Cloud compute credentials attacks target misconfigured cloud compute services to steal credentials and access cloud infrastructure, causing costly resource usage and remediation work. The article presents two real-world cases—one in AWS Lambda and one in Googl…
Tag: EDR
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.
UNC4191 operations have affected a range of public and private sector entities primarily in Southeast…
Fortinet FortiGuard Labs analyzes a Cryptonite ransomware sample that was open-sourced on GitHub and later observed to behave like a wiper in the wild. The investigation covers static and dynamic analyses, reveals a flawed design that prevents data recovery, a…
ESET researchers analyzed Dolphin, a previously unreported backdoor used by ScarCruft (APT37) that operatives deploy on select targets to exfiltrate files, log keystrokes, take screenshots, and steal browser credentials, using Google Drive for C2. The Dolphin …
Sophos’ postmortem analysis shows LockBit 3.0 (LockBit Black) carries wormable capabilities and borrows heavily from BlackMatter, including tooling used by affiliates and even legitimate pentesters. The investigation highlights evolving self-spread techniques,…
FortiGuard Labs analyzes Cryptonite, an open-source, Python-based ransomware kit that encrypts Windows files and uses NGROK as a reverse proxy for C2. The report details how Cryptonite operates, its encryption method, IoCs, and Fortinet’s protective guidance a…
Cybereason’s Global SOC is tracking a wide Black Basta ransomware campaign that leverages QakBot (Qbot) to gain entry and move laterally in U.S.-based organizations. The campaign ties QakBot infections to rapid deployment of Black Basta, including DNS disrup…
QakBot (Qbot) uses obfuscated Regsvr32-based execution to load its DLL payload, often by moving or renaming system binaries and triggering execution via LNK and batch files. The threat starts with phishing delivering a password-protected ZIP/ISO, leading to us…
Hive ransomware operates as a ransomware-as-a-service (RaaS) that has victimized thousands across sectors like Healthcare and Public Health, encrypting data and threatening leaks. The advisory inventories Hive’s TTPs, IOCs, and mitigations, including initial a…
This post explains how Fortinet researchers debugged a multi-stage .NET malware chain used for Warzone RAT by exporting and running each stage independently, then dumping the next stage for analysis. It covers building a wrapper app to run KeysNormalize.dll, r…
Earth Longzhi is a newly identified APT41 sub-group that conducted two campaigns (2020–2022) across Asia-Pacific with custom Cobalt Strike loaders and multiple loaders/tools to target government, infrastructure, healthcare, and defense sectors. The campaigns b…
RomCom threat actor campaigns spoof SolarWinds, KeePass, and PDF Reader Pro to deliver RomCom RAT, focusing on Ukraine with possible targets in the United Kingdom. Researchers note connections to Cuba Ransomware and Industrial Spy, while clarifying that vendor…
SentinelLabs provides a comprehensive analysis of Black Basta’s operational TTPs, revealing custom tools, EDR-evasion capabilities, and a likely link to FIN7. The findings suggest FIN7 developers may have contributed to Black Basta’s toolset, with privilege es…
Text4Shell (CVE-2022-42889) is a critical remote code execution vulnerability in Apache Commons Text (versions 1.5–1.9) that can be triggered by crafted input strings to run code on vulnerable hosts. The advisory covers exploitation methods, potential post-exp…
Check Point’s Brand Phishing Report for Q3 2022 shows DHL as the brand most impersonated in phishing attempts (22%), with Microsoft (16%) and LinkedIn (11%) following; Instagram also enters the top ten due to a blue-badge phishing campaign. The report highlight…