June 20, 2024 at 01:49PM Threat actor UNC3886, suspected to be Chinese, uses open-source rootkits like ‘Reptile’ and ‘Medusa’ on VMware ESXi virtual machines to conduct credential theft, command execution, and lateral movement. Mandiant tracked UNC3886’s attacks on government organizations and revealed their recent use of rootkits, custom malware tools, and attacks targeting various industries … Read more
June 20, 2024 at 10:58AM State-sponsored cyber attacks targeting French diplomatic entities have been linked to Russia by the country’s information security agency. The attacks, attributed to a cluster named Midnight Blizzard, use phishing emails and compromised accounts to initiate malicious actions. The threat actor, known as Nobelium, has also targeted European embassies and leveraged … Read more
June 20, 2024 at 07:15AM Cyber espionage linked to China has targeted telecom operators in an unnamed Asian country since at least 2021, using backdoors and attempting to steal credentials. The attacks also targeted a services company and a university in another Asian country. The campaign appears to involve tools used by various Chinese espionage … Read more
June 19, 2024 at 11:21AM A China-based cyber espionage group, UNC3886, has been using zero-day exploits to target Fortinet, Ivanti, and VMware systems, gaining access to sensitive information in various industries. The group has developed techniques to avoid detection, including using rootkits and backdoors to maintain access. Organizations are advised to follow security recommendations from … Read more
June 17, 2024 at 04:57PM An advanced persistent threat (APT) from Pakistan is conducting cyber espionage against Indian government organizations using the “Dirty Pipe” Linux bug and the Discord-based malware, Disgomoji. The malware utilizes emojis for commands, making it user-friendly but not significantly impacting security software detections. UTA0137 has also been observed exploiting the old … Read more
June 17, 2024 at 01:41PM The group Velvet Ant, believed to be Chinese cyberespionage actors, deployed custom malware on F5 BIG-IP appliances to establish persistent connections and steal data from a company undetected for nearly three years. Sygnia discovered the intrusion, outlining the attack methods and re-infection chain. They also provided defense recommendations to counter … Read more
June 17, 2024 at 08:30AM A suspected China-linked cyber espionage actor conducted a prolonged attack on an East Asian organization for three years, using legacy F5 BIG-IP appliances for internal command-and-control. Sygnia identified the threat, named Velvet Ant, as sophisticated and innovative, utilizing PlugX and DLL side-loading. The attack also involved disabling endpoint security software … Read more
June 15, 2024 at 05:18AM A suspected Pakistan-based threat actor, UTA0137, has conducted a cyber espionage campaign targeting Indian government entities in 2024. They use a malware called DISGOMOJI, a modified version of Discord-C2, to control Linux systems via Discord using emojis. The attacker has also employed various tactics to escalate privileges and socially engineer … Read more
June 14, 2024 at 10:27AM Pakistan-based threat actors, identified as Cosmic Leopard and UTA0137, have targeted Indian government entities in separate espionage campaigns. Operation Celestial Force, ongoing since 2018, utilizes Android and Windows malware to target individuals in defense, government, and related technology sectors. Similarly, UTA0137 has been using the ‘Disgomoji’ malware to access Linux … Read more
June 14, 2024 at 03:12AM North Korean threat actors have been increasingly targeting Brazil, mainly focusing on government, aerospace, technology, and financial sectors. These attacks involve using job-themed social engineering campaigns and spreading malware through cryptocurrency professionals and fake npm packages. Google and Microsoft have highlighted tactics used by different North Korean groups, shedding light … Read more