RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

June 24, 2024 at 04:24AM Between November 2023 and April 2024, a China-linked state-sponsored threat actor named RedJuliett conducted a cyber espionage campaign targeting government, academic, and diplomatic organizations in Taiwan. They utilized various techniques, including deploying web shells and exploiting vulnerabilities, with a focus on collecting intelligence related to Taiwan’s economic policy and diplomatic … Read more

UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

June 20, 2024 at 01:49PM Threat actor UNC3886, suspected to be Chinese, uses open-source rootkits like ‘Reptile’ and ‘Medusa’ on VMware ESXi virtual machines to conduct credential theft, command execution, and lateral movement. Mandiant tracked UNC3886’s attacks on government organizations and revealed their recent use of rootkits, custom malware tools, and attacks targeting various industries … Read more

Highly Evasive SquidLoader Malware Targets China

June 20, 2024 at 08:32AM Chinese-speaking victims have been targeted by a threat actor using the SquidLoader malware loader in recent attacks. The highly evasive SquidLoader malware is aimed at China. [SecurityWeek] Based on the meeting notes: – A threat actor has been using the SquidLoader malware loader in recent attacks targeting Chinese-speaking victims. – … Read more

Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

June 18, 2024 at 12:36PM A state-sponsored threat actor, Velvet Ant, maintained persistent access to a victim organization’s network for three years using a legacy F5 BIG-IP appliance, deploying various tools and techniques to compromise critical systems and access sensitive data. The cybersecurity firm Sygnia believes they are a China-based threat actor with sophisticated OPSEC … Read more

Scattered Spider Pivots to SaaS Application Attacks

June 18, 2024 at 09:08AM The recent attacks on customer accounts hosted on the Snowflake data warehousing platform may indicate a shift towards targeting SaaS application environments by threat actors. A threat group, UNC3944, has broadened its focus to enterprise SaaS applications and uses tactics like ransomware attacks, credential phishing, social engineering, and creating new … Read more

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

June 17, 2024 at 03:00AM Legitimate-but-compromised websites are being used to distribute a Windows backdoor called BadSpace via fake browser updates. The attack involves infected websites, a command-and-control server, fake browser updates, and a JScript downloader. This backdoor, capable of anti-sandbox checks and system information harvesting, is being distributed through compromised sites. Key Takeaways from … Read more

Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

June 15, 2024 at 05:18AM A suspected Pakistan-based threat actor, UTA0137, has conducted a cyber espionage campaign targeting Indian government entities in 2024. They use a malware called DISGOMOJI, a modified version of Discord-C2, to control Linux systems via Discord using emojis. The attacker has also employed various tactics to escalate privileges and socially engineer … Read more

Pakistani Hacking Team ‘Celestial Force’ Spies on Indian Gov’t, Defense

June 13, 2024 at 06:08AM A new report from Cisco Talos details a group called “Cosmic Leopard,” operating as “Operation Celestial Force,” which has been conducting cyber espionage against Indian government and defense entities for at least six years. The group’s tactics include using malware like GravityRAT and HeavyLift to target individuals and organizations. Preventative … Read more

Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters

June 12, 2024 at 10:09AM Cybersecurity researchers have uncovered an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency. The threat actors abused anonymous access to launch malicious container images containing a DERO miner. The attack involves targeting externally accessible Kubernetes API servers and uses obfuscation techniques to resist analysis. The attacker’s tactics … Read more

Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

June 12, 2024 at 07:39AM Symantec reports that threat actors using Black Basta ransomware exploited a privilege escalation flaw in Microsoft’s Windows Error Reporting Service as a zero-day, patched in March 2024. Symantec’s observation points to attempts to exploit the vulnerability in an unsuccessful ransomware attack. It also highlights the emergence of a new ransomware … Read more