Attackers are using the Tycoon 2FA phishing kit to steal user credentials and bypass multifactor authentication.
Category: Uncategorized
Threat Hunting Scenario: UEFI Bootkit (CVE-2024-7344)
Attackers may exploit CVE-2024-7344 to bypass UEFI Secure Boot and deploy a malicious bootkit, achieving persistence and potentially exfiltrating sensitive data or disrupting system operations.
Engage Report: Codefinger Ransomware Targeting AWS S3 Buckets
- The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
- The attacker utilizes the Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
- They encrypt the bucket’s data using their own AES-256 key, which is not stored by AWS.
- Only an HMAC of the key is logged in AWS CloudTrail, which is insufficient for data recovery.
- The attacker sets a 7-day lifecycle policy to delete the files, increasing pressure on the victim.
Abusing SSE-C services with Ransomware
The threat actor is exploiting compromised AWS keys to manipulate cloud storage objects and encrypt S3 bucket data for ransom.
Engage Report: APT32 GitHub Poisoning Attack
- The attacker, suspected to be the OceanLotus group (APT32), created a GitHub account and disguised it as a security researcher from a leading Chinese FinTech company.
- The attacker forked various security tool projects on their homepage to reduce victims’ vigilance.
- The attacker published two malicious poisoning projects, containing plugins for the commonly used Chinese red team tool Cobalt Strike, with new exploit functions.
- The attacker embedded a malicious .suo file into a Visual Studio project.
- When the victim compiles the Visual Studio project, the Trojan executes automatically.
Hunting CryptoBot in the wild
Attackers are using spearphishing emails containing malicious links to deliver malware that uses Rundll32 and Mshta for defense evasion.
Suspected TTPs:
- Initial Access: Spearphishing Link
- Execution: Rundll32
- Defense Evasion: Mshta
Threat Hunting for Android MW – Gamaredon
Attackers are sending malicious links to mobile devices via SMS or social media posts. The links lead to the download of malicious apps that collect sensitive data.
Threat Hunt for DLL SideLoad
Attackers are using phishing emails to deliver malicious attachments that use DLL side-loading to execute malicious code.
Hunting 4 Two Way Phish
Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.
Suspected TTPs:
- Spearphishing Attachment [T1566.001]
- Exploit Public-Facing Application [T1190]
- Drive-by Compromise [T1189]
- Command and Control [T1071]
- Exfiltration [TA0010]
- Impact [TA0040]
Threat Hunting Scenario: Lazarus Group’s Evolved Infection Chain
Lazarus group actors are actively targeting specific industries with tailored spearphishing attacks, utilizing trojanized remote access tools and a complex infection chain involving multiple malware stages and C2 communication for persistent access and data exfiltration.