Winos 4.0 Behind Operation Holding Hands

The Operation Holding Hands campaign employs a stolen digital certificate to distribute a backdoor malware named “給与制度改定のお知らせ.exe” targeting Japanese users, utilizing multi-stage payload delivery and runtime decryption to evade detection. The malware’s complex behaviors include privilege escalation, in-memory execution, and connections to the China-linked APT group Silver Fox via the Winos 4.0 framework. #HoldingHands #Winos4.0 #SilverFox

GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT

Insikt Group uncovered new infrastructure and infection methods employed by GrayAlpha, a cybercriminal group overlapping with FIN7, including custom loaders PowerNet and MaskBat leading to NetSupport RAT infections. The report highlights three primary infection vectors and emphasizes the importance of application allow-lists, employee training, and updated detection rules to combat these threats. #GrayAlpha #FIN7 #NetSupportRAT #PowerNet #MaskBat


Elastic enhances Windows endpoint security by leveraging call stacks to identify malicious activities with greater precision, distinguishing the actor behind behaviors rather than just the actions themselves. The approach enriches call stacks with contextual data to aid detection, triage, and hunting, while addressing challenges like spoofing and limitations of stack walking. #CallStacks #ElasticDefend #SilentMoonwalk

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

Ransomware actors are exploiting unpatched SimpleHelp RMM instances to target utility billing software customers, emphasizing the need for updates and threat mitigation. The attack pattern highlights ongoing vulnerabilities exploited by groups like DragonForce and others, with mitigation strategies recommended by CISA. #SimpleHelp #DragonForce…


Ransomware actors have been exploiting a path traversal vulnerability (CVE-2024-57727) in SimpleHelp Remote Monitoring and Management (RMM) version 5.5.7 and earlier to target downstream customers, particularly in the utility billing sector. CISA urges immediate mitigation steps including software upgrades, system isolation, and threat hunting to prevent and respond to these attacks…

Operationalizing Threat Intelligence vs. Threat Hunting: What Does It Really Mean?

Today’s threat actors are increasingly sophisticated, necessitating proactive cybersecurity strategies like threat intelligence and threat hunting to defend against advanced adversaries. Operationalizing these practices within security operations enables organizations to detect unknown threats earlier and improve response times. #eSentire #ThreatHunting #ThreatIntelligence

Updated Response to CISA Advisory (AA23-352A): #StopRansomware: Play Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Australian Cyber Security Centre (ACSC) released an updated advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) related to the Play ransomware group, active since 2022 and responsible for widespread attacks. The advisory includes new behaviors such as…

JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique

A large-scale campaign is compromising legitimate websites by injecting obfuscated JavaScript using the JSFireTruck technique, redirecting users from search engines to malicious pages that deliver malware and unwanted content. The campaign affects hundreds of thousands of webpages and employs type coercion-based obfuscation, making detection and analysis challenging. #JSFireTruck #Unit42 #VirusTotal…

Gone But Not Forgotten: Black Basta’s Enduring Legacy

The ransomware group Black Basta disbanded after internal chat leaks, but its tactics, especially mass email spam and Microsoft Teams phishing, continue to be used by former members and new groups. Emerging attack methods now include Python script execution with cURL for payload delivery, emphasizing the need for strong user education and vigilant defense strategies. #BlackBasta #MicrosoftTeamsPhishing #CactusRaaS
