Analysis Notes

A place to note down malware analysis attempts and anything that looks useful for analysis. This site uses Google Analytics.

4n6 Week 09 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be viewed here.

THREAT INTELLIGENCE/HUNTING

Bill Stearns at Active Countermeasures

Adam at Hexacorn

Posted on 2024-03-01 by adam I was recently surprised by the fact that Windows’ nslookup.exe accepts the local config file .nslookuprc. When the program starts it resolves the environment variable HOME and then looks for a %HOME%.nslookuprc file. It then reads this config file (if it exists) line by line. More details about syntax can be found here. This entry was posted in Living off the land, LOLBins by adam.

Posted on 2024-03-03 by adam Windows Explorer is a beast. It does so many things when it starts that it hurts… Sometimes, literally. One of the things it checks during its startup routine is the comparison of the Registry value HKEY_CURRENT_USER\Control Panel\Appearance\SchemeLangID and the result of the call to GetUserDefaultUILanguage API. If they do not match, it attempts to load a ‘desk.cpl’ library and call its UpdateCharsetChanges function. So…. We can create a dodgy desk.cpl, copy explore...

Agari

O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks Posted on February 22, 2024 The majority of malicious emails reported in user inboxes contained a link to a phishing site, making credential theft emails the attack method of choice for cybercriminals in Q4. Credential theft made up nearly 60% of all reported incidents, with more than half of the volume attributed to O365 attacks. Despite the threat actor preference toward this threat type, credential theft at...

Dean Houari at Akamai

AttackIQ

Avertium

February 28, 2024 executive summary Snatch, a data extortion group also previously named Truniger after the group’s founder, has been named as a ransomware operation to watch by the U.S. Cybersecurity and Infrastructure Security Administration (CISA) and by the Federal Bureau of Investigation (FBI). The group works with many partners and affiliates, with their primary goal being financial gain via data leaks. Over the last couple of years, Snatch has demonstrated a consistent ability to evolve i...

Dave Addison at BadOosb

Fluid Fraud Hunting - Getting Something From Nothing Hunting for fraud sites from no formal information. Pivoting into exposing Australian MyGov portal fraud and shining a spotlight on a certain Russian host; home to big phishes Dave Addison Feb 28, 2024 — 5 min read When given an IOC to work with, it's fairly directional, in the sense that there is a flow to pivoting and building out surrounding information. However, if you have nothing to hunt for... where can you go and find something no one e...

Hunting For the 'Contiinued' Phish Kit We pick up something from the trash pile and figure out its phish kit family! Giving birth to a hunt query to detect Contiinued phish kit portals using URLScan Dave Addison Mar 1, 2024 — 3 min read So today... we will be dissecting the shit out of a fraud page; and figuring out how to map it to its originating phishing kit. Succeeding that, we will have a nice indicator to spot and tag them accordingly and maybe have some fun with the functionality on the w...

C2Hunt Havoc - Part Two - Finding Havoc C2 Team Servers Looking into default Teamserver profiles and how lack of modification can leave Havoc Teamservers exposed online. Dave Addison Mar 2, 2024 — 6 min read In the previous Havoc hunt post we went over a basic OPSEC fail, whereby default scripts add tags to the HTML response identifying it as a Havoc server using "X-Havoc: true". In theory this is easily overcome by a modification of the profile itself. Moving...

Bitdefender

Andrei LAPUSNEANU February 27, 2024 Here at Bitdefender, we're constantly working on improving detection capabilities for our macOS cyber-security products; part of this effort involves revisiting old (or digging up new) samples from our malware zoo. During routine verifications, we were able to isolate multiple suspicious and undetected macOS disk image files surprisingly small for files of this kind (1.3 MB per file)....

Martin Zugec February 28, 2024 Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated attacks. This ransomware attack was coordinated and impacted two separate companies simultaneously. The attack by the threat actor CACTUS began by exploiting a software vulnerability less than 24 hours after its initial disclosure. This underscores a crucial lesson ...

Joff Thyer at Black Hills Information Security

Joff Thyer The Challenge As stated in PART 1 of this blog, the Windows endpoint defense technology stack in a mature organization represents a challenge for Red Teamer initial access operations. For initial access operation success in a well-instrumented environment, we typically need to meet a minimum bar for artifact use, such that: The generated software artifact is unique to evade any static analysis detection. Windows event tracing is squelched in user mode artifact execution. Kernel call...

Amanda Berlin at Blumira

Cado Security

Himaja Motheram at Censys

CERT Ukraine

CERT-AGID

Summary of malicious campaigns in the week of 24 February – 1 March 2024 03/03/2024 Summary This week, CERT-AGID detected and analysed, within the Italian scenario it covers, a total of 16 malicious campaigns, 14 of them with Italian targets and 2 generic ones that nonetheless affected Italy, and made the 143 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the...

Check Point

Research February 28, 2024 A Shadowed Menace: The Escalation of Web API Cyber Attacks in 2024 By Check Point Research Highlights: Significant Inc...

CISA

Release Date: February 26, 2024 Alert Code: AA24-057A How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure OVERVIEW This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of t...

Release Date: February 27, 2024 Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an update to the joint advisory #StopRansomware: ALPHV Blackcat to provide new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the ALPHV Blackcat ransomware as a service (RaaS). ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector. CISA, the FBI, and HHS urge network de...

Release Date: February 29, 2024 Related topics: Cyber Threats and Advisories, Incident Detection, Response, and Prevention, Securing Networks Today, CISA and the following partners released joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways: Federal Bureau of Investigation (FBI) Multi-State Information Sharing & Analysis Center (MS-ISAC) Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) United...

Last Revised: February 29, 2024 Alert Code: AA24-060A Related topics: Cyber Threats and Advisories, Malware, Phishing, and Ransomware, Incident Detection, Response, and Prevention Actions to take today to mitigate Phobos ransomware activity: Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools. Prioritize remediating known exploited vulnerabilities. Implement EDR solutions to disrupt threat actor memory allocation techniques. SUMMARY Note: This joint Cybersecurity Advisory...

Release Date: February 29, 2024 Alert Code: AA24-060B Related topics: Cyber Threats and Advisories, Incident Detection, Response, and Prevention, Securing Networks Actions to take today to mitigate cyber threats against Ivanti appliances: Limit outbound internet connections from SSL VPN appliances to restrict access to required services. Keep all operating systems and firmware up to date. Limit SSL VPN connections to unprivileged accounts. SUMMARY The Cybersecurity and Infrastructure Security Agency...

Fabian Bader at Cloudbrothers

Fabian Bader included in Conditional Access Entra ID KQL Security Sentinel 2024-02-27 841 words 4 minutes Contents No compliant device? Big problems! Meet authentication flows in Conditional Access Create using Graph API Recommendation Identify device code usage Device Code Flow is a great feature. You are signed in on a machine that does not have any UI but need to connect to an Azure or Microsoft 365 resource? No problem, device code flow to the rescue. All major PowerShell cmdlets, the az to...

Allen Marin at Corelight


CTF导航

AsukaStealer: Analysis of a New Information-Stealing Malware Reverse Engineering / Virus Analysis 1 week ago On February 2, 2024, Cyble Research and Intelligence Labs (CRIL) discovered a malware-as-a-service (MaaS) named “AsukaStealer” advertised on a Russian-language cybercrime forum, where version 0.9.7 of its web panel was offered for USD 80 per month. AsukaStealer was first advertised on January 24, 2024 on another popular Russian forum under an alternate persona. The malware is written in C++, has flexible settings and a web-based panel, and is designed to collect information from browsers, extensions, Discord tokens, FileZilla sessions, Telegram sessions, cryptocurrency wallets and extensions, desktop screenshots, and the maFiles of the Steam Desktop Authenticator application. Some screenshots of the command-and-control (C&C) panel were shared to demonstrate the AsukaStealer malware-as-a-service (MaaS). Further research also indicates that the malware is most likely an improved version of ObserverStealer. Figure 1: AsukaStealer advertisement on the forum Observations and Analysis AsukaStealer's origin...

Cyble

Critical Infrastructure, Vulnerability February 16, 2024 Vulnerable Fortinet Devices: Low-hanging Fruit for Threat Actors Cyble analyzes the increasing incidences of vulnerabilities in Fortinet, highlighting the impact they have on Critical Infrastructure. Exposed Fortinet Devices Painting a Target on Critical Infrastructure Executive Summary In recent years, the cybersecurity landscape has been increasingly marred by the exploitation of vulnerabilities in network security devices, with Fortinet...

Malware, Stealer February 20, 2024 AsukaStealer, a Revamped Version of the ObserverStealer, Advertised as Malware-as-a-Service Cyble analyzes the resurgence of Observer stealer, as AsukaStealer under a Malware-as-a-Service model On February 2, 2024, Cyble Research & Intelligence Labs (CRIL) identified a Malware-as-a-services (MaaS) dubbed ‘AsukaStealer’ advertised on a Russian-language cybercrime forum, for which the version 0.9.7 of the web panel was offered for USD 80 per month. The AsukaSteal...

Cryptocurrency, Phishing February 26, 2024 Ongoing Phishing Campaign Targets Healthcare and Cryptocurrency Users via ScreenConnect CRIL investigates a recent phishing scheme targeting Healthcare and cryptocurrency users to deploy Connectwise ScreenConnect. Key Takeaways Cyble Research and Intelligence Labs (CRIL) detected a continuous phishing effort aimed at the cryptocurrency community and healthcare organizations in the US. The campaign’s focus on both cryptocurrency individuals and healthcar...

Announcement March 1, 2024 Cyble Chronicles – March 1st, 2024: Latest Findings & Recommendations for the Cybersecurity Community Ongoing Phishing Campaign Targets Healthcare and Cryptocurrency Users via ScreenConnect Cyble Research and Intelligence Labs (CRIL) has unearthed a sophisticated phishing campaign that specifically targets the cryptocurrency community and healthcare organizations within the United States. The modus operandi involves the distribution of ScreenConnect, a legitimate tool b...

Cyfirma

Published On : 2024-02-29 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware Target Technologies: MS Windows, Linux and MacOS Introduction CYFIRMA Research and Advisory Team has found Kuiper ransomware while monitoring various underground forums as part of our...

DomainTools

Elastic Security Labs

Ransomware in the honeypot: how we capture keys with sticky canary files This article describes the process of capturing encryption keys from ransomware using Elastic Defend ransomware protection. 23 min read Security research TL;DR Source: //twitter.com/DebugPrivilege/status/1716890625864564796 At Elastic, we have bi-annual ON Weeks, where engineers break into “hack-a-thon” teams to tackle a technical challenge voted on by the team. This article presents the outcome of yet another Elastic ON Week, ...

Ervin Zubic

Esentire

Feb 27, 2024 LockBit Ransomware Operations Might Be Down – Now What? Feb 26, 2024 Beware the Bait: Java RATs Lurking in Tax Scam Emails SECURITY ADVISORIES Feb 21, 2024 ConnectWise ScreenConnect Exploitation THE THREAT On February 20th, ConnectWise confirmed that two recently disclosed ScreenConnect vulnerabilities are now under active exploitation. The vulnerabilities are currently tracked as… Feb 09, 2024 Volt Typhoon Activity THE THREAT On February...

FBI

Fortinet

By Shunichi Imano and Fred Gutierrez | February 26, 2024 Article Contents By Shunichi Imano and Fred Gutierrez | February 26, 2024 On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomwar...

By Carl Windsor | February 27, 2024 In today’s dynamic threat environment, staying informed and proactive is crucial for any organization seeking to protect its networks. The FortiGuard Labs Outbreak Alerts Annual Report 2023 is a comprehensive resource that delves into real-world examples of attacks across diverse verticals, offering valuable insights into the most significant cyberattacks of 2023 and critical information that organizations can use to evaluate their cybersecurity posture. Key T...

g0njxa

Nati Tal and Oleg Zaytsev at Guardio

Harfanglab


Huntress

SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained By Team Huntress February 26, 2024 The “exploit” is trivial and embarrassingly easy. ...

BlackCat Ransomware Affiliate TTPs By Harlan Carvey February 28, 2024 Background On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/B...

Attacking MSSQL Servers, Pt. II By Team Huntress February 29, 2024 The Attack On February 8, 2024, Huntress published the first Attacking MSSQL Servers blog post. On February 23, a Huntress SOC analyst observed similar activity asso...

Michael Zuckerman at Infoblox

The 2024 Healthcare Cyber Trend Research Report February 29, 2024 We are pleased to announce the release of our 2024 Healthcare Cyber Trend Research Report. Please download your copy here. This analysis offers insights into the latest cyber threats targeting the healthcare industry within the United States during calendar year 2023. Recognizing the critical need for timely intelligence to protect patient data and healthcare operations, we share our research and perspectives on emerging cyber attac...

Nick Chalard at InQuest

Intel-Ops

David Cohen at JFrog

By David Cohen, Senior Security Researcher February 27, 2024 13 min read In the realm of AI collaboration, Hugging Face reigns supreme. But could it be the target of model-based attacks? Recent JFrog findings suggest a concerning possibility, prompting a closer look at the platform’s security and signaling a new era of caution in AI research. The discussion on AI Machine Language (ML) models security is still not widespread enough, and this blog post aims to broaden the conversation aroun...

KELA Cyber Threat Intelligence


Bert-Jan Pals at KQL Query

Bert-Jan Pals included in KQL Sentinel Defender For Endpoint Detection Engineering 2024-02-29 1824 words 9 minutes The recent ScreenConnect vulnerability (CVE-2024-1709 & CVE-2024-1708) showed once more why it is so important to detect post-exploitation behaviour. @Huntress described in a detailed way which behaviour was identified, more on that is shared on their blog: SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708). The most important takeaway is menti...

Mandiant

Blog Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts Matt Lin, Robert Wallace, Austin Larsen, Ryan Gandrud, Jacob Thompson, Ashley Pearson, Ashley Frazer Feb 27, 2024 17 min read Incident Response, Threat Intelligence, Zero Day Threats, China Mandiant and Ivanti's investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Following the initial publi...

Blog When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors Ofir Rozmann, Chen Evgi, Jonathan Leathery Feb 27, 2024 13 min read Threat Intelligence, Iran, espionage Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania. Mandiant attribut...

Rémi Pointel at MISP


Monty Security

Michael Dereviashkin at Morphisec

Posted by Michael Dereviashkin on February 26, 2024 Morphisec Threat Labs recently discovered multiple indicators of attacks leading to threat actor, UAC-0184. This discovery sheds light on the notorious IDAT loader delivering the Remcos Remote Access Trojan (RAT) to a Ukrainian entity based in Finland. Introduction This blog explores the broader execution course of the attack, emphasizing key unique aspects including usage of the IDAT loader and targeting of the Ukraine entity in Finland....

Nasreddine Bencherchali

Orange Cyberdefense

Mail in the Middle – A tool to automate spear phishing campaigns Reading time ~15 min Posted by Felipe Molina on 26 February 2024 Categories: Phishing, Tool, Typosquatting Context In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R), and myself (@felmoltor) were on a red team. This one was tough, but we had fun. We had to be a bit more creative than I am used to and two interesting things were done that are worth sharing: Szymon and Jason physi...

Ovi Liber

RE:archive | APT37's ROKRAT HWP Object Linking and Embedding Ovi Mar 1, 2024 Please note: The sample covered in this report is from 2022. I have covered this sample for archiving purposes and it does not pertain to a known recent threat campaign, though the techniques covered may still apply. RE:archive This project aims to cover the reverse engineering of malware and exploits of historic or prior campaigns by APT groups. Of course, where possible, I want to cover malware and exploits of current samp...

Palo Alto Networks

Prodaft

Combating Insider Threats - Detection, Prevention, and Implementation By PRODAFT Team on February 27, 2024 According to the CISO survey 2023, insider threats came in second, causing 30% of cybersecurity risks to organizations globally. As remote work models become more prevalent worldwide, insider threats are becoming more frequent. An insider might be part of this organization or have a link...

Matthew Green at Rapid7

Feb 29, 2024 7 min read Matthew Green Last updated at Thu, 29 Feb 2024 17:32:12 GMT UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and c...

Ben Webb at Recon Infosec

Ben Webb By now it’s old news that the LockBit Ransomware as a Service (RaaS) company has been “disrupted” by law enforcement, there have been several good articles detailing the specifics. Servers have been seized (though maybe not all of them), two people have been arrested and indictments have been unsealed for others. A new decryption tool has even been released, which may provide relief for at least some of the victims. LockBit was well known to be the largest and most sophisticated of the ...

Recorded Future

Posted: 1st March 2024 By: Insikt Group® New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Notably, this is the first identification of Predator customers in Botswana and the Philip...

Red Alert

Monthly Threat Actor Group Intelligence Report, December 2023 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 November 2023 to 20 December 2023. In December, activities by a total of 36 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 29%, followed by SectorJ and SectorC groups. Threat Actors identified in December carried out the highest numb...

ReliaQuest

Robin Dimyan

SANS Internet Storm Center

Utilizing the VirusTotal API to Query Files Uploaded to DShield Honeypot [Guest Diary] Published: 2024-02-25 Last Updated: 2024-02-26 01:13:50 UTC by Guy Bruneau (Version: 1) 0 comment(s) [This is a Guest Diary by Keegan Hamlin, an ISC intern as part of the SANS.edu BACS program] Part of the SANS undergraduate program is a 20-week internship with the SANS Internet Storm Center. During that time, interns are tasked with setting up a DShield sensor to act as a honeypot, capturing data and generati...

Take Downs and the Rest of Us: Do they matter? Published: 2024-02-27 Last Updated: 2024-02-27 17:19:25 UTC by Johannes Ullrich (Version: 1) 0 comment(s) Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)" [1]. The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this...

Exploit Attempts for Unknown Password Reset Vulnerability Published: 2024-02-28 Last Updated: 2024-02-28 14:36:16 UTC by Johannes Ullrich (Version: 1) 4 comment(s) My Google skills let me down this morning, attempting to figure out which vulnerability is exactly being exploited by these "forgotuserpassword.action" scans. Maybe someone else can help me out here. Based on the scans, I do not believe this is a "normal" password reset vulnerability. Atlassian's Confluence is one suspect using a URL ...

[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service. Published: 2024-02-29 Last Updated: 2024-02-29 01:41:25 UTC by John Moutos, SANS BACS Student (Version: 1) 1 comment(s) [This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1]. Intro From a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to...

Scanning for Confluence CVE-2022-26134 Published: 2024-03-01 Last Updated: 2024-03-01 00:21:20 UTC Tags: Confluence, CVE-2022-26134, scan, DShield (Version: 1) 0 comment(s) I have added daemonlogger [1] for packet capture and Arkime [2] to visualize the packets captured by my DShield sensor and started noticing this activity that has so far only gone to TCP/8090 and is URL and base64 encoded. The DShield sensor started capturing this activity on 12 February 2024 inbound from various IPs from variou...

Marc Brown at Scythe

Marc Brown 5 min. read 26 Feb 2024 It's not news to anyone reading this blog that the cyber landscape is rapidly changing. Digital threats are becoming more sophisticated and pervasive, and organizations are constantly seeking innovative approaches to bolster their defenses. As a side effect, insurance companies grapple with more claims, uneasiness, and ...

Securelist

Malware reports 26 Feb 2024 Table of Contents: The year in figures; The year’s trends; Mobile threat statistics; Distribution of detected installation packages by type; TOP 20 most frequently detected mobile malware programs; Region-specific malware; Mobile banking Trojans; Mobile ransomware Trojans; Conclusion Authors: Anton Kivva The figures above are based on detection statistics received from Kaspersky users who consented to sharing usage data with Kaspersky Security Network. The data for years pr...

D. Iuzvyk, T. Peck, and O. Kolesnikov at Securonix

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov tldr: In order for malware to successfully infect its target, code obfuscation passed into cmd.exe is frequently used. Let’s look at some real-world examples of what threat actors are doing, and how they can be detected. Last year we touched on how threat actors leverage PowerShell and how code can be obfuscated to avoid detection. Recently, the Securonix Threat Research team has been monitoring a trend known...

Sekoia

SentinelOne

February 26, 2024 by Matthew Pines & Dakota Cary Last week, PinnacleOne collaborated with SentinelLabs to unpack the leak of internal files from a firm (I-Soon) that contracts with Chinese government security agencies to hack global targets. In this ExecBrief, we examine how I-Soon (上海安洵) fits into the larger Chinese hacking ecosystem and highlight key implications for business leaders. Please subscribe to read future issues— and forward this newsletter to your colleagues to get them to sign...

February 27, 2024 by Jim Walter February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks. In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always w...

Simone Kraus

SOCRadar

Dark Web Profile: Patchwork APT Feb 27, 2024 9 Mins Read Contents: Who is Patchwork APT; Victimology; Technical Capabilities and Tools; Mitigations and Defense; MITRE ATT&CK TTPs of Patchwork APT; Latest IoCs related to Patchwork APT. The Patchwork APT group, identified in December 2015 but probably active since 2009, is a cyber espionage entity suspected to be based in India. It targets a variety of high-profile entities, including government, defense, and diplomatic organizations, primarily in ...

DarkGate Malware: Exploring Threats and Countermeasures Feb 29, 2024 10 Mins Read Contents: DarkGate Emergence; Attack Overview of DarkGate; Recent Microsoft Teams Campaign; Impact of DarkGate Malware; Mitigation Measures; Conclusion. As we get increasingly digitized, the threat posed by malware has reached unprecedented levels in parallel. From individual users to large corporations, no entity is immune to the detrimental effects of malicious software. Among the vast array of threats lurking in ...

Mar 01, 2024 12 Mins Read Contents: A Rising Trend: Business Email Compromise (BEC) Attacks; The Weakest Link in the Chain: Humans; BEC Cashout Methods; Manipulating Emotions: The Key Strategy in Business Email Compromise (BEC) Attacks; Preventing Business Email Compromise (BEC) Attacks: A Multilayered Approach; How does threat intelligence help organizations tackle BEC attacks?; You are not alone, power your organization’s security posture with SOCRadar’s Extended Threat Intelligence. Business E...

What is YARA, YARA v4.5.0 and YARA-X Mar 01, 2024 9 Mins Read Contents: YARA: A Foundation of CTI; YARA 4.5.0: What's New?; YARA-X: The Rust Implementation; Conclusion. Effective threat detection and analysis are essential for safeguarding digital assets in cybersecurity. YARA stands as a key tool in the arsenal of cybersecurity professionals, enabling analysts to identify and mitigate threats efficiently. As a rule-based malware detection and classification tool, YARA plays a pivotal role in C...

Splunk

By Akash Kadakia Identifying bad actors within your organization often feels like a complicated game of hide and seek. A common comparison is that it's akin to finding a needle in a haystack. So, if the bad actor represents the 'needle' and your organization the 'haystack,' how would you uncover these bad actors? Perhaps the quickest way to find the needle is by burning the haystack. Alternatively, dumping the hay into a pool of water and waiting fo...

By Teoderick Contreras Recently, the cybersecurity world has been abuzz with discussions about Phemedrone, a newly emerged stealer exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. The project was most recently available on GitHub; however, the project was taken down, and the associated account was removed. Active development still occurs via Telegram. Phemedrone distinguishes itself as a sophisticated stealer, a...

Ben Martin at Sucuri

Nigel Douglas at Sysdig

System Weakness

Teri Radichel

Trend Micro

During our monitoring of Earth Lusca, we noticed a new campaign that used Chinese-Taiwanese relations as a social engineering lure to infect selected targets. By: Cedric Pernet, Jaromir Horejsi February 26, 2024 Introduction Trend Micro previously published a number of entries discussing the operations of a China-linked threat actor we track as Earth Lusca. The group, which has been active since at least 2020 and has regularly changed its modus operand...

This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry. By: Ian Kenefick, Junestherry Dela Cruz, Peter Girnus February 27, 2024 On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software...

Edwin David at TrustedSec

February 27, 2024 Weaponization of Token Theft – A Red Team Perspective Written by Edwin David Cloud Penetration Testing Office 365 Security Assessment This blog is the start of several deep dives into the weaponization of token theft. The focus of this blog will be on conditional access around devices and attacker behavior on compromising Microsoft 365 users. Ultimately, some conditions will give us persistent access to a user and a targeted device of our choosing for 90 days.1 Enterprise Devic...