#CredentialTheft
osintelligence · 1 year
https://bit.ly/3qXad6I - Cybersecurity firm Bitdefender has conducted an extensive investigation into a targeted cyber attack against East-Asian infrastructure, uncovering the workings of a sophisticated, presumably custom malware dubbed the Logutil backdoor. This operation reportedly ran for over a year, aiming to compromise credentials and exfiltrate data. #Cybersecurity #Bitdefender #LogutilBackdoor

The operation, traced back to early 2022, leveraged multiple tools to achieve its nefarious ends, Logutil being the primary one. Notably, AsyncRat was used during the initial stages of infection. The investigation suggests that CobaltStrike was part of the attackers' arsenal too. The victim of this operation was a company operating in the Technology/IT Services industry in East Asia. #CyberAttack #AsyncRat #CobaltStrike

Modern cybercrime syndicates are increasingly leveraging legitimate components to perpetrate their attacks. For instance, DLL hijacking and misuse of legitimate scheduled tasks and services are commonly employed tactics. Notably, state-affiliated actors such as the APT29 group have used this strategy effectively, substituting a binary responsible for updating Adobe Reader with a malicious component, thus achieving persistence. #CybercrimeTactics #APT29 #AdobeReader

These stealthy tactics were evident in the recent incident as well. The perpetrators deployed malware in locations less likely to be suspected of hosting such threats and more likely to be excluded from the security systems' scrutiny. #MalwareDeployment #CybersecurityChallenge

In this attack, the actors demonstrated capabilities of collecting credentials from various applications including MobaXterm, mRemoteNG, KeePass, and even Chrome passwords and history. They also attempted data exfiltration from MySQL servers by accessing server process memory, and made attempts to dump LSASS memory. #DataExfiltration #CredentialTheft

The investigation also found that the attackers could infect other systems if an RDP session was established with the infected system, by placing malicious components in \\tsclient\c\ subfolders if the tsclient share was enabled. This highlights the extent of the attack's complexity and potential for propagation.
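The \\tsclient propagation path described in the post above, as an added detection example (not part of the post or of Bitdefender's report): it scans constructed, Sysmon-style FileCreate event lines for writes whose target path starts with \\tsclient\<drive>\, which means the RDP server session wrote onto a drive the connecting client redirected into the session, and rates writes that land in an autostart folder as high severity. The record format, the field names (EventID, Computer, Image, TargetFilename) and the autostart locations used for scoring are assumptions for this example.

```python
"""Detect file writes into an RDP client's redirected drive (\\tsclient\<drive>\...).

Added example for this page, not code from Bitdefender's report or the post.
Event lines are constructed, Sysmon-style 'Key=Value | Key=Value' records; the
field names and the autostart paths used for scoring are assumptions.
"""
import re
from dataclasses import dataclass

# A path starting with \\tsclient\<letter>\ is the server-side view of a drive
# the connecting RDP client redirected into the session.
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\(?P<drive>[a-z])\\(?P<rest>.*)$", re.IGNORECASE)

# Folders on the client's drive whose content runs at next logon (assumed
# illustration of where a dropped component would gain persistence).
AUTOSTART_RE = re.compile(
    r"(?:^|\\)users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
    r"|(?:^|\\)programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str        # RDP server on which the write happened
    image: str       # process that performed the write
    target: str      # full \\tsclient\... path
    drive: str       # redirected client drive letter
    autostart: bool  # True if the path lands in an autostart folder


def parse_event(line):
    """Split a 'Key=Value | Key=Value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect(lines):
    """Return one Finding per FileCreate (EventID 11) whose target is under \\tsclient\."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        target = ev.get("TargetFilename", "")
        m = TSCLIENT_RE.match(target)
        if not m:
            continue
        findings.append(Finding(
            host=ev.get("Computer", "?"),
            image=ev.get("Image", "?"),
            target=target,
            drive=m.group("drive").upper(),
            autostart=bool(AUTOSTART_RE.search(m.group("rest"))),
        ))
    return findings


def high_severity(findings):
    """Writes that cross the redirected drive and land in an autostart folder."""
    return [f for f in findings if f.autostart]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=11 | Computer=SRV-APP01 | Image=C:\\Windows\\System32\\svchost.exe"
    " | TargetFilename=\\\\tsclient\\C\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.exe",
    "EventID=11 | Computer=SRV-APP01 | Image=C:\\Windows\\explorer.exe"
    " | TargetFilename=\\\\tsclient\\D\\Exports\\report.csv",
    "EventID=11 | Computer=SRV-APP01 | Image=C:\\Windows\\System32\\svchost.exe"
    " | TargetFilename=C:\\Windows\\Temp\\cache.dat",
    "EventID=1 | Computer=SRV-APP01 | Image=C:\\Windows\\System32\\cmd.exe"
    " | CommandLine=cmd.exe /c dir \\\\tsclient\\C\\",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        level = "HIGH" if f.autostart else "INFO"
        print(f"[{level}] {f.host}: {f.image} wrote {f.target} (client drive {f.drive}:)")
```

The check is scoped to FileCreate events so that a mere listing of the share (the fourth sample line) is not flagged; a service-hosting process writing into the client's Startup folder from inside an RDP session is the pattern worth alerting on, while a user's explorer.exe saving a file onto a redirected drive is ordinary and stays at informational level.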
lomonpla · 5 years
RT @DimensionData: .@DigitalCreed quotes the Global Threat Intelligence Report, when it says that #credentialtheft is up with tech companies (36%), telcos (18%), and business and professional services (14%) significantly impacted. Read the full article on https://t.co/m9QZuDPCUV #GTIR2019
— Dimension Data (@DimensionData) May 30, 2019
via Twitter https://twitter.com/Lomonpla May 30, 2019 at 08:28AM
osintelligence · 1 year
https://bit.ly/3BsE6gV - In the first quarter of 2023, ransomware-as-a-service platforms such as Alphv, Lockbit, and Defray have been used to target VMware's ESXi, a popular virtualization and management system. ESXi does not support third-party antivirus software, making it an attractive target for adversaries. #Cybersecurity #Ransomware

ESXi is a Type-1 hypervisor developed by VMware and is used to run and manage virtual machines (VMs). Unlike Type-2 hypervisors that run on a standard host operating system, a Type-1 hypervisor runs directly on a host's hardware. ESXi systems are often managed by vCenter, a server administration tool. #VMware #ESXi

Despite the increasing threats to ESXi, VMware maintains that antivirus software is not required for the vSphere Hypervisor. A series of vulnerabilities have been exploited by threat actors, increasing the risk to ESXi systems. This lack of security measures is making ESXi an increasingly lucrative target for adversaries. #CyberThreats #InfoSec

The security issue is escalating. VMware products are being targeted due to their prevalence in the virtualization field and their integral role in many organizations' IT infrastructures. Threat actors are exploiting the lack of security tools, inadequate network segmentation, and in-the-wild (ITW) vulnerabilities to create a target-rich environment. #CyberCrime #DataProtection

Credential theft is a primary attack vector against ESXi hypervisors. Once credentials are stolen, adversaries can authenticate against the server to further their attack based on their objectives. If an attacker has sufficient privileges, they can execute arbitrary code directly on the latest ESXi versions. #CyberAttack #CredentialTheft

Virtual machine access is another method used to target ESXi. If a VM is not adequately segregated from the rest of the network, it can act as a proxy for lateral movement through the network. If the VM is the only entry point into a network, the attacker must directly target the ESXi hypervisor to run code at the hypervisor level. #VMwareSecurity #VirtualMachine

To mitigate these risks, VMware recommends avoiding direct access to ESXi hosts, using a hardened jump server with multi-factor authentication, ensuring vCenter is not exposed to the internet, backing up ESXi datastore volumes regularly, and physically disconnecting the storage or cutting power to the ESXi host if encryption is suspected. #CyberDefense #CyberHygiene

It's anticipated that adversaries will continue to target VMware-based virtualization infrastructure due to the increasing adoption of virtualization technology, VMware's dominance in the field, and the routine targeting of virtualization products. Regularly applying security updates and conducting security posture reviews are crucial measures for organizations to adopt.
osintelligence · 1 year
https://bit.ly/41Fkwsq - The Lancefly APT group is employing a custom-built backdoor, dubbed Merdoor, in its latest cyber-attacks targeting organizations in South and Southeast Asia. The group has been particularly active in sectors including government, aviation, education, and telecoms. This backdoor has been used sparingly and selectively, pointing to highly targeted attacks. #CyberSecurity #APT #Lancefly

The Merdoor backdoor, which has been in existence since 2018, is a powerful tool with functionalities such as installing itself as a service, keylogging, and communicating with its command-and-control (C&C) server through various methods. The backdoor is usually injected into the legitimate processes perfhost.exe or svchost.exe. #Merdoor #Backdoor #CyberAttack

The initial infection vector for these attacks remains unclear. There are suggestions that SSH brute forcing and exploitation of exposed public-facing servers could be the possible infection vectors, demonstrating Lancefly's adaptability in choosing infection vectors. #InfectionVector #CyberThreat

In their campaign, the attackers have used non-malware techniques for credential theft on victim machines, including PowerShell and a legitimate tool by Avast. They also used a masqueraded version of the legitimate archiving tool WinRAR for staging and encrypting files before exfiltration. #CredentialTheft #CyberDefense

Notable attack chain tools and TTPs used by Lancefly include Impacket Atexec, suspicious SMB activity, LSASS Dumper, NBTScan, and loaders like Blackloader and Prcloader. The attackers also employed the ZXShell rootkit, which continues to be actively developed. #AttackChain #CyberTools

While Lancefly uses tools associated with other APT groups like APT41 and APT17, the links between these groups are not definitive. The overlaps and shared tools may suggest some connections, but these are not strong enough to attribute this activity and the development of the Merdoor backdoor to a known attack group. #APTGroups #CyberIntelligence

This recent Lancefly activity is significant due to its use of the Merdoor backdoor and the highly targeted nature of these attacks. The tools used and sectors targeted indicate the attack campaign's motivation is intelligence gathering. The exposure of this activity may or may not lead to alterations in how the group carries out its activity.
osintelligence · 1 year
https://bit.ly/42qTAhN - Inside Mispadu massive infection campaign in LATAM

A recent infection attempt at a customer network was detected by Metabase Q Security Operations Center. The use of fake certificates to try to evade detection caught their attention. During the analysis of the artifacts provided by the SOC team, 20 different spam campaigns were identified targeting Chile, Mexico, Peru, and Portugal. The campaigns started around August 2022 and were still running at the time of this writing, early March 2023. Due to a misconfiguration made by the attackers, Ocelot was able to grab data from 8 out of the 20 Command and Control Servers (C2s) (most of them compromised websites), showing a shocking 90,518 credentials stolen coming from a total of 17,595 unique websites from all sectors! By looking at the techniques, tactics, and arsenal used during these campaigns, there is no doubt it is very similar to the Mispadu banking trojan but with new components not seen before.

From web search results: Mispadu (aka URSA) was first documented by ESET in November 2019. It targets Brazil and Mexico as well as other Latin American countries like Bolivia, Chile, and Peru. Its main goals are monetary and credential theft.