Analysis Notes

A place to jot down notes from my own malware analysis and anything that looks useful for analysis. This site uses Google Analytics.

4n6 Week 7 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be zapped through quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Aaron Goldstein at Todyl

Aaron Goldstein | 2023-02-07 | 5 min read Threat hunting is a crucial element of a strong security program. Automated security tools are not 100 percent effective against threat actors’ TTPs (tactics, techniques, and procedures) that continuously evolve, so human threat hunters add a critical layer of protection to earlier identification and detection of threats. Threat hunting takes many different forms and is an often-used marketing buzzword, making it difficult to understand exactly what the ...

Andrea Bocchetti at System Weakness

Zeek, also known as Bro, is an open-source network security analysis framework. It provides a comprehensive platform for performing network traffic analysis, including capturing and analyzing network traffic, identifying security threats, and generating reports. Zeek is used by network administrators and security professionals to detect and respond to security incidents and to analyze network traffic for network performance and optimization. RITA (Real Intelligence Threat Analytics) is an open-so...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Malvertising, North Korea, Proxying, Russia, Typosquatting, Ukraine, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the thre...

by Joe Ariganello Introduction In today's digital age, the threat of cyber-attacks is greater than ever. Traditional security operations, which have focused on reactive measures such as patching vulnerabilities and responding to breaches, are no longer sufficient to meet the challenges of the modern threat landscape. As a result, security organizations are shifting their focus to proactive measures to stay ahead of emerging threats. This shift towards proactive security operations is the focus of ...

Antoine Cailliau

Feb 10, 2023 In this post, we’ll explore how files get stored in a Vertex Axon and recorded on the Vertex Synapse platform. The Axon is a tool for storing binary data securely within the Synapse framework; it indexes binaries using SHA-256 hash so that no duplicate storage occurs. By default, blobs are stored inside an LMDB Slab. I created this post to gain a more extensive comprehension of file uploads, allowing me to rebuild the feature within my custom Telepath client in C#. In a following bl...

Feb 3, 2023 In this blog post, I will provide insight into tracking organizations using the Vertex Synapse system. This centralized intelligence platform will store all important data and intelligence. The core component of the system is open source. Structured data and data modeling enables us to gain a deeper comprehension of the world and how it works. We can query our system to uncover correlations, retrieve information or create statistics, warnings, etc. In Synapse, for example, I model or...

AttackIQ

Avast Threat Labs

Avertium

Flash Notice: Beware - QakBot Group Infects Microsoft's OneNote with QakNote Malware February 10, 2023 Overview This week, security professionals are seeing an increase in malware campaigns impacting Microsoft’s OneNote – a note sharing component of Microsoft Teams. The group TA577 or QakBot has been distributing malware to infect systems via OneNote files since January 31, 2023. The malware campaigns have been named QakNote and they are actively making their way through various organizations. T...

Blackberry

NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool RESEARCH & INTELLIGENCE / 02.09.23 / The BlackBerry Research & Intelligence Team Summary A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims. The at...

Brad Duncan at Malware Traffic Analysis

2023-02-07 (TUESDAY) - ONENOTE FILE PUSHES UNIDENTIFIED MALWARE REFERENCE: I originally thought this was Matanbuchus, but it appears to be a new malware family. Initial tweet: //twitter.com/Unit42_Intel/status/1623349272061136900 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-02-07-IOCs-for-unidentified-malware.txt.zip 1.9 kB (1,874 bytes) 2023-02-07-malspam-for-unidentified-malware-1158-UTC.eml.zip 104.3 kB (...

Carly Battaile at Aon

Bypassing MFA: A Forensic Look at Evilginx2 Phishing Kit Is MFA Enough? Recently, Stroz Friedberg Incident Response Services encountered an uptick in compromises where multi-factor authentication (“MFA”) was not effective in keeping the threat actor out of the environment. Attack patterns to bypass MFA have been around for years, but some methods are becoming increasingly mainstream due to the increase in organizations adopting and implementing MFA. While there are doze...

Censys

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 04 – 10 February 2023 10/02/2023 Summary This week, CERT-AgID detected and analysed, within the Italian scenario it monitors, a total of 25 malicious campaigns, 23 of which had Italian targets and 2 of which were generic but nonetheless involved Italy, making the 425 related indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types...

Check Point Research

CISA


Cisco’s Talos

By Cisco Talos Monday, February 6, 2023 08:02 2022YiR Year In Review The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, which increased in scope and intensity in 2022. This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022. Download the ransomware and loader summary report. Visit the Year ...

By Madison Burns Wednesday, February 8, 2023 14:02 2022YiR Year In Review Did you miss our livestream covering the ransomware and commodity loader section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Aliza Johnson, Azim Khodjibaev, and Nick Biasini as they discuss Talos' findings and experiences monitoring ransomware and commodity loaders in 2022. Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts. New cont...

Threat Source newsletter (Feb. 9, 2023): Don't let criminals exploit your empathy By William Largent Thursday, February 9, 2023 14:02 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person it’s always difficult to try to find impactful ways to help peop...

By Vitor Ventura Thursday, February 9, 2023 08:02 On The Radar Active defense a key approach to protecting against major threats Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malici...

CTF导航

Advanced syntax guide for the YARA matching engine Penetration techniques 3 days ago admin Preface Anyone with detection experience is probably already familiar with the YARA matching engine, and the Kanxue forum also has a very detailed translated article - Writing YARA rules to detect malware. This article mainly translates and summarizes the parts of the YARA documentation that are easily overlooked, and gives some examples of advanced usage to deepen understanding of YARA matching engine syntax. Reference documentation: //yara.readthedocs.io/en/v4.2.3/writingrules.html Matching strings YARA match strings can take several modifiers, summarized as follows (keyword / supported string types / summary / restrictions): nocase / text, regular expressions / ignores case / cannot be combined with xor, base64, or base64wide; wide / text, regular expressions / emulates UTF-16 by interleaving null (0x00) bytes / none; ascii / text, regular expressions / matches ASCII characters, only needed when wide is also used / none; xor / text / matches text strings XORed with a single-byte key / cannot be combined with nocase, base64, or base64wide; base64 / text / base64-encoded string (...

Reza Rafati at Cyberwarzone

6 days ago Reza Rafati In today’s digital world, online security is more important than ever. With the growing number of cyber attacks and threats, it is essential to have tools that can help detect and prevent malware, viruses, and other malicious software. VirusTotal is one such tool that has become increasingly popular among individuals, system administrators, and security researchers. In this article, we’ll take a look at what VirusTotal is and how it can help you keep your devices and syste...

Cyble

February 6, 2023 ESXi Args Ransomware Outbreak Affects Over 1,000 Servers On February 3rd, CERT-FR warned users about a ransomware attack targeting VMware ESXi servers to deploy ESXi Args Ransomware. The report also stated that the Threat Actors (TAs) were leveraging a two-year-old vulnerability tracked as CVE-2021-21974. According to VMware, ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG contain a heap overflow vulnerability in OpenS...

February 9, 2023 Royal Ransomware Expands to Linux Platforms, Targets ESXi Servers Royal ransomware was first identified in early 2022 and was found to be targeting Windows machines. The Threat Actors (TAs) initially relied on third-party ransomware such as BlackCat and Zeon ransomware, but later in September 2022, they began using new and unique code. By November 2022, Royal ransomware had become the most widespread ransomware in the wild, surpassing Lockbit as the top ransomware for the first ...

Daniel Chronlund

Microsoft 365 Data Exfiltration – Attack and Defend Daniel Chronlund Cloud, Graph, Microsoft, Microsoft 365, Security February 9, 2023 (updated February 10, 2023) 3 Minutes Attackers are turning their eyes towards the cloud, and since heavy data exfiltration is now part of any ransomware attack, I wanted to create an eye-opening PoC of how bad app permissions in Azure AD / Microsoft Graph can be used as part of such an attack. I’ve added a new tool to my DCToolbox PowerShell module called Invoke-DCM365DataE...

Darktrace

10 Feb 2023 In the latter half of 2022, Darktrace observed a rise in Vidar Stealer infections across its client base. These infections consisted of a predictable series of network behaviors, including usage of certain social media platforms for the retrieval of Command and Control (C2) information and usage of certain URI patterns in C2 communications. In this blog post, we will provide details of the pattern of network activity observed in these Vidar Stealer infections, along with detai...

Dragos

By Dragos, Inc. 02.06.23 The Dragos Platform receives regular updates through Knowledge Packs which include enhancements to threat detections, protocol support, asset visibility, and response playbooks to equip customers with better OT visibility in their environments and the tools to respond. Each Knowledge Pack contains the latest insight from Dragos intelligence teams, streamlining the detection of devices and potential malicious activity across industrial netw...

By Dragos, Inc. 02.10.23 In the previous blog in this series, we covered the foundational elements that make up Neighborhood Keeper, as well as how the information-sharing program fits into the broader context of Cyber Threat Intelligence (CTI). As we move through the rest of the series, we’ll be taking a more in-depth look at many of the topics and concepts previewed in the initial overview. This installment focuses on analyzing trends observed in the Neighborhoo...

Edward Hawkins at VMware Security

Erik Hjelmvik at Netresec

CapLoader 1.9.5 was released today! The most important addition in the 1.9.5 release is the new Alerts tab, in which CapLoader warns about malicious network traffic such as command-and-control protocols. The alerts tab also shows information about network anomalies that often are related to malicious traffic, such as periodic connections to a particular service or long running sessions. Other additions in this new version are: BPF support for “vlan” keyword, for example “vlan”, “not vlan” or “vl...

Esentire

Blog — Feb 10, 2023 TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU) OneNote Payload Smuggling: Multiple Threats Leverage OneNote to Deliver Malware 8 minutes read Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate,...

Flashpoint

A new advisory outlines the TTPs state-sponsored DPRK cyber threat actors use to hold organizations ransom. Here’s our guidance on ransomware prevention, readiness, and response. Flashpoint Team February 10, 2023 Table of Contents: New DPRK cybersecurity advisory; Preventing an attack; Patching vulnerabilities, security flaws; Gaining visibility into illicit marketplaces, obfuscation services; Ready, set, respond. New DPRK cybersecurity advisory Multiple US government a...

GreyNoise

Exploit Vector Analysis of Emerging ‘ESXiArgs’ Ransomware Matthew Remacle February 8, 2023 Vulnerabilities GreyNoise Labs GreyNoise Research Wow do I hate ESXi Threat Intel (right now) In recent days CVE-2021-21974, a heap-overflow vulnerability in VMware ESXi’s OpenSLP service, has been prominently mentioned in the news in relation to a wave of ransomware affecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do no...

Nick Roy February 10, 2023 GreyNoise Use Cases How often do you find yourself asking “is this targeting me or just opportunistically exploiting parts of the internet?” Whether this has happened to you once or happens every single day, you probably spent too much time trying to figure out the answer. At GreyNoise we help our customers answer this question and many more. Here are the top 6 ways we can help threat hunters improve their investigations. Wildcard and Boolean Searches The GreyNoise Query...

Haircutfish

Haircutfish Feb 11 · 8 min read TryHackMe Brim — Task 4 Default Queries & Task 5 Use Cases If you haven’t done tasks 1, 2, & 3 yet, here is the link to my write-up of them: Task 1 Introduction, Task 2 What is Brim?, & Task 3 The Basics. Getting the VM Started Click the green button labeled Start Machine, at the top of Task 1. The screen should split in half; if it doesn’t, go to the top of the page. You will see a blue button labeled Show Split View, click this button. The screen should be split now,...

Joe Slowik at Huntress

Summary On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA...

Intel471

Feb 08, 2023 Starting around Feb. 3, 2023, thousands of servers running older versions of VMware’s ESXi hypervisor were attacked in an aggressive, automated ransomware campaign. Ransomware groups have targeted VMware’s software before, but this attack was the largest mass attack against ESXi to date. The attack is continuing, although the number of infected servers is falling. The ransomware strain was dubbed ESXiArgs by the research community, as it targets ESXi virtual machines and creates fil...

Jason Hill at Varonis

Jason Hill | 10 min read | Last updated February 7, 2023 Servers running the popular virtualization hypervisor VMware ESXi have come under attack from at least one ransomware group over the past week, likely following scanning activity to identify hosts with Open Service Location Protocol (OpenSLP) vulnerabilities. Specifically, reports suggest that threat actors have been taking advantage of unpatched systems vulnerable to CVE-2020-3992 and CVE-2021-21974 that, when exploited, can allo...

Jeremy Wiedner at Cybersecurity Tid-Bytes

Posted by cyb3rsheepdog February 6, 2023 Posted in Security Analysis, Threat Intel Tags: CTI, Cyber Threat Intelligence, Cybersecurity, Cybersecurity Game, InfoSec, Intrusion Analysis, KC7, Learn Cybersecurity, Threat Intel In my previous post KC7 – Intrusion Analysis I introduced it, why it is cool and a great resource for those wanting to get some hands-on experience in Intrusion Analysis and Threat Intel with realistic data in a tool that actual security professionals would use. I t...

KC7 – Intrusion Analysis – Data Customization Posted by cyb3rsheepdog February 8, 2023 Posted in Security Analysis, Threat Intel Tags: #malware, CTI, Cybersecurity, Cybersecurity Analysis, Cybersecurity Game, InfoSec, Intrusion Analysis, KC7, Learn Cybersecurity, Threat Intel In my first post, KC7 – Intrusion Analysis, about KC7 I went over setting up the server to generate your own realistic randomized data and how to upload it into your Azure Data Explorer Cluster. I then introduced the KC7 – Scoreb...

Kaitlin McIntyre at Lumen

Kaitlin McIntyre Posted On February 6, 2023 Defenders are under enormous pressure to keep pace with attack trends, and as 2023 progresses, it’s essential to look back at the previous year and think about how we can prepare for the future. At Lumen, we glean insights from our network, security operations centers and our threat intelligence team, Black Lotus Labs, and more. Their mission is to leverage the unmatched visibility that the Lumen global backbone pr...

Keith McCammon at Red Canary

Lab52

Louis Mastelinck

Azure Active Directory, Exchange Online, Microsoft Defender for Office, Microsoft Sentinel Who changed my security baseline? Configuring your tenant with correct security policies that match the needs of your company or customer takes time and effort. But once everything is in place you can sleep on both ears… right? Unless other admins change the security baseline behind your back. This isn’t necessarily with bad intentions. Security policies are often changed because somebody is troubleshootin...

Malwarebytes Labs

Posted: February 8, 2023 by Threat Intelligence Team Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in January 2023, and looks at LockBit's newest encryptor. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfull...

Merav Bar at Wiz

Recent attacks leverage CVE-2021-21974 to install ransomware on VMware ESXi servers. Security teams are advised to patch and stay vigilant for indicators of compromise. Merav Bar February 7, 2023 2 min read Contents: What is CVE-2021-21974?; Wiz Research data: what’s the risk to cloud environments?; What sort of exploitation has been identified in the wild?; Indicators of compromise; Which products are affected?; What actions should security teams take?; References. On February 3rd, 2023, rese...

Microsoft Security

Microsoft Security Experts Microsoft Detection and Response Team (DART) Our story begins with eight Microsoft Detection and Response Team (DART) analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known as NOBELIUM had bypassed authentication checks and impersonated users to gain access ...

Microsoft’s ‘Security, Compliance, and Identity’ Blog

Nozomi Networks

by Nozomi Networks Labs Feb 7, 2023 Comprehensive research is required to create the best detection rule for a new vulnerability or threat. But what does ‘best’ mean? Well, the interpretation of ‘best’ depends on what we know about the vulnerability, but sometimes key information may not be available. Therefore, to develop accurate detection rules that can track malicious activity, you must search for this information in non-traditional areas, like the binary code of malicious tools. ...

Rintaro Koike at NTT Security Japan

Ryu Hiyoshi February 8, 2023 Today's article is by SOC analyst Rintaro Koike. --- Since early January 2023, incidents in which malware is downloaded via Google Ads have surged at multiple Japanese companies. Many attack campaigns have been observed, including ones distributing IcedID and Aurora Stealer, but those carried out by the attack group we call SteelClover are especially numerous. This article shares the latest trends in SteelClover's attacks, drawn from the recently observed cases of malware distribution via Google Ads. SteelClover SteelClover is an attack group active since at least 2019 that carries out attacks for financial gain. It is the group behind the attack campaign known as Malsmoke [1][2][3][4], and Batload...

OALABS Research

What is Yara and how is it used Feb 9, 2023 • 4 min read yara tutorial Contents: Overview; Rule Syntax Overview; There Be Dragons!; Using Yara Rules for Identifying Malware (Threat Intel); Rules Used Like AV Signatures; Rules Used Exclusively For Hunting; Testing; Questions; Custom Yara Engines; Some Fun Hunting PDB Paths. Overview A Yara rule is basically just a set of rules used to match some features in a file (binary). The Yara scanning tool can then take these rules and scan a set of files, identifying files tha...

Olaf Hartong at Falcon Force

Microsoft Defender for Endpoint Internals 0x04 — Timeline telemetry This blog has been in draft for quite some time and for no particular reason it was never published. A recent tweet rekindled my desire to share more details about our learnings in working with MDE at large scale for many clients. In previous blogs in this series I’ve spoken about how MDE gets its telemetry and how it stacks up against Sysmon. Which audit settings it relies on and which, if not configured correctly, might give yo...

Rajaram Sivasankar at IronNet

By Rajaram Sivasankar, IronNet VP of Product Management Feb 6, 2023 A few months ago, Google Cloud shared that it has identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect specific versions of Cobalt Strike more likely to be leveraged by threat actors. The goal behind Google Cloud’s research is to make Cobalt Strike “harder for bad guys to abuse,” and IronNet believes a proactive approach to Cobalt Strike server detection is key in this community effort. D...

Christiaan Beek at Rapid7

Feb 09, 2023 5 min read Rapid7 Last updated at Thu, 09 Feb 2023 16:07:38 GMT By Christiaan Beek, with special thanks to Matt Green. DLL search order hijacking is a technique used by attackers to elevate privileges on the compromised system, evade restrictions, and/or establish persistence on the system. The Windows operating system uses a common method to look for required dynamic link libraries (DLLs) to load into a program. Attackers can hijack this search order to get their malicious payload ex...

Red Alert

Monthly Threat Actor Group Intelligence Report, December 2022 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analyzed on the basis of data and information collected by the NSHC ThreatRecon team from 21 November 2022 to 20 December 2022. In December, activity by a total of 24 hacking groups was confirmed; the SectorA and SectorJ groups were the most active at 26% each, followed by the SectorC and SectorE groups. The hacking activity discovered this December most often targeted personnel or systems in government ministries and the information and communications industry, and by region the most activity was directed at countries located in Europe and East Asia. 1. Characteristics of SectorA group activity This December, activity by a total of 4 hacking groups...

Threat Actor targeting Vulnerable Links in Cyber Security Overview There is a Scottish proverb, “A chain is only as strong as its weakest link.” It means that however sturdily a chain is made, if a weak link exists in it, the chain can no longer be a strong chain. Like the chain in the proverb, security also has weak links. Even the most robust security system inevitably has a weak link, and since a single vulnerability aimed at that weak link can shake the entire security system, security organizations must stay alert to vulnerabilities. Most software vulnerabilities are defined and classified through the CVE (Common Vulnerabilities and Exposures) system. Looking at the trend in vulnerabilities discovered over the last five years, the number of vulnerabilities, which was about 200,000 in 2019, has since 2020...

Safebreach

SANS Internet Storm Center

Sansec

7th February 2023 Web Skimming / Sansec Threat Research What is Magecart? Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time? About Magecart Sansec discovered that one in nine online stores accidentally e...

Security Art Work

6 February 2023 By Joan Soriano During the last quarter of 2022, the Lab52 team carried out an in-depth analysis of the threats active during the period, drawing on information from both public and private sources and supported by a study of the geopolitical context with a view to anticipating possible campaigns. Below is the report for the quarter, which includes the main trends of the period together with the analysi...

Securonix

Threat Research By Securonix Threat Labs, Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov Figure 1: Hoaxshell payload found in the wild (pastebin.com) Introduction By now, news about the elusive Hoaxshell and associated Villain framework has been making waves across cybersecurity news channels. What makes Hoaxshell interesting is the unique way connections are constructed from the infected host to the C2 server. It’s this unique design that makes detection quite difficult compared to a tr...

Tom Hegel at SentinelOne

February 9, 2023 by Tom Hegel Advertising is an integral part of the modern digital economy, providing businesses with the opportunity to reach a large and diverse audience. However, malicious actors are taking advantage of the ubiquity of online advertising to spread malware, phishing scams, and other forms of malicious content. In recent weeks, Google Ads, one of the largest online advertising platforms, has become a popular target for these types of attacks. In this analysis, we examine r...

SOCRadar

Jonathan Johnson at SpecterOps

Introduction Creating detections can be challenging. There often isn’t a “simple” way to detect something, and once we see an event that seems to correlate with the activity we are looking for, it is easy to become fixated. We create that detection and move on. However, what if other telemetry sources had helped provide a different context to that action of interest? Could we have created multiple detections with various telemetry sources to provide better coverage? If a telemetry source can be “...

Splunk

By Splunk Threat Research Team February 09, 2023 Internet Information Services (IIS) is a commonly used web server produced by Microsoft to assist organizations of all sizes to host content publicly or internally, including on premise SharePoint or Exchange. IIS modules are like building blocks: modules may be added to the server in order to provide the desired functionality for applications. Installation is done by using one of three methods on Windows - the IIS interface, AppCmd.exe and...

Symantec

Russia-linked Nodaria group has deployed a new threat designed to steal a wide range of information from infected computers. The Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files. The earliest evidence of Graphiron dates from Oct...

Threatmon

Trend Micro

Risk Management Ransomware Revolution: 4 Types of Cyber Risks in 2023 The ransomware business model is poised to change. These four predictions could help to keep your organization secure from new forms of cyber extortion. By: Trend Micro February 09, 2023 Security leaders and CISOs have been protecting their organizations from ransomware for decades, adapting with changes in technology to defend against...

TrustedSec

ESXiArgs: What you need to know and how to protect your data February 7, 2023 By Ashley Pearson, Nick Gilberti, Tyler Hudak, Liz Waddell, Justin Vaicaro, Steven Erwin, Shane Hartman, Olivia Cate and Thomas Millar in Incident Response, Incident Response & Forensics, Threat Hunting Threat Overview Around February 03, 2023, a ransomware campaign called “ESXiArgs” emerged that targeted Internet-facing VMware ESXi servers running versions older than 7.0. Though not confirmed, it has been reported by ...

ESXiArgs: The code behind the ransomware February 8, 2023 By Scott Nusbaum in Incident Response, Incident Response & Forensics 1 Deep Dive into an ESXi Ransomware TrustedSec’s Nick Gilberti wrote a great blog covering the ESXi ransomware’s shell script here. However, in this blog, we are going to dive a little deeper into the code behind this ransomware. The sample ransomware discussed was acquired from VirusTotal and Bleeping Computers forum. The following is a list of the parts of the malware,...

Karthickkumar Kathiresan at Uptycs

Written by: Karthickkumar Kathiresan The Uptycs threat research team has recently identified an attack campaign that uses Stealerium, a type of stealer malware. It’s delivered through Microsoft Office attachments containing malicious macros. Once activated, it’s capable of stealing sensitive information such as network information, system information, screenshots and login credentials for cryptocurrency wallets. In general, stealer malware is used by cybercriminals focused on pilfering account c...

Roman Kovac at WeLiveSecurity

A view of the T3 2022 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts Roman Kovac 8 Feb 2023 - 11:30AM In 2022, an unprovoked and unjustified attack on Ukraine shocked the world, bringing devastating effects on the country and its population. The war continues to impact everything from energ...