Analysis Notes

A place to note down things from trying malware analysis and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 WEEK 50 – 2022 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here. Donations via "Buy me a coffee" are appreciated.

THREAT INTELLIGENCE/HUNTING

Ahmed Musaad

Scanning The Top 1000 Python Packages Using GuardDog Supply chain attacks are a nightmare, both in logistics and software development. With the increasing dependency on third-party libraries, frameworks, and packages, the risk of data breach or system compromise is heightened. There are no easy solutions for this problem, as we can't just say no to third-party packages. Such a decision would negatively impact development speed and could potentially pu...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, In-memory evasion, Infostealers, North Korea, Phishing, Ransomware, Search engine optimization, and Signed malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine an...

Arctic Wolf

Avertium

December 6, 2022 Executive Summary During 2021, HIVE ransomware was involved in several attacks against the healthcare sector. HIVE is offered as ransomware-as-a-service (RaaS), meaning that the ransomware is used by affiliates in attacks. Avertium published a Threat Intelligence Report naming the top five cyber threats in the healthcare sector and HIVE was in the top ten of global ransomware for the third quarter of that year. HIVE has also been used in attacks against several critical infrastr...

Marshall Jones, Manuel Martinez Arizmendi, and Jonathan Nguyen at AWS Security

by Marshall Jones, Manuel Martinez Arizmendi, and Jonathan Nguyen | on 05 DEC 2022 | in Intermediate (200), Security, Identity, & Compliance, Technical How-to In part 1 of this two-part series, How to detect security issues in Amazon EKS cluster using Amazon GuardDuty, we walked through a real-world observed security issue in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and saw how Amazon GuardDuty detected each phase by following MITRE ATT&CK ...

Ben Heater

Wazuh: File Integrity Monitoring In this post, I show you how to configure and monitor File Integrity Monitoring (FIM) in Wazuh. By 0xBEN What is File Integrity Monitoring? File Integrity Monitoring (FIM) is the process of monitoring for changes in the file system, such as file additions, deletions, or modifications. Wazuh's FIM solution – known as syscheck – can monitor the Windows Registry for changes as well. File integrity monitoring - Capabilit...

Martin Zugec at Bitdefender

A China-linked cyber espionage operation targeting multiple telecom providers in the Middle East was recently discovered by Bitdefender Labs. A wide range of tools were used for this operation, both open-source and custom-built. Download the full research paper: "Cyber-Espionage in the Middle East: Investigating a New BackdoorDiplomacy Threat Actor Campaign" if you want to dive deeper. We attribute this operation to BackdoorDiplomacy, a known advanced persistent t...

Blackberry

Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets CYBERSECURITY / 12.06.22 / The BlackBerry Research & Intelligence Team Mustang Panda continue targeting countries across Europe and Asia Pacific, utilizing current geopolitical events to their advantage. Their attack chain remains consistent, with the continued use of archive files, shortcut files, malicious loaders, and the use of PlugX malware. Base...

BlackByte Ransomware Takes an Extra Bite Using Double Extortion Methods CYBERSECURITY / 12.08.22 / The BlackBerry Research & Intelligence Team The BlackByte ransomware variant was first discovered in summer 2021 and has since then produced many new variants, with the latest being spotted in the wild in recent months. BlackByte is a prolific Ransomware-as-a-Service (RaaS) malware which utilizes an increasingly popular double extortion me...

Bart Blaze

Quite a while ago, I published some of my private Yara rules online, on Github. They can be found here: //github.com/bartblaze/Yara-rules There are two workflows running on that Github repository: YARA-CI: runs automatically to detect signature errors, as well as false positives and negatives. Package Yara rules: allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab < Artifacts (see image below). The Yara rules are divided into: AP...

Brad Duncan at Malware Traffic Analysis

2022-12-07 (WEDNESDAY) - BUMBLEBEE INFECTION WITH COBALT STRIKE REFERENCE: //twitter.com/Unit42_Intel/status/1600587285577203715 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2022-12-07-IOCs-for-Bumblebee-infection-with-Cobalt-Strike.txt.zip 1.8 kB (1,777 bytes) 2022-12-07-Bumblebee-infection-with-Cobalt-Strike.pcap.zip 1.5 MB (1,535,190 bytes) 2022-12-07-Bumblebee-malware-and-artifacts.zip 1.4 MB (1,436,871 bytes...

2022-12-09 (FRIDAY) - HTML SMUGGLING LEADS TO QAKBOT (QBOT), DISTRIBUTION/BOTNET TAG: AZD NOTES: The HTML file used for smuggling was posted to VirusTotal today, and create/modify dates for the disk image & its content are all 2022-12-09. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2022-12-09-IOCs-for-azd-Qakbot.txt.zip 2.6 kB (2,642 bytes) 2022-12-09-azd-Qakbot-infection-traffic-carved-and-santized.pcap.zip 1.9 MB (1,...

Breachquest

12.05.22 By: BreachQuest What is BEC Business Email Compromise is a phishing attack vector in which threat actors use deceptive tactics to manipulate employees or attempt to gain unauthorized access to an environment. While this may not come in the traditional form of malicious links and files, we see an increase in threat actors posing as legitimate organizations and sending invoices for services. Even more alarming, threat actors have been found to compromise the inboxes of leadership staff and s...

CERT Ukraine

CERT-AGID

Summary of the malicious campaigns in the week of 2 – 9 December 2022 09/12/2022 summary This week, CERT-AgID detected and analysed, within the Italian scenario it covers, a total of 14 malicious campaigns, 13 of them with Italian targets and 1 generic one that nonetheless involved Italy, making the 168 related indicators of compromise (IOC) it identified available to its accredited bodies. Below we report the details of the types illus...

Check Point Research

Chris Doman at Cado Security

Cisco’s Talos

By William Largent Thursday, December 8, 2022 16:12 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They wi...

Breaking the silence - Recent Truebot activity By Tiago Pereira Thursday, December 8, 2022 14:12 Threat Advisory Truebot Grace botnet CVE-2022-31199 Raspberry Robin TA505 Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world. The...

By William Largent Friday, December 9, 2022 14:12 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 2 and Dec. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information p...

Corelight

Zeek on Windows December 5, 2022 by Tim Wojtulewicz Editor's note: This post was originally published on the Zeek.org blog on Nov. 28, 2022. Reposted here in full with permission as a courtesy. As we shared at ZeekWeek 2022 in October, we’re thrilled to announce emerging support for Zeek on Windows, thanks to an open-source contribution from Microsoft. Part of its integration of Zeek into its Defender for Endpoint security platform, this contribution ...

Replace IDS and extend entity visibility December 8, 2022 by John Gamble Today, as a part of our v27 software release, we are launching enhanced IDS rules management functionality, extending analyst visibility around hosts, devices, users, and more, and upgrading the Corelight Software Sensor to give customers more NDR deployment flexibility. Replacing IDS with NDR A core component of Corelight’s open NDR platform is our IDS functionality that deliver...

Cyble

December 6, 2022 Cyble Research and Intelligence Labs have observed several Threat Actors (TAs) using e-commerce platforms such as Shoppy, Selly, Sellix, Satoshibox, Rocketr, and even WordPress to further their criminal activities. This has been the natural progression and scaling of the TA’s activities – from single-party sales through a middleman or escrow to automating the payment and delivery process (auto-buy), thereby allowing the buyer instant access to the product once the cryptocurrency...

December 7, 2022 ChatGPT and Its Usecases for Infosec and Cybersecurity community OpenAI recently released the chatbot ChatGPT; ChatGPT is designed to understand and generate natural language, as well as respond to questions, follow conversations, and generate natural language responses. ChatGPT can generate responses that are much more natural sounding and conversational than traditional chatbots. This is because the system is trained on immense amounts of natural language data, allowing it to ...

December 7, 2022 New Ransomware disrupting Transportation and Logistics Industry in Israel During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named “BlackMagic” ransomware. This ransomware group uses a double extortion technique to target its victims, in which it first exfiltrates the victim’s data, followed by encryption. This group has disclosed details of over ten victims to date, and all of them are from Israel, indicating...

December 8, 2022 Ransomware potentially targeting organizations dealing in Critical Infrastructure “TargetCompany” is a type of ransomware that was first identified in June 2021. The researchers named it TargetCompany ransomware because it adds the targeted company name as a file extension to the encrypted files. In September 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and adding the “Fargo” extension to the encrypted files. TargetCompany ranso...

December 9, 2022 Cybercriminals exploiting World Cup buzz to conduct malicious campaigns The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are actively also taking advantage of it and using FIFA as a theme in their malicious campaigns targeting unsuspecting victims. Cyble Research & Intelligence Labs (CRIL) has been continuously mo...

Ryan at DefaultCredentials

Blue Team Small Cyber Bytes – 1 – Event Consumers – Malware Persistence By Ryan Malware Persistence Malware persistence is the ability of a malware infection to maintain its presence on a system even after it has been removed or detected by security software. Persistent malware is able to survive system reboots and other attempts to remove it, allowing it to continue its harmful activities. There are several ways in which malware can establish persistence on a system. Thes...

DomainTools

EclecticIQ

2022 cyberattack activity trends have highlighted shifting patterns in malware, threat actor networks, and cyberattack incentives. Much of the changing activity orbits T1078 (Valid Accounts). EclecticIQ Threat Research Team – December 8, 2022 New and Noteworthy: Escalation of Information Stealer Capabilities Targeting Valid Accounts Increases Risk Into 2023 Information Stealing Malware Shows a Strong Trend Toward Targeting Account Information That Can be Deployed in Future Targeted Cyberattacks....

Nigel Douglas at Falco


GitGuardian

Thinking Like a Hacker: Finding Leaked Code on GitHub Continuing our series about potential attack scenarios, learn how a very easy configuration mistake on GitHub can lead to a major security breach. Guest Expert (GitGuardian hires external cybersecurity experts to share their unique experience and knowledge in security on the GitGuardian blog.) 7 Dec 2022 C.J. May Information security professiona...

Clement Lecigne and Benoit Sevens at Google Threat Analysis Group

Threat Analysis Group Internet Explorer 0-day exploited by North Korean actor APT37 Dec 07, 2022 Clement Lecigne, Threat Analysis Group; Benoit Sevens, Threat Analysis Group To protect our users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild. This blog will describe a 0-day v...

Haircutfish

TryHackMe Threat Intelligence Tools — Task 4 Abuse.ch, Task 5 PhishTool, & Task 6 Cisco Talos Intelligence If you haven’t done task 1, 2, & 3 yet, here is the link to my write-up of it: Tools Task 1 Room Outline, Task 2 Threat Intelligence, and Task 3 UrlScan.io. Task 4 Abuse.ch Abuse.ch is a research project hosted by the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences in Switzerland. It was developed to identify and track malware and botnets through several oper...

TryHackMe Threat Intelligence Tools — Task 7 Scenario 1 If you haven’t done task 4, 5, & 6 yet, here is the link to my write-up of it: Task 4 Abuse.ch, Task 5 PhishTool, & Task 6 Cisco Talos Intelligence. Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported. Task: Use the tools discussed throughout this room (or use your resources) to help you analyze Email2.eml and use the i...

TryHackMe Threat Intelligence Tools — Task 8 Scenario 2 & Task 9 Conclusion If you haven’t done task 7 yet, here is the link to my write-up of it: Task 7 Scenario 1. Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported. Task: Use the tools discussed throughout this room (or use your resources) to help you analyze Email3.eml and use the information to answer the questions. Obta...

Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting! Task 1 Introduction Introduction This room will expect you to understand basic Linux familiarity, such as installing software and commands for general navigation of the system. Moreso, this room isn’t designed to test your knowledge or for point-scoring. It is here to encourage you to follow along and experiment with what you have learned here. As always, I hope you take a few things a...

TryHackMe OpenCTI — Task 1 thru Task 5 Provide an understanding of the OpenCTI Project Task 1 Room Overview This room will cover the concepts and usage of OpenCTI, an open-source threat intelligence platform. The room will help you understand and answer the following questions: What is OpenCTI and how is it used? How would I navigate through the platform? What functionalities will be important during a security threat analysis? Prior to going through this room, we recommend checking out these rooms as ...

Dorin Karasik at Human Security

By Dorin Karasik Dec 8, 2022 This large e-commerce retailer was bombarded with credential stuffing attacks that led to account takeovers (ATOs). These attacks caused financial losses, customer churn and brand reputation damage. Last fall, the company experienced attacks attempting to take over nearly 2.5 million accounts. Although it successfully blocked the malicious login attempts with HUMAN Bot Defender, the company also wanted to reduce the volume of attacks coming in. The retailer implement...

Dray Agha at Huntress

I’ve been pretty tame so far in this series (see part one and part two). Let’s get spicy. This article puts a bow on the previous two installments we’ve shared on our safari excursion on defense evasion. So... how do you catch defensive evasion? Seems like a paradoxical thing to ask. Well, bad guys have to get IN somehow, they have to RUN stuff somehow, and there has to be some kind of IMPACT to what they run. The advanced ones are able to make the above sneakier but not ...

InfoSec Write-ups

Take Adversary’s perspective in Defender’s Team Having recently completed the ‘Foundations of Operationalizing MITRE ATT&CK’ course, I thought it’ll be useful to share some of the key notes and share with you all that I’ve learnt from this widely-recognised and accepted defense framework in Cyber Security. Intro to MITRE ATT&CK A framework where defenders take the adversary’s perspective to find known adversary behaviours. This helps the defenders to align their defences with probable high-risk at...

Intel471

Dec 07, 2022 Multifactor authentication can stop the takeover of user accounts where login credentials have been compromised. It’s a critical security control, but one that threat actors are increasingly finding ways around with one-time password bots, or OTP bots. A recent large law enforcement action has taken out a major OTP operation, but other services unfortunately appear poised to replace it. Intel 471 has been tracking OTP bots since they emerged in 2021. The bots allow less-sophisticate...

Keisuke Shikano at JPCERT/CC

Keisuke Shikano (鹿野 恵祐) December 9, 2022 TSUBAME Report Overflow (Jul-Sep 2022) This TSUBAME Report Overflow series discusses monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports do not include. This article covers the monitoring results for the period of April to June 2022. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here. Observation trends of packets from scanners in Japan TSU...

Asher Langton at Juniper Networks

A Custom Python Backdoor for VMWare ESXi Servers December 9, 2022 by Asher Langton In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compro...

Leonid Grustniy at Kaspersky Lab


Keith Wojcieszek, Stephen Green, and Elio Biasiotto at Kroll

Key Takeaways Kroll has identified new tactics targeting backup systems being used by threat actors associated with the distribution of AvosLocker ransomware. In these instances, Kroll has observed actors attempting to leverage vulnerabilities within Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) for possible data exfiltration, likely to evade detection by appearing as legitimate activity. In the cases Kroll obser...

Microsoft Security

Microsoft Security Threat Intelligence Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also observed threat actors directly targeting organizations within the cryptocurrency industry for financial gain. Attacks targeting this marke...

Yossi Weizman, Senior Security Researcher, Microsoft Defender for Cloud; Dotan Patrich, Principal Architect, Microsoft Defender for Cloud Today, we are glad to release the third version of the threat matrix for Kubernetes, an evolving knowledge base for security threats that target Kubernetes clusters. The matrix, first released by Microsoft in 2020, was the first attempt to systematically cover the attack landscape of Kubernetes. Since then, the project ...

Nextron Systems

Dec 5, 2022 | Newsletter, Sigma, VALHALLA Nextron Systems has always supported the Sigma project, investing hundreds of work hours into creating and maintaining the community rules shared in the public Sigma rule repository. Apart from the community support, we’ve created a set of internal detection rules for our products, THOR and Aurora, that we kept confidential for various reasons and didn’t share publicly. Today we are glad to announce that we’ve started feeding these rules into the Valhall...

Or Yair at Safebreach

Palo Alto Networks

By JR Gumarin December 6, 2022 at 3:00 AM Category: Ransomware Tags: Cortex, Cortex XDR, CVE-2021-1675, CVE-2021-34527, HelloKitty, incident response, NGFW, PrintNightmare, Vice Society, WildFire This post is also available in: 日本語 (Japanese) Executive Summary Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-...

By Dror Alon December 8, 2022 at 3:00 PM Category: Cloud Tags: AWS, Cloud Security, Cortex XDR, cryptomining, Google Cloud, IAM, incident response, Prisma Cloud This post is also available in: 日本語 (Japanese) Executive Summary Cloud breaches often stem from misconfigured storage services or exposed credentials. A growing trend of attacks specifically targets cloud compute services to steal associated credentials and illicitly gain access to cloud infrastr...

pat_h/to/file

Nov 30, 2022 tl;dr I forked and used hfiref0x’s awesome Kernel Driver Utility project to subscribe to the Microsoft-Threat-Intelligence feed without using a signed binary or test machine. Back to ETW-TI Despite spending most of my time away from Windows these days, I was recently motivated to check back in with ETW, especially after the exploit used by SealighterTI was patched. To refresh your memory on the systems and acronyms covered in this blog series so far (or skip to the new content): Even...

Patrick Orzechowski at Todyl

Patrick Orzechowski | 2022-11-17 | 5 min read On November 17, 2022 Todyl’s MXDR team observed new infections from a campaign that included the IcedID Trojan, first discovered in 2017 by IBM X-Force [1]. This new activity targets users in the US with IRS notifications and file names such as IRS_Form_11-17-2022_16-48-39.exe. These infections differ from the Emotet activity seen by Proofpoint [2] in recent weeks because the actor used a re-registered parked domain to host the malware. Newly Registe...

Recorded Future

Posted: 5th December 2022By: Insikt Group® Editor’s Note: Click here to download the report as a PDF. This report profiles the infrastructure used by the threat activity group TAG-53, which overlaps with public reporting on Callisto Group, COLDRIVER, and SEABORGIUM. The activity was identified through a combination of Network Intelligence and analysis derived from open-source reporting. The report will be of most interest to network defenders and individuals engaged in strategic and operational ...

Red Alert

Monthly Threat Actor Group Intelligence Report, October 2022 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analysed on the basis of data and information collected by the NSHC ThreatRecon team from 21 September 2022 to 20 October 2022. In October, the activity of a total of 28 hacking groups was identified; SectorA groups were the most numerous at 30%, followed by the activities of SectorJ and SectorE groups. The hacking activities of the groups discovered this October were directed most often at personnel or systems in government ministries and the information and communications industry, and by region, hacking activity targeting countries located in East Asia and Europe was found to be the most common. 1. Characteristics of SectorA group activity In October 2022, the activity of a total of 5 hacking groups was discovered, and ...

SANS Internet Storm Center

VLC's Check For Updates: No Updates? Published: 2022-12-05 Last Updated: 2022-12-05 16:58:49 UTC by Didier Stevens (Version: 1) 3 comment(s) When Johannes mentioned a VLC update (version 3.0.18) on Thursday's Stormcast, I started VLC and let it check for updates: it reported that I had the latest version. But I knew I didn't. Saturday I checked again, still no updates. So I started Wireshark, let ...

Packet Tuesday Episode 4: TLS Client Hello. //www.youtube.com/playlist?list=PLs4eo9Tja8biVteSW4a3GHY8qi0t1lFLL

Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers. Published: 2022-12-06 Last Updated: 2022-12-06 15:42:01 UTC by Johannes Ullrich (Version: 1) 0 comment(s) [This is a guest post submitted by Brock Perry [LinkedIn], one of our sans.edu undergraduate interns] Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attack...

Wireshark 4.0.2 and 3.6.10 released Published: 2022-12-07 Last Updated: 2022-12-07 22:21:19 UTC by Jim Clausing (Version: 1) 0 comment(s) Wireshark has released updates for both the 3.6 and 4.0 lines. There appear to be quite a few bug fixes, but no vulnerability fixes. [1] //www.wireshark.org/docs/relnotes/wireshark-4.0.2.html [2] //www.wireshark.org/docs/relnotes/wireshark-3.6.10.html [3] //www.wireshark.org/download.html --------------- Jim Clausing, GIAC GSE #26 jclausing --at-- isc [dot] sa...

Finding Gaps in Syslog - How to find when nothing happened Published: 2022-12-07 Last Updated: 2022-12-08 12:41:43 UTC by Rob VandenBrink (Version: 1) 5 comment(s) I recently got a call from a client, they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently. This was a Cisco ASA firewall, so we of c...

Kristen Cotten and Jake Williams at Scythe

Qakbot Reloaded Kristen Cotten, Jake Williams December 8, 2022 Qakbot is making the rounds once again, expanding its servi...

Joan Soriano at Security Art Work

9 December 2022 By Joan Soriano In the previous article, the objective of a Threat Hunting Intelligence Unit was established, and a study was carried out on measuring its value as a function of its coverage and efficiency. This article aims to use those calculations to establish coverage at the tactic level and to draw an organisation's probabilistic model with respect to an APT group. The full research can be read here. Cobertur...

Sekoia

APT calisto CTI Infrastructure Threat & Detection Research Team December 5 2022 Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that align closely with Russian strategic interests. Calisto mainly focuses on Western countries, especially the United Sta...

Skynet_Cyber

Tawan S. Dec 5 Introducing My Blog! By Meeeeeeeeee 😊 In this first blog, we’ll be discussing Security Operations Center. SOC is an integral part of Cybersecurity. Security Operations Center is where most of the security operation-related activities are taken place. We’ll be exploring some of the key terms, and goings-on inside a typical SOC. Today, I started off with the ‘SOC Fundamentals.’ Hey, nothing wrong with reinforcing the fundamentals and that’s exactly where I’m poking aroun...

By Meeeeeeeeee 😊 There are many types of cyber attacks as they continue to evolve and phishing remains one of the most highly used and it’s considered the most effective out of all. If you really think about it, there is a lot of social engineering behind some of the tactics and techniques used when it comes to phishing. And phishing attack is the most common attack vector for initial access. What is Phishing? Phishing is a type of attack directed at stealing personal information of the user in g...

By Meeeeeeeeee 😊 Web applications are often used by all on a daily basis. When we think of web applications and their ease of use, we don’t often think of the security that comes with it. Web security is not always sufficient and that is why we want to dig deeper into today’s topic which is web attacks! Keep on reading, let’s find out! What are web apps? Web applications are applications such as popular websites like Gmail, apps like Slack, Facebook, word processors, video editing, and online form...

SOC Fortress

Applications and Vendors and Custom Logs, oh my! PART ONE: Backend Storage PART TWO: Log Ingestion PART THREE: Log Analysis PART FOUR: Wazuh Agent Install PART FIVE: Intelligent SIEM Logging PART SIX: Best Open Source SIEM Dashboards PART SEVEN: Firewall Log Collection Made Easy PART EIGHT: Firewall Threat Intel With GreyNoise Walkthrough Video Intro Throughout this series we have started ingesting Wazuh logs from our Windows and Linux endpoints (PART 4) and from a pfSense Firewall (PART 7) into our SIEM s...

SOCRadar

Matt Wixey at Sophos

A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders. In the first of a four-part series, we look at the forums involved, and how they deal with scammers scamming scammers. Written by Matt Wixey December 07, 2022 A scam lurks around every corner on criminal marketplaces. Way back in 2009, Microsoft pointed out that the underground economy ...

Splunk

By Splunk Threat Research Team December 05, 2022 The Splunk Threat Research Team (STRT) recently released three new analytic stories, Azure Active Directory Account Takeover, AWS Identity and Access Management Account Takeover and GCP Account Takeover, to help security analysts detect adversaries engaging in cloud account takeover attacks against some of the largest public cloud service providers. In this blog, we describe the telemetry available in each of the cloud providers and the opt...

Sucuri

Biagio Dipalma at Sysdig

Team Cymru

Updated: 6 days ago Telemetry Data Suggests 107.173.231.114 Remains an Active IOC Introduction This blog provides a short update on Team Cymru’s ongoing tracking of threat actor groups associated with Iran. PHOSPHORUS is an Iranian threat group known to target organizations in energy, government, and technology sectors based in Europe, the Middle East, the United States, and other countries/regions. In recent reporting, PHOSPHORUS TTPs have included the likely opportunistic targeting of unpatched vu...

Adam Todd at TrustedSec

More Active Directory for Script Kiddies December 6, 2022 By Adam Todd in Active Directory Security Review, Architecture Review, Research Introduction So… Active Directory is amazing. It tells me everything I want to know—a regular Ask Jeeves for the whole domain—but I’m sure there is more that it can do. What else am I missing? In a previous article, I described the Active Directory (AD) service and how a Script Kiddie might use it to enumerate a network to find interesting things. Please go ba...

Trustwave SpiderLabs

December 08, 2022 Maria Katrina Udquin Recently, we’ve noticed an increase in user reports of SMS-based Business Email Compromise (BEC) messages. This seems to be part of a wider trend as phishing scams via text messages surge. The Federal Communications Commission (FCC) observed an increase in unsolicited text messages, with 2022 practically tripling the number of phishing texts reported to the FCC in 2019. Phishing scams are prevalent in the SMS threat landscape,...

December 08, 2022 Rodel Mendrez, Phil Hay, Diana Lopera Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an under...