Author name: William Thomas

SolarWinds Saga – Where Do We Stand?

The investigation into the SolarWinds supply-chain attack continues apace. In this follow-up to our previous blog published in the immediate aftermath of the attack (see here), we cover some of the major discoveries concerning what is quickly becoming one of the costliest cyberattacks in history, both monetarily and in terms of intelligence lost. The current […]

Credential harvesting campaign targets government, military, and private sector organisations

Cyjax analysts have uncovered a mass credential harvesting campaign targeting a wide range of sectors, including government, military, law enforcement, healthcare, finance, technology, manufacturing, and energy. Key campaign attributes Malicious use of the SendGrid email marketing service to distribute URLs to the landing pages. Phishing emails leverage an image with an embedded URL that masquerades

Cyjax’s Top 10 of 2020

2020 has seen a wide range of attacks and the evolution of the threat landscape. Ransomware attacks have dominated the headlines, alongside state-sponsored APT groups targeting the global COVID-19 response effort. New threat actors have emerged, and well-established groups have persisted undeterred, using upgraded tactics, techniques, and procedures (TTPs). #1 Global malicious email campaigns Throughout

Gone Phishin’ – Cybersecurity presentation with William Thomas

On 30 October, Cyjax analyst William Thomas presented his talk on the phishing threat landscape at BeerCon2: Rise of the Rookie. The presentation was wide-ranging and included an exploration of threat actors leveraging the cloud to support delivery, bypassing defence mechanisms, and the top-tier threats in this ecosystem. Will’s talk can be found on the

Office 365 credential-harvesting campaign leveraging Basecamp

Cyjax analysts recently uncovered an Office 365 credential-harvesting campaign that masquerades as “A Message from Your CEO”. The delivery system leveraged in these attacks uses multiple techniques to bypass secure email gateways (SEG), one of which has surfaced again in a BazarLoader infection chain. This technique is effective because Basecamp and Google Cloud hosting are

Credential harvesting campaigns target governments and cybersecurity companies

Threat analysts at Cyjax have uncovered multiple mass credential harvesting campaigns that have recently been targeting cybersecurity companies, government entities, and organisations in a range of other sectors. Reverse engineering these campaigns revealed the attacker’s infrastructure and stolen data store. Throughout July and August 2020, we detected two separate credential harvesting campaigns targeting accounts for
