Source |
RiskIQ |
Identifier |
8618668 |
Publication date |
2024-12-02 12:13:17 (viewed: 2024-12-02 13:08:22) |
Title |
Weekly OSINT Highlights, 2 December 2024 |
Text |
## Snapshot
Last week's OSINT reporting highlights the sophistication and diversity of current cyber threat campaigns: advanced techniques, varied attack vectors, and strategic targeting. Key themes include ransomware operations such as Elpaco and CyberVolk, which rely on strong encryption and Ransomware-as-a-Service models, and phishing campaigns such as Rockstar 2FA and SVG-based malware distribution, which bypass MFA and abuse image formats as a delivery vehicle. Attack vectors spanned vulnerabilities such as Zerologon and CVE-2023-28461, legitimate remote-management tools such as Atera, and novel methods such as Wi-Fi proximity attacks. Threat actors ranged from state-sponsored groups to financially motivated cybercriminals and hacktivists. Targets reflected global geopolitical and economic stakes, concentrating on public sectors, critical infrastructure, and high-value industries across Europe, the US, and Asia, which reinforces the importance of proactive threat intelligence and mitigation.
## Description
1. [BianLian's Shift to Data Extortion](https://sip.security.microsoft.com/intel-explorer/articles/c958d17f): The BianLian ransomware group has moved from file encryption to data-theft extortion, using privilege escalation, SOCKS5 tunneling, and customized PowerShell scripts. Active since 2022, the group targets sectors such as healthcare and airlines, gains access through techniques such as ProxyShell exploitation, and telephones employees to pressure victims into paying.
2. [BYOVD Campaign Exploiting Avast Driver](https://sip.security.microsoft.com/intel-explorer/articles/75844a3f): Trellix researchers discovered malware that uses the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique with an outdated Avast anti-rootkit driver to bypass tamper protection. Operating with kernel-level privileges through the driver, the malware terminates security processes, a significant risk to organizations that rely on antivirus and EDR products. Because BYOVD depends on loading a signed but vulnerable driver, enforcing Microsoft's vulnerable driver blocklist (through HVCI or WDAC) and alerting on new kernel driver service installations are the standard defensive checks.
3. [SpyLoan Apps Targeting Global Users](https://sip.security.microsoft.com/intel-explorer/articles/ddc51ef9): McAfee Labs reported a surge in SpyLoan apps on Android devices that prey on users in South America, Asia, and Africa. These apps harvest sensitive data, misuse the permissions they request, and extort victims, leading to financial fraud and harassment.
4. [Exploitation of CVE-2023-28461](https://sip.security.microsoft.com/intel-explorer/articles/4d4a4d34): CISA flagged CVE-2023-28461, an improper-authentication vulnerability in Array Networks' ArrayOS, as actively exploited and mandated remediation by December 2024. The vulnerability threatens both federal and non-federal organizations.
5. [Hexon Stealer Targets Discord Users](https://sip.security.microsoft.com/intel-explorer/articles/19796350): CYFIRMA linked Hexon Stealer, a rebranded version of Stealit Stealer, to credential theft and cryptocurrency wallet exfiltration. Built with the Electron framework, the malware injects malicious code into Discord, giving attackers full control of the system.
6. [North Korean IT Worker Front Companies](https://sip.security.microsoft.com/intel-explorer/articles/d3dd2b00): SentinelLabs uncovered the DPRK's use of fake tech companies impersonating U.S. brands to win global contracts and fund state programs. These front companies route payments through shadow banking systems and cryptocurrencies, supporting activities such as weapons development.
7. [Elpaco Ransomware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/73371539): Kaspersky reported on Elpaco, a Mimic variant whose operators gain initial access by brute-forcing RDP and escalate privileges with Zerologon (CVE-2020-1472). The attacks, which hit a range of industries worldwide, combine strong encryption with file discovery routines, leaving files unrecoverable without the attacker's private key.
8. [CyberVolk Ransomware Operations](https://sip.security.microsoft.com/intel-explorer/articles/db8b4022): CyberVolk, a pro-Russian hacktivist group, has deployed ransomware like Hexa |
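The Elpaco entry above names RDP brute force as the initial-access step. The following detection logic is an added example, not code from the RiskIQ/Microsoft digest or from any of the cited reports: it scans Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RemoteInteractive/RDP) with a sliding window per source IP, distinguishes a single-account brute force from password spraying by the number of distinct accounts tried, and flags the case a responder cares about most, a successful RDP logon from the same source right after the burst. The event records, IP addresses, account names and the 5-failures-in-2-minutes threshold are constructed assumptions for illustration.

```python
"""Detect RDP brute-force bursts from Windows Security events.

Added example for the Elpaco entry; the events below are constructed
sample data in the shape of Windows Security log fields, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed field names):
#   id   = Windows event ID (4625 failed logon, 4624 successful logon)
#   type = LogonType (10 = RemoteInteractive, i.e. RDP; 3 = Network)
SAMPLE_EVENTS = [
    # one source, one account, six failures in under a minute, then success
    {"time": "2024-11-25T02:00:01", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:00:05", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 3},
    {"time": "2024-11-25T02:00:12", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:00:23", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:00:34", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:00:45", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:00:56", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    {"time": "2024-11-25T02:01:40", "id": 4624, "ip": "203.0.113.7", "user": "administrator", "type": 10},
    # a second source that stays below the threshold (likely a mistyped password)
    {"time": "2024-11-25T02:05:00", "id": 4625, "ip": "198.51.100.9", "user": "backup", "type": 10},
    {"time": "2024-11-25T02:05:30", "id": 4625, "ip": "198.51.100.9", "user": "backup", "type": 10},
    {"time": "2024-11-25T02:06:00", "id": 4625, "ip": "198.51.100.9", "user": "backup", "type": 10},
    # a third source trying many accounts: password spraying, no success
    {"time": "2024-11-25T02:10:00", "id": 4625, "ip": "192.0.2.5", "user": "svc_sql", "type": 10},
    {"time": "2024-11-25T02:10:10", "id": 4625, "ip": "192.0.2.5", "user": "jsmith", "type": 10},
    {"time": "2024-11-25T02:10:20", "id": 4625, "ip": "192.0.2.5", "user": "admin", "type": 10},
    {"time": "2024-11-25T02:10:30", "id": 4625, "ip": "192.0.2.5", "user": "helpdesk", "type": 10},
    {"time": "2024-11-25T02:10:40", "id": 4625, "ip": "192.0.2.5", "user": "scanner", "type": 10},
    {"time": "2024-11-25T02:10:50", "id": 4625, "ip": "192.0.2.5", "user": "guest", "type": 10},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside `window`. Each finding records when
    the burst started, total failures, distinct accounts tried, the inferred
    pattern, and the first successful RDP logon from that source after the burst."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    recent = defaultdict(deque)        # ip -> failure timestamps inside the window
    total_failures = defaultdict(int)
    tried_accounts = defaultdict(set)
    findings = {}

    for e in events:
        if e["type"] != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        t, ip = parse_time(e["time"]), e["ip"]
        if e["id"] == 4625:
            total_failures[ip] += 1
            tried_accounts[ip].add(e["user"])
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"burst_start": q[0].isoformat(), "success_after": None}
        elif e["id"] == 4624 and ip in findings and findings[ip]["success_after"] is None:
            # a successful RDP logon from a source already flagged for brute force
            findings[ip]["success_after"] = {"time": t.isoformat(), "user": e["user"]}

    for ip, f in findings.items():
        f["failed_attempts"] = total_failures[ip]
        f["distinct_accounts"] = len(tried_accounts[ip])
        # many accounts from one source is spraying; one or two accounts is a targeted guess
        f["pattern"] = "password spraying" if f["distinct_accounts"] >= 3 else "targeted brute force"
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

In production the same logic runs over 4625/4624 events pulled from a SIEM; the `success_after` field is the one to page on, since a burst that ends in a successful RemoteInteractive logon is the point at which the Elpaco playbook moves to privilege escalation.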
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Medical
|