
All news with #lateral movement tag


UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit, built in Zig, C, and Go, supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement, and evidence suggests a Windows implant and role-based access controls are present.

Muddled Libra Rogue VM Playbook and Operational Tactics

🔐 Unit 42 recovered a rogue VM created by Muddled Libra (aka Scattered Spider, UNC3944) during a September 2025 incident, revealing an operational playbook of reconnaissance, credential theft, lateral movement and data access. The actors abused legitimate tools and stolen certificates, persisted via an SSH tunnel (Chisel), and copied NTDS.dit and SYSTEM hives. Unit 42 recommends strengthening identity controls and adopting Advanced WildFire and Cortex defenses.

Warlock Ransomware Exploits Unpatched SmarterMail Instance

🔒 SmarterTools confirmed a network breach by the Warlock (aka Storm-2603) ransomware group after attackers exploited an unpatched SmarterMail instance on January 29, 2026. A single, unpatched VM allowed lateral movement to about a dozen Windows servers across the office network and a secondary QC data center, with hosted SmarterTrack customers most affected. Operators staged tools including Velociraptor and deployed a locker after gaining Active Directory control. SmarterTools urges immediate upgrade to Build 9526 and isolation of mail servers to limit further ransomware deployment.

SolarWinds Web Help Desk RCE Used in Multi‑Stage Attacks

🔒 Microsoft reported a multi-stage intrusion that exploited internet‑exposed SolarWinds Web Help Desk instances to gain unauthenticated remote code execution and lateral access. Exploitation spawned PowerShell which used BITS to download payloads, and attackers deployed legitimate Zoho ManageEngine components to maintain persistent remote control. They enumerated domain users, established reverse SSH and RDP persistence, performed DLL side‑loading to dump LSASS, and in at least one case executed a DCSync. Organizations are advised to patch WHD, remove unauthorized RMM tools, rotate service and admin credentials, and isolate compromised systems.

China-linked UAT-7290 Targets Telcos via Edge Exploits

🛡️ Cisco Talos warns that a China-linked actor tracked as UAT-7290 has expanded its focus to telecommunications providers in Southeastern Europe. The group leverages Linux-based malware and one-day public exploits against edge network devices, plus targeted SSH brute force, to gain initial access and escalate privileges. UAT-7290 also establishes Operational Relay Boxes (ORBs) that are reused by other China-aligned actors. Talos published technical details and IOCs to help affected organizations respond.

LongNosedGoblin APT Targets SE Asia and Japan Officials

🕵️ ESET researchers discovered a previously undocumented China-aligned APT, named LongNosedGoblin, after investigation of compromises at a Southeast Asian governmental network with additional targeting of Japan. The group abuses Active Directory Group Policy for deployment and lateral movement and relies on cloud services (OneDrive, Google Drive, Google Docs) for C2 and exfiltration. Notable custom tools include NosyDoor, NosyHistorian, NosyStealer and NosyLogger, which use multi-stage loaders, AMSI bypasses and scheduled-task persistence. ESET published IoCs and recommends hardening Group Policy, auditing scheduled tasks and monitoring cloud storage for suspicious files.

Ink Dragon exploits IIS to build stealthy relays worldwide

🔍 Check Point reports a Chinese-linked group known as Ink Dragon is exploiting misconfigured IIS servers to assemble a stealthy global relay network. Attackers compromise web-facing IIS instances, harvest local credentials, move laterally via RDP, and install a custom IIS module that forwards commands and data between victims to hide C2 origins. Targets include government networks in Southeast Asia, South America and Europe; communications are concealed inside ordinary mailbox drafts. Mitigations include auditing IIS modules against a known baseline, enabling advanced IIS logging, hardening view state settings, and deploying a web application firewall (WAF).

Ink Dragon Uses European Government Servers as Relays

🔍 A prolific China-linked group known as Ink Dragon is exploiting misconfigured public-facing servers in European government networks to create relay nodes, Check Point reports. After probing IIS, SharePoint and other web services for configuration flaws, operators quietly harvest credentials, reuse administrator and service accounts, and move laterally using Remote Desktop to blend into normal traffic. They install backdoors and credential-stealing implants, and deploy a customized module and a new FinalDraft backdoor to maintain long-term access and obfuscate command channels.

DeadLock Ransomware Campaign and Weekly Threat Roundup

🛡️ Cisco Talos describes a new financially motivated campaign deploying DeadLock ransomware that uses a custom stream cipher with time-based keys to encrypt Windows hosts. The actor employs a Bring Your Own Vulnerable Driver (BYOVD) approach with a previously unseen loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling termination of EDR processes. Talos publishes Snort SIDs and multiple ClamAV detections and details lateral movement, anti-forensics, and selective encryption tactics aimed at complicating recovery.

Iranian-backed UNC1549 Deploys TWOSTROKE and DEEPROOT

🛡️ Mandiant has linked suspected Iranian espionage actors to a sustained campaign by UNC1549 that deployed backdoors such as TWOSTROKE and DEEPROOT against aerospace, aviation, and defense organizations in the Middle East. Operating from late 2023 through 2025, the group abused trusted third parties and VDI sessions to pivot into customer environments and leveraged highly targeted, role‑relevant phishing. Observed operations combined credential theft, lateral movement, custom tunnellers and credential‑stealing utilities to execute long‑term reconnaissance and data exfiltration.

Authentication Coercion: Abusing Rare Windows RPC Interfaces

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

China-linked Hackers Reuse Legacy Flaws to Backdoor Targets

🔍 Symantec and Carbon Black attributed a mid‑April 2025 intrusion to a China-linked threat cluster that targeted a U.S. nonprofit engaged in influencing policy, using mass scanning and multiple legacy exploits (including CVE-2021-44228, CVE-2017-9805, and Atlassian flaws) to gain initial access. The intruders established stealthy persistence via scheduled tasks that invoked legitimate binaries (msbuild.exe, csc.exe), injected code to reach a C2 at 38.180.83[.]166, and sideloaded a DLL through a Vipre component to run an in-memory RAT. Researchers linked the loader to China-aligned clusters such as Salt Typhoon and warned of broader reuse of legacy vulnerabilities and IIS/ASP.NET misconfigurations for long-term backdoors.

Stolen Credentials and Remote Access Abuse in 2025

🔒 FortiGuard Incident Response observed that in H1 2025 financially motivated actors frequently used stolen credentials and legitimate remote-access software to gain and extend access across environments. Adversaries relied on compromised VPN logins, password reuse, or purchased credentials, deploying tools like AnyDesk, Splashtop, Atera and ScreenConnect to move laterally and exfiltrate data manually. These intrusions often bypass endpoint-focused defenses because activity mimics normal user behavior, so FortiGuard emphasizes identity- and behavior-driven detection, broad MFA enforcement, and monitoring of remote access tooling.

Russian-Origin Threat Actors Target Ukrainian Organizations

🔴 Symantec and Carbon Black reported a Russian-origin campaign that targeted a large business services firm and a local government entity in Ukraine, relying on web shells and living-off-the-land techniques to reduce detection. Early activity began on June 27, 2025 with deployment of the LocalOlive web shell, PowerShell exclusions, scheduled memory dumps and credential-theft attempts. Operators used dual-use tools (OpenSSH, RDP changes, winbox64.exe), PowerShell backdoors and native Windows utilities to maintain persistence while minimizing custom malware use. Researchers noted strong Windows tradecraft but could not conclusively attribute the intrusions to a named Russian group.

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.

Qilin Ransomware Employs Linux Payloads and BYOVD Tactics

🔒 Qilin (aka Agenda, Gold Feather, Water Galura) has sharply increased operations in 2025, claiming dozens of victims monthly and peaking at 100 leak-site postings in June. Cisco Talos and Trend Micro analyses show affiliates gain initial access via leaked admin credentials, VPN interfaces and RDP, then harvest credentials with tools like Mimikatz and SharpDecryptPwd. Attackers combine legitimate remote-management software (for example AnyDesk, ScreenConnect, Splashtop) with a BYOVD vulnerable driver to disable defenses, exfiltrate data, and deploy a Linux ransomware binary on Windows systems before encrypting files and removing backups.

Jingle Thief: Inside a Cloud Gift Card Fraud Campaign

🔍 Unit 42 details the Jingle Thief campaign, a Morocco‑based, financially motivated operation that uses phishing and smishing to harvest Microsoft 365 credentials and abuse cloud services to commit large‑scale gift card fraud. The actors maintain prolonged, stealthy access for reconnaissance across SharePoint, OneDrive and Exchange, and rely on internal phishing, inbox rules and rogue device enrollment in Entra ID to persist and issue unauthorized cards. The report (cluster CL‑CRI‑1032) links the activity to Atlas Lion/STORM‑0539 and emphasizes identity‑centric detections and mitigations.

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️ Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.

Hardening Customer Support Tools to Prevent Lateral Attacks

🔐 Microsoft Deputy CISO Raji Dani outlines the importance of hardening customer support tools and identities to reduce the risk of lateral movement and data exposure. The post recommends dedicated, isolated support identities protected by Privileged Role MFA and strict device controls. It advocates case-based RBAC with just-in-time and just-enough access, minimizing service-to-service trust, and deploying robust telemetry to speed detection and response. These layered controls apply to in-house teams and third-party providers.

Anatomy of a BlackSuit Ransomware Blitz at Manufacturer

🔐 Unit 42 responded to a significant BlackSuit ransomware campaign after attackers obtained VPN credentials via a vishing call and immediately escalated privileges. The adversary executed DCSync, moved laterally with RDP/SMB using tools like Advanced IP Scanner and SMBExec, established persistence with AnyDesk and a custom RAT, and exfiltrated over 400 GB before deploying BlackSuit across ~60 ESXi hosts. Unit 42 expanded Cortex XDR visibility from 250 to over 17,000 endpoints and used Cortex XSOAR to automate containment while delivering prioritized remediation guidance.