The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. …
Tag: XDR
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October …
Earlier this year, a software vendor was compromised by the Lazarus malware delivered through unpatched legitimate software. What’s remarkable is that these software vulnerabilities were not new, and despite warnings …
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of …
This blog discusses how threat actors abuse Discord’s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware.
Our latest …
Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators …
Coauthored by Karthickkumar Kathiresan of Uptycs Threat Research Team…
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of …
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s …
This entry delves into threat actors’ intricate methods to implant malicious payloads within seemingly legitimate applications and codebases.
IntroductionAs technology evolves and the world becomes more interconnected, so do …
This post is also available in: 日本語 (Japanese)
Executive SummaryThe CL0P ransomware group recently began using torrents to distribute victim data after a successful campaign stealing data from thousands …
With contributions from Shingo Matsugaya
We delve into three of the most active ransomware families that dominated the first half of 2023: LockBit, Clop, and BlackCat.
Since 2022, our telemetry …
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor’s server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which …
This post is also available in: 日本語 (Japanese)
Executive SummaryWe observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we attribute …
This post is also available in: 日本語 (Japanese)
Executive SummaryA cluster of threat actor activity that Unit 42 observed attacking a Southeast Asian government target could provide insight into …
This post is also available in: 日本語 (Japanese)
Executive SummaryAn advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage …
This post is also available in: 日本語 (Japanese)
Executive SummaryTurla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is linked to …
This post is also available in: 日本語 (Japanese)
Executive SummaryEarlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) …
Summary
Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. …
A new remote access trojan threat has emerged in the realm of cybersecurity, referred to as QwixxRAT. Both businesses and individual users are at risk, as this Trojan silently infiltrates …
In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we’ve covered in previous blog entries.
In June 2023, Trend …
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually …
Awareness of the newest shifts and patterns is vital in the fast-changing world of cyber threats. This rings particularly true with ransomware, known for its quick changes and intricate tactics. …
In cloud environments, cryptojacking – a type of cyberattack that uses computing power to mine cryptocurrency – takes the form of cloud compute resource abuse, which involves a threat actor …
This post is also available in: 日本語 (Japanese)
Executive SummaryMallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft (MS) Windows systems. It has been active …
Threat Researchers: Nischay Hegde and Siddartha Malladi…
August 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply patches, which supersede the mitigations listed in this blog, as soon as possible.
Microsoft …
As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident …
DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the …
During the week of February 20, 2023, Sophos X-Ops MDR team received two separate requests for threat hunts related to unusual activity in two customers’ Microsoft 365 (formerly Office 365) …
Recently, while monitoring dark web forums and Telegram channels, the Uptycs Threat Research team made a compelling discovery: a formidable menace dubbed The Meduza Stealer. …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new profiles that are …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and …
Cryptojacking, the illicit use of computing resources to mine cryptocurrency, has become increasingly prevalent in recent years, with attackers building a cybercriminal economy around attack tools, infrastructure, and services to …
We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat …
The Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to our findings, the main goal of …
This post is also available in: 日本語 (Japanese)
Executive SummaryRoyal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September …
The Uptycs threat research team has discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created …
With recent reports that Charming Kitten group (aka Mint Sandstorm) is actively targeting critical infrastructure in the US and other countries, we would like to share the most recent insights …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux …
The Uptycs threat research team has discovered a new Linux malware, Poseidon, deployed by the APT-36 group, also known as Transparent Tribe. This Pakistan-based advanced persistent threat group is notorious …
The Aurora stealer is a notorious Golang-based information stealer that’s been gaining popularity from the end of 2022 through the first quarter of 2023. The Morphisec Threat Labs team has …
The Uptycs threat research team has identified a new variant of credential stealing malware, dubbed Zaraza bot, that uses telegram as its command and control. Zaraza is the Russian word …
Executive summary
TEHTRIS Threat Hunters analyzed illicit cryptomining activity targeting Linux-based machines. The attack happened on one of our high interaction honeypots hosted in France in mid-January across a short …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users’ wallets …
By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023
We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.
On the 4th …
Research by: Jiri Vinopal, Dennis Yarizadeh and Gil Gekker
Key Findings:
Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach,…February 15, 2024 update – On January 20, 2024, the US government conducted a disruption operation against infrastructure used by a threat actor we track as Forest Blizzard (STRONTIUM), a …