Group-IB’s Threat Intelligence team identified new infrastructure used by APT MuddyWater. We also uncovered that this group uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices.
According to our data, MuddyWater used SimpleHelp for the first time on June 30, 2022. At the time of writing, the group has at least eight servers on which they have SimpleHelp installed.
Our new blog post describes MuddyWater’s previously unknown infrastructure and points to links with some of the group’s publicly known IP addresses. Read now👈
#APT #MuddyWater
Group-IB will no longer be present in the Russian market. This comes after Dmitry Volkov, co-founder and CEO, sold his stake in Group-IB’s Russia-based business to the company’s local management. Group-IB’s branding and trademarks will not be permitted in Russia.
This process marks the completion of the second stage of the regional business diversification announced by Group-IB in July 2022, and encompasses changes to the ownership structure, separation of Group-IB’s business and technical units, and the final withdrawal of the Group-IB brand from the Russian market.
More details👈
🎣 Phishing attacks are becoming ever more sophisticated and their scale is increasing exponentially.
There are a few approaches to investigating a phishing campaign efficiently. In our new blog post, we present a practical guide based on the investigation into a Chinese-speaking phishing campaign that was observed in July 2022. The campaign was carried out by a phishing gang that Group-IB has named PostalFurious. PostalFurious targeted users in APAC, specifically in Singapore, Australia, and some other countries, by impersonating postal and, to a lesser extent, toll operators.
Read more👈
#phishing #PostalFurious
🎭 What happens when the people who are meant to stop scams spreading on social media are being impersonated by the scammers themselves?
Group-IB Digital Risk Protection experts have discovered a new and still ongoing global phishing campaign launched on Facebook by cybercriminals who impersonate the technical support staff of Meta, Facebook’s parent company. Group-IB researchers identified more than 3,200 Facebook profiles publishing posts purportedly written by Meta technical support staff in a total of 23 languages. The scammers’ ultimate aim is to gain access to the Facebook accounts of public figures, celebrities, businesses, sports teams, as well as individual profiles, to steal sensitive information, and potentially use the same compromised credentials to gain access to other accounts held by the individual. Group-IB’s Computer Emergency Response Team (CERT-GIB) informed Facebook of its findings, in line with the company's responsible disclosure protocol.
Check out our newest blog post to learn more about this phishing campaign as well as to get recommendations on how not to fall victim. Read👈
Malware detonation is Group-IB's core technology for automated malware analysis and is natively embedded in Managed XDR and Business Email Protection. To keep up with the evolving threat landscape, Group-IB constantly updates and evolves its Malware Detonation Platform.
One of the new features added to the Malware Detonation Platform allows analysts to access all artifacts related to a detonation, including files from the file structure, files created during detonation, registry keys, mutexes, network indicators, and memory fragments. End-to-end search and related-process mapping are available. This data can be exported via API and used in external systems for threat hunting and automated response.
A picture is worth a thousand words, so let's look at the gif above. A sample of Loki PWS malware was successfully detonated, and the system automatically extracted a number of artifacts, including the malware's configuration and its predefined commands, along with a list of C&C servers.
Want to learn more about the new features in Group-IB's Malware Detonation Platform? Check out our new blog👈
#MXDR #BEP
In March 2023, Group-IB’s Threat Intelligence team infiltrated the Qilin ransomware group and now can reveal inside information about this RaaS program.
Qilin is a Ransomware-as-a-Service affiliate program that now uses Rust-based ransomware to target its victims. Many Qilin ransomware attacks are customized for each victim to maximize their impact. Qilin's targets are primarily companies in critical sectors.
Group-IB's Threat Intelligence team obtained information about Qilin's payment structure by entering a private conversation on Tox (an open-source messaging app that offers end-to-end encryption) with one of the program's users (Haise), who was identified on the underground forum RAMP. According to the information provided by the owner of the Qilin RaaS program, for payments totaling $3M or less, affiliates earned 80% of the payment; for payments of more than $3M, they earned 85% of the payment.
Read our new blog post to get a detailed breakdown of the group, as well as recommendations on how to prevent Qilin’s attacks👈
#ransomware #Qilin
When cybersecurity researchers work together, they make the world safer🤝 Group-IB and Bridewell are proud to share the joint blog post about previously unknown infrastructure belonging to APT SideWinder.
While investigating the threat actors, Group-IB’s and Bridewell’s threat intelligence specialists identified and attributed a large part of the group’s infrastructure, namely 55 domains and IP addresses. The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors.
Curious to know more? Read our fresh blog post👈
#APT #SideWinder
🔍Group-IB has recorded a 25% increase in the use of phishing kits in 2022.
The key trends, based on the analysis of more than 6,000 phishing kits extracted in 2021 and 2022, are the increasing use of access control and of advanced detection evasion techniques. Here is what else Group-IB's Computer Emergency Response Team found out:
📌 In total, just under half of the phishing kits from 2022 seen by CERT-GIB relied on email to handle stolen information.
📌 The number of phishing kits that use Telegram to collect stolen data almost doubled in 2022 compared to the preceding year.
📌 In 2022, 1,824 phishing kits used simple access control mechanisms. Hypertext access (.htaccess) became the most popular access control strategy.
📌 2,060 phishing kits used advanced detection evasion techniques, 26% more than a year earlier.
More details👈
Want to learn how Group-IB protects companies from phishing and scams? Visit our website👈
#phishing #CERT
Application programming interface usage has exploded in recent years. Despite their increasing popularity, APIs are particularly vulnerable if they are not properly implemented or secured.
Check out our fresh blog post, in which we provide a concise overview of API security, including key domains and nuances from the perspectives of API developers and end users. It outlines the importance of secure coding practices, authentication, authorization and other key domains, and provides recommendations for securing your environment. Read👈
#API #cybersecurity
APT Dark Pink is back with 5 new victims. The group has continued to attack government, military, and non-profit organizations in the Asia-Pacific region, expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium. In line with Group-IB's zero-tolerance policy toward cybercrime, we sent proactive warnings to all confirmed and potential victims.
It is important to emphasize that Dark Pink has carried out at least two attacks since the beginning of 2023. The most recent attack known to Group-IB started in April, with the latest files being detected in May. Dark Pink keeps updating their tools. For example, the group’s custom KamiKakaBot module, designed to read and execute commands from the threat actors via Telegram, is now divided into two distinct parts — one that controls the device and the other that steals sensitive data.
In a fresh blog post the Group-IB team analyzes the latest updates in Dark Pink’s toolset, evolution of the group’s exfiltration methods, and modifications of their kill chain. The blog dives deep into the latest TTPs of Dark Pink, observed during the group’s latest attacks. Read now👈
#APT #DarkPink