UNC1549, an Iran-linked threat actor, has been attributed to new attacks targeting aerospace, aviation, and defense industries in the Middle East. According to Mandiant, the threat actor appears to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium). The attacks involve the use of Microsoft Azure cloud infrastructure for Command-and-Control (C2) and social engineering with job-related lures to deliver two backdoors called MINIBIKE and MINIBUS.

By krahal

By grigby1 

By aekwall 

According to Clayton Romans, US Cybersecurity and Infrastructure Security Agency (CISA) Associate Director of the Joint Cyber Defense Collaborative (JCDC), small and local organizations face a unique cybersecurity challenge. They have been hit with ransomware attacks and other cyberattacks, but they often have no way of getting the cybersecurity resources required to defend themselves.

According to Mandiant incident responders and threat hunters, suspected Chinese state-sponsored hackers who exploited Ivanti Connect Secure VPN flaws to breach a number of organizations have showed "a nuanced understanding of the appliance." They were able to make several changes to the device as well as install specialized malware and plugins to ensure persistence across system upgrades, patches, and factory resets.

The US government recently added Canadian network intelligence firm Sandvine to its Entity List, effectively banning organizations from trading with it.  The Waterloo, Ontario-based company provides network policy control products that support networking policies to enable congestion management, security, and censorship.  The US Department of Commerce announced that Sandvine was added to its trade restrictions list for providing the Egyptian government with the technology needed for mass surveillance and censorship.

A threat actor is conducting an investment scam using a Traffic Distribution System (TDS) that leverages the Domain Name System (DNS) to keep its malicious domains changing and resistant to takedowns. The "Savvy Seahorse" threat actor impersonates well-known brand names and uses Facebook ads in nine languages to trick victims into creating accounts on a fraudulent investing platform. Once victims add money to their accounts, the funds are transferred to what is believed to be an attacker-controlled account at a Russian state-owned bank.

Lazarus Group, the North Korean state-sponsored cyber threat group, exploited a flaw in the Windows AppLocker driver to gain kernel-level access and disable security tools, bypassing Bring Your Own Vulnerable Driver (BYOVD) techniques. The activity was detected by Avast analysts, who reported it to Microsoft, resulting in a fix for the flaw, now tracked as CVE-2024-21338. According to Avast, Lazarus Group exploited the vulnerability to create a read/write kernel primitive in an updated version of its FudModule rootkit, which previously abused a Dell driver for BYOVD attacks.