Uncover the threats of tomorrow, today.
Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.
Powered by Threat Labs
Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
TA558_Worldwide_Attacks
MEDIUM
+
—
—
- Intel Source:
- Positive Technologies
- Intel Name:
- TA558_Worldwide_Attacks
- Date of Scan:
- 2024-04-16
- Impact:
- MEDIUM
- Summary:
- Researchers at Positive Technologies have discovered a group called TA558 has carried out over 300 attacks worldwide. They are using an old vulnerability called CVE-2017-11882 to spread malware through a campaign called SteganoAmor. This campaign is affecting users in Latin America and other parts of the world. TA558 hides malware within its attacks using a technique called steganography.
Campaign_For_Contact_Forms_Distributes_SSLoad_Malware
LOW
+
—
—
- Intel Source:
- PaloAlto
- Intel Name:
- Campaign_For_Contact_Forms_Distributes_SSLoad_Malware
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Researchers at Palo Alto have noticed that the MSI file’s WebDAV server has stopped operating. They have observed this effort spreading Latrodectus malware in the last few weeks. But Latrodectus is not the MSI linked to this specific infection chain.
LightSpy_campaign_returns
LOW
+
—
—
- Intel Source:
- Blackberry
- Intel Name:
- LightSpy_campaign_returns
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Blackberry researchers shared the details of the LightSpy campaign, a mobile espionage operation targeting individuals in Southern Asia, potentially with state-sponsored involvement. The “Title-Abstract” section delves into the technical details of the malware, its Chinese origins, and the advanced techniques used. The “Abstract” section offers recommendations for individuals and organizations to protect themselves. The “LightSpy Returns” section discusses the campaign’s return with expanded capabilities and the threat actor group behind it. The article emphasizes the need for increased vigilance and robust security measures in the targeted region.
Decoding_TA427
LOW
+
—
—
- Intel Source:
- Proofpoint
- Intel Name:
- Decoding_TA427
- Date of Scan:
- 2024-04-16
- Impact:
- LOW
- Summary:
- Proofpoint researchers discovered a group called TA427, who are really busy causing trouble. They pretend to be experts from North Korea in different fields like education, news, and research. They do this to trick other experts and sneak into their organizations to gather important information. TA427 has been quite successful at this and doesn’t seem to be stopping anytime soon. They’re quick to change their methods and create new identities when needed.
The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign
LOW
+
—
—
- Intel Source:
- Recorded Future
- Intel Name:
- The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign
- Date of Scan:
- 2024-04-15
- Impact:
- LOW
- Summary:
- The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users.
Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect
HIGH
+
—
—
- Intel Source:
- Palo Alto, Volexity
- Intel Name:
- Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect
- Date of Scan:
- 2024-04-15
- Impact:
- HIGH
- Summary:
- Researchers at PaloAlto have identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS. A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
Source:
https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
Malvertising_campaigns_hijack_social_media_to_spread_stealers
LOW
+
—
—
- Intel Source:
- Bitdefender
- Intel Name:
- Malvertising_campaigns_hijack_social_media_to_spread_stealers
- Date of Scan:
- 2024-04-15
- Impact:
- LOW
- Summary:
- Threat actors have been copying AI software such as Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5 on Facebook to trick users into downloading purported official desktop versions of these AI software. The malicious webpages then download intrusive stealers such as Rilide, Vidar, IceRAT, and Nova Stealer.
Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script
LOW
+
—
—
- Intel Source:
- Sucuri
- Intel Name:
- Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Recently Sucuri discovered an interesting case of this: the attackers took that a step further by embedding a credit card skimmer in a well-concealed fake Facebook Pixel tracker script.
Source:
https://blog.sucuri.net/2024/04/credit-card-skimmer-hidden-in-fake-facebook-pixel-tracker.html
A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT
LOW
+
—
—
- Intel Source:
- Esentire
- Intel Name:
- A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT
- Date of Scan:
- 2024-04-12
- Impact:
- LOW
- Summary:
- Last month, eSentire researchers detected a series of tax-themed phishing emails delivering the Remcos RAT as the final payload through GuLoader. The phishing email contained the link to the password-protected ZIP archive hosted on Adobe Document Cloud.
Source:
https://www.esentire.com/blog/tax-season-alert-beware-of-guloader-and-remcos-rat
Observed_spike_of_LockBit_related_activity_of_vulnerabilities_in_ScreenConnect
MEDIUM
+
—
—
- Intel Source:
- Trellix
- Intel Name:
- Observed_spike_of_LockBit_related_activity_of_vulnerabilities_in_ScreenConnect
- Date of Scan:
- 2024-04-12
- Impact:
- MEDIUM
- Summary:
- Recently, Trellix Researchers have observed a rise in LockBit-related cyber activity in vulnerabilities in ScreenConnect. Researchers are confident that the cybercriminals group behind LockBit ransomware partially restored their infrastructure and created a feeling that the LE actions did not affect their normal operation.
Threat Content
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
-
BlogSecuronix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack ChainsLearn More
-
BlogSecuronix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy MalwareLearn More
-
BlogSecuronix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell BackdoorLearn More