This ICS/OT attack represents the latest evolution in Russia's cyber physical attack capability.

UNC4841 has continued operations despite Barracuda ESG zero-day remediation efforts.

Ways Chinese cyber espionage activity has increasingly leveraged strategies to evade detection.

In the first half of 2023, we observed a threefold increase in the number of attacks using infected USB drives to steal secrets.

Additional techniques UNC3886 utilized across multiple organizations to evade EDR solutions.

Mandiant is investigating a Barracuda ESG appliance zero-day vulnerability being exploited in the wild.

Analysis of a zero-day vulnerability in MOVEit Transfer, and containment and hardening guidance.

Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

Attackers are distributing malware using a technique that abuses the URL schema.

Attacker activity in Microsoft Azure that we attribute to a financially motivated threat actor.

A software supply chain attack led to another software supply chain attack.

A ransomware affiliate is targeting publicly exposed Veritas installations to gain access to organizations.

• Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020.
• Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years.
• We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations.
• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).

A suspected Chinese actor used a zero-day vulnerability in FortiOS and custom malware for espionage.

We have been seeing notable changes to TTPs used in GOOTLOADER operations since 2022.

A new variant of the URSNIF malware, first observed in June 2022, marks an important milestone for the tool. Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion. This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.

Bad actors are using a shared Phishing-as-a-Service platform called “Caffeine”.

Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:

1) Maintain persistent administrative access to the hypervisor
2) Send commands to the hypervisor that will be routed to the guest VM for execution
3) Transfer files between the ESXi hypervisor and guest machines running beneath it
4) Tamper with logging services on the hypervisor

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

Multiple self-proclaimed hacktivist groups are conducting attacks in support of Russian interests.