Posts

Showing posts from June, 2023

Linux version of Akira ransomware targets VMware ESXi servers

The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. Akira first emerged in March 2023, targeting Windows systems in various industries, including education, finance, real estate, manufacturing, and consulting. Like other enterprise-targeting ransomware gangs, the threat actors steal data from breached networks and encrypt files to conduct double extortion on victims, demanding payments that reach several million dollars. Since launching, the ransomware operation has claimed over 30 victims in the United States alone, with two distinct activity spikes in ID Ransomware submissions at the end of May and the present.

[Figure: Akira activity in the past months]

Akira targets VMware ESXi

The Linux version of Akira was first discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last we

VPN and RDP Exploitation the Most Common Attack Technique

Exploitation of remote services like VPNs and RDP was the most commonly seen attack technique last year, according to a new report from ReliaQuest. The threat intelligence firm’s ReliaQuest Annual Cyber-Threat Report 2023 is based on data from 35,000 incidents remediated for clients between February 2022 and February 2023. The report recorded nearly 5000 instances of remote service exploitation, more than double the next most common technique: active scanning. The technique became particularly popular among threat actors during the pandemic with the advent of mass home working. “This comes as no surprise; exposed remote services, including VPN, Citrix, TeamViewer or RDP, represent one of the most common methods of enabling initial access onto a targeted network, or establishing persistence,” the report explained. “We have observed significant threat actor interest in identifying exposed RDP servers, which has resulted in a flourishing ecosystem of cyber-criminal activity in identifying
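The report's point is that exposed RDP is where attackers go first, so the check a defender wants is a detection that surfaces password guessing against RDP and, more importantly, a guess that eventually succeeds. The block below is an added example, not code from ReliaQuest or the report: it runs a sliding-window failed-logon detection over a constructed list of Windows Security events (4625 = failed logon, 4624 = successful logon) reduced to the fields the logic needs. The field names, hosts, IP addresses and thresholds are assumptions chosen for illustration; in practice the events would come from Windows Event Forwarding or a SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that correspond to RDP: 10 = RemoteInteractive. With Network Level
# Authentication enabled the credential check is logged as type 3 (Network) first,
# so both are treated as RDP here.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample events (not real telemetry): one spraying source that finally
# gets in, one user mistyping a password twice, one slow source below threshold.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2023-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2023-06-01T02:00:20", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2023-06-01T02:00:31", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_rdp"},
    {"time": "2023-06-01T02:01:02", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "test"},
    {"time": "2023-06-01T02:01:40", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2023-06-01T02:02:15", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2023-06-01T08:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jdoe"},
    {"time": "2023-06-01T08:15:12", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jdoe"},
    {"time": "2023-06-01T08:15:30", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jdoe"},
    {"time": "2023-06-01T09:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "admin"},
    {"time": "2023-06-01T09:20:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "admin"},
    {"time": "2023-06-01T09:40:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "admin"},
    {"time": "2023-06-01T10:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.55", "user": "admin"},
]


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: finding} for sources with at least `threshold` failed RDP logons
    inside any `window`. A successful RDP logon from the same source after the last
    failure is the signal that matters most, so it raises the severity to high."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((t, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append((t, e["user"]))

    findings = {}
    for src, attempts in failures.items():
        times = [t for t, _ in attempts]
        peak = peak_in_window(times, window)
        if peak < threshold:
            continue
        last_failure = max(times)
        later = sorted((t, u) for t, u in successes.get(src, []) if t > last_failure)
        findings[src] = {
            "failures": len(attempts),
            "peak_in_window": peak,
            "users": sorted({u for _, u in attempts}),
            "success_after_failures": later[0][1] if later else None,
            "severity": "high" if later else "medium",
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

The threshold and window are deliberately conservative defaults; tune them against your own baseline, and treat the "success after failures" case as an incident rather than a noisy alert, since it is exactly the initial-access pattern the report describes.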

Kazakhstan detains Russian cyber expert wanted by Washington

Authorities in Kazakhstan have detained a Russian cybersecurity expert wanted by the United States, his employer said on Wednesday (28 June), as authorities in Moscow issued a court order in an attempt to pre-empt his extradition. Nikita Kislitsin, an employee of Russian cybersecurity firm F.A.C.C.T., was detained on 22 June and Kazakh authorities are considering Washington's extradition request, the company said in a statement. The United States has accused Kislitsin of buying personal data obtained through the 2012 hack of Formspring, a now-defunct social media site that allowed users to receive answers to questions. Russia has protested the detention, calling on Kazakhstan not to carry out the US request. A Russian diplomat in Kazakhstan, Consul-General Yevgeny Bobrov, was quoted in Russian media reports on 28 June as saying that the diplomatic mission had sent a note to the Kazakh foreign ministry, urging it not to move quickly on the extradition. Bobrov's note included requests

General Availability of Cloud Monitoring Console’s Maintenance Dashboard

Navigating the Maintenance Dashboard When you access the Maintenance Dashboard within the CMC app, your attention is immediately drawn to the informative card displaying details about the "next maintenance window" scheduled for your deployment within the next 30 days. This card appears only if you have a Splunk-initiated maintenance planned within a month. It provides valuable information such as the Maintenance Type, Maintenance ID, scheduled start time, and a status progress timeline, offering daily updates on the status of your maintenance window. For a more comprehensive view, the bottom section of the Maintenance Dashboard features a table that includes additional details about the operation types (e.g., Splunk upgrades, App upgrades) involved for each maintenance window. By default, the table is filtered to show all upcoming maintenance activities within the next 30 days, including the "next maintenance window." In this screenshot we see the

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe." The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features. The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, register usernames, and volume information. The amassed details are then transmitted t

CISA orders govt agencies to patch bugs exploited by Russian hackers

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six more security flaws to its known exploited vulnerabilities (KEV) list. Three of them were exploited by Russian APT28 cyberspies to hack into Roundcube email servers belonging to Ukrainian government organizations. The cyber-espionage group (also tracked as BlueDelta, Fancy Bear) was previously linked to Russia's General Staff Main Intelligence Directorate (GRU), the country's military intelligence service. According to a joint investigation from Recorded Future's threat research division Insikt Group and Ukraine's Computer Emergency Response Team (CERT-UA), the attackers exploited the Russia-Ukraine conflict to deceive recipients into opening malicious emails to exploit vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube Webmail software and granting them unauthorized access to unpatched servers. Once the email servers were compromised, they used malici
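A KEV addition is only useful if it reaches the people running the affected software, so the practical check is to diff the catalog against your own inventory and track the remediation due dates. The block below is an added example, not CISA's or the article's code. It parses a constructed stand-in for the KEV JSON feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the same field names; the dates and action text here are placeholders, and only the three Roundcube CVEs named in the article are included) and matches it against a constructed asset list. The hostnames and versions are assumptions. One caveat the code makes explicit: KEV records carry no affected-version ranges, so a vendor/product match means "go read the vendor advisory and confirm", not "confirmed vulnerable".

```python
import json
from collections import defaultdict
from datetime import date

# Constructed stand-in for the CISA KEV feed. Field names follow the public feed;
# the dates and requiredAction text are placeholders, not a copy of the catalog.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2020-35730", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2020-12641", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-44026", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory (hostnames and versions are assumptions).
INVENTORY = [
    {"host": "mail01.example.com", "vendor": "Roundcube", "product": "Webmail", "version": "1.4.9"},
    {"host": "mail02.example.com", "vendor": "roundcube", "product": "webmail", "version": "1.6.1"},
    {"host": "www01.example.com", "vendor": "Apache", "product": "HTTP Server", "version": "2.4.57"},
]


def load_kev(json_text):
    """Return the list of vulnerability records from a KEV-shaped JSON document."""
    return json.loads(json_text)["vulnerabilities"]


def product_key(vendor, product):
    """Normalise vendor/product so inventory spelling differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(kev_entries, inventory, today_iso):
    """Return one finding per (asset, KEV record) pair whose vendor/product match.

    KEV has no version data, so a match is a review item: the vendor advisory
    decides whether the installed version is actually affected."""
    today = date.fromisoformat(today_iso)
    by_product = defaultdict(list)
    for v in kev_entries:
        by_product[product_key(v["vendorProject"], v["product"])].append(v)

    findings = []
    for asset in inventory:
        for v in by_product.get(product_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": asset["host"],
                "version": asset.get("version"),
                "cve": v["cveID"],
                "date_added": v["dateAdded"],
                "due": v["dueDate"],
                "days_remaining": (due - today).days,
                "overdue": today > due,
                "action": v["requiredAction"],
                "note": "KEV carries no version range; confirm against the vendor advisory",
            })
    return sorted(findings, key=lambda f: (f["due"], f["host"], f["cve"]))


def hosts_needing_review(findings):
    """Distinct hosts that have at least one KEV match, sorted."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = match_inventory(load_kev(KEV_SAMPLE_JSON), INVENTORY, "2023-06-30")
    for f in results:
        status = "OVERDUE" if f["overdue"] else f"{f['days_remaining']}d left"
        print(f"{f['host']:22} {f['cve']:15} due {f['due']} ({status})")
```

Pointing `load_kev` at the real feed and `INVENTORY` at a CMDB export is the only change needed to run this for real; the due-date arithmetic is what turns a news item into a tracked remediation deadline.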

Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine

Attackers heavily focused on acquiring military and security intelligence in order to support invading forces. The Shuckworm espionage group is continuing to mount multiple cyber attacks against Ukraine, with recent targets including security services, military, and government organizations. In some cases, Shuckworm has succeeded in staging long-running intrusions, lasting for as long as three months. The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more. In a bid to stay ahead of detection, Shuckworm has repeatedly refreshed its toolset, rolling out new versions of known tools and short-lived infrastructure, along with new additions, such as USB propagation malware. Shuckworm (aka Gamaredon, Armageddon) is a Russia-linked group that has almost exclusively focused its operations on Ukraine since it first appea