Executive Summary
SentinelLabs has conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by The Polish CBZC and Ukraine CERT. Our research has uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments.…
Read More
Tag: RUSSIA
Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.
YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis.…
Read More
Summary
NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.…
Prometei botnet continued its activity since Cisco Talos first reported about it in 2020. Since November 2022, we have observed Prometei improving the infrastructure components and capabilities. More specifically, the botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods.…
Read More
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
ESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group. This backdoor is part of an ongoing campaign that we can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.…
The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.…
Executive Summary
Read More
EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation – a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.…
We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.
In 2021, we observed several targeted attacks against researchers of academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified the new intrusion set we have named “Earth Yako”.…
EXECUTIVE SUMMARY
Since at least 2019, the Mustang Panda threat actor group has targeted government and public sector organizations across Asia and Europe [3] with long-term cyberespionage campaigns in line with strategic interests of the Chinese government.
In November 2022, Mustang Panda shifted from using archive files to using malicious optical disc image (ISO) files containing a shortcut (LNK) file to deliver the modified version of PlugX malware.…
Read More
Since the infamous Conti ransomware group disbanded due to source code leaks during the Russia-Ukraine war, the LockBit group has claimed dominance. The group has adopted new extortion techniques and added a first-of-its-kind bug-bounty program, along with many features, to advance their new leak site. Upon investigation and analysis, we have determined that the new LockBit 3.0 variant has a high infection vector and attack chain exhibiting substantial anti-forensic activity.…
Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
Executive SummaryBlueBravo is a threat group tracked by Recorded Future’s Insikt Group that overlaps with the Russian advanced persistent threat (APT) activity tracked as APT29 and NOBELIUM.…
by Joe Stewart and Keegan Keplinger, Security Researchers with eSentire‘s Threat Response Unit (TRU)
Executive SummaryFor the past 16 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking one of the most capable and stealthy malware suites — Golden Chickens. Golden Chickens is the “cyber weapon of choice” for three of the top money making, longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.…
Written by Jon DiMaggio.
Table of Contents
I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred.…
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.…
Affected Platforms: FortiOSImpacted Users: Government & large organizationsImpact: Data loss and OS and file corruptionSeverity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.…
Executive Summary
Read More
This paper investigates a recent QakBot phishing campaign’s ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful installation of malicious software on victim device.. Key observations:
EclecticIQ analysts investigated QakBot phishing campaigns switching to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW).…
By Tom Hegel and Aleksandar Milenkoski
Executive Summary Pro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure. NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week.…Major drug markets in the Dark Web are now worth around $315 million annually
The Resecurity® Hunter unit performed an extensive analysis of current trends and dynamics related to the underground economy around active DNMs leveraging technical means and human intelligence (HUMINT) sources. Some results of this research (Drug Trafficking in the Dark Web – Status Report – 2022/2023) arranged by our team are provided within this blog post and are aimed to provide awareness for international law enforcement, cybercrime investigators and intelligence professionals. Some…