Tag: 2024-10-30
6 attack reports | 96 vulnerabilities
Attack reports
Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Z…
Downloadable IOCs 281
Strela Stealer Targets Europe Stealthily Via WebDav
Strela Stealer, first identified by DCSO in late 2022, is information-stealing malware built primarily to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…
Downloadable IOCs 103
Play Ransomware Engagement
Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existi…
Downloadable IOCs 0
Writing a BugSleep C2 server and detecting its traffic with Snort
This analysis focuses on the BugSleep implant, also known as MuddyRot, a remote access tool that provides reverse shell and file I/O capabilities. The article details the process of reverse engineering BugSleep's protocol, creating a functional C2 server, and developing Snort rules for traffic dete…
Downloadable IOCs 0
Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified
Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…
Downloadable IOCs 0
More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence
Threat actors are increasingly using legitimate third-party business software to evade detection and sustain the deception. Atlassian's Confluence is being abused to host malicious content, leveraging the trusted status of its domain. The attack involves an email with an Excel attachment containing a Docu…
Downloadable IOCs 2