Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seems useful for analysis. This site uses Google Analytics.

4n6 Week 03 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry shows the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics) and was automatically generated and posted so that I can skim through and pick the articles to check. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam Goss

Alex Teixeira

Allan Liska at ‘Ransomware Sommelier’

ransomwaresommelier.com. The Problem with Relying on Criminals for Data. Ransomware attacks were up 70% in 2023...we think. Allan Liska, Jan 15, 2024. How many ransomware attacks were there in 2023? According to data scraped from data leak sites, there were ~4399 (sites go up and down, scrapers break, etc., so this number is always an estimate). In all of 20...

Antonio Formato

Ilay Goldman and Yakir Kadkoda at Aqua

Researchers at Aqua Nautilus found that 8.2% of the most downloaded npm packages are officially deprecated, but due to inconsistent practices in handling package dependencies, the real number is much larger, closer to 21.2%. Moreover, some package maintainers, when confronted with security flaws, deprecate their packages instead of reporting them, getting a CVE assigned or remediating the vulnerabilities. These gaps can leave developers unaware that they are using unmaintained, vulnerabl...

AttackIQ

CERT-AGID

Summary of malicious campaigns in the week of 13 – 19 January 2024. 19/01/2024, summary. This week, CERT-AGID detected and analyzed, within the Italian scenario it covers, a total of 17 malicious campaigns, 12 of them with Italian targets and 5 generic ones that nevertheless affected Italy, making the related 163 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types...

Check Point

Research, January 16, 2024. Check Point Research: 2023 – The year of Mega Ransomware attacks with unprecedented impact on global organizations. By Check Point Research...

Security, January 18, 2024. Check Point Research Unfolds: Navigating the Deceptive Waters: Unmasking A Sophisticated Ongoing NFT Airdrop Scam. By Check Point Research...

Tzachi(Zack) Zorn at Checkmarx Security

CISA

Release Date: January 16, 2024. Alert Code: AA24-016A. Related topics: Cyber Threats and Advisories, Malware, Phishing, and Ransomware. Actions to take today to mitigate malicious cyber activity: Prioritize patching known exploited vulnerabilities in internet-facing systems. Review and ensure only necessary servers and services are exposed to the internet. Review platforms or services that have credentials listed in .env files for unauthorized access or use. SUMMARY: The Federal Bureau of Investigation ...

Release Date: January 18, 2024. Related topics: Cybersecurity Best Practices, Critical Infrastructure Security and Resilience, Partnerships and Collaboration. Today, CISA, the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) Sector. The guide includes contributions from over 25 WWS Sector organizations spanning private industry, nonprofit, and government entities. This coordination enabl...

Chris Neal at Cisco’s Talos

By Chris Neal, Thursday, January 18, 2024 08:00. Features. Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous research into the driver-based browser hijacker RedDriver and HookSignTool — a signature timestamp forging tool. With the existence of malicious dri...

Nathan Eades at Permiso

Permiso consistently observes that engineers and analysts often struggle with interpreting Azure Monitor Activity Logs, facing confusion and achieving only a partial understanding even after gaining experience. To address this, Permiso aims to level the playing field, offering deeper and more practical insights into these logs. In this blog, you’ll find an invaluable reference tool and guide designed to demystify Azure’s logging complexities. Here’s what we’ll be exploring...

Cyborg Security

Blog January 17, 2024 As we surge into 2024, the cybersecurity landscape is witnessing a paradigm shift. Gone are the days when Indicators of Compromise (IOCs) held the throne. 2023 marked the realization within cybersecurity circles that while IOCs serve a purpose, particularly in confirming participation in major breaches, their continuous monitoring leads to an unsustainable level of alert fatigue. This evolution in cyber defense thinking paves the way for the true hero of 2024: Behavioral Th...

Cyfirma

Published On: 2024-01-18. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Industries: Agriculture, Accessories, Accounting Services, Business Services, Customer Services, Construction, E-Commerce, Education, Energy, Fi...

Martin McCloskey and Christophe Tafani-Dereeper at Datadog Security Labs

January 19, 2024. Tags: aws, threat detection. On this page: Key points and observations; First observed attacker activity: Data exfiltration from S3 and attempted lateral movement through EC2 Instance Connect; Hands-on-keyboard activity begins; S3 enumeration and exfiltration; Attempt to run r6i.metal EC2 instances in an unused region; Additional persistence; Summary of attacker activity; Second observed attacker activity: Infrastructure-heavy crypto mining on ECS; Bring your own ECS cluster; Analyzing the ...

Regan at Detect FYI

Joe St Sauver at DomainTools

Dr Nestori Syynimaa at AADInternals

January 13, 2024 (Last Modified: January 14, 2024). Blog. Microsoft Entra Domain Services (MEDS): Exfiltrating NTHashes. Contents: Step 1: Exporting to Entra ID; Step 2: Exporting from Entra ID; Conclusion; References. Last year I gave a presentation titled Dumping NTHashes from Azure AD at TROOPERS conference. The talk was about how the Microsoft Entra Domain Services (formerly Azure AD Domain Services) works and how it enabled dumping NTHashes from Entra ID (formerly Azure AD). In this blog, I’ll show how Micro...

Esentire

SECURITY ADVISORIES, Jan 17, 2024. Maximum Severity Confluence Vulnerability (CVE-2023-22527). THE THREAT: On January 16th, Atlassian disclosed a new critical Remote Code Execution (RCE) vulnerability that impacts Confluence Data Center and Confluence Server. The vulnerability, tracke...

Peter Michalski at Expel

Security operations · 6 MIN READ · PETER MICHALSKI · JAN 16, 2024 · TAGS: MDR Inbox rules are used for legitimate and malicious reasons alike. Here are some actual case exercises, tips, and tricks on how to analyze using rule conditions alone. Inbox rules help users manage and organize emails. (For those unfamiliar with Outlook inbox rules, I highly recommend Brandon Dossantos’s recent post, which outlined what they are, explained how attackers can abuse them, and offered some helpful detection ...

Jessica Ellis at Fortra’s PhishLabs

Executive Attacks on Social Media Hit All-Time High as Analysts Point to AI. By Jessica Ellis | January 16, 2024. Executive impersonation on social media is at an all-time high as threat actors take advantage of AI to improve and scale their attacks. In Q3, accounts pretending to belong to high-ranking executives on social media climbed to more than 54% of total impersonation volume, surpassing brand attacks for the first time since Fortra began tracking this data...

Will Francillette at French365Connection

In this blog, I want to show how to connect to the Graph Security API using the PowerShell Graph SDK Module. We will focus on the Advanced Hunting module as an example but other modules are available: Alerts and incidents; Attack simulation and training; eDiscovery; Information protection; Record management; Secure score; Threat intelligence. Table of contents: 1 - Overview; 2 - Advanced hunting via Graph security API; 3 - Quotas and resource allocation; 4 - Graph SDK vs Web Request; 5 - Permissions; 6 - How-To; 7 - Conclus...

Wesley Shields, Threat Analysis Group at Google Threat Analysis Group

Threat Analysis Group. Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Jan 18, 2024. COLDRIVER’s targeting of high profile individuals in NGOs, former intelligence and military officials and NATO governments is moving beyond credential phishing activities. Wesley Shields, Threat Analysis Group. Ov...

Ron Bowes at GreyNoise

Ron Bowes, January 18, 2024. One of my favorite things to do each morning is to look at the significant recent vulnerabilities that I found interesting - right now, my list is Ivanti Connect Secure, Atlassian Confluence, Apache OFBiz, SnakeYAML, etc., to check our honeypots to see if any new exploits have dropped since last time. And oh boy, was I rewarded this morning when I checked Ivanti! The overwhelming majority of what we see daily is scanners scanning honeypots and honeypots luring scanners -...

InfoSec Write-ups

Intrinsec

By Equipe Cyber Threat Intelligence | Jan 9, 2024 | Cyber Threat Intelligence, Threat Intelligence Report. ThreeAM ransomware. Key findings: In this report are presented: Intrinsec’s CTI analysts unveil a new extortion scheme being tested by ThreeAM via X (previously known as Twitter). Bots could have been used to automatically name and shame amongst followers of its victims’ official X accounts. We found that the intrusion set intended to set up a dedicated leak site on...

Jamie MacColl, Dr Pia Hüsch, Dr Gareth Mott, James Sullivan, Dr Jason R. C. Nurse, Sarah Turner and Nandita Pattnaik at RUSI

16 January 2024. Long Read. Ransomware incidents remain a scourge on UK society. Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society. The research reveals a wide range of harms caused by ra...

KELA Cyber Threat Intelligence

KELA Cyber Intelligence Center If it looks like a duck, and walks like a duck… you may need to look a little closer. This is an increasingly important lesson, highlighted by the case of threat actors Hunters International, who were wrongly assumed in October 2023 to be a rebrand of Hive ransomware group. This kind of mistake is becoming increasingly easy to make. After all, 60% of the Hunters International ransomware code matched the Hive ransomware. But early reports from the security community...

Bert-Jan Pals at KQL Query

KQL Security Sources - 2024 Update. Bert-Jan Pals, included in KQL, Sentinel, Defender For Endpoint. 2024-01-14. 532 words, 3 minutes. It is great to see that more and more repositories, blogs and other sources share security related KQL content. Therefore this post provides an updated list of KQL Security Sources to start the new year. These sources can help you to kickstart your KQL knowledge for the upcoming year, by providing learning material, detection rules, hunting queries and many more. The image...

Kroll

Sean Straw. Key Takeaways: Kroll has observed a recent shift in the base64 encoding used for DARKGATE. The base64 alphabet is now randomized based on characteristics of the victim system. A weakness in the seed value randomness makes the new alphabet trivial to brute force. The discovered alphabet can be used to decode the on-disk configuration and keylogging outputs. The keylogger output files contain the keystrokes stolen by DARKGATE. Examiners can analyze these files to identify potentially sto...

Dave Truman. Watch the initial walkthrough of the SYSTEMBC C2 server from our threat intelligence expert, Dave Truman. Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild in 2018 with its core functionality revolving around its ability to act as a SOCKS5 proxy. This provides a useful capability for threat actors as a persistent access mechanism or for purposes of l...

Kennet Harpsøe at Logpoint

By Kennet Harpsøe | January 17th, 2024 | 5 min read. With the report “Attack on Danish Critical Infrastructure,” the Danish SectorCERT delves into the recently thwarted cyber attack on Danish critical infrastructure. The attack was directed at Zyxel firewalls, and the Sandworm group is believed to be behind it. Notably, it’s an APT group increasingly focused on rapid and agile cyber attacks. Kennet Harpsøe, Senior Cyber Analyst. Table of Contents: 1 Assumptions about Sandworm; 2 ...

Microsoft Security


Microsoft Security Response Center

By MSRC / January 19, 2024 / 2 min read. The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. As part of our ongoing commitment to responsible transparency as recently aff...

Nasreddine Bencherchali

Marcin Nawrocki, Christopher Conrad, and Clark Arenberg at Netscout

Arbor Networks - DDoS Experts. DDoS Attacks, Denial-of-service attack. NoName057(16) Campaign Analysis, by Marcin Nawrocki, Christopher Conrad, Clark Arenberg on January 16th, 2024. Introduction: Shortly after the Russo-Ukrainian conflict began, a new threat actor announced their formation on Telegram along with their manifesto (Figure 1). Their self-declared mission statement was to counter-act open hostility towards Russia, targeting NATO-aligned countries. Additionally, they stated an openness to co...

Florian Roth at Nextron Systems

by Florian Roth | Jan 17, 2024 In this blog post, our threat research team presents the most critical cyber security trends for 2024. While many in the field are focusing on headline-grabbing topics like AI, our emphasis is on practical, impactful issues already shaping the cyber landscape. We believe these trends will grow in significance throughout the year. A common theme we’re observing is evasion: sophisticated methods used by attackers to stay under the radar. This includes evading detecti...

Noah McDonald at Google Cloud

Obsidian Security

Jose Rodriguez at Open Threat Research

Jose Rodriguez Jan 15, 2024 • 9 min read Recently, generative artificial intelligence (GenAI) has emerged as a game-changer in cybersecurity, significantly enhancing traditional security operations. Its applications range from helping analysts in understanding complex topics during incidents to deciphering intricate scripts, and summarizing findings effectively. With the appropriate fine-tuning, GenAI models can even suggest investigative steps. This advancement is particularly impressive as it ...

Penetration Testing Lab

Lateral Movement – Visual Studio DTE, by Administrator, in Lateral Movement. A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development needs. Outside of the risk from malicious .sln files, which do not apply Mark of the Web (MotW) and therefore can evade Microsoft controls such as SmartScreen, Visual Studio also provides an opportunity fo...

Prodaft

By PRODAFT Team on January 15, 2024. Seeing Through the Fog: Detecting Malicious Sites and Fake Social Media. With social media users giving away more personal information online, sensitive data can now easily travel beyond the owner’s control and into the hands of threat actors. Thus, it’s no surprise that there are over 18,000 fake websites created daily and 16% duplicate Facebook accounts, stealing fragile info and misleading individuals and businesses. But th...

Proofpoint

Security Brief: TA866 Returns with a Large Email Campaign. January 18, 2024, Axel F. What happened: Proofpoint researchers identified the return of TA866 to email threat campaign data, after a nine-month absence. On January 11, 2024, Proofpoint blocked a large volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as “Document_[10 digits].pdf” and various subjects such as “Project achievements”. ...

Raymond Roethof

Microsoft Defender for Identity Recommended Actions: Reduce lateral movement path risk to sensitive entities. 15th Jan 2024, 16th Jan 2024, by thalpius. Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with fourteen recommended actions. In a series of blog posts, I will go through all fourteen recommended actions of what it means, a plan of approach, their impact, and my security...

Tess Mishoe and Rachel Schwalk at Red Canary

Robin Moffatt

Published Jan 16, 2024 by in GitHub, DNS at //rmoff.net/2024/01/16/hosting-on-github-pages-watch-out-for-subdomain-hijacking/ A friend messaged me late last night with the scary news that Google had emailed him about a ton of spammy subdomains on his own domain. Any idea how this could have happened, he asked? Security is not my bag, but I do like poking around things to understand how they tick, and this particular exploit kinda intrigued me by its simplicity. I’m a big advocate of running your...

RussianPanda

RussianPanda Case Study. Atomic Stealer is known to be the first stealer for MacOS devices; it first appeared on Russian hacking in March, 2023. For 3000$ per month, the user gets access to the panel. The user provides a Telegram Bot ID and build ID to the seller and the user receives the build. The stealer allegedly has the following functionalities and features: Login Keychain dump; Extract system information; FileGrabber (from Desktop, Documents); MacOS Password retrieval; Convenient web panel; M...

SANS Internet Storm Center

Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887). Published: 2024-01-16. Last Updated: 2024-01-16 12:53:48 UTC, by Johannes Ullrich (Version: 1). Last week, Volexity published a blog describing two vulnerabilities in Ivanti's Connect "Secure" VPN [1]. These vulnerabilities have been exploited in limited, targeted attacks. At this point, Ivanti released a configuration workaround but no patch for this vulnerability. The configuration can be applied in ...

macOS Python Script Replacing Wallet Applications with Rogue Apps. Published: 2024-01-19. Last Updated: 2024-01-19 05:50:40 UTC, by Xavier Mertens (Version: 1). Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too [1]. Here is a good example: I found a malicious Python script targeting wallet applications on macOS. The script is not obfuscated and is easy to understand. The Virust...

More Scans for Ivanti Connect "Secure" VPN. Exploits Public. Published: 2024-01-18. Last Updated: 2024-01-18 13:54:31 UTC, by Johannes Ullrich (Version: 1). Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth [1]. Rapid7 also does a good job walking you through how Ivanti obfuscates the LUKS key i...

Securonix

SIEM. By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov. tldr: Threat actors favor RMM (remote monitoring and management) as it allows for convenient and stealthy command and control capabilities on compromised hosts. Today, let’s take a look at some of the popular options that the bad guys are using and discover how we can detect them. RMM software is commonly marketed as legitimate software which allows for complete access from server to client. The server listen...

Jim Walter at SentinelOne

January 16, 2024 by Jim Walter. A recent wave of Twitter/X account takeover attacks has seen multiple high-profile social media accounts compromised and used to spread malicious content aimed at stealing cryptocurrency. The attacks use a family of malware known as crypto-drainers and often supplied through Drainer-as-a-Service (DaaS) platforms. Some recent high-profile victims include the SEC and Mandiant. Crypto Drainers and Drainers as a Service have received little attention from security ...

Ameer Owda at SOCRadar

Lance B. Cain at SpecterOps

Splunk

By Splunk Threat Research Team, January 17, 2024. AutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it has been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as 2008. Malware creators have exploited the versatility of AutoIT in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of...

By David Bianco, January 19, 2024. Hypothesis-driven hunting is probably the most well-known type of threat hunting, and it’s one of the three types defined in the PEAK threat hunting framework. In this article, we’ll walk through a sample hypothesis-driven hunt, step-by-step. For our data, we’ll be using the Boss of the SOC Version 3 (BOTSv3) dataset, which you can use to recreate the hunt and work through it on your own. Below is a diagram of the Hypothesis-Driven hunting process. This di...

Stephan Berger

15 Jan 2024. Table of Contents: AsyncRAT (Standard C2 ports, Persistence, Mutex, Assembly Information, Client information, Plugins, Mutex Hunting, Persistence techniques); QuasarRAT (Standard C2 ports, Mutex Hunting, User Agent, Persistence techniques). Introduction: Recorded Future writes in their Adversary Infrastructure Report 2023: The top 5 malware families we detected this year are AsyncRAT, Quasar RAT, PlugX, ShadowPad, and DarkComet. Interestingly, the top 2 detections are open-source, and the last 3 are w...

Ben Martin at Sucuri

UnderDefense

CASE STUDY: UnderDefense Initiates Proactive Threat Hunting and Detects Hidden Threats in the Client’s Environment. Background: The client is one of the ten largest government organizations in the U.S. financial sector. The company was already security-conscious and had several security solutions and tools, including NGAV (a modified version of EDR). Additionally, they had well-configured policies, an active directory domain, firewalls, and an in-house team to deal with emerging alerts. The Challen...

Viktor Sahin-Uppströmer at Truesec

Volexity

January 15, 2024 by Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, Thomas Lancaster. Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a pe...

January 18, 2024 by Matthew Meltzer, Sean Koessel, Steven Adair. On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024, proof-of-concept code for the exploit was made public. Subsequently, Volexity has...

Jacob Baines at VulnCheck

Jacob Baines (@Junior_Baines). Key Takeaways: 7777-Botnet remains active, and VulnCheck used co-located services to theorize the botnet is infecting TP-Link, Xiongmai, and Hikvision devices using CVE-2017-7577, CVE-2018-10088, CVE-2022-45460, CVE-2021-36260, and/or CVE-2022-24355. The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume. The botnet doesn’t just start a service on port 7777. It also spins up a SOCKS5 server on port 11228. Introducti...