Analysis Notes

A place to jot down notes from trying my hand at malware analysis, and anything that looked useful for analysis. This site uses Google Analytics.

4n6 Week 2 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that I can zap through them and pick the articles worth checking. 4n6 itself can be read here.

THREAT INTELLIGENCE/HUNTING

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending C...

Anton Chuvakin

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fifth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3 and #4). My favorite quotes from the report follow below: “Identity and trust relationships in and between cloud environments will continue to get more complex, challenging visibility and enabling threat actors to have wider and deeper impact o...

Avertium

January 4, 2023 Executive Summary Play ransomware (also known as PlayCrypt) is a new ransomware operation that launched in June 2022. The operation has amassed a steady stream of victims across the world. Play has recently been in the news for attacking Argentina’s Judiciary of Cordoba and the German hotel chain “H-Hotels”. Play’s attacks focus on organizations in the Latin American region – Brazil being their primary target. They have also been observed deploying attacks on India, Hungary, Spai...

Anna McAbee at AWS Security

by Anna McAbee | on 04 JAN 2023 | in Announcements, Security, Identity, & Compliance The AWS Security Incident Response Guide focuses on the fundamentals of responding to security incidents within a customer’s Amazon Web Services (AWS) Cloud environment. You can use the guide to help build and iterate on your AWS security incident response program. Recently, we updated the AWS Security Incident Response Guide to more clearly explain what you should do before, durin...

Ionut Ilascu at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-01-03 (TUESDAY) - GOOGLE AD --> FAKE NOTEPAD++ PAGE --> RHADAMANTHYS STEALER NOTES: Special thanks to @500mk500, @da_667, and @ex_raritas for identifying this malware! Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-03-IOCs-from-Rhadamanthys-Stealer-infection.txt.zip 2.0 kB (1,952 bytes) 2023-01-03-Rhadamanthys-Stealer-traffic.pcap.zip 1.0 MB (1,018,898 bytes) 2023-01-03-Rhadamanthys-Stealer-malware-and-artifac...

2023-01-02 - BRINGING IN THE NEW YEAR Since I started this blog in 2013 through the end of 2022, I've done 2,200 posts, not counting these non-technical blog entries. While updating this site going into 2023, I wanted a more accurate count. With the issues Twitter is currently facing, I've included a link to my Mastodon profile on the main page of this site. I still use Twitter for work-related purposes, like submitting samples to Malware Bazaar. -- Brad Duncan, Brad [at] malware-traffic-analysi...

2023-01-03 (TUESDAY) AND 01-04 (WEDNESDAY) - ASTAROTH (GUILDMA) MALWARE INFECTIONS REFERENCE: SANS Internet Storm Center (ISC) diary: More Brazil malspam pushing Astaroth (Guildma) in January 2023 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. By the time I ran infection traffic from these malware samples, the next day had started in UTC time. In the first pcap, I let the infected host run overnight, then I opened banco.bradesco the...

Bruce Sussman at Blackberry

The Cybercriminal Who Rose from the Dead CYBERSECURITY / 01.05.23 / Bruce Sussman When the U.S. government revealed charges against 26-year-old Mark Sokolovsky, it stunned more than a few cybersecurity researchers. After all, they thought he was dead. As it turns out, the baby-faced Ukrainian national — and alleged cybercriminal — was very much alive, but has suffered a serious reversal of fortune. His days of taking selfies with fistfu...

CERT-AGID

Annual report on the trend of malicious campaigns that affected Italy in 2022 05/01/2023 2022 Analysing the final data for the year 2022, CERT-AGID detected and countered 1763 malicious campaigns, an average of almost 5 per day, and shared a total of 31978 indicators of compromise (IoC) with its accredited organisations. In 2021 the campaigns detected had been 496, but it must be made clear that this figure is not directly comparable with that...

Check Point Research

Christian Taillon

This article is my response to two excellent blog posts by the Crowdstrike Overwatch team making the case against part-time threat hunting. In this article, I make a case for part-time threat hunting in certain circumstances and discuss one of many strategies to compensate for the disadvantages of only a part-time program. I may disagree with some of the article’s conclusions, which is why I play devil’s advocate; however, both articles are worth sharing and readi...

Madison Burns at Cisco’s Talos

By Madison Burns Thursday, January 5, 2023 14:01 Threat Source newsletter Happy New Year and welcome to this week's edition of the Threat Source newsletter. We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things. The one big thing La...

CTF导航

Analysis of the cyber attack by the APT group CONFUCIUS against Pakistan's IBO counter-terrorism operations 1. Overview Owing to a range of factors, Pakistan has long faced a serious threat from domestic terrorism, and the country has consistently treated counter-terrorism as a core national security strategy. In the second half of 2022, Pakistani security forces carried out a number of intelligence-based operations (IBO) in Balochistan, Khyber District, North Waziristan District and elsewhere, raiding and killing several terrorists. Pakistan's recent high-profile counter-terrorism activity has drawn India's attention. On November 30, NSFOCUS Fuying Lab captured a cyber attack targeting armed forces in the Multan area of Pakistan. The attacker used an IBO operation report for Lodhran District, Multan as the lure and attempted to deliver a trojan variant in order to control the victim's device. After analysis, NSFOCUS Fuying Lab confirmed that the actor behind this incident was the Indian APT group Confucius. 2. Group attribution Confucius is an India-sponsored APT group that has been carrying out cyber attacks since 2013. Its main targets are India's neighbours such as Pakistan and China, and it shows a strong interest in military, government and energy targets. The Confucius group uses Windows trojans alongside Android...

CertPotato | From WebShell to System privileges 01 Introduction The CertPotato described in this article is a technique for escalating from the service-account privileges of a WebShell to local System privileges in an AD domain environment. Although the name contains "Potato", it does not use NTLM relay; its implementation relies mainly on ADCS and TGT delegation. Success depends on the following conditions: the current WebShell runs as a service account; an AD domain environment exists and the ADCS service is configured; the CA has a certificate template that can be enrolled and that includes an EKU permitting authentication. 02 Implementation In general, Windows services run in the context of a service account, and most service accounts are not domain accounts, so the key step of CertPotato, requesting an ADCS certificate, cannot be completed. The first step is therefore to obtain a valid domain account with which to request a certificate. The service accounts commonly used in Windows fall into the following six types (account type / local administrator rights / account used to authenticate in the domain): LocalSystem / yes / machine account; NetworkService / no / machine account; LocalService / no / anonymous; sMSA / no / itself; gMSA / no / itself; virtual account / no / machine account. Analysing the accounts above, Loca...

PowerShell revshells PowerShell revshells: shows username@computer above the prompt and working directory; has a partial AMSI bypass to make some things easier; TCP/UDP; Windows PowerShell and PowerShell Core; file upload and download functionality (using sc0tfree's Updog); ngrok support, ngrok can be started/stopped from inside the script and the payload is generated together with the ngrok address; Updog support, you can start/stop Updog from inside the script; PowerShell revshells have upload/download functionality embedded; upload from nix using curl: curl -F path="absolute path for Updog-folder" -F file=filename /UpdogIP/upload Installing the shells: git clone //github.com/4ndr34z/shells cd shells ./install.sh Project address: //github.com/4ndr34z/shells/ The original article...

A new player in Southeast Asia: analysis of attacks by the new APT group Saaiwc Group against military, finance and other departments in Southeast Asia 1. Incident overview In November 2022, DBAPPSecurity's 猎影实验室 (Hunting Shadow Lab) continued to track attack activity against Southeast Asia during threat hunting; the activity appears to target military and finance departments in the Philippines, Cambodia and Vietnam. The attacks mainly use ISO files as the initial malicious payload; once run, they add PowerShell instructions to the local registry and finally load the PowerShell backdoor PowerDism to steal information from the host and execute arbitrary commands. Based on the mutex name in the samples, we named this group Saaiwc Group, internal designation APT-LY-1005. The attack flow is shown in the figure below: Following attribution analysis, our profile of the threat group is as follows: Group name: Saaiwc Group (Hunting Shadow Lab internal designation: APT-LY-1005); Group attribution: suspected Southeast Asian region; Target regions: Southeast Asian countries (Philippines, Cambodia, Vietnam); Target sectors: government, military; First seen: May 2022; Tools used: PowerDism backdoor; Vulnerability exploited: CVE-2017-0199. This attack activity took place roughly between late October and late November; the sample information we captured...

Curated Intelligence

on January 02, 2023 Jair Santanna (from Northwave Security) in collaboration with Curated Intelligence recently shared his methodology about how to analyze the databases of cybercriminal websites that offer Distributed Denial of Service (DDoS) attacks as a paid service. Background For years cybercriminals have run DDoS-as-a-Service (DDoSaaS) offerings, commonly known as Booters, Stressers, or DDoS-for-hire. Recently, in December 2022, coordinat...

Cyble

January 5, 2023 Modified Zoom App Employed In Phishing Attack To Deliver IcedID Malware Zoom is a video conferencing and online meeting platform that allows users to host virtual meetings, webinars, and video conference calls. It is available on various devices, such as desktop computers, laptops, tablets, and smartphones, and can be used for personal and business purposes. Zoom has become increasingly popular in recent years, particularly due to the COVID-19 pandemic, which has increased remote...

January 6, 2023 New Stealer Targeting Crypto Wallets and 2FA Extensions of Various Browsers During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine. The figure below shows the da...

Darktrace

03 Jan 2023 On countless occasions, Darktrace has observed cyber-attacks disrupting business operations by using a vulnerable internet-facing asset as a starting point for infection. Finding that one entry point could be all a threat actor needs to compromise an entire organization. With the objective to prevent such vulnerabilities from being exploited, Darktrace’s latest product family includes Attack Surface Management (ASM) to continuously monitor customer attack surfaces for risks...

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud 04 Jan 2023 According to the ‘2021 Insider Threat Report’ by Cybersecurity Insiders, the Great Resignation and shift to a remote work culture has seen organizations report a 57% increase in insider-motivated attacks [1]. Insider attacks can be difficult to detect and respond to, (especially those perpetrated by malicious individuals who have privileged access and knowl...


Delivr

HTML smuggling isn’t a new technique by any means, but its utility and flexibility make it a potent technique that still proves effective for threat actors today. For some actors, e.g. those delivering Qakbot, HTML smuggling is leveraged to deliver malicious content (typically ISOs or ZIPs with the eventual payload inside). Rich HTML content is often used to present the page as a fake Google Drive or Adobe-branded site (among many others) with the JavaScript unpacking and serving the payload. You...

Ethan Smith at Spur

2023-01-03 What is a Residential Proxy? Ethan Smith Residential Proxies Residential Proxy Primer A residential proxy routes traffic through an IP Address assigned to a physical location using devices at that location, such as cell-phones and laptops. The proxied traffic will inherit the connectivity of that physical location, which provides a high amount of diversity in IP Address type and blends the proxied traff...

Myles Satterfield, Tyler Wood, Teauna Thompson, Tyler Collins, Ian Cooper and Nathan Sorrel at Expel

What happens when attackers get their hands on a set of Amazon Web Services (AWS) access keys? Well, let’s talk about it. In this post, we’ll share how that scenario led to our security operations center (SOC), threat hunting, and detection engineering teams all working together on an incident. We love it when incidents teach us new things, helping strengthen our service delivery and keep our customer environments safe. We’ll walk through the entire incident step-by-step to highlight not only wh...

Fortinet

By Shunichi Imano and James Slaughter | January 05, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and across the OSINT community. The Ransomware Roundup report provides brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers Monti, BlackHunt, and Putin ransomware. Affected platforms: Mic...

Francis Guibernau and Ken Towne at AttackIQ

Haircutfish

Snort Challenge — Live Attacks Room Put your snort skills into practice and defend against a live attack Task 1 Introduction The room invites you to a challenge where you will investigate a series of traffic data and stop malicious activity under two different scenarios. Let’s start working with Snort to analyse live and captured traffic. Before joining this room, we suggest completing the ‘Snort’ room. Note: There are two VMs attached to this challenge. Each task has dedicated VMs. You don’t need SS...

TryHackMe NetworkMiner — Task 1 through Task 4 Learn how to use NetworkMiner to analyse recorded traffic files and practice network forensics activities. Task 1 Room Introduction NetworkMiner is an open-source traffic sniffer, pcap handler and protocol analyser. Developed and still maintained by Netresec. The official description: “NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive netw...

TryHackMe NetworkMiner — Task 5 Tool Overview 2 & Task 6 Version Differences If you haven’t done Task 1 through Task 4 yet, here is the link to my write-up of it: TryHackMe NetworkMiner — Task 1 through Task 4 Getting VM Started Go back to Task 1, at the top of the task is a green button labeled Start Machine. Click the green button to start the VM. If the screen doesn’t split in half with the VM on the right and Tasks on the left, then scroll to the top of the page, you will see a Blue button labele...

TryHackMe NetworkMiner — Task 7 Exercises & Task 8 Conclusion If you haven’t done Task 5 & 6 yet, here is the link to my write-up of it: Task 5 Tool Overview 2 & Task 6 Version Differences. Getting VM Started Go back to Task 1, at the top of the task is a green button labeled Start Machine. Click the green button to start the VM. If the screen doesn’t split in half with the VM on the right and Tasks on the left, then scroll to the top of the page, you will see a Blue button labeled Show Split View, ...

Mag Manoj at InfoSec Write-ups

Published in InfoSec Write-ups, Mag Manoj, Jan 6 · 3 min read Command Injection in Request Body SOC168 — Whoami Command Detected in Request Body In this article, we are going to analyse the Command Injection alert generated by LetsDefend.io What is Command Injection? Command Injection Command injection is a type of vulnerability that allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application. This can occur when...

K7 Labs

Posted by Gaurav Yadav, January 2, 2023 Banking Malware, Downloaders, Phishing Legitimate Apps a safe haven for IcedID By Gaurav Yadav, January 2, 2023 IcedID is a Banking Trojan (used to steal banking details) which has been active since 2017. However, it’s being used these days as a downloader for dropping other malware such as Cobalt Strike, ransomware, stealers etc. Initially, IcedID used to be distributed via phishing emails but recently threat actors have started hosting the stage1 do...

Posted by Saikumaravel, January 4, 2023 Remote Access Trojan Pupy RAT hiding under WerFault’s cover By Saikumaravel, January 4, 2023 We at K7 Labs recently identified an interesting technique used by threat actors to execute a Remote Admin Tool. We all know that WerFault.exe is used for the Windows Error Reporting. This blog describes how threat actors use the legitimate WerFault.exe to execute Pupy RAT on the victims’ machine. Figure 1: Execution flow Analysis of Binary Stage 1 – Wer...

Keith McCammon

3 minute read Phil Venables published a helpful collection of ways that risk and cybersecurity leaders can share their successes, ideally on an ongoing basis. His working theory, which I believe is correct, is that we’re not great at this. And as a result, many of our peers only hear from us when things go sideways, which leads to a variety of problems. His first suggestion is aptly focused on incidents: The classic case is incidents. Your main moment in the sun might be in the middle of an inci...

2 minute read It’s 2023 and security firms are starting to release findings from 2022 threat data, notably their lists of top ransomware groups. As with all threat reports, the findings and prevalence are subject to each firms’ visibility, methodology, etc. The data isn’t perfect and it’s not particularly actionable on its own, but it’s interesting and in aggregate can be a useful starting point for other analysis. The 2022 ransomware leaderboard This is not the product of any intelligence analy...

Sarah Hawley, Gabby Roncone, Tyler Mclellan, Eduardo Mattos, and John Wolfram  at Mandiant

Turla: A Galaxy of Opportunity Sarah Hawley, Gabby Roncone, Tyler McLellan, Eduardo Mattos, John Wolfram Jan 05, 2023 14 min read Ukraine, Malware, Uncategorized Groups (UNC Groups) Warning: An indicator within this post contains offensive language. In September 2022, Mandiant discovered a suspected Turla Team operation, currently tracked as UNC4210, distributing the KOPILUWAK reconnaissance utility and QUIETCANARY backdoor to ANDROMEDA malware victims in Ukraine. Mandiant discovered that UNC4210 re...

Marius Sandbu

Published by Marius Sandbu on January 5, 2023 A colleague of mine asked if he could use Azure Sentinel / Log Analytics to audit the usage of a Windows File server, hence this blog post saw the light of day. In migration projects, you might need to see who is actually using the file server before you start migrating data or deleting data that you might not even need anymore. Therefore, you might need to do an audit of who is using it over a course of 14 days to verify that you don’t delete or...

Mehmet Ergene

Advanced KQL for Threat Hunting: Window Functions — Part 1 Window functions are one of the powerful methods for data analysis. While they are primarily used in finance and business analytics, they can also be used in threat hunting and DFIR and solve complicated use cases. In this post, I will briefly explain two KQL (Kusto Query Language) window functions, prev() and next(), and how to use them for threat hunting. I’ll use the cloud account takeover scenario I’ve previousl...

MuSecTech

Nik Alleyne at ‘Security Nik’

Understanding NMAP's scan techniques: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans A member of the Toronto Metropolitan University/Rogers Cybersecure Catalyst program, a program I'm currently a mentor for, was using Nmap and could not really see the difference when using the -sW and -sM scan techniques. To help that student and others using Nmap, I thought I should put together a quick blog post. Before getting into the -sW and -sM, let's take a look at some other TCP scan options. ...

Nsfocus

NSFOCUS Threat Intelligence Monthly Report - December 2022 2023-01-03 NSFOCUS Threat Protection, Monthly Report In December, the NSFOCUS Threat Intelligence Center (NTI) published a number of vulnerability and threat event advisories, among them the Fortinet FortiOS sslvpnd remote code execution vulnerability advisory: because sslvpnd's validation of user-supplied input is flawed, an unauthenticated attacker can trigger a buffer overflow by sending specially crafted packets and ultimately execute arbitrary code on the target system. The CVSS score is 9.8. In addition, Microsoft fixed 6 Critical-rated and 42 Important-rated vulnerabilities in this cycle, including 2 zero-day vulnerabilities. All users are strongly advised to install the updates as soon as possible. Among this month's threat events, attacks against nation states were numerous, including attacks by the Kimsuky hacker group on South Korean entities: security researchers found that the group mainly targets South Korea, across defence, education, energy, government, healthcare and think tanks, with a focus on stealing confidential information. It usually delivers malware through social engineering, spear-phishing emails and watering-hole attacks, and possesses a fully featured arsenal of malicious code. Security researchers also found that this campaign has the following characteristics: use of the PIF executable file format disguised as a PDF file, with the PebbleDash trojan as the follow-on payload; some sample lures were encrypted with Korean DRM software, suspected to be from...

NSFOCUS Threat Weekly Report (2022.12.26-2023.01.01) 2023-01-03 NSFOCUS Weekly Report, Threat Protection 1. Threat advisories Exchange Server OWASSRF vulnerability (CVE-2022-41080, CVE-2022-41082) [Published] 2022-12-30 13:00:00 GMT [Overview] NSFOCUS CERT recently observed that a foreign security team has publicly disclosed the technical details of an exploit chain for Exchange Server vulnerabilities. An authenticated remote attacker uses the Exchange Server privilege escalation vulnerability (CVE-2022-41080) at the Outlook Web Application (OWA) endpoint to gain the ability to execute PowerShell in the SYSTEM context. An attacker with PowerShell execution rights then executes arbitrary code on the target system through the Exchange Server remote code execution vulnerability (CVE-2022-41082). This exploit chain bypasses the mitigations Microsoft officially provided for "ProxyNotShell". Affected users are urged to take protective measures as soon as possible. [Link] //nti.nsfocus.com/threatNotice Linux...

Renaud Frere at NVISO Labs

Renaud Frere Blue Team, Detection Engineering January 4, 2023 6 Minutes Introduction Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing de...

Patrick Wardle at ‘Objective-See’

👾 A comprehensive analysis of the year's new malware by: Patrick Wardle / January 1, 2023 Objective-See's research, tools, and writing, are supported by the "Friends of Objective-See" such as: Jamf Mosyle Kandji CleanMyMac X Kolide Fleet Palo Alto Networks Sophos 📝 👾 Want to play along? All samples covered in this post are available in our malware collection. ...just please don’t infect yourself! 😅 🖨️ Printable A printable (PDF) version of this report can be found here: The Mac Malware of 2022.p...

Dave Bogle at Red Canary

Robin Dimyan

4-Level Analysis for Threat Prioritisation — Chapter I Hello everyone, Today I want to introduce to you an analysis technique that will improve defense planning by more accurate prioritisation of threats. This technique integrates different types of information based on a particular threat conception. This conception deviates from the actor-centric definition which is popular in the industry. Therefore, in this chapter I will try to describe these differences. Threats are properties of the terrain Thre...

SANS Internet Storm Center

Security Joes

Updated: 6 days ago Recent attacks documented in previous months seem to be orchestrated by hacking groups using a framework called Raspberry Robin. This well-designed automated framework allows attackers post-infection capabilities to evade detection, move laterally and leverage trusted cloud infrastructures of known data hosting providers such as Discord, Azure & Github, among rest. Threat researchers Felipe Duarte, Charles Lomboni & Shlomit Chkool, responded to similar incidents twice this mont...

Dheeraj Kumar and Ella Dragun at Securonix

Threat Research Share Authors: Dheeraj Kumar, Ella Dragun The Monthly Intelligence Insights provides a summary of curated industry leading top threats monitored and analyzed by Securonix Threat Labs during December. The report additionally provides a synopsis of the threats, indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and related tags. This may be followed by a comprehensive threat summary from Threat Labs and search queries from the Threat Research team. For addi...

Sekoia

This blogpost aims at presenting the current infection chain, payloads and the whole infrastructure used to distribute infostealers Cybercrime, Infrastructure, Stealer Threat & Detection Research Team January 6 2023 21 minutes reading Table of contents: Context; Infection chain leveraging fake cracked software; Step 1 – Search engine displaying SEO poisoned websites; Step 2 – Redirection links disguising the malicious payload; Step 3 – Final payload hosted on GitHub; Malware distrib...

SOC Fortress

Automating Threat Intel with Graylog PART ONE: Backend Storage; PART TWO: Log Ingestion; PART THREE: Log Analysis; PART FOUR: Wazuh Agent Install; PART FIVE: Intelligent SIEM Logging; PART SIX: Best Open Source SIEM Dashboards; PART SEVEN: Firewall Log Collection Made Easy; PART EIGHT: Firewall Threat Intel With GreyNoise; PART NINE: Log Normalization; PART TEN: MISP Threat Intel Intro SIEM Stacks can often feel as if you are trying to drink water from a fire hose. You deploy a few monitoring agents and you are able...

SOCRadar

Eli Trevino at Sucuri

Symantec Enterprise

Continuation of previously documented activity leverages new TTPs. Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign. The activity observed by Symantec, a division of Broadcom Software, appears to be a continuation of activity documented in a G...

System Weakness

EventID: 83 What is LetsDefend? LetsDefend is a Blue Team training platform that helps aspiring users gain experience by practicing their cyber investigation skills inside a simulated Security Operations Center (SOC) environment. Its purpose is to help current and future SOC analysts improve their skills in investigating incidents and developing management reports. Walkthrough We see the alert for SOC119 — Proxy — Malicious Executable File Detected. We then go ahead and create the case. Alert The first...

ChatGPT is the latest buzzword, but its capabilities go far beyond just answering a few questions. If you haven’t heard of ChatGPT then you have been living under a rock :-P I have been constantly inundated with ChatGPT stories on my Linkedin account, so I thought it would be worth showing you how ChatGPT can help automate detection engineering and allow us to generate basic SIEM rules quickly and easily. Walk with me! Not sure if we should be excited or nervous about the capabilit...

Malware authors have been more creative than UI designers in gaining access to the victim’s device in the least noticeable manner. A file-less malware is an attack vector that executes a command to access sensitive data or install a trojan on the system. The challenge people face here is that such an attack leaves no footprint on the system, making it untraceable unless the author modifies the registries for persistence. These attacks utilize whitelisted, legitimate software appli...

What is LetsDefend? LetsDefend is a Blue Team training platform that helps aspiring users gain experience by practicing their cyber investigation skills inside a simulated SOC (Security Operations Center) environment. Its purpose is to help current and future SOC analysts with their skills in investigating incidents and developing management reports. Challenge Type: Malware analysis Purpose: To analyze a malicious .doc file for its tendencies Question 1: What type of exploit is running as a result...

The Sleuth Sheet

I must state for the record that this study guide would not be possible without adapting pieces of information from Katie Nickels & Andy Piazza. They’ve done a tremendous job of educating individuals on Cyber Threat Intelligence. WHAT IS CTI? Cyber threat intelligence (CTI) is information about the capabilities, intentions, and activities of adversaries in cyberspace, specifically their ability to compromise, disrupt, or exploit information systems. CTI helps organizations understand the potential...

Third Eye Intelligence

General Tips Ransomware Threat Intelligence Australian Ransomware Threat Landscape 2022 January 3, 2023January 4, 2023 Readers! Happy New Year and Well Wishes. I thought to write about our beloved topic, Ransomware, and this time will focus on Australia. In this blog, I will not be diving into the workings of actual ransomware or doing a technical deep dive on actual samples. However, with some statistics, I will write about victimology and its capabilities and notable TTPs at a higher level. Fo...

Greg Monson at Trustwave SpiderLabs

January 05, 2023 Greg Monson With 2022 having just ended, let's take a look back at the year in ransomware. With the average cost of an attack ranging from $570,00 to $812,360 for just the ransom, according to Cloudally, it should be no surprise that it continued to be one of the most prominent attacks utilized by malicious groups. We'll be doing a quick overview of a few of the most active groups within the space over the past year, and any developments that those...

Karthickkumar K at Uptycs

Infostealer Malware: Targeting Italian Region - Uptycs Written by: Uptycs Threat Research Research by: Karthickkumar K The Uptycs Threat research team recently became aware of a new infostealer malware attack campaign. In the campaign, we observed that the threat actors delivered emails through spam or phishing mail with the subject as “Invoice”, targeting the specific geo of Italy. The infostealer malware steals sensitive information like system inf...

Stefano Ortolani at VMware Security

William Gamazo and Nathaniel Quist at Palo Alto Networks

10 min. read By William Gamazo and Nathaniel Quist January 5, 2023 at 6:00 AM Category: Cloud Tags: Automated Libra, CAPTCHA, Cloud Security, containers, cryptomining, DevOps, Freejacking, GitHub, Prisma Cloud, PurpleUrchin, security feature bypass This post is also available in: 日本語 (Japanese) Executive Summary Unit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a ...

Mark R at you sneakymonkey!

Cloud Metadata - AWS IAM Credential Abuse Attackers are already fully aware of what cloud misconfigurations are and how to take advantage. Why would an attacker run 169.254.169[.]254/latest/meta-data/iam/security-credentials/ ? Mark R Jan 2, 2023 • 8 min read a hot mess of misconfiguration and unknowns It's been noted here (2017 Uber), here (2019 Capital One) and here (2022) about how attackers are fully aware of cloud misconfigurations, attack methods and what their access can lead to. "a singl...