Info-stealer Campaign targets German Car Dealerships and Manufacturers - Check Point Software
Check Point researchers uncovered a dedicated campaign targeting German companies, with a focus on car dealerships and manufacturers. The attackers built extensive infrastructure designed to look like existing German dealerships and manufacturers. According to the researchers, emails carrying German-language receipts and contracts, designed to instill confidence and lure the recipient, were sent to carefully selected targets. The main malware-hosting site is an Iranian-hosted non-governmental website with a double connection to the campaign.
Tags: InfoStealer, Germany, Automotive, Malware, Phishing, MaaS, AZORult, BitRAT, Raccoon
Indicators: 49 (49 public)
Network Footprints of Gamaredon Group
The Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an APT group based in Russia. Its activity can be traced back to at least 2013, before Russia's annexation of the Crimean Peninsula. This blog post contains the Cognitive Intelligence team's observations of Gamaredon activity during March 2022.
Tags: APT, Gamaredon, Russia, Malware, Pteranodon, Crimea
Indicators: 96 (96 public)
Threat Advisory: Critical F5 BIG-IP Vulnerability
A recently disclosed vulnerability in F5 Networks' BIG-IP (CVE-2022-1388, an authentication bypass in the iControl REST interface) could allow an unauthenticated attacker to access the BIG-IP system, execute arbitrary system commands, create and delete files and disable services, and could lead to further malicious activity. Cisco has published a list of attacker IPs associated with this CVE, based on its telemetry.
Tags: CVE-2022-1388, Scanning, Cisco
Indicators: 118 (118 public)
Bitter APT adds Bangladesh to their targets
Cisco Talos discovered a campaign, ongoing since August 2021, that it attributes to the Bitter APT group. The campaign targets an elite unit of Bangladesh's government with a themed lure document purporting to relate to routine operational tasks in the victim's organization. The emails carry either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. When the victim opens the maldoc, the Equation Editor application is launched automatically to process the embedded objects; those objects exploit CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 (all in Microsoft Office) and run shellcode that downloads the trojan from the hosting server and executes it on the victim's machine. The trojan masquerades as a Windows Security update service and gives the actor remote code execution, opening the door to further activity by installing other tools. In this campaign the trojan runs on its own, but the actor has other RATs and downloaders in its arsenal.
Tags: Cisco, BitterAPT, T-APT-17, SpearPhishing, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802
Indicators: 25 (25 public)
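The Equation Editor chain described in this entry leaves a recognizable footprint in the attachment itself: an embedded OLE object whose class name is Equation.3, whose data stream is called "Equation Native", or whose serialized CLSID is {0002CE02-0000-0000-C000-000000000046}. The Python below is an added triage example, not code from Cisco Talos or samples from the campaign. It pulls `\objclass` names and hex `\objdata` blobs out of an RTF (or scans the raw bytes of a non-RTF attachment such as an .xls compound file) and flags those Equation Editor markers, including case-mangled class names. The two sample documents are constructed to carry the markers and are not exploits; obfuscation that breaks the hex run with nested control words is outside this example.

```python
"""Triage an email attachment for an embedded Microsoft Equation Editor object,
the component abused by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 maldocs.
Added example; not code from the original post or from Cisco Talos."""
import binascii
import re

# {0002CE02-0000-0000-C000-000000000046} is the Microsoft Equation 3.0 class
# identifier, written as OLE serializes it (first three GUID fields little-endian).
EQUATION3_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Strings that identify the object once the \objdata hex is decoded: the OLE1
# class name and the stream name Equation Editor stores its data in (ASCII
# and UTF-16LE). Matched against lower-cased bytes, so written in lower case.
EQUATION_MARKERS = (b"equation.3", b"equation native",
                    "equation native".encode("utf-16-le"))

# RTF control words of interest. Class names are matched case-insensitively
# because weaponized documents routinely mangle the case to dodge signatures.
_OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\r\n;]+)", re.IGNORECASE)
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]*)", re.IGNORECASE)


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex run in an RTF document to raw bytes.

    Whitespace and line breaks inside the hex are tolerated and a dangling
    nibble is dropped. Hex runs split by nested control words are not handled."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]
        if hexrun:
            blobs.append(binascii.unhexlify(hexrun))
    return blobs


def scan(data: bytes) -> dict:
    """Return findings for one attachment: an RTF, or raw OLE/other bytes."""
    is_rtf = data.lstrip().lower().startswith(b"{\\rtf")
    objclasses = []
    if is_rtf:
        objclasses = [m.group(1).strip().decode("latin-1")
                      for m in _OBJCLASS_RE.finditer(data)]
        blobs = extract_objdata(data)
    else:
        blobs = [data]           # e.g. an .xls compound file: search it as-is
    haystack = b"".join(blobs)
    lowered = haystack.lower()   # bytes.lower() only touches ASCII letters
    name_hit = (any(c.lower().startswith("equation.") for c in objclasses)
                or any(marker in lowered for marker in EQUATION_MARKERS))
    clsid_hit = EQUATION3_CLSID in haystack
    return {
        "is_rtf": is_rtf,
        "objclass": objclasses,
        "objdata_blobs": len(blobs) if is_rtf else None,
        "equation_classname": name_hit,
        "equation_clsid": clsid_hit,
        "suspicious": name_hit or clsid_hit,
    }


# Constructed samples (not real exploit documents). The first carries an OLE1
# object header naming Equation.3, the Equation 3.0 CLSID and padding, with the
# class name case-mangled and the hex broken across a line; the second embeds a
# harmless "Package" object.
_OLE1_HEADER = (b"\x01\x05\x00\x00\x02\x00\x00\x00"         # OLE version, format id
                + b"\x0b\x00\x00\x00" + b"Equation.3\x00")  # class name length + name
_MAL_OBJDATA = binascii.hexlify(_OLE1_HEADER + EQUATION3_CLSID + b"\x00" * 16)
SAMPLE_MALDOC = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass eQuAtIoN.3}"
                 b"{\\*\\objdata " + _MAL_OBJDATA[:24] + b"\r\n" + _MAL_OBJDATA[24:]
                 + b"}}}")
SAMPLE_BENIGN = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
                 b"{\\*\\objdata 0105000002000000080000005061636b61676500}}}")

if __name__ == "__main__":
    for label, doc in (("constructed maldoc", SAMPLE_MALDOC),
                       ("benign Package object", SAMPLE_BENIGN)):
        print(label, scan(doc))
```

Run this over quarantined attachments before detonation. Microsoft removed Equation Editor from Office in January 2018, so any attachment that still embeds it deserves scrutiny regardless of which of the three CVEs it targets.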
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. These thread-hijacked emails either contain links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or carry password-protected zip attachments. Either method delivers an ISO file containing the files that install Bumblebee. Today's diary compares two examples of Bumblebee ISO files from Monday 2022-05-09 that appear to be from TA578.
Tags: Bumblebee, Malware, TA578, ISC
Indicators: 22 (22 public)
Please Confirm You Received Our APT | FortiGuard Labs
FortiGuard Labs examined a spearphishing email sent to a diplomat in Jordan. The email carried a malicious attachment with capabilities and techniques usually associated with advanced persistent threats (APTs). Based on the techniques used, the attack appears to be another campaign by APT34. The blog analyzes the attack chain behind the email and the traits that set it apart from run-of-the-mill malware, such as DNS tunneling and stateful programming.
Tags: SpearPhishing, FortiGuardLabs, APT34, VBA, WMI, Saitama
Indicators: 21 (21 public)
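The DNS tunneling trait this entry calls out is visible in resolver logs from the shape of the queries alone: data riding in the question name produces many distinct, long, high-entropy subdomains under one parent domain, which ordinary lookups never do. The Python below is an added example, not code from FortiGuard Labs or the original post. It scores each parent domain in constructed `<timestamp> <client> <qname> <qtype>` log lines on unique-subdomain count, average subdomain length and average Shannon entropy, and flags domains that exceed all three thresholds. The log format, the domain names, the thresholds and the naive last-two-labels split are assumptions chosen for the example.

```python
"""Flag parent domains whose subdomains look like encoded data (DNS tunneling).
Added example; not code from the original post or from FortiGuard Labs."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (parent_domain, subdomain) using a naive last-two-labels rule.

    Assumption for the example: a real deployment should use the Public
    Suffix List so that e.g. host.example.co.uk is split correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_tunneling(log_text: str, min_unique: int = 20,
                     min_avg_len: float = 30.0, min_entropy: float = 3.0):
    """Score every parent domain seen in '<ts> <client> <qname> <qtype>' lines.

    Returns [(domain, stats)] for domains with at least min_unique distinct
    subdomains whose average length and average entropy both exceed the
    thresholds. Query types are tallied because tunnels favour TXT/NULL/CNAME."""
    subs = defaultdict(set)
    qtypes = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed line: skip, do not crash
        _ts, _client, qname, qtype = parts[:4]
        dom, sub = split_qname(qname)
        subs[dom].add(sub)
        qtypes[dom][qtype.upper()] += 1
    flagged = []
    for dom, subset in subs.items():
        uniq = [s for s in subset if s]    # apex queries carry no payload
        if not uniq:
            continue
        stats = {
            "unique_subdomains": len(uniq),
            "avg_subdomain_len": sum(map(len, uniq)) / len(uniq),
            # entropy over the payload characters only, dots removed
            "avg_entropy": sum(shannon_entropy(s.replace(".", ""))
                               for s in uniq) / len(uniq),
            "qtypes": dict(qtypes[dom]),
        }
        if (stats["unique_subdomains"] >= min_unique
                and stats["avg_subdomain_len"] >= min_avg_len
                and stats["avg_entropy"] >= min_entropy):
            flagged.append((dom, stats))
    return flagged


def _build_sample_log() -> str:
    """Constructed sample traffic: a few ordinary lookups plus a simulated
    tunnel shipping 40 sha256-derived hex chunks as TXT queries under
    c2-example.test. Not real data from the report."""
    lines = [
        "2022-05-10T09:00:01Z 10.0.0.5 www.example.com A",
        "2022-05-10T09:00:02Z 10.0.0.5 mail.example.com MX",
        "2022-05-10T09:00:03Z 10.0.0.7 login.example.com A",
        "2022-05-10T09:00:04Z 10.0.0.7 cdn.static-example.net A",
        "2022-05-10T09:00:05Z 10.0.0.7 example.com A",
    ]
    for i in range(40):
        chunk = hashlib.sha256(f"exfil-chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"2022-05-10T09:01:{i % 60:02d}Z 10.0.0.9 "
                     f"{chunk}.c2-example.test TXT")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for dom, stats in detect_tunneling(SAMPLE_LOG):
        print(dom, stats)
```

Tune the thresholds against a week of your own resolver logs before alerting on them; CDNs and some anti-virus update services also generate many unique subdomains, though typically shorter and lower-entropy ones, and the per-domain query-type mix helps separate them from a tunnel.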
Bitter APT adds Bangladesh to their targets
Cisco Talos has observed an ongoing malicious campaign, active since August 2021, from the Bitter APT group that appears to target users in Bangladesh, a change from the actor's usual victims. As part of it there is a new trojan, based on Apost, that Talos is calling "ZxxZ" and that, among other features, includes remote file execution capability. Based on the similarities between the C2 server in this campaign and that of Bitter's previous campaign, Cisco Talos assesses with moderate confidence that the campaign is operated by the Bitter APT group.
Tags: CVE-2017-11882, CVE-2018-0798, CVE-2018-0802, Microsoft, MicrosoftOffice, Bitter APT, T-APT-17, Bangladesh, ZxxZ, RAT, Trojan
Indicators: 59 (59 public)
RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns
On 2022/01/14 we published an article on patterns in the self-signed SSL certificates used by Dridex command and control (C2) servers. This blog expands on that work, looking at additional Dridex C2 SSL certificate patterns. Using those patterns we were able to identify previously unreported, live C2 servers.
Tags: Dridex, Malware, C2
Indicators: 74 (6 public, 68 RiskIQ)
Cybereason vs. Quantum Locker Ransomware
Quantum Locker is a ransomware strain first discovered in July 2021. Since then it has been observed in fast-moving intrusions, in some cases with a Time-to-Ransom (TTR) of under four hours, leaving defenders little time to react. IcedID, delivered through a phishing attack, has been used to deploy and execute Quantum Locker.
Tags: Ransomware, Cybereason, IcedID, QuantumLocker
Indicators: 25 (25 public)
F5 BIG-IP Unauthenticated RCE Vulnerability (CVE-2022-1388)
An unauthenticated remote code execution (RCE) vulnerability has been disclosed in BIG-IP versions prior to 17.0, and public exploits for it are already available. Patches are available for BIG-IP 13.x through 16.x. Patches are *NOT* available for BIG-IP 11.x and 12.x, which are past end of support and remain vulnerable; such devices should be upgraded to a patched version. In all cases the BIG-IP management interface, and iControl REST access through self IP addresses, should not be directly reachable from the internet.
Tags: F5-BIG-IP, Vulnerability, ActiveExploitation, Exploit, RCE, CVE-2022-1388
Indicators: 0