All Threat Reports
Six Month Intrusion of an Asian Electrical Company
Threat actors, identified as Redfly, breached an Asian national grid for a total of six months, starting on February 28th, 2023, as reported by Symantec. Their operations, which culminated on August 3rd, included a series of actions like compromising credentials, using keyloggers, deploying drop loaders, and infecting additional network hosts. Notably, they showed a clear intent by targeting critical infrastructure organizations. While their attack pattern was intermittent, they were most active in May, showing several activities on specified dates, deploying payloads, stealing credentials, and establishing persistence. Their activity spiked again at the end of July. The persistent targeting of critical infrastructure by Redfly presents a significant threat, with the potential to disrupt essential services, particularly during politically tensed times.
Iran-Linked APT33/Peach Sandstorm Ongoing Password Spray Attacks Unveiled by Microsoft
Microsoft disclosed activities linked to Peach Sandstorm (known as APT33, Elfin, and Refined Kitten), an Iranian threat actor, launching password spray attacks since February 2023. The focus has been on industries like satellite, defense, and pharmaceuticals, especially in countries like Israel, the US, Brazil, and the UAE. This shift narrows down from their previous target sectors such as aviation and healthcare. The motive appears to be supporting Iranian state interests by collecting vital intelligence.
BumbleBee Swarms with QakBot's Takedown
Following the QakBot disruption by the FBI, there's been a surge in BumbleBee malware attacks. Kostas, a notable security researcher from the DFIR Report community, has outlined a BumbleBee tactic where the malware uses command line actions to map a network drive to a remote site, transfer user credentials, download a file, and search for 'notepad.exe' files. The method suggests potential file manipulation, highlighting the shifting tactics in the malware landscape post-QakBot's takedown.
A String of CryptoWallet Thefts Point to Cracked LastPass Vaults
Following the 2022 LastPass data breach, investigative journalist Brian Krebs points to an alarming rise in CryptoWallet thefts. Key voices from the industry, such as MetaMask's Taylor Monahan and Unciphered's Nick Bax, echo these concerns. The ongoing situation underscores the vulnerabilities even in renowned security platforms and the increasing sophistication of cyber threats.
Storm-0324 An Enabler of Ransomware
Microsoft's latest research unveils the threat actor Storm-0324, active since 2016, now targeting via Microsoft Teams chats. Historically using email-based vectors with deceptive themes, their move signifies an evolution in attack strategy. They've distributed malware like IcedID and ransomware such as Sage. Notably, from 2019, Storm-0324 has primarily spread JSSLoader, which could escalate to a ransomware impact when handed to groups like Sangria Tempest.
Okta Warns of a Intricate Attack Targeting Privileged Accounts
Recent findings from Okta reveal a meticulously crafted series of social engineering attacks targeting their US-based customers. These attackers aim for the most privileged admin accounts. After succeeding, they exploit identity federation features, mimicking users within the compromised organizations. Okta's insights show the threat actors possess either direct access to privileged account passwords or the ability to interfere with Active Directory. They've also leveraged a unique tactic by employing a secondary identity provider to act as an impersonation tool.
Deploy and maintain detections and threat hunt across all of your logging platforms and security tools without centralizing your data or deploying new agents.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.