Analysis Notes

A place to jot down notes from analyzing malware and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 44 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be zapped through quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

1Password

Adam at Hexacorn

Posted on 2023-10-25 by adam Over the years I have made a lot of attempts to systematically extract Windows API information from various sources, but primarily, of course, from Microsoft help documentation available at different times, in different forms and file formats. If you need to ask… I really needed an ‘actionable’ dump of these for my API monitor, and I also wanted to have it all available for quick & dirty reference, for both coding and reversing purposes. Plus, as I will explain later...

Posted on 2023-10-27 by adam Okay, okay, yup, it is a series now. Part two is here! Browsing available Ubuntu apps one can find a lot of interesting software. One of them is kchmviewer. Its purpose is to view CHM files – outdated, but still relevant Windows Help files. Interestingly, one can set up an alternative program to View HTML in this program: Once this is set up, when you open a CHM file on an Ubuntu OS and hit View HTML button: your program of choice will be executed (but it may not be ...

Posted on 2023-10-28 by adam Update After I posted it, @netspooky pinged me with some additional info. Apparently, this technique is known since at least 2019 and was demoed by @zer0pwn first. This blog post from MCG describes various offensive techniques focused on .desktop and .directory files. Old Post This entry is a courtesy of Stephan, who has discovered that .desktop files can be used for persistence as well. Apparently, an ElectroRAT malware is already using this trick in the wild as wel...

Adam Goss

Adam Goss, published in InfoSec Write-ups, 9 min read, 6 days ago. Cyber threat intelligence (CTI) involves gathering, analyzing, and understanding information about cyber security threats. To do this effectively, you need to use a CTI aggregator to harness the power of automation and strive to achieve the single pane of glass principle of cyber security architecture. This article will teach you what a CTI aggregator is, why you need one, and how to create your own for free! You will see h...

Any.Run

October 26, 2023, 6 min read. Analyst Training: What is Cyber Threat Intelligence. Cyber Threat Intelligence (CTI) — often referred to as “Threat Intelligence” or “Threat Intel” — is the practice of gathering and analyzing d...

Arch Cloud Labs

About The Project: Modern software development environments have significant debugging capabilities to troubleshoot issues with the complex nature of modern software. These debugging capabilities typically manifest in an Interactive Development Environment (IDE) as features that extend an IDE's capability to examine the given state of an application at run time or analyze previous binary executions. The standalone GNU Debugger (gdb) is integrated in a wide variety of IDEs and other 3rd party (1,2,3)...

Ash Shatrieh at F-Secure

Ash Shatrieh, 26.10.23, 6 min. read. Tags: Gatekeeper, infostealers, MacOS, Malware. Within the realm of cybersecurity, macOS has held a reputation as a fortress, offering robust protection against malicious attacks. Nevertheless, recent developments have dealt a blow to this perception, with the emergence of infostealers posing an escalating threat to Apple’s ecosystem. Despite Apple’s continuous efforts to bolster security through various features, no operating system is entirely immune to vulner...

Nick Desler at AttackIQ

Ax Sharma at BleepingComputer

BlueteamOps

Detecting ‘Dev Tunnels’. BlueteamOps, 5 min read, 5 days ago. DevOps teams leverage tools such as Cloudflared and ngrok to make local services (i.e. an internal web application) accessible from the public internet using secure HTTP connections. This avoids the need to create special firewall rules, as HTTPS traffic is usually allowed on most networks. Microsoft recently launched Dev tunnels for developers. It allows tunnelling of multiple different po...

Brad Duncan at Malware Traffic Analysis

2023-10-23 (MONDAY) - 404 TDS CHAIN LEADS TO ASYNC RAT VARIANT. REFERENCE: //www.linkedin.com/posts/unit42_404tds-asyncrat-async-activity-7122945665868984320-W5U3 //twitter.com/Unit42_Intel/status/1717179793966268785 ASSOCIATED FILES: 2023-10-23-IOCs-from-404TDS-Async-RAT-infection.txt.zip 1.5 kB (1,613 bytes); 2023-10-23-404TDS-Async-RAT-infection-traffic.pcap.zip 17.4 MB (17,448,283 bytes); 2023-10-23-Async-RAT-variant-malware-and-artifacts.zip 640 kB (640,557 bytes)...

2023-10-18 (WEDNESDAY) - ICEDID FORKED VARIANT WITH BACKCONNECT, ANUBIS VNC, COBALT STRIKE & SCREENCONNECT. REFERENCE: //www.linkedin.com/posts/unit42_icedid-backconnect-anubisvnc-activity-7121114100046168064-TDqK //twitter.com/Unit42_Intel/status/1715348477809402118 ASSOCIATED FILES: 2023-10-18-IOCs-from-IcedID-forked-variant-with-VNC-and-Cobalt-Strike.txt.zip 2.3 kB (2,288 bytes); 2023-10-18-IcedID-forked-variant-infection-with-follow-up-activity.pcap.zip 11.5 MB (11,487,843 bytes); 2023-10-18-Ic...

2023-10-25 (WEDNESDAY) - DARKGATE INFECTION FROM MALSPAM. REFERENCE: //www.linkedin.com/posts/unit42_darkgate-timelythreatintel-wireshark-activity-7123453508560797697--dJn //twitter.com/Unit42_Intel/status/1717687387025809465 ASSOCIATED FILES: 2023-10-25-IOCs-from-DarkGate-activity.txt.zip 2.4 kB (2,400 bytes); 2023-10-25-DarkGate-malspam-3-examples.zip 151 kB (151,387 bytes); 2023-10-25-DarkGate-PDF-attachments-3-examples.zip 398 kB (398,378 bytes); 2023-10-25-DarkGate-infection-traffic.pcap.zip 8....

CERT-AGID

Analysis of a StrRat campaign delivered in Italy. 23/10/2023, StrRat. E-mail with a spoofed sender: About four months have passed since the last StrRat campaign observed in Italy. The e-mail circulating today is written in English but appears to come from a well-known Italian company that designs industrial machinery and is based in Brescia. Naturally the sender is spoofed and the content of the e-mail is artfully crafted. A game of Base64: The file attached to the e-mail...

Summary of malicious campaigns in the week of 21 – 27 October 2023. 27/10/2023, summary. This week CERT-AgID detected and analyzed, in the Italian scenario within its remit, a total of 33 malicious campaigns, 31 aimed at Italian targets and 2 generic ones that nonetheless affected Italy, making the related 197 indicators of compromise (IOC) it identified available to its accredited entities. Below we report the details of the types...

Check Point

Security, October 25, 2023. A Continuing Cyber-Storm with Increasing Ransomware Threats and a Surge in Healthcare and APAC region. By Check Point Research. Highlights: The first 3 quarters of 2023 have witnessed a 3% uptick in average weekly ...

CISA

Release Date: October 27, 2023. Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free. CISA’s version reimagines technology developed by the United Kingdom’s National Cyber Security Centre (NCSC), making it available to a wider audience. Log management makes systems more secure. Until now, it has been a heavy lift for many targeted organizations, especially ...

Cisco’s Talos

By Nicole Hoffman Tuesday, October 24, 2023 08:10 Talos IR trends Quarterly threat report: Telecommunications and education are most-targeted verticals There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30...

By Asheer Malhotra, Vitor Ventura. Wednesday, October 25, 2023 08:10. Threats, Threat Spotlight, SecureX. Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian. The actor also appears to have a defensive interest in the website of the Kazakhstani state-owned email service and has rarely targeted Kazakh entities. YoroTr...

By Jonathan Munshaw Thursday, October 26, 2023 14:10 Threat Source newsletter Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-sos house sold for X million dollars. But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. I saw several media outlets had reported on a new estimate fr...

Cloudflare

October 23, 2023 2:32PM. Omer Yoachimik, Jorge Pacheco. 5 min read. This post is also available in Deutsch, Français, עברית and عربي. On October 7, 2023, at 03:30 GMT (06:30 AM local time), Hamas attacked Israeli cities and fired thousands of rockets toward populous locations in southern and central Israel, including Tel Aviv and Jerusalem. Air raid sirens began sounding, instructing civilians to take cover. Approximately twelve minutes later, Cloudflare systems automatically detected and ...

October 26, 2023 2:20PM. Kenny Johnson. 5 min read. On Wednesday, October 18th, 2023, Cloudflare’s Security Incident Response Team (SIRT) discovered an attack on our systems that originated from an authentication token stolen from one of Okta’s support systems. No Cloudflare customer information or systems were impacted by the incident, thanks to the real-time detection and rapid action of our Security Incident Response Team (SIRT) in tandem with our Zero Trust security posture and use o...

October 26, 2023 2:00PM. Omer Yoachimik, Jorge Pacheco. 15 min read. This post is also available in Deutsch, Español and Français. Welcome to the third DDoS threat report of 2023. DDoS attacks, or distributed denial-of-service attacks, are a type of cyber attack that aims to disrupt websites (and other types of Internet properties) to make them unavailable for legitimate users by overwhelming them with more traffic than they can handle — similar to a driver stuck in a traffic jam on the w...

Felix Aeppli at Compass Security

October 24, 2023 / Felix Aeppli / 0 Comments Device code phishing is nothing new. In fact it has been around for some years now. There are many good resources that explain the phishing attack in great detail: //aadinternals.com/post/phishing/ //0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html There are also a number of tools available to facilitate device code phishing attempts and the subsequent misuse of the gained access and refresh tokens: //github.com/secureworks/squarephish //github.com/rvr...

Michael Steele at Confiant

Michael Steele, published in Confiant, 12 min read, 3 days ago. Recently, I was involved in publishing Confiant’s ScamClub: Threat Report Q1-Q2 2023. During our investigation into this malvertising threat, we found ScamClub utilizing RTB integration with ad exchanges to push bid responses upstream to forcefully redirect the victim’s browser from the publisher site, to their landing pages containing scams. These scams are meant to entice victims into continuing to sites that ScamClub...

Simon Miteff at Corelight

Writing a Zeek package in TypeScript with ZeekJS. October 26, 2023 by Simon Miteff. Zeek® is the world’s most widely used network security monitoring platform and is the foundation for Corelight network evidence. In this blog I share how to write a Zeek package in TypeScript with a new capability called ZeekJS that was released as part of Zeek 6.0. Packages enable security teams to extend Zeek’s network s...

Arfan Sharif at CrowdStrike

October 10, 2023 Arfan Sharif Observability & Log Management Tech Center All web traffic flowing out of your company network should be passing through a web proxy. These proxy logs are a great resource for threat hunting and security investigations, yet they often translate into extremely large volumes of data. In a previous blog post, we shared the value of proxy logs in addressing a range of use cases, including hunting for threats, investigating access to unknown domains and phishing sites, s...

CTF导航

Cyfirma

Published On : 2023-10-26 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Targeted Geography: Austria, Australia, China, France, Netherlands, United Kingdom, United States. Targeted Industries: Business Services, Constructi...

Darrel Lang at Bridewell

An Encounter with DarkGate: Phishing's Next Vector. TeamsPhisher is a phishing tool that allows threat actors to send you messages within Microsoft Teams while posing as a member of your organisation. These typically contain phishing links or executable files that the message will encourage you to open. In this case, the executable file was the DarkGate Loader malware. TeamsPhisher is a tool we have raised a...

Sam Hanson at Dragos

Sam Hanson. Research, Threats. This is the second posting in our two-part blog series on PIPEDREAM’s OPC UA Module, MOUSEHOLE. To view our first blog in this series, see: Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE. In April of 2022, Dragos published a whitepaper and hosted a webinar to alert and inform the industrial cybersecurity community of a sophisticated new malware, PIPEDREAM, the seventh known industrial control systems (ICS)-specific ma...

EclecticIQ

This issue of the Analyst Prompt addresses a Cisco IOS XE Web UI privilege escalation vulnerability, cyberattacks from the Sandworm threat actor targeting the Ukrainian telecom industry, and exploitation details about unpatched WS_FTP Servers used for ransomware delivery. Arda Büyükkaya – October 25, 2023. Cisco IOS XE Software Web UI Privilege Escalation Vulnerability Exploited in the Wild: On October 16, 2023, Cisco warned of a critical severity (base score 10) privilege escalation vulnerability tracked as...

Eric Capuano

Threat Hunting with Velociraptor - Long Tail Analysis Lab (blog.ecapuano.com). Leverage "rarity" in Velociraptor hunts to identify outliers with a hands-on lab using data generated from 10 systems, one of which is compromised. Eric Capuano, Oct 28, 2023. Paid. This post is for paid subscribers...

Esentire

BY eSentire Threat Response Unit (TRU). October 17, 2023 | 7 MINS READ. Attacks/Breaches, Threat Intelligence, Threat Response Unit, TRU Positive/Bulletin. IN THIS POST: What did we find? DadSec PhaaS; Evilginx Showcase; What did we do? What can you learn from this TRU positive? Recommendations from our Threat Response Unit (TRU) Team; Indicators of Compromise; References. Adversaries don’t work 9-5 and neither do we. At eSentire, our...

BY eSentire Threat Response Unit (TRU). October 17, 2023 | 5 MINS READ. Attacks/Breaches, Threat Intelligence, Threat Response Unit, TRU Positive/Bulletin. IN THIS POST: What did we find? What did we do? What can you learn from this TRU positive? Recommendations from our Threat Response Unit (TRU) Team; Indicators of Compromise. Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat H...

Flashpoint

Data, insights, and analysis on the most impactful events and threats that took place between July 1, 2023 and September 30, 2023—from vulnerabilities and ransomware to data breaches and insider threat. Flashpoint Intel Team, October 24, 2023. Flashpoint’s Cyber Threat Intelligence Index: Q3 2023 Edition. A deeper look into vulnerabilities, malware, ransomware, and insider threat ...

Fortra’s PhishLabs

Q3 Payload Report. By Jessica Ellis | October 26, 2023. QBot, the leading payload family in Q3, was disrupted as part of a coordinated, multinational operation led by the FBI on August 29, 2023. This resulted in the removal of 700,000 QBot payloads from infected devices across the globe, and interrupted the activity of one of the most active malware families since the former juggernaut Emotet, which was disrupted in 2021. While QBot led all other payload volume in...

Parth Gol at FourCore

Written by Parth Gol, Security Engineer @ FourCore. Password Managers have seen rapid adoption by organisations as they provide a safe space to store and access your passwords. Native password managers such as Chrome and Edge Password managers offer users a convenient way of creating secure passwords for different sites without the hassle of remembering each password. As the usage of similar passwords across websites goes down, threat actors have adopted and have now begun to target these password ...

GreyNoise

CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm. boB Rudis, October 26, 2023. Citrix's NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967. On October 23, 2023, GreyNoise Detection Engineers added tag coverage for CVE-2023-4966, which is an information disclosure vulnerability in NetScaler ADC and NetScaler Gateway. When configured as a gateway (VPN virtua...

Haircutfish

TryHackMe Wireshark: Traffic Analysis — Task 3 ARP Poisoning & Man In The Middle and Task 4 Identifying Hosts: DHCP, NetBIOS and Kerberos. Haircutfish, 20 min read, 2 days ago. If you haven’t done tasks 1 and 2 yet, here is the link to my write-up of them: Task 1 Introduction & Task 2 Nmap Scans. Getting the VM Started: Starting at Task 1, you will see the green Start Machine button. Click this button to get the VM started. Scroll to the top where the banner is. On the right side of the p...

Alison Rusk at INKY

Posted by Alison Rusk Hollywood’s writers and actors have been feeling the financial pinch since both groups went on strike back in July. After five long months, Hollywood writers have finally returned to work, but the only actors who have been bringing home a paycheck are the bad actors. That’s right. Bad actors – also known as cybercriminals and phishers – are impersonating some of the more popular streaming services in an attempt to tap into what is poised to be a $330 billion industry.1 Let’...

Miguel B at Intel Optics

Sep 7 Written By Miguel B The Capability Maturity for Cyber Threat Intelligence (CM-CTI) model is a framework for assessing how developed a CTI team is. It was inspired by the Capability Maturity Model Integration (CMMI): “A process level improvement training and appraisal program administered by the CMMI Institute, a subsidiary of ISACA. It was developed at Carnegie Mellon University (CMU) and is required by many US Government contracts, especially in software development. CMMI is used to guide...

J Schell

Tool List README.md. Remote Management Monitoring tools: Remote Monitoring and Management (RMM) software programs and services are often used by Enterprise and SMB IT to provide management and monitoring of remote endpoints. Attackers have also begun to abuse these programs and services as a means to maintain persistence or provide fallback command and control channels. A number of threat groups with varied and diverse goals have been observed using RMM products to achieve missions of espionage, da...

John F

Advice For Catching a RedLine Stealer. John F, 10 min read, 6 days ago. RedLine Stealer is an infamous malware strain that provides cyber-criminals with a reliable payload for stealing sensitive information from an infected computer. Both MalwareBazaar statistics and ANY.RUN trends consistently track RedLine as the most common payload on their platforms. RedLine Stealer is classified by malware taxonomy as an “information stealer” (infostealer). Like many infostealers, RedLine is le...

Kevin Beaumont at DoublePulsar

Kevin Beaumont, published in DoublePulsar, 4 min read, 2 days ago. CitrixBleed mspaint.exe logo, no copyright so please make t-shirts. Three days ago, AssetNote posted an excellent write up about CitrixBleed aka CVE-2023–4966 in Citrix Netscaler/ADC/AAA/whatever it is called today. This vulnerability is now under mass exploitation. A few weeks ago it was under limited targeted exploitation to allow network access. It’s not AssetNote’s fault — it was clear multiple groups had already obtaine...

Kim Zetter at ‘Zero Day’

www.zetter-zeroday.com. Zero Day: Spies, hackers and the intersection between cybersecurity and national security. (News, analysis, features, investigations.) Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner. Malware discovered in 2017 was long classified as a crypto miner. But researchers at Kaspersky Lab say it's actually part of a sophisticated spy platform that has inf...

Bert-Jan Pals at KQL Query

Bert-Jan Pals. Included in: PowerShell, Incident Response, Defender For Endpoint. 2023-10-26, 2110 words, 10 minutes. This is it, the last part of the Incident Response series. In the past weeks, insight was given on how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three marks the last part which discusses how you can leverage Live Response, which is available in Defender For Endpoint. The incident response series consists of t...

Swachchhanda Shrawan Poudel at Logpoint

Bill Cozens at Malwarebytes Labs

Posted: October 23, 2023 by Bill Cozens On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network. First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign u...

Microsoft Security


Monty Security

Evasion by Annoyance: When LNK Payloads Are Too Long. montysecurity, 4 min read, 3 days ago. Introduction: I was analyzing this sample from the Malware Hunter Team and ran into hours of trouble trying to parse the full payload out of the LNK file because it is unusually long. I will go through my troubleshooting process and showcase how I managed to finally pull the whole payload out. (I should have known something was up when MHT indicated the LNK was 40+ MB.) Malware Hunter Team's Twee...

Nasreddine Bencherchali

SigmaHQ Rules Release Highlights — r2023-10-23. Nasreddine Bencherchali, published in Sigma_HQ, 3 min read, 6 days ago. //github.com/SigmaHQ/sigma/releases/tag/r2023-10-23 Sigma Rule Packages for 23-10-2023 are released and available for download. This release saw the addition of 21 new rules, 17 rule updates and 24 rule fixes. New Rules: Some highlights for the newer rules include detections for CVE-2023–27363 (Remote Code Execution in Foxit R...

Jared Peck at Proofpoint

From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware. October 23, 2023, Jared Peck. Key Takeaways: A new version of Grandoreiro malware from TA2725 targets both Mexico and Spain. Previously this malware has only targeted victims in Brazil and Mexico. Overview: Proofpoint researchers have long tracked clusters of malicious activity using banking malware to target users and organizations in Brazil and surrounding countries. Recently, researche...

PwC

Blog, 15 Minute Read, October 25, 2023. Author: PwC Threat Intelligence. Executive summary: Since 2019, PwC has tracked an Iran-based threat actor we refer to as Yellow Liderc (a.k.a. Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm). As reported in our previous Year in Retrospect publications,1,2,3 this threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping and logistics sectors within the Medi...

Brian Donohue and Tess Mishoe at Red Canary

Ivan Righi at ReliaQuest

Roy Akerman at Rezonate

SANS Internet Storm Center

Spam or Phishing? Looking for Credentials & Passwords. Published: 2023-10-29. Last Updated: 2023-10-29 17:09:35 UTC by Guy Bruneau (Version: 1). 0 comment(s). We are now at the end of Cybersecurity Awareness Month; it is important to remain digitally safe all year round [1][2][3]. In the past week, the handler mailbox has been receiving several emails, some asking to authenticate to get a password and other to...

Size Matters for Many Security Controls. Published: 2023-10-28. Last Updated: 2023-10-28 11:54:41 UTC by Xavier Mertens (Version: 1). 0 comment(s). This week, I'm teaching FOR610 in Manchester, and while my students are busy resolving some challenges, I'm looking at my hunting results from the previous days. I found an interesting sample. The file was delivered via an email with a URL pointing to a well-known file-sharing service: hxxps://www[.]Mediafire[.]com/file/o3m15ydxnhlm9w0/New+Purchase+Order...

Securelist

Malware descriptions, 23 Oct 2023. Table of Contents: Introduction; Validation components; JavaScript Validator; Binary Validator; Looking for traces in logs, again; Microphone recording; Keychain exfiltration; SQLite stealing modules; Location-monitoring module; Conclusion. Authors: Georgy Kucherin, Leonid Bezvershenko, Valentin Pashkov. Introduction: In our previous blogpost on Triangulation, we discussed the details of TriangleDB, the main implant used in this campaign, its C2 protocol and the commands it c...

APT reports, 26 Oct 2023. Table of Contents: Introduction; How it started; The infection; Persistence; Bitbucket repository; The modules; Service modules; Configuration storage; Upgrade/Uninstall; Reverse proxy; Functionality modules; Miscellaneous command handler; Credential harvester; Repeatable tasks; Recon module; SMBv1 and SSH infectors; Monero cryptocurrency mining module; ThunderCrypt; EternalBlue; Conclusion; Indicators of compromise. Authors: Sergey Belov, Vilen Kamalov, Sergey Lozhkin. Introduction: It’s just another cryp...

APT reports, 26 Oct 2023. Table of Contents: First steps; Device imaging; Examining backups; Trying to intercept the malicious iMessage; Good old MITM; Catching the JavaScript validator; The binary validator and the hint about the attachment; Exploring iMessage; Getting the implant; Obtaining the modules; Conclusion. Authors: Leonid Bezvershenko, Georgy Kucherin, Igor Kuznetsov, Boris Larin, Valentin Pashkov. In the beginning of 2023, thanks to our Kaspersky Unified Monitoring and Analysis Platform (KUMA) SIEM sy...

APT reports, 27 Oct 2023. Table of Contents: SIGNBT loader; SIGNBT; LPEClient; Connections with other campaigns; Conclusions; Indicators of Compromise; MITRE ATT&CK Mapping. Authors: Seongsu Park. Earlier this year, a software vendor was compromised by the Lazarus malware delivered through unpatched legitimate software. What’s remarkable is that these software vulnerabilities were not new, and despite warnings and patches from the vendor, many of the vendor’s systems continued to use the flawed softwa...

Sekoia

SentinelOne

Tom Hegel / October 24, 2023 By Tom Hegel and Aleksandar Milenkoski Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation ...

October 25, 2023 by Rick Bosworth. Artificial intelligence (AI) is such a hot topic right now with everyone clamoring to say how their company is leveraging AI in all the new, flashy ways. Here at SentinelOne, we don’t do hype or hyperbole and AI is nothing new. We were founded in 2013 on the premise that AI could fundamentally transform cybersecurity and achieve real-time defenses against machine-speed attacks. Our cloud workload protection platform (CWPP), Singularity Cloud Workload Securit...

October 26, 2023 by Jim Walter. The current conflict between Israel and the Hamas militant group has begun an onslaught of hacktivist-level activity carried out in the name of both sides. Amongst the ongoing fighting, numerous hacktivist groups and ‘lone wolves’ have taken the opportunity to maneuver into the cyber arena, deploying an array of malicious activities including Distributed-Denial-of-Service (DDoS) attacks, cyber defacement, doxxing, and custom malware launches. So far, the use of...

Simone Kraus

PART 1. Simone Kraus, 3 min read, 1 day ago. General Information — Translation of the Ukrainian UAC-0006 alert. Part 1 is the translation of the UA, part 2 analysis is in progress. Smoke Loader: In the period from October 2 to October 6, 2023, the Government Computer Emergency Response Team of Ukraine CERT-UA recorded at least four waves of cyberattacks carried out by the UAC-0006 group using the SmokeLoader malware. Legitimate compromised e-mails are used to send e-mails, and SmokeLoader i...

LockBit claims to have hacked Boeing. Simone Kraus, 12 min read, 1 day ago. Yesterday the next victim was published on Twitter and this time it is Boeing. It reminds me of Rheinmetall and Black Basta, and I wonder how it can happen that strategically important companies get into trouble due to ransomware attacks? In this article I try to find out why LockBit is “successful” and what we can do to better defend our own security posture. A short summary of who LockBit is (WorldWacht OCD...

SOCRadar

Nico Shyne at SpecterOps

Nico Shyne · Published in Posts By SpecterOps Team Members · 18 min read · 5 days ago. Written by Nico Shyne & Josh Prager. The Game of Domain Dominance: Just as in the political landscape of Westeros, defenders face a dynamic adversarial relationship…except instead of fighting rival families, defenders are locked into a struggle with innovators on the offensive side of cybersecurity. This innovation manifests in the form of evolving tradecraft and tooling, and defenders must stand ready t...

Splunk

By Splunk Threat Research Team, October 27, 2023. A recently disclosed CVE-2023-40044, which targets Progress Software WS_FTP Server Ad Hoc module, highlights the importance of providing detection developer environments where they can replicate, validate, and produce data of ongoing exploitation campaigns with the purpose of developing detections to protect their organizations. As its name suggests, the named software is a file transfer application that is being targeted for exploitation. ...

Ben Martin at Sucuri

Cedric Pernet at Trend Micro

This report explores the Kopeechka service and gives a detailed technical analysis of the service’s features and capabilities and how it can help cybercriminals to achieve their goals. By: Cedric Pernet, October 27, 2023. In recent years, cybercriminals have become increasingly professional — fraudsters have consistently been improving their skills, making less crucial mistakes, and creating various “as-a-service” businesses to help lower-skilled threat ...

Megan Nilsen at TrustedSec

A Hitch-hacker's Guide to DACL-Based Detections (Part 3), October 17, 2023. Written by Megan Nilsen. This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz. 1 Introduction: In this t...

A Hitch-hacker's Guide to DACL-Based Detections (Part 2), October 12, 2023. Written by Megan Nilsen. This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz. 1 Introduction: This is a...

A Hitch-hacker's Guide to DACL-Based Detections (Part 1B), October 11, 2023. Written by Megan Nilsen. This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz. 1 Introduction: In this...

A Hitch-hacker's Guide to DACL-Based Detections (Part 1A), October 10, 2023. Written by Megan Nilsen. This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz. 1 Introduction: If you ...

Josh Lemon at Uptycs

Daniel Pascual at VirusTotal

The path from VT Intelligence queries to VT Livehu...

WeLiveSecurity

ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible. Matthieu Faou, 25 Oct 2023 • 5 min. read. ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by th...

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023. Jean-Ian Boutin, 26 Oct 2023 • 2 min. read. ESET APT Activity Report Q2–Q3 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. In the monitored timespan, we observed a notable strategy of APT groups utilizing the exploitation of known vuln...

Avigayil Mechtinger and Itamar Gilad at Wiz

Part 2 dives into the world of LKMs (Loadable Kernel Modules) and kernel-space rootkits to explore what LKMs are, how attackers abuse them, and how to detect them. Avigayil Mechtinger, October 24, 2023 · 15 minutes read. Contents: Loadable kernel modules; Exploring and interacting with kernel modules from the user-space; Syscalls (system calls) and kernel functions; Abuse of LKM; Limitations; Kernel functions hooking methods; Syscall table modification; Using Kprobes (kernel probes); Using Ftrace; VFS...