The DragonOK group has been actively launching attacks for years. We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan. In recent months, Unit 42 has observed a number of attacks that we attribute to this group. Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that in turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques. While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.

In this Kingslayer post-mortem report, RSA Research describes a sophisticated software application supply chain attack that may have otherwise gone unnoticed by its targets.

This report provides new insights into the Shamoon 2.0 and StoneDrill attacks, including: 1. The discovery techniques and strategies we used for Shamoon and StoneDrill. 2. Details on the ransomware functionality found in Shamoon 2.0. This functionality is currently inactive but could be used in future attacks. 3. Details on the newly found StoneDrill functions, including its destructive capabilities (even with limited user privileges). 4. Details on the similarities between malware styles and malware components’ source code found in Shamoon, StoneDrill and NewsBeef.

This post discusses the following event - “On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. "

This blog post continues discussion about the CCleaner supply chain attack.

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands. FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found here.

In mid-November 2017, the Dragos, Inc. team discovered ICS-tailored malware deployed against at least one victim in the Middle East. The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. Importantly, the malware leverages no inherent vulnerability in Schneider Electric products. However, this capability, methodology, and tradecraft in this very specific event may now be replicated by other adversaries and thus represents an addition to industrial asset owner and operators’ threat models.

“In my previous blog I posted details of a cyber attack targeting Indian government organizations. This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs (MEA). In order to infect the victims, the attackers distributed spear-phishing emails containing malicious word document which dropped a malware capable of spying on infected systems. The email purported to have been sent from legitimate email ids. The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims. Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email, this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs (MHA).”

“In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy.”

CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

This report offers a threat actor profile and indicators of compromise around the OceanLotusGroup actor.

Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. This report offers insight into this threat.

This paper analyzes a cleanup app that is actually malicious.

This Annual report discusses the events and changes in the cybersecurity landscape of 2017.

Many federal agencies have begun adoption of modern, agile approaches to software delivery, with the goal of building higher quality services faster and more cheaply. While there are significant barriers to the adoption of this paradigm in the federal government, this paper offers specific principles and practices that have already achieved success.

SophosLabs takes a specific look at threats being downloaded on GooglePlay that mine a mobile phone’s resources while searching for cryptocurrency.

The upgraded version of the Dridex Trojan was at one time one of the most successful bank Trojans originally discovered in 2014 and has since re-emerged. This paper provides an overview.

This report is specifically geared to the Healthcare and Cross-Sector Cybersecurity Issues.

Have you ever wondered what 0 types of cyber attacks affect small to midsize businesses (SMBs) and distributed enterprises (DEs)? Well, you’ve come to the right place.

This is the 22nd edition of the Microsoft Security Intelligence Report. In this report, they have organized data sets into two categories, cloud and endpoint. They are sharing data about a shorter time period, one quarter.

With unique and specialized analysis, this paper discusses Nigerian cyber crime actors, their growth, collaboration, and the direction they are headed.