Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud. If proven guilty, Fitzpatrick, who… [...]
Single sign-on (SSO) is an authentication method that allows users to authenticate their identity for multiple applications with just one set of credentials. From a security standpoint, SSO is the… [...]
A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses… [...]
Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover… [...]
In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to… [...]
The professional services industry—made up of companies that provide specialized consulting services such as legal, accounting, and architecture firms, as well as non-governmental organizations (NGOs)—has come under increased attack… [...]
Cybercriminals and nation-state actors alike find the manufacturing industry an attractive target for attacks due to the rich intellectual property data it houses. From chemicals to electronics to automobiles and… [...]
IcedID is one of the most popular trojans in use today and is a favored tool of many threat groups with a long record of successful compromises. Originally classified as… [...]
The financial services industry has long been an attractive target for cybercriminals seeking financial gain, and as sophisticated nation-state groups progressively target this sector, risks to financial assets are growing.… [...]
In the process of a routine threat-hunting exercise, Cyble researchers discovered a post on a forum that contained information on stealer malware. The post stated that the stealer known as… [...]
The NCSC's threat report is drawn from recent open source reporting. [...]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit… [...]
This vulnerability allows remote attackers to delete application-level data on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit… [...]
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]
Severity: Information only. Cisco has released security updates to address nine High and nine Medium severity vulnerabilities for Cisco IOS XE, Cisco IOS, Cisco DNA Center, and other products. [...]
Severity: Information only. The security update addresses the vulnerability CVE-2023-27532, which affects the Veeam Backup & Replication Component. Updated:… [...]
Severity: Information only. Five security advisories address multiple vulnerabilities affecting the Drupal platform. Updated: 21 Mar 2023 [...]
Severity: Low. B. Braun Medical Space Battery Pack SP with Wi-Fi contains a vulnerability that could cause privilege escalation. [...]
Severity: Information only. Adobe security updates address vulnerabilities in ColdFusion, Photoshop, and other Adobe products. Updated: 15 Mar… [...]
Severity: Medium. Scheduled security updates address vulnerabilities affecting multiple products. Updated: 15 Mar 2023 [...]
Severity: Medium. Scheduled updates for Microsoft products, including security updates for two zero-day vulnerabilities. Updated: 15 Mar 2023 [...]
Severity: High. Microsoft has released a critical security update to address the zero-day vulnerability known as CVE-2023-23397. [...]
Severity: Medium. Updates address 1 Low, 8 Medium, and 5 High severity vulnerabilities, including an actively exploited vulnerability in FortiOS. [...]
Severity: Medium. Critical update addresses an RCE vulnerability and a second vulnerability that could lead to a DoS condition. [...]
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred. In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.
This blog
In January 2023, the Anonymous affiliated hacktivist group, GhostSec, claimed on social media to have deployed ransomware to encrypt a Belarusian remote terminal unit (RTU)—a type of operational technology (OT) device for remote monitoring of industrial automation devices. The actors’ stated intention was to demonstrate support for Ukraine in the ongoing Russian invasion. Researchers, OT security professionals and media outlets analyzed the claims and concluded that the actor overstated the implications of the alleged attack.
Although there was no significant impact in this particular
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.
We
In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.
During our investigation, Mandiant consultants identified that most of the originally compromised hosts targeted by UNC2970 contained the file %temp%\_SB_SMBUS_SDK.dll and suspicious drivers, created on disk at around the same time.
At the time Mandiant initially identified these files