North Korea’s ‘Stonefly’ APT Swarms US Private Co’s. for Profit

October 2, 2024 at 05:49PM North Korean APT group “Stonefly” has pivoted to targeting US private companies for financial gain, continuing to operate despite a recent US indictment and a $10 million bounty. Previously focused on espionage, the group deployed Backdoor.Preft and Nukebot in August attacks that appear to have been intended to end in ransomware deployment. Businesses should watch for Stonefly’s indicators of compromise to guard …

Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

October 2, 2024 at 06:45AM In August 2024, North Korean state-sponsored threat actor Andariel targeted three U.S. organizations in a likely financially motivated attack. Although the attackers were unable to deploy ransomware, the intrusions fit the group’s established pattern. Andariel, a sub-cluster of Lazarus Group, is known for deploying ransomware, creating custom backdoors, and using N-day security flaws for network …

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

August 20, 2024 at 06:40AM A new backdoor named Msupedge has been discovered in a cyber attack on a university in Taiwan. The backdoor is notable for communicating with its command-and-control server over DNS traffic and for borrowing its code from an open-source tool. The attack vector was likely a critical flaw in PHP, …

Chinese Hackers Target Taiwan and US NGO with MgBot Malware

July 23, 2024 at 09:31AM Organizations in Taiwan and a U.S. NGO were targeted by the Chinese state-affiliated hacking group Daggerfly using upgraded malware tools. Symantec reports that the group engages in internal espionage, exploited an Apache HTTP Server vulnerability, and quickly adapts its toolset to continue espionage activities. New malware linked to Daggerfly includes MACMA and Nightdoor, targeting major operating systems. CVERC accuses …

Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

June 12, 2024 at 07:39AM Symantec reports that threat actors using Black Basta ransomware likely exploited a privilege escalation flaw in Microsoft’s Windows Error Reporting Service as a zero-day before it was patched in March 2024. Symantec observed the exploit being used in an attempted ransomware attack that was ultimately unsuccessful. The report also highlights the emergence of a new ransomware …

Who are these RansomHub cyber-thieves? Looks like a Knight ransomware reboot

June 5, 2024 at 04:22PM RansomHub, a newly active cyber-crime group, has been identified as a possible rebrand of the Knight ransomware gang. It has been stealing data from a range of organizations and auctioning it off, using sophisticated techniques. Code overlap between RansomHub and Knight suggests a connection between the two groups. …

RansomHub extortion gang linked to now-defunct Knight ransomware

June 5, 2024 at 08:43AM RansomHub is a new Ransomware-as-a-Service operation believed to have evolved from the defunct Knight ransomware project. It operates as a data theft and extortion group and recently targeted UnitedHealth subsidiary Change Healthcare and the international auction house Christie’s. Symantec analysts found commonalities with Knight, indicating a likely derived lineage, though operated by …

Broadcom Merges Symantec and Carbon Black Into New Business Unit

March 11, 2024 at 02:51PM Broadcom announced the merger of Carbon Black and Symantec into a new business unit that will focus on integrating network and data telemetry with Endpoint Detection and Response (EDR) technology. The new Enterprise Security Group will manage Broadcom’s cybersecurity portfolio and enhance both companies’ products to give customers greater visibility and control. …

New JinxLoader Targeting Users with Formbook and XLoader Malware

January 1, 2024 at 02:00AM JinxLoader, a new Go-based malware loader, is being used by threat actors to deliver next-stage payloads such as Formbook and XLoader. Cybersecurity firms have documented its use in multi-step attack chains that begin with phishing emails impersonating Abu Dhabi National Oil Company, leading to a surge in infections and …

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

December 19, 2023 at 07:15AM MuddyWater, an Iranian cyber espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has used a new command-and-control framework called MuddyC2Go in attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. Symantec’s Threat Hunter Team, which tracks the group as Seedworm, has observed the group’s use of various tools …