Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users

October 9, 2024 at 04:44PM The Mamba 2FA phishing kit targets Microsoft 365 users with deceptive login pages, sneaking past two-factor authentication. Priced at $250/month in cybercrime forums, it mimics various Microsoft services and collects credentials through Telegram. Active since November 2023, it previously operated on ICQ before moving to Telegram. … Read more

Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities

September 26, 2024 at 02:57AM Cloudflare has observed an advanced threat actor using multiple cloud service providers for credential harvesting, malware delivery, and command-and-control. The actor, known as SloppyLemming, targets government, law enforcement, energy, education, telecommunications, and technology entities in South and East Asian countries. The attacks involve spear-phishing emails, malicious links, and custom-built tools … Read more

‘SloppyLemming’ APT Abuses Cloudflare Service in Pakistan Attacks

September 26, 2024 at 12:35AM A threat actor known as “SloppyLemming,” identified as an advanced persistent threat (APT) by CrowdStrike, is conducting espionage against government and law enforcement targets in the Indian subcontinent. They utilize Cloudflare Worker cloud services and various tools in phishing attack chains for credential harvesting and email compromise, targeting sensitive organizations … Read more

India-Linked Hackers Targeting Pakistani Government, Law Enforcement

September 25, 2024 at 08:48AM A threat actor called SloppyLemming, likely based in India, is using cloud services to target energy, defense, government, telecom, and tech entities in Pakistan and other South and East Asian countries. Cloudflare reports the group’s operations align with Outrider Tiger, known for using Sliver and Cobalt Strike in attacks. SloppyLemming … Read more

Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

September 16, 2024 at 01:21AM Cybersecurity researchers have identified ongoing phishing campaigns using HTTP header refresh entries to deliver fake email login pages, targeting large corporations in South Korea, U.S. government agencies, and schools. These attacks encompass various sectors and are part of a growing trend of sophisticated tactics to trick recipients and steal sensitive … Read more

New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

August 28, 2024 at 03:03AM Cybersecurity researchers have identified a new QR code phishing campaign using Microsoft Sway to host fake pages, exploiting legitimate cloud services. These attacks have targeted users in Asia and North America, particularly in technology, manufacturing, and finance sectors. The phishing tactic involves tricking users into scanning QR codes to steal … Read more

New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

August 23, 2024 at 06:36AM A recent Qilin ransomware attack involved stealing credentials from Google Chrome browsers, using compromised VPN portal credentials, then editing the default domain policy to harvest credentials and erase evidence after exfiltrating them. Ransomware groups continue to evolve tactics, with Russian-speaking groups earning over $500 million from ransomware proceeds and … Read more

Qilin ransomware now steals credentials from Chrome browsers

August 22, 2024 at 05:43PM Qilin ransomware group deployed a custom stealer to harvest Google Chrome credentials, constituting a concerning shift in ransomware tactics. The attack involved gaining network access, 18 days of reconnaissance, credential theft via PowerShell script, event logs deletion, and ransomware deployment. Organizations are advised to prohibit browser secret storage, implement multi-factor … Read more

Russian-Linked Hackers Target Eastern European NGOs and Media

August 15, 2024 at 08:57AM Russian and Belarusian NGOs, media, and international organizations in Eastern Europe are targeted by spear-phishing campaigns linked to Russian government interests. One campaign, River of Phish, is attributed to a collective with ties to Russia’s Federal Security Service, while the second, COLDWASTREL, uses similar tactics. The attacks employ personalized social … Read more

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

August 2, 2024 at 12:42PM A Russia-linked threat actor, APT28, has been using a car-for-sale phishing lure to deploy the HeadLace backdoor in a campaign targeting diplomats since March 2024. The attacks involve the use of a legitimate service called webhook[.]site to deliver malicious files and are linked to previous campaigns by APT28. The tactics … Read more