Mayakshi
Learning Centre for Cyber Security & Privacy Professionals
Threat Intelligence Reposts
9 Nov 2023
RED ALERT: 'Effluence' Backdoor Persists in Atlassian Confluence Servers and other products
Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) observed the use of novel malware, dubbed “Effluence,” in combination with the exploit of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not remediated by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence. The malware is difficult to detect and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied.
7 Nov 2023
Android versions 11, 12, 12L, 13 and 14 critically vulnerable
Multiple vulnerabilities have been reported in Android which could be exploited by an attacker to gain unauthorised access without any user interaction, exfiltrate sensitive information, and/or cause a denial of service that leaves the user unable to access the device.
30 Sept 2023
North Korean gov’t hackers targeted aerospace company in Spain
Hackers connected to a notorious group within the North Korean government launched an attack against an aerospace company in Spain, according to researchers at security company ESET.
30 Sept 2023
Ransomware gangs destroying data, using multiple strains during attacks: FBI
Ransomware gangs are shifting their tactics to include multiple strains in the same attack and destructive tools beyond encryption or theft, the FBI warned this week.
Gangs are increasingly using “custom data theft, wiper tools, and malware to pressure victims to negotiate,” a white notice published Wednesday said.
29 Sept 2023
BunnyLoader, the newest Malware-as-a-Service
In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes as well as a clipper that monitors the victim’s clipboard and replaces cryptocurrency wallet addresses with actor-controlled wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and transmits the pilfered data to a command-and-control (C2) server.
28 Sept 2023
Suspected China-based hackers target Middle Eastern telecom, Asian government
Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.
The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.
27 Sept 2023
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.
BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.
20 Sept 2023
Cyber Battlegrounds: FCRF Unveils India’s Top 10 Cybercrime Hotspots & Vulnerable Districts
India is facing a severe and growing threat of cybercrime, with a staggering 80 percent of reported incidents emanating from just ten vulnerable districts, as outlined in a recent white paper titled ‘A Deep Dive into Cybercrime Trends Impacting India‘ by the Future Crime Research Foundation (FCRF), a non-profit startup incubated at IIT Kanpur. The study underscores the urgent need for enhanced cybersecurity measures and increased awareness among both individuals and organizations.
20 Sept 2023
Joint Cybersecurity Advisory (CISA + FBI) - Snatch Ransomware
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration, often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.
18 Sept 2023
BlackCat ransomware hits Azure Storage with Sphynx encryptor
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.
While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.
18 Sept 2023
Cryptojackers spread their nets to capture more than just EC2
As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.
Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID" which, rather than spinning up EC2 instances (where a request for more compute would trigger AWS's approval process for additional resources), abuses less commonly monitored AWS services to mine cryptocurrency.
17 Sept 2023
RedLine Stealer: a new variant surfaces, deployed using a batch script
RedLine Stealer was first discovered in March 2020 and is one of the most widely used information stealers. It is designed to steal sensitive information from compromised systems and is sold by cybercriminals on underground forums as MaaS (malware-as-a-service). Threat actors favour RedLine Stealer for its availability and flexibility. The malware harvests information from web browsers such as saved credentials and payment card details. It also collects system information, including the username, hardware configuration, installed general and security software, installed VPN clients, network configuration, and cryptocurrency-related data, and sends the stolen information to the adversary.
12 Sept 2023
Malware distributor Storm-0324 facilitates ransomware access
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.