Avos ransomware group expands with new attack arsenal
By Flavio Costa, * In a recent customer engagement, we observed a month-long AvosLocker campaign. * The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. * The initial ingress point in this incident was a pa
Microsoft Patch Tuesday for Feb. 2022 — Snort rules and prominent vulnerabilities
Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its large collection of hardware and software. None of the vulnerabilities disclosed this month are considered “critical,” an extreme rarity for the company’s Patch Tuesdays. Additionall
Threat Spotlight: Solarmarker
By Andrew Windsor, with contributions from Chris Neal. Executive summary * Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger. * A previous staging module, "d.m," used with this malware has been rep
Intelligence-driven disruption of ransomware campaigns
By Neil Jenkins and Matthew Olney. Note: Our guest co-author, Neil Jenkins, is the Chief Analytic Officer at the Cyber Threat Alliance. He leads the CTA's analytic efforts, focusing on the development of threat profiles, adversary playbooks and other analysis using the threa
Sowing Discord: Reaping the benefits of collaboration app abuse
As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. * Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organ
Defending Microsoft Exchange from encrypted attacks with Cisco Secure IPS
This blog was authored by Brandon Stultz Microsoft released fixes for several critical vulnerabilities in Exchange Server earlier this month. One of these vulnerabilities (CVE-2021-26855) — aka "ProxyLogon" — is especially dangerous. ProxyLogon is a server-side request
Kasablanka Group's LodaRAT improves espionage capabilities on Android and Windows
* The developers of LodaRAT have added Android as a targeted platform. * A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities. * The operators behind LodaRAT tied to a specific campaign targeting Bangladesh, although others h
LodaRAT Update: Alive and Well
* During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality. * Multiple new versions of LodaRAT have been spotted being used in the wild. * These new versions of LodaRAT abandoned their previous obfuscation techniques.
Trickbot: A primer
The group behind Trickbot has expanded its activities beyond credential theft into leasing malware to APT groups.