Andy's News Roundup

Iran-linked cyberspies expand targeting to medical researchers, travel agencies


A cyberespionage group aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC) has been observed attacking new targets over the last two years, including medical researchers, an aerospace engineer and even a Florida-based realtor. The group, tracked as TA453 but also commonly referred to as Phosphorus, Charming Kitten and APT42, has historically gone after Middle East researchers and academics, policymakers, journalists and dissidents, according to a report published Wednesday by security firm Proofpoint. But deviations in both their targeting and tactics in recent months suggest the group has shifted its operations to support the IRGC’s intelligence needs. “They are attacking...

Precious Gemstones: The New Generation of Kerberos Attacks


Executive Summary: Unit 42 researchers present new detection methods for a new line of Kerberos attacks that let attackers modify Kerberos tickets to maintain privileged access. The best-known attack of this kind is the Golden Ticket, which lets a threat actor forge a ticket-granting ticket (TGT) to masquerade as a highly privileged user. The two newer attacks extend the Golden Ticket attack in that the forged tickets are not created from scratch, but...
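The summary above turns on forged tickets that impersonate a privileged user. A long-standing heuristic for a TGT forged from scratch is that no domain controller ever issued it: the account shows service-ticket requests (Windows event 4769) with no preceding TGT request (4768) or renewal (4770) on any DC, or only one older than the domain's TGT lifetime. The Python below is an added illustration of that heuristic over constructed sample events; it is not the Unit 42 detection logic from the report, and the event tuples, account names and DC names are made up.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events, NOT taken from the Unit 42 report.
# Tuple: (timestamp, event ID, account name, domain controller).
#   4768 = TGT requested, 4770 = TGT renewed, 4769 = service ticket requested
SAMPLE_EVENTS = [
    ("2022-12-14 08:00:05", 4768, "alice",      "DC01"),
    ("2022-12-14 08:00:06", 4769, "alice",      "DC01"),
    ("2022-12-14 09:15:00", 4769, "svc_backup", "DC02"),  # no 4768 for this account anywhere
    ("2022-12-14 09:16:00", 4769, "svc_backup", "DC02"),
    ("2022-12-14 20:30:00", 4769, "alice",      "DC01"),  # >10h after alice's last TGT
]

# Active Directory default for the Kerberos policy "Maximum lifetime for user ticket".
DEFAULT_TGT_LIFETIME = timedelta(hours=10)


def find_unbacked_service_tickets(events, tgt_lifetime=DEFAULT_TGT_LIFETIME):
    """Flag 4769 events whose account has no 4768/4770 within tgt_lifetime.

    A TGT forged offline (Golden Ticket) is never requested from a DC, so the
    account presents service-ticket requests with no TGT issuance behind them.
    Events must be merged from every DC in the domain for this to be meaningful.
    Returns a list of (timestamp, account, dc, reason) tuples.
    """
    last_tgt = {}      # account -> time of most recent TGT request or renewal
    findings = []
    for ts, event_id, account, dc in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id in (4768, 4770):
            last_tgt[account] = t
        elif event_id == 4769:
            issued = last_tgt.get(account)
            if issued is None:
                findings.append((ts, account, dc, "service ticket with no TGT request seen"))
            elif t - issued > tgt_lifetime:
                findings.append((ts, account, dc, "service ticket after TGT lifetime expired"))
    return findings


if __name__ == "__main__":
    for finding in find_unbacked_service_tickets(SAMPLE_EVENTS):
        print(finding)
```

Two caveats a practitioner should keep in mind. First, the check produces false positives for accounts whose TGT was issued before log retention began or by a DC whose logs are not collected, so it is a hunting lead rather than an alert. Second, exactly as the summary says, the newer attacks start from a ticket that was legitimately issued, so a genuine 4768 exists for the account and this heuristic alone does not catch them.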

Log4j: One Year Later


One year ago, the Log4j remote code execution vulnerability known as Log4Shell (CVE-2021-44228) was disclosed. The critical-severity flaw in a logging framework used across virtually all Java environments set the internet on fire as soon as it was published and exploited. It is considered one of the most critical vulnerabilities ever because of the prevalence of Log4j, a popular Java library for logging messages in applications, and because Log4Shell is so easy to exploit: an attacker only has to get a crafted string into any value the application logs, and Log4j itself fetches and executes attacker-controlled code, giving remote control over the system. It’s been a year...

Calisto shows interest in entities involved in Ukraine war support


Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that align closely with Russian strategic interests. Calisto mainly focuses on Western countries, especially the United States, and Eastern European countries. The group was observed carrying out phishing campaigns aiming at credential theft, targeting military and strategic...

Is the Hagga threat actor (ab)using the FSociety framework?


Introduction: Today I’d like to share a quick analysis initiated during a threat hunting process. The first observable was found while hunting over OSINT sources; the entire infrastructure was still up and running during the analysis, and the malicious payload was still downloadable.

Analysis: My first observable was a zipped text file containing a simple update.js script. The script was built to defeat automatic analysis tools, since its size (>9MB) makes it really hard to beautify or to remove the unwanted/funny/added junk code that appears everywhere.

name: update.js
sha256: 9ea4eebd9cf2a5d4e6343cb559d8c996fae6bf0f3bd7ffada0567053c08acc31
type: Drop and Execute

Stage 1: The following images show how it...
