Attacks Targeting MS-SQL Servers Detected by AhnLab EDR
MS-SQL servers are one of the main attack vectors used when targeting Windows systems because they use simple passwords and are open publicly to the external Internet. Threat actors find poorly managed MS-SQL servers and scan them before carrying out brute force or dictionary attacks to log in with administrator
Distribution of DanaBot Malware via Word Files Detected by AhnLab EDR
Two types of malicious documents have been distributed via email recently: those exploiting the equation editor and those including external link URLs. This post will describe the infection flow of the DanaBot malware that is distributed through documents containing external links, the latter method, as well as the evidence
Initial Access to IIS Web Servers Detected by AhnLab EDR
In the modern Internet society, one can easily obtain information on devices all over the world connected to the Internet using network and device search engines such as Shodan. Threat actors can use these search engines to engage in malicious behaviors such as collecting information on attack targets or performing
Rhadamanthys Malware Disguised as Groupware Installer (Detected by MDS)
Recently, AhnLab SEcurity intelligence Center (ASEC) discovered the distribution of Rhadamanthys under the guise of an installer for groupware. The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines. ASEC Blog has previously covered
Infostealers Extorting Web Browser Account Credentials Detected by AhnLab EDR
Web browsers are some of the programs most commonly and frequently used by PC users. Users generally use browsers to look up information, send and receive emails, and use web services such as shopping. This is the case for both individual users and employees conducting business in companies. To use
Defense Evasion Techniques Detected by AhnLab EDR
Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions, but also firewalls, APT defense solutions, and products such as EDR. Even in general user environments without a separate organization responsible for security, most of them
Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed)
The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014, and have expanded their attacks to other countries since 2017 [1]. The group has mainly
Data Leak Detected by AhnLab EDR (vs. Ransomware Threat Actors)
Ransomware threat actors have been extorting money after taking control over organizations’ internal networks, distributing ransomware, encrypting systems, and holding system restoration for ransom. Recently, however, threat actors not only encrypt the systems but also leak internal data and threaten to expose it publicly if the ransom is not paid.
Account Credential-Stealing Malware Detected by AhnLab MDS (Web Browsers, Email, FTP)
For convenience, users frequently use the automatic login feature provided by programs like web browsers, email clients, and FTP clients. This allows programs to store user account credentials in their settings data. Therefore, despite being a convenient feature, this poses a security risk because threat actors are then able to leak
Various LSASS Credentials Dumping Methods Detected by EDR
AhnLab SEcurity intelligence Center (ASEC) has posted the blog article “Account Credentials Theft in Domain Environments Detected by EDR” [1], which discusses threat actors stealing account credentials after taking control over a system in an Active Directory environment. Among the account credential theft methods, this article will cover in detail