Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seems likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 1 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to display the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

December 30, 2022 in Autostart (Persistence) This is a real oldie, but still worth a mention… Java gives us a lot of persistence possibilities and one of them is environment variables; when set, they will be adhered to, and as such, can be abused: JAVA_HOME – where the Java run-time resides; LIBRARY_PATH – where the Java libraries sit; JVM_DLL – this is a juicy one, which Java virtual machine DLL to load. If you see these set on the system, keep an eye on what they are pointing to.

January 1, 2023 in Productivity, Reversing Every once in a while I come across questions from RCE analysts who are asking how to analyze samples when either existing tools don’t work, or when they (analysts) get stuck… Truth be told… These are VERY good times to become a reverser. So many tools, so many tutorials available, and of course, so many people reversing stuff every day that you can network with and end up helping each other. Then you have the GPT-3 as well which makes us all feel a bit...

Adepts of 0xCC

Dec 26, 2022 Dear Fellowlship, today’s homily is about how to improve persistences based on PHP extensions. In this gospel we will explain a way to keep a PHP extension loaded on the server without it being backed up by a file on disk. Please, take a seat and listen to the story.

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, Bypassing DNS, DDoS, Infostealers, Layoffs, Spearphishing, Supply chain, and Zero-day vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a ...

Martin Zugec at Bitdefender

A recent vulnerability known as Aikido demonstrated how some EDR technologies could be used as data wipers on the installed hosts. Yair, a security researcher at SafeBreach, released the proof-of-concept at 2022’s Blackhat conference showing how unprivileged user access could manipulate an EDR sensor into wiping files on the system. Bitdefender was one of the tested solutions and was not found vulnerable to this attack. However, si...

Bill Toulas at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2022-12-28 (WEDNESDAY) - LINK FROM USPS-THEMED MALSPAM PUSHES NETSUPPORT RAT REFERENCE: Ref: //twitter.com/Unit42_Intel/status/1608185209329008641 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2022-12-28-IOCs-for-NetSupport-RAT-infection.txt.zip 2.2 kB (2,206 bytes) 2022-12-28-NetSupport-RAT-malspam-0910-UTC.eml.zip 2.9 kB (2,929 bytes) 2022-12-28-Fiddler-capture-for-initial-zip-download.saz.zip 30.1 kB (30,116 by...

BushidoToken

RedZei - Chinese-speaking scammers targeting Chinese students in the UK - December 30, 2022 Welcome to the final BushidoToken blog of 2022. Over the last year or so, an associate of mine in the UK has been targeted by a persistent Chinese-speaking scammer. The scammer often calls once or twice a month from a unique UK-based phone number and, if left unanswered, leaves an unusual ...

Cado Security

Check Point Research

CTF导航

BlackByte Ransomware Starts Using New Data Exfiltration Tool ExByte (Reverse Engineering / Virus Analysis) BlackByte ransomware was first discovered in 2021, and new variants have been found ever since. BlackByte not only uses double extortion but also operates as ransomware-as-a-service (RaaS). Recently, researchers found that BlackByte has started using a data exfiltration tool named ExByte to steal victims' data. Background: BlackByte was originally written in C; recent samples have begun to shift to Go, and some are developed in a mix of the two languages. Most in-the-wild samples are UPX-packed, and many variants are packed with a customised UPX packer. The malware usually carries a Grim Reaper icon, with the letters BB on its robe standing for BlackByte. Malware icon. To evade detection, the malware uses a file description resembling that of a legitimate program. The researchers take as an example a malicious sample disguised as an Amazon program file: Disguised file description. System checks: If the ransomware finds the system language to be one of the following, it exits immediately without encrypting anything. In addition, the malware checks for the DLL files of security analysis tools; if any are present, the malware also exits immediately. Persistence: BlackByte ransomware deletes volume shadow copies and system bac...

Operation Dragon Dance: The Sword of Damocles Hanging over the Gambling Industry (APT) Overview: In May 2022, the Qi An Xin Threat Intelligence Center published "Operation Dragon Breath (APT-Q-27): A Dimension-Reducing Strike against the Gambling Industry" [1], disclosing APT-Q-27's attack activity against the gambling industry and, at the end of the article, introducing Miuuti Group, an attack group targeting the gambling industry whose membership is complex and highly fluid, which may overlap with known groups, and which has used multiple 0day vulnerabilities in communication software from 2015 to the present. This article introduces two 0day vulnerabilities of the same type captured in recent years, and we will discuss the security issues of cross-platform desktop applications built on the Electron framework. In this article we give the details of the two 0day vulnerabilities and an analysis of one complete attack incident; relevant customers can contact us for detailed information, and the vulnerabilities in the products involved have all been patched. The IOCs are all no longer accessible and are not provided for now. Vulnerability 1: After a business account is registered, the software provides remote session access together with a local consultation code, so that the business can embed that HTML on its official website and customers can start an enquiry at any time. Clicking "Customer Service Online" opens a chat with a remote agent who has the customer-service software installed. The web chat interface looks like this: The remote customer-service software can...

Analysis of APT-C-56 (Transparent Tribe) Attacks Using Foreign-Trade Links Disguised as Documents (APT) APT-C-56 Transparent Tribe. Transparent Tribe, also known as APT36, ProjectM and C-Major, is an APT group with a South Asian background that has long conducted targeted attacks against the political and military sectors of neighbouring countries and regions (especially India). It has developed its own dedicated Trojan, CrimsonRAT, and has also been found spreading USB worms widely. At the start of this year, Transparent Tribe and SideCopy were found using the same infrastructure and the same themes to attack similar targets, repeatedly attacking India with smuggling-intelligence lures and emails disguised as coming from the Indian Ministry of Defence. The associated SideCopy updated its Golang-based Linux information-stealing weapon. Since last year it has maintained high-intensity information theft against India's government, public sector and industries including but not limited to healthcare, power, finance and manufacturing. Recently, the 360 Advanced Threat Research Institute detected samples of Transparent Tribe attack activity using foreign-trade-themed links. The sample is disguised as a spreadsheet .scr file and drops both a persistence component and a RAT to keep monitoring infected users. The RAT used this time is neither its dedicated CrimsonRAT nor the commonly used ObliqueRAT; through continued...

Emergency Response and Tracing Analysis of a TeamTNT Cryptomining Trojan (Penetration Techniques) Statement: Most articles on this public account come from the author's daily study notes; some are reposted with the author's authorisation from whitelisted public accounts. Reposting without authorisation is strictly prohibited; to repost, contact us for whitelisting. Please do not use the techniques in these articles for illegal testing; any adverse consequences arising from doing so are unrelated to the author and this public account. In the preceding week, a customer encountered a case of being compromised by TeamTNT for cryptomining. However, because the customer rolled back to a previous snapshot without first taking a snapshot of the compromised host, further intrusion tracing and investigation were impossible. I therefore set up an unauthenticated-Redis vulnerability environment on the public Tencent Cloud and opened the port in the console security group. Shortly afterwards I received an alert notification from Yunjing (云镜). 0x01 Determining the earliest intrusion time: The earliest intrusion time can usually be determined from the Yunjing alert SMS. This is very important for the subsequent tracing analysis. Since the Redis vulnerability environment on this host was set up by me in advance, the intrusion came through Redis. Checking the relevant Redis logs confirmed file-write operations at the corresponding time. 0x02 Snapshot backup and stopping the loss promptly: Upon receiving the alert, I immediately took a snapshot backup of the infected host; of course, when it is unclear whether the infection is cryptomining or ransomware, it is best to shut the machine down first. After all, the core of incident response is stopping the loss promptly. First...

Cyble

New wave of Financial Fraud: Scammers Monitoring Social Media Complaints December 27, 2022 IRCTC and multiple Indian Banking Users at Risk Twitter is a popular social media platform that allows people from all walks of life to share their thoughts, ideas, and experiences with others. Users can express their opinions, ask questions, and share their knowledge with a wide audience. With its reach and influence, Twitter has become a powerful tool for communication and connection. Additionally, Twitt...

December 27, 2022 Italian Users Targeted by PureLogs Stealer Through Spam Campaigns Executive Summary During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022. Figure 1 – Tweet Related to PureLogs Malware The spam email includes a link to download a passw...

Dr. Web

December 30, 2022 Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites. For many years cybercriminals have been attacking WordPress-driven ...

EclecticIQ

Comparing Sysmon and EclecticIQ Endpoint Response - Event Filters A comparative analysis of Sysmon and EclecticIQ Endpoint Response in allowing meaningful and targeted data collection and monitoring. EclecticIQ Endpoint Security Team – December 27, 2022 For effective information monitoring, modern security software uses sensors that generate various data types depending on the monitoring purpose. A sensor collects data and informa...

Guardio

Dec 28, 2022 “MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets By Nati Tal (Guardio Labs) TL;DR A newly uncovered technique to abuse Google’s ad-words powerful advertisement platform is spreading rogue promoted search results in mass. Pointing to allegedly credible advertisement sites that are fully controlled by threat actors, those are used to masquerade and re...

Haircutfish

TryHackMe Snort Challenge — The Basics — Task 4 Writing IDS Rules (PNG) & Task 5 Writing IDS Rules (Torrent Metafile) If you haven’t done tasks 1, 2, & 3 yet, here is the link to my write-up of them: Task 1 Introduction, Task 2 Writing IDS Rules (HTTP), & Task 3 Writing IDS Rules (FTP). Opening the VM Click the green Start Machine button at the top of Task 1. The screen will split in half, with the VM on the right and the Tasks on the left. If the screen didn’t split in half go to the next step, if it ...

TryHackMe Snort Challenge — The Basics — Task 6 Troubleshooting Rule Syntax Errors If you haven’t done tasks 4 & 5 yet, here is the link to my write-up of them: Task 4 Writing IDS Rules (PNG) & Task 5 Writing IDS Rules (Torrent Metafile). Opening the VM Click the green Start Machine button at the top of Task 1. The screen will split in half, with the VM on the right and the Tasks on the left. If the screen didn’t split in half go to the next step, if it did split in half skip the next step. Scroll to th...

TryHackMe Snort Challenge — The Basics — Task 7 Using External Rules (MS17–010) If you haven’t done task 6 yet, here is the link to my write-up of it: Task 6 Troubleshooting Rule Syntax Errors. Opening the VM Click the green Start Machine button at the top of Task 1. The screen will split in half, with the VM on the right and the Tasks on the left. If the screen didn’t split in half go to the next step, if it did split in half skip the next step. Scroll to the top of the page, you will see a blue bot...

TryHackMe Snort Challenge — The Basics — Task 8 Using External Rules (Log4j) & Task 9 Conclusion If you haven’t done task 7 yet, here is the link to my write-up of it: Task 7 Using External Rules (MS17–010). Opening the VM Click the green Start Machine button at the top of Task 1. The screen will split in half, with the VM on the right and the Tasks on the left. If the screen didn’t split in half go to the next step, if it did split in half skip the next step. Scroll to the top of the page, you will ...

Howard Oakley at ‘The Eclectic Light Company’


Huntress

We simply couldn’t end the year 2022 on a calm note—hackers made sure of that with their latest Microsoft Exchange exploit. On December 22, Huntress observed a significant increase in malicious PowerShell executions delivering a ConnectWise Control (ScreenConnect) payload on unpatched Exchange hosts using the exploit chain consisting of CVE-2022-41080 and CVE-2022-41082. This exploit chain was coined “OWASSRF” by Crowdstrike, as it involves an Outlook Web Access server-side request...

Marco Ramilli

December 27, 2022 Initial Access Brokers (IAB) are still the main way cyber criminals use to get access to their next target, but in 2022, as never before, I saw an increment of exploited vulnerabilities used by threat actors as initial vector or escalation vector. This behavior highlights the rise of a new skill-set belonging with specific actors named: exposed vulnerability exploitation. If you are wondering what such vulnerabilities are or if yo...

Michael Koczwara

What you can learn from scanning adversaries' infra? In this short blog, I will go straight to the point. In the past few months/weeks I have scanned the internet on a daily/weekly basis with Shodan, Censys, Nmap, and my python scripts and I would like to share my intel/research. I will very briefly explain how different Threat Actors work, what kind of infra and tools are used to perform attacks, and how bad they are in opsec.

Oliver Lyak

In this blog post, we present new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised. Credential Guard is intended to safeguard both NTLM hashes and Kerberos tickets, but for the purposes of this post, we w...

Red Alert

Monthly Threat Actor Group Intelligence Report, November 2022 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analysed on the basis of data and information collected by the NSHC ThreatRecon team from 21 October 2022 to 20 November 2022. In November, the activities of a total of 29 hacking groups were identified; SectorA groups were the most numerous at 40%, followed by the activities of SectorJ and SectorB groups. The hacking activities discovered this November most frequently targeted personnel or systems in government ministries and research institutions, and by region, hacking activity against countries located in East Asia and Europe was the most frequent. 1. Characteristics of SectorA group activity: In November 2022, the activities of a total of 5 hacking groups were discovered, and they...

SANS Internet Storm Center

Ross Moore at Secjuice

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. Ross Moore Dec 30, 2022 Remember the old Westerns, TV shows like The Lone Ranger and movies like The Magnificent Seven? In many of them – especially the TV shows - the good cowboy and sidekick catch the bad guy, they start walking away to get the sheriff, and invariably another bad guy who was hiding emerges, and then there’s a shootout. The audience, after seei...

Jennifer Gregory at Security Intelligence

As we look forward to 2023, we can find many ransomware lessons in looking back at 2022. The year brought us numerous attacks by many of the same gangs we’ve watched for years, as well as some newcomers. Many ransomware gangs operate like businesses, with their own marketing departments and user documentation. With the advent of Ransomware-as-a-Service (RaaS), gangs now sell their software to other criminals and get a portion of the profits — revenue without having to lift even a virtual finger....

Matt Wixey at Sophos

A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders. In the fourth and final part of our series, we look at how scammers scamming scammers can benefit researchers Written by Matt Wixey December 28, 2022 It’s the last chapter in our ‘Scammers who scam scammers’ series! (Missed the previous instalments? Part 1 introduced the ecosystem, Part 2 looked at th...

Telsy

Cyber Threat Intelligence Microsoft Exchange servers exploited with OWASSRF 29 Dec Executive Summary In December 2022, Telsy Incident Response Team was called upon to handle a cyber security incident...

Andre Rall at Uptycs

Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2 Written by: Andre Rall Introduction As organizations move their application workloads to the public cloud, it is more vital than ever for customers to protect the credentials used in their public cloud environments. Compromised or mismanaged credentials are increasingly at the root of adverse cyber events. Research firm Gartner estimates that "by 2023, 75% of security failures will result from inadequate management of identitie...

Detecting Anomalous AWS Sessions From Temporary Credentials - 2 of 2 Written by: Andre Rall Introduction In our previous blog post, we discussed some common scenarios in which temporary credentials in AWS can be compromised and abused by malicious actors. In this blog, we will introduce the Uptycs’ Identity Threat Detection and Response (ITDR) solution for the cloud that will detect and provide a means to remediate the likely compromised temporary credentials. Without a capability like ITDR for ...