"Breach Report" from UAC-0099 (CERT-UA#12463) The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted files and .NET programs for decryption and in-memory execution. The group's espionage activities continue to evolve, with changing targets and infrastructure. The attackers use Cloudflare to hide their infrastructure and to keep it fault tolerant. The report emphasizes the importance of implementing proper cyber defense measures to protect state information resources. Date: 2024-12-18 19:48:22
A Look Back: The Evolution of Latin American eCrime Malware in 2024 Latin American cybercrime continues to evolve as adversaries refine their tactics and techniques. Key developments in 2024 include the adoption of Rust for improved evasion, consistent use of multi-stage infection chains and malspam campaigns, and evidence of collaboration among threat actors. Notable updates were observed across malware families like Mispadu, Kiron, Caiman, Culebra, Salve, and Astaroth. These updates ranged from new delivery mechanisms and obfuscation techniques to enhanced stealer features. Despite innovations, Delphi-based components remain prevalent. The ongoing refinement of these malware families highlights the adaptability and ingenuity of Latin American cybercriminals in sustaining their operations. Date: 2024-12-18 19:17:29
Your Data Is Under New Management: The Rise of LummaStealer LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized businesses. The malware employs various infection vectors, including phishing emails, cracked software, and malicious downloads. It harvests credentials, cookies, cryptocurrency wallets, and system information, exfiltrating data to remote servers. Recent campaigns have shown increased sophistication in social engineering tactics and the use of legitimate platforms like Steam and Dropbox to evade detection. The malware's accessibility through MaaS has made it popular among diverse threat actors, complicating attribution efforts. Date: 2024-12-18 18:13:53
Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 phishing kit codebase. Sneaky Log's operations include selling tools like the AiTM phishing kit, an email sender, and redirect/attachment services. The service uses multiple cryptocurrencies for payments and may employ transaction obfuscation mechanisms. Date: 2025-01-17 17:01:28
Threat Brief: CVE-2025-0282 and CVE-2025-0283 Two critical vulnerabilities in Ivanti Connect Secure, Policy Secure and ZTA gateway products have been discovered. CVE-2025-0282 allows remote code execution, while CVE-2025-0283 enables privilege escalation. Attacks exploiting CVE-2025-0282 have been observed in the wild, involving initial access, credential harvesting, lateral movement, defense evasion, and persistence. Attackers used custom tools like SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH. The activity cluster CL-UNK-0979 has been identified, potentially linked to UNC5337. Immediate patching and monitoring are strongly recommended. Various Palo Alto Networks products offer protection against these threats. Date: 2025-01-17 17:17:41