Storm-1874. The threat actor Microsoft tracks as Storm-1874 is a financially motivated cybercriminal group known for deploying BlackCat, BlackSuit, and Knight ransomware. In February 2024, Microsoft Threat Intelligence identified a Storm-1874 intrusion followed by deployment of BlackCat ransomware at organizations within the United States-based healthcare industry.

Vulnerability profile: CVE-2024-27198 and CVE-2024-27199 in JetBrains TeamCity. Versions of the JetBrains TeamCity build management server before 2023.11.4 are vulnerable to two authentication bypass flaws, CVE-2024-27198 and CVE-2024-27199. Disclosed in early March 2024, both vulnerabilities are rated critical.

Technique profile: Bring your own vulnerable driver. In a Bring Your Own Vulnerable Driver (BYOVD) attack, also known as Living Off The Land Drivers (LOLDrivers), a threat actor drops a legitimate, signed driver that contains an exploitable vulnerability onto a compromised system, then exploits that vulnerability with a separate malicious tool. This technique differs from the use of signed malicious drivers: the signed driver in a BYOVD attack was developed by a legitimate developer, whereas a signed malicious driver is developed by the threat actor.

Activity profile: Mango Sandstorm targets Israel-based organizations in high-volume phishing campaign. Since late February 2024, Microsoft has observed a high volume of activity attributed to Mango Sandstorm, an Iranian nation-state actor with ties to Iran’s Ministry of Intelligence and Security (MOIS). In a subset of this activity, Mango Sandstorm sent phishing emails to targets in the government and local government sectors in Israel.

Activity profile: Tax season-related campaigns. Every year, cybercriminals use holidays and important events as opportunities to leverage social engineering to try to steal information from targets. The tax filing season presents one such opportunity, and can result in financial information being stolen, identity theft, and monetary loss. Threat actors use various techniques to craft their campaigns and mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. These techniques include phishing emails, SMS phishing (smishing), malicious advertising, and voice phishing (vishing). Although these are well-known, longstanding techniques, they remain highly effective.

Tool Profile: NukeKhet. Since at least 2019, Ruby Sleet (formerly CERIUM) has used its custom NukeKhet malware as a backdoor following spear phishing attacks, primarily against South Korean targets in both the public and private sectors.

Actor profile: Luna Tempest. The actor Microsoft tracks as Luna Tempest (formerly Storm-0744) is a financially motivated cybercriminal group composed primarily of Western-based individuals focused on data theft and extortion. Luna Tempest relies on various social engineering techniques to gain access to a target.

CVE-2024-28916 vulnerability affects Gaming Services packages. CVE-2024-28916 is an escalation of privilege vulnerability affecting Gaming Services packages prior to version 19.87.13001.0, which are available for systems running Windows 10 or 11. A threat actor with privileges to create folders and performance traces on a compromised system could exploit the vulnerability to gain SYSTEM privileges.