Summary:

Earth Estries employs sophisticated attack chains utilizing various malware, including Zingdoor and Snappybee, to exploit vulnerabilities in systems like Microsoft Exchange servers. Their tactics involve maintaining persistence, lateral movement, and data exfiltration through a combination of custom tools and established malware.

Key Points:

Earth Estries targets government and tech sectors since at least 2020.…

Summary:

The article outlines various phishing attempts through email, detailing the types of attachments used and the number of users targeted. The emails primarily involve financial documents and requests, indicating a focus on exploiting business transactions.

Key Points:

Multiple phishing emails targeting users with financial documents. Attachments include various file types such as rar, zip, and exe.…

Threat Actor: Unknown Hacker
Victim: Nokia
Price: Offered to reputable buyers on the dark web
Exfiltrated Data Type: Sensitive credentials and source code

Key Points:

A significant data breach exposed Nokia’s source code through a third-party contractor. Leaked information includes SSH keys, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded passwords.…

Short Summary:

The Sysdig Threat Research Team uncovered a global operation named EMERALDWHALE, which targeted exposed Git configurations, resulting in the theft of over 15,000 cloud service credentials. The attackers exploited misconfigured web services to steal credentials, clone private repositories, and extract sensitive data. The stolen credentials, valuable for phishing and spam campaigns, were stored in an S3 bucket belonging to a previous victim.…


Threat Actor: Unknown
Victim: RANEPA University
Price: Not disclosed
Exfiltrated Data Type: Personal information and IT configurations

Key Points:

RANEPA University in Russia was compromised in a cyberattack. Attackers accessed key systems including OwnCloud, phonebook, and GLPI. Leaked data includes sensitive IT configurations like SMTP settings and LDAP URLs.…

Short Summary:

The article discusses the analysis of a packed Snake Keylogger malware sample. It details the reverse engineering process, including unpacking techniques, the use of .NET obfuscation, and the malware’s capabilities such as keylogging and clipboard hijacking. The analysis also highlights the malware’s communication with the threat actor’s Telegram bot and the extraction of various indicators of compromise (IOCs).…


Summary: ESET researchers have uncovered a sophisticated cyberespionage campaign by the APT group GoldenJackal, targeting air-gapped systems within governmental organizations in Europe. This blogpost details previously undocumented tools used by the group, highlighting their capabilities and the timeline of their attacks from 2019 to 2024.

Threat Actor: GoldenJackal
Victim: Governmental organizations in Europe

Key Point:

GoldenJackal has been targeting air-gapped systems since at least 2019, using a custom toolset that includes GoldenDealer, GoldenHowl, and GoldenRobo.…

Short Summary:

ESET researchers have uncovered a series of cyberespionage attacks attributed to the APT group GoldenJackal, targeting governmental organizations in Europe. The group has utilized sophisticated tools to compromise air-gapped systems, aiming to steal confidential information. This blogpost details the previously undocumented tools and their functionalities, highlighting GoldenJackal’s capabilities and persistence in targeted networks.…


Summary: Cybersecurity researchers are alerting organizations about active exploitation attempts of a newly disclosed vulnerability, CVE-2024-45519, in Synacor’s Zimbra Collaboration software. The flaw allows unauthenticated attackers to execute arbitrary commands, prompting urgent patching recommendations from security experts.

Threat Actor: Unknown
Victim: Synacor

Key Point:

Exploitation attempts began shortly after the vulnerability was disclosed, indicating a rapid response from threat actors.…

Summary: Attackers are exploiting a critical remote code execution vulnerability (CVE-2024-45519) in Zimbra’s SMTP server, prompting urgent patching by affected organizations. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands, leading to potential control over vulnerable systems.

Threat Actor: Unknown
Victim: Zimbra

Key Point:

Exploitation of CVE-2024-45519 began on Sept.…

Short Summary:

The article details various email payloads used in phishing attempts, specifically focusing on different types of attachments and the malware associated with them. The payloads target multiple users and utilize various compression formats to deliver malicious software.

Key Points:

Dates of incidents range from September 2, 2023, to September 30, 2024.…

Short Summary:

Attackers are exploiting legitimate web features to send spam, utilizing automated processes and human involvement to manipulate web forms and email servers. Credential stuffing is also a significant threat, allowing attackers to access email accounts and send spam from legitimate domains. The article discusses various methods used by spammers and tools that facilitate these attacks, while also providing recommendations for users to enhance their security.…


Short Summary:

This article discusses a series of malicious email campaigns that occurred in August 2024, targeting various users with different types of email payloads, including attachments and links. The campaigns utilized various malware types, such as xloader, snakekeylogger, and originlogger, to compromise users.

Key Points:

Multiple malicious email campaigns reported throughout August 2024.…

Short Summary:

The article discusses a phishing campaign that delivers a new variant of the Snake Keylogger through a malicious Excel document. This keylogger is capable of collecting sensitive information from victims’ computers, including saved credentials, keystrokes, and screenshots. The campaign exploits a known vulnerability to execute its payload and employs various techniques to evade detection.…


Short Summary:

The article discusses a phishing campaign that delivers a new variant of the Snake Keylogger through a malicious Excel document. This keylogger is capable of stealing sensitive information from Windows users, including saved credentials, keystrokes, and screenshots. The analysis details the methods used to execute the attack, including exploiting vulnerabilities and employing various scripting languages to download and execute the keylogger.…


Short Summary:

The article discusses a phishing attack that led to a malware infection involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. eSentire’s Threat Response Unit (TRU) details their investigation, response, and recommendations for enhancing security measures against such threats.

Key Points:

eSentire operates 24/7 Security Operations Centers (SOCs) with elite threat hunters.…

Short Summary:

Kimsuky is a North Korean APT group focused on intelligence collection, particularly targeting South Korean entities, as well as the U.S. and Europe. Active since at least 2012, Kimsuky employs phishing tactics to infiltrate university networks and steal sensitive information. Recent advisories from the NSA and FBI highlight their use of social engineering and misconfigured DMARC records to facilitate their operations.…
