The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.
The MITRE Corporation has provided a new update on the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The organization's security team promptly launched an investigation, logged the threat actor out, and engaged third-party forensic incident response teams to conduct an independent analysis in collaboration with internal experts.
A previously undocumented APT group tracked as LilacSquid targeted organizations in the U.S., Europe, and Asia since at least 2021.
Cisco Talos researchers reported that a previously undocumented APT group, tracked as LilacSquid, has been conducting a data theft campaign since at least 2021.
The attacks targeted entities in multiple industries, including organizations in information technology and industrial sectors in the United States, organizations in the energy sector in Europe, and the pharmaceutical sector in Asia.
Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX.
Cloudflare researchers discovered a phishing campaign conducted by the Russia-linked threat actor FlyingYeti (aka UAC-0149) against Ukraine. The company published a report describing its real-time effort to disrupt and delay this threat activity.
At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, leading to significant debt ...
Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks against networks across Europe.
Researchers at Recorded Future's Insikt Group observed the Russian GRU unit APT28 targeting networks across Europe with the HeadLace infostealer and credential-harvesting web pages. The experts observed the APT deploying HeadLace in three distinct phases between April and December 2023, delivered via phishing, compromised internet services, and living-off-the-land binaries respectively. The credential-harvesting pages were designed to target Ukraine’s Ministry of Defence, European transportation infrastructure, and an Azerbaijani think tank. The credential-harvesting pages created by the group ...
Ukraine CERT-UA warned of cyber attacks targeting defense forces with SPECTR malware as part of a cyber espionage campaign dubbed SickSync.
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a cyber espionage campaign targeting the country's defense forces. CERT-UA attributes the attack to the threat actor UAC-0020, which employed malware called SPECTR as part of the campaign tracked as SickSync.
The threat actor UAC-0020, aka Vermin, operates under the control of the law enforcement agencies of the temporarily ...
Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus.
Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute specializing in microbiology and vaccine development.
In their latest campaign, Sticky Werewolf targeted the aviation industry with emails supposedly from the First Deputy General Director of AO OKB ...
Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances to breach target networks.
In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to a China-linked threat actor tracked as ‘Velvet Ant.’
The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.
A China-linked cyber espionage group has compromised telecom operators in an Asian country since at least 2021.
The Symantec Threat Hunter Team reported that an alleged China-linked APT group has infiltrated several telecom operators in a single, unnamed, Asian country at least since 2021.
The threat actors used tools associated with Chinese espionage groups and planted multiple backdoors on the networks of the targeted companies to steal credentials.
French information security agency ANSSI reported that Russia-linked threat actor Nobelium is behind a series of cyber attacks that targeted French diplomatic entities.
The French information security agency ANSSI reported that the Russia-linked APT Nobelium targeted French diplomatic entities. Although ANSSI links the attacks to the cyberespionage group Nobelium (aka APT29, SVR group, Cozy Bear, Midnight Blizzard, BlueBravo, and The Dukes), the agency separates this activity into distinct threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds attack.
The unauthorized access to the company's IT infrastructure occurred on June 26; the threat actors used the credentials of a standard employee account within its IT environment.
Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.
Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.
The flaw resides in the CLI of Cisco NX-OS Software. An authenticated, local attacker can exploit it to execute arbitrary commands as root on the underlying operating system of an affected device. Cisco notes that exploitation requires administrator credentials, which is why the CVSS score is only 6.0 despite the root-level outcome; the practical risk is that a stolen or weak admin account turns into persistent, OS-level control of the switch.
Multiple cybersecurity agencies released a joint advisory warning about the China-linked group APT40's capability to rapidly exploit newly disclosed security flaws.
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. released a joint advisory warning about the China-linked group APT40 (aka TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Red Ladon, TA423, and Leviathan) and its capability to rapidly exploit disclosed flaws.
The China-linked group was able to exploit vulnerabilities within hours or days of the public ...
Void Banshee APT group exploited the Windows zero-day CVE-2024-38112 to execute code via the disabled Internet Explorer.
An APT group tracked as Void Banshee was spotted exploiting the Windows zero-day CVE-2024-38112 (CVSS score of 7.5) to execute code through the disabled Internet Explorer.
The vulnerability is a Windows MSHTML Platform Spoofing Vulnerability. Successful exploitation requires the attacker to take additional actions beforehand to prepare the target environment. An attacker can trigger the issue by sending the victim a malicious file ...
China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) has been spotted using an updated version of the macOS backdoor Macma.
The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor.
“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of ...
Belarus-linked APT group GhostWriter targeted Ukrainian organizations with a malware family known as PicassoLoader, used to deliver various malicious payloads.
The Ukrainian Government’s Computer Emergency Response Team (CERT-UA) reported a surge in activity associated with the APT group UAC-0057 (aka GhostWriter) group between July 12 and 18, 2024. Threat actors distributed documents containing macros designed to deploy the PICASSOLOADER malware on victim computers, which then delivered the post-exploitation tool Cobalt Strike Beacon.
The attackers used bait documents related to local government reform (USAID/DAI ...
China-linked group APT41 breached a Taiwanese government-affiliated research institute using ShadowPad and Cobalt Strike.
Cisco Talos researchers reported that the China-linked group compromised a Taiwanese government-affiliated research institute. The experts attributed the attack with medium confidence to the APT41 group.
The campaign started as early as July 2023 and threat actors delivered the ShadowPad malware, Cobalt Strike, and other post-exploitation tools.
The sample of ShadowPad malware employed in this campaign exploited an outdated vulnerable version of ...
South Korea’s National Cyber Security Center (NCSC) reported that North Korea-linked hackers hijacked VPN software updates to deploy malware.
South Korea’s national security and intelligence agencies, including the National Intelligence Service, the Prosecutor’s Office, the Police Agency, the Military Intelligence Command, and the Cyber Operations Command, have issued a joint cybersecurity advisory warning that North Korea-linked hackers exploited VPN software updates to install malware on target networks.
According to the South Korean authorities, the government of Pyongyang’s goal is to steal intellectual ...
A China-linked APT, tracked as StormBamboo, compromised an internet service provider (ISP) to poison software update mechanisms with malware.
Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.
The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.
In mid-2023, Volexity discovered multiple malware infections affecting macOS ...
Cybersecurity analysts have uncovered critical details about the North Korean advanced persistent threat (APT) group Kimsuky, which has been targeting universities as part of its global espionage operations.
Kimsuky, active since at least 2012, primarily targets South Korean think tanks and government entities, though its reach extends to the US, the UK and other European nations. The group specializes in sophisticated phishing campaigns, often posing as academics or journalists to infiltrate networks and steal sensitive information.
A new self-spreading worm named 'CMoon,' capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website.
According to Kaspersky researchers who discovered the campaign, CMoon can perform a broad range of functions, including loading additional payloads, snapping screenshots, and launching distributed denial of service (DDoS) attacks.
Judging from the distribution channel the threat actors used, their targeting scope is focused on high-value targets rather than random internet users, which ...
CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago.
This new information was shared as an update to a joint advisory published in March 2023, which says the BlackSuit gang has been active since September 2022.
However, this private group is believed to be a direct successor of the notorious Conti cybercrime syndicate and started as Quantum ransomware in January 2022.
On Tuesday, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.
McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.
"While McLaren Health Care continues to investigate a disruption to our information technology system, we want ...
Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks.
The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.
Proof-of-concept (PoC) exploits for CVE-2024-4885 are publicly available that target exposed WhatsUp Gold '/NmAPI/RecurringReport' endpoints.
Threat monitoring organization Shadowserver Foundation reports that the attempts started on August ...
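Because the public PoCs all hit the same '/NmAPI/RecurringReport' endpoint, the quickest triage on an exposed WhatsUp Gold server is to search its IIS access logs for requests to that path. The following is an added example for this digest, not code from the article, Progress, or Shadowserver. The log lines in SAMPLE_LOG are constructed, and their field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is a simplified W3C layout chosen for the example; adapt parse_line() to the #Fields: directive of your own server. Upgrading past 23.1.2 remains the fix; this only tells you whether anyone has already knocked on the door.

```python
"""Flag requests to the WhatsUp Gold /NmAPI/RecurringReport endpoint in
IIS-style access logs. Added example; SAMPLE_LOG is constructed data."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import unquote

# Endpoint the public PoCs target, compared case-insensitively after URL-decoding
TARGET_PREFIX = "/nmapi/recurringreport"

# Sources treated as internal. RFC 5737 documentation ranges (203.0.113.0/24,
# 198.51.100.0/24) are deliberately NOT listed so the constructed sample
# below behaves like traffic from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Hit:
    when: str
    src: str
    method: str
    path: str
    status: int
    external: bool


def is_external(ip: str) -> bool:
    """True unless the source falls in one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source field: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (when, src, method, path, status) or None for directives/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, src, method, path, _query, status = parts[:7]
    try:
        status_code = int(status)
    except ValueError:
        return None
    return f"{date} {time}", src, method.upper(), path, status_code


def find_hits(lines):
    """All requests whose URL-decoded path starts with the RecurringReport endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, src, method, path, status = rec
        # unquote() defeats %-encoding of path characters (e.g. %52 for 'R')
        # that would slip past a naive substring match on the raw path.
        if not unquote(path).lower().startswith(TARGET_PREFIX):
            continue
        hits.append(Hit(when, src, method, path, status, is_external(src)))
    return hits


def external_sources(hits):
    """Hits per external source address, most active first."""
    counts = {}
    for h in hits:
        if h.external:
            counts[h.src] = counts.get(h.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample log (not real traffic); addresses are RFC 5737 / RFC 1918.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-08-01 10:00:01 10.0.0.5 GET /NmConsole/Login.aspx - 200
2024-08-01 10:00:09 203.0.113.7 POST /NmAPI/RecurringReport - 200
2024-08-01 10:00:10 203.0.113.7 POST /NmAPI/RecurringReport - 500
2024-08-01 10:01:30 198.51.100.4 PUT /nmapi/recurringreport - 200
2024-08-01 10:02:00 10.0.0.5 GET /NmAPI/RecurringReport - 200
2024-08-01 10:03:00 203.0.113.9 POST /NmAPI/%52ecurringReport - 200
""".splitlines()


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        flag = "EXTERNAL" if h.external else "internal"
        print(f"{h.when} {h.src:<14} {h.method:<4} {h.status} {flag} {h.path}")
    print("external sources:", external_sources(found))
```

A 500 following a 200 from the same external address, as in the sample, is worth a closer look at the request bodies and at any new files or processes on the host; an internal GET may be a legitimate scheduled report, which is why the example separates internal and external sources rather than alerting on every match.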
A global stop-payment mechanism created by INTERPOL successfully recovered over $40 million stolen in a BEC attack on a company in Singapore.
INTERPOL says this is the largest recovery of funds stolen through a business email compromise (BEC) scam.
BEC scams are a type of cyberattack in which cybercriminals attempt to redirect legitimate corporate payments to an attacker-controlled bank account.
These attacks are conducted by threat actors compromising a vendor's or company's email address to trick billing departments into approving new banking information ...
SafeBreach security researcher Alon Leviev revealed at Black Hat 2024 that two zero-days could be exploited in downgrade attacks to "unpatch" fully updated Windows 10, Windows 11, and Windows Server systems and reintroduce old vulnerabilities.
Microsoft issued advisories on the two unpatched zero-days (tracked as CVE-2024-38202 and CVE-2024-21302) in coordination with the Black Hat talk, providing mitigation advice until a fix is released.
In downgrade attacks, threat actors force an up-to-date target device to roll back to older software versions, reintroducing vulnerabilities that can be ...
AWS has recently announced two new security features. First, passkeys can now be used for multi-factor authentication (MFA) for root and IAM users, providing additional security beyond just a username and password. Second, AWS now requires MFA for root users, starting with the root user account in an AWS Organization. This requirement will be expanded to other accounts throughout the year.
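With root MFA becoming mandatory, the check worth automating is whether the root user and every IAM user in an account actually have a device enrolled. The script below is an added example for this digest, not AWS code. It relies on two real IAM API results: GetAccountSummary's SummaryMap, whose "AccountMFAEnabled" entry is 1 when the root user has an MFA device, and ListMFADevices, which returns the devices registered to one user (virtual, hardware, and FIDO security keys; passkeys are assumed to appear here as FIDO devices). audit_mfa() is pure so it can be exercised against the constructed SAMPLE_* data; collect_live() feeds it real data via boto3, which is assumed to be installed and configured.

```python
"""Audit root and IAM-user MFA status for an AWS account.
Added example; SAMPLE_SUMMARY and SAMPLE_DEVICES are constructed data."""
from dataclasses import dataclass, field


@dataclass
class MfaReport:
    root_mfa: bool
    users_with_mfa: list = field(default_factory=list)
    users_without_mfa: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True only when root and every IAM user have at least one MFA device."""
        return self.root_mfa and not self.users_without_mfa

    def findings(self) -> list:
        out = []
        if not self.root_mfa:
            out.append("root user has no MFA device")
        out.extend(f"IAM user {u} has no MFA device" for u in self.users_without_mfa)
        return out


def audit_mfa(summary_map: dict, mfa_devices_by_user: dict) -> MfaReport:
    """summary_map: the SummaryMap dict from iam.get_account_summary().
    mfa_devices_by_user: {user_name: MFADevices list from iam.list_mfa_devices()}.
    An empty device list means that user can sign in with a password alone."""
    report = MfaReport(root_mfa=summary_map.get("AccountMFAEnabled", 0) == 1)
    for user, devices in sorted(mfa_devices_by_user.items()):
        target = report.users_with_mfa if devices else report.users_without_mfa
        target.append(user)
    return report


def collect_live() -> MfaReport:
    """Pull the same data from the account the default credential chain resolves to.
    Needs iam:GetAccountSummary, iam:ListUsers and iam:ListMFADevices."""
    import boto3  # imported here so the module loads without boto3 installed

    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            devices[name] = iam.list_mfa_devices(UserName=name)["MFADevices"]
    return audit_mfa(summary, devices)


# Constructed data in the shape the IAM API returns (account ID is fictitious).
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "Users": 2}
SAMPLE_DEVICES = {
    "alice": [{"UserName": "alice",
               "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],
}


if __name__ == "__main__":
    for line in audit_mfa(SAMPLE_SUMMARY, SAMPLE_DEVICES).findings():
        print("FINDING:", line)
```

Run collect_live() once per account from a read-only role; in an AWS Organization the member-account root users are the ones AWS says the requirement will reach later in the year, so those are the accounts where a root_mfa of False is most likely to turn up.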
Microsoft has announced the general availability of its Entra Suite. According to the company, the suite provides a solution that integrates identity and security, facilitating a more unified approach to security operations.
The Entra Suite is built to streamline the implementation of zero-trust security models. Zero-trust is a framework where trust is never assumed, and verification is continuously enforced. By integrating identity management with security operations, Microsoft aims to make zero-trust adoption more seamless for organizations.
Microsoft recently announced new SKUs for its Azure Bastion service: a Developer SKU that is now generally available (GA) after its public preview last year and a premium SKU being rolled out in a public preview.
Microsoft Azure Bastion is a fully managed Platform as a Service (PaaS) that offers seamless RDP and SSH connectivity to virtual machines accessed directly in the Azure portal. The Developer SKU is designed for Dev/Test users who need secure VM connections without requiring extra features, configuration, or scaling. The new premium SKU offers advanced recording, ...
Amazon Web Services (AWS) has launched a new open-source agent for AWS Secrets Manager. According to the company, this agent simplifies the process of retrieving secrets from AWS Secrets Manager, enabling secure and streamlined application access.
The Secrets Manager Agent is an open-source tool that allows your applications to retrieve secrets from a local HTTP service instead of reaching out to Secrets Manager over the network. It comes with customizable configuration options, including time to live, cache size, maximum connections, and HTTP port, allowing developers to tailor the agent to their application's ...
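What "retrieve secrets from a local HTTP service" looks like from the application side, as an added example for this digest rather than AWS code. The defaults below are assumptions taken from the agent's documentation and are all configurable on the agent side: it listens on 127.0.0.1:2773, serves GET /secretsmanager/get?secretId=<name>, rejects requests that lack the X-Aws-Parameters-Secrets-Token header, and writes that token to /var/run/awssmatoken at start-up. The JSON it returns is assumed to mirror GetSecretValue (SecretString or SecretBinary plus metadata). The transport is injectable so the request flow can be checked without a running agent.

```python
"""Fetch a secret through the AWS Secrets Manager Agent's local endpoint.
Added example; port, path, header and token file are assumed defaults."""
import json
import urllib.parse
import urllib.request
from pathlib import Path

DEFAULT_PORT = 2773                                  # assumed agent default
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"      # assumed header name
TOKEN_PATH = Path("/var/run/awssmatoken")            # assumed token location


class AgentError(RuntimeError):
    """Raised when the agent response carries no usable secret material."""


def read_token(path: Path = TOKEN_PATH) -> str:
    """The agent-generated token. Keep the file readable only by the application
    user: anything that can read it can read every secret the agent serves."""
    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise AgentError(f"empty agent token at {path}")
    return token


def build_request(secret_id: str, token: str, port: int = DEFAULT_PORT):
    """URL and headers for one lookup. The token header is what stops an SSRF
    in some other local process from turning the agent into a secret oracle."""
    query = urllib.parse.urlencode({"secretId": secret_id})
    url = f"http://127.0.0.1:{port}/secretsmanager/get?{query}"
    return url, {TOKEN_HEADER: token}


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: a single GET to the local agent, parsed as JSON."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.load(resp)


def get_secret(secret_id: str, *, transport=http_get_json, token=None,
               port: int = DEFAULT_PORT):
    """Return the secret: a dict when SecretString holds a JSON object, otherwise
    the raw SecretString, or the SecretBinary field for binary secrets."""
    token = read_token() if token is None else token
    url, headers = build_request(secret_id, token, port)
    body = transport(url, headers)
    if "SecretString" in body:
        raw = body["SecretString"]
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return raw
        return parsed if isinstance(parsed, dict) else raw
    if "SecretBinary" in body:
        return body["SecretBinary"]
    raise AgentError(f"no secret material for {secret_id!r}; fields: {sorted(body)}")


if __name__ == "__main__":
    # Against a running agent this prints the parsed value of the named secret.
    print(get_secret("prod/db"))
```

Because the agent caches for the configured time to live, a rotated secret is served stale until the cache entry expires; size that TTL against how quickly a revoked credential must stop working, not only against how much you want to cut Secrets Manager calls.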
At the annual Build conference, Microsoft announced the flex consumption plan for Azure Functions, which brings users fast and large elastic scale, instance size selection, private networking, and higher concurrency control.
The Flex Consumption Plan is a new Azure Functions hosting plan that uses the familiar serverless consumption-based billing model (pay for what you use). It provides users with more flexibility and customization options without sacrificing existing capabilities. According to the company, users can build serverless functions with this plan, leading to higher throughput, improved reliability, better performance, and enhanced security ...