Analysis Notes

A place to jot down things from trying my hand at malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 24 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that you can skim through and pick the articles to check. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

MoveIT

Release Date June 07, 2023 Alert Code AA23-158A SUMMARY Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all ...

on June 08, 2023 Background For the last couple of years, the threat actors associated with the CL0P ransomware group have occasionally ditched encryption in favour of exploiting file transfer applications in mass data-theft-extortion campaigns. This includes attacking Accellion FTA servers (December 2020), SolarWinds Serv-U FTP servers (November 2021), GoAnywhere MFT servers (February 2023), and PaperCut MF/NG servers (April 2023). The operator...

Security operations · 2 MIN READ · AARON WALTON · JUN 6, 2023 · TAGS: MDR What happened? Progress Software recently disclosed a vulnerability (CVE-2023-34362) affecting all MOVEit Transfer versions. Threat actors are actively exploiting the vulnerability to gain unauthorized access. Why does it matter? The Expel security operations center (SOC) team observed that the threat actor deployed a webshell consistently named “human2.aspx”. The human2.aspx webshell reportedly creates a MOVEit Transfer u...

Scott Downie, Devon Ackerman, Laurie Iacono, Dan Cox NOTE: The MOVEit Transfer vulnerability remains under active exploitation, and Kroll experts are investigating. Expect frequent updates to the Kroll Cyber Risk blog as our team uncovers more details. On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). Kroll previously provided guidance on steps to mitig...

Posted: June 6, 2023 by Pieter Arntz The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks. On Friday June 2, 2023 we reported about a MOVEit Transfer vulnerability that was actively being exploited. If your organization uses MOVEit Transfer and you haven’t patched yet, it really is time to move it. Excuse the bad pun, but yesterday we saw the first victims of this vulnerability come forward. ...

Blog Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft Nader Zaveri, Jeremy Kennelly, Genevieve Stark, Matthew McWhirt, Dan Nutting, Kimberly Goody, Justin Moore, Joe Pisano, Zander Work, Peter Ukhanov, Juraj Sucik, Will Silverstone, Zach Schramm, Greg Blaum, Ollie Styles, Nicholas Bennett, Josh Murchie Jun 02, 2023 9 min read | Last updated: Jun 09, 2023 Zero Day Threats, Vulnerabilities, Threat Intelligence, Detection UPDATE (June 9): On June 6, 2023, Mandiant merged UNC4857 into FIN11 ...

6 min. read By Unit 42 June 6, 2023 at 2:30 PM Category: Threat Brief, Threat Briefs and Assessments Tags: Advanced Threat Prevention, Cortex XDR, Cortex Xpanse, Cortex XSIAM, Cortex XSOAR, CVE-2023-34362, incident response, next-generation firewall, Prisma Access This post is also available in: 日本語 (Japanese) Executive Summary On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability ...

June 7, 2023 by Alex Delamotte By Alex Delamotte and James Haughom SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer appl...

MOVEit Hunting Cl0p: Threat Hunting with Cyborg Security & CISA Alert for #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023–34362 MOVEit Vulnerability Simone Kraus 5 min read 2 days ago The RaaS group Cl0p has repeatedly made headlines in recent weeks with various new methods to access victim systems via vulnerabilities with the main motivation of doing double extortion and encryption. While vulnerabilities such as PaperCut and GoAnywhere were successful campaigns by the atta...

Users of the file-transfer package should apply patches immediately and check for indications of possible compromise Written by Christopher Budd, Paul Jaramillo June 05, 2023 Threat Research CVE-2023-34362 DEV-0950 Exploit featured FIN11 MOVEit Progress Software TA505 vulnerability Sophos X-Ops is tracking the developing situation around a SQL injection vulnerability affecting MOVEit Transfer and MOVEit Cloud. The vulnerability related to this is CVE-2023-34362. This post provides a situation ov...

Adam at Hexacorn

June 7, 2023 in LOLBins I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even less – about its esoteric, yet omnipresent DLL plug-ins… One of the more interesting plug-ins that I know of, and yet, one that you will never really see residing on any system, is… ShellDispatch.dll. It’s a rarely used Nullsoft Plug-In DLL that is known to be used by the installer of WinAmp, yes.. THE WinAmp… and ...

Adam Goss

Python Threat Hunting Tools: Part 6 — Creating EXEs from Python Files Adam Goss 6 min read 5 days ago Welcome back to this series on building threat hunting tools. In this series, I will be showcasing a variety of threat hunting tools that you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple, with a focus on being easy to understand and implement. This is so…

Adam Goss 6 min read 1 day ago What on earth can Kentucky Fried Chicken and good cyber threat intelligence (CTI) have in common? Do they both have a secret recipe? Are they both finger-licking good? No. It is a lot simpler than that. Both KFC and good intelligence have three things in common. They are both relevant. They are both timely...

Anomali

by Anomali Threat Research The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Adware, Botnets, Data leak, Obfuscation, Phishing, Zero-day vulnerabilities, and Zero-click exploits. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the...

Jeremy Fuchs at Avanan

Surging to Inboxes Posted by Jeremy Fuchs on June 8, 2023 Anga Com is a popular conference based in Germany for broadband and media distributors. The conference attracts over 22,000 participants from 470 companies from across the world. Anga Com had its latest conference in the last week of May. A central part of any conference for a company is to garner interest for their company. Many conferences will give over lead lists for companies to follow up on. This can be a significant source of...

Avertium

June 6, 2023 Executive Summary Towards the end of May 2023, cybersecurity authorities in the U.S. and internationally raised concerns about a recently identified cluster of activity associated with a state-sponsored threat actor known as Volt Typhoon, originating from the People's Republic of China (PRC). This activity has impacted critical infrastructure networks across the U.S. Volt Typhoon uses compromised small office and home (SOHO) devices and living off the land techniques, ensuring their...

Blackberry

RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine CYBERSECURITY / 06.07.23 / The BlackBerry Research & Intelligence Team Summary The RomCom threat actor has been carefully following geopolitical events surrounding the war in Ukraine, targeting militaries, food supply chains, and IT companies. In RomCom’s latest campaign, the BlackBerry Threat Research and Intelligence te...

Lawrence Abrams at BleepingComputer

Bohops

WS-Management COM: Another Approach for WinRM Lateral Movement
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence
Leveraging INF-SCT Fetch & Execute Techniques For Bypass, Evasion, & Persistence (Part 2)
Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution
Unmanaged Code Execution with .NET Dynamic PInvoke
VSTO: The Payload Installer That Probably Defeat...

Brad Duncan at Malware Traffic Analysis

30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05 - "HE2A" NOTES: I'm gathering data on Formbook, so I plan to generate infection runs on new Formbook samples 30 times during the next month or two. Today's sample is from a .rar archive submitted to VirusTotal on Sunday 2023-06-04. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-05-IOCs-for-Formbook-infection.txt.zip 2.5 kB (2,535 bytes) 2023-06-05-Formbook-infection.pc...

30 DAYS OF FORMBOOK: DAY 2, TUESDAY 2023-06-06 - "CG62" NOTES: This is the 2nd of 30 infection runs on new Formbook samples during the next month or two. Today's sample is from a .rar archive submitted to VirusTotal on Tuesday 2023-06-06. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-06-IOCs-for-Formbook-infection.txt.zip 2.5 kB (2,494 bytes) 2023-06-06-Formbook-infection.pcap.zip 12.0 MB (11,986,144 bytes) 2023-...

30 DAYS OF FORMBOOK: DAY 3, WEDNESDAY 2023-06-07 - "AE30" NOTES: This is the 3rd of 30 infection runs on new Formbook samples during the next month or two. Today's sample is from a .rar archive submitted to VirusTotal early Wednesday 2023-06-07. Zip files are password-protected. If you don't know the password, see the "about" page of this website. FINDINGS: Based on files temporarily stored in the data exfiltration directory, I found the following: Formbook steals login credentials from Chrome, ...

30 DAYS OF FORMBOOK: DAY 4, THURSDAY 2023-06-08 - "T30K" NOTES: This is the 4th of 30 infection runs on recent Formbook samples. Today's sample is from a .rar archive submitted to VirusTotal on Thursday 2023-06-08. Zip files are password-protected. If you don't know the password, see the "about" page of this website. FINDINGS: It looks like Formbook steals login credentials stored on the Firefox web browser (still not for the current version of Microsoft Edge) ASSOCIATED FILES: 2023-06-08-IOCs-f...

30 DAYS OF FORMBOOK: DAY 5, FRIDAY 2023-06-09 - GULOADER FOR FORMBOOK "V16R" NOTES: This is the 5th of 30 infection runs on recent Formbook samples. Today's sample is a GuLoader version of Formbook that's been active since earlier this week. Zip files are password-protected. If you don't know the password, see the "about" page of this website. FINDINGS: It looks like Formbook steals login credentials stored on the Firefox web browser (still not for the current version of Microsoft Edge) ASSOCIAT...

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 03 – 09 June 2023 09/06/2023 summary This week, CERT-AgID has detected and analysed, within the Italian scenario it monitors, a total of 55 malicious campaigns, 51 of which had Italian targets and four of which were generic but nonetheless affected Italy, making the related... available to its accredited bodies

Check Point

Release DateJune 06, 2023 Today, CISA, Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs)...

Cisco’s Talos

By Nick Biasini, Craig Jackson Tuesday, June 6, 2023 08:06 On The Radar Cisco Talos Incident Response (Talos IR) has repeatedly observed attackers targeting and using compromised vendor and contractor accounts (VCAs) during recent emergency response engagements. While high-profile software supply chain compromise events garner significant media attention (e.g., the recent disclosure of supply chain attacks via the 3CX Desktop Softphone application), abuse of third-party workforce accounts is oft...

By Jonathan Munshaw Thursday, June 8, 2023 14:06 Threat Source newsletter Welcome to this week’s edition of the Threat Source newsletter. In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections. Now I’m worried we’re already moving backward ...

By William Largent Friday, June 9, 2023 17:06 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 2 and June 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provi...

Cyberwarzone

LockBit 3.0, aka “LockBit Black,” has been causing waves in the cyber world as a new and sophisticated iteration of the notorious LockBit ransomware. Sharing similarities with the likes of Blackmatter and Blackcat ransomware, this elusive variant presents itself as a formidable adversary. The RaaS Model: LockBit 3.0 LockBit 3.0 operates as a Ransomware-as-a-Service (RaaS), a business model that traces back to its predecessors, LockBit and LockBit 2.0. Its operations have been ongoing since Janua...

MISP, or Malware Information Sharing Platform, is an essential cybersecurity tool. However, users sometimes face a situation where MISP cannot fetch feeds, creating a gap in your threat intelligence. Let’s delve into how to rectify this issue. Potential Reasons for Not Fetching Feeds It’s helpful to understand why MISP may fail to fetch feeds. This could happen due to a variety of reasons, including network connectivity issues, MISP configuration problems, or issues with the feed providers. Veri...

Threat Intelligence (T.I.) feeds are a rich source of data that helps organizations detect, prevent, and mitigate security threats. However, cluttered feeds filled with duplicates and false positives can dilute the value of this information. To make the most out of T.I. feeds, it’s crucial to establish effective processes for keeping them clean and efficient. Table of Contents: Handling Duplicate IOCs; Tackling Duplicate Feeds; Managing False Positives; Establishing Regular Audits; Implementing Feedback ...

The MISP (Malware Information Sharing Platform) is a top-tier tool for threat intelligence. However, users might sometimes experience a situation where it stops updating events seemingly for no reason. This can affect your cybersecurity measures as the platform is no longer receiving or sharing crucial information. Why the Events Stop Updating Before diving into the solution, let’s quickly understand why this issue might occur. There could be multiple reasons for MISP to stop updating events. It...

Cyble

June 4, 2023 New Ransomware-as-a-Service (RaaS) Targeting VMware ESXi Servers Recently, Cyble Research & Intelligence Labs (CRIL) detected the emergence of a fresh Ransomware-as-a-Service (RaaS) initiative called ‘NoEscape.’ This program was discovered to be promoted on a cybercrime forum towards the end of May 2023. The creators of NoEscape were actively seeking affiliates to join their network. CRIL has shared the details of this discovery through the latest blog post. Following that, EVIL RAB...

LockBit Ransomware: After the LockBit ransomware successfully executes on a system, it initiates a series of actions. These actions include encrypting files with .lockbit extension, modifying Windows automatic backups by deleting shadow copies using vssadmin.exe, disabling startup repairs using the bcdedit tool, and more. The below figure shows the encrypted files with the .lockbit extension. Figure 6 – Encrypted files & Extensions Additionally, the ransomware leaves a ransom note that provides ...

June 5, 2023 Android Spyware Masquerading As Popular Messaging Applications For Stealing Sensitive Data Cyble Research & Intelligence Labs (CRIL) discovered a new variant of Android Spyware that has set its sights on unsuspecting users in Vietnam. As the malware variant is new in the wild, we are referring to this malware as “HelloTeacher” based on the test service present in the source code. HelloTeacher malware disguises itself as a popular messaging application like Viber or Kik Messenge...

June 7, 2023 Microsoft Reports Service Impact Due to Technical Glitch Hacktivist group Anonymous Sudan announced cyberattacks on American organizations on May 5, 2023. These DDoS attacks were claimed to be targeted against several US entities in Healthcare, and Microsoft Corporation in particular. These attacks continued on May 6, 2023 as well. As observed in most hacktivism-related incidents, such backlashes are based on misconstrued events in the geo-political space. Herein too, Anonymous Suda...

June 8, 2023 New Ransomware Holds Similarities with LockBit Ransomware Ransomware continues to pose the most critical cybersecurity threat to organizations’ infrastructure. This malicious software encrypts victims’ files and extorts payment in return for the decryption key. The consequences of ransomware attacks can be severe, including financial losses, data compromise, and reputational damage. Cyble Research and Intelligence Labs (CRIL) has recently discovered a new ransomware named Darkrace w...

June 9, 2023 Misspelled Packages Preying on Unwary Victims On May 20th, an incident report was released by PyPI administrators that announced the temporary suspension of new user and project name registrations. The reason behind this action is the overwhelming surge in malicious users and projects being created on the PyPI index in the past week. In this notice, the PyPI administrators mentioned, “The volume of malicious users and malicious projects being created on the index in the past week ha...

Cyborg Security

Cyfirma

Weekly Attack Type and Trends Key Intelligence Signals: Attack Type: Malware Implants, Social Engineering, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption. Ransomware – Black Basta Ransomware | Malware – Satacom Black Basta Ransomware – One of the ransomware g...

Tim Helming at DomainTools

Dragos

By Dragos, Inc. 06.09.23 Dragos recently analyzed the new industrial control systems (ICS) malware dubbed COSMICENERGY by Mandiant on May 25, 2023. This malware, designed to target IEC 104 devices, exploits existing Microsoft SQL (MS SQL) servers that are connected to remote terminal units (RTUs). Dragos Threat Intelligence independently analyzed the malware and, counter to media headlines claiming power disruption or grid crippling abilities, concluded that COSMI...

Arda Büyükkaya and Ippolito Forni at EclecticIQ

FIN7 delivering Clop ransomware, and at a BatLoader campaign that leverages ChatGPT and Midjourney imposter apps. This edition also addresses a joint Cybersecurity Advisory about Chinese state sponsored group Volt Typhoon, and a remote code execution vulnerability in Barracuda Email Security. Arda Büyükkaya – June 7, 2023 Co-author: Ippolito Forni, Threat Intelligence Consultant Cybercrime Group FIN7 Returns Delivering Clop Ransomware In April 2023, financially motivated cybercrime group FIN7 re...

Matthew at Embee Research

Practical Queries for Identifying Malware Infrastructure An informal page for storing Censys/Shodan queries Matthew Jun 7, 2023 • 4 min read An informal page for storing Censys/Shodan queries that have returned interesting results. Including examples for - AsyncRAT, Solarmarker, Amadey, Quasar, Laplas, Sliver, Mythic, Qakbot + more AsyncRAT - Common x509 Certificates Hardcoded values in x509 certificates used for TLS co...

Yuzuka Akasaka at Flare

Flashpoint

Well-known pro-Kremlin hacktivist group Killnet has been noted for its level of activity and ambition, especially since the outbreak of the Russia-Ukraine war. Flashpoint June 5, 2023 Table of Contents: What is Killnet?; A firmly pro-Kremlin collective; Killnet’s structure; Killnet’s modus operandi; Notable Killnet attacks; The future of Killnet; Identify and mitigate cyber risks with Flashpoint Within the realm of digital warfare, the threat actor group known as “Killnet” has esta...

Huntress

In a previous blog post, I covered how Splunk, and by extension, other security tools, can be used for malicious purposes. In that specific example, we looked at a straightforward data exfiltration technique. That blog garnered some attention, but I didn’t feel it exemplified the damage that malicious control of security tools can cause a business. In this blog, I will detail how the Splunk Universal For...

Network owners, operators and defenders find themselves in an increasingly contentious and hostile space, with entities ranging from opportunistic criminal elements to state-directed organizations engaging in various types of computer network intrusion. Through the seemingly endless sequence of blogs, alerts and hyperbolic media reporting, stakeholders may find it increasingly difficult to discern a strong “signal...

Intel471

Jun 06, 2023 Virtual currency, or cryptocurrency, revolutionized cybercrime. Criminals no longer needed to transfer funds to each other via payment services and financial institutions. Bitcoin – which relies on a decentralized public ledger and public key cryptography – could be directly sent to another person in a trustless system with no middle parties needed. That sparked a new era where cybercriminals could create online markets for the trade of illegal products, goods and services, all paid...

Koos Goossens

Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer – Part II Koos Goossens 16 min read 2 days ago Introduction A month ago I published an article about extending your Microsoft 365 Defender logs beyond the default of 30 days by leveraging Azure Event Hubs and Azure Data Explorer. I promised a second part to that article where I want to zoom in on sizing, performance and cost considerations. If you haven't read the first part, I'd advise you to start t...

Malwarebytes Labs

Posted: June 5, 2023 by Threat Intelligence Team In the last 12 months, the Vice Society ransomware gang has conducted more known attacks against education targets globally, and in the USA and the UK individually, than any other ransomware group. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. Thi...

Posted: June 5, 2023 by Pieter Arntz A new web skimming campaign uses compromised legitimate sites to act as command and control servers. Security researchers at Akamai have published a blog about a new Magecart-alike web skimming campaign that uses compromised legitimate sites as command and control (C2) servers. A web skimmer is a piece of malicious code embedded in web payment pages to steal personally identifiable information (PII) and credit card details from customers of the site. Since th...

Posted: June 9, 2023 by Threat Intelligence Team May saw a record number of 556 reported ransomware victims, the unusual emergence of Italy and Russia as major targets, and a significant rise in attacks on the education sector. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim didn't pay a ransom. This provides the best...

John Doyle at Mandiant

Blog A Peek Behind the Curtain: Examining the Dimensions of a National-level Cyber Program John Doyle Jun 06, 2023 4 min read Threat Intelligence In the past year, Mandiant Intelligence has been thinking of new ways to help organizations scale their defenses to outpace and outmaneuver state-sponsored cyber programs—all in a format that is widely accessible. This led us to developing “Inside the Mind of an APT,” an on-demand course that shares our more than ten years worth of insights on state-sponso...

Microsoft Security


Microsoft Security Response Center

MSRC, Security Research & Defense / By jhsharma, andreisaygo / June 08, 2023 / 8 min read Intro Finding vulnerabilities in software is no easy task by itself. Doing this at cloud scale is very challenging to perform manually, and we use tools to help us identify patterns or vulnerability signatures. Yara is one of those tools. Yara is a very popular tool with Blue teams, malware researchers, and for good reason. Once a malicious pattern has been identified, it’s quite easy to write rules t...

Nathaniel Raymond at Cofense

Obsidian Security

Orange Cyber Defense


Raymond Roethof

Microsoft Defender for Identity Recommended Actions: Resolve Unsecure Domain Configurations 9th Jun 2023 / 8th Jun 2023 by thalpius Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with fourteen recommended actions. In a series of blog posts, I will go through all fourteen recommended actions of what it means, a plan of approach, their impact, and my security recommendations, h...

Recorded Future

Posted: 6th June 2023 By: Insikt Group® Insikt Group has discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. The group responsible, referred to as Threat Activity Group 71 (TAG-71), has significant overlaps with the North Korean state-sponsored APT38. Between September 2022 and March 2023, Insikt Group discovered 74 domains and 6 malicious files associated with TAG-71's activities. TAG-71 has previo...

Red Alert

Monthly Threat Actor Group Intelligence Report, April 2023 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analysed on the basis of data and information collected by the NSHC ThreatRecon team from 21 March 2023 to 20 April 2023. In April, activity by a total of 29 hacking groups was confirmed; SectorA groups were the most active at 34%, followed by SectorC groups. The hacking activity discovered this April was aimed most often at personnel or systems in the government agency and commercial facility sectors, and by region, the most hacking activity targeted countries located in Europe and East Asia. 1. Characteristics of SectorA group activity In April 2023, activity by a total of 5 hacking groups was discovered, namely SectorA01, Secto...

Monthly Threat Actor Group Intelligence Report, March 2023 (KOR) This is a summary of the activities of hacking groups (Threat Actor Groups), analysed on the basis of data and information collected by the NSHC ThreatRecon team from 21 February 2023 to 20 March 2023. In March, activity by a total of 28 hacking groups was confirmed; SectorA groups were the most active at 34%, followed by SectorJ groups. The hacking activity discovered this March was aimed most often at personnel or systems in government agencies and finance-related industries, and by region, the most hacking activity targeted countries located in East Asia and Europe. 1. Characteristics of SectorA group activity In March 2023, activity by a total of 5 hacking groups was discovered, namely SectorA01, Sect...

Justin Schoenfeld at Red Canary

Colin Ferris at ReliaQuest

Miles Arkwright and James Tytler at S-RM Insights

Miles Arkwright, James Tytler 9 June 2023 Tags cyber security ransomware cyber incident response data breach threat intelligence The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intell...

SANS

Lance Spitzner Parsing the 2023 VZ DBIR for the Human Element Take a look at some of the most significant findings on the role of humans in breaches. June 9, 2023 The Verizon Data Breach Incident Report (VZ DBIR) is one of the industry’s most respected annual security reports. For over fifteen years, the Verizon team has been publishing its data-driven report on the top risks organizations face around the world. What makes this report so valuable is its vendor-neutral approach, global data set...

SANS Internet Storm Center

Securelist

Malware reports 07 Jun 2023 Authors David Emm IT threat evolution in Q1 2023 (see also: IT threat evolution in Q1 2023. Non-mobile statistics; IT threat evolution in Q1 2023. Mobile statistics) Targeted attacks BlueNoroff introduces new methods bypassing MotW At the close of 2022, we reported the recent activities of BlueNoroff, a financially motivated threat actor known for stealing cryptocurrency. The threat actor typically exploits Word documents, using shortcut files for the initial intrusion...

Malware reports 07 Jun 2023 Table of Contents: Quarterly figures; Quarterly highlights; Mobile threat statistics; Distribution of detected mobile malware by type; TOP 20 mobile malware programs; Regional malware; Mobile banking Trojans; Mobile ransomware Trojans Authors Anton Kivva IT threat evolution Q1 2023. Mobile statistics (see also: IT threat evolution Q1 2023; IT threat evolution Q1 2023. Non-mobile statistics) These statistics are based on detection verdicts of Kaspersky products received from users who...

Malware reports, 07 Jun 2023. Table of contents: Quarterly figures; Financial threats; Financial threat statistics; Geography of financial malware attacks; Ransomware programs; Quarterly trends and highlights; Attacks on Linux and VMWare ESXi servers; Progress in combating cybercrime; Conti-based Trojan decrypted; Most prolific groups; Number of new modifications; Number of users attacked by ransomware Trojans; Geography of attacked users; TOP 10 most common families of ransomware Trojans; Miners; Number of new mine...

Joshua Chung, Melissa Frydrych, Claire Zaboeva and Agnes Ramos-Beauchamp at Security Intelligence

In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10’s tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in c...

Sekoia

Aleksandar Milenkoski at SentinelOne

Aleksandar Milenkoski, June 6, 2023. Executive Summary: SentinelLabs has been tracking a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory. The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware. Kimsuky engages in extensive email correspondence...

Nick Powers at SpecterOps

Nick Powers, Posts By SpecterOps Team Members. The contents of this blog post were written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and are a written version of the content presented at Defcon30. With the barrier to entry for initial access ever increasing, we spent some time digging into potentially lesser-known weaponization options for ClickOnce deployments. A few of the hurdles we’d like to overcome by implementing these weapon...

Splunk

By Splunk Threat Research Team, June 05, 2023. PaperCut NG is a popular print management software that has 100 million users at over 70,000 organizations around the world. Recent discoveries have unveiled critical vulnerabilities in this widely-used software, specifically the CVE-2023-27350 authentication bypass vulnerability. This vulnerability, if exploited, allows an attacker to execute arbitrary code with elevated privileges on a target system. By understanding the mechanisms behind thi...

Sysdig

Threatmon

Tiffany Bergeron at ‘The Center for Threat-Informed Defense’

Tiffany Bergeron edited this page Jun 10, 2023. The primary goal of ATT&CK Sync is to reduce the effort required to stay in sync with new ATT&CK releases. In order to prove the concept, we use the Center’s NIST 800-53 Mappings project as a case study. This project is an ideal case study because it contains a large number of mappings that depend on A...

Trend Micro

This blog talks about the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. We also investigate previous variants' behaviors and the ransomware family's extortion scheme. By: Earle Maui Earnshaw, Nathaniel Morales, Katherine Casona, Don Ovid Ladores, June 06, 2023. After first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ran...

We have been able to uncover a massive cryptocurrency scam involving more than a thousand websites handled by different affiliates linked to a program called Impulse Project, run by a threat actor named Impulse Team. By: Cedric Pernet, Joseph C Chen, June 06, 2023. Key discoveries...

TrustedSec

OneDrive to Enum Them All, June 6, 2023. By TrustedSec in Cloud Penetration Testing, Office 365 Security Assessment. This post was written by @NYXGEEK. Greetings fellow hackers, today we’ll be diving into the topic of user enumeration via OneDrive. I wrote a blog post on this topic a few years back when I first identified the technique. Since then, I’ve learned more about it, and the onedrive_enum.py tool has been updated and is more powerful than ever! In short, OneDrive can be the best way to do u...

Uptycs

Tags: Malware, Threat Intelligence, Endpoint Security, EDR, Threat Research, XDR, macOS, linux, stealer, ransomware, windows. Uptycs Threat Research, June 05, 2023. In our ongoing efforts to monitor and identify emerging threats on the dark web, the Uptycs threat research team has recently uncovered a new and alarming threat. Last time, we came across the notorious RTM Locker ransomware. This time we’ve stumbled upon a new actor known as the Cyclops threat group. The Cyclops group is particu...

Fae Carlisle at VMware Security

Matthieu Faou at WeLiveSecurity

A curious case of a threat actor at the border between crimeware and cyberespionage. Matthieu Faou, 8 Jun 2023 - 11:30AM. Asylum Ambuscade is a cybercrime group that has been performing cyberespionage operations on the side. They were first publicly outed in March 2022 by Proofpoint researchers after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the...

Jiong Liu and Amir Lande Blau at Wiz

Agentless visibility and risk assessment paired with Wiz Runtime Sensor real-time detection for the best of both worlds. Jiong Liu, Amir Lande Blau, June 5, 2023. Today, we’re very excited to announce the launch of the Wiz Runtime Sensor into public preview, enabling organizations to detect threats affecting their cloud workloads and contextualize detection and response. Cloud-native applications introduced unique attack vectors that challenge existing threat detection tools tha...