Google C2 RAT POC - A public proof of concept demonstrates a covert command-and-control (C2) channel that tunnels tasking and results through Google Calendar, so the traffic blends in with legitimate Google API use. The POC is reportedly the subject of underground chatter and could be adopted in real-world attacks
BlueNoroff - Jamf discovered a post-exploitation implant attributed to BlueNoroff, the DPRK-sponsored subgroup of the Lazarus Group, as part of the campaign dubbed "RustBucket". The campaign targets macOS users in the cryptocurrency sector, exchanges and financial services for financial gain
Sberbank - Russian financial services giant Sberbank was hit by a DDoS attack, Interfax reported on 9 November. The attack took place on 30 October and peaked at about 1M requests per second (RPS) against the bank's website, causing downtime
Chinese Espionage - Palo Alto Networks Unit 42 reported that telemetry on malware infrastructure linked to China-sponsored threat actors shows inbound connections from 24 Cambodian government organizations. Those organizations may have been compromised as part of a long-term espionage campaign
Russian Cyber Warfare - Mandiant (Google Cloud) research indicates that the Russian GRU-linked Sandworm has evolved its TTPs to target industrial control systems (ICS) and operational technology (OT) in the context of the war in Ukraine. The actor was observed relying heavily on living-off-the-land techniques to disrupt the targeted SCADA systems before deploying CaddyWiper for destructive purposes
Iran-Nexus Agrius - Palo Alto Networks Unit 42 reported increased offensive activity against Israeli educational organizations, attributed to the Iran-linked Agrius group. The attacks combine information theft with destructive actions; the initial access vector is consistent with exploitation of vulnerabilities in internet-facing web servers
APT35 - CrowdStrike examined a number of events from October 2023 and assessed that the Iran-nexus APT35 (a.k.a. Imperial Kitten) has been escalating activity across the Middle East, particularly against Israeli organizations in the transportation, logistics and technology sectors. The attacks rely on social engineering, notably job recruitment-themed phishing lures. The actor deploys IMAPLoader, a malware family that fingerprints victim systems using native Windows utilities and acts as a downloader for additional payloads
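The "fingerprinting with native Windows utilities" behaviour described above is detectable independently of the loader itself, because a single parent process that spawns several distinct discovery utilities within seconds is unusual for interactive users. The following is an added example, not code from the page or from CrowdStrike: it scans process-creation events (Sysmon Event ID 1 style, constructed here) and flags such bursts. The list of discovery utilities, the window size and the sample events are assumptions; the report does not enumerate the exact binaries IMAPLoader runs.

```python
# Added example (not from the page or CrowdStrike): detect a parent process that
# runs several distinct native discovery utilities within a short time window.
# Utility list, thresholds and sample events are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Native Windows utilities commonly abused for host fingerprinting (assumed list).
DISCOVERY_UTILS = {
    "systeminfo.exe", "whoami.exe", "ipconfig.exe", "tasklist.exe",
    "net.exe", "nltest.exe", "hostname.exe",
}

# Constructed sample events: (timestamp, parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("2023-10-12T09:14:01", r"C:\Users\u\AppData\Local\Temp\resume.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2023-10-12T09:14:02", r"C:\Users\u\AppData\Local\Temp\resume.exe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("2023-10-12T09:14:03", r"C:\Users\u\AppData\Local\Temp\resume.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2023-10-12T09:14:05", r"C:\Users\u\AppData\Local\Temp\resume.exe", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    # Benign-looking admin activity: two utilities, half an hour apart.
    ("2023-10-12T10:30:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd"),
    ("2023-10-12T10:31:00", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    ("2023-10-12T11:00:00", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_discovery_bursts(events, window=timedelta(seconds=60), min_distinct=3):
    """Return [(parent_image, first_timestamp, {utilities})] for every parent that
    launched at least `min_distinct` different discovery utilities within `window`."""
    by_parent = defaultdict(list)
    for ts, parent, image, _cmd in events:
        if basename(image) in DISCOVERY_UTILS:
            by_parent[parent].append((datetime.fromisoformat(ts), basename(image)))

    hits = []
    for parent, runs in by_parent.items():
        runs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(runs):
            # Distinct utilities launched in [t0, t0 + window].
            seen = {name for t, name in runs[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits.append((parent, t0, seen))
                break  # one alert per parent is enough
    return hits


if __name__ == "__main__":
    for parent, first_seen, utils in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{first_seen.isoformat()} {parent}: discovery burst {sorted(utils)}")
```

On the constructed sample only the dropper from the temp directory is flagged; the cmd.exe activity is ignored because its two discovery commands fall outside the window. In production, feed the function real process-creation telemetry and tune the window and threshold per environment, since help-desk scripts can legitimately produce similar bursts.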
SysAid Vulnerability - CVE-2023-47246 in SysAid on-premises software came under active exploitation, followed by deployment of Cl0p ransomware. Microsoft attributed the activity to the group it tracks as "Lace Tempest", whose operations overlap with TA505 / FIN11. SysAid has released a fix (version 23.3.36); on-premises customers should update and review their servers for signs of compromise
CPU-Z - Malwarebytes Labs discovered trojanized CPU-Z installers carrying the RedLine information stealer. They were promoted through abused Google ads that send users to an attacker-controlled site impersonating a Windows news outlet, from which the malicious installer is served
Anonymous Sudan - A large DDoS attack impacted Cloudflare's website, with users being diverted to a Google-themed page. Anonymous Sudan, believed to be a Russia-nexus group, claimed the attack via its Telegram channel
BlazeStealer - Checkmarx examined a campaign distributing a novel information stealer, dubbed "BlazeStealer", through malicious Python packages. The malware uses a Discord bot as part of the infection chain. The United States, China and Russia are the most targeted countries
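Malicious Python packages typically do their damage at install time, because setup.py runs arbitrary code the moment a developer types pip install. The following is an added example, not code from the page or from Checkmarx, of a static triage check a practitioner can run on a downloaded source distribution before installing it: it parses setup.py with the standard ast module and flags install-time execution patterns that legitimate packages rarely need. The heuristics, the name lists and the sample setup.py are assumptions for illustration, not BlazeStealer's actual code.

```python
# Added example (not from the page or Checkmarx): static triage of a package's
# setup.py for install-time code execution. Heuristics and sample are assumptions.
import ast

# Builtins that execute dynamically generated code.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
# Attribute calls typical of decode-and-run or download-and-run behaviour.
SUSPICIOUS_ATTRS = {"b64decode", "urlopen", "urlretrieve", "Popen", "system", "check_output"}
# Modules that have little business in a setup script.
SUSPICIOUS_MODULES = {"base64", "urllib", "requests", "subprocess", "socket", "ctypes", "discord"}
# setuptools command classes that, when subclassed, hook the install process.
INSTALL_HOOKS = {"install", "develop", "egg_info"}

# Constructed sample: a setup.py that decodes and executes a payload at install time.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))
        subprocess.Popen(["python", "-c", "import discord"])

setup(name="totally-fine-pkg", version="0.1", cmdclass={"install": PostInstall})
'''


def scan_setup_py(source):
    """Return a sorted list of (line_number, finding) for suspicious install-time behaviour."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.add((node.lineno, f"import of {node.module}"))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.add((node.lineno, f"import of {alias.name}"))
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"call to {func.id}()"))
            elif isinstance(func, ast.Attribute) and func.attr in SUSPICIOUS_ATTRS:
                findings.add((node.lineno, f"call to .{func.attr}()"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                if isinstance(base, ast.Name) and base.id in INSTALL_HOOKS:
                    findings.add((node.lineno, f"custom {base.id} command (cmdclass hook)"))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: {finding}")
```

Run it against the setup.py inside the sdist (pip download --no-binary :all: --no-deps PKG fetches the archive without installing it). Any finding is a reason to read the file by hand, not proof of malice; conversely, the check only sees syntax, so payloads assembled from string fragments or hidden behind a second-stage download from a Discord bot, as in the campaign above, still require dynamic analysis in a sandbox.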