Analysis Notes

A place to jot down notes from trying my hand at malware analysis, and anything that seemed likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 32 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so that I can skim through and decide which articles to check. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Alex Teixeira

What's missing before the 'One Metric That Matters' in Threat Detection? Alex Teixeira, published in Detect FYI, 6 min read, Aug 1 (member-only story). This is a short blog to help those focused on SOC metrics! Although I have previously covered this topic, it remains evident that effectively tracking reliable metrics demands the team to adapt and potentially implement new processes to achieve their objectives. I share here a few ideas that might be h...

Any.Run

Malware Analysis News: July 2023. August 1, 2023, 7 min read. This is the July 2023 edition of ANY.RUN’s monthly malware analysis news report, where we share key cybersecurity incidents from the last 30 days. In July, cybercriminals deploy FraudGPT...

Top 3 Prevalent Malware of Q2 2023: Overview. August 3, 2023, 6 min read. Every day, malware researchers, SOC, and DFIR professionals generate over 14,00...

Yaara Shriki and Ofek Itach at Aqua

In 2017 and 2020 we saw the oddest campaign - ‘Meow’ - targeting unsecured databases such as MongoDB, Elasticsearch, Cassandra, CouchDB, and other software such as Hadoop clusters, FTPs, Jenkins etc. The Modus Operandi was very simple: finding an exposed instance, deleting everything, and destroying data without any explanation. Back in 2017 and 2020, it was quite a conundrum. There was little information about the attack and attackers. Now, the threat actor is back… One of our honeypots, a Jupyt...

Australian Cyber Security Centre

Jeremy Fuchs at Avanan

Phishing via SharePoint. Posted by Jeremy Fuchs on August 3, 2023. We’ve been writing recently about how hackers are utilizing legitimate services to send out phishing campaigns. We’ve seen it used from Google, QuickBooks, PayPal and more. There are a few reasons behind this trend. One, it’s simple. Hackers are able to create free accounts with these services and send them out to multiple targets. They then can embed a phishing link within a legitimate document and email it directly from the...

Matěj Krčma at Avast Threat Labs

Avertium

August 1, 2023. Executive Summary: Meet 8Base, a stealthy ransomware group that evaded detection for over a year, only to resurface with an alarming surge in operations during May and June 2023. Operating since 2022, 8Base's recent attacks have targeted 67 entities, with a focus on business services, manufacturing, and construction sectors in the U.S. and Brazil. During June 2023, 8Base’s tactics escalated to double extortion, pressuring victims to pay a demanded ransom. Possibly linked to the inf...

Dylan Souvage at AWS Security

Fleming Shi at Barracuda

Aug. 2, 2023 | Fleming Shi. In 2023, artificial intelligence and generative AI have dominated headlines, and their impact is starting to make its mark on ransomware attacks ― for example with AI-enhanced phishing attacks to gain access to target networks and AI-powered automation for greater reach. Over the last 12 months, that helped drive ransomware to new heights as the frequency of ransomware attacks continues to climb with no sign of slowing down. ...

Tim Thorne at Binalyze

Tim Thorne, Thu, Jul 27, '23, DFIR Lab. DRONE is AIR’s built-in automated compromise assessment technology which dramatically reduces the time required to identify IOCs in a DFIR investigation and begin containment and remediation. DRONE flies above your live systems and data acquisitions to deliver an unparalleled decision support system. DRONE will guide analysts, helping them ‘pin-point’ anomalies in the shortest possible time by labeling what is Dangerous, Matched, Suspicious, Rare and Releva...

Martin Zugec at Bitdefender

Brad Duncan at Malware Traffic Analysis

2023-08-01 (TUESDAY): BANDOOK INFECTION NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-08-01-Bandook-infection-notes.txt.zip 1.5 kB (1,545 bytes) 2023-08-01-Bandook-infection-traffic.pcap.zip 1.5 MB (1,450,224 bytes) 2023-08-01-Bandook-malware-and-artifacts.zip 11.8 MB (11,758,238 bytes) 2023-08-01 (TUESDAY): BANDOOK INFECTION NOTES: - Thanks to @JAMESWT_MHT who tweeted about this and submitted the EXE sample ...

2023-08-03 - GOOGLE AD --> FAKE TURBOTAX SITE --> DANABOT REFERENCE: //twitter.com/Unit42_Intel/status/1687510041270657024 NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. ASSOCIATED FILES: 2023-08-03-malicious-ad-to-Danabot-IOCs.txt.zip 1.7 kB (1,746 bytes) 2023-08-03-malicious-ad-to-Danabot-traffic.pcap.zip 96.9 MB (96,919,042 bytes) 2023-08-03-malicious-ad-to-Danabot-malware-and-artifacts.zip 126.1 MB (126,059,179 bytes) Click here...

BushidoToken

August 05, 2023. Welcome to the world of hacktivism, where technology and activism collide. Verifying and researching hacktivist claims can be a challenging and time-consuming endeavour. The sheer volume of claims made by various hacktivist groups and individuals can be overwhelming. With numerous events occurring simultaneously, resources can be strained when attempting to fact-check each claim thoroughly. Hacktivist activities can involve d...

Cado Security

The cloud has become an integral part of modern business, but with its increased adoption comes an increased risk of cyber attacks and data breaches. Cado experts continuously track emerging cloud trends and this report delves deep into the noteworthy discoveries unveiled during the past year. The report covers: An overview of the Cado Security Labs team and core capabilities Cloud attack trends over the last year Observations and predictions from the cloud security landscape Key recommendations...

CERT Ukraine

Check Point Research

Yehuda Gelb at Checkmarx Security

Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector. Yehuda Gelb, published in checkmarx-security, 7 min read, Aug 2. During the last month, we have been monitoring a highly targeted campaign. We began tracking this threat actor in early April 2023, when our systems flagged several suspicious npm packages (those packages were also flagged by our colleagues at Phylum). Later GitHub confirmed that this threat actor was tied to Jade Sleet and TraderTrait...

CISA

Release Date: August 01, 2023. Alert Code: AA23-213A. SUMMARY: The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to ga...

Cisco’s Talos

By Cisco Talos, Wednesday, August 2, 2023 08:08. Vulnerability Spotlight: VPNFilter. Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers. During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers. Talos is highlighting some of the major issues our researchers discovered...

Threat Source newsletter. Welcome to this week’s edition of the Threat Source newsletter. The time has come once again for all of us (well, not me specifically but lots of other Talos people) to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community. As always, we’ll be at the Cisco booth at BlackHat, located just north of th...

By Hazel Burton, Thursday, August 3, 2023 08:08. Features. From new ransomware groups, a growing mercenary space, espionage campaigns, supply chain attacks, and new “as a service” tools popping up, there's a lot to talk about already in the first half of 2023. Here are the main threats we've covered on our blog up until the end of June 2023. The timeline is a blend of threat advisory articles, and long-term research that our analysts have been working on for a while. Talos Half-Year in Review 2023 I...

Cofense

Corelight

Detecting Storm-0558 using Corelight evidence. August 1, 2023 by Chris Brown. While there have been many intrusions, compromises, breaches, and incidents that have made news in the IT and InfoSec industries throughout 2022 and into this year, when events or threats like Storm-0558 gain coverage by mainstream media, we often get questions about Corelight’s ability to detect threats through our sensors, produc...

Detections and Findings using Corelight in the Black Hat Asia NOC. August 3, 2023 by Dustin Lee. As promised, we wanted to dedicate a blog to detections and findings from the network operations center (NOC) at Black Hat Asia 2023 as a follow up to our Lessons Learned blog. Some of these discoveries may not surprise the seasoned analyst or senior threat hunter – but will hopefully provide ...

Cyberdom

by SecWriter · July 29, 2023. Cloud Service Principal is the key, abuse the hole, or the misconfiguration. While I’m investigating or attacking the cloud for many components on a daily basis, I find a lot of abuses. Some of them are great, others less. Entra ID Apps are part of them. What are the differences between App Registration and Enterprise Apps in Entra ID? Can you spot these questions: How many App types do Entra ID have? Which type can consent via user or admin? How do they behave in ea...

Cyfirma

Published On: 2023-08-04. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: Linux OS, VMware ESXi servers. Target Geographies: Canada, Sweden, Switzerland, United Kingdom, United States of America. Target Industrie...

Daniel Chronlund

Microsoft Entra ID Honeypot Accounts with Microsoft Sentinel. Daniel Chronlund. Cloud, Entra ID, Microsoft, Microsoft Sentinel, Security. August 1, 2023, 3 Minutes. Threat hunting is a powerful method of trying to detect stealthy cyber attacks. Threat hunting is an art form and over time you can become a skilled hunter. However, these days we need to do more to detect breaches in our IT environments. One method of trying to lure the attackers and reveal themselves is to use some kind of bait. This is...

Tim Helming at DomainTools

Abdulrahman H. Alamri at Dragos

Abdulrahman H. Alamri. Ransomware, Threats, Vulnerability Management. The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by thes...

Yuzuka Akasaka at Flare

Fortinet

Ransomware Roundup - DoDo and Proton By Shunichi Imano and James Slaughter | August 03, 2023 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the DoDo and Proton r...

Guardio

“PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing Facebook Accounts In-The-Wild. Guardio, 10 min read, Aug 2. By Oleg Zaytsev, Nati Tal (Guardio Labs). Guardio’s Email Protection has detected a sophisticated email phishing campaign exploiting a 0-day vulnerability in Salesforce’s legitimate email services and SMTP servers. Guardio Labs’ research team has uncovered an actively exploited vulnerability...

Nic Finn at GuidePoint Security

Huntress

In the ever-changing cyber landscape, new threats emerge daily, testing the resiliency of businesses worldwide. To effectively stay ahead of these threats, many businesses are turning to threat hunting, the discipline of proactively seeking out cyber threats that may be lurking in an organization’s IT environment. However, successful threat hunting isn’t just about random searches and hunches. It require...

The idea of “persistence” in a cloud environment is not a well-studied topic. At most, you hear instances of the attacker creating backup logins to maintain their long-term presence in a cloud environment. To continue our series exposing the tradecraft around business email compromise (BEC), this blog will dive into how Huntress identified a threat actor using a novel form of persistence (M365 applicatio...

Pierre Noujeim at InfoSec Write-ups

Master D3FEND: Rapid Response to T1059, Command and Scripting Interpreter. Pierre Noujeim, published in InfoSec Write-ups, 5 min read, Jul 31 (member-only story). Command and Scripting Interpreter attacks were the second most common technique seen in MITRE Engenuity’s Sightings Ecosystem report, representing 15.77% of 1.1 million sightings. MITRE’s D3FEND matrix outlines how to address this technique; however, security teams struggle to consistently ...

KELA Cyber Threat Intelligence

KELA Cyber Intelligence Center. Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations. It seems that some of the July victims were infected with the Linux version of the Akira ransomware, based on the list of stolen files. However, at least for some victims, the infected machine...

KELA Cyber Intelligence Center. In July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, i...

KELA Cyber Intelligence Center. The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”. Cyclops...

Malwarebytes Labs

Posted: August 3, 2023 by Threat Intelligence Team Ransomware gangs are also starting to focus on exploiting zero-days for initial access. Ransomware attacks have shown no signs of slowing down in 2023. A new report from the Malwarebytes Threat Intelligence team shows 1,900 total ransomware attacks within just four countries—the US, Germany, France, and the UK—in one year. The findings, compiled together in the 2023 State of Ransomware Report, show alarming trends in the global ransomware surge ...

Mandiant

Transcending Silos: Improving Collaboration Between Threat Intelligence and Cyber Risk. Jamie Collier, Shanyn Ronis, Kelli Vanderlee, John Doyle, Neil Karan, Andrew Close. Aug 02, 2023, 3 min read | Last updated: Sep 04, 2023. Threat Intelligence, cyber risk. Cyber Threat Intelligence (CTI) and risk management have emerged as distinct disciplines, yet they share many similarities in their mission. Both approaches inform decision-making by providing high-quality insight on the most relevant threats an...

August 2023 Threat Horizons Report Provides Cloud-Focused Cybersecurity Insights and Recommendations. Adam Greenberg. Aug 03, 2023, 2 min read. Threat Research. The Google Cloud Threat Horizons Report first launched in November 2021 with the ultimate goal of providing security decision-makers with strategic intelligence about threats to cloud enterprise users, along with data, metrics, trends, and additional cloud research. Perhaps most importantly, the report aimed to provide recommendations from G...

Lakshya Mathur and Yashvi Shah at McAfee Labs

The Season of Back to School Scams. McAfee Labs, Aug 02, 2023, 5 MIN READ. Authored by: Lakshya Mathur and Yashvi Shah. As the Back-to-School season approaches, scammers are taking advantage of the opportunity to deceive parents and students with various scams. With the increasing popularity of online shopping and digital technology, people are more inclined to make purchases online. Scammers have adapted to this trend and are now using social engineering tactics, such as offering high discounts, fre...

Michael Haag

LOLDrivers 2.0: Pioneering Progress. Michael Haag, published in magicswordio, 6 min read, Jul 31. Introducing LOLDrivers 2.0: A significant milestone that refines the user experience and expands upon our comprehensive threat detection capabilities. The landing page is now more accessible with the addition of categories and individual download buttons for each hash, and despite a brief hiatus, the search function is back by popular demand. Notably, we’ve integrated Florian Roth’s innov...

Unmasking Malicious Bootloaders with Bootloaders.io. Michael Haag, published in magicswordio, 5 min read, Aug 3. In the intricate battleground of cybersecurity, the defense against malicious bootloaders, or bootkits, has always been a relentless game of cat and mouse. As defenders work tirelessly to understand, identify, and revoke these concealed threats, adversaries continue to exploit and advance their craft. Enter Bootloaders.io, a monumental stride exposing bootkits! For organizat...

Microsoft Security

Ariel Szarf and Or Aspir at Mitiga

This blog lays out a new potential post-exploitation technique: Abusing AWS Systems Manager (SSM) agent so that it functions as a Remote Access Trojan (RAT) on both Linux and Windows machines, while using an attacker AWS account as a Command and Control (C&C). This attack technique falls within the family of techniques that are known as “living off the land”. By exploiting the existing SSM agent already present on the system, attackers can maintain control over endpoints without the need for...

Monty Security

A Practical Guide to Threat Hunting in Process Data. montysecurity, 10 min read, Aug 5. Introduction. This post aims to provide a core set of ideas for threat hunting — particularly in an intel-driven fashion. The intended audiences are detection engineers, threat hunters, and those aspiring to be one of the two. It will also examine the traditional nomenclature of TTPs (Tactics, Techniques, and Procedures) and where time is spent hunting compared between the three. Lastly, it will end ...

Nextron Systems

Jul 25, 2023 | Nextron, THOR, THOR Lite, Tutorial In this blog post, we address a critical security concern and explore methods for evaluating potential compromises on devices like Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core using THOR or the free THOR Lite YARA and IOC scanners. Recently, a severe remote unauthenticated API access vulnerability, known as CVE-2023-35078, has been identified in Ivanti Endpoint Manager Mobile. This vulnerability, previously branded as MobileIron Core, ...

Obsidian Security

Nir Chako at Pentera

Recorded Future

Posted: 2nd August 2023. By: Insikt Group. Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public discl...

Dave Bogle at Red Canary

ReversingLabs

Selling for $1,000 on the dark web, the email fraud tool leverages generative AI to improve cybercriminals' effectiveness. Blog author: John P. Mello Jr., freelance technology writer. Since OpenAI introduced ChatGPT to the public last year, generative AI large language models (LLMs) have been popping up like mushrooms after a summer rain. So it was only a matter of time before online predators, frustrated by the guardrails deployed by developers to keep abuse of the LLMs in check, co...

ReversingLabs threat researchers have identified a new malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo. Blog author: Karlo Zanki, Reverse Engineer at ReversingLabs. ReversingLabs has identified several malicious Python packages on the Python Package Index (PyPI) open source repository. In all, ReversingLabs researchers uncovered 24 malicious packages imitating three popular open source Python tools: vConnector, a wrapper module for pyV...

Riccardo Ancarani at ‘Red Team Adventures’

Mockingjay - What is old is new again. Riding the hype train to see if we can get something useful out of it. Posted on July 31, 2023. There has been quite a lot of rumor recently around the release of a piece of research that discusses a new (?) process injection technique that evades EDRs (what does that even mean?). For reference, these are the blog posts I am referring to: New Mockingjay...

Attacking an EDR - Part 1. For some fun and a fair bit of profit. Posted on August 3, 2023. Introduction. DISCLAIMER: This post was done in collaboration with Devid Lana. You can find his blog here: //her0ness.github.io This post is the first of what - we hope - will be a long series of articles detailing some common flaws that can be found on modern EDR products. By no means will this be a complete reference, but it will hopefully provide some practical tools to analyze these gargantuan products and...

S-RM Insights

Nation state actors: what's next on the cyber threat landscape horizon? Paul Caron, Stephen Ross, 1 August 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. In this special edition of our Cyber Intelligence Briefing podcast, S-RM...

Miles Arkwright, James Tytler, 4 August 2023. Tags: cyber security, ransomware, cyber incident response, data breach, threat intelligence. The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our in...

SANS Internet Storm Center

Secureworks

The Secureworks Taegis XDR Tactic Graphs searches for telemetry that can identify the presence of malicious tools used to gain domain administrator access. Counter Threat Unit Research Team, August 1, 2023. Secureworks® Counter Threat Unit™ (CTU) periodically conducts purple team exercises called “research sprints” to understand and emulate modern attack techniques, evaluate Secureworks Taegis™ protections, and identify additional detection opportunities. Our work is informed by threat intelligence ...

Antonio Villalón at Security Art Work

August 2, 2023, by Antonio Villalón. Threat detection is carried out largely on the basis of indicators of compromise. These indicators are observables that we identify while handling an incident or during an investigation, that reach us from third parties in the form of intelligence feeds, that we download from platforms such as MISP, that we share among working groups… In short, we discover them, or they are discovered for us. But where do these indicators come from? From a...

Security Intelligence

The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Serv...

Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised crede...

SentinelOne

July 31, 2023 by Natacha Bakir. In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit their research to showcase their talents and bring their insights to a wider audience. In today’s guest post, researcher Natacha Bakir (Senthorus/Cefcys) digs into the destructive world of wipers: a special class of malware that has neither espionage nor financial gain in mind, but exists s...

August 1, 2023 by Tom Hegel. Since the start of 2023, brand impersonation has become the center of many questions we receive from everyday network defenders. While at the start of the year we reported on the heavy spike in malicious Google search ads, the activity continues to this day across many platforms, and does not get as much attention as it deserves. Additionally, while tracking more capable and often state-sponsored threat actors, we continually observe brands being impersonated for ...

SOCRadar

Sophos

New insights into how ransomware impacts this sector, including the frequency, root causes of attacks, and data recovery costs. Written by Puja Mahendru, August 01, 2023. Products & Services, Ransomware Solutions. Sophos has released The State of Ransomware in State and Local Government 2023, an insightful report based on a survey of 225 IT/cybersecurity professionals across 14 countries working in the state and local government sector. The findings reveal the reality of the ransomware challenge fac...

“CryptoRom” fake crypto-trading mobile apps pushed through AI-assisted romance scam, using ChatGPT to lure targets. Written by Jagadeesh Chandraiah, Sean Gallagher, August 02, 2023. Threat Research. Tags: Android, Apple App Store, ChatGPT, cryptocurrency, Cryptorom, featured, Google Play, iOS, Large Language Models, ShaZhuPan, Sophos X-Ops. Over the past two years, we have been tracking a variety of scams targeting mobile device users, generally referred to as “shā zhū pán” (杀猪盘, which translates as “butcher plate”...

SpecterOps

Stephen Hinck, published in Posts By SpecterOps Team Members, 5 min read, Aug 1. Summary: SpecterOps is pleased to announce BloodHound Community Edition (CE) will be available in early access on August 8, 2023! In this blog: BloodHound is now BloodHound CE; new name, slightly different look, same purpose and capability. BloodHound CE has new features and is based on the BloodHound Enterprise (BHE) code base. As a result, BloodHound CE will benefit from better support and more releases. In...

Will Schroeder, published in Posts By SpecterOps Team Members, 13 min read, Aug 2. In our previous post, we talked about the problem of structured data in the post-exploitation community. We touched on the existing relationship between our tools and data and covered some of the domain-specific challenges that come with offensive data collection. We ended with the question “If all of our offensive tools produced and worked with structured data, what would be possible?” This post shif...

Stephen Hinck, published in Posts By SpecterOps Team Members, 4 min read, Aug 3. Summary: The BloodHound code-convergence project brings some significant and long-desired feature enhancements to BloodHound Enterprise (BHE): Cypher search, including pre-built queries for AD and Azure; built-in support for offline data collection (i.e., control systems or acquisition use cases); expanded capabilities for pathfinding. BloodHound Enterprise customers will get access to these features on Monday, ...

Michael Clark at Sysdig

Third Eye intelligence

General Tips, Phishing, Threat Intelligence. Into the world of Phishing-as-a-Service Providers operating on Telegram targeting Australia. July 30, 2023. Welcome to the fascinating world of phishing as a service (PaaS) provider ecosystem in Australia, where cybercriminals have turned their malicious activities into a profitable business. In our ever-expanding digital frontier, cybersecurity threats are sprouting like dandelions in springtime. Phishing attacks – the cyber equivalent of thr...

Trustwave SpiderLabs

Radoslaw Zdonczyk, Jul 30, 2023. Intro: Since Redis is becoming increasingly popular around the world, we decided to investigate attacks on the Redis instance. We didn’t have to wait long for the first results of the Honeypot. The trap caught an activity about which the Western world does not he...

Pawel Knapczyk, Wojciech Cieslak, Aug 3, 2023. Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. T...

Alexandra Martin at VirusTotal

Actionable Threat Intel (V) - Autogenerated Livehu...

VMRay