Incident Response

HomeBlogIncident Response
Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare

Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare

The Emotet botnet has begun to show signs of life after months of inactivity. The E2 portion has started deploying credential and email stealing modules. It is believed that this could be a preparation step for a new spam campaign. During the downtime, the operators behind Emotet have redesigned it and some of the modules it uses. New features include... Read More
April 22, 2020 Threat Advisory
Threat Advisory: NSA, ASD Release Guidance for Mitigating Web Shell Malware

Threat Advisory: NSA, ASD Release Guidance for Mitigating Web Shell Malware

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet (CSI) on mitigating web shell malware. Malicious cyber actors are increasingly deploying web shell malware on victim web servers to execute arbitrary system commands. By deploying web shell malware, cyber attackers can gain persistent access to compromised networks. The CSI provides... Read More
Threat Advisory
Threat Advisory: Kwampirs Trojan Campaign Continues

Threat Advisory: Kwampirs Trojan Campaign Continues

The FBI's Cyber Division has re-released a January Flash report for the Kwampirs Remote Access Trojan (RAT). The primary target industries are healthcare, software supply chain, energy, and engineering industries, and the secondary targets are financial institutions and law firms. Kwampirs employs a two-phase approach. According to the FBI's Private Industry Notification, "the first phase establishes a broad and persistent... Read More
April 7, 2020 Threat Advisory
Threat Advisory: Updates Regarding COVID-19 Related Cyber Attacks

Threat Advisory: Updates Regarding COVID-19 Related Cyber Attacks

Overview  Malware-based phishing campaigns have been on the rise since early March. The campaigns appear to be from a trusted source, such as healthcare organizations, educational institutions, government agencies, or other official sources. The associated emails often contain a link that promises key information, relevant data, or tracking information regarding the Coronavirus. A number of these emails appear to originate... Read More
April 6, 2020 Threat Advisory
Threat Advisory: Mitigating Cyber Attacks Using Coronavirus Pandemic

Threat Advisory: Mitigating Cyber Attacks Using Coronavirus Pandemic

Overview  Recently, there has been a significant increase in cyber attacks that take advantage of the global COVID-19 (Coronavirus) pandemic. Threat actors are leveraging additional information on COVID-19 to spread malware infections through phishing emails. These emails, particularly the subject lines, are designed to contain valuable information about the current status of the outbreak to lure victims into opening attachments... Read More
March 12, 2020 Thought Leadership, Threat Advisory
Why Maintaining Data Integrity is Critical in Incident Response

Why Maintaining Data Integrity is Critical in Incident Response

The National Cybersecurity Center of Excellence has released a draft version of the NIST Cybersecurity Practice Guide SP 1800-26, Detecting and Responding to Ransomware and Other Destructive Events. The proposed guide is intended to act as a best practice document to support organizations detecting and responding to data integrity events which can put an organization’s security infrastructure at risk, causing... Read More
February 11, 2020 Thought Leadership
Threat Advisory: Vulnerabilities Found in Cisco Discovery Protocol

Threat Advisory: Vulnerabilities Found in Cisco Discovery Protocol

Multiple vulnerabilities in the Cisco Discovery Protocol implementation of Cisco products were recently discovered by the Cisco Product Security Incident Response Team. These vulnerabilities are collectively known as "CDPwn".  According to Cisco, the Cisco Discovery Protocol "facilitates the management of Cisco devices by discovering these devices, determining how they are configured, and allowing systems using different network-layer protocols to learn... Read More
February 6, 2020 Threat Advisory
Threat Advisory: HG Updates on Citrix vulnerability – CVE-2019-19781

Threat Advisory: HG Updates on Citrix vulnerability – CVE-2019-19781

Over the past month, Herjavec Group has been supporting clients impacted by the vulnerability (CVE-2019-19781) impacting multiple versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP.  CVE-2019-19781 is a directory traversal exploit that involves adversaries initiating a large scan upon discovery of a successful connection, then dropping files onto the infected system. This establishes a backdoor... Read More
January 24, 2020 Threat Advisory
Threat Advisory: Increased Emotet Malware Activity Detected

Threat Advisory: Increased Emotet Malware Activity Detected

The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory on the increasing use of targeted Emotet malware attacks. Emotet is a Trojan used by threat actors to act as a downloader, or dropper, of other malware. The most common delivery method for Emotet is via the use of spam emails that have a malicious Microsoft Word or Excel... Read More
January 23, 2020 Threat Advisory
Threat Advisory Update: US National Terrorism Advisory System

Threat Advisory Update: US National Terrorism Advisory System

Herjavec Group is aware of elevated concern around Iranian state-sponsored cyber threat actors. We continue to remain vigilant and will report any suspicious activity across our Managed Security Services Enterprise Base. As always, we will work with our partners to share and notify you with any new threat information as it is made available. Our operations team will continue to... Read More
January 6, 2020 Threat Advisory