apt & targeted attacks

Attack on Security Titans: Earth Longzhi Returns With New Tricks

Posted on May 2, 2023May 2, 2023 by Admin

Attack on Security Titans: Earth Longzhi Returns With New Tricks After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat. By: Ted Lee, Hara Hiroaki May 02, 2023 Read time: ( words) We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based…

Earth Preta’s Cyberespionage Campaign Hits Over 200

Posted on March 27, 2023March 27, 2023 by Admin

This mix of traditional intelligence trade craft and cyber techniques could mean that these groups have access to advanced resources and support from nation states, since such techniques are not typically available to independent hackers. Moreover, this approach could signify the growing convergence of cyber- and physical security as cyberattacks continue to move beyond digital systems and into the physical world. Operation groups While this is not a comprehensive list, we summarize and attribute the…

Earth Preta Updated Stealthy Strategies

Posted on March 23, 2023March 25, 2023 by Admin

We categorize the different TTPs into six stages: arrival vectors, discovery, privilege escalation, lateral movement, command and control (C&C) and exfiltration, respectively. In our previous research, we covered most of the new TTPs and malware during the first stage, arrival vectors. However, we observed that some of TTPs have been changed. In the following sections, we focus on the updated arrival vectors and their succeeding stages. We previously summarized the arrival vectors used by Earth…

Patch CVE-2023-23397 Immediately: What You Need To Know and Do

Posted on March 21, 2023March 25, 2023 by Admin

How is CVE-2023-23397 exploited? The attacker sends a message to the victim with an extended Message Application Program Interface (MAPI) property with a Universal Naming Convention (UNC) path to a remote attacker-controlled Server Message Block (SMB, via TCP 445). Share-hosted on a server controlled by the attacker, the vulnerability is exploited whether the recipient has seen the message or not. The attacker remotely sends a malicious calendar invite represented by .msg — the message format…

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Posted on March 1, 2023March 1, 2023 by Admin

The persistence is ensured by copying a script similarly named as the current filename to the /usr/lib/systemd/system/ directory, and creating a symlink to this file in the /etc/ystem/system/multi-user.target.wants/ directory. Thus, this method only works if the current process has root privileges. The content of the script is: [Unit]Description=xxx[Service]Type=forkingExecStart=<path to current file> -xExecStop=/usr/bin/id[Install]WantedBy=multi-user.target After running the code dependent on the parameters, if the operator has not chosen a GUID with the “-f” parameter, the malware generates…

Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack

Posted on February 17, 2023February 17, 2023 by Admin

Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack APT & Targeted Attacks We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea. By: Joseph C Chen, Jaromir Horejsi February 17, 2023 Read time: ( words) We discovered a…

Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Posted on February 16, 2023February 16, 2023 by Admin

Technical perspectives Based on the arsenals and TTPs, we believe Earth Yako may be related to a number of existing groups. However, since we could only observe partial technical overlaps between Earth Yako and the following groups, we note that this is not our final attribution. We found the overlaps similar with the following groups: 1. Darkhotel Darkhotel (a.k.a. DUBNIUM) is a threat actor observed to frequently target Japanese organizations in the past. Earth Yako’s…

New APT34 Malware Targets The Middle East

Posted on February 2, 2023February 3, 2023 by Admin

APT34 Targeting and Arsenal Evolution APT34 has been documented to target organizations worldwide, particularly companies from the financial, government, energy, chemical, and telecommunications industries in the Middle East since at least 2014. Documented as a group primarily involved for cyberespionage, APT34 has been previously recorded targeting government offices and show no signs of stopping with their intrusions. Our continuous monitoring of the group proves it continues to create new and updated tools to minimize the detection…

Attacking The Supply Chain: Developer

Posted on January 25, 2023January 25, 2023 by Admin

In 2021, we published an entry identifying the weak parts of the supply chain security. In the face of the surge in documented attacks, the entry gave a summarized overview of how malicious actors found gaps to abuse and take advantage of for possible gains and disruptions. In this entry, we focus on one specific part of the supply chain: the developers themselves. To find a suitable attack model focusing on the developer, we must…

Raspberry Robin Malware Targets Telecom, Governments

Posted on December 20, 2022December 20, 2022 by Admin

We noted layers 3 and 5 as capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as well as the tenth and thirteenth. The packing of the eighth and fourteenth layers are also similar. This repeated use of packers implies that the group is using a separate packing program. We are continuing with our analysis to see if this program is their own…

1 2 3 4 »

apt & targeted attacks

Attack on Security Titans: Earth Longzhi Returns With New Tricks

Earth Preta Updated Stealthy Strategies

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack

Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

New APT34 Malware Targets The Middle East

Raspberry Robin Malware Targets Telecom, Governments

VMWARE

Helping Public Sector Organisations Define Cloud Strategy

How to change the VLAN ID of the Service Console in ESX from the command line/console

Cisco UCS and Vmware Interfaces (Vnics) HA Design Considerations

Troubleshooting network and TCP/UDP port connectivity issues on ESX/ESXi(2020669)

vSphere Client Parameters

Configuration Templates

CUE Licenses

Trouble shooting Unity Express with Call Manager Integeration & Operational Issues

CME Configuration Example: SIP Trunks to Viatalk and VoIP.ms

SIP Phone registration – CME Configuration

CUE Voicemail + VPIM networking (CUE to unity)