Blogs

Lazarus Group Updates Operation Dream Job Campaign
Summary
The North Korean threat actor Lazarus Group was observed shifting its focus and evolving its tools and tactics as part of the long-running Operation Dream Job campaign, a cluster also tracked under the monikers DeathNote and NukeSped. While the group is best known for targeting the cryptocurrency sector, recent attacks have targeted the medical, automotive, academic, energy, and defense sectors in Eastern Europe and other parts of the world.

Threat Research: Legion Hacking Tool
What is the Legion Hacking Tool?
Legion is a new Python-based credential harvester and Simple Mail Transfer Protocol (SMTP) hijacking tool built to abuse online email services for phishing and spam campaigns; it is advertised for sale on Telegram. The malware is primarily intended to scan for exposed environment-variable (.env) files of Laravel applications and parse the application secrets they contain, such as mail, database, and cloud API credentials.
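As an added illustration of what an exposed Laravel .env file gives a harvester of this kind, the following Python (written for this page, not Legion's code and not Critical Start's) parses a constructed .env file in the format Laravel ships, lists the keys whose values would be stolen, and checks whether the mail settings alone are enough to hijack the SMTP account. The sensitive-key pattern and every value in the sample are assumptions made for the example; the same parser can be pointed at a real .env file pulled from your own web root to audit what an attacker would have seen.

```python
import re
from typing import Dict

# Constructed sample of a Laravel .env file. All values are fake.
SAMPLE_ENV = """\
# Laravel application settings (constructed sample, not real credentials)
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmE=
APP_DEBUG=false
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=laravel
DB_PASSWORD="s3cret pass # not a comment"
export MAIL_MAILER=smtp
MAIL_HOST=smtp.example.invalid
MAIL_USERNAME=mailer@example.invalid
MAIL_PASSWORD='mail-secret'
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_AUTH_TOKEN=
"""

# Key suffixes that usually carry a usable secret. This is our own heuristic,
# not the list Legion uses.
SENSITIVE_SUFFIX = re.compile(r"(^|_)(KEY|PASSWORD|SECRET|TOKEN)$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv syntax: KEY=value, optional 'export ' prefix,
    '#' comments, and single- or double-quoted values that may contain '#'."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value[:1] in ('"', "'"):
            # Quoted value: take everything up to the matching closing quote.
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: whitespace followed by '#' starts a trailing comment.
            value = re.split(r"\s+#", value, maxsplit=1)[0].rstrip()
        env[key] = value
    return env


def find_secrets(env: Dict[str, str]) -> Dict[str, str]:
    """Return the key/value pairs a harvester would keep: sensitive-looking
    keys with a non-empty value."""
    return {k: v for k, v in env.items() if SENSITIVE_SUFFIX.search(k) and v}


def smtp_hijackable(env: Dict[str, str]) -> bool:
    """True when host, username and password are all present, i.e. the
    mail account can be used directly for spam without anything else."""
    return all(env.get(k) for k in ("MAIL_HOST", "MAIL_USERNAME", "MAIL_PASSWORD"))


def redact(value: str) -> str:
    """Show only a short prefix so findings can be reported without
    re-exposing the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


if __name__ == "__main__":
    parsed = parse_env(SAMPLE_ENV)
    for key, value in find_secrets(parsed).items():
        print(f"{key} = {redact(value)}")
    print("SMTP account usable for spam:", smtp_hijackable(parsed))
```

Running it on the sample reports APP_KEY, DB_PASSWORD, MAIL_PASSWORD and AWS_SECRET_ACCESS_KEY as exposed and confirms the SMTP account is directly usable; the empty TWILIO_AUTH_TOKEN is correctly ignored. Note that APP_KEY is itself a high-value secret: it is the key Laravel uses to encrypt cookies and session data.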

Cybercrime: The World’s 3rd Largest Economy
How Big is the Cybercrime Economy?
According to the World Economic Forum (WEF), cybercrime is now the world's third-largest economy, behind only the United States and China.

Threat Research: Multiple Chinese Threat Actors Using New Mélofée Malware
Summary
Mélofée, a new malware family, was recently discovered being used against Linux servers by Chinese state-sponsored groups, the Winnti Advanced Persistent Threat (APT) group and Earth Berberoka. Three different samples of the malware are in circulation. All three share a common code base and use shell commands to download the rootkit and the main implant from an attacker-controlled server.

The Top 10 MDR Capabilities your Provider Needs (and the Biggest Mistakes to Avoid)
Managed Detection and Response (MDR) services are gaining popularity as organizations seek more effective ways to identify and respond to security threats. With the increasing frequency and sophistication of cyberattacks, choosing the right MDR provider is crucial to reducing your risk exposure and protecting your critical assets.

The Rise of FusionCore: An Emerging European Cybercrime Group
FusionCore is a group that operates as both a malware developer and a threat actor, selling malware subscriptions as well as hacker-for-hire services. They specialize in a wide range of malware and use phishing as their primary vector for initial access.

New IcedID Variants Surface in the Wild
The threat actors behind the IcedID (a.k.a. BokBot) banking trojan are making strides to update and improve the malware. Analysis of several recent campaigns shows that new variants are shifting away from the original banking-fraud functionality to act as a loader for additional payloads, specifically ransomware. The developers have also removed unneeded functions, making IcedID leaner, stealthier, and better at evading detection.

Threat Research: Cl0p Ransomware Increases Activity
Summary
Cl0p ransomware, operated under a Ransomware-as-a-Service (RaaS) model, has targeted over 90 organizations worldwide, with more than 50 of these attacks occurring within the United States. In March 2023 alone, the Cl0p leak site listed 91 victims, an increase of over 65% over the total number of victims the site listed between August 2020 and February 2023. This sudden surge is assessed as likely associated with the group's exploitation of CVE-2023-0669, a zero-day vulnerability in Fortra's GoAnywhere MFT file-transfer product.

UNC4466 Exploits Multiple Vulnerabilities to Deliver ALPHV Ransomware
Summary
An emerging ALPHV (a.k.a. BlackCat, Noberus) affiliate, tracked as UNC4466, is exploiting CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in publicly exposed installations of Veritas Backup Exec. These vulnerabilities grant the threat actors initial access to victim environments. A recent internet scan revealed over 8,500 instances of Veritas Backup Exec currently exposed to the internet. It is unknown how many of these installations have been updated to Backup Exec version 21.2, which addresses the three vulnerabilities; exposed instances on earlier versions should be treated as at risk and checked for signs of compromise.

Tackling Cross-Domain Cyber Threats: Microsoft XDR & Critical Start MDR to the Rescue
Let's face it, in our ever-growing digital world, cybersecurity is a big deal. A multi-trillion-dollar big deal! Cybercriminals are getting craftier, using multi-stage attacks and cross-domain techniques that can make life difficult for security operations. To add to that, Security Operations Center (SOC) teams are often behind the 8-ball staff-wise, skillset-wise, tool-wise, or worse, all of the above.

Dark Power Ransomware: A Nim-Programmed Threat
Dark Power is a relatively new ransomware strain that launched in early February 2023. It is a rare breed of ransomware in that it is written in the Nim programming language, which few analysts and detection tools are tuned for. The ransomware targets Microsoft Windows platforms, and its impact is high: it encrypts files on the compromised machine and demands a ransom for the decryption key.