Analysis Notes

A place for notes on malware I have tried analyzing and on things I thought would be useful for analysis. This site uses Google Analytics.

4n6 Week 22 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix=Forensics), so that you can zap through them and pick the articles to check. 4n6 can be found here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

May 23, 2023 in DeXRAY, Forensic Analysis. Pretty much all of my DeXRAY posts ever published have been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part of this process, aka how DeXRAY came to be. If you have been working in a DFIR space for more than a decade you probably already know that any type of high-fidelity evidence found on an endpoint is gold, and Quarantine folders/files are one of the best in this category… These are locations ...

Adam Goss

Python Threat Hunting Tools: Part 4 — Browser Automation. Welcome back to this series on building threat hunting tools! In this series, I will be showcasing a variety of threat hunting tools that you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple, focusing on being easy to understand and implement. This is so that you, the reader…

Allen West at Akamai

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Data leak, Infostealers, Package-name typosquatting, Phishing, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discu...

Any.Run

May 25, 2023. ChatGPT for SOC and Malware Analysis professionals: 3 Real-World Use Cases. It’s pretty clear by now th...

Francis Guibernau, Andrew Costis, and Giovanni López at AttackIQ

Jeremy Fuchs at Avanan

The Magic Link Attack. Posted by Jeremy Fuchs on May 25, 2023. Introduction: Hackers want you to think that you’re doing an expected action, when in fact you’re doing something you shouldn’t be. They want you to enter your login credentials in a page that looks secure, but actually isn’t. They want you to reply to an email that looks like it comes from your boss, but doesn’t. In this case, they want you to click on a link that looks like one thing, but is in fact another. In this Attack Brief...

Avertium

The Money Message Group - A New Ransomware Threat May 23, 2023 Executive Summary A new ransomware group, known as Money Message, has been observed encrypting network shares and targeting both Windows and Linux operating systems. Money Message targets victims globally, demanding million-dollar ransoms in exchange for the decryption key and to prevent the leakage of stolen data. So far, the group has successfully breached an Asian airline with an annual revenue of $1 billion, the Taiwanese hardwar...

Bitdefender

11 min read Bitdefender Threat Debrief | May 2023 Martin Zugec May 25, 2023 MDR Insights At Bitdefender MDR service, we highly value the power of big data in delivering valuable insights into intelligence matters. Recently, we conducted an extensive analysis of the information requests we receive from our diverse teams and stakeholders. Upon examining the data, we found that almost 60% of customer inquiries revolve around a fundamental question: "Are we adequately protected?" The answer to that ...

Lawrence Abrams at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-05-23 - PIKABOT INFECTION WITH COBALT STRIKE REFERENCE: //twitter.com/Unit42_Intel/status/1661134936047247360 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-05-23-IOCs-for-Pikabot-with-Cobalt-Strike.txt.zip 2.1 kB (2,099 bytes) 2023-05-23-Pikabot-infection-with-Cobalt-Strike.pcap.zip 14.7 MB (14,706,924 bytes) 2023-05-23-Pikabot-malware-and-artifacts.zip 2.2 MB (2,208,250 bytes) Click here to return to th...

2023-05-22 - PIKABOT INFECTION WITH COBALT STRIKE REFERENCE: //twitter.com/Unit42_Intel/status/1661068254628986892 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-05-22-updated-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt.zip 1.5 kB (1,493 bytes) 2023-05-22-Pikabot-malware-and-artifact-notes.txt.zip 3.2 kB (3,175 bytes) 2023-05-22-Pikabot-infection-with-Cobalt-Strike.pcap.zip 15.5 MB (15,535,319 bytes) 202...

2023-05-24 (WEDNESDAY) - BYE BYE PIKABOT... WE'RE BACK TO QAK! (OBAMA264 QAKBOT INFECTION) NOTES: On Wed 2023-05-17, Thu 2023-05-18, Mon 2023-05-22 and Tue 2023-05-23, TA577 pushed Pikabot malware instead of Qakbot. Starting on Wed 2023-05-24, TA577 went back to pushing Qakbot. Proofpoint designated threat actor TA577 currently pushes Qakbot with the "BB"-series distribution tag. Based on previous distribution tags, some people refer to the "BB"-series Qakbot as "TR". Proofpoint designated threa...

Brendan Chamberlain at InfosecB

May 25, 2023 Introducing LOOBins I am excited to announce the release of Living Off the Orchard: macOS Binaries (LOOBins). LOOBins is a new “living off the land” open-source project that aims to help defensive, offensive, and research cybersecurity professionals understand how various macOS binaries could be used for malicious purposes. The LOOBins website can be found here: //loobins.io Before proceeding, I want to thank everyone who took time to contribute! Jonathan Bar Or (@yo_yo_yo_jbo) ...

Mar 19, 2023 GPT-4 Assisted Detection Engineering. Introduction: Last week, OpenAI announced and released its latest multimodal model named GPT-4. In contrast to its predecessor, GPT-3, it is more knowledgeable, creative, handles lengthier text input, and is capable of interpreting images. The company claims that the new technology “exhibits human-level performance on various professional and academic benchmarks.” While I’m not convinced that GPT-4 will be replacing detection engineering team...

BushidoToken

May 24, 2023 I recently came across a cool GitHub repo from Zscaler's ThreatLabz team (see here) which contains a whole array of ransom notes from known and new ransomware families. I imagine that Zscaler has some sort of malware hunting capability (potentially LiveHunt YARA rules in VirusTotal) and they manually check for ransom notes uploaded to VT containing strings such as ".onion" to find new and interesting ransomware families. However...

CERT Ukraine

CERT-AGID


Technical analysis and considerations on the Strela malware 23/05/2023 packer strela. Last week the Strela malware landed in Italy. Strela is a simple stealer specialized in stealing email credentials from the Thunderbird and Outlook applications. The malware itself is fairly simple but, with the exception of the first wave, the packer it is delivered with is more complicated to analyze because of the Control Flow Obfuscation (CFO) technique it employs. We want, in this...

Summary of malicious campaigns in the week of 20 – 26 May 2023 26/05/2023 summary. This week, CERT-AgID detected and analyzed, within the Italian scenario it covers, a total of 27 malicious campaigns, 25 of them with Italian targets and two generic ones that nevertheless affected Italy, making the related 39... available to its accredited entities

Check Point Research

CISA

Release Date: May 23, 2023. Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its releva...

People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide. This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investi...

Cisco’s Talos

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware. By Cisco Talos, Thursday, May 25, 2023 08:05. We would like to thank The Citizen Lab for their cooperation, support and inputs into this research. Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm ...

By Hazel Burton, Friday, May 26, 2023 08:05. The Need to Know. Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends. Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks. In fact,...

By William Largent, Friday, May 26, 2023 17:05. Threat Roundup. Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provi...

Schyler Gallant, Alex Geoghagan, and Cobi Aloia at Cofense

Csaba Fitzl at ‘Theevilbit’

Beyond the good ol' LaunchAgents - 31 - BSM audit framework. May 26, 2023, 2 minutes read. This is part 31 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. macOS implements the OpenBSM audit framework created by McAfee, which allows someone to audit system events, like login, file access, etc… This has been part of the system for very lon...

CyberCX

Cyber Adviser Newsletter - May 2023 Published by CyberCX Intelligence on 25 May 2023 Welcome to the May edition of Cyber Adviser, a monthly readout of insights and expert analysis from the CyberCX Cyber Intelligence desk. As the cyber environment continues to rapidly evolve, Cyber Adviser cuts through the noise and gives you visibility of what matters most - all in 5 minutes or less. Last month by the numbers Sabotage ready? Five Eyes agencies attribute critical infrastructure prepositioning to ...

Cyble

May 23, 2023 Double Extortion Ransomware Groups Make Headlines In the ever-evolving landscape of cyber threats, the number of ransomware groups adopting double extortion is a concerning trend. This rising wave of ransomware attacks has taken the form of not only locking away valuable corporate data but also threatening to expose it to the world unless their demands are met. In the past week alone, more than three newly identified ransomware strains have come to light, causing distress for over 2...

May 23, 2023 Russian Hacktivists Peddling DDoS-As-A-Service in Cyber-Crime Forum Cyble Research and Intelligence Labs (CRIL) recently uncovered a new strain of malware named “MDBotnet” on a cybercrime forum. Our analysis indicates that the origins of this malware can be attributed to a Threat Actor (TA) associated with Russia. This MDBotnet malware has been specifically designed for carrying out distributed denial-of-service (DDoS) attacks on targeted victims by employing an HTTP/SYN flood attac...

May 24, 2023 Increased Adoption of Affordable DDoS Services Executive Summary Hacktivism, a combination of hacking and uncontrolled activism supported by political or social goals, has been spreading societal concerns and aiming its attention at both public and private institutions. In 2022, Cyble Research and Intelligence Labs (CRIL) observed that pro-Russian hacktivist groups such as Killnet, UserSec, GhostSec, Noname057, and various pro-Ukrainian anonymous collectives were highly concentrated...

May 25, 2023 The Rise of Ransomware Hybrids from Existing Code Ransomware continues to pose a persistent and evolving threat in the cybersecurity landscape, with Threat Actors (TAs) constantly refining their techniques to maximize their financial gains. These TAs employ various extortion techniques, including double extortion, countdown timers, etc. Obsidian ORB is one such ransomware variant that uses gift cards for Ransom payments. In the double extortion technique, the attackers gain unauthor...

May 25, 2023 Threat Actor Releases Free Builder to Boost Popularity and Inflict Damage It is apparent from past evidence that threat actors (TAs) utilize social media platforms to demonstrate their technical expertise to attract potential allies or customers interested in acquiring or leasing malware families such as Stealers, Ransomware, RATs, and similar tools. The primary motivation behind such actions is to generate monetary gains or seek collaborations for engaging in highly profitable cybe...

Cyborg Security

Cyfirma

Weekly Attack Type and Trends. Key Intelligence Signals: Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption. Ransomware – Royal Ransomware | Malware – Sotdas. Royal Ransomware – One of the ransomware groups. Please ref...

Cyjax

By Cymon 24 May 2023 Ongoing collective hacking operations such as OpIsrael, OpIran and OpIndia consist of several hacktivist threat actors working independently to disrupt critical infrastructure and government entities. OpIsrael is an annual coordinated cyberattack, during which pro-Palestine hacktivists attack Israeli government, commercial and private websites. The campaign was launched in November 2012 by the Anonymous collective. OpIran and OpIndia are also long-running operations which or...

DomainTools

Dragos

By Dragos, Inc. 05.22.23. Our annual 2022 ICS/OT Vulnerability Briefing webinar featured insights from Dragos vulnerability researchers Logan Carpenter and Nick Cano. This webinar highlighted the growth of industrial control systems (ICS) advisories year over year, and the ongoing challenge of prioritizing and mitigating vulnerabilities that lack viable alternatives to patching. This blog summarizes the vulnerability trends and topics from Dragos’s 2022 ICS/OT Cybe...

Elliptic

Chinese Businesses Fueling the Fentanyl Epidemic Receive Tens of Millions in Crypto Payments 23 May, 2023 Cryptoassets Research Featured China Investigations and Reporting Elliptic Research Team Key points: Most fentanyl trafficked into the United States is manufactured using precursors imported from Chinese suppliers. Elliptic researchers received offers from more than 90 China-based companies to supply fentanyl precursors, 90% of which accepted cryptocurrency payments. Many mentioned that they...

Esentire

Blog — May 10, 2023. TRU Positives: Weekly investigation summaries and recommendations from eSentire's Threat Response Unit (TRU). PaperCut Vulnerability Exploited to Deliver Cryptocurrency Miner to Education Sector Customer. 5 minutes read. Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt...

Blog — May 09, 2023. eSentire Threat Intelligence Malware Analysis: Vidar Stealer. 20 minutes read. Vidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of 2018. It’s typically spread through the use of drive-by social engineering techniques wherein the victim visits a malicious webpage and unknowingly downloads the mal...


Fortinet

By Geri Revay and Hossein Jazi | May 22, 2023 Affected platforms: Windows Impacted parties: Windows Users Impact: Allows remote code execution and persistent access to the host (backdoor) and the rest of the network (proxy) Severity level: Medium At Fortinet, we monitor suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE...

Nick Sundvall at Infoblox

Infoblox Researchers Uncover Malicious Domains Hosting Cryptocurrency Scams. May 24, 2023. Author: Nick Sundvall. The Discovery: Infoblox security researchers have uncovered a group of malicious domains that are being used to host cryptocurrency scams, some of which have been associated with the hacking of Youtube channels. We were able to find the domains by reviewing and analyzing queries in our networks for domains that incorporated certain suspicious keywords. Armed with these initial discoveries,...

Alison Rusk at INKY

Posted by Alison Rusk. Have you signed up for ChatGPT yet? It’s quite possible, especially considering the new controversial language generator reached 1 billion users in March 2023. With that amount of interest, it’s no wonder cybercriminals have begun impersonating the brand in a sophisticated personalized phishing campaign. What is ChatGPT and What Can It Do? In case you’re a newcomer or need a refresher, ChatGPT stands for “Chat Generative Pre-trained Transformer” and is a natural langu...

Jouni Mikkola at “Threat hunting with hints of incident response”

May 19, 2023, JouniMi. Why Turla? Lately I’ve done quite a lot of write-ups of testing currently active malware and how that could be potentially hunted for. I’d rather write about something else for a change, which led me to this topic. Turla has been in the news lately as their long running malware known as Snake was – well – dismantled by the US government. Turla was also raised to the news where I live which further raised my interest towards the group. Supo, which i...

Ryan at Jumpsec Labs

by ryan | May 26, 2023 | Detection, Jumpsec Following the NCSC and CISA’s detailed joint advisory on the highly sophisticated ‘Snake’ cyber espionage tool, JUMPSEC threat intelligence analysts have provided a condensed blueprint for organisations to start proactively hunting for Snake within their network, contextualising key Indicators of Compromise (IoC), and providing additional methods to validate the effectiveness of Snake detections. Snake’s capabilities The implant dubbed ‘Snake’ has been...

Andrew Shelton at K7 Labs

Posted by Andrew Shelton, May 26, 2023. Malware as a Service (MaaS), Ransomware, Remote Access Software. Akira Ransomware Unleashing Chaos using Conti Leaks. Ransomware attacks have become a serious concern for individuals and organisations alike, and the threat is only growing with the rise of Ransomware-as-a-Service and openly available leaked source code of popular ransomwares. With more threat actors adopting this strategy, it’s important to understand the Ta...

David Carmiel at KELA

24 May 2023 An Executive’s Guide To The Cybercrime Underground David Carmiel, KELA’s CEO In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks. In this article, I will explore the current state of the cybercrime u...

Dex at Lab52

May 25, 2023 During the first quarter of 2023, the Lab52 team has conducted an in-depth analysis of the threats that have been active during the period, focusing on information from both public and private sources, as well as studying the geopolitical context in order to anticipate potential campaigns. Below is the report for the quarter, which includes the main trends of the period, along with analysis of the most sophisticated threats, statistics on ransomware incidents and the most important ...

LockBoxx

Logpoint

Malwarebytes Labs

Posted: May 23, 2023 by Jérôme Segura Ads containing the official website of an impersonated brand are running again, allowing fraudsters to scam users. Web search is about to embark on a new journey thanks to artificial intelligence technology that online giants such as Microsoft and Google are experimenting with. Yet, there is a problem when it comes to malicious ads displayed by search engines that AI likely won't be able to fix. In recent months, numerous incidents have shown that malvertisi...

Posted: May 23, 2023 by Pieter Arntz. An employee that tried to take advantage of a ransomware attack on his own company has pleaded guilty after 5 years of denying he had anything to do with it. A 28-year-old IT Security Analyst pleaded guilty and will consequently be convicted of blackmail and unauthorized access to a computer with intent to commit other offences. It all started when the UK gene and cell therapy company Oxford BioMedica fell victim to a cybersecurity incident which involved una...

Mandiant


COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises. Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan Brubaker. May 25, 2023, 12 min read. Threat Intelligence, ICS, Operational Technology, Malware. Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. Th...

Michael Koczwara

Cozy Bear APT29/Nobelium Initial Access & ATT&CK Mapping. TA0042: Resource Development. T1650: Acquire Infrastructure. T1584: Compromised Infrastructure. T1587: Develop Capabilities. T1587.001: Develop Capabilities: Malware.

Microsoft


Microsoft’s ‘Security, Compliance, and Identity’ Blog

Mark E. Haase and Tiffany Bergeron at MITRE-Engenuity

ATT&CK Sync: A Tool for Keeping Current with MITRE ATT&CK®. Written by Mark E. Haase and Tiffany Bergeron. MITRE ATT&CK® provides a common reference point that enables communication and coordination among cybersecurity teams and between organizations. The cybersecurity community, including the Center for Threat-Informed Defense (Center), builds projects that depend in some way ...

Monty Security

Hunting Lazarus Group’s TTPs. Introduction: This aims to serve as a repo of procedures attributed to Lazarus Group activity that can immediately be actioned on by threat hunters given the right logs. Along with each TTP is at least one potential way to hunt for the activity. Let me be clear, you can run all of these hunts, have 0 results, and still be compromised. This is not a checklist. It simply aims to be a resource for how to hunt given Techn...

Palo Alto Networks

By Brad Duncan, May 26, 2023 at 6:00 AM. Category: Tutorial. Tags: banking trojans, BokBot, IcedID, pcap, Wireshark, Wireshark Tutorial. This post is also available in Japanese. Executive Summary: So far in 2023, IcedID has been a relatively constant presence in our threat landscape. Also known as BokBot, IcedID is Windows-based malware that can lead to ransomware. This Wireshark quiz presents a packet capture (pcap) from an IcedID infection that occurred...

By Unit 42, May 26, 2023 at 2:30 PM. Category: Threat Briefs and Assessments. Tags: China, Cloud-Delivered Security Services, Cortex XDR, Cortex XSIAM, Cortex XSOAR, next-generation firewall, Prisma Access, Prisma Cloud, threat prevention, Volt Typhoon. Executive Summary: On May 24, 2023, a Joint Cybersecurity Advisory was published by multiple intelligence agencies, working with private sector partners, disclosing several cyberattacks from nation-state threat...

Phylum

On the morning of May 10, 2023, Phylum’s automated risk detection platform flagged a series of publications surrounding the popular Flask package on PyPI. After reaching out to the author, we discovered that they were actually white hat publications intended for educational and demonstration purposes. However, this discovery serves as a crucial reminder that manual code review alone of seemingly innocuous packages is not sufficient to ensure security. Attackers can inject malware throughout the ...

A bad actor on GitHub continually respawns his malware immediately after PyPI takes it down. A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer. Join us as we take a look inside this apparent...

PyPI suspended new account registration for about 30 hours over this past weekend because malicious attacks exceeded the human bandwidth available among the PyPI administrators to properly deal with them. For the moment, this action thwarted one particular attack that Phylum has been tracking, and it stands as a reminder that we must remain vigilant in the fight to defend developers. Join us as we take a brief look into this episode, and one positive effect it had on defending the open-source so...

Proofpoint

Account Compromise, Financial Theft, and Supply Chain Attacks: Analyzing the Small and Medium Business APT Phishing Landscape in 2023. May 24, 2023, Michael Raggi and the Proofpoint Threat Research Team. Key Takeaways: Small and medium-sized businesses (SMBs) are increasingly being targeted by advanced persistent threat (APT) actors globally. Proofpoint researchers have identified three main trends of attacks targeting SMBs between 2022 and 2023, including the use of comprom...

Red Canary

Robin Dimyan

CTI Playbooks: Cyber crime intelligence. Hello everyone! In this blog post, I will be sharing my personal playbook, which serves as a guide to conducting thorough and effective cyber crime intelligence research. This playbook outlines the step-by-step process I follow, highlighting the intelligence requirements associated with each stage. By the end of this article, we will delve into approaches to building an Early Warning System (EWS) with pract...

S2W Lab

Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company. Author: S2W TALON. Last Modified: May 22, 2023. Executive Summary: Around January 2023, the user donjuji on the Breached forum uploaded a post offering the member data of online shopping mall company A for sale, and an intrusion analysis of the victim company was carried out to determine the exact route of the leak. S2W Talon named the operation “CloudDon”, since it was an attack on cloud infrastructure by the attacker ‘Donjuji’. The analysis identified that the environment-variable page of company A’s development server was exposed to the outside, exposing cloud authentication data such as AWS IAM credentials. Within the Middleware of the development server, Mi...

SANS Internet Storm Center

Giampaolo Dedola at Securelist

APT reports, 23 May 2023. Table of Contents: Infection vectors, JackalControl, Installer mode, Persistence, JackalSteal, JackalWorm, JackalPerInfo, JackalScreenWatcher, Infrastructure, Victims, Attribution, Conclusions, Indicators of compromise, MD5 hashes, Legitimate compromised websites. Authors: Giampaolo Dedola. GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, thi...

Secureworks

Research & Intelligence Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations Direct observations of multiple intrusions reveal that the group focuses on operational security. Wednesday, May 24, 2023 By: Secureworks Counter Threat Unit On May 24, 2023, the U.S. National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. Securewor...

Adrià Alavedra at Security Art Work

May 23, 2023. By Adrià Alavedra. Currently, social engineering attacks are among the most exploited entry vectors because of their great effectiveness. But what is phishing? We understand phishing as a social engineering attack whose goal is to capture or steal the private data of the affected users: login names, passwords, credit card details, etc., normally through the use of generic fraudulent emails. Let us look next...

Security Investigation

Incident Response For Common Attack Types

Sekoia

SentinelOne

May 22, 2023, by SentinelOne. In our recent series on Mastering the Art of SOC Analysis, we explored how aspiring SOC Analysts can develop the skills needed in today’s complex threat environment, from learning fundamentals like network and malware analysis to understanding cloud security and effective internal and external communication. Essential to every SOC analyst is having the right tools and knowing how to use them to their full potential. Many SOCs worldwide partner with SentinelOne...

Aleksandar Milenkoski / May 23, 2023 By Aleksandar Milenkoski and Tom Hegel Executive Summary SentinelLabs has observed an ongoing campaign by Kimsuky, a North Korean APT group, targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations. The campaign focuses on file reconnaissance and information exfiltration using a variant of the RandomQuery malware, enabling subsequent precision attacks. Kimsuky distributes RandomQuery using Microsoft C...

Aleksandar Milenkoski / May 25, 2023 By Aleksandar Milenkoski and Tom Hegel Executive Summary Over the first quarter of 2023, SentinelLabs observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The campaign is the latest iteration of a broader activity nexus dating back to 2021, now targeting the users of over 30 financial institutions. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be le...

SOCRadar

Rianna MacLeod at Sucuri

Symantec Enterprise

Attackers use rebranded variants of leaked LockBit and Babuk ransomware payloads but use their own custom exfiltration tool. A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to ...

Nigel Douglas at Sysdig

Stefan P. Bargan at System Weakness

APT Groups — Vietnam — Part II. Stefan P. Bargan, published in System Weakness, 3 min read, Mar 4. Perhaps you’re wondering why I’ve decided on Vietnam as the focus for the second part of the APT Groups stories. Vietnam Halong Bay (Credit: //www.businessinsider.com/halong-bay-is-beautiful-2015-11?r=US&IR=T). Halong Bay is recognized as a ...

Team Cymru


Trend Micro

In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase. By: Mahmoud Zohdy, Sherif Magdy, Mohamed Fahmy, Bahaa Yamany, May 22, 2023. Executive Summary: In late December 2022, Mandiant, Sophos and Sentinel One, via a coordinated disclosure, reported malicious kernel drivers being signed through several Microsoft hardware develo...

In this blog entry, we will examine the security risks related to file extension-related Top-Level Domains (TLDs) while also providing best practices and recommendations on how both individual users and organizations can protect themselves from these hazards. By: Joshua Aquino, Stephen Hilt, May 23, 2023. In May 2023, Google launched eight new top-level domains (TLDs) that included .zip and .mov. Although seemingly harmless at first glance, it sparked di...

In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim’s machine by modifying the victim’s Discord client. By: Nitesh Surana, Jaromir Horejsi, May 23, 2023. Discord's transition into mainstream appeal has been a double-edged sword: The surge of new users that flocked to the platform during the pandemic brought with it a growing cybercriminal presence that has raised concerns over security and priv...

Conventional wisdom says most organizations will experience a cybersecurity breach at some point—if they haven’t already. That makes having a ready-to-launch incident response process crucial when an attack is detected, as this fictionalized scenario shows. By: Chris LaFleur, May 24, 2023. Experts generally agree that cybersecurity breaches are inevitable. The only real variables are when they will happen, how severe they will be—and how prepared an orga...

This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services. By: Joey Costoya, May 25, 2023. With contributions from Philippe Lin, Fyodor Yarochkin, Matsukawa Bakuei, and Ryan Flores. Nowadays, it is imperative for online services to determine if web traffic comes from humans or automated bots. Doing so enables op...

This is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets multiple browsers and cryptocurrency wallets. By: Sarah Pearl Camiling, Paul John Bardon, May 26, 2023. A newly emerged information-stealing malware named Bandit Stealer is gaining traction as it targets numerous browsers and cryptocurrency wallets while evading detection. Currently, there is a growing interest and promotional act...

Trustwave SpiderLabs

May 24, 2023, by Phil Hay, Rodel Mendrez. Over the past few days, we have seen phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message. At this stage, we are exploring and uncovering different aspects of this campaign and will share here some of our observations to date. The Email: It starts with an email that originated from a compromised Microsoft 365 account, in this case from Talus Pay,...

May 23, 2023, by Tom Neaves. For those wondering what GraphQL is… “GraphQL is a query language for your API, and a server-side runtime for executing queries using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data.” (Taken from //graphql.org/learn/) For those who are already familiar with GraphQL, especially from a security perspective, the first thing we tend to thin...

Analyzing the NTC Vulkan Leak: What it Says About Russia's Cyber Capabilities. May 25, 2023, by Arthur Erzberger. Information disclosed in the leaked NTC Vulkan papers allows us to investigate the high probability of cooperation between the Russian private software development company and the Russian Ministry of Defense, namely, the GRU (Sandworm), and possibly others. While we could neither confirm nor deny the authenticity of the leaked documents, we have reason to bel...

VMRay

Kleiton Kurti at White Knight Labs

Kleiton Kurti, May 23, 2023. Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion. In this blog post, we will go through the importance of each profile’s option, and explore the differences between default and customized Malleable C2 profiles used in the Cobalt Strike framework. In doing so, we demonstrate how the Malleable C2 profile lends versatility to Cobalt Strike. We will also take a step further by improving the existing open-source profiles t...

Zach Stanford

A Tale of Greatness (#Educationalpurposes), by svch0st, 6 min read, 1 day ago. Business Email Compromise (BEC) still remains a threat type overshadowed by cyber extortion; however, as an incident responder, it is one of the more common types we respond to. Since the adoption of MFA, kits have moved to session theft, and Phishing-as-a-Service kits make it easier than ever for actors to enter this space. Greatness (the Greatness kit, or Greatness Boss) is a phishing kit that was recently rep...

Zscaler ThreatLabz

This is a collection of various ransomware notes from the past to the present. Follow us on Twitter: @Threatlabz. Blog: //www.zscaler.com/blogs/security-research. About: An archive of ransomware notes past and present. Topics: notes, malware, ransomware, malware-research, ransom. License: MIT.