Following NoName057(16) DDoSia Project’s Targets
DDoSia is a DDoS attack toolkit used by the pro-Russia hacktivist group NoName057(16) against countries critical the invasion of Ukraine.
Chinese Threat Actors Targeting Europe in SmugX Campaign
In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift to targeting European entities, with a focus on their foreign policy. The activity described in this report, utilizes HTML Smuggling to target governmental entities in Eastern Europe. This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).
Detecting Popular Cobalt Strike Malleable C2 Profile Techniques
We examine malicious Cobalt Strike case studies with distinct techniques using Malleable C2 profiles.
Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
Decrypted: Akira Ransomware
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
NCSC marks 20th anniversary of first response to state-sponsored cyber attack
In June 2003, GCHQ experts were involved in responding to a cyber attack against the UK Government for the first time.
TSMC Says Supplier Hacked After Ransomware Group Claims Attack on Chip Giant
The LockBit ransomware group claims to have hacked Taiwan Semiconductor Manufacturing Company (TSMC), but the chip giant says only one of its suppliers was breached. The notorious cybercrime group announced on Thursday on its website that it targeted TSMC, suggesting — based on the $70 million ransom demand — that it has stolen vast amounts of sensitive information. The victim was initially given seven days to respond, but the deadline has been extended to August 6 at the time of writing.
High school changes every student’s password to ‘Ch@ngeme!’
After a cybersecurity audit mistakenly reset everyone’s password, a high school changed every student’s password to “Ch@ngeme!” giving every student the chance to hack into any other student’s account, according to emails obtained by TechCrunch.
CVE-2023-27997 is Exploitable, and 69% of FortiGate…
Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. There are 490,000 affected SSL VPN interfaces exposed on the internet, and roughly 69% of them are currently unpatched. You should patch yours now
TSMC confirms data breach after LockBit cyberattack on third-party supplier
One of the world's biggest chipmakers confirmed a data breach after the LockBit ransomware gang targeted one of its third-party providers.
Malware Execution Method Using DNS TXT Record
AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware.
Meduza Stealer or The Return of The Infamous Aurora Stealer
Meduza Stealer malware analysis
SEC notifies SolarWinds CISO and CFO of possible action in cyber investigation
The Securities and Exchange Commission has notified the chief financial officer and CISO of SolarWinds about potential enforcement actions related to the 2020 cyberattack against the company’s Orion software platform, the company disclosed in a regulatory filing with the agency.
Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination
I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Dark Net Diaries, discussing his tracking of the Revil ransomware.)
Akira Ransomware Extends Reach to Linux Platform
Cyble Research & Intelligence Labs examines the Linux variant of Akira Ransomware and assesses its impact on various sectors.
Swiss intelligence warns of fallout in cyberspace as West clamps down on spies
The efforts by governments in Europe and elsewhere to degrade Russia's human intelligence networks could have blowback in other areas, Swiss intelligence is warning.
Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure
Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure, Author: Jan Kopriva
Microsoft Teams vulnerability allows attackers to deliver malware to employees
Security researchers have found a bug that could allow attackers to deliver malware directly into employees' Microsoft Teams inbox.
Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized
The dismantling of EncroChat in 2020 sent shockwaves across OCGs in Europe and beyond. It helped to prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime. OCGs worldwide illegally used the encryption tool EncroChat for criminal purposes. Since the dismantling, investigators managed to intercept, share and analyse over 115...
VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
Additional techniques UNC3886 utilized across multiple organizations to evade EDR solutions.
Siemens Energy confirms data breach after MOVEit data-theft attack
Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.
LetMeSpy, a phone tracking app spying on thousands, says it was hacked
A data breach reveals the spyware is built by a Polish developer
Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution
Our research team is committed to continuously identifying potential security vulnerabilities and techniques that threat actors may exploit to bypass existing security controls. In this blog post, our team is detailing on a comprehensive research specifically focused on process injection techniques utilized by attackers to deceive robust security products integrated into the security stack, such as EDRs and XDRs. Throughout the blog post, we will delve into various process injection techniques e
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia. Bumblebee is a malware loader first discovered in March 2022. It was associated with Conti group and was being used as a replacement for BazarLoader. It acts as a primary vector for multiple types of other malware, including ransomware. IcedID is a modular banking malware designed to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.
PyPI Attackers Still At It: Malicious Packages Drop Trojans and Info-stealers
Sonatype's malicious open source and malware detection systems found hundreds of malicious PyPI packages.
Emerging Threat! Exposing JOKERSPY
Explore JOKERSPY, a recently discovered campaign that targets financial institutions with Python backdoors. This article covers reconnaissance, attack patterns, and methods of identifying JOKERSPY in your network.
Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack
During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
Dissecting TriangleDB, a Triangulation spyware implant
In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. As of now, we have finished analyzing the spyware implant and are ready to share the details.
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389
FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year. Read more.