The FBI, CISA, and MS-ISAC release a joint Cybersecurity Advisory detailing Rhysida ransomware IOCs and TTPs observed through investigations up to September 2023, including initial access via external-facing remote services, Zerologon exploitation, and phishin…
FortiGuard Labs’ bi-weekly Ransomware Roundup analyzes NoEscape ransomware, a ransomware‑as‑a‑service group that encrypts and exfiltrates data across Windows, Linux, and ESXi. The operation uses a Tor site and TOX for ransom negotiations and targets multiple s…
Security Joes describes a large-scale data-wiping campaign targeting Israeli organizations, led by hacktivist groups Karma and Moses Staff, featuring BiBi-Linux Wiper and the Windows variant bibi.exe. The investigation links pro-Palestinian motives to the atta…
Black Lotus Labs analyzed a multi-stage Linux kernel exploit named “Elevator” that targets eBPF to escape containers and escalate to ring 0 on specific CoreOS and Ubuntu kernels. The tool performs environment-specific reconnaissance, leaks kernel memory to com…
AhnLab ASEC detected malware distributed through breached legitimate websites using LNK files that prompt users to run them, illustrating a distribution chain that involves HTML and VBScript executed via mshta and PowerShell. The article also covers how AhnLab…
FBI and CISA release a joint advisory detailing Royal ransomware’s operations, including initial access via phishing, data exfiltration with double extortion, and encryption techniques, plus observed tools and IOCs since 2022, with guidance for defenders. The …
SysAid’s on-premises software was found to have a zero-day path traversal vulnerability that allowed code execution, exploited by DEV-0950 (Lace Tempest). The attackers deployed a WebShell via a WAR file, loaded the GraceWire loader to inject into system proce…
GhostSec unveils GhostLocker, a Ransomware-as-a-Service framework, sold through a dedicated Telegram channel and with a current focus on Israel, signaling a shift in their activity. The report details GhostLocker’s build/operation, historical attacks against Is…
Researchers identified a fresh Gootloader variant named “GootBot” that adds lateral movement and stealth to post-infection activity. It uses hardcoded C2 servers on compromised WordPress sites and avoids common off-the-shelf tools to deploy additional payloads…
An NCC Group analysis dives into the D0nut extortion group’s TTPs, detailing how they used Cobalt Strike, BYOVD, GPO modifications, RDP, and Rclone-based exfiltration to deploy ransomware. The report links potential ties to HelloXD and other groups like Hive/R…
Threat researchers from eSentire’s TRU describe how DarkGate loader is used to deploy DanaBot, highlighting drive-by download delivery, a rich feature set, and advanced evasion techniques. The post also covers observed IOCs, attacker infrastructure, and remedi…
CYFIRMA highlights Good Day ransomware, an ARCrypter family member that disguises itself as a Microsoft Windows Update and employs stealthy techniques (such as VSS deletion and debug detection) while encrypting files and exfiltrating data. The report also covers related…
Unit 42 investigates a destructive, data-theft campaign attributed to the Iranian-linked Agonizing Serpens (Agrius) APT, targeting Israeli higher-education and tech sectors from January to October 2023. The operation blends data exfiltration with new wipers (M…
Decoding a Remcos loader, leveraging regex, Python and CyberChef to identify IOCs.
Fortinet’s FortiGuard Labs details Knight ransomware, a relatively new double-extortion group active since August 2023 that encrypts files and exfiltrates data for ransom. The report covers infection via phishing campaigns delivering Knight through Remcos and …