Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
At the beginning of this year, we released a detailed publication on Vidar infrastructure, encompassing both the primary administrative aspects, and the underlying backend. In that publication, we highlighted three key insights:
Russian VPN gateways had the potential to confer anonymity to Vidar operators and customers, thereby rendering it more arduous for analysts to attain a comprehensive understanding of the threat.…
Since November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a malicious campaign targeting the manufacturing, commercial, and healthcare organizations. The campaign is similar to the one reported by Trend Micro researchers in December 2020. The campaign is believed to be conducted by native Russian speaking threat actor(s).…
How do you know when something is in hot demand in the underground economy?…
Since December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer malware infections in the manufacturing industry. It’s distributed via fake Google Ads for Notepad++ installer. Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, Chrome, etc.…
More recently, Symantec has observed Shuckworm leveraging more IP addresses in their PowerShell scripts. This is likely an attempt to evade some tracking methods employed by researchers.
Shuckworm also continues to update the obfuscation techniques used in its PowerShell scripts in an attempt to avoid detection, with up to 25 new variants of the group’s scripts observed per month between January and April 2023.…
As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provide greater clarity into the tools and techniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense.…
Gaming has gained immense popularity, attracting millions of players globally, primarily due to the wide range of game options available, strong community engagement, and its entertainment value. Unfortunately, this widespread appeal has also attracted the attention of Threat Actors (TAs), who seek to exploit gamers by targeting games with large user bases to maximize their potential victims.…
Summary
The RomCom threat actor has been carefully following geopolitical events surrounding the war in Ukraine, targeting militaries, food supply chains, and IT companies. In RomCom’s latest campaign, the BlackBerry Threat Research and Intelligence team observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based…
Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first publicly outed in March 2022 by Proofpoint researchers after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war.…
SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.…
Apache NiFi describes itself as “an easy-to-use, powerful, and reliable system to process and distribute data.” [1] In simple terms, NiFi implements a web-based interface to define how data is moved from a source to a destination. Users may define various “processors” to manipulate data along the way.…
Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia. …
Cyble Research and Intelligence Labs (CRIL) recently uncovered a new strain of malware named “MDBotnet” on a cybercrime forum. Our analysis indicates that the origins of this malware can be attributed to a Threat Actor (associated with Russia. This MDBotnet malware has been specifically designed for carrying out distributed denial-of-service (DDoS) attacks on targeted victims by employing an HTTP/SYN flood attack technique.…
A Data-Driven Approach based on Analysis of Network Telemetry
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g.,…
I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise. Anecdotally, I’ve seen it in multiple cases in 2023 more so than before. It’s difficult to quantify without doing extensive research, it is something for other analysts to be aware of more at least. …
Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.…
This blog post was authored by Malwarebytes’ Roberto Santos and Fortinet’s Hossein Jazi
While the official conflict between Russia and Ukraine began in February 2022, there is a long history of physical conflict between the two nations, including the 2014 annexation of Crimea by Russia and when the regions of Donetsk and Luhansk declared themselves independent from Ukraine and came under Russia’s umbrella.…
In late 2022, Bitdefender Labs detected a cyberattack targeting foreign government institutions in Kazakhstan. While investigating this incident, it was revealed that this was a highly targeted attack designed to exfiltrate data. We decided to postpone publishing our findings and monitored the region for other similar attacks.…
A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016.…