-
Nov 26, 2024 | 
securelist.com | Cristian Souza |Eduardo Ovalle |Ashley Munoz |Timofey Ezhov
IntroductionIn a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).
-
Sep 24, 2024 | 
securelist.lat | Anna Larkina |Flavio Negrini |Eduardo Ovalle |Abdul Rhman Alfaifi
El rastreo web se ha convertido en un aspecto omnipresente de nuestra vida en Internet. Ya sea que naveguemos por las redes sociales o juguemos videojuegos, compremos productos o simplemente leamos artículos de noticias, el rastreo web funciona de forma discreta y silenciosa en nuestras sesiones de navegación, y cuenta con millones de procesadores en miles de centros de datos de todo el mundo funcionando sin parar y a pleno rendimiento.
-
Sep 20, 2024 | 
securelist.com | Sherif Magdy |Fedor Sinitsyn |Yanis Zinchenko |Eduardo Ovalle
In the spring of 2024, posts with real people’s personal data began appearing on the -=TWELVE=- Telegram channel. Soon it was blocked for falling foul of the Telegram terms of service. The group stayed off the radar for several months, but as we investigated a late June 2024 attack, we found that it employed techniques identical to those of Twelve and relied on C2 servers linked to the threat actor. We are therefore confident that the group is still active and will probably soon resurface.
-
Jun 24, 2024 | 
securelist.lat | Alexey Antonov |Anton Kivva |David Emm |Eduardo Ovalle
La potencia de cálculo de las computadoras no cesa de aumentar, lo que permite a los usuarios resolver tareas cada vez más complejas con mayor rapidez. Esto lleva, entre otras cosas, a que contraseñas que hace unos años eran imposibles de descifrar, hoy en 2024, los atacantes logren descifrarlas en cuestión de segundos.
-
May 28, 2024 | 
securelist.com | Cristian Souza |Eduardo Ovalle |Dmitry Kachan |Alina Sukhanova
IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.
-
May 23, 2024 | 
securelist.com | Eduardo Ovalle |Ashley Munoz |Cristian Souza |Christopher Zachor
IntroductionAttackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt.
-
Apr 22, 2024 | 
securelist.com | Andrey Gunkin |Alexander Fedotov |Natalya Shornikova |Eduardo Ovalle
We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.
-
Sep 8, 2023 | 
securelist.com | Igor Golovin |Eduardo Ovalle |Francesco Figurelli |Tatyana Machneva
A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world. What can possibly be wrong with a Telegram mod duly tested by Google Play and available through the official store?
-
Aug 25, 2023 | 
securelist.com | Eduardo Ovalle |Francesco Figurelli |Tatyana Machneva |Olga Svistunova
Lockbit is one of the most prevalent ransomware strains. It comes with an affiliate ransomware-as-a-service (RaaS) program offering up to 80% of the ransom demand to participants, and includes a bug bounty program for those who detect and report vulnerabilities that allow files to be decrypted without paying the ransom. According to the Lockbit owners, the namesake cybercriminal group, there have been bounty payments of up to 50 thousand dollars.
-
Aug 14, 2023 | 
securelist.com | Olga Svistunova |Alexander Rodchenko |Francesco Figurelli |Eduardo Ovalle
Phishers want their fake pages to cost minimum effort but generate as much income as possible, so they eagerly use various tools and techniques to evade detection, and save time and money. Examples include automation with phishing kits or Telegram bots. Another tactic, popular with scammers big and small, phishers included, is hacking websites and placing malicious content on those, rather than registering new domains.
