Cyber Espionage & Data Exfiltration Attack Results from 3-Year Old Backdoor


Executive Summary This report is an overview of live espionage and data exfiltration resulting from a previously unknown backdoor that flew under the radar for over 3 years. The weapon? Spear phishing with official-looking documents targeting government employees. The target? A Southeast Asian government. There is medium-to-high-confidence that the Chinese APT group “SharpPanda” is behind […]

New NOBELIUM Campaign Focuses on Phishing


Executive Summary This report is about a new malware campaign by a foreign adversarial nation-state threat actor recently being referred to as NOBELIUM. The threat actor has gained prominence for its involvement in the SolarWinds supply chain attack. This new campaign focuses on phishing using a sophisticated toolset. Tactics, Techniques, and Procedures NOBELIUM seems to […]

Flash Notice: VMware Discloses Critical vCenter Server Vulnerabilities – PATCH IMMEDIATELY

Darkside Ransomware

Overview Details: On May 25, 2021, VMware released a new critical security advisory, VMSA-2021-0010 (CVE-2021-21985 & CVE-2021-21986), affecting vCenter Server 6.5, 6.7, and 7.0. These vulnerabilities could allow a malicious actor to gain access to vCenter by exploiting the vSAN plugin, even if vSAN is not currently in use. VMware has also made improvements to the vCenter Server plugin […]

Malware Campaign Utilizes Microsoft Executable MSBuild


Overview of TIR-20210516 This report is about a malware campaign using a well-known Microsoft executable called MSBuild to propagate in a file-less manner. The type of malicious software being used are remote access tools (RATs) and information stealers. This kind of attack uses a living of the land binary (LOLBin) strategy while operating completely in […]

FiveHands Ransomware Overview


Overview of the FiveHands Ransomware Variant This report is an overview of the FiveHands Ransomware variant that successfully attacked an organization (CISA release date May 6, 2021). CISA reports that the variant used publicly-available pen test and exploitation tools—plus FiveHands ransomware and SombRAT remote access trojan (RAT)—to steal information, obfuscate files, accomplish network discovery, accomplish […]

Overview of the BadAlloc Vulnerabilities


Overview of TIR-20210502 This report is an overview of a series of vulnerabilities discovered by Microsoft’s Section 52 research team, which they have labeled “BadAlloc”. More than 25 critical memory allocation vulnerabilities affecting various consumer, industrial and medical IoT and OT devices have been identified. Successful exploitation of these vulnerabilities may give a malicious actor […]

Dell BIOS Driver Privilege Escalation Flaws

Summary of Dell Computer BIOS Driver Privilege Escalation Flaws May 4, 2021 Our Technology Partner SentinelOne announced today that hundreds of millions of Dell Computers (desktops, laptops, notebooks, and tablets), could be vulnerable to a BIOS Driver Privilege Escalation Flaw.  SentinelLabs discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets.  Attackers may exploit these vulnerabilities to […]

Exploitation Campaign by Two Threat Actor Groups Affects Pulse Secure


CVE-2021-22893 Overview This report is about the exploitation campaign affecting the Pulse Secure vpn appliance by two different threat actor groups. Successful exploitation of the vulnerability CVE-2021-22893 and some older software bugs provides the bad actor with the ability to gain legitimate privileged access to the network remotely. The two groups involved in this campaign […]

Clop Ransomware (TIR-20210419)


Overview of Clop Ransomware This report is an overview of the Clop ransomware. Discovered in February of 2019, a recent increase in Clop attacks have been noticed by cyber security researchers. Notably, in March of 2021 the actor behind Clop attacked the well-known security firm Qualys, with the intention of leaking customer data. Palo Alto’s […]