October IOC highlights
XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability
Tech support browser lockers remain one of the most common web threats. A slightly unusual campaign has now been running for several weeks: the threat actors rely on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is notable because it involves several layers of deception, including the abuse of a cross-site scripting (XSS) vulnerability on a popular website, so that the redirect passes through a domain visitors have no reason to distrust.
[511 IOCs] Learn more >
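The redirect step that the XSS item above describes is, in the general case, a trusted site writing attacker-controlled input into a navigation sink. The following is an added example, not code from the page or from the affected website: a hypothetical login page on `example.test` that honours a `?next=` parameter, shown first as the vulnerable pattern and then hardened to accept only same-origin http(s) targets. The origin, parameter name and scam host are all assumptions made for illustration.

```javascript
// Added example (not from the page or any vendor report): a DOM-based
// redirect sink of the kind a browser-locker campaign can abuse by seeding
// links to a trusted site, beside a hardened replacement.
// example.test, the `next` parameter and scam.example are hypothetical.

const SITE_ORIGIN = 'https://example.test'; // hypothetical trusted site

// Vulnerable pattern: the value of ?next= goes straight into the location
// sink. A crafted link such as
//   https://example.test/login?next=https://scam.example/browlock
// bounces a visitor who trusts example.test onto the locker page, and a
// javascript: URL in the same parameter executes script in the site's
// origin (the XSS case).
function vulnerableRedirectTarget(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get('next') || '/';
}

// Hardened pattern: resolve the target against the site's own origin and
// accept it only if it still lands on that origin with an http(s) scheme.
// Returns the absolute URL to navigate to, or the site root on rejection.
function safeRedirectTarget(queryString, origin = SITE_ORIGIN) {
  const params = new URLSearchParams(queryString);
  const next = params.get('next') || '/';
  const siteRoot = origin + '/';
  let resolved;
  try {
    resolved = new URL(next, origin); // relative paths resolve onto origin
  } catch {
    return siteRoot;                  // unparsable input
  }
  // Absolute and protocol-relative (//host) URLs resolve to a foreign
  // origin; javascript: and data: resolve to a non-http scheme. The
  // userinfo trick (https://example.test@scam.example/) and backslash
  // variants also end up with a foreign host after parsing.
  if (resolved.origin !== new URL(origin).origin) return siteRoot;
  if (resolved.protocol !== 'https:' && resolved.protocol !== 'http:') return siteRoot;
  return resolved.href;
}

// Where the sink is used in the page:
//   window.location.assign(safeRedirectTarget(window.location.search));
```

The hardened version deliberately rebuilds the URL with the platform parser rather than pattern-matching the raw string: host-spoofing forms such as `https://example.test@scam.example/` or `\\scam.example` are normalised by the parser into their real destination before the origin comparison runs.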
MosaicRegressor malware found hiding inside UEFI
A compromised UEFI firmware image was found to contain a malicious implant, which served as a means to deploy additional malware on victims' computers. This is the second known public case of malicious UEFI firmware used by a threat actor being found in the wild. The few victims targeted by this kind of attack include diplomatic entities and NGOs in Africa, Asia and Europe.
[68 IOCs] Learn more >
Purple Fox EK: New CVEs, Steganography, and Virtualization Added to Attack Flow
In recent weeks there has been a spike in attempts to attack vulnerable versions of Internet Explorer by actors leveraging the Purple Fox exploit kit. Purple Fox has been updated to use two recent Windows privilege escalation vulnerabilities, CVE-2020-1054 and CVE-2019-0808, through publicly available exploit code. The operators have also changed their attack flow in ways that better circumvent firewall protections and some detection tools.
[40 IOCs] Learn more >
They’re back: inside a new Ryuk ransomware attack
After a long period of quiet, a new spam campaign linked to the Ryuk actors has been identified. The investigated campaign marks the return of Ryuk with minor modifications to the ransomware itself, and also shows an evolution of the tools used to compromise targeted networks and deploy it. The tactics exhibited by the Ryuk actors in this campaign demonstrate a clear shift away from the malware that had been the basis of most Ryuk attacks last year, Emotet and Trickbot.
[23 IOCs] Learn more >