In late October, the operators of the REvil (also known as Sodinokibi) ransomware announced they were shutting down their operations due to an infrastructure compromise. Subsequently, it was confirmed that this compromise was conducted as part of a joint operation by multiple law enforcement and intelligence agencies from various countries. The initial takedown of REvil …
Mercenary advanced persistent threat (APT) groups, sometimes called “hackers-for-hire” – and dubbed private-sector offensive actors (PSOAs) by Microsoft – have become a significant part of the threat landscape in recent years. These cyber-soldiers of fortune have been executing increasing numbers of attack campaigns for their clients, usually nation-states, that are looking for surveillance capabilities. Not …
This month saw the return of the REvil ransomware group (also known as Sodinokibi). The group’s infrastructure went offline in July, soon after their high-profile supply-chain attack targeting Kaseya. At the time, it was unclear if this was a voluntary decision or stemmed from a potential operation by law enforcement entities. However, the group’s infrastructure …
The “Agreement for bringing peace in Afghanistan”, signed by the Taliban and the US on 29 February 2020, paved the way for a ceasefire between conflicting parties in Afghanistan and opened the door for the withdrawal of US and NATO troops from Afghan soil. As part of the agreement, the Taliban pledged to undertake a …
Leaving Afghanistan: China and Russia take new world leadership role Read More »
The most significant ransomware attack in July was the Kaseya attack conducted by the REvil (also known as Sodinokibi) ransomware group. The REvil operators exploited a 0day vulnerability in Kaseya’s VSA servers to bypass authentication measures and perform arbitrary code execution. Notably, this vulnerability had already been privately disclosed to Kaseya, though it remains unclear …
On 12 May, the FBI Cyber Division issued a TLP:WHITE Private Industry Notification. This concerned a spear-phishing campaign distributing messages that masqueraded as financial institutions to push fake Windows apps containing remote access Trojans (RATs). The most recent attack impersonated a US-based financial institution to target an American renewable energy company. The spear-phishing email referenced …
Cyjax has partnered with Security Magazine to bring you a monthly Cybersecurity and Geopolitical vodcast hosted by Chief Information Security Officer (CISO) of Cyjax, Ian Thornton-Trump, and Tristan de Souza (Editor and Head of Communications), in which they ruminate on the enmeshing of cybersecurity and geopolitics and the new challenges and intriguing flashpoints these bring to enterprise …
Cybersecurity and Geopolitical Vodcast (in partnership with Security Magazine) Read More »
The investigation into the SolarWinds supply-chain attack continues apace. In this follow-up to our previous blog published in the immediate aftermath of the attack (see here), we cover some of the major discoveries concerning what is quickly becoming one of the costliest cyberattacks in history, both monetarily and in terms of intelligence lost. The current …
Cyjax analysts have uncovered a mass credential harvesting campaign targeting a wide range of sectors, including government, military, law enforcement, healthcare, finance, technology, manufacturing, and energy. Key campaign attributes Malicious use of the SendGrid email marketing service to distribute URLs to the landing pages. Phishing emails leverage an image with an embedded URL that masquerades …
There has been much debate in the cybersecurity world about the ethics and efficacy of ransomware payments. For many, the solution is simple: do not pay ransoms. Much like negotiating with terrorists, the logic suggests that paying ransomware operators encourages further attacks, sustaining the market, and perpetuating the cycle of compromise. If everyone refused to …
