Summary
Microsoft and FireEye have identified new malware believed to be used by the same attackers behind the SolarWinds compromise. FireEye tracks them as UNC2452; Microsoft has named them NOBELIUM. One notable feature of the new backdoor is an option to mix decoy network traffic in with its C2 queries.
Threat Type
Malware, Backdoor, RAT
Overview
FireEye has discovered a new sophisticated second-stage backdoor that is possibly connected to UNC2452, the same group believed to be behind the attac
We are pleased to announce the launch of EdgeKV, our distributed key-value store, into beta! EdgeKV is enabling technology for EdgeWorkers, our serverless computing platform that enables developers to create services using JavaScript and deploy them across our platform. When writing JavaScript, data persistence is often necessary to save data from a user interaction, or to retrieve contextual data to evaluate inside a function.
Summary
Adobe has released three security updates, for Framemaker, Creative Cloud Desktop Application, and Connect. Each update addresses at least one vulnerability rated by Adobe as Critical.
Threat Type
Vulnerability
Overview
Adobe has released three security updates, for Framemaker, Creative Cloud Desktop Application, and Connect. Each update addresses at least one vulnerability rated by Adobe as Critical. The potential impact of successful exploitation of the
Summary
In their March 2021 security updates, Microsoft lists eighty-three CVE-numbered vulnerabilities. Of those, ten are rated Critical, with the remainder rated Important. Aside from the already well-publicized exploitation of the Exchange Server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild.
Threat Type
Vulnerability
Overview
In their March 2021 security updates, Microsoft lists eighty-three CVE-numbered vulnerabilities. Of those, ten are rated a
Summary
In the wake of a targeted attack against CD Projekt Red, SentinelOne has published a blog post analyzing the HelloKitty ransomware.
Threat Type
Ransomware
Overview
SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families. For example, when processes are being killed a CMD window is spawned in the foregr
Summary
Following up on ANSSI's research into recent Sandworm activity, DomainTools reports on their findings related to the infrastructure used by this threat actor.
Threat Type
Malware, APT
Overview
DomainTools has published a report identifying Sandworm infrastructure discovered during their investigation into ANSSI's recent report on the threat group. ANSSI's report discussed the exploitation of Centreon to deliver Exaramel, a known Sandworm tool. The report, however, did not detail any network indicato
Summary
PAM update 4103.04161 contains 10 new events, 9 new moderate event responses, and 9 new aggressive event responses.
Threat Type
Vulnerability
Overview
PAM update 4103.03231 contains 4 new events, 0 new moderate event responses, and 0 new aggressive event responses. This content update is compatible with IBM QRadar Network Security Firmware version 5.4 or later, IBM QRadar Network Security for VMware firmware version 5.4 or later, IBM Security Network IPS GV-Series Virtual Appliances, IBM Security Ne
Summary
New research reveals a connection between the Lazarus Group and TFlower; specifically, TFlower's usage of a MATA framework variant in a recent campaign.
Threat Type
Malware, Backdoor, Ransomware
Overview
A report from Sygnia indicates a connection or collaboration between Lazarus and TFlower. The TFlower ransomware is deployed using the MATA backdoor, a well-known Lazarus tool. The variant used here had not previously been seen in any campaign. In addition to the MATA backdoor,
Summary
Threat actors often exploit the U.S. tax season as a source of phishing lures. Cofense reports on one such case: a file-share link purporting to come from the IRS, used to steal Microsoft credentials.
Threat Type
Phishing
Overview
Cofense published a blog post analyzing a phishing campaign attempting to steal Microsoft credentials while capitalizing on the U.S. tax season. The sender email address and name have been spoofed in order to match that of a legitimate IRS tax rep
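The spoofed sender described above can be caught with a few header checks before anyone looks at the lure itself. The following is an added example, not code from the Cofense post: both messages are constructed here with made-up `.test` domains and a hypothetical file-share host, and the three heuristics it applies (envelope sender versus From domain, SPF/DKIM/DMARC verdicts, and links that point outside the claimed sender's domain) are generic mail-triage checks rather than Cofense's own detection logic.

```python
"""Header and link checks for a spoofed-sender phishing email.

Added example; not code from the Cofense post. Both messages below are
constructed for illustration with made-up .test domains; the three checks
(envelope/From domain mismatch, failed SPF/DKIM/DMARC, links pointing
outside the sender's domain) are generic triage heuristics.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lure: display name and From address claim the IRS, but the
# envelope sender and the authentication results tell a different story.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none; dmarc=fail header.from=irs.gov
From: "IRS Tax Representative" <tax.rep@irs.gov>
To: victim@example.test
Subject: Your 2020 tax documents are ready
Content-Type: text/plain; charset=utf-8

Please review your tax documents here: https://share.fileshare-example.test/d/abc123
"""

# Constructed control: same shape, but envelope, authentication and link all agree.
LEGIT_MESSAGE = b"""Return-Path: <notices@corp-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=corp-example.test; dkim=pass header.d=corp-example.test; dmarc=pass header.from=corp-example.test
From: "Payroll" <notices@corp-example.test>
To: victim@example.test
Subject: W-2 available
Content-Type: text/plain; charset=utf-8

Your W-2 is available at https://hr.corp-example.test/w2
"""


def domain_of(header_value):
    """Extract the bare domain from a From/Return-Path header value."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyse(raw):
    """Return {'from_domain', 'suspicious', 'reasons'} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    reasons = []

    # 1. The envelope (bounce) sender should belong to the domain shown in From.
    if envelope_domain and envelope_domain != from_domain:
        reasons.append("Return-Path domain %s != From domain %s" % (envelope_domain, from_domain))

    # 2. Mail genuinely sent by the claimed domain should authenticate;
    #    anything other than pass on SPF, DKIM or DMARC is a flag.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            reasons.append("%s=%s" % (mech, verdicts.get(mech, "missing")))

    # 3. Credential-harvesting lures send the victim to a third-party file share,
    #    so flag any link whose host is not under the From domain.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = url.split("/")[2].lower()
        if host != from_domain and not host.endswith("." + from_domain):
            reasons.append("link host %s outside sender domain %s" % (host, from_domain))

    return {"from_domain": from_domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, analyse(raw))
```

The Return-Path and Authentication-Results checks only mean something on the receiving mail server's own copy of the message, where those headers were added by infrastructure you trust; on a forwarded sample both can be forged along with the From line.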
Previously, I introduced the field of sensor systems architecture and posed a real world example scenario of the unnecessary resource costs and hazards that can happen when the deployment of sensors isn't carefully thought out.
While Unicast defines a single destination endpoint for a given IP, Anycast is an addressing technique in which the same IP is advertised from multiple servers simultaneously.
Summary
The Russian-speaking RTM threat group has launched a new campaign against Russian transport and finance organizations. Kaspersky reports on the group's use of new techniques, including ransomware and extortion.
Threat Type
Malware, Ransomware
Overview
Kaspersky has published a blog post analyzing a recent campaign carried out by the RTM threat group against Russian transport and finance organizations. The campaign, as with previous ones, begins with the distribution of the RTM banker via business-them
Summary
One method of hiding malware from detection is to embed it in a less suspicious file format, such as an image. ReversingLabs reports on several observed examples of this technique being used in conjunction with PHP malware.
Threat Type
Malware
Overview
ReversingLabs published a blog post analyzing various PHP malware samples embedded in image files. This method is particularly handy for placing webshells on servers that allow the upload of image files but not executables. Two specific technique
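An upload filter that only checks the extension, or only the leading magic bytes, passes exactly these files: a real GIF or JPEG header followed by PHP code, either appended after the image data or tucked into a JPEG COM or APP1 (EXIF) segment. The scanner below is an added example, not code or samples from the ReversingLabs post. It validates the image signature, walks the JPEG marker table so it can say which segment the code sits in, and scans the whole file for PHP open tags; the sample files at the bottom are constructed inline and are not real malware.

```python
"""Scan uploaded 'image' files for embedded PHP code.

Added example; not code from the ReversingLabs post or from its samples.
The image signatures and the PHP open-tag forms are standard; the sample
files at the bottom are constructed here and are not real malware.
"""
import re
import struct

# Magic bytes for image types an upload filter would typically accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# PHP open tags: '<?php', the short echo tag '<?=', and the legacy
# '<script language=php>' form. A file that passes the upload filter as an
# image but is later included or executed by PHP runs whatever follows these.
PHP_TAG_RE = re.compile(
    rb"<\?(?:php\b|=)|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE
)


def image_type(data):
    """Return 'jpeg'/'png'/'gif' from the leading bytes, or None."""
    for sig, name in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def jpeg_segment_at(data, offset):
    """Name the JPEG marker segment that contains `offset`.

    Walks the marker table from SOI up to SOS; code hidden in a COM or
    APP1 (EXIF) segment survives a naive 'it opens in an image viewer' check.
    """
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: marker table ends here
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if pos <= offset < pos + 2 + length:
            return {0xFE: "COM", 0xE1: "APP1/EXIF"}.get(marker, "marker 0x%02X" % marker)
        pos += 2 + length
    return "scan/trailing data"


def scan_image(data):
    """Return {'type', 'malicious', 'findings'} for one uploaded file."""
    kind = image_type(data)
    findings = []
    if kind is None:
        findings.append(("header", "no recognised image signature"))
    # Scan the whole file, not just metadata: appending '<?php ...' after the
    # image trailer is the simplest polyglot and still renders as a valid image.
    for m in PHP_TAG_RE.finditer(data):
        where = jpeg_segment_at(data, m.start()) if kind == "jpeg" else "offset %d" % m.start()
        snippet = data[m.start():m.start() + 40].decode("latin-1")
        findings.append((where, snippet))
    return {"type": kind, "malicious": bool(findings), "findings": findings}


# ---- constructed samples (hypothetical, not from the report) ----
def jpeg_with_comment(comment):
    """Minimal JPEG: SOI, one COM segment, a stub SOS, EOI."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xda\x00\x02" + b"\x00" * 8 + b"\xff\xd9"


CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b"\x3b"
CLEAN_JPEG = jpeg_with_comment(b"Created with a camera")
GIF_WITH_APPENDED_PHP = CLEAN_GIF + b"<?php system($_GET['cmd']); ?>"
JPEG_WITH_PHP_IN_COMMENT = jpeg_with_comment(b"<?php eval($_POST['x']); ?>")
NOT_AN_IMAGE = b"<?php echo 1; ?>"

if __name__ == "__main__":
    samples = [("clean.gif", CLEAN_GIF), ("clean.jpg", CLEAN_JPEG),
               ("appended.gif", GIF_WITH_APPENDED_PHP),
               ("exif.jpg", JPEG_WITH_PHP_IN_COMMENT), ("shell.jpg", NOT_AN_IMAGE)]
    for name, blob in samples:
        print(name, scan_image(blob))
```

Scanning is a second line of defence; the fix that removes the class of problem is to store uploads outside the web root (or on a path the PHP handler is not mapped to) and to re-encode images on upload, which discards comment and EXIF segments and anything trailing the image data.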
Summary
Beginning on March 2, 360Netlab observed attacks that attempt to exploit vulnerabilities in QNAP NAS devices running firmware released prior to August 2020. If a device was successfully compromised, the attackers installed cryptomining software.
Threat Type
Vulnerability, Malware, Cryptomining
Overview
A report from 360Netlab provides details on attacks that attempt to exploit two vulnerabilities (CVE-2020-2506 and CVE-2020-2507) in QNAP NAS devices. If successfully exploited, the vulnerabilities
Summary
Two security advisories have been published for Xen. The most serious vulnerability addressed in the advisories could potentially allow an attacker to cause a denial of service condition on the host system.
Threat Type
Vulnerability
Overview
Two security advisories have been published for Xen. The most serious vulnerability addressed in the advisories could potentially allow an attacker to cause a denial of service condition on the host system. Further details are available from the advisories linke
Summary
Ocelot, the Offensive Security research team of Metabase Q, identified a new variant of Ploutus ATM malware in Latin America. The variant, Ploutus-I, operates on ATMs from the Brazilian vendor Itautec. It allows for a jackpotting-style attack, in which cash is stolen directly from the ATM rather than from an individual's account.
Threat Type
Malware
Overview
A new variant of the Ploutus ATM malware has been seen in Latin America. The variant, Ploutus-I, operates on ATMs from the Brazilian vendor Itaute