❌

Reading view

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

Threat Research – Sophos News

By:gallagherseanm

1 April 2025 at 05:30

Attack matches three-year long pattern of ScreenConnect attacks tracked by Sophos MDR as STAC4365.

A screenshot of the WikiLeaksV2 web site used by the Qilin RaaS group.

Figure 2: The Qilin data-leak site hosted on Tor features a QR code and hyperlink to the WikiLeaksV2 page

Figure 3: Domain registrations matching STAC4365 activity

Figure 5: A code display of the evilginx HTTP proxy and of the HTTP response that redirects non-phishing visits to the legitimate site—in this case, ScreenConnect

Figure 6: The phishing email received by the targeted administrator: New Login AlertYour ScreenConnect instance was recently logged into from a new IP address: Account ID: Domain: cloud.screenconnect.com Host User Name: IP Address: Location: Long Beach, California, United States Time: 2025/01/22 13:53:20 If you authorized this login, no further action is required. If you did not authorize this login attempt, please review the security alert checklist in documentation for further instructions. Login and review the security alert. ScreenConnect Team

Figure 7: A Windows log file displaying deployment of the attacker’s own ScreenConnect instance

Figure 8: a screenshot of log entries showing data compression via WinRAR

Figure 9: Exfiltration via EasyUpload.io shown in screenshot of activity log.

Figure 10: Telemetry showing the passwords appended to the ransomware as it was executed across different customers

Figure 11: The ransomware note dropped on victims’ computers by the Qilin ransomware

Stealing user credentials with evilginx

Threat Research – Sophos News

28 March 2025 at 02:29

A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there’s hope

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

Security Operations – Sophos News

By:gallagherseanm

1 April 2025 at 05:30

Attack matches three-year long pattern of ScreenConnect attacks tracked by Sophos MDR as STAC4365.

A screenshot of the WikiLeaksV2 web site used by the Qilin RaaS group.

Figure 2: The Qilin data-leak site hosted on Tor features a QR code and hyperlink to the WikiLeaksV2 page

Figure 3: Domain registrations matching STAC4365 activity

Figure 5: A code display of the evilginx HTTP proxy and of the HTTP response that redirects non-phishing visits to the legitimate site—in this case, ScreenConnect

Figure 6: The phishing email received by the targeted administrator: New Login AlertYour ScreenConnect instance was recently logged into from a new IP address: Account ID: Domain: cloud.screenconnect.com Host User Name: IP Address: Location: Long Beach, California, United States Time: 2025/01/22 13:53:20 If you authorized this login, no further action is required. If you did not authorize this login attempt, please review the security alert checklist in documentation for further instructions. Login and review the security alert. ScreenConnect Team

Figure 7: A Windows log file displaying deployment of the attacker’s own ScreenConnect instance

Figure 8: a screenshot of log entries showing data compression via WinRAR

Figure 9: Exfiltration via EasyUpload.io shown in screenshot of activity log.

Figure 10: Telemetry showing the passwords appended to the ransomware as it was executed across different customers

Figure 11: The ransomware note dropped on victims’ computers by the Qilin ransomware

Stealing user credentials with evilginx

Security Operations – Sophos News

28 March 2025 at 02:29

A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there’s hope