Analysis Notes

A place to note things learned from malware analysis and things that seem likely to be useful for analysis. This site uses Google Analytics.

4n6 Week 47 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to display the opening of each article introduced in This Week in 4n6 (FourAndSix=Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be viewed here.

THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn

Posted on 2023-11-15 by adam. I love exploring unexplored software paths. And not necessarily on the assembly level – and that’s because often… it’s not even necessary. They often lead me to some really weird places, f.ex. discovering a software that reads a memory address from a specific environmental variable to execute code from that location, or learning that some unhappy devs at AMD or Microsoft sometimes get a bit annoyed, or that many people do stackoverflow when they code, and that many ‘s...

Adam Goss

Threat Intelligence with MISP Part 7 — Exporting IOCs. Adam Goss, published in InfoSec Write-ups, 11 min read, 6 days ago. Welcome back to this series on using MISP for threat intelligence! MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence. It is used across industries and governments worldwide to share and analyze information about the latest threats. Th...

Archbishop Sec

Writing Better Alert Names - How to win hearts of SOC Analysts. Nov 7, 2023. Contents: The Problem; Alerts with names that are hard to understand; Alerts with names that are a bit easier to understand; How do we fix this?; The Plan :tm:; Step 1 - Use consistent terminology; Step 2 - Peer review detection names; Step 3 - Decide what is most important for an analyst to know; Fin/TLDR. “What you see and what you hear depends a great deal on where you are standing. It also depends on what sort of person you are.” ~ The ...

Assume-breach

Home Grown Red Team: Hosting Encrypted Stager Shellcode. assume-breach, 6 min read, 1 day ago. Welcome back! Today we’re going to talk about hosting encrypted stager shellcode. There are a lot of uses for this. Whether you’re trying to implement a “fileless” implant or you’ve found writable access to a network share, you can be a little more stealthy with a staged payload. You may have noticed the banner. Today we’re foregoing Havoc and using good ole Metasploit. The reason for this ...

Avast Threat Labs

Avertium

November 14, 2023. Executive summary: The holiday season brings increased online shopping, but it also attracts threat actors seeking to take advantage of unsuspecting shoppers. This week, we'll explain "Silent Skimming", a financially motivated campaign that targets online payment businesses. This campaign primarily victimizes online businesses and point-of-sale service providers, as well as their consumers. Given the increased online shopping during the holiday season, it's important to understan...

Bedang Sen

Embark on a Custom Parser Journey: Unleashing the Power of SOF-ELK®. Bedang Sen, 15 min read, 4 days ago. As security incident response and digital forensics consultants, we frequently come across vast amounts of logs and datasets that require parsing and analysis in a Security Information and Event Management (SIEM) system. SOF-ELK®, the brainchild of Phil Hagen, emerges as an exceptional solution, offering a wide range of prebuilt parsers for commonly encountered datasets such as n...

Adam Paulina at Binary Defense

Justin Seitz at Bullsh*t Hunting

Off the Cuff: Freak in the Google Sheets. Certificate hunting using our favourite free spreadsheet. Justin Seitz, Nov 14, 2023. Hey folks! Here’s a quick video on how to scrape SSL certificate information from crt.sh with Google Sheets. This technique can help you discover interesting subdomains, domains that are connected to your t...

CERT Ukraine

CERT-AGID

Agenzia Entrate e Riscossione phishing campaign. 13/11/2023, Agenzia Entrate. A phishing campaign is under way, aimed indiscriminately at private companies and public administrations, which exploits logos and fake communications from Agenzia delle Entrate e Riscossione. The e-mail, with the subject “Avviso Raccomandata”, invites the victim to follow the link proposed in the body of the message in order to view a notification. Phishing e-mail: the link does not point to the real domain of Agenzia delle Entra...

Have the recent EU financial sanctions forced the Ursnif group to change strategy? 14/11/2023, Agenzia Entrate, remcos. Today a campaign aimed at delivering the Remcos malware in Italy was detected. Remcos is not a new malware for Italy and is widely documented in the literature. What is relevant in this campaign is in fact not the malware used but the distribution techniques (known in jargon as TTPs). Today's campaign leverages a fake communicatio...

Summary of malicious campaigns in the week of 11 – 17 November 2023. 17/11/2023, summary. This week, within the Italian scenario it monitors, CERT-AGID detected and analyzed a total of 28 malicious campaigns, of which 24 with Italian targets and 4 generic ones that nonetheless affected Italy, making the related 464 indicators of compromise (IOCs) identified available to its accredited entities. Below we report the details of the typolog...

Check Point

Research, November 16, 2023. November Shopping Schemes: Check Point Research Unveiling Cybercriminal Tactics as Luxury Brands Become Pawns in Email Scams. By Check Point Team. Highlights: Delivery service and shipping sectors a...

Yehuda Gelb at Checkmarx Security

Attacker Hidden in Plain Sight for Nearly Six Months, Targeting Python Developers. Yehuda Gelb, published in checkmarx-security, 6 min read, 2 days ago. It has become commonplace for attackers to invest a significant amount of time and effort within the open-source ecosystem. Attackers, driven by malicious intent, demonstrate an extraordinary level of persistence in their pursuit of exploiting vulnerabilities in the open-source ecosystem. While they may not always achieve their objecti...

CISA

Release Date: November 13, 2023. Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an update to joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware. The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as...

Release Date: November 15, 2023. Alert Code: AA23-319A. Related topics: Malware, Phishing, and Ransomware; Cyber Threats and Advisories. Actions to take today to mitigate malicious cyber activity: Prioritize remediating known exploited vulnerabilities. Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems. Segment networks to prevent the spread of ransomware. SUMMARY. Note: This joint Cybersecurity Adviso...

Release Date: November 16, 2023. Alert Code: AA23-320A. Related topics: Cyber Threats and Advisories; Malware, Phishing, and Ransomware. SUMMARY. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through ...

Cisco’s Talos

By Jonathan Munshaw, Thursday, November 16, 2023 14:00. Threat Source newsletter. I don’t think this is a particularly bold take — but I’m not afraid to say that ad blockers are good! Ever since I started using one sometime in 2016, my experience of using the internet has improved exponentially. I can finally easily find a recipe for dinner on a random influencer’s blog, get a faster answer to “how to replace my car’s headlights” and likely avoid hundreds of pieces of malvertising. But their use ha...

By Guilherme Venere, Friday, November 17, 2023 08:01. Threat Spotlight. Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations. Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan. This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomwar...

By Guilherme Venere, Friday, November 17, 2023 08:01. Ransomware, Threat Spotlight. Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared ...

CTF导航

[DFIR Report translation] From NetSupport persistence to AD domain compromise. Penetration techniques, 6 days ago. For the best reading experience, visit the Yuque knowledge base: //www.yuque.com/safestplace/zh4qn2/sg11huyoxpt5xgyf. Summary: NetSupport Manager is one of the oldest third-party remote access tools on the market, with a history of more than 33 years. This is the first time we report on a NetSupport RAT intrusion, but malicious use of the tool dates back to at least 2016. In this report we analyze a case from January 2023 in which NetSupport RAT was used to penetrate a network; the RAT served for persistence and remote control, ultimately leading to compromise of the entire AD domain. Technical summary: The intrusion began with an email carrying a zip archive attachment that contained a malicious JavaScript file. After the email was delivered, the user extracted and executed the JavaScript file. The JavaScript code in turn ran an obfuscated PowerShell script. The PowerShell script was responsible for deploying NetSupport onto the system, checking that the current execution environment was not a sandbox, and then in the registry Run Key...

Don’t throw a hissy fit; defend against Medusa. Reverse engineering and virus analysis, 5 days ago. Intro: Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we t...

What is ATT&CK actually useful for? Penetration techniques, 2 days ago. There are already many books and article series on the market interpreting ATT&CK, but I find that many people are still very confused about how to apply ATT&CK in their own work. I think the root cause is that most of these materials explain what ATT&CK is and what the framework contains; even the official blog and other materials only scratch the surface when it comes to applying it to scenarios. Of course, at the official annual conference and related events there are actually many practices shared by practitioners on the defending side, but for various reasons they have not been seen by more people. So let me answer, from my own perspective, what ATT&CK is actually useful for. First, the official definition is clear: ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations. Organizations with a higher level of maturity all accumulate knowledge bases, perhaps with a methodology; they differ in size and quality, but in terms of content they are the same kind of thing. Early versions of ATT&CK were even criticized for lacking rigour and comprehensiveness. What problems has the existence of so many knowledge bases in the real world actually caused? Let us look at a suitably exaggerated scenario. Three kinds of devices in an organization produce alerts. For the operations staff, how do they determine whether these three alerts are the same one, or whether they are related? Imagine three passages written in Chinese, English and French respectively: how would you know whether they are related? Only someone fluent in all three languages...

Revealing the APT group - the NSA's TAO. APT, 2 days ago. On June 22, 2022, Northwestern Polytechnical University issued a “Public Statement” disclosing that the university had become the target of overseas cyber attacks. Subsequently, the Beilin branch of the Xi'an Public Security Bureau, Shaanxi Province, issued a “Police Bulletin” confirming that multiple trojan samples originating from abroad had been found in the university's information network, and that police had formally opened an investigation. A technical team formed by the National Computer Virus Emergency Response Center and 360 took part throughout the technical analysis of the case. They extracted multiple trojan samples from several of the university's information systems and internet terminals, and received the full support of partners in some European and South Asian countries. By comprehensively using domestic and foreign data resources and analysis methods, the technical team reconstructed the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the related attack events. Preliminary findings determined that the related attack activity originated from the US National Security Agency's (NSA) “Tailored Access Operations” office (TAO...

Cyfirma

Published On: 2023-11-17. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Geography: Israel. Introduction: CYFIRMA Research and Advisory Team has found ransomware-as-a-service known as GhostLocker while monitoring var...

Digital Daniela

11/18/2023. Hi everyone! In this blog I will show you threat intelligence with an open-source platform called MISP, also known as Malware Information Sharing Platform. This is from a TryHackMe room in task 5 that can be found here - //tryhackme.com/room/misp 1. What event ID has been assigned to the PupyRAT event? In MISP, we will need to do a search for PupyRAT, which is a remote access trojan. Once you do a search, you will find the answer, it is 1146. 2. The event is associated with ...

Dragos

Jackson Evans-Davies, DISC. The Dragos Industrial Security Conference (DISC) is an annual event celebrated on November 5th that provides attendees with some of Dragos’s best research through multiple cybersecurity presentations focused on industrial control systems (ICS) and operational technology (OT). Last year, Dragos offered the event’s second Capture the Flag (CTF) contest, and considering its immense success, we decided to offer it again this ye...

Abdulrahman H. Alamri, Ransomware Research, Threats. In a predictable yet concerning trend, ransomware groups continued to impact industrial entities and critical infrastructure during the third quarter of 2023, leading to disruptions in operations. Although there has been a marginal decrease in the reported ransomware incidents compared to the previous quarter, the ramifications remain profound. Not only do they harm the impacted industrial entities, ...

Esentire

By eSentire Threat Response Unit (TRU), November 16, 2023 | 18 MINS READ. Attacks/Breaches, Threat Intelligence, Threat Response Unit, TRU Positive/Bulletin. In this post: Key Takeaways; January Case; SolarPhantom Backdoor; May Case; How eSentire is Responding; Recommendations from eSentire’s Threat Response Unit (TRU); Indicators of Compromise; MITRE ATT&CK; Sigma and Yara; References. Key Takeaways: SolarMarker uses process injection to run the hVN...

Crime network behind the $100 million MGM Resorts breach and the publication of topless images of breast cancer patients has adopted new attack tactics to infect corporations and public entities with their ransomware: Google software ads and malware made from genuine IT tools. By eSentire Threat Response Unit (TRU), November 14, 2023 | 7 MINS READ. Attacks/Breaches, Threat Response Unit. In this post: About Nitrogen; The Criminal O...

Brandon Dossantos at Expel

Engineering · 3 MIN READ · BRANDON DOSSANTOS · NOV 13, 2023 · TAGS: MDR. When it comes to hacker activities post-compromise, inbox rule manipulation can be an attacker’s Swiss Army knife. Check out what we’ve learned from analyzing a dataset of true positive Microsoft 365 Outlook rule events. For attackers interested in the contents of a user’s inbox, even if it’s not the actual treasure chest, it can be a good place to start hunting for the map (and maybe even the keys). Attackers especially love it...

Flashpoint

According to court documents, Makinin developed and deployed malicious software to hack thousands of Internet-connected devices around the world. Flashpoint, November 14, 2023. “SAN JUAN, Puerto Rico – A Russian and Moldovan national pled guilty to three counts of violating 18 U.S.C. § 1030(a)(5)(A) Fraud and Related Activity in Connection with Computers.” “The FBI today revealed US law enforcement’s dismantlement of a botnet proxy network and its infrastructure associated with the IPS...

Fortinet

By Shunichi Imano and Fred Gutierrez | November 14, 2023. On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomwar...

By Andrew Nicchi, John Simmons, Amey Gat and Mark Robson | November 15, 2023. The goal of the FortiGuard IR team is to provide organizations with valuable insights from threat analysis to bolster their security posture. We recently conducted a comprehensive analysis of an incident involving the Rhysida ransomware group, shedding light on their operations, tactics, and impact, including a novel technique involving ESXi-based ransomware. The Rhysida Ransomware Group: The Rhysida group was first iden...

By Richard Springer | November 17, 2023. One of the foundational elements of the Fourth Industrial Revolution (Industry 4.0) is interconnectivity. This is the motivation behind the convergence of IT networks and OT environments. When devices, machines, and systems are interconnected via the internet, they can communicate and share data in real-time, and these abilities lead to many new benefits. IT and OT convergence is very compelling to t...

Tom Forbes at GitGuardian

Secrets detection. Uncovering thousands of unique secrets in PyPI packages. Security Researcher Tom Forbes worked with the GitGuardian team to analyze all the code committed to PyPi packages and surfaced thousands of hardcoded credentials. Guest Expert: GitGuardian hires external cybersecurity experts to share their unique experience and knowledge in security on the GitGuardian blog. Guest Expert, 13 Nov 2023 • 10 min read.

Clement Lecigne and Maddie Stone at Google Threat Analysis Group

Threat Analysis Group. Zimbra 0-day used to target international government organizations. Nov 16, 2023. Clement Lecigne and Maddie Stone, Threat Analysis Group. In June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizat...

GuidePoint Security

Joshua Penny

HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED. Joshuapenny, 15 min read, 4 days ago. Introduction: Welcome to my first post. I’ve decided to create a new series of blogs, called ‘HostingHunter’. I will document personal research attempts to uncover malicious or interesting activity conducted on various hosting providers on the internet. I will start with as little knowledge as possible, focusing on the unusual and lesser known providers. This idea was spawned as a result of...

Kevin Beaumont at DoublePulsar

Kevin Beaumont, published in DoublePulsar, 5 min read, 6 days ago. Recently, I’ve been tracking LockBit ransomware group as they’ve been breaching large enterprises: I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations — many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Rec...

Kroll

George Glass Keith Wojcieszek Mikesh Nagar NOTE: This remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog. SysAid, an IT service management software provider, has released a security bulletin for a zero-day path traversal vulnerability leading to code execution within their on-premise software. This vulnerability is being tracked as CVE-2023-47246 with a CVSS score of unrated and i...

Laurie Iacono, Keith Wojcieszek, George Glass. Download the Report. Contents: Q3 Threat Timeline; Sector Analysis; Ransomware Variants; Case Study; Malware Trend Analysis. Q3 Threat Timeline: Social engineering in its many forms took center stage in Q3 2023. The quarter saw “human hacking” evolve from a long-standing security challenge to threat actors’ method of choice. This was evidenced by our observations of the ...

Malwarebytes

Posted: November 14, 2023 by Jérôme Segura As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft. One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in or...

Posted: November 15, 2023 by Threat Intelligence Team This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In October, 318 new victims were posted on ransomware leak sites. The top active gangs...

Muhammad Muneer, Chris Madge, and Arjun Bhardwaj at Mandiant

Insider Threat: Hunting and Detecting. Muhammad Muneer, Chris Madge, Arjun Bhardwaj. Nov 16, 2023, 14 min read. Insider Threats: The insider threat is a multifaceted challenge that represents a significant cybersecurity risk to organizations today. Some are malicious insiders such as employees looking to steal data or sabotage the organization. Some are unintentional insiders such as employees who make careless mistakes or fall victim to phishing attacks. If you need a refresher on what insider thre...

Monty Security

Hunting Sandworm Team’s TTPs. montysecurity, 6 min read, 3 days ago. Introduction: This post is the result of reviewing the references for Sandworm Team’s MITRE Group page (as of November 2023). Searches are provided in KQL for Defender for Endpoint. A few notes: This does not cover every TTP they use. The focus is on process events. No attribution work was done as a part of this analysis. I simply reviewed the existing references in MITRE and took them at face value. Evidence of the TTP ...

Nick Van Gilder

Okta for Red Teamers — Perimeter Edition. Nick VanGilder, published in nickvangilder, 15 min read, 1 day ago. This article by Nick Vangilder and Dave Thomas is intended to be complementary to the amazing work of Adam Chester (@xpn) over at TrustedSec who recently wrote a fantastic blog post explaining multiple, post-exploitation techniques related to Okta. We highly recommend that you check it out, here: //trustedsec.com/blog/okta-for-red-teamers. Inspired by his work on the post-exp...

Palo Alto Networks

18 min. read. By Eli Birkan, Dan Yashnik, Oriel Cochavi, Bar Lahav and Mike Harbison, November 13, 2023 at 3:00 AM. Category: Vulnerability. Tags: Cortex XDR, CVE-2023-36584, CVE-2023-36884, exploit, Microsoft Office, Microsoft Vulnerability, Prisma Cloud, Remote Code Execution, RomCom, Storm-0978, Ukraine. Executive Summary: During our analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO...

6 min. read. By Unit 42, November 17, 2023 at 3:00 AM. Category: Malware. Tags: Advanced URL Filtering, Advanced WildFire, APT, C2, China, Cloud-Delivered Security Services, Cortex XDR, Cortex XSIAM, Cortex XSOAR, DNS security, Machine Learning, next-generation firewall, Stately Taurus, threat prevention, WildFire. Executive Summary: Tensions between China and the Philippines have risen sharply over the past several months. In...

Proofpoint

TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities. November 14, 2023, Joshua Miller and the Proofpoint Threat Research Team. Key takeaways: From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode. During the same period, TA402 adjusted its d...

Resecurity

Ransomware Attacks against the Energy Sector on the rise - Nuclear and Oil & Gas are Major Targets in 2024. Cyber Threat Intelligence, 12 Nov 2023. Tags: Oil, Gas, Energy, Ransomware, Nuclear Energy, Cyber Threats, Cyber Attacks. Resecurity has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations in North America, Asia, and the European Union....

Roota

Salim Salimov

TEST YOUR DETECTION WITH ATOMIC RED TEAM AND SYSMON OR KIBANA/ELK. Salim Salimov, 6 min read, 4 days ago. Hello Everyone, as my posts are mainly focused on Cybersecurity activities, today I have decided to write something about the “Atomic Red Team” tool and how it works. I will be covering how to install it on a local machine, with an example of how to run a test, and also run the same test in a lab environment. So what is AtomicRedTeam? Basically this is a very useful Red Team tool that can simul...

SANS Internet Storm Center

Noticing command and control channels by reviewing DNS protocols. Published: 2023-11-13, Last Updated: 2023-11-14 00:01:25 UTC, by Manuel Humberto Santander Pelaez (Version: 1), 1 comment(s). Malicious software pieces installed in computers call home. Some of them can be noticed because they perform a DNS lookup and some of them initiate a connection without a DNS lookup. This last option is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network tra...

Redline Dropped Through MSIX Package. Published: 2023-11-15, Last Updated: 2023-11-15 07:38:15 UTC, by Xavier Mertens (Version: 1), 1 comment(s). The MSIX package file format has been in the light for a few weeks. The GHOSTPULSE[1] malware has been identified to bypass many security controls delivered through an MSIX package. Like many operating systems, Windows can install applications by executing an executable (often called "setup.exe"), but packages are also available. Think about the well-known ...

Beyond -n: Optimizing tcpdump performance. Published: 2023-11-16, Last Updated: 2023-11-16 16:07:43 UTC, by Johannes Ullrich (Version: 1), 0 comment(s). If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!). So, let's talk about speed and tcpdump. Everybody knows never to run tcpdump without the "-n" swit...

Phishing page with trivial anti-analysis features. Published: 2023-11-17, Last Updated: 2023-11-17 10:12:27 UTC, by Jan Kopriva (Version: 1), 1 comment(s). Anti-analysis features in phishing pages – especially in those which threat actors send out as e-mail attachments – are nothing new[1,2]. Nevertheless, sometimes the way that these mechanisms are implemented may still leave one somewhat mystified. This happened to me a few weeks ago when I found what appeared to be a generic phishing message ...

Securelist

Kaspersky Security Bulletin, 14 Nov 2023. Table of Contents: A review of last year’s predictions: 1. The rise of destructive attacks; 2. Mail servers become priority targets; 3. The next WannaCry; 4. APT targeting turns toward satellite technologies, producers and operators; 5. Hack-and-leak is the new black (and bleak); 6. More APT groups will move from Cobalt Strike to other alternatives; 7. SIGINT-delivered malware; 8. Drone hacking! APT predictions for 2024: The rise of creative exploits for mobile, w...

MacKenzie Milligan at Security Intelligence

Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was obser...

Den Iuzvyk, Tim Peck, and Oleg Kolesnikov at Securonix

Threat Research Share By Securonix Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov tldr: An interesting ongoing SEO poisoning/malvertising campaign leveraging WinSCP lures along with a stealthy infection chain lures victims into installing malware (alongside the legitimate WinSCP software). Attackers are likely leveraging dynamic search ads which let threat actors inject their own malicious code while mimicking legitimate sources like Google search pages. A rather steep uptick in maliciou...

Sekoia

SentinelOne

Tom Hegel / November 16, 2023. Executive Summary: SentinelLabs has garnered new intelligence pertaining to the activities of the Appin Security Group, a renowned entity in the realm of hack-for-hire services. Our comprehensive analysis has unearthed information on numerous global cyber intrusions, encompassing instances of espionage, surveillance, and disruptive actions. Furthermore, our findings establish a high level of confidence in attributing intrusions in various countries, including Norway,...

November 16, 2023 by Jim Walter. In this blog post, we delve into the notable trends shaping the cyber threat landscape over the past month. Hot topics this month revolve around the expanding use of generative AIs by cybercriminals, the ongoing surge of ransomware campaigns, and the latest developments in cyber warfare related to the Israel-Hamas war. Crimeware Scene Continues to Explore Advantages of LLMs: AI-centric tools and services continue to emerge, with a number of notable developments...

Simone Kraus

Top Cy-X Threat Actors impacting Germany in 2023 and how to defend against them. Simone Kraus, 18 min read, Nov 12. In this first part of the article, we look at the top 5 Cy-X threat actors that Or identified for Germany in 2023. In addition to the ransomware used by these threat actors, we also look at the top tools used by at least top 3 Cy-X threat actors out of the top 5 Cy-X adversaries. Subsequently, recommendations for action are made for the top tools and the top MITRE ATT&...

SOCRadar

Jared Atkinson at SpecterOps

On Detection: Tactical to Functional. Part 11: Functional Composition. Jared Atkinson, published in Posts By SpecterOps Team Members, 17 min read, 5 days ago. Introduction: Welcome back to part 11 of the On Detection blog series. This next article serves as a conceptual foundation upon which we will build over the next few posts. It may not be immediately obvious why this is important, but understanding this concept will make many subsequent ideas much easier to parse. A colleague of mine,...

Tamara Chacon at Splunk

By Tamara Chacon, November 17, 2023. So far in this series, we’ve shared some key techniques that are required for threat hunting using Splunk — we’ve discussed how to: enrich data with lookup commands and workflow actions; examine network traffic with Splunk Stream; discover the different types of data available in your Splunk instance; make the most of your Windows event logs; start using the powerful stats command. This post will continue by introducing a set of foundational Splunk threat-hun...

Nigel Douglas at Sysdig

System Weakness

Understanding DLL hijacking - What it is and how it’s used in hacking. rootshellace, published in System Weakness, 5 min read, Nov 5. DLL Hijacking: No, this is not about how to rob a van of a delivery company 😅. DLL hijacking is a technique used in cybersecurity. Maybe you might have already heard about it. Or you might not have any clue. Do you want to find out more? Don’t leave and get ready! ● First things first. What is a DLL? DLL stands for Dynamic Link Library. As its name says, it...

Fahri Yeşil, published in System Weakness, 8 min read, 2 days ago. In this battleground of bytes and algorithms, cybersecurity professionals find themselves on the frontline, defending against an array of cyber threats that are as dynamic as they are pervasive. Traditional security measures are often outpaced by the ingenuity of attackers, necessitating innovative tools and approaches to stay ahead of the curve. This brings us to YARA, a robust defender in the arsenal of cybersecurit...

Taz Wake

Linux Incident Response - using ss for network analysis. Taz Wake, published Nov 14, 2023. Introduction to the ss Command: The ss (socket statistics) command is a powerful tool in Linux used for examining sockets. As an incident responder, understandin...

Team Cymru

Threat Modeling and Real-Time Intelligence - Part 2: Leverage Internet Telemetry & Threat Intelligence for Benefits Beyond the MITRE ATT&CK Framework. The MITRE ATT&CK framework is like a blueprint of the battlefield, showcasing potential threat actors and their tactics to infiltrate an organization. It guides a security practitioner to identify gaps in an organization's capabilities by following the tactics a bad actor may use to gain access. It also covers the techniques employed by threat actors...

Third Eye intelligence

General Tips, Threat Intelligence. Navigating the Evolving Cyber Threat Landscape: Insights from ACSC’s 2021-2023 Reports. November 15, 2023. Comparing the ACSC reports is like watching a cybercrime drama series, each season bringing twists. The decrease in BEC losses from 2022 to 2023 could indicate improved defences or shifting criminal tactics. However, the massive jump in overall scam losses is a wake-up call for Australians. Adapting and evolving is crucial, much like the cyber...

Shilpesh Trivedi and Nisarga C M at Uptycs

WinRAR CVE-2023-38831 Vulnerability Draws Attention from APTs. Tags: Threat Intelligence, Vulnerability Management, Zero Day, Exploitation, WinRAR. Uptycs Threat Research, November 17, 2023. Authors: Shilpesh Trivedi and Nisarga C M. In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced ...