CYFIRMA: Cybersecurity Dossier
Threat Actor in Focus:
Navigating the Cybersecurity Landscape: Insights and Responses to Recent APT29 Attacks
In a recent observation, the Microsoft security team detected an incident on their corporate systems on January 12, 2024. Researchers identified the threat actor as the Russian state-sponsored threat group APT29, also known as Midnight Blizzard, and traced the start of the campaign to late November 2023. This revelation follows a similar acknowledgment by IT service providers of falling victim to an attack orchestrated by the same hacking crew, known by aliases such as BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes. APT29’s primary targets in the campaign include governments, diplomatic entities, NGOs, and IT service providers in the U.S. and Europe. The group’s strategic objective is prolonged, undetected access to gather sensitive information for Russia. Researchers note that the scope of APT29’s campaign may be more extensive than initially thought, although the specific entities affected by the recent wave of attacks have not been disclosed.
Comprehensive Analysis of CVE-2024-21833 Vulnerability in TP-Link Routers : Threat Landscape, Exploitation Risks, and Mitigation Strategies
CYFIRMA’s Research team has conducted a thorough analysis of a critical security vulnerability, identified as CVE-2024-21833, affecting TP-Link Routers (Archer & Deco). Discovered on January 10, 2024, by JPCERT/CC, this vulnerability carries a significant CVSS score of 8.8, indicating its severity. The flaw exposes TP-Link Routers (Archer & Deco) to OS command injection, demanding urgent attention due to the potential risks associated with it. The research underscores the critical importance of prompt mitigation, emphasizing the need for immediate patching and proactive security measures across TP-Link Router installations. The vulnerability’s nature, potential impact, and the urgency of addressing it are thoroughly explored to provide valuable insights for users and organizations relying on TP-Link networking devices.
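The summary above names the vulnerability class (OS command injection) without showing what it looks like in code. The following added example, which is not TP-Link's firmware and not CYFIRMA's code, illustrates the class with a constructed router-style "ping" diagnostic: a builder that interpolates untrusted input into a shell string, beside a hardened version that allow-lists the input and passes it as a discrete argv element so no shell ever parses it. The function names and the hostname pattern are assumptions for the illustration.

```python
import re
import subprocess

# Constructed example of a router admin-panel "ping" diagnostic. This is an
# illustration of the OS command injection class, not TP-Link's code.

# Allow-list: hostnames or IPv4 literals made of labels of letters, digits and
# hyphens, separated by dots, with no leading or trailing hyphen in a label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(target: str) -> str:
    """Interpolates untrusted input into a shell string. A ';' or '&&' in
    `target` turns the rest of the string into a second command once this
    string is handed to `sh -c`: the defect class behind OS command injection."""
    return f"ping -c 1 {target}"


def safe_ping_argv(target: str) -> list[str]:
    """Validates against a strict allow-list and returns an argv list, so the
    target reaches ping as a single argument and no shell ever parses it."""
    if len(target) > 253 or not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    # '--' stops ping from treating a target that begins with '-' as an option
    return ["ping", "-c", "1", "--", target]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Runs the diagnostic without shell=True; the argv list goes straight to exec."""
    return subprocess.run(
        safe_ping_argv(target), capture_output=True, text=True, timeout=10
    )


def is_rejected(target: str) -> bool:
    """True when the allow-list refuses the input (the hardened path)."""
    try:
        safe_ping_argv(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for t in ["192.0.2.1", "router-1.lan", "192.0.2.1; id", "$(id)", "a`b`.com", "-h"]:
        print(
            f"{t!r:18} shell string: {vulnerable_ping_command(t)!r:34} "
            f"allow-listed: {not is_rejected(t)}"
        )
```

The hardened path relies on two independent controls: the allow-list rejects every shell metacharacter, and the argv form means that even an input which slipped past the pattern would be delivered to `ping` as data rather than parsed by a shell. Quoting with `shlex.quote` alone is a weaker substitute, since it still routes the string through a shell.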
Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS Program
Cryptocurrency Drainers, also known as Crypto Stealers, are designed to steal the funds from a victim’s wallet. The drainers are primarily spread using a combination of social engineering and phishing, luring victims to enter their wallet details on deceptive websites. One of the notable drainers in 2023 was Inferno Drainer, whose developers announced that they were shutting down (public) operations in November 2023, leaving a void in the crypto drainer community. We have observed multiple drainers trying to fill that gap with aggressive marketing, but the CG project bags the winner’s title, with close to 50k subscribers on their Telegram channel and 10k affiliates working with them. The affiliates have been observed to be Russian, English and Chinese speakers.
NTT DATA and CYFIRMA Announce Global Strategic Partnership in the AI-powered Cyber Threat Intelligence Field
NTT DATA, a global digital business and IT services leader, and CYFIRMA, the leading provider of an external threat landscape management platform, today announced a global strategic partnership. This collaboration builds on NTT DATA’s recently announced New Global Cybersecurity Strategy and enhances the Threat Management capabilities of NTT DATA’s global cybersecurity services portfolio. Together, NTT DATA and CYFIRMA provide a new approach to managing cybersecurity in which governments and businesses are equipped to shift their cyber defence strategies from reactive to predictive using real-time intelligence.
Ransomware of the Week
CYFIRMA Research and Advisory Team has found Kasseika ransomware while monitoring various underground forums as part of our Threat Discovery Process. Kasseika was first discovered in mid-December 2023, and the ransomware shares similarities with BlackMatter. The similarities involve pseudo-ransom extensions and the use of the extension string followed by .README.txt as the ransom note file name and format. After a rise in bring-your-own-vulnerable-driver (BYOVD) attacks by ransomware groups in 2023, Kasseika has joined the trend. Alongside Akira, BlackByte, and AvosLocker, Kasseika utilizes this tactic to halt antivirus processes, allowing for the deployment of ransomware. Researchers found that Kasseika misused the Martini driver to terminate the victim machine’s antivirus-related processes.
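The BYOVD tactic described above turns on a driver that is legitimately signed, so a signature check alone does not catch it. The following added example, which is neither CYFIRMA's code nor tied to the actual Kasseika or Martini driver artifacts, runs defender-side triage over a constructed batch of Sysmon Event ID 6 (DriverLoad) records serialised as JSON lines. The field names follow Sysmon's schema; every value, the blocklist hash and the driver file names are invented placeholders. Three checks are combined: signature status, a SHA256 blocklist of known-vulnerable drivers (an organisation would populate it from its own or a vendor's list), and the load path, since a kernel driver staged from a user-writable directory is itself suspicious.

```python
import json
from typing import Iterator

# Constructed Sysmon Event ID 6 records (JSON lines). Field names follow
# Sysmon's DriverLoad schema; all values are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2024-01-25 10:01:03.112", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2024-01-25 10:02:41.500", "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendor_nic.sys", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000002", "Signed": "true", "Signature": "Example NIC Vendor Inc.", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2024-01-25 10:05:12.009", "ImageLoaded": "C:\\Users\\Public\\Libraries\\PLACEHOLDER_VULN.sys", "Hashes": "SHA256=PLACEHOLDER_VULN_DRIVER_SHA256", "Signed": "true", "Signature": "Legitimate Vendor Ltd.", "SignatureStatus": "Valid"}
{"EventID": 6, "UtcTime": "2024-01-25 10:05:15.330", "ImageLoaded": "C:\\Windows\\Temp\\svc.sys", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000003", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""

# Placeholder blocklist; a real deployment would load SHA256 values of known
# vulnerable drivers from its own intelligence or a vendor-maintained list.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_VULN_DRIVER_SHA256"}

# Directories from which a kernel driver should normally never be loaded.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def parse_hashes(field: str) -> dict[str, str]:
    """Turns Sysmon's 'SHA256=...,MD5=...' field into {algorithm: value}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def iter_events(text: str) -> Iterator[dict]:
    """Yields one parsed record per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def triage_driver_load(event: dict) -> list[str]:
    """Returns the list of reasons a DriverLoad event deserves attention
    (empty when nothing matched). Only EventID 6 records are considered."""
    reasons: list[str] = []
    if event.get("EventID") != 6:
        return reasons
    path = event.get("ImageLoaded", "")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    if sha256 in {h.lower() for h in VULNERABLE_DRIVER_HASHES}:
        reasons.append("hash on vulnerable-driver blocklist")
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    return reasons


def triage(text: str) -> list[dict]:
    """Runs triage over a JSON-lines batch and returns the alerts in order."""
    alerts = []
    for ev in iter_events(text):
        reasons = triage_driver_load(ev)
        if reasons:
            alerts.append({"UtcTime": ev["UtcTime"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['UtcTime']}  {alert['ImageLoaded']}")
        for r in alert["reasons"]:
            print(f"    - {r}")
```

Of the four constructed records, the two drivers in System32 pass all checks, the validly signed driver staged under a user profile is flagged by the blocklist and the path check (the BYOVD case the signature check alone would miss), and the unsigned driver in a temp directory is flagged twice. A driver load followed shortly by the termination of security-product processes is the sequence worth correlating in a SIEM.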
Trending Malware of the Week
This week “LODEINFO” is trending. LODEINFO is a fileless malware discovered in spear-phishing email campaigns since December 2019, primarily targeting Japanese media, diplomacy, public institutions, defense industries, and think tanks. Recently, a new version, v0.7.3, has been identified, indicating ongoing development. Security experts suspect the involvement of APT10 due to similarities in methods and malware. Attacks persist in 2023, with updated versions featuring new capabilities and anti-analysis techniques. The attackers seem focused on concealing their Tactics, Techniques, and Procedures (TTPs). Limited information on detection suggests that identifying LODEINFO is becoming more challenging, as only a few samples were found in 2023, and details of their analysis are not widely publicized.
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next-generation AI-powered threat intelligence platform, External Threat Landscape Management (ETLM), to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.
SCHEDULE A DEMO HERE
Visit www.cyfirma.com