Recent vulnerability in Eir D1000 Router used to spread updated version of Mirai DDoS bot

Over the last two months a lot has been written about the DDoS malware called Mirai. The first known attack, which was only later attributed to Mirai, was against the Krebs On Security blog on September 20th. It is likely that this same botnet attacked Dyn a month later, causing a massive outage among popular …

Ziggo ransomware phishing campaign still increasing in size

Introduction

Since October 6th 2016, Fox-IT's Security Operations Center (SOC) has observed fake Ziggo invoice e-mails linking to a ransomware variant known as TorrentLocker. The group behind TorrentLocker was previously observed, back in 2014, using fake Dutch postal service e-mails imitating PostNL. This distribution method of abusing local postal service names was seen in a lot of …

Mofang: A politically motivated information stealing adversary

Mofang (模仿, Mófǎng, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on their involvement with investments or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly …

LinkedIn information used to spread banking malware in the Netherlands

Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large number of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and the Word document. The content of the e-mail: "Geachte Firstname Lastname," (Dutch for "Dear Firstname Lastname,") …

Ransomware deployments after brute force RDP attack

Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the recipient into opening the infected attachment. Another method is impersonating a well-known company in a spam e-mail stating that an invoice or track & trace information is ready for download. By following the link provided …

Large malvertising campaign hits popular Dutch websites

On Sunday April 10th the Fox-IT Security Operations Center (SOC) started to see an increase in exploit-kit-related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The affected websites include most of the popular Dutch websites. In total we've now seen at least 288 websites being affected. To …