Analysis Notes

A place for notes on malware I have analysed and on things that seemed likely to be useful for analysis.

4n6 Week 26 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. This Week in 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam Goss

Python Threat Hunting Tools: Part 8 — Parsing JSON (published in InfoSec Write-ups, 8 min read). Welcome back to this series on building threat hunting tools. In this series, I will be showcasing a variety of threat hunting tools that you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple, with a focus on being easy to understand and implement. This is so that you, the reader, ...

Anomali

Anomali Cyber Watch

Jeremy Fuchs at Avanan

Over Half of Malicious Files are HTML Attachments. Posted by Jeremy Fuchs on June 20, 2023. Our research has revealed that credential harvesting remains the top attack vector, responsible for 59% of attacks. This malicious tactic also plays a significant role in Business Email Compromise (BEC), accounting for 15% of attacks. Cybercriminals utilize phishing emails containing malicious URLs or attachments to steal and harvest user credentials. Shockingly, over 50% of these attachments are HTML...

URL-Based Phishing: The Fake Instagram. Posted by Jeremy Fuchs on June 21, 2023. One of the biggest problems with online security is URL-based phishing. These attacks involve fake links that mimic legitimate ones, tricking users into entering sensitive information that falls into the hands of hackers. Our cutting-edge Zero Phishing tool is the ultimate solution to URL-based phishing. With its superior performance, it detects four times more zero-day phishing pages than traditional anti-phish...

Martin Zugec at Bitdefender

Brad Duncan at Malware Traffic Analysis

30 DAYS OF FORMBOOK: DAY 13, SATURDAY 2023-06-17 - "MR04" NOTES: This is my 13th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-17-IOCs-for-Formbook-infection.txt.zip 1.3 kB (1,312 bytes); 2023-06-17-Formbook-infection-traffic.pcap.zip 898 kB (898,086 bytes); 2023-06-17-Formbook-malware.zip 492 kB (491,899 bytes) ...

30 DAYS OF FORMBOOK: DAY 14, SUNDAY 2023-06-18 - "JY05" NOTES: This is my 14th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-18-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,864 bytes); 2023-06-18-Formbook-infection-traffic.pcap.zip 3.6 MB (3,635,523 bytes); 2023-06-18-Formbook-malware-and-artifacts.zip 1.5 MB (1,478,722 bytes) ...

30 DAYS OF FORMBOOK: DAY 15, MONDAY 2023-06-19 - "CE18" NOTES: This is my 15th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-19-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,907 bytes); 2023-06-19-Formbook-malspam-0504-UTC.eml.zip 708 kB (707,748 bytes); 2023-06-19-Formbook-infection-traffic.pcap.zip 6.1 MB (6,130,987 bytes); 2023-06-19-Formbook-malware-and-arti...

30 DAYS OF FORMBOOK: DAY 16, TUESDAY 2023-06-20 - "F1W6" NOTES: This is my 16th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-20-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,911 bytes); 2023-06-19-Formbook-malspam-0200-UTC.eml.zip 722 kB (722,167 bytes); 2023-06-20-Formbook-infection-traffic.pcap.zip 3.6 MB (3,637,778 bytes); 2023-06-20-Formbook-malware-and-art...

30 DAYS OF FORMBOOK: DAY 17, WEDNESDAY 2023-06-21 - MODILOADER FOR XLOADER "NVP4" NOTES: This is my 17th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-21-IOCs-from-ModiLoader-for-XLoader-infection.txt.zip 2.2 kB (2,239 bytes); 2023-06-21-ModiLoader-for-XLoader-infection-traffic.pcap.zip 3.2 MB (3,233,943 bytes); 2023-06-21-ModiLoader-malware-and-artifacts.zip 1...

30 DAYS OF FORMBOOK: DAY 18, THURSDAY 2023-06-22 - "K2L0" NOTES: This is my 18th of 30 infection runs for recent Formbook activity. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-22-IOCs-for-Formbook-infection.txt.zip 1.9 kB (1,859 bytes); 2023-06-22-Formbook-infection-traffic.pcap.zip 3.5 MB (3,542,531 bytes); 2023-06-22-Formbook-malware-and-artifacts.zip 337 kB (337,063 bytes). Image caption: Traffic from ...

2023-06-22 (THURSDAY) - FILES FOR AN ISC DIARY (OBAMA271 QAKBOT) NOTES: The ISC diary is for Thursday 2023-06-22: Qakbot (Qbot) activity, obama271 distribution tag. Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-06-22-some-IOCs-from-obama271-Qakbot-activity.txt.zip 1.5 kB (1,518 bytes); 2023-06-22-email-and-files-from-obama271-Qakbot-activity.zip 1.8 MB (1,822,289 bytes); 2023-06-22-initial-Obama271-Qakbot-infection-tra...

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 17 – 23 June 2023 (23/06/2023). This week CERT-AgID detected and analysed, within the Italian landscape it covers, a total of 27 malicious campaigns, 25 aimed at Italian targets and two generic ones that nonetheless affected Italy, and made the 549 related indicators of compromise (IOCs) it identified available to its accredited bodies. Below we report the details of the types...

Check Point

Security, June 19, 2023: ‘Sign in to continue’ and suffer: Attackers abusing legitimate services for credential theft. By Check Point Team. Highlights: Check Point Research (CPR) detected an ongoing phishing campaign that uses legitimate serv...

Security, June 21, 2023: Phishing Tools for Purchase: A Closer Look at Facebook Scamming Groups. By Check Point Team (Gal Yogev). Highlights: Facebook groups are hosting scammers who offer tools for creating phishing pages, facilitating brand...

Security, June 22, 2023: Stealthy USB: New versions of Chinese espionage malware propagating through USB devices found by Check Point Research. By Check Point Team. Highlights: Check Point Research (CPR) puts a spotlight on a Chinese state spo...

Cisco’s Talos

By William Largent Friday, June 23, 2023 14:06 Threat Roundup Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.As a reminder, the information pr...

Cofense

Cyberwarzone

If you are a cybersecurity enthusiast, then you must have heard of YARA. It’s a powerful tool, a veritable magnet for digital threats. Today, we dive into how this powerful tool can be used to hunt down phishing kits and phishing pages. YARA Rule Overview: PK_1and1_Ionos. This YARA rule, named “PK_1and1_Ionos”, is designed to detect a phishing kit that impersonates IONOS by 1&1, a well-known web hosting company. Authored by Thomas ‘t4d’ Damonneville, it’s an excellent example of how YARA can be us...

Incident responders and cybersecurity enthusiasts, this one’s for you. If you’ve ever faced challenges in tracing data exfiltration via FileZilla, this tool will ease your pain. It dives deep into user directories, parsing and analyzing critical FileZilla-related files: filezilla.xml, recentservers.xml, and queue.sqlite3. The filezilla.xml file stores user settings, providing insights into user-specific preferences. recentservers.xml keeps track of recently accessed servers, helping you trace co...
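As an added example of the kind of parsing the tool above performs (my own code, not the tool described in the article), here is a small Python parser for recentservers.xml, the file the article names as the record of recently accessed servers. The element layout (a FileZilla3 root, a RecentServers container, one Server element per host with Host, Port, Protocol, User, Logontype and an optional base64-encoded Pass) and the numeric protocol and logon-type codes follow the FileZilla 3 XML format as I know it; they are assumptions, not taken from the page. The sample document is constructed for this demo and is not a real artifact.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample recentservers.xml. The element names follow the
# FileZilla 3 layout as I know it (an assumption, not taken from the page);
# hosts, users and the password are made up for this demo.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.64.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>203.0.113.10</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Pass encoding="base64">UGFzc3cwcmQh</Pass>
      <Logontype>1</Logontype>
      <EncodingType>Auto</EncodingType>
      <BypassProxy>0</BypassProxy>
    </Server>
    <Server>
      <Host>files.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>jdoe</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# FileZilla numeric codes (assumed mapping; only the common values are listed).
PROTOCOLS = {"0": "FTP", "1": "SFTP", "3": "FTPS", "4": "FTPES"}
LOGON_TYPES = {"0": "anonymous", "1": "normal", "2": "ask", "3": "interactive", "4": "account"}


def decode_password(pass_el):
    """Return the stored password, decoding the base64 form FileZilla writes.

    A stored password means the user chose to save credentials, which is worth
    noting by itself when tracing who could have used the connection.
    """
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", errors="replace")
    return pass_el.text


def parse_recent_servers(xml_text):
    """Extract one record per <Server> element: where the user connected and as whom."""
    root = ET.fromstring(xml_text)
    records = []
    for srv in root.iter("Server"):
        records.append({
            "host": srv.findtext("Host"),
            "port": int(srv.findtext("Port", default="0")),
            "protocol": PROTOCOLS.get(srv.findtext("Protocol"), "unknown"),
            "logon_type": LOGON_TYPES.get(srv.findtext("Logontype"), "unknown"),
            "user": srv.findtext("User"),
            "password": decode_password(srv.find("Pass")),
        })
    return records


def parse_recent_servers_file(path):
    """Same as parse_recent_servers, reading the XML from a file on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_recent_servers(fh.read())


if __name__ == "__main__":
    for rec in parse_recent_servers(SAMPLE_RECENTSERVERS_XML):
        saved = "saved" if rec["password"] else "not saved"
        print(f'{rec["protocol"]}://{rec["user"]}@{rec["host"]}:{rec["port"]} '
              f'logon={rec["logon_type"]} password={saved}')
```

On a live image, point parse_recent_servers_file at the copy of recentservers.xml taken from the user's FileZilla profile directory; the output gives the destination hosts to pivot on in proxy, firewall or NetFlow data when confirming whether the queued transfers actually left the network.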

You’re in the right place, my friend, if you want to understand the nitty-gritty details of ransomware and data extortion groups. Knowing these two can be a game-changer in your cybersecurity journey. Let’s dive in. A Quick Glimpse at Ransomware Simply put, ransomware is a kind of bad news wrapped up in code. Cybercriminals use it to take your data hostage. They encrypt your files and make them useless to you. Unless, of course, you pay a ransom. Then, they promise, you get your data back. It’s ...

Cyble

June 20, 2023 MOVEit, VMware, and Fortinet Global Internet Exposure Enticing Cybercriminals Organizations face a significant threat when their internet-exposed assets are misconfigured or outdated, as it greatly expands the potential attack surface for Threat Actors (TAs). In previous research articles, Cyble Research & Intelligence Labs (CRIL) researchers have extensively discussed impact and attacks via internet-exposed assets – Active exploitation of multiple CVEs, and Exposed Network Monitor...

June 22, 2023 Evasive BatLoader Executes Ransomware Payloads on the Fly The ransomware known as “TargetCompany,” which first appeared in June 2021, gained significant attention due to its unique method of appending the name of the targeted company as a file extension to encrypted files. This ransomware variant was also observed appending a “.mallox” extension to encrypted files, leading to its previous identification as “Mallox”. Last year, Cyble Research and Intelligence Labs (CRIL) also report...

June 23, 2023 SupremeBot Pushes Umbral Stealer to Maximize Monetary Gain Threat Actors (TAs) use game installers to spread various malware because games have a wide user base, and users generally trust game installers as legitimate software. The social engineering tactics that TAs use exploit users’ trust and entice them to download and run malicious game installers. The large file size and games’ complexity provide TAs opportunities to hide malware within them. Malware distributed through game ...

Weekly Attack Type and Trends. Key Intelligence Signals: Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak. Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage, Lateral Movement. Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption. Ransomware – Clop Ransomware | Malware – Skuld. Clop Ransomware – One of the ransomware groups. Pl...

darkQuasar

darkquasar/AIMOD2 (GitHub, 67 stars, 10 forks): Adversarial Interception Mission Oriented Discovery and Disruption Framework, or AIMOD2, is a structured threat hunting approach to proactively identify, engage and prevent cyber threats, denying or mitigating potential damage to the organization. Website: aimod2.com

Flashpoint

A running timeline of Anonymous Sudan’s DDoS attacks on countries, industries, companies, and governmental entities around the world, including Microsoft, Australia, Israel, and multiple US hospitals. Flashpoint Intel Team, June 20, 2023. Contents: Anonymous Sudan makes its presence known; Apparent connections to Killnet; Guise of Islamist ideologies; Anonymous TTPs: Details of Microsoft attack; Timeline. Anonymous Sudan makes its presence known: Anonymous Sudan has been a...

Matteo at Forensics Matters

Recent posts: Simple Forensics imaging with dd, dc3dd & dcfldd; Forensics timeline using plaso log2timeline for Windows; Find out Windows installation date; Extract GPS data from JPEG using imago.

Intel471

Jun 21, 2023 Ransomware continues to be one of the most pervasive types of cybercrime and a tangible risk to enterprises, governments, schools and health care organizations. Although multiple countries have launched coordinated efforts to fight ransomware groups through law enforcement takedowns, cryptocurrency seizures and indictments, the crime remains difficult to stop. One tenet of many anti-ransomware action plans is improving cyber resiliency and thus reducing the potential target pool. Th...

Jun 22, 2023 On May 27, 2023, the CLOP ransomware and extortion group began exploiting software called MOVEit, which is used by organizations to transfer large files. CLOP used a structured query language injection (SQLi) vulnerability (CVE-2023-34362) to place a web shell named LEMURLOOT on MOVEit instances. From there, the group used LEMURLOOT to download files stored within MOVEit (a full rundown of indicators of compromise from the U.S. Cybersecurity and Infrastructure Security Agency is here). Victim...

Invictus Incident Response

AWS CloudTrail cheat sheet (Invictus Incident Response, 2 min read). Incident Response in AWS made easy (easier 😉). As enthusiastic cloud incident responders we’ve had our fair share of AWS incidents. If you say incident response and AWS, you say CloudTrail: it’s the most important source for your investigations. Therefore we’ve decided to develop a cheat sheet for ‘interesting’ CloudTrail events that we’ve come across during incidents. Use this information to perform faster...
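The two excerpts above (Adam Goss's Python threat hunting tool for parsing JSON, and the Invictus CloudTrail cheat sheet) fit together naturally: CloudTrail log objects are JSON with a top-level "Records" array, and a hunting script is little more than a walk over that array with a watch list. The following is an added example of my own, not code from either article. The event names it watches are real CloudTrail eventName values, but the list itself is my own selection and is not the cheat sheet's content; the log records are constructed for the demo.

```python
import json
from collections import Counter

# Constructed CloudTrail log in the "Records" layout CloudTrail writes.
# Principals, IPs and timings are made up for this demo.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-06-20T10:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-06-20T10:02:15Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-06-20T10:03:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2023-06-20T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"},
    {"eventTime": "2023-06-20T10:05:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"},
    {"eventTime": "2023-06-20T10:05:04Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"},
    {"eventTime": "2023-06-20T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/carol"},
     "sourceIPAddress": "192.0.2.44"},
]})

# My own watch list of eventName values worth a second look, keyed to the
# attacker objective they usually serve. Not the cheat sheet's list.
WATCHLIST = {
    "ConsoleLogin": "initial access",
    "CreateUser": "persistence",
    "CreateAccessKey": "persistence",
    "CreateLoginProfile": "persistence",
    "AttachUserPolicy": "privilege escalation",
    "PutUserPolicy": "privilege escalation",
    "StopLogging": "defense evasion",
    "DeleteTrail": "defense evasion",
    "UpdateTrail": "defense evasion",
    "GetSecretValue": "credential access",
}


def load_records(text):
    """Parse one CloudTrail log object; it is a JSON object with a "Records" list."""
    data = json.loads(text)
    if isinstance(data, list):          # tolerate a bare list of records
        return data
    return data.get("Records", [])


def principal(rec):
    """Best available name for who did it: IAM user name, else the ARN, else the type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def hunt(records, watchlist=WATCHLIST, denied_threshold=3):
    """Return findings: watch-listed events plus principals with a burst of AccessDenied."""
    findings = []
    denied = Counter()
    first_denied = {}
    for rec in records:
        name = rec.get("eventName")
        who, ip, when = principal(rec), rec.get("sourceIPAddress"), rec.get("eventTime")
        if name in watchlist:
            reason = watchlist[name]
            if name == "ConsoleLogin":   # outcome and MFA state live in sub-objects
                outcome = rec.get("responseElements", {}).get("ConsoleLogin")
                mfa = rec.get("additionalEventData", {}).get("MFAUsed")
                reason += f" ({outcome}, MFAUsed={mfa})"
            findings.append({"time": when, "principal": who, "ip": ip,
                             "event": name, "reason": reason})
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
            first_denied.setdefault(who, (when, ip))
    for who, count in denied.items():    # many denials in one trail = permission probing
        if count >= denied_threshold:
            when, ip = first_denied[who]
            findings.append({"time": when, "principal": who, "ip": ip,
                             "event": f"AccessDenied x{count}",
                             "reason": "possible permission enumeration"})
    findings.sort(key=lambda f: f["time"] or "")
    return findings


if __name__ == "__main__":
    for f in hunt(load_records(SAMPLE_TRAIL)):
        print(f'{f["time"]} {f["principal"]:<12} {f["ip"]:<14} {f["event"]:<18} {f["reason"]}')
```

To run it against a real trail, gunzip a CloudTrail log object from the S3 bucket and pass its text to load_records; the "Records" layout is the same. Extend WATCHLIST with whatever the cheat sheet flags for your environment and tune denied_threshold to the noise level of your automation.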

Keisuke Shikano at JPCERT/CC

鹿野 恵祐 (Keisuke Shikano), June 20, 2023. TSUBAME Report Overflow (Jan-Mar 2023). This TSUBAME Report Overflow series discusses monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports do not include. This article covers the monitoring results for the period of January to March 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here. Observation of suspicious packets sent from a ho...

Jumpsec Labs

by Francesco Iulio | Jun 19, 2023 | Incident Response. In May 2023 the NCSC and CISA released a joint cyber security advisory addressing a piece of Russian malware called Snake. According to them, this malware has been gathering intelligence for the FSB in more than 50 countries for the last 20 years. Off the back of this advisory, JUMPSEC decided to perform a number of threat hunts to provide assurance for some of our clients. Whilst conducting these hunts, we thought it would be beneficial to sh...

by Max Corbridge | Jun 21, 2023 | Exploitation, Research, Security Bug, Vulnerability, Windows. TL;DR: Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisation using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware i...

KELA

In recent months, the popularity of Generative AI has surged due to its powerful capabilities. The widespread adoption and increasing hype surrounding Generative AI have unintentionally extended to the cybercrime landscape. Just like any other advanced and powerful technology that takes our world to the next level, the bad guys always manage to find their oh-so-‘special’ way in. Cybercriminals have started leveraging Generative AI for their malicious purposes and day-to-day activities, including...

Raúl Redondo at Lares Labs

The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an Active Directory domain. Raúl Redondo, Jun 19, 2023 • 12 min read. We often find and capitalize on these misconfigurations in our Red Team / Internal Pentest / Insider Threat assessments. In this post, we will discuss, in a general overview, some concepts that will help us understand how Windows handles access relationships and privileges ...

Rabindra Dev Bhatta at Logpoint

Matt Suiche at Magnet Forensics

This is a post authored by Matt Suiche (Director, Memory, IR & R&D). The Cybersecurity and Infrastructure Security Agency (CISA) & partners recently released a joint cybersecurity advisory uncovering techniques and tactics used by the threat actor behind the CL0P ransomware. This campaign was launched using an SQL injection zero-day vulnerability (now labeled as CVE-2023-34362) to install a web shell named LEMURLOOT on MOVEit Transfer web applications. We’ve covered how to hunt for web shells in...

Bill Cozens at Malwarebytes Labs

Posted: June 23, 2023 by Bill Cozens. A quick look at the cybercriminal group known as Royal, one of the fastest growing ransomware gangs today. When we first introduced the Royal ransomware gang in our November 2022 review, little did we know they'd rapidly evolve into one of the most potent threats in our ongoing monthly threat intelligence briefings. In fact, the Malwarebytes Threat Intelligence team has tracked down a staggering 195 ransomware incidents credited to Royal from November 2022 to Jun...

Marco Ramilli

June 22, 2023. Introduction: In today’s digital landscape, the prevalence of cyber threats and incidents has become a significant concern for individuals, organizations, and governments alike. I have had the opportunity to explore numerous vendor reports in the past months and gain insights into the evolving nature of breaches and incidents. Through my research, I have discovered a multitude of interesting findings, highlighting the relentless ...

Microsoft Security


Takashi Koide at NTT Security Japan

Takashi Koide, June 19, 2023. This article explains our recent paper "Detecting Phishing Sites Using ChatGPT" [1], published in June 2023. The author of this article is Takashi Koide. Can ChatGPT detect phishing sites? The use of artificial intelligence (AI) in cyber attacks has become a growing concern in the security community. ChatGPT has the potential to automate various malicious activities, such as generatin...

Palo Alto Networks

By Kristopher Russo, Austin Dever and Amer Elsad, June 21, 2023 at 6:00 AM (10 min. read). Category: Threat Advisory/Analysis, Threat Briefs and Assessments. Tags: 0ktapus, Advanced URL Filtering, app-ID, Cortex XDR, Cortex XSIAM, Cortex XSOAR, DNS security, incident response, MITRE, Muddled Libra, next-generation firewall, Phishing, Scatter Swine, Scattered Spider, social engineering. Executive Summary: At the intersection of d...

By Chao Lei, Zhibin Zhang, Yiheng An and Cecilia Hu, June 22, 2023 at 6:00 AM (11 min. read). Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, botnet, Cloud-Delivered Security Services, CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240, IoT, Io...

Phylum

On June 11, Phylum’s automated risk detection platform alerted us to a peculiar pattern of publications on NPM. The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed. At the time of this writing, we have yet to fully unravel the mystery, but we invite you to follow along as we share the discoveries we’ve made so far. ⚠️ As this appears to still be an active attack, we will be updating this po...

Proofpoint

Cybercrime Targeting Italy. June 21, 2023, Proofpoint Threat Research Team. Global Threat Landscape: Proofpoint has observed multiple major changes impacting the global threat landscape. This includes the shift away from macro-enabled documents, the increased use and availability of credential phishing kits that bypass multi-factor authentication (MFA), and efforts to build trust with targets by initiating benign conversations before sending conten...

Mohammad Amr Khan at Pulsedive

Akira is an emergent ransomware group that has been active since April 2023, targeting small to medium organizations. Here's what you need to know. Mohammad Amr Khan, Jun 21, 2023 • 6 min read. Overview: Akira is an emergent ransomware group that has been active since April 2023 (Recon InfoSec). The group has targeted small to medium sized organisations with double extortion. They have accessed environments through VPN services where users did not have multi-factor authentication enabled. The group ...

Recorded Future

Posted: 20th June 2023. By: Insikt Group®. Recorded Future's Insikt Group, in partnership with Ukraine's Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an ope...

Posted: 23rd June 2023. By: Insikt Group®. New research by Recorded Future’s Insikt Group examines North Korea’s cyber strategy. Despite the ever-increasing number of cyberattacks publicly attributed to North Korea, the regime does not publish an official cyber-strategy doctrine. North Korea's cyber strategy is focused on aggressive information collection and financial theft operations to support its goals of maintaining the Kim family dynasty and unifying the Korean peninsula under its leadership....

Red Alert

Monthly Threat Actor Group Intelligence Report, April 2023 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 March 2023 to 20 April 2023. In April, activities by a total of 29 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 34%, followed by SectorC groups. Threat Actors identified in April carried out the highest number of attacks on workers an...

Caroline Fenstermacher at ReliaQuest

root@V3dedBlog:~

June 20, 2023. Introduction: Hey everyone! Welcome back to the second part of the kernel development series. In my previous post, we briefly covered some details on setting up a kernel development lab and writing a basic kernel driver. If you haven’t read it yet, then I highly recommend you do so before continuing. In today’s post, we will be covering the Windows Filtering Platform (WFP) and how it can be used to process network packets via our driver. Specifically, we will be focusing on ICMP pa...

Miles Arkwright and James Tytler at S-RM Insights

Miles Arkwright, James Tytler, 23 June 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our inte...

SANS Internet Storm Center

Security Intelligence

Each year, we continue our everlasting hope that ransomware attacks will disappear. The unfortunate reality is that ransomware is as prominent as ever. Experts predict that ransomware attacks will only become more frequent and sophisticated, posing an even greater threat across all industries. When ransomware strikes, the biggest question a company has to answer is typically whether to pay the ransom. But paying the ransom is only a fraction of the total cost to a business. In some cases, compan...

Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern. The value of healthcare data in the illegal market, such as the personal, medical and financial information of patients and healthcare companies, creates an appealing target for threat actors. This can have serious consequences for the privacy and information security of these organizations. Cyberattacks could lead to...

Securonix

Threat Research. By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov, June 21, 2023. TL;DR: MULTI#STORM, an interesting attack campaign involving Python-based loader malware, was recently seen being used to deliver Warzone RAT infections using phishing emails. An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip...

SentinelOne

June 20, 2023 by SentinelOne. A Russian-speaking hacker has been making headlines recently after promoting a tool that the threat actor claims can bypass EDR and AV tools. The so-called ‘Terminator’ tool is said to be able to kill processes belonging to “all AVs/EDRs/XDRs”, which if used in conjunction with other malware, could allow threat actors to breach defenses. SentinelOne customers are protected from the Terminator EDR tool. In this post, we take a look at how the tool works and how or...

Simone Kraus

Killnet & REvil: How are they attacking the banking system in Europe? (Simone Kraus, 7 min read). The pro-Russian hacktivist collective known as Killnet, along with another Russian-speaking hacktivism group called Anonymous Sudan, announced together, on their official Telegram channels on June 14th at 6pm, that they plan to take down Western financial institutions in the next 48 hours. The presumed targets include European and U.S. banks, the SWIFT system and the Western central ...

Holistic Threat Modeling (Simone Kraus, 7 min read). This article is about our own threat-informed defense approach for threat-informed assessments and workshops to help customers improve their security postures. How does a new threat modeling approach emerge, and how can it be developed holistically? With the newly developed holistic threat modeling approach we show how customers can analyze more effectively day to day to improve their security posture and how we can provide them with our m...

Puja Mahendru at Sophos

Get insights into real-world ransomware experiences - including the frequency, costs, and root causes of attacks - in our latest annual survey of the manufacturing and production sector. Written by Puja Mahendru, June 21, 2023. Sophos has released the State of Ransomware in Manufacturing and Production 2023, a report based on a survey of 363 IT/cybersecurity professionals across 14 countries working in the manufacturin...

Symantec Enterprise

Backdoor leverages Microsoft Graph API for C&C communication. The Flea (aka APT15, Nickel) advanced persistent threat (APT) group continued to focus on foreign ministries in a recent attack campaign that ran from late 2022 into early 2023 in which it leveraged a new backdoor called Backdoor.Graphican. This campaign was primarily focused on foreign affairs ministries in the Americas, although the group also targeted a government finance department in a country in the Americas and a corporation tha...

System Weakness

Arslan Sabir, published in System Weakness (5 min read, Jun 4). In the previous blog we talked about the logging of RDP events; if you have not read the previous blog, please find the link below: Windows RDP Event Logs: Identification, Tracking and Investigation Part-1 (arslansabir11.medium.com). Remote Desktop Protocol (RDP) is a widely used technology that allows users to connect remotely to another computer or… In this blog we will dive into a scenario involving the investigation of an RDP sessio...

joshuanatan, published in System Weakness (7 min read, Jun 1). As a cyber consultant that has never been in a security operational team, I find it really difficult to understand how these processes work. A big thanks to my buddy; if you happen to read this blog, I thank you for the knowledge sharing in this area. I will try to formalize all our discussions and my current understanding of this particular subject at this point in time (June 2023). I want to...

John B., published in System Weakness (6 min read, Mar 10). (Image: LLMNR, created by John Brown.) Introduction: In this ethical hacking project, using a safe virtual network environment that I set up using VirtualBox, I go over Responder for educational purposes and to learn about one of the Kali Linux tools, Responder. Responder is a sniffing tool used to gain vulnerable credentials from network traffic, including those sent over SMB, HTTP, and other protocols. Responder is also an LLMNR, ...

Dissecting the Phish: Intro to Phishing Investigations — Useful Online Resources (Lena, published in System Weakness, 8 min read, Feb 23). In this blog post, I will be introducing online resources that can be used to investigate phishing sites. In Collecting the Phishing Samples, I will cover how phishing domain samples can be collected from online databases. In Domain/IP/URL Analysis, I will be covering how the domains, IPs, and URLs can be analyzed using online services and WHOIS infor...

Paritosh, published in System Weakness (3 min read, May 25). I have wanted again and again to know what fileless malware actually is and how it can be used for malicious purposes. So I explored some more things today and am sharing them with you as well. Let’s begin. A fileless malware attack refers to a type of cyberattack where malicious code is executed directly in the memory of a targeted system without leaving any trace on the hard drive or file system. This technique allows th...

Lena · Published in System Weakness · 6 min read · Feb 19. Recently in Japan, there has been an increase in Smishing attacks that abuse Duck DNS. In this blog post, I will be investigating one of these Duck DNS smishing attacks. The one analyzed here impersonates a mobile payment system. Table of contents: The SMS message; Android User-Agent; iPhone User-Agent; Duck DNS behaviour; Conclusion. The SMS message: The message says, 【利用停止予告】KDDI未払い料金お支払いのお願い。/lhuyykzzlv[.]duckdns.org, which translates to, [Sus...

The Sleuth Sheet

The Missing Semester of Your OSINT Education. VEEXH · Published in The Sleuth Sheet · 13 min read · 6 days ago. Topics: Data analysis, Programming, Machine Learning, Storytelling. In the field of Open-Source Intelligence (OSINT), it is essential to have a diverse set of skills to effectively collect, evaluate and analyze publicly available information. By incorporating Data Analysis, Programming, Machine Learning and Storytelling into your OSINT knowledge, you can transform raw data in...

How Learning Intelligence Analysis Makes Your Life Easier. VEEXH · Published in The Sleuth Sheet · 7 min read · 5 days ago. Introduction: Have you ever wondered how intelligence analysts work? How do they collect, evaluate, and interpret information to produce actionable insights? And more importantly, how can you apply their skills and methods to your own life? Intelligence analysis is not just for spies and detectives. It is a process that can be applied to various domains of ...

The Three Types of Intelligence for Threat Intelligence: A Comprehensive Guide. VEEXH · Published in The Sleuth Sheet · 5 min read · 1 day ago. Threat intelligence is the process of collecting, analyzing and disseminating information about existing or emerging cyber threats that target an organization. Threat intelligence helps security teams to be more proactive, enabling them to prevent, detect and respond to cyber attacks more effectively. However, not all threat intelligen...

Threatmon

Todyl

Detection & Response Team | 2023-06-22 | 7 min read This is Part 2 of Todyl’s breakdown of XWorm 4. Click here for Part 1. In the first part, we detailed the four files used to propagate the .NET loader in this XWorm attack. Now, we’ll dig deeper into the .NET loader as well as the XWorm malware itself. It’s important to note the fact that XWorm is a continuously developed product and a rapidly evolving threat. So, although this information is accurate as of the time of writing, the community wi...

Trellix

The CyberThreat Report Unveils Financial, Telecom, and Energy Sectors Increasingly Under Attack. SAN JOSE, Calif.--(BUSINESS WIRE)-- Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), today released the June 2023 edition of The CyberThreat Report from the Trellix Advanced Research Center, which analyzes cybersecurity trends from the last quarter. Insights were gleaned from a global network of expert researchers who analyze over 30 million detections o...

Trend Micro

This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators. By: Peter Girnus, Aliakbar Zahravi, June 20, 2023. The remote access trojan (RAT) SeroXen tool can be purchased on the clear...

Learn how analysts can search for threats with greater accuracy, speed, and effectiveness. By: Shannon Murphy, June 20, 2023. Threat actors continuously adapt their tactics, techniques, and procedures (TTPs) to circumvent preventative security controls. Extortionware and distributed-denial-of-service (DDoS) threats have surged in volume, in addition to frequent ransomware attacks and BEC scams. The demand to seek out threats proactively to reduce dwell t...

The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona's operators have remained highly active, and in fact have been continuously updating their ransomware binaries. By: Arianne Dela Cruz, Paul Pajares, Ivan Nicole Chavez, Ieriz Nicolle Gonzalez, Nathaniel Morales, June 23, 2023.

Radoslaw Zdonczyk and Mariusz Siedlecki at Trustwave SpiderLabs

Honeypot Recon: MSSQL Server – Database Threat Overview '22/'23. June 20, 2023, Radoslaw Zdonczyk, Mariusz Siedlecki. Introduction: In a constantly connected world, protecting sensitive data in what are often complex database structures requires staying up to date with cyber criminals' malicious attack techniques and infection methods. This research is an extension of another project which involves monitoring attacks carried out on database servers worldwide. Understa...

VirusTotal

Inside of the WASP's nest: deep dive into PyPI-hos... / Actionable Threat Intel (II) - IoC Stream / AI boosts Code Language and File Format identifica...