TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In 2022, a targeted cyberattack employing the WebDav-O malware was identified against a Russian government agency. This malicious activity, linked to the CoughingDown group, spanned back to 2018 and targeted government entities in Belarus. The campaign involved the discovery of multiple WebDav-O variants, with observed…
TLP TLP TLP CLEAR Author Jordi M. Lobo, David Deflache, Sebastien Tricaud Summary Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and…
TLP TLP TLP CLEAR Author David Deflache Summary Microsoft has detected China-linked state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers, email accounts, and installed malware. Vulnerabilities CVE-2021-26855, -26857, -26858, and -27065 were patched in the latest release. Exchange Online is unaffected. HAFNIUM’s targets include US…
TLP TLP TLP CLEAR Author Sebastien TRICAUD Summary Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information…
TLP TLP TLP CLEAR Authors Jordi M. Lobo Summary BlackByte 2.0 Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme. The forensic analysis…
TLP TLP TLP CLEAR Author David Deflache Summary This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a…
TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…
TLP TLP TLP CLEAR Author Jordi Lobo Summary The exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer solution has been observed. This vulnerability enables remote attackers to gain unauthorized access to the database. Various organizations, particularly in North America, have been affected by this exploitation. The attacker’s behavior appears to be…
End of content
End of content
