On March 31, 2026, the npm package Axios — downloaded over 100 million times per week — was compromised through a maintainer account hijack, silently deploying a cross-platform Remote Access Trojan across Windows, macOS, and Linux systems. Researchers attribute the attack with high confidence to BlueNoroff, the financially motivated subgroup of North Korea's state-sponsored Lazarus Group. Precisely planned and engineered to evade detection, this incident is a direct materialization of the software supply chain risk Critical Start identified as a top threat in our H2 2025 Cyber Threat Intelligence Report. This advisory breaks down the full attack chain, affected industries, and prioritized mitigation strategies to protect your organization.

This threat report details a coordinated phishing campaign that leverages HTML smuggling to bypass traditional security gateways and deliver malicious payloads directly to endpoints. By using a Phishing-as-a-Service (PhaaS) platform, attackers automated the creation of personalized HTML attachments with unique hashes to evade detection across multiple industries, most notably in manufacturing and finance. Once opened, these files execute JavaScript to reconstruct malware locally, leading to credential theft, keylogging, and lateral movement. To mitigate this risk, organizations should immediately enforce phishing-resistant MFA and implement gateway-level blocks on all inbound HTML and HTM file attachments.

Handala Hack Team: The New Face of Destructive Cyber Warfare — Associated with Iran’s Ministry of Intelligence, the Handala Hack Team has evolved into a major threat to U.S. enterprises. Their most alarming tactic confirmed in the March 2026 Stryker attack is the abuse of Microsoft Intune to issue mass-wipe commands that bypass traditional EDR and antivirus entirely. Any organization with Israeli business ties or U.S. Defense contracts is now at elevated risk as this group continues to weaponize cloud management tools for maximum destruction.

200,000 Devices Wiped: The Stryker Attack — On March 11, 2026, a Fortune 500 manufacturer suffered a massive destructive attack that bypassed traditional EDR and antivirus entirely. No malware was required; instead, the Handala Hack Team weaponized a compromised admin account to issue mass-wipe commands directly through Microsoft Intune. This event serves as a critical warning that standard defenses are no longer enough against identity-based cloud threats.

Critical Start’s Cyber Research Unit analyzed over 1,000 high-severity incidents from late 2025, revealing a 3.7% surge in critical alerts and a significant shift in industry targeting, with Manufacturing and Healthcare now facing the highest risk. The findings confirm that phishing has overtaken sophisticated exploits as the primary attack vector, signaling that modern threats are increasingly driven by identity abuse and user interaction rather than technical vulnerabilities.

Iranian state-sponsored cyber activity is escalating following rising geopolitical tensions. Organizations in critical sectors should assume heightened risk, including reconnaissance, DDoS activity, and intrusion pre-positioning. Our Cyber Research Unit is actively tracking developments in real time and analyzing emerging threat patterns. A validated intelligence report will be released later this week. 

AI has shifted from a productivity tool into an operational advantage for attackers, accelerating reconnaissance, command execution, and large-scale user compromise. Recent cyberattacks show adversaries exploiting GenAI to bypass static detection, adapt to diverse mobile device environments, and weaponize AI branding to compromise over 260,000 users.

Iranian cyber threat actors are conducting targeted campaigns against U.S. financial institutions. These attacks leverage phishing, credential abuse, and persistence techniques to gain access and evade defenses. Once inside, adversaries exfiltrate sensitive data and enable ransomware activity, exposing critical gaps in enterprise security.

Cyber threat actors exploit geo-political events to target organizations and increase the credibility of social engineering campaigns. Politically - themed emails, impersonation of trusted entities, and fraudulent communications deliver credential-harvesting links, malware-laden documents, or requests that authorize access within enterprise environments. 

Phishing attacks have evolved into multi-layered campaigns that exploit user trust through fake CAPTCHA pages and internally spoofed messages exploiting misconfigured email routing. These tactics manipulate victims into executing harmful commands or divulging credentials and multi-factor authentication codes, enabling attackers to harvest session tokens, deploy malware, and establish persistent footholds across both Windows and macOS environments. This emerging threat circumvents traditional security controls, raising the stakes for enterprise defenses.

Buy Now, Pay Later (BNPL) services are projected to capture 15% of holiday sales in 2025, but they come with a hidden cost: fraud rates up to six times higher than traditional payments. In Part 1 of our Holiday Threat Season series, we expose the criminal marketplace driving this $5 billion problem.

Advanced campaigns (GhostCall/GhostHire) are leveraging fake Zoom calls and malicious coding assignments to target tech executives and Web3 users on Windows and macOS. Separately, a large-scale phishing campaign known as "Beamglea" is abusing 175 malicious npm packages as CDN hosts to deliver Microsoft OAuth credential-harvesting pages.

Federal agencies confirmed active exploitation of a high-severity Windows SMB client vulnerability (CVE-2025-33073) that allows privilege escalation and lateral movement. Separately, Logitech confirmed a data theft incident linked to the Oracle E-Business Suite zero-day , with Cl0p claiming responsibility for leaking nearly 1.8 TB of data.

Microsoft's Digital Crimes Unit seized 338 domains to disrupt the Raccoon0365 phishing-as-a-service ecosystem, which facilitated the theft of over 5,000 Microsoft 365 credentials. In parallel, a new ransomware group known as Kawa4096 is rapidly expanding, employing a retro console-style interface and double-extortion tactics to target finance and education sectors in the US and Japan.

While your security team operates with reduced staff, attackers ramp up their campaigns. This five-part CTI series breaks down the threats that define the holiday season — from ransomware to targeted phishing — and provides the actionable intelligence you need to secure your organization through the end of the year.

Researchers uncovered a massive supply-chain compromise affecting 18 popular JavaScript packages like 'chalk' and 'debug,' which see a combined two billion weekly downloads. The malicious code hijacks cryptocurrency wallets by intercepting browser APIs. Separately, a significant data leak allegedly from Chinese cybersecurity firm Knownsec exposed over 12,000 internal files, potentially revealing state-linked tools and global infrastructure targets.

Researchers identified four malicious npm packages impersonating Flashbots and crypto utilities to harvest Web3 wallet credentials, private keys, and mnemonic seeds. Separately, CISA is warning of two CVSS 10.0 vulnerabilities in Red Lion industrial RTUs that allow unauthenticated remote code execution.

A new AI-enabled security framework, Hexstrike-AI, was rapidly weaponized by cybercriminals to autonomously exploit Citrix NetScaler zero-day vulnerabilities. In parallel, a new Python-based infostealer called RedTiger is targeting French-speaking gamers on Discord, modifying the app's internal code to maintain persistence even after password resets

A China-linked phishing operation attributed to APT41 impersonated U.S. Representative John Moolenaar to target government entities with a new Python loader. In parallel, Juniper Networks issued extensive patches addressing nearly 220 vulnerabilities, including nine critical issues such as a CVSS 9.0 XSS flaw in Junos Space.

North Korea-aligned groups Kimsuky and Lazarus are actively deploying new, heavily obfuscated variants of HttpTroy and BLINDINGCAN in espionage campaigns. In a separate supply-chain attack, malicious npm packages were found using Ethereum smart contracts as a hidden C2 infrastructure to deliver malware.

A China-linked espionage group (UNC6384) has been exploiting a Windows LNK zero-day since September to target European diplomatic entities, using it to deploy the PlugX backdoor. In a separate supply-chain compromise, leaked secrets in the Visual Studio Code and Open VSX ecosystems enabled the "GlassWorm" campaign to publish malicious extensions and steal developer credentials.

Researchers detailed how China-based actors exploited a critical SharePoint zero-day (CVE-2025-53770) to deploy multiple backdoors in a widespread espionage campaign. In a separate development, Canada's national cyber agency is warning that hacktivists have begun tampering with exposed industrial control systems, citing incidents where they altered water pressure and manipulated tank gauges.

Go inside a multi-stage credential attack targeting healthcare. Part 3 of our CTI series breaks down real incidents, showing how attackers used SPN reconnaissance, LSASS theft, Living-off-the-Land Binaries (LoTL), and PetitPotam, and how they were stopped.

The Qilin ransomware group is deploying Linux binaries on Windows systems to target VMware ESXi and Nutanix AHV environments. Meanwhile, a massive global smishing campaign attributed to the China-linked Smishing Triad is active across 121 countries, leveraging a Phishing-as-a-Service ecosystem and fast-flux domains.

Unity Technologies patched a high-severity vulnerability (CVE-2025-59489, CVSS 8.4) in its game engine that could allow local code execution and privilege escalation across all major platforms. Separately, APT28 is abusing Signal Desktop’s lack of “Mark of the Web” tagging to target Ukrainian military personnel.

Espionage group Transparent Tribe (APT36) is targeting Indian government organizations using the BOSS Linux distribution via a new RAT , while SideWinder hits diplomatic targets across South Asia. Separately, Toys "R" Us Canada and Sotheby's have disclosed data breaches affecting customer and employee information, respectively.

Credential attack tactics shifted dramatically in 2025. Our CTI team's analysis reveals a massive summer spike, a 226% surge targeting the Education sector, and the rise of password spraying as the dominant method. Get the data driving these critical trends.

Espionage group Mustang Panda deployed a new USB worm, SnakeDisk, against targets in Thailand amid regional tensions1. Meanwhile, a global campaign is abusing a flaw in Microsoft's signed WatchDog driver to bypass endpoint defenses and install ValleyRAT2.

Attackers no longer need to break in; they can simply log in. Our CTI team's new four-part series kicks off with a deep dive into the methods, motivations, and business implications of credential access attacks, from password spraying to credential stuffing.

A new RowHammer variant dubbed Phoenix (CVE-2025-6202) bypasses DDR5 mitigations, achieving root access in under two minutes on affected hardware. Separately, CISA confirmed the Oracle E-Business Suite zero-day (CVE-2025-61884) is actively exploited by Cl0p and mandated federal patching by November 10.

In a rare instance of direct targeting, Chinese APT group Jewelbug was observed targeting a Russian IT service provider in a potential supply chain attack. Separately, F5 has disclosed a nation-state breach of its BIG-IP development environment, where attackers exfiltrated source code and details of undisclosed vulnerabilities.

Phishing remains the number one entry point for most cyberattacks, preying on human psychology rather than technical flaws. Our latest threat report shows that threat actors are strategically targeting industries like Banking & Finance (17%) and Manufacturing (13%) during peak business hours to maximize their success rate.

An Oracle E-Business Suite zero-day (CVE-2025-61882), exploited since July in an extortion campaign with links to Cl0p, has been patched. Separately, CISA added a critical Sudo privilege escalation vulnerability (CVE-2025-32463) to its Known Exploited Vulnerabilities catalog.

CISA issued an emergency directive after a China-linked group was found exploiting three Cisco firewall zero-days to deploy malware. In a separate action, U.S. and French law enforcement seized the clearnet domain of the BreachForums extortion site.

As identity becomes the new perimeter, understanding how adversaries steal and weaponize credentials is more critical than ever. This four-part series from our Cyber Threat Intelligence team dissects the complete credential access attack lifecycle, from motivations to mitigation.

The threat of macOS infostealers is rapidly maturing, with Malware-as-a-Service offerings now common on underground markets. Separately, a critical flaw in OnePlus OxygenOS (CVE-2025-10184) allows apps to access sensitive SMS data and OTPs without requiring user permissions.

Cisco has confirmed active exploitation of a critical stack overflow flaw (CVE-2025-20352) in the SNMP subsystem of its IOS and IOS XE software. Separately, a new campaign is using thousands of Facebook ads to distribute hybrid malware that steals from cryptocurrency wallets.

A new zero-click "ShadowLeak" attack uses hidden prompts in emails to make ChatGPT's Deep Research agent exfiltrate user data. Separately, attackers physically installed Raspberry Pi devices in ATM networks to create covert tunnels for large-scale fraud.

LockBit 5.0 has emerged with enhanced obfuscation and a destructive variant that targets VMware ESXi infrastructure. Separately, WatchGuard has disclosed a critical remote code execution vulnerability (CVE-2025-9242) in its Firebox firewalls and is urging immediate patching.

A new class of malware is using LLMs like GPT-4 to generate malicious logic at runtime. Separately, CISA has confirmed active exploitation of a critical RCE flaw in the DELMIA Apriso manufacturing platform and is urging immediate patching.

Researchers have documented the first cases of collaboration between the Russian-aligned espionage groups Gamaredon and Turla in Ukraine, with one providing initial access for the other. Separately, Apple has released backported security updates for older iPhones and iPads to patch an actively exploited zero-day (CVE-2025-43300).

Samsung has patched a critical zero-day (CVE-2025-21043) in its proprietary image library that was actively exploited in the wild for remote code execution. Separately, a new "GPUGate" malware campaign activates its payload only on systems with a GPU to bypass sandbox defenses

A new Hook Android trojan variant now incorporates ransomware-style overlays and advanced screen-streaming for real-time fraud. Separately, SAP has released patches for multiple critical vulnerabilities, including a CVSS 10.0 flaw enabling unauthenticated remote code execution.

The North Korea-linked Kimsuky group is now using generative AI and deepfakes to forge convincing documents for spear-phishing campaigns. Separately, Adobe has patched a critical flaw in its Commerce and Magento platforms that could allow for customer account takeovers.

A hacktivist group leaked nearly 600 GB of source code and internal data from China's Great Firewall, revealing domestic censorship and surveillance export operations. Coinciding with this, Microsoft's Patch Tuesday addresses 80 flaws, including two zero-days and a critical, wormable RCE in its HPC Pack2.

US authorities have attributed a phishing campaign impersonating a US Congressman to China's APT41. Separately, a critical vulnerability in SAP S/4HANA is being actively exploited, allowing attackers with low-privileged accounts to achieve full administrative takeover.

A Lazarus subgroup is targeting crypto firms with a sequence of custom RATs delivered through social engineering. Separately, a novel phishing campaign uses QR codes in PDF attachments to bypass email security and steal Microsoft 365 credentials and MFA tokens.

Cyber threat intelligence reveals a significant rise in the frequency and sophistication of Adversary-in-the-Middle (AitM) attacks. Unlike traditional phishing that simply harvests credentials, AitM campaigns use reverse-proxy infrastructure to intercept the entire authentication process, including MFA challenges and session cookies.

A massive supply chain attack attributed to UNC6395 began with a GitHub compromise and led to OAuth token theft. The attackers bypassed MFA to exfiltrate CRM data and embedded credentials from over 700 Salesforce and Google Workspace instances.

Russia-linked APT28 is weaponizing Microsoft Outlook as a C2 backdoor using its new GONEPOSTAL tool1. Meanwhile, CISA issued an emergency directive requiring agencies to patch a critical Sitecore vulnerability that is currently under active exploitation in the wild2.

A new ransomware group, LunaLock, is threatening to submit stolen artwork to AI companies for training data. In a separate campaign, attackers are exploiting Microsoft ADFS redirects in a novel phishing technique called "ADFSjacking" to bypass URL filtering.

A malicious pull request compromised the popular ETHcode VS Code extension, automatically updating nearly 6,000 installs with a hidden payload. Separately, Zscaler confirmed a data breach resulting from the ongoing Drift-Salesforce supply chain incident, exposing customer data.

China-linked MURKY PANDA is exploiting cloud provider relationships to compromise downstream victims and access customer emails. Meanwhile, a new ransomware-as-a-service group named Desolator has launched, offering affiliates up to 90% payouts and comprehensive operational support.

Russian and Chinese state actors are actively exploiting a 2018 Cisco vulnerability for network access. Separately, attackers compromised 700 Salesforce instances via a third-party integration, while a critical new exploit chain targeting SAP NetWeaver is being used in the wild.

A recent analysis of leaked DPRK data revealed new IOCs and TTPs, while the Androxghost botnet has evolved to exploit over 20 vulnerabilities. In addition, Colt Technology Services confirmed a ransomware incident, and Trend Micro disclosed two critical zero-day vulnerabilities.

New SEC regulations demand timely reporting of cyber incidents, seeking to enhance investor confidence. Organizations must proactively strengthen defenses and ensure compliance to mitigate risks from sophisticated attacks.

Cybercriminals increasingly target business communication platforms like email and chat apps, attracted by sensitive data and infrastructure vulnerabilities. Organizations must prioritize security to safeguard information.

The exploitation of an Okta breach to infiltrate Cloudflare’s systems exposes sobering supply chain vulnerabilities. Though customer data was spared, the attackers accessed internal tools and source code by compromising a critical supplier. This resource examines crucial security takeaways regarding network segmentation, least privilege protections, and enhanced monitoring to safeguard against adjacent supplier risk.

DDoS attacks skyrocketed 31% in early 2023, inundating 44,000 servers daily. This report explores the perfect storm fueling the alarming rise of DDoS assaults capable of crippling infrastructure and causing extensive damage. It spotlights essential security measures every organization must have in place to weather the surging digital deluge.

Compromised login credentials played a role in 28% of cyber intrusions in 2023, yet authentication methods have vastly evolved over time. This report explores the historical development of authentication and the growing reliance of threat actors on stolen passwords. It examines emerging techniques like biometrics and passkeys that could reshape authentication’s future, providing organizations with robust defenses against attacks exploiting credentials.

Cyberattacks on file transfer services surged 48% in 2023, posing grave financial, reputational, and privacy risks. Prominent incidents like the Clop ransomware attack demonstrate how threat actors strategically exploit vulnerabilities in widely used file sharing conduits to infiltrate networks. This report contains insights on the grCyberattacks on file transfer services surged 48% in 2023, posing grave financial, reputational, and privacy risks. Prominent incidents like the Clop ransomware attack demonstrate how threat actors strategically exploit vulnerabilities in widely used file sharing conduits to infiltrate networks. This report contains insights on the growing dangers and how to safeguard your organization.owing dangers and how to safeguard your organization.

Security risks have surged with the integration of APIs in modern software development, making proactive defense strategies crucial. This situation calls for advanced measures to counteract sophisticated API attacks, which are essential for maintaining operational integrity and protecting against reputational harm.

Paying ransoms empowers cybercriminals to escalate attacks globally. Experts urge organizations to unite across sectors, implement robust defenses, report all incidents, and share intelligence to dismantle the ransomware infrastructure.

While memory-safe languages like Rust offer security benefits, they also attract cybercriminals. The growing Rust community and resources potentially make it easier for attackers to develop sophisticated, hard-to-detect malware.

The shared responsibility model and remote data storage in cloud computing create security gaps. Misconfigurations and innovative hacker tactics leave data vulnerable, demanding proactive, compliant defense strategies from organizations.

Browser-based phishing attacks rose 198% in the second half of 2023, with evasive techniques now accounting for 30% of attempts. Adapting defenses is crucial to counter these evolving threats.

As the world gears up for a pivotal year of elections in 2024, an unprecedented surge in malicious cyber activity threatens the integrity of democratic processes. With cyberattacks targeting elections skyrocketing from 10% in 2015 to a staggering 26% in 2022, nation-states are increasingly seeking to influence outcomes, particularly in NATO and OECD countries. This report delves into the alarming 100% rise in malicious activity observed between 2023 and early 2024, underlining the urgent need for robust cybersecurity measures to safeguard the sanctity of elections worldwide.

State-sponsored hackers are exploiting AI tools like OpenAI for attacks. Defenses currently lag in countering these AI advancements, signaling an urgent need for innovation.

Recently discovered Critical ScreenConnect vulnerabilities are being exploited by threat actors. Urgent patching is advised to mitigate ransomware, data theft, and persistent access risks.

The Akira ransomware is exploiting a high-severity vulnerability in Cisco ASA/FTD software. The flaw enables access for gathering sensitive data, underscoring the need for strong vulnerability management.

A highly sophisticated phishing campaign, observed since September 2023, has elevated its threat level by incorporating the PikaBot malware alongside DarkGate, becoming one of the most advanced campaigns since the dismantling of the Qakbot (Qbot) operation.

The conflict between Israel and Palestine has resulted in cyberattacks by politically motivated hackers, commonly known as hacktivists, that have wide-ranging effects, impacting various industries. It is crucial for organizations to maintain a high threat level, as more hacking groups are likely to join the Israel-Hamas conflict.

Cybercriminals are leveraging artificial intelligence  to craft sophisticated email threats, signifying a notable shift in the role of AI in email security.

Federal authorities have issued a warning to the healthcare sector regarding the emerging threat posed by the Akira ransomware-as-a-service group.

The FBI is warning organizations of an increase in scammers pretending to be recovery companies. Cyber recovery scams, also known as data recovery scams, play on the vulnerabilities and emotions of individuals who have experienced data loss or other digital disasters.

Since May 2023, a large phishing campaign is utilizing Quick Response (QR) codes in an attempt to collect Microsoft credentials from victims. The emails masquerade as a Microsoft security notification with a QR code embedded inside a PNG image or a PDF attachment.

As APIs become integral to modern software development, organizations must proactively address the evolving security risks they introduce. Implementing robust defense strategies and advanced measures is crucial to safeguard against sophisticated API attacks, maintain operational integrity, and protect against potential reputational harm.

As APIs become integral to modern software development, organizations must proactively address the evolving security risks they introduce. Implementing robust defense strategies and advanced measures is crucial to safeguard against sophisticated API attacks, maintain operational integrity, and protect against potential reputational harm.

With phishing attacks escalating in sophistication and frequency, staying ahead of these evolving threats is paramount. The anticipated rise in 2024 underscores the urgent need for enhanced security practices and awareness.

COM Hijacking has emerged as a prevalent and dangerous technique for malware persistence, exploiting legitimate Windows functionalities to evade detection. By manipulating the registry and leveraging trusted COM objects, attackers can stealthily execute malicious code without leaving suspicious file traces. This versatile method offers a wide attack surface, targeting diverse applications and data. As COM Hijacking techniques continuously evolve, businesses and security professionals must remain vigilant and implement robust mitigation strategies to combat this growing threat and safeguard their systems from compromise.

A devastating ransomware attack on a critical healthcare billing and payment system has exposed the sector’s vulnerability to cyber threats. The attack has caused widespread disruptions, financial strain, and potential data breaches, underscoring the urgent need for robust cybersecurity measures to protect patient data, ensure uninterrupted care, and safeguard the healthcare industry from the growing threat of cyberattacks.

APT29’s constantly evolving tactics and ability to exploit unanticipated vulnerabilities make them a formidable threat to organizations. Their adaptability allows them to infiltrate systems before detection, potentially causing widespread damage and data breaches, emphasizing the need for organizations to remain vigilant, update their defenses, and stay informed about APT29’s latest activities to maintain a robust security posture.

ShadowSyndicate is actively scanning the internet for servers running outdated versions of aiohttp, exploiting the publicly available CVE-2024-23334 proof-of-concept. By targeting sensitive files and gaining unauthorized access, they can potentially deploy ransomware payloads, highlighting the critical importance of timely patching and robust cybersecurity measures.

The DEEP#GOSU campaign showcases North Korean cyber actors’ sophisticated tactics, from targeted social engineering to multi-stage scripting. Organizations must prioritize robust cybersecurity to defend against evolving espionage and financial threats.

In early 2023, the threat actors behind the BumbleBee malware shifted to a new delivery method, opting to use malicious online ads to spread the downloader.

The Critical Start Cyber Threat Intelligence Team is aware of and monitoring a trend in malware being developed to specifically target Linux systems. Targeting of Linux systems has been relatively scarce and primitive in comparison to other proprietary operating systems.

A new, harder-to-detect variant of the Redline Stealer trojan has surfaced, disguising itself as a software installer and employing Lua bytecode to evade security software. Once installed, it steals user data and exploits Windows processes to maintain persistence on infected systems, underscoring the need for robust security measures.

The rapid rise of IoT devices is a double-edged sword. While it unlocks a wave of innovation across industries, it also introduces significant security risks. Transportation, for instance, grapples with hackable ELDs in trucks, potentially compromising data and even vehicle control (as evidenced by the March 2024 ELD vulnerabilities).

The promise of generative artificial intelligence (GenAI) is undeniable. From automating tasks and personalizing experiences to generating creative content, GenAI offers organizations a wealth of opportunities. However, this powerful technology comes with a hidden cost – a new wave of security challenges.

Palo Alto Networks is facing a serious security threat. A critical vulnerability (CVE-2024-3400) has been discovered in their PAN-OS firewall software that could allow attackers to seize complete control of your firewall. This vulnerability specifically targets PAN-OS versions 10.2, 11.0, and 11.1, but only if two specific features are enabled:

Python’s widespread adoption has created a double-edged sword for both developers and cybercriminals. On the one hand, its large user base presents a vast potential target pool for attackers. Even a minor infection rate can translate into a significant number of victims due to the sheer number of Python users worldwide.

eFile.com, an IRS approved software service, was recently found to be delivering JavaScript malware. The service was a conduit for the filing of more than 66 million tax returns in 2022. The malware was loaded on nearly every page of the website prompting users to click on the malicious file to download.

Chinese advanced persistent threat (APT) actor, Mustang Panda (a.k.a. Earth Preta, RedDelta or BRONZE PRESIDENT) is delivering lure archives via spear-phishing emails and Google Drive links.

Research has revealed that the Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities have a vulnerability in the WiFi protocols built–in power save mechanism that could allow an adversary to meddle with traffic, client connections, and more.

A critical flaw in MOVEit Transfer is under active exploitation, allowing attackers to bypass authentication. Immediate updates and security measures are essential to prevent severe consequences.

The Cloud Development Kit (CDK) attack poses significant threats to AWS CDK users through code injection, misconfigurations, and supply chain vulnerabilities. Implementing strict access controls and regular audits are crucial for defense.

The recent cyber-attack on MITRE, a leading cybersecurity organization, has sent tremors through the industry. This brazen breach shatters the illusion of invulnerability, emphasizing that even the most well-resourced organizations are not immune to determined attackers exploiting zero-day vulnerabilities, as seen with the Ivanti software in this case.

The recently discovered TunnelVision technique poses a significant risk to organizations and individuals relying on VPNs for secure remote access. By exploiting a vulnerability in the DHCP, attackers can manipulate routing tables and redirect VPN traffic through a server under their control, effectively bypassing encryption and exposing sensitive data.

The Federal Bureau of Investigation (FBI) released an advisory on cyber criminals tampering and switching legitimate QR codes. Since October 2022, the use of QR codes within phishing scams has risen.

A critical Cisco NX-OS vulnerability (CVE-2024-20399) is being exploited by the China-linked hacking group Velvet Ant, posing significant risks to organizations. This exploitation can lead to network disruption, data theft, and persistent access, particularly threatening sectors like government, finance, technology, and healthcare.

The Fourth of July weekend presents heightened cybersecurity risks for travelers, with public Wi-Fi snooping affecting 33% of surveyed respondents. Social media hacks, phishing scams, and identity theft also pose significant threats to holidaymakers.

Separately, Palo Alto Networks issued an informational security advisory discussing Rorschach ransomware operators using the Cortex XDR Dump Service Tool (cydump.exe) to load untrusted dynamic link libraries (DLLs) using DLL-sideloading. This is true only when the tool is removed from its installation directory; it is not possible to side-load DLLs when Cortex XDR agent is installed on Windows and is running from the installation path because Cortex XDR’s security permissions and protections prevent it. In the advisory, Palo Alto verified that Cortex XDR 7.7, and newer versions, with content update version 240 (released Nov 2021), and later content updates, detect and block the ransomware. New versions of Cortex XDR agent, capable of blocking the DLL side-loading technique, will be released next week to prevent future misuse of the software. Mac OS and Linux platforms are not affected by this issue. 

—

Security researchers have discovered a new ransomware strain, called Rorschach, with unique technical features. The malware is deployed using the dynamic link library (DLL) side-loading technique via a signed component in Cortex XDR, a threat detection and incident response tool from Palo Alto Networks.

In 2022, a spike in targeting third-party vendors almost doubled from 2021, with 63 attacks on vendors being reported and 298 victims. This trend of increasing attacks on third-party vendors has only continued in Q1 of 2023 as several third-party vendors have reported being attacked by malicious campaigns. There are several dangers when third-party vendors are attacked.

Business Email Compromise (BEC) attacks have become a major cybersecurity concern, with losses 80 times greater than ransomware. FBI reports show BEC incidents nearly doubled from 2019 to 2023, causing $12.5 billion in losses and posing a threat to global economies.

With ~40% of U.S. employees working remotely or in hybrid arrangements, organizations face increasing cybersecurity risks. While remote work offers numerous benefits, it also necessitates robust security measures to protect against threats targeting VPNs, mobile devices, and unprotected networks.

Two-step phishing attacks are on the rise as threat actors become more sophisticated in targeting potential victims and evading detection. These phishing attacks use legitimate vendors that the threat actor has previously compromised.

Educational institutions have become prime targets for cybercriminals, facing a 37% surge in ransomware attacks since 2023. With average recovery costs reaching $2.73 million per incident, 48% higher than the global average, the need for robust cybersecurity measures in education has never been more critical.

Microsoft disclosed a new zero-day vulnerability in Outlook identified as CVE-2023-23397. This flaw is an elevation-of-privilege (EoP) vulnerability that enables remote code execution capability as threat actors can steal NTLM credentials of Microsoft Outlook users.

Sharp Panda, (also known as APT19, Emissary Panda, or Iron Tiger) is a sophisticated Chinese Advanced Persistent Threat (APT) group. The group has been active since at least 2012 and is known for sharing tools and infrastructure with other Chinese APT groups.  

Public-facing applications have become a major vulnerability, with web app exploits leading to 30 catastrophic incidents and $5.7 billion in losses. As threat actors increasingly target these applications and associated cloud infrastructure, organizations must prioritize robust protection strategies.

Recently, several malware operators have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner. Cyber criminals have started new phishing campaigns delivering malicious OneNote attachments that deliver Formbook, Redline Stealer, AsyncRat or Qbot malware to unsuspecting victims.

Russian-based ransomware group LockBit continues to expand its arsenal with the addition of a new variant, LockBit Green. The acquisition of Green comes less than a year after the deployment of LockBit Black. Threat researchers at SentinelOne indicated a large portion of this variant overlaps with the Conti ransomware version whose source code was leaked last year. LockBit is expected to continue to dominate the ransomware arena as the operators make strides to increase its capabilities and versatility.

Adversary-in-the-middle (AiTM) phishing campaigns are a growing threat because they are highly effective and can bypass even the most advanced security measures. They are particularly dangerous when they target large organizations, which can have a significant impact on the organization’s operations and reputation. Phishing remains to be one of the most common techniques attackers use in their attempts to gain initial access to organizations. It remains important for organizations to be vigilant and aware of this type of attack and take steps to protect themselves.

Effective version currency management is crucial for mitigating cyber threats. By consistently updating systems and leveraging threat intelligence, organizations can better protect their assets from both known and emerging vulnerabilities.

In early June 2022, CISA published a Joint Cybersecurity Advisory (CSA) highlighting espionage activity related to Chinese state-sponsored advanced persistent threat (APT) groups targeting telecommunications companies. Furthermore, there has been an increase in open and closed-source identification and reporting of Chinese threat actor activities over the last month. Critical Start Cyber Threat Intelligence analysts will be monitoring this situation closely as it evolves.

Critical Start supports the CISA backed recommended actions listed below:

• Apply patches as soon as possible
• Disable unnecessary ports and protocols
• Replace end-of-life infrastructure
• Implement a centralized patch management system

The ransomware group formerly known as Conti is currently shut down.

The admin panel of the gang’s official website, Conti News, is shut down as is the negotiations service site. Meanwhile the rest of the infrastructure, to include chatrooms, messengers, servers, and proxy hosts are going through a massive reset. This was an intentional decision, months in the making, to attempt to shed some of the group’s toxic branding.

For over two months, the Conti collective silently created subdivisions that began operations before the start of the shutdown process. These subgroups either utilize existing Conti alter egos and locker malware or took the opportunity to create new ones. The group is adopting a network organizational structure, more horizontal and decentralized than the previously rigid Conti hierarchy.

The new network will include the following types of groups:

• Fully autonomous (Karakurt, BlackBasta, BlackByte)
• Semi-autonomous (AlphV/BlackCat, HIVE, HelloKitty/FiveHands, AvosLocker)
• Independent affiliates
• Mergers & acquisitions

This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than Ransomware-as-a-Service (RaaS).

The other major development for this new ransomware model is the transition from data encryption to data exfiltration. Relying on pure data exfiltration maintains most major benefits of a data encryption operation, while avoiding the issues of a locker altogether. Most likely, this will become the most important outcome of Conti’s re-brand.

Chinese cyber actors have intensified their operations, employing sophisticated tactics for espionage and disruption. Recent incidents, including the exploitation of vulnerabilities to deploy backdoors, highlight the growing threat landscape and the need for comprehensive defensive strategies.

The Critical Start CTI team observed a pattern of breaches over the last five weeks related to higher education being targeted by ransomware. Two out of the four southern schools, Florida International University and North Carolina A&T University, have been linked to BlackCat (a.k.a., ALPHV). No threat actors have claimed responsibility for the latest, Austin Peay State University, reported on by Critical Start CTI earlier this month, but the school is still investigating. Around the country there have been at least 13 reported attacks against U.S. universities and colleges in 2022 so far. These include Kellogg Community College, targeted last week, Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas and National University College, to name a few.  

About BlackCat 

BlackCat, (aka ALPHVM, ALPHV, and Noberus) is a newly emerged ransomware-as-a-Service (RaaS) group assessed to be a re-branding of BlackMatter and DarkSide groups. BlackCat ransomware emerged in November 2021 and is developed in Rust, a cross-compilation language allowing for rapid development of malware for Windows and Linux. The ransomware executable is highly customizable, with different encryption methods (AES, ChaCha20) and options allowing for attacks on a wide range of corporate environments. Common TTPs include the use of a signed binary proxy to download the ransomware, access token manipulation and UAC bypass for privilege escalation, deleting files and logs on host for defense evasion purposes, and the use of SMB and PsExec for lateral movement.  

We Recommended That You 

• Implement a user training program to raise awareness surrounding email phishing and social engineering techniques
• Limit and monitor usage of RDP and SMB, to include disabling SMB version 1
• Implement a timely patch management schedule
• Ensure Multi-Factor Authentication is in use for all VPN connections, webmail, and access to critical systems, and enforce strong password usage
• Continuously review third-party security postures

Rhysida, a new ransomware-as-a-service operation, targets critical infrastructure with double extortion tactics. Their recent attack on the Port of Seattle demonstrates the group’s growing threat to global operations and underscores the urgent need for enhanced cybersecurity measures.

BazarCall was used by Ryuk and Conti in 2020/2021 and has made a reappearance in March 2022 targeting several companies across multiple industries. Using the BazarCall Tactic, Conti creates a fake call center from which calls are made to potential victims convincing them to open malicious email attachments. These malicious attachments exploit Atera remote monitoring software, Cobalt Strike, and Sliver C2 Framework, then delivers BazarLoader.

It’s important to note that phone calls are made following extensive social engineering and reconnaissance activities. Previous breaches involving these tactics have provided evidence that call center personnel have convincing information regarding target company operations.

We recommend that you:

• Train users to identify social engineering techniques (vishing) and spearphishing emails
• Disable macro scripts from Microsoft Office files transmitted via email
• Enable strong Spam filters to prevent phishing emails from reaching end users
• Monitor for beaconing activity. BazarLoader requires consistent communication with C2 servers via Cobalt Strike, Sliver, or Atera

CTO Randy Watkins provides more information about the group behind the breach in this informal breakdown of what we know now. 

Listen to the Podcast >

March 23, 2022

Critical Start is monitoring the recent breach against Okta and the associated third-party
service providers that support Okta’s operations.

Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network. The company only acknowledged the compromise after the Lapsus$ hacking and extortion group posted screenshots on Monday, nearly two months after the hackers first gained access to its network.

Key points to know:

• The Okta service has not been breached and remains fully operational.
• There are no corrective actions that need to be taken by customers.
• Any Okta customer that could have potentially been impacted has already been identified and contacted directly by email.
• There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
• The security breach did not impact legacy Sitel Group systems or networks; only legacy Sykes’ network was affected.
• Lapsus$ has targeted several big-name companies in recent weeks, including Nvidia and Samsung. Microsoft also reported a possible associated security breach.

Critical Start always recommends customers enable MFA for all user accounts. Passwords alone do not
offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys,
as other methods of MFA can be vulnerable to phishing attacks.

Threat actors increasingly leverage legitimate system tools in malware-free Living Off the Land (LoTL) attacks to evade detection. Recent analysis reveals the critical importance of behavior analytics in identifying these sophisticated attacks that exploit common IT administration tools.

Advanced Persistent Threat groups are increasingly leveraging AI and Large Language Models to enhance their cyberattacks. This evolution in threat tactics enables more sophisticated phishing campaigns and automated attacks, presenting new challenges for cybersecurity professionals.

Social engineering attacks have evolved beyond traditional phishing to include sophisticated techniques like angler phishing on social media platforms. The integration of AI and automation has enabled cybercriminals to deploy more precise, large-scale attacks across multiple communication channels, highlighting the urgent need for enhanced security measures.

• Russian Cyber Attacks: Threat Actors and New Developments
  Russia’s attack on Ukraine has heightened concerns around cyber threats. We dive into likely threat actors and emerging attacks like Hermetic Malware and WhisperGate in more detail.

  Read More >

  ---

  Russian Focus Hides Iranian APT Activity 12:30pm CT

  CTI is also monitoring the situation unfolding in Iran and the implications of the Russia/Ukraine situation functioning as a distraction for other APT activity

  What we know now:

  • Threat actor is likely Muddy Water, a known APT group associated with Iran
  • Of the 23 malware samples analyzed by the FBI, 14 files were identified as variants of the POWGOOP malware family
  • 2 files were identified as JavaScript files that contain a PowerShell beacon
  • 1 file was identified as a Mori backdoor sample
  • 2 malicious Microsoft Excel spreadsheets were identified as Canopy malware (also known as Starwhale) that contained macros and two encoded Windows script files, which maintain persistence and collect and exfiltrate the victim’s system data to a command and control (C2).

  The following MITRE TTPs apply:

  • spearphishing
  • DLL side Loading
  • powershell
  • obfuscation
  • persistence
  • exfiltration

  Additional reading and resources:

  • IOCs can be downloaded here and here
  • CISA advisory can be found here.
  • Cyber command press release can be found here

   

  ---

  Hermetic Malware 10:45am CT

  We are analyzing Hermetic Malware samples. We know that the initial indicators of this sample began circulating on 2/23/22 by way of a signed driver that erases windows devices after deleting their shadow copies.

  We have several known IOCs which are being passed to our Detection Engineering team. 

  This appears to be a clear effort of destabilization via MDM strategy; Russia has a huge arsenal of cyber capabilities and we have a very consistent record of them targeting Ukraine in this way, thus Russia’s ability to take down critical infrastructure and control the Ukrainian narrative is not surprising.

  Often, these attacks and campaigns are attributed to a nonstate actors or individual cyber criminals but the nod from the Russian Federation and the contractive interactions between them and the organized hackers provides a smoke screen between the APT and Russian leadership.

• February 23, 2022

  Critical Start response to Risk of Cyber Attacks as Russia-Ukraine Crisis Escalates
  We have been continuously monitoring the escalating crisis between Russia and Ukraine and are taking steps to protect our customers from this evolving threat.

  Read More >

• January 28, 2022

  Assessing Recent Cyber Threats as Russia-Ukraine Crisis Escalates
  Researchers believe a Russian cyberattack is eminent. Not just on Ukraine, but on their NATO allies. Stay informed as we continue to help our customers maintain their defenses.

The holiday shopping season brings heightened cybersecurity risks, with cybercriminals exploiting online sales platforms through sophisticated fraud schemes. The FBI reported over 50,000 non-payment complaints in 2023, resulting in $309 million in losses, underscoring the critical need for robust multilayered security measures.