Tag Archives: Cyber Threat Intelligence

SolarWinds Attack: Italy activates the Cyber Security Nucleus

Following the tampering of a number of SolarWinds Orion platform updates in March, attackers infiltrated the networks and computer systems of government and private entities around the world, monitored their activity and, in some cases, stole highly sensitive data. Unfortunately, the attack has also affected our country. From the early stages of the discovery, Italy activated the Cyber Security Nucleus, the collegiate body entrusted with managing cyber incidents that could have a potential impact on national security. The Cyber Security Nucleus: what is it? According to the current legislation regulating the activities of the Information Security Department (DIS) of the Presidency of […]

When a false flag doesn’t work: Exploring the digital-crime underground at campaign preparation stage

At the beginning of October 2020 we found a copy of a malicious document potentially attributable to the APT group known as APT34 / OilRig. The attribution, based on several elements found within the malicious document, was first reported by a security researcher on a social network. According to the extracted evidence, the author "signed" the malicious document by leaving his/her username in the document metadata. This nickname was already widely known in the Cyber Threat Intelligence field because it is attributed to a member of the threat group mentioned above. The nickname is Iamfarhadzadeh, linked to Mohammad Farhadzadeh, believed to be a member of the hacking unit identified […]

Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene

Recently Telsy observed some artifacts related to an attack that occurred in June 2020 and is most likely linked to the well-known Russian Advanced Persistent Threat (APT) known as Venomous Bear (aka Turla or Uroburos). To the best of our knowledge, this time the group used a previously unseen implant, which we internally named "NewPass" after one of the parameters used to send exfiltrated data to the command and control server. Telsy suspects this implant has been used to target at least one European Union country in the diplomacy and foreign affairs sector. NewPass is a fairly complex malware composed of different components that rely on an encoded file to […]

Telsy’s report on UniCredit’s data breach went viral worldwide

On the evening of April 19, Telsy reported that the personal data of about 3000 employees of UniCredit S.p.A., one of the largest banks in Italy, had been put up for sale on cybercrime forums. According to the seller, the leak contains information about thousands of employees, including emails, phone numbers, encrypted passwords, last names and first names. The database was found on at least two cybercrime and hacking forums. In the following hours the article published by Telsy on its blog (which can be found at the following link) was picked up by several major news agencies worldwide. Telsy's CEO, Emanuele Spoto, commented: "Yesterday […]

Tamper detection technologies: it takes a thief to catch a thief

Tamper detection technologies are already present in our everyday life, even when we are not aware that they can be called by that name. Tamper detection and tamper evidence methods are already in use in many common situations: they provide proof of unauthorized access to the inner components of a device (which may void the warranty), or simply to a luxury good in a department store. We speak of tamper evidence when the goal is to reveal the unauthorized access upon examination by a human, and of tamper detection when some automatic action is taken in response to the event. At baseline, tamper evidence and detection methods detect […]

Zebrocy relies on Dropbox and remote template injection to supply its dishes to an institution in the Eastern European diplomatic sector.

// Introduction On the 22nd of August 2019, a new Zebrocy spear-phishing email message was collected by the Telsy CTI Team. This malicious email was armed with an attached lure document designed to infect victim systems and steal data from them after executing a sequence of multi-stage malicious instructions. // Actor Profiling Zebrocy has been considered for years a subgroup of Sofacy (aka APT28, aka Fancy Bear, aka Group 74). However, it appears very different from the latter, mainly due to its lower level of sophistication and its extensive use of a great many development languages. Zebrocy also has the tendency to acquire and use publicly available code from sharing […]
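Two document-level indicators appear in the entries above: a remote template reference in the package relationships (the "remote template injection" technique named in the Zebrocy title) and an author nickname left in the document metadata (the APT34 / OilRig entry). Both can be checked on a .docx without opening it in Word. The script below is an added example written for this page, not Telsy's code or tooling: it builds a constructed sample package in memory, and the template URL and author name it contains are placeholders, not indicators from any of the reports.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type Word uses for an attached template.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx package: return the author names from docProps/core.xml and
    every attachedTemplate relationship whose target is external (a remote template)."""
    result = {"creator": None, "last_modified_by": None, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            creator = core.find(f"{{{DC_NS}}}creator")
            modifier = core.find(f"{{{CP_NS}}}lastModifiedBy")
            result["creator"] = creator.text if creator is not None else None
            result["last_modified_by"] = modifier.text if modifier is not None else None
        # Word stores the attached template in word/_rels/settings.xml.rels, but every
        # .rels part is checked so a relationship placed elsewhere is not missed.
        for name in sorted(n for n in names if n.endswith(".rels")):
            rels = ET.fromstring(pkg.read(name))
            for rel in rels.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    result["remote_templates"].append((name, rel.get("Target")))
    return result


def build_sample_docx(template_url, creator):
    """Build a minimal docx-like package in memory (constructed sample, not a real lure).
    template_url=None produces a package with no remote template."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/styles" Target="styles.xml"/>'
    ]
    if template_url is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">' + "".join(rels) + "</Relationships>"
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{creator}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        # Body parts are placeholders; only the .rels and core.xml parts are inspected.
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
        pkg.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL and nickname, constructed for this example.
    sample = build_sample_docx("https://example.invalid/template.dotm", "sample_author")
    print(scan_docx(sample))
```

An internal relationship (no TargetMode, or TargetMode="Internal") is normal and is ignored; only an external attachedTemplate target is reported, since that is what makes Word fetch a second document from the network when the lure is opened. The author fields are reported as-is: they are a lead for attribution work, as in the APT34 entry, not proof by themselves.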

Introducing Our CTI Research Blog

This post introduces the CTI Research Blog of the Telsy Threat Recon Team. Find all updates here! CTI Research Blog: What is Cyber Threat Intelligence? Cyber threat intelligence is information an organization uses to understand the threats that have targeted, are currently targeting, or will target the organization. This information is used to prepare for, prevent and identify cyber threats looking to take advantage of valuable resources. We live in a world where cyber threats can bring an organization to its knees, which can be downright terrifying. Threat intelligence helps organizations gain valuable knowledge about these threats, build effective defense mechanisms and mitigate the risks that could damage their bottom line […]
