TLP TLP TLP CLEAR Authors Jordi M. Lobo Summary BlackByte 2.0 Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme. The forensic analysis…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary Mallox is a ransomware strain that targets Microsoft Windows systems and has been active since June 2021. Recently, Unit 42 researchers observed a significant increase in Mallox ransomware activities, with a rise of almost 174% compared to the previous year. The group exploits unsecured MS-SQL servers…
TLP TLP TLP CLEAR Authors Sebastien Tricaud Summary Active Exploitation of Adobe Coldfusion CVE-2023-29298. We are providing data to help teams quickly detect and react to this ongoing threat. DATA TIMELINE CATEGORY Exploit references https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/
TLP TLP TLP CLEAR Author David Deflache Summary In this attack scenario, an individual with the IP address 192.168.0.42 and a valid username is engaging in an authentication brute force attack through SSH. Their target is a system with the IP address 192.168.0.111, using the default SSH port 22. The attacker executes a loop of…
TLP TLP TLP CLEAR Authors Sebastien Tricaud, David Deflache Summary GoBruteforcer is a newly discovered Golang-based malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. The malware was found on a legitimate website and utilizes different processor architectures. It deploys an IRC bot for communication with the attacker’s server and uses specific…
TLP TLP TLP CLEAR Author David Deflache Summary This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a…
TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…
TLP TLP TLP CLEAR Author Jordi Lobo Summary The exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer solution has been observed. This vulnerability enables remote attackers to gain unauthorized access to the database. Various organizations, particularly in North America, have been affected by this exploitation. The attacker’s behavior appears to be…
TLP TLP TLP CLEAR Author Jordi Lobo Summary ESXiArgs VMware Ransomware: Massive VMware: Ransomware attack targeting the VMware ESXi hypervisor. Exploits CVE-2021-21974 vulnerability: This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to exploit arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated….
TLP TLP TLP CLEAR Author David Deflache Summary The attack on the Microsoft SQL Server involved a series of sophisticated techniques employed by the adversaries. It began with the initial stage of reconnaissance, where the attackers sought to identify vulnerabilities and potential entry points. They then proceeded to exploit a known vulnerability in the server…
End of content
End of content
