Notices by Not Simon 🐐 (screaminggoat@infosec.exchange), page 2

Zscaler: Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics
Zscaler analyzed typosquatting and brand impersonation activity between February 2024 and July 2024, across over 500 of the most visited domains, examining more than 30,000 lookalike domains, and discovered that over 10,000 domains were malicious.

• Google accounted for the largest percentage of phishing domains that leveraged typosquatting and brand impersonation. Microsoft and Amazon followed closely behind. Altogether almost 75%
• Nearly half of the phishing domains that were discovered used free Let's Encrypt TLS certificates to appear more authentic and avoid web browser warnings.
• .com top-level domain (TLD) accounted for a significant amount of the phishing domains with English speakers being a primary target.
• Internet Services sector was the most heavily spoofed vertical, with Professional Services and Online Shopping in 2nd and 3rd.

IOC provided. See their previous Zscaler ThreatLabz 2024 Phishing Report in a 40 page PDF

#phishing #typosquatting #threatintel #infosec #IOC #cybersecurity

Microsoft: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor dubbed "Tickler." Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering (intelligence gathering on LinkedIn). They described the Tickler malware, Azure resources abuse, and post-compromise activity:

• Lateral movement via Server Message Block (SMB)
• Downloading and installing a remote monitoring and management (RMM) tool
• Taking an Active Directory (AD) snapshot

IOC and hunting queries provided.

cc: @briankrebs @mttaggart @serghei @campuscodi @AAKL

#iran #peachsandstorm #cyberespionage #threatintel #IOC #tickler #backdoor #malwareanalysis #linkedin