Weekly

Weekly Threat Intel Highlights: w/b 6th April

April 7, 2026 3 min read

This week's highlights: Google Threat Intelligence's BRICKSTORM defender guide, Microsoft's reporting on Storm-1175's Medusa ransomware operations, UNC6783 social engineering via lookalike domains, in-the-wild exploitation of Fortinet and Cisco CVEs, and the BlueHammer zero-day disclosure.

Ransomware KQL Windows

STORM-1175: KQL Detections for Medusa Ransomware Operations

April 6, 2026 12 min read

Storm-1175 is a financially motivated actor running high-velocity Medusa ransomware campaigns, weaponising N-day vulnerabilities within days of public disclosure. The group has targeted healthcare, education, finance, and professional services organisations across Australia, the UK, and the US, and has moved from initial exploitation to full ransomware deployment in under 24 hours. This post covers 8 KQL detections spanning the full attack chain.

APT KQL VMware

BRICKSTORM: KQL Detections for vSphere Backdoor Activity

April 5, 2026 10 min read

BRICKSTORM is a Go-based backdoor attributed to UNC5221 / Warp Panda that targets VMware vSphere infrastructure. Because it runs on the virtualisation control plane rather than inside guest VMs, it sits outside the reach of guest-level EDR, an established visibility gap in most estates. This post covers 8 KQL detections spanning initial access through to C2 and tamper detection.
