Analysis Notes

A place for jotting down notes from malware analysis and anything that seemed likely to be useful for analysis.

4n6 Week 30 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to show the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. Some of the articles are summarized using Google Bard. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Roi Kol at Aqua

eBPF is a popular and powerful technology embedded in the Linux kernel. It is widely used by many security tools for monitoring kernel activity to detect and protect organizations. eBPF, however, can potentially be a double-edged sword, as it can be used by threat actors as part of their malicious arsenal. Lately, we have seen a rise in the number of eBPF-based tools used for malicious goals such as rootkits (ebpfkit, TripleCross) and malware (pamspy). In this blog we explain how eBPF is used to i...

Assetnote

Jul 21, 2023 Note: our analysis so far indicates that SAML has to be enabled for exploitation, this may change as we continue to reverse engineer this vulnerability. We will update our blog post accordingly. We have been notified that the patches from Citrix cover more than one vulnerability, and that the issue identified in our blog post may not be the only one. There is a possibility that a pre-auth RCE exists without SAML being enabled. In the last week, Citrix have released an advisory which...

Avertium

July 18, 2023 Executive Summary In 2022, Avertium published a Threat Intelligence Report on the pro-Russia threat actor Killnet. At the time, the threat actors publicized their allegiance to Russia and made several threats as the cyber war between the two nations continued. Other threat actors also declared their allegiance to either Russia or Ukraine and retaliatory attacks were in full swing. When it seemed as if Russia had the upper hand, deploying worms such as HermeticWiper and WhisperGate,...

Oleg Skulkin and Andrey Chizhov at BI Zone

New hacker group Quartz Wolf leverages legitimate software to attack the hospitality industry Own malware has never been the go‑to for cybercriminals. The Quartz Wolf hacker group has devised another way to bypass conventional defenses. By using the Assistant remote access software the group attempts to compromise its target systems. In this publication, we reveal the mechanics of this attack and share how BI.ZONE CESP was able to detect and prevent it...

BushidoToken

July 22, 2023 Online and at conferences, people ask me how to get started in threat intel. What I usually offer as advice to budding analysts starting out is to practise analysing things in the wild. And by 'analysing things in the wild' I mean looking for live reports of cybercriminal activity by others online. One of my favourite examples is SMS phishing text messages, also called Smishing scams. It is a commonly held view that new analyst...

Censys

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 15 – 21 July 2023 21/07/2023 summary This week, CERT-AgID detected and analysed, within the Italian scenario it covers, a total of 61 malicious campaigns, 60 of them with Italian targets and one generic campaign that nonetheless affected Italy, making the 208 related indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types...

Check Point

Security July 18, 2023 Microsoft Dominates as the Most Impersonated Brand for Phishing Scams in Q2 2023 By Check Point Team Our latest Brand Phishing Report for Q2 2023 highlights the brands that were most frequently imitated by cybercrim...

Security July 19, 2023 Facebook Flooded with Ads and Pages for Fake ChatGPT, Google Bard and other AI services, Tricking Users into downloading Malware...

Securing the Cloud July 20, 2023 CDN Service Exposes Users to Malicious Packages for Phishing Attacks Invisible to Security Tools By Ori Abramovsky, Head of Data Science Check Point CloudGuard Malicious package previously removed are stil...

Securing the Cloud July 21, 2023 Docker Images: Why are Many Cyber Attacks Originating Here? By Dotan Nahum What happens when you need to set up a container environment quickly? You may use a popular platform called Docker Hub to find an ...

CISA

Release DateJuly 20, 2023 Alert CodeAA23-201A SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure org...

Cisco’s Talos

By Martin Lee Tuesday, July 18, 2023 08:07 On The Radar Implementing a threat intelligence program that meets the definition of threat intelligence control as described in ISO/IEC 27002:2022 — a set of standards set forth by the International Organization for Standardization — is not onerous. The ISO/IEC 27002 standard describes a non-exhaustive list of security controls that organizations can implement on their own or as part of an ISO/IEC 27001-compliant cybersecurity program. The guidance withi...

By Jonathan Munshaw Wednesday, July 19, 2023 08:07 The Need to Know Whether known as commodity malware or “as-a-service,” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue. When used legitimately, as-a-service software is when a third-party company offers its software to another company based on a license that is renewed frequently (mostly monthly or yearly) for a fee. The software is centrally hosted on th...

By Cisco Talos Wednesday, July 19, 2023 11:07 Vulnerability Roundup Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser. In our new series called “Vulnerability Roundup,” we’ll be recapping the vulnerabilities we recently disclosed to provide readers with an overview of what the issue is, how they can remediate and what the potential implications are for users. Our latest Vulnerability ...

Cloudbrothers

Fabian Bader, filed under Sentinel, Logic App, Analytics Rules, KQL, Defender for Cloud. 2023-07-16, 1708 words, 9 minutes. Contents: Incident vs. alert; Alerts; Incidents; Alert update logic; Sentinel to Defender for Cloud; Defender for Cloud to Sentinel; Behavior summary; Is this a problem?; Solution; Basic logic; KQL query; Logic App; Deploy; System managed identity; User managed identity; Known issues; Deploy to a different subscription; InsufficientAccessError. When working with Defender for Cloud and Microsoft Senti...

Omer Yoachimik and Jorge Pacheco at Cloudflare

July 18, 2023 2:00PM Omer Yoachimik Jorge Pacheco Welcome to the second DDoS threat report of 2023. DDoS attacks, or distributed denial-of-service attacks, are a type of cyber attack that aims to disrupt websites (and other types of Internet properties) to make them unavailable for legitimate users by overwhelming them with more traffic than they can handle — similar to a driver stuck in a traf...

William Burgess at Cobalt Strike Research and Development

Coveware

In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire c...

CrowdStrike

June 22, 2023 Falcon Complete Team From The Front Lines VANGUARD PANDA Background On May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike Intelligence tracks this actor as VANGUARD PANDA. Since at least mid-2020, the CrowdStrike Falcon® Complete managed detection and response (MDR) team and the CrowdStrike® Falcon OverWatch™ threat hunting team have observed...

Cyberknow

Update 24. 2023 Russia-Ukraine War — Cybertracker. 20 JULY. Cyberknow, 2 min read, 2 days ago. It’s been a while — a quick reminder: The Cybertracker I produce for the Russia-Ukraine war is based on Intent of the cyber threat actors, not capability. I just wanted to quickly thank all those who read/use/enjoy the cybertracker I produce, really makes the long nights worth it. When I decided to make a list of cyber groups involved in the Russia-Ukraine war in February 2022 I did not th...

Shani Touitou at CyberProof

Shani Touitou July 18, 2023 3 minute read The digital landscape is rife with new and evolving threats - and to meet this challenge, organizations must invest in proactive security measures. Threat hunting practices – which, by definition, are proactive rather than reactive - play a significant role in mitigating the risks and contributing to a resilient cybersecurity ecosystem. As a case in point, let’s take a look at the work done by CyberProof’s threat hunting team in exposing the security cha...

Cyble

July 20, 2023 New Ransomware Strain Sets Sights on Cryptocurrency Users New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language. NIM, a programming language specifically created for efficient execution and superior performance, has recently caught the attention of malware developers due to it...

July 21, 2023 Luca Stealer Making Waves in the Cyber Threat Landscape Launching new products generates excitement and eagerness among consumers, who eagerly anticipate the latest technological innovations and advancements. However, this excitement also attracts malicious intent. Threat Actors (TAs) often take advantage of the hype surrounding new product releases to carry out their devious schemes. These cybercriminals create deceptive phishing sites that impersonate legitimate platforms, seekin...

Cyborg Security

Cyfirma

Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware, Target Technologies: MS Windows, Linux, and VMware ESXi servers. Target Geography: Belgium, Colombia, France, Italy, Jordan, Lebanon, Mauritius, Netherlands, United States, United Kingdom. Target Industry: En...

Nicole Wong at Darktrace

Vinaya Sheshadri at DomainTools

Doug Metz at Baker Street Forensics

Hunting for Indicators with PowerShell: New Files DFIR, Malware, PowerShell When analyzing the impact of malware execution on a system, it’s important to identify what additional files the malware has introduced to the system. Have other exe’s been dropped? Are there .vbs files being sprinkled around by the malware fairies? What other file types would you be concerned with showing up on your systems? Maybe it’s the inverse and it’s the file extension itself that’s the outlier and you need to ide...

EclecticIQ

EclecticIQ researchers identified a spearphishing campaign that leverages exploited Zimbra and Roundcube email servers to target government organizations. The campaign has been underway since as early as January 2023 and has mostly targeted government entities in Ukraine, but also Spain, Indonesia, and France. Arda Büyükkaya – July 17, 2023 (Updated on July 18, 2023) Executive Summary EclecticIQ researchers identified a spearphishing campaign that leverages exploited Zimbra and Roundcube email s...

This issue of the analyst prompt addresses the FIN8 group using modified Sardonic malware for deployment of BlackCat ransomware. Simultaneously, Revolut suffered a significant loss after the exploitation of a weakness in its payment system, while threat actor Charming Kitten targets macOS users. Arda Büyükkaya – July 20, 2023 FIN8 Group Using Modified Sardonic Malware for Deployment of BlackCat Ransomware According to the Symantec Threat Hunter Team, the financially motivated threat actor known ...

Elastic

By Bobby Suber 17 July 2023 Do you think you may have Indicators of Compromise (IOCs) floating around in the sea of your Splunk deployment’s Zeek data? Are you concerned that you may not learn about anomalous behavior until it’s too late? If so, then keep reading to learn how Elastic® can help — but first, let me explain the history behind this. Splunk is good at getting data into the platform, specifically unstru...

By Marvin Ngoma 18 July 2023 This blog is the first post of a two-part series. Part 1 talks about the concept of a nation-state and then provides a high-level overview of Locked Shields — the world's largest cybersecurity exercise — and its increasingly important role in promoting cyber warfare readiness for NATO member states and partners. Part 1 also outlines the steps taken by nations to prepare for a cyber war...

Anshu Bansal and Ashutosh Venkatrao More at Falco

Yuzuka Akasaka at Flare

Flashpoint

Flashpoint analysts are tracking the newly released “DBot v.3,” the third version of the well-known malware suite “Danabot.” Flashpoint Intel Team July 17, 2023 Last week, the third version of the malware toolkit Danabot was released on the high-tier Russian...

LockBit was responsible for nearly 28 percent of known ransomware activity in the past year, and remains a major threat to organizations in the ransomware landscape Flashpoint July 20, 2023 In the world of ransomware, LockBit has emerged as a prominent and wi...

Fortinet

By Jonas Walker and Fred Gutierrez | July 17, 2023 Phishing has been a digital thorn in the side of cybersecurity for over a decade. These unsolicited, cleverly masked requests are the wolf in sheep's clothing of the digital world. They are always looming, waiting for some unsuspecting employee to click on a malicious link or attachment that can send your company into a crisis. In the ever-evolving cybersecurity landscape, understanding the phishing threat has become more critical than ever. It ...

Ransomware Roundup - Cl0p By Shunichi Imano and James Slaughter | July 21, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the Cl0p ransomware. Affected plat...

Alexis Wales at GitHub

GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning fo...

GuidePoint Security

InfoSec Write-ups

Cybertech Maven, published in InfoSec Write-ups, 9 min read, Jul 13. Introduction I used VirtualBox 🖥️ to set up a Windows Active Directory environment, deployed Elastic SIEM (Security Information and Event Management) with Kibana on a Kali Purple machine, and successfully tested its Endpoint Detection and Response (EDR) capabilities. 🚨 For this article, I’ll walk you through connecting a Windows 10 machine from my Active Directory environment to Elastic SIEM and demonstrate how to t...

Paritosh, published in InfoSec Write-ups, 3 min read, May 23. As cybersecurity threats continue to evolve, understanding the architecture and infrastructure of threat actors becomes crucial for effective defense strategies. By analyzing the tools, techniques, and infrastructure employed by malicious actors, security professionals can gain insights into their motives and potential vulnerabilities. This article aims to provide a comprehensive guide on how to determine threat actors’ a...

Hacktivities, published in InfoSec Write-ups, 10 min read, Jul 16. This article provides my approach for solving the FalconEye blue team ctf challenge on the CyberDefenders website, a blue team-focused challenge that requires you to investigate a security breach in an Active Directory network using Splunk SIEM (Security information and event management) solution to uncover the attacker’s steps and techniques while creating a timeline of their activities. Disclaimer I like to ...

Part 1. Ali AK, published in InfoSec Write-ups, 7 min read, 6 days ago. Introduction: Persistence is a Phase that’s included in all the popular Security Frameworks such as Cyber/Unified kill chain or MITRE ATT&CK. This phase is done after Exploitation (commonly) but it depends on the Roles of Engagements (ROE) & your Approach Framework Processes. What is Persistence & Backdoor? Persistence is a technique used to maintain a connection with target systems even if the machine is rebooted, s...

Ahmet Talha Şen, published in InfoSec Write-ups, 5 min read, 3 days ago. In this article, we’ll explain how to finish the JavaScript Deobfuscation challenge from Hack The Box (HTB). We need to analyse and deobfuscate JavaScript code in order to get a secret flag in order to finish this challenge. The steps used to overcome the challenge will be discussed in detail for each phase. Step 1: Initial Analysis First, we visit the provided URL (/94.237.54.69:48876/) and ...

Alison Rusk at INKY

Posted by Alison Rusk Tweet From dark places come dark things. The Lutz’s had Amityville, Tolkien gave us Mordor, and Stephen King’s IT spends his time lurking around in the storm drains. While these dark places are strictly fictional, there is one very dark, very real place that has the potential to scare the world’s bravest CEOs and MSPs. It’s the dark web and even the most inexperienced hacker can set companies up for a disaster. About the Dark Web The dark web isn’t visible to search engines...

IronNet

Jonathan Johnson

ThreadSleeper: Suspending Threads via GMER64 Driver Jonathan Johnson, 8 min read, 1 day ago. Originally posted: //www.binarydefense.com/resources/blog/threadsleeper-suspending-threads-via-gmer64-driver/ Recently a friend of mine, Nick Powers, sent me the gmer.sys driver that was involved with the Blackout activity which exposed functionality to terminate any process you wanted from a medium integrity level context. This was being used against many EDR vendors, including Microsoft De...

Jouni Mikkola at “Threat hunting with hints of incident response”

July 6, 2023 JouniMi What? I’ve been thinking of implementing some sort of Threat Intelligence Platform for my personal usage. The original idea has been to run MISP as it is quite well known to be very good at this sort of thing, however I’ve been hearing a lot of good things about OpenCTI lately. It is by far less mature and less used than MISP, so it is likely to be less polished at this stage. It offers, however, good amounts of eye candy and seems to be a cool pla...

Yuma Masubuchi at JPCERT/CC

増渕 維摩(Yuma Masubuchi) July 19, 2023 DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments Email At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python a...

Korstiaan Stam at ‘Invictus Incident Response’

Automated First-Response in AWS using Sigma and Athena Invictus Incident Response, 5 min read, 2 days ago. Background Identifying which activities adversaries have performed in a compromised AWS environment is not an easy task. Therefore together with @BertJanCyber we have performed research to investigate if Sigma rules can provide first-response capabilities in a post-compromised environment. We tested a total of 32 different attacks ...

Kristina Balaam and Justin Albrecht at Lookout

Kristina Balaam, Staff Security Intelligence Engineer; Justin Albrecht, Global Director, Mobile Threat Intelligence. Platform(s) Affected: Android. Discovered By: Lookout. Threat Type: Surveillanceware. Threat Name: WyrmSpy and DragonEgg. Adversary Group: APT41. Entry Type: In-Depth Analysis. Summary Lookout attributes WyrmSpy and DragonEgg to infamous Chinese espionage group APT41, which has not slowed down since recent indictments by ...

Mandiant

Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection Mandiant Intelligence Jul 18, 2023 10 min read Threat Intelligence, China, TTPs, espionage Mandiant Intelligence is tracking several ways in which Chinese cyber espionage activity has increasingly leveraged initial access and post-compromise strategies intended to minimize opportunities for detection. Specifically, this analysis highlights Chinese threat groups’ exploitation of zero-days in security, networking...

KillNet Showcases New Capabilities While Repeating Older Tactics Mandiant Intelligence Jul 20, 2023 11 min read Threat Intelligence, Russia Key Judgments Mandiant Intelligence assesses with high confidence that operations for which the pro-Russia hacktivist collective KillNet has claimed responsibility consistently mirror Russian strategic objectives, although we have not yet uncovered direct evidence of the collective’s collaboration with or direction from Russian security services. Mandiant asse...

Escalating Privileges via Third-Party Windows Installers Andrew Oliveau Jul 19, 2023 7 min read Red Teaming, Vulnerabilities, TTPs Picture this: you've finally made it past the perimeter of a highly secured organization. You're feeling pretty pleased with yourself, until you realize you only have Active Directory privileges of a newly hired intern and the thrill trickles away. However, with some crafty tricks and a bit of luck, you just might be able to climb the corporate ladder and get promoted t...

Vasu Jakkal at Microsoft Security

MikeCyberSec

Hunting for potentially vulnerable Citrix servers with Shodan — CVE-2023–3519 @mikecybersec, 3 min read, 2 days ago. Background Just thought I’d share some tips of using Shodan to find potentially vulnerable kit. You may have seen the recent news/noise across Twitter/Feedly, if you haven’t, get out from under your rock!!1 🤘 //www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/ Sh...

Phylum

In June 2023, Phylum was the first to unearth a series of suspicious npm publications belonging to what appeared to be a highly targeted attack. The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server. A recent security alert from GitHub publicly attributes this cyber-attack—which they were investigating independently—to threat actors with strong ties...

Proofpoint

Job Scams Using Bioscience Lures Target Universities July 19, 2023 Timothy Kromphardt and Selena Larson Key Takeaways Proofpoint identified a series of campaigns using fraudulent job offers to target university students. The lures mostly purported to be related to bioscience and health entities. The campaigns began as early as March 2023 and continued through June 2023. The threat actor tried to entice recipients to have a video call about the role, with the ultimate obj...

Ramesh Ramachandran at Qualys

Red Canary

Resecurity

Industry 21 Jul 2023 Cybersecurity, Dark Web Research, Infinite Game Theory, Cybercrime Prevention, Threat Intelligence Context of the blog In this blog, we will explore how defenders can combat cybercrime and fraud with the help of Infinite Game theory. It’s important to allocate resources toward researching the dark web to achieve this. There is no end state in which the cybercrime issue is solved, where there are no longer victims of cybercrime. Dealing with cybercrime is a continuous challen...

Miles Arkwright and James Tytler at S-RM Insights

Miles Arkwright, James Tytler 21 July 2023 Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our inte...

SANS Internet Storm Center

John Dwyer at Security Intelligence

This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management acc...

SentinelOne

Tom Hegel / July 20, 2023 In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor”. Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state ...

SOCRadar

Sophos

Written by Andrew Brandt July 18, 2023 Threat Research brand abuse brandjacking featured Raas Ransomware Sophos Attackers will sometimes use the name of security companies in their malware. While performing a regular search on VirusTotal looking for interesting malware and new ransomware variants using our threat hunting rules this week, a Sophos X-Ops analyst discovered a novel ransomware executable that appears to use “Sophos” in the UI of the panel alerting that files have been encrypted, (sh...

The realities of ransomware attacks facing education providers in 2023, including the frequency, root causes of attacks, and data recovery costs. Written by Puja Mahendru July 20, 2023 Products & Services Education Ransomware Solutions Sophos has released The State of Ransomware in Education 2023, an insightful report based on a survey of 400 IT/cybersecurity professionals across 14 countries working in education. The findings reveal the real-world ransomware experiences of the sector. Rate of a...

Malvertising campaigns using paid ads result in infostealer and backdoor attacks Written by Colin Cowie, Felix Weyne July 20, 2023 Security Operations Threat Research BatLoader FakeBat featured Gozi IcedID malvertising MDR Sophos X-Ops Cybercriminals are using paid adverts to lure users to malicious sites and trick them into downloading malware, in a variation on SEO (Search Engine Optimization) poisoning. SEO poisoning involves gaming search engines; threat actors put certain keywords on sites ...

Sucuri

Symantec Enterprise

Financially motivated cyber-crime group continues to develop and improve tools and tactics.Symantec’s Threat Hunter Team, a part of Broadcom, recently observed the Syssphinx (aka FIN8) cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware. While analysis of the backdoor revealed it to be part of the Sardonic framework previously used by the group, and analyzed in a 2021 report from Bitdefender, it seems that most of the backdoor’s features have been alt...

Pierre Noujeim at System Weakness

Pierre Noujeim, published in System Weakness, Jun 28. In this blog post I’ll outline four incident response playbooks for MITRE ATT&CK Technique T1003: OS Credential Dumping. Credential Dumping is a technique that allows adversaries to steal user authentication materials, such as usernames and passwords, often from system memory. The indicators of compromise associated with this technique include unexpected and extensive read operations on system memory, suspicious proce...

Implementing MITRE D3FEND for ATT&CK Technique T1053: Scheduled Task/Job. Pierre Noujeim, 3 days ago. Scheduled task/job threats, which make up MITRE ATT&CK Technique T1053, can have severe implications for an organization’s security. MITRE also outlines how to address this technique in their D3FEND Matrix. However, until now, security teams haven’t had a consistent way of implementing D3FEND best practices. This blog will explore how Security Orchestration, Automation, a...

Third Eye intelligence

Australian Ransomware Threat Landscape 2023 – January to July 2023 – A Look into Cybersecurity’s Persistent Nemesis. July 22, 2023; July 23, 2023. Good day to my esteemed readers. I trust everyone is well and maintaining a vigilant stance in light of recent noteworthy cyber events, particularly the Citrix NetScaler vulnerability (CVE-2023-3519) and the exploitation of the MOVEit vulnerability by the Cl0p ransomware group. The latter has affected 403 victim...

Threatmon

Daniel Lunghi at Trend Micro

We recently found that a modified installer of the E-Office app used by the Pakistani government delivered a Shadowpad sample, suggesting a possible supply-chain attack. By: Daniel Lunghi, July 14, 2023. Update: As of July 17, the Pakistani government agency in question has found no compromise of its build environment. As the MSI installer file is not signed, we cannot remove the possibility that the threat actor obtained the legitimate installer and mod...

Jason Hill at Varonis

Taking Microsoft Office by "Storm". Jason Hill. Published July 18, 2023, last updated July 20, 2023. Threat actors known as “Storm-0978” are actively exploiting an unpatched Microsoft Office and Windows HTML remote code execution vulnerability. This high-severity zero-day vulnerability, assigned a CVSS v3.1 score of 8.3 and designated as CVE-2023-36884, has been exploited via specially-crafted Microsoft Office documents that victims are tricked into opening using email lures. Sto...

White Knight Labs

PR Group, July 20, 2023. Ransomware Payments. The article “How ransomware gangs negotiate payments” by Kolawole Samuel Adebayo on Fast Company discusses the intricacies behind ransomware attacks and the methods used by attackers to negotiate payments. The CEO of White Knight Labs, Greg Hatcher, contributes to the article with his expert insights. According to Greg Hatcher, ransomware attackers typically dictate the method of communication and payment, which is almost always Tor and...

Shir Tamari at Wiz

July 21, 2023. Kubernetes API limitations in finding non-standard pods and containers. July 19, 2023.