Found 71 bookmarks
Custom sorting
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024. On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.
#Mandiant#EN#2025#CVE-2025-0282#CVE-2025-0283#IoC#exploitation#analysis#postexploitation#Ivanti
·cloud.google.com·
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
A Measure of Motive: How Attackers Weaponize Digital Analytics Tools | Google Cloud Blog
A Measure of Motive: How Attackers Weaponize Digital Analytics Tools | Google Cloud Blog
Digital analytics tools are useful, but can also be used for malicious purposes. Digital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content to their brand’s biggest fan base, tools like link shorteners, location trackers, CAPTCHAs, and digital advertising platforms each play their part in making information universally accessible and useful to all.
#Mandiant#EN#2024#Attackers#Weaponize#Digital#Analytics#UNC1189#link-shortner#ma.sk
·cloud.google.com·
A Measure of Motive: How Attackers Weaponize Digital Analytics Tools | Google Cloud Blog
UNC4393 Goes Gently into the SILENTNIGHT
UNC4393 Goes Gently into the SILENTNIGHT
In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site purporting over 500 victims since inception. Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.
#Mandiant#EN#2024#QAKBOT#UNC4393#BlackBasta#SILENTNIGHT
·cloud.google.com·
UNC4393 Goes Gently into the SILENTNIGHT
APT41 Has Arisen From the DUST
APT41 Has Arisen From the DUST
  • In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period. APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive
#Mandiant#EN#2024#APT41#Italy#Spain#Taiwan#Thailand#Turkey#UK#dustpan#BEACON#DUSTTRAP
·cloud.google.com·
APT41 Has Arisen From the DUST
UNC3944 Targets SaaS Applications
UNC3944 Targets SaaS Applications
UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider" and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.
#Mandiant#EN#2024#UNC3944#SaaS#Applications#Scattered-Spider#TTPs
·cloud.google.com·
UNC3944 Targets SaaS Applications