Summary:
In May 2024, Unit 42 researchers identified a resurgence of the Silent Skimmer campaign, where a financially motivated threat actor compromised multiple web servers to access payment information. The attackers exploited known vulnerabilities in Telerik UI and employed various techniques for persistence and data exfiltration, including web shells and reverse shells.…
Summary:
This report discusses the ClickFix social engineering tactic, which utilizes deceptive web pages to trick users into executing malicious PowerShell commands, leading to system infections. The analysis highlights various infection chains, detection opportunities, and the evolution of this tactic within the cybersecurity landscape.
Key Points:
ClickFix is a new social engineering tactic monitored since May 2024.…
Summary:
This article discusses an incident involving a threat actor’s unsuccessful attempt to bypass Cortex XDR, which inadvertently provided valuable insights into their operations. Through the investigation, Unit 42 uncovered the use of an AV/EDR bypass tool and identified the threat actor’s identity, revealing their tactics and tools utilized in the attack.…
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident involving collaboration with the Play ransomware group. This marks a significant shift in Jumpy Pisces’ tactics, indicating their deeper involvement in the ransomware landscape, moving from cyberespionage to potential ransomware attacks targeting a wide range of victims globally.…
Summary: Sophos is acquiring Secureworks for $859 million to enhance its cybersecurity offerings and expand its customer base, with the deal expected to close in early 2025. The acquisition aims to integrate Secureworks’ detection and response capabilities into Sophos’ existing platform, while also developing new services in identity detection and security management.…
Short Summary:
The Cybereason Threat Analysis report investigates the Beast Ransomware-as-a-Service (RaaS) platform, detailing its capabilities, operational methods, and recommendations for defense. The report highlights the group’s expanding marketplace, customizable binaries, and advanced detection and prevention techniques employed by the Cybereason Defense Platform.
Key Points:
Expanding Marketplace: Beast Ransomware group continuously updates tools to attract a wider audience in the cybercrime ecosystem.…
Short Summary:
The Trend Micro Threat Hunting Team has identified EDRSilencer, a red team tool that can disrupt endpoint detection and response (EDR) solutions by blocking their communication with management consoles. This tool is being repurposed by threat actors to evade detection, complicating malware identification and removal.…
Short Summary:
In July 2024, Palo Alto Networks identified Lynx ransomware, a successor to INC ransomware, which has targeted various sectors in the U.S. and UK. Lynx operates under a ransomware-as-a-service model and employs double-extortion tactics, exfiltrating data before encryption. The article outlines the delivery mechanisms, technical analysis, and comparisons with INC ransomware, emphasizing the need for robust cybersecurity measures.…
Unit 42 has identified ongoing malicious activities by North Korean threat actors, known as the CL-STA-240 Contagious Interview campaign. These actors pose as recruiters to lure job seekers into downloading malware, specifically the BeaverTail downloader and the InvisibleFerret backdoor. The campaign has evolved with updates to the malware, which now targets both macOS and Windows platforms, and includes features for stealing sensitive data, particularly cryptocurrency wallets.…
Summary: Security Operations Center (SOC) practitioners are increasingly frustrated with their current threat detection tools, which create excessive alerts and hinder their ability to identify real threats. Despite growing confidence in their capabilities and optimism about AI’s potential, many practitioners feel overwhelmed by the number of tools and alerts they manage, leading to a search for more effective solutions like extended detection and response (XDR).…
The article discusses a phishing campaign utilizing the Mamba 2FA phishing kit, which mimics Microsoft 365 login pages and employs advanced techniques to capture user credentials and multi-factor authentication (MFA) inputs. The campaign has shown significant evolution and commercialization, indicating a widespread threat to users of Microsoft services.…
Short Summary:
The article provides an in-depth analysis of the NOOPLDR and NOOPDOOR malware tools, focusing on their capabilities, methods of operation, and persistence mechanisms. It details how these tools utilize DLL side-loading, code obfuscation, and registry manipulation to execute malicious payloads while evading detection through various techniques.…
Summary: Microsoft has reported a multi-staged attack by the threat actor Storm-0501, which compromised hybrid cloud environments leading to data exfiltration, credential theft, and ransomware deployment across various sectors in the United States. This financially motivated cybercriminal group has evolved from targeting educational institutions to exploiting vulnerabilities in cloud infrastructures, emphasizing the need for enhanced security measures in hybrid environments.…
In light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.…
Unit 42 researchers have identified two new malware samples associated with the North Korean threat group Sparkling Pisces, including a keylogger named KLogEXE and a backdoor variant called FPSpy. These findings highlight the group’s evolving capabilities and their continued targeting of South Korean entities.…
The article discusses the discovery of a new strain of the RomCom malware family, named SnipBot, which exhibits advanced techniques for evasion and obfuscation. This malware allows attackers to execute commands, download additional modules, and pivot through victim networks for data exfiltration. The investigation reveals the malware’s infection chain, post-infection activities, and the potential motivations behind the attacks.…
Short Summary:
This article discusses the discovery of a new post-exploitation red team tool called Splinter, identified on customer systems through Advanced WildFire’s memory scanning tools. It highlights the importance of continuous tracking and detection of such tools to enhance security. Splinter, developed in Rust, has standard post-exploitation features and poses a potential threat if misused.…
Short Summary:
Unit 42 researchers have identified an ongoing campaign that delivers Linux and macOS backdoors through poisoned Python packages, named PondRAT. This campaign is linked to the Gleaming Pisces threat actor, known for sophisticated attacks against the cryptocurrency industry. The researchers found significant code similarities between PondRAT and POOLRAT, another malware attributed to Gleaming Pisces.…
Summary: The report by Command Zero highlights the significant challenges faced by SecOps leaders, particularly the skills gap in cybersecurity and the operational difficulties with commonly used tools. It emphasizes the need for investment in talent development and continuous learning to address these issues effectively.
Key Point:
There is a significant skills shortage in cybersecurity, particularly in cyber investigations, leading to burnout among existing teams.…
Short Summary:
This article provides a comprehensive overview of North Korean threat groups under the Reconnaissance General Bureau (RGB) and their associated malware. It highlights the various operations these groups conduct, including espionage, financial crime, and destructive attacks. The article also discusses the detection and prevention capabilities of Palo Alto Networks Cortex XDR against these threats.…
Unit 42 researchers uncovered that the Chinese APT group, Stately Taurus, exploited Visual Studio Code in espionage operations targeting government entities in Southeast Asia. This novel technique involved using the embedded reverse shell feature of Visual Studio Code to gain unauthorized access to networks, marking its first observed use in the wild.…
The Unit 42 Managed Threat Hunting team has identified a variant of WikiLoader, known as WailingCrab, which is being delivered through SEO poisoning and spoofing of GlobalProtect VPN software. This article discusses the evasion techniques employed by WikiLoader, the specific tradecraft observed, and the implications for threat hunting and detection.…
Short Summary:
On August 19, 2024, Microsoft reported that a North Korean threat actor, Citrine Sleet, exploited a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution, targeting the cryptocurrency sector. This blog details the tactics, techniques, and procedures (TTPs) used in the attack, the FudModule rootkit, and provides recommendations for mitigation and detection.…
Short Summary:
Between April and July 2024, Microsoft identified the Iranian state-sponsored threat actor Peach Sandstorm deploying a new multi-stage backdoor named Tickler, targeting sectors such as satellite, communications, oil and gas, and government in the US and UAE. The group also conducted password spray attacks and intelligence gathering via LinkedIn, indicating a focus on intelligence collection for Iranian state interests.…
The threat actor group Bling Libra, known for the ShinyHunters ransomware, has shifted tactics from selling stolen data to extorting victims. They gained access to an organization’s AWS environment using legitimate credentials obtained from public repositories. Despite limited permissions, they conducted reconnaissance and deleted data from S3 buckets, ultimately sending an extortion email to the victim.…
Short Summary:
This publication outlines best practices for event logging to enhance cyber security and resilience against threats. Developed by the Australian Cyber Security Centre (ACSC) in collaboration with international partners, it emphasizes the importance of effective logging solutions to support incident response, reduce alert noise, and ensure compliance with organizational policies.…
Summary: This content discusses the evolving tactics of phishing attacks, particularly focusing on how threat actors exploit URL rewriting features of email security services to bypass protections. It highlights the alarming trend of attackers manipulating these security measures to deliver malicious links disguised as legitimate URLs.…
Unit 42 researchers uncovered a cloud extortion campaign that exploited misconfigurations, particularly exposed environment variable files (.env files), to compromise and extort multiple organizations. The attackers utilized various tactics, including scanning for sensitive information and leveraging cloud services, to execute their operations and ransom data without encryption.…
The rise of DeathGrip ransomware, a Ransomware-as-a-Service (RaaS) model, highlights the decreasing barrier to entry for cybercriminals. With tools like LockBit 3.0 and Yashma/Chaos readily available, even those with minimal skills can launch sophisticated attacks. DeathGrip promotes its services through Telegram, offering features such as advanced encryption, security evasion techniques, and system manipulation capabilities.…
Summary: Email attacks have surged by 293% in the first half of 2024 compared to the same period in 2023, with ransomware detections also increasing significantly. The report highlights the targeting of small and medium-sized businesses (SMBs), particularly in government and healthcare, and the emerging use of AI in cyber threats.…
The RHADAMANTHYS stealer has emerged as a sophisticated threat targeting Israeli users through social engineering tactics, particularly phishing emails. This malware, developed by Russian-speaking actors, employs a multi-stage infection process, advanced anti-analysis techniques, and extensive data exfiltration capabilities, posing a significant risk to sensitive information.…
Short Summary:
The article discusses a campaign by the Russian threat actor Fighting Ursa, which used a car advertisement as a lure to distribute the HeadLace backdoor malware targeting diplomats. The campaign began in March 2024 and involved sophisticated tactics, including the use of legitimate services to host malicious content.…
A recent faulty configuration file in CrowdStrike’s Falcon platform caused a significant IT disruption, rendering millions of Windows machines inoperable. The result was a multi-day outage event, which affected critical sectors such as airlines, banks, and hospitals, and underscored the immense responsibility and potential risk associated with kernel accessibility given to a third-party security solution. …
Written by Mitigant (Kennedy Torkura) and Sekoia.io Threat Detection and Research (TDR) team (Erwan Chevalier and Guillaume Couchard).
Introduction
Enterprises are increasingly using cloud infrastructure to take advantage of its underlying benefits. Unlike traditional data centres, cloud infrastructure affords business agility at a cheaper cost.…
In this post, we share information about how security professionals can take analysis shortcuts to quickly triage and analyze multiple malware samples. Within minutes, we can determine the malware families from a group of samples, parse the embedded configuration and extract the associated network indicators of compromise (IoCs).…
This investigation allowed us to intercept network communications and malware deployed on a TP-Link router compromised by the Quad7 botnet in France.…
Executive Summary
Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub:
LangChain’s website states that more than one million builders use LangChain frameworks for LLM app development.…
Executive Summary
The ransomware group RA Group, now known as RA World, showed a noticeable uptick in their activity since March 2024. About 37% of all posts on their dark web leak site have appeared since March, suggesting this is an emerging group to watch.…
On May 23, 2023, the U.S., Australia, New Zealand, Canada and the U.K. issued a joint advisory about a suspected Chinese state-sponsored threat actor group that infiltrates firewalls, routers and virtual private networks (VPNs) belonging to critical infrastructure organizations. The group is primarily referred to as Volt Typhoon aka BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, VOLTZITE.…
Executive Summary
This article reviews container escape techniques, assesses their possible impact and reveals how to detect these escapes from the perspective of endpoint detection and response (EDR).
As cloud services rise in popularity, so does the use of containers, which have become an integrated part of cloud infrastructure.…
When the shortcut is executed, it downloads a PowerShell script, initiating a chain of events that ultimately allows the Threat Actor (TA) to gain Remote Desktop Protocol (RDP) access to the victim’s system. …
Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.
Report Highlights:
In May, ZDI threat hunters under Trend Micro’s Zero Day Initiative discovered a vulnerability that the APT group Void Banshee had been exploiting in an updated Atlantida Stealer campaign.…
A supply chain attack is a prominent “Initial Access” tactic employed by malware authors and Advanced Persistent Threat (APT) groups to gain a foothold on their targeted hosts or systems. This method involves compromising a third-party service or software that is trusted by the target, thereby injecting malicious code into legitimate software updates or distributions.…
Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware.…
This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware.
Sandboxes with limited computing resources can struggle to analyze a large volume of binaries.…
Mallox ransomware, also known as Fargo, TargetCompany, Mawahelper, and other names, has been active since mid-2021. Its operation was also observed transitioning to the Ransomware-as-a-Service distribution model from mid-2022.
Mallox group focuses on multi-extortion, encrypting their victims’ data and threatening to post it on their public TOR-based sites.…
On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1).…