Dell SecureWorks Counter Threat Unit researchers have found that threat groups victimizing a particular vertical today may infiltrate new verticals tomorrow. Organizations should never dismiss the threat from groups that seem to only target other industries and should have thorough plans and mitigation strategies in place.
Dell SecureWorks Counter Threat Unit™ (CTU) researchers analyzed a stealthy malware family named Stegoloader that has been active since at least 2013 and yet is relatively unknown. It has been distributed through software piracy websites, bundled with software license key generators.
Dell SecureWorks CTU researchers responded to an intrusion perpetrated by Threat Group-1314 (TG-1314), one of numerous threat groups that employ the “living off the land” technique to conduct their intrusions. Detecting threat actors who are “living off the land,” using credentials, systems, and tools they collect along the way instead of backdoors, can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses, domains, and protocols.
Prioritizing resources and effort to improve the overall security posture and incident readiness of any organization is an arduous but necessary task. No organization has unlimited funds and resources; in fact, the truth is quite the opposite. Fully exploiting threat intelligence can help IT professionals make decisions about best utilizing available resources. With respect to […]
ZeroAccess (also known as Sirefef) is a peer-to-peer (P2P) botnet for perpetrating advertising click-fraud. It was disrupted by law enforcement in December 2013. The Dell SecureWorks Counter Threat Unit™ (CTU) research team observed the botnet reactivate from March 21, 2014 until July 2, 2014. On January 15, 2015 at 7:58 pm EST, the botnet again […]
During an incident response engagement, Dell SecureWorks Counter Threat Unit™ (CTU) analysts observed lateral movement activities conducted by the adversary to establish a solid foothold within the compromised infrastructure. A remote access trojan (RAT) was copied to and installed on multiple systems as a Windows service, and was then executed via a scheduled task. Each […]
The media has reported that several companies in the past year have suffered significant security breaches, as a result of hackers compromising companies’ third party vendors. Instead of going after large organizations directly, some threat actors are opting to target smaller, third party vendors who do business with the larger companies. The criminals are hoping these third party vendors will have fewer security protections in place. If the hackers are able to break into one of these vendors, get their hands on the credentials the vendor uses to access the larger company’s network and successfully use those credentials, then the criminals have just gained their initial foothold into the target company— all under the guise of a trusted partner. From there, the hackers might go after valuable trade secrets and Intellectual Property, customer credit and debit card data, or Personal Identifiable Information for Employees and Customers (names, addresses, social security numbers, email addresses and phone numbers).
On September 24, 2014, the Bash command injection vulnerability described by CVE-2014-6271 was publicly disclosed. The Dell SecureWorks Counter Threat Unit™ (CTU) research team released a set of countermeasures to its iSensor devices (Dell SecureWorks’ proprietary Intrusion Protection/Detection systems) to address this vulnerability, as well as related vulnerabilities that were identified in the following days. As of Monday, September 29, 2014, Dell SecureWorks iSensor devices repelled more than 140,000 scanning and exploit attempts.
Dell SecureWorks Counter Threat Unit™ (CTU) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 (TG-0416) . Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client’s infrastructure. TG-0416 is a stealthy and extremely successful Advanced Persistent Threat (APT) group known to target a broad range of verticals since at least 2009, including technology, industrial, manufacturing, human rights groups, government, pharmaceutical, and medical technology.
Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.