Threats & Defenses

0 Comments
The most common threat in the cybersecurity world often sounds like a plot from a blockbuster movie. The clock is ticking… You have only a few hours… Can you solve the mystery before you have to pay the ransom? According to Secureworks’ Director of Intelligence, Mike McLellan, year after year, threat actors around the world
0 Comments
Disinformation is a known tool for nation-state threat actors. Learn what it means for threat intelligence practitioners. Tuesday, August 25, 2020 By: Secureworks When the first page of the calendar turned to 2020, none of us knew what would come in a few months’ time. In fact, Secureworks’ Senior Security Researcher Rafe Pilling thought the
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in July 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about the IRON LIBERTY threat group, as well as details about the Karagany and MCMD malware used exclusively by IRON LIBERTY, to supplement the discussion of the man-on-the-side technique described in the
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in August 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about the IRON LIBERTY threat group, as well as details about the Karagany and MCMD malware used exclusively by IRON LIBERTY, to supplement the discussion of the man-on-the-side technique
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in September 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about the IRON LIBERTY threat group, as well as details about the Karagany and MCMD malware used exclusively by IRON LIBERTY, to supplement the discussion of the man-on-the-side technique described in
0 Comments
Summary The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab
0 Comments
Summary The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People’s Republic of China
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in November 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT, to increase visibility of the threat group’s activities. In mid-2018, Secureworks® Counter Threat Unit™ (CTU) researchers identified
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in March 2019. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT, to increase visibility of the threat group’s activities. Summary DropboxAES is a simple remote access trojan (RAT) used
0 Comments
The following analysis was compiled and published to Threat Intelligence clients in April 2019. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT to increase visibility of the threat group’s activities. Summary BRONZE VINEWOOD (also known as APT31 and ZIRCONIUM) is
0 Comments
Cyberespionage operations by governments with mature cyber capabilities persist regardless of geopolitical events. Espionage typically focuses on broader long-term strategic goals. Secureworks® Counter Threat Unit™ (CTU) researchers monitor Iranian cyber operations, including the potential for retaliation after a January 2, 2020 U.S. drone strike killed Islamic Revolutionary Guard Corps (IRGC) Quds Force General Qasem Soleimani.
0 Comments
The ongoing COVID-19 (also known as coronavirus) pandemic is creating challenges for organizations and individuals around the world. Most organizations have implemented remote working for their employees where possible. This transition changes how employees access data and communicate with colleagues and customers. That change creates an opportunity for threat actors who seek to exploit the
0 Comments
On March 27, 2020, the U.S. government approved a $2 trillion USD stimulus package that provides COVID-19 (also known as coronavirus) pandemic relief for qualified taxpayers in the form of $1,200 checks. Since then, Secureworks® Counter Threat Unit™ (CTU) researchers have observed an increase in tax identity theft aimed at fraudulently obtaining stimulus checks (see
0 Comments
A timely snapshot of the global threat landscape for security and business leaders. Friday, May 8, 2020 By: Secureworks Counter Threat Unit As your organization continues to adapt to a new business environment, our Counter Threat Unit™ (CTU) remains vigilant in tracking coronavirus-themed cyber activity and assessing the cybersecurity risk. This concise, weekly snapshot from
0 Comments
Today, the Secureworks® Counter Threat Unit™ (CTU) research team began publishing Threat Group profiles  on the Secureworks website. The profiles include a summary of the groups, their objectives, other aliases by which the groups are known, and the malware they use. Both criminal and government-sponsored Threat Groups are included. Why publish these records, given that
0 Comments
Since 2015, Secureworks® Counter Threat Unit™ (CTU) researchers have observed a massive increase in the number and impact of post-intrusion ransomware incidents. In these attacks, a threat actor gains access to a compromised network, moves laterally to other systems and networks, locates the critical business assets, and then chooses a time (which could be days
0 Comments
Summary Secureworks® Counter Threat Unit™ (CTU) researchers have tracked the activities of the BRONZE UNION threat group (also known as Emissary Panda, APT 27, and LuckyMouse) since 2013. CTU™ analysis suggests that BRONZE UNION is located in the People’s Republic of China. The threat group has historically leveraged a variety of publicly available and self-developed
0 Comments
The BRONZE UNION threat group focuses on espionage and targets a broad range of organizations and groups using a variety of tools and methods. Wednesday, February 27, 2019 By: Counter Threat Unit Research Team This blog and the accompanying threat analysis, entitled A Peek Into BRONZE UNION’S Toolbox, are based on nearly two years of
0 Comments
Cloud-deployed containers and container orchestration systems are becoming mainstream. Vulnerabilities and exploits associated with containers are gathering pace; however, the best practice of securing containers continues to be overlooked. Containers allow for packaging and deployment of single applications. Decoupling applications or services from various parts of a target environment can provide a variety of operational
0 Comments
On October 4, 2018, a Bloomberg Businessweek article alleged that in 2015, manufacturers inserted microchips onto the motherboards of servers destined for U.S. public and government organizations to provide Chinese government-sponsored threat actors with unauthorized access. The story was immediately refuted in its entirety by the three companies named in the story: Apple, Amazon, and
0 Comments
Author: Brett Stone-Gross, Ph.D., Dell SecureWorks Counter Threat Unit Date: 7 August 2014 Overview Lurk is a malware downloader that uses digital steganography: the art of hiding secret information within a digital format, such as an image, audio, or video file. Lurk specifically uses an algorithm that can embed encrypted URLs into an image file
0 Comments
Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: 27 August 2014 Overview In late February 2014, the Dell SecureWorks Counter Threat Unit™ (CTU™) research team analyzed a family of file-encrypting ransomware being actively distributed on the Internet. Although this ransomware, now known as CryptoWall, became well-known in the first quarter of 2014, it has
0 Comments
Author: Brett Stone-Gross and Pallav Khandhar, Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: 17 December 2014 Summary Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of
0 Comments
Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: 12 January 2015 Summary Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the
0 Comments
Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: 12 May 2015 Summary In early February 2015, Dell SecureWorks Counter Threat Unit™ (CTU™) researchers investigated a new file-encrypting ransomware family named TeslaCrypt, which was distributed by the popular Angler browser exploit kit. After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt holds the
0 Comments
Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: August 5, 2015 Summary Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390’s operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People’s Republic of China. The threat actors
0 Comments
Author: Dell SecureWorks Counter Threat Unit™ Threat Intelligence Date: 07 October 2015 Summary While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with