CYFIRMA: Cybersecurity Dossier
Threat Actor in Focus - APT29’s Latest Tactics: Navigating the Evolving Threat Landscape
Russian state-sponsored actors tracked as APT29 (also known as Cozy Bear or Midnight Blizzard) are shifting their focus to cloud services, according to a warning issued by members of the Five Eyes intelligence alliance. The group, attributed to Russia's Foreign Intelligence Service (SVR), has previously breached U.S. federal agencies and compromised Microsoft 365 accounts belonging to entities in NATO countries. SVR actors gain access to service accounts through brute forcing and password spraying; such accounts are attractive because they commonly lack multi-factor authentication (MFA) yet hold high privileges. Dormant accounts of former employees are also targeted, and the actors have used enforced password resets to regain access through inactive accounts, which complicates incident response efforts. Against personal accounts they rely on password spraying and credential reuse, and once a valid password is in hand they use "MFA bombing", flooding the victim with MFA push requests until one is approved and access is granted.
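The three tradecraft patterns above (password spraying against service accounts, MFA bombing, and sign-ins to dormant accounts) each leave a distinctive shape in identity-provider sign-in logs. The detections below are an added example, not CYFIRMA's code or anything from the Five Eyes advisory; the log schema, the sample records and the thresholds are assumptions, and the records are constructed, not real logs.

```python
"""Detections for the SVR/APT29 cloud tradecraft described above:
password spraying, MFA bombing (push fatigue) and sign-ins to dormant
accounts.  Added example (not CYFIRMA's or the advisory's code); the
log schema, sample records and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real logs).  'event' is one of
# login_failure, login_success, mfa_prompt, mfa_approved.
SAMPLE_EVENTS = [
    # one source IP, one failed guess against each of four accounts: a spray
    {"ts": "2024-02-26T09:00:05", "user": "svc-backup", "ip": "203.0.113.7", "event": "login_failure"},
    {"ts": "2024-02-26T09:00:41", "user": "svc-ci",     "ip": "203.0.113.7", "event": "login_failure"},
    {"ts": "2024-02-26T09:01:12", "user": "alice",      "ip": "203.0.113.7", "event": "login_failure"},
    {"ts": "2024-02-26T09:01:50", "user": "bob",        "ip": "203.0.113.7", "event": "login_failure"},
    # the spray lands on a dormant service account that has no MFA
    {"ts": "2024-02-26T09:02:20", "user": "svc-sync",   "ip": "203.0.113.7", "event": "login_success"},
    # a user mistyping their own password twice: not a spray
    {"ts": "2024-02-26T09:03:00", "user": "carol", "ip": "198.51.100.4", "event": "login_failure"},
    {"ts": "2024-02-26T09:03:30", "user": "carol", "ip": "198.51.100.4", "event": "login_failure"},
    # four push prompts in under two minutes, then an approval: MFA bombing
    {"ts": "2024-02-26T10:00:00", "user": "dave", "ip": "203.0.113.9", "event": "mfa_prompt"},
    {"ts": "2024-02-26T10:00:30", "user": "dave", "ip": "203.0.113.9", "event": "mfa_prompt"},
    {"ts": "2024-02-26T10:01:00", "user": "dave", "ip": "203.0.113.9", "event": "mfa_prompt"},
    {"ts": "2024-02-26T10:01:40", "user": "dave", "ip": "203.0.113.9", "event": "mfa_prompt"},
    {"ts": "2024-02-26T10:01:45", "user": "dave", "ip": "203.0.113.9", "event": "mfa_approved"},
    {"ts": "2024-02-26T10:01:50", "user": "dave", "ip": "203.0.113.9", "event": "login_success"},
    # a normal single prompt and approval
    {"ts": "2024-02-26T11:00:00", "user": "erin", "ip": "198.51.100.8", "event": "mfa_prompt"},
    {"ts": "2024-02-26T11:00:10", "user": "erin", "ip": "198.51.100.8", "event": "mfa_approved"},
    {"ts": "2024-02-26T11:00:15", "user": "erin", "ip": "198.51.100.8", "event": "login_success"},
]

# Constructed directory data (assumption): last recorded activity per account.
LAST_SEEN = {
    "svc-sync": datetime(2023, 10, 1),   # service account nobody has used in months
    "dave": datetime(2024, 2, 25),
    "erin": datetime(2024, 2, 26, 8, 0),
}


def parse(records):
    """Parse ISO timestamps and return the records sorted by time."""
    out = [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]
    return sorted(out, key=lambda r: r["ts"])


EVENTS = parse(SAMPLE_EVENTS)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=4):
    """IPs that failed against >= min_users distinct accounts inside a sliding
    window.  A spray is few guesses per account, so count accounts, not failures."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_mfa_bombing(events, window=timedelta(minutes=5), min_prompts=3):
    """Users who received >= min_prompts push prompts inside a window, plus
    whether an approval followed the burst (the attacker's success signal)."""
    prompts, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_approved":
            approvals[e["user"]].append(e["ts"])
    hits = {}
    for user, times in prompts.items():
        for i, first in enumerate(times):
            burst = [t for t in times[i:] if t - first <= window]
            if len(burst) >= min_prompts:
                approved = any(first <= a <= burst[-1] + window for a in approvals[user])
                hits[user] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return hits


def detect_dormant_logins(events, last_seen, dormant_after=timedelta(days=90)):
    """Successful sign-ins to accounts with no directory activity for
    dormant_after (or none recorded at all): the former-employee pattern."""
    hits = []
    for e in events:
        if e["event"] != "login_success":
            continue
        prev = last_seen.get(e["user"])
        if prev is None or e["ts"] - prev > dormant_after:
            hits.append((e["user"], e["ip"]))
    return hits
```

Run against `EVENTS`, the spray detector reports only 203.0.113.7 (carol's two failures against her own account are not a spray), the MFA detector reports dave with four prompts and an approval inside the window, and the dormant-account check reports the successful sign-in to svc-sync. In production the thresholds need tuning per tenant, and the dormant check should be fed from the directory's real last-sign-in attribute rather than a static map; the point of the example is the shape of each signal, not the numbers.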
The ScreenConnect Saga: A Deep Dive into the LockBit Connection
ConnectWise's remote support software ScreenConnect is at the centre of a recent wave of attacks. More than 96,427 ScreenConnect instances are exposed to the internet and potentially vulnerable, and the vulnerabilities are being actively exploited by threat actors in a widespread campaign affecting organizations across the globe. ScreenConnect has been hit by two vulnerabilities, CVE-2024-1709 (an authentication bypass rated critical) and CVE-2024-1708 (a path traversal flaw rated high), both of which have been exploited in the wild. Together they allow a threat actor to execute code remotely on the affected server, which opens the door to a range of follow-on activity, including the deployment of ransomware. The vulnerabilities are easy to exploit, which makes exposed instances an attractive target for cybercriminals.
Exploit Analysis: SSRF and Command Injection for Unauthenticated RCE in Ivanti Connect Secure
CYFIRMA's Research team conducted a comprehensive analysis of two vulnerabilities affecting Ivanti Connect Secure: a server-side request forgery (SSRF) flaw, CVE-2024-21893, and a command injection flaw, CVE-2024-21887. The SSRF vulnerability, disclosed by Ivanti on January 31, 2024, resides in the SAML component of Ivanti Connect Secure and carries a CVSS score of 8.2; chained with the command injection it yields unauthenticated remote code execution. Given its nature, this vulnerability demands immediate attention, underscoring the need for swift mitigation across all Ivanti installations. The investigation offers insights into the vulnerability's characteristics, its potential ramifications, and the importance of addressing it promptly through patching and proactive security controls.
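The defensive side of an SSRF such as the one above is an outbound-URL guard: before the server fetches a URL it received from a request (a SAML or IdP metadata URL is a typical case), it should validate scheme, port and destination address. The code below is an added example, not Ivanti's code and not CYFIRMA's research code; it shows the vulnerable pattern beside a hardened one, and the hostnames, addresses and policy constants are assumptions, with DNS answers stubbed so it runs offline.

```python
"""Outbound-URL guard: the defensive counterpart of the SSRF class
discussed above (a server fetching an attacker-influenced URL, here a
SAML/IdP metadata URL).  Added example, not Ivanti's code nor CYFIRMA's;
the hostnames, addresses and policy constants are assumptions and DNS
answers are stubbed so it runs offline."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers (assumption) standing in for a real resolver.
FAKE_DNS = {
    "idp.example.com": ["8.8.8.8"],                   # globally routable answer
    "metadata.internal": ["10.0.0.5"],                # RFC 1918 address
    "rebind.example.net": ["8.8.8.8", "127.0.0.1"],   # mixed answer set (rebinding)
}

ALLOWED_SCHEMES = {"https"}   # policy constants (assumptions)
ALLOWED_PORTS = {443}


def resolve(host):
    """Stub resolver; a real one would query DNS."""
    return FAKE_DNS.get(host, [])


def fetch_unsafe(url, opener):
    """Vulnerable pattern: whatever URL arrives in the request is fetched
    server-side, so loopback and internal services reachable only from the
    appliance become reachable to an unauthenticated caller."""
    return opener(url)


def check_outbound_url(url, resolver=resolve):
    """Hardened pattern.  Returns (ok, reason).  Rejects non-https URLs,
    userinfo, unexpected ports, literal non-global IPs, and any hostname
    for which ANY resolved address is non-global (one internal answer
    poisons the whole set, which defeats split or rebinding answers)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or 443
    except ValueError:          # non-numeric port string
        return False, "port"
    if port not in ALLOWED_PORTS:
        return False, "port"
    try:                        # a literal IP bypasses DNS: check it directly
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "unresolvable"
    if not all(ipaddress.ip_address(a).is_global for a in addrs):
        return False, "non-public address"
    return True, "ok"


def fetch_safe(url, opener, resolver=resolve):
    """Validate first; raise instead of issuing a request to a blocked target."""
    ok, reason = check_outbound_url(url, resolver)
    if not ok:
        raise ValueError(f"blocked outbound request to {url!r}: {reason}")
    return opener(url)
```

Two caveats a practitioner should carry into a real implementation. First, validating the resolved address and then letting the HTTP client resolve the name again is a time-of-check/time-of-use gap (DNS rebinding); the client should connect to the address that was validated. Second, redirects must be disabled or re-validated hop by hop, since a public host that 302s to an internal address reopens the hole.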
Xeno RAT: A New Remote Access Trojan with Advanced Capabilities
At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies used by malicious actors against organizations and individuals. This in-depth examination focuses on the proliferation of Xeno RAT, an intricately designed malware with advanced functionality that is freely available on GitHub. The research explores the evasion tactics threat actors employ to avoid detection and describes how resilient malware payloads are built. Notably, the report underscores the adaptive nature of such threats and the corresponding need for stronger security controls and user vigilance to mitigate the associated risks.
Ransomware of the Week
CYFIRMA Research and Advisory Team found Kuiper ransomware while monitoring various underground forums as part of our Threat Discovery Process. Kuiper ransomware was discovered in the wild in September 2023, coinciding with the launch of its Ransomware-as-a-Service (RaaS) platform during the same month. The ransomware is written in Golang.
Figure: The initial sales post for the Kuiper ransomware (Source: Surface Web).
Researchers have found several versions of the ransomware, namely A, B, and C. Each version has distinct "variants" corresponding to the platform the binary targets.
Trending Malware of the Week
This week "VietCredCare" is trending. Researchers have identified multiple variants of the VietCredCare malware, which targets Windows systems and is primarily designed to take over corporate Facebook accounts; the malware continues to evolve. The researchers' analysis shows that Vietnamese government agencies, public and private organizations, universities, banks, enterprises, and personal and business social media accounts are all at risk of compromise, indicating a widespread threat affecting diverse sectors in Vietnam.
CYFIRMA is a threat discovery and cyber-intelligence company with the world's first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker's view to help clients prepare for impending attacks.
Visit www.cyfirma.com