Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.
Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. The observed activity includes prompt-injections, attempted misuse of large language models (LLM), and fraud.
Microsoft has uncovered a supply chain attack by the threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.
Since early October 2023, Microsoft has observed North Korean nation-state threat actors Diamond Sleet and Onyx Sleet exploiting the Jet Brains TeamCity CVE-2023-42793 remote-code execution vulnerability. Given supply chain attacks carried out by these threat actors in the past, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected.
Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network.
Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.
At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity.
In recent months, Microsoft detected weaponization of legitimate open-source software by an actor the Microsoft Threat Intelligence Center (MSTIC) tracks as ZINC, targeting employees at media, defense and aerospace, and IT service provider organizations in the US, UK, India, and Russia.
A group of actors originating from North Korea that MSTIC tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name.
In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies.
Microsoft Sentinel is a cloud-native SIEM solution powered by AI and automation that delivers intelligent security analytics across your entire enterprise.
Web shell attacks allow adversaries to run commands and steal data from an Internet-facing server or use the server as launch pad for further attacks against the affected organization.
