Tag: lateral movement

37 Attack Reports | 0 Vulnerabilities

Attack reports

TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

TheWizards, a China-aligned threat actor, employs Spellbinder, a lateral movement tool that enables adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows the group to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The at…
china
lateral movement
adversary-in-the-middle
2025-04-30
software update hijacking
wizardnet
spellbinder
slaac spoofing
2025-05-09
darknights
Published: May 9, 2025
Downloadable IOCs: 8

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…
ransomware
malvertising
cobalt strike
dll sideloading
lateral movement
nitrogen
2025-05-02
nitrogenloader
Published: May 2, 2025
Downloadable IOCs: 2

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

Fake Zoom Ends in BlackSuit Ransomware

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for later…
ransomware
cobalt strike
exfiltration
lateral movement
proxy
blacksuit
sectoprat
brute ratel
2025-03-31
d3f@ckloader
qdoor
Published: March 31, 2025
Downloadable IOCs: 0

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMe…
espionage
evasion
persistence
lateral movement
china chopper
china-nexus
telecom
2025-03-25
web shells
tunneling
inmemory web shell
Published: March 25, 2025
Downloadable IOCs: 1

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

A sophisticated breach was identified where threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management client to infiltrate a network. The attack involved post-compromise tactics including network discovery, administrator account creation, and persistence establishment…
backdoor
exploit
rmm
sliver
lateral movement
akira
cloudflared
2025-02-07
simplehelp
Published: February 7, 2025
Downloadable IOCs: 6

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…
ransomware
lockbit
cobalt strike
rclone
exfiltration
lateral movement
systembc
ghostsocks
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 21

RansomHub Affiliate leverages Python-based backdoor

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of comp…
obfuscation
ransomware
socgholish
lateral movement
ransomhub
python backdoor
c2 infrastructure
socks5
2025-01-16
reverse proxy
Published: January 16, 2025
Downloadable IOCs: 6

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

A recent campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces has been observed. The threat actors gained unauthorized access to the firewalls' administrative controls, created new accounts, established SSL VPN connections, and made various configuration changes…
zero-day
lateral movement
fortigate
vulnerability scanning
fortinet
2025-01-11
ssl vpn
firewall
jsconsole
Published: January 11, 2025
Downloadable IOCs: 0

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

U.S. Organization in China Targeted by Attackers

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…
apt
espionage
exfiltration
lateral movement
credential access
2024-12-06
textinputhost.dat
Published: December 6, 2024
Downloadable IOCs: 13

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Know Thy Enemy: A Novel November Case on Persistent Remote Access

In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtu…
remote access
persistent
lateral movement
meshagent
2024-11-26
psexec
rdp brute force
Published: November 26, 2024
Downloadable IOCs: 6

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Dissecting A Multi-Stage PowerShell Campaign Using Chisel

A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope pro…
powershell
persistence
lateral movement
lnk file
multi-stage
command-and-control
2024-11-12
chisel
Published: November 12, 2024
Downloadable IOCs: 17

QSC: new modular framework in CloudComputating campaigns

Kaspersky researchers discovered QSC, a multi-plugin malware framework used by the CloudComputating group in cyber espionage campaigns. QSC consists of a Loader, Core module, Network module, File Manager module, and Command Shell module, allowing attackers to load specific plugins on demand. The fr…
lateral movement
2024-11-08
quarian backdoor
qsc framework
goclient backdoor
Published: November 8, 2024
Downloadable IOCs: 0

Investigating a SharePoint Compromise: IR Tales from the Field

An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and compromising the entire domain. Key tactics included installing Horoung …
credential harvesting
lateral movement
mimikatz
impacket
CVE-2024-38094
2024-11-05
domain compromise
sharepoint
fast reverse proxy (frp)
Published: November 5, 2024
Downloadable IOCs: 8

Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

This analysis examines two cybersecurity incidents: a web shell attack and a VPN compromise. The web shell attack involved uploading malicious files to a server, executing commands, creating a local admin account, and attempting to establish persistence. The VPN compromise led to lateral movement, …
anydesk
persistence
CVE-2020-1472
lateral movement
privilege escalation
web shell
defense evasion
2024-10-24
iis
mxdr
vpn compromise
Published: October 24, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

Unmasking Prometei: A Deep Dive Into MXDR Findings

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Leveraging Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency m…
botnet
credential theft
lateral movement
dga
web shell
tor
cryptocurrency mining
2024-10-23
prometei
CVE-2021-27065
CVE-2021-26858
CVE-2019-0708
Published: October 23, 2024
Downloadable IOCs: 0

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …
ransomware
russia
lockbit
hacktivism
credential harvesting
lateral movement
babuk
lockbit 3.0
2024-10-18
xenallpasswordpro
cobint
Published: October 18, 2024
Downloadable IOCs: 1

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…
iab
ransomware
credential theft
lateral movement
financially motivated
2024-10-04
babylockerkz
medusalocker
Published: October 4, 2024
Downloadable IOCs: 11

Threat Brief: Understanding Akira Ransomware

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and op…
ransomware
lateral movement
conti
akira
raas
2024-10-04
double extortion
defense evasion
CVE-2023-20269
chacha encryption
CVE-2019-6693
credential dumping
CVE-2021-21972
CVE-2022-40684
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-20269, CVE-2021-21972, CVE-2019-6693, CVE-2022-40684
Downloadable IOCs: 3

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
linux
backdoor
cryptocurrency
mallox
lateral movement
tsunami
2024-09-13
weblogic
hadooken
Published: September 13, 2024
Downloadable IOCs: 4

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

BlackSuit Ransomware

The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside…
ransomware
cobalt strike
discovery
lateral movement
credential access
cobaltstrike
blacksuit
systembc
2024-08-27
sharphound
get-datainfo.ps1
rubeus
Published: August 27, 2024
Downloadable IOCs: 16

CheckMesh: Hidden Threats in Your FW

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the atta…
credential theft
lateral movement
2024-08-05
meshagent
encrypted communication
advanced persistent threat
firewall compromise
Published: August 5, 2024
Downloadable IOCs: 9

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
backdoor
espionage
exfiltration
persistence
lateral movement
2024-08-02
bitsloth
Published: August 2, 2024
Downloadable IOCs: 8

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…
ransomware
encryption
lateral movement
credential
2024-06-07
backup deletion
foggyweb
Published: June 7, 2024
Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800
Downloadable IOCs: 5

Operation Crimson Palace: A Technical Deep Dive

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
malware
cobalt strike
cyberespionage
lateral movement
intrusion
2024-06-06
impersoni-fake-ator
powheartbeat
credential access
pocoproxy
rudebird
phantomnet
ccoredoor
eagerbee
nupakage
Published: June 6, 2024
Downloadable IOCs: 138

Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion

This report details a sophisticated cyber intrusion targeting MITRE's research network (NERVE) through the exploitation of Ivanti Connect Secure zero-day vulnerabilities. The threat actor, suspected to be UNC5221, initiated the attack by gaining unauthorized access and subsequently deploying variou…
persistence
CVE-2024-21887
CVE-2023-46805
2024-05-24
threat
lateral movement
wirefire
giftedvisitor
bushwalk
intrusion
cyberattack
beeflush
rootrot
brickstorm
Published: May 24, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports