Ankura's Cyber Threat Investigations & Expert Services (CTIX) team analyzed and compiled the latest threats and current cyber trends over the past sixty days into an in-depth report, Ankura's Cyber Threat Intelligence Bulletin. Updated for March 2022, we provide an in-depth look at current global threats and key cyber trends to watch.

Below, we share a summary of the key topics from the March Bulletin. Download the full report below.

A Look Inside the Daxin Malware

Daxin, the highly sophisticated malware linked to Chinese advanced persistent threat (APT) actors performs advanced data gathering and espionage operations while infecting hardened targets without detection. Active since November 2019, more significant Daxin malware attacks occurred in November 2021 and were targeted at telecommunications, transportation, and manufacturing companies. 

Its advanced detection-avoidance techniques and stealthy method of network communication to evade detection by security operations is thought to be a recent development. Read the full breakdown of Daxin's functionality and capabilities in our bulletin.

What Happened to Raidforums?

Two new active successor sites have emerged in the wake of the Raidforums takedown in February 2022, “Breached[.]co,” also known as “BreachedForum.” and “raidforums2[.]com” also known as “Raid2.” BreachedForum appears to be the most popular direct successor to Raidforums thus far while Raid2 appears to have been created by a pro-Ukrainian group and has seen a slower growth rate and less activity. Raidforum users have also appeared to migrate to other well-known and previously established forums with new users spiking in the ten (10) days following the Raidforum seizure. 

APT41 Targeting United States State Government Entities

Advanced Persistent Threat 41 (APT41), a known sophisticated nation-state threat organization has been targeting United States (U.S.) state government entities since 2012. The group's activity has continued to rise. Most recently, APT41 threat actors successfully compromised six (6) U.S. State Government entities. In each case, the point-of-compromise was a device vulnerable to the Log4j vulnerability. Threat actors also used other unsuspected vulnerability targets detailed in the bulletin.

Threat Actor of the Month

Despite being relatively new, Lapsus$ is a highly active yet inexperienced extortion hacking group targeting large companies. Since February 2022, the group has claimed responsibility for attacks on Nvidia, Microsoft, Samsung, Okta, and Globant proving Lapsus$ can breach some of the largest companies despite being comprised of teenagers and young adults. 

Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Download the full bulletin for a list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Read more details and insights by downloading our full March Cyber Threat Intelligence Bulletin below.