TLP TLP TLP CLEAR Author Jordi M. Lobo Summary Microsoft has uncovered a stealthy and targeted malicious campaign led by Volt Typhoon, a state-sponsored actor from China, with a focus on post-compromise credential access and network system discovery. Their primary targets are critical infrastructure organizations in the United States, including sectors such as communications, manufacturing,…
TLP TLP TLP CLEAR Author Jordi M. Lobo, David Deflache, Sebastien Tricaud Summary Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and…
TLP TLP TLP CLEAR Author David DEFLACHE Summary MGM Resorts recently fell victim to a cyberattack orchestrated by a group called Scattered Spider, who employed vishing (voice phishing) techniques to gain access to the company’s systems. The attackers, believed to be in their late teens and early 20s and fluent in English, impersonated an employee…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary A new ransomware variant has emerged as part of the Adhubllka ransomware family, targeting individuals and small enterprises with smaller ransom demands to evade media attention. The ransomware spreads via phishing emails and employs a victim portal on Tor for decryption key delivery after ransom payment….
TLP TLP TLP CLEAR Author David Deflache Summary In May 2023, Barracuda disclosed a zero-day vulnerability (CVE-2023-2868) exploited by UNC4841, a suspected Chinese espionage actor. UNC4841 targeted Barracuda Email Security Gateways (ESG) since October 2022, using malicious email attachments. They deployed code families (SALTWATER, SEASPY, SEASIDE) to infiltrate and maintain control, often disguising as legitimate…
TLP TLP TLP CLEAR Author David Deflache Summary Microsoft has detected China-linked state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers, email accounts, and installed malware. Vulnerabilities CVE-2021-26855, -26857, -26858, and -27065 were patched in the latest release. Exchange Online is unaffected. HAFNIUM’s targets include US…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Vice Society ransomware group gained notoriety in late 2022 and early 2023 for launching attacks across various sectors, including San Francisco’s transit system. While education and healthcare were their primary targets, Trend Micro’s data reveals manufacturing industry infiltration in Brazil, Argentina, Switzerland, and Israel. Exploiting…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In May 2023, a campaign using the “404 TDS” Traffic Distribution System delivered Truebot via email. Recipients clicking the email link were redirected through multiple URLs, ending in a fake Adobe Acrobat document download that was a Truebot executable. After execution, Truebot copied and renamed, then…
TLP TLP TLP CLEAR Author Sebastien TRICAUD Summary Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information…
TLP TLP TLP CLEAR Authors Jordi M. Lobo Summary BlackByte 2.0 Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme. The forensic analysis…
End of content
End of content
