Analysis Notes

A place to jot down notes on malware I have tried analysing and things I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 3 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics); it was auto-generated and posted so that articles worth checking can be zapped through quickly. 4n6 can be found here.

THREAT INTELLIGENCE/HUNTING

0xRob

Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE, 11th January 2023, 0xrob. I plan on making this a 2 part blog series which will go through the following topics: why Jupyter for threat hunting and setting up Jupyter with Msticpy and MDE; example host investigation Notebook with example msticpy custom queries. The Why: When it comes to Threat Hunting how many times have you seen an analyst with a giant onenote or confluence page fill...

Adam at Hexacorn

January 8, 2023 in Excel Today I will talk about automated query-building using Excel. Working as a detection engineering and/or threat hunting specialist we often need to create a lot of queries including a lot of repetitive conditions that follow a very similar syntax. It’s not pretty. It’s not easy to manage. We can do better. For instance, if our logs refer to process image names (names of the files that are used to launch processes), and we want to write a query that focuses on a bunch of w...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimps...

Any.Run

January 12, 2023, 8 min read. Annual Report 2022. It’s tradition now to review the year and share all cybersecurity trends and ANY.RUN‘s updates of the last year. Our team has prepared 2022’s threat stats and hopes it helps you make your best decisions. Fo...

Arch Cloud Labs

About The Project In December of 2022, a DLL Hijacking vulnerability with a CVSS score of 7.8 was reported in the Squirrel.Windows auto-install/update utility. This blog post will analyze the vulnerability, and analyze the root cause of said issue with procmon. Analyzing the Security Advisory Squirrel.Windows is an installation utility for Windows desktop applications that does not require a traditional Windows wizard installation. CVE-2022-46330 states that Squirrel.Windows is both a toolset ...

Avertium


Justin Kikani at Blumira

Brad Duncan at Malware Traffic Analysis

2023-01-05 (THURSDAY) - INFECTION FROM AGENTTESLA VARIANT, POSSIBLY ORIGINLOGGER REFERENCE: //twitter.com/Unit42_Intel/status/1611379660029366273 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. More information about OriginLogger is available here. ASSOCIATED FILES: 2023-01-05-IOCs-from-Agent-Tesla-variant-possible-OriginLogger.txt.zip 1.7 kB (1,658 bytes) 2023-01-05-Agent-Tesla-variant-malspam-0418-UTC.eml.zip 20.2 kB (20,223 bytes)...

CERT-AGID

Summary of malicious campaigns in the week of 06 – 13 January 2023, 13/01/2023, summary. This week, CERT-AgID identified and analysed, in the Italian scenario within its remit, a total of 26 malicious campaigns, of which 20 had Italian targets and 6 were generic but nonetheless involved Italy, making the related 269 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types ...

Check Point Research

Cisco’s Talos

By Mitch Neff, Tuesday, January 10, 2023 15:01, Year In Review. Did you miss our livestream focused on the APT section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Jacob Finn, Asheer Malhotra, and Vitor Ventura as they discuss Talos' findings and experiences tracking APTs in 2022. This livestream sheds light into the topic of APT TTPs, the geopolitical factors that influence the macro-environment and defensive guidance to improve security posture. Visit t...

By Cisco Talos, Tuesday, January 10, 2023 09:01, Year In Review. State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive m...

By Madison Burns, Thursday, January 12, 2023 14:01, Threat Source newsletter. Welcome to this week’s edition of the Threat Source newsletter. We tried to get ChatGPT to write this week’s newsletter but it was at capacity, so you’ll have to stick with us for another week. Or maybe that’s just what the robots want you to think, you be the judge. The one big thing: This week Talos hosted a 2022 Year in Review: APTs livestream. On the livestream we brought together subject matter experts to deep dive into ...

By William Largent, Friday, January 13, 2023 13:01, Threat Roundup. Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 6 and Jan. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information ...

CTF导航

DCSync & DCShadow: Principles and Application. Penetration techniques, 1 week ago, admin. Disclaimer: Any direct or indirect consequences and losses caused by disseminating or using the information provided by this public account, 听风安全, are the sole responsibility of the user; the public account 听风安全 and the authors accept no liability for them. If any consequences occur, please bear them yourself! If there is any infringement, please let us know and we will delete it immediately and apologize. Thank you! DCSync Principle: In a domain environment, domain data is synchronized between different domain controllers (DCs) every 15 minutes. When one domain controller (DC 1) wants to obtain data from another domain controller (DC 2), DC 1 sends a GetNCChanges request to DC 2, and the request's data includes the data that needs to be synchronized. If there is a lot of data to synchronize, the above process is repeated. DCSync exploits exactly this principle, sending a data synchronization request to the domain controller via the GetNCChanges interface of the Directory Replication Service (DRS). DCSync is a technique often used in domain penetration and has been integrated into Mimikatz. Before the DCSync feature appeared, obtaining domain users' hashes required logging on to a domain controller and executing code on the domain controller. In August 2015 ...

Cross-platform Rebuild of the CobaltStrike Beacon with Behavior Evading Mainstream AV. Penetration techniques, 7 days ago, admin. Background: Last month a friend sent me the geacon project, which implements part of the Beacon's functionality in Golang. We both thought the project was quite interesting, so we continued development on top of it, adapting most of the Beacon's functionality while also making changes at the AV-evasion level. I implemented a version compatible with 4.1+, geacon_pro, and he implemented a version compatible with 4.0, geacon_plus; the overall functionality is the same, with some implementation details differing. We will continue to maintain this project and integrate the evasion techniques into it. For specific caveats, readers can go to the project; the low-level CobaltStrike protocol has already been analyzed by 鸡哥 and many others, so here the focus is on implementation details, roughly describing our thinking during the rebuild and the implementation details of some features. Overall approach: When rebuilding, the following points need to be considered: 1. CobaltStrike's communication protocol: communication is simply sending and parsing packets according to some protocol; unlike traditional low-level protocol analysis, when rebuilding you also need to analyze what each command does and the content sent down by the server...

APT Group “GroupA21” Attacks Pakistan Using Official Government Documents. APT, 5 days ago, admin. 1 Overview: GroupA21 is an APT group suspected to originate from India, also known as “幼象” (“Baby Elephant”), “babyelephant”, etc. The group has been active since at least 2017 and continuously conducts cyber-espionage against government, military, diplomatic, intelligence, nuclear energy and university sectors and institutions in South Asian countries including Pakistan, Sri Lanka, the Maldives and Bangladesh. In its attack methods and assets the group likes to imitate the Indian group “SideWinder”, which also complicates attribution. 微步情报局 (ThreatBook) recently captured a GroupA21 attack campaign through its threat hunting system, and analysis found the following: The attackers used a legitimate PDF file from an official website as bait, carrying a malicious LNK file inside the file to launch the decoy and the trojan files. The final payloads used by the attackers were the in-house WarHawk trojan and public trojans such as NetWire and CobaltStrike; in addition we also found C2 servers deploying Sliver. By tracing the related samples, IPs and domains, ThreatBook extracted multiple related IOCs that can be used for threat intelligence detection. ThreatBook's threat detection platform TDP, on-premises threat intelligence management platform TIP, ...

A tool that automatically exploits the Active Directory privilege escalation paths shown by BloodHound. Penetration techniques, 6 days ago, admin. If a privesc path exists in the BloodHound database, this tool automatically performs the AD privesc between two AD objects, a source (which we own) and a target (which we want). The automation consists of two steps: finding the best privesc path using the BloodHound data and neo4j queries, and executing the path found using the bloodyAD package. Since autobloody relies on bloodyAD, it supports authentication with a cleartext password, pass-the-hash, pass-the-ticket or a certificate, and binds to the domain controller's LDAP service to perform the AD privesc. Installation: First, if you run it on Linux, you must install libkrb5-dev on your operating system for Kerberos to work: # Debian/Ubuntu/Kali: apt-get install libkrb5-dev # Centos/RHEL: yum install krb5-devel # Fedora: dnf install k...

Case Analysis of APT Group Bitter's Cyber-Espionage Activity. APT, 3 days ago, admin. Bitter (T-APT-17, BITTER, 蔓灵花) is a South Asian APT group that has long targeted China, Pakistan and other countries; it got its name because the packet headers of the communications of the custom trojan it used early on carried “BITTER” as an identifier. The group mainly attacks government, military-industrial, energy and other organizations to steal sensitive data, and has a strong political background. Recently, 中孚信息 (Zhongfu Information) threat researchers analyzed a recent attack by the group against a Bangladeshi military institution, in which the attackers exploited a vulnerability in the Office Equation Editor component (EQNEDT32.EXE), delivering malicious decoy documents and intermediate malware to deploy a remote access trojan for cyber espionage. Attack flow: EQNEDT32.EXE is an equation editor component inside the Office suite; the component has several remote code execution vulnerabilities that stayed hidden for a long time. Attackers can embed malicious equation data in an Office document to launch an attack, and users are compromised as soon as they open the malicious document. In the first stage, the attackers use a malicious document exploiting the Office Equation Editor vulnerability as a decoy, luring the user to open it, which triggers the vulnerability and executes malicious shellcode to download the second-stage sample. In the second stage, the attackers used one named v...

威胁Xin解析 | Beware: Royal Ransomware Continues to Spread via Advertising Traffic. Reverse engineering / virus analysis, 4 days ago, admin. Recently, 亚信安全 (AsiaInfo Security) observed that Royal ransomware is unusually active; while it seems to particularly “favor” healthcare systems, it continues to spread through third-party websites, spam email attachments, malvertising, backdoors and fake installers, causing victims both financial and reputational losses. About Royal: Royal ransomware was first discovered in September 2022 and has gone through multiple iterations. Researchers found that Royal ransomware initially used the encryptors of other ransomware families (such as BlackCat), but the group quickly switched to its own encryptor; Zeon was the first ransomware family generated with the group's own encryptor, and its ransom note is similar to that of the Conti family. The Royal ransomware family hosts fake installer files on sites disguised as legitimate download sites as well as on legitimate sites such as GitHub and OneDrive, and blends malvertising into normal advertising traffic via promotion services to lure victims into downloading and running it. Royal's attack flow: Royal ransomware disguises itself as a legitimate application and lures victims into downloading and running it, which serves as the entry point for distributing the ransomware. The ransomware program supports command-line parameters; the "-path" para...

Cybereason

Written By Dan Verton January 9, 2023 | 1 minute read MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a critical tool for security practitioners seeking to understand how attackers move, operate, and conduct their attacks. Designed to look at attacks from the attacker’s perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. Cybereason has developed a comprehensive guide ...

Written By Cybereason Global SOC and Incident Response Team January 10, 2023 | 9 minute read BACKGROUND In this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally known as a banking trojan used to steal financial information from its victims. It has been around since at least 2017 and has been tied to the threat group TA551. Rec...

CyberProof

CTI Research Team January 9, 2023 3 minute read In October, researchers found a complex EDR bypass technique used in BlackByte ransomware that evades EDR detections. Only a month later, similar tools were found that linked EDR bypassing to the financially motivated hacking group, FIN7 (Carbanak), that carried out a major ransomware campaign. CyberProof’s Cyber Threat Intelligence (CTI) team has identified ties between threat actors related to these EDR bypass techniques, uncovering the covert me...

Cyble

January 11, 2023 Physical Threats from Darkweb Marketplaces: A New Frontier in Cybercrime Physical security is a set of measures designed to prevent unauthorized access to a facility, building, or location and protect against damage or harm to people and assets within that location. It involves the use of various techniques and technologies to secure the perimeter of a location, as well as to protect against intrusions and attacks. One common form of physical security is the use of fences, gates...

January 12, 2023 Evasive Infostealer leveraging Phishing and Spam Campaigns for its Delivery Threat Actors (TAs) are increasingly using spam emails and phishing websites to trick users into downloading malware such as Stealer and Remote Access Trojan (RAT) to infect users’ machines and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) is actively monitoring various stealer malware and publishing blogs about them to inform and educate its readers. Recently, we came across a n...

January 12, 2023 Transportation & Logistics Sector in Turmoil American airports experienced delays on Tuesday, January 10, 2023, from 10:17 PM EST, and at about 10:40 PM EST the Air Traffic Control System Command Center (ATCSCC) of the Federal Aviation Administration (FAA) notified in their Operational Plan about an outage in the Notice to Air Missions (NOTAM) system. The FAA NOTAM outage was subsequently clarified by the ATCSCC, affecting the entire American airspace from 10:28 EST on ...

January 13, 2023 Lorenz Ransomware Group Joins ALPHV and LOCKBIT in Advanced Extortion Tactics Several ransomware groups attempt to make their business model more profitable by adopting different extortion techniques. Some organizations often have more valuable data to lose and are more likely to pay the ransom to avoid the negative impact on their business. If victims refuse to pay, ransomware groups use different extortion techniques to pressure their victims to pay the ransom quickly. Initial...

EclecticIQ

This research investigates a recent QakBot phishing campaign's ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful installation of malicious software on victim devices. EclecticIQ Threat Research Team – January 12, 2023. Executive Summary: This paper investigates a recent QakBot phishing campaign's ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful...

Esentire


Andrey Polovinkin at Group-IB

Haircutfish

Haircutfish, Jan 9, 15 min read. TryHackMe Zeek — Task 1 Introduction, Task 2 Network Security Monitoring and Zeek, & Task 3 Zeek Logs. Introduction to hands-on network monitoring and threat detection with Zeek (formerly Bro). Zeek (formerly Bro) is an open-source and commercial network monitoring tool (traffic analyser). The official description: “Zeek (formerly Bro) is the world’s leading platform for network security monitoring. Flexible, open-source, and powered by defenders.” “Zeek is a passiv...

Haircutfish, Jan 10, 18 min read. TryHackMe Zeek — Task 4 CLI Kung-Fu Recall: Processing Zeek Logs, Task 5 Zeek Signatures, & Task 6 Zeek Scripts | Fundamentals. If you haven’t done task 1, 2, & 3 yet, here is the link to my write-up of it: Task 1 Introduction, Task 2 Network Security Monitoring and Zeek, & Task 3 Zeek Logs. Getting the VM Started: Click the green button labeled Start Machine, at the top of Task 1. The screen should split in half; if it doesn’t, go to the top of the page. You will see...

Haircutfish, Jan 11, 25 min read. TryHackMe Zeek — Task 7 Zeek Scripts | Scripts and Signatures, Task 8 Zeek Scripts | Frameworks, Task 9 Zeek Scripts | Packages, & Task 10 Conclusion. If you haven’t done task 4, 5, & 6 yet, here is the link to my write-up of it: Task 4 CLI Kung-Fu Recall: Processing Zeek Logs, Task 5 Zeek Signatures, & Task 6 Zeek Scripts | Fundamentals. Getting the VM Started: Click the green button labeled Start Machine, at the top of Task 1. The screen should split in half; if it...

TryHackMe Zeek Exercises — Task 1 Introduction & Task 2 Anomalous DNS. Put your Zeek skills into practice and analyze network traffic. Task 1 Introduction: The room invites you to a challenge to investigate a series of traffic data and stop malicious activity under different scenarios. Let’s start working with Zeek to analyze the captured traffic. We recommend completing the Zeek room first, which will teach you how to use the tool in depth. A VM is attached to this room. You don’t need SSH or RDP; the ro...

James Horseman at Horizon3

Stuart Ashenbrenner at Huntress

At Huntress, we aim to serve the 99%. Although Windows is still overwhelmingly leading the market in enterprise endpoints, Apple is beginning to make a dent, increasing their market share in the enterprise each year. Due to the increasing number of Macs in corporate enterprises, Huntress set out to match their own Windows agent with a Mac equivalent. Let’s take a look at our new Mac agent, what we look for and why—and where we’re heading. The Huntress macOS Agent Right now, the mai...

Keith McCammon

less than 1 minute read This Google Sheets template aims to make it easy to perform simple, measurable testing of MITRE ATT&CK techniques using Atomic Red Team or an adversary emulation solution of your choosing. To get started: Choose the technique that you wish to test. To help prioritize your testing, incorporate rankings from public threat reports, your own intelligence, or any other mechanism that you choose. The top techniques from Red Canary’s annual Threat Detection Report are incorporat...

Koen Van Impe

Posted on January 12, 2023 in internet, linux, open source, security. Zeek: Zeek (formerly Bro) is a free and open-source software network analysis framework. It gives insights on DNS queries, HTTP and TLS information and details on transmitted files. I find Zeek one of the best network monitoring tools available to provide detailed visibility on network traffic. Zeek has a built-in intelligence framework. This framework allows you to add information received via MISP directly ...

Lina Lau at Inversecos

January 10, 2023 Threat actors can create and populate fake logs in the Azure sign-in logs that look like legitimate events. The parameters they can spoof in the logs include (and are not limited to): timestamp of when the events are generated, user account, IP addresses, and network location type. During forensic investigations, analysts may not be aware that some of the logs are not “legitimate” and start recording indicators of compromise that are not ne...

Elli at Misconfig

Doron Karmi, Deror Czudnowski, Ariel Szarf, and Or Aspir at Mitiga

By Doron Karmi, Deror Czudnowski, Ariel Szarf, Or Aspir. On January 4, CircleCI published a statement announcing the investigation of a security incident. In this technical blog, we will share how to hunt for malicious behavior that may be caused by this incident and affect not only your CircleCI platform but other third-party applications that are integrated with your CircleCI platform, using only the default logging configuration those services provide. We chose popular SaaS and cloud providers GitHub, ...

Natanja Friedrich at Truesec

Natanja Friedrich. As ransomware attacks continue to pose a major threat to organizations of all sizes, having access to a strong and effective cyber incident response (IR) team in place is more important than ever. A specialized and experienced cyber IR team should have a range of technical skills and expertise, including a deep understanding of how ransomware works, the ability to monitor networks for suspicious activity, and the knowledge to take steps to contain the damage of an attack. On...

Nextron Systems

Jan 13, 2023 | Nextron We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.11.0. It includes updates in several sections and adds special identifiers for other hack tools and ransomware (sync with Sigma rule changes provided by Arnim Rupp in PR #3919 and #3924). You can download the new version here. Tip: to always find the newest version of the cheat sheet, use this search query. Changes: ...

Alexander Poth at NVISO Labs

Alexander Poth, January 10, 2023, 8 Minutes. Introduction Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics. ATMs have been robbed by criminal gangs around the world for decades. A successful approach for about 20 years has been the use of highly flammable gas, which i...

Eoin Miller at Rapid7

Jan 11, 2023, 18 min read, Eoin Miller. Last updated at Wed, 11 Jan 2023 20:24:43 GMT. How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks. Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities. Recently, Rapid7 observed a malicious actor perf...

Jos Clephas at Velocidex

Tracking an adversary in real-time using Velociraptor. Jos Clephas - @DfirJos, 2023-01-09. As an incident responder that is fighting an adversary, you typically want to be alerted the moment they conduct hands-on-keyboard activity on systems of the IT-infrastructure that you are investigating. This blog post shows you two practic...

Recorded Future

Posted: 9th January 2023. By: Meghan McGowan. Find out more about integrating Recorded Future with the SIEM and SOAR tools your security teams are already using. See our on-demand webinar titled Expect More From Your Threat Intelligence with Splunk Enterprise Security and Splunk SOAR. How do your organization’s security analysts track down and address cyber and physical threats? Is it primarily a manual process involving web research and detection against a flat risk list? Or have you progressed to ...

Red Canary

Resecurity

Dark Web Markets Compete for the Drug Trafficking and Illegal Pharmacy Monopoly. Cybercrime Intelligence, 8 Jan 2023. Dark Web, Cyber Crime, Intelligence, drug trafficking. Major drug markets in the Dark Web are now worth around $315 million annually according to the United Nations Office on Drugs and Crime (UNODC). Resecurity estimates this figure to be significantly higher in 2023: the annual sales of illegal drugs in the Dark Web for 2022 exceeded $470 million, which is the result of increased g...

Rob Zuber at CircleCI

Rob Zuber, Chief Technology Officer. On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we’ve learned, and what our plans are to continuously improve our security posture for the future. We would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to y...

S-RM Insights

Kyle Schwaeble, James Tytler, 13 January 2023. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our ...

SANS Internet Storm Center

Security Intelligence

The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom. Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products. In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads. RomCom Realities Desp...

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware ...

Dheeraj Kumar and Ella Dragun at Securonix

Threat Research. Authors: Dheeraj Kumar, Ella Dragun. This special edition of the Threat Labs Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in 2022. The report additionally provides a synopsis of the threats, indicators of compromise (IOCs), and tactics, techniques and procedures (TTPs) used by the threat actors. For additional information on related search queries used via Securonix Autonomous Threat Sweeper to detect the b...

Sekoia

As with many botnets and worms, SEKOIA.IO analysts demonstrate through this article that Raspberry Robin can be repurposed by other threat actors to deploy their own implants. APT, Cybercrime, Malware. Threat & Detection Research Team, January 10 2023, 8 minutes reading. After our first report about QNAPWorm dating back from March 2022, this malware made the headlines under the name of Raspberry Robin following a RedCanary blogpost. Since then, several vendors such as Microsoft, ...

SentinelLabs

LABScon / January 11, 2023 Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind. WMI provides rich information about the computing environment, which allows monitoring via event filters, consumers, and bindings to get notifications about important OS events. These features make WMI critical for solutions such as EDRs, AVs,...

Tom Hegel / January 12, 2023 By Tom Hegel and Aleksandar Milenkoski Executive Summary Pro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure. NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week. Other recent attacks include organizations and businesses across ...

January 9, 2023 by Phil Stokes. Our 2022 review of macOS malware revealed that the threats faced by businesses and users running macOS endpoints included an increase in backdoors and cross-platform attack frameworks. Threats like CrateDepression and PyMafka used typosquatting attacks against package repositories to infect users, while ChromeLoader and others like oRAT leveraged malvertising as an infection vector. However, the infection vector used by many other macOS threats remains unknown....

SOC Fortress

Protect your web server with Yara powered by Wazuh’s Active Response. World’s Best FREE SIEM Stack Series. Intro: Many web applications allow end users to upload files. While convenient and oftentimes a required feature with modern web applications, security teams must have proper security features set in place to detect and thwart malicious file uploads. Malicious file uploading is a type of attack that involves placing files onto a server or computer in such a way that they contain some form of bac...

SOCRadar

Splunk

By Splunk Threat Research Team, January 13, 2023. The Splunk Threat Research Team (STRT) is happy to release v3.0 of the Splunk Attack Range. Splunk Attack Range is an open source project that allows security teams to spin up a detection development environment to emulate adversary behavior and use the generated telemetry data to build detections in Splunk. This blog highlights the new features introduced in version 3.0 to help build resilient, high-quality detections. Splunk Attack Range T...

Joe at Stranded on Pylos

The Sleuth Sheet – Medium

WHAT IS THE DARKNET The dark net, also known as the deep web, is an Internet overlay network that can only be accessed with specific software, configurations, or authorization. It applies a one-of-a-kind customized communication protocol and can be used for a variety of purposes, including the protection of privacy rights, computer crime, file sharing, the sale of restricted goods, the circumvention of network censorship and content-filtering systems, and the bypassing of restrict...

ThreatMon

Hitomi Kimura, Ryan Maglaque, Fe Cureg, and Trent Bessell at Trend Micro

Malware: Gootkit Loader Actively Targets Australian Healthcare Industry. We analyzed the infection routine used in recent Gootkit loader attacks on the Australian healthcare industry and found that Gootkit leveraged SEO poisoning for its initial access and abused legitimate tools like VLC Media Player. By: Hitomi Kimura, Ryan Maglaque, Fe Cureg, Trent Bessell, January 09, 2023. Known for using search engine ...

Megan Nilsen at TrustedSec

A LAPS(e) in Judgement, January 10, 2023, By Megan Nilsen. As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the danger...

Unveiled Security

Defining Cyber Threat Intelligence, tthe veii0x, January 12, 2023, 3 Minutes. Cyber Threat Intelligence (CTI) is not a new area of cybersecurity, but uncertainty about what CTI is remains a question throughout the community. If you ask ten people to define CTI, you will likely hear eight to ten (8-10) different definitions. It’s very concerning that this is the current state of understanding. To test the hypothesis stated above, I’ll run an Internet search and dig ...

Oleg Boyarchuk at VMware Security

Lukas Stefanko at WeLiveSecurity

ESET researchers identified an active StrongPity campaign distributing a trojanized version of the Android Telegram app, presented as the Shagle app – a video-chat service that has no app version. Lukas Stefanko, 10 Jan 2023 - 11:30AM. ESET researchers identified an active campaign that we have attri...