Analysis Memo

A place to jot down notes from trying malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 51 – 2022 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that articles can be skimmed to decide which ones to check. 4n6 can be read here. Donations via "Buy me a coffee" are appreciated.

THREAT INTELLIGENCE/HUNTING

Anders Olsson at Truesec

VMware ESXi 8.0 and execInstalledOnly - The Good, the Bad and the Ugly VMware vSphere 8.0 has execInstalledOnly enabled in ESXi by default, which is great. Unfortunately it's implemented in a way which makes it less effective in preventing ransomware attacks. What's the problem with execInstalledOnly in ESXi 8.0? In April of 2021 when I wrote my first blog post about execInstalledOnly there was zero information on what this setting did or how we were supposed to use it. Even VMwa...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threa...

Adriano Bybyk at Aon

SCL -1: The Dangerous Side of Safe Senders Stroz Friedberg is regularly called upon by clients to perform Business Email Compromise (BEC) investigations when their Microsoft 365 (“M365”) tenants are compromised by threat actors. In the past few months, Stroz Friedberg has observed threat actors leveraging Safe Senders, a feature built into Outlook, to bypass spam filters and successfully deliver spoofed messages to a targeted user’s mailbox. These spoofed messages are a...

Arch Cloud Labs

Detecting off The Land - Hash Lookups from Native Tooling About The Project Several Red Team projects exist to “live off the land” and avoid introducing additional executables into an environment. This gives Red Teamers and adversaries an advantage to not risk something within their toolkit from getting caught by the latest and greatest EDR. But what about the Blue Teamers? The DFIR engineers out there tirelessly working to ensure the safety of an organization? This blog post highlights how to int...

Francis Guibernau and Ken Towne at AttackIQ

Avertium

December 13, 2022 Executive Summary After emerging in January 2022, Royal ransomware is a ransomware strain that is being distributed by ransomware threat actors from previous operations. Initially, Microsoft attributed the distribution of Royal ransomware to DEV-0569 – a temporary name given by the tech company. Now, researchers are stating that the threat actors behind Royal ransomware have officially branded themselves with the name Royal (the name left behind in recent ransomware notes) and ...

Amanda Berlin at Blumira

Brad Duncan at Malware Traffic Analysis

2022-12-12 (WEDNESDAY) - PCAP AND MALWARE FOR AN ISC DIARY The ISC diary is for Thursday 2022-12-15: Google ads lead to fake software pages pushing IcedID (Bokbot) Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2022-12-14-IcedID-with-Cobalt-Strike-and-VNC-and-Sliver-or-DonutLoader.pcap.zip 70.7 MB (70,652,928 bytes) 2022-12-14-IcedID-and-Cobalt-Strike-and-Sliver-or-DonutLoader-malware-and-artifacts.zip 21.5 MB (21,549,569...

Cado Security

Caprico’s Cave

Ransomware: Warnings of actors targeting healthcare Posted on December 14, 2022 by capricocave December 14th, 2022 This month has seen multiple warnings and briefs regarding ransomware actors that may be targeting healthcare institutions and companies. With this being the holiday surge, there are multiple facets that may become available to threat actors to gain a foothold within the healthcare vertical. HSS Warnings The HSS has sent out multiple briefings highlighting automated attack suites an...

CERT Ukraine

CERT-AGID

Ursnif campaign underway themed on the Agenzia delle Entrate 15/12/2022 Agenzia Entrate SMB Ursnif CERT-AGID has evidence of a malicious campaign, currently underway, aimed at delivering the Ursnif malware via an e-mail carrying a fake communication from the Agenzia delle Entrate. The e-mail invites the victim to view the information contained in the attached archive (ZIP) which, unlike the Ursnif campaigns analysed previously, contains a folder named “Dicembre...

Third monitoring of HTTPS protocol usage and the update status of CMSs on Public Administration systems 16/12/2022 CMS HTTPS As envisaged by the Piano Triennale per l’informatica nella Pubblica Amministrazione, AgID has carried out a new survey (hereinafter "monitoring") of the use of the HTTPS protocol and the update status of CMSs in Public Administration systems. For this third monitoring as well, the methodologies already described previously were used...

Check Point Research

Checkmarx Security

Checkmarx and Phylum reported on a Typosquatting campaign targeting the NPM and PyPi package managers. This campaign targets the popular “requests” package on PyPi and the “discord.js” package on NPM, and includes embedded ransomware. When executed, the ransomware updates the desktop background, encrypts files, and leaves a readme file requesting payment of $100 in cryptocurrency in exchange for the decryption key. Unlike most open-source attacks, the payload is not executed upon installation, b...

WASP Stealer, for those of you who aren’t familiar, is an open-source malware created by loTus04 that is designed to steal sensitive information from a victim’s computer. It has several features that make it particularly effective at this task. For example, it can steal saved passwords, browser cookies, and PC information. Additionally, it can steal Discord tokens from browsers and the Discord app, and it can get all the information associated with these tokens, such as the user’s email, nitro/b...

Joint research of Checkmarx and Illustria resulted with an anomaly discovered in the open-source ecosystem. Over 144,000 packages were published to NuGet, NPM, and PyPi by the same threat actors. Investigation revealed a new attack vector — attackers spam open-source ecosystem with packages containing links to phishing campaigns. All packages and related user accounts were most likely created using automation. The threat actors refer to retail websites with referral ids to benefit the threat actors with...

Cisco’s Talos

By Adam Katz, Jaeson Schultz Tuesday, December 13, 2022 15:12 Threat Advisory Qakbot HTML Smuggling HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage. Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device. Talos has witnessed Qakbot attackers using a relatively new technique that leverages Scalable Vector G...

By Cisco Talos Wednesday, December 14, 2022 08:12 2022YiR Year In Review This report represents an unprecedented effort within Cisco to tell a comprehensive story of our work in the past year, relying on a wide variety of data and expertise. As a large security organization with global reach, the data we use as the basis for our research presents us with both a gift and a curse. The gift lies in the diversity of inputs, ranging from endpoint detections, incident response engage...

By Cisco Talos Wednesday, December 14, 2022 12:12 Year In Review 2022YiR Talos’ ongoing support for Ukraine has been a large focus of our operational efforts this year. Driven by our core mission of protecting the Ukrainian people and infrastructure, Talos launched a task force of 40+ volunteers dedicated to defending our customers and partners within. This team of experts monitors critical infrastructure customers to identify threats, remediate attacks, and gather information. Discover the top a...

By Madison Burns Thursday, December 15, 2022 14:12 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. It’s the most wonderful time of the year, and I’m not talking about the holidays. The inaugural 2022 Talos Year in Review is here! And it’s taking over the final Threat Source newsletter of the year. Oh and did we mention we’re on Mastodon now? Talos, the gift that keeps on giving. The one big thing The 2022 Talos Year in Review is officially launched and with...

By William Largent Friday, December 16, 2022 14:12 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 9 and Dec. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information...

Sparsh Kulshrestha and Mayank Satnalika at CloudSEK

by Sparsh Kulshrestha Authors : Sparsh Kulshrestha and Mayank Satnalika Editors : Deepanjli Paulraj On 6th Dec 2022, CloudSEK disclosed a cyber attack directed at the company. During the course of investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the darkweb. Following further investigation, it was found that for A...

Giuseppe Scalzi at Compass Security

December 12, 2022 / Giuseppe Scalzi / 0 Comments Nowadays more and more security tools are used to monitor and generate alerts from different sources (EDR, Proxy, etc.). These alerts often contain URLs, domain names, or file hashes that can and should be compared with a threat intelligence source to immediately identify current threats and avoid when possible false positives. In this article, we will show how to import the IoCs (Indicators of Compromise) available on the great threatfox.abuse.ch ...

CTF导航

APT Cloud Atlas: Unbroken Threat Introduction Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. According to our data, its attacks have been targeting the government sector of the following countries: Russia, Belarus, Azerbaijan, Turkey, Slovenia. The goals of the group are espionage and theft of confidential information. The group typically uses phishing emails with malicious attachments as the initial vector for their attac...

CyberCX

Cyber Adviser Newsletter - December 2022 Published by CyberCX Intelligence on 16 December 2022 Welcome to the first edition of Cyber Adviser, a monthly readout of insights and expert analysis from the CyberCX Intelligence desk. November by the numbers Cyber extortion: Record highs, splintering groups Cyber extortion attacks against Australian organisations increased to the highest level CyberCX Intelligence has observed in 2022. Cyber extortion groups claimed responsibility for attacks against a...

Max Heinemeyer at Darktrace

13 Dec 2022 This blog demonstrates how we use EDR integration in Darktrace for detection & investigation. We’ll look at four key features, which are summarised with an example below: 1) Contextualizing existing Darktrace information – E.g. ‘There was a Microsoft Defender for Endpoint (MDE) alert 5 minutes after Darktrace saw the device beacon to an unusual destination on the internet. Let me pivot back into the Defender UI’ 2) Cross-data detection engineering – ‘D...

Barry Rellis at DomainTools

Domiziana Foti

ATT&CK for Cyber Threat Intelligence Training — Module 3: Mapping to ATT&CK from raw data In this course we have the opportunity not only to study what ATT&CK is but also to test ourselves through practical exercises. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, also ATT&CK for Mobile, which focuses on behavior ag...

Dragos

By Dawn Cappelli 12.14.22 This is our monthly blog detailing best practices for OT cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology – Cyber Emergency Readiness Team), which provides free resources to help small and medium businesses (SMBs) create or enhance their OT cybersecurity program. The Category and Practice from the OT-CERT OT Cybersecurity Fundamentals Self-Assessment Survey is noted for each best practice. Hopefull...

By Dragos, Inc. 12.15.22 At Dragos we regularly interact with members across the industrial community who are curious about what other organizations are experiencing when it comes to cybersecurity operations. This includes both gaining insight into what “normal” looks like, and also a desire to connect with others to share insights in a way that doesn’t compromise their own need to maintain operational integrity and privacy. It was with this in mind that we put to...

EclecticIQ

Malware like Emotet is difficult to hunt for merely based on its indicators as they change their characteristics based on the environment they are used in. Hunting for such malware requires special capabilities in the agent as described in this blog EclecticIQ Endpoint Security Team – December 13, 2022 Earlier this year, EclecticIQ Analysts published this article detailing the inner workings of a newly observed Emotet variant. In November, another industry source published a report talking about...

Erik Hjelmvik at Netresec

NetworkMiner is now available as a package in the reverse engineering platform FLARE VM. You can either select the networkminer.vm package in the installer or install NetworkMiner later on from the command line. NetworkMiner can be installed in FLARE VM from an admin shell by running choco install networkminer.vm After installation you’ll find NetworkMiner in the “Networking” category together with FakeNet-NG and Wireshark. FLARE VM allows NetworkMiner to be launched by running the command “netw...

Flashpoint

This blog is part of our 2022 Year In Review, an intelligence retrospective highlighting the most significant trends of the past year—plus insight into 2023. Flashpoint Team December 13, 2022 Key Takeaways Thi...

GuidePoint Security

Haircutfish

Haircutfish, Dec 13 · 8 min read TryHackMe MISP — Task 1 Room Overview, Task 2 MISP Introduction: Features & Terminologies, & Task 3 Using the System Walkthrough on the use of MISP as a Threat Sharing Platform Task 1 Room Overview MISP — MALWARE INFORMATION SHARING PLATFORM This room explores the MISP Malware & Threat Sharing Platform through its core objective to foster sharing of structured threat information among security analysts, malware researchers and IT professionals. Room Objectives We will...

TryHackMe OpenCTI — Task 6 Investigative Scenario & Task 7 Room Conclusion If you haven’t done task 1 thru 5 yet, here is the link to my write-up of it: Task 1 thru Task 5. Getting to the OpenCTI Dashboard Let’s get to the OpenCTI Dashboard; to do this, first we need to click the green Start Machine button at the top of Task 4 to get the VM up and running. Then go to the top of the webpage and click the blue Start AttackBox icon; the screen will split and take about a minute and a half for the VM to ...

Haircutfish, Dec 14 · 8 min read TryHackMe MISP — Task 4 Feeds & Taxonomies, Task 5 Scenario Event, & Task 6 Conclusion If you haven’t done tasks 1, 2, & 3 yet, here is the link to my write-up of them: Task 1 Room Overview, Task 2 MISP Introduction: Features & Terminologies, & Task 3 Using the System. Getting to the MISP Dashboard Head back to Task 3; at the top will be a green button labeled Start Machine. Click it. On your local machine, open the OpenVPN program. Once the program loads, click on the to...

Learn Network Security and Traffic Analysis foundations and take a step into probing network anomalies. Task 1 Introduction Network Security is a set of operations for protecting data, applications, devices and systems connected to the network. It is accepted as one of the significant subdomains of cyber security. It focuses on the system design, operation and management of the architecture/infrastructure to provide network accessibility, integrity, continuity and reliability. Traffic analysis (of...

TryHackMe Snort — Task 1 Introduction, Task 2 Interactive Material and VM, & Task 3 Introduction to IDS/IPS Learn how to use Snort to detect real-time threats, analyse recorded traffic files and identify anomalies. Task 1 Introduction This room expects you to be familiar with basic Linux command-line functionalities like general system navigation and Network fundamentals (ports, protocols and traffic data). The room aims to encourage you to start working with Snort to analyse live and captured traf...

InfoSec Write-ups

There are various Threat Intelligence sources that share threat information with each other to help identify those threats in their organisation and respond to those issues. Some of these Threat Intelligence platforms are: AlienVault, MalwareBytes, CISA, WhoisXMLAPI, CiSP. In MISP, these Threat intelligence sharing platforms are mostly integrated to automatically create security events and alerts. However, with some of them, it requires manual effort of reviewing threat articles to look for actionable ...

Chase Sims and Nick Chalard at InQuest

Posted on 2022-12-13 by Chase Sims and Nick Chalard Those who keep tabs on ransomware are no doubt aware of the Black Basta ransomware group. They’ve gained their share of notoriety since some of the group’s malicious code was first detected back in April of 2022. What is interesting here today is that in just the past two weeks, Black Basta deployments are on the rise. As many as 75 organizations have now been compromised - based on information posted on their leak site. This appears to be the ...

Jamie Collier

Cyber threat intelligence (CTI) can help organisations identify relevant threats, but what if its real superpower was the exact opposite? Jamie Collier Dec 15, 2022 • 4 min read At a time when there are plenty of headlines about the latest threats, knowing what not to focus on is increasingly valuable to security leaders. CTI guida...

Jouni Mikkola at “Threat hunting with hints of incident response”

December 18, 2022 JouniMi HTML smuggling is a new technique to deliver a malicious payload to the endpoints. The idea of the technique is to deliver the malicious code encoded in an image file that is embedded in an HTML attachment file. The reason for doing it this way is to pass the potential perimeter defenses, as the malware is built on the local device. It is being reported on multiple different sites that the HTML smuggling technique is used to drop a ZIP file w...

Korstiaan Stam at ‘Invictus Incident Response’

The latest and greatest on the Royal ransomware operation… Introduction In the past months we have supported multiple organisations that were hit by ransomware threat actors. In this blog we would like to share some of the latest Tactics, Techniques & Procedures (TTPs) used by the Royal ransomware group. Hopefully this will help organisations and other incident responders that are working similar cases. Royal ransomware Royal has been very active in the past few months. Analysis of their leaksite (o...

Lina Lau at Inversecos

December 14, 2022 In this brilliant blog (//aadinternals.com/post/phishing/) by @DrAzureAD, he introduced a method of phishing M365 accounts that threat actors can leverage by abusing device code authentication. There have been a lot of great blogs citing this technique but not much written about the detection… which is why I am here 🙂 The reason I am writing about this technique is that it’s significantly more difficult to detect than OAuth ab...

Malwarebytes Labs

Posted: December 12, 2022 by Pieter Arntz A new campaign by hacking group MuddyWater has been uncovered in which a legitimate remote access tool is sent to targets from a compromised email account. Researchers have uncovered a new campaign by hacking group MuddyWater, aka Static Kitten, in which a legitimate remote access tool is sent to targets from a compromised email account. The targets in this campaign are reportedly in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikist...

Posted: December 13, 2022 by Pieter Arntz Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network. A recent rise in the number of Truebot infections has been attributed to a threat actor known as the Silence Group. The Silence Group is an initial access broker (IAB) that frequently changes tools and tactics to stay on top of the game. An IAB's primary task is to find a weakness or vulnerability,...

Mandiant

I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware Mandiant Intelligence Dec 13, 2022 22 min read During a recent Incident Response investigation, Mandiant discovered a malicious driver used to terminate select processes on Windows systems. In this case, the driver was used in an attempt to terminate the Endpoint Detection and Response (EDR) agent on the endpoint. Mandiant tracks the malicious driver and its loader as POOR...

Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government Mandiant Intelligence Dec 15, 2022 16 min read Executive Summary Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack. Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance a...

Microsoft Security

Microsoft Security Threat Intelligence Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Monitoring for exploitation and web shells should be a high priority for all networks, and while these detection techniques are targeted...

Elli at Misconfig

Nozomi Networks

by Nozomi Networks Labs Dec 15, 2022 Threat actors are increasingly leveraging blockchain technology to launch cyberattacks. By taking advantage of the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a variety of attacks, ranging from malware propagation to ransomware distribution. The Glupteba trojan is an example of a threat actor leveraging blockchain-based technologies to carry out their malicious activity. In this blog, Nozomi Ne...

NSA

Jos van der Peet at Falcon Force

FalconForce, Jos van der Peet, Dec 16 · 13 min read FalconFriday — Using public intelligence feeds to improve detections — 0xFF22 Today, we will look at how to incorporate public datasets to improve our detections. We will create Sentinel watchlists, build rules around them and then automatically update these watchlists to keep our rules up to date with minimal effort. For this, we will use a publicly available dataset which attempts to keep track of known C2 servers[1]. Now, to manage y...

Oz Soprin and Shachar Roitman at Palo Alto Networks

14 min. read By Oz Soprin and Shachar Roitman December 12, 2022 at 6:00 AM Category: Threat Briefs and Assessments Tags: Cortex XDR, Diamond Ticket, Golden Ticket, kerberos, privilege escalation, Sapphire Ticket Executive Summary Unit 42 researchers show new detection methods that help improve detection of a new line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. The most well-known example of this is the Golden...

Proofpoint

Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations December 14, 2022 Joshua Miller, Crista Giering and the Proofpoint Threat Research Team Key Takeaways From at least late 2020 and through 2022, TA453 has engaged in campaigns that deviate from the group's expected phishing techniques and target victimology. In these campaigns, TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range ...

Akshat Pradhan at Qualys

Recorded Future

Restrictive Laws Push Chinese Cybercrime toward Novel Monetization Techniques Posted: 13th December 2022 By: Insikt Group® Editor’s Note: To read the entire analysis with footnotes, click here to download the report as a PDF. This report analyzes the structure of internet sources used by Chinese-speaking threat actors to facilitate cybercriminal activities. It focuses specifically on advertisements, posts, and interactions on Chinese-language dark web marketplaces and cybercrime-related Telegram c...

Posted: 9th December 2022 By: Jake Munroe Raw data and information is often mislabeled as intelligence, and the process and motives for producing threat intelligence are often misconstrued. If you’re new to the field, or you think your organization could benefit from a carefully constructed threat intelligence program, here’s what you need to know first. What Is Threat Intelligence? Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data, threat intelli...

Posted: 12th December 2022 What Is Threat Intelligence? Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they afford have revolutionized the world’s economic and cultural institutions — but they’ve also brought risk in the form of cyberattacks. Threat intelligence, often synonymous with open source intelligence (OSINT), is knowledge that allows you to prevent or mitigate those attacks. Rooted in data, threat intelligence provides contex...

Posted: 15th December 2022 By: Insikt Group® Editor’s Note: Click here to download the report as a PDF. Recorded Future’s Insikt Group® conducted a study of malicious command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2022. All data was sourced from the Recorded Future® Platform and is current as of September 1, 2022. Executive Summary Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of ...

Ryan Fetterman at Splunk

By Ryan Fetterman December 14, 2022 With cyberattacks growing in scale and complexity, it has never been more difficult to figure out where to invest your time and defensive resources. This remains the core challenge of optimizing an effective security organization. A good prioritization approach should be data-driven, and informed by real attacker activity. ATT&CK helps address both these points, functioning as a standard lexicon for threat reporting and allowing the security community t...

SANS Internet Storm Center

CyberChef & Entropy Published: 2022-12-17 Last Updated: 2022-12-17 22:34:47 UTC by Didier Stevens (Version: 1) 0 comment(s) You can use CyberChef to calculate the entropy of a file: Not just the entropy value for the whole file, but also other options: Like a curve: Or an image: Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com Keywords: CyberChef Entropy

Packet Tuesday: ICMP Errors and the recent FreeBSD "ping" vulnerability. //www.youtube.com/watch?v=Bgmfl17AQWA

Google ads lead to fake software pages pushing IcedID (Bokbot) Published: 2022-12-15 Last Updated: 2022-12-15 09:07:35 UTC by Brad Duncan (Version: 1) 0 comment(s) Introduction Fake sites for popular software have occasionally been used by cyber criminal groups to push malware. Campaigns pushing IcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent through email). This week, a new round of reports appeared about Google Ads leadin...

Kristen Cotten and Michael Pattison at Scythe

Black Basta svvhost Kristen Cotten, Michael Pattison December 15, 2022 Welcome to this week's edition of SCYTHE #ThreatThu...

Joan Soriano at Security Art Work

13 December 2022 By Joan Soriano In the previous articles (part I, part II) a coverage model was described theoretically, based on the characterization of a Threat Hunting Intelligence Unit, as well as the interpretation of the MITRE ATT&CK tactics as statistically independent scenarios for the detection of a threat. This article presents a practical application of the model for the detection of APTX. The full document of the in...

SentinelLabs

sentinellabs / December 13, 2022 Executive Summary SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes. We first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and rece...

SOC Fortress

Deploy your own threat intel in under 10 minutes! Series so far: Part One: Backend Storage; Part Two: Log Ingestion; Part Three: Log Analysis; Part Four: Wazuh Agent Install; Part Five: Intelligent SIEM Logging; Part Six: Best Open Source SIEM Dashboards; Part Seven: Firewall Log Collection Made Easy; Part Eight: Firewall Threat Intel With GreyNoise; Part Nine: Log Normalization. Intro Apart from just ingesting and analyzing our logs, we need a way to enrich our logs with intelligence to help our analyst quickly spot potential mal...

SOCRadar

Sophos

Customers were protected from a novel attack that used a malicious, signed driver to which virtually all EDR software is vulnerable. Written by Paul Murray, December 13, 2022 (Products & Services; tags: Endpoint, Health Check, Ransomware). Tamper Protection is one of those powerful but lesser-known protection capabilities that works away quietly in the background. It prevents adversaries from turning off defenses in Sophos Intercept X Endpoint, our market-leading EDR solution, so they can deploy their payload...

The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, with a legitimate WHCP certificate. Written by Andreas Klopsch, Andrew Brandt, December 13, 2022 (Security Operations, Threat Research; tags: 2022-12, ADV220005, BURNTCIGAR, BYOVD, Cuba ransomware, Driver Signature Enforcement, drivers, featured, Patch Tuesday, SBOM, signed drivers, Sophos X-Ops, supply chain compromise, WHCP, WHQL, Windows, x-ops). While investigating suspicious activity on a customer network, Sophos X-Ops Rapid Respo...

A shadowy sub-economy is more than just a curiosity – it's booming business, and also an opportunity for defenders. In the second part of our series, we look at the different flavors of scams prevalent on criminal forums. Written by Matt Wixey, December 14, 2022 (Threat Research; tags: BreachForums, Exploit, marketplaces, RaidForums, scams, Sophos X-Ops, XSS). Following on from the first chapter of our investigation into scammers who scam scammers, we turn to the variety of scams on criminal marketplaces – which ...

Customers can enrich their internal tools with data from SophosLabs. Written by James Wilson, December 15, 2022 (Security Operations; tag: Intelix). The Sophos 2023 Threat Report highlights how modern attackers are becoming increasingly organized as the cybercrime economy continues to transform into an industry. A major opportunity whereby defenders can better protect against new "malware-as-a-service" is by sharing threat intelligence. This is one of the core tenets of Sophos' security philosophy and a v...

Krasimir Konov at Sucuri

Thomas Roccia

Visualizing cybersecurity concepts can be a terrific way to learn more about specific tools, methodologies, and techniques! Here is a post that shows six useful infographics on threat intelligence and related topics! This thread was originally posted on Twitter and saved here! 🤓 1⃣ Practical Threat Intel. 2⃣ Tactics, Techniques and Procedures: TTP is an important concept to understand the capabilities of threat actors! 3⃣ Mitre ATT&CK Matrix: Over the past years the ATT&CK Matrix is ...

Trend Micro

Detection and Response: Intrusion Detection & Prevention Systems Guide. IDPS, IDS, IPS… what's the difference? Discover key differences between intrusion detection and prevention systems as well as 9 technical and non-technical questions to ask when evaluating vendors. By: Trend Micro, December 13, 2022. Blink and it seems like a new crippling vulnerability has popped up. Organizations may become hyper-fixat...

Ransomware: Ransomware Business Models: Future Pivots and Trends. Ransomware groups and their business models are expected to change from what and how we know it to date. In this blog entry, we summarize from some of our insights the triggers that spark the small changes in the short term ("evolutions") and the bigger deviations ("revolutions") they can redirect their criminal enterprises to in the long run. By: Feike Hacquebord, Stephen Hilt, David...

Dominik Breitenbacher at WeLiveSecurity

ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer. Dominik Breitenbacher, 14 Dec 2022 - 11:30AM.