Analysis Memo

A place to note things from my own attempts at malware analysis and things that seem useful for analysis.

4n6 Week 10 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to display the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles to check can be skimmed through. 4n6 can be viewed here.

THREAT INTELLIGENCE/HUNTING

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats d...

AttackIQ

Augusto Barros at Securonix

Threat Research Share By Augusto Barros, VP, Cyber Security Evangelist PY#RATION is a new campaign uncovered by the Securonix Threat Labs team. The team identified back in August 2022 what seemed to be the version 1.0 of the malware used in this campaign. Since then the code has been updated multiple times and it’s currently in its 1.6.0 version. The malware exhibits remote access trojan (RAT) behavior, allowing for control of, and persistence on, the affected host. As with other RATs, PY#RATION...

Avertium

March 1, 2023 Executive Summary While reviewing SSH scanning activity, it was identified that a block of approximately 50 IP addresses were responsible for 42% of scanning activity over a two-month period. These IP addresses were all assigned to ChinaNet Jiangsu Province Network and fall within a /23 CIDR block. Following further investigation, it was found that this scanning was used to identify SSH servers, which were then subjected to brute-force password attacks against the root account. If ...

Bitdefender

MDR Insights - Patch all the things! Ask any security professional what their advice is to organizations and patching is usually at the top of the list. Look, we get it, it’s not easy to do. Patching can interfere with productivity, slowing down or interrupting the primary business functions. Patching costs money, requires time, planning, and is usually done at late hours or over the weekend. In a recent discussion amongst our Security Operations Center (SOC) analysts, we discovered i...

Bitdefender February 28, 2023 A new decryptor for the MortalKombat ransomware is now available for download. Bitdefender has been monitoring the MortalKombat ransomware family since it first appeared online in January this year. Based on the Xorist ransomware, MortalKombat spreads through phishing emails and targets exposed RDP instances. The malware gets planted through the BAT Loader that also delivers the Laplas Clipp...

Blackberry

Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities RESEARCH & INTELLIGENCE / 02.27.23 / The BlackBerry Research & Intelligence Team Summary APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and ...

Bill Toulas at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-03-02 (THURSDAY) - RIG EK --> MALWARE LOADER --> REDLINE STEALER NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-02-IOCs-for-RigEK-to-loader-to-Redline-Stealer.txt.zip 0.8 kB (852 bytes) 2023-03-02-RigEK-to-malware-loader-to-Redline-Stealer.pcap.zip 3.7 MB (3,699,749 bytes) 2023-03-02-RigEK-and-Redline-Stealer-malware-and-artifacts.zip 1.0 MB (1,031,385 bytes) 2023-03-02 (THURSDAY): RIG EK --> MALWARE L...

2023-02-27 (MONDAY) - PCAP FOR AN ISC DIARY (BB17 QAKBOT) NOTES: The ISC diary is for Tuesday 2023-02-28: BB17 distribution Qakbot (Qbot) activity Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-02-27-Qakbot-infection-traffic.pcap.zip 17.1 MB (17,129,439 bytes)

BushidoToken

March 04, 2023 I'm surprised this is my first blog of 2023, but I have been more busy than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I'm developing SANS FOR589: Cybercrime Intelligence. While researching packers and crypters (that are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the se...

Matt Muir at Cado Security

CERT-AGID

Summary overview of malicious campaigns in the week of 18 – 24 February 2023 26/02/2023 summary This week, CERT-AgID detected and analyzed, in the Italian scenario under its purview, a total of 13 malicious campaigns with Italian targets, making the related 216 indicators of compromise (IOCs) identified available to its accredited entities. Below we report the details of the types illustrated in the charts, resulting from the data extracted from the ...

Summary overview of malicious campaigns in the week of 25 February – 03 March 2023 03/03/2023 summary This week, CERT-AgID detected and analyzed, in the Italian scenario under its purview, a total of 26 malicious campaigns, of which 23 had Italian targets and 3 were generic but nevertheless involved Italy, making the related 1537 indicators of compromise (IOCs) identified available to its accredited entities. Below we report the details of the ...

Check Point Research

Yehuda Gelb at Checkmarx Security

Pyramid of Pain — Evolving our Defenses to Combat Supply Chain Attackers Threat intelligence is a crucial aspect of cybersecurity that helps organizations stay ahead of the game when it comes to protecting their assets from malicious attacks. One key tool used in threat intelligence is the pyramid of pain, introduced to the world by David Bianco, which provides a visual representation of the level of pain that a threat actor will experience in order to carry out their malicious activities. The hig...

CISA

Release Date: February 28, 2023 Alert Code: AA23-059A SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture. Actions to take today to harden your local environment: Establish a security baseline of normal network activity; tune...

Release Date: March 02, 2023 Alert Code: AA23-061A SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all...

Cisco’s Talos

By Jonathan Munshaw Thursday, March 2, 2023 14:03 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. For years, we as a cybersecurity community have been discussing ways we can fight the global ransomware problem. This included things like pushing for more sanctions against international ransomware groups, new laws from federal governments and decreased access to virtual currency often used by actors to stay undetected. Now, here’s the crazy thing: It might be...

Threat Roundup (Feb. 24 - March 3) By Jonathan Munshaw Friday, March 3, 2023 15:03 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threa...

George Kurtz at CrowdStrike

February 28, 2023 George Kurtz Executive Viewpoint The CrowdStrike 2023 Global Threat Report, among the most trusted and comprehensive research on the modern threat landscape, explores the most significant security events and trends of the previous year, as well as the adversaries driving this activity. The latest edition of the CrowdStrike Global Threat Report comes at a critical time for organizations around the world. Adversaries have become more sophisticated, relentless and destructive in t...

CTF导航

Reverse malware analysis of Ursnif from LOLbins Ursnif is a variant of the Gozi malware family that has recently been conducting increasing activity against various entities in North America and Europe. The campaign appears to have started around April 6, through several domains hosted at 8.208.90.28. Since the campaign began, a total of 16 domains have pointed to that IP. Since 04/22, these actors have moved their activity to a new IP: 47.241.106.208. Initial access: A point of particular interest in this campaign is the effectiveness of the TTPs in bypassing many security tools. In the delivery stage, the campaign uses compromised email accounts to inject into previous conversations by adding a link and urging the recipient to check the latest update to the ongoing conversation. The provided link points to a Google Drive account, an entity users trust that usually cannot be blocked in many enterprises. The Google Drive link downloads a password-protected zip file containing a JavaScript (JS) file. Execution: When run, the JS file is executed by wscript. Wscript then hands off to Regsvr32, which loads a txt file into memory. However, the txt file is actually a DLL file, ...

CyberCX

Cyber Adviser Newsletter - February 2023 Published by CyberCX Intelligence on 2 March 2023 Welcome to the February edition of Cyber Adviser, a monthly readout of insights and expert analysis from the CyberCX Intelligence desk. January by the numbers Timely reminder to teach users about high-risk file types: Gootloader infections hit Australia Since November 2022, CyberCX has been responding to Gootloader infections in Australian organisations. Gootloader is a malware distribution service linked ...

Cyble

February 27, 2023 Publicly released Proof of Concept (POC) increases the likelihood of exploitation by Threat Actors On 16th Feb 2023, PSIRT released a security advisory for a critical vulnerability affecting multiple versions of FortiNAC, a product of Fortinet. FortiNAC is a network access control solution aimed to provide visibility, control, and automated response to enterprise network that contains Information Technology (IT), Operational Technology (OT), and Internet of Things (IoT) devices...

February 27, 2023 Threat Actors launch search domains on the Surface Web, Darkweb, and Telegram The life cycle of the compromised databases does not end with the initial leak. It is often redistributed across multiple cybercrime forums, collected by Threat Actors, aggregated, and shared again. Cyble Research and Intelligence Labs (CRIL) has observed Threat Actors (TA) offering paid and free search engines for their data collections. On multiple occasions, we found threat actors aggregating datab...

February 28, 2023 Payment Card Data being stolen via Sniffer Malware An Introduction to Sniffers Credit card sniffers are malicious codes usually programmed in JavaScript and designed to covertly steal payment card information and Personally Identifiable Information (PII) entered by the victim on a compromised e-commerce/merchant website. Sniffer programs are also often termed ‘Online Skimmer’. R3NIN is a recent example of one such sniffer. An attacker injects a web server with an obfuscated mal...

March 1, 2023 LOCKBIT Ransomware Group Strikes Third Indian Conglomerate in February 2023 LOCKBIT, the most nefarious ransomware group, claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023. IL&FS was in the news in 2018 for their troubled financial health leading to a grave NBFC financial crisis and liquidity drought that unraveled several other corporates in India. The ransomware group alleged...

February 28, 2023 Tech Scammers Using Executables to Spread Scams Tech scams are a type of online fraud where scammers trick users into believing that there is a problem with their computer or device and then charge them for unnecessary technical support or services. Tech scammers may also use executable files to perpetrate their scams. For example, they may send an email or message with a file attachment designed to look like a legitimate document while, in reality, it contains malicious softwa...

March 1, 2023 Underground carding marketplace leaks over 2 million payment card records, enabling large-scale financial fraud Figure 1 – Bidencash announces another leak On February 28, 2023, the operators of the notorious carding marketplace BidenCash released a dataset of 2,165,700 credit and debit cards to commemorate one year of operation. This leak was advertised on an underground cybercrime forum, similar to leaks previously covered by CRIL (Cyble Research and Intelligence Labs) in October...

Cyfirma

Weekly Attack Type and Trends Key Intelligence Signals: Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rogue Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), Smishing, Malvertising, USB as an Attack Vector Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage Business Impact: Data Loss, Fina...

Dr Josh Stroschein

YouTube video

Josh Hanrahan at Dragos

By Josh Hanrahan 03.02.23 Command and control (C2) has always been a key adversary objective in the compromise of a victim. The quicker an adversary establishes a successful C2 channel in a victim’s network, the faster they can achieve their end objective for impact. Most C2 communications occur over a standard web protocol such as Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS). While using HTTP or HTTPS to “blend in,” adversaries...

EclecticIQ

The EclecticIQ Intelligence and Research Team has discovered a single threat cluster almost certainly targeting the maritime industry in a multi-year campaign. The campaign has been active since at least October 2020 and uses spearphishing emails to target the maritime industry to deliver Agent Tesla and Formbook. EclecticIQ Threat Research Team – March 1, 2023 Executive summary In May 2020 EclecticIQ Intelligence and Research Team published a report (1) on phishing lures impersonating the marit...

Eric Capuano

Live Incident Response with Velociraptor. A live video walk-through of incident handling using the open source Velociraptor agent. Eric Capuano, Mar 31. This is a video I posted some time ago, but I wanted a more permanent place to point to it and its supporting guides for anyone wanting more exposure to one of my favorite DFIR tools. This walk-through was pe...

Eric Ooi

Overview In this blog, we’ll walk through the custom Microsoft 365 dashboards presented in my Securing Microsoft 365 with Elastic talk at ElasticON Global 2021. So, you checked out my Securing Microsoft 365 with Elastic talk at ElasticON Global 2021 and got excited about securing your own environment. This led you to config...

Erik Hjelmvik at Netresec

PolarProxy is constantly being updated with new features, enhanced performance and bug fixes, but these updates are not always communicated other than as a short mention in the ChangeLog. I would therefore like to highlight a few recent additions to PolarProxy in this blog post. Custom TLS Redirection One new feature in PolarProxy is the --redirect argument, which can be used to redirect TLS traffic destined for a specific domain name to a different domain. This feature can be used to redirect T...

In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-traffic-analysis.net. IOC List C2 IP and port: 80.47.61.240:2222 C2 IP and port: 185.80.53.210:443 QakBot proxy IP and port: 23.111.114.52:65400 JA3: 72a589da586844d7f0818ce684948eea JA3S: ec74a5c51106f0419184d0dd08fb05bc JA3S: fd4bc6cea4877646ccd62f0792ec0b62 meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e ...

FIRST

By DNS SIG Tuesday, February 28th, 2023 The DNS Abuse SIG is very pleased to announce the publication of the DNS Abuse Techniques Matrix, the work of many months and a great number of people from various parts of the security and DNS worlds. The aim of the document is to assist those who are experiencing DNS abuse, particularly incident responders and security teams. To quote from the document itself: The advice currently takes the form of a matrix indicating whether a specific stakeholder can d...

GreyNoise

Brianna Cluck March 1, 2023 GreyNoise Product Updates When running across an unknown IP address in the logs, the first move might be to check the IP address’s reputation through a number of services. This check is useful for the immediate task at hand, but what if you could see not only reputation reports but see, at a granular level, when and what is causing this reputation? That’s where GreyNoise comes in. Alongside the common fields of a GreyNoise IP address page located in the Visuali...

Daniel Grant March 1, 2023 Product Updates GreyNoise Why we created the IP similarity feature While we at GreyNoise have been collecting, analyzing, and labeling internet background noise, we have come to identify patterns among scanners and background noise traffic. Often we’ll see a group of IPs that have the same User-Agent or are sending payloads to the same web path, even though they are coming from different geo-locations. Or, we might see a group that uses the same OS and scanned all the sam...

Darren Spruell at InQuest

Posted on 2023-02-27 by Darren Spruell Microsoft OneNote is a file type now entrenched in the ongoing saga of abused file formats leveraged by adversaries to reach through defenses and deliver malware payloads to end users. Recently, we have seen OneNote's sudden rise to prominence, following a pattern of other types of files used in the same capacity. Below are our insights into aspects of the threat landscape and tips organizations should consider to protect users and their data. Origins of On...

Intel471

Feb 28, 2023 Many intrusions and compromises start with the infection of an endpoint with malicious software (malware). Malware distribution is often centered around tricking someone into opening an executable file that purports to be benign, such as a common software utility, but is actually malicious. One of the most common methods for distributing malware is through spam, but there are other ways. One long-used technique to land malware on systems saw a resurgence in December 2022. “Malvertis...

Kelvin Ling

TryHackMe Room: //tryhackme.com/room/threatinteltools Threat intelligence tools allow us cyber security professionals to analyze security incidents. There are specific tools for investigating each kind of threat. Ranging from malicious URLs, malware, emails and IP addresses, analysts can utilize platforms to conduct threat assessments. Categories of threat intelligence Threat intelligence often involves analyzing a large amount of data collected through SIEM software such as Splunk. To make sense o...

Marius Sandbu

By msandbu / 2. March 2023 Writing a book takes a long time, and just a couple of weeks ago I just wrapped up and released my new book related to Ransomware Protection and as part of any book you need to do some research. Before I started on writing the book I was involved with several cases where customers had been affected by ransomware, however I had only scratched the surface in understanding the complex picture behind it. As part of any article/book/blogpost ...

Mehmet Ergene

Advanced KQL for Threat Hunting: Window Functions — Part 2 In my previous blog, I explained what window functions are and how we can use them for threat hunting and detection by giving Cloud Account Takeover Attacks as an example and using the prev() function: Advanced KQL for Threat Hunting: Window Functions — Part 1 (Window functions can take your threat hunting and DFIR skills to a next level! posts.bluraven.io). In this post, I’ll explain the sliding_window_counts plugin and...

Sowmya Mahadevaiah at Microsoft Azure

Posted on March 2, 2023 Sowmya Mahadevaiah Senior Product Manager, Azure Networking With special thanks to Pete Bryan, Principal Security Research Manager, Microsoft Security. The SQL injection attack remains one of the critical attacks in the OWASP Top 10, and it involves injecting a SQL query via the input data field into a web application without input validation. According to Microsoft Digital Defense Report 2022, 67 percent of web application exploits include SQL injections. Azure Web Appli...

Matt Zorich at ‘Microsoft Security Experts’

Microsoft Security Response Center

MSRC, Microsoft Threat Hunting / By Aideen Fay / March 01, 2023 / 19 min read As more businesses shift away from running workloads on dedicated virtual machines to running them inside containers using workload orchestrators like Kubernetes, adversaries have become more interested in them as targets. Moreover, the benefits Kubernetes provides for managing workloads are also extended to adversaries. As adversaries leverage Kubernetes to run their workloads, their understanding of how these platfor...

MSRC, Microsoft Threat Hunting / By Aideen Fay / March 01, 2023 / 5 min read This blog post runs you through how to enable and configure Linux audit logging on your Azure Kubernetes Service (AKS) Virtual Machine Scale Set (VMSS) using the Linux auditing subsystem, also known as auditd. Warning The information provided below is accurate as of the release date of this blog post (2023-03) and guidance may change in future. Unlike the Kubernetes control plane logs which give you visibility into your...

Mitiga

Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage By Veronica Marinov Overview As part of Mitiga’s continuous research into cloud attacks and forensics, we have been examining potential data exfiltration techniques in GCP (Google Cloud Platform) and how to identify and investigate them. During this research, we discovered a significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner. One of the most common a...

Google Cloud Platform Exfiltration: A Threat Hunting Guide By Veronica Marinov Introduction If you’re wondering if the cloud era is here, you need only look at the latest stats. 67% of enterprise infrastructure is now cloud-based and 94% of enterprises use cloud services.1 It’s no wonder that public clouds like Google Cloud Platform (GCP) have become a new playground for threat actors. There is a lot to exploit. As part of a recent Mitiga threat hunt activity, we examined different methods to per...

Nicholas Dhaeyer at NVISO Labs

Nicholas Dhaeyer Threat Hunting, Detection Engineering, Qbot, OneNote, Cyber Threats, Maldoc, Malware, phishing, Reverse Engineering February 27, 2023 8 Minutes OneNote in the media In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns. I first observed this OneNote abuse in the media via Didier’s post. This was later also mentioned in Xavier’s ISC diary and on the podcast. Later,...

Phylum

Phylum performs a thorough breakdown of a typosquat campaign on PyPI that we identified earlier this month. Published on Feb 28, 2023 Written by The Phylum Research Team Category Malware tl;dr - An unsophisticated actor efficiently published about a thousand typosquatted packages of forty popular Python packages containing malicious code in a campaign that lasted two days, but actually only took about an hour to execute. Phylum recently reported a massive typosquatting campaign against a n...

Tom Caiazza at Rapid7

Feb 28, 2023 2 min read Tom Caiazza Last updated at Tue, 28 Feb 2023 17:35:54 GMT Each year, the research team at Rapid7 analyzes thousands of vulnerabilities in order to identify their root causes, broaden understanding of attacker behavior, and provide actionable intelligence that guides security professionals at critical moments. Our annual Vulnerability Intelligence Report examines notable vulnerabilities and high-impact attacks from 2022 to highlight trends that drive significant risk for o...

Recorded Future

Posted: 2nd March 2023By: Insikt Group® Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF. The annual report surveys the threat landscape of 2022, summarizing a year of intelligence produced by Recorded Future’s threat research team, Insikt Group. We analyze global trends and evaluate significant cybersecurity events, geopolitical developments, vulnerability disclosures, and more, providing a broad, holistic ...

Red Alert

Monthly Threat Actor Group Intelligence Report, January 2023 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analyzed on the basis of data and information collected by the NSHC ThreatRecon team from December 21, 2022 to January 20, 2023. In January, the activities of a total of 19 hacking groups were confirmed; the SectorA group accounted for the largest share at 31%, followed by the SectorE and SectorJ groups. The hacking activity discovered this January was directed most often at personnel or systems in government ministries and the financial industry, and by region, hacking activity against countries located in East Asia and Europe was confirmed to be the most common. 1. Characteristics of SectorA Group Activity In January 2023, the activities of a total of 3 hacking groups were discovered, and they are Secto...

Red Canary

ReliaQuest

Resecurity

Resecurity Disrupts Investment Scam Network - Digital Smoke Cybercrime Intelligence 27 Feb 2023 investment fraud, digital fraud, cybercrime, cyber threat intelligence Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from China, Colombia, European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, Australia, Canada, the U.S. including other regions. The bad actors operating as an organ...

S2W Lab

Author: Kay Kyoung-ju Kwak | S2W TALON with ChatGPT Kay Kyoung-ju Kwak is the Head of Center for Threat Research and Intelligence, Talon at S2W. He is an advisory member of Cybersecurity Alliance operated by Ministry of Science and ICT, as well as the technical advisor of Personal Information Protection Commission in South Korea. Introduction Cyber Threat Intelligence (CTI) has become an essential component of every organization’s cybersecurity program, enabling t...

Author: Jiho Kim & Sebin Lee | S2W TALON Last Modified: Feb 27, 2023 Executive Summary Lumma Stealer is an info stealer malware written in C language and has been sold on underground forums since August 2022. The seller of Lumma Stealer has been actively promoting it since at least April 2022. The seller posts the announcement about version updates, inquiries, etc. on the underground forum, telegram channel, and his own site. On February 6th, 2023, a spear-phishin...

Safebreach

SANS Internet Storm Center

Tatyana Shishkova at Securelist

Malware reports 27 Feb 2023 Table of Contents: Figures of the year; Trends of the year; Mobile cyberthreat statistics; Installer numbers; Distribution of detected mobile malware by type; Geography of mobile threats; Distribution of attacks by type of software used; Mobile adware; RiskTool-type apps; TOP 20 most frequently detected mobile malware programs; Mobile banking Trojans; Mobile ransomware Trojans; Conclusion. Authors: Tatyana Shishkova. These statistics are based on detection verdicts of Kaspersky produ...

Security Scorecard

Shinigami

Disclaimer: All opinions presented here represent my own and not that of my employers. This blog is the first in a three-part series centered around risks associated with thought leadership as a CTI analyst, researcher, or a CTI-adjacent practitioner. This first blog aims to provide a high-level understanding of such risks, the second will provide examples and case studies, and the third will cover recommendations and other mitigations. I do apologize if you were expecting all three in one blog p...

SOCRadar

Sean Gallagher at Sophos

A text message leads to discovery of a vast scam infrastructure run by Chinese cyber-criminals. Written by Sean Gallagher February 28, 2023 Threat Research cryptocurrency fraud Cryptorom Fake apps featured PigButchering ShaZhuPan Sophos X-Ops The success of “pig butchering” (sha zhu pan, 杀猪盘) scams has driven the expansion of their hunt for new victims, both by well-established and well-organized scam rings and by smaller and less professional copycats. In the fake gold trading scam I discussed ...

Ben Martin at Sucuri

Symantec Enterprise

Group targets multiple subsidiaries of single Asian conglomerate. The Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property. Current Blackfly toolset The following tools were used in attacks during late 2022 and early 2023: Backdoor...

Sysdig

Tenable

Security Response Team | Research February 28, 2023 | 5 Min Read The 2022 Threat Landscape Report — Tenable’s annual look at the vulnerabilities and cyberthreats facing security teams — drives home the sheer enormity of the challenges involved in reducing risk. The report provides analysis of the vulnerability landscape, a deep dive into the events that shaped the threat landscape and a detailed breakdown of vulnerabilities sorted by vendor. Some might find the 65-page report daunting. In realit...

Threatmon

Trend Micro

Privacy & Risks A Deep Dive into the Evolution of Ransomware Part 3 This 3-part blog series takes an in-depth look at the evolution of ransomware business models, from the early stages to current trends. By: Trend Micro February 27, 2023 Ransomware is an ever-growing problem that has wreaked havoc across a multitude of industries, with astronomical ransom demands leaving businesses and infrastructure fee...

Ransomware Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks In this blog entry, we present a case study that illustrates how data-science techniques can be used to gain valuable insights about ransomware groups' targeting patterns as detailed in our research paper, “What Decision-Makers Need to Know About Ransomware Risk.” By: Vladimir Kropotov, Matsukawa Bakuei, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya March 02...

Managed XDR Exposes Spear-Phishing Campaign Targeting Hospitality Industry Using RedLine Stealer Find out how the Managed XDR team uncovered RedLine Stealer’s evasive spear-phishing campaign that targets the hospitality industry. By: Ryan Soliven, Abraham Camba, Byron Gelera, Catherine Loveria March 02, 2023 Recently, we noticed a spike in the number of emails received by one of our customers. After furt...

Risk Management Phishing as a Service Stimulates Cybercrime With phishing attacks at an all-time high, phishing as a service (PhaaS) is turning this once-skilled practice into a pay-to-play industry. Understanding the latest attack tactics is critical to improving your email security strategy. By: Jon Clay March 02, 2023 According to Verizon, 78% of organizations experienced email-based ransomware attack...

Uptycs

Written by: Uptycs Threat Research Parallax RAT (aka, ParallaxRAT) has been distributed through spam campaigns or phishing emails (with attachments) since December 2019. The malware performs malicious activities such as reading login credentials, accessing files, keylogging, remote desktop control, and remote control of compromised machines. The Uptycs Threat Research team has recently detected active samples of the Parallax remote access Trojan (RAT) targeting cryptocurrency organizations. It u...

WeLiveSecurity

The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality Martin Smolár 1 Mar 2023 - 11:30AM The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEF...

ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda, which communicates via the MQTT protocol Alexandre Côté Cyr 2 Mar 2023 - 11:30AM ESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group. This backdoor is part of an ongoing campaign that we can trace back to early January 2023. Unlike most of...