Today activity has been moderate but lower than yesterday.
Activity Observations
Noted APT28 activity from a previously active address that has picked up and increased 10 fold today
Noted multiple DNS manipulations occurring on software installations. This is indicative that DNS is being weaponized to infect end users. Remember we have been warning about the supply chain attacks that utilize DNS and CDN 's to infect massive amounts of user.
Still seeing Cobalt Strike activity, noted at least 22 different servers running today and was able to add them to our threat intelligence platform
CVE-2021-21972 is actively being exploited
Over 200 new botnet addresses were discovered after a flaw in code allows us to use Google to find a list of C2 servers, we love it when threat actors can't spell or can't spell frequently used terms
Still seeing MassLogger activity
Still seeing Instagram phishing, looks like the threat actor is trying to target specific high profile accounts that are verified
We are also seeing stimulus and tax themed targeted phishing
We are still seeing fallout and additional confirmations of incidents from the supply chain attacks that were tied to SolarWinds. We still believe that DNS hajacking, CDN attacks and DNS manipulation allowed many of these attacks to take place. In fact, we actively detected and stopped a Microsoft login domain being manipulated on a large network this past week as well as on a few ISP's that indicate this as being a much larger issue.
This report may be updated in the next couple of hours with additional information as analyst are currently reviewing new detection's and activity of interest.
In addition we added the following documents for reference
Added 3 documents to our library including the NSA Zero Trust publication and the Cisco critical vulnerability.
Other Notes
Nothing additional today
Last Updated: 3:39 PM EST