Unknown Threat Actor Uses Chaos Ransomware Variant Yashma To Target English Speaking Countries In Addition To Bulgaria, China and Vietnam
Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild.
Mallox Ransomware Group Becomes A Very Active Threat
The group tracked as Mallox aka TargetCompany, Fargo and Tohnichi - tends to break into target networks through vulnerable SQL servers lately. Mallox attacks in 2023 are known to have increased by %174, compared to 2022.
An Ongoing DDoS Campaign Targeting Sweden
NoName057 was among the first to respond, warning of a cyberattack on Sweden. NoName removed the websites of the Swedish Ministry of Finance and rail carrier SJ AB on 28 June. In the following days, known and unknown such as AnonymousSudan, Team 1919, Islamic Hacker Army, Host Kill Crew, USA NEXUS HACKER, Mysterious Team Bangladesh, KEP TEAM, UserSec Collective, Team Heroxr, Electronic Tigers Unit, Team R70, GANOSEC TEAM and Turkish Hack Team The hacker group carried out DDoS attacks on many websites of Sweden.
Gamaredon Steals Data Too Quickly
The Ukraine Computer Emergency Response Team (CERT-UA) begins to warn entities about stealing data 30 minutes after the first security breach by the Russian-linked APT group Gamaredon (aka UAC-0010).
Chinese Threat Actors Target European Ministries And Embassies With HTML Smuggling In Smugx Campaign
SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign are using innovative distribution methods to distribute a variant of PlugX, a widely used malware associated with various Chinese threat actors. Researchers are monitoring the campaign and have identified links to a previously reported campaign attributed to RedDelta and Mustang Panda.
Darknet Parliament(KILLNET,ANONYMOUS SUDAN,REVil) Tries to Paralyze the West's Financial System
Darknet Parliament, the term introduced by the notorious hacktivist group KillNet, has quickly gained traction, becoming the latest buzzword in the cyber media. KillNet introduced the phrase in a Telegram post on June 16.In the post, they outlined a plan to attack Europe’s banking system.
Volt Typhoon (aka, The Bronze Silhouette) Targets Critical US Infrastructure with Living Of The Land Techniques
BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.
Medusa Ransomware Won't Stop
Ransomware operation Medusa became operational in June 2021, according to Bleeping Computer. However, it gained significant momentum in 2023, targeting corporate victims worldwide with multimillion-dollar ransom demands. The ransomware gang has stepped up its effectiveness by launching a "Medusa Blog" in its recent rise. The platform serves to attract media attention by leaking data from victims who refuse to pay the ransom.
Pipedream Malware Continues to Shred Industrial Systems
In 2022, the Chernovite threat group created Pipedream, a new modular malware designed to attack Industrial Control Systems (ICS). This powerful toolset has the potential to launch devastating and devastating attacks on tens of thousands of critical industrial devices.
MOVEit Strikes With All Its Power
A new wave of mass attacks targeting popular file transfer tool MOVEit Transfer has been linked by security researchers to the Clop ransomware gang. The vulnerability exploited by hackers allows them to gain unauthorized access to the database of the affected MOVEit server.
Xworm Enters Through the Door Follina Left Open
Security researchers have identified a new wave of attacks using XWorm malware that exploits the Follina vulnerability. XWorm is a government-sponsored remote access trojan (RAT), the Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.
Smoke Loader Bill Trap
Based on the Ukraine Computer Emergency Response Team (CERT-UA), the SmokeLoader malware is now spreading through a phishing campaign using traps focused on bills. A ZIP folder containing a fake document and a JavaScript file is attached to emails that the agency says were sent from hacked accounts.
Archipelago Hide Office Documents and Cover Up Sneak Campaign With Recon Shark
The North Korean state sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign
Iranian Hackers Participate in Papercut Attacks
State-sponsored threat actors named Mint Sandstorm and Mango Sandstorm, both based in Iran, are taking advantage of unpatched PaperCut instances. Microsoft reports that Mango Sandstorm exploitation activity is still minimal, with operators connecting to organizations’ C2 infrastructure using tools from prior intrusions; in contrast, Mint Sandstorm exploitation activity appears opportunistic, affecting businesses across industries and regions.
Decoding the Spear-Phishing Tactics of SEABORGIUM and TA453 in the UK
SEABORGIUM and TA453 are Russia-based and Iran-based threat actors conducting spear-phishing campaigns targeting organizations and individuals in the U.K. and other areas of interest. They target various sectors, including academia, defense, governmental organizations, and NGOs, using personalized phishing emails to compromise the victims' credentials and gain access to sensitive information.
Raspberry Robin Global USB Malware Campaign
The Raspberry Robin malware campaign has been spreading around the world since it first surfaced in late 2021. "Raspberry Robin" is the name of a set of events from Red Canary that we first observed in September 2021, which often includes a worm installed via a USB drive.
Graphiron Threat From Nodaria(UAC-0056) To Ukraine
The Russia-linked Nodaria group has installed a new threat, using a wide variety of information from infected computers to play.The Nodaria espionage group (aka UAC-0056) is using a new combination of information stealing malware against browsing in Ukraine. The malware (Infostealer.Graphiron) was designed to gather a wide variety of information written in Go from the infected computer, including system information, credentials, screen content, and files.
Domino Effect
Former members of the Conti ransomware group use malware developed by the FIN7 group for financial purposes, compromising systems for follow-on exploits; FIN7 has used the "Domino" tool in its attacks since at least last October.
Hoodoo Uses Google C2 Red Team Tool as Payload
In a strategy change, China-linked APT41 targeted a Taiwanese media outlet and an Italian employment agency with standard, open-source penetration testing tools. The Chinese state-sponsored hacking organization APT 41, also known as HOODOO, targets various industries in the US, Asia, and Europe.
Anonymous Sudan Continues to Attack
The world of cyberattacks continues to evolve with the emergence of new hacktivist groups that target different countries for various political reasons. One such group that has been making headlines is KillNet Anonymous Sudan, which is affiliated with the pro-Russian hacktivist group KillNet.
Operations From APT36 To Government Agencies
APT36 is an advanced persistent threat group attiributed to Pakistan taht primarilly targets users working at Indian government organizations.SideCopy APT is a Pakistani threat actor operating since at least 2019,targeting mainly South Asian countries and more specifally India and Afghanistan.
Hack For Hire Group Targets Legal, Finance and Travel Institutions
Unlike malware-as-a-service (MAAS), hacking-for-hire companies carry out sophisticated, hands-on attacks and exploit vulnerabilities in executing their campaigns, according to a report by researchers Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.
Unleashing the Threat: Inside the SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client
A new supply chain attack called SmoothOperator is currently targeting 3CX's VoIP desktop client, which could cause significant impact due to the company's diverse and valued customer profile. The attackers use a trojanized version of the software to steal information from Windows and macOS users.
Earth Lusca
Earth Lusca is a sophisticated cybercrime group. According to reports from cybersecurity firms. They use a variety of tactics and tools to carry out their attacks, including spear-phishing emails, social engineering, and malware such as remote access trojans (RATs) and credential stealers.
Adversary-in-the-Middle: The Rise of AiTM Phishing Kits and the Threat Posed by DEV-1101
AiTM phishing kits, such as those developed by DEV-1101, are increasingly replacing less advanced forms of phishing. These kits can bypass MFA using reverse-proxy functionality and are available for purchase by cybercriminals, lowering the barrier of entry for cybercrime. DEV-1101 offers an open-source kit that automates phishing activity and provides support services to attackers. Since its release in May 2022, the kit has been continually enhanced with features such as managing campaigns from mobile devices and CAPTCHA evasion, making it attractive to actors with varying motivations and targets in any industry or sector.
APT5 Smashes Citrix's Networks
APT5 is a sophisticated cyber espionage group that is believed to be based in China and has been active since at least 2007. The group primarily targets high-tech and telecommunications firms across the US, Europe, and Asia, using advanced malware and zero-day exploits to gain unauthorized access to networks and steal sensitive information.
Dalbit's Ingenuity
Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to target SQL and Web Servers with exploits to upload web shells. Through these web shells, additional tools such as binaries for privilege escalation, proxy tools, and scanning tools are downloaded. Upon initial foothold, FRP (Fast Reverse Proxy) is deployed to connect back to their Command-and-Control server or another victim's server via RDP. It appears that the end goal is to eventually deploy ransomware on their victims.
Hiatus.RAT Data Thieves
A new malware campaign, Hiatus, targets business-grade routers to spy on Latin America, Europe, and North America victims. The campaign deploys two malicious binaries, a remote access trojan called HiatusRAT, and a variant of tcpdump that can capture packet capture on the target device.
Communication Barrier from KillNet
Active since at least January 2022, KillNet has evolved from initially a leased DDoS service to a full-fledged threat group. Group distributed denial of service (DDoS) attacks birth website servers to get hit. While KillNet's ties to official Russian government agencies, such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service, have not been confirmed, the group is involved in the group, including the health services. should be viewed as a threat to government and critical infrastructure organizations.
ESXiArgs: The Consequences of Infection
ESXiArgs is a ransomware strain that has been reported to have infected over 3000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to be targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.
From Lazarus''No Pineapple''
The North Korean hacker group Lazarus APT 38 ,has been active since 2009. They were a group of criminals with an indeterminate number of criminals. However, due to their intended nature, methods, and threats on the web, they were classified as an Advanced Persistent Threat. The cybersecurity community gathers these under other names such as Zinc and Hidden Cobra.
The Face of Disaster: Turkey and Syria Earthquake
February 6, 2023, Turkey and Syria woke up to the morning of a major natural disaster. Two devastating earthquakes, 7.7 and 7.6 magnitudes, struck southeastern Turkey and Syria, with millions of people in dozens of different cities affected, and the death toll exceeded thousands. The Turkish government declared a Level 4 alert, the highest level, and requested international assistance for the disaster area.
Messy Adventures of Cozy Bear
Cozy Bear, also known as APT29, is a sophisticated advanced persistent threat (APT) group believed to be associated with the Russian government. The group has been active since at least 2008. It has been linked to several high-profile cyber espionage operations, including the 2016 hack of the Democratic National Committee (DNC) in the United States. Cozy Bear is known for its sophisticated techniques and ability to remain undetected for long periods of time within compromised networks.
Aoqin Dragon
Aoqin Dragon is a known threat actor that has been active since 2013 and primarily targets government, education, and telecommunication organizations in Southeast Asia and Australia.
Red Menshen: A Look into the Chinese Cyber Espionage Threat
Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the U.S, Turkey, Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor.
Glupteba: The Blockchain-Enabled Modular Malware
Glupteba is a complex and advanced form of malware that has been affecting Windows devices globally since 2019. It utilizes blockchain technology and has multiple modules that can be used for various malicious activities,
Exploit of Romcom RAT's
The RomCom RAT is a malicious software program used by a threat actor to remotely control compromised systems, often by impersonating well-known brands and deploying fake versions of legitimate software through phishing campaigns.
Bronze President
Bronze President is a likely Chinese government-sponsored threat group that has been active since at least 2012. It is known for conducting cyber-espionage campaigns targeting organizations and individuals in the Asia-Pacific region and beyond.
Who will be Earth Bogle's Victims in North Africa and the Middle East?
The campaign is active, and currently, threat actors are targeting victims with NjRAT (also known as Bladabindi) in the Middle East and North Africa.
StrongPity Expand It's Target
StrongPity, also known as APT-C-41 and Promethium, is a cyber espionage group that has been active since at least 2012. The group's initial focus was on targeting individuals and organizations in Syria and Turkey, but their campaigns have since expanded to encompass a wider range of targets across Africa, Asia, Europe, and North America. The group uses various methods such as watering hole attacks and phishing messages to infiltrate targeted systems and steal sensitive information. These attacks are designed to activate the killchain, which is the sequence of actions taken by the attackers to gain access, establish control, and exfiltrate data from the targeted systems.
World Cup Qatar
The 2022 FIFA World Cup is scheduled to be the 22nd running of the FIFA World Cup competition, the quadrennial international men's football championship contested by the senior national teams of the member associations of FIFA. It is scheduled to take place in Qatar from 20 November to 18 December 2022. This will be the first World Cup ever to be held in the Arab world, and the second World Cup held entirely in Asia after the 2002 tournament in South Korea and Japan.[a] In addition, the tournament will be the last to involve 32 teams, with an increase to 48 teams scheduled for the 2026 tournament in the United States, Mexico, and Canada.
Cyber Risk to the Oil and Gas Industry
There has been significant interest within the offshore oil and gas industry to utilise Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS). There has also been a corresponding increase in cyberattacks targeted at oil and gas companies.
The New Target: Immigrations
Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.
Cyber Security in Elections
In recent years, the effect of cyber operations on the elections of countries has been increasing rapidly and it has been observed that interstate operations are carried out with cyber espionage campaigns.
The Return of Emotet
The notorious Emotet malware is staging a comeback of sorts, months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. While the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.
Prestige Ransomware: Targeting Ukraine & Poland
A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said.
Russia - Ukraine Cyberwar
The day before the invasion of Ukraine by Russian forces, a new wiper malware sample spreading across Ukrainian companies is observed. An hour before the invasion, an IssacWiper attack against government websites was recorded. Moreover, cyber-attacks continued in March, as well, with the CaddyWiper malware which infiltrated the systems of several Ukrainian organizations, from both the government and the financial sectors.
Hafnium
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Attacks on industrial control systems using ShadowPad
Researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. These infected machines includes engineering hardware systems related to automation systems Infected machines includes engineering computers used in building automation systems.
Operation AppleJeus: North Korea’s Cryptocurrency Malware
After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses.
SolarWinds
Austin, Texas-based SolarWinds sells software that lets an organization see what's happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems
Operation Quicksand: MuddyWater's Attacks to Israeli Organizations
During September 2020, identified a new campaign targeting many prominent Israeli organizations was identified. The campaign was attributed to the Iranian threat actor ‘MuddyWater’ (also known as TEMP.Zagros, Static Kitten and Seedworm).
Covid-19
Many threat actors are leveraging the high level of global anxiety around the spread of the Coronavirus and are using it to gain initial access to their victim ictim’s network and launch their campaigns. The common factor among these campaigns is the use of social engineering techniques to manipulate their victims into trusting their malicious scams.
Hackers Behind the Iran
The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out the most sophisticated and costly cyber attacks in the history of the internet age
Energy War
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins
Magniber Ransomware Used a Variant of Microsoft SmartScreen Bypass with Malformed Signature
Magniber ransomware, which targeted Asian countries in 2017, continues to attack with expanded targets worldwide since 2021
US Federal Agencies Targeted by Kitten's
An APT group called Nemesis Kitten, which has ties to Iran, reportedly directed its attack towards an unidentified U.S. federal agency, with some suspicions suggesting the targeted entity was the U.S. Merit Systems Protections Board. The group infiltrated the agency's network and loaded cryptocurrency-mining software onto it.
The Pegasus Project
The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.
The Cyber Face of Economic Development
Like other Chinese espionage operators, hacker groups, espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity.
Red Children of Censorship
North Korean state-sponsored cyber espionage groups. Focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 group expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.
From Altai To The Red Square
The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.
Trusted by world's leading organizations
Copyright © 2023 SOCRadar Cyber Intelligence Inc.
All rights
reserved.