Hujumlar Bazasi

👤Triton Safety Instrumented System Attack🎯Umumiy25-mar, 2024

Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization. The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment. The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.

Malteiro

👤Malteiro🎯Umumiy13-mar, 2024

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).

Cutting Edge

⚡ Zero-dayYuqori

Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.

👤Cutting Edge🎯Umumiy1-mar, 2024

XZ Utils Supply Chain Backdoor

🔗 Ta'minot zanjiriKritik

Social engineering attack over 2+ years planted backdoor in XZ Utils compression library, nearly compromising SSH authentication on major Linux distros.

👤Jia Tan (taxmin qilingan davlat aktyori)📍Noma'lum (Xitoy taxmin)→ Butun dunyo🎯Linux infratuzilmasi24-fev, 2024

Change Healthcare Ransomware Attack

👤ALPHV / BlackCat📍Noma'lum→ AQSh🎯Sog'liqni saqlash21-fev, 2024

ALPHV/BlackCat ransomware group attacked Change Healthcare payment system, disrupting US healthcare for weeks. UnitedHealth paid $22M ransom.

Akira

👤Akira🎯Umumiy20-fev, 2024

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.

APT5

⚡ Zero-dayYuqori

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.

👤APT5🎯Umumiy5-fev, 2024

Southern Water Ransomware — Black Basta

👤Black Basta📍Rossiya→ Buyuk Britaniya🎯Suv infratuzilmasi22-yan, 2024

Black Basta ransomware hit Southern Water UK, stealing 750GB of data including employee and customer records of 5.2M customers.

Microsoft Midnight Blizzard Email Breach

🕵️ APTYuqori

Russian SVR-linked group breached Microsoft corporate email systems, accessing senior executives and cybersecurity team communications.

👤Midnight Blizzard (APT29)📍Rossiya→ AQSh🎯IT, Texnologiya12-yan, 2024

Ivanti VPN Zero-Day Mass Exploitation

⚡ Zero-dayKritik

Multiple threat actors exploited zero-days in Ivanti Connect Secure VPN. Thousands of organizations globally compromised, including US CISA itself.

👤UNC5221📍Xitoy→ AQSh, Yevropa, Osiyo🎯Hukumat, IT, Mudofaa10-yan, 2024

LoanDepot Ransomware Attack

👤ALPHV / BlackCat📍Rossiya→ AQSh🎯Moliya, Ko'chmas mulk6-yan, 2024

ALPHV ransomware hit LoanDepot mortgage company, exposing 16.9M customer SSNs, financial data. Systems offline for weeks.

ToddyCat

👤ToddyCat🎯Umumiy3-yan, 2024

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.

Cinnamon Tempest

👤Cinnamon Tempest🎯Umumiy6-dek, 2023

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.

Mustard Tempest

👤Mustard Tempest🎯Umumiy6-dek, 2023

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.

ALPHV/BlackCat — MeridianLink Extortion

👤ALPHV / BlackCat📍Rossiya→ AQSh🎯Moliya, Dasturiy ta'minot7-noy, 2023

ALPHV directly reported victim MeridianLink to SEC for not disclosing breach within 4 days, marking first case of ransomware regulatory extortion.

Rhysida Ransomware — British Library

👤Rhysida📍Noma'lum→ Buyuk Britaniya🎯Ta'lim, Madaniyat28-okt, 2023

Rhysida ransomware crippled British Library systems, leaking 600GB of HR data. Recovery took months and cost £6-7M.

23andMe Genetic Data Breach

🗃️ Ma'lumot sizintisiYuqori

Hackers used credential stuffing to access 23andMe accounts, stealing genetic and ancestry data of 6.9 million users via DNA Relatives feature.

👤Noma'lum📍Noma'lum→ AQSh, Buyuk Britaniya🎯Biotexnologiya, Sog'liqni saqlash1-okt, 2023

Okta Support System Breach

🗃️ Ma'lumot sizintisiYuqori

Threat actor accessed Okta customer support files, obtaining session tokens for 134 customers including Cloudflare, 1Password, BeyondTrust.

👤Scattered Spider📍Noma'lum→ Butun dunyo🎯IT, Identity Management28-sen, 2023

2015 Ukraine Electric Power Attack

👤2015 Ukraine Electric Power Attack🎯Umumiy27-sen, 2023

2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.

MoustachedBouncer

👤MoustachedBouncer🎯Umumiy25-sen, 2023

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.

TA2541

👤TA2541🎯Umumiy12-sen, 2023

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.

MGM Resorts Ransomware Attack

👤Scattered Spider📍AQSh/Buyuk Britaniya→ AQSh🎯Mehmonxona, Ko'ngilochar11-sen, 2023

Scattered Spider social-engineered MGM IT helpdesk, deploying ALPHV ransomware. MGM lost $100M+, casino operations halted for days.

Caesars Entertainment Ransomware

👤Scattered Spider📍AQSh→ AQSh🎯Mehmonxona, Ko'ngilochar27-avg, 2023

Scattered Spider attacked Caesars loyalty program database, stealing SSNs. Caesars paid $15M ransom before MGM attack.

Volt Typhoon

📌 BoshqaKritik

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.

👤Volt Typhoon🎯Umumiy27-iyl, 2023

FIN13

👤FIN13🎯Umumiy27-iyl, 2023

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.

Scattered Spider

👤Scattered Spider🎯Umumiy5-iyl, 2023

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.

C0027