Discover more from ESSGroup
Subscribe to get the latest posts sent to your email.
Threat Overview
SpearTip has published a report detailing a new brute-force campaign leveraging the fasthttp library to gain unauthorized access to accounts. The campaign targets Azure Active Directory Graph API, resulting in a high volume of authentication failures, account lockouts, and conditional access violations.
Campaign Details
* Target: Azure Active Directory Graph API
* Duration: Ongoing since January 6th, 2025
* Origin: Significant traffic from Brazil
* fasthttp User Agent: Observed in Entra ID sign-in logs under “Other Clients“\
Recommendations
Based on the threat report, the following recommendations are made to mitigate the risks associated with this campaign:
* Monitor Entra ID sign-in logs for thefasthttp user agent.
* Upon investigation of successful authentications or failed MFA/conditional access cases where credentials were correct,simply take these actions:
1. Expire user sessions.
2. Reset user credentials.
3. Review MFA devices associated with potentially compromised users.
* Further investigate ASN providers and IP addresses listed in the report for potential affiliation with the campaign
External References
Full report can be accessed via:
https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
Subscribe to get the latest posts sent to your email.
Lorem Ipsum is simply dummy text of the printing and typesetting
industry. Lorem Ipsum has been the industry's
Threat Overview
The cybersecurity landscape is constantly evolving, with new threats emerging regularly. One of the latest developments comes from the North Korean-linked threat actor APT-C-28, also known as ScarCruft or APT37. This group has launched a sophisticated cyber espionage campaign using fileless RokRat malware. The 360 Advanced Threat Research Institute has uncovered this campaign, highlighting the advanced tactics, techniques, and procedures (TTPs) employed by APT-C-28.
APT-C-28 is notorious for its targeted attacks on various sectors, including government, defense, and technology industries. The group’s latest campaign involves the use of fileless malware, which makes detection and mitigation more challenging. Fileless malware operates in memory rather than writing to disk, leaving fewer traces behind and making it harder for traditional antivirus solutions to detect.
The RokRat malware is particularly concerning because it allows attackers to gain persistent access to compromised systems. This type of malware can execute commands remotely, exfiltrate data, and even manipulate system processes without being detected by conventional security measures. The fileless nature of RokRat makes it a formidable threat, as it bypasses many traditional security controls.
The campaign orchestrated by APT-C-28 involves multiple stages, starting with initial access through phishing emails or compromised websites. Once inside the network, the attackers use various techniques to move laterally and escalate privileges. The fileless RokRat malware is then deployed to maintain persistence and carry out further malicious activities.
One of the key challenges in mitigating this threat is the lack of visible artifacts on the disk. Traditional security tools that rely on signature-based detection or file scanning are ineffective against fileless malware. Organizations need to adopt a more comprehensive approach to cybersecurity, incorporating advanced endpoint detection and response (EDR) solutions, network monitoring, and behavioral analysis.
Recommendations for Mitigation
User Awareness Training: Conduct regular training sessions for employees on recognizing phishing attempts and other social engineering tactics. Educating users about the risks associated with clicking on suspicious links or downloading attachments can significantly reduce the likelihood of initial compromise.
Regular Security Audits: Perform frequent security audits to identify vulnerabilities in the network infrastructure. This includes patch management, configuration reviews, and penetration testing to ensure that all systems are secure against known threats.
Incident Response Plan: Develop a comprehensive incident response plan tailored to handle fileless malware attacks. This should include steps for containment, eradication, and recovery, as well as post-incident analysis to improve future defenses.
Multi-Factor Authentication (MFA): Enforce MFA for all critical systems and user accounts. This adds an extra layer of security, making it more difficult for attackers to gain unauthorized access even if credentials are compromised.
Advanced Threat Intelligence: Leverage threat intelligence feeds from reputable sources to stay informed about the latest TTPs used by APT-C-28 and other advanced persistent threats. This information can be integrated into security operations to enhance detection capabilities.
Conclusion
The discovery of the fileless RokRat malware campaign by APT-C-28 underscores the need for organizations to adopt a proactive approach to cybersecurity. By implementing advanced detection and response mechanisms, enhancing user awareness, and leveraging threat intelligence, organizations can better protect themselves against sophisticated cyber threats. The evolving nature of cyber attacks requires continuous vigilance and adaptation, ensuring that security measures keep pace with emerging threats.
For more detailed information on this campaign and the associated TTPs, please refer to the external references provided by CyberHunter_NL:
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware
https://otx.alienvault.com/pulse/67b73052cda5eaee6fd1f42c
Please check the following page for additional information:
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware
In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats is crucial. The latest threat report published by CyberHunter_NL on March 3, 2025, sheds light on a significant development involving two Russian autonomous systems: PROSPERO (AS200593) and Proton66 (AS198953). This report, titled ‘PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks,’ provides valuable insights into the interconnected nature of these systems and their potential implications for cybersecurity.
The report highlights a high level of confidence in linking PROSPERO with Proton66. Both autonomous systems are believed to be connected to ‘SecureHost’ and ‘BEARHOST,’ which offer bulletproof hosting services. These services are notorious for providing infrastructure that supports illicit activities, making them a prime target for cybercriminals.
One of the key observations in the report is the near-identical configuration of both networks in terms of peering agreements and load sharing over time. This similarity suggests a coordinated effort between the two systems, potentially indicating a shared operational strategy or even direct collaboration. The implications of this finding are significant, as it underscores the need for enhanced monitoring and mitigation strategies to counter such threats.
The report is based on extensive analysis and includes 490 connected elements, providing a comprehensive overview of the threat landscape. It is classified with a confidence level of 100% and is considered completely reliable (Reliability: A). This high level of reliability underscores the importance of the findings and their potential impact on cybersecurity operations.
For security operation centers (SOCs), this report serves as a critical resource for understanding the evolving threat landscape. SOCs should prioritize monitoring these autonomous systems and their associated services to detect any suspicious activities. Implementing advanced threat detection tools and regularly updating security protocols can help mitigate the risks posed by these networks.
Additionally, SOCs should consider collaborating with other cybersecurity organizations to share intelligence and best practices. This collaborative approach can enhance the overall effectiveness of threat mitigation strategies and ensure a more robust defense against emerging threats.
In conclusion, the report on PROSPERO and Proton66 provides valuable insights into the interconnected nature of bulletproof hosting services and their potential impact on cybersecurity. By staying informed about these developments and implementing appropriate mitigation strategies, SOCs can better protect their networks from evolving threats. For more detailed information, please refer to the external references provided in the report: https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/ and https://otx.alienvault.com/pulse/67c586b5bacba874edce2bcb.
By understanding the links between PROSPERO, Proton66, SecureHost, and BEARHOST, SOCs can take proactive measures to safeguard their networks. Regular updates on threat intelligence, enhanced monitoring capabilities, and collaborative efforts with other cybersecurity organizations are essential steps in this direction. As the threat landscape continues to evolve, staying vigilant and informed will be key to maintaining robust cyber defenses.
Threat Overview
A recent phishing campaign has emerged, employing a new tactic that uses malicious PDF files to trick victims into revealing their personal and financial information. Researchers at Palo Alto Networks Unit42 have discovered this technique, as outlined in the report ‘Phishing Campaign Baits Hook With Malicious Amazon PDFs’.
Report Summary
The phishing campaign, suspected to be from a threat actor group known for its previous targeted attacks, uses PDF files disguised as Amazon order confirmations or shipping notifications. Once opened, victims are directed to a fake Amazon login page where their credentials are harvested.
The malicious PDFs exploitation follows two stages:
Recommendations
Based on this threat report, consider implementing these recommendations to improve your organization’s security posture:
External References
The threat report and additional details can be found at:
Subscribe now to keep reading and get access to the full archive.