Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
Akira ransomware continues to evolve
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
Ongoing Social Engineering Campaign Refreshes Payloads
On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7.
UNC3944 Targets SaaS Applications
UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider" and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.
Operation Crimson Palace: A Technical Deep Dive – Sophos News
Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia. As described in the first part of this report, we identified at least three distinct clusters of intrusion activity present in the organization’s network from at least March 2023 through December 2023. The three security threat activity clusters—which we designated as Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305) – are assessed with high confidence to operate on behalf of Chinese state interests. In this continuation of our report, we will provide deeper technical analysis of the three activity clusters, including the tactics, techniques, and procedures (TTPs) used in the campaign, aligned to activity clusters where possible. We also provide additional technical details on prior compromises within the same organization that appear to be connected to the campaign.
Advanced Cyber Threats Impact Even the Most Prepared
Foreign nation-state cyber adversaries are tenacious. Their attacks are evolving to get around the industry’s most sophisticated defenses. Last year was exploitation of routers, and this year’s theme has been compromise of edge protection devices. MITRE, a company that strives to maintain the highest cybersecurity possible, is not immune. Despite our commitment to safeguarding our digital assets, we’ve experienced a breach that underscores the nature of modern threats. In this blog post, we provide an initial account of the incident, outlining the tactics, techniques, and procedures (TTPs) employed by the adversaries, as well as some of our ongoing incident response efforts and recommendations for future steps to fortify your defenses.
The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog
Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.
Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
The Trend Micro threat hunting team came across an RA World attack involving multistage components designed to ensure maximum impact.
BlackCat Ransomware Affiliate TTPs
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.
Scattered Spider laying new eggs
Discover the techniques, tactics (TTPs) used by Scattered Spider intrusion set, including social engineering and targeted phishing campaigns.
MERCURY and DEV-1084: Destructive attack on hybrid environment - Microsoft Security Blog
Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments.
Bundesamt für Verfassungsschutz - Counter-intelligence - Joint Cyber Security Advisory
Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
We have been seeing notable changes to TTPs used in GOOTLOADER operations since 2022.
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.
Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include: * Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor. * Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections. * Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions.
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks.
MERCURY and DEV-1084: Destructive attack on hybrid environment - Microsoft Security Blog
Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments.
Bundesamt für Verfassungsschutz - Counter-intelligence - Joint Cyber Security Advisory
Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
We have been seeing notable changes to TTPs used in GOOTLOADER operations since 2022.
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.
Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include: * Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor. * Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections. * Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions.
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks.
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks.