Analysis Notes

A place to note things from my attempts at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 20 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that you can skim through and pick the articles to check. 4n6 itself can be viewed here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

May 12, 2023 in Autostart (Persistence), LOLBins I just realized I have never published a post about lolbinish/persistencish Matlab feature that I referred to in this twit. The Tl;dr; is that Matlab can load a DLL of our choice when we use its feature that is both Matlab-user friendly, and … unbelievable. Using the following command line invocation: MATLAB.exe -nosplash -nodesktop -r "run('c:\test\test.m'); exit;" we can instruct matlab to load the matlab file named ‘test.m’ in a batch-like fash...

Adam Goss

Python Threat Hunting Tools: Part 2 — Web Scraping. Adam Goss, 8 min read, May 8. Welcome back to this series on building threat hunting tools! In this series, I will be showcasing a variety of threat hunting tools which you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple with a focus on being easy to understand and implement. This is so that you, the reader, can…

Adam Goss, 8 min read, 4 days ago. Threat intelligence platforms help organizations collect, analyze, and share information about potential cyber security threats. They enable businesses to proactively detect and respond to threats by aggregating data from various sources into a single screen. This data is correlated, enriched, and made actionable through visualization tools…

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed....

AttackIQ

Jeremy Fuchs at Avanan

Creating Malicious Content Hosted on Squarespace. Posted by Jeremy Fuchs on May 11, 2023. We have been tracking the next wave of Business Email Compromise attacks. It relies on the use of legitimate services to unleash attacks. There’s nothing fake or spoofed about these emails. These are legitimate emails, sent from legitimate sites, that link to or include malicious instructions. This means that hackers take the services that we use every day, and weaponize them against users. And this is ...

Avertium


May 11, 2023 overview Common Vulnerability Scoring – CVE-2023-24932: CVSS Base Score: 6.7 Impact Subscore: 5.9 Exploitability Subscore: 0.8 Overall CVSS Score: 6.7 Microsoft has issued security updates for a Secure-Boot zero-day vulnerability (CVE-2023-24932) that has been exploited by BlackLotus UEFI malware in the wild. This exploit has allowed the malware to infect Windows systems that were already fully patched. Secure Boot prevents rootkits from loading during the boot process on computers ...

Marshall Jones and Deric Martinez at AWS Security

by Marshall Jones and Deric Martinez | on 10 MAY 2023 | in Advanced (300), Amazon Aurora, Best Practices, Security, Identity, & Compliance. With Amazon Relational Database Service (Amazon RDS), you can set up, operate, and scale a relational database in the AWS Cloud. Amazon RDS provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. If you use Amazon RDS for your workloads, you can n...

Black Hills Information Security

moth // Introduction One fateful night in June of 2022, Ethan sent a message to the crew: “Anyone know ways to fool Auditd on Linux? I’m trying to figure out how to change the auid (audit user id) field. This field remains the same even if you use su or sudo (there are other user id fields that track these changes).” Ethan also helpfully sent a reference link to describe what he was looking at. Now, do I know Auditd well enough to warrant looking into this myself? No. Am I a big enough fan of Li...

Blackberry

SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey. RESEARCH & INTELLIGENCE / 05.08.23 / The BlackBerry Research & Intelligence Team. Summary: The BlackBerry Threat Research and Intelligence team has been actively tracking and monitoring the SideWinder APT group, which has led to the discovery of their latest campaign targeting Pakistan government organizations. In this campaign, ...

Lawrence Abrams at BleepingComputer

Amanda Berlin at Blumira

CERT EU

CERT-AGID

Summary of malicious campaigns in the week of 6 – 12 May 2023. 12/05/2023. Summary: This week, CERT-AgID detected and analyzed, within the Italian scenario it monitors, a total of 46 malicious campaigns, 45 of which targeted Italy and one generic campaign that nonetheless affected Italy, making the related 267 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types ...

Check Point

Research, Security. May 11, 2023. April 2023’s Most Wanted Malware: Qbot Launches Substantial Malspam Campaign and Mirai Makes its Return. By Check Point Team. Check Point Research uncovered a substantial malspam campaign for Trojan Qbot, which came in second in last month’s threat ind...

Yehuda Gelb at Checkmarx Security

A new stealthier type of Typosquatting attack spotted, targeting NPM. Yehuda Gelb, published in checkmarx-security, 5 min read, 6 days ago. In the evolving world of cybersecurity, attackers are always looking for new ways to exploit weaknesses and compromise systems. Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attac...

CISA

Last RevisedMay 11, 2023 Alert CodeAA23-131A SUMMARY The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023. According to FBI obser...

Cisco’s Talos

By Tiago Pereira, Wednesday, May 10, 2023 08:05, Threat Advisory. A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots. Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attach...

By Jonathan Munshaw, Thursday, May 11, 2023 14:05, Threat Source newsletter. Welcome to this week’s edition of the Threat Source newsletter. I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware. Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now. It seems like if you we...

By William Largent, Friday, May 12, 2023 15:05, Threat Roundup. Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 5 and May 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provid...

Csaba Fitzl at ‘Theevilbit’

Beyond the good ol' LaunchAgents - 30 - The man config file - man.conf May 10, 2023 2 minutes read persistence • beyond macos • persistence • beyond This is part 30 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. I was watching an old BSidesLuxemburg 2019 talk by Aaron Jewitt, called “Threat Hunting On Linux And Mac With Auditbeat System Module”, it’s up on YouTube. Aaron mentioned i...

Cyborg Security

Cyfirma

Share : Weekly Attack Type and Trends Key Intelligence Signals: Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leak. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Espionage, and Data Destruction. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption. Ransomware – LockBit 3.0 Ransomware | Malware – FLUHORSE LockBit 3.0 Ransomware –...

Kelsey LaBelle at DomainTools

Dragos

By Dragos, Inc. 05.10.23. On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has a culture of transparency and a commitment to providing educational material to the community. This is why it’s important to us to share what happened during a recent failed extortion scheme against Dragos in which a cybercriminal group attempt...

New Knowledge Pack Released (KP-2023-002). By Dragos, Inc. 03.06.23. While preparing this Knowledge Pack, Dragos assessed newly disclosed vulnerabilities in over 800 products from vendors including: Siemens, Mitsubishi Electric, Weidmueller, SAUTER Controls, and Baicells. Over 280 characterizations and 560 detections are included in KP-2023-002 for customers running Dragos Platform 2.x. Full release notes are available for registered customers in the Dragos Customer...

EclecticIQ

Creative Ransomware Extortion and Further Malware Capabilities With ChatGPT This release of the Analyst Prompt provides insight into how macro tactics and techniques in the ransomware landscape are once again shifting and how this changes risk perception. EclecticIQ analysts also provide a prudent update on threat actor opportunities for integrating ChatGPT capabilities for malicious design. Aleksander W. Jarosz – May 9, 2023 The Blackcat-Western Digital Ransomware Cyberattack Serves a Good Exam...

EQSTLab


Flashpoint

Through Operation MEDUSA, the FBI, and the U.S. Attorney’s Office for the Eastern District of New York neutralized the FSB’s premier cyberespionage malware implant in coordination with multiple foreign governments. Flashpoint, May 9, 2023. “The Justice Department today announced the completion of a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called ‘Snake’, that the U.S. Government attributes...

Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, and insider threats. Flashpoint Intel Team, May 11, 2023. Table of Contents: Ransomware; Vulnerabilities; Insider Threat; Takedowns: Genesis Market. Ransomware: Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, with cybercrimin...

Fortinet

Ransomware Roundup - Maori By Shunichi Imano and James Slaughter | May 12, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This latest edition of the Ransomware Roundup covers the Maori ransomware. Affec...

GuidePoint Security

Trevor Borden at InQuest

Posted on 2023-05-10 by Trevor Borden YARA is a popular and powerful tool for identifying and classifying malware. It has been in use for many years and is widely referenced by cybersecurity professionals to detect threats. In 2022, Greg Lesnewich started #100DaysofYARA, as an initiative, similar to #100DaysOfCode, to engage with YARA for the first 100 days of the year. The challenge involves contributing to the community by writing and sharing one new YARA rule each day for 100 days, either wor...

Intrusion Truth

What’s Cracking at the Kerui Cracking Academy? intrusiontruth in APT31, May 11, 2023, 682 Words. A brand-new investigation – we know you love it. We’re back once more to tell a familiar tale: how an MSS-sponsored APT group – known for its hacking operations around the world – has been caught red-handed. This time, in Wuhan. It should come as no surprise that Wuhan was already a place of interest to us before the city reached global fame in 2020. Wuhan is home to some of China’s most imp...

intrusiontruth in APT31, May 12, 2023 (May 11, 2023), 484 Words. Our last article introduced the mysterious graduates of Kerui Cracking Academy. As luck would have it, said mysterious graduates have left feedback, complete with graduate destinations and contact details on Kerui’s website. We won’t bore you by going through each individual piece of feedback – feel free to peruse at your leisure. Suffice it to say that Kerui graduates were pretty pleased with their student experience. But there were a f...

All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company. intrusiontruth in APT31, May 13, 2023 (May 11, 2023), 871 Words. As our readers know from our investigation into Hainan Xiandun Technology Development Company, the Intrusion Truth team have become quite adept at spotting a fishy front company when we see one. Typically, these are ‘companies’ with a generic-sounding ‘technology’ name and a minimal online presence. They often post adverts on university websites looking for graduates...

Shusei Tomonaga at JPCERT/CC

朝長 秀誠 (Shusei Tomonaga) May 12, 2023 Attack Trends Related to DangerousPassword Email JPCERT/CC has observed attacks on cryptocurrency exchanges believed to be related to DangerousPassword attack campaign (also known as CryptoMimic or SnatchCrypto) continuously since June 2019. For many years, attackers have been using an attack technique of infecting targets with malware by sending shortcut files to them via email. However, it is known that they also use various other patterns of attacks to inf...

Kim Zetter at ‘Zero Day’

Timeline of the SolarWinds Hack and Investigation. To accompany an in-depth feature story I wrote for WIRED about the SolarWinds hack--considered the most sophisticated and boldest supply-chain hack ever pulled off--here's a timeline of events. Kim Zetter, May 9, 2023 (Paid). Photo: Suzanne Cordeiro/Getty Images. Last week, after ...

Laurie Iacono, Stephen Green, and Dave Truman at Kroll

Laurie Iacono Stephen Green Dave Truman Key Takeaways Kroll has identified a new ransomware strain which we're calling CACTUS, active since at least March 2023. CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access. Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and det...

Logpoint

Matt Suiche at Magnet Forensics

This memory analysis post is authored by Matt Suiche (Director, Memory, IR & R&D). This week, a joint cybersecurity advisory was issued by the cybersecurity authorities (AA22-110A) of the United States, Canada, Australia, New Zealand and United Kingdom to provide an overview of Russian state-sponsored cyber operations and TTPs. In the advisory AA23-129A, we learn more about intelligence collection capabilities used by an implant dubbed as “Snake” to target multiple industries in multiple countri...

Malwarebytes Labs

Posted: May 8, 2023 by Threat Intelligence Team LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best overall picture of ransomware activity, but the true number of a...

Posted: May 10, 2023 by Bill Cozens How MSPs can prepare for the complex landscape of mobile malware. Whether a company gives them out or they're owned by the employees or students, mobile devices are like honey for cybercriminals. And the kicker? Most of these devices are not protected enough. Just check out the following stats from last year: 18 percent of clicked phishing emails in 2022 came from a mobile device. (Verizon Mobile Security Index 2022) 46 percent of organizations that had suffer...

MDSec

Nighthawk 0.2.4 – Taking Out The Trash. May 2nd 2023. Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in November and while several months have passed, we’ve continued to be busy in the background releasing new versions and features to customers, as well as beginning a separate and parallel development stream on a design re-architecture. With our latest...

Michael Haag

Living Off The Land Drivers 1.0 Release: New Features, Enrichments, and Community Contributions. Michael Haag, published in magicswordio, 6 min read, May 8. First — We want to thank everyone for the feedback and comments! We really appreciate it. Introduction: Since its inception, the Living Off The Land Drivers (LOLDrivers) project has seen tremendous growth and success. As a reminder, the project aims to provide a comprehensive and well-maintained repository of drivers with known vulne...

Nisos

by Nisos | May 10, 2023 | Blog, Research Executive Summary Although not officially branded as ‘Trigona’ until October 2022, samples of the ransomware strain have been observed globally prior to the re-branding due to Trigona’s unique characteristics. First, Trigona is written in Delphi programming language, enabling the ransomware to leverage password-protected executables in order to obfuscate the malicious content within. (See source 1 in appendix) Additionally, the ransomware group utilizes a...

Doel Santos, Daniel Bunce and Anthony Galiette at Palo Alto Networks

11 min. read. By Doel Santos, Daniel Bunce and Anthony Galiette, May 9, 2023 at 6:00 AM. Category: Ransomware, Threat Briefs and Assessments. Tags: Cortex XDR, next-generation firewall, Royal Ransomware, WildFire. This post is also available in: 日本語 (Japanese). Executive Summary: Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring...

Proofpoint

Crime Finds a Way: The Evolution and Experimentation of the Cybercrime Ecosystem. May 12, 2023. Selena Larson, Joe Wise and the Proofpoint Threat Research Team. Download full report (PDF). Overview: The cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers. Financially motivated threat actors that gain initial access via email are no longer using static, predictable ...

Reason Labs

May 12, 2023. Malicious actors are leveraging the current number 1 box office movie, Super Mario Bros., to distribute malware. ReasonLabs researchers discovered multiple files downloaded to its users’ devices which were supposed to be Super Mario Bros. but were instead files distributing malicious software. The malicious software, a Trojan virus, installs a web extension that hijacks the user’s search function in order for the cyber attacker to receive monetary gain or steal sensitive information....

Recon Infosec

May 10, 2023 12:54:20 PM / by Eric Capuano. The Recon SOC recently worked an IR case involving the newly emerged Akira Ransomware Group. News didn't begin to break about this threat actor until May 7, 2023, but our investigation shows evidence this crew began this particular campaign in early-mid April. When we began the IR, the targets of the ransomware activity were multiple VMware ESXi servers and a single Windows server. We moved quickly to get the environment into a defensible posture ...

Red Alert

2022 Activities Summary of SectorA groups (KOR). Overview: In 2022, hacking activity by a total of 7 SectorA sub-groups was discovered. Their aim is to collect high-level information on government activities such as politics and diplomacy related to Korea, and in parallel they conduct hacking activity aimed at obtaining monetary assets from targets worldwide. Beyond using file-based malware such as Microsoft Word and Excel documents, SectorA groups were confirmed to have increasingly used phishing web pages disguised as widely used internet services such as Naver and Google. Analysis of SectorA group activity over 2022 shows that SectorA05 was the most active, followed by SectorA06 and SectorA01. [Figure 1: Activity of SectorA sub-...

2022 Activities Summary of SectorB groups (KOR). Overview: In 2022, hacking activity by a total of 22 SectorB sub-groups was discovered. Their aim is to collect high-level information on government activities such as politics and diplomacy from government agencies worldwide, and the individual sub-groups show a pattern of sharing malware and vulnerabilities for their hacking activity. Analysis of SectorB group activity over 2022 shows that SectorB22 was the most active. [Figure 1: Activity of SectorB sub-groups identified in 2022] Looking at the industries most targeted by SectorB groups, personnel and systems in government agencies and defense-related fields were attacked most, followed by manufacturing, education, and IT. [Figure 2: Statistics of industry sectors targeted in 2022] The following shows the 2022 Sect...

2022 Activities Summary of SectorD groups (KOR). Overview: In 2022, hacking activity by a total of 9 SectorD sub-groups was discovered. They mainly conducted hacking activity against countries in political rivalry with the country sponsoring the hacking groups, and the purpose of recent SectorD hacking activity is assessed as collecting high-level information on government activities such as politics and diplomacy of individuals or countries opposed to the sponsoring country. Analysis of SectorD group activity over 2022 shows that SectorD02, SectorD05, and SectorD10 were the most active, at 20% each. [Figure 1: Activity of SectorD sub-groups identified in 2022] Looking at the industries most targeted by SectorD groups, personnel and systems in government agencies and the education sector were attacked most. [...

2022 Activities Summary of SectorC groups (KOR). Overview: In 2022, hacking activity by a total of 11 SectorC sub-groups was discovered. Their aim is assessed as collecting high-level information on government activities such as politics and diplomacy from government agencies worldwide, including countries neighboring the country sponsoring the hacking groups. Analysis of SectorC group activity over 2022 shows that SectorC08 was the most active. [Figure 1: Activity of SectorC sub-groups identified in 2022] Looking at the industries most targeted by SectorC groups, personnel and systems in government agencies and defense-related fields were attacked most. [Figure 2: Statistics of industry sectors targeted in 2022] The following map marks the countries targeted by SectorC groups in 2022; the darker the red...

2022 Activities Summary of SectorJ groups (KOR). Overview: In 2022, hacking activity by a total of 32 SectorJ sub-groups was discovered. Unlike other government-sponsored hacking groups, they steal online information with monetary value that can be converted into real-world financial profit, directly hack specific companies and organizations and then distribute ransomware inside their internal networks, or steal important industrial secrets and then use them as leverage for extortion demanding payment. Analysis of SectorJ group activity over 2022 shows that SectorJ09 was the most active. [Figure 1: Activity of SectorJ sub-groups identified in 2022] Looking at the industries most targeted by SectorJ groups, the commercial facilities sector, including online marketplaces and eCommerce, ...

Ryan Chapman at SANS

Ryan Chapman Ransomware: Every internet-connected network is at risk. Be prepared! As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. Here is what you can do to prepare. May 4, 2023 Cyber criminals are targeting every type of organization, from small businesses to large enterprises. Many people tend to believe that ransomware actors only target large enterprises and/or critical systems; unfortunately, the opposite is true. If you ha...

S-RM Insights

Miles Arkwright, James Tytler, 12 May 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. CYBER SECURITY INSIGHTS REPORT 2022: We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intell...

Shaun McCullough at SANS

Shaun McCullough. What Is Threat Detection? Three ingredients for a top-notch threat detection program in the Cloud. May 8, 2023. Threat Detection in the Cloud: Threat detection is identifying and responding to security incidents to prevent or mitigate attacks and security breaches. A simple sentence, but one that is a significant undertaking to implement well. This post looks at three ingredients to implement a top-notch threat detection program in your cloud environment. Remember that building a thr...

SANS Internet Storm Center

Securonix

Threat Research Share By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov TL;DR An unusual attack/phishing campaign delivering malware while using meme-filled code and complex obfuscation methods continues dropping Xworm payloads for the last few months and is still ongoing today. Intro For the last few months, an interesting and ongoing attack campaign was identified and tracked by the Securonix Threat Research team. The attack campaign (tracked by Securonix as MEME#4CH...

Sekoia

Sophos

The latest edition of Sophos’ annual ransomware study reveals the reality facing organizations in 2023, including the frequency, cost and root cause of attacks. Written by Sally Adam, May 10, 2023. Sophos has released its annual State of Ransomware 2023 report, revealing deep insights into the ransomware challenges facing businesses today based on a survey of 3,000 IT/cybersecurity professionals acros...

A new recently observed ransomware family dubbed Akira uses a retro aesthetic on their victim site very reminiscent of the 1980s green screen consoles and possibly takes its namesake from the popular 1988 anime film of the same name. Written by Paul Jaramillo, May 09, 2023. On April 6, 2023, the Sophos Incident Response team was engaged to support a ransomware victim organization in North America. The follow...

Cody Thomas at SpecterOps

Cody Thomas, published in Posts By SpecterOps Team Members, 11 min read, 6 days ago. — Title by ChatGPT for introducing Mythic 3.0. What is Mythic? Mythic is a plug-n-play command and control (C2) framework that heavily leverages Docker and a microservice architecture where new agents, communication channels, and modifications can happen on the fly. Some of the Mythic project’s main goals are to provide quality of life improvements to operators, improve maintainability of agents, enabl...

Squiblydoo.blog

Posted by squiblydoo, May 12, 2023 (May 7, 2023). Posted in Uncategorized. Tags: analysis, Certificate, deepdive, infostealer, malware, Polazert, registry. This material was presented at SLEUTHCON on May 12, 2023. Abstract: Authenticode Certificates are intended to ensure that software is created by vetted parties and that the software can be trusted; however, malware is often signed with valid Authenticode certificates and the process for signing malware and the implications are often misunderstood within I...

Tom Wechsler at Microsoft

Advanced threat hunting within Active Directory Domain Services - Knowledge is power! TomWechsler, MVP, May 12 2023 07:32 AM...

Khristian Joseph Morales and Gilbert Sison at Trend Micro

Managed XDR Investigation of Ducktail in Trend Vision One™. The Trend Micro Managed XDR team investigated several Ducktail-related web browser credential dumping incidents involving different customers. By: Khristian Joseph Morales, Gilbert Sison, May 09, 2023. In July 2022, security researchers discovered an operation called Ducktail, in which threat actors used information-stealing malware to target individuals and employees who might have access to Fa...

Joshua St. Hilaire at Vectra AI

Command and Control (C2) Evasion Techniques. By Joshua St. Hilaire | January 28, 2021. Part 1: JA3/S randomization / Cipher Stunting. JA3 has been gaining some popularity within the security community to easily flag known tools or malware using a signature which can be generated easily from the Transport Layer Security (TLS) values used during communication which employs such encryption. Though JA3 signatures are easy to use and seem like an easy way in which defenders can...

Bernardo.Quintero at VirusTotal

Friday, May 12, 2023, Bernardo.Quintero. Following the announcement of VirusTotal Code Insight at the RSA Conference 2023, we've been thrilled by the overwhelmingly positive response from the cybersecurity community. As enthusiasm grows, we've been flooded with inquiries from those keen to discover more about Code Insight. To address these questions, we've put together a Q&A covering popular topics, including news about the tool's expanded capabilities. Our aim is to establish real...

VulnCheck

Jonathan McCay, Joshua Platt and Jason Reaves at Walmart

MetaStealer: String Decryption and DGA overview. Jason Reaves, published in Walmart Global Tech Blog, 5 min read, 6 days ago. By: Jonathan McCay, Joshua Platt and Jason Reaves. Unit42[1] recently tweeted about a campaign starting with a malicious email link that downloads a OneNote file used to drop and execute MetaStealer. While investigating the MetaStealer sample[2], we noticed it attempts to connect to multiple domains that seemed to be randomly named. After landing on the C2 routin...

Jean-Ian Boutin at WeLiveSecurity

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023 Jean-Ian Boutin 9 May 2023 - 11:30AM Share An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023 ESET APT Activity Report Q4 2022–Q1 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end o...