Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group has long been attacking various software products used by South Korean companies [1]. Notable targets include asset management solutions and data loss prevention (DLP) solutions, and vulnerability exploitation cases have also been identified in various other solutions. Attack cases by the Andariel group are continuing in

Weekly Detection Rule (YARA and Snort) Information – Week 3, December 2024

The following is the information on Yara and Snort rules (week 3, December 2024) collected and shared by the AhnLab TIP service.
6 YARA Rules
Detection name / Description / Source
EXPL_Cleo_Exploitation_Log_Indicators_Dec24 / Detects indicators found in logs during and after Cleo software exploitation (as reported by Huntress in December 2024) / https://github.com/Neo23x0/signature-base
EXPL_Cleo_Exploitation_PS1_Indicators_Dec24

Analysis on the Case of TIDRONE Threat Actor’s Attacks on Korean Companies

AhnLab SEcurity intelligence Center (ASEC) has recently identified that the TIDRONE threat actor is launching attacks against companies. In the attack cases, Enterprise Resource Planning (ERP) software was exploited to install a backdoor malware called CLNTEND. TIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers.

Weekly Detection Rule (YARA and Snort) Information – Week 2, December 2024

The following is the information on Yara and Snort rules (week 2, December 2024) collected and shared by the AhnLab TIP service.
8 YARA Rules
Detection name / Description / Source
VeeamHax / exe – file VeeamHax.exe / https://github.com/The-DFIR-Report/Yara-Rules
PK_Elster_darknet / Phishing Kit impersonating Elster tax office (DE) / https://github.com/t4d/PhishingKit-Yara-Rules
PK_Nickel_memoryerror / Phishing Kit impersonating Nickel / https://github.com/t4d/PhishingKit-Yara-Rules

cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)

AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers using multiple honeypots. Among the prominent honeypots are SSH services configured with weak credentials, which are targeted by numerous DDoS and CoinMiner threat actors. ASEC recently identified a new DDoS malware strain targeting Linux servers while monitoring numerous

November 2024 Threat Trend Report on Ransomware

This report provides statistics on the number of new ransomware samples, the number of targeted systems, and the targeted companies collected in November 2024, as well as major Korean and international ransomware issues worth noting. Below are the summarized details. The number of ransomware samples and the number of damaged systems is based

November 2024: Security Issues in the Financial Industry

This report comprehensively covers actual cyber threats and security issues that have occurred in the financial industry in South Korea and abroad. The article includes an analysis of malware and phishing cases distributed to the financial sector, the Top 10 malware targeting the financial sector, and statistics on the industries

Weekly Detection Rule (YARA and Snort) Information – Week 1, December 2024

The following is the information on Yara and Snort rules (week 1, December 2024) collected and shared by the AhnLab TIP service.
0 YARA Rules
3 Snort Rules
Detection name / Source
ET EXPLOIT Linksys E1500/E2500 Remote Command Execution 3 / https://rules.emergingthreatspro.com/open/
ET WEB_SPECIFIC_APPS SonicWall NetExtender for Windows EPC Client Update RCE

Trend Report on Phishing Malware Impersonating the National Tax Service (NTS)

There is a noticeable increase in phishing emails impersonating the National Tax Service (NTS) whenever it is time to file value-added tax (VAT) and other taxes. AhnLab SEcurity intelligence Center (ASEC) has been alerting users to this threat by distributing relevant content. Phishing cases impersonating the National Tax Service

Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)

AhnLab SEcurity intelligence Response Center (ASEC) has covered attack cases targeting the CVE-2023-46604 vulnerability in past blog posts. Systems without the vulnerability patch are still being targeted, and the cases show that the attackers' main intention is to install CoinMiners. Recently, threat actors using Mauri ransomware have been found exploiting the Apache ActiveMQ vulnerability