#MangoSandstorm #Dindoor
https://krypt3ia.wordpress.com/2026/03/20/threat-intelligence-report-mango-sandstorm-indoor-fakeset-activity/
Iran-aligned threat actor #TA450 (AKA #MuddyWater #MangoSandstorm #StaticKitten) has employed new tactics. For the first time, Proofpoint researchers have observed TA450 attempt to use a malicious URL in a PDF attachment rather than directly linking the file in an email.
Security Brief: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
In the March 7-11, 2024 phishing campaign tracked by Proofpoint, TA450 sent Hebrew-language lures with PDF attachments that contained malicious links.
Targets included Israeli individuals at global manufacturing, technology, and information security companies.
Proofpoint researchers observed the same targets receive multiple phishing emails with PDF attachments that had slightly different embedded links, which led to a variety of file sharing sites. If opened and clicked, a ZIP file containing AteraAgent would be downloaded and ultimately installed.
This activity marks a turn in TA450’s tactics:
➡️ The group is attempting to deliver a malicious URL in a PDF attachment
➡️ This campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content
➡️ This activity continues TA450's trend of leveraging Hebrew language lures and compromised
See our security brief for ET signatures and IOCs.
Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
The #PaperCut vulnerability continues to garner interest, with Iran's Mint Sandstorm (formerly #PHOSPHORUS) and Mango Sandstorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by VulnCheck researchers highlights the limitations of relying on detection rules for assurance, and why patching is a must.
Earth Longzhi - a subset of the Chinese #APT41 threat group - has emerged after months in the shadows with new techniques seen in recent campaigns: using Windows #Defender to side-load malware, the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover. This one is definitely one to check out.
Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patch, exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.
There are a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/CTF-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.
The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the open-source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.
Elastic Labs also outdid themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.
There's lots to dig through before starting your work week, so get started here:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2