Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots.

Threat Reports

What We Are Monitoring

Forescout’s Vedere Labs threat research team issues threat reports about topical cyber activities, attacks or vulnerabilities that impact the cybersecurity community at large. The reports include a summary of the incidents and main threat actors, followed by a technical analysis of each incident, list of common vulnerabilities and exposures (CVEs) and affected software, indicators of compromise (IOCs) and mitigation recommendations.

Industroyer2 and INCONTROLLER (PIPEDREAM): In-depth Technical Analysis of the ICS-specific Malware

Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.

Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group

In this threat report, Forescout’s Vedere Labs analyzes attacks by pro-Russian hacktivist group Killnet and shows how to mitigate risk of DDoS and other attacks. Killnet stands out as one of the most active groups since Russian invaded Ukraine and has gained notoriety for DDoSing the websites of western critical infrastructure operators such as airports, banks, energy providers and governmental agencies.

Emotet: The Return of the World’s Most Dangerous Malware

According to CISA, Emotet is among the most costly and destructive malware used against the private and public sectors, and Europol calls it the world’s most dangerous malware. This report shows the result of a dynamic analysis of an Emotet Epoch4 loader sample and presents a list of IoCs extracted from that sample, with recommended mitigations.

Analysis of an ALPHV Incident

This report analyzes the files and tools used by an affiliate of the ALPHV ransomware group (aka BlackCat) during an attack that involved penetrating a SonicWall firewall and encrypting a VMware ESXi environment. New findings break down the malware's sophisticated behavior and present ways to avoid damage.

Night Sky Ransomware

The Night Sky ransomware was first reported by MalwareHunterTeam on January 1, 2022. Victims were asked to contact the attackers on contact[.]nightsky[.]cyou to pay for the ransom. If the victims refused to pay, attackers threatened to expose their data on a leak site. This is known as a double extortion ransomware. Night Sky provides an interesting view into the relationships among several ransomware families.

LAPSUS$

LAPSUS$ is a hacking group that has been active since 2021 and has breached several high-profile organizations, starting with major Brazilian government agencies and companies, then moving on to global businesses such as Microsoft, Nvidia and Okta. This loose collective of hackers is notable for using social engineering techniques and focusing on data exfiltration and public extortion rather than data encryption. This briefing reports on the group's victims, methods and indicators of compromise, and provides mitigation recommendations.

Analysis of Conti Leaks

This report is the result of an analysis of the chats, tutorials and tools used by the Conti ransomware groups and leaked via the Twitter handle “ContiLeaks” since the end of February 2022. The report presents intelligence about the group’s organization, attack techniques and victims which can help network defenders to detect and mitigate attacks from Conti and other similar ransomware groups. It does not rely on automatic translation of leaked chats...

Monitoring Cyber Activities Connected to The Russian-Ukrainian Conflict

Vedere Labs, Forescout’s threat intelligence and research team, is closely monitoring the evolution of cyber activities connected to the Russian-Ukrainian conflict. We continue to gather information regarding active threats; tactics, techniques and procedures (TTPs); Indicators of Compromise (IoCs); and mitigations.

Log4j

Forescout can help detect vulnerable instances of Log4j in your environment, patch or update software, identify ongoing exploits, and segment devices from the network. Review additional resources and articles on how best to protect your environment from vulnerabilities around Log4j.

Learn More

SolarWinds

Given the widespread nature of the SolarWinds breach, Vedere Labs has proactively conducted a thorough security review to validate the integrity of our product binaries and security of our software delivery chain.

Learn More