35 matches found

Securelist, added 2023/05/19 10:30 a.m., 37 views

CloudWizard APT: the bad magic story goes on

In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of our report about...

AI score 7.2; Exploits 0
Trellix, added 2020/03/26 12:00 a.m., 9 views

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

ARCHIVED STORY. Triton Malware Spearheads Latest Attacks on Industrial Systems. Alexandre Mundo · MAR 26, 2020. Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that...

AI score 7.4; Exploits 0
ThreatPost, added 2019/06/04 6:48 p.m., 82 views

Zebrocy: A Russian APT Specializing in Victim Profiling, Access

Zebrocy, the Russian-speaking threat group that shares similarities and overlaps with both the Sofacy and BlackEnergy APTs, is once again roaming the wide plain of government, foreign-affairs and military targets. Researchers have spotted the group using a new first-stage malware dropper in recen...

AI score 0.2; Exploits 0; References 5
Securelist, added 2019/06/03 2:00 p.m., 102 views

Zebrocy’s Multilanguage Malware Salad

Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy: Zebrocy is an active sub-group of victim profiling and access specialists; Zebrocy maintains a lineage back through 2013, sharing malware artefacts and...

AI score 7.2; Exploits 0
Securelist, added 2019/05/23 10:00 a.m., 3220 views

IT threat evolution Q1 2019

Targeted attacks and malware campaigns. Go Zebrocy. Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used mean that we consider it a subset of activity in its own right. On the basis of this threat actor's past behaviour, ...

CVSS 7.2; AI score 7.8; EPSS 0.93462; Exploits 22
ThreatPost, added 2019/05/22 8:09 p.m., 99 views

WannaCry-Infested Laptop Starts at $1.13M in Art Auction

Malware as high art? Stranger things have happened, but a Windows laptop infected with six high-profile pieces of malware (think WannaCry and BlackEnergy) is nonetheless looking to fetch more than $1 million in public art-auction bids. A project called “The Persistence of Chaos,” mounted by artist...

Exploits 0; References 13
Malwarebytes, added 2018/12/13 4:00 p.m., 62 views

Compromising vital infrastructure: the power grid

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due ...

AI score 6.7; Exploits 0
Securelist, added 2018/12/05 2:00 p.m., 77 views

APT review of the year

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them? Not an easy question to answer; everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them...

AI score 6.5; Exploits 0
Trellix, added 2018/11/08 12:00 a.m., 50 views

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs. Thomas Roccia · NOV 08, 2018. Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that mana...

AI score 0.6; EPSS 0.04022; Exploits 0
HackRead, added 2018/10/17 5:46 p.m., 41 views

GreyEnergy: New malware targeting energy sector with espionage

By Waqas. After BlackEnergy, critical infrastructure around the world is among the key targets of the new malware called GreyEnergy. In its recent research, ESET has revealed details of a new group of cybercriminals dubbed GreyEnergy, which seems to be the replacement for the BlackEnergy APT group. The...

AI score 1; Exploits 0
ThreatPost, added 2018/10/15 3:38 p.m., 88 views

NotPetya Linked to Industroyer Attack on Ukraine Energy Grid

The massive NotPetya ransomware outbreak that crippled organizations around the world last year turns out to have links to the Industroyer backdoor, which targets industrial control systems (ICS) and took down the Ukrainian power grid in Kiev in 2016. In fact, the same threat actor – dubbed TeleBot...

AI score 0.9; Exploits 0; References 1
Trend Micro Simply Security, added 2018/07/12 1:10 p.m., 21 views

The Aurora Power Grid Vulnerability and the BlackEnergy Trojan

At recent Industrial IoT security briefings, the Aurora vulnerability has come up repeatedly. Attendees ask, “Is our country’s power grid safe? How can we protect the grid? What is Aurora?” This post provides a look at Aurora, and the BlackEnergy attack that can exploit Aurora. In March 2007, the...

AI score 0.1; Exploits 0
Schneier on Security, added 2018/06/11 11:19 a.m., 58 views

Router Vulnerability and the VPNFilter Botnet

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats, from nation-states, criminals and hackers, that we should expect in coming year...

AI score 0.3; Exploits 0
ThreatPost, added 2018/06/06 9:21 p.m., 11 views

VPNFilter Malware Impact Larger Than Previously Thought

Researchers say the impact of the VPNFilter malware discovered last month is larger than originally reported. On Wednesday, Cisco Talos researchers said they now believe the malware has infected twice as many router brands as previously stated. They added that VPNFilter also delivers a mo...

AI score 7.4; Exploits 0; References 2
Securelist, added 2018/05/24 6:00 p.m., 62 views

VPNFilter EXIF to C2 mechanism analysed

On May 23, 2018, our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics. Some of the things which stand out about VPNFilter are: It has a redundant, multi-stage command and control mechanism which uses...

AI score 0.4; Exploits 0
The Hacker News, added 2018/05/24 9:59 a.m., 104 views

FBI seizes control of a massive botnet that infected over 500,000 routers

Shortly after Cisco released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack. Yesterday we reported about a piece ...

AI score 0.6; Exploits 0
ThreatPost, added 2018/05/23 4:48 p.m., 11 views

VPNFilter Malware Infects 500k Routers Including Linksys, MikroTik, NETGEAR

Malware called VPNFilter has infected 500,000 routers from brands including Linksys, MikroTik, NETGEAR and TP-Link that are mostly used in home offices. Researchers at Cisco Talos said they decided to warn the public of the threat despite the fact that the infected devices and malware are still under...

AI score 0.7; Exploits 0; References 1
Talos Blog, added 2017/07/05 11:22 a.m., 83 views

The MeDoc Connection

This post was authored by David Maynor, Aleksandar Nikolic, Matt Olney, and Yves Younan. Summary: The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Service...

AI score 7.8; Exploits 0
ThreatPost, added 2017/07/03 2:31 p.m., 11 views

Researchers Find BlackEnergy APT Links in ExPetr Code

Researchers have found links between the BlackEnergy APT group and the threat actors behind the ExPetr malware used in last month’s global attacks. According to researchers at Kaspersky Lab, there are strong similarities between older versions of BlackEnergy’s KillDisk ransomware and ExPetr...

AI score 7.4; Exploits 0; References 3