Lucene search

84 matches found

EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2021-7197

Malicious code in bioql PyPI...

CVSS 7.8, AI score 8.1, EPSS 0.00322
Exploits: 0, References: 1
Microsoft Secure
added 2025/09/24 5:00 p.m., 6 views

Retail at risk: How one alert uncovered a persistent cyberthreat

In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing security compromises in the past year, the risks for businesses continue to increase...

CVSS 8.8, AI score 8.6, EPSS 0.74988
Exploits: 9
Packet Storm
added 2025/07/04 12:00 a.m., 116 views

Microsoft AutoUpdate Privilege Escalation

Microsoft AutoUpdate (MAU) suffers from a privilege escalation vulnerability. Titles: CVE-2025-47968-Core-Logic Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability Author: nu11secur1ty Date: 07/03/2025 Vendor: https://www.microsoft.com/en-us Software:...

CVSS 7.8, AI score 6.6, EPSS 0.01068
Exploits: 1
The Hacker News
added 2024/09/21 2:39 p.m., 40 views

Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a...

CVSS 10, AI score 10, EPSS 0.94457
Exploits: 57
The Hacker News
added 2024/07/10 1:06 p.m., 63 views

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of...

CVSS 7.5, AI score 8, EPSS 0.83808
Exploits: 4
Securelist
added 2024/04/22 10:00 a.m., 35 views

ToddyCat is making holes in your infrastructure

We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts th...

AI score 7.6
Exploits: 0
Securelist
added 2024/04/15 10:00 a.m., 24 views

Using the LockBit builder to generate targeted ransomware

The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks mo...

AI score 7.8
Exploits: 0
The Hacker News
added 2024/01/24 11:20 a.m., 49 views

Kasseika Ransomware Using BYOVD Trick to Disarms Security Pre-Encryption

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. The tactic allows...

AI score 8.1
Exploits: 0
Trend Micro Simply Security
added 2024/01/23 12:00 a.m., 23 views

Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver

In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware...

AI score 7.5
Exploits: 0
VulnCheck KEV
added 2024/01/16 12:00 a.m., 0 views

VulnCheck KEV: CVE-2021-1733

Sysinternals PsExec Elevation of Privilege Vulnerability...

CVSS 7.8, AI score 7.1, EPSS 0.00322
Exploits: 0, References: 1
The Hacker News
added 2024/01/09 1:45 p.m., 51 views

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe

Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. "The analyzed threat campaign appears to end in one of two ways, either the selling of 'access'...

AI score 8.2
Exploits: 0
Kitploit
added 2023/11/08 11:30 a.m., 32 views

Elevationstation - Elevate To SYSTEM Any Way We Can! Metasploit And PSEXEC Getsystem Alternative

Elevation Station: Stealing and Duplicating SYSTEM tokens for fun & profit! We duplicate things, make twin copies, and then ride away. You have used Metasploit's getsystem and SysInternals PSEXEC for getting system privs, correct? Well, here's a similar standalone version of that...but without the...

AI score 8.2
Exploits: 0, References: 1
The Hacker News
added 2023/08/09 4:20 a.m., 24 views

New Report Exposes Vice Society's Collaboration with Rhysida Ransomware

Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not sugge...

AI score 6.5
Exploits: 0
The Hacker News
added 2023/07/03 4:46 a.m., 19 views

BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising

Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Tre...

AI score 7.3
Exploits: 0
The Hacker News
added 2023/03/10 12:56 p.m., 3 views

When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About

Multi-factor Authentication (MFA) has long ago become a standard security practice. With a wide consensus on its ability to fend off more than 99% of account takeover attacks, it's no wonder why security architects regard it as a must-have in their environments. However, what seems to be le...

AI score 7.2
Exploits: 0
Talos Blog
added 2023/01/26 11:15 p.m., 17 views

What Old is New Again and What's Old is Me?

Welcome to this week's edition of the Threat Source newsletter. What's old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching … and maybe numbness in my legs? Yes, I am...

AI score 7.8
Exploits: 0
Talos Blog
added 2023/01/26 9:00 a.m., 19 views

Quarterly Report: Incident Response Trends in Q4 2022

Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries. By Caitlin Huey. Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed...

AI score 0.2
Exploits: 0
Talos Blog
added 2022/10/13 12:00 p.m., 42 views

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton. Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web...

CVSS 7.2, AI score 0.4, EPSS 0.88057
Exploits: 149
Talos Blog
added 2022/10/13 12:00 p.m., 42 views

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Contributions from Matt Thaxton. Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features...

CVSS 7.2, AI score 0.3, EPSS 0.88057
Exploits: 149
The Hacker News
added 2022/09/13 10:34 a.m., 29 views

Asian Governments and Organizations Targeted in Latest Cyber Espionage Attacks

Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide rang...

AI score 0.9
Exploits: 0