Pixel perfect Ghostpulse malware loader hides inside PNG image files

October 22, 2024 at 01:33AM
Ghostpulse malware has updated its delivery method, now embedding payloads within the pixels of PNG files, enhancing evasion of detection tools. This sophisticated technique allows it to act as a loader for more dangerous malware like Lumma, compelling defenses to evolve accordingly. Attackers also use social engineering tricks for distribution. …

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

October 21, 2024 at 11:30AM
Attacks on exposed Docker Remote API servers deploy the perfctl malware through probing and payload execution. Attackers create containers, execute Base64-encoded payloads, and use evasion tactics to avoid detection. Recommendations to enhance security include strong access controls, regular monitoring, and adherence to container security best practices. …

Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

October 21, 2024 at 10:02AM
APT41, a Chinese state-sponsored cyber actor, conducted a sophisticated nine-month attack on the gambling and gaming industry, stealthily gathering sensitive data and evading detection by adapting strategies. Utilizing custom malware and exploiting credentials, they established persistence in the compromised network, targeting devices specifically within a designated VPN subnet. …

SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack

October 17, 2024 at 06:42AM
An APT group known as SideWinder, linked to India, has launched numerous attacks on key entities in the Middle East and Africa, utilizing multi-stage infection methods with a new toolkit called StealerBot. Targeted sectors include government, military, finance, and telecommunications across various countries, highlighting their evolving cyber capabilities. …

Sidewinder Casts Wide Geographic Net in Latest Attack Spree

October 16, 2024 at 10:42AM
The Indian APT group SideWinder has expanded its cyberattacks across Asia, the Middle East, Africa, and Europe, targeting various sectors, including government and military. They employ an advanced malware toolkit, StealerBot, for espionage. Kaspersky warns that these attackers should not be underestimated due to their evolving tactics. …

Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

October 16, 2024 at 07:39AM
The analyzed Golang ransomware exploits Amazon S3 Transfer Acceleration to exfiltrate files to attacker-controlled buckets, utilizing hard-coded AWS credentials. It mimics LockBit ransomware to manipulate victims. AWS confirmed these actions violated its policies and suspended the implicated account. Monitoring AWS credentials can serve as potential Indicators of Compromise (IOCs). …

5 Techniques for Collecting Cyber Threat Intelligence

October 16, 2024 at 06:36AM
To effectively combat cyber threats, organizations must stay informed about the threat landscape. Analysts can enhance investigations by utilizing techniques like pivoting on Command and Control IPs, analyzing URLs, employing MITRE TTPs, using YARA rules, and examining command line artifacts. ANY.RUN’s TI Lookup tool facilitates these processes. …

TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

October 15, 2024 at 01:06PM
New variants of the TrickMo Android banking trojan now include features to steal unlock patterns or PINs, allowing attacks even when devices are locked. These versions also improve evasion tactics and target a wide range of applications. Mobile banking malware attacks have increased by 29% from June 2023 to April …

Serious Adversaries Circle Ivanti CSA Zero-Day Flaws

October 14, 2024 at 06:23PM
Researchers reported that a sophisticated cyberattacker, likely a nation-state actor, exploited three zero-day vulnerabilities in Ivanti’s Cloud Service Appliance to infiltrate networks. This involved command and SQL injection flaws, enabling them to maintain access and potentially execute advanced techniques like DNS tunneling and deploying rootkits. Organizations must apply patches urgently. …

TrickMo malware steals Android PINs using fake lock screen

October 14, 2024 at 01:35PM
Forty new variants of the TrickMo Android banking trojan have emerged, designed to steal PINs and sensitive data through deceptive screens and various phishing tactics. Linked to 16 droppers and 22 command and control infrastructures, it has impacted at least 13,000 victims, primarily in Canada, UAE, Turkey, and Germany. …