Trend Micro: Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
Trend Micro provides a case study in which the attacker used social engineering via a Microsoft Teams call, impersonating one of the user's clients, to gain remote access to their system. The attacker failed to install the Microsoft Remote Support application but successfully instructed the victim to download AnyDesk 😂. DarkGate malware was deployed to the machine and persistence was established, but the attack was stopped. Trend Micro shares the infection chain and post-infection actions for security awareness. Indicators of compromise are provided.
tags: #china #cisa #cti #cybercom #cyberespionage #cybersecurity #cyberthreatintelligence #dod #infosec #nsa #salttyphoon #threatintel
to: https://infosec.exchange/users/nattothoughts
U.S. Department of Defense: Cyber Command Chief Discusses Challenges of Getting Intel to Users
A generic-looking press release revealed additional information about the Salt Typhoon hack:
- "the Chinese government led hack aimed at North America and Southeast Asian targets."
- "The hack — discovered by Microsoft"
- "is just one part of China's global cyber program"
- The agency did send out cyber security advisories in 2022 "that laid out this exact series of things that we had observed overseas,"
I don't know about you, but this is my first time hearing confirmation of Southeast Asian victims from a government official, that it was discovered by Microsoft (obvious in hindsight), and that there were early indicators and warnings (I&W) since 2022. cc: @nattothoughts
Rapid7: Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Rapid7 reports a resurgence of activity from Black Basta ransomware operators in early October 2024, with new malware payloads, improved delivery, and increased defense evasion. They provide a technical analysis of the attack lifecycle. Indicators of compromise are provided in their GitHub repo, and TTPs are mapped to MITRE ATT&CK.
Rapid7: Investigating a SharePoint Compromise: IR Tales from the Field
Rapid7 provides a case study of a compromised Microsoft Exchange service account with domain administrator privileges. They assessed that the initial infection vector was CVE-2024-38094 (CVSS 7.2, high), a Microsoft SharePoint remote code execution vulnerability. Seeing how this CVE was added to CISA's KEV Catalog only 8 days ago, it is very likely that Rapid7 fed CISA the KEV information via backchannels. They describe the attacker's tactics, techniques, and procedures (TTPs). Indicators of compromise are provided.
tags: #cti #cybersecurity #cyberthreatintelligence #infosec #ioc #princeransomware #ransomware #royalmail #secdbg #threatintel #thunderkitty
to: https://mastodon.social/users/selenalarson
Proofpoint: Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
Proofpoint reported on a Prince ransomware campaign impersonating the British postal carrier Royal Mail that occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to have originated via contact forms posted on the target organizations' websites, indicating the actor does not exclusively target organizations directly via email but also through public contact forms. Proofpoint notes that there is no decryption mechanism or data exfiltration, so the end result is destructive rather than typical ransomware. They describe the campaign details (from infection to ransom note) and include a bit about the ransomware creator SecDbg having a paid infostealer version called ThunderKitty. Proofpoint does not attribute this activity to a tracked threat actor. Indicators of compromise are provided.
Shoutout to @selenalarson for the awesome post