A different try to analyze and simplify threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.

  1. Peach Sandstorm’s Multi-Faceted Attacks on Satellite, Defense, and Pharma Sectors

    Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).

    read more about Peach Sandstorm’s Multi-Faceted Attacks on Satellite, Defense, and Pharma Sectors
  2. Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

    The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. Besides, the group utilized a range of open-source tools for various activities, including tunneling and credential dumping. The victims are from diverse sectors but are mainly opportunistic rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE, linked to healthcare and an unidentified organization.

    read more about Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations
  3. Iranian-backed APTs Target Aeronautical Sector: A Multi-Vector Attack

    The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

    read more about Iranian-backed APTs Target Aeronautical Sector: A Multi-Vector Attack
  4. APT34 Targets U.S. Enterprises with New SideTwist Trojan Variant

    APT34 has launched a new phishing campaign, using a decoy file named “GGMS Overview.doc” to target U.S.-based enterprises. The campaign employs a variant of the SideTwist Trojan for long-term control over victim hosts. Malicious macros in the document deploy the Trojan, which communicates with a C&C server. Interestingly, the C&C IP address is associated with the United States Department of Defense Network Information Center. The Trojan is capable of executing commands from the C&C and exfiltrating local files. It suggests the APT34 group might be conducting a test operation to preserve attack resources.

    read more about APT34 Targets U.S. Enterprises with New SideTwist Trojan Variant