Search
Items tagged with: ThreatIntel
Truesec: https://www.truesec.com/hub/blog/dissecting-the-cicada
In June 2024 a new RaaS named Cicada3301 announced they were looking for affiliates. We have now encountered them "in the wild".
Truesec has spent some time analyzing this new Rust-based ransomware strain.
Cicada 3301 - Ransomware-as-a-Service - Technical Analysis
Discover the latest insights on the emerging ransomware group Cicada3301, first detected in June 2024. Truesec's investigation reveals key findings about this group, named after a famous cryptography game, now targeting multiple victims.Simon Hertzberg (Truesec AB)
Microsoft: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor dubbed "Tickler." Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering (intelligence gathering on LinkedIn). They described the Tickler malware, Azure resources abuse, and post-compromise activity:
- Lateral movement via Server Message Block (SMB)
- Downloading and installing a remote monitoring and management (RMM) tool
- Taking an Active Directory (AD) snapshot
IOC and hunting queries provided.
cc: @briankrebs @mttaggart @serghei @campuscodi @AAKL
#iran #peachsandstorm #cyberespionage #threatintel #IOC #tickler #backdoor #malwareanalysis #linkedin
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler.Microsoft Threat Intelligence (Microsoft Security Blog)
Jaw Dropping DNS Attack Vector Heavily Exploited in the Wild
Learn about the insidious DNS attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. Find out how to determine whether your domain name is at risk.Infoblox Threat Intel (Infoblox Blog)
Microsoft: Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Reference: CVE-2024-37085 (6.8 medium, disclosed 25 June 2024 by Broadcom VMware ESXi authentication bypass vulnerability.
Microsoft uncovered evidence of VMware ESXi hypervisors being exploited by ransomware threat actors using CVE-2024-37085. This includes Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest... deploying Akira and Black Basta ransomware. They provide a technical analysis of CVE-2024-37085 and a case study of Storm-0506 leveraging it to deploy Black Basta (honorable mention: Qakbot initial infection followed by exploitation of Windows CLFS vulnerability CVE-2023-28252). No IOC, but threat hunting queries are provided.
cc: @SwiftOnSecurity
#CVE_2024_37085 #threatintel #ransomware #qakbot #storm0506 #storm1175 #octotempest #manateetempest #vmware #CVE_2023_28252
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Microsoft Security Blog
Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them.Microsoft Threat Intelligence (Microsoft Security Blog)