Threat Intelligence - RH-ISAC Blog

Executive Summary On March 29, 2024, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor, tracked as CVE-2024-3094, found in the latest XZ Utils data compression tools and libraries. Red Hat has warned all users to discontinue any usage of Fedora 41 of Fedora Rawhide for work or personnel use and has…

Executive Summary Security firm Phylum has discovered and reported an automated typosquatting attack campaign recently detected on March 26, 2024, which targeted popular Python libraries hosted on the Python Package Index (PyPI) page. Attackers deployed over 500 typosquatted variations of well-known libraries like TensorFlow, BeautifulSoup, requests, requirements, and others. These variations were designed to mimic legitimate package names but…

Executive Summary Researchers from Sekoia have released a report  detailing an October 2023 discovery and subsequent analysis of a new Adversary-in-The-Middle (AiTM) phishing kit linked to the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which had been active since at least August 2023. The latest version of Tycoon 2FA features enhanced stealth capabilities, potentially lowering detection rates by security products. Sekoia’s…

Executive Summary The Checkmarx Research team has reported a sophisticated campaign which is targeting software supply chains and resulting in successful exploitation of multiple GitHub users. Key targets included the Top.gg GitHub organization, which claims to have over 170,000 users, and individual developers on the code publishing platform. The attackers employed various novel tactics, including account takeover via…

On March 21, 2023, Mandiant researchers reported their latest technical details detailing a campaign exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect, which they attribute to the Chinese state-sponsored actor known as UNC5174. Community Impact Assessment Due to the widespread use of F5 BIG-IP and ScreenConnect across global regions and industries, the RH-ISAC intelligence team…

Executive Summary Security researchers from TeamT5 have released their latest findings detailing CVE-2023-29300, a JAVA deserialization vulnerability resulting in arbitrary code execution. At least 66 devices in Japan have already been compromised via CVE-2023-29300, affecting various sectors such as healthcare, education, and manufacturing. Threat actors, including cyber-criminals and state-sponsored groups such as China-nexus APT group SLIME13 (known as Flax…

On March 18, 2024, Perception Point researchers published the technical details of a phishing campaign leveraging Microsoft Office document templates for execution and obfuscation to deliver NetSupportRAT to corporate targets based in the United States. Community Impact According to the most recent RH-ISAC Intelligence Trends Summary, Microsoft-related phishing reporting fell slightly, remains a top threat…

On March 5, 2023, Zscaler researchers reported details of a sophisticated phishing campaign they attribute to a single threat actor, leveraging fake meeting invitations for popular video conference tools to spread remote access trojans (RATs). Community Impact The RH-ISAC intelligence team assesses that this and similar campaigns constitute a moderate threat to the RH-ISAC community….

Executive Summary The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform, the largest pharmacy payment exchange platform. This declaration of responsibility, which has since been removed on the BlackCat/ALPHV’s facing site, come as the United States…

An international law enforcement operation led by Britain’s National Crime Agency and the United States Federal Bureau of Investigations has arrested and indicted two members of the LockBit ransomware gang and seized significant portions of its internal infrastructure. Several components of LockBit services are still operational, including its data sharing component, which publishes data of victims who fail to pay. Community…