Analysis Notes

A place for notes on trying out malware analysis and on things that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 11 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that the articles worth checking can be skimmed quickly. 4n6 can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

March 10, 2023 in threat hunting So you finished writing your perfect threat hunting query. Done and dusted, right? Hmm, sorry… chances are, it is… broken. How come? One reason, but it has many acronyms: L10N, T9N, I18N or G11N. If you are mostly dealing with English-centric versions of the operating systems you may now stop reading. But… You will be missing out. Why? THERE ARE OTHER LANGUAGES OUT THERE. And they come with a luggage… The acronyms listed earlier expand into: Translation (T9N) Loca...

March 12, 2023 in threat hunting A few years ago I released a list of ‘bad’ mutexes/mutants. That list was generated from my malware sandbox reports. I thought that it may be good to revisit the idea, but this time with a focus on a ‘clean’ list. What do I mean by that? Windows native binaries reference many ‘clean’ mutexes and mutants. By looking for references to CreateMutex* and OpenMutex API invocations inside the native OS applications and DLLs we can build a list presented below. I hope yo...

Alex Teixeira

This article is an evolution of a previous one I wrote on Jira Workflows for Detection Engineering teams but more focused on the detection inputs and with the introduction of a new actor: the Detection Researcher. What you are going to learn here: What are the primary INPUTS for a detection idea? Who or What drives the detection demand? How to layout a process to take that input and turn into action?

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Cryptojacking, Phishing, Ransomware, Secure boot bypass, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats...

Anton Chuvakin

New Report “State of Cloud Threat Detection and Response” Cloud D&R Report (2023) One of the mysteries of detection and response (D&R) is about how companies really approach D&R in the public cloud. So we did a survey focused on this, and we actually polled both leaders and technologists. “Our State of Cloud Threat Detection and Response report summarizes the survey responses of 400 security leaders and SecOps practitioners in North America regarding the capabilities, practices, and behaviors of prot...

Ari Novick at Cyberark

Persistence Techniques That Persist March 2, 2023 Ari Novick Abstract Once threat actors gain a foothold on a system, they must implement techniques to maintain that access, even in the event of restarts, updates in credentials or any other type of change that might disrupt access. These techniques are collectively known as persistence techniques. In this blog post, we will focus on how malwar...

Avanan

Avertium

March 7, 2023 Executive Summary In January 2023, researchers saw a decrease in victim posting rates amongst ransomware groups. The month also showed a 41% decrease compared to December 2022. Although there was a decrease in ransomware victims amongst all ransomware groups in January, LockBit stayed at the forefront of ransomware activity. Avertium’s Threat Intelligence Report featuring the worst cyber attacks of 2022, predicted that although the return on investment was dropping for ransomware g...

Bitdefender

Organizations know that they can no longer settle for the anti-virus programs, intrusion detection systems and traditional incident responses that used to be seen as “enough” online protection. Threat actors are now refining their skills daily, and threat intelligence (TI) is becoming a necessity. More security experts have been hired to do the work in 2020 than ever. But is it enough? Is threat intelligence really about multitudes of people scanning through the endless feeds of infor...

Black Hills Information Security

Jordan Drysdale // Tl;dr: Many parsers have been written and several are referenced here. This blog describes a simple parser for Sysmon logs through Event ID (EID) 28 for Microsoft Sentinel. Let’s start with a description of the Sysmon schema version. As shown below, the latest schema version as of 23-DEC-22 was 4.83. This will need to be updated in your Sysmon config files if you wish to stay bleeding edge. The following blocks include some additions to the version of Sysmon modular generating...

Blackberry

CYBERSECURITY / 03.06.23 / The BlackBerry Research & Intelligence Team Summary On Feb. 20, the BlackBerry Research & Intelligence team witnessed a new spear-phishing campaign where the threat group APT-C-36, also known as Blind Eagle, impersonated a Colombian government tax agency to gain access to the target’s machines. The scam targeted key industries in Colombia, including health, financial, law enforcement, immigration, and an agenc...

BleepingComputer

Erica Mixon at Blumira

Brad Duncan at Malware Traffic Analysis

2023-03-07 (TUESDAY) - EMOTET INFECTION WITH SPAMBOT TRAFFIC REFERENCE: //twitter.com/Unit42_Intel/status/1633238684278591489 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-07-IOCs-for-Emotet-activity.txt.zip 2.7 kB (2,714 bytes) 2023-03-07-Emotet-malspam-4-examples.zip 547 kB (547,297 bytes) 2023-03-07-Emotet-epoch4-infection-with-spambot-traffic-carved.pcap.zip 51.7 MB (51,717,139 bytes) 2023-03-07-Emotet...

2023-03-06 (MONDAY) - GOZI (ISFB/URSNIF) ACTIVITY TARGETING ITALY REFERENCE: //twitter.com/Unit42_Intel/status/1633934017031467010 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-06-IOCs-for-Gozi-infection.txt.zip 1.4 kB (1,386 bytes) 2023-03-06-Gozi-ISFB-Ursnif-traffic.pcap.zip 3.5 MB (3,538,677 bytes) 2023-03-06-Gozi-malware-and-artifacts.zip 169 kB (168,679 bytes)

2023-03-08 (WEDNESDAY) - ICEDID (BOKBOT) INFECTION WITH BACKCHANNEL AND VNC TRAFFIC NOTES: Infection traffic started on 2023-03-08 shortly after 02:00 UTC, but this wave of malspam & malware is from Tuesday 2023-03-07. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-07-IOCs-for-IcedID-activity.txt.zip 1.9 kB (1,942 bytes) 2023-03-07-IcedID-malspam-1919-UTC.eml.zip 170 kB (170,004 bytes) 2023-03-08-IcedID-with-BackC...

Censys

CERT-AGID

The Emotet malware resumes hitting Italy 08/03/2023 emotet Distribution of Emotet campaigns from 2020 to 2023 Once again, after a 4-month pause, Emotet restarts with a massive campaign aimed at Italian users. The last Emotet activity observed in Italy dates back to November 2022 and lasted barely a week, specifically from 3 to 9 November, during which CERT-AGID recorded 16 campaigns delivered via email with ZIP and XLS attachments that ...

Summary of malicious campaigns in the week of 04 – 10 March 2023 10/03/2023 summary This week, CERT-AgID detected and analysed, within the Italian scenario it covers, a total of 18 malicious campaigns, 16 of which had Italian targets and generic ones that nonetheless involved Italy, making the 1111 related indicators of compromise (IOC) identified available to its accredited bodies. Below we report the details of the types i...

Marc Nimmerrichter at Certitude

Increase in Online-Fraud against Accounting Written by Marc Nimmerrichter on 07.03.2023 / 08.03.2023 Certitude has noticed an increase in online fraud aga...

Check Point

Yehuda Gelb at Checkmarx Security

The “Skeleton Squad” — Tracing the Origins and Scope of 5000+ Malicious Packages on Pypi A group with the ominous name “EsqueleSquad”, which translates to “Skeletons Squad” in Catalan, published over 5000 malicious packages up until last weekend. This group is linked to several other packages uploaded in early January, all dropping malicious executables using different methods. Earlier findings On February 23rd, a threat actor started to flood the Pypi ecosystem with thousands of malicious packages...

Cisco’s Talos

By Jonathan Munshaw Thursday, March 9, 2023 14:03 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it. It’s the talk of SEO managers everywhere who can’t wait to find a way to work “ChatGPT” into a headline. And in the s...

By Andrew Windsor, Vanja Svajcer Thursday, March 9, 2023 08:03 Threat Spotlight Threats Prometei botnet continued its activity since Cisco Talos first reported about it in 2020. Since November 2022, we have observed Prometei improving the infrastructure components and capabilities. More specifically, the botnet operators updated certain submodules of the execution chain to automate processes and challenge forensic analysis methods. We assess with high confidence that v3 of the Prometei botnet is...

Greg Darwin at Cobalt Strike Research and Development

Cofense

CyberCX

Published by CyberCX Intelligence on 7 March 2023 CyberCX Intelligence actively monitors the cyber threat landscape for emerging and novel threats to Australian and New Zealand organisations. This Intelligence Update provides situational awareness of cyber attacks attributed to a new and prolific cyber extortion group, calling itself Medusa Team.[1] Key Points CyberCX Intelligence assesses Medusa Team poses a high threat to organisations in Australia, New Zealand and the Pacific region for at le...

Cyborg Security

Cyfirma

Weekly Attack Type and Trends Key Intelligence Signals: Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DDoS, Spear Phishing Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property Ransomware – LockBit 3.0 Ransomware | Malware – MQsTTang LockBit 3.0 Ransomware – One of the ransomware groups. Please refer to the trending ma...

Simon Kenin at Deep Instinct

Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab. DUCKTAIL is the name given to a malware operation that was previously focused on targeting individuals and organizations that operate on Facebook’s Business Ads platform. The initial infection starts with a malicious LNK that executes PowerShell to download malware hosted on a public file-sharing service. The DUCKTAIL operation has changed their custom malware to be compiled as a .NET Core 5. The final payload has been changed from custo...

Simon Kenin, Threat Intelligence Researcher, Deep Instinct Threat Lab. Earlier this week, on Tuesday, March 7th, Emotet was observed for the first time this year sending new malspam to infect victims. This is significant because the last time Emotet was seen sending malicious spam was in November of 2022. This current wave is different from the one in November, though, including new evasion techniques that we will detail in this blog. Deep Instinct’s Threat Research team has been tracking Emotet over ...

DomainTools

Dragos

By Dragos, Inc. 03.06.23 While preparing this Knowledge Pack, Dragos assessed newly disclosed vulnerabilities in over 800 products from vendors including: Siemens, Mitsubishi Electric, Weidmueller, SAUTER Controls, and Baicells. Over 280 characterizations and 560 detections are included in KP-2023-002 for customers running Dragos Platform 2.x. Full release notes are available for registered customers in the Dragos Customer Portal, key highlights of this release ar...

EclecticIQ

Multiple KamiKakaBot malware are used to target government entities in ASEAN countries. EclecticIQ Intelligence and Research team attribute it to APT group, Dark Pink. EclecticIQ Threat Research Team – March 10, 2023 Executive Summary In February 2023, EclecticIQ researchers identified multiple KamiKakaBot malwares which are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries. The latest attacks, which took place in February 2023, were almos...

Paul Asadoorian at Eclypsium

March 9, 2023 / Paul Asadoorian What is “BlackLotus”? Following news in late 2022 of a new UEFI bootkit being sold for $5,000 on hacking forums called BlackLotus. ESET researchers have recently released an analysis of this bootkit discovered in the wild. There was speculation as to whether or not BlackLotus was real and did what the sellers claimed it could do (bypass UEFI SecureBoot and implant a bootkit). The Eclypsium team has independently ...

Esentire

Blog — Mar 09, 2023 TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU) BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif 7 minutes read Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investiga...

Fortinet

By Shunichi Imano, James Slaughter, and Geri Revay | March 06, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Sirattacker and ALC ransomware. Aff...

By Cara Lin | March 08, 2023 Affected platforms: Windows Impacted parties: Any organization Impact: Cryptojacks vulnerable systems Severity level: Critical Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs. It already has an updated version, and the seller’s webpage (Figure 1) guarantees ...

By Guillaume Lovet and Alex Kong | March 09, 2023 Affected Platforms: FortiOS Impacted Users: Government & large organizations Impact: Data loss and OS and file corruption Severity Level: High Fortinet published a CVSS Medium PSIRT Advisory (FG-IR-22-369 / CVE-2022-41328) on March 7th, 2023. The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additional IoCs identified during our ongoing analysis. Executive Summary Multip...

Google

Haircutfish

Haircutfish Mar 7 · 8 min read TryHackMe Brim — Task 6 Exercise: Threat Hunting with Brim | Malware C2 Detection If you haven’t done tasks 4 & 5 yet, here is the link to my write-up of them: TryHackMe Brim — Task 4 Default Queries & Task 5 Use Cases Getting the VM Started Click the green button, labeled Start Machine, at the top of Task 1. The screen should split in half; if it doesn’t, go to the top of the page. You will see a blue button labeled Show Split View, click this button. The screen should...

InfoSec Write-ups

At the beginning of this year, I wrote on Medium about how I landed a job as a Threat Intelligence Analyst Intern. However, I soon realized that staying current with the latest news in the field was a daunting task, even with tools like TweetDeck and newsletters at my disposal. I’m not sure how I stumbled across this article (pictured below) but it gave me the idea to create a server to stay up to date with Threat Intel. Article Credit — yes, it’s from 2021 and it’s 2023 currently. So with that in ...

Bukar Alibe at INKY

Posted by Bukar Alibe A Market RINGleader An estimated 12 million video doorbell units are being used worldwide, and leading the market is the Amazon-owned home security system, Ring. The company’s primary product is a video enabled doorbell that detects motion, notifies you someone is at your door, and allows you to see, hear, and speak to your visitor in real time from anywhere. Customers purchase the doorbell and enroll in an inexpensive subscription service so they can store or share v...

Intel471

Mar 08, 2023 There were signs of change in 2022 for ransomware. Those changes included fewer victims paying, increasing law enforcement pressure and clamp-downs on cryptocurrency exchanges. Nonetheless, ransomware will remain one of the most significant cyber threats for organizations this year. In this post, we’ll discuss some of the key trends around ransomware from last year with a view to forecasting what defenders may see this year. Attack Levels and the Big Players Gathering statistics on ...

IronNet

Commemorating the one year anniversary of the Ukraine-Russia War By General (Ret) Keith Alexander and the IronNet Team Mar 8, 2023 February 24, 2023 marked the one year anniversary of Russia’s invasion of Ukraine. When the Ukraine-Russia War began, it commenced the largest military conflict in the age of cyber, leading many to prepare for the cyber domain to become as much of a theater of war as the traditional battleground itself. As the conflict has played out, however, a much diff...

Magnet Forensics

Digital forensics has been an important part of criminal investigations for many years, but it has also become more and more valuable in corporate environments. In addition to investigating human resource issues, assessing policy violations and insider threats, we’re seeing DFIR solutions and expertise being utilized on a wider range of cyber incidents in the incident response space. This is due to the increasing sophistication of cyber incidents which has necessitated an increasingly sophistica...

Malwarebytes Labs

Posted: March 8, 2023 by Threat Intelligence Team February 2023 saw a record number of victims for LockBit, a record high ransom demand, and a devastating assault on the City of Oakland. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not ...

Posted: March 8, 2023 by Threat Intelligence Team A network of online video streaming sites are monetizing traffic with hidden ads. The problem? Advertisers are throwing up to a million dollars every month down the drain as nobody is even seeing the ads. This investigation was a joint effort between Malwarebytes Threat Intelligence's Jérôme Segura, DeepSee's Rocky Moss and Antonio Torres. Key findings Over a dozen unique domains were found selling ad inventory through Google Ad Manager, even tho...

Mandiant

Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices Daniel Lee, Stephen Eckels, Ben Read Mar 08, 2023 6 min read Uncategorized Groups (UNC Groups), Malware, Vulnerabilities Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) applianc...

Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW Mandiant Intelligence and Consulting Mar 09, 2023 7 min read Threat Intelligence, Consulting, Uncategorized Groups (UNC Groups), North Korea, Malware In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their oper...

Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 Mandiant Intelligence and Consulting Mar 09, 2023 25 min read Threat Intelligence, Consulting, Managed Defense, Uncategorized Groups (UNC Groups), North Korea Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded ...

Andrea Michael at Microsoft Azure

Posted on March 8, 2023 Andrea Michael Product Manager Today, our customers establish and manage their Azure virtual networks at scale. As their number of network resources grows, the question of how to maintain connectivity and security among their scale of resources arises. This is where Microsoft Azure Virtual Network Manager comes in—your one-stop shop for managing the connectivity and security of your network resources at scale (currently in preview). And when customers use Azure Virtual Ne...

Andrea Fisher at Microsoft Security Insights Show

What should I log in my SIEM? Assessing the value of data Andrea Fisher Mar 8 During the last year or so, I’ve done close to 70 Sentinel engagements with customers. We’ve set it up, turned on the data connectors and analytic rules then wait to see what kind of alerts and incidents come in. Working through incidents is always fun but one qu...

MikeCyberSec

It’s 2023, Ransomware is still the top dog for cyber threats. We’ve seen the recent introductions of data lake technology to SIEM, we’ve seen XDR become a (albeit unagreed definition across the industry) thing, ‘insert any pillar here’ posture management… But no silver bullet detecting & preventing ransomware, coincidence? Nope. The emerging science behind detection engineering has provided the industry with a fresh outlook on how to research threats, prioritise...

Netskope

Proofpoint

Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests March 07, 2023 Zydeca Cass and the Proofpoint Threat Research Team Key Takeaways TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021. The threat actor’s campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities int...

Red Alert

Monthly Threat Actor Group Intelligence Report, January 2023 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 December 2022 to 20 January 2023. In January, activities by a total of 19 Threat Actor Groups were identified, in which activities by SectorA was the most prominent by 31%, followed by SectorE and SectorJ groups. Threat Actors identified in January carried out the highest number of attack...

Dean Murphy at ReliaQuest

SANS Internet Storm Center

Securelist

Industrial threats 06 Mar 2023 Table of Contents: Year 2022 in numbers; Global threat statistics; Geography; Variety of the malware detected; Main threat sources. Authors: Kaspersky ICS CERT. Year 2022 in numbers:

Parameter                                        H1 2022   H2 2022   2022
Percentage of attacked ICS computers globally    31.8%     34.3%     40.6%
Main threat sources
  Internet                                       16.5%     19.9%     24.0%
  Email clients                                  7.0%      6.4%      7.9%
  Removable devices                              3.5%      3.8%      5.2%
  Network folders                                0.6%      0.6%      0.8%

Percentage of ICS computers on which malicious objec...

Publications 08 Mar 2023 Table of Contents: Main findings of 2022; 2022 data highlights; 2022 trends observed by Kaspersky; Methodology; Global detection figures: affected users; Global and regional detection figures: geography of affected users; Global detection figures – stalkerware applications; Are Android OS and iOS devices equally affected by stalkerware?; Together keeping up the fight against stalkerware; Think you are a victim of stalkerware? Here are a few tips… Authors: Kaspersky The state of ...

Secureworks

Research & Intelligence COBALT ILLUSION Masquerades as Atlantic Council Employee The phishing campaign targets researchers who document the suppression of women and minority groups in Iran. Thursday, March 9, 2023 By: Counter Threat Unit Research Team Secureworks® Counter Threat Unit™ (CTU) researchers are investigating suspicious activity reported via Twitter on February 24, 2023. Multiple individuals involved in Middle Eastern political affairs research tweeted that an individual claiming...

Securonix

Securonix Threat Research Knowledge Sharing Series: New Ransomware, Old Tricks: Detecting Reliable, Real-World Ransomware Indicators of Compromise Threat Research By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov TL;DR Today ransomware continues to gain traction and organizations are faced with a barrage of constantly evolving tactics. There are, however, several tried-and-true methods of detection or indicators of compromise (IoCs) that many ransomware variants h...

Threat Research Authors: Dheeraj Kumar, Ella Dragun The Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs during February. The report additionally provides a synopsis of the threats; indicators of compromise (IOCs); tactics, techniques, and procedures (TTPs); and related tags. This may be followed by a comprehensive threat summary from Threat Labs and search queries from the Threat Research team. For additional informa...

Aleksandar Milenkoski at SentinelOne

March 6, 2023 by Aleksandar Milenkoski SentinelOne has been observing phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses. In this blog post, we summarize our observations on these campaigns to equip defenders with the information they need to protect against this threat. DBatLoader is characterized by the abuse of public Cloud infrastructure to host its malware staging component. The featu...

SOC Fortress

Seamlessly integrate DFIR-IRIS with tools such as Velociraptor, Cortex, and more! Video coming later this week! As technology advances, so do the security threats that come with it. With the ever-evolving nature of these threats, organizations need to be able to quickly identify and respond to potential incidents to minimize the damage. DFIR-IRIS, an open-source platform for case management and incident response, has become a popular tool in the cybersecurity community. However, to make the most o...

SOCRadar

Gabor Szappanos at Sophos

Borne aloft by DLL sideloading, a far-flung infection touches ten time zones Written by Gabor Szappanos March 09, 2023 Threat Research Our researchers are currently seeing localized outbreaks of a new variant of the PlugX USB worm – in locations nearly halfway around the world from each other. After first drawing attention to itself in Papua New Guinea in August 2022, the new variant appeared in January both in the Pacific Rim nation and 10,000 ...

M’hirsi Hamza at System Weakness

Detect FIN6 on Azure Sentinel Part 2: Threat Hunting using KQL Hi Medium! Here we are again with a new article about Sentinel; this is the follow-up (part 2) to the previous article Detect FIN6 on Sentinel Part 1: Run FIN6 exploit. This article: To give a summary of the previous article, we created our lab environment and simulated the FIN6 attack; now we will be focusing on how to detect the threat and how to focus on each step from the cyber kill chain. To have more details regarding Cyber Ki...

Terry Mayer at Cyjax

By Terry Mayer 10 March 2023 Cyjax has published a new White Paper which is divided into two distinct sections. First, it provides a historical and contemporary overview of the situation in Ukraine, along with an assessment of President Putin’s rationale for launching the 2022 invasion. The events which took place on 24 February 2022 took the world largely by surprise. While fears had been raised in the previous months as Russian forces massed on the Ukrainian border, analysts, government offici...

By Terry Mayer 10 March 2023 The first section of this White Paper provides some historical and contemporary background to the Russia-Ukraine War one year on from the invasion which took place in 2022. Section Two focuses on cyber-attacks relating to the war. The Conclusion assesses possibilities for the future.

The DFIR Report

Pham Duy Phuc, Raghav Kapoor, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju at Trellix

By Pham Duy Phuc, Raghav Kapoor, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju · March 07, 2023 Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware that has been active since at least 2007. Since the end of January 2023, there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution. Moreover, the Trellix Advanced Research Center has detected various campaigns that used OneN...

Vladimir Kropotov, Matsukawa Bakuei, Robert McArdle, Fyodor Yarochkin, and Shingo Matsugaya at Trend Micro

Ransomware Examining Ransomware Payments From a Data-Science Lens In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups' ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.” By: Vladimir Kropotov, Matsukawa Bakuei, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya March 09, 2023...

TrustedSec

Getting Analysis Practice from Windows Event Log Sample Attacks March 7, 2023 By Thomas Millar in Incident Response, Incident Response & Forensics Throughout my career as an Incident Responder, one of the most invaluable skillsets I have had to draw on has been analysis of Windows event logs. These event logs are an invaluable source of information to forensic practitioners, as they are crucial in determining the cause of events during computer security incidents. Windows event logs hold a great...

Changes in the Beacon Object File Landscape March 9, 2023 By Christopher Paschen in Research Time flies when you’re having fun! Can you believe it has been over two (2) years since the release of beacon object files (BOFs)? BOFs were released June 25, 2020, according to the release notes for Cobalt Strike. At that time, I wrote about what made BOFs special in terms of Cobalt Strike, as well as some of the ‘gotchas’ that might be hit when coding against them. Over these last two (2) years, the la...

Jason Hill at Varonis

Jason Hill | 8 min read | Last updated February 20, 2023 Contents Introduction First observed in October 2022, HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data. Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023. Like most modern ransomware threats, HardBit claims to steal sensitive data from their ...

Jason Hill | 10 min read | Last updated February 7, 2023 Contents Servers running the popular virtualization hypervisor VMware ESXi have come under attack from at least one ransomware group over the past week, likely following scanning activity to identify hosts with Open Service Location Protocol (OpenSLP) vulnerabilities. Specifically, reports suggest that threat actors have been taking advantage of unpatched systems vulnerable to CVE-2020-3992 and CVE-2021-21974 that, when exploited, can allo...

Alexey Firsh at VirusTotal

Threat Hunting with VirusTotal - Episode 2

Paul Rascagneres at Volexity

March 7, 2023 by Paul Rascagneres, Volexity Volcano Team. In the ever-changing cybersecurity landscape, threat actors are forced to evolve and continually modify the tactics, techniques, and procedures (TTPs) they employ to launch and sustain attacks successfully. They are continually modifying their malware and command-execution methods to evade detection. The attackers in these cases are attempting to get a step ahead of security software at the most basic level. However,...

Jason Reaves and Joshua Platt at Walmart

By: Jason Reaves and Joshua Platt. Summary: CISA recently released a Cybersecurity Advisory on the Royal ransomware group. In the advisory, a number of excellent mitigation techniques and strategies are recommended, along with several IOCs and technical details on related activities. After reviewing several of the IOCs, one of the IPs stood out: 139[.]60.161.213. The date listed in the CISA report is November 2022. Interestingly enough, back in November CERT-UA ...
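Advisory IOCs such as the one the Walmart excerpt picks out are published defanged, and checking them against telemetry means refanging them first and then matching on whole tokens so near-misses do not fire. The following is an added example, not code from the Walmart post, CISA or CERT-UA; the only indicator taken from the page is the IP above, while the URL indicator and the firewall log lines are constructed.

```python
"""Refang advisory IOCs and match them against proxy/firewall logs.

Added example: not code from the Walmart post, CISA or CERT-UA.
Advisories defang indicators (139[.]60.161.213, hxxps://, example[.]com)
so they cannot be clicked; before they can be compared with telemetry
they have to be normalised back. Only the first IOC below comes from the
page; the URL indicator and the log lines are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

IOCS_DEFANGED = [
    "139[.]60.161.213",                            # IP named in the post
    "hxxps://update-check[.]example/payload.zip",  # constructed
]

# Constructed firewall log, key=value style; line 2 is a near-miss on purpose.
SAMPLE_LOG = """\
2022-11-03T09:58:10Z src=10.1.2.3 dst=10.0.0.5 host=intranet.corp.example action=allow
2022-11-03T10:12:44Z src=10.1.2.3 dst=139.60.161.213 dport=443 action=allow
2022-11-03T10:12:45Z src=10.1.2.9 dst=139.60.161.21 dport=443 action=allow
2022-11-03T10:13:02Z src=10.1.2.3 host=update-check.example dst=203.0.113.9 action=allow
"""

_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the IOC can be matched."""
    s = _DEFANGED_DOT.sub(".", ioc.strip())
    s = s.replace("[://]", "://").replace("[:]", ":")
    s = re.sub(r"^(h)xx(ps?)(?=:)", r"\1tt\2", s, flags=re.I)
    return s


def indicator_atom(ioc: str) -> tuple[str, str]:
    """Reduce a refanged IOC to what a log line would carry: ('ip'|'host', value)."""
    s = refang(ioc)
    if "://" in s:
        s = urlsplit(s).hostname or ""
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        return "host", s.lower()


def match_logs(lines, iocs):
    """Return (line_index, indicator) for every line containing a known IOC.

    Matching is on whole IP or hostname tokens, so 139.60.161.21 does not
    hit on 139.60.161.213 and a substring of a longer hostname does not fire.
    """
    atoms = {indicator_atom(i) for i in iocs}
    hits = []
    for idx, line in enumerate(lines):
        low = line.lower()
        tokens = ({("ip", t) for t in _IPV4.findall(low)}
                  | {("host", t) for t in _HOST.findall(low)})
        for atom in sorted(tokens & atoms):
            hits.append((idx, atom[1]))
    return hits


if __name__ == "__main__":
    for idx, ioc in match_logs(SAMPLE_LOG.splitlines(), IOCS_DEFANGED):
        print(f"line {idx}: {ioc}")
```

Feed it the IOC list from the advisory and the relevant log export; the near-miss line in the sample shows why a plain substring search is the wrong tool for IP indicators. Dates still need a human: a hit on an IP the advisory dates to November 2022 is only meaningful if your log line falls in the window the infrastructure was actually in use.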

Lukas Stefanko at WeLiveSecurity

ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information. Lukas Stefanko 7 Mar 2023 - 11:30AM. ESET researchers have identified an active Transparent Tribe campa...