Lyceum group reborn | Securelist- Tempemail

This year, we had the honor to be selected for the thirty-first edition of the Virus Bulletin conference. During the live program, we presented our research into the Lyceum group (also known as Hexane), which was first exposed by Secureworks in 2019. In 2021, we have been able to identify Continue Reading

SAS 2021: Learning to ChaCha with APT41- Tempemail

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor. Tempemail , Continue Reading

MysterySnail attacks with Windows zero-day- Tempemail

Executive Summary In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a Continue Reading

SAS 2021: Operation Software Concepts- Tempemail

During the ‘Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon‘ talk on SAS-at-Home 2021, Rintaro Koike, Shogo Hayashi and Ryuichi Tanabe from NTT Security (Japan) will cover a new APT campaign named Operation Software Concepts. They will share details about this multi-stage attack campaign targeting Russian and Mongolian governments Continue Reading

GhostEmperor: From ProxyLogon to kernel mode- Tempemail

 Download GhostEmperor’s technical details (PDF) While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a Continue Reading

Tomiris backdoor and its connection to Sunshuttle and Kazuar- Tempemail

Background In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Continue Reading

Wake me up till SAS summit ends- Tempemail

What do cyberthreats, Kubernetes and donuts have in common – except that all three end in “ts”, that is? All these topics will be mentioned during the new [email protected] online conference, scheduled for September 28th-29th, 2021. To be more specific, there will be a workshop titled, “Prevent & Detect Security Continue Reading

Exploitation of the CVE-2021-40444 vulnerability in MSHTML- Tempemail

Summary Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In attempt to exploit this vulnerability, attackers create a document with a specially-crafted object. If a user Continue Reading

IT threat evolution Q2 2021- Tempemail

Targeted attacks The leap of a Cycldek-related threat actor It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be side-loaded by it and an encoded payload, generally dropped from a self-extracting archive. Continue Reading

APT trends report Q2 2021- Tempemail

For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in Continue Reading