Analysis Notes

A place to note things learned from analyzing malware, or that seem useful for analysis. This site uses Google Analytics.

4n6 Week 16 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to display the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

April 14, 2023 in Autostart (Persistence) I had never heard of OBS (Open Broadcaster Software) until I saw this Twitter thread. After downloading it, trying it, tinkering with it… I actually found it far more confusing than Screen2Gif, but this is because it offers a lot more advanced options, tweaking, and… supports scripting. A-HA! The moment I learnt about scripting, I immediately went to OBS’ Scripting Help section and started reading it with an intention of creating a small PoC. My thought pro...

Adam Goss

Hey friend, welcome back! In my last blog post on using threat intelligence articles for hunting we looked at extracting IOCs and TTPs from these articles and using them to perform IOC-based and TTP-based threat hunts. Hunting IOCs was simple, however for TTPs we had to correlate MITRE ATT&CK techniques mentioned in these articles to corresponding Sigma rules that could…

Stiv Kupchik at Akamai

Alican Kiraz

Threat Hunting for Windows Event Logs. Firewall, Windows Event Logs, and Linux Audit Logs are the most basic logs that strengthen our hands when we hunt threats in an institution’s cyber infrastructure. Precious data is created when our correlations in SIEM are enriched with Sysmon, Linux Auditd, and HIDS — NIDS Logs. In this article, we will look at how to detect various attacks on Windows Event Logs. Windows Event Logs allow us to analyze many attacker actions and detect attacks. Al...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptocurrency, Data leak, Malvertising, Packers, Palestine, Phishing, Ransomware, and Software supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a g...

Anton Chuvakin

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our sixth Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4 and #5). My favorite quotes from the report follow below: “Our research has shown that the most common vector used to compromise any network, including cloud instances is to take over an account’s credentials directly: either because there ...

Any.Run

April 13, 2023 Malware Trends Report: Q1, 2023. Welcome to ANY.RUN’s quarterly malware trends report! At ANY.RUN, we process hundreds of thousands of tasks each month. While we’ve traditionally shared yearly s...

Francis Guibernau at AttackIQ

Jeremy Fuchs at Avanan

Zelle Phishing. Posted by Jeremy Fuchs on April 13, 2023. Zelle, the widely used and highly acclaimed money-transfer service, is now a prime target for cybercriminals. The simplicity of sending funds to friends or businesses through Zelle has made it appealing for hackers looking to cash in. Cybersecurity researchers at Avanan, a Check Point Software Company, have detected that hackers successfully impersonate Zelle to swipe money from unsuspecting users. In this report, we'll dive into the ...

Avertium

in 2023 April 11, 2023 Executive Summary Previously, Avertium reported that the cyber war between Russia and Ukraine would ramp up in the coming months. Towards the end of February 2023, two cyber threat intelligence firms (Recorded Future and Google’s TAG) warned that Russia had plans to escalate its cyber attacks against Ukraine. Google’s TAG team stated that they had high confidence that Moscow would increase disruptive and destructive attacks in 2023 if the war shifts “fundamentally” in Ukra...

April 12, 2023 Overview. A zero-day vulnerability (CVE-2023-28252) was found in the Windows Common Log File System (CLFS) and is being actively exploited. The vulnerability allows attackers to gain SYSTEM privileges on target Windows systems and deploy Nokoyawa ransomware payloads. CISA's Known Exploited Vulnerabilities catalog now includes CVE-2023-28252, which impacts all versions of supported Windows servers and clients. This vulnerability can be exploited by attackers in low complexity attack...

Rodrigo Ferroni and Eduardo Ortiz Pineda at AWS Security

by Rodrigo Ferroni and Eduardo Ortiz Pineda | on 13 APR 2023 | in AWS CloudTrail, Intermediate (200), Security, Identity, & Compliance, Technical How-to. This blog post shows you how to use AWS CloudTrail Lake capabilities to investigate CloudTrail activity across AWS Organizations in response to a security incident scenario. We will walk you through two security-related scenarios while we investigate CloudTrail activity. The method described in this post will help ...

Aziz Farghly

In this small article, I will explain how to write a YARA rule for Medusa Ransomware. Introduction. Medusa is ransomware that will run specific tasks to prepare the target system for the encryption of files. Medusa was first seen in 2019. Medusa avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. Medusa Locker has been known to exploit Remote Desktop Protocol (RDP) vulnerabilities to gain access to a victim’s machine. It uses a combination of AES ...

Belkasoft

YARA Rules in Belkasoft X Introduction Belkasoft X is a comprehensive digital forensic and cyber incident response investigation platform. It features powerful tools and modules that help examiners extract, analyze, and report on digital evidence from a wide range of sources. One of the important features of Belkasoft X is its support for YARA rules. YARA is an open-source tool designed to assist malware researchers in identifying and classifying malware samples. It has become a popular standard...

BI.Zone

Delivering attacks through emails is so last century, or at least so seem to think the Watch Wolf group hackers who switched to spreading their malware through SEO poisoning. We discovered that they deliver the Buhtrap trojan through fake websites posing as legitimate resources for accountants. Context ads help to get the websites to the top of search results. Our Cyber Threat Intelligence team unearths a series of attacks by the Watch Wolf hacker group. The malicious campaign aims to steal money...

Martin Zugec at Bitdefender

On April 11, 2023, Microsoft released a patch for a vulnerability in Microsoft Message Queuing (MSMQ) service. CVE-2023-21554 (dubbed QueueJumper) is a critical unauthorized remote code execution (RCE) vulnerability with a CVSS score of 9.8. Attack complexity is low, and it doesn’t require any privileges or user interaction. To exploit this vulnerability, threat actors would send a malicious MSMQ packet to a listening MSMQ service. What is MSMQ? Microsoft Message Queueing is a technol...

Ionut Ilascu at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-04-12 (WEDNESDAY) - QUICK POST: QAKBOT (QBOT), DISTRIBUTION TAG OBAMA251 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-04-12-obama251-Qakbot-notes.txt.zip 4.0 kB (4,010 bytes) 2023-04-12-obama251-Qakbot-malspam-10-examples.zip 704 kB (703,721 bytes) 2023-04-12-obama251-Qakbot-infection.pcap.zip 37.5 MB (37,534,725 bytes) 2023-04-12-obama251-Qakbot-malware-samples.zip 4.3 MB (4,291,772 bytes) Click here t...

2023-04-14 (FRIDAY) - QUICK POST: ICEDID (BOKBOT) ACTIVITY NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-04-14-IcedID-notes.txt.zip 2.6 kB (2,606 bytes) 2023-04-14-firebasestorage-URL-harvesting.pcap.zip 4.6 kB (4,649 bytes) 2023-04-14-IcedID-infection-traffic.pcap.zip 3.3 MB (3,314,607 bytes) 2023-04-14-IcedID-email-example-and-malware-samples.zip 12.0 MB (11,966,221 bytes) Click here to return to the main p...

2023-04-13 (THURSDAY) - METASTEALER INFECTION REFERENCE: //twitter.com/Unit42_Intel/status/1646940355936256000 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-04-13-IOCs-for-MetaStealer-infection.txt.zip 2.2 kB (2,175 bytes) 2023-04-13-MetaStealer-malspam-example.eml.zip 3.2 kB (3,156 bytes) 2023-04-13-MetaStealer-C2-traffic.pcap.zip 7.7 MB (7,724,880 bytes) 2023-04-13-MetaStealer-malware-and-artifacts.zip 28.1...

Censys

CERT-AGID

Summary of malicious campaigns in the week of 8 – 14 April 2023. 15/04/2023 Summary. This week, CERT-AgID observed and analysed, within the Italian scenario it monitors, a total of 20 phishing campaigns (no malware campaigns targeting Italy), making the 54 related indicators of compromise (IOCs) identified available to its accredited entities. Below we report the details of the categories illustrated in the charts, resulting from the d...

Yehuda Gelb at Checkmarx Security

The open-source ecosystem plays an essential role in today’s software development landscape. It enables developers to collaborate, share, and build upon each other’s work, accelerating innovation and software quality. However, this vast ecosystem also presents unique security challenges. When attackers infiltrate the open-source supply chain by distributing malicious packages, they put countless projects and organizations at risk. This blog will delve into the following: 1. Why simply reporting on...

Cisco’s Talos

By Jaeson Schultz Thursday, April 13, 2023 00:04 On The Radar, Threats. Phishing attacks are increasingly more targeted and customized than in the past. The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users. The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims. Artificial Intelligence ...

By Jonathan Munshaw Thursday, April 13, 2023 14:04 Threat Source newsletter. Welcome to this week’s edition of the Threat Source newsletter. Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals. On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of bei...

By William Largent Friday, April 14, 2023 16:04 Threat Roundup. Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information ...

Cofense

360 Threat Intelligence Center

Analysis of APT-C-28 (ScarCruft) group attack activity targeting South Korea. Original research by the 360 Advanced Threat Research Institute, 360 Threat Intelligence Center. APT-C-28 (ScarCruft), also known as Konni, is an APT group active on the Korean Peninsula that mainly carries out cyber attacks against government institutions in neighbouring countries and regions, primarily to steal sensitive information. The group's activity can be traced back to 2014; in recent years it has been highly active and has been continuously tracked and disclosed by several domestic and foreign security teams. Recently, the 360 Advanced Threat Research Institute has repeatedly observed the group's targeted attack operations against South Korea. In this round of attacks, the group used enticing file names such as "reward list" and "payment", along with lure content such as "cryptocurrency" and "contacts", to induce users...

Cyfirma

Weekly Attack Type and Trends. Key Intelligence Signals: Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Cyber Espionage, Data destruction, Persistence, and Lateral movement. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption, Information Exposures. Ransomware – Royal Ransomware | Malware – Cry...

Darktrace

11 Apr 2023 Social engineering has become widespread in the cyber threat landscape in recent years, and the near-universal use of social media today has allowed attackers to research and target victims more effectively. Social engineering involves manipulating users to carry out actions such as revealing sensitive information like login credentials or credit card details. It can also lead to user account compromises, causing huge disruption to an organization’s digital estate. As peop...

Dragos

By Dragos, Inc. 04.14.23 Our annual 2022 ICS/OT Threat Landscape webinar, moderated by Dr. Thomas Winston, Director of Intelligence Content, and delivered by Kent Backman, Principal Adversary Hunter, and Josh Hanrahan, Senior Adversary Hunter, covers the significant events and activity reported by the Dragos Threat Intelligence team in our 2022 ICS/OT Cybersecurity Year in Review report. This blog highlights the main topics and trends shared in our recent webinar,...

EclecticIQ

This issue of the Analyst Prompt discusses three cybersecurity incidents. The first involves the Telerik vulnerability, which was exploited to target US government entities. The second incident involves North Korean threat actors using generic malware to steal emails. The third incident involves the Clop ransomware group claiming to have compromised 130 organizations via a vulnerability in GoAnywhere MFT. EclecticIQ Threat Research Team – April 12, 2023 Exploit Tools and Targets: Threat Actors E...

Devon Kerr at Elastic

By Devon Kerr 03 April 2023 Credential Access Breakdown. In the second part of our breaking down the Elastic Global Threat Report series, we’re focusing on the credential access tactic, which was the third-most common category of behavior we observed. Roughly 10% of all techniques we saw involved one form of credential theft or another and dissecting this class of behaviors is helpful both to improve our understanding of threats an...

Esentire

Bob Rudis at GreyNoise

Duo Tags For Identifying Microsoft Message Queue Scanners Live Now - QueueJumper (CVE-2023-21554). boB Rudis, April 12, 2023, Vulnerabilities, Mass Exploitation. Check Point Research discovered three vulnerabilities in Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. The other two vulnerabilities involve unauthenticated remote DoS attacks: CVE-2023-217...

Adam Rice at Huntress

In a previous life before joining Huntress, I was a Splunk administrator and architect. Over time I noticed a few features/behaviors of Splunk that I thought might be exploitable and wanted to dive into that suspicion and see if I was correct. Over the last year, I've been tinkering with the viability of using Splunk as a "living off the land" command and control (C2) server. Fun Fact: A Living off the L...

Bukar Alibe at INKY

Posted by Bukar Alibe. Today’s phishing tale has all the makings of a gangster movie – fugitives, theft, crime rings, and tax fraud. It starts with a clever phishing email that, when properly unraveled, provides some added insight into the world of cybercrime. Before we get into the phish at hand (spoiler alert: tax professionals beware) we’d like to provide a little background. FBI Brands Kim Dotcom a Fugitive and the Leader of an Internet Upload Crime Ring. As a teenager, Kim Schmitz began ma...

Intel471

Apr 13, 2023 Cybercrime has become increasingly challenging to defend against because of its scale, which has been enabled by the cybercrime-as-a-service economy. Rather than lone wolf cybercriminals performing every task needed to compromise and monetize a computer or account, those tasks are now covered by specialists. Malware and botnets can be rented. Vulnerability information can be purchased. Cybercriminals no longer have to learn how to do every action to execute an operation. They can bu...

Kijo Niimura

Luis Francisco Monge Martinez

Hunting threats without leaving home — Part I. Intro. Many times, talking to friends who work in other professions, I tell them how lucky we are, those of us who work in the IT industry. We, unlike 99% of the occupations, can create realistic environments for testing, learning, practicing… and when we are done with those environments we can destroy them and the expense of material will have been zero. How lucky we are! Those of us who are passionate about computer security are even luckier; since its...

Luis Francisco Monge Martinez, Apr 10, 5 min read. Hunting threats without leaving home — Part II. Feeding our lab. The data. In the last post we set up a platform to store the data. Now we need to feed it with some data. One way would be to install Windows virtual machines, Winlogbeat and Sysmon, but we will do that later. Now I want to talk about Mordor. Mordor. This project, also maintained by Roberto Rodríguez and ...

Hunting threats without leaving home — Part III. Analyzing the data with Kibana. Hey, hunters! How’s the hunting season going? After what we saw in previous posts Intro I and Intro II, in this article we will continue to understand and improve our Threat Hunting lab. We have already learned how to enter our data about real attacks and now we will learn how to exploit that data. Being able to visualize the data in a comfortable way is, along with selecting good data sources, the most important part of ...

Hunting threats without leaving home — Part IV. Grafiki 🐵. In this post I will cover something very special to me. In the previous entries Intro I, Intro II and Analyzing our data, we saw the exploitation of information with Kibana and its usefulness in seeing potential anomalies at a glance. After a lot of work with Kibana, spending many hours creating visualizations and dashboards, there was one visualization that I missed: the graphs! In that sense, I read some time ago the sentence “Defenders thin...

Jupyter Notebooks 🪐. Previous posts: Intro I, Intro II, Analyzing our data and Grafiki. Do you remember the first post when we talked about what is and what is not Threat Hunting? Well, an essential part of it is the generation of intelligence. It’s good that we are the best at detecting abnormal behavior, but if all that acquired intelligence is not transformed into structured and repeatable information we lose one of the most valuable parts of the process. Structured, so that anyone other than the au...

Malwarebytes Labs

Posted: April 13, 2023 by Threat Intelligence Team Cl0p was the most used ransomware in March 2023, dethroning the usual frontrunner LockBit, after breaching over 104 organizations with a zero-day vulnerability. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture...

Jérôme Segura at Malwarebytes Labs

Posted: April 14, 2023 by Jérôme Segura. Scammers are buying ads for the most common Google searches made by seniors and defrauding them with tech support scams. Knowing their audience is something scammers excel at, and for very good reason. This is particularly true for tech support scammers whose prime targets are seniors. By understanding what retirees are searching for and abusing various online platforms, crooks can precisely go after the demographic they are interested in and lure them ...

Matt Edmondson at SANS

Matt Edmondson Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations The Dark Web's anonymity attracts a variety of users. Explore the various techniques used to identify the individuals behind these sites and personas. April 10, 2023 On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the se...

Microsoft Security


Microsoft Security Insights Show

Logs, logs and more logs. Andrea Fisher, Apr 12, 2023. I recently wrote a blog called What should I log in my SIEM? and someone recommended that I do a follow up on what Windows Event logs are helpful in addition to the Security log. It’s a truth universally acknowledged, that a SIEM must contain Windows event logs. But which ones? I think thi...

Microsoft Security Response Center

MSRC, Security Research & Defense / By MSRC / April 11, 2023 / 6 min read. Summary. Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with various security best practices. This is particularly important in deploying Azure Functions and in provisioning Azure Role Ba...

Microsoft’s ‘Security, Compliance, and Identity’ Blog

Gustavo Palazolo at Netskope

Ryan Chapman at Palo Alto Networks

By Ryan Chapman, April 13, 2023 at 6:00 AM. Category: Ransomware. Tags: Cortex XDR, PowerShell Scripts, Vice Society. Executive Summary. During a recent incident response (IR) engagement, the Unit 42 team identified that the Vice Society ransomware gang exfiltrated data from a victim network using a custom-built Microsoft PowerShell (PS) script. We’ll break down the script used, explaining how each function works...

Jessica Ellis at PhishLabs

Emotet Returns from Hiatus, Trails QBot in Q1 Volume. By Jessica Ellis | April 13, 2023. QBot and Emotet payloads contributed to more than 93% of reported payload volume in Q1, according to Fortra’s PhishLabs. While QBot represented the majority of attacks, this is the first known activity by Emotet actors since 2022 and the largest spike in Emotet reports since Q2 of last year. Email payloads remain the primary delivery method of ransomware targeting organization...

Pierre Jourdan at 3CX

Red Alert

Monthly Threat Actor Group Intelligence Report, February 2023 (ENG). This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 January 2023 to 20 February 2023. In February, activities by a total of 23 Threat Actor Groups were identified, in which activities by SectorA were the most prominent at 28%, followed by the SectorE and SectorJ groups. Threat Actors identified in February carried out the highest number of att...

Miles Arkwright and James Tytler at S-RM Insights

Miles Arkwright, James Tytler, 14 April 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our in...

SANS Internet Storm Center

SEC Consult

BumbleBee hunting with a Velociraptor. 11.04.2023 research. BumbleBee, a malware which is mainly abused by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence - the SEC Consult Digital Forensics and Incident Response team. During his research, he used several tools and techniques to define ways to detect the presence of BumbleBee on a compromised infrastructure. The various detection opportunities described in the report can be useful...

Securelist

Research, 10 Apr 2023. Table of Contents: Methodology; Key findings; Types of malicious services offered on the dark web; Google Play loaders; Binding service; Malware obfuscation; Installations; Other services; Average prices and common rules of sale; How deals are made; Conclusion and recommendations. Authors: Kaspersky Security Services, GReAT. In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers, targeting mobile users. Although the most common way of distributin...

APT reports, 12 Apr 2023. Table of Contents: Beginning of tracking DeathNote; Shifting focus to the defense industry; Expanded target and adoption of new infection vector; An ongoing attack targeting a defense contractor with updated infection tactics; Post-exploitation; Attribution; Indicators of Compromise. Beginning of tracking DeathNote...

Research, 11 Apr 2023. Table of Contents: Elevation-of-privilege exploit; Post exploitation and malware; Conclusions; Indicators of compromise. Authors: Boris Larin. In February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These exploits were very similar to already known Common Log File ...

Malware reports, 13 Apr 2023. Table of Contents: Introduction; RapperBot: “intelligent brute forcing”; Rhadamanthys: malvertising on websites and in search engines; CUEMiner: distribution through BitTorrent and OneDrive; Conclusion. Authors: GReAT. Introduction. Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this ...

Security Intelligence

In every industry, visionaries drive progress and innovation. Some call these pioneers “crazy”. The same rule applies to the world of cyber gangs. Most threat groups try to maintain a low profile. They don’t seem to trust anyone and want tight control over money flow. Then along came LockBit. Not only does the group maintain a high profile, but they’ve also turned ransom monetization upside down. Thanks to their innovative approach, the group has claimed 44% of total ransomware attacks launched ...

In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous and complex. Because intelligence providers tend to feed every piece of information to their users, many people think ...

Information-stealing malware has become extremely pervasive in recent years. This malware harvests millions of credentials annually from endpoint devices and enterprises across the globe to devastating effects. Using highly automated and orchestrated attack methods, threat actors and initial access brokers provide an endless supply of compromised credentials to cyber criminal syndicates who use those credentials as early points of entry into company networks, databases and critical online applic...

This blog was made possible through contributions from Christopher Caridi. IBM Security X-Force recently discovered a new malware family we have called “Domino,” which we assess was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7. Former members of the Trickbot/Conti syndicate which X-Force tracks as ITG23 have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capabl...

BalaGanesh at Security Investigation

OS Credential Dumping - LSASS Memory vs Windows Logs; Credential Dumping using Windows Network Providers – How to Respond; The Flow of Event Telemetry Blocking – Detection & Response; UEFI Persistence via WPBBIN – Detection & Response; Network Attack: What is Port Forwarding and the Security Risks?; CVE-2021-4034 – Polkit Vulnerability Exploit Detection; DNSSEC – Domain Name System Security Extensions Explained; Detect Most Common Malicious Actions in the Linux Environment; How DNS Tunneling works – Detec...

Sekoia

This blog post aims at presenting the main techniques, tools and social engineering schemes used by the cybercriminals from the Russian-speaking infostealer ecosystem and observed by Sekoia.io analysts in the past year. CTI, Cybercrime, Dark Web, Stealer. Threat & Detection Research Team, April 11 2023, 11 minutes reading. Table of contents: Introduction; Context; Malvertising and SEO-poisoning to spread malicious websites; Large-scale malvertising; A look at the use of Google Ads by R...

SentinelOne

April 10, 2023 by SentinelOne. With the rise of cloud computing, businesses can store troves of data online and access it from anywhere at any time. However, this convenience comes with a price. Cybercriminals are always looking for vulnerabilities in the cloud and one of the most alarming threats to emerge is cloud ransomware. Cloud ransomware is malware that targets cloud-based storage systems and encrypts data held in the cloud, making it inaccessible unless the compromised party agrees to...

Aleksandar Milenkoski / April 13, 2023 Executive Summary SentinelLabs has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe). We assess that this activity is part of the group’s previously reported targeting of the education sector in the Indian subcontinent. We observed APT36 introducing OLE embedding to its typically used techniques for staging malware from lure documents and versioned changes to the implementation of Crimson RAT, in...

Jagadeesh Chandraiah at Sophos

The end of the fiscal year is already hectic enough, but would-be scammers just don’t care whom they affect. Written by Jagadeesh Chandraiah, April 12, 2023. It’s tax season in many parts of the world and the end of the fiscal year in others, giving attackers a hook on which to hang an annual round of themed attacks. India’s fiscal year ended on 31 March, and as happens all over the world, threat actors are targeting those completing tax-r...

Splunk

By Splunk Threat Research Team, April 13, 2023. The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet. Despite efforts from Microsoft to provide stable drivers and implement checks to prevent malicious or vulnerable drivers from loading, these controls...

Oren Biderman, Amnon Kushnir, Gopal Purohit, Dan Saunders, and Etai Livne at Sygnia

April 10, 2023. Key Takeaways: The FBI’s Internet Crime Complaint Center (IC3) recently published their internet crime report for 2022. The report indicates that during 2022 there was an increase in ransomware attacks, and the reported cases resulted in a loss of more than $34.3 million. The report indicates that during 2022, the IC3 received 870 complaints regarding ransomware infection from organizations belonging to 14 out of 16 critical infrastructure sectors (e.g., healthcare, critical manufa...

Threatmon

Max Kersten at Trellix

By Max Kersten · April 13, 2023 The underground intelligence was obtained by N07_4_B07. Another day, another ransomware-as-a-service (RaaS) provider, or so it seems. We’ve observed the “Read The Manual” (RTM) Locker gang, previously known for their e-crime activities, targeting corporate environments with their ransomware, and forcing their affiliates to follow a strict ruleset. Is this yet another ransomware gang, or is there more to this gang and their locker than meets the eye? This blog inve...

Trend Micro

TrustedSec

On the Road to Detection Engineering. April 11, 2023, by Leo Bastidas in Career Development, Incident Response, Penetration Testing, Purple Team Adversarial Detection & Countermeasures. Introduction: People have asked numerous times on Twitter, LinkedIn, Discord, and Slack, “Leo, how do I get into Detection Engineering?” In this blog, I will highlight my unique experience, some learning resources you might want to get your hands on (all free or low cost), and extras that have helped me overall. I’m ...

Hacking Your Cloud: Tokens Edition 2.0. April 13, 2023, by Edwin David in Cloud Penetration Testing, Office 365 Security Assessment. Office and Microsoft 365 tokens can add some interesting dynamics to Azure and Microsoft 365 services penetration testing. There are a few different ways of getting JWT tokens, but one (1) of the primary ways is through phishing. In this blog, we are going to explore strategies on gaining maximum efficiency with Office tokens, different toolsets, and how to use them t...

Megan Garza at Varonis

Megan Garza, last updated Apr 10, 2023. Last year alone, the Varonis Incident Response team investigated more than 250K alerts. No, that’s not a typo — our IR team reviewed a quarter of a million alerts. With ransomware on the rise and the amount of data growing at an exponential pace, having a proactive team on the frontline is more important than ever. In our latest masterclass, Mike Thompson, Raphael Kelly, and Chris Kisselburgh from the Varonis IR team discussed current glo...

Viktor Hedberg at Truesec

Recently, we discovered that there are possibilities to export all Conditional Access policies in a tenant using nothing other than end user permissions, meaning no admin privileges are required to perform this operation at all. Viktor Hedberg. Background: We needed a toolkit to help us quickly understand how an Azure Active Directory tenant is configured. This toolkit needed to be able to perform actions such as: exporting the number of admins in the tenant; exporting Conditional Acce...

Zain ul Abidin

Introduction: In the world of cybersecurity, every second counts. The longer it takes for a security team to detect and respond to a threat, the more damage can be done. That’s why security teams need to understand and measure two critical metrics: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). In this blog post, we’ll explore what MTTD and MTTR are and how they relate to QRadar. What is MTTD? Mean Time to Detect (MTTD) is the average amount of time it takes for a security team to detec...