New research published today from Palo Alto Networks Unit 42 dives deep into North Korean threat activity, providing new evidence and insight into the ongoing efforts by North Korean threat actors against US businesses and individuals. We found two unique campaigns with the goal of espionage, cryptocurrency theft and simply earning cash:

- North Korean actors are seeking employment with US-based orgs, representing an opportunity to embed insiders in targeted companies. We discovered a stockpile of data including resumes with identities impersonating individuals from various nations, job interview Q&As and scripts, downloaded job postings from US companies, and a scanned fake ID.

- North Korean threat actors are manipulating job seekers into installing malware. They pose as employers, post fictitious jobs, set up interviews with software developers and deliver malware during the interview process. According to our research, this campaign is still active.

If these efforts by North Korean threat actors are successful, there is a critical impact on both job seekers (who may be using devices from their current employers throughout the interview process) and the organizations they're applying to. Now more than ever, it's critical that organizations proactively prioritize cybersecurity in the face of sophisticated campaigns like this.

Check out the full research and insights from Unit 42 here: https://lnkd.in/gtwWZHSs

Link in comments to Reuters coverage of this important research by Michael Sikorski & the Unit 42 Threat Intelligence team.
Threat Intelligence Insights
-
#ASD and international partners have released an advisory on the tradecraft of a #PRC-backed threat actor named #APT40, and it's well worth a read, whether you are in Government or the private sector.

APT40 is code for a group backed by the PRC's Ministry of State Security (#MSS). The MSS is engaged in intelligence gathering and foreign interference activities, including cyber warfare. APT40, based in Haikou, Hainan Province, has been targeting Government and private sector entities around the world since 2017. Their objectives appear to be maintaining persistence in order to exfiltrate data.

How does APT40 go about their activities?
🔴 Exploit small office / home office (SOHO) routers as proxies to hide their origins among normal traffic
🔴 Target vulnerable systems on the edge of networks, such as MS Exchange, Atlassian Confluence, and Log4j (commonly found in Java applications)
🔴 Deploy web shells - uploaded code snippets that allow commands to be executed on the remote host, e.g. a malicious .aspx file dropped in a public directory on an OWA server
🔴 Conduct internal recon to enumerate victim hosts and accounts
🔴 Move laterally, stealing credentials, then exfiltrate data via existing Command and Control (C2) channels

None of the TTPs described in the report are "top shelf" exploitation. This is clever use of well-known exploits against well-known vulnerabilities. Why expose clever TTPs if you don't need to?

The advisory contains a few indicators, detection rules, and recommended mitigations. Here is a summary of mitigations:
🔵 Look for process executions in unusual directories or world-writable locations, e.g. why is there a process running from C:\Windows\Temp? (Allow listing would probably prevent this.)
🔵 Implement logging in a centralized location with a suitable retention period
🔵 Patch! The common factor in the listed vulnerabilities (CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) is that they were all discovered (and presumably patched) in 2021!
🔵 Segment your network - impose costs by forcing the adversary to conduct recon and lateral movement on hard mode. Use jump servers to access sensitive hosts such as auth.
🔵 Other strategies covered in the Essential 8, e.g. MFA, restricting admin privs and office macros

I for one am glad to see a return to Mandiant-style "APT" codenames rather than the new-fangled monikers like "Electric Tempest". But I would like to see structured threat intelligence released with these reports, e.g. STIX JSON format, and hopefully someday soon, structured hunting and response playbooks in CACAO JSON! But I will have more to say about CACAO another day...
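As an added example (not part of the advisory or of the post above), here is the hunt those mitigations describe, written as triage logic over process-creation telemetry: it flags binaries executing from world-writable or drop directories, binaries executing outside an allow-list, core system-binary names running from somewhere other than System32, and an IIS worker (w3wp.exe, which hosts OWA's .aspx content) spawning a command interpreter, the usual footprint of a web shell. The event records are constructed in a Sysmon-like JSON-lines shape, and the directory lists are assumptions to tune for your own estate.

```python
"""Triage Windows process-creation events for the APT40-style tradecraft in the
advisory summary: execution from drop directories, execution outside an
allow-list, masquerading system binaries, and web-shell child processes.
Added example; the events below are constructed, Sysmon Event ID 1-like JSON."""
import json
from pathlib import PureWindowsPath

# Drop locations: world-writable or commonly abused (assumption: tune per estate).
SUSPICIOUS_DIRS = (
    r"C:\Windows\Temp",
    r"C:\Users\Public",
    r"C:\ProgramData",
    r"C:\inetpub\wwwroot",
    r"C:\PerfLogs",
)
# Directories execution is expected from; anything else is reported. This is
# the allow-listing control the post refers to (assumption: extend as needed).
ALLOWED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# Core Windows binaries that legitimately live only under System32/SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process; OWA/ECP .aspx pages run inside it
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Constructed sample telemetry (JSON lines); not real events.
SAMPLE_EVENTS = r"""
{"ts":"2024-07-08T01:12:03Z","host":"EXCH01","image":"C:\\Windows\\System32\\svchost.exe","parent":"C:\\Windows\\System32\\services.exe","cmd":"svchost.exe -k netsvcs"}
{"ts":"2024-07-08T01:14:51Z","host":"EXCH01","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","cmd":"cmd.exe /c whoami"}
{"ts":"2024-07-08T01:15:10Z","host":"EXCH01","image":"C:\\Windows\\Temp\\svchost.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"svchost.exe -l 0.0.0.0:8080"}
{"ts":"2024-07-08T01:20:00Z","host":"FS01","image":"C:\\Program Files\\7-Zip\\7z.exe","parent":"C:\\Windows\\explorer.exe","cmd":"7z.exe a backup.7z D:\\share"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _under(path, roots):
    """True if `path` is at or below any directory in `roots` (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    return any(PureWindowsPath(root.lower()) in p.parents for root in roots)


def triage(events):
    """Apply the four rules to each event; return one finding per rule hit."""
    findings = []
    for ev in events:
        image, parent = ev["image"], ev.get("parent", "")
        name = PureWindowsPath(image).name.lower()
        parent_name = PureWindowsPath(parent).name.lower()
        hits = []
        if _under(image, SUSPICIOUS_DIRS):
            hits.append("exec_from_drop_dir")
        elif not _under(image, ALLOWED_DIRS):
            hits.append("exec_outside_allowlist")
        # A "svchost.exe" anywhere but System32/SysWOW64 is masquerading.
        if name in SYSTEM_BINARIES and not _under(image, ALLOWED_DIRS[:2]):
            hits.append("masquerading_system_binary")
        # IIS worker spawning a shell: commands arriving through a web shell.
        if parent_name in WEB_WORKERS and name in INTERPRETERS:
            hits.append("webshell_child_process")
        findings.extend(
            {"ts": ev["ts"], "host": ev["host"], "rule": rule, "image": image,
             "parent": parent, "cmd": ev.get("cmd", "")}
            for rule in hits
        )
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['host']} {f['rule']:28} {f['image']}  <- {f['parent']}")
```

Against the constructed events this yields three findings, all on EXCH01: the web shell's cmd.exe child, the fake svchost.exe in C:\Windows\Temp, and that same binary flagged as a masquerade. The allow-list rule is what would have blocked the Temp execution outright; the parent/child rule catches the web shell even when the shell file itself was never seen.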
-
The NSA, together with CISA, FBI, and international partners, issued a major joint cybersecurity advisory exposing how Chinese state-sponsored actors have been compromising critical networks worldwide to fuel a global espionage system.

The advisory highlights persistent campaigns targeting telecoms, transport, lodging, defense, and government networks, leveraging vulnerabilities on large backbone routers of major telecommunication providers, as well as provider edge (PE) and customer edge (CE) infrastructure. These operations are attributed to multiple advanced threat clusters, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and others.

The report highlights the TTPs, IOCs, and the list of CVEs commonly exploited by this APT group. The recommendations are clear: strengthen threat hunting at the edge, enforce centralized logging and network visibility, and close off known vulnerabilities before they are exploited.

Call to action
If you're responsible for network security in a critical infrastructure organization, prioritize reviewing the detailed technical guidance provided in this advisory. Implement the recommended mitigations, conduct thorough audits of your network edge devices, and ensure your security teams are equipped to detect the specific TTPs outlined in the report.

#Cybersecurity #APT https://skd.so/UXMrof
-
Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on hundreds of third-party vendors, creating an exponentially expanding attack surface.

Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

Game-Changing Examples
SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.
MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

Why Third-Party Risk Monitoring is Critical
Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.
Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.
Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

Building Effective Defense
Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem
Zero Trust Extension: Apply least-privilege access controls to all third-party connections
Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols
Contractual Protection: Update vendor agreements with security requirements and liability provisions

The Bottom Line
Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted; it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

#ThirdPartyRisk #TRPM #SupplyChainAttack #CyberSecurity
-
🔐 Industrial Ransomware Threats Surge in Q2 2024: Dragos Report Findings 🔐

The latest #Dragos Industrial Ransomware Analysis reveals a significant resurgence in ransomware activity during Q2 2024, with incidents nearly doubling from the previous quarter. As ransomware groups recalibrate their strategies, the industrial sector remains a prime target, highlighting the urgent need for enhanced cybersecurity measures.

Key Findings:
🔹 Ransomware Rebound: After a temporary decline, Q2 saw a sharp increase in ransomware attacks, underscoring the resilience and adaptability of these threat actors.
🔹 Sector Impact: Manufacturing was hit hardest, accounting for 67% of all incidents. Other critical sectors, including transportation and government, also faced significant disruptions.
🔹 Evolving Tactics: Groups like BlackSuit and RansomHub have emerged with more sophisticated encryption techniques and improved lateral movement. The report notes, "BlackSuit ransomware has demonstrated advanced lateral movement capabilities, using legitimate administrative tools to evade detection and spread across networks." 👈

As industrial operations become increasingly interconnected, the impact of these attacks extends beyond IT systems, potentially threatening the safety and integrity of OT environments.

For a deeper dive into these trends, check out the full Dragos report: https://lnkd.in/ec3CmP-T

#cybersecurity #ransomware #OTSecurity #zerotrust
-
Curious about Cyber Threats in AI? The MITRE ATLAS framework is a great tool to explore. Key points about the framework 👇

- The MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework offers a comprehensive approach to understanding and mitigating adversarial threats in AI systems.
- It's designed to anticipate and defend against a wide range of attacks, whether you're dealing with machine learning models, neural networks, or other AI technologies.
- It provides a detailed mapping of the tactics and techniques adversaries use to exploit AI systems, offering organizations actionable intelligence on how to defend against these threats.

For anyone involved in AI security or risk management, studying the MITRE ATLAS framework is essential. Use it for creating practical threat models of your AI applications and mapping AI risks to your environment.
-
Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers, researchers at Cisco Talos found.

In findings published Thursday, the researchers documented a campaign starting last year where Chinese government-backed hacking groups were tasked with obtaining initial access to "high-value" organizations. Cisco Talos refers to the group as "UAT-8837." After getting access, the threat actors used a variety of tools to steal credentials, security configurations and other information to enable broader access to victim organizations.

While the group has used multiple vulnerabilities to gain access, Cisco Talos tracked several intrusions involving the exploitation of CVE-2025-53690, a bug affecting products from software company Sitecore. The zero-day vulnerability was spotlighted by federal cybersecurity officials in the fall, and all federal civilian agencies were ordered to patch the bug by September 25. At the time, Google published its own examination of an incident involving the bug and mentioned at least four of the same post-exploitation tools that were highlighted by Cisco Talos. Cisco Talos said the group's targeting of the bug indicates the Chinese group "may have access to zero-day exploits."

One of the tools used by the hacking group, called Earthworm, allows threat actors to expose internal endpoints to attacker-owned remote infrastructure. Cisco Talos said Earthworm has been used extensively by Chinese-speaking threat actors during intrusions in order to determine which internal endpoints are undetectable by endpoint protection products. "The undetected version is then used to create a reverse tunnel to attacker-controlled servers," they explained.

Concerns about Chinese hackers targeting critical infrastructure were revived following an incident in December when the group Salt Typhoon was detected compromising an email platform used by Congressional staffers. The staffers targeted in the attacks work on the House of Representatives' China committee and several others covering foreign affairs.

U.S. officials have repeatedly warned of Chinese government-backed hacking groups targeting federal agencies and other critical infrastructure organizations. On Wednesday, a group of Western cyber agencies released an alert about the growing digital threats facing the operational technology at the heart of industrial systems used by many critical infrastructure organizations.

https://lnkd.in/gBG6AZAN
-
Introducing SITF: The First Threat Framework for SDLC Infrastructure by Wiz

Open-source framework mapping 70+ attacks. Attack Flow Visualizer for drag-and-drop threat modeling.

Shay Berkovich describes how SITF (SDLC Infrastructure Threat Framework) can help organizations harden their SDLC.
⛓️ Model recent supply chain attacks.
🛡️ See a prioritized list of security controls you should implement.
🗡️ Review attack techniques and learn from them.

---

SITF maps 70+ attack techniques across five SDLC pillars:
1. Endpoint/IDE
2. VCS
3. CI/CD
4. Registry
5. Production

The framework includes an Attack Flow Visualizer for drag-and-drop threat modeling that auto-generates prioritized defense matrices. So given threats or attacks you want to protect against → here are the top controls you should implement first.

The post also walks through modeling Shai-Hulud 2.0 using SITF, giving a nice overview of the attack, and the controls that would have prevented each step.

The framework runs entirely client-side with no data leaving your machine.

📎 Blog: https://lnkd.in/gBRdx76q
🌐 Live site: https://lnkd.in/gHKdncH4
⭐ GitHub: https://lnkd.in/gnmexd49

#cybersecurity #supplychain
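The "given attacks you care about, here are the controls to implement first" step is a weighted set-cover problem over a technique-to-control matrix. As an added example (not SITF's code or data, and not from the post above), the following models a self-propagating package compromise as a sequence of steps across the five pillars and greedily ranks controls by how many still-unblocked steps each one breaks per unit of deployment cost. The attack steps, the control mapping and the costs are all constructed assumptions; with the framework's own technique and control catalogue plugged in, the same routine produces a prioritised defense matrix and reports the steps that no modelled control covers.

```python
"""Turn a modelled attack flow into a prioritised control list, the idea behind
an auto-generated defense matrix. Added example: the flow, the control mapping
and the costs below are constructed and hypothetical, not SITF's data or code."""

# Each step is (pillar, technique): a constructed worm-style npm compromise.
ATTACK_FLOW = [
    ("Endpoint/IDE", "malicious dependency runs a lifecycle (postinstall) script"),
    ("Endpoint/IDE", "script harvests npm and GitHub tokens from the developer workstation"),
    ("VCS", "stolen GitHub token pushes a backdoored workflow to the victim's repositories"),
    ("CI/CD", "backdoored workflow exfiltrates CI secrets"),
    ("Registry", "stolen npm token publishes trojanised versions of the maintainer's packages"),
    ("Production", "downstream builds resolve and ship the trojanised versions"),
    ("CI/CD", "exfiltrated secrets reused to clone private repositories and pivot"),  # no control below
]

# Hypothetical mapping: control -> step indices it breaks, plus a rough
# deployment cost. Mapping and costs are assumptions for the demonstration.
CONTROLS = {
    "disable lifecycle scripts (ignore-scripts)": {"blocks": {0}, "cost": 1},
    "short-lived, scoped tokens; none stored on disk": {"blocks": {1, 2, 4}, "cost": 2},
    "branch protection with review required for workflow changes": {"blocks": {2}, "cost": 1},
    "OIDC-issued CI credentials, no long-lived secrets": {"blocks": {3}, "cost": 2},
    "trusted publishing with provenance, no token publish": {"blocks": {4}, "cost": 2},
    "lockfile pinning plus a cooldown before adopting new versions": {"blocks": {5}, "cost": 1},
}


def defense_matrix(flow, controls):
    """Step index -> sorted list of controls that block it (the raw matrix view)."""
    return {i: sorted(c for c, spec in controls.items() if i in spec["blocks"])
            for i in range(len(flow))}


def prioritise(flow, controls):
    """Greedy weighted set cover: repeatedly pick the control that blocks the
    most still-uncovered steps per unit cost (ties: cheaper, then by name),
    until every step is blocked or no control helps.
    Returns [(control, newly_covered_step_indices)] in pick order."""
    uncovered = set(range(len(flow)))
    chosen = []
    while uncovered:
        name, spec = min(
            controls.items(),
            key=lambda kv: (-len(kv[1]["blocks"] & uncovered) / kv[1]["cost"],
                            kv[1]["cost"], kv[0]),
        )
        gain = spec["blocks"] & uncovered
        if not gain:
            break  # remaining steps have no modelled control: report as gaps
        chosen.append((name, sorted(gain)))
        uncovered -= gain
    return chosen


def uncovered_steps(flow, controls):
    """Steps that no modelled control blocks: the gaps in the defense matrix."""
    return [flow[i] for i, cs in defense_matrix(flow, controls).items() if not cs]


if __name__ == "__main__":
    for rank, (control, steps) in enumerate(prioritise(ATTACK_FLOW, CONTROLS), 1):
        print(f"{rank}. {control}  -> breaks steps {steps}")
    for pillar, technique in uncovered_steps(ATTACK_FLOW, CONTROLS):
        print(f"GAP: [{pillar}] {technique}")
```

On the constructed data the token control comes out first because one change breaks three steps of the chain (harvesting, the VCS push and the registry publish), which is the point of prioritising by coverage rather than listing controls per technique. The final step is deliberately left unmapped so the gap report has something to show.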
-
🚨 CRITICAL ALERT: China-nexus threat actors actively exploiting a 0-day vulnerability in Dell RecoverPoint for Virtual Machines (CVSS of 10), deploying a newer version of BRICKSTORM (which we call GRIMBOLT), and using "ghost NICs" on virtual machines to evade defenders. 🚨

Mandiant (part of Google Cloud) just published research on an active threat campaign by a suspected China-nexus espionage actor (UNC6201) that has been using several novel TTPs. Here's what you should know:

☣️ Zero-day Exploitation: They have been exploiting a hardcoded administrator password in Apache Tomcat that was used by Dell RecoverPoint for Virtual Machines. Dell Technologies just disclosed CVE-2026-22769 to address this vulnerability. The hardcoded password had been used by this threat actor since at least mid-2024.

☣️ New Malware: We observed the actor replacing BRICKSTORM backdoors with a harder-to-detect malware family we call GRIMBOLT. This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer.

☣️ EDR Evasion: Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.

☣️ Ghost NICs: The threat actor created virtual NICs on virtual machines to perform malicious activities, and then deleted those NICs. This made it very difficult for investigators, as we saw suspicious/malicious network activity from IP addresses that no longer existed and were not well documented.

🛡️ Any organization using Dell RecoverPoint for Virtual Machines should immediately apply the recommendations provided by Dell. We appreciate Dell and VMware for their collaboration.

Excellent research by Peter Ukhanov, Daniel S., Nick Harbour, John Scarbrough, Fernando Tomlinson, and Rich Reece.

🔗 Link to Dell's advisory: https://lnkd.in/ek8XeJj4
🔗 Link to Mandiant's blog and technical analysis: https://lnkd.in/edeRwJjM
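The ghost-NIC problem in the post is, from the responder's side, an attribution join: flow records name a source IP that the current inventory cannot explain, so the only way to tie it back to a VM is the hypervisor's NIC add/remove history at the time of the flow. As an added example (not Mandiant's or Dell's code, and not from the post), the routine below pairs NIC lifecycle events into ownership intervals, lists short-lived NICs as candidates for the investigation, and resolves each orphan source IP to the VM that held it when the traffic occurred. It assumes your hypervisor logs NIC add/remove events with the VM name and MAC (vCenter does record these), and that you can tie the MAC to an IP through guest info, DHCP or ARP logs; all records here are constructed, and 203.0.113.0/24 is the documentation range standing in for attacker infrastructure.

```python
"""Re-attribute network flows from IP addresses that no longer exist in the VM
inventory (the "ghost NIC" problem) by joining each orphan source IP against
the hypervisor's NIC add/remove history at the time of the flow.
Added example; every record below is constructed, not real telemetry."""
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed hypervisor NIC lifecycle events (vCenter-like, simplified; the
# "ip" field is assumed to come from guest info or DHCP/ARP correlation).
NIC_EVENTS = [
    {"ts": "2024-11-01T09:00:00Z", "vm": "db-01", "action": "add", "mac": "00:50:56:11:22:33", "ip": "10.20.0.22"},
    {"ts": "2025-01-10T02:00:00Z", "vm": "app-01", "action": "add", "mac": "00:50:56:aa:bb:cc", "ip": "10.20.0.240"},
    {"ts": "2025-01-10T05:30:00Z", "vm": "app-01", "action": "remove", "mac": "00:50:56:aa:bb:cc", "ip": "10.20.0.240"},
]
# Current inventory as the CMDB/hypervisor shows it today: the ghost NIC is gone.
INVENTORY = {"app-01": {"10.20.0.15"}, "db-01": {"10.20.0.22"}}
# Constructed flow records (NetFlow/VPC-flow-log style).
FLOWS = [
    {"ts": "2025-01-10T03:10:00Z", "src_ip": "10.20.0.15", "dst_ip": "10.20.0.22", "dst_port": 5432, "bytes": 8_192},
    {"ts": "2025-01-10T03:15:00Z", "src_ip": "10.20.0.240", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes": 52_428_800},
    {"ts": "2025-01-10T08:00:00Z", "src_ip": "10.20.0.241", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes": 4_096},
]


def nic_intervals(events):
    """Pair add/remove events per (vm, mac) into [start, end) ownership
    intervals; a NIC that is still attached gets end=None."""
    open_nics, intervals = {}, []
    for ev in sorted(events, key=lambda e: ts(e["ts"])):
        key = (ev["vm"], ev["mac"])
        if ev["action"] == "add":
            open_nics[key] = ev
        elif ev["action"] == "remove" and key in open_nics:
            added = open_nics.pop(key)
            intervals.append({"vm": ev["vm"], "mac": ev["mac"], "ip": added["ip"],
                              "start": ts(added["ts"]), "end": ts(ev["ts"])})
    for (vm, mac), added in open_nics.items():
        intervals.append({"vm": vm, "mac": mac, "ip": added["ip"],
                          "start": ts(added["ts"]), "end": None})
    return intervals


def ghost_nics(intervals, max_life=timedelta(hours=24)):
    """NICs added and removed again within `max_life`: short-lived interfaces
    that deserve a look regardless of whether any flow pointed at them."""
    return [i for i in intervals
            if i["end"] is not None and i["end"] - i["start"] <= max_life]


def attribute_orphan_flows(flows, inventory, intervals):
    """For each flow whose source IP is absent from the current inventory, find
    the NIC interval that owned that IP when the flow occurred. vm=None means
    the history cannot explain it either: extend retention or add sources."""
    known = {ip for ips in inventory.values() for ip in ips}
    results = []
    for f in flows:
        if f["src_ip"] in known:
            continue  # ordinary inventory lookup already explains this one
        when = ts(f["ts"])
        owner = next((i for i in intervals if i["ip"] == f["src_ip"]
                      and i["start"] <= when
                      and (i["end"] is None or when < i["end"])), None)
        results.append({**f, "vm": owner["vm"] if owner else None,
                        "mac": owner["mac"] if owner else None})
    return results


if __name__ == "__main__":
    intervals = nic_intervals(NIC_EVENTS)
    for g in ghost_nics(intervals):
        print(f"ghost NIC {g['mac']} ({g['ip']}) on {g['vm']}: {g['start']} -> {g['end']}")
    for r in attribute_orphan_flows(FLOWS, INVENTORY, intervals):
        print(f"{r['ts']} {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']} "
              f"{r['bytes']}B  owner={r['vm']} mac={r['mac']}")
```

The 50 MB transfer to 203.0.113.7 resolves to app-01 only because the NIC events were retained and joined by time; the second orphan stays unresolved, which is the outcome the post describes when those events are missing or poorly documented. The practical takeaway is to keep hypervisor configuration-change events for at least as long as your flow logs, since the join is impossible without them.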
-
Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing the malware family POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region.

GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related, threat groups based in the PRC; however, we assess that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41 🇨🇳. APT41 is a PRC state-sponsored espionage group that also conducts financially motivated activity for personal gain. The group has been active since at least 2012 and has conducted espionage operations against healthcare, high-tech, and telecommunications organizations.

Our new report dives deep (80+ pages!) into ScatterBrain's protection mechanisms and the complexities of developing a deobfuscation solution. The report can be found at the following link: https://lnkd.in/gnDPWSKa