June 20, 2024 at 01:49PM Threat actor UNC3886, suspected to be Chinese, uses open-source rootkits like ‘Reptile’ and ‘Medusa’ on VMware ESXi virtual machines to conduct credential theft, command execution, and lateral movement. Mandiant tracked UNC3886’s attacks on government organizations and revealed their recent use of rootkits, custom malware tools, and attacks targeting various industries … Read more
June 20, 2024 at 08:32AM Chinese-speaking victims have been targeted by a threat actor using the SquidLoader malware loader in recent attacks. The highly evasive SquidLoader malware is aimed at China. [SecurityWeek] Based on the meeting notes: – A threat actor has been using the SquidLoader malware loader in recent attacks targeting Chinese-speaking victims. – … Read more
June 18, 2024 at 12:36PM A state-sponsored threat actor, Velvet Ant, maintained persistent access to a victim organization’s network for three years using a legacy F5 BIG-IP appliance, deploying various tools and techniques to compromise critical systems and access sensitive data. The cybersecurity firm Sygnia believes they are a China-based threat actor with sophisticated OPSEC … Read more
June 18, 2024 at 09:08AM The recent attacks on customer accounts hosted on the Snowflake data warehousing platform may indicate a shift towards targeting SaaS application environments by threat actors. A threat group, UNC3944, has broadened its focus to enterprise SaaS applications and uses tactics like ransomware attacks, credential phishing, social engineering, and creating new … Read more
June 17, 2024 at 03:00AM Legitimate-but-compromised websites are being used to distribute a Windows backdoor called BadSpace via fake browser updates. The attack involves infected websites, a command-and-control server, fake browser updates, and a JScript downloader. This backdoor, capable of anti-sandbox checks and system information harvesting, is being distributed through compromised sites. Key Takeaways from … Read more
June 15, 2024 at 05:18AM A suspected Pakistan-based threat actor, UTA0137, has conducted a cyber espionage campaign targeting Indian government entities in 2024. They use a malware called DISGOMOJI, a modified version of Discord-C2, to control Linux systems via Discord using emojis. The attacker has also employed various tactics to escalate privileges and socially engineer … Read more
June 13, 2024 at 06:08AM A new report from Cisco Talos details a group called “Cosmic Leopard,” operating as “Operation Celestial Force,” which has been conducting cyber espionage against Indian government and defense entities for at least six years. The group’s tactics include using malware like GravityRAT and HeavyLift to target individuals and organizations. Preventative … Read more
June 12, 2024 at 10:09AM Cybersecurity researchers have uncovered an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency. The threat actors abused anonymous access to launch malicious container images containing a DERO miner. The attack involves targeting externally accessible Kubernetes API servers and uses obfuscation techniques to resist analysis. The attacker’s tactics … Read more
June 12, 2024 at 07:39AM Symantec reports that threat actors using Black Basta ransomware exploited a privilege escalation flaw in Microsoft’s Windows Error Reporting Service as a zero-day, patched in March 2024. Symantec’s observation points to attempts to exploit the vulnerability in an unsuccessful ransomware attack. It also highlights the emergence of a new ransomware … Read more
June 11, 2024 at 10:51AM Cybersecurity researchers have unveiled the activities of a Chinese threat actor called SecShow, targeting open DNS resolvers globally, potentially for malicious purposes. Meanwhile, a financially-motivated threat actor advertises a botnet service, Rebirth, targeting game servers for DDoS attacks. This reflects an increasing trend of cyber threats targeting gaming communities for … Read more