SUMMARY

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.…

Read More

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.…

Read More

Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise.…

Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More

On December 19th, the Israel National Cyber Directorate released an urgent alert warning regarding a phishing campaign actively targeting Israeli customers using F5’s network devices. We’ve labeled this campaign Operation HamsaUpdate. It features the deployment of a newly developed wiper malware that targets both Windows and Linux servers.…

Read More
Executive SummaryOverlaps in targeting, malware characteristics, and long-term malware evolutions post 2018 suggest that the Gaza Cybergang sub-groups have likely been consolidating, possibly involving the establishment of internal and/or external malware supply lines. Gaza Cybergang has upgraded its malware arsenal with a backdoor that we track as Pierogi++, first used in 2022 and seen throughout 2023.…
Read More