Analysis Notes

A place to note malware analysis attempts and things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 08 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. This Week in 4n6 can be found here.

THREAT INTELLIGENCE/HUNTING

Allan Liska at ‘Ransomware Sommelier’

LockBit Down! Allan Liska, Feb 19, 2024. LockBit Ransomware’s infrastructure has been seized through a global joint law enforcement action. It is not just their main site, it appears most negotiation and portal sites are now under the control of law enforcement. Image courtesy Daniel Card. This is unequivocally good news. The LockBit ransomware group has been aro...

Jinghua Bai at APNIC

By Jinghua Bai on 21 Feb 2024. Category: Tech matters. Tags: China, DNS, Guest Post, measurement. The Domain Name System (DNS) is an essential protocol in the architecture of today’s Internet. It routinely translates domain names into IP addresses and also often handles a multitude of invalid queries. These include requests for non-existent domain names, called NXDOMAIN. A high volume of these invalid queries can adversely affect the online user experience, add strain to network ope...

Nitzan Yaakov at Aqua

Arctic Wolf

Bitdefender

Vlad CONSTANTINESCU, February 21, 2024. Yesterday, authorities announced the success of cooperating law enforcement agencies worldwide in disrupting the infamous Lockbit ransomware gang. Police Turn the Tables on Lockbit. Mere hours after the initial announcement, police flipped the switch on the notorious group, exposing the identity of its members to the world. After disrupting the gang’s main website on Monday and replacin...

Filip TRUȚĂ, February 21, 2024. A Ukrainian national was extradited to the United States from the Netherlands after being indicted for crimes related to fraud, money laundering and aggravated identity theft using the Raccoon infostealer, the US Justice Department has announced. 28-year-old Mark Sokolovsky allegedly conspired to operate the Raccoon Infostealer as a malware-as-a-service (MaaS). Court documents say Sokolovsky...

Brad Duncan at Malware Traffic Analysis

2024-02-21 (WEDNESDAY): PARROT TDS --> SOCGHOLISH --> ASYNC RAT. NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_parrottds-socgholish-asyncrat-activity-7166192124441415681-rnLv //twitter.com/Unit42_Intel/status/1760426508558950518 ASSOCIATED FILES: 2024-02-21-IOCs-from-SocGholish-AsyncRAT-infection.txt.zip 1.9 kB (1,848 bytes) 2024-02-21-SocGholish-AsyncRAT-in...

2024-02-09, 02-22 AND 02-23 - DATA DUMP: LATRODECTUS FROM CONTACT FORMS CAMPAIGN. NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. ASSOCIATED FILES: 2024-02-09-Contact-Forms-campaign-Latrodectus-notes.txt.zip 1.7 kB (1,735 bytes) 2024-02-09-Contact-Forms-campaign-Latrodectus-infection-traffic-with-Keyhole-VNC-carved.pcap.zip 2.8 MB (2,830,437 bytes) 2024-02-09-Latrodectus-malware-and-artifacts.zip 1.7 MB...

BushidoToken

February 22, 2024. Introduction: A Chinese Ministry of Public Security (MPS) contractor called iSOON (also known as Anxun Information) that specializes in network penetration research and related services has had its data leaked to GitHub. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their te...

Cado Security

Himaja Motheram at Censys

CERT Ukraine

CERT-AGID

A phishing campaign targeting SPID identified on a purpose-registered domain. 19/02/2024, phishing, SPID. A new phishing attack specifically aimed at users of the Sistema Pubblico di Identità Digitale (SPID) attempts to steal users' login credentials for 11 banking institutions: BNP, Credem, Fineco, ING, InBank, Intesa, Mediobanca, Mediolanum, Poste, Sella, Unicredit. The phishing was identified by D3lab on a domain registered specifically on Saturday...

Summary of malicious campaigns in the week of 17 – 23 February 2024. 23/02/2024. This week, CERT-AGID identified and analyzed, within the Italian scenario it monitors, a total of 34 malicious campaigns, of which 30 had Italian targets and 4 were generic but nonetheless affected Italy, making the related 333 indicators of compromise (IOC) identified available to its accredited entities. We report below the details of the types illustr...

Chainalysis

February 24, 2024 | by Chainalysis Team. Romance scams, also known as “pig butchering scams” for the way bad actors say they “fatten up” their victims to extract the most possible value, are a large and growing problem with a significant crypto nexus. Romance scammers start by building a relationship over time with the victim (usually of a romantic nature, as the name implies), often initiating contact by pretending to have text messaged a wrong number or via dating apps. As the relationshi...

Check Point

Cisco’s Talos

By Edmund Brumaghin, Ashley Shen, Holger Unterbrink, Guilherme Venere. Tuesday, February 20, 2024 08:00. Threats / Threat Spotlight. Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email dist...

By Asheer Malhotra, Holger Unterbrink, Vitor Ventura, Arnaud Zobec. Thursday, February 22, 2024 08:00. Threat Spotlight / Threats. Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed. Talos also illustrates the post-compromise activity carried out by the operat...

Dylan Duncan at Cofense

Confiant

Introduction ScamClub is a highly sophisticated and well-funded threat actor primarily motivated by financial gains. They exploit vulnerabilities within the ad tech industry, particularly targeting web browsers and ad tech platforms. In September 2023, Confiant definitively linked ScamClub to WayTop International Advertising Limited in Hong Kong. Known for their advanced capabilities, ScamClub develops custom programs and codes to target various operating systems and web browsers. They prioritiz...

Greg Day at Cybereason

Written By Greg Day If I could have one wish for 2024, it would be that we stop calling ransomware by the same name. What started as the simplest of notions, encrypting data and extorting money to return access back, has evolved numerous times to a threat that is far more akin to Nimda (2001) which was recognized as one of the first in an era of blended attacks - like the ‘Swiss army knife’ attacks back in the early 2000s. Today, ransomware uses numerous techniques to gain access. Our latest Ran...

Cyfirma

Published On: 2024-02-22. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Industry: Apparel, Biochemical, Electrical, Health, Manufacturing, Real estate and Retail. Target Geography: Israel, United States, United King...

Daniel Miessler

Alex Teixeira at Detect FYI – Medium

Joe St Sauver at DomainTools

Dragos


Dragos, Inc. Threats. VOLTZITE is an active threat group tracked by Dragos Intelligence. This group shares overlaps with Volt Typhoon (Microsoft) and the adversary described by the U.S. Cybersecurity Infrastructure Security Agency (CISA) in a May 2023 advisory, and a more recent one from February 2024. VOLTZITE has been observed performing reconnaissance and enumeration against multiple US-based electric companies since 2023. Since then, the threat g...

EclecticIQ

Product Marketing Team – February 19, 2024 In today's digital age, the importance of Cyber Threat Intelligence (CTI) cannot be overstated. For organizations at the helm of critical infrastructure, large enterprises, and central governments, a robust CTI practice is not just an option — it's a necessity. We have put together a detailed roadmap for building a comprehensive CTI practice that shields your digital assets and ensures your organization's resilience against cyber threats. Step 1 - Make ...

Elastic Security Labs

Monitoring Okta threats with Elastic Security. Setup a detection engineering lab for Okta. 17 min read. Security research. Preamble: Welcome to another installment of Okta threat research with Elastic. Previously, we have published articles exploring Okta’s core services and offerings. This article is dedicated to the practical side of cyber defense - setting up a robust Okta threat detection lab. Our journey will navigate through the intricacies of configuring a lab environment using the Elastic Stack, ...

PIKABOT, I choose you! Elastic Security Labs observed new PIKABOT campaigns, including an updated version. PIKABOT is a widely deployed loader malicious actors utilize to distribute additional payloads. 21 min read. Campaigns. PIKABOT at a glance: PIKABOT is a widely deployed loader malicious actors utilize to distribute payloads such as Cobalt Strike or launch ransomware. On February 8th, the Elastic Security Labs team observed new PIKABOT campaigns, including an updated variant. This version of the P...

Elliptic

Elliptic Research 20 February, 2024 On 19 February 2024, the UK’s National Crime Agency (NCA) announced its role in leading an international law enforcement operation, called Operation Cronos, targeting one of the most notorious ransomware groups, LockBit. This operation resulted in the successful disruption of the ransomware group, with law enforcement seizing their website and accessing a “vast amount of intelligence” regarding the internal workings of the group. Having posted a seizure notice...

Esentire

BY eSentire Threat Response Unit (TRU), February 21, 2024 | 21 MINS READ. On October 31, 2023, the Rhysida Ransomware Group launched a crippling attack on the British Library. Although the library did not pay the criminals’ ransom demand of £650,000, library authorities are now estimating that it will cost between £6 Million and £7 Million to rebuild the library’s IT systems. This hefty price tag is going to cost the organisa...


SECURITY ADVISORIES. Feb 21, 2024. ConnectWise ScreenConnect Exploitation. THE THREAT: On February 20th, ConnectWise confirmed that two recently disclosed ScreenConnect vulnerabilities...

Flashpoint

Flashpoint, February 20, 2024. “A Ukrainian national pleaded guilty today to his role in two separate and wide-ranging malware schemes involving tens of millions of dollars in losses.” “’Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to p...

U.S. indictment charges two Russian nationals with attacks against multiple U.S. and international victims; FBI seizes infrastructure; and Department of Treasury takes additional action against LockBit. Flashpoint, February 21, 2024. “The Department of Justice joined the United Kingdom and international law enforcement partners in London today to announce the disruption of the LockBit ransomware group, one of the most active ransomware groups in the world that has targeted over 2,000 v...

Fortra’s PhishLabs

O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks. Posted on February 22, 2024. The majority of malicious emails reported in user inboxes contained a link to a phishing site, making credential theft emails the attack method of choice for cybercriminals in Q4. Credential theft made up nearly 60% of all reported incidents, with more than half of the volume attributed to O365 attacks. Despite the threat actor preference toward this threat type, credential theft at...

Neil Matani and Ahmed Khanji at Gridware

Leak Reveals Spyware Created by Chinese Government Contractor. February 21, 2024. Chinese Government Leak: On 16th February 2024, an unkno...

Huntress

Detection Guidance for ConnectWise CVE-2024-1709. By Team Huntress, February 20, 2024. UPDATE: Read our full analysis of CVE-2024-1709 & CVE-2024-1708 and detection guidance here. On February 19, 202...

Critical Vulnerability Disclosure: ConnectWise/R1Soft Server Backup Manager Remote Code Execution & Supply Chain Risks. By John Hammond & Caleb Stewart, October 31, 2022. ...


SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708). By Team Huntress, February 23, 2024. ...

Brent Eskridge at Infoblox

Ivanti Connect Secure VPN Exploitation – Correctly Interpreting DNS IoCs. February 20, 2024. Author: Brent Eskridge. On January 10, 2024 Ivanti announced that their Connect Secure VPN devices, formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways, were compromised by attackers exploiting two zero-days. Given the wide usage of Ivanti devices, the response to the attacks has been understandably swift. Organizations are frantically patching their devices and searching for any indicati...

InfoSec Write-ups

Pedram Amini at InQuest

Jeffrey Appel

February 20, 2024 16 min read Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard) January 31, 2024 12 min read Protect against QR Code phishing with Microsoft Defender products January 25, 2024 7 min read How to use deception in Microsoft Defender for Endpoint/ Defender XDR January 16, 2024 8 min read How to protect Microsoft Teams with Microsoft 365 Defender January 10, 2024 7 min read Common mistakes during Microsoft Defender for...

Jouni Mikkola at “Threat hunting with hints of incident response”

February 23, 2024, JouniMi. How to hunt for SEO poisoning? Well this is a good question to which I don’t have a good answer. This query is going to go through the very basics of how this can be started but it is not really that easy to do. I’ve had several different ideas of how to hunt for signs of SEO poisoning and the one in this post is the one that I think is most usable in the hunting scenarios. I have played around with a query which joins the file creation e...

Kaspersky Lab


Laurie Iacono, Keith Wojcieszek, and George Glass at Kroll

Laurie Iacono, Keith Wojcieszek, George Glass. Kroll’s Q4 analysis shows ransomware groups increasingly gaining initial access through external remote services. The quarter presented a complex security landscape with a mix of both positive and...

Lab52

February 19, 2024 Turla is an APT group allegedly linked to the intelligence service FSB (Federal Security Service) from the Russian Federation. This threat actor is specifically in the Center 16 unit, which carries out the collection of radio-electronic intelligence on communications facilities. Moreover, the Center 16 is in charge of intercepting, decrypting and processing the electronic message and the technical operation of compromising foreign targets. Turla’s activity dates back as far as ...

Mandiant

Unveiling Mandiant’s Cyber Threat Intelligence Program Maturity Assessment. John Doyle, Andrew Close, Steven Savoldelli, John Barth, Mark Thomasson, Sachin Kalra. Feb 20, 2024, 6 min read. Threat Intelligence. As part of Google Cloud's continuing commitment to improving the overall state of cybersecurity for society, today Mandiant is publicly releasing a web-based Intelligence Capability Discovery (ICD) to help commercial and governmental organizations evaluate the maturity of their cyber threat in...

Mandiant, Feb 23, 2024, 1 min read. Remediation / Vulnerabilities. On Feb. 19, 2024, ConnectWise announced two vulnerabilities for their ScreenConnect product affecting (on-premises) versions 23.9.7 and earlier: CVE-2024-1708 – Authentication Bypass Vulnerability (10.0); CVE-2024-1709 – Path Traversal Vulnerability (8.4). These vulnerabilities allow an unauthenticated actor to bypass authentication, and access ScreenConnect environments that may be behind a corporate firewall. ConnectWise released an updated v...

Michalis Michalos

Having a Threat Intelligence Platform (TIP) to maintain Indicators of Compromise (IoCs) is somewhat a standard these days. However, not all organizations use a TIP such as MISP, but this shouldn’t prevent anyone from using threat intelligence feeds for hunting, especially when it comes to Microsoft Defender XDR. Table of Contents: What are threat intelligence (TI) feeds and why should I consider using them? How can the externaldata operator help harness threat feeds? What kind of files are suppor...

If you are part of a big organization, you might need to reach out to some colleagues and teams, in case you contain an endpoint. An end user will probably reach out to your help desk in order to identify if there is an issue with her/his endpoint. Hence, you may want to spare some time of back and forth of emails or direct messages. On the other hand, if you are part of a team, and most importantly if you are working remotely, you might want to have direct access to which of your endpoints are ...

Morphisec

Posted by Jay Kurup on February 20, 2024. This blog examines the Akira Ransomware as a Service (RaaS) group, to understand their Tactics, Techniques and Procedures (TTPs), and validate how Morphisec’s patented Anti-Ransomware solution powered by Automated Moving Target Defense (AMTD) can prevent this ransomware threat, as well as comparative ransomware groups. Introduction: Ransomware attacks are increasing in frequency and gaining notoriety. All ransomware incidents come with recovery costs...

Zaid Baksh at NCC Group


Netskope

Palo Alto Networks

5 min. read. By Unit 42, February 20, 2024 at 6:12 AM. Category: Reports. Tags: Cloud-Delivered Security Services, Cortex XDR, Cortex Xpanse, Cortex XSIAM, incident response, Unit 42 Incident Response Report. This post is also available in: 日本語 (Japanese). Introduction: Our annual survey of incident data from more than 250 organizations and more than 600 incidents provides a Unit 42 perspective on the current state of security exposures. Threat actors are increasing their sp...

3 min. read. By Unit 42, February 21, 2024 at 5:00 PM. Category: Threat Briefs and Assessments. Tags: Advanced Threat Prevention, Cloud-Delivered Security Services, ConnectWise, Cortex XDR, Cortex Xpanse, Cortex XSIAM, CVE-2024-1708, CVE-2024-1709, next-generation firewall, remote desktop, vulnerability exploit. This post is also available in: 日本語 (Japanese). Executive Summary: Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop soft...

7 min. read. By Unit 42, February 23, 2024 at 5:00 PM. Category: Malware. Tags: Advanced URL Filtering, China, GitHub, i-Soon leaks, Linux, Treadstone, Windows, Winnti. Executive Summary: On Feb. 16, 2024, someone uploaded data to GitHub that included possible internal company communications, sales-related materials and product manuals belonging to the Chinese IT security services company i-Soon, also known as Anxun Information Technology. The leaked materials appear to s...

14 min. read. By Tom Fakterman, Chen Erlich and Assaf Dahan, February 22, 2024 at 4:00 PM. Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, AsyncRAT, Cloaked Ursa, Cloud-Delivered Security Services, DLL, DLL Sideloading, DNS security, Dridex, next-generation firewall, PlugX, Prisma Cloud. Executive Summary: Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security profe...

Penetration Testing Lab

AS-REP Roasting, by Administrator, in Credential Access. Active Directory users that have the Kerberos pre-authentication enabled and require access to a resource initiate the Kerberos authentication process by sending an Authentication Server Request (AS-REQ) message to the domain controller. The timestamp on that message is encrypted with the hash of the user’s password. The domain controller can decrypt the timestamp using its own record of the user password hash and it will s...

Prodaft

By PRODAFT Team on February 19, 2024. Understanding Eavesdropping Attacks in Network Security. Just as people eavesdrop on conversations between folks, network eavesdropping involves a malicious actor listening in on communication across two devices, including servers, computers, and smartphones. According to research, over 37% of smartphones are at risk of eavesdropping attacks. Thus, it's more important now than ever to educate yourself on network eavesdropping...

Red Alert

Monthly Threat Actor Group Intelligence Report, December 2023 (KOR). This is a summary of the activities of hacking groups (Threat Actor Groups) analyzed on the basis of data and information collected by the NSHC ThreatRecon team from November 21, 2023 to December 20, 2023. In December, the activities of a total of 36 hacking groups were identified; the SectorA group was the most active at 29%, followed by the SectorJ and SectorC groups. The hacking activities of the groups found in December most often targeted personnel or systems in government agencies and the financial sector, and by region, hacking activity against countries located in East Asia and Europe was the most frequent. 1. Characteristics of SectorA group activity: In December 2023, the activities of a total of 5 hacking groups were found, and they S...

Red Canary

ReliaQuest

Carolynn van Arsdale at ReversingLabs

The U.S., U.K., Canada and eight partner countries have disrupted the LockBit ransomware group. Here are the key takeaways, along with expert insights. Carolynn van Arsdale, Cyber Content Creator at ReversingLabs. The United Kingdom’s National Crime Agency (NCA), in collaboration with the U.S., Canada and eight other international partners shared a major update this past Tuesday regarding Operation Cronos, the international disruption campaign created to take down the Lo...

S2W Lab

SANS Internet Storm Center

Wireshark 4.2.3 Released. Published: 2024-02-18. Last Updated: 2024-02-18 23:32:43 UTC by Didier Stevens (Version: 1). Wireshark release 4.2.3 brings 20 bug fixes. And if you are upgrading Wireshark 4.2.0 or 4.2.1 on Windows you will need to download and install this or later versions manually. Didier Stevens, Senior handler, Microsoft MVP, blog.DidierStevens.com

Python InfoStealer With Dynamic Sandbox Detection. Published: 2024-02-20. Last Updated: 2024-02-20 07:07:02 UTC by Xavier Mertens (Version: 1). Infostealers written in Python are not new. They also onboard a lot of sandbox detection mechanisms to prevent being executed (and probably detected) by automatic analysis. Last week, I found one that uses the same approach but in a different way. Usually, the scripts have a list of "bad stuff" to check like MAC addresses, usernames, processes,...

Phishing pages hosted on archive.org. Published: 2024-02-21. Last Updated: 2024-02-21 07:27:43 UTC by Jan Kopriva (Version: 1). The Internet Archive is a well-known and much-admired institution, devoted to creating a “digital library of Internet sites and other cultural artifacts in digital form”[1]. On its “WayBackMachine” website, which is hosted on //archive.org/, one can view archived historical web pages from as far back as 1996. The Internet Archive basically functions as a memor...

Simple Anti-Sandbox Technique: Where's The Mouse? Published: 2024-02-23. Last Updated: 2024-02-23 06:23:46 UTC by Xavier Mertens (Version: 1). Malware samples have plenty of techniques to detect if they are running in a "safe" environment. By safe, I mean a normal computer with a user between the keyboard and the chair, programs running, etc. These techniques are based on checking the presence of specific processes, registry keys, or files. The hardware can also be a good indicator (a...

Large AT&T Wireless Network Outage #att #outage. Published: 2024-02-22. Last Updated: 2024-02-22 16:40:47 UTC by Johannes Ullrich (Version: 1). [UPDATE] As of 11:30am ET, AT&T states that about 75% of its network is operational, and they are recovering the rest. Several news sources noted that Verizon and T-Mobile may also have outages. This is likely due to a misinterpretation of "...

Update: MGLNDD* Scans. Published: 2024-02-24. Last Updated: 2024-02-25 08:43:36 UTC by Didier Stevens (Version: 1). Almost 2 years ago, a reader asked us about TCP connections they observed. The data of these TCP connections starts with "MGLNDD": "MGLNDD_* Scans". Reader Michal Soltysik reached out to us with an answer: MGLN is Magellan, RIPE Atlas Tools. RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability. Thanks to Michal for explaining...

Pierre-Antoine D., Quentin Bourgue, and Livia Tibirna at Sekoia

Daniel Petri at Semperis

Active Directory Security. Feb 09, 2024. Read 5 MIN. Daniel Petri. In the constantly evolving landscape of cyber threats, the Overpass the Hash attack is a potent vector. Leveraging the NTLM authentication protocol, this attack enables adversaries to bypass the need for plaintext passwords. Instead, an Overpass t...

SentinelOne

Aleksandar Milenkoski / February 22, 2024. Executive Summary: SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger. We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel. The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics ...

SOCRadar

Feb 19, 2024 Importance of Indicators of Compromise (IoCs) in CTI for Actionable Intelligence Whether in the case of a targeted attack or random mass exploitation, using Indicators of Compromise (IoCs) is a crucial aspect in the ongoing cha...

Feb 20, 2024 Dark Web Profile: Hunters International Originating in the latter part of 2023, this Ransomware-as-a-Service (RaaS) operation has drawn attention due to its technical lineage and operational tactics resembling those of the notorious Hive ransomware group. With law enforcement agencies previously disrupting Hive, Hunters International’s rise ju...

Feb 19, 2024 Sales of bfBot Stealer & Knight Ransomware Source Code, Dior Vulnerabilities, Passport Leaks, and More The SOCRadar Dark ...

Feb 21, 2024 Using Jupyter Notebook for CTI using PyMISP In Cyber Threat Intelligence (CTI), Jupyter Notebook and PyMISP are transformative tools. Just as Bash commands empower defenders, these platforms offer dynamic solutions for analyzi...

Chinese authorities, law enforcement agencies, cybersecurity researchers, and a whole lot of other people are investigating an unprecedented online leak of documents from a private security firm. A vast amount of data has been leaked on GitHub from a Chinese cybersecurity firm that provides services to the Chinese government, unveiling various hacking tools and services.I-SOON leaks on GitHub.The leak appears to have been deliberately executed by a dissatisfied company employee. The firm, known ...

Sophos

Making sense of the ransomware-group takedown -- what it means for ransomware and law enforcement Written by Chester Wisniewski February 21, 2024 Late on February 19, 2024, the main website of LockBit, the most prolific ransomware group in recent memory, was seized by the United Kingdom’s National Crime Agency (NCA). In cooperation with their international law enforcement partners at the United States FBI, the French Gendarmeri...

Multiple attacks exploit vulnerabilities in an IT remote access tool to deliver a variety of different payloads into business environments Written by Andrew Brandt, Angela Gunn February 23, 2024 Tags: asyncrat, cobalt strike, CVE-2024-1708, CVE-2024-1709, IR, Lockbit, MDR, Ransomware, rust, ScreenConnect, Sophos X-Ops. Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidanc...

Splunk

Add to Chrome? - Part 2: How We Did Our Research By James Hodgkinson Analyzing the content and security implications of browser extensions is a complex task! It's almost like trying to piece together a complex jigsaw puzzle (thanks JavaScript). Automation is a key way to reduce this complexity without adding to the workload of security staff. With so many extensions to inspect (we analyzed more than 140,000 of them), automating small portions of tha...
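
The excerpt argues for automating small parts of extension review; as an added example (mine, not the Splunk team's tooling or method) here is the first automated pass most reviewers build: a static triage of the extension's manifest.json that scores permissions and host patterns granting broad access, so that only high-scoring extensions go to a human. The permission names are real Chrome manifest keys; the weights, the threshold and the two manifests are constructed for illustration.

```python
# Added example, not from the Splunk post: static triage of a browser extension
# manifest. Scores declared permissions and host patterns so broad-access
# extensions can be queued for manual review. Weights are illustrative.
import json

# Chrome permission names; weights are an assumption chosen for this example.
PERMISSION_WEIGHTS = {
    "debugger": 5, "nativeMessaging": 4, "webRequest": 3, "webRequestBlocking": 3,
    "cookies": 3, "history": 3, "scripting": 2, "tabs": 2, "clipboardRead": 2,
    "storage": 0, "alarms": 0,
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
REVIEW_THRESHOLD = 8  # assumed cut-off for "send to a human"


def _is_host_pattern(value: str) -> bool:
    return value == "<all_urls>" or "://" in value


def score_manifest(manifest: dict) -> dict:
    """Return a risk score and the findings that produced it."""
    findings, score = [], 0
    permissions = list(manifest.get("permissions", []))
    # Manifest V3 keeps host patterns in host_permissions; Manifest V2 mixed
    # them into "permissions", so normalise both into one list.
    host_patterns = list(manifest.get("host_permissions", []))
    host_patterns += [p for p in permissions if _is_host_pattern(p)]

    for perm in permissions:
        if _is_host_pattern(perm):
            continue
        weight = PERMISSION_WEIGHTS.get(perm, 1)  # unknown permission: small default
        if weight:
            score += weight
            findings.append(f"permission {perm} (+{weight})")

    if any(h in BROAD_HOSTS for h in host_patterns):
        score += 4
        findings.append("broad host permission (+4)")

    # A content script matched against every site is the usual vehicle for
    # credential or session theft, so it adds on top of the host grant.
    for cs in manifest.get("content_scripts", []):
        if any(m in BROAD_HOSTS for m in cs.get("matches", [])):
            score += 3
            findings.append("content script injected into all sites (+3)")
            break

    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"name": manifest.get("name", "?"), "score": score,
            "verdict": verdict, "findings": findings}


def triage(manifest_json: str) -> dict:
    """Parse a manifest.json string and score it."""
    return score_manifest(json.loads(manifest_json))


# Constructed manifests for illustration.
BENIGN = json.dumps({"manifest_version": 3, "name": "Notes",
                     "permissions": ["storage", "alarms"],
                     "host_permissions": ["https://notes.example/*"]})
RISKY = json.dumps({"manifest_version": 3, "name": "Coupon Helper",
                    "permissions": ["tabs", "scripting", "cookies", "webRequest"],
                    "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["<all_urls>"],
                                         "js": ["inject.js"], "run_at": "document_start"}]})

if __name__ == "__main__":
    for m in (BENIGN, RISKY):
        print(triage(m))
```

This pass says nothing about what the JavaScript actually does; its job is to reduce 140,000 manifests to the subset whose declared reach justifies the costlier content analysis the article goes on to describe.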

Spur

Sean S. February 22, 2024 MalwareResidential Proxies It’s a scary world out there for residential IPs; they are the key product of “underground” proxy services like Faceless, SocksEscort, NSocks, the defunct 911 Proxy, and now CloudRouter which we suspect has taken its place. But productization of residential IPs is not limited to scary dark web storefronts. There are a surprising number of legitimate “bandwidth sharing” applications enticing users to sub-lease their Internet connection for mere...

Denis Sinegubko at Sucuri

Sysdig

Trend Micro

In this blog entry, we focus on Earth Preta's campaign that employed a variant of the DOPLUGS malware to target Asian countries. By: Sunny Lu, Pierre Lee February 20, 2024 Introduction In July 2023, Check Point disclosed a campaign called SMUGX, which focused on European countries and was attributed to the advanced persistent threat (APT) group Earth Preta (also known as Mustang Panda and Bronze President). In the same year, we obtained a phishing emai...

The landscape of cybersecurity is continuously evolving, with new threats emerging and the roles and responsibilities of security professionals constantly adapting. By: Trend Micro February 21, 2024 The SANS 2023 SOC Report is a vital barometer for the state of Security Operations Centers (SOCs) worldwide. It offers a plethora of data-driven insights and emerging trends that are shaping the future of cybersecurity operations. Figure 1. SOC Survey Respo...

Trend and other private entities recently contributed to INTERPOL’s Operation Synergia, a global operation that successfully took down over 1,000 C&C servers and identified suspects related to phishing, banking malware, and ransomware activity. By: Trend Micro February 21, 2024 Trend Micro has an extensive track record of working with law enforcement by providing threat intelligence. Recently, Trend and other private entities contributed to INTERPOL’s ...

This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. By: Trend Micro Research February 22, 2024 This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who recently took action against LockBit as part of an international effor...

Trustwave SpiderLabs

December 05, 2013 5 minutes read Brian Bebeau Ten years ago, Congress passed the "CAN-SPAM Act" (also known as the You-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state anti-spam laws). One of the provisions of the act is that there must be a legitimate physical address in the email. Spammers have long tried different tactics to get around this. In a recent court decision, the District Court in Utah determined, as one part of their opinion, that an email marketer that use...

February 20, 2024 6 minutes read Rodel Mendrez Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group. The team found Tycoon Group during a regular investigation into a phishing incident, and its distinctive method of communication to its phishing server convinced the team to further explore this active PaaS operation. Tycoon Group Tycoon Group PaaS is sold and marketed o...

February 22, 2024 2 minutes read Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous vulnerabilities inherent in the sector, especially in regard to ransomware. According to the latest report from Trustwave SpiderLabs, titled "2024 Education Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies", researchers monitored 352 ...

Alexandra Martin at VirusTotal


WeLiveSecurity

A mix of PSYOPs, espionage and … fake Canadian pharmacies! Matthieu Faou 21 Feb 2024, 14 min. read ESET products and research have been protecting Ukrainian IT infrastructure for years. Since the start of the war in February 2022, we have prevented and investigated a significant number of attacks launched by Russia-aligned groups. We have also published some of the most interesting findings on WeLiveSecurity: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine Industroyer2: In...

You would never give your personal ID to random strangers, right? So why provide the ID of your computer? Unsuspecting users beware, IP grabbers do not ask for your permission. Márk Szabó 22 Feb 2024, 6 min. read A common message that any user of a social platform like Discord might see sometimes are warnings about IP grabbers being included as links in messages on various servers. For someone who probably had never heard of IP grabbers before, they would probably not think much about it, but...

Scott Piper at Wiz

We explore “proof-of-storage" cryptocurrencies like Chia, the potential for proof-of-storage cryptojacking attacks, and steps defenders can take to detect them. Scott Piper February 21, 2024, 6 minutes read A 2021 report from Google’s Cybersecurity Action Team mentioned that in 50 compromised Google Cloud instances the...

Yelisey Bohuslavskiy and Marley Smith at RedSense