CYFIRMA: Cybersecurity Dossier
Threat Actor in Focus - Unveiling ‘Magnet Goblin’: A Financially Motivated Threat Actor
Researchers have uncovered a new threat actor dubbed “Magnet Goblin” operating with a clear financial motivation. This actor has been observed exploiting 1-day vulnerabilities for initial access, most recently the Ivanti Connect Secure VPN vulnerabilities (CVE-2023-46805 and CVE-2023-21887) that were swiftly adopted by multiple threat actors. Magnet Goblin has also targeted platforms such as Magento, Qlik Sense, and potentially Apache ActiveMQ to deploy its custom malware, particularly on Linux systems, and has used Remote Monitoring and Management (RMM) software such as ConnectWise’s ScreenConnect in its operations. While some of these activities were previously reported, they were not attributed to a specific actor until now. Upon successful exploitation, Magnet Goblin deploys malware from the Nerbian family, notably NerbianRAT, a cross-platform Remote Access Trojan (RAT) with variants for both Windows and Linux, and MiniNerbian, a compact Linux backdoor. The actor has also demonstrated adaptability, extending its activities beyond Linux environments to target Windows systems using tools like ScreenConnect and AnyDesk. Once command and control (C2) is established, NerbianRAT facilitates a range of malicious activities on the compromised system.
Islamic State’s Telegram Hustle: How a Terrorist Organization Raises Funds
The research team collated Telegram channels and groups that were coaxing users to join Telegram channels in which atrocities against Muslims, prisoners, and refugees in the Al Hol Camp in Syria were being discussed. Several Telegram channels discussed Islam and acts against Muslims. Occasionally, these channels shared posts from a Telegram channel that directly operated with the IS ideology. During the investigation, the team observed one such post being shared by a pro-Islamic Telegram channel. The Telegram channel “WhispersOfTheForgotten”, occasionally shared by pro-Islamic Telegram channels, specializes in sharing radicalization content and also operates on a RocketChat server named TechHaven (an exclusive platform employed by ISIS). The RocketChat platform hosts many other ISIS groups, active and inactive, from different regions around the globe. The existence of the group on the RocketChat server proved that the Telegram channel “WhispersOfTheForgotten” is run by users with ISIS ideology. The channel “WhispersOfTheForgotten” on Telegram also runs a parallel donation drive. The suspicious channel shares contact details through which other Telegram users can reach out and discuss donations they would like to offer. The team initiated engagement to find out more about their intentions and the real reason behind their donation program.
CYFIRMA INDUSTRY REPORT – MANUFACTURING
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the manufacturing industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the manufacturing industry. We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
TRACKING RANSOMWARE February 2024
Welcome to the February 2024 Ransomware Report. This report offers a detailed analysis of ransomware events during this period. We explore the top 5 most active ransomware groups and the industries they targeted, as well as the locations that experienced the most attacks. We also discuss the evolution of ransomware groups and vulnerabilities exploited, intending to equip organizations with crucial insights to bolster their cybersecurity measures and combat the evolving threat landscape effectively. This CYFIRMA Monthly Ransomware report thoroughly analyses ransomware activity in February 2024, covering significant attacks.
Ransomware of the Week
The CYFIRMA Research and Advisory Team has found RA World ransomware while monitoring various underground forums as part of our Threat Discovery Process. RA World ransomware, formerly known as the RA Group, has demonstrated a concerning capability to infiltrate organizations on a global scale since its initial emergence in April 2023. RA World encrypts files and appends the “.RAWLD” extension to their filenames. After encryption completes, a ransom note titled “Data breach warning.txt” is created. Researchers have recently uncovered an RA World cyber attack specifically targeting multiple healthcare organizations in the Latin American region.
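The two on-disk artifacts named above (the “.RAWLD” extension and the “Data breach warning.txt” note) are what an incident responder would look for first on a suspect file share. The following triage script is an added example, not CYFIRMA tooling: it walks a directory tree, counts encrypted files per directory, and collects ransom-note locations. The sample tree it builds is constructed for the demonstration; the only indicator values it uses are the two taken from the text above.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the report text above.
RAWORLD_EXTENSION = ".RAWLD"
RAWORLD_NOTE_NAME = "Data breach warning.txt"


def scan_for_ra_world(root: str) -> dict:
    """Walk `root` and collect RA World file-system indicators.

    Returns the number of '.RAWLD' files, the ransom-note paths found,
    a per-directory count of encrypted files (useful for scoping which
    shares were touched), and an overall verdict.
    """
    encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(RAWORLD_EXTENSION):
                encrypted.append(full)
            elif name == RAWORLD_NOTE_NAME:
                notes.append(full)
    per_dir = Counter(os.path.dirname(p) for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": dict(per_dir),
        "likely_ra_world": bool(encrypted) or bool(notes),
    }


def build_sample_tree(infected: bool = True) -> str:
    """Create a throwaway directory tree (constructed sample, not real data).

    With infected=True it mimics a share where two documents were encrypted
    and a ransom note dropped; with infected=False it contains only clean files.
    """
    root = tempfile.mkdtemp(prefix="raworld_demo_")
    docs = Path(root, "share", "docs")
    docs.mkdir(parents=True)
    images = Path(root, "share", "images")
    images.mkdir()
    (images / "logo.png").write_bytes(b"\x89PNG")
    if infected:
        (docs / "q1-report.xlsx" + RAWORLD_EXTENSION).write_bytes(b"\x00" * 16) if False else None
        (docs / ("q1-report.xlsx" + RAWORLD_EXTENSION)).write_bytes(b"\x00" * 16)
        (docs / ("contract.pdf" + RAWORLD_EXTENSION)).write_bytes(b"\x00" * 16)
        (docs / RAWORLD_NOTE_NAME).write_text("constructed ransom note text")
    else:
        (docs / "q1-report.xlsx").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    hit = scan_for_ra_world(build_sample_tree(infected=True))
    print(f"encrypted files: {hit['encrypted_count']}, notes: {hit['ransom_notes']}")
    print("verdict:", "RA World indicators present" if hit["likely_ra_world"] else "clean")
```

Run it against the root of a suspect share instead of the constructed tree; the per-directory counts tell you how far encryption progressed, which matters when deciding which backups to restore from.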
Trending Malware of the Week
This week “Fakext” is trending.
In November 2023, researchers discovered the Fakext malware, which uses a malicious Edge extension to carry out widespread man-in-the-browser and web-injection attacks, notably targeting users in Latin America. The campaign has affected 35,000 sessions, primarily in Latin America, with a smaller impact in Europe and North America. The success of the campaign is evident in its extensive reach. Researchers also noted that Fakext displays injected content in Spanish, including error messages and user forms. The malware specifically targets 14 banks operating in Latin America, particularly in Mexico.
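A web-injecting extension of the kind described above needs broad host access and content-script or request-interception permissions, and those are declared in each extension's manifest.json. The inventory script below is an added example (not CYFIRMA's or the researchers' code) that walks a Chromium-style Extensions directory, such as Edge's `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` on Windows, and ranks installed extensions by how much page-rewriting capability they request. The two manifests it builds are constructed samples; the scoring weights are an assumption chosen for illustration, not a published detection rule for Fakext.

```python
import json
import tempfile
from pathlib import Path

# Permissions that allow reading or rewriting page content / requests on every
# site, which is what a man-in-the-browser or web-inject extension relies on.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "cookies",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest (V2 or V3) by requested reach and capability."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; pull them out too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    script_hosts = set()
    for cs in manifest.get("content_scripts", []):
        script_hosts |= set(cs.get("matches", []))
    broad = bool((hosts | script_hosts) & BROAD_HOSTS)
    risky = perms & HIGH_RISK_PERMISSIONS
    # Assumed weighting: each risky permission counts 1, all-site reach counts 3.
    score = len(risky) + (3 if broad else 0)
    return {
        "name": manifest.get("name", "?"),
        "broad_host_access": broad,
        "risky_permissions": sorted(risky),
        "content_script_hosts": sorted(script_hosts),
        "score": score,
        "review": score >= 3,
    }


def scan_extensions_dir(ext_root: Path) -> list:
    """Walk <ext_root>/<extension id>/<version>/manifest.json, highest score first."""
    findings = []
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        result = assess_manifest(manifest)
        result["extension_id"] = manifest_path.parts[-3]
        findings.append(result)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def build_sample_extensions_dir() -> Path:
    """Constructed sample layout with one benign and one injector-like extension."""
    root = Path(tempfile.mkdtemp(prefix="edge_ext_demo_"))
    benign = {
        "manifest_version": 3, "name": "Constructed notes extension",
        "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
    }
    injector = {
        "manifest_version": 3, "name": "Constructed injector sample",
        "permissions": ["webRequest", "webRequestBlocking", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }
    for ext_id, manifest in (("aaaabenignsample0000", benign), ("bbbbinjectsample0000", injector)):
        d = root / ext_id / "1.0.0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_extensions_dir(build_sample_extensions_dir()):
        flag = "REVIEW" if f["review"] else "ok"
        print(f"{flag:6} {f['score']:2} {f['extension_id']} {f['name']} {f['risky_permissions']}")
```

A high score is a prompt for review, not proof of malice: ad blockers and password managers legitimately request all-site access, so compare the flagged extension's ID and name against what the organisation has approved.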
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.
Visit www.cyfirma.com