Bank Security (@bank_security)'s Twitter Profile
Bank Security

@bank_security

ID: 1886777581

Link: https://bank-security.medium.com/
Joined: 20-09-2013 14:37:43

3.3K Tweets

39.39K Followers

336 Following

Microsoft Threat Intelligence (@msftsecintel)

More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.

Cerbero Labs (@cprofiler)

Extreme PowerShell Obfuscation: blog.cerbero.io/?p=2709 The following is valid PowerShell code: ${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;};

The Brofessor (@glacius_)

Hey :) We published a #Qakbot infrastructure analysis bringing some cool findings. #QakBot C2 servers are not separated by affiliate ID, identification of three upstream C2 servers located in Russia, upstream activity, etc.: team-cymru.com/post/visualizi… IOCs included 🫡 Team Cymru Threat Research

Group-IB Threat Intelligence (@groupib_ti)

The Group-IB Threat Intelligence team has found a new #phishing kit #WonderP🔍 This phishing kit for rent primarily targets customers of German banks, but also has dormant functionality to target Dutch and Swiss victims in the future.

Microsoft Threat Intelligence (@msftsecintel)

A macOS vulnerability could allow an attacker with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on a device. Learn more about CVE-2023-32369, which we refer to as “Migraine”, and its patch in our latest blog: msft.it/6018gegrs

Microsoft Threat Intelligence (@msftsecintel)

Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims.

The Shadowserver Foundation (@shadowserver)

At least 20.3K Fortinet devices likely vulnerable to CVE-2023-27997 (heap buffer overflow in sslvpn pre-authentication) seen in our scans (on 2023-06-12) Fortinet advisory: fortiguard.com/psirt/FG-IR-23… Dashboard: dashboard.shadowserver.org/statistics/com… Make sure to update your FortiOS/FortiProxy!

Microsoft Threat Intelligence (@msftsecintel)

In our continuous tracking of Russian govt affiliated threat groups, Cadet Blizzard (DEV-0586) has emerged as a novel GRU-affiliated actor that's conducted destructive operations likely supporting military objectives in Ukraine. Get TTPs & protection info: msft.it/6016gmzAq

Chris Duggan (@tlp_r3d)

🔍Deep-dive on #MustangPanda indicators found in Trend Micro's latest and awesome blog 🐼 📍5.188.33.190 (hostname mail.mofa[.]gov[.]tw) revealed an intriguing ssl cert. A #Shodan pivot unveiled another hit: 23.106.123.59 which also had hostname mail.mofa[.]gov[.]tw.

FalconFeeds.io (@falconfeedsio)

The KILLNET hacker group allegedly claims to have targeted the IBAN banking system, and it also claims to target SEPA, WISE and SWIFT. Meanwhile, the "REvil" group started a poll to select the targets. #killnet #REvil #infosec #cybersecurity #cyberattack

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has detected increased credential attack activity by the threat actor Midnight Blizzard using residential proxy services to obfuscate the source of their attacks. These attacks target governments, IT service providers, NGOs, defense industry, and critical manufacturing.

vx-underground (@vxunderground)

The vx-underground x SentinelOne malware research competition has come to a conclusion and a winner has been chosen. Pol Thill discovered an unknown malware family named "Net_Neo" which targets banking institutions primarily in Spain and Chile. sentinelone.com/blog/neo_net-t…

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has identified a nation-state actor tracked as Flax Typhoon quietly gaining and maintaining access to organizations in Taiwan via known exploits, malware, built-in tools, and legitimate VPN software. Get the actor's TTPs and detection info: msft.it/60119RbsD

Will (@bushidotoken)

🎯#Qakbot Botnet Takedown in Operation Duck Hunt! 💻 700,000 Victim Computers 💰 $8.6m in cryptocurrency seized by DOJ 💰 Qakbot has earned $58m in ransoms 🔒 Qakbot used by Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta ransomware groups justice.gov/usao-cdca/pr/q…

The Citizen Lab (@citizenlab)

🚨🚨WE URGE EVERYONE TO UPDATE THEIR APPLE DEVICES AS SOON AS POSSIBLE. We have found an actively exploited #zero #click vulnerability that was used to deliver #NSO group’s #Pegasus #spyware. citizenlab.ca/2023/09/blastp…

Will (@bushidotoken)

⚠️ Use Microsoft Teams? Watch out for TeamsPhisher! While it is not usually possible to send files to MS Teams users outside your org, security researchers found a bypass by manipulating Teams web requests 🔥 github.com/Octoberfest7/T… Examples of MS Teams phish lures ⬇️ 1/3

Microsoft Threat Intelligence (@msftsecintel)

Since February 2023, Microsoft has observed password spray activity by Iranian threat actor Peach Sandstorm (HOLMIUM) against thousands of orgs, likely an attempt to collect intelligence to support Iranian interests. Get TTPs, mitigation, hunting guidance: msft.it/60129e0qE

Chris (@phage_nz)

I'm a huge fan of using Obsidian for everything from a knowledgebase through to a shopping list. Bank Security has done a great job in this post of showing how effective it can be as a CTI tool: bank-security.medium.com/mastering-cybe…