Analysis Notes

A place to jot down malware analysis attempts and anything that looked useful for analysis.

4n6 Week 49 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) so the articles worth checking can be skimmed quickly. The 4n6 roundup itself can be found here.

THREAT INTELLIGENCE/HUNTING

0xdeaddood

Impacket v0.11.0 Now Available. By 0xdeaddood, August 3, 2023. First published in coresecurity.com. We are thrilled to announce a new version of Impacket! After months of hard work and dedication, Impacket v0.11.0 is now available and has a bunch of new and exciting features. We can’t wait for you to explore and enjoy the added capabilities that come with this version! ...

Bill Stearns at Active Countermeasures

Adam at Hexacorn

Posted on 2023-11-26 by adam Inspired by Phill Moore’s new project called Ruler, I combed my collection of all old HijackThis logs (that I web scraped a long time ago) looking for paths that may be associated with security software. Unlike Phill’s, the resulting data dump is not curated, so it definitely includes lots of junk, but since it was relatively easy to put together, why not… The intention here is primarily to highlight how ‘rich’ the world of directory and file names is. Not only we ca...

Stefan Hostetler, Markus Neis, and Kyle Pagelow at Arctic Wolf

This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community and we will update this blog with more details as our investigation continues. Key Takeaways: Exploitation of Qlik Sense application in the observed campaign. Cactus ransomware deployed in association with observed exploitation. ManageEngine UEMS and AnyDesk deployed for remote access. M...

Francis Guibernau and Andrew Costis at AttackIQ

BI.Zone

Rare Wolf preys on sensitive data using fake 1C:Enterprise invoices as lure. BI.ZONE, 5 min read, 3 days ago. How adversaries create diversions and stay invisible. BI.ZONE Threat Intelligence specialists have discovered a cybercriminal group that has been active since at least 2019. While this cluster of activity was previously directed against the countries neighboring Russia, now such attacks have reached Russia itself. The attackers use phishing emails to install a legitimate monit...

Binary Defense

Martin Zugec at Bitdefender

Martin Zugec, November 30, 2023. Monitoring lateral movement across hybrid cloud environments, spanning platforms like Google Cloud, Amazon Web Services (AWS), and Microsoft Azure, is a critical aspect of maintaining robust cybersecurity, demanding heightened security expertise from technical teams. While the dynamics of lateral movement within traditional Active Directory (AD) environments are well understood, the introduction of hybrid cloud infrastructures brings a new layer of complexity. Bitde...

Blackberry

AeroBlade on the Hunt Targeting the U.S. Aerospace Industry. RESEARCH & INTELLIGENCE, 11.30.23, The BlackBerry Research & Intelligence Team, Dmitry Bestuzhev. Summary: BlackBerry has uncovered a previously unknown threat actor targeting an aerospace organization in the United States, with the apparent goal of conducting commercial and competitive cyber espionage. The BlackBerry Threat Research and Intelligence team is tracking this threa...

Brad Duncan at Malware Traffic Analysis

2023-11-27 (MONDAY) - TA577 PUSHES ICEDID (BOKBOT) VARIANT
REFERENCES: //www.linkedin.com/posts/unit42_ta577-icedid-bokbot-ugcPost-7135285478743822336-Hwga ; //twitter.com/Unit42_Intel/status/1729519857908015333
ASSOCIATED FILES:
2023-11-27-IOCs-for-TA577-pushing-IcedID-variant.txt.zip 1.5 kB (1,531 bytes)
2023-11-27-TA577-pushes-IcedID-variant.pcap.zip 411 kB (410,551 bytes)
2023-11-27-IcedID-variant-malware-and-artifacts.zip 675 kB (674,899 bytes)

2023-11-30 (THURSDAY) - DARKGATE ACTIVITY
REFERENCES: //www.linkedin.com/posts/unit42_darkgate-timelythreatintel-malwaretraffic-activity-7136107640379637760-F4OH ; //twitter.com/Unit42_Intel/status/1730342021628400092
ASSOCIATED FILES:
2023-11-30-IOCs-for-DarkGate-activity.txt.zip 1.9 kB (1,896 bytes)
2023-11-30-DarkGate-infection-traffic.pcap.zip 1.7 MB (1,697,331 bytes)
2023-11-30-DarkGate-malware-and-artifacts.zip 2.9 MB (2,914,719 bytes)

2023-11-29 (WEDNESDAY) - EMAIL --> JINXLOADER --> FORMBOOK/XLOADER
REFERENCES: //www.linkedin.com/posts/unit42_jinxloader-formbook-xloader-activity-7136002703737974786-9y8J ; //twitter.com/Unit42_Intel/status/1730237085246775562
ASSOCIATED FILES:
2023-11-29-IOCs-for-JinxLoader-to-Formbook-XLoader.txt.zip 2.2 kB (2,151 bytes)
2023-11-28-malspam-for-JinxLoader.eml.zip 46.0 kB (45,953 bytes)
2023-11-29-JinxLoader-to-Formbook-XLoader.pcap.zip 10.8 MB (10,778,279 bytes)
2023-11-29-JinxLoader-and-Formboo...

Cado Security

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 25 November – 1 December 2023. 01/12/2023. Summary: this week CERT-AGID detected and analyzed, in the Italian scenario it monitors, a total of 34 malicious campaigns, 29 of them with Italian targets and 5 generic ones that nonetheless affected Italy, making the 390 related indicators of compromise (IOCs) available to its accredited entities. Below we report the details of the...

Check Point

Security, November 30, 2023. Unlocking the Power of MITRE ATT&CK: A Comprehensive Blog Series on Implementation Strategies for Incident Response Teams. By Check Point Team. Welcome to this journey of blog posts which will be a ...

CISA

Release Date: November 28, 2023. CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations; there is no ...

Release Date: December 01, 2023. Alert Code: AA23-335A. Actions to take today to mitigate malicious activity: implement multifactor authentication; use strong, unique passwords; check PLCs for default passwords. SUMMARY: The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminatin...

CrowdStrike

November 9, 2023, Counter Adversary Operations. CrowdStrike Counter Adversary Operations has been investigating a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics and technology sectors that occurred in October 2023. Based on a detailed examination of the malicious tooling used in these attacks, along with additional reporting and industry reports, CrowdStrike Intelligence attributes this acti...

CTF导航

The Art of Windows Persistence - HADESS. Penetration techniques, 3 days ago. In the realm of Windows persistence, key findings reveal a diverse and sophisticated array of techniques used by attackers to maintain access to systems. These methods range from simple manipulations like startup folder and registry autorun entries to more complex strategies involving service modification, DLL hijacking, and exploitation of Windows Management Instrumentation (WMI) and Component...

Malware analysis report: Stealc stealer - part 2. Reverse malware analysis, 3 days ago. We continue to publish our analysis report of Stealc, an information stealer promoted by its supposed developer Plymouth on Russian-language underground forums and sold as malware as a service since January 9, 2023. In this part we analyse the exfiltration of system information and download...

Mobile Malware Analysis Part 5 – Analyzing An Infected Device. Reverse malware analysis, 3 days ago. In the first part of iOS Malware Detection, as a part of our Mobile Malware Analysis Series, we covered how to gather forensic artifacts, what to use for analysis and which files on iOS are interesting. In this part, we will simulate a couple of IOCs and see how to search for them. The first par...

APT-C-28 (ScarCruft) activity analysis: deploying the Chinotto component against South Korea. APT, 3 days ago. APT-C-28 (ScarCruft), also known as APT37 (Reaper) and Group123, is an APT group from the Korean Peninsula. Since it was first disclosed, its attack activity has continued up to the present and it remains highly active. APT-C-28's main targets are South Korea and other Asian countries, and it conducts cyber-espionage across many sectors, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare. Recently, the 360 Advanced Threat Research Institute discovered malicious attack files hosted on the back end of a website: ZIP and RAR archives carrying payloads. These payloads drop or remotely load malicious scripts and then load a PowerShell-based Chinotto Trojan filelessly to steal data, and the loaded Trojan's remote-control command set has grown, showing that the group keeps optimizing and updating its payloads for data theft. 1. Attack activity analysis. 1.1 Attack flow analysis. APT-C-28 bundles malicious ZIP and RAR archives in phishing emails. The ZIP file carries a malicious LNK file which, when executed, drops a decoy and a BAT file; the batch file loads in memory a PowerShell pro...

Cybereason

Written By Cybereason Security Research Team Cybereason issues Threat Alerts to inform customers of emerging threats, including a recently observed DJvu variant delivered via a loader masquerading as freeware. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them. WHAT'S HAPPENING? The Cybereason Security Services Team is investigating incidents that involve variants of the DJvu ransomware delivered via loader payloads masquerading as ...

Cyfirma

Published On: 2023-12-01. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geographies, and technologies which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Introduction: CYFIRMA Research and Advisory Team has found ransomware known as Vx-underground while monitoring various underground forums as part of o...

Embee Research

Beginner. Identifying Suspected PrivateLoader Servers with Censys: Refining Queries and Identifying Suspicious Servers using Censys. Matthew, Nov 26, 2023, 5 min read. This is a quick post based on a tweet shared by @g0njxa. Here we will build a Censys query to identify servers related to an IP related to PrivateLoader. Initial Search. We can begin with an initial search on the IP Address us...

Advanced. Building Advanced Threat Intel Queries Utilising Regex and TLS Certificates (BianLian): Creating Regex Signatures on TLS Certificates with Censys. Matthew, Nov 27, 2023, 8 min read. In this post we will investigate a BianLian C2 address and use TLS certificates to obtain another ~50 servers. Our primary focus will be building a regex query that matches the unique TLS structure ...

Advanced Threat Intel Queries - Catching 83 Qakbot Servers with Regex, Censys and TLS Certificates: Catching 83 Qakbot Servers using Regular Expressions. Matthew, Nov 30, 2023, 9 min read. In this post we will leverage regular expressions and TLS certificates to capture 83 dispersed Qakbot servers. These servers are well made and there are minimal traditional patterns (ports, service names, ASNs) that can be used for signaturing. Instead we will focus on commonalities within the subject_dn and is...
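The two Censys posts above both pivot on certificate structure rather than on literal values. As an added example (my own, not Embee Research's code, and making no Censys API call), the Python below runs that idea over constructed host records: it first abstracts each subject_dn into a skeleton to see which self-signed structures recur, then applies a hypothetical regex written for that skeleton to the raw DN string. The IPs, DNs and the regex are all made up for the demonstration; the real BianLian and Qakbot patterns are in the posts.

```python
"""Pivoting on TLS certificate structure rather than literal values.

Added example: not Embee Research's code and not a Censys API call. The host
records are constructed sample data and the regex is a hypothetical signature
written for them; the real Qakbot and BianLian patterns are in the posts above.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed records in the shape a Censys host result exposes for the leaf
# certificate (subject_dn / issuer_dn). Documentation IP ranges only.
SAMPLE_HOSTS: List[Dict[str, str]] = [
    {"ip": "203.0.113.10",
     "subject_dn": "C=US, ST=NY, L=New York, O=Example Corp, CN=example.com",
     "issuer_dn": "C=US, O=Let's Encrypt, CN=R3"},
    {"ip": "198.51.100.7",   # self-signed, random-looking single-word RDNs
     "subject_dn": "C=FR, ST=Ivmpa, L=Qwdrpzk, O=Xtrbnaq, CN=kzqwmdnb.info",
     "issuer_dn": "C=FR, ST=Ivmpa, L=Qwdrpzk, O=Xtrbnaq, CN=kzqwmdnb.info"},
    {"ip": "198.51.100.23",  # same structure, different literal values
     "subject_dn": "C=DE, ST=Bxq, L=Wmrtyqs, O=Pplovez, CN=tqzmvrw.com",
     "issuer_dn": "C=DE, ST=Bxq, L=Wmrtyqs, O=Pplovez, CN=tqzmvrw.com"},
    {"ip": "192.0.2.44",
     "subject_dn": "CN=mail.corp.example",
     "issuer_dn": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"},
    {"ip": "192.0.2.99",     # self-signed but human-chosen values
     "subject_dn": "C=GB, ST=London, L=London, O=Acme Ltd, CN=acme.example",
     "issuer_dn": "C=GB, ST=London, L=London, O=Acme Ltd, CN=acme.example"},
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a 'C=US, ST=NY, CN=...' string into (attribute, value) pairs.
    Assumes no escaped commas inside values, which holds for the samples."""
    pairs = []
    for rdn in dn.split(", "):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def value_class(value: str) -> str:
    """Coarse class of one RDN value: 2u = two-letter code, d = dotted
    (hostname-like), w = single bare word, p = phrase with spaces, o = other."""
    if re.fullmatch(r"[A-Z]{2}", value):
        return "2u"
    if "." in value:
        return "d"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "w"
    if " " in value:
        return "p"
    return "o"


def dn_skeleton(dn: str) -> str:
    """Structure of a DN with the literal values abstracted away."""
    return " ".join(f"{attr}:{value_class(v)}" for attr, v in parse_dn(dn))


def is_self_signed(host: Dict[str, str]) -> bool:
    return host["subject_dn"] == host["issuer_dn"]


def skeleton_histogram(hosts: List[Dict[str, str]]) -> Counter:
    """Step 1: which subject structures recur among self-signed certs?
    A cluster here is the candidate for a signature."""
    return Counter(dn_skeleton(h["subject_dn"]) for h in hosts if is_self_signed(h))


# Step 2: a hypothetical signature for the recurring skeleton, written over the
# raw DN string so the same expression can be reused as a field regex.
RAW_DN_SIGNATURE = re.compile(
    r"^C=[A-Z]{2}, ST=[A-Za-z]{3,7}, L=[A-Za-z]{5,9}, O=[A-Za-z]{5,9}, CN=[^,]+$"
)


def find_matches(hosts: List[Dict[str, str]],
                 signature: "re.Pattern[str]" = RAW_DN_SIGNATURE,
                 require_self_signed: bool = True) -> List[str]:
    """IPs whose leaf certificate subject matches the signature."""
    return [
        h["ip"] for h in hosts
        if (is_self_signed(h) or not require_self_signed)
        and signature.search(h["subject_dn"])
    ]


if __name__ == "__main__":
    for skeleton, n in skeleton_histogram(SAMPLE_HOSTS).most_common():
        print(f"{n:3d}  {skeleton}")
    print("matches:", find_matches(SAMPLE_HOSTS))
```

Run it directly to print the skeleton histogram and the matching IPs. The signature is written over the raw DN string on purpose: the skeleton is only an offline aid for spotting the cluster, while a regex over the stored subject_dn text is the form that can be carried into the kind of Censys field query the posts build.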

Falco

Tim Berghoff at G Data

12/01/2023, G DATA Blog. During an incident response, looking for malware is often akin to looking for a needle in a haystack. To complicate matters further, in the case of Cobalt Strike you often have no idea what that needle even looks like. And time is not on your side. Hidden signals. The configuration is key. Cobalt Strike is essentially a tool that is used for red teaming, an attack simulation that helps to closely simulate the processes of a real attack. The responsible departments within a...

GreyNoise

Glenn Thorpe, November 29, 2023. 2023-11-30 UPDATE: Ron Bowes of the GreyNoise Labs team has made some updates to the deep dive into this critical vulnerability in ownCloud’s Graph API. 2023-11-29 UPDATE: Ron Bowes of the GreyNoise Labs team has put together a deep dive into this critical vulnerability in ownCloud’s Graph API. Ron discusses the exploit, its impact on Docker installations, and our comprehensive testing process, here at GreyNoise. 2023-11-27 ORIGINAL POST: On November 21, 2023, ow...

Ron Bowes at GreyNoise Labs

Explore our deep-dive into CVE-2023-49103, a critical vulnerability in ownCloud’s Graph API. We discuss the exploit, its impact on Docker installations, and our comprehensive testing process. Learn about the role of Apache’s mod_rewrite and the htaccess.RewriteBase rule in mitigating the vulnerability. Ideal for cybersecurity professionals and technologists. Tags: owncloud, vulnerabilities, podman, docker, disclosure. Author: Ron Bowes. Published November 29, 2023. 2023-12-01 Update #3: Rapid7 has released...

Hackopia

Every time I see a new cyber incident on the news, or start working on a new incident, the first question that pops up in my mind (much like many other Digital Forensics and Incident Response (DFIR) professionals) is How did they get in?! That innate human characteristic of curiosity (and a bit of nosiness) creeps up and one of the most frustrating parts about the DFIR profession is not getting to the root cause of initial access. What is Initial Access? Initial access into a corporate network i...

Haircutfish

TryHackMe Wireshark: Traffic Analysis — Task 5 Tunneling Traffic: DNS and ICMP & Task 6 Cleartext Protocol Analysis: FTP. Haircutfish, 12 min read, Nov 25. If you haven’t done tasks 3 and 4 yet, here is the link to my write-up of them: Task 3 ARP Poisoning & Man In The Middle and Task 4 Identifying Hosts: DHCP, NetBIOS and Kerberos. Getting the VM Started. Starting at Task 1, you will see the green Start Machine button. Click this button to get the VM started. Scroll to the top where the ...

Human Security

By Satori Threat Intelligence and Research Team Nov 30, 2023 Research & Detection, Account Takeover, Threat Intelligence Researchers: Gabi Cirlig, Adam Sell, Arik Atar ScrubCrypt is an obfuscation tool threat actors use to help slip malware past antivirus software, allowing them to launch attacks that might otherwise be stopped. HUMAN’s Satori Threat Intelligence Team recently uncovered a new build of ScrubCrypt available for sale in underground communities and used in attacks on HUMAN customers...

Huntress

During the various phases of an attack, it’s not uncommon for threat actors to use “living off the land” binaries (LOLBins) or scripts and libraries (LOLBAS). Doing so means that the threat actor has fewer tools to bring with them, and it also reduces their chances of being detected because they’re hiding amongst seemingly normal activity within the environment. There are a number of tools provided in a ...

Threat actors of varying types continue to target managed file transfer (MFT) applications for exploitation. The latest concerning MFT vulnerability was identified by Converge Technology Solutions, originally in August 2023 impacting CrushFTP. Following responsible disclosure to the vendor, the vulnerability was publicly disclosed on November 16, 2023 as CVE-2023-43117. What follows is the Huntress team'...

Infoblox

DNS Early Detection – ROMCOM. November 30, 2023. Infoblox’s DNS Early Detection Program utilizes proprietary techniques to identify potentially malicious domains at the earliest opportunity. The program shares our recent analysis of malicious domains disclosed through public OSINT, contrasting it with our preliminary identification of these domains as suspicious. Threat actors have refined their techniques, causing most of the potential damage before malicious domains are identified and shared throu...

William MacArthur at InQuest

Kostas

Behind the Scenes: The Daily Grind of Threat Hunter. Kostas, 7 min read, 4 days ago. I recently shared a command on Twitter and asked folks if they thought this was something fishy. I want to take this opportunity to walk you through the steps that a threat hunter takes in day-to-day operations. This includes formulating a hypothesis, developing a query, and conducting an investigation. Below is the poll I shared on Twitter and the final results that show the majority of people who t...

Bert-Jan Pals at KQL Query

Bert-Jan Pals. Filed under: KQL, Sentinel, Defender For Endpoint, Threat Hunting. 2023-11-29, 2660 words, 13 minutes. Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query. This is done ba...

Land of Jacob’s Musings

YARA and Me: Contributing to YARA's Upcoming Release. Published at Nov 30, 2023. Tags: YARA, YARA-X, software engineering. YARA and Me. I’ve spent a fair amount of time lately developing bits and pieces of the Mach-O module for YARA-X, which is the next iteration of the YARA ecosystem that is likely nearing its first release in the near future. I began by starting to write features for YARA (the one written in C), but was advised by Victor Alvarez (the original author and continued maintainer of the YARA e...

Bill Cozens at Malwarebytes

Posted: November 28, 2023 by Bill Cozens. We’ve told you about ransomware-as-a-service (RaaS) gangs; we’ve told you about living off the land (LOTL) attacks. What do you get when you bring the two together? Bad news. Our recent report, Threat Brief: Ransomware Gangs & Living Off the Land Attacks, takes a deep dive into why the intersection of these two threats is so dangerous. Ransomware gangs use LOTL attacks to carry out their malicious activities using legitimate IT administration tools like P...

Lauren Parker at MITRE-Engenuity

Attack Flow for Turla. Lauren Parker, published in MITRE-Engenuity, 4 min read, 4 days ago. MITRE Engenuity’s Center for Threat-Informed Defense and ATT&CK Evaluations have collaborated to release Attack Flow for Turla. The attack flow focuses on the adversary emulated during the 5th round of Enterprise Evaluations (2023) and combines elements of the emulation plan and the evaluation criteria to create a comprehensive diagram of the incident. You’ll be able to use the attack flow to l...

Mostafa Yahia

Hunting for AMSI Bypassing Methods. Mostafa Yahia, 5 min read, 4 days ago. Introduction to AMSI. AMSI (Antimalware Scan Interface) is a Windows software component provided by Microsoft to be integrated with any application to scan user inputs such as executed scripts and commands. For example, antivirus products are usually integrated with AMSI to check for any script-based malware or suspicious command executions by PowerShell. How AMSI works. Let's say that you have an AV product t...
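To make the hunting side concrete, here is an added example of my own (not from the post) that runs over constructed PowerShell Script Block Logging events (Event ID 4104): it normalizes the script text to undo the string concatenation, backtick and [char] tricks commonly used to hide the AmsiUtils / amsiInitFailed / AmsiScanBuffer names, then matches a small indicator list plus the reflection pattern that flips a private static field. The event records and host names are constructed.

```python
"""Hunting AMSI bypass attempts in PowerShell Script Block Logging (Event ID 4104).

Added example, not from the post above. It assumes script block logging is on
and the ScriptBlockText of each 4104 event is available as text. The events
are constructed; the indicator list is the set of names that most public AMSI
bypass snippets touch, and normalize() undoes the cheap obfuscations usually
applied to hide them from string matching.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Name -> regex, evaluated against the normalized (lower-cased, de-obfuscated) text.
INDICATORS = [
    ("amsiutils", re.compile(r"amsiutils")),
    ("amsiinitfailed", re.compile(r"amsiinitfailed")),
    ("amsiscanbuffer", re.compile(r"amsiscanbuffer")),
    ("amsicontext", re.compile(r"amsicontext")),
    ("amsiopensession", re.compile(r"amsiopensession")),
    ("amsi.dll", re.compile(r"amsi\.dll")),
]
# Reflection shape used to flip a private static field, independent of names.
REFLECTION_RE = re.compile(r"getfield\(.*?nonpublic.*?\)\.setvalue\(")

# Constructed 4104 events; only ScriptBlockText and Computer are used.
SAMPLE_4104: List[Dict[str, object]] = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 4104, "Computer": "WS02",   # textbook field flip, no obfuscation
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "Computer": "WS03",   # string concatenation
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.'+$('Am'+'si'+'Ut'+'ils'))"
                        ".GetField(('am'+'siIn'+'itFailed'),'NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "Computer": "WS04",   # split across variables
     "ScriptBlockText": "$a=[Ref].Assembly.GetType(('System.Management.Automation.A'+'msiUtils'));"
                        "$b=$a.GetField(('a'+'msiInitFailed'),'NonPublic,Static');$b.SetValue($null,$true)"},
    {"EventID": 4104, "Computer": "WS05",   # char-code assembly of an API name
     "ScriptBlockText": "$m=[char]65+[char]109+[char]115+[char]105+'ScanBuffer'"},
    {"EventID": 4104, "Computer": "WS06",
     "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
]


def normalize(script: str) -> str:
    """Collapse common string-building tricks so indicators become contiguous."""
    s = re.sub(r"\[char\](\d+)", lambda m: chr(int(m.group(1))), script)  # [char]65 -> A
    s = s.lower()
    s = s.replace("`", "")                                    # a`m`si -> amsi
    s = re.sub(r"[\"']\s*\+\s*[\"']", "", s)                  # 'am'+'si' -> 'amsi'
    s = re.sub(r"[\"']", "", s)                               # drop remaining quotes
    s = re.sub(r"(?<=\w)\+(?=\w)", "", s)                     # a+m+s+i -> amsi
    return re.sub(r"\s+", " ", s).strip()


@dataclass
class Hit:
    computer: str
    indicators: List[str]
    script: str


def hunt_amsi_bypass(events: List[Dict[str, object]]) -> List[Hit]:
    """Return one Hit per 4104 event whose normalized text matches any indicator."""
    hits: List[Hit] = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = normalize(str(ev.get("ScriptBlockText", "")))
        found = [name for name, rx in INDICATORS if rx.search(text)]
        if REFLECTION_RE.search(text):
            found.append("reflection")
        if found:
            hits.append(Hit(str(ev["Computer"]), found, text))
    return hits


if __name__ == "__main__":
    for hit in hunt_amsi_bypass(SAMPLE_4104):
        print(f"{hit.computer}: {', '.join(hit.indicators)}")
```

The normalization is lossy on purpose: it will also glue together unrelated `a+b` arithmetic, which is acceptable for a hunt (you read the hits) but not for a blocking control. Indicator matching on names alone misses bypasses that patch AmsiScanBuffer in memory from native code; those need a different data source than script block text.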

Obsidian Security

Red Canary

Salim Salimov

Hunting Malware in Sysmon Logs with Splunk. Salim Salimov, 11 min read, 4 days ago. Hello Medium, today my story is about finding malicious activities after an infection brought to a company network by a malicious document. A few words about the tools I will be using: 1. A sample EVTX log file created by Sysmon (file name: 5295-win82-sysmon.evtx). Sysmon is a Microsoft Windows system activity logging tool. Its logs can be viewed and analyzed using the Windows integrated Event V...

SANS Internet Storm Center

Scans for ownCloud Vulnerability (CVE-2023-49103). Published: 2023-11-27. Last Updated: 2023-11-27 14:22:54 UTC by Johannes Ullrich (Version: 1). Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to ad...

Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]. Published: 2023-11-27. Last Updated: 2023-11-29 02:12:28 UTC by Guy Bruneau (Version: 1). [This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the SANS.edu BACS program] Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet. The first thing you may ask yourself is, “What is a honeypot?” In short, it is a magnificent tool that can be ...

Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today. Published: 2023-11-30. Last Updated: 2023-11-30 03:34:23 UTC by John Bambenek (Version: 1). Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this looking at new URL strings to our honeypot network, and so far on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26, a quick litt...

Securelist

Malware reports, 01 Dec 2023. Table of Contents: Quarterly figures; Quarterly highlights; Mobile threat statistics; Distribution of detected mobile malware by type; TOP 20 most frequently detected mobile malware programs; Region-specific malware; Mobile banking Trojans; Mobile ransomware Trojans. Authors: Anton Kivva. Related: IT threat evolution in Q3 2023; IT threat evolution in Q3 2023. Non-mobile statistics; IT threat evolution in Q3 2023. Mobile statistics. These statistics are based on detection verdicts of ...

Malware reports, 01 Dec 2023. Table of Contents: Targeted attacks; Unknown threat actor targets power generator with DroxiDat and Cobalt Strike; Analysis of samples exploiting CVE-2023-23397 vulnerability; Common TTPs in attacks on industrial organizations; Evil Telegram doppelganger used to target people in China; Other malware; Possible supply-chain attack on Linux machines; The Cuba ransomware gang; Leaked Lockbit 3 builder; The evolving world of crimeware; A cryptor, a stealer and a banking Trojan. Auth...

Malware reports, 01 Dec 2023. Table of Contents: Quarterly figures; Financial threats; Financial threat statistics; Geography of financial malware attacks; Ransomware programs; Quarterly trends and highlights; Vulnerability exploitation; More attacks on healthcare; Most prolific groups; Number of new modifications; Number of users attacked by ransomware Trojans; Geography of attacked users; TOP 10 most common families of ransomware Trojans; Miners; Number of new miner modifications; Number of users attacked by miner...

SentinelOne

November 29, 2023, by Jim Walter. A little over a year ago, we described how ransomware operators had evolved their tactics from simple file locking to more sophisticated forms of extortion in Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion. Since then, cybercrime actors have not stood still, and we are currently seeing the emergence of a brace of new tactics to wrest funds out of organizations and their clients in the wake of a business network compromise....

November 30, 2023, by Jim Walter. Earlier this week, CISA released an advisory warning of active exploitation of Programmable Logic Controllers (PLCs) used in Water and Wastewater treatment plants following intrusions into two U.S. critical infrastructure installations. The advisory and attacks come in the wake of increased public threats made by the Iran-backed Cyber Av3ngers “hacktivist” group to target industries using Israeli-manufactured OT and ICS equipment. In this post, we describe the...

Sophos

Written by Younghoo Lee, Ben Gelman, November 27, 2023. AI Research. Generative artificial intelligence technologies such as OpenAI’s ChatGPT and DALL-E have created a great deal of disruption across much of our digital lives. Creating credible text, images and even audio, these AI tools can be used for both good and ill. That includes their application in the cybersecurity space. While Sophos AI has been working on ways to integra...

Despite concern over illicit applications of ChatGPT and similar models, Sophos X-Ops’ exploration of cybercrime forums suggests many threat actors are still skeptical – and wrestling with the same issues and problems as the rest of us. Written by Sophos X-Ops, November 28, 2023. Threat Research. A significant amount of media coverage followed the news that large language models (LLMs) intended for use by cybercriminals – inclu...

Cody Thomas at SpecterOps

Cody Thomas, published in Posts By SpecterOps Team Members, 9 min read, 4 days ago. TL;DR: Mythic v3.2 has Push C2, Interactive Async Tasking, TypedArray parameters, new graphing libraries in the UI, database migrations, dynamic file browser groupings, and more! Fill out this survey to help make it better and guide its development going forward. Mythic v3.2. It’s been a few months since the last Mythic update, so it’s time to release a new ver...

Stephan Wolfert

Detecting RBCD abuse in a sea of Active Directory logs. Posted on November 29, 2023 by Stephan Wolfert. TL;DR: Resource-Based Constrained Delegation abuse is a privilege escalation technique which can be visible and detectable! Where do we start for detectability? What is Resource-Based Constrained Delegation (“RBCD”)? RBCD is a security feature which allows an administrator to delegate permissions in order to securely manage resources. Essentially, RBCD allows an object to access specific resource...
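One concrete way to make RBCD abuse visible, as an added example that is not the post's own detection: the Python below reads constructed Directory Service Changes events (Event ID 5136) and flags writes to msDS-AllowedToActOnBehalfOfOtherIdentity, raising severity when the writer is not an approved delegation admin, and further when the same principal created a computer account (Event ID 4741) minutes earlier, the usual shape of the MachineAccountQuota path. It assumes 5136 auditing is enabled with a SACL on computer objects; the accounts, DNs and the approved-admin set are hypothetical.

```python
"""Flagging writes to msDS-AllowedToActOnBehalfOfOtherIdentity in AD audit logs.

Added example, not the detection from the post above. It assumes Directory
Service Changes auditing is enabled with a SACL on computer objects, so that
attribute writes produce Event ID 5136, and that computer-account creation
produces Event ID 4741. The events are constructed; the approved-admins set is
a hypothetical per-environment tuning knob.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"    # 5136 OperationType: Value Added
VALUE_DELETED = "%%14675"  # 5136 OperationType: Value Deleted

# Hypothetical: principals allowed to configure delegation in this domain.
APPROVED_DELEGATION_ADMINS: Set[str] = {"CORP\\svc-addeploy"}

# Constructed events in the field naming of the Windows Security log.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"TimeCreated": "2023-11-29T09:00:00", "EventID": 4741,   # jdoe creates a machine account
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "TargetUserName": "FAKEPC$"},
    {"TimeCreated": "2023-11-29T09:04:00", "EventID": 5136,   # ...then points FS01's RBCD at it
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectDN": "CN=FS01,OU=Servers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTRIBUTE, "OperationType": VALUE_ADDED},
    {"TimeCreated": "2023-11-29T09:30:00", "EventID": 5136,   # cleanup after use
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectDN": "CN=FS01,OU=Servers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTRIBUTE, "OperationType": VALUE_DELETED},
    {"TimeCreated": "2023-11-29T09:45:00", "EventID": 5136,   # unrelated attribute
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectDN": "CN=WS07,OU=Workstations,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"TimeCreated": "2023-11-29T10:00:00", "EventID": 5136,   # legitimate change
     "SubjectUserName": "svc-addeploy", "SubjectDomainName": "CORP",
     "ObjectDN": "CN=APP01,OU=Servers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTRIBUTE, "OperationType": VALUE_ADDED},
    {"TimeCreated": "2023-11-29T10:05:00", "EventID": 4624,   # noise
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]


@dataclass
class Finding:
    severity: str
    actor: str
    target: str
    reason: str


def actor_of(ev: Dict[str, object]) -> str:
    return f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"


def detect_rbcd_changes(events: List[Dict[str, object]],
                        approved: Set[str] = APPROVED_DELEGATION_ADMINS,
                        creation_window_minutes: int = 30) -> List[Finding]:
    """Walk events in time order and score every RBCD attribute write."""
    window = timedelta(minutes=creation_window_minutes)
    findings: List[Finding] = []
    last_machine_creation: Dict[str, datetime] = {}  # actor -> time of its last 4741
    for ev in sorted(events, key=lambda e: str(e["TimeCreated"])):
        ts = datetime.fromisoformat(str(ev["TimeCreated"]))
        actor = actor_of(ev)
        if ev.get("EventID") == 4741:
            last_machine_creation[actor] = ts
            continue
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != RBCD_ATTRIBUTE:
            continue
        target = str(ev["ObjectDN"])
        op = ev.get("OperationType")
        if op == VALUE_DELETED:
            findings.append(Finding("medium", actor, target,
                                    "RBCD cleared; check whether it was set shortly before"))
        elif op == VALUE_ADDED and actor in approved:
            findings.append(Finding("low", actor, target, "RBCD set by approved delegation admin"))
        elif op == VALUE_ADDED:
            created = last_machine_creation.get(actor)
            if created is not None and ts - created <= window:
                findings.append(Finding("critical", actor, target,
                                        "RBCD set by non-approved principal minutes after it created a computer account"))
            else:
                findings.append(Finding("high", actor, target, "RBCD set by non-approved principal"))
    return findings


if __name__ == "__main__":
    for f in detect_rbcd_changes(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.actor} -> {f.target}: {f.reason}")
```

The AttributeValue of a 5136 for this attribute is a binary security descriptor, so the code scores on who wrote it and when rather than decoding the value; resolving the SID inside it to the newly created machine account is the natural next correlation if the hunt needs to be tighter.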

Sygnia

November 29, 2023 Protect your organization by monitoring the monitors – a critical defense against cyber threats. First published on spiceworks, November 6, 2023 Discover cybersecurity’s overlooked but critical aspect: monitoring the monitors. Learn why it’s vital to protect against cyber threats by monitoring human and technical monitors, says Yotam Meitar, director of incident response at Sygnia. While responding to one of the most sophisticated attacks we’ve encountered in recent years, our ...

Tamara Chacon at Splunk

By Tamara Chacon, December 01, 2023. When hunting, advanced security Splunkers use apps. Specifically, three related apps from an incredibly generous man named Cedric Le Roux! (You can guess from the name that yes, he's French.) And frankly, you probably only know one: URL Toolbox. One of the most popular Splunk security apps of all time, URL Toolbox’s URL parsing capabilities have been leveraged by thousands who want to separate subdomain, domain, and top level domain (TLD) from a URL. Thi...

By Tamara Chacon, December 01, 2023. In Parsing Domains with URL Toolbox, we detailed how you can pass a fully qualified domain name or URL to URL Toolbox and receive a nicely parsed set of fields that includes the query string, top level domain, subdomains, and more. In this article, we are going to do some nerdy analytic arithmetic on those fields. So, if you haven’t read that previous post, go check it out and then come back here... we’ll wait. ... OK, you’re back! So what do we mean by...
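As an added example (not Splunk's code and not URL Toolbox itself), here is a small Python equivalent of the parse-then-compute workflow the two posts describe: split a URL or FQDN into ut_subdomain / ut_domain / ut_tld against a public-suffix list, then run a calculation over the resulting fields. The suffix list is a constructed six-entry stand-in for the real one, and Shannon entropy stands in for whatever arithmetic the second post performs, which the excerpt does not show; URL Toolbox does expose entropy as ut_shannon.

```python
"""Splitting a URL or FQDN into subdomain / domain / TLD, URL Toolbox style.

Added example: not Splunk's, not Cedric Le Roux's, and not URL Toolbox itself.
The public-suffix list is a constructed six-entry stand-in for the real one;
the output field names follow the ut_* naming of the app. shannon_entropy() is
one example of the arithmetic one then runs on the parsed fields (URL Toolbox
ships it as ut_shannon); which calculations the second post actually walks
through is not visible in the excerpt above.
"""
import math
from collections import Counter
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed, deliberately tiny st-in for the public suffix list.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "io", "co.uk", "org.uk"}


def hostname_of(value: str) -> str:
    """Accept a bare FQDN or a full URL and return the lower-cased host."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def split_fqdn(value: str, suffixes: Set[str] = PUBLIC_SUFFIXES) -> Dict[str, Optional[str]]:
    """Return ut_subdomain / ut_domain / ut_domain_without_tld / ut_tld.
    The longest matching public suffix wins, so 'co.uk' beats 'uk'."""
    labels = hostname_of(value).rstrip(".").split(".")
    tld = None
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            tld = candidate
            break
    empty = {"ut_subdomain": None, "ut_domain": None, "ut_domain_without_tld": None, "ut_tld": tld}
    if tld is None:
        return empty
    rest = labels[: len(labels) - (tld.count(".") + 1)]
    if not rest:          # the host is a bare public suffix
        return empty
    return {
        "ut_subdomain": ".".join(rest[:-1]) or None,
        "ut_domain": f"{rest[-1]}.{tld}",
        "ut_domain_without_tld": rest[-1],
        "ut_tld": tld,
    }


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


if __name__ == "__main__":
    for sample in ("https://www.example.co.uk:8443/path?q=1", "mail.corp.example.com",
                   "a7f3k9q2z.example.net", "localhost"):
        parts = split_fqdn(sample)
        print(sample, parts, round(shannon_entropy(parts["ut_subdomain"] or ""), 2))
```

Two points carry over to the Splunk side: a host that does not end in a known suffix (localhost, an internal short name) yields null fields rather than a bogus domain, and a multi-label suffix such as co.uk has to be matched as a whole or every UK host will be parsed as domain "co.uk" with the real name pushed into the subdomain.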

Taz Wake

John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert at The Citizen Lab

We confirm that two members of Serbian civil society were targeted with spyware earlier this year. Both have publicly criticized the Serbian government. We are not naming the individuals at this time by their request. The Citizen Lab’s technical analysis of forensic artifacts was conducted in support of an investigation led by Access Now in collaboration with the SHARE Foundation. Researchers from Amnesty International independently analyzed the cases and their conclusions match our findings. Cl...

Alexandre Mundo and Max Kersten at Trellix

By Alexandre Mundo, Max Kersten, November 29, 2023. First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner workings to empower blue teams to create additional defensive rules outside of their already in-place security. Analysed sample: MD5 f526a8ea744a8c5051deefbf2c6010af; SHA-1 d4f6241abe5f46e6b18f10da95d004924eac4ed3; SHA-256 8bfa4c...