
Blog · research & analysis

Latest analysis

Emerging Threats

Malware Qakbot — March 2022 Compromises

In recent weeks, consistent with previously documented activity (background), we have observed a general increase in compromise activity across monitored environments. Criminal groups deploy malware for multiple objectives: ransomware execution, sensitive data exfiltration, and credential harvesting. Qakbot — documented in detail under MITRE ATT&CK S0650 — is consistently used for all three. Unlike previous campaigns, …

Emerging Threats

Mass exploitation of VMware Horizon

On 2021-12-23 the Fortgale team identified a massive exploitation campaign targeting VMware Horizon deployments. The attack chain consists of Log4Shell (CVE-2021-44228) exploitation followed by deployment of a backdoor inside the corporate Horizon servers — granting persistent Remote Command Execution (T1190 — Exploit Public-Facing Application). The threat actor executes a PowerShell command (T1059.001) to interact with …

Emerging Threats

Log4j — how to protect your systems (CVE-2021-44228)

During the first weeks of December 2021 we observed attacks targeting the Apache Log4j library. On 2021-12-12, an official security advisory disclosed a critical Remote Command Execution vulnerability — CVE-2021-44228 (T1190 — Exploit Public-Facing Application). Any vulnerable system exposed to the public network is to be considered compromised, given the volume of mass-exploitation activity observed …

Emerging Threats

Agent Tesla — December 6, 2021 malware campaign

Agent Tesla is spyware that exfiltrates information from victim systems by capturing keystrokes and user actions (T1056.001 — Keylogging). Built on the .NET framework, it transmits stolen data to a command-and-control (C2) server. Agent Tesla extracts credentials and stored data from web browsers, email clients, and FTP clients (T1555.003 — Credentials from Web Browsers, …

Emerging Threats

E-commerce under attack — Nginx web-shell campaign

In recent days we observed a series of attacks targeting e-commerce platforms running the Nginx web server. During an investigation into a CronRAT malware compromise, researchers identified the execution of a previously undocumented malware family — NginRAT — which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (T1055.012 …
