Tag: critical-infrastructure

15 Attack Reports | 0 Vulnerabilities

Attack reports

MuddyWater: Snakes by the riverbank

MuddyWater, an Iran-aligned cyberespionage group, has been targeting critical infrastructure in Israel and Egypt with custom malware and improved tactics. The campaign uses previously undocumented tools like the Fooder loader and MuddyViper backdoor to enhance defense evasion and persistence. Foode…
iran
credential theft
cyberespionage
defense evasion
critical infrastructure
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
reverse tunneling
2026-01-03
fooder loader
muddyviper backdoor
Published: January 3, 2026
Downloadable IOCs: 9

Multi-Platform Ransomware Written in Rust

A new ransomware family named 01flip, written in Rust, has been observed targeting victims in the Asia-Pacific region. The malware supports multi-platform architectures and has been used in attacks on critical infrastructure. Initial access was gained through exploitation of vulnerabilities in inte…
ransomware
rust
sliver
aes encryption
data leak
critical infrastructure
multi-platform
asia-pacific
2025-12-10
01flip
CVE-2019-11580
Published: December 10, 2025
Linked vulnerabilities : CVE-2019-11580
Downloadable IOCs: 3

Snakes by the riverbank

ESET researchers have identified new MuddyWater activity targeting organizations in Israel and Egypt. The Iran-aligned cyberespionage group deployed custom tools to improve defense evasion and persistence, including a Fooder loader to execute the MuddyViper backdoor. The campaign demonstrates a mor…
backdoor
spearphishing
iran
cyberespionage
custom malware
defense evasion
critical infrastructure
israel
2025-12-02
blub
lp-notes
go-socks5
muddyviper
ce-notes
fooder
egypt
Published: December 2, 2025
Downloadable IOCs: 9

Threat Profile: Conti Ransomware Group

Conti, a notorious ransomware operation identified in 2019, quickly gained infamy for its advanced encryption, rapid lateral movement, and double extortion tactics. Operated by the Russia-based Wizard Spider group, Conti evolved from Ryuk ransomware and maintained suspected ties to Russian state in…
ransomware
cobalt strike
government
healthcare
conti
ryuk
double extortion
critical infrastructure
education
trickbot
2025-09-30
wizard spider
russia-based
Published: September 30, 2025
Downloadable IOCs: 2

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

A critical vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon allows unauthenticated remote code execution, affecting critical infrastructure and operational technology networks. With a CVSS score of 10.0, it enables command execution by sending SSH connection protocol messages to open ports…
exploit
vulnerability
ssh
remote code execution
critical infrastructure
CVE-2025-32433
2025-08-11
erlang/otp
operational technology
Published: August 11, 2025
Linked vulnerabilities : CVE-2025-32433 (CVSS 10.0)
Downloadable IOCs: 2

Know thyself, know thy environment

This intelligence report emphasizes the importance of understanding one's own environment and personal weaknesses in cybersecurity. It stresses the need for repeatable processes to maintain knowledge of one's environment and advocates for continuous learning to fill skill gaps. The report also high…
ransomware
qilin
critical infrastructure
pathwiper
2025-06-12
patch management
environment knowledge
gps vulnerabilities
self-awareness
vulnerability disclosure
Published: June 12, 2025
Downloadable IOCs: 0

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel
Published: April 3, 2025
Downloadable IOCs: 71

Trimble Cityworks: CVE-2025-0994: Active Exploitation

A high-severity deserialization vulnerability in Trimble Cityworks, CVE-2025-0994, affects versions before 15.8.9 and Office Companion versions before 23.10. This flaw allows authenticated attackers to execute remote code on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust…
cobalt strike
remote code execution
critical infrastructure
CVE-2025-0994
2025-02-20
vshell
trimble cityworks
iis web server
deserialization vulnerability
Published: February 20, 2025
Linked vulnerabilities : CVE-2025-0994 (CVSS 8.8)
Downloadable IOCs: 16

Will the Real Volt Typhoon Please Stand Up?

This analysis tracks the evolution of the KV Botnet, attributed to the Volt Typhoon threat group, following FBI disruption in December 2023. Despite sophisticated operations, the botnet's infrastructure remained largely consistent, only changing hosting providers. The JDY cluster, targeting Cisco r…
china
critical infrastructure
2025-01-17
kv botnet
jdy cluster
cisco routers
Published: January 17, 2025
Downloadable IOCs: 9

Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within com…
ukraine
golang
critical infrastructure
2024-11-19
ot-malware
industrial control systems
bustleberm
modbus tcp
frostygoop
Published: November 19, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2023-33538, CVE-2023-50358
Downloadable IOCs: 25

Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns

Sophos unveils a five-year investigation tracking China-based threat actors targeting perimeter devices, particularly Sophos firewalls. The report details multiple attack campaigns, including Asnarök, Bookmark Buffer Overflow, and Covert Channels, which exploited zero-day vulnerabilities to gain ac…
sliver
gh0st rat
backdoors
critical infrastructure
2024-10-31
rootkits
CVE-2020-29574
onderon
CVE-2020-15069
CVE-2022-1040
government agencies
perimeter devices
CVE-2020-12271
cloud snooper
libsophos.so
china-based threat actors
CVE-2022-3236
asnarök
zero-day vulnerabilities
asia-pacific targets
CVE-2022-1292
Published: October 31, 2024
Downloadable IOCs: 0

Arsenal honed against Russia's government organizations

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives con…
loader
government
autoit
telegram
2024-10-11
critical infrastructure
sfx executables
rar archives
Published: October 11, 2024
Downloadable IOCs: 25

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …
espionage
ransomware
lockbit
hacktivism
ransomhub
qilin
data breach
2024-10-10
rhysida
critical infrastructure
united states
Published: October 10, 2024
Downloadable IOCs: 0

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14
Click here to see more Attack Reports