Tag: Credential Harvesting
-

Iranian Seedworm Group Infiltrates South Korean Tech Titan in Global Espionage Surge
The Iranian threat collective Seedworm maintained a clandestine presence within the infrastructure of a prominent South Korean electronics manufacturer for nearly a week. During this tenure, the adversaries systematically harvested telemetry, purloined credentials, and exfiltrated sensitive files via a ubiquitous document-sharing platform utilized by millions globally. The campaign afflicted at least nine organizations across nine…
-

Checkmarx Fails Again: TeamPCP Hijacks Jenkins Plugin to Harvest Developer Credentials
Unidentified adversaries have subverted the Checkmarx plugin for Jenkins, embedding deleterious code designed for credential exfiltration. This incursion represents the latest installment in a persistent series of software supply chain attacks orchestrated by the collective known as TeamPCP. Jenkins is utilized by thousands of enterprises to automate the compilation, testing, and deployment of software. The…
-

The Invisible Navy: SideWinder’s New Cloud-Based Strategy for Striking South Asian Defense Forces
The SideWinder threat actor has markedly pivoted its strategic methodology, forsaking traditional infrastructure in favor of a clandestine approach. Rather than leasing dedicated servers, the group has orchestrated an expansive operation leveraging legitimate cloud platforms to masquerade as benign services. This shift has facilitated covert incursions into military and governmental entities across South Asia while…
-

Beyond the Active Session: Hunting Offline Secrets with ProfileHound’s New Graph Edge
ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called HasUserProfile which determines if a user profile exists on a computer. This edge allows operators to make informed decisions about which computers to target for looting…
-

The CanisterWorm Catalyst: How a Compromised Vulnerability Scanner Set the NPM Ecosystem Ablaze
A singular assault upon a developer instrument escalated within a mere twenty-four hours into a catastrophic chain reaction, enveloping scores of projects. Initially, the malefactors breached the ubiquitous Trivy vulnerability scanner, seamlessly weaving credential-harvesting code into its architecture; subsequently, weaponizing these purloined accesses, they commenced the proliferation of venomous packages across the NPM ecosystem. On…
-

The Trojan in the Sidebar: How an Abandoned App Turned the Official Microsoft Store into a Phishing Engine
Researchers have documented the inaugural instance of a deleterious Microsoft Outlook extension proliferating through the official Office Add-in Store. The focal point of this incursion is AgreeTo, a legacy scheduling utility. While the original developers bear no culpability, the abandonment of the project allowed an adversary to commandeer the linked subdomain and transmute the add-in into…
-

Virtual Sabotage: How Attackers Weaponized SolarWinds Help Desks to Hide Malware Inside QEMU
The Microsoft Defender threat intelligence team has documented a series of substantiated offensives targeting internet-facing SolarWinds Web Help Desk instances. Adversaries weaponized these vulnerable help desk servers as a primary point of ingress, subsequently intensifying their penetration into the internal infrastructure in a concerted bid to seize dominion over critical domain nodes. According to Microsoft…
-

MatrixPDF: New Toolkit Turns Ordinary PDFs Into Interactive Phishing Lures That Bypass Gmail
Researchers at Varonis have reported the emergence of a new toolkit named MatrixPDF, which enables attackers to transform ordinary PDF files into interactive phishing lures. These maliciously crafted documents can bypass email security filters and redirect victims to credential-harvesting websites or malware download pages. MatrixPDF was first observed on a cybercriminal forum, where its creator…
-

RemoteMonologue: New Windows Technique Weaponizes DCOM for NTLM Credential Harvesting
RemoteMonologue is a Windows credential harvesting technique that enables remote user compromise by leveraging the Interactive User RunAs key and coercing NTLM authentications via DCOM. Features: Authentication Coercion via DCOM (-dcom): targets three DCOM objects (ServerDataCollectorSet, FileSystemImage, UpdateSession) to trigger an NTLM authentication against a specified listener (-auth-to). Credential Spraying (-spray): validate credentials across multiple systems while…
