本エントリは This Week in 4n6 (FourAndSix=Forensics) で紹介された各記事の冒頭を表示し、チェックする記事をザッピングするために自動生成&投稿したものです。4n6 は こちら からご確認いただけます。
THREAT INTELLIGENCE/HUNTING
Chris Brenton at Active Countermeasures
Anton Chuvakin
Any.Run
April 5, 2024 Add comment 174 views 7 min read HomeCybersecurity LifehacksHow to Use Cyber Threat Intelligence: the Basics Recent posts How to Use Cyber Threat Intelligence: the Basics 174 0 Quickly Check if a Sample is Malicious with ANY.RUN's Process Tree 207 0 Release Notes: PowerShell Tracer, Browser Extensions, Integrations and More 635 0 HomeCybersecurity LifehacksHow to Use Cyber Threat Intelligence: the Basics Cyber threat intelligence (CTI) is a framework for collecting, processing, and...
Haya Schulmann at APNIC
By Haya Schulmann on 4 Apr 2024 Category: Tech matters Tags: cloud, DNS, Guest Post 1 Comment Tweet Blog home Adapted from Kelly Sikkema's original at Unsplash. Accurately operating digital resources is crucial for the security of the Internet. Managing resources requires not only creating and configuring them but also releasing them correctly after they are no longer required. However, in practice, when organizations release resources of services that are no longer needed, they often do not pur...
Madison Steel at AttackIQ
AWS Security
by Jonathan Nguyen | on 01 APR 2024 | in Amazon GuardDuty, Amazon Inspector, AWS Security Hub, Intermediate (200), Security, Identity, & Compliance, Technical How-to | Permalink | Comments | Share Continually reviewing your organization’s incident response capabilities can be challenging without a mechanism to create security findings with actual Amazon Web Services (AWS) resources within your AWS estate. As prescribed within the AWS Security Incident Response whitepaper, it’s important to perio...
by Brandon Carroll | on 01 APR 2024 | in AWS Network Firewall, Best Practices, Intermediate (200), Security, Identity, & Compliance | Permalink | Comments | Share In the evolving landscape of network security, safeguarding data as it exits your virtual environment is as crucial as protecting incoming traffic. In a previous post, we highlighted the significance of ingress TLS inspection in enhancing security within Amazon Web Services (AWS) environments. Building on that foundation, I focus on eg...
Binary Defense
Lawrence Abrams at BleepingComputer
Brad Duncan at Malware Traffic Analysis
2024-04-04 (THURSDAY): KOI LOADER/STEALER ACTIVITY NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_koiloader-koistealer-unit42threatintel-activity-7181656774993747968-DphD //twitter.com/Unit42_Intel/status/1775891118963503288 ASSOCIATED FILES: 2024-04-04-IOCs-from-Koi-Loader-Stealer-activity.txt.zip 1.5 kB (1,458 bytes) 2024-04-04-Koi-Loader-Stealer-infection...
BushidoToken
Get link Facebook Twitter Pinterest Email Other Apps - April 03, 2024 Those who have worked in our industry for a certain amount of time will be acutely aware that executives often encounter information security media articles and flag them to their teams. This is something myself and my peers at other organizations also face. So I decided to write about it, expand my thoughts, offer some tips from my experience and research to hopefully provide a practical solution for a common problem.This usu...
CERT Ukraine
CERT-AGID
Sintesi riepilogativa delle campagne malevole nella settimana del 30 Marzo – 05 Aprile 2024 05/04/2024 riepilogo In questa settimana, il CERT-AGID ha riscontrato ed analizzato, nello scenario italiano di suo riferimento un totale di 26 campagne malevole, di cui 18 con obiettivi italiani e 8 generiche che hanno comunque interessato l’Italia, mettendo a disposizione dei suoi enti accreditati i relativi 136 indicatori di compromissione (IOC) individuati. Riportiamo in seguito il dettaglio delle tip...
Check Point
By Nate Pors, Heather Couk Tuesday, April 2, 2024 08:00 On The Radar Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.There is no easy way to effectively block all unauthorized remote management tools, but security can be greatly improved through a combination of policy and technical contr...
By Chetan Raghuprasad, Joey Chen Thursday, April 4, 2024 08:00 Threats Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.They use RotBot, a customized va...
Dylan Duncan at Cofense
Bret at Cyber Gladius
DCSync attacks superficially sound simple and easy to defend against. What you will find, however, is that truly understanding and mitigating the root vulnerability of a DCSync attack is much more complicated. Most articles on this topic tell you to check for only three “ExtendedRights,” and you’re covered, but oh, how this is wrong. Maybe wrong is not the right word; it’s incomplete. The reality is that an attacker can leverage many other weak ACEs on the domain’s ACL to perform a DCSync attack...
Cyberknow
cyberknow.substack.comCopy linkFacebookEmailNoteOtherInitial Access Broker to RansomwareHow to review IAB posts on Underground ForumsCyberknowApr 03, 2024Share this postInitial Access Broker to Ransomwarecyberknow.substack.comCopy linkFacebookEmailNoteOtherShareThe following is an example of how you can review underground forum posts from Initial Access Brokers (IAB)s and get an understanding of who a possible victim could be. This is an example of a recent situation when an IAB post likely resu...
Cyble
Cybercrime, Fraud April 3, 2024 Elevating the Stakes: The Enhanced Arsenal of the Fake E-Shop Campaign Cyble analyzes the recent developments in the fake e-commerce campaign employing Android malware integrated with screen sharing, aimed at targeting 18 banks in Malaysia. Key Takeaways Once again, a fake e-shop campaign has been detected, this time targeting 18 Malaysian banks with upgraded malicious applications. The campaign has progressed from its initial focus on Malaysian banks to a broader...
Cyfirma
Published On : 2024-04-05 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware Target Technologies: MS Windows Introduction CYFIRMA Research and Advisory Team has found Synapse ransomware as a service while monitoring various underground forums as part of our Th...
Alex Teixeira at Detect FYI
DomainTools
Security Onion
Recently, a vulnerability was reported in the xz library://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094//www.cve.org/CVERecord?id=CVE-2024-3094//nvd.nist.gov/vuln/detail/CVE-2024-3094//www.openwall.com/lists/oss-security/2024/03/29/4//www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-usersSecurity Onion is NOT affected by this vulnerability.Searching for xz Vulnerability across non-Security ...
Elastic Security Labs
500ms to midnight: XZ / liblzma backdoorElastic Security Labs is releasing an initial analysis of the XZ Utility backdoor, including YARA rules, osquery, and KQL searches to identify potential compromises.11 min readSecurity researchKey Takeaways On March 29, 2024, Andres Freund identified malicious commits to the command-line utility XZ, impacting versions 5.6.0 and 5.6.1 for Linux, and shared the information on the oss-security mailing list. Andres’ discovery was made after an increase of 500m...
Emanuele De Lucia
Posted On 3 April 20243 April 2024 By edelucia HomeGenericXZ BackDoor (CVE-2024-3094): a Multi-Year Effort by an Advanced Threat Actor With this post I would like to provide a technical dive and considerations about the recently disclosed XZ BackDoor vulnerability (CVE-2024-3094). This vulnerability, which affects the XZ Utils library, a widely used data compression utility in Linux distributions, had the potential for severe consequences, including remote code execution (RCE) and unauthorized a...
Embee Research
Passive DNS For Phishing Link Analysis - Identifying 36 Latrodectus Domains With Historical Records and 302 Redirects Finding phishing domains passive DNS tooling and 302 redirects. Matthew Apr 01, 2024 - 6 min read In this blog, we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X. The initial reported domain leverages 302 redirects to send users to a malicious or benign file. The URL in the 302 redirect is re-used across numerous domai...
TLS Certificates and Subdomains. Matthew Apr 04, 2024 - 7 min read In this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware. We will identify these domains through the usage of hardcoded subdomains in the TLS Certificate of the initial shared domain. After leveraging the hardcoded subdomains, we will leverage registration dates and certificate providers to hone in on our final results. Ultimately this will produce 6 domains sharing the same financial theme th...
Eric Conrad
My talk: //github.com/eric-conrad/c2-talk/ Team Cymru - S2 Threat Research Team: Top C2 FrameworksMy previous C2 detection talk: Leave Only Footprints: When Prevention FailsEVTX files from Leave Only Footprints: When Prevention FailsSysmon: //learn.microsoft.com/en-us/sysinternals/downloads/sysmonImpacket: //github.com/fortra/impacketwmiexec,py: //github.com/fortra/impacket/blob/master/examples/wmiexec.pyImphash: //www.mandiant.com/resources/blog/tracking-malware-import-hashing Posted by Eric Co...
Ervin Zubic
Esentire
BY eSentire April 3, 2024 | 5 MINS READ Attacks/Breaches Managed Detection and Response Ransomware Threat Intelligence Threat Response Unit Want to learn more on how to achieve Cyber Resilience? TALK TO AN EXPERT Did you know that the entity that deploys ransomware in an environment may not actually be the entity that originally breaks in? In recent years, separate threat actors known as Initial Access brokers have emerged, specializing in obtaining and reselling covert access to their victims. ...
BY eSentire April 3, 2024 | 11 MINS READ Cyber Risk Regulatory Compliance Cybersecurity Strategy Threat Intelligence Threat Response Unit Want to learn more on how to achieve Cyber Resilience? TALK TO AN EXPERT Threat detection and response are critical components of a robust cybersecurity strategy. However, simply relying on automated detections is no longer enough to protect your organization from downtime. To reduce the chances of business disruption from advanced and unknown threats, securit...
g0njxa
Google Cloud Threat Intelligence
April 5, 2024Mandiant Written by: Matt Lin, Austin Larsen, John Wolfram, Ashley Pearson, Josh Murchie, Lukasz Lamparski, Joseph Pisano, Ryan Hall, Ron Craft, Shawn Chew, Billy Wong, Tyler McLellan Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exp...
Maddie Stone and James Sadowski at Google Threat Analysis Group
Share Twitter Facebook LinkedIn Mail Copy link Latest stories Product updates Product updates Android, Chrome & Play Android Chrome Chromebooks Google Play Wear OS by Google Devices & Services Chromecast Fitbit Google Nest Pixel Explore & Get Answers Gemini Google Assistant Maps News Search Shopping Connect & Communicate Photos Translate Registry In The Cloud Docs, Sheets and Slides Gmail Google Cloud Meet More on the Cloud Blog See all product updates Android, Chrome & Play Android Chrome Chrom...
Neil Matani at Hackopia
With the increase in the number of online accounts each individual uses, many online services now provide a “Sign in with…” option for users to use credentials from other identity providers to reduce the number of credentials and simplify the login process. Similarly, corporate environments are increasingly using Single Sign-On (SSO) to limit the amount of credentials employees have to manage to access various corporate resources. SSO and “Sign in with” technologies (in addition to other forms o...
Alice Climent Pommeret at Harfanglab
E-mail*
Intel471
Targeted Phishing Linked to 'The Com' Surges Apr 02, 2024 A persistent social engineering threat faced by enterprises involves attackers trying to obtain login credentials for identity and access management (IAM), cloud resources or single sign-on (SSO)-enabled systems. If successful, these entry points can allow broader access to an organization, leaving the potential for data theft and ransomware. We’ve observed a significant surge in 2024 in this type of phishing taking place over short messa...
Lou Dell’Italia and Blake Cahen at IronNet
By IronNet Threat Research, including lead contributions by Lou Dell’Italia and Blake Cahen Tweet Share Apr 1, 2024 Threat Overview On March 19, 2024, CISA, along with other participating agencies, released a joint Fact Sheet warning executive leaders in the critical infrastructure sector that Volt Typhoon has strategically pre-positioned itself to conduct cyber attacks against US infrastructure. In the event of escalating tension between the US and China, leaders are encouraged to take all the ...
Shachar Menashe, Jonathan Sar Shalom, and Brian Moussalli at JFrog
By Shachar Menashe, Senior Director Security Research Jonathan Sar Shalom, Director of Threat Research Brian Moussalli, Malware Research Team Leader March 31, 2024 14 min read SHARE: Update April 1st – Updated “What is the malicious payload of CVE-2024-3094?” due to newly released OSS tools Update April 7th – Updated “What is the malicious payload of CVE-2024-3094?” due to more published payload research On March 29th, it was reported that malicious code enabling unauthorized remote SSH access h...
Jonathan Johnson
Kelvin W
Kevin Beaumont at DoublePulsar
Brian Krebs at Krebs on Security
April 3, 2024 21 Comments Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called “The Manipulaters,” a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits sti...
April 4, 2024 5 Comments A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the sc...
Jake O’Donnell at Logz.io
By: Jake O'Donnell Data volumes are soaring. Environments are increasingly intricate. The risk of applications and systems encountering breakdowns is sky-high, and the mean time to recovery (MTTR) for production incidents is moving in the wrong direction. Disruptions not only jeopardize critical infrastructure but also have a direct impact on the bottom line of organizations. Swift recovery of affected services becomes paramount, as it directly correlates with business continuity and resilience....
Me!
Skip to content Toggle navigation Sign in Product Actions Automate any workflow Packages Host and manage packages Security Find and fix vulnerabilities Codespaces Instant dev environments Copilot Write better code with AI Code review Manage code changes Issues Plan and track work Discussions Collaborate outside of code Explore All features Documentation GitHub Skills Blog Solutions For Enterprise Teams Startups Education By Solution CI/CD & Automation DevOps DevSecOps Resources Learning Pathways...
MITRE Engage™
Rakesh Krishnan at Netenrich
4 min read Red CryptoApp: A New Threat Group in the Ransomware World Rakesh Krishnan : Wed, Apr 03, 2024 @ 09:32 AM Ransomware Threat intelligence Threat hunting This is a preliminary report based only on the data leak site (DLS), listed victims, and other observed patterns. A detailed investigation will require samples not yet publicly available. Red CryptoApp is a new ransomware group that emerged in March 2024. At present, they have published the data of 11 victims on their DLS and announced ...
Obsidian Security
Threat Actors Deliver Malware via YouTube Video Game Cracks Share with your network! April 03, 2024 Isaac Shaughnessy Key takeaways Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content. The video descriptions include links leading to the download of information stealers. The activity likely targets consumer users who do not have the benefits of enterprise-grade security on their home computers. Overview Threat actor...
Latrodectus: This Spider Bytes Like Ice Share with your network! April 04, 2024 Proofpoint Threat Research and Team Cymru S2 Threat Research Proofpoint’s Threat Research team joined up with the Team Cymru S2 Threat Research team, in a collaborative effort to provide the information security community with a comprehensive view of the threat activity described. Key takeaways Proofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. While use of...
Red Alert
Monthly Threat Actor Group Intelligence Report, January 2024 (JPN) このレポートは2023年12月21日から2024年1月20日までNSHC ThreatReconチームが収集したデータと情報に基づいて分析したハッキンググループ(Threat Actor Group)の活動をまとめたレポートである。 今月1月には、合計26件のハッキンググループの活動が確認され、 最も多い活動はSectorAグループの30%であり、続きはSectorB、SectorJグループの活動であった。 今年の1月に確認されたハッキンググループのハッキング活動は、政府機関や教育分野に努めている関係者やシステムをターゲットにして最も多い攻撃を行った。地域ごとにはヨーロッパや東アジアに位置した諸国をターゲットにしたハッキング活動が最も多かったと確認された。 1. SectorAグループ活動の特徴 2024年1月には合計5件のハッキンググループの活動が確認され、このグループはSectorA01、SectorA02、SectorA05、SectorA06、S...
Nick Weber at Red Canary
ReliaQuest
Sandfly Security
XZ SSH Backdoor Detection StrategiesMalware RootkitsDateApril 03, 2024AuthorThe Sandfly Security TeamA sophisticated backdoor targeting the SSH service on Linux was made against the XZ compression library in a supply chain attack. The backdoor almost made it into most major Linux distributions until a sharp-eyed engineer saw a problem during testing and dug into the issue deeper.The technical details of the attack have been covered in other articles, but in sum:Attackers used a 2+ year long time...
SANS Internet Storm Center
Internet Storm Center Sign In Sign Up Handler on Duty: Johannes Ullrich Threat Level: green next Slicing up DoNex with Binary Ninja Published: 2024-04-04 Last Updated: 2024-04-04 17:53:02 UTC by John Moutos (Version: 1) 0 comment(s) [This is a guest diary by John Moutos] Intro Ever since the LockBit source code leak back in mid-June 2022 [1], it is not surprising that newer ransomware groups have chosen to adopt a large amount of the LockBit code base into their own, given the success and effici...
Some things you can learn from SSH traffic Published: 2024-04-03 Last Updated: 2024-04-03 17:48:57 UTC by Johannes Ullrich (Version: 1) 0 comment(s) This week, the SSH protocol made the news due to the now infamous xz-utils backdoor. One of my favorite detection techniques is network traffic analysis. Protocols like SSH make this, first of all, more difficult. However, as I did show in the discussion of SSH identification strings earlier this year, some information is still to be gained from SSH...
Slicing up DoNex with Binary Ninja Published: 2024-04-04 Last Updated: 2024-04-04 17:53:02 UTC by John Moutos (Version: 1) 0 comment(s) [This is a guest diary by John Moutos] Intro Ever since the LockBit source code leak back in mid-June 2022 [1], it is not surprising that newer ransomware groups have chosen to adopt a large amount of the LockBit code base into their own, given the success and efficiency that LockBit is notorious for. One of the more clear-cut spinoffs from LockBit, is Darkrace,...
Sansec
by Sansec Forensics TeamPublished in Threat Research − April 04, 2024Does your Interceptor.php keep getting infected? Attackers are using a new method for malware persistence on Magento servers. Sansec discovered a cleverly crafted layout template in the database, which was used to automatically inject malware.Oops, your XML now contains shell codeThe following XML code was found in the layout_update database table and is responsible for periodic reinfections of your system.Attackers combine the...
Gerardo Santos at Security Art Work
5 de abril de 2024 Por Gerardo Santos Leave a Comment El mundo de la ciberseguridad cada vez se vuelve más complejo y desafiante. Con cada nueva amenaza, desde capacidades dañinas como malware o 0 days, hasta los cambios en las infraestructuras, habiendo pasado de entornos on-premise a híbridos o full-cloud, surge la urgente necesidad de esquemas y metodologías que ayuden a enfrentar estas adversidades. No solo buscamos minimizar el impacto de cualquier amenaza, sino también de alcanzar un nivel...
SOCRadar
Key Points Characteristics of Stealer Malware Examining Stealer Malware Through MITRE ATT&CK Techniques Amadey Stealer MITRE ATT&CK Analysis and Stealers’ MITRE Heatmap Tables What Are the Common Points in Sandbox Analyses of Stealer Malware? Conclusion Home Resources Blog Nis 02, 2024 22 Mins Read The Anatomy of Stealers: How Are They Stealing Our Information? Where Are They Taking It? The world of cyber security faces new and more complex threats every day. Among these threats, which we encoun...
Who is DonutLeaks? Relations and Modus Operandi Victimology Mitigation Strategy: Data Protection Focus SOCRadar: Enhancing Data Breach Detection and Mitigation Home Resources Blog Nis 05, 2024 11 Mins Read Dark Web Profile: DonutLeaks In 2022, the DonutLeaks group emerged as a significant player, demonstrating a sophisticated approach to data extortion. Linked to cyber incidents targeting notable enterprises such as Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and mult...
Sophos
The latter half of 2023 found numerous fronts on which attackers failed to press ahead. Are defenders failing to take advantage? Written by John Shier, Angela Gunn April 03, 2024 Threat Research active adversary Active Adversary Report Case Study featured incident response RDP The first Sophos Active Adversary Report of 2024 presents what the Sophos X-Ops Incident Response (IR) team has learned about the current adversary landscape from tackling security crises around the world. Our report is ba...
While all ransomware attacks have negative outcomes, those that start by exploiting unpatched vulnerabilities have the greatest business impact. Written by Sally Adam April 03, 2024 Products & Services Exploits featured patching Ransomware research Sophos Endpoint Sophos Managed Risk Vulnerabilities To deploy a ransomware attack, adversaries must first gain access to a victim’s corporate environment, devices, and data. Threat actors typically use two main approaches to gain entry: logging in usi...
Stairwell
Puja Srivastava at Sucuri
Tamara Chacon at Splunk
By Tamara Chacon Share on X Share on Facebook Share on LinkedIn Once badness makes an inroad into your network, the adversary has a set of goals — steal credentials, persist, find the good stuff, exfiltrate the good stuff, and get paid!To do that, they need to move laterally.We have touched on two ways in which an adversary can traverse the network and we did this with only three sources of data — Windows Security, System events, and Sysmon. Other data sources like network metadata and registry ...
Floser Bacurio Jr., Bernadette Canubas, and Michaelo Oliveros at Trellix
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption Our new article provides key highlights and takeaways from Operation Cronos' disruption of LockBit's operations, as well as telemetry details on how LockBit actors operated post-disruption. By: Christopher Boyton April 03, 2024 Read time: ( words) Save to Folio Subscribe Summary: On Feb. 19, 2024, Operation Cronos, a targeted law enforcement action, caused outages on LockBit-affiliated platforms, significant...
Thomas Millar at TrustedSec
April 04, 2024 Observations From Business Email Compromise (BEC) Attacks Written by Thomas Millar Incident Response Incident Response & Forensics Since joining TrustedSec, I have gotten to work numerous cases, and each of them is like unraveling a mystery to get at the truth—especially the situations that have involved business email compromise (or BEC). Unfortunately, these cases have not only involved intrusion into cloud email accounts. There have also been situations where the attackers mana...
Karla Agregado at Trustwave SpiderLabs
Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region April 05, 2024 2 minutes read Karla Agregado Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice. Figure 1. Phishing email sample with zip file attachment Upon checking the email header, we see that it has an email address format ...
Greg Zemlin at Wiz
We explore assessment, prevention, and detection strategies for protecting your organization from the XZ Utils vulnerability.4 minutes readGreg ZemlinApril 3, 20244 minutes readContentsAssessment Agentless scanning SBOM search Prevention Detection Adopting a proactive and reactive strategy The XZ Utils backdoor caused some panic throughout the security community following the announcement about it on Friday. The immediate response was reminiscent of Log4j, and thankfully, something we don’t expe...
