Analysis Notes

A place to note things learned while analyzing malware, and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 5 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics); it is auto-generated and posted so that articles worth checking can be skimmed. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Banking trojans, DNS hijacking, China, Infostealers, Malvertising, Phishing, and Smishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threa...

Adriano Bybyk at Aon

AgentVX and Taurus In an investigation occurring in 2021, Stroz Friedberg Incident Response Services team (Stroz Friedberg) encountered a new payload associated with the Taurus Loader. Typically, the information security community sees this loader associated with the Taurus Stealer malware. The Taurus Stealer has the ability to collect information from various web browsers, including passwords, cookies, autofill forms and history. However, in this instance, Stroz Friedb...

Francis Guibernau and Ken Towne at AttackIQ

Avertium

January 24, 2023 overview A vulnerability was found in two dozen ManageEngine products which is currently being exploited in the wild. CVE-2022-47966 is a pre-authentication remote code execution (RCE) vulnerability stemming from an outdated version of the Apache Santuario library. CVE-2022-47966 impacts several popular products used by large organizations, including ServiceDesk Plus, ADSelfService Plus, Active Directory 360, Access Manager Plus, and others. Between October and November 2022, pa...

AWS Security

by Anna McAbee, Luis Pastor, and Marshall Jones | on 25 JAN 2023 | in Intermediate (200), Security, Identity, & Compliance, Technical How-to Uncovering the root cause of an Amazon GuardDuty finding can be a complex task, requiring security operations center (SOC) analysts to collect a variety of logs, correlate information across logs, and determine the full scope of affected resources. Sometimes you need to do this type of in-depth analysis because investigating i...

by Diana Alvarado | on 26 JAN 2023 | in Intermediate (200), Security, Identity, & Compliance, Technical How-to AWS WAF is a web application firewall service that helps you protect your applications from common exploits that could affect your application’s availability and your security posture. One of the most useful ways to detect and respond to malicious web activity is to collect and analyze AWS WAF logs. You can perform this task conveniently by sending your AW...

Bill Stearns at Active Countermeasures

Martin Zugec at Bitdefender

Reading time: 98 min At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments. SSRF attacks on Microsoft Exchange servers are some of the most popular and routinely exploited vulnerabilities. We decided to release a technical advisory describing these attacks, but also documenting some of the recent attacks that we’ve detected in the wild. Service...

Lawrence Abrams at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-01-23 (MONDAY) - GOOGLE AD --> FAKE ANYDESK PAGE --> POSSIBLE TA505 ACTIVITY REFERENCE: //twitter.com/Unit42_Intel/status/1617672614792642560 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt.zip 1.7 kB (1,736 bytes) 2023-01-23-Google-ad-to-possible-TA505-activity.pcap.zip 21.4 MB (21,411,667 bytes) 2023-01-23-possible-TA505-activity-malware-and-artifa...

Cado Security

CERT Polska

Artemis – CERT Polska verifies the cybersecurity of Polish organizations 25 January 2023 | CERT Polska | #artemis, #scanning, #tools The New Year has brought more solutions to improve the security of the Polish Internet. One of them is Artemis, a tool developed by the CERT Polska team and initiated by the KN Cyber science club of Warsaw University of Technology. Artemis was designed to look for websites mi...

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 21 – 27 January 2023 27/01/2023 summary This week, CERT-AgID identified and analysed, within the Italian scenario it covers, a total of 26 malicious campaigns, 18 of them with Italian targets and 8 generic ones that nonetheless involved Italy, making the 228 related indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types ...

Check Point Research

CISA

Cisco’s Talos

By Cisco Talos Tuesday, January 24, 2023 09:01 Year In Review 2022YiR While our ongoing support to Ukraine and response to the Log4j vulnerabilities were two of our most comprehensive and impactful efforts in 2022, we also dealt with a multitude of other threats as the security community faced an expanding set of adversaries and malware. In January, we identified several emerging trends that we expected would affect or dominate the threat landscape in 2022, many of which ultimately played out as...

By Nick Biasini Tuesday, January 24, 2023 07:01 On The Radar APT As we begin 2023 I wanted to take some time and look at the state sponsored threat landscape. Over the last few decades we've seen seismic shifts in how state sponsored actors attack, starting with traditional espionage with attacks like Moonlight Maze and Project Gunman and evolving into more intellectual property theft and dissident targeting with attacks like Operation Aurora. Now activity is moving into increasingly destructive...

By Kri Dontje Thursday, January 26, 2023 04:01 CTIR trends Phishing Cobalt Strike Microsoft Powershell Qakbot ransomware Remote Access Tool Syncro, a remote management and monitoring tool, emerges as an increasingly common tool for adversaries. By Caitlin Huey. Ransomware continued to be a top threat Cisco Talos Incident Response (Talos IR) responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, IR also observed a significant number of...

What's Old is New Again and What's Old is Me? By William Largent Thursday, January 26, 2023 18:01 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching … and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cyc...

By Mitch Neff Friday, January 27, 2023 12:01 2022YiR Year In Review Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022. Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts. New content will be added with each topic...

By William Largent Friday, January 27, 2023 10:01 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information...

CTF导航

Analysis of Black Basta's Most Recent Attack Incident Reverse Virus Analysis 3 days ago admin According to Check Point's report for the first half of 2022, 1 in 40 organizations was affected by a ransomware attack, an increase of 59% over the previous year. The reason ransomware is so rampant is that the profits are enormous. With the rise of double extortion, ransomware attacks have become even more attractive: even if the victim refuses to pay, the stolen private data may be sold on the black market for a considerable price. Since May 2022, more than 89 well-known organizations have been attacked by the Black Basta group. The data show that the group's targets are clearly located in the United States and Germany, with 49% of victims being US users. In some cases, the ransom has even exceeded 1 million dollars. Next, I will introduce the technical details of Black Basta activity, along with its various evasion and anti-analysis techniques. Technical details Before an attack begins, the group behind it must deliver the ransomware to the victim's device. With advanced delivery techniques, droppers have different ways of downloading their payload to the selected victim device, and combinations of different dropper modules may also be used (for example, a combination of QakBot and Cobalt Strike payloads), ultimately leading to execution of the ransomware. Possible ways Black Basta delivers ransomware to victims' devices We observed that droppers can ...

Niels Groeneveld at Cyber Threat Intelligence Training Center

By Trainer Jan 25, 2023 stix, taxii By: Niels Groeneveld, OSINT Analyst January 26, 2023 As the world becomes increasingly interconnected and dependent on technology, the need for robust cyber threat intelligence (CTI) sharing has become paramount. The STIX and TAXII frameworks, developed by the OASIS CTI Technical Committee, have been widely adopted as a standard for sharing CTI among organizations and agencies. However, the use cases for STIX and TAXII go far beyond just sharing information on c...

By Trainer Jan 26, 2023 law enforcement, taxii By: Niels Groeneveld, OSINT Analyst January 26, 2023 STIX and TAXII are widely recognized as key frameworks for the sharing and exchange of cyber threat intelligence between organizations. However, the potential uses for these frameworks extend far beyond just the realm of cyber threats. In fact, they can play a crucial role in facilitating the sharing of threat intelligence between law enforcement agencies in the fight against all types of criminal a...

Cyble

January 24, 2023 Fraudulent Certificates Put Infosec Professionals’ Credibility at Risk Professional certifications, including cybersecurity certifications, are a key indicator of qualifications and skill, thus offering a foothold into a competitive workforce. According to a 2020 Gallup poll, certifications are associated with better jobs, more career advancement opportunities, and higher job satisfaction. However, the increasing demand for cybersecurity professionals has led to a rise in fraud...

January 24, 2023 A glimpse of our findings on Ransomware activity in the last Quarter Cyble Research & Intelligence Labs (CRIL) closely monitors, tracks, and analyzes current and emerging ransomware threats across the globe. Our Q4-2022 ransomware report contains our observations around critical ransomware statistics and trends, major attacks, and common Tactics, Techniques, and Procedures (TTPs) observed last quarter. We observed a net rise in Quarter on Quarter Ransomware activities in Q4-2022...

January 25, 2023 Botnet with Clipper Capabilities being pushed via Phishing Sites The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan. In 2022, the Amadey bot was used by affiliates of LOCKBIT to spread ransomware to the v...

January 25, 2023 Uncovering the Secrets of the Command and Control Panel A new trend has been observed among Threat Actors (TAs) of using Golang for their information stealer malware. Golang, also known as Go, is a programming language developed by Google known for its simplicity, efficiency, and performance. Titan Stealer is a recent example of the use of Golang by TAs. One of the primary reasons TAs may be using Golang for their information stealer malware is because it allows them to easily c...

DomainTools

Dr Nestori Syynimaa at AADInternals

January 23, 2023 blog Introduction Installing service account to a local computer Elevation of Privilege Prerequisites Modifying registry A sample service Communication with Microsoft Summary References In my previous blog post I explained how Group Managed Service Accounts (gMSA) passwords are stored locally on the servers. In this blog, I’ll share how you can easily elevate yourself from the local administrator to gMSA without a need to know the account password. I’m already using this techni...

Abdulrahman H. Alamri at Dragos

By Abdulrahman H. Alamri 01.23.23 During the fourth quarter of 2022, ransomware continued to pose substantial financial and operational risk to industrial organizations worldwide. Dragos actively monitors and analyzes the activities of 57 different ransomware groups that have impacted industrial organizations and infrastructure. Dragos observed through publicly disclosed incidents, network telemetry, and dark web postings that out of these 57 groups, only 24 were ...

EclecticIQ

Godfather malware is a banking trojan used by different threat actors to target Android mobile devices. One primary design of Godfather malware is to harvest login credentials for various financial applications including cryptocurrency wallets and exchanges. EclecticIQ Threat Research Team – January 26, 2023 Godfather malware includes banking trojans used by different threat actors to target Android mobile devices. Initial variants were reported at the beginning of March 2021. (1) One primary design o...

Elastic

By Bahubali Shetti 24 January 2023 Elastic Observability provides a full-stack observability solution, by supporting metrics, traces, and logs for applications and infrastructure. In a previous blog, I showed you how to monitor your AWS infrastructure running a three-tier application. Specifically we reviewed metrics ingest and analysis on Elastic Observability for EC2, VPC, ELB, and...

By Apoorva Joshi, Susan Chang 24 January 2023 Does your organization’s data include sensitive information, like intellectual property or personally identifiable information (PII)? Do you want to protect your data from being stolen and sent (i.e., exfiltrated) to external web services? If the answer to these questions is yes, then Elastic’s Data Exfiltration Detection package can help ...

Fortinet

By Geri Revay | January 24, 2023 FortiGuard Labs has been actively tracking wiper malware targeting Ukrainian organizations since the start of the 2022 Russia-Ukraine conflict. The sudden spike in wiper malware began early in the year with numerous new wiper samples targeted at Ukraine. It displayed a side of cyberattacks we rarely see: pure destruction. We published an article last April 2022 to help people understand the context, history, and technical setup of wiper attacks. This post focuses...

By Anthony Giandomenico and Aamir Lakhani | January 27, 2023 Ransomware attacks have increased in volume, morphing and evolving through the years, especially recently, into the debilitating attacks we see today. According to the 2H 2020 Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased sevenfold in the second half of 2020 and became even more disruptive. Tactics from threat actors continue to shift and defenders need to not only continue to get the “basics” of def...

Zak Butler and Jonas Taege at Google Threat Analysis Group

Threat Analysis Group Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022 Jan 26, 2023 An update on the information operation network of spammy influence content across multiple platforms — and TAG's ongoing work to track and disrupt. Zak Butler Sr. Strategist, Trust & Safety Jonas Taege Threat Intelligence Analyst ...

GuidePoint Security

Haircutfish

Haircutfish Jan 25 · 8 min read TryHackMe Brim — Task 1 Introduction, Task 2 What is Brim?, & Task 3 The Basics Learn and practice log investigation, pcap analysis and threat hunting with Brim. Task 1 Introduction BRIM is an open-source desktop application that processes pcap files and logs files. Its primary focus is providing search and analytics. In this room, you will learn how to use Brim, process pcap files and investigate log files to find the needle in the haystack! This room expects you ...

James Horseman at Horizon3

Human Security

By Satori Threat Intelligence and Research Team Jan 19, 2023 Ad Fraud, Research & Detection, Cybersecurity Investigators: Nico Agnese, Maor Elizen, Marion Habiby, Ryan Joye, Vikas Parthasarathy, Adam Sell, Mikhail Venkov In this post: HUMAN’s Satori Threat Intelligence and Research Team uncovered and took down a sophisticated ad fraud operation we’ve dubbed VASTFLUX. This private takedown of an expansive and complex threat embodies the power of modern defense and collective protection. The name ...

By Rosemary Cipriano Jan 19, 2023 Ad Fraud, Threat Intelligence Today we released a report describing the takedown of one of the largest and most sophisticated ad fraud operations the HUMAN Satori Threat Intelligence & Research Team has ever encountered: VASTFLUX. We applied modern defense with our customers and the Human Collective to orchestrate an unprecedented private takedown. At its peak, VASTFLUX’s per day volume surpassed every major investigation we’ve ever published with a whopping 12 b...

Intel471

Jan 25, 2023 The automotive industry is one of the largest in the world, with dozens of countries involved in the direct manufacture of vehicles or its massive supply chain. New vehicles have as many as 30,000 internal components, many of which are produced by third-party original equipment manufacturers. The industry is in the midst of a significant transformation – it’s increasingly embracing software to improve the monitoring, efficiency and safety of vehicles while transitioning from interna...

Ismael Valenzuela at Blackberry

Announcing the New BlackBerry Global Threat Intelligence Report CYBERSECURITY / 01.25.23 / Ismael Valenzuela Threat intelligence is “the art of taking the adversary by surprise.” In fact, anticipating, mitigating, and preventing cyberattacks is the primary mission of a practical threat intelligence program. Achieving this goal requires a proactive approach; one that answers critical questions like the following: Which threat actors are ...

Jeffrey Appel

Microsoft Defender for Endpoint series – integrations with other products – Part 7 | Microsoft Defender for Endpoint series – Validate Defender protection and additional troubleshooting – Part 6 | Microsoft Defender for Endpoint series – Defender Vulnerability Management – Part 5 | Microsoft Defender for Endpoint series – Attack Surface reduction and additional protection – Part 4B ...

Josh Liburdi

Robots working on an assembly line, generated by AI. This is an in-depth post that describes the Brex Detection and Response Team’s approach to managing and automating security alerts at scale, and we hope that it inspires other teams in the industry to take their security alert management to the next level using automation! This post covers the following topics; feel free to jump around and reference them as needed: What Is Alert Management? Requirements for Scaling Alerts Blueprint for a Loosely Co...

Andrew Shelton at K7 Labs

Posted by Andrew Shelton January 23, 2023 Fake Applications, Stealer Trojan Information Stealers going Incognito on Google Ads By Andrew Shelton January 23, 2023 It is not new for threat actors to abuse online advertising networks for their malvertising campaigns. But recently, we have seen a huge rise in threat actors abusing Google Ads to spread fake versions of legitimate applications loaded with various stealer malware. We have seen a large number of legit application websites ty...

Karthickkumar Kathiresan and Shilpesh Trivedi at Uptycs

The Titan Stealer: Notorious Telegram Malware Campaign - Uptycs Written by: Karthickkumar Kathiresan Research by: Karthickkumar Kathiresan and Shilpesh Trivedi The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers ...

Luke Leal

2023-01-23 :: Luke #Mister Spy #MisterSpyx #3xPr1nc3 #Beast3x #Zombi Bot #Mister Spy Bot #JEX Bot #Anonymous Fox #backdoor #threat actor #opsec #WordPress #PHP #Python Outline Mister Spy’s Origin Mister Spy Bot How It Works Mister Spy = Moetaz Brayek Mister Spy’s Origin Mister Spy started out with defacing websites in the late 2010s and between 2019-2022 they’ve claimed an impressive ~19,000 defacements as seen on their Zone-H profile. Their associated GitHub profile, MisterSpyX, even boasts th...

Bill Cozens at Malwarebytes Labs

Posted: January 26, 2023 by Bill Cozens In this article, we’ll arm you with five facts about Vice Society so you can get the upper hand against this persistent education sector threat. Move over Lockbit, there's a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society. Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. Th...

Govand Sinjari and Andy Morales at Mandiant

Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations Govand Sinjari, Andy Morales Jan 26, 2023 16 min read Threat Research Managed Defense Malware Since January 2021, Mandiant Managed Defense has consistently responded to GOOTLOADER infections. Threat actors cast a widespread net when spreading GOOTLOADER and impact a wide range of industry verticals and geographic regions. We currently only attribute GOOTLOADER malware and infrastructure to a group we track as UNC2565, and we be...

Matt Suiche at Magnet Forensics

This memory analysis post is authored by Matt Suiche (Director, Memory, IR & R&D). On November 17, 2022, Bitcoin Core developer, Luke Dashjr, reported on his Mastodon account that an unauthorized user had accessed his Linux server. This resulted in a targeted cryptocurrency heist, as well as the theft of his PGP key, as disclosed in a Mastodon message on January 1, 2023. In this post, we’ll explore the breach and share some tactics, techniques, and best practices when dealing with this type of s...

Fernando Ruiz at McAfee Labs

The Rise and Risks of AI Art Apps McAfee Labs Jan 25, 2023 7 MIN READ Authored by Fernando Ruiz The popularity of AI-based mobile applications that can create artistic images based on pictures, such as the “Magic Avatars” from Lensa, and the OpenAI service DALL-E 2 that generates them from text, has increased the mainstream interest in these tools. Users should be aware of those seeking to take advantage to distribute Potentially Unwanted Programs (PUPs) or malware, such as through deceptive appl...

Nati Tal at Guardio

“StreamJacking” - Hijacking Hundreds of YouTube Channels Per Day Propagating Elon Musk Branded Crypto Giveaway Scams By Nati Tal (Guardio Labs) “StreamJacking” is the latest evolution of a crypto scam circulating for several years now, this time as a complex campaign with hundreds of YouTube channels hijacked each day, pushing fake streams and scam pages that snitch Millions of USD worth of crypto funds in a pro-level of crypto laundering operation. In this write-up, we will shine a light on YouTub...

Mike Harbison and Jen Miller-Osborn at Palo Alto Networks

12 min. read By Mike Harbison and Jen Miller-Osborn January 26, 2023 at 6:00 AM Category: Malware Tags: Black Basta ransomware, brute ratel c4, Cortex XDR, GootLoader, incident response, PlugX, WildFire Executive Summary Recently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim's machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX ma...

Proofpoint

TA444: The APT Startup Aimed at Acquisition (of Your Funds) January 25, 2023 Greg Lesnewich and the Proofpoint Threat Research Team Key Takeaways TA444 is a North Korea state-sponsored threat actor that tested numerous infection methods in 2022 with varying degrees of success. TA444 is a unicorn among state-aligned actors as its primary operations are financially motivated, and their infection chains are often a microcosm of the cybercrime threat landscape at large. Whil...

Daniel Smith at Radware

Recorded Future

Posted: 26th January 2023 By: Insikt Group® Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF. Executive Summary ChatGPT is a chatbot developed by OpenAI, an artificial intelligence (AI) laboratory based in the US, which uses the GPT-3 family of autoregressive (AR) language models. ChatGPT launched on November 30, 2022, and has been subject to widespread attention. Among the potential advantages of ChatGPT, we...

Posted: 27th January 2023 By: Insikt Group® Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF. Executive Summary BlueBravo is a threat group tracked by Recorded Future’s Insikt Group that overlaps with the Russian advanced persistent threat (APT) activity tracked as APT29 and NOBELIUM. APT29 and NOBELIUM operations have been previously attributed to Russia’s Foreign Intelligence Service (SVR), an organization ...

SANS Internet Storm Center

Kristen Cotten at Scythe

AWS CLI & S3 Buckets by Kristen Cotten January 26, 2023 The cloud and organizations’ migration to cloud infrastructure have fast-tracked digital change over the past several years. Boasting reliability and flexibility, cloud services are an appealing choice for many businesses but do not come without additional complexity and security concerns. Cloud security misconfigurations can be one of the biggest causes of data breaches these days. A recent Trend Micro study reports that 65 to 70% of all...

Secureworks

Abraham's Ax Likely Linked to Moses Staff Research & Intelligence Both personas are likely operated by the Iranian COBALT SAPLING threat group. Thursday, January 26, 2023 By: Counter Threat Unit Research Team Secureworks® Counter Threat Unit™ (CTU) researchers investigated similarities between the Moses Staff hacktivist group persona that emerged in S...

Security Intelligence

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking. Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up. How Caf...

Kronos Malware Attack in Mexico The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious chrome extension called “Seguridad” (Security). This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions. The Kronos malware utilizes a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware will initiate a call...

Do you know what to look for and where to look? Here are five rules for threat-hunting success: 1. Collect logs from key areas. Logs are critical to threat hunting. Collect logs from your key areas, including switches, routers, firewalls, proxies, web servers, applications, operating system events, PowerShell commands, audits and EMETs. You don’t have to send them to your SIEM but at least consider writing them to disk. 2. Monitor network data. Know your environment’s data ingress and egress poi...

Anusthika Jeyashankar at Security Investigation

Free Ransomware Decryption tool -No More Ransom How to Remove Database Malware from Your Website Most Common Malware Obfuscation Techniques Web Malware Removal | How to Remove Malware From Your Website? IOC WEBBFUSCATOR Campaign New TTPS – Detection & Response Remcos RAT New TTPS – Detection & Response Malicious PowerPoint Document Spreads with New TTPS – Detection & Response CVE-2017-0199 – Old Flaws New Techniques Raccoon Infostealer Malware Returns with New TTPS – Detection & Response Mitre A...

Securonix

Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection Threat Research By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov Figure 1: PY#RATION payload Introduction The Securonix Threat Research Team has identified a new Python-based attack campaign (tracked by Securonix as PY#RATION) in the wild. The malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affe...

Threat Research In our advisory, we detailed how the new PY#RATION attack campaign works. C2 communication is stealthy and detecting it might prove relatively difficult as many business applications leverage the WebSocket protocol to establish communication. Given the plethora of evasion techniques present in the malware, we have provided recommendations and mitigation techniques below for Securonix customers. Figure 1: PY#RATION v1.6.0 VirusTotal detections PY#RATION – MITRE ATT&CK techni...

Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich at SentinelLabs

Aleksandar Milenkoski / January 24, 2023 By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich Executive Summary SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark. SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks. The attacks provide evidence that Chinese-speaking threat actors are adopting the little known open source tool SparkRAT. The threat actors use Golang ma...

Ahmed Khlief at Shells.Systems

APT-HUNTER V3.0 : Rebuilt with Multiprocessing and new features Posted on 2023-01-25 / 2023-01-29 by Ahmed Khlief Estimated Reading Time: 2 minutes Since the last release I was working on new features and on increasing the processing speed for a large number of Windows event log files, so I rebuilt the tool to use multiprocessing and added more features that will help you in your next investigation. Download from here : //github.com/ahmedkhlief/APT-Hunter/releases/tag/V3.0 APT-HUNTER V3.0 Features New use c...

SOC Fortress

Integrate SIGMA rule detection into your SIEM for advanced rule detection capabilities World’s Best FREE SIEM Stack Series Intro Throughout this series we have been relying on Wazuh rules to serve as our detection engine when it comes to spotting malicious activity occurring on our endpoints. While Wazuh gives us the ability to create complex rules for detection, there are other mechanisms we can add onto the stack, such as Sigma rules and Praeco. Throughout this post we explore what Sigma rules are...

SOCRadar

Splunk

By Splunk Threat Research Team January 26, 2023 On September 28th it was disclosed by GTSC that there was a possible new zero day being abused in the wild beginning in early August. Although this campaign looked very similar to the previously abused vulnerability in Microsoft Exchange, dubbed ProxyShell at the time, comprising 3 CVEs (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that when combined enabled an adversary to gain remote access to an Exchange PowerShell session that may ...

Stefan P. Bargan at System Weakness

The Evolution of Cybercrime Groups The volatility of the ransomware landscape is exemplified by the emergence and dissolution of groups like Conti. These organizations are transient and often have connections to one another. It’s worth noting that many threat actors have migrated from one group to another, such as Conti actors joining BlackBasta and BlackByte. It’s impossible to predict which group will dominate in the coming year, but we can certainly identify three groups that are likely to be ...

Team Cymru

Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations Key Findings NoName057(16) is a pro-Russian hacktivist operator / group, which has claimed responsibility for repeated Distributed Denial of Service (DDoS) attacks against entities in perceived anti-Russian countries since March 2022. NoName057(16)’s back-end infrastructure is hosted in Russia and likely operated by individual(s) with experience in systems design / maintenance. DDoS attack targeting instructions inclu...

Tenable

Security Response Team | Cyber Exposure Alerts January 27, 2023 | 3 Min Read Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy Sandworm, the Russian-backed APT responsible for NotPetya in 2017, has recently attacked a Ukrainian organization using a new wiper, SwiftSlicer. Background On January 27, ESET Research published a thread on Twitter discussing its analysis of a new wiper malware used in a cyberattack in Ukraine. This new malware, dubbed "SwiftSlicer", was...

Teri Radichel

ACM.143 Preventing an attacker from creating a backdoor user in your cloud account This is a continuation of my series on Automating Cybersecurity Metrics. I have been thinking about the CreateUser escalation problem I wrote about for days. Attackers get ahold of credentials and create back door users in cloud accounts to maintain persistent access. In addition, a rogue insider could potentially leverage their permissions to perform unauthorized actions. Backdoors and Privilege Escalation Via Cloud...

Ieriz Nicolle Gonzalez, Paul Pajares, Arianne Dela Cruz, and Warren Sto.Tomas at Trend Micro

Vice Society Ransomware Group Targets Manufacturing Companies In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. By: Ieriz Nicolle Gonzalez, Paul Pajares, Arianne Dela Cruz, Warren Sto.Tomas January 24, 2023 Updated on January 26, 2023 to remove references to K...

Kevin Clark at TrustedSec

Operator’s Guide to the Meterpreter BOFLoader January 24, 2023 By Kevin Clark in Application Security Assessment, Incident Response, Incident Response & Forensics, Penetration Testing, Research, Security Testing & Analysis 1.1 Introduction Recently, a few friends and I decided to port my coworker Kevin Haubris’ COFFLoader project to Metasploit. This new BOFLoader extension allows Beacon Object Files (BOFs) to be used from a Meterpreter session. This addition unlocks many new possibilities f...

Unveiled Security

ttheveii0x Cybersecurity, Threat Intelligence January 24, 2023 9 Minutes Originally posted August 1, 2022 By ttheveii0x on Security Risk Advisors blog UPDATED: January 24, 2023 Establishing Threat Intelligence Requirements should be one of the first things organizations do when starting a Cyber Threat Intelligence (CTI) program. It is possible to establish CTI requirements with a CTI program already in place. Threat intelligence requirements provide the goals and objectives for ...

WeLiveSecurity

Sandworm continues to conduct attacks against carefully chosen targets in the war-torn country Editor 27 Jan 2023 - 06:45PM ESET researchers have uncovered a new wiper attack in Ukraine that they attribute to the Sandworm APT group. Dubbed SwiftSlicer, the destructive malware was spotted on the network of a targeted organization on January 25th. It was deployed through Group Policy, which suggest...