Cookie Stealer



YouTubers at stake following the discovery of a two-year-old phishing campaign, Google unveils

Google TAG discloses a two-year-old phishing campaign actively targeting the channels of YouTube creators using cookie-stealing malware, later sold to the hig...

3 min read

Related Articles




Learn how a sophisticated Iranian APT uses tailored malware to compromise defens...

A newly disclosed campaign by a sophisticated Iranian advanced persistent threat (APT), likely linked to the Iranian Revolutionary Guard Corps (IRGC), demonstrates a worrying focus on aerospace and defense firms within Israel and the United Arab Emirates. This targeted espionage effort utilizes social engineering tactics and customized malware implants to achieve long-term network access for the exfiltration of critical intellectual property within these sensitive sectors.

## Attacker Profile

The meticulous nature of this campaign firmly places the threat actor within the category of an advanced persistent threat (APT). The probable connection to the IRGC signals state-backed objectives and resources, providing the group with the means for long-term operations. The continuous evolution observed in UNC1549's TTPs indicates ongoing investment in their capabilities, likely tied to Iran's broader strategic interests in the aerospace and defense sectors.

## Attack Chain Analysis

The initial compromise hinges on the exploitation of human psychology, highlighting the importance of comprehensive security awareness training for all employees. Spear-phishing emails leverage geopolitical narratives and fabricate highly targeted job postings to increase their success rate. The sophistication of these lures suggests that the attackers are actively researching their targets to maximize the effectiveness of their attacks. Watering-hole attacks further demonstrate this point, requiring an understanding of the websites frequently visited by employees within the target industries.

Post-compromise, the emphasis firmly rests on the deployment of uniquely crafted malware implants for each victim. This customization strongly suggests a multi-stage attack process. First, a reconnaissance phase enables the attackers to gain an in-depth understanding of the target's network infrastructure, software deployments, and security measures. This information is then used to tailor malware specifically designed to evade detection within the compromised environment. The use of multiple backdoor variants is a deliberate strategy to maximize the probability of sustained access, even in the event of partial discovery by defenders. This persistence is important for the APT's aim of long-term intelligence-gathering operations.

## Potential Malware Strains

While direct attribution remains a complex challenge, let's delve deeper into the malware families that likely play a role in UNC1549's attacks:

- *ShellClient:* The modular nature of ShellClient provides the APT with significant flexibility. Its capabilities, such as keylogging, file exfiltration, and remote command execution, give the attackers extensive control over compromised systems. The ability to dynamically load modules would allow them to adapt their toolset on the fly, tailoring their attacks as needed.
- *PowerSploit:* The use of PowerShell-based frameworks in targeted attacks is on the rise. PowerSploit's in-memory execution offers significant advantages, particularly in environments with mature endpoint security solutions. It allows the APT to bypass traditional file-based detection mechanisms and minimize its footprint within the compromised network.
- *Mimikatz Variant:* The potential deployment of customized Mimikatz variants underscores the importance of strong credential hygiene and robust privileged access management (PAM) policies. Credential theft enables rapid lateral movement and the compromise of high-value accounts, opening up vast avenues for data exfiltration and potential network disruption.

## Technical Implications & Defensive Options

Let's explore some further technical implications and defense strategies:

- *Zero-Day Exploitation:* The customization observed in the payloads suggests the APT may be actively acquiring or developing zero-day exploits to gain initial access. Proactive patch management and vulnerability scanning are critical, but defenses must also incorporate behavioral anomaly detection to identify potential exploitation attempts.
- *Insider Threats:* The attack's focus on social engineering significantly elevates the risk of both intentional and unintentional insider threats. Strict access control policies, the principle of least privilege, and data loss prevention (DLP) solutions are essential to mitigate the risk of sensitive information exposure or system sabotage.
- *Evolving Detection Strategies:* Legacy, signature-based security solutions are rapidly becoming obsolete. Organizations must invest in advanced detection capabilities, including heuristic analysis, network traffic monitoring, and user and entity behavior analytics (UEBA). These technologies provide a higher probability of detecting the subtle and targeted activities that characterize this type of APT.
- *Threat Hunting Imperative:* Proactive threat hunting should become a core component of an organization's security posture. Actively searching for indicators of compromise (IOCs) related to UNC1549 is not a sign of defeat, but an acknowledgment of the ever-evolving threat landscape.

## Broader Context & Geopolitical Angle

Iranian cyberespionage operations have undergone significant evolution in recent years, mirroring the country's complex geopolitical relationships and ambitions. Let's analyze some historical operations and map them against shifting dynamics in the Middle East:

- *Stuxnet (2010):* One of the most infamous examples of state-sponsored cyber warfare, Stuxnet was likely a joint US-Israeli operation. It targeted Iran's nuclear program, resulting in physical damage to centrifuges. This event marked a turning point, demonstrating the potential for cyberattacks to cause real-world consequences.
- *Shamoon (2012):* Attributed to Iran, Shamoon was a wiper malware attack against Saudi Aramco, destroying data and disrupting operations. It signaled Iran's capability and willingness to retaliate against perceived adversaries in the region.
- *OP Cleaver (2014 onwards):* A complex, multi-year Iranian cyber espionage operation targeting critical infrastructure, the aviation industry, and government organizations primarily in the Middle East and North Africa. This campaign reflects Iran's strategic pursuit of intelligence to counterbalance technological and military disadvantages.

***In recent years we have witnessed a significant increase in both the volume and sophistication of Iranian cyber operations. This coincides with escalating tensions with the US, Israel, and Saudi Arabia, particularly following the US withdrawal from the Joint Comprehensive Plan of Action (JCPOA) and the assassination of Iranian General Qasem Soleimani.***

## Technology Focus & Implications

Iran's specific areas of interest have been in targeting aerospace and defense firms…

- *Military Modernization:* Stolen intellectual property can accelerate Iran's indigenous missile, drone, and aerospace development programs. This reduces reliance on external suppliers and bolsters its defense and deterrent capabilities.
- *Technology Sharing:* Iran maintains strategic partnerships with actors like Russia, China, and North Korea. Sharing technological advancements can strengthen alliances and provide those nations with an advantage against shared rivals.
- *Disruption of Adversaries:* The potential for disruptive attacks against defense supply chains can cause delays, erode public trust, and damage the industrial bases of targeted nations.

## Blurring Lines: Espionage & Warfare

The lines between cyber espionage and kinetic warfare are becoming increasingly blurred, especially within the context of Iranian activities. While cyberattacks may be seen as a less escalatory tool of statecraft, they often set the stage for or occur alongside real-world conflict:

- *Aramco Attacks & Yemen:* The Shamoon incidents coincided with heightened tensions between Iran and Saudi Arabia concerning the conflict in Yemen.
- *Cyber-Physical Nexus:* Iranian attacks have demonstrated a growing interest in targeting critical infrastructure. Disruption of power grids or transportation networks, for instance, can act as a force multiplier in conjunction with traditional military operations.
- *Proxy Attacks:* Iran often utilizes proxy groups or non-state actors to conduct cyberattacks, providing a degree of deniability and obfuscating direct links to the Iranian government.

29-Feb-2024
6 min read


Massive data breach at Cencora threatens healthcare supply chain and patient pri...

Cencora, a leading global provider of pharmaceutical solutions, is reeling from a significant data breach that could have far-reaching consequences. The company's SEC filing reveals that threat actors successfully infiltrated IT systems and exfiltrated data, potentially including highly sensitive patient records.

## Cencora Data Breach Details

Here's a breakdown of what we know so far:

- *Discovery:* Cencora became aware of the breach on February 21, 2024.
- *Scope:* The exact nature and volume of stolen data remain under investigation.
- *Response:* The company immediately initiated containment measures and engaged law enforcement, cybersecurity experts, and external counsel.
- *No Link to Optum Attack:* Cencora denies connections to the recent Optum Change Healthcare ransomware attack, despite the similar timing and the healthcare sector focus.

## Why the Cencora Data Breach is a Big Deal in the Pharmaceutical Domain

With $262.2 billion in annual revenue and a workforce of 46,000, Cencora is a behemoth in the healthcare industry. Their services are vital for:

- *Pharmacies:* Distributing essential pharmaceuticals
- *Doctor's Offices:* Providing treatment solutions
- *Animal Healthcare:* Delivering veterinary medications and supplies

This data breach holds the potential to disrupt an enormous segment of the global healthcare supply chain.

## Unanswered Questions & Potential Fallout

The investigation is in its early stages, leaving many critical concerns:

- *Culprits:* The identity of the attackers remains a mystery as we speak.
- *Patient Impact:* The full extent of compromised patient data remains unknown, raising serious privacy and identity theft risks.
- *Financial Toll:* Cencora could face hefty fines, lawsuits, and reputational damage depending on the investigation's outcome.

## Cencora's Troubling History

The Lorenz ransomware gang allegedly breached Cencora (then AmerisourceBergen) in 2023. This earlier incident raises further concern about the company's overall cybersecurity posture and underscores the relentless targeting of healthcare organizations by cybercriminals whose tactics continue to evolve.

28-Feb-2024
2 min read

Data Breach

LoanDepot hit by a major data breach – nearly 17 million customers had Social Se...

A major ransomware attack has severely compromised the data security of LoanDepot, a leading U.S. mortgage lender. Nearly 17 million customers have had their sensitive personal information stolen, including highly sought-after Social Security numbers.

## What Happened to LoanDepot?

In early January 2024, LoanDepot suffered a ransomware attack, leading to the encryption of critical company data. The initial estimate of affected customers was 16.6 million. However, an updated data breach notice reveals this number has increased to nearly 17 million. LoanDepot has not disclosed if they paid the ransom demand. Customers of LoanDepot were left unable to use critical services like making payments and accessing their online accounts.

### Type of Data Stolen

The stolen data poses a significant risk to the affected LoanDepot customers. It includes:

- Names
- Dates of birth
- Email addresses
- Physical addresses
- Phone numbers
- Financial account details
- Social Security numbers

### Why the Stolen Data is a Major Concern

Social Security numbers are particularly sensitive as they can be used in various identity theft schemes. This breach could lead to:

- Fraudulent financial transactions in a victim's name
- Opening of new credit accounts
- Tax-related fraud
- Medical identity theft

### LoanDepot's Response

The company's response to the breach has raised questions and concerns:

- The delay in disclosing the full scale of the breach.
- The lack of transparency around whether a ransom was

## Timeline of the Breach

- **Early January 2024:** Hackers launch a ransomware attack against LoanDepot, encrypting and effectively holding the company's data hostage.
- **January 4, 2024:** LoanDepot publicly discloses the cyberattack and initiates its response, taking critical systems offline in an attempt to limit the damage.
- **January 22, 2024:** Initial estimates from LoanDepot suggest approximately 16.6 million customers could be impacted by the breach.
- **Late February 2024:** In an updated data breach notice filed with Maine's attorney general, LoanDepot revises the number of affected individuals to nearly 17 million.

## Details of Compromised Data

The attackers successfully exfiltrated a vast amount of sensitive customer information, including:

- **Full names**
- **Dates of birth**
- **Email addresses**
- **Physical addresses**
- **Phone numbers**
- **Financial account numbers**
- **Social Security numbers**

## Potential Ramifications

The theft of Social Security numbers poses the most significant risk. This unique identifier can be misused for various identity theft schemes, including:

- Opening fraudulent new credit accounts
- Filing false tax returns
- Obtaining medical services under the victim's name

## Unanswered Questions

Uncertainty surrounds some key aspects of the breach:

- LoanDepot has declined to confirm whether it paid a ransom to the hackers.
- Customers experienced substantial disruptions with payment processing and difficulty accessing online accounts in the attack's aftermath.

### Recent Cyberattacks Targeting Loan and Mortgage Companies

It's important to note that LoanDepot is not alone. The loan and mortgage industry is a prime target for hackers. This breach highlights the escalating threat and the need for companies to take cybersecurity much more seriously.

### What Can You Do to Protect Yourself?

If you're a LoanDepot customer, taking proactive measures now is vital:

- **Monitor Financial Accounts:** Closely check your financial accounts for unauthorized transactions.
- **Credit Freeze:** Consider freezing your credit to restrict new account openings.
- **Strong Passwords:** Use complex passwords and enable multi-factor authentication (MFA).

27-Feb-2024
3 min read