Threat Intelligence Reposts

9 Nov 2023

RED ALERT: 'Effluence' Backdoor Persists in Atlassian Confluence Servers and other products

Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) observed the use of novel malware, dubbed “Effluence,” in combination with exploitation of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not remediated by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence. The malware is difficult to detect, and organizations with Confluence servers are advised to investigate thoroughly, even if a patch was applied.

8 Nov 2023

SysAid On-Prem Software CVE-2023-47246 Vulnerability

The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software.
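
The passage above names the bug class but not the mechanics, so the following is an added, generic illustration of how a path traversal in a file-upload handler turns a file write into code execution, and what the hardened check looks like. It is not SysAid's code and does not reproduce CVE-2023-47246; the upload-handler shape, the directory names and the sample file names are assumptions made for the example.

```python
"""Path traversal check, added as a generic illustration of the bug class named
above.  This is not SysAid's code and does not reproduce CVE-2023-47246; the
upload-handler shape and the directory names are assumptions."""
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/var/app/uploads"   # assumed directory uploads are meant to land in


def vulnerable_target_path(client_name: str) -> str:
    """Joins the client-supplied file name straight onto the upload root.

    A name such as "../../webapps/ROOT/x.jsp" walks out of UPLOAD_ROOT and, when the
    server later serves or executes what it finds there, a file write becomes code
    execution.  normpath() is applied only so the returned value shows where the
    file really lands; it does not prevent the escape.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, client_name))


def is_within(root: str, path: str) -> bool:
    """True if 'path' is 'root' or lies below it (both absolute and normalised)."""
    return posixpath.commonpath([root, path]) == root


def safe_target_path(client_name: str) -> str:
    """Hardened version: decode, reject anything that is not a bare file name,
    then re-check the normalised result against the root.

    Raises ValueError on traversal attempts; callers should log and reject the request.
    """
    name = unquote(client_name)            # catch "%2e%2e%2f" style encodings
    if not name or name in (".", ".."):
        raise ValueError("empty or dot file name")
    if any(c in name for c in ("/", "\\", "\x00")):
        raise ValueError("separator or NUL in file name")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    # Defence in depth: even if the checks above were bypassed, refuse anything
    # that normalises to a location outside the upload directory.
    if not is_within(UPLOAD_ROOT, candidate) or candidate == UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return candidate


def check_upload_name(client_name: str) -> tuple:
    """Convenience wrapper returning (accepted, path_or_reason) for a client-supplied name."""
    try:
        return True, safe_target_path(client_name)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names: a benign upload and a traversal attempt in plain
    # and URL-encoded form.
    for name in ("report.pdf",
                 "../../webapps/ROOT/shell.jsp",
                 "..%2F..%2Fwebapps%2FROOT%2Fshell.jsp"):
        print(f"{name!r:45} vulnerable -> {vulnerable_target_path(unquote(name))}")
        print(f"{'':45} hardened   -> {check_upload_name(name)}")
```

The two layers matter: rejecting separators up front stops the common case, while the `commonpath` check after normalisation catches anything that still resolves outside the root, which is the condition that actually makes the write dangerous.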

7 Nov 2023

Android versions 11, 12, 12L, 13 and 14 critically vulnerable

Multiple vulnerabilities have been reported in Android that could be exploited by an attacker, without any user interaction (zero-click), to obtain unauthorised access, exfiltrate sensitive information, or cause a denial of service that leaves the device unusable.

7 Nov 2023

Union Government issues advisory to social media intermediaries to identify misinformation and deepfakes

Intermediaries are directed to remove any such content within 36 hours of it being reported.

30 Sept 2023

North Korean gov’t hackers targeted aerospace company in Spain

Hackers connected to a notorious group within the North Korean government launched an attack against an aerospace company in Spain, according to researchers at security company ESET.

30 Sept 2023

Ransomware gangs destroying data, using multiple strains during attacks: FBI

Ransomware gangs are shifting their tactics to include multiple strains in the same attack and destructive tools beyond encryption or theft, the FBI warned this week.

Gangs are increasingly using “custom data theft, wiper tools, and malware to pressure victims to negotiate,” a white notice published Wednesday said.

29 Sept 2023

BunnyLoader, the newest Malware-as-a-Service

In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes as well as a clipper that monitors the victim’s clipboard and replaces cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and transmits the pilfered data to a command-and-control (C2) server.
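
The clipper behaviour described above has a simple observable from the defender's side: the clipboard changes from one wallet address to a different one without the user having copied anything. The following is an added example of that detection heuristic run over a constructed clipboard history; it is not BunnyLoader code or Zscaler's analysis tooling, and the event format, the "user"/"poll" event sources and the sample addresses are all constructed for the example.

```python
"""Clipper-style clipboard swap detector, added as an example of how the behaviour
described above shows up from the defender's side.  Not BunnyLoader code; the event
format and sample addresses are constructed for illustration."""
import re

# Address shapes a clipper typically targets.  Patterns are deliberately loose
# (format only, no checksum validation) because the goal is to notice a swap, not
# to validate payments.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth":        re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str):
    """Return the address family of 'text' (whitespace-trimmed) or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family
    return None


def detect_clipper_swaps(events):
    """Scan an ordered clipboard history for silent address replacements.

    events: iterable of (source, content) where source is "user" for a copy the
    user performed (e.g. a Ctrl+C seen by an endpoint agent) and "poll" for a
    periodic read of the clipboard.  A clipper rewrites the clipboard without the
    user copying anything, so an alert is raised when a poll returns a wallet
    address that differs from the address the user last copied.
    Returns a list of (original, replacement, family) tuples.
    """
    alerts = []
    last_user_copy = None
    for source, content in events:
        if source == "user":
            last_user_copy = content.strip()
            continue
        if last_user_copy is None:
            continue
        seen = content.strip()
        fam_user = classify_address(last_user_copy)
        fam_now = classify_address(seen)
        if fam_user and fam_now and seen != last_user_copy:
            alerts.append((last_user_copy, seen, fam_now))
            last_user_copy = seen   # report each swap once
    return alerts


# Constructed sample addresses (syntactically valid, not real wallets).
USER_BTC    = "bc1q" + "exampleaddress" + "x" * 24
SWAPPED_BTC = "bc1q" + "attackeraddres" + "x" * 24
USER_ETH    = "0x" + "ab" * 20

SAMPLE_EVENTS = [
    ("user", USER_BTC),       # victim copies their own address
    ("poll", USER_BTC),       # clipboard unchanged: fine
    ("poll", SWAPPED_BTC),    # different address, no user copy: alert
    ("poll", SWAPPED_BTC),    # same swapped value again: already reported
    ("user", USER_ETH),       # victim copies a new address themselves: resets baseline
    ("poll", USER_ETH),       # unchanged: fine
    ("user", "hello world"),  # non-address content: ignored
    ("poll", "hello world"),
]

if __name__ == "__main__":
    for original, replacement, family in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"ALERT [{family}] clipboard address changed without a copy: "
              f"{original} -> {replacement}")
```

The heuristic depends on being able to tell a user-initiated copy from a clipboard read, which an endpoint agent can get from keyboard or clipboard-owner events; without that signal, a legitimate paste of a second address is indistinguishable from a swap.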

29 Sept 2023

CERT-In reported multiple vulnerabilities in Google Chrome

CERT-In reported multiple vulnerabilities in Google Chrome; the corresponding Chrome update includes 10 security fixes.

CERT-In reported multiple vulnabilities in Google Chrome

28 Sept 2023

Suspected China-based hackers target Middle Eastern telecom, Asian government

Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.

The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.

27 Sept 2023

People's Republic of China-Linked Cyber Actors Hide in Router Firmware

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

20 Sept 2023

Cyber Battlegrounds: FCRF Unveils India’s Top 10 Cybercrime Hotspots & Vulnerable Districts

India is facing a severe and growing threat of cybercrime, with a staggering 80 percent of reported incidents emanating from just ten vulnerable districts, as outlined in a recent white paper titled ‘A Deep Dive into Cybercrime Trends Impacting India‘ by the Future Crime Research Foundation (FCRF), a non-profit startup incubated at IIT Kanpur. The study underscores the urgent need for enhanced cybersecurity measures and increased awareness among both individuals and organizations.

20 Sept 2023

Joint Cybersecurity Advisory (CISA + FBI) - Snatch Ransomware

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration, often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

19 Sept 2023

New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.

18 Sept 2023

BlackCat ransomware hits Azure Storage with Sphynx encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.

While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.

18 Sept 2023

Cryptojackers spread their nets to capture more than just EC2

As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.

Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID" that avoids EC2 instances, whose heavy use would trigger a request for approval of additional resources, and abuses other AWS services instead.

17 Sept 2023

RedLine Stealer: a new variant surfaces, deployed using a batch script

RedLine Stealer was first discovered in March 2020 and is one of the most popular stealer malware families. It is designed to steal sensitive information from compromised systems and is sold by cybercriminals on underground forums as MaaS (malware-as-a-service). Threat actors are leveraging RedLine Stealer due to its availability and flexibility. This malware is capable of harvesting information from web browsers such as saved credentials and payment card details. It also collects system information, including username, hardware configuration, installed general and security software, installed VPN clients, network configuration and cryptocurrency-related data, and sends the stolen information to the adversary.

12 Sept 2023

China, Russia will use cyber to sow chaos if war starts, Pentagon says

China and Russia are prepared to unleash a flurry of cyberattacks on U.S. critical infrastructure and defense networks should war break out, according to a Pentagon strategy unveiled this week.

12 Sept 2023

Malware distributor Storm-0324 facilitates ransomware access

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.

12 Sept 2023

China-Linked ‘Redfly’ Group Targeted Power Grid

Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.

11 Sept 2023

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC).
