Researchers discovered a new phishing campaign that abuses QR codes to redirect targets to phishing landing pages, effectively circumventing security solutions and controls designed to stop such attacks in their tracks.

The crooks behind the phishing attacks, which targeted French Cofense customers, used a URL encoded in a QR code to circumvent security software that analyzes and blocks suspicious or blacklisted domains. The phishing emails were camouflaged as a SharePoint email with a “Review Important Document” subject line and a message body inviting potential victims to “Scan Bar Code To View Document.”


In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.



  • Earlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that has been underway for years, soon after deploying into the environment.
  • Cybereason spotted the attack and later supported the telecommunications provider through four more waves of the advanced persistent attack over the course of 6 months.
  • Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.
  • The attack was aiming to obtain CDR records of a large telecommunications provider.
  • The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.
  • The tools and TTPs used are commonly associated with Chinese threat actors.
  • During the persistent attack, the attackers worked in waves, abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.


Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple’s macOS Gatekeeper security feature, details and a PoC for which were publicly disclosed late last month.

The Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the Gatekeeper bypass vulnerability to execute untrusted code on macOS without displaying any warning to users or asking for their explicit permission.

However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild as of now and appears to be under development. Though the samples leverage the unpatched Gatekeeper bypass flaw, they do not download any malicious app from the attacker’s server.

According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”

“One of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.

However, since the malware sample links to a remote server from which it downloads the untrusted app, attackers can also distribute the same samples to real targets by merely replacing the defined sample app with a malware app on their server.

Ryuk ransomware is a cryptovirus that targets companies with large ransom demands to make more profit from one attack. However, ransomware can also affect everyday users and corrupt or delete their data. You need a thorough system scan to terminate the malware in time.

Ryuk is a ransomware virus that has already attacked and encrypted data from several companies, data centers, and PCs. According to numerous speculations, the virus hails from the same family as Hermes ransomware, which is attributed to the infamous Lazarus group. Once it gets into the system, Ryuk ransomware encrypts systematically selected data and makes it unavailable for use. Additionally, it generates a RyukReadMe.txt ransom note on the desktop and in all folders that can be found on the victim’s computer. It urges the victim to transfer a huge ransom (the ransom fee varies from 15 BTC to 50 BTC, depending on the amount of encrypted data) via a provided Bitcoin wallet. Ryuk ransomware returned to the headlines after performing several attacks during the Christmas period, including one on a cloud hosting provider. This new version has been named RYK ransomware due to the file extension appended. However, note that it has alternatively been called Cryptor2.0.


Security researchers tracking activities of various nation-state cyber-espionage groups found evidence suggesting that the Turla group hijacked the infrastructure of OilRig hackers to compromise a target both actors were interested in.

Turla is a Russian-backed advanced threat actor also known by the names Waterbug, Snake, WhiteBear, VENOMOUS BEAR, and Krypton. It focuses on cyber-espionage, with a diverse set of victims, from the military and the government sector to education and research entities.

Also known by multiple names (Crambus, APT34, HelixKitten), OilRig is linked to the Iranian government and engages in the same type of espionage activities. Its victims are typically from government agencies and companies from the Middle East.
