Analysis Notes

A place to jot down notes from malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 38 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that articles worth checking can be skimmed quickly. The 4n6 digest itself can be found here.

THREAT INTELLIGENCE/HUNTING

Phill Moore, Zach Stanford, Suyash Tripathi and Yogesh Khatri at CyberCX

Adam Goss

Cyber Threat Intelligence with MISP: Part 1 — What is MISP? Cyber threat intelligence (CTI) is the art of gathering, analyzing, and understanding information about cyber security threats. It involves collecting data, transforming it into actionable intelligence, and distributing it to key stakeholders to improve your organization’s security posture. To do this effectively, you need a platform to store and analyze the intelligence you collect. You could ...

Allan Liska at ‘Ransomware Sommelier’

You. Are. The. Criminal. Dumbass. Thoughts on ALPHV/BlackCat's Reaction to Caesars and MGM Ransomware Attack. Allan Liska, Sep 15, 2023. This afternoon the operator of the ALPHV / BlackCat ransomware group posted a long, rambling update on the MGM ransomware attack. Similar to many of these ransomware manifestos this one is self-indulgent and...

Jeremy Fuchs at Avanan

Storm-0324 Threat Group Switches Phishing Tactics to Teams. Posted by Jeremy Fuchs on September 13, 2023. A stunning new development in the world of Teams phishing was announced by Microsoft. An initial access broker that has previously worked with ransomware groups is switching from email to Teams as their way into corporate networks. The group, known as Storm-0324, is a financially-motivated organization, and has worked with the Fin7 group, which is known for deploying Clop ransomware. Start...

Phishing via Adobe. Posted by Jeremy Fuchs on September 14, 2023. We’ve been talking about it week after week: hackers are using legitimate services for illegitimate means. Why is this increasing in popularity? It’s easy. Just sign up for any popular SaaS tool. It’s free. And the hackers are able to send it out with the legitimacy and reputation of these brands, making it nearly impossible for security services and end-users to decipher. We continue to see new services used. This is not an is...

Breaking Down PayPal BEC 3.0 Scams. Posted by Jeremy Fuchs on September 14, 2023. We've written a lot about how scammers are using PayPal for BEC 3.0 scams. This means that hackers are sending invoices directly from PayPal, not a spoofed site. That means it will sail past most security services and trick end-users. We put together a breakdown of what these scams look like in the real world...

Avertium

September 12, 2023. Executive summary: Monti ransomware, known for its versions on both Windows and Linux systems, grabbed the attention of cybersecurity experts in June 2022. The ransomware was noticed not only for its similar name to the notorious Conti ransomware but also for its use of similar tactics. Monti intentionally copied the tactics, techniques, and procedures (TTPs) of the Conti team. They even incorporated many of Conti's tools and took advantage of Conti's leaked source code. Sin...

Black Cell

In today’s dynamic digital landscape, relying solely on conventional security measures leaves organizations vulnerable to evolving threats. That’s where threat hunting comes in – a proactive approach to detect and thwart potential cyber threats before they escalate. This guide is tailor-made for IT enthusiasts, security analysts, and aspiring cybersecurity experts looking to master the art of threat hunting. It demystifies the concept, offering practical insights, methodologies, and best practic...

BushidoToken

September 15, 2023. The dozens of cybercriminals that made up the Conti group continue to launch campaigns unabated. Previously in 2022, I blogged about how following the Conti Leaks, the operators of Conti continued on via multiple rebranded ransomware campaigns, such as Royal, BlackBasta, and Quantum, among others. Since my last two blogs on the Conti/TrickBot gang, multiple members have been officially sanctioned by the US and UK governmen...

CERT-AGID

Vidar malware returns to threaten PEC mailboxes. 13/09/2023. Initial email: A new mass malware campaign, delivered through a series of previously compromised Posta Elettronica Certificata (PEC) accounts and aimed at other PEC addresses, was detected and countered today by CERT-AGID with the support of the PEC providers involved. As observed in July, the criminals' activity began shortly after midnight and lasted barely an hour. Specifically...

Summary of malicious campaigns in the week of 09 – 15 September 2023. 15/09/2023. This week, CERT-AgID detected and analysed, within the Italian landscape it monitors, a total of 31 malicious campaigns, 29 with Italian targets and 2 generic ones that nonetheless affected Italy, making the 240 indicators of compromise (IOCs) identified available to its accredited entities. Below we report the details of the types...

Check Point Research

Richard Bejtlich at Corelight

How Does the Kill Chain Apply to Network-Derived Evidence? September 12, 2023, by Richard Bejtlich. When Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin published their paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” in late 2010, they changed the way security personnel thought about defending their digital asset...

CTF导航

Part 75: Case analysis of the US APT supply-chain attack that penetrated Iran's air-gapped nuclear plant (Part 2). APT. Part 1 Foreword: Hello everyone, I am ABC_123. In the previous article, "Part 74: A Full Review of the US APT Cyberattack That Destroyed Iran's Nuclear Facilities (Stuxnet, Part 1)", I described in detail how the US APT group destroyed the Iranian nuclear facility through a cyberattack, with emphasis on the preparatory work the US NSA had done beforehand. Most readers have long believed that Stuxnet was introduced by an agent plugging an infected USB drive into the facility's internal network, but this account is not accurate: later versions of Stuxnet achieved automated intrusion into the completely air-gapped ICS network of the Iranian nuclear facility. This sounds incredible: how could a virus automatically breach a national-level air gap? Yet the US APT group did carry out this operation, and the method they used is precisely what is now the main approach for hard targets in domestic attack-and-defense competitions: the supply-chain attack. Part 2 Supply-chain attack approach. Background of the supply-chain attack: Early on, the US government, through an agent recruited via the Netherlands, successfully brought a USB drive containing Stuxnet version 0.500 into the ICS network of Iran's Natanz nuclear plant and plugged it into key hosts of the industrial control system, damaging a batch of centrifuges. Later it became increasingly difficult for agents to enter the facility, and after President Obama took office, the US government asked the NSA to modify the virus code...

A twisting Exchange exploitation story - ProxyMaybeShell. Penetration techniques. Over the past two years Exchange has produced high-severity vulnerabilities every so often; they fall broadly into two categories: security issues caused by SSRF, and back-end deserialization vulnerabilities. Well-known examples include CVE-2021-34473 (ProxyShell) and CVE-2022-41040 (ProxyNotShell). This article reproduces a fairly complex Exchange exploitation that requires the attacker to have a deep understanding of historical Exchange vulnerabilities to complete end to end. The accompanying environment is now live on xBitsPlatform under the name ProxyMaybeShell as a public challenge worth 400 points. Prerequisites: Problems caused by Exchange SSRF; SSRF with a controllable Host; CVE-2018-8581: SSRF leading to reading any user's mail //evi1cg.me/archives/CVE_2018_8581.html; SSRF combined with NTLM relay to attack the DC directly //evi1cg.me/archives/Exchang...

Cyfirma

Published On: 2023-09-14. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Introduction: CYFIRMA Research and Advisory Team has found ransomware known as Xollam while monitoring various underground forums as part of our Threa...

Elliptic

Elliptic Research 15 September, 2023 The elite North Korean hacking group Lazarus appears to have recently ramped up its operations, conducting a confirmed four attacks against crypto entities since June 3rd. Now, they are suspected of carrying out a fifth attack, this time targeting CoinEx on September 12. In response to this, CoinEx have released several tweets indicating that suspicious wallet addresses are still being identified, and therefore the total value of stolen funds is not yet known...

Expel

Security operations, Brady Stouffer, Sep 13, 2023. The EventCode 39 case: some of the best threats we see arrive courtesy of clever red teams. In this story, we unravel an attack on Active Directory and how we countered it with two new detections. Recently, a customer encountered a red team operation which included attacks against Active Directory (AD). More specifically, they exploited vulnerable configurations in AD Certificate Services (AD CS). While there were over ...

Security operations, Dave Johnson, Sep 14, 2023. Logs are a necessary and useful component in any cybersecurity practice, but when and how you use them can significantly change your security outcomes. 🎵JavaScript… snap… snap… JavaScript… snap… snap… JavaScript… snap… snap… JavaScript… snap… snap… You put the malware into my hosts. You make my alerts sky-high, when the campaign starts. JavaScript into my RAM (yeah yeah). Goes a knock knock knock til my agents fail. But some...

Malcolm Heath at F5 Labs


Anshu Bansal, Rakshit Awasthi, Ashutosh Venkatrao More at Falco


Justin Timothy at GuidePoint Security

Hornet Security

by Security Lab | Sep 11, 2023 | Threat Research. Introduction: Hornetsecurity's Monthly Threat Report gives you insights into the security trends of MS365, threat-related emails, and commentary on current events in cybersecurity. This edition focuses on the data for the month of August. Summary: Our data reflects a slight decline in threats for the reporting period under review. HTML files remain unchanged as the...

Joe Slowik at Huntress

On September 10, 2023, MGM Resorts and gambling operations in Las Vegas faced widespread disruption and loss of IT functionality. The action was subsequently linked to an entity referred to as “Scattered Spider,” an increasingly brazen and troublesome criminal threat actor. More significantly, subsequent reporting after the MGM incident revealed that another Las Vegas casino and hotel entity, Caesars Entertainment...

Intel471

Sep 15, 2023. The deployment of file-encrypting ransomware by organized cybercriminal gangs is one of the largest cybersecurity risks facing organizations. A network breach that culminates with a ransomware infection often starts with an infection with a type of malware called a loader. This malware acts as a foothold into an organization’s network and is subsequently used to install other payloads such as malware or tools. Bumblebee is a type of loader that has increasingly been used by threat...

KELA Cyber Threat Intelligence

KELA Cyber Intelligence Center. In August 2023, KELA encountered several critical vulnerabilities that raised significant interest within the cybercrime underground: CVE-2023-3519 (Citrix ADC and NetScaler Gateway), CVE-2023-27997 (Fortigate), CVE-2023-34124 (SonicWall), CVE-2022-24834 (Redis). This report highlights the details of each vulnerability, their implications, and recommendations for mitigation. In addition to known vulnerabilities, threat actors are always looking to buy 0-day vulnerabilitie...

KELA Cyber Intelligence Center. In recent years, the automotive industry has been undergoing a rapid transformation of digitalization. As new technologies become increasingly prominent in the automotive sector, they open the door to a wide range of cyber threats and high interest from cybercriminals to attack automotive companies. The automotive industry includes a wide range of stakeholders. Beyond the big original equipment manufacturers (OEMs) that manufacture the cars, there are also Tier 1 a...

Malwarebytes Labs

Posted: September 12, 2023 by Threat Intelligence Team Ransomware news in August was highlighted by the sudden fall of CL0P from the list of the monthly most active gangs, while Lockbit returned to the number one spot. This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim did not pay a ransom. This provides the best overall...

Posted: September 13, 2023 by Jérôme Segura Corporate users performing Google searches for the popular conferencing software Webex are being targeted in a malvertising campaign. A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search. We are releasing this blog to warn users about this threat as the malicious ...

Mandiant

Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Mandiant Intelligence, Sep 14, 2023 (last updated Sep 15, 2023). UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC394...

Microsoft Security


Roman Daszczyszak, Steve Luke, and Ross Weisman at MITRE-Engenuity

Summiting the Pyramid: Level Up Your Analytics. Published in MITRE-Engenuity. Written by Roman Daszczyszak, Steve Luke, and Ross Weisman. The Pyramid of Pain introduced the world to the idea that if defenders focused on identifying and detecting adversary tactics, techniques, and procedures (TTPs), it would be harder for adversaries to evade detection. The higher up the Pyramid a defender can detect, the greater the cost imposed on the adversary. The P...

Nextron Systems

by Jonathan Peters | Sep 15, 2023 | Nextron. In the last weeks, we observed an increase in .NET based malware using DLL sideloading. A prominent example is JanelaRAT, a recent campaign targeting Latin American FinTech users. Their initial attack involves a phishing email, mainly in Portuguese. The user is tricked into running a Visual Basic script, which then downloads the legitimate app used for sideloading and the payload posing as a legitimate DLL file. In the JanelaRAT cases, we looke...

Givan Kolster at Falcon Force

Red teaming Leg ups: helping hand or red team failure? September 11, 2023 Givan Kolster Red teaming exercises are an excellent means to identify gaps in the security controls and test the detection and response capabilities of an organization. Being able to simulate an advanced attacker and breach an organization and compromise live, production systems gives me a thrill every time and provides great learning opportunities for our clients. Performing such exercises comes with risks. And therefore...

Palo Alto Networks

By Unit 42, September 14, 2023. Category: Reports. Introduction: It’s challenging to ensure proper protection for your organization in an ever-changing, vulnerable environment. In our survey of over 250 organizations, we found that 80% of security exposures are found in cloud environments and 20% of cloud servic...

Riccardo Ancarani at ‘Red Team Adventures’

Attacking an EDR - Part 2. For less fun but even more profit. Posted on September 14, 2023. Introduction - Where we left off. DISCLAIMER: This post was done in collaboration with Devid Lana. You can find his blog here: her0ness - Attacking an EDR Part 2. Continuing from our last research, we pursued the exploration of the attack surface of the EDR solution under our scrutiny, STRANGETRINITY. Last time we focused on identifying exclusions within the EDR’s configuration that allowed us to perform action...

SANS Internet Storm Center

Securelist

SOC, TI and IR posts, 11 Sep 2023. Table of contents: Introduction; Cuba ransomware gang; Victimology; Ransomware; Cuba extortion model; Arsenal; Profits; Investigation of a Cuba-related incident and analysis of the malware; Host: SRV_STORAGE; Bughatch; SRV_Service host; Veeamp; Avast Anti-Rootkit driver; Burntcigar; SRV_MAIL host (Exchange server); SqlDbAdmin; Cobalt Strike; New malware; BYOVD (Bring Your Own Vulnerable Driver); Conclusion; Appendix. Authors: Alexander Kirichenko, Gleb Ivanov. Introduction: Knowledge is our best ...

Research, 12 Sep 2023. Table of contents: A malicious Debian repository; A DNS-based backdoor; A Bash stealer; Mystery of the infection vector; An unexpected redirection; Origins of the backdoor; Why wasn’t the malicious package discovered earlier?; Indicators of Compromise. Authors: Georgy Kucherin, Leonid Bezvershenko. UPDATE 13.09.2023: Free Download Manager team issued an official statement regarding this incident. Over the last few years, Linux machines have become a more and more prominent target f...

Industrial threats, 13 Sep 2023. Table of contents: Global threat statistics; Geography; Individual industries; Categories of malicious objects; Main threat sources. Authors: Kaspersky ICS CERT. Global threat statistics: In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%. [Figure: Percentage of ICS computers on which malicious objects were blocked, by half year] That said, the percentage of attacked ICS computers drop...

Sekoia

Yossi Rachman at Semperis

SentinelOne

macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks. September 11, 2023, by Phil Stokes. This year has seen an explosion of infostealers targeting the macOS platform. Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst). Over the last few months, we have also been tracking a family of macOS infostealers we call ‘MetaStealer’. Last week, Apple dropped a new signature ...

Sep 2023 Cybercrime Update | New Ransomware Threats and the Rising Menace of Telegram. September 13, 2023, by Jim Walter. In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. From the burgeoning market of bypass services to the alarming criminal activities on Telegram, we provide an update on cybercriminal activity to help defenders, SOC Teams and security leaders stay abreast of the latest developments and fortify their defenses in...

Ready, Set, Turla | Everything You Need to Know Before the MITRE ATT&CK® 2023 Evaluations. September 14, 2023, by Tim Woolford. The cybersecurity industry is awaiting the highly anticipated MITRE ATT&CK® Evaluations for 2023, expected to be published next week. In this comprehensive post, we provide all the essential knowledge needed to derive maximum value from the forthcoming test results. Our journey through MITRE’s evaluations begins with exploring why MITRE embarked on this testing journey...

Simone Kraus

Summiting the Pyramid — A new Dimension of “Cyber Analytics Engineering”. Example: Wiper and Driver - DriveSlayer (Hermetic Wiper). With great pleasure I officially received the CTID newsletter yesterday about their latest project Summiting the Pyramid. And again you see how important the structured approach in analysis is in order to be able to react rapidly to cyber attacks via detected indicators in the sense of Threat Informed Defense by using...

Snyk

Written by: Najia Gul, September 11, 2023. Web cache poisoning is a cyber attack that wreaks havoc on unsuspecting websites. It exploits vulnerabilities in the caching mechanisms that web servers, proxies, and content delivery networks (CDNs) use, compromising data integrity. Malicious actors can use cache poisoning to deliver malicious payloads, tamper with sensitive information, or redirect users to fraudulent websites. In this article, we’ll comprehensively explore web cache poisoning atta...
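The mechanism behind the Snyk excerpt above, as an added example that is not code from the article or from Snyk: a cache keys responses on (Host, path) while the origin builds an absolute URL from a header the cache never looks at, so the first requester decides what everyone else receives. The toy origin, the in-process cache, the X-Forwarded-Host reflection and the hostnames example.com / evil.example are all assumptions chosen for the demonstration; the hardened origin and the alternative cache key show the two usual fixes (never reflect unkeyed input; or make the input part of the key / strip it at the edge).

```python
"""Web cache poisoning via an unkeyed request header, simulated in-process.

Added example, not code from the Snyk article. Assumptions (not from the
page): a toy origin that builds an absolute <script> URL from the
X-Forwarded-Host header, a toy cache keyed on (Host, path) the way many
CDNs key by default, and the hostnames example.com / evil.example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed canonical hosts


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return default


Origin = Callable[[Request], str]
KeyFn = Callable[[Request], Tuple[str, ...]]


def vulnerable_origin(req: Request) -> str:
    """Reflects X-Forwarded-Host into the page. The cache never looks at that
    header, so whatever the first requester sends is served to everyone."""
    host = req.header("X-Forwarded-Host") or req.header("Host")
    return f'<script src="https://{host}/static/app.js"></script>'


def hardened_origin(req: Request) -> str:
    """Ignores forwarded-host headers and allowlists Host, so attacker input
    never reaches the cached body."""
    host = req.header("Host")
    if host not in ALLOWED_HOSTS:
        host = "example.com"
    return f'<script src="https://{host}/static/app.js"></script>'


def default_key(req: Request) -> Tuple[str, ...]:
    """Typical CDN default: cache on Host and path only."""
    return (req.header("Host"), req.path)


def key_with_forwarded_host(req: Request) -> Tuple[str, ...]:
    """Edge-side mitigation: include the header in the key (or strip it at the
    edge). A poisoned entry is then only ever served back to the attacker."""
    return (req.header("Host"), req.path, req.header("X-Forwarded-Host"))


class Cache:
    """Minimal shared cache in front of an origin."""

    def __init__(self, origin: Origin, key_fn: KeyFn) -> None:
        self.origin = origin
        self.key_fn = key_fn
        self.store: Dict[Tuple[str, ...], str] = {}

    def fetch(self, req: Request) -> Tuple[str, bool]:
        """Returns (body, cache_hit)."""
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key], True
        body = self.origin(req)
        self.store[key] = body
        return body, False


def poison_then_victim(origin: Origin, key_fn: KeyFn) -> Tuple[str, bool]:
    """Attacker primes the cache with a crafted header; an unrelated victim
    then requests the same path. Returns the victim's (body, cache_hit)."""
    cache = Cache(origin, key_fn)
    attacker = Request("/", {"Host": "example.com",
                             "X-Forwarded-Host": "evil.example"})
    cache.fetch(attacker)
    victim = Request("/", {"Host": "example.com"})
    return cache.fetch(victim)


if __name__ == "__main__":
    scenarios = [
        ("vulnerable origin, default key", vulnerable_origin, default_key),
        ("hardened origin, default key", hardened_origin, default_key),
        ("vulnerable origin, header in key", vulnerable_origin, key_with_forwarded_host),
    ]
    for label, origin, key_fn in scenarios:
        body, hit = poison_then_victim(origin, key_fn)
        print(f"{label}: cache_hit={hit} poisoned={'evil.example' in body}")
```

Only the first scenario hands the victim a script tag pointing at the attacker's host from a cache hit; fixing either side (origin or cache key) is enough to break the attack, but the origin-side fix is the one that also protects users behind caches you do not control.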

Yağmur Ernalbant at SOCRadar

Sophos


Ryan Fetterman at Splunk

By Ryan Fetterman, September 12, 2023. Advanced threats often require advanced methods, and advanced methods can require more analysis and development time. However, detecting these behaviors — like the use of dictionary-based Domain Generation Algorithms (DGA) — can result in high-impact findings like the discovery of active malware communication. In these cases, investing the resources to enable hunting high-impact threats is a worthwhile effort. In a previous post, we outlined an advance...
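One concrete way to hunt the behaviour the Splunk excerpt names, as an added example that is not code from the article or from Splunk: dictionary-based DGAs concatenate words from a list, so a registered label that segments cleanly into several dictionary words is a candidate, and a host that queries many such candidates that all return NXDOMAIN is the stronger signal. The small word list, the "src_ip domain rcode" log format and the sample log lines are constructed for the example; a real hunt would use a full dictionary (or the family's recovered word list), the Public Suffix List, and the organisation's own DNS schema.

```python
"""Hunting heuristic for dictionary-based DGA domains in DNS logs.

Added example, not code from the Splunk article. Assumptions (not from the
page): a small constructed word list stands in for a real dictionary or a
DGA family's recovered word list, and DNS logs are in a simple
"src_ip domain rcode" text format.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for a real dictionary.
WORDLIST: Set[str] = {
    "storm", "candle", "river", "mountain", "silver", "paper", "window",
    "garden", "forest", "shadow", "winter", "bridge", "face", "book",
    "micro", "soft", "green", "light", "table", "stone",
}


def segment(label: str, words: Set[str], max_word: int = 12) -> Optional[List[str]]:
    """Split `label` entirely into dictionary words using the fewest words
    (dynamic programming over end positions). None if no full split exists."""
    n = len(label)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(max(0, end - max_word), end):
            prefix = best[start]
            if prefix is not None and label[start:end] in words:
                candidate = prefix + [label[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def registered_label(domain: str) -> str:
    """Label left of the TLD. Toy version that assumes a one-label suffix;
    real code should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dictionary_dga(domain: str, words: Set[str] = WORDLIST,
                         min_len: int = 10, min_words: int = 2) -> bool:
    """Per-domain heuristic: a long, purely alphabetic label fully composed of
    two or more dictionary words. Noisy on its own (brand names such as
    face+book fit the pattern), hence the per-source aggregation in hunt()."""
    label = registered_label(domain)
    if len(label) < min_len or not label.isalpha():
        return False
    parts = segment(label, words)
    return parts is not None and len(parts) >= min_words


def hunt(log_lines: Iterable[str], threshold: int = 5) -> Dict[str, List[str]]:
    """Return {src_ip: domains} for sources that queried at least `threshold`
    distinct dictionary-composed domains that came back NXDOMAIN. DGA clients
    cycle through many candidates and most are unregistered, so the NXDOMAIN
    burst is a stronger signal than any single domain."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, domain, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_dictionary_dga(domain):
            hits[src].add(domain.lower())
    return {src: sorted(d) for src, d in hits.items() if len(d) >= threshold}


# Constructed sample log (not real traffic): one host cycling through
# dictionary-composed NXDOMAINs, one host doing ordinary browsing.
SAMPLE_LOG = """\
# src_ip domain rcode
10.0.0.5 stormcandle.com NXDOMAIN
10.0.0.5 riversilver.net NXDOMAIN
10.0.0.5 papergardenwindow.org NXDOMAIN
10.0.0.5 forestshadow.com NXDOMAIN
10.0.0.5 wintermountain.com NXDOMAIN
10.0.0.5 stonebridge.com NOERROR
10.0.0.5 greenlightstone.com NXDOMAIN
10.0.0.9 facebook.com NOERROR
10.0.0.9 microsoft.com NOERROR
10.0.0.9 gogle.com NXDOMAIN
10.0.0.9 tablestone.org NXDOMAIN
"""

if __name__ == "__main__":
    for src, domains in hunt(SAMPLE_LOG.splitlines()).items():
        print(src, len(domains), ", ".join(domains))
```

On the sample log only 10.0.0.5 crosses the threshold; 10.0.0.9's single dictionary-looking NXDOMAIN (tablestone.org) is exactly the kind of isolated match that aggregation is meant to suppress. Tune `min_len`, `min_words` and `threshold` against your own baseline before alerting on this.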

Symantec Enterprise

National grid in Asia compromised by attackers using ShadowPad Trojan. Espionage actors are continuing to mount attacks on critical national infrastructure (CNI) targets, a trend that has become a source of concern for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team has found evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers manag...

Attackers resorted to new ransomware after deployment of LockBit was blocked on targeted network. A new ransomware family calling itself 3AM has emerged. To date, the ransomware has only been used in a limited fashion. Symantec’s Threat Hunter Team, part of Broadcom, has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked. 3AM is written in Rust and appears to be a completely new malware ...

Adam Burgher at WeLiveSecurity

ESET Research uncovers the Sponsoring Access campaign, which utilizes an undocumented Ballistic Bobcat backdoor we have named Sponsor. Adam Burgher, 11 Sep 2023. ESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a novel backdoor we have named Sponsor. We discovered Sponsor after we analyzed an interesting sample we detected on a victim’s system in Israel in May 2022 and scoped the victim-set by ...