
Threat Intelligence Reposts

20 Sept 2023

Cyber Battlegrounds: FCRF Unveils India’s Top 10 Cybercrime Hotspots & Vulnerable Districts

India is facing a severe and growing threat of cybercrime, with a staggering 80 percent of reported incidents emanating from just ten vulnerable districts, as outlined in a recent white paper titled ‘A Deep Dive into Cybercrime Trends Impacting India’ by the Future Crime Research Foundation (FCRF), a non-profit startup incubated at IIT Kanpur. The study underscores the urgent need for enhanced cybersecurity measures and increased awareness among both individuals and organizations.


20 Sept 2023

Joint Cybersecurity Advisory (CISA + FBI) - Snatch Ransomware

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration, often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.


19 Sept 2023

New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.


18 Sept 2023

BlackCat ransomware hits Azure Storage with Sphynx encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.

While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.


18 Sept 2023

Cryptojackers spread their nets to capture more than just EC2

As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.

Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID," which does not directly target EC2 instances that would trigger an approval for more resources.


12 Sept 2023

China, Russia will use cyber to sow chaos if war starts, Pentagon says

China and Russia are prepared to unleash a flurry of cyberattacks on U.S. critical infrastructure and defense networks should war break out, according to a Pentagon strategy unveiled this week.


12 Sept 2023

Malware distributor Storm-0324 facilitates ransomware access

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.


12 Sept 2023

China-Linked ‘Redfly’ Group Targeted Power Grid

Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.


11 Sept 2023

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC).


8 Sept 2023

Storm-0558 Update: Takeaways from Microsoft's recent report

On September 6th, 2023, Microsoft published a follow-up to their initial investigative report from July 11th about Storm-0558 — a threat actor attributed to China who managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts. Microsoft’s latest report about how the signing key may have been compromised by the threat actor


7 Sept 2023

CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The CSA—originally released to warn network defenders of critical infrastructure organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix)


7 Sept 2023

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) advisories on September 7, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT
ICSA-23-250-03 Socomec MOD3GP-SY-120K
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.


7 Sept 2023

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network.


6 Sept 2023

Chinese hack of Microsoft engineer led to breach of US officials’ emails, company says

The Chinese hackers had breached senior US officials’ emails.


6 Sept 2023

Cybercriminals target MS SQL servers to deliver ransomware

Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total.

MS SQL servers are an attractive target for cybercriminals because they are widely used and they often store valuable data.

Attackers also find them useful because they can make them part of a cryptomining botnet or use them as a proxy server.


6 Sept 2023

Google Chrome pushes ahead with targeted ads based on your browser history

Google next year aims to drop support for third-party cookies, which store browser data that ad companies use for tracking and analytics – to the frequent detriment of user privacy. The US mega-corp has developed a variety of replacement technologies, such as the Topics API that will allow ad targeting to continue without cookie-based tracking and – it's claimed – no privacy consequences.


2 Sept 2023

Chrome extensions can steal plaintext passwords from websites

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.

An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.


31 Aug 2023

U.S. and International Partners Release Report on Russian Cyber Actors Using “Infamous Chisel” Malware

“For years, the U.S. Government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “Today’s joint report reflects the value of deep collaboration across our international cyber defense partners, the need for all organizations to keep their Shields Up to detect and mitigate Russian cyber activity, and the importance of continued focus on maintaining operational resilience under all conditions.”


18 Jul 2022

Russia-linked APT29 uses Google Drive and Dropbox to Evade Detection & Response

The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
