Analysis Notes

A place to note things from my own malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 21 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through and pick the articles to check. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam Goss

Python Threat Hunting Tools: Part 3 — Interacting with APIs. Adam Goss, 11 min read, 4 days ago. Welcome back to this series on building threat hunting tools! In this series, I will be showcasing a variety of threat hunting tools that you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple, focusing on being easy to understand and implement. This is so that you, the…

Adam Goss, 10 min read, 1 day ago. The AI takeover has begun. Let’s take back control and learn ten ways to use ChatGPT to aid your threat hunting. The power of AI allows you to augment your threat hunting in ways that were unobtainable before. As a threat hunter, I have needed to jump in and find ways that AI can help me elevate my threat hunting skills to stay ahead of the game. This article…

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Credential theft, China, Exploits, Phishing, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discusse...

AttackIQ

Avertium

May 16, 2023 Executive Summary On April 18, 2023, threat actors started exploiting two PaperCut vulnerabilities tracked as CVE-2023-27350 and CVE-2023-27351. PaperCut is a print management software solution used by over 100 million users from 70,000 organizations. CVE-2023-27350 had a critical CVSS score of 9.8, while CVE-2023-27351 had a high CVSS score of 8.2. A few days after disclosure, threat actors began exploiting a PoC for CVE-2023-27350, which allowed attackers like Clop and LockBit to ...

Black Cell

In today’s interconnected digital world, maintaining robust cybersecurity measures is paramount. With the ever-evolving threat landscape, understanding global vulnerability trends becomes crucial for organizations, individuals, and policymakers. This infographic delves into the subj...

Lawrence Abrams at BleepingComputer

Bobby Rauch

The Dangers of Google’s .zip TLD. Bobby Rauch (Bobbyr), 4 min read, 3 days ago. Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe? //github.com∕kuberneteskubernetes∕archive∕refs∕tags∕@v1271.zip versus //github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip. This week, Google launched a new TLD or “Top Level Domain” of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The securi...
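As an added example (not code from Bobby Rauch’s post), the Python below shows what a standards-following URL parser makes of a lookalike built the same way as the phish above: every “/” after the scheme is U+2215 DIVISION SLASH rather than a real slash, so the whole GitHub-looking prefix is parsed as userinfo before “@” and the host the client actually connects to is the .zip domain. Both URLs are constructed for this demonstration, and the table of slash lookalikes is a partial list chosen here, not an exhaustive one.

```python
"""Added example: resolve the real host of a lookalike .zip URL and flag the
tricks that make it deceptive. Not code from the original post."""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample URLs for this example.
LEGIT_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
# Every "/" after the scheme is U+2215 DIVISION SLASH and an "@" precedes the host,
# so the browser treats "github.com∕kubernetes∕…" as userinfo, not as the host.
LOOKALIKE_URL = (
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
    "\u2215refs\u2215tags\u2215@v1271.zip"
)

# Characters that render like "/" but are not URL delimiters
# (partial list, assumed for this example; extend as needed).
SLASH_LOOKALIKES: Dict[str, str] = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}


def real_host(url: str) -> str:
    """Host the client will actually connect to; userinfo before '@' is ignored."""
    return urlsplit(url).hostname or ""


def analyze(url: str) -> dict:
    """Return the real host plus the reasons, if any, the URL looks deceptive."""
    parts = urlsplit(url)
    # rpartition yields ('', '', netloc) when there is no '@', so userinfo is ''.
    userinfo = parts.netloc.rpartition("@")[0]
    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in url if c in SLASH_LOOKALIKES})
    host = real_host(url)
    reasons: List[str] = []
    if userinfo:
        reasons.append(f"userinfo before '@' hides the real host: {userinfo!r}")
    if lookalikes:
        reasons.append("slash lookalikes in URL: " + ", ".join(lookalikes))
    if host.endswith(".zip"):
        # A flag for review, not a verdict: legitimate .zip domains exist too.
        reasons.append("real host is a .zip domain")
    return {"host": host, "userinfo": userinfo, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in (LEGIT_URL, LOOKALIKE_URL):
        r = analyze(u)
        print(f"{r['host']:<12} suspicious={r['suspicious']} {r['reasons']}")
```

The same split is what a mail filter or a proxy should key on: the host returned by the parser, never the text a user reads. The lookalike check catches this particular trick only; an “@” in the authority component is the more general signal, since RFC 3986 userinfo is almost never needed in links sent to people.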

Brad Duncan at Malware Traffic Analysis

2023-05-17 - KNOCK KNOCK... GUESS WHO? IT'S PIKABOT! REFERENCE: //twitter.com/Unit42_Intel/status/1659202217042415619 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt.zip 2.4 kB (2,401 bytes); 2023-05-17-Pikabot-infection-with-Cobalt-Strike-carved.pcap.zip 6.9 MB (6,888,510 bytes); 2023-05-17-Pikabot-malware-and-artifacts.zip 813 kB (813,191 bytes) ...

2023-05-10 - OBAMA262 QAKBOT (QBOT) INFECTION WITH COBALT STRIKE & DARK CAT VNC REFERENCE: //twitter.com/Unit42_Intel/status/1657015363593203713 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-05-10-IOCs-for-obama262-Qakbot-with-DarkCat-VNC-and-Cobalt-Strike.txt.zip 2.5 kB (2,534 bytes) 2023-05-10-obama262-Qakbot-malspam-3-examples.zip 137 kB (136,779 bytes) 2023-05-10-obama262-Qakbot-with-BlackCat-VNC-and-Coba...

2023-05-10 - ICEID (BOKBOT) INFECTION WITH BACKCONNECT, COBALT STRIKE & KEYHOLE VNC REFERENCE: //twitter.com/Unit42_Intel/status/1657014096200343554 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-05-10-IOCs-for-IcedID-with-BackConnect-and-Keyhole-VNC-and-Cobalt-Strike.txt.zip 2.4 kB (2,373 bytes) 2023-05-10-IcedID-infection-with-Backconnet-and-Cobalt-Strike-and-Keyhole-VNC.pcap.zip 14.3 MB (14,302,331 bytes) 2...

BushidoToken

May 18, 2023. I recently came across an interesting campaign that is using fake websites to distribute malware. Although this TTP is not new, it seems to be on the rise. Anecdotally, I've seen it in multiple cases in 2023, more so than before. It's difficult to quantify without doing extensive research, but it is at least something for other analysts to be more aware of. A suspected Russia-based cybercriminal decided to clone the website of a legi...

CERT-AGID

Summary of the malicious campaigns in the week of 13 – 19 May 2023. 19/05/2023, summary. This week CERT-AgID observed and analysed, in the Italian scenario it covers, a total of 62 malicious campaigns, 60 of them with Italian targets and two generic ones that nonetheless affected Italy, making the 259 related indicators of compromise (IOC) it identified available to its accredited entities. Below we report the details of the types...

Check Point Research


Tzachi(Zack) Zorn at Checkmarx Security

PyPI on Hold: Suspends New Users' and Projects Creations Due to A High Volume of Malicious Activity. Tzachi (Zack) Zorn, published in checkmarx-security, 3 min read. A few hours ago, the PyPI team announced that they are temporarily suspending the creation of new users and the publication of new projects after detecting a high volume of malicious activity that they are unable to respond to in a timely fashion. Large-Scale Attack Trend: In the past few months, we have witnessed a...

CISA

Release Date: May 16, 2023. Alert Code: AA23-136A. Summary. Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #...

Chetan Raghuprasad at Cisco’s Talos

By Chetan Raghuprasad, Monday, May 15, 2023 08:05. Threat Spotlight, SecureX, Threats, ransomware. Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023. The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals. Talos assesses with high c...

William Burgess at Cobalt Strike Research and Development

Cofense

Daniel Fonseca Yarochewsky at Confiant

Daniel Fonseca Yarochewsky, published in Confiant, 6 min read, 3 days ago. Brand impersonation and “cloaked” call-centers scale the scam up to more than 50,000 people. Scammers raking in upwards of $800 per victim. Successful malvertising campaigns have two key components: cloaking and churn. Normal security efforts will look at a few websites coming from persuasive and commercial ads and conclude they’re probably legit businesses. Scammers exploit this fundamental flaw to scale up t...

CTF导航

Analysis of an APT-C-28 (ScarCruft) campaign delivering RokRat through malicious documents. APT, 2 days ago, admin. APT-C-28 / ScarCruft. The APT-C-28 group, also known as ScarCruft, APT37 (Reaper) and Group123, is a foreign APT group from Northeast Asia whose attack activity can be traced back to 2012 and which remains active to this day. APT-C-28 mainly conducts cyber attacks against South Korea and other Asian countries, targeting industries including chemicals, electronics, manufacturing, aerospace, automotive and healthcare, with a primary focus on stealing information and sensitive data related to strategic military, political and economic interests. RokRat is a cloud-based remote access tool that APT-C-28 has used in multiple attack campaigns since 2016. Recently, the 360 Advanced Threat Research Institute captured APT-C-28 delivering the RokRat malware to targets with malicious documents disguised as a “payment application form” and similar lures. The flow of this campaign is essentially the same as the one disclosed in public threat intelligence in 2021, in which APT-C-28 used a VBA self-decoding technique to inject RokRat [1]. In this campaign, the initial sample we found was a malicious document disguised as a “payment application form” that lures the user into enabling macros and then downloads and executes the RokRat mal...

Cyble

May 16, 2023 Jaguar Tooth Malware deployed via exploitation of SNMP Vulnerability On April 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI) & UK National Cyber Security Centre released the cybersecurity advisory “APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers”. The advisory covers details on the exploitation of SNMP vulnerabilities on unpatched Cisco Routers and deploying “Jaguar Tooth” ...

May 17, 2023 An Infostealer Malware Exploits Social Media Business Accounts of High-Position Individuals DUCKTAIL, a financially motivated malware variant, specifically aims at individuals and businesses utilizing a Social Media Business/Ads platform. The malware is created by Threat Actors (TAs) originating from Vietnam. Since the second half of 2021, TAs have been actively involved in developing and distributing malware associated with the DUCKTAIL operation. The malware is specifically design...

May 17, 2023 Ruckus Wireless Products in the Crosshairs On February 8th, 2023, a vendor alerted customers regarding a security vulnerability in Ruckus Wireless Admin. CVE-2023-25717 is a critical vulnerability categorized as a Remote Code Execution (RCE) vulnerability impacting the Ruckus Wireless Admin. This vulnerability stems from inadequate handling of a specially crafted HTTP request. As indicated by the NVD vulnerability description & publicly available POC, the vulnerability is exploited ...

May 19, 2023 Phishing Campaigns Exploit CapCut’s Popularity to Deliver Multiple Stealers Cyble Research and Intelligence Labs (CRIL) recently discovered a series of phishing websites posing as video editing software. These fraudulent sites lure users into downloading and executing various types of malware families such as stealers, RAT, etc. In these campaigns, Threat Actors (TAs) specifically targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTo...

Cyborg Security

Cyfirma

Weekly Attack Type and Trends. Key Intelligence Signals: Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Espionage, and Data Destruction. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption. Ransomware – Play Ransomware | Malware – Merdoor. Play Ransomware – One of the ransomware gr...

DCSO CyTec

Andariel’s “Jupiter” malware and the case of the curious C2. DCSO CyTec Blog, 8 min read, 4 days ago. Since 2020 DCSO has been monitoring a publicly undocumented malware family attributed to the Andariel group, a subgroup of the infamous North Korean Lazarus Group. The malware family has remained largely unchanged over the years and only made few appearances. In early 2023 however, one such appearance seemed particularly noteworthy as the configured Command ...

Emiliano Martinez at VirusTotal

Wednesday, May 17, 2023 Emiliano Martinez Leave a comment Last Monday our colleagues over at Mandiant rolled out Permhash. In their own words, Permhash is an extensible framework to hash the declared permissions applied to Chromium-based browser extensions and APKs allowing for clustering, hunting, and pivoting similar to import hashing and rich header hashing. We are excited to announce that we have been working closely with Jared Wilson on the Mandiant side to support Permhash similarity pivot...

Paul Lawrence And Roger Studner at Expel

Security operations, 3 min read, Paul Lawrence and Roger Studner, May 16, 2023. Tags: MDR. This type of phishing attack can be ridiculously sneaky. We love when our customers run red team engagements. Aside from testing and validating current security controls, detections, and response capabilities, we see it as a great opportunity to partner with our customers on areas of improvement. Here’s the story of how a red team helped Expel improve our phishing service and how we used our platform cap...

Flashpoint

Defendant allegedly participated in attack on D.C. MPD server during global ransomware campaign. SHARE THIS: Flashpoint May 16, 2023 “WASHINGTON – An indictment was unsealed today in the District of Columbia charging a Russian national with participating in a global ransomware campaign which deployed ransomware variants against victims in the District of Columbia, the United States, and around the world. Mikhail Pavlovich Matveev, alleged to use the online monikers Wazawaka, m1x, Broriscelcin, a...

SHARE THIS: Flashpoint May 18, 2023 “An Illinois man pleaded guilty yesterday to leading a conspiracy to sell stolen financial information on the dark web, aka darknet.” “According to court documents, Michael D. Mihalo, aka Dale Michael Mihalo Jr., 40, of Naperville, was the founder of a darknet ‘carding’ site called Skynet Market, which was used to sell stolen financial information on the internet. Operating under the moniker ggmccloud1, Mihalo and his co-conspirators were also prominent vendor...

Michael Zuckerman at Infoblox

Black Basta: Anatomy of the Attack. May 19, 2023. Introduction: In the constantly evolving realm of cyber threats, new groups consistently arise, creating turmoil for organizations worldwide. One such group that gained infamy in 2022 is the Russian-speaking threat actor known as Black Basta. With their advanced techniques and highly publicized attacks, Black Basta has become a significant worry for organizations in Europe and English-speaking nations. This blog examines the key traits of Black Basta ...

InfoSec Write-ups

ZeusCybersec, published in InfoSec Write-ups, 17 min read, Aug 8, 2021. This blog contains a complete explanation of how Active Directory works, Kerberoasting and all other Active Directory attacks, along with resources. This blog is written as a part of my notes and the materials are taken from the TryHackMe room “Attacking Kerberos”. Before you start the TryHackMe room called “Attacking Kerberos”, which will be really confusing for people new to it, I would suggest you finish these video...

Michael DeBolt at Intel471

Gaining the Intelligence Advantage with Cyber HUMINT - Part Two Advantages, pitfalls and best practices from the world’s leading cyber intelligence operators. Author: Michael DeBolt, Intel 471 Chief Intelligence Officer In part one, we defined cyber HUMINT and why it is different from other kinds of intelligence. We showed how cyber HUMINT can be a crucial differentiator for analysis, providing context to material collected by automation and helping to answer the next logical question. In the se...

Intrusion Truth

intrusiontruth in APT31, May 15, 2023 (May 11, 2023), 459 words. Our last article left you on a cliff edge. What did we find on the dark web which proved so illuminating? Well, it would seem things at Wuhan Xiaoruizhi are not all well. In a post which was later redacted and then disappeared with the downfall of breachforums, we found a post from someone who claimed to be a representative of a disaffected hacker selling the identities of 100 of their colleagues from an ‘elite hacking team’ in Wuhan. Th...

intrusiontruth in APT31, May 16, 2023 (May 11, 2023), 764 words. You might be wondering why we have picked on Cheng Feng. Just a hard-working cyber security professional, right? Well, wrong, as it turns out. Cheng Feng helped us deduce what APT Wuhan Xiaoruizhi is a cover for. As regular readers will know, Intrusion Truth is nothing without its global network of supporters. We had to reach out for support investigating Cheng Feng using the start points from his insurance certificate, and one of our co...

intrusiontruth in APT31, May 17, 2023 (May 10, 2023), 1,257 words. We haven’t quite finished with Mr. Cheng yet. We have one final document to share from Cheng’s cloud. A photo of a handwritten note, a series of names, and differing currency values. Now, we can’t make out the name in the top left, but we are pretty sure that this is a cast list of Cheng’s colleagues. Some of these names are old hat by now: Huang Zhen, Li Yilong, and Huang Zhen #2, for example, take up the bottom three rows. We also ha...

Kela

The risk of cyber attacks by information stealers poses a threat to organizations in the last few years and continues to be a significant concern for companies in 2023. The emergence of new infostealers highlights the ongoing efforts of cybercriminals to create new tools for stealing sensitive data. Organizations must stay up to date about new infostealers in order to remain vigilant and protect themselves against these evolving threats. We’re happy to share this FREE report with you to arm you ...

Kim Zetter at ‘Zero Day’

How Volexity Discovered the SolarWinds Hacking Campaign. An interview with Volexity President Steven Adair about how his team stumbled upon the "cyber espionage campaign of the decade" — but didn't know it — five months before it got publicly exposed. Kim Zetter, May 17, 2023, paid post. Volexity President Steven Adair (Photo c...

Bill Cozens at Malwarebytes Labs

Posted: May 18, 2023 by Bill Cozens Unpacking one of the most dangerous threats in cybersecurity. Cyber criminals come in all shapes and sizes. On one end of the spectrum, there’s the script kiddie or inexperienced ransomware gang looking to make a quick buck. On the other end are state-sponsored groups using far more sophisticated tactics—often with long-term, strategic goals in mind. Advanced Persistent Threats (APT) groups fall into this latter category. Well-funded and made up of an elite sq...

Mandiant

Blog: Permhash — No Curls Necessary. Jared Wilson, May 15, 2023, 15 min read | Last updated: May 16, 2023. Analysis. Adversaries take numerous directions to gain authorization for actions on targeted endpoints: privilege escalation, DLL side-loading, credential theft, and more. Browser extensions, Android Packages (APKs), and other permission declaring files take a different approach—they declare the permissions they require, sensitive or not. These file types are external code sources that are given auth...
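The VirusTotal and Mandiant entries above both describe Permhash: hashing only the permissions a file declares, so that extensions or APKs that differ in name, version and code but ask for the same capabilities cluster together and can be pivoted on. As an added example (not code from either post, and not Mandiant’s reference implementation), the Python below applies that idea to Chromium extension manifests. The manifests are constructed for this demonstration, and the canonical form (which manifest keys are read, declared order, comma join, SHA-256) is this example’s own assumption; Mandiant’s permhash package defines the real algorithm and its values are not expected to match these.

```python
"""Added example: cluster extension manifests by a hash of their declared
permissions. Illustrates the Permhash idea; not Mandiant's implementation."""
import hashlib
import json
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed manifest.json bodies (not real extensions). A and B differ in
# name, version and description but declare identical permissions; C adds one.
MANIFEST_A = json.dumps({
    "name": "Tab Helper", "version": "1.0.3", "manifest_version": 3,
    "description": "Organises your tabs",
    "permissions": ["tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
})
MANIFEST_B = json.dumps({
    "name": "Coupon Finder", "version": "7.2", "manifest_version": 3,
    "description": "Finds coupons while you shop",
    "permissions": ["tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
})
MANIFEST_C = json.dumps({
    "name": "Coupon Finder", "version": "7.3", "manifest_version": 3,
    "permissions": ["tabs", "storage", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
})

# Which keys count as "declared permissions" is an assumption of this example.
PERMISSION_KEYS = ("permissions", "optional_permissions", "host_permissions")


def declared_permissions(manifest_text: str) -> List[str]:
    """String permissions the extension declares, kept in declared order."""
    manifest = json.loads(manifest_text)
    perms: List[str] = []
    for key in PERMISSION_KEYS:
        perms.extend(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms


def permission_hash(manifest_text: str) -> Optional[str]:
    """SHA-256 over the comma-joined declared permissions (assumed canonical form).

    Returns None when nothing is declared so that empty manifests do not all
    collapse into one misleading cluster."""
    perms = declared_permissions(manifest_text)
    if not perms:
        return None
    return hashlib.sha256(",".join(perms).encode("utf-8")).hexdigest()


def cluster_by_permissions(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sample labels by permission hash: the pivot Permhash enables."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for label, text in manifests.items():
        h = permission_hash(text)
        if h is not None:
            groups[h].append(label)
    return dict(groups)


if __name__ == "__main__":
    samples = {"A": MANIFEST_A, "B": MANIFEST_B, "C": MANIFEST_C}
    for h, labels in cluster_by_permissions(samples).items():
        print(h[:16], labels)
```

Keeping declared order rather than sorting means two manifests that list the same permissions in a different order hash differently; that is a deliberate choice here because authorship tooling tends to preserve order, so order is itself a weak signal, but a hunt that wants to ignore it only needs to sort the list before joining.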

Blog: SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack. Mandiant Intelligence, May 16, 2023, 12 min read. Threat Intelligence, Uncategorized Groups (UNC Groups), TTPs. In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software wi...

Blog: A Requirements-Driven Approach to Cyber Threat Intelligence. Jamie Collier, Shanyn Ronis, Ian Lane, Rebecca Simpson, May 18, 2023, 3 min read. Threat Intelligence. Cyber threat intelligence (CTI) serves a broad purpose: to inform, advise, and empower stakeholders within an organization. Successful CTI functions invariably put stakeholder intelligence requirements at the heart of their mission statement. But, any CTI team can and should adopt a requirements-focused approach. In our report, A Requirem...

Michael Koczwara

Hunting QBot C2 and Brute Ratel C4 Infrastructure. Michael Koczwara, 4 min read, 4 days ago. In this blog, I will explain my hunting methodology with two practical examples: QBot C2 and Brute Ratel C4. I choose these two because despite the difference between Brute Ratel C4 and QBot this methodology (JARM and HTTP Response hash)…

Vasu Jakkal at Microsoft Security


Nasreddine Bencherchali

LOLBINed — Finding “LOLBINs” In AV Uninstallers. Nasreddine Bencherchali, 8 min read, 3 days ago. This blog was originally written in February 2022 and updated throughout the year as vendors responded. Introduction: Usually when people think of LOLBINs they tend to think of built-in OS-only binaries. But if we think of a typical enterprise system we find that there is additional software bundled with the OS, which includes third-party software. These new additions then become...

Sigma Rule Repository Enhancements — New Folder Structure & Rule Types. Nasreddine Bencherchali, published in Sigma_HQ, 4 min read, 3 days ago. In the past few months we’ve been busy doing a major overhaul of the Sigma project, which includes rules re-writes, metadata enhancements (titles, descriptions, false positives notes) and much more. Contributors Stats Starting From 2023. Last month we introduced the logsource-guides, a new addition that aims to ease the process of mapping the diffe...

Netskope

Oleg Skulkin at BI.ZONE

BI.ZONE sheds light on data breaches caused by Leak Wolf’s malware-free attacks The Leak Wolf group hacks Russian companies and publishes their data in its Telegram channel. The so-called hacktivists use no malicious software and act under the guise of company employees to evade detection Download the research May 17, 2023 In 2022, hacktivists were the driving force behind a surge in data breach incidents. Unlike ransomware attackers motivated by financial gains or espionage actors sponsored by ...

Palo Alto Networks

4 min read. By Unit 42, May 15, 2023 at 6:00 AM. Category: Announcement. Tags: APT, nomenclature, threat actors, threat intelligence. This post is also available in Japanese. Executive Summary: Within Unit 42 Threat Intelligence, we are often asked, “How does Unit 42 define and track actor activity?” To answer this question, we’ll give you a glimpse into our day-to-day activities, specifically focusing on how Unit 42 Threat Intelligence tracks behavior-based activity...

Viren Chaudhari at Qualys

Recorded Future

Posted: 16th May 2023. By: Insikt Group®. Since May 2022, Insikt Group has tracked an ongoing campaign by the threat group OilAlpha, which we are linking to threat actors that likely support a pro-Houthi movement agenda. The group is highly likely to have targeted entities associated with the non-governmental, media, international humanitarian, and development sectors. It is almost certain that the entities targeted shared an interest in Yemen, security, humanitarian aid, and reconstruction matter...

Posted: 18th May 2023. By: Insikt Group®. Deepfake voice cloning technology is an emerging risk to organizations, representing the evolution in the convergence of artificial intelligence (AI) threats. When leveraged in conjunction with other AI technologies — such as deepfake video technology, text-based large language models (“LLMs”, such as GPT), generative art, and others — the potential for impact increases. Voice cloning technology is currently being abused by threat actors in the wild. It has...

Rob van Os

Rob van Os, Strategic SOC Advisor, published May 17, 2023. Hacks regularly go unnoticed for a longer period of time. But not just in organisations with immature security. Not even in organisations that do not have a SOC. They occur in organisations with a SOC as well as those without a SOC. If you are lucky, that unnoticed breach was part of a red team exercise, and you get all the insights from the red team to improve your detection...

Ryan Fetterman at Splunk

By Ryan Fetterman, May 17, 2023. Welcome to the third entry in our introduction to the PEAK Threat Hunting Framework! Taking our detective theme to the next level, imagine a tough case where you need to call in a specialized investigator (even Sherlock depended on Watson from time to time!). For these unique cases, we can use algorithmically-driven approaches called Model-Assisted Threat Hunting (M-ATH). In this post, we’ll look at M-ATH in detail. This method uses algorithms to find leads ...

Miles Arkwright and James Tytler at S-RM Insights

Miles Arkwright, James Tytler, 19 May 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. Cyber Security Insights Report 2022: We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intell...

SANS Internet Storm Center

Kristen Cotten at Scythe

Threat Emulation: Agent Tesla by Kristen Cotten May 18, 2023 Intro Welcome to the May 2023 SCYTHE #ThreatThursday! This edition features an emulation based on Agent Tesla malware. Executive Summary Agent Tesla is a remote access trojan (RAT) written for the .NET framework that was first discovered in 2014. It is often leveraged as Malware-as-a-Service to gain initial access and then download additional second-stage tools. Agent Tesla is primarily an information stealer with the ability to monito...

Securelist

SOC, TI and IR posts, 16 May 2023. Table of contents: Kaspersky Incident Response in various regions and industries; Key trends in 2022: initial attack vectors and impact; Expert recommendations. Authors: Kaspersky GERT, Kaspersky Security Services. Kaspersky offers various services to organizations that have been targeted by cyberattackers, such as incident response, digital forensics, and malware analysis. In our annual incident response report, we share information about the attacks that we ...

Malware descriptions, 17 May 2023. Table of contents: The infection chain; Technical description; Conclusion; Minas indicators of compromise. Authors: Ilya Borisov, Vasily Berdnikov. Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence. In June 2022, we found a suspicious shellcode running in the memory of a system process. We decided to dig deeper and investigate how the shellc...

Security Intelligence

Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats. Physical Threats to the Energy Grid Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid offline is common news. But For...

While examining the state of ransomware in 2023, the statistics show promise — at least on the surface. According to the IBM X-Force Threat Intelligence Index 2023, “Ransomware’s share of incidents declined from 21% in 2021 to 17% in 2022.” Also promising: ransomware groups had a shaky 2022. The Trickbot group, for example, faced significant challenges — including internal leaks and increased government attention, resulting in the shutdown of their Conti ransomware operation and the retirement o...

Izzmier Izzuddin Zulkepli at Security Investigation

Advanced Cyber Security Interview Questions and Answers; What is Surface web, Deep web and Dark web; Overview of Modern and Future SOC; Anatomy of the Ransomware Cybercrime Economy. Tools: Wireshark Filters for Security Analyst; How to Perform Static Code Analysis on Packed Malware?; How to Detect Malware Hijacking Digital Signatures; Densityscout – Entropy Analyzer for Threat Hunting and Incident Response; Malicious jQuery & JavaScript – Threat Detection & Incident Response. IOC: Phishing Scam Alert: Fra...

Sekoia

SentinelOne

May 15, 2023, by Phil Stokes and Dinesh Devadoss. The red-teaming and attack simulation tool Cobalt Strike has a long and widely observed history of abuse by threat actors targeting Windows platforms, but it has only occasionally been seen used against macOS devices. That, however, appears to be changing with the development of a Go implementation of Cobalt Strike called ‘Geacon’. We have observed a number of Geacon payloads appearing on VirusTotal in recent months. While some of these are lik...

May 17, 2023, by SentinelOne. Tactics, techniques, and procedures (TTPs) are the blueprint of threat actors’ attacks – understanding them allows cyber defenders to better respond to sophisticated attacks. Since the threat landscape continues to become more complex with advancements in malware, nation-state APT campaigns, and cybercrime-as-a-service offerings, TTPs remain a critical source of how enterprises can stay ahead of attacks. TTPs allow security professionals to look inside the minds o...

SOCRadar

Sean Gallagher at Sophos

The commercial attack tool’s use by bad actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many. Written by Sean Gallagher, May 18, 2023, Threat Research. Tags: Brute Ratel, Cobalt Strike, featured, Havok, Meterpreter, post-exploitation tools, Sliver, Sophos X-Ops. Last year, we reported the growing use of the commercial offensive security tool Brute Ratel by criminal actors, including those behind Black Cat ransomware incidents. After public exposure of a ...

Riley Kilmer at Spur

2023-05-17, Identifying the Nexus of Scaled Ad Fraud. Riley Kilmer. Tags: Context-API, Monocle, Residential Proxies. The Problem: Late last week, I was procrastinating perusing LinkedIn and encountered an article that referenced a scaled ad-fraud campaign powered by a free VPN application called Oko VPN (okovpn[.]com). The second I saw the article title, I had a gut feeling it had to involve a residential proxy service. First, I wanted t...

Ben Martin at Sucuri

Sumuri

Symantec Enterprise

Merdoor backdoor is low prevalence and used in highly targeted attacks.The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years. Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity under a new group name. Lancefly’s custom malware, whic...

Team Cymru

Updated: 4 days agoA Data-Driven Approach based on Analysis of Network TelemetryThis blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.This blog represents an ongoing piece of resear...

Teri Radichel

Articles by Teri Radichel on the Solar Winds Breach. Teri Radichel, published in Cloud Security, 2 min read, 5 days ago. The SolarWinds breach was the largest cyber attack on the US government at that point. It successfully infiltrated a number of organizations. I wrote about cyberwar and the implication of cyber attacks on business and the implication on national security in the first chapter of my book. Here are my posts and analysis on the Solar Winds Breach.

Justin Elze at TrustedSec

Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams May 18, 2023 By Justin Elze in Penetration Testing, Red Team Adversarial Attack Simulation Analyze the balance between gaining useful information and avoiding detection, detailing recon techniques that can be employed without compromising stealth. Rob Joyce, who at the time was Head of the NSA’s Tailored Access Operations group, had this great quote from a 2016 USENIX talk: “We put the time in to know ...

Vikas Singh

Yelisey Bohuslavskiy

Yelisey Bohuslavskiy, Security Studies Expert; Author of "Security Pragmatism: The Peripheral Alliance", 4d, edited. [🔒🔬 #Royal #Ransomware #APT Novel Loader: A Preliminary Analysis - 7 Key Points 🧪🔍] Back in March, within our Midnight campaign report at RedSense, we covered emerging malware developed by the #Royal group. Since this threat is actively de...