Analysis Notes

A place to jot down things from trying malware analysis, and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 4 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be zapped through quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

January 21, 2023 in Yara sigs A few days ago I posted a very specific question on Twitter and Mastodon: You’ve got gazillion of random yara rules stored inside many random .yar files scattered around many folders. What do you use to read them all, remove duplicates, ensure all rule names are unique, and all the unique rules end up in a ‘merged’ final .yar file (or files)? I am aware of these projects & gists: //github.com/plyara/plyara //github.com/lsoumille/Yara_Merger //gist.github.com/Neo23x0/57...

Andrea Fortuna

Jan 16, 2023 Incident response is a critical component of any organization’s cybersecurity strategy. With the increasing use of cloud-based services, it’s essential to have the right tools in place to quickly and effectively respond to security incidents. In this post, I propose some of my favorite tools that can assist in investigation against Azure AD and Microsoft 365, useful to detect, investigate, and respond to security incidents. Mandiant Azure AD Investigator PowerShell module for detect...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending...

Assume-breach

//www.trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html The Windows LNK file is just one of the many ways to get easy execution while bypassing Applocker and some AV. While this isn’t a new concept, it does present a lot of opportunity and is still a favorite method of initial access for APTs around the world. In this post we’re not going to be doing anything with VHD files or ISOs (maybe we’ll look at that in the future), but we will be doing a few thin...

Home Grown Red Team: Bypassing Applocker, UAC, and Getting Administrative Persistence Welcome back! In my previous post, I showed how we can bypass default Applocker rules using LNK files to get a Havoc beacon. In this installment, we’re going to bypass UAC and gain administrative persistence on a target without dropping EXEs to disk. Pretty cool, right? Getting Started If you haven’t read my previous post, you can find it here: Bypassing Applocker Using LNK Files. That post is going to show you how...

Jeremy Fuchs at Avanan

The Blank Image Attack Posted by Jeremy Fuchs on January 19, 2023 A few years ago, we wrote about the MetaMorph attack. In this attack, the malicious HTML attachments use meta refresh to redirect the end-user from an HTML attachment hosted locally to a phishing page hosted on the public internet. This attack builds upon the wave of HTML attachment attacks that we’ve recently observed targeting our customers, whether they be SMBs or enterprises. It adds another layer of sophistication to ma...

Bank Security

Understanding the importance and methods of the cyber attribution from a strategic point of view Introduction Working in cyber threat intelligence involves a fair amount of activity aimed at attributing cyber attacks. Since today there is no clear list of the different ways to attribute a cyber attack to a specific criminal group or APT, I have decided to describe below the various steps to do so and describe why it is so important for the cyber security sector from a strategic point of view. ...

Blackberry

Emotet Returns With New Methods of Evasion CYBERSECURITY / 01.20.23 / The BlackBerry Research & Intelligence Team Summary Emotet, a Trojan that is primarily spread through spam emails, has been a prevalent issue since its first appearance in 2014. With a network made up of multiple botnets, denoted as “epochs” by security research team Cryptolaemus, Emotet has continuously sent out spam emails in campaigns designed to infect users via p...

Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations RESEARCH & INTELLIGENCE / 01.19.23 / The BlackBerry Research & Intelligence Team SUMMARY The Gamaredon Group has been actively targeting the Ukrainian government lately, relying on the infrastructure of the popular messaging service Telegram to bypass traditional network traffic detection techniques without raising obvious flags. Back in November 2022, BlackBerry uncovered a ...

Brad Duncan at Malware Traffic Analysis

2023-01-16 (MONDAY) - GOOGLE AD --> FAKE 7-ZIP PAGE --> MALICIOUS .MSI FILE REFERENCE: //twitter.com/Unit42_Intel/status/1615470858067222568 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-16-IOCs-for-malware-from-fake-7zip-page.txt.zip 3.4 kB (3,397 bytes); 2023-01-16-infection-by-malware-from-fake-7zip-page.pcap.zip 40.5 MB (40,459,942 bytes); 2023-01-16-malware-and-artifacts-from-infection.zip 37.6 MB (37,5...

2023-01-12 (THURSDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE REFERENCE: //twitter.com/Unit42_Intel/status/1613710507638235136 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt.zip 1.9 kB (1,937 bytes); 2023-01-12-IcedID-infection-with-Cobalt-Strike.pcap.zip 4.0 MB (3,955,876 bytes); 2023-01-12-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip 1.7 MB (1...

2023-01-16 (MONDAY) - ICEDID (BOKBOT) WITH BACKCONNECT AND VNC AND COBALT STRIKE NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-16-IOCs-for-IcedID-infection-with-backconnect-and-VNC-and-Cobalt-Strike.txt.zip 2.2 kB (2,158 bytes); 2023-01-16-IcedID-infection-with-Backonnect-and-VNC-and-Cobalt-Strike.pcap.zip 7.4 MB (7,384,462 bytes); 2023-01-16-malware-and-artifacts-for-IcedID-and-Cobalt-Strike.zip 1.7 MB (1,6...

2023-01-18 (WEDNESDAY) - GOOGLE AD --> FAKE LIBRE OFFICE PAGE --> ICEDID (BOKBOT) --> COBALT STRIKE NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-18-IOCs-for-fake-LibreOffice-page-to-IcedID-to-Cobalt-Strike.txt.zip 2.4 kB (2,361 bytes); 2023-01-18-IcedID-with-Cobalt-Strike-traffic.zip 4.7 MB (4,736,544 bytes); 2023-01-18-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip 4.1 MB (4,082,199 bytes) IMAGES Show...

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 14 – 20 January 2023 20/01/2023 summary This week, CERT-AgID detected and analysed, within the Italian scenario it covers, a total of 26 malicious campaigns, 21 of them with Italian targets and 5 generic ones that nonetheless involved Italy, making the related 321 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types ...

Check Point Research

Cisco’s Talos

By William Largent Thursday, January 19, 2023 16:01 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on...

By Guilherme Venere Thursday, January 19, 2023 08:01 Threat Spotlight Threats Qakbot Bumblebee Gamaredon Malware Research SecureX Adversaries’ shift toward Shell Link (LNK) files, likely sparked by Microsoft’s decision to block macros, provides the opportunity to capitalize on information that can be provided by LNK metadata. Cisco Talos analyzed metadata in LNK files and correlated it with threat actors’ tactics, techniques and procedures, to identify and track threat actor activity. This report o...

By William Largent Friday, January 20, 2023 16:01 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 13 and Jan. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information...

Cofense

Countercraft

The cybersecurity landscape is always shifting, with threats and cyber actors becoming more sophisticated. Of all the challenges in today’s landscape, cybersecurity in banking is perhaps the top priority. 51% of financial institutions consider cyber threats to be one of the biggest risks facing their business today.[1] Financial services has the second-highest cost of data breach, with a $5.72 million average cost per incident. CounterCraft has a multitude of solutions for the finance industry....

CTF导航

idek 2022 Forensics Writeup by r3kapig WriteUp idek 2022 Forensics Writeup by r3kapig Preface: The Forensics category was AK'd (every challenge solved) by our masters, TQL ("too strong"; we should have been the first team to AK it). The masters' writeups are compiled below for everyone to learn from and improve with. We are also continuously recruiting; send résumés to root@r3kapig.com. Pretty Good Prank: Linux memory forensics. First obtain the kernel version matching the memory image, then build a profile. Once the profile is built, forensics can begin; the main thing is to take a look at the command-line contents. We can see that Cirt.pdf was encrypted with gpg and the original file was then deleted, so what we need to do now is find the corresponding encrypted file together with the private key and passphrase, which can be searched for directly with strings. We can see that the encrypted file was uploaded to //ufile.io/fetnsp24, so we can visit that and download the encrypted Cirt.pdf. The private key can also be found directly in memory by searching for PGP PRIVATE KEY -----BEGIN PGP PRIVATE KEY BLOCK----- lQWGBGO/g7oBDADnJpOQBh/cd7Zl...

Cybereason

Written By Cybereason Global SOC and Incident Response Team January 19, 2023 | 20 minute read What you need to know about this attack framework before it replaces Cobalt Strike This particular Threat Analysis report is part of a series named “Purple Team Series”, covering widely used attack techniques, how threat actors are leveraging them and how to detect their use. Introduction Cybereason’s GSOC and Incident Response teams have analyzed a growing C2 framework named Sliver and created by a cyb...

Cyble

January 18, 2023 Threat Actors Leveraging Popular Applications To Target Users Threat Actors (TAs) are increasingly using phishing sites to trick victims into stealing sensitive information or downloading malware such as Information stealer, Remote Access Trojans (RATs), and other malware. The links to these phishing pages are often distributed via email, online ads, and other channels. Cyble Research and Intelligence Labs (CRIL) has also been regularly monitoring various phishing campaigns and ...

January 19, 2023 Sophisticated Android Malware Strikes Users in Thailand, Philippines, and Peru Cyble Research & Intelligence Labs (CRIL) discovered a phishing website, hxxp://lionaiothai[.]com, that was impersonating the genuine Thai Airline – Thai Lion Air, and tricking victims into downloading a malicious application. The downloaded malicious application is a Remote Access Trojan (RAT) which receives commands from the Command and Control (C&C) server and performs various actions. The RAT has ...

Terry Mayer at Cyjax

By Terry Mayer 16th January 2023 The major cyber threats facing the energy sector include ransomware, phishing, malware, vulnerability exploitation, supply chain issues, and DDoS attacks. These attacks may be carried out by state-sponsored threat actors, highly-organised criminal gangs, hacktivist collectives or even individuals acting alone. The energy sector is a prime target for cyber criminals for a variety of reasons: state-sponsored groups will be particularly interested in the damage they...

Esentire


Financial Security Institute

Masscan Ransomware Threat Analysis - 2022 Cyber Intelligence Report IT Information Office 2023-01-18 [FSI Intelligence Report] Masscan Ransomware Threat Analysis Report(English Version).pdf Numerous cases of ransomware damage were reported by many Korean companies in the second half of 2022. The damage is unique in its aspect, that an attacker infiltrated a database (DB) server with a vulnerable security system, distributed ransomware, encrypte...

IT Information Office 2023-01-18 [FSI] Malicious APK deforming ZIP file format found under experiment in the wild.pdf Since 2017, the Financial Security Institute has been tracking and responding to voice phishing, a type of financial fraud that impersonates financial institutes to mislead victims into installing malicious apps which steal device information and result in actual financial loss via social engineering. Malicious apps are always involved in this crime process, while a new anti-analysis method ba...

IT Information Office 2023-01-18 [FSI Intelligence Report]Voice Phishing App Distribution Group Profiling.pdf Voice Phishing App Distribution Group Profiling(English Version) The Financial Security Institute has analyzed malicious apps collected from January to September 2021 to identify the top 3 groups distributing voice phishing apps. This report contains profiling features and analysis of voice phishing apps by each distribution group. ...

Present and Future of Financial Mobile Malware(English Version) - FSI Intelligence Report IT Information Office 2023-01-18 Present and Future of Financial Mobile Malware(Abridged)_En.pdf Present and Future of Financial Mobile Malware_En.pdf Present and Future of Financial Mobile Malware This report presents an analysis of decompiled binaries and source code for around 100 samples of representative malicious Android mobile banking apps such as Anubis, BlackRock, Cerberus, EventBot, KRBankB...

TA505 Threat Group Profiling(English Version) - FSI Intelligence Report IT Information Office 2023-01-18 [FSI Intelligence Report]TA505 Threat Group Profiling(Abridged)_En.pdf [FSI Intelligence Report]TA505 Threat Group Profiling_En.pdf Profiling of TA505 Threat Group That Continues to Attack the Financial Sector (Follow the Trail of TA505) Based on the information gathered by the Financial Security Institute for about a year, this report contains the TA505 threat group's tactics, techniques, procedures and rec...

Profiling a Threat Group Targeting Korea - Campaign RIFLE(English Version) IT Information Office 2023-01-18 [FSI] Threat Intelligence Report-Campaign RIFLE_EN.pdf Profiling a Threat Group Targeting Korea This report is the result of the Financial Security Institute's analysis and correlation tracking of multiple intrusions and malware over several years, confirming that they are a series of actions taken by a single threat group, which it names the Rifle campaign. ...

James Slaughter at Fortinet

By James Slaughter | January 19, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report provides readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers variants of the CrySIS/Dharma ransomware family. Affected platforms: Microso...

Haircutfish

TryHackMe Zeek Exercises — Task 3 Phishing, Task 4 Log4J, & Task 5 Conclusion If you haven’t done tasks 1 & 2 yet, here is the link to my write-up of them: Task 1 Introduction & Task 2 Anomalous DNS. Getting the VM Started Click the green button labeled Start Machine, at the top of Task 1. The screen should split in half; if it doesn’t, go to the top of the page. You will see a blue button labeled Show Split View; click this button. The screen should be split now, and you have to wait for the VM to load. When...

James Horseman at Horizon3

Patrick Schläpfer at HP Wolf Security

Dray Agha at Huntress

At Huntress, we love to thread and share our investigative approaches to our interesting findings internally so other teams can see what we’re up to and learn a thing or two. In this blog, we’ll go on a short journey of how we dissected a vague Managed Antivirus alert, and along the way, offer some ideas and methods for security analysts everywhere. We’ve got a good balance of Huntress-specific approaches and methods that anyone can deploy for any machine. (Insert cheesy image of a...

Dheeraj Yadav at InfoSec Write-ups

Phishing Email Analysis: A complete guide dheerajydv19 Hey guys, it’s me Dheeraj Yadav and in today’s blog, we will learn about all the techniques used for analyzing an email and verifying whether it’s legit or not. This blog is useful for everyone, ranging from a normal internet user to the CISO of an M.N.C. The blog is designed in such a way that there would be no way you get any false positives. What is Phishing? Phishing is a type of online scam in which hackers send fake emails pretending to be fro...

Jon DiMaggio at Analyst1

Jouni Mikkola at “Threat hunting with hints of incident response”

January 21, 2023 JouniMi Why? There has been a new Advanced Persistent Threat group, named Dark Pink, which has been using the msbuild.exe LOLBIN for doing its malicious deeds. The group has been especially active in the APAC area, with some activity in Europe too – specifically in Bosnia and Herzegovina – weirdly enough. The group is mostly targeting military organizations, so it is not a common threat for all organizations. They have been reportedly using the...

Mandiant

Blog Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises Daniel Kapellmann Zafra, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker Jan 17, 2023 15 min read Operational Technology, ICS, phishing, email Phishing is one of the most common techniques used to deliver malware and gain access to target networks. This is not only because of its simplicity and scalability, but also because of its efficiency in exploiting vulnerabilities in human b...

Blog Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) Scott Henderson, Cristiana Kittner, Sarah Hawley, Mark Lechtik Jan 19, 2023 17 min read Vulnerabilities, Zero Day Threats, China, Malware Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a ...

Emily Parrish at ‘Microsoft Security Experts’

Nextron Systems

Jan 20, 2023 | Security Monitoring We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.12.0. It includes updates in several sections: new signatures for PUA like FRP and Adfind; signature strings have been sorted alphabetically (not shown in the screenshot below). You can download the new version here. Tip: to always find the newest version of the cheat sheet, use this search query. Visualised changes: ...

Nozomi Networks

by Nozomi Networks Jan 18, 2023 Monitoring the constantly-evolving cyber threat landscape is essential in staying up-to-date on the latest threats and potential attack vectors. This allows organizations to anticipate vulnerabilities, proactively harden their systems, and implement countermeasures that can protect against malicious actors. By understanding how their networks may be susceptible to attack, organizations can take action to reduce the likelihood of a successful breach. In ...

OSArmor

Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor other computers. While it is common to see Microsoft Word, Excel and PowerPoint maldocs distributed via emails, OneNote maldocs are something new that we don’t frequently see. The infection starts with a OneNote document distributed via email that references an invoice or order that needs to be reviewed. Once the malicious OneNote document ...

Palo Alto Networks

9 min. read By Unit 42 January 18, 2023 at 3:00 AM Category: Government Tags: Advanced URL Filtering, APT, backdoor, China, Compromise, Cortex XDR, DNS security, Iran, Playful Taurus, Turian, WildFire This post is also available in: Japanese. Executive Summary Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been...

PhishLabs

QBot Campaigns Overwhelmingly Lead Reported Payloads in Q4 By Jessica Ellis | January 17, 2023 QBot was the most reported payload targeting employee inboxes in Q4, according to Fortra’s PhishLabs. This is the fourth consecutive month QBot has led malware activity as bad actors target organizations with a steady stream of high-volume attack campaigns. QBot previously represented the second most reported payload family, trailing behind RedLine Stealer in Q3. Email...

Grace Chi at Pulsedive

Case Study: BSI's "PhishQueue" service leverages Pulsedive's Enterprise TIP to help clients detect, investigate, and defend against phishing attacks. Grace Chi Jan 20, 2023 • 5 min read Bayside Solutions, Inc. (BSI) US cybersecurity firm founded in 2001, serving clients in energy, finance, defense, high-technology, and other sectors. BSI’s PhishQueue is a phishing management service that allows users to report suspicious messages, get expert analysis, and detect threats. BSI leverages ...

Glenn Thorpe at Rapid7

Jan 19, 2023 3 min read Glenn Thorpe Last updated at Fri, 20 Jan 2023 23:46:05 GMT Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several o...

Recorded Future

Posted: 17th January 2023By: Insikt Group® Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF. This report provides trends and metrics for the payment card fraud landscape in 2022 and identifies the merchants most frequently compromised or abused as tester merchants. The target audience of this report is fraud and cyber threat intelligence (CTI) teams at financial institutions and merchant services companies. ...

Red Alert

Monthly Threat Actor Group Intelligence Report, November 2022 (ENG) This report is a summary of Threat Actor group activities analyzed by NSHC ThreatRecon team based on data and information collected from 21 October 2022 to 20 November 2022. In November, activities by a total of 29 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 40%, followed by SectorJ and SectorB groups. Threat Actors identified in November carried out the highest number of...

Red Canary

SANS Internet Storm Center

Sansec

16th January 2023 Web Skimming / Sansec Threat Research What is Magecart? Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time? About Magecart Magento and Adobe Commerce stores around the world have been ha...

John Dwyer, James Kainth, Joseph Lozowski, and Philip Pedersen at Security Intelligence

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their inter...

Securonix

Threat Research Ransomware dominated cybersecurity news in 2021, as large-scale attacks plagued organizations both private and public. Perhaps the most widely publicized attack was on Colonial Pipeline, disrupting gas supplies from Texas to New Jersey and forcing the pipeline provider to pay a ransom of 75 bitcoin, which translated into about $4.4 million. The good news is that while global cyberattacks rose in 2022, ransomware attacks were down about 8% in the third quarter, compared wit...

SentinelOne

January 16, 2023 by Jim Walter Researchers at ASEC recently reported on a NetSupport RAT campaign that utilizes Pokemon as the social engineering lure. Threat actors staged a malicious website, hosting a Pokemon-based NFT game, offering both a fun and financially rewarding experience. In reality, those drawn into the site are coerced into downloading the trojanized NetSupport RAT client, allowing attackers full access to their device. NetSupport RAT has been observed in numerous attacks on e...

January 19, 2023 by Tom Hegel In recent weeks there has been a noticeable increase in malicious search engine advertisements found in the wild – an attack method known as SEO Poisoning, which can be considered a type of malvertising (malicious advertising). Industry colleagues have also observed this activity, as noted by vx-underground this week. There is an increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and whi...

SOCRadar

Jonathan Johnson at SpecterOps

It’s dangerous to find malicious services alone! Take this! Authors: Luke Paine & Jonathan Johnson Introduction This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. Services are an important part of the Windows operating system, allowing the control and configuration of long-running processes essential to keeping the OS functional. This ...

Splunk

By Splunk Threat Research Team January 19, 2023 The Windows Registry is one of the most powerful Windows operating system features that can tweak or manipulate Windows policies and low-level configuration settings. Because of this capability, most malware or adversaries abuse this hierarchical database to perform malicious tasks on a victim host or environment. Over the last 2 years, the Splunk Threat Research Team has analyzed and reverse engineered some of the most prevalent and success...

Scott J Roberts

January 20, 2023 · 12 min · Scott J Roberts Analysis paralysis occurs when you overthink and underwork. — Orrin Woodward So, you’re playing with Synapse, it’s outstanding, you’ve sorted through lifting, creating data, maybe even added some Power Ups. Chances are, you’ve learned and started seeing the genius between the idea of nodes (which represent facts) and tags (which can be used to represent countless things, but notably assessments). You’ve probably even created a few. Possibly more than a fe...

Kayleigh Martin at Sucuri

Team Cymru

Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and, as a result, an increase of campaigns in the upcoming weeks. Th...

Teri Radichel

ACM.133 Limiting Pass Role permissions using AWS IAM policies This is a continuation of my series on Automating Cybersecurity Metrics. In the last post I wrote about AWS IAM Permission Boundaries. AWS IAM Permission Boundaries ACM.132 An underused and underrated IAM feature that can help prevent privilege escalation on AWS medium.com In this post we’ll consider permission boundaries with the IAM Pass Role permission. The IAM Pass Role permission How does a principal on AWS assign permissions to a comput...

ACM.134 Preventing a user from leveraging another user with permissions they don’t have This is a continuation of my series on Automating Cybersecurity Metrics. In my last few posts I’ve been trying to outline an IAM architecture that prevents IAM administrators (or an attacker who obtains their credentials or an active session) from escalating privileges. In other words, how can we prevent an IAM administrator from simply granting themselves additional permissions they don’t already have and be a...

Trend Micro

Cloud: Abusing a GitHub Codespaces Feature For Malware Delivery Proof of Concept (POC): We investigate one of the GitHub Codespaces’ real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts to create a malware file server. By: Nitesh Surana, Magno Logan January 16, 2023 Git...

Malware: Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa. By: Peter Girnus, Aliakbar Zahravi January 17, 2023 While threat hunting, we found an active campaign usin...

Malware: Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). By: Junestherry Dela Cruz January 17, 2023 We discuss the Batloader malware campaigns we obse...

Cyber Threats: “Payzero” Scams and The Evolution of Asset Theft in Web3 In this entry, we discuss a Web3 fraud scenario where scammers target potential victims via fake smart contracts, and then take over their digital assets, such as NFT tokens, without paying. We named this scam “Payzero”. By: Fyodor Yarochkin, Vladimir Kropotov, Jay Liao January 18, 2023 Web3 is a lucrative emerging technology where ma...

Lior Sonntag at Wiz

Learn how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident. 11 min read. Lior Sonntag, January 12, 2023. Contents: From compromised secret to ongoing attack; Hunting for signs of persistence in AWS; Query #1 — Suspicious persistence activity by AWS principals; Remediation; Query #2 — Abuse of unsuccessful AssumeRole operation; Query #3 — Successful AssumeRole operation by a highly suspicious p...; Remediation; Hunting for...