解析メモ (Analysis Notes)

A place for notes from trying my hand at malware analysis and for anything that looks useful for analysis. This site uses Google Analytics.

4n6 Week 52 – 2023 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically: it shows the opening of each article featured in This Week in 4n6 (FourAndSix = Forensics) so that I can quickly skim for the articles worth checking. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Bill Stearns at Active Countermeasures

Adam Goss

Adam Goss · 10 min read · 6 days ago. You have probably heard of the term cyber threat intelligence (CTI) before. It is constantly cited on social media, makes cyber security news daily, and is a top feature on every security vendor's newest tool. But what is cyber threat intelligence? CTI is a game changer for many organizations that need to battle the latest threats emerging on the cyber security landscape, and it can be used at both the operational and strategic levels. This guide ...

Akamai

Antonio Formato

Enhancing Cyber Threat Intelligence with TI Mindmap GPT: Integration of Azure OpenAI and advanced features. Subtitle: Multi-Language Support, IOC Extraction, and BYOK Model Integration in TI Mindmap GPT. Antonio Formato · 7 min read · 6 days ago. Over the past few months, I have been deeply exploring the potential of Generative AI to support Infosec Professionals across various scenarios. My focus has been on how Azure OpenAI-based applications can meet specific demands in cyber threat intelligence. My...

ASEC

In November 2023, AhnLab Security Emergency response Center (ASEC) published a blog post titled “Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)” [1] which covered cases of the Andariel threat group exploiting the CVE-2023-46604 vulnerability to install malware. This post not only covered attack cases of the Andariel group but also those of HelloKitty Ransomware, Cobalt Strike, and Metasploit Meterpreter. Since then, the Apache ActiveMQ vulnerabil...

AttackIQ

Pete Herzog at Blackberry

Sneaky GPU.zip Technique Steals Sensitive Information From Your Graphics Card. Cybersecurity / 12.21.23 / Pete Herzog. Summary: Researchers from four top American universities have uncovered a new way for threat actors to sneakily access visual information from your graphics card while you're online and browsing certain websites. The researchers call this threat "GPU.zip," because it takes advantage of the hidden data compression methods u...

Lawrence Abrams at BleepingComputer

Brad Duncan at Malware Traffic Analysis

2023-12-18 (MONDAY): TA577 PIKABOT INFECTION WITH COBALT STRIKE
REFERENCE:
//www.linkedin.com/posts/unit42_ta577-pikabot-cobaltstrike-activity-7142625078227156992-Cmvd
//twitter.com/Unit42_Intel/status/1736859404157276596
ASSOCIATED FILES:
2023-12-18-IOCs-for-TA577-Pikabot-with-Cobalt-Strike.txt.zip 1.7 kB (1,704 bytes)
2023-12-18-TA577-Pikabot-infection-with-Cobalt-Strike.pcap.zip 8.5 MB (8,513,912 bytes)
2023-12-18-TA577-Pikabot-malware-and-artifacts.zip 2.2 MB (2,230,359 bytes)
Click here to ...

Bridewell

Hunting for Ursnif. Bridewell's Cyber Threat Intelligence (CTI) team has uncovered Ursnif infrastructure that has been used in campaigns during 2023, infrastructure which has seen extremely low detection, or no detection, by security vendors. Our team believes that this infrastructure has yet to be used by the operators of the Ursnif malware. This infrastructure can be linked together by the unique attributes of the C2 servers used by the operators, predomi...

Bridewell and Group-IB Uncover Possible BlackByte Victim Data. As part of ongoing research and monitoring activities into prominent ransomware groups, Bridewell Cyber Threat Intelligence (CTI) identified an exposed server hosted in Russia that appeared to host stolen data belonging to victims of the ransomware group BlackByte. The server contained 38 subdirectories named after organisations across the globe. A number of these organisations had not been poste...

Cado Security

CERT Ukraine

CERT-AGID

The Vidar malware attacks PEC in Italy once again. 20/12/2023. Tags: PEC, Vidar, Posta Elettronica Certificata message. A new malspam campaign aimed at mass-distributing the Vidar malware through Posta Elettronica Certificata (PEC, certified e-mail) messages has been countered. The campaign lasted just 20 minutes, from 00:07 to 00:27, but this short window was still enough to reach a considerable number of PEC mailboxes. Unlike the campaigns detected in ...

Check Point

Research, December 22, 2023. Navigating the Perilous Waters of Crypto Phishing Attacks. By Check Point Research (Oded Vanunu, Dikla Barda, Roman Zaikin). Key Highlights: · Check...

Yehuda Gelb at Checkmarx Security

Yehuda Gelb, published in checkmarx-security · 6 min read · 2 days ago. In early December, a number of malicious Python packages captured our attention, not just because of their malicious nature but for the cleverness of their deployment strategy. The threat actors behind these packages deviated from conventional tactics, introducing a nuanced twist in their approach. The first notable tactic was the exploitation of GitHub, a platform synonymous with trust and reliability within the d...

CISA

Release Date: December 18, 2023. Alert Code: AA23-352A. Related topics: Cyber Threats and Advisories, Malware, Phishing, and Ransomware. Actions to take today to mitigate cyber threats from Play ransomware: Prioritize remediating known exploited vulnerabilities. Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems. Regularly patch and update software and applications to their latest versions and conduct...

Release Date: December 19, 2023. Alert Code: AA23-353A. Actions to take today to mitigate against the threat of ransomware: Routinely take inventory of assets and data to identify authorized and unauthorized devices and software. Prioritize remediation of known exploited vulnerabilities. Enable and enforce multifactor authentication with strong passwords. Close unused ports and remove applications not deemed necessary for day-to-day operations. SUMMARY: Note: This joint Cybersecurity Advisory (CSA) is ...

Mike Gentile, Asheer Malhotra and Vitor Ventura at Cisco’s Talos

By Vitor Ventura, Thursday, December 21, 2023 11:00. Threat Spotlight by Mike Gentile, Asheer Malhotra and Vitor Ventura. Editor's note: This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023. Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by sp...

Cybereason

Written By Cybereason Security Research Team Cybereason issues Threat Alerts to inform customers of emerging threats, including critical vulnerabilities such as CitrixBleed. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them. WHAT'S HAPPENING? The Cybereason Security Services team is investigating incidents that involve the exploitation of a critical vulnerability which exists in NetScaler ADC (previously Citrix ADC) and Citrix Gate...

Cyfirma

Published On : 2023-12-22 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Industries: Apparel Retailers, Business Support Services, Chemicals, Construction, Food, IT, Manufacturing, Oil & Gas, Retail, Semiconductors,...

Deep Instinct

December 21, 2023. Threat Actor 'UAC-0099' Continues to Target Ukraine. Deep Instinct Threat Lab. Key Takeaways: "UAC-0099" is a threat actor that has targeted Ukraine since mid-2022. Deep Instinct Threat Lab has identified new attacks by the threat actor. The threat actor was observed leveraging CVE-2023-38831. The threat actor targets Ukra...

Dragos

Kyle O'Meara. Written in partnership with Michael Gardner, who previously worked as an Intelligence Technical Account Manager at Dragos, Inc. Threat hunting is an intimidating topic in security operations discussions – and becomes even more so when plans are made to traverse the information technology – operational technology (IT-OT) boundary in scheduled hunts. Despite the intimidation factor, OT-based threat hunts can be a fruitful process ...

EclecticIQ

This issue of the Analyst Prompt addresses details of Star Blizzard APT Group's spear-phishing campaigns, abuse of AWS secure token services for cloud breaches, and exploitation of the Outlook CVE-2023-23397 vulnerability targeting NATO forces. Arda Büyükkaya – December 22, 2023 Spear-Phishing Operations of Star Blizzard APT Group Attributed to Russian Intelligence Agency FSB A joint report from the Five Eyes intelligence alliance, published on December 7, 2023, reveals the cyber operations of R...

Paul Asadoorian at Eclypsium

Emanuele De Lucia

Posted on December 21, 2023 / December 22, 2023. In recent days, the FBI was entrenched in a virtual struggle against the ransomware group known as ALPHV / BlackCat. This engagement unfolded subsequent to the FBI gaining control of the underlying infrastructure that the group had utilized to amass over $300 million in ransoms. In the early hours of Dec. 19, 2023, the darkweb website associated with the BlackCat DLS (Dedicated Leak Site) started showing a banner explicitly indicating its seizure as re...

Esentire

Recent eSentire blog posts: Dec 18, 2023, "NextPHP" Phishing Campaign; Dec 07, 2023, DanaBot's Latest Move: Deploying Latrodectus. Security advisory, Dec 07, 2023, Qlik Sense Exploitation. The threat: eSentire has observed multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access into victim organizations. Qlik Sense is a popular data analytics…

Flashpoint

FBI offers decryption tool to over 500 victims around the world; additional victims encouraged to come forward. Flashpoint, December 20, 2023. "MIAMI – The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure." "Over the past 18 mo...

Florian Roth

Florian Roth · 7 min read · 4 days ago. Streamlined Public YARA Rule Collection. In the world of cybersecurity, alongside the traditional sharing of basic Indicators of Compromise (IOCs) like file hashes, filenames, C2 IP addresses, and mutex names, we now also have the advantage of using open signature formats such as YARA, Sigma, and Suricata. These formats enhance our capabilities by allowing for the sharing of threat information in a vendor-neutral way, and they have been a key f...

Pei Han Liao at Fortinet

FortiGuard Labs Threat Research. Bandook - A Persistent Threat That Keeps Evolving. By Pei Han Liao | December 21, 2023. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: R...

g0njxa

g0njxa · 15 min read · 3 days ago. Read about insights on real malware and spam campaigns based on the testimony of a victim and a threat actor! This post is sponsored by Malcore.io. Threat actors need to innovate in order to keep business going, and these operations can't be hidden, because people need to be fooled into clicking that link that would download something suspicious or get us onto a suspicious page. If a victim can reach the malicious content, we can also reach it! The m...

GreyNoise

Glenn Thorpe, December 20, 2023. Diverse Set of IPs Exploiting Atlassian Vulnerabilities, Not Just a Few Bad Actors. At GreyNoise, we focus heavily on analyzing data trends and anomalies, as they form a fundamental part of our business. While we collect a vast amount of data regarding unsolicited packets being transmitted across the internet, it is only meaningful if we look at the bigger picture. We have recently introduced some changes to our back-end system for calculating the trending and anomalou...

Nicole Fishbein and Ryan Robinson at Intezer

Written by Nicole Fishbein and Ryan Robinson - 20 December 2023

Jaron Bradley at The Mitten Mac

Jonathan Johnson

Jonathan Johnson · 9 min read · 5 days ago. A Write-Up by TrustedSec's Research Lead Carlos Perez and Binary Defense's Research Lead Jonathan Johnson. Originally posted on the Binary Defense page. Introduction: While it is important to discover new tradecraft, it is equally important to explore well-established and widely used techniques. The Binary Defense research team collaborated with the TrustedSec research team to dive into adversarial Lightweight Directory Access Protocol (LDAP)...

Jonathan Johnson · 11 min read · 5 days ago. Originally posted on the Binary Defense page, but authored by me. Introduction: Understanding Windows internals has always been fascinating to me because, whether someone does offensive or defensive work, understanding this information should be the foundation of that work. System privileges are one of the Windows OS components that you see used for various purposes, but there is not a lot of great understanding of why they are being used. SeDebugPriv...

Jonathan Johnson · 10 min read · 5 days ago. Originally posted on the Binary Defense page, but authored by me. Introduction: DLL Hijack-based attacks have been popular within the offensive community for several years. This technique has been used to achieve initial access, persistence, or privilege escalation in several environments. Due to the volume of DLL loads that happen in an environment, these attacks have historically been perceived as difficult to identify and detect. I th...

karttoon

20DEC2023 - The Origin of OriginLogger & Agent Tesla. By Jeff White (karttoon). After I published a blog at $dayjob on how I came to realize that what I thought was a sample of Agent Tesla turned out to actually be a new malware called OriginLogger, a fellow threat researcher botlabsDev reached out some months later. They had noticed that the two GitHub repositories I referenced for the profile "0xFD3" each had a commit from a differ...

KELA Cyber Threat Intelligence


KELA Cyber Intelligence Center. As we approach the end of 2023, the Hamas-Israel war still rages on, and so do the cyberattacks accompanying it. KELA selected 5 questions out of those we've been asked by our clients and partners (aside from "how are you?") in the past 70+ days, questions that represent the cybersecurity angle of a physical war. Why Should I Be Concerned About Cyberthreats if This is a Physical War? Unfortunately, hybrid warfare has been around for multiple worldwide geopolitical and military co...

Kevin Beaumont at DoublePulsar

Kevin Beaumont, published in DoublePulsar · 6 min read · 2 days ago. I monitor (in an amateur, clueless way) ransomware groups in my spare time, to see what intelligence can be gained from looking at victim orgs and what went wrong. Basically, I'm a giant big dork with too much free time. I've discovered two organisations with ransomware incidents, where the entry point appears to have been Exchange Server 2013 with Outlook Web Access enabled, where all available security updates were a...

Konrad Kaluzny

Konrad Kaluzny (Helping companies with cybersecurity: Threat Hunting, Detection Engineering, Threat Intelligence and more). Published Dec 17, 2023. For several years, attackers have been utilizing legitimate, commonly used Remote Monitoring and Management (RMM) software. Due to the extensive functionality of these tools, attackers can leverage the software for various activities, such as achieving persistence or creating a C2 communication channel. The selec...

Ujwal Thapa at Logpoint

By Ujwal Thapa | December 19, 2023 | 9 min read. Overview: Recently, CISA, along with the National Cyber Security Centre (NCSC) of the United Kingdom, the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the Federal Bureau of Investigation (FBI) of the United States published a report regarding Russian Foreign Intelligence Service (SVR)-affiliated cyber actors exploiting CVE-2023-42793, which allows an unauthenticated malicious actor to e...

Jérôme Segura at Malwarebytes

Posted: December 19, 2023 by Jérôme Segura. MetaStealer is a popular piece of malware that came out in 2022, leveraging the previous code base of RedLine. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between various groups. Threat actors have primarily used malspam as an infection vector to drop MetaStealer, as well as cracked software via stolen YouTube accounts, but it was at least once previously seen in a malvertising campaign. In the past w...

Michael Haag

Michael Haag, published in magicswordio · 6 min read · 2 days ago. Friends, we meet again for another behind-the-scenes look at the LOLDrivers project. Lurking in our backlog for some time was the integration of Trail of Bits' HVCI LOLDrivers Check script into the project. Our main goal was two-fold: first, to add a new tag in the YAML indicating whether a driver loads with HVCI enabled or not; and second, to generate files based on this information. This is crucial because it pinpoin...

Malla Reddy Donapati and Subhash Popuri at Microsoft Security Response Center

Azure Serial Console Attack and Defense - Part 2 MSRC, Microsoft Threat Hunting, Security Research / By Malla Reddy Donapati, Subhash Popuri / December 19, 2023 / 11 min read This is the second installment of the Azure Serial Console blog, which provides insights to improve defenders’ preparedness when investigating Azure Serial Console activity on Azure Linux virtual machines. While the first blog post discussed various tracing activities, such as using Azure activity and Sysmon logs on Windows...

MITRE-Engenuity

Kayla Kraines, published in MITRE-Engenuity · 5 min read · 5 days ago. Written by Melanie Chan and Kayla Kraines. Following the latest round of MITRE Engenuity's ATT&CK® Evaluations for Enterprise, the Center for Threat-Informed Defense (CTID) added two full emulation plans for the Russian state-sponsored threat actor Turla to the Adversary Emulation Library. MITRE Caldera™ can now run these emulation plans, which are focused on Turla's usage of Carbon and Snake, to execute automated at...

Maggie MacAlpine, published in MITRE-Engenuity · 6 min read · 5 days ago. Written by Maggie MacAlpine. Collecting and analyzing cyber threat intelligence (CTI) is a key activity within a cybersecurity program. However, the value of CTI is severely diminished if there's no way to act on it. At the Center for Threat-Informed Defense (Center), we aim to continually advance the community-wide understanding of adversary behaviors and make it much easier for security teams to operationalize ...

Nasreddine Bencherchali

SigmaHQ Rules Release Highlights - r2023-12-21. Nasreddine Bencherchali, published in Sigma_HQ · 6 min read · 3 days ago. //github.com/SigmaHQ/sigma/releases/tag/r2023-12-21. Sigma Rule Packages for 21-12-2023 are released and available for download. This release saw the addition of 21 new rules, 55 rule updates and 30 rule fixes by 17+ contributors. New Rules: Some highlights among the newer rules include new detections for Cloudflared, a tunneling tool by Cloudflare, covering additional flags...

Obsidian Security

OSArmor

Some QakBot and PikaBot variants have recently been reported to be delivered via Windows Installer (.msi) files digitally signed with valid certificates, with the intent of bypassing antivirus software and application whitelisting. In the case of QakBot, according to Microsoft Threat Intelligence, the first stage of the infection starts with a PDF file delivered via email that contains a link to download the digitally signed Windows Installer file. Once the .msi file is executed, it will drop a...

Axel F, Dusty Miller, Tommy Madjar and Selena Larson at Proofpoint

BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates. December 21, 2023. Axel F, Dusty Miller, Tommy Madjar and Selena Larson. Overview: Throughout the summer and fall of 2023, DarkGate entered the ring, competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint research...

Mohammad Amr Khan and Grace Chi at Pulsedive

Here's our 2023 roundup of cyber threat intelligence news: key exploited vulnerabilities, ransomware, and Pulsedive updates over the last year. Mohammad Amr Khan, Grace Chi, Dec 19, 2023 • 13 min read. Threat Recap: 2023 was a challenging yet interesting year for defenders, with several mass exploitation events that made headlines around the world. Apart from the exploitation of third-party software to steal data or gain initial access into environments, ransomware remained a common threat for organi...

Saeed Abbasi at Qualys

Raymond Roethof

Microsoft Defender for Identity NTLM Relay Attack. 19th Dec 2023 / 20th Dec 2023, by thalpius. Microsoft Defender for Identity can identify Lateral Movement Paths. Lateral Movement Paths allow malicious actors to hop from one device to another or from one account to another. For Microsoft Defender for Identity to identify these Lateral Movement Paths, it needs to know which user is a local administrator on domain member servers. Microsoft Defender for Identity uses the Security Account Manager Remote (SAM-...

Recorded Future

Posted: 14th December 2023. By: Levi Gundert, Dmitry Smilyanets, Candace Moix and Dylan Davis. Editor's note: The following blog post originally appeared on Levi Gundert's Substack page. The following inspects the mechanics and economies of stolen credentials and current security approaches. We also dig into why intelligence matters greatly for enterprises committed to managing IAM cyber risk and potentially seizing competitive opportunities. The simplest method for obtaini...

Red Canary

ReliaQuest

Resecurity

Cyber Threat Intelligence 21 Dec 2023 cybersecurity, analytics, predictions, 2024 Resecurity, a globally recognized Los Angeles-based cybersecurity company safeguarding Fortune 100 entities, has meticulously compiled a comprehensive forecast outlining the imminent threats and novel security challenges anticipated in the upcoming year. These projections stem from an in-depth analysis of the underground economy's evolution on the Dark Web and a thorough examination of significant incidents targeti...

Roy Akerman at Rezonate

SANS Internet Storm Center

Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518). Published: 2023-12-20, Last Updated: 2023-12-20 15:31:05 UTC, by Johannes Ullrich (Version: 1). Today, exploit attempts for CVE-2023-22518 cross the "significant" threshold for our "First Seen URLs" list. The URL being accessed, "/json/setup-restore.action?synchronous=true", can be used to bypass authentication [1]. Due to a failure to properly control access to this path, the attacker can execute the "setup-...
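The check a defender would run over Confluence front-end access logs for the path named in the diary, as an added example (this is not code from the ISC diary): it parses combined-format log lines, normalises the request path so that case changes, a context path or a ;param suffix cannot hide the action, and reports every hit on /json/setup-restore.action together with the status code, since the diary says the path bypasses authentication and a 2xx on it is what a successful attempt would look like, while a 403 suggests a WAF or proxy blocked it. The log lines, client IPs and the /confluence context path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache/nginx "combined" format; these lines are invented
# for the example and are not from the ISC diary. The last line shows a case and
# ;param variation that a naive substring match on the raw request would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2023:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2023:10:15:09 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [20/Dec/2023:10:16:40 +0000] "GET /rest/api/content HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.23 - - [20/Dec/2023:10:17:01 +0000] "POST /confluence/JSON/Setup-Restore.action;jsessionid=abc?synchronous=TRUE HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Path from the ISC diary. It is matched on the normalised path only, so the
# query string, letter case and ;params cannot hide it, and a context path
# in front of it (/confluence/...) is still matched.
SUSPECT_PATH = "/json/setup-restore.action"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target):
    """Lower-cased URL path with the query dropped and any ;param suffix removed."""
    path = urlsplit(target).path.lower()
    return path.split(";", 1)[0]


def is_setup_restore_request(target):
    return normalise_path(target).endswith(SUSPECT_PATH)


def find_setup_restore_attempts(log_text):
    """Return one record per request that touched the setup-restore action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_setup_restore_request(m["target"]):
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            # the exploit URL in the diary carries synchronous=true
            "synchronous": query.get("synchronous", [""])[0].lower() == "true",
            # a 2xx means the server accepted the request: treat as a likely bypass
            "likely_success": m["status"].startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_setup_restore_attempts(SAMPLE_LOG):
        print(hit)
```

The status code is what separates a blocked scan from a successful bypass, so it is kept on each record rather than collapsed into a single "seen" flag; the first sample line is the one worth paging someone about.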

Python Keylogger Using Mailtrap.io. Published: 2023-12-23, Last Updated: 2023-12-23 07:07:07 UTC, by Xavier Mertens (Version: 1). I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code:

from pynput import keyboard
from pynput.keyboard import Listener
...
keyboard_listener = keyboard.Listener(on_press=self.save_data)
with keyboard_listener:
    self.report()
    keyboard_listener.join()

This is not the mos...

Sansec

Sansec Threat Research, December 18, 2023. Found your Magento 2 store hacked recently? Chances are that attackers injected a malicious wish list. Just before Christmas? Oh the irony. In recent weeks, Sansec observed a spike in hacked Magento 2 stores. Our investigations led to a (likely) single attacker, who used a combination of clever techniques to bypass WAFs and competing threat actors. This article lists the methods and discovered attack code. Are you a merchant? Take these steps now. The entry v...

Sekoia

SentinelOne

December 18, 2023, by Rick Bosworth. In October, the first blog post in this series discussed the Static AI Engine. In this, the second installment of the Detection Engine blog series, we examine the SentinelOne Behavioral AI Engine. Although AI, and especially GenAI, is a very hot topic right now, SentinelOne has been using AI as a keystone of our technology since our founding in 2013. We hope that this blog series conveys to our customers, prospects, and stakeholders how our AI-powered agent in ...

December 19, 2023, by Jim Walter. In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. Several high-profile threat operators have continued to briefly disappear only to re-emerge, making for a more dynamic ransomware landscape. Highlighting the risks seen in the identity attack surface, we also continue to see the fallout from this season's onslaught of attacks against Identity Access Management (IAM) platforms specifically. Final...

Simone Kraus

Big Game Hunting - Vidar Server Infrastructure in Germany. Simone Kraus, published in OSINT TEAM · 5 min read · Dec 17. Scattered Spider and SVR? A few days ago, on 13.12.2023, CISA published a cybersecurity advisory on the Russian Foreign Intelligence Service (SVR), which globally exploits the JetBrains TeamCity CVE-2023-42793. By chance, I came across an interesting server constellation. For two CISA cybersecurity advisories, the one mentioned with the alert code AA23-347A and for Scat...

SOCRadar

Sophos

Social engineering drives password-stealing malware attack against the front desk. Written by Andrew Brandt, Sean Gallagher, December 19, 2023 (Threat Research). Sophos X-Ops is warning the hospitality industry that a campaign targeting hotels worldwide with password-stealing malware is using emailed complaints about service problems or requests for information as a social engineering lure to gain the trust of the campaign's ...

In the second of our new technical thought leadership series, Sophos X-Ops takes a detailed look at anti-ransomware techniques. Written by Mark Loman, Matt Wixey, December 20, 2023 (Threat Research). Ransomware is one of the most significant threats facing organizations today. Battling it is no easy task, particularly given that threat actors are continually refining their techniques and approaches. Recent shi...

Seven months after our first investigation, a fuller portrait of the criminal gang and its tactics emerges. Written by Morgan Demboski, December 21, 2023 (Security Operations, Threat Research). The Sophos MDR Threat Intelligence team previously published the blog Akira Ransomware is "bringin' 1988 back" in May 2023, roughly two months after the group is reported to have begun operations. Since the ransomware group's initial attacks in March, Akira has...

Symantec Enterprise

MuddyC2Go framework and custom keylogger used in attack campaign.Iranian espionage group Seedworm (aka Muddywater) has been targeting organizations operating in the telecommunications sector in Egypt, Sudan, and Tanzania. Seedworm has been active since at least 2017, and has targeted organizations in many countries, though it is most strongly associated with attacks on organizations in the Middle East. It has been publicly stated that Seedworm is a cyberespionage group that is believed to be a s...

Taz Wake

Linux Incident Response - understanding the heap and the stack. Taz Wake (Cyber security incident response | Threat hunting | Digital forensics | Certified SANS instructor & course author), published Dec 18, 2023. Introduction: In Linux, effective memory management puts the fun into the fundamentals of robust software development. This high-level article looks at the heap and stack, two critical components of...

VirusTotal

Recent posts (VTMondays): Protecting the perimeter with VT Intelligence - ma...; Protecting the perimeter with VT Intelligence - Em...

WeLiveSecurity

A view of the H2 2023 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. Jiří Kropáč, 19 Dec 2023, 2 min. read. The second half of 2023 witnessed significant cybersecurity incidents. Cl0p, a notorious cybercriminal group known for carrying out ransomware attacks on a major scale, garnered attention through its extensive "MOVEit hack", which surprisingly did not involve ransomware deployment. The attack targeted numerous organization...

You may get more than you bargained for when you buy a budget-friendly smartphone and forgo safeguards baked into Google Play. Roman Cuprik, Thomas Uhlemann, 20 Dec 2023, 7 min. read. When shopping for a new smartphone, you're likely to look for the best bang for your buck. If you're on the hunt for a top-of-the-range device but aren't keen on paying top dollar for it, offerings from lesser-known manufacturers will probably make your shortlist. Indeed, in the fiercely competitive smartphone market...

Kaivalya Khursale at ZScaler

Kaivalya Khursale, December 19, 2023, 8 min read. ThreatLabz Research. Introduction: First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XL...