
Analysis Summary

The French information security agency ANSSI reported that Russia-linked APT group APT29, also known as Nobelium, Cozy Bear, and other aliases, has been targeting French diplomatic entities. Despite grouping these attacks under Nobelium, ANSSI differentiates between threat clusters, including one named Dark Halo responsible for the 2020 SolarWinds attack.…

Read More

Summary: Russian-aligned threat actor Nobelium has been continuously targeting French diplomatic entities and public organizations since 2021, according to the French cybersecurity agency ANSSI.

Threat Actor: Nobelium
Victim: French diplomatic entities and public organizations

Key Point:

Russian-aligned threat actor Nobelium has been targeting French diplomatic entities and public organizations since 2021.…
Read More

Summary: Russian hackers are suspected to be behind the disruption of an online broadcast of the Euro 2024 soccer tournament in Poland.

Threat Actor: Russian hackers
Victim: TVP (Polish public television network)

Key Point:

Russian hackers attacked the website of TVP, which was broadcasting the Polish national team’s opening match against the Netherlands in the Euro 2024 soccer tournament.…
Read More

Recent history could be termed the Age of Ransomware in the realm of cybercrime. Some threat actors, however, have found a way to profit without developing malware or using sophisticated techniques. SpaceBears is a new participant in the data-broker trend, which has gained momentum particularly since the major law-enforcement crackdowns on ransomware groups.…

Read More

Summary: Ukraine has signed a security agreement with the U.S. to enhance its defense against Russian invaders, including in cyberspace.

Threat Actor: Russian invaders
Victim: Ukraine

Key Point:

Ukraine has signed a long-anticipated security agreement with the U.S. to strengthen its defenses against Russian invaders, including in cyberspace.…
Read More

Summary: This content discusses the increase in cyber threat activities driven by major regional and global events, such as elections and military exercises.

Threat Actor: China-linked threat groups
Victim: Global government sector

Key Point:

China-linked threat groups, like Volt Typhoon, are responsible for 68.3% of all advanced persistent threat (APT) activities, with 23% of their activity targeting the global government sector.…
Read More

Summary: The Security Service of Ukraine (SSU) has dismantled the infrastructure used by pro-Russia Ukrainian residents to break into soldiers’ devices and deploy spyware. The infrastructure included bot farms and thousands of mobile numbers and Telegram accounts.

Threat Actor: Russian intelligence services
Victim: Ukrainian armed forces

Key Point:

The Security Service of Ukraine (SSU) dismantled the infrastructure used by pro-Russia Ukrainian residents to target Ukrainian soldiers.…
Read More

This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like they deserve special attention and investigation.

Qilin has been covered already by experts from Trend Micro, Secureworks, Group-IB, SentinelOne, SOCRadar, BleepingComputer, and MalwareHunterTeam.…

Read More

Summary: A Chinese espionage campaign targeting Fortinet edge devices has resulted in the compromise of at least 20,000 systems worldwide, including governments, international organizations, and defense industry companies.

Threat Actor: Chinese spies
Victim: Dutch defense networks, Western governments, international organizations, defense industry companies

Key Point:

A Chinese espionage campaign targeted Fortinet edge devices and exploited a zero-day vulnerability to deploy the Coathanger remote access Trojan (RAT) on Dutch defense networks.…
Read More

Summary: Hacktivists are conducting DDoS attacks on European political parties that oppose their interests during the European Parliament elections.

Threat Actor: Hacktivists
Victim: European political parties

Key Point:

Hacktivists are targeting European political parties that represent and promote strategies opposing their interests.…
Read More

Summary: The content discusses the seizure of 70 domains connected to a pig butchering scam that targeted members of the Russian diaspora through fraudulent cryptocurrency investments.

Threat Actor: Unknown
Victim: Members of the Russian diaspora

Key Point:

The Brooklyn District Attorney’s office seized 70 domains involved in a cryptocurrency scam that targeted the Russian-speaking community.…
Read More

Summary: A Russian hacktivist crew threatens to attack European internet infrastructure in retaliation for European Parliament-issued sanctions and opposition to the invasion of Ukraine.

Threat Actor: NoName057(16)
Victim: European Union (EU)

Key Point:

The Russian hacktivist crew NoName057(16), along with seven other groups, threatens to launch cyber attacks on European internet infrastructure.…
Read More

Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is considering an overhaul of its Joint Cyber Defense Collaborative (JCDC) due to criticism and challenges in its current form.

Threat Actor: N/A
Victim: N/A

Key Point:

The JCDC, established in 2021, aims to develop best practices in cybersecurity across industries and improve collaboration between the public and private sectors.…
Read More

In October 2023, we observed an intrusion that began with a spam campaign distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install ScreenConnect on multiple systems, which let them run commands and deploy Cobalt Strike beacons. Their toolkit also included CSharp Streamer, a C# RAT with numerous capabilities, as documented here.…
Read More
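As an added detection example (not code from this page or from the intrusion write-up it summarizes): the wmiexec step in the intrusion above leaves a recognizable process-creation artifact, because Impacket’s wmiexec.py runs each command as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1` under the WMI provider host (WmiPrvSE.exe) and reads the output file back over SMB. The rule below scans Sysmon/4688-style JSON events for that default redirect, plus a weaker "WmiPrvSE spawning a quiet cmd.exe" variant for operators who patch the output path out. All hostnames, users and command lines in the sample telemetry are constructed for the example.

```python
import json
import re
from collections import Counter
from typing import Iterator, Optional

# Impacket's wmiexec.py executes each command through the remote Win32_Process
# WMI class as:
#     cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1
# then reads the output file back over SMB and deletes it. The child cmd.exe is
# therefore spawned by the WMI provider host (WmiPrvSE.exe), and the loopback
# ADMIN$ redirect with a "__<timestamp>" file name is the default artifact.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE
)
# Weaker signal: WmiPrvSE.exe spawning a "quiet" cmd.exe (/Q /c). Operators who
# change the output path in wmiexec still tend to leave this shape behind.
QUIET_CMD = re.compile(r"\s/Q\s+/c\s", re.IGNORECASE)

# Constructed sample events (not real telemetry), one JSON object per line, in a
# Sysmon Event ID 1 / Security 4688 style shape. Hosts and users are made up.
SAMPLE_EVENTS = r"""
{"host": "WS01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1697032123.45 2>&1", "user": "CORP\\svc-backup"}
{"host": "WS01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /Q /c net user 1> \\\\127.0.0.1\\ADMIN$\\__1697032130.12 2>&1", "user": "CORP\\svc-backup"}
{"host": "WS02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users", "user": "CORP\\jdoe"}
{"host": "WS03", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo inventory", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "WS04", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /Q /c ipconfig /all 1> C:\\Windows\\Temp\\o.txt 2>&1", "user": "CORP\\svc-backup"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(event: dict) -> Optional[str]:
    """Return a severity for a wmiexec-like process creation, or None."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    # Both rules require the WMI provider host as the direct parent of cmd.exe.
    if not (parent.endswith("\\wmiprvse.exe") and image.endswith("\\cmd.exe")):
        return None
    if WMIEXEC_REDIRECT.search(cmdline):
        return "high"    # default wmiexec output redirect via loopback ADMIN$
    if QUIET_CMD.search(cmdline):
        return "medium"  # WMI-spawned quiet cmd.exe without the default redirect
    return None


def detect_wmiexec(text: str) -> list:
    """Run the rules over JSON-lines telemetry and return alert records."""
    alerts = []
    for ev in parse_events(text):
        severity = classify(ev)
        if severity:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "severity": severity,
                "cmdline": ev["cmdline"],
                "rule": "impacket-wmiexec",
            })
    return alerts


def alerts_per_host(alerts: list) -> dict:
    """Repeated hits on one host are the lateral-movement pattern worth chasing."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    found = detect_wmiexec(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['cmdline']}")
    print(alerts_per_host(found))
```

On the constructed sample this flags the two WS01 events as high and the WS04 event as medium, and ignores the explorer-spawned and non-quiet WMI children. Grouping hits by host and by the account used (here a single service account across machines) is what turns individual alerts into the lateral-movement story the write-up describes.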

Summary: The content discusses a new hacking campaign called “SickSync” launched by the UAC-0020 (Vermin) hacking group, targeting the Ukrainian defense forces and using the legitimate file-syncing software SyncThing in combination with malware called SPECTR.

Threat Actor: UAC-0020 (Vermin) hacking group
Victim: Ukrainian defense forces

Key Point:

The UAC-0020 (Vermin) hacking group, linked to the Luhansk People’s Republic (LPR) region occupied by Russia, has launched a new hacking campaign called “SickSync” targeting the Ukrainian defense forces.…
Read More

Cybercriminals can now launch distributed denial-of-service (DDoS) attacks with little effort by using DDoS booter services, online services that automate the attack process.

WhoisXML API threat researcher Dancho Danchev recently uncovered a user list for a popular DDoS booter service, which our research team used to build a profile and expand it to identify related artifacts.…

Read More