Mandiant | Breaking Cybersecurity News | The Hacker News

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG). "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst at GTIG, said in an email Monday. "We are now seeing incidents in the insurance industry. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers." Scattered Spider is the name assigned to an amorphous collective that's known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the ...

Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS . The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be used to create reverse shells and execute commands on infected endpoints," Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White said . The malware was first documented by Google-owned Mandiant in late March 2023, attributing its use to a threat actor it tracks as UNC961 . The activity cluster is also known by other names such as Gold Melody and Prophet Spider. The threat actor has been observed leveraging a huge arsenal of known security flaws in internet-facing applications to obtain initial access, followed by conducting reconnai...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970 , which it said overlaps with a threat group known as TEMP.Hermit , which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc). The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB). The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. "UNC2970 targets victims under the guise o...

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45 , which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Silent Chollima, and Stonefly. "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said . "APT45 has been the most frequently observed targeting critical infrastructure." It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau ...

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the as-yet-unclassified activity cluster under the name UNC5537 , describing it as a financially motivated threat actor. "UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims," the threat intelligence firm said on Monday. "UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums." There is evidence to suggest tha...

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia's Foreign Intelligence Service (SVR), which was responsible for  breaching SolarWinds and Microsoft . The findings come from Mandiant, which said  Midnight Blizzard  (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024. "This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the  typical   targeting  of  diplomatic missions ," researchers Luke Jenkins and Dan Black  said . WINELOADER was  first disclosed  by Zscaler ThreatLabz last month as part of a cyber espionage campaign that's believed to have been ongoing since a...

A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign. Google-owned Mandiant is  tracking  the activity under its uncategorized moniker  UNC5174  (aka Uteus or Uetus), describing it as a "former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations." The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug. Initial access to target environments is facilitated by t...

Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as  CVE-2023-41724 , the vulnerability carries a CVSS score of 9.6. "An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network," the company  said . The flaw impacts all supported versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal. It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for "their collaboration on this issue." Ivanti emphasized that it's not aware of any customers affected by CVE-2023-41724, and  added  that ...

At least two different suspected China-linked cyber espionage clusters, tracked as  UNC5325  and  UNC3886 , have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused  CVE-2024-21893  to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said. The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter. It's worth pointing out that  UNC3886  has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP. "UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication orga...

A financially motivated threat actor known as  UNC4990  is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy. Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics. "UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company  said  in a Tuesday report. "During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain." UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes. It's currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat ...

The compromise of Mandiant's X (formerly Twitter) account last week was likely the result of a "brute-force password attack," attributing the hack to a drainer-as-a-service (DaaS) group. "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy , we were not adequately protected," the threat intelligence firm  said  in a post shared on X. The attack, which took place on January 3, 2023,  enabled  the threat actor to take control of the company's X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK. Drainers refer to malicious scripts and smart contracts that facilitate the theft of digital assets from the victim's wallets after they are tricked into approving the transactions. According to the Google-owned subsidiary, multiple threat actors are believed to have leveraged CLINKSINK since December 2023 to siphon funds and tok...

American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam. As of writing, the  account has been restored  on the social media platform. It's currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to "@phantomsolw" to impersonate the Phantom crypto wallet service, according to  MalwareHunterTeam  and  vx-underground . Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to "change password please" and "check bookmarks when you get account back." Mandiant, a leading threat intelligence firm, was  acquired by Google  in March 2022 for $5.4 billion. It is now part of Google Cloud. "The Mandiant Twitter account takeover could have happened ...

The notorious Russian hackers known as  Sandworm  targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022. The findings come from Google's Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS). "The actor first used OT-level living-off-the-land ( LotL ) techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," the company  said . "Sandworm later conducted a second disruptive event by deploying a new variant of  CaddyWiper  in the victim's IT environment." The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, and the number of people who were impacted by the incident. The development marks Sandworm's  continuous...

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name  Imperial Kitten , and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc. The latest findings from the company build on prior reports from  Mandiant ,  ClearSky , and  PwC , the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems. "The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike  said  in a technical report. "Its activity is characterized by its use of social engineering, particularly job recrui...

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group  Gold Melody , which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers," the cybersecurity company  said . "The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption." Gold Melody has been  previously   linked  to  attacks  exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), ...