Analysis Notes

A place to note things from trying my hand at malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 13 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry shows the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics); it is auto-generated and posted so that articles worth checking can be skimmed quickly. This Week in 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

0xRob

Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 2 – Setting up Custom Queries and an Example Host Investigation Notebook. 23rd March 2023, Uncategorised, 0xrob. Welcome to part 2 of the threat hunting with Jupyter notebook series. If you followed part 1 you should be set up and able to query MDE in a Jupyter notebook using msticpy. Now let's do the exciting part: let's build some custom queries and use them to investigate a host for suspicious activity and put it all together in...

Alex Teixeira

Anyone working in log-based Threat Detection knows this. Command-line telemetry is the Crème de la Crème of data sources. And we don't need much effort to verify such a statement. Simply check how many TTPs one is able to monitor from such rich telemetry (Credit: Jose Luis Rodriguez & Roberto Rodriguez). In short, detection-wise, those logs do provide a high benefit/cost ratio, especially in Windows…

Amr Ashraf

11 minute read. On this page: Summary; YARA rule for detection; Python configuration extractors; Overview; Where to start?!; File headers; Strings; Byte sequence; Code sections; Final; Before testing; Retrieve samples; YARA testing; Configuration extraction. Summary: You can find the results from this research on my GitHub here: YARA rule for detection of AveMaria (WarZone) RAT; Python configuration extractors. There are two configuration extractors (the explanation is mentioned in the blog post): if standard RC4, if non-st...
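The post above ships a configuration extractor for a sample that protects its config with RC4. The block below is an added example, not code from that post or from its GitHub repository: it implements standard RC4 (KSA plus PRGA) and the scan-locate-decrypt loop an extractor runs, with a printability check that catches the "wrong key or non-standard variant" failure case. The blob layout (a `CFG:` marker, a length-prefixed key, a length-prefixed ciphertext) and the config string are constructed here for illustration and are not AveMaria's real format; a real extractor replaces `build_sample`'s layout with offsets recovered from the binary.

```python
"""RC4-based malware configuration extraction, shown on a constructed blob."""
import struct

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-byte permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). The keystream is XORed, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Constructed layout for this example (an assumption, not the real AveMaria format):
#   marker b"CFG:" | 1-byte key length | key | 4-byte LE ciphertext length | ciphertext
MARKER = b"CFG:"

def build_sample(key: bytes, plaintext: bytes) -> bytes:
    """Assemble a fake binary blob with an RC4-encrypted config embedded in it."""
    ct = rc4_crypt(key, plaintext)
    return (b"\x00" * 64 + MARKER + bytes([len(key)]) + key
            + struct.pack("<I", len(ct)) + ct + b"\x90" * 32)

def extract_config(blob: bytes) -> dict:
    """Locate the marker, recover key and ciphertext, decrypt, and parse key=value fields."""
    pos = blob.find(MARKER)
    if pos < 0:
        raise ValueError("config marker not found")
    p = pos + len(MARKER)
    klen = blob[p]
    p += 1
    key = blob[p:p + klen]
    p += klen
    (clen,) = struct.unpack_from("<I", blob, p)
    p += 4
    plaintext = rc4_crypt(key, blob[p:p + clen])
    # A correct key yields printable ASCII; a wrong key (or a non-standard RC4
    # variant) yields noise, which is the usual sign the extractor needs adjusting.
    if not all(32 <= b < 127 or b in b"\r\n" for b in plaintext):
        raise ValueError("decrypted data is not printable: wrong key or RC4 variant")
    return dict(kv.split("=", 1) for kv in plaintext.decode().split("|") if "=" in kv)

SAMPLE_KEY = b"example-key"                                  # constructed
SAMPLE_CONFIG = b"c2=203.0.113.10|port=5200|mutex=Example"  # constructed, TEST-NET-3 address
SAMPLE_BLOB = build_sample(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print(extract_config(SAMPLE_BLOB))
```

`rc4_crypt` is checked against the public RC4 test vector (key "Key", plaintext "Plaintext"), so a failure to decrypt a real sample with it points at a modified key schedule or PRGA in the malware rather than at the routine here.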

Anomali

by Anomali Threat Research. Anomali Cyber Watch: Winter Vivern Impersonates Poland's Combating Cybercrime Webpage, Trojanized Telegram Steals Cryptocurrency Keys from Screenshots, SilkLoader Avoids East Asian ThreatBook Cloud Sandbox, and More. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Data leak, Injectors, Packers, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomal...

Arctic Wolf

AttackIQ

BI.Zone

A new threat has been uncovered. The Key Wolf hacker group is bombarding Russian users with file-encrypting ransomware. Interestingly enough, the attackers do not demand any ransom. Nor do they provide any options to decrypt the affected files. Our experts were the first to detect the proliferation of the new malware. In this publication, we will take a closer look at the attack and share our view on ways to mitigate it. Key Wolf uses two malicious files with nearly identical names Информирование...

Lindsay Von Tish at Bishop Fox

By: Lindsay Von Tish, Security Consultant II. Introduction: In a world of ever-evolving cybersecurity threats, endpoint detection and response solutions (EDR) provide much-needed visibility into device activity through automated detection and remediation of malicious activity. An attacker who can bypass EDR protection is more likely to successfully take long-term control of an endpoint and escalate their activity without detection. In this blog, we discuss the use of native Windows binaries,...

Derek Banks at Black Hills Information Security

Weekly infosec news podcast with the pen testers and friends of Black Hills Information Security.

Brad Duncan at Malware Traffic Analysis

2023-03-16 (THURSDAY) - EPOCH 5 ACTIVITY: EMOTET NOW ALSO USING ONENOTE FILES REFERENCE: //twitter.com/Unit42_Intel/status/1636739251277647874 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-15-thru-03-16-Emotet-E5-malspam-9-examples.zip 1.3 MB (1,292,550 bytes) 2023-03-16-Emotet-E5-emails-from-spambot-traffic-7-examples.zip 528 kB (527,998 bytes) 2023-03-15-thru-03-16-Emotet-E5-attachments-10-examples.zip 3...

2023-03-17 (FRIDAY) - EMOTET EPOCH 5 ACTIVITY ASSOCIATED FILES: 2023-03-17-Emotet-E5-notes.txt.zip 3.6 kB (3,619 bytes) 2023-03-17-Emotet-E5-malspam-3-examples.zip 582 kB (581,807 bytes) 2023-03-18-Emotet-E5-infection-traffic.pcap.zip 9.8 MB (9,803,341 bytes) 2023-03-17-Emotet-malware-samples.zip 5.1 MB (5,071,136 bytes) NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IMAGES Shown above: Screenshot of OneNote file for Emotet. Shown a...

2023-03-22 - EMOTET EPOCH 4 ACTIVITY REFERENCE: //twitter.com/Unit42_Intel/status/1638940003035398148 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-03-22-some-IOCs-for-Emotet-E4-activity.txt.zip 2.2 kB (2,186 bytes) 2023-03-22-Emotet-E4-malspam-5-examples.zip 917 kB (917,037 bytes) 2023-03-22-Emotet-malware-samples.zip 2.0 MB (2,011,016 bytes)

Check Point Software

Yehuda Gelb at Checkmarx Security

New Attack Vector Observed, Targeting .NET Developers in A Software Supply Chain Attack. In a recent, sophisticated attack reported by JFrog, .NET developers have been targeted via the NuGet repository, marking the first time attackers have been observed exploiting autorun mechanisms in NuGet packages to distribute malware. In this blog, we will delve deeper into the details of this unprecedented attack, shedding light on dozens of additional indicators of compromise (IOC) related to the incident a...

Cisco’s Talos

By Edmund Brumaghin, Jaeson Schultz, Wednesday, March 22, 2023. Threat Advisory. Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus. Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based...

By Jonathan Munshaw, Thursday, March 23, 2023. Threat Source newsletter. Welcome to this week's edition of the Threat Source newsletter. After asking ChatGPT to write the newsletter for me two weeks ago, I was tempted to have Google's Bard do the same, but I resisted making this the newsletter's new gimmick. Instead, I wanted to write about another tech giant — Meta. The company recently doubled down on a threat to remove news links and sharing from its Facebook and Instagram platforms if Canada...

By William Largent, Friday, March 24, 2023. Threat Roundup. Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 17 and March 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information...

CTF导航

Attack technique assessment | A new way to evade MoTW using OneNote notes (Penetration Techniques). Intelligence background: since the security update for CVE-2022-41091, Windows propagates the MoTW mark to everything contained in an ISO and shows a security warning when such a file is opened, which means that packaging malicious macro documents in ISO or other non-NTFS container formats to evade the MoTW mark has essentially stopped working. Recently, attackers have shifted to OneNote notebook files (.one) to distribute malicious payloads, embedding a WSF file in the .one file and luring the victim into executing it, making it a replacement for macro documents. This article analyzes and assesses the technical details. Group: Emotet. Tactic: Initial Access. Technique: Spearphishing Attachment. Source: //www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/ 01 Attack technique analysis. Key point: using OneNote files to distribute malicious files and evade MoTW. After the CVE-2022-41091 security update is installed, Windows propagates the Web...
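The Emotet chain described here, and in the Talos advisory and the Malware Traffic Analysis entries above, works because the .one file is only a container: the WSF or other script is stored inside it as an embedded file and handed to the script host when the lure is clicked. The block below is an added example, not code from any of those posts, that carves every embedded file out of a .one file and flags script or executable payloads. It keys on the FileDataStoreObject header and footer GUIDs from the MS-ONESTORE specification; the 36-byte header layout (guidHeader, 8-byte cbLength, 4 unused bytes, 8 reserved bytes) is my reading of that spec and should be checked against it. The sample .one content, the filler bytes and the WSF lure are constructed inline.

```python
"""Carve embedded files out of a OneNote (.one) file and flag script payloads."""
import struct
import uuid

# FileDataStoreObject delimiters from MS-ONESTORE. Header layout assumed here:
# guidHeader (16) | cbLength (8, little-endian) | unused (4) | reserved (8) | data | guidFooter (16)
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_HEADER_LEN = 36

# Magic bytes used to classify a carved blob. The script types are what the
# attacker chains through the OneNote container.
SIGNATURES = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"<job", "wsf"),            # Windows Script File
    (b"<?xml", "xml"),
    (b"<html", "hta-or-html"),
    (b"<script", "hta-or-html"),
]
SCRIPT_TYPES = {"wsf", "hta-or-html", "xml"}

def classify(data: bytes) -> str:
    """Best-effort type from leading bytes, ignoring a UTF-8 BOM and leading whitespace."""
    head = data[:256].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    for magic, label in SIGNATURES:
        if head.startswith(magic.lower()):
            return label
    return "unknown"

def carve_embedded_files(one: bytes) -> list:
    """Return (offset, type, data) for every well-formed FileDataStoreObject in the file."""
    found = []
    pos = one.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", one, pos + 16)
        start = pos + FDSO_HEADER_LEN
        data = one[start:start + length]
        # A truncated or bogus length will not land on the footer GUID; skip those.
        footer_ok = one[start + length:start + length + 16] == FDSO_FOOTER
        if footer_ok and length > 0:
            found.append((pos, classify(data), data))
        pos = one.find(FDSO_HEADER, pos + 16)
    return found

def triage(one: bytes) -> dict:
    """Summarise a .one file: embedded count, types seen, and whether a script/PE is inside."""
    files = carve_embedded_files(one)
    kinds = [kind for _, kind, _ in files]
    return {
        "embedded": len(files),
        "types": sorted(set(kinds)),
        "suspicious": any(k in SCRIPT_TYPES or k == "pe" for k in kinds),
    }

def make_fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject; used only to construct the sample below."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER

# Constructed sample: filler, a PNG-like image, more filler, then a WSF lure.
WSF_LURE = b'<job id="Open"><script language="JScript">WScript.Echo("constructed sample")</script></job>'
SAMPLE_ONE = (b"\x00" * 128
              + make_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
              + b"\x00" * 40
              + make_fdso(WSF_LURE))

if __name__ == "__main__":
    for off, kind, data in carve_embedded_files(SAMPLE_ONE):
        print(f"offset=0x{off:x} type={kind} size={len(data)}")
    print(triage(SAMPLE_ONE))
```

Because the scan is anchored on the GUIDs rather than on the OneNote object tree, it also recovers embedded files from damaged or partially downloaded .one files, which is usually what a mail gateway or sandbox has to hand.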

Velociraptor in practice: GUI basics (Penetration Techniques). Preface: this article is a quick guide to investigating incidents through the Velociraptor GUI; see the official documentation for more detail. 01 Overview. The functional areas: Hunt Manager: the threat-hunting page, where artifacts can be executed against many hosts at once; View Artifacts: the artifact list, showing all available artifacts, both built-in and imported third-party ones; Server Events: the page for viewing server events (events meaning what is happening at that moment); Server Artifacts: the page for viewing the execution status of server-type artifacts; Notebooks: the page for creating and running notebooks; Host Information: basic information and status of the currently selected client host; Virtual Filesystem: the VFS file browser; Collected Artifacts: the page for viewing the execution status of client-type artifacts; Client Events: the page for viewing client-type events. 02 Basic concepts. 2.1 VQL (Velociraptor Query Language): VQL is Velociraptor's...

BloodHound tool notes (Penetration Techniques). 0x01 Localization and rules. Usage: replace the corresponding files. Effect: a large number of custom rules are added: basic domain information; find all domain admins; domain trusts; legacy systems; high-risk privileges; find principals with DCSync rights; users with foreign-domain group membership; enabled accounts with admincount=1; groups with foreign-domain group membership; find computers where domain users are local administrators; find computers where domain users can read LAPS passwords; find all paths from domain users to high-value targets; find workstations that domain users can reach over Remote Desktop; find servers that domain users can reach over Remote Desktop; find dangerous rights held by the Domain Users group; find domain admin logons to non-domain controllers; Kerberos interaction; find Kerberoastable members of high-value groups; list all Kerberoastable accounts; find the most privileged Kerberoastable users; Kerberoastable accounts in high-value groups; list all accounts vulnerable to Kerberoasting; find AS-REP roastable users (pre-authentication not required); shortest attack paths; find unconstrained...

Cyber Incident Response Operations Center of the State Cyber Protection Center

Cyble

March 20, 2023 BreachForums Administrator Pompompurin, two Doxbin staff members identified The FBI has arrested a Peekskill, New York man identified as Pompompurin, an administrator and owner of the cybercrime forum BreachForums on March 15, 2023. The person’s identity was revealed in court documents submitted by FBI agent John Longmore as Conor Brian Fitzpatrick. This arrest follows various exploits on the cybercrime forum directly targeting the US government, including Pompompurin‘s November 2...

March 21, 2023 Threat Actors Use DLL Sideloading to Fly Under the Radar. SideCopy APT is a Threat Actor (TA) from Pakistan that has been active since 2019, focusing on targeting South Asian nations, especially India and Afghanistan. The SideCopy APT gets its name from the infection chain, which imitates that of the SideWinder APT. Some reports suggest that this actor shares characteristics with Transparent Tribe (APT36) and could potentially be a sub-group of that threat actor. Recently, Cyble Res...

March 23, 2023 Cinoshi Clipper Targets Gamers Using Steam Trade Links Cyble Research and Intelligence Labs (CRIL) discovered a new Malware-as-a-Service (MaaS) platform called “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. Currently, this MaaS platform is offering stealer and web panel for free, and such free services are rarely seen. The availability of free malware services means that attackers no longer need technical expertise or resources to launch cybe...

Cyborg Security

Cyfirma

Weekly Attack Type and Trends. Key Intelligence Signals: Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DDoS, Spear Phishing. Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property. Ransomware – Play Ransomware | Malware – FakeCalls. Play Ransomware – One of the ransomware groups. Please refer to the trending malware advisor...

Cyjax

Cryptocurrency Threat Landscape Report – A Year in Review 2022. By Joe Wrieden, 21 March 2023. This White Paper details the main trends and threats identified in the cryptocurrency sector in 2022 and provides some insight into the current threat landscape. Subscribe to access this content.

By Joe Wrieden 21 March 2023 Cryptocurrency and Blockchain technologies have been one of the most prevalent and growing technology industries over the past few years. Threat actors have begun to see cryptocurrency as a highly profitable target for a wide range of reasons, including the ease of laundering, lack of effective testing, and the large number of holders which can be manipulated. In 2022 the total funds stolen by threat actors reached a new high, with the average cost per hack being aro...

Darktrace

23 Mar 2023. The continued prevalence of Malware as a Service (MaaS) across the cyber threat landscape means that even the most inexperienced of would-be malicious actors are able to carry out damaging and wide-spread cyber-attacks with relative ease. Among these commonly employed MaaS are information stealers, or info-stealers, a type of malware that infects a device and attempts to gather sensitive information before exfiltrating it to the attacker. Info-stealers typically target confid...

EclecticIQ

This issue of the Analyst Prompt looks at the impact SVB's collapse has had on the cyber threat landscape, Emotet's return after a three-month hiatus and the distribution of malware through abusing Google search ads. EclecticIQ Threat Research Team – March 23, 2023. Criminal Actors Exploit SVB Collapse for Financial Gain. Criminal actors take advantage of the Silicon Valley Bank (SVB) collapse, likely to steal information and money (1). Security researchers have observed a large spike in typosquatte...

Esentire

Blog — Mar 20, 2023. TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU). Analysis of Microsoft Outlook Elevation of Privilege Vulnerability CVE-2023-23397. 8 minutes read.

Derek Manky at Fortinet

By Derek Manky | March 23, 2023 The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks. Does the evidence corroborate the theory that the ongoing conflict in Europe is to blame for the rise in wipers? Indeed. Furthermore, given that Russia is the main source of wiper activity, one can anticipate an increase in the use of wipers against countries and organizations that provide aid, weapons, or other logistical support to Ukraine. While both ransomwa...

German Bundesamt für Verfassungsschutz (BfV) and the National Intelligence Service of the Republic of Korea (NIS)

Nick Roy at GreyNoise


Stuart Ashenbrenner at Huntress

All too often, I blindly 'Accept' Terms & Conditions without reading them. Guilty! Yes, it's come back to bite me before, but I can't be the only one who does this with some regularity. As someone who spends the majority of their day on a computer, one "feature" that can accelerate a person's descent into madness is notifications, alerts, and prompts. Whether it's a Reminders alert that won't leave the top-right c...

Intel471

New loader on the bloc - AresLoader Mar 22, 2023 AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a “binder” tool that allows users to masquerade their malware as legitimate software. We would like to acknowledge Roberto Martinez and Taisiia Garkava for alerting us to their in-the-wild observations of ...

Jouni Mikkola at “Threat hunting with hints of incident response”

March 19, 2023, JouniMi. Making the decision of what to analyze. The last blog post that I wrote was about creating an ELK with a Kibana view of the currently active malware, using the common publicly available sandbox services. This gives some insight of what is currently active and I think it can be quite current as I believe that quite a lot of people are uploading the malware they come across to the sandboxes. What I have gathered so far is that probably 95% of all ...

Keith McCammon

, mapped to ATT&CK. 1 minute read. In reviewing security firms' 2022 threat data, a subset of these include insight into the initial access vectors leveraged most frequently in successful intrusions. This is a summarization of findings based on their reporting.

Rank  ATT&CK Technique ID  Vector                             Percentage
1     T1566                Phishing                           45%
2     T1190                Exploit Public-Facing Application  26%
3     -                    Other                              9%
4     T1189                Drive-By Compromise                6%
4     T1133                External Remote Services           6%
4     T1078                Valid Accounts                     6%
5     T1195                Supply Cha...

Lexfo

Cobalt Strike Investigation - Part 2. Thu 09 March 2023, by Lexfo in Csirt. Tags: Cobalt Strike, PsExec, WinRM, Forensics, CSIRT, DFIR, TTP, Splunk, Kibana, ELK, DFIR-ORC, Sigma. Introduction: The previous article detailed the findings of the Cobalt Strike remote-exec built-in command that allows executing arbitrary commands on the remote host without creating a persistent session with a Beacon. This second part will focus on the jump command in Cobalt Strike, used to establish a connection from a co...
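The jump command discussed in this part spawns a Beacon on the remote host, and for the psexec variants that means a service is installed there, which lands in the System log as event 7045 (and, with service auditing enabled, Security 4697). The block below is an added example, not code from the Lexfo article: it parses a handful of constructed 7045 export lines and scores each service install against the widely documented defaults of Cobalt Strike's jump psexec (a random seven-character alphanumeric service name whose binary is dropped into ADMIN$ under the same name) and jump psexec_psh (an encoded PowerShell one-liner launched through %COMSPEC% as the service binary). The key=value line format, the host names, the service names and the weights are assumptions for this example.

```python
"""Hunt System log 7045 (service installed) events for Cobalt Strike jump psexec patterns."""
import re
from collections import namedtuple

Event = namedtuple("Event", "host service_name image_path account")

# Constructed sample export (one key=value event per line), not real telemetry.
SAMPLE_LINES = [
    r"EventID=7045 Computer=FS01 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe Account=LocalSystem",
    r"EventID=7045 Computer=FS01 ServiceName=8f3a2c1 ImagePath=\\FS01\ADMIN$\8f3a2c1.exe Account=LocalSystem",
    r"EventID=7045 Computer=DC01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe Account=LocalSystem",
    r'EventID=7045 Computer=WS07 ServiceName=BackupAgent ImagePath="C:\Program Files\Vendor\agent.exe" Account=NT AUTHORITY\NetworkService',
    r"EventID=7045 Computer=WS07 ServiceName=kq9zt4m ImagePath=\\WS07\ADMIN$\kq9zt4m.exe Account=LocalSystem",
    r"EventID=7045 Computer=WS07 ServiceName=a1b2c3d ImagePath=%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA Account=LocalSystem",
    r"EventID=7036 Computer=WS07 ServiceName=kq9zt4m State=stopped",
]

# key=value where a value runs until the next " key=" or end of line (values may contain spaces).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line: str) -> Event:
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Event(fields.get("Computer", ""), fields.get("ServiceName", ""),
                 fields.get("ImagePath", ""), fields.get("Account", ""))

def score_service_install(ev: Event):
    """Return (score, reasons). Weights are a judgement call for this example."""
    reasons, score = [], 0
    name, path = ev.service_name, ev.image_path
    exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if re.fullmatch(r"[a-z0-9]{7}", name, re.I):
        reasons.append("random 7-character service name (jump psexec default)")
        score += 2
    if "admin$" in path.lower():
        reasons.append("service binary staged in the ADMIN$ share")
        score += 2
    if exe == name.lower() + ".exe":
        reasons.append("service name equals binary name")
        score += 1
    if re.search(r"powershell|%comspec%", path, re.I) and re.search(r"-enc", path, re.I):
        reasons.append("encoded PowerShell one-liner as service binary (jump psexec_psh style)")
        score += 3
    if name.lower() == "psexesvc":
        reasons.append("Sysinternals PsExec service: legitimate tool, confirm the operator")
        score += 1
    return score, reasons

def hunt(lines, threshold: int = 2) -> list:
    """Return (host, service_name, score, reasons) for 7045 events at or above the threshold."""
    hits = []
    for line in lines:
        if "EventID=7045" not in line:
            continue
        ev = parse_event(line)
        score, reasons = score_service_install(ev)
        if score >= threshold:
            hits.append((ev.host, ev.service_name, score, reasons))
    return hits

if __name__ == "__main__":
    for host, svc, score, reasons in hunt(SAMPLE_LINES):
        print(f"{host:6} {svc:12} score={score} {'; '.join(reasons)}")
```

The threshold of 2 deliberately keeps PsExec's own PSEXESVC in view: it is the same lateral-movement primitive, and whether it is an administrator or an intruder is a question for the investigation, not the rule. jump winrm leaves no service install at all; for that variant the article's WinRM artefacts (WSMan activity and wsmprovhost.exe spawning PowerShell) are the place to look.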

Louis Mastelinck

March 25, 2023 Microsoft Defender for Office. Email privacy is a very sensitive subject. Permissions to inboxes are heavily managed and it's a very bad idea to give yourself as an IT Admin permissions to a mailbox of an end-user. There are multiple options to get access to the content of a mailbox, but some are more stealthy than others. In this blog post, I zoom in on the most stealthy way (according to me) to view the content of a mailbox. The tools: There are a couple of tools that you can use wit...

Mandiant

Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace. James Sadowski, Casey Charrier, Mar 20, 2023, 16 min read. Threat Intelligence, Zero Day Threats, Vulnerabilities. Executive Summary: Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020. Chinese state-sponsored cyber espionage groups exploited more ze...

We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems. Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Mar 22, 2023, 11 min read. Operational Technology, Threat Intelligence, ICS. In January 2023, the Anonymous affiliated hacktivist group, GhostSec, claimed on social media to have deployed ransomware to encrypt a Belarusian remote terminal unit (RTU)—a type of operational technology (OT) device for remote monitoring of industrial automation devices. The actors' stated ...

UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor. Ryan Tomcik, Rufus Brown, Josh Fleischer, Mar 23, 2023, 16 min read. Uncategorized Groups (UNC Groups), Managed Defense, Incident Response, Ransomware. Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that ...

Microsoft Security

Microsoft Incident Response. This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization's environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process. ...

Nasredding Bencherchali at Nextron Systems

Mar 24, 2023 | Newsletter, Nextron, Security Monitoring, Sigma, Tool, Tutorial One of the main goals of SIGMA as a project and SIGMA rules specifically has always been to reduce the gap that existed in the detection rules space. As maintainers of the SIGMA rule repository we’re always striving for reducing that gap and making robust and actionable detections accessible and available to everyone for free. Today we’re introducing a new contribution to the SIGMA project called log-source guides. Th...

NTT Communications

Internship report: Tracking Cobalt Strike C2 servers. 2023-03-24. Introduction: Hello, I'm Oku, and I took part in NTT Communications' on-site internship. I am currently researching dynamic analysis of Linux malware at university. For the two weeks from February 6 to February 17, 2023, I joined the Innovation Center's Network Analytics for Security (NA4Sec) project, where I investigated attack cases that abused Cobalt Strike and got hands-on experience discovering and tracking the attack infrastructure used to distribute Cobalt Strike payloads. In this article I describe how I came to join the internship and what I worked on during it. How I came to join: I applied for this internship because, when I attended another company's internship over the summer, the other students were recommending NTT's internship...

Maxime Thiebaut at NVISO Labs

Maxime Thiebaut. Videos, Forensics, Reverse Engineering. March 20, 2023, 13 Minutes. IcedID (a.k.a. BokBot) is a popular Trojan that first emerged in 2017 as an Emotet delivery. Originally described as a banking Trojan, IcedID shifted its focus to embrace the extortion/ransom trend and nowadays acts as an initial access broker mostly delivered through malspam campaigns. Over the last few years, IcedID has commonly been seen delivering Cobalt Strike prior to a multitude of ransomware str...

Palo Alto Networks

3 min. read. By Unit 42, March 21, 2023 at 2:00 AM. Category: Ransomware, Reports. Tags: Extortion, ransomware threat report. Introduction: While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own. Organizations, in turn, need to evolve defenses to ...

7 min. read. By Shehroze Farooqi, Billy Melicher, Brody Kutt and Alex Starov, March 23, 2023 at 6:00 AM. Category: Malware. Tags: Advanced URL Filtering, Cloud-Delivered Security Services, deep learning, DNS security, JavaScript Malware, malicious injection attack, next-generation firewall, obfuscation. Executive Summary: Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redi...

Penetration Testing Lab

Persistence – Service Control Manager, by Administrator, in Persistence. The service control manager (SCM) is responsible for starting and stopping services in Windows environments, including device drivers and start-up applications. Microsoft introduced in Windows 2000 and later the Security Descriptor Definition Language (SDDL) in order to provide a textual representation for security descriptors in a more readable format. Prior to Windows 2000 secu...
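Persistence through the SCM comes down to who is allowed to reconfigure, start or stop a service, and that is exactly what the service's security descriptor encodes. The block below is an added example, not code from the Penetration Testing Lab post: it parses the DACL portion of an SDDL string of the form `sc sdshow <service>` prints and reports every access-allowed ACE that grants a low-privileged principal a right usable for persistence or tampering (SERVICE_CHANGE_CONFIG to rewrite the binary path, SERVICE_START/STOP, WRITE_DAC, WRITE_OWNER, DELETE). The two SDDL strings are constructed: the first is the usual default for a Windows service, the second is the same descriptor with an extra ACE handing full control to Authenticated Users. Hexadecimal access masks and conditional ACEs are not handled.

```python
"""Flag weak service DACLs in SDDL, as shown by `sc sdshow <service>`."""
import re

# Service-specific and generic rights abbreviations used in SDDL access strings.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Well-known SID aliases; LOW_PRIV are the ones that should never hold DANGEROUS rights.
SIDS = {
    "SY": "LocalSystem", "BA": "Builtin Administrators", "IU": "Interactive users",
    "SU": "Service logon users", "AU": "Authenticated Users", "WD": "Everyone",
    "BU": "Builtin Users", "AN": "Anonymous", "NS": "NetworkService", "LS": "LocalService",
}
LOW_PRIV = {"IU", "SU", "AU", "WD", "BU", "AN"}
DANGEROUS = {"DC", "RP", "WP", "WD", "WO", "SD", "GA", "GW"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl: str) -> list:
    """Return the DACL's ACEs as dicts with type, flags, rights (set of 2-letter codes) and sid."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)   # stop before any S: (SACL) section
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # not a standard six-field ACE
        ace_type, flags, rights, _obj, _inherit, sid = parts[:6]
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": codes, "sid": sid})
    return aces

def weak_aces(sddl: str) -> list:
    """(principal, sorted dangerous rights) for access-allowed ACEs granted to low-privileged SIDs."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] not in LOW_PRIV:
            continue
        bad = sorted(ace["rights"] & DANGEROUS)
        if bad:
            findings.append((SIDS[ace["sid"]], bad))
    return findings

def describe(sddl: str) -> list:
    """Human-readable lines, one per finding."""
    return [f"{who}: {', '.join(RIGHTS[r] for r in rights)}" for who, rights in weak_aces(sddl)]

# Constructed: the common default descriptor for a Windows service ...
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# ... and the same with an extra ACE giving Authenticated Users full control (persistence-ready).
WEAK_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    print("default:", describe(DEFAULT_SERVICE_SDDL) or "no weak ACEs")
    print("weak:   ", describe(WEAK_SERVICE_SDDL))
```

Note that the SACL's `WD` in `(AU;FA;...;;;WD)` is the Everyone SID, while `WD` inside an access string is WRITE_DAC; the parser keeps them apart by position, which is why it must not be simplified to a substring search.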

Recorded Future

Posted: 23rd March 2023By: Insikt Group® Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF. Executive Summary Cybercriminals devise and execute various workarounds to legalize their illicit income. After international sanctions were leveled against Russia in the wake of Russia’s full-scale invasion of Ukraine, ordinary Russian consumers have likely resorted to similar workarounds to obtain goods produced abro...

Red Canary

ReliaQuest

S2W Lab

Author: HOTSAUCE | S2W TALON. Last Modified: Mar 20, 2023. Executive Summary: Recently there has been an increase in cases where phishing emails are sent to YouTubers with large subscriber counts, including official YouTube channels of government agencies, the gaming YouTuber "인피쉰" and the voice-actor YouTuber "남도형의 블루클럽", and their accounts are hijacked. Related article: (2022-09-24) Money Today, "Why is Musk showing up?" Official government and broadcaster YouTube channels 'hacked': what were they after? The hijacked YouTube channels run Elon Musk live streams that lead viewers to phishing pages claiming that cryptocurrency such as Bitcoin or Ethereum sent to the attacker's address will be returned doubled. Cases impersonating celebrities such as Elon Musk and Trump to lure users to cryptocurrency phishing pages have existed since 2020; recently, as YouTube viewership has grown, attackers have been using hijacked YouTube channels as a promotion method to lure even more victims. Cryptocurrency phi...

Author: BLKSMTH | S2W TALON. Last Modified: Mar 23, 2023. Executive Summary: According to an analysis report published by InterLab in December 2022, a South Korean journalist received a message requesting a conversation via the Wechat messenger, and the requestor instructed the journalist to install a malicious APK file disguised as a messenger called "Fizzle.apk" — InterLab named the malicious APK "RambleOn". We found similar features and codes to the mobile ve...

SANS Internet Storm Center

Securelist

APT reports, 21 Mar 2023. Table of Contents: Infection chain; The PowerMagic backdoor; The CommonMagic framework; Network communication; Plugins; To be continued; CommonMagic indicators of compromise. Authors: Leonid Bezvershenko, Georgy Kucherin, Igor Kuznetsov. Administrative organizations were attacked with PowerMagic backdoor and CommonMagic framework. Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number o...

Publications, 23 Mar 2023. Table of Contents: Why defining your workflow is a vital prestage of playbook development; 1. Be prepared to process incidents; 2. Create a comfortable track for investigation; 3. Containment is one of the most important phases to minimize incident consequences; 4. Lessons learned, or required post-incident actions; Summary: components of a good playbook. Author: Igor Talankin. An incident response playbook is a predefined set of actions to address a specific security inc...

Security Scorecard

SentinelOne

March 22, 2023 by Phil Stokes PDF The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers. However, the idea of stealing valuable data and then monetizing it in nefarious ways is a tactic tha...

Aleksandar Milenkoski / March 23, 2023 By Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen, in collaboration with QGroup Executive Summary In Q1 of 2023, SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East. We assess that this activity represents an evolution of tooling associated with Operation Soft Cell. While it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41, the exac...

Snyk

Written by: Idan Digmi, March 23, 2023. Since the beginning of 2023, Snyk has documented around 6800 malicious packages across PyPI and the npm registry, which requires little to no interaction, almost 860 of which were discovered by us. Starting in the middle of 2022, we observed a surge in the number of malicious packages published into the ecosystems. These newly added 6800 malicious packages follow the massive phishing campaign from a few months ago — as discovered by Checkmarx in Dece...

SOCRadar

Splunk

By Splunk Threat Research Team, March 23, 2023. In recent years, there have been several high-profile cyber attacks that have involved the abuse of digital certificates. Digital certificates are electronic credentials that verify the identity of an entity, such as a person, organization, or device, and establish trust between parties in online transactions. They are commonly used to encrypt and sign data, authenticate users and devices, and secure network communications. One such large publ...

Ben Martin at Sucuri

The Sleuth Sheet

An adversary represents the complex, ever-strengthened challenge of navigating digital battlegrounds, exploiting vulnerabilities, and thwarting defenses in a high-stakes game of virtual cat-and-mouse. Topics: Deconstruct Your Worldview; Remove All Biases; Peer Through The Wilderness of Mirrors; Criminally Asymptomatic. Deconstruct Your Worldview: In the murky depths of a world where the lines between friend and foe are perpetually blurred, the journey to gain the adversarial mindset begins with a...

Threatmon

Pham Duy Phuc, Max Kersten and Tomer Shloman at Trellix

By Pham Duy Phuc, Max Kersten and Tomer Shloman · March 23, 2023 Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself. This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming and shaming website, filled with non-paying victims and stolen data. Based on our observations, there is no specific sector nor geographic area that is targeted by the gang, a...

Mattias Wåhlén at Truesec

Truesec exposes a Russian information operation. 1 min read, Mattias Wåhlén. Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be "hacktivists," politically motivated hackers from Sudan. Truesec's Threat Intelligence unit has investigated the threat actor group to shed light on its activities and help identify its true motives. Truesec's report (published Feb ...

TrustedSec

Situational Awareness BOFs for Script Kiddies March 21, 2023 By Adam Todd in Research Introduction Thanks for the download on BOFs, but now, where can I actually download some BOFs? In my previous blog post, “BOFs for Script Kiddies,” I covered the basics of BOFs. I described what a BOF was (a Beacon Object File), when you would want to use a BOF (post-exploitation), and why you would want to use a BOF (for additional lightweight capabilities). I even pointed you in the direction of how you migh...

Disabling AV With Process Suspension March 24, 2023 By Christopher Paschen in Penetration Testing, Research, Security Testing & Analysis Every now and again, I see a crazy tweet that feels like it just can’t be true. Many of them are not true or are folks making overblown statements about something cool they found—this is part of the research game, and folks are entitled to be excited about what they are learning. Recently, however, I saw something that I thought needed more attention. There was...

Oleg Boyarchuk at VMware Security