Recent attacks on customer accounts hosted by the Snowflake data warehousing platform suggest that threat actors are shifting to targeting Software-as-a-Service (SaaS) application environments. Mandiant recently released a report on another large threat actor who has started targeting enterprise data in SaaS applications, expanding its usual focus on Microsoft cloud environments and on-premises infrastructure.

According to a new Barracuda report, in 2023, about 92 percent of organizations faced an average of six credential compromises due to email-based social engineering attacks. Scamming and phishing made up most of the social engineering attacks last year. This article continues to discuss key findings regarding some notable trends in how attackers are targeting users via social engineering techniques.

According to G Data CyberDefense, a backdoor dubbed "BadSpace" is being distributed using a multi-stage attack chain involving infected WordPress websites. In late May, the backdoor was identified and observed being distributed using a mechanism similar to that of "SocGholish." This article continues to discuss findings regarding the distribution of the BadSpace backdoor via drive-by attacks involving infected websites and JavaScript downloaders.

According to Action1, threat actors are increasingly targeting edge devices known as load balancers. A load balancer distributes connections from clients between a set of servers. Although load balancers were generally secure, threat actors targeted them disproportionately, resulting in a record 17 percent exploitation rate. A single load balancer vulnerability can provide broad access or disruption capabilities against targeted networks. This article continues to discuss the increased targeting of load balancers by threat actors.

A malware distribution campaign uses fake Google Chrome, Word, and OneDrive errors to trick users into installing malware through malicious PowerShell "fixes." The new campaign has been used by multiple threat actors, including those behind "ClearFake," a new attack cluster called "ClickFix," and the "TA571" threat actor. This article continues to discuss findings regarding the malware distribution campaign involving fake Google Chrome, Word, and OneDrive errors.

Proofpoint researchers warn of a clever social engineering method to deliver malware. A social engineering technique rising in popularity among threat actors is the use of the fake error messages, displayed by a website or when opening an HTML document delivered as an email attachment. The attack chain requires significant user interaction, but the researchers noted that the social engineering method can present a user with what appears to be a real problem and solution at the same time, prompting them to act without considering the risk.

Sygnia reports that a Chinese state-sponsored threat actor dubbed "Velvet Ant" used a legacy F5 BIG-IP appliance to access a victim organization's network for three years. The threat actor used multiple mechanisms to gain a foothold in the organization's network. The cybersecurity company notes that this threat actor had infiltrated the organization's network at least two years before the investigation, gaining a strong foothold and gathering intelligence about it. Velvet Ant has used different tools and techniques to compromise critical systems and access sensitive data.

Rochester Institute of Technology (RIT) researchers created CTIBench, the first benchmark designed for assessing the performance of Large Language Models (LLMs) in Cyber Threat Intelligence (CTI) applications. The researchers emphasized that LLMs could revolutionize CTI by improving security analysts' ability to process and examine massive amounts of unstructured threat and attack data, as well as use more intelligence sources. However, they add that LLMs are vulnerable to hallucinations and text misunderstandings, especially in technical fields.

A team of researchers from Seoul National University, Samsung Research, and the Georgia Institute of Technology revealed a new speculative execution attack called "TikTag" targeting a hardware security feature in Arm CPUs. TikTag enables attackers to bypass protections. The researchers demonstrated the attack on the Memory Tagging Extension (MTE), a security feature introduced with the 8.5-A architecture that detects memory corruption.

Truist Bank has recently confirmed that its systems were breached in an October 2023 cyberattack after a threat actor posted some of the company's data for sale on a hacking forum.  A threat actor known as Sp1d3r is selling what they claim is stolen data containing information belonging to 65,000 employees for $1 million.  The threat actor claims that the data for sale includes bank transactions with names, account numbers, balances, and source codes for Truist Bank's Interactive Voice Response (IVR) automated phone system for transferring funds.