TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Vice Society ransomware group gained notoriety in late 2022 and early 2023 for launching attacks across various sectors, including San Francisco’s transit system. While education and healthcare were their primary targets, Trend Micro’s data reveals manufacturing industry infiltration in Brazil, Argentina, Switzerland, and Israel. Exploiting…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In May 2023, a campaign using the “404 TDS” Traffic Distribution System delivered Truebot via email. Recipients clicking the email link were redirected through multiple URLs, ending in a fake Adobe Acrobat document download that was a Truebot executable. After execution, Truebot copied and renamed, then…
TLP TLP TLP CLEAR Author Sebastien TRICAUD Summary Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information…
TLP TLP TLP CLEAR Authors Jordi M. Lobo Summary BlackByte 2.0 Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme. The forensic analysis…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary Mallox is a ransomware strain that targets Microsoft Windows systems and has been active since June 2021. Recently, Unit 42 researchers observed a significant increase in Mallox ransomware activities, with a rise of almost 174% compared to the previous year. The group exploits unsecured MS-SQL servers…
TLP TLP TLP CLEAR Authors Sebastien Tricaud Summary Active Exploitation of Adobe Coldfusion CVE-2023-29298. We are providing data to help teams quickly detect and react to this ongoing threat. DATA TIMELINE CATEGORY Exploit references https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/
TLP TLP TLP CLEAR Author David Deflache Summary In this attack scenario, an individual with the IP address 192.168.0.42 and a valid username is engaging in an authentication brute force attack through SSH. Their target is a system with the IP address 192.168.0.111, using the default SSH port 22. The attacker executes a loop of…
TLP TLP TLP CLEAR Authors Sebastien Tricaud, David Deflache Summary GoBruteforcer is a newly discovered Golang-based malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. The malware was found on a legitimate website and utilizes different processor architectures. It deploys an IRC bot for communication with the attacker’s server and uses specific…
TLP TLP TLP CLEAR Author David Deflache Summary This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a…
TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…
End of content
End of content
