Intelligence Hub
Get information on recent vulnerabilities, malware and breaches being tracked by Critical Start’s Cyber Threat Intelligence (CTI), part of our Cyber Research Unit (CRU).
Get information on recent vulnerabilities, malware and breaches being tracked by Critical Start’s Cyber Threat Intelligence (CTI), part of our Cyber Research Unit (CRU).
Holiday E-commerce Cybersecurity Threats
November 27, 2024
Social Engineering Evolution 2024
October 21, 2024
AI-Powered Cyber Threats Rise
October 16, 2024
Living Off Land Attacks
October 15, 2024
Rhysida: Emerging Ransomware Threat
September 24, 2024
Chinese Cyber Threat Escalation
September 19, 2024
Proactive Vulnerability Management Trends
September 18, 2024
Public Apps: Prime Attack Targets
August 22, 2024
Education’s Cybersecurity Crisis Escalates
August 16, 2024
Remote Work: Security Challenges
August 13, 2024
BEC Attacks: Rising Global Threat
July 25, 2024
Wi-Fi Risks for Holiday Travelers
July 3, 2024
Cisco Vulnerability Exposes Networks
July 2, 2024
MOVEit Vulnerability Alert
June 26, 2024
CDK Attack Overview
June 21, 2024
MITRE Breach: A Reminder of Evolving Cyber Threats
May 10, 2024
TunnelVision: The Looming Threat to VPN Security
May 8, 2024
Redline Stealer: The Evolving Threat of Information Theft
May 7, 2024
Top Industries Battling IoT Security Vulnerabilities
April 18, 2024
The Double-Edged Sword of GenAI: Unlocking Potential While Mitigating Risks
April 17, 2024
Why Bots Are the Future of the Internet and How Businesses Need to Adapt
April 16, 2024
OS Command Injection Vulnerability in GlobalProtect Gateway
April 12, 2024
Python Coder Security is Critical for Modern Organizations
April 11, 2024
Phishing Threats Surge
April 4, 2024
The Rise of COM Hijacking
April 3, 2024
COM Hijacking has emerged as a prevalent and dangerous technique for malware persistence, exploiting legitimate Windows functionalities to evade detection. By manipulating the registry and leveraging trusted COM objects, attackers can stealthily execute malicious code without leaving suspicious file traces. This versatile method offers a wide attack surface, targeting diverse applications and data. As COM Hijacking techniques continuously evolve, businesses and security professionals must remain vigilant and implement robust mitigation strategies to combat this growing threat and safeguard their systems from compromise.
Healthcare Under Cyber Siege
March 27, 2024
A devastating ransomware attack on a critical healthcare billing and payment system has exposed the sector’s vulnerability to cyber threats. The attack has caused widespread disruptions, financial strain, and potential data breaches, underscoring the urgent need for robust cybersecurity measures to protect patient data, ensure uninterrupted care, and safeguard the healthcare industry from the growing threat of cyberattacks.
APT29: Evolving Threat Landscape
March 26, 2024
APT29’s constantly evolving tactics and ability to exploit unanticipated vulnerabilities make them a formidable threat to organizations. Their adaptability allows them to infiltrate systems before detection, potentially causing widespread damage and data breaches, emphasizing the need for organizations to remain vigilant, update their defenses, and stay informed about APT29’s latest activities to maintain a robust security posture.
ShadowSyndicate Exploits Vulnerable Servers
March 20, 2024
ShadowSyndicate is actively scanning the internet for servers running outdated versions of aiohttp, exploiting the publicly available CVE-2024-23334 proof-of-concept. By targeting sensitive files and gaining unauthorized access, they can potentially deploy ransomware payloads, highlighting the critical importance of timely patching and robust cybersecurity measures.
Navigating API Security Trends
March 20, 2024
As APIs become integral to modern software development, organizations must proactively address the evolving security risks they introduce. Implementing robust defense strategies and advanced measures is crucial to safeguard against sophisticated API attacks, maintain operational integrity, and protect against potential reputational harm.
North Korean Cyberattacks Evolve
March 19, 2024
The DEEP#GOSU campaign showcases North Korean cyber actors’ sophisticated tactics, from targeted social engineering to multi-stage scripting. Organizations must prioritize robust cybersecurity to defend against evolving espionage and financial threats.
Memory-Safe Languages Enable Malware
March 18, 2024
While memory-safe languages like Rust offer security benefits, they also attract cybercriminals. The growing Rust community and resources potentially make it easier for attackers to develop sophisticated, hard-to-detect malware.
Cloud Security Challenges Exposed
March 12, 2024
The shared responsibility model and remote data storage in cloud computing create security gaps. Misconfigurations and innovative hacker tactics leave data vulnerable, demanding proactive, compliant defense strategies from organizations.
Browser Phishing Attacks Surge
March 7, 2024
Browser-based phishing attacks rose 198% in the second half of 2023, with evasive techniques now accounting for 30% of attempts. Adapting defenses is crucial to counter these evolving threats.
Global Elections Under Siege: The Alarming Rise of Cyber Threats
March 5, 2024
As the world gears up for a pivotal year of elections in 2024, an unprecedented surge in malicious cyber activity threatens the integrity of democratic processes. With cyberattacks targeting elections skyrocketing from 10% in 2015 to a staggering 26% in 2022, nation-states are increasingly seeking to influence outcomes, particularly in NATO and OECD countries. This report delves into the alarming 100% rise in malicious activity observed between 2023 and early 2024, underlining the urgent need for robust cybersecurity measures to safeguard the sanctity of elections worldwide.
ScreenConnect Vulns Active Threats
February 27, 2024
Recently discovered Critical ScreenConnect vulnerabilities are being exploited by threat actors. Urgent patching is advised to mitigate ransomware, data theft, and persistent access risks.
AI Powers Cybercrime Growth
February 27, 2024
State-sponsored hackers are exploiting AI tools like OpenAI for attacks. Defenses currently lag in countering these AI advancements, signaling an urgent need for innovation.
Akira Ransomware Cisco Risk
February 23, 2024
The Akira ransomware is exploiting a high-severity vulnerability in Cisco ASA/FTD software. The flaw enables access for gathering sensitive data, underscoring the need for strong vulnerability management.
SEC Regulations Impact Cyber Incidents
February 22, 2024
New SEC regulations demand timely reporting of cyber incidents, seeking to enhance investor confidence. Organizations must proactively strengthen defenses and ensure compliance to mitigate risks from sophisticated attacks.
Education Sector Cyber Risks Rise
February 14, 2024
The education sector contains valuable sensitive data that makes it an attractive target for cybercriminals seeking financial gain or strategic advantage, and as educational institutions digitize teaching and operations, their attack surface and vulnerability expands, necessitating vigilant cybersecurity measures.
Rising Business Communication Risk
February 14, 2024
Cybercriminals increasingly target business communication platforms like email and chat apps, attracted by sensitive data and infrastructure vulnerabilities. Organizations must prioritize security to safeguard information.
Outmaneuvering a Shape-Shifting Threat
February 8, 2024
The ingenious BianLian ransomware distinguishes itself through perpetual adaptation across platforms, strategic targeting, and technical sophistication. By examining this formidable threat that evolves from Android banking trojan to ransomware, this resource equips organizations with insights on shoring up defenses, enhancing detection, and thwarting the attacks of this metamorphic foe.
Combating Third Party Breach Contagion
February 5, 2024
The exploitation of an Okta breach to infiltrate Cloudflare’s systems exposes sobering supply chain vulnerabilities. Though customer data was spared, the attackers accessed internal tools and source code by compromising a critical supplier. This resource examines crucial security takeaways regarding network segmentation, least privilege protections, and enhanced monitoring to safeguard against adjacent supplier risk.
The Inside Job – Thwarting Cyber’s Greatest Threat
February 1, 2024
Insider threats surged an astounding 76% in 2023, yet only 30% of companies feel ready to handle them and 21% have comprehensive programs. This alarming gap reveals organizational vulnerability to internal breach, IP theft, and sabotage. By detailing a proactive framework across detection, access controls, and culture shifts, this report provides a blueprint for mitigating escalating insider threat risk.
The Surging Storm of DDoS
January 30, 2024
DDoS attacks skyrocketed 31% in early 2023, inundating 44,000 servers daily. This report explores the perfect storm fueling the alarming rise of DDoS assaults capable of crippling infrastructure and causing extensive damage. It spotlights essential security measures every organization must have in place to weather the surging digital deluge.
Progress in Authentication Methods
January 25, 2024
Compromised login credentials played a role in 28% of cyber intrusions in 2023, yet authentication methods have vastly evolved over time. This report explores the historical development of authentication and the growing reliance of threat actors on stolen passwords. It examines emerging techniques like biometrics and passkeys that could reshape authentication’s future, providing organizations with robust defenses against attacks exploiting credentials.
File Transfer Under Threat
January 24, 2024
Cyberattacks on file transfer services surged 48% in 2023, posing grave financial, reputational, and privacy risks. Prominent incidents like the Clop ransomware attack demonstrate how threat actors strategically exploit vulnerabilities in widely used file sharing conduits to infiltrate networks. This report contains insights on the growing dangers and how to safeguard your organization.
Top API Security Trends
January 23, 2024
Security risks have surged with the integration of APIs in modern software development, making proactive defense strategies crucial. This situation calls for advanced measures to counteract sophisticated API attacks, which are essential for maintaining operational integrity and protecting against reputational harm.
Ransomware Defense United
January 18, 2024
Paying ransoms empowers cybercriminals to escalate attacks globally. Experts urge organizations to unite across sectors, implement robust defenses, report all incidents, and share intelligence to dismantle the ransomware infrastructure.
DarkGate and PikaBot Threat Surge
November 28, 2023
A highly sophisticated phishing campaign, observed since September 2023, has elevated its threat level by incorporating the PikaBot malware alongside DarkGate, becoming one of the most advanced campaigns since the dismantling of the Qakbot (Qbot) operation.
Open Enrollment Phishing Campaign
November 15, 2023
During the open enrollment period, scammers use phishing techniques to steal personal information. The Federal Trade Commission warns against sharing personal information in response to unexpected contacts.
Israeli Conflict and Industries Impacted
October 19, 2023
The conflict between Israel and Palestine has resulted in cyberattacks by politically motivated hackers, commonly known as hacktivists, that have wide-ranging effects, impacting various industries. It is crucial for organizations to maintain a high threat level, as more hacking groups are likely to join the Israel-Hamas conflict.
FBI: Ransomware Gangs Employing New Tactics
October 9, 2023
The FBI has issued a warning about ransomware gangs adopting new tactics, including employing multiple ransomware strains in a single attack, and using destructive tools beyond encryption or theft.
AI Chatbot Vulnerabilities
September 20, 2023
Cybercriminals are leveraging artificial intelligence to craft sophisticated email threats, signifying a notable shift in the role of AI in email security.
Feds Warn Healthcare Sector
September 19, 2023
Federal authorities have issued a warning to the healthcare sector regarding the emerging threat posed by the Akira ransomware-as-a-service group.
FBI Warns About Recovery Scams
August 24, 2023
The FBI is warning organizations of an increase in scammers pretending to be recovery companies. Cyber recovery scams, also known as data recovery scams, play on the vulnerabilities and emotions of individuals who have experienced data loss or other digital disasters.
Malicious QR Codes Attacking the Energy Sector
August 23, 2023
Since May 2023, a large phishing campaign is utilizing Quick Response (QR) codes in an attempt to collect Microsoft credentials from victims. The emails masquerade as a Microsoft security notification with a QR code embedded inside a PNG image or a PDF attachment.
BumbleBee Downloader Now Being Distributed via Malicious Ads
May 5, 2023
In early 2023, the threat actors behind the BumbleBee malware shifted to a new delivery method, opting to use malicious online ads to spread the downloader.
Malware Targeting Linux Systems
April 20, 2023
The Critical Start Cyber Threat Intelligence Team is aware of and monitoring a trend in malware being developed to specifically target Linux systems. Targeting of Linux systems has been relatively scarce and primitive in comparison to other proprietary operating systems.
FBI Warns of Public Charging Station Vulnerabilities
April 19, 2023
The FBI recently released a warning to avoid free public charging stations as they are potentially being compromised by threat actors. Cyber criminals are using public charging stations to infect devices with malware or monitoring software that enables the threat actor to access your phone, tablet, or computer, also referred to as “Juice Jacking.”
New LockBit Ransomware Encryptor Targets macOS
April 18, 2023
Russian-based ransomware group LockBit continues to expand its arsenal with the addition of a new variant specifically targeting macOS. Cybersecurity researcher MalwareHunterTeam discovered a ZIP (.zip file) archive on VirusTotal containing various available LockBit encryptors.
Threat Actors Exploiting Tax Season
April 13, 2023
eFile.com, an IRS approved software service, was recently found to be delivering JavaScript malware. The service was a conduit for the filing of more than 66 million tax returns in 2022. The malware was loaded on nearly every page of the website prompting users to click on the malicious file to download.
Mustang Panda APT
April 12, 2023
Chinese advanced persistent threat (APT) actor, Mustang Panda (a.k.a. Earth Preta, RedDelta or BRONZE PRESIDENT) is delivering lure archives via spear-phishing emails and Google Drive links.
WiFi Protocol Vulnerability Exposing Network Traffic
April 11, 2023
Research has revealed that the Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities have a vulnerability in the WiFi protocols built–in power save mechanism that could allow an adversary to meddle with traffic, client connections, and more.
Threat Actors Experimenting with QR Codes
April 10, 2023
The Federal Bureau of Investigation (FBI) released an advisory on cyber criminals tampering and switching legitimate QR codes. Since October 2022, the use of QR codes within phishing scams has risen.
Rorschach Ransomware
April 6, 2023
UPDATE
Separately, Palo Alto Networks issued an informational security advisory discussing Rorschach ransomware operators using the Cortex XDR Dump Service Tool (cydump.exe) to load untrusted dynamic link libraries (DLLs) using DLL-sideloading. This is true only when the tool is removed from its installation directory; it is not possible to side-load DLLs when Cortex XDR agent is installed on Windows and is running from the installation path because Cortex XDR’s security permissions and protections prevent it. In the advisory, Palo Alto verified that Cortex XDR 7.7, and newer versions, with content update version 240 (released Nov 2021), and later content updates, detect and block the ransomware. New versions of Cortex XDR agent, capable of blocking the DLL side-loading technique, will be released next week to prevent future misuse of the software. Mac OS and Linux platforms are not affected by this issue.
—
Security researchers have discovered a new ransomware strain, called Rorschach, with unique technical features. The malware is deployed using the dynamic link library (DLL) side-loading technique via a signed component in Cortex XDR, a threat detection and incident response tool from Palo Alto Networks.
Third Party Vendor Risks and What you Should Know
March 22, 2023
In 2022, a spike in targeting third-party vendors almost doubled from 2021, with 63 attacks on vendors being reported and 298 victims. This trend of increasing attacks on third-party vendors has only continued in Q1 of 2023 as several third-party vendors have reported being attacked by malicious campaigns. There are several dangers when third-party vendors are attacked.
Two-Step Phishing Attacks
March 21, 2023
Two-step phishing attacks are on the rise as threat actors become more sophisticated in targeting potential victims and evading detection. These phishing attacks use legitimate vendors that the threat actor has previously compromised.
Microsoft Outlook Zero-Day Exploited in the Wild
March 21, 2023
Microsoft disclosed a new zero-day vulnerability in Outlook identified as CVE-2023-23397. This flaw is an elevation-of-privilege (EoP) vulnerability that enables remote code execution capability as threat actors can steal NTLM credentials of Microsoft Outlook users.
Emotet Returns After Three Months of Silence
March 17, 2023
After a brief hiatus, Emotet threat actors have re-commenced operations as of early March 2023. Originally tracked as a banking trojan, Emotet has evolved into a multi-purpose dropper/downloader malware.
Sharp Panda Utilizes New Version of the Soul Framework
March 8, 2023
Sharp Panda, (also known as APT19, Emissary Panda, or Iron Tiger) is a sophisticated Chinese Advanced Persistent Threat (APT) group. The group has been active since at least 2012 and is known for sharing tools and infrastructure with other Chinese APT groups.
Threat Actors Using Microsoft OneNote
February 13, 2023
Recently, several malware operators have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner. Cyber criminals have started new phishing campaigns delivering malicious OneNote attachments that deliver Formbook, Redline Stealer, AsyncRat or Qbot malware to unsuspecting victims.
Living Off Land Attacks
October 15, 2024
Rhysida: Emerging Ransomware Threat
September 24, 2024
Chinese Cyber Threat Escalation
September 19, 2024
Proactive Vulnerability Management Trends
September 18, 2024
Public Apps: Prime Attack Targets
August 22, 2024
Education’s Cybersecurity Crisis Escalates
August 16, 2024
Remote Work: Security Challenges
August 13, 2024
BEC Attacks: Rising Global Threat
July 25, 2024
Wi-Fi Risks for Holiday Travelers
July 3, 2024
Cisco Vulnerability Exposes Networks
July 2, 2024
MOVEit Vulnerability Alert
June 26, 2024
CDK Attack Overview
June 21, 2024
MITRE Breach: A Reminder of Evolving Cyber Threats
May 10, 2024
TunnelVision: The Looming Threat to VPN Security
May 8, 2024
Redline Stealer: The Evolving Threat of Information Theft
May 7, 2024
Top Industries Battling IoT Security Vulnerabilities
April 18, 2024
The Double-Edged Sword of GenAI: Unlocking Potential While Mitigating Risks
April 17, 2024
Why Bots Are the Future of the Internet and How Businesses Need to Adapt
April 16, 2024
OS Command Injection Vulnerability in GlobalProtect Gateway
April 12, 2024
Python Coder Security is Critical for Modern Organizations
April 11, 2024
Phishing Threats Surge
April 4, 2024
The Rise of COM Hijacking
April 3, 2024
COM Hijacking has emerged as a prevalent and dangerous technique for malware persistence, exploiting legitimate Windows functionalities to evade detection. By manipulating the registry and leveraging trusted COM objects, attackers can stealthily execute malicious code without leaving suspicious file traces. This versatile method offers a wide attack surface, targeting diverse applications and data. As COM Hijacking techniques continuously evolve, businesses and security professionals must remain vigilant and implement robust mitigation strategies to combat this growing threat and safeguard their systems from compromise.
Healthcare Under Cyber Siege
March 27, 2024
A devastating ransomware attack on a critical healthcare billing and payment system has exposed the sector’s vulnerability to cyber threats. The attack has caused widespread disruptions, financial strain, and potential data breaches, underscoring the urgent need for robust cybersecurity measures to protect patient data, ensure uninterrupted care, and safeguard the healthcare industry from the growing threat of cyberattacks.
APT29: Evolving Threat Landscape
March 26, 2024
APT29’s constantly evolving tactics and ability to exploit unanticipated vulnerabilities make them a formidable threat to organizations. Their adaptability allows them to infiltrate systems before detection, potentially causing widespread damage and data breaches, emphasizing the need for organizations to remain vigilant, update their defenses, and stay informed about APT29’s latest activities to maintain a robust security posture.
ShadowSyndicate Exploits Vulnerable Servers
March 20, 2024
ShadowSyndicate is actively scanning the internet for servers running outdated versions of aiohttp, exploiting the publicly available CVE-2024-23334 proof-of-concept. By targeting sensitive files and gaining unauthorized access, they can potentially deploy ransomware payloads, highlighting the critical importance of timely patching and robust cybersecurity measures.
Navigating API Security Trends
March 20, 2024
As APIs become integral to modern software development, organizations must proactively address the evolving security risks they introduce. Implementing robust defense strategies and advanced measures is crucial to safeguard against sophisticated API attacks, maintain operational integrity, and protect against potential reputational harm.
North Korean Cyberattacks Evolve
March 19, 2024
The DEEP#GOSU campaign showcases North Korean cyber actors’ sophisticated tactics, from targeted social engineering to multi-stage scripting. Organizations must prioritize robust cybersecurity to defend against evolving espionage and financial threats.
Memory-Safe Languages Enable Malware
March 18, 2024
While memory-safe languages like Rust offer security benefits, they also attract cybercriminals. The growing Rust community and resources potentially make it easier for attackers to develop sophisticated, hard-to-detect malware.
Cloud Security Challenges Exposed
March 12, 2024
The shared responsibility model and remote data storage in cloud computing create security gaps. Misconfigurations and innovative hacker tactics leave data vulnerable, demanding proactive, compliant defense strategies from organizations.
Browser Phishing Attacks Surge
March 7, 2024
Browser-based phishing attacks rose 198% in the second half of 2023, with evasive techniques now accounting for 30% of attempts. Adapting defenses is crucial to counter these evolving threats.
Global Elections Under Siege: The Alarming Rise of Cyber Threats
March 5, 2024
As the world gears up for a pivotal year of elections in 2024, an unprecedented surge in malicious cyber activity threatens the integrity of democratic processes. With cyberattacks targeting elections skyrocketing from 10% in 2015 to a staggering 26% in 2022, nation-states are increasingly seeking to influence outcomes, particularly in NATO and OECD countries. This report delves into the alarming 100% rise in malicious activity observed between 2023 and early 2024, underlining the urgent need for robust cybersecurity measures to safeguard the sanctity of elections worldwide.
ScreenConnect Vulns Active Threats
February 27, 2024
Recently discovered Critical ScreenConnect vulnerabilities are being exploited by threat actors. Urgent patching is advised to mitigate ransomware, data theft, and persistent access risks.
AI Powers Cybercrime Growth
February 27, 2024
State-sponsored hackers are exploiting AI tools like OpenAI for attacks. Defenses currently lag in countering these AI advancements, signaling an urgent need for innovation.
Akira Ransomware Cisco Risk
February 23, 2024
The Akira ransomware is exploiting a high-severity vulnerability in Cisco ASA/FTD software. The flaw enables access for gathering sensitive data, underscoring the need for strong vulnerability management.
SEC Regulations Impact Cyber Incidents
February 22, 2024
New SEC regulations demand timely reporting of cyber incidents, seeking to enhance investor confidence. Organizations must proactively strengthen defenses and ensure compliance to mitigate risks from sophisticated attacks.
Education Sector Cyber Risks Rise
February 14, 2024
The education sector contains valuable sensitive data that makes it an attractive target for cybercriminals seeking financial gain or strategic advantage, and as educational institutions digitize teaching and operations, their attack surface and vulnerability expands, necessitating vigilant cybersecurity measures.
Rising Business Communication Risk
February 14, 2024
Cybercriminals increasingly target business communication platforms like email and chat apps, attracted by sensitive data and infrastructure vulnerabilities. Organizations must prioritize security to safeguard information.
Outmaneuvering a Shape-Shifting Threat
February 8, 2024
The ingenious BianLian ransomware distinguishes itself through perpetual adaptation across platforms, strategic targeting, and technical sophistication. By examining this formidable threat that evolves from Android banking trojan to ransomware, this resource equips organizations with insights on shoring up defenses, enhancing detection, and thwarting the attacks of this metamorphic foe.
Combating Third Party Breach Contagion
February 5, 2024
The exploitation of an Okta breach to infiltrate Cloudflare’s systems exposes sobering supply chain vulnerabilities. Though customer data was spared, the attackers accessed internal tools and source code by compromising a critical supplier. This resource examines crucial security takeaways regarding network segmentation, least privilege protections, and enhanced monitoring to safeguard against adjacent supplier risk.
The Inside Job – Thwarting Cyber’s Greatest Threat
February 1, 2024
Insider threats surged an astounding 76% in 2023, yet only 30% of companies feel ready to handle them and 21% have comprehensive programs. This alarming gap reveals organizational vulnerability to internal breach, IP theft, and sabotage. By detailing a proactive framework across detection, access controls, and culture shifts, this report provides a blueprint for mitigating escalating insider threat risk.
The Surging Storm of DDoS
January 30, 2024
DDoS attacks skyrocketed 31% in early 2023, inundating 44,000 servers daily. This report explores the perfect storm fueling the alarming rise of DDoS assaults capable of crippling infrastructure and causing extensive damage. It spotlights essential security measures every organization must have in place to weather the surging digital deluge.
Progress in Authentication Methods
January 25, 2024
Compromised login credentials played a role in 28% of cyber intrusions in 2023, yet authentication methods have vastly evolved over time. This report explores the historical development of authentication and the growing reliance of threat actors on stolen passwords. It examines emerging techniques like biometrics and passkeys that could reshape authentication’s future, providing organizations with robust defenses against attacks exploiting credentials.
File Transfer Under Threat
January 24, 2024
Cyberattacks on file transfer services surged 48% in 2023, posing grave financial, reputational, and privacy risks. Prominent incidents like the Clop ransomware attack demonstrate how threat actors strategically exploit vulnerabilities in widely used file sharing conduits to infiltrate networks. This report contains insights on the growing dangers and how to safeguard your organization.
Top API Security Trends
January 23, 2024
Security risks have surged with the integration of APIs in modern software development, making proactive defense strategies crucial. This situation calls for advanced measures to counteract sophisticated API attacks, which are essential for maintaining operational integrity and protecting against reputational harm.
Ransomware Defense United
January 18, 2024
Paying ransoms empowers cybercriminals to escalate attacks globally. Experts urge organizations to unite across sectors, implement robust defenses, report all incidents, and share intelligence to dismantle the ransomware infrastructure.
DarkGate and PikaBot Threat Surge
November 28, 2023
A highly sophisticated phishing campaign, observed since September 2023, has elevated its threat level by incorporating the PikaBot malware alongside DarkGate, becoming one of the most advanced campaigns since the dismantling of the Qakbot (Qbot) operation.
Open Enrollment Phishing Campaign
November 15, 2023
During the open enrollment period, scammers use phishing techniques to steal personal information. The Federal Trade Commission warns against sharing personal information in response to unexpected contacts.
Israeli Conflict and Industries Impacted
October 19, 2023
The conflict between Israel and Palestine has resulted in cyberattacks by politically motivated hackers, commonly known as hacktivists, that have wide-ranging effects, impacting various industries. It is crucial for organizations to maintain a high threat level, as more hacking groups are likely to join the Israel-Hamas conflict.
FBI: Ransomware Gangs Employing New Tactics
October 9, 2023
The FBI has issued a warning about ransomware gangs adopting new tactics, including employing multiple ransomware strains in a single attack, and using destructive tools beyond encryption or theft.
AI Chatbot Vulnerabilities
September 20, 2023
Cybercriminals are leveraging artificial intelligence to craft sophisticated email threats, signifying a notable shift in the role of AI in email security.
Feds Warn Healthcare Sector
September 19, 2023
Federal authorities have issued a warning to the healthcare sector regarding the emerging threat posed by the Akira ransomware-as-a-service group.
FBI Warns About Recovery Scams
August 24, 2023
The FBI is warning organizations of an increase in scammers pretending to be recovery companies. Cyber recovery scams, also known as data recovery scams, play on the vulnerabilities and emotions of individuals who have experienced data loss or other digital disasters.
Malicious QR Codes Attacking the Energy Sector
August 23, 2023
Since May 2023, a large phishing campaign is utilizing Quick Response (QR) codes in an attempt to collect Microsoft credentials from victims. The emails masquerade as a Microsoft security notification with a QR code embedded inside a PNG image or a PDF attachment.
BumbleBee Downloader Now Being Distributed via Malicious Ads
May 5, 2023
In early 2023, the threat actors behind the BumbleBee malware shifted to a new delivery method, opting to use malicious online ads to spread the downloader.
Malware Targeting Linux Systems
April 20, 2023
The Critical Start Cyber Threat Intelligence Team is aware of and monitoring a trend in malware being developed to specifically target Linux systems. Targeting of Linux systems has been relatively scarce and primitive in comparison to other proprietary operating systems.
FBI Warns of Public Charging Station Vulnerabilities
April 19, 2023
The FBI recently released a warning to avoid free public charging stations as they are potentially being compromised by threat actors. Cyber criminals are using public charging stations to infect devices with malware or monitoring software that enables the threat actor to access your phone, tablet, or computer, also referred to as “Juice Jacking.”
New LockBit Ransomware Encryptor Targets macOS
April 18, 2023
Russian-based ransomware group LockBit continues to expand its arsenal with the addition of a new variant specifically targeting macOS. Cybersecurity researcher MalwareHunterTeam discovered a ZIP (.zip file) archive on VirusTotal containing various available LockBit encryptors.
Threat Actors Exploiting Tax Season
April 13, 2023
eFile.com, an IRS approved software service, was recently found to be delivering JavaScript malware. The service was a conduit for the filing of more than 66 million tax returns in 2022. The malware was loaded on nearly every page of the website prompting users to click on the malicious file to download.
Mustang Panda APT
April 12, 2023
Chinese advanced persistent threat (APT) actor, Mustang Panda (a.k.a. Earth Preta, RedDelta or BRONZE PRESIDENT) is delivering lure archives via spear-phishing emails and Google Drive links.
WiFi Protocol Vulnerability Exposing Network Traffic
April 11, 2023
Research has revealed that the Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities have a vulnerability in the WiFi protocols built–in power save mechanism that could allow an adversary to meddle with traffic, client connections, and more.
Threat Actors Experimenting with QR Codes
April 10, 2023
The Federal Bureau of Investigation (FBI) released an advisory on cyber criminals tampering and switching legitimate QR codes. Since October 2022, the use of QR codes within phishing scams has risen.
Rorschach Ransomware
April 6, 2023
UPDATE
Separately, Palo Alto Networks issued an informational security advisory discussing Rorschach ransomware operators using the Cortex XDR Dump Service Tool (cydump.exe) to load untrusted dynamic link libraries (DLLs) using DLL-sideloading. This is true only when the tool is removed from its installation directory; it is not possible to side-load DLLs when Cortex XDR agent is installed on Windows and is running from the installation path because Cortex XDR’s security permissions and protections prevent it. In the advisory, Palo Alto verified that Cortex XDR 7.7, and newer versions, with content update version 240 (released Nov 2021), and later content updates, detect and block the ransomware. New versions of Cortex XDR agent, capable of blocking the DLL side-loading technique, will be released next week to prevent future misuse of the software. Mac OS and Linux platforms are not affected by this issue.
—
Security researchers have discovered a new ransomware strain, called Rorschach, with unique technical features. The malware is deployed using the dynamic link library (DLL) side-loading technique via a signed component in Cortex XDR, a threat detection and incident response tool from Palo Alto Networks.
Third Party Vendor Risks and What you Should Know
March 22, 2023
In 2022, a spike in targeting third-party vendors almost doubled from 2021, with 63 attacks on vendors being reported and 298 victims. This trend of increasing attacks on third-party vendors has only continued in Q1 of 2023 as several third-party vendors have reported being attacked by malicious campaigns. There are several dangers when third-party vendors are attacked.
Two-Step Phishing Attacks
March 21, 2023
Two-step phishing attacks are on the rise as threat actors become more sophisticated in targeting potential victims and evading detection. These phishing attacks use legitimate vendors that the threat actor has previously compromised.
Microsoft Outlook Zero-Day Exploited in the Wild
March 21, 2023
Microsoft disclosed a new zero-day vulnerability in Outlook identified as CVE-2023-23397. This flaw is an elevation-of-privilege (EoP) vulnerability that enables remote code execution capability as threat actors can steal NTLM credentials of Microsoft Outlook users.
Emotet Returns After Three Months of Silence
March 17, 2023
After a brief hiatus, Emotet threat actors have re-commenced operations as of early March 2023. Originally tracked as a banking trojan, Emotet has evolved into a multi-purpose dropper/downloader malware.
Sharp Panda Utilizes New Version of the Soul Framework
March 8, 2023
Sharp Panda, (also known as APT19, Emissary Panda, or Iron Tiger) is a sophisticated Chinese Advanced Persistent Threat (APT) group. The group has been active since at least 2012 and is known for sharing tools and infrastructure with other Chinese APT groups.
Threat Actors Using Microsoft OneNote
February 13, 2023
Recently, several malware operators have been spotted using OneNote attachments in their spam campaigns. OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner. Cyber criminals have started new phishing campaigns delivering malicious OneNote attachments that deliver Formbook, Redline Stealer, AsyncRat or Qbot malware to unsuspecting victims.
February 3, 2023
Russian-based ransomware group LockBit continues to expand its arsenal with the addition of a new variant, LockBit Green. The acquisition of Green comes less than a year after the deployment of LockBit Black. Threat researchers at SentinelOne indicated a large portion of this variant overlaps with the Conti ransomware version whose source code was leaked last year. LockBit is expected to continue to dominate the ransomware arena as the operators make strides to increase its capabilities and versatility.
January 10, 2023
Adversary-in-the-middle (AiTM) phishing campaigns are a growing threat because they are highly effective and can bypass even the most advanced security measures. They are particularly dangerous when they target large organizations, which can have a significant impact on the organization’s operations and reputation. Phishing remains to be one of the most common techniques attackers use in their attempts to gain initial access to organizations. It remains important for organizations to be vigilant and aware of this type of attack and take steps to protect themselves.
November 1, 2022
OpenSSL published an advisory detailing two new vulnerabilities CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”); both classified as high. Although initially assessed as a critical vulnerability, CVE-2022-3602, was downgraded to high due to unlikely remote code execution in common configurations. These vulnerabilities impact OpenSSL 3.0.0-3.0.6 ONLY. Users should upgrade to 3.0.7 as soon as possible. Those unable to immediately update should disable TLS client authentication. Currently there are no known exploits in the wild.
Our CTI team will continue to monitor these known vulnerabilities and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates the CTI team will continue to post on the Intelligence Hub and give updates via ZTAP bulletins.
October 31, 2022
Critical Start CTI team is aware of a new OpenSSL vulnerability that will be disclosed tomorrow, November 1st. Details and characteristics of the flaw have not been released, however due to the critical classification of the vulnerability we recommend updating to the new version of OpenSSL (version 3.0.7) being released on Tuesday, November 1st. The CTI team will be working closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. Critical Start CTI team will continue to monitor the situation.
July 7, 2022
In early June 2022, CISA published a Joint Cybersecurity Advisory (CSA) highlighting espionage activity related to Chinese state-sponsored advanced persistent threat (APT) groups targeting telecommunications companies. Furthermore, there has been an increase in open and closed-source identification and reporting of Chinese threat actor activities over the last month. Critical Start Cyber Threat Intelligence analysts will be monitoring this situation closely as it evolves.
Critical Start supports the CISA backed recommended actions listed below:
May 19, 2022
The ransomware group formerly known as Conti is currently shut down.
The admin panel of the gang’s official website, Conti News, is shut down as is the negotiations service site. Meanwhile the rest of the infrastructure, to include chatrooms, messengers, servers, and proxy hosts are going through a massive reset. This was an intentional decision, months in the making, to attempt to shed some of the group’s toxic branding.
For over two months, the Conti collective silently created subdivisions that began operations before the start of the shutdown process. These subgroups either utilize existing Conti alter egos and locker malware or took the opportunity to create new ones. The group is adopting a network organizational structure, more horizontal and decentralized than the previously rigid Conti hierarchy.
The new network will include the following types of groups:
This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than Ransomware-as-a-Service (RaaS).
The other major development for this new ransomware model is the transition from data encryption to data exfiltration. Relying on pure data exfiltration maintains most major benefits of a data encryption operation, while avoiding the issues of a locker altogether. Most likely, this will become the most important outcome of Conti’s re-brand.
May 9, 2022
The Critical Start CTI team observed a pattern of breaches over the last five weeks related to higher education being targeted by ransomware. Two out of the four southern schools, Florida International University and North Carolina A&T University, have been linked to BlackCat (a.k.a., ALPHV). No threat actors have claimed responsibility for the latest, Austin Peay State University, reported on by Critical Start CTI earlier this month, but the school is still investigating. Around the country there have been at least 13 reported attacks against U.S. universities and colleges in 2022 so far. These include Kellogg Community College, targeted last week, Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas and National University College, to name a few.
About BlackCat
BlackCat, (aka ALPHVM, ALPHV, and Noberus) is a newly emerged ransomware-as-a-Service (RaaS) group assessed to be a re-branding of BlackMatter and DarkSide groups. BlackCat ransomware emerged in November 2021 and is developed in Rust, a cross-compilation language allowing for rapid development of malware for Windows and Linux. The ransomware executable is highly customizable, with different encryption methods (AES, ChaCha20) and options allowing for attacks on a wide range of corporate environments. Common TTPs include the use of a signed binary proxy to download the ransomware, access token manipulation and UAC bypass for privilege escalation, deleting files and logs on host for defense evasion purposes, and the use of SMB and PsExec for lateral movement.
We Recommended That You
March 29, 2022
BazarCall was used by Ryuk and Conti in 2020/2021 and has made a reappearance in March 2022 targeting several companies across multiple industries. Using the BazarCall Tactic, Conti creates a fake call center from which calls are made to potential victims convincing them to open malicious email attachments. These malicious attachments exploit Atera remote monitoring software, Cobalt Strike, and Sliver C2 Framework, then delivers BazarLoader.
It’s important to note that phone calls are made following extensive social engineering and reconnaissance activities. Previous breaches involving these tactics have provided evidence that call center personnel have convincing information regarding target company operations.
We recommend that you:
March 28, 2022
CTO Randy Watkins provides more information about the group behind the breach in this informal breakdown of what we know now.
March 23, 2022
Critical Start is monitoring the recent breach against Okta and the associated third-party
service providers that support Okta’s operations.
Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network. The company only acknowledged the compromise after the Lapsus$ hacking and extortion group posted screenshots on Monday, nearly two months after the hackers first gained access to its network.
Key points to know:
Critical Start always recommends customers enable MFA for all user accounts. Passwords alone do not
offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys,
as other methods of MFA can be vulnerable to phishing attacks.
Russian Cyber Attacks: Threat Actors and New Developments
Russia’s attack on Ukraine has heightened concerns around cyber threats. We dive into likely threat actors and emerging attacks like Hermetic Malware and WhisperGate in more detail.
Russian Focus Hides Iranian APT Activity 12:30pm CT
CTI is also monitoring the situation unfolding in Iran and the implications of the Russia/Ukraine situation functioning as a distraction for other APT activity
What we know now:
The following MITRE TTPs apply:
Additional reading and resources:
Hermetic Malware 10:45am CT
We are analyzing Hermetic Malware samples. We know that the initial indicators of this sample began circulating on 2/23/22 by way of a signed driver that erases windows devices after deleting their shadow copies.
We have several known IOCs which are being passed to our Detection Engineering team.
This appears to be a clear effort of destabilization via MDM strategy; Russia has a huge arsenal of cyber capabilities and we have a very consistent record of them targeting Ukraine in this way, thus Russia’s ability to take down critical infrastructure and control the Ukrainian narrative is not surprising.
Often, these attacks and campaigns are attributed to a nonstate actors or individual cyber criminals but the nod from the Russian Federation and the contractive interactions between them and the organized hackers provides a smoke screen between the APT and Russian leadership.
Log4Shell is a Remote Code Execution vulnerability with the Open Source Apache Log4j framework that is part of the Apache Logging Project. This is the most widely used logging framework on millions of systems worldwide and many governments have rated the risk a 10 out of 10, or “red” level risk of the highest severity.
To put this event into laymen’s terms: If 95% of all garage doors installed from 2016-2021 could be opened from any Internet Web Browser…from anywhere around the world… This is the significance of Log4shell.
Critical Start takes a closer look at the SolarWinds breach through two January information sessions.
With the breach linked back to the use of Solarwinds’ updater as the distribution mechanism for the backdoor, finding out who had been affected was easy, and the results were devastating.