Analysis Notes

A place to record notes on malware analysis I have tried and on things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 12 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was generated and posted automatically to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be viewed here.

THREAT INTELLIGENCE/HUNTING

Adam Goss

Adam Goss 18 March 2024 What if I told you there was a system that allowed you to structure your intelligence gathering, manage your data sources, and guide your team to answers during investigations… would you believe me? Well, let me introduce you to the idea of a Collection Management Framework – a structured approach to organizing your data. This article details what a Collection Management Framework is and the major benefits it can provide your entire security team, from incident responders...

Any.Run

March 18, 2024, 11 min read. Malware Analysis: AsukaStealer: The Next Chapter in ObserverStealer’s Story. The following research was conducted by Anna Pham, also known as RussianPanda, a Senior Threat I...

March 19, 2024, 7 min read. Cybersecurity Lifehacks: Threat Intelligence Lookup: Combined Search for Precise Investigations. Do you struggle to connect the dots between multiple artif...

March 20, 2024, 4 min read. A New Phishing Campaign Deploys STRRAT and VCURMS via GitHub. There’s a new phishing campaign delivering STRRAT and VCURMS Remote Access Trojans through a malic...

March 21, 2024, 5 min read. Cybersecurity Lifehacks: What is Global Threat Intelligence. Global threat intelligence refers to information about emerging and persistent cybersecurity threats from around the world. ANY.RU...

Avertium


Barracuda

Mar. 21, 2024 | Christine Barry. Cactus ransomware doesn't get enough attention. This threat group doesn’t have the longevity of LockBit or the resources of Volt Typhoon, but it certainly makes the most of what it does have. In the twelve months since Cactus was first observed attacking large commercial entities, this threat actor has successfully attacked some of the largest companies in the United States, Italy, the United Kingdom, Switzerland, and Fr...

BI.Zone

Bishop Fox

By: Sebastian Guerrero. Continuous Integration and Continuous Deployment (CI/CD) pipelines have revolutionized how software is developed and deployed, enabling organizations to deliver updates and new features with unprecedented speed and efficiency. However, this acceleration has not gone unnoticed in the security industry and, recognizing the value and importance of CI/CD pipelines in software development, attackers are constantly searching for new methods to infiltrate these systems and ...

By: Bishop Fox, Security Consultants. In February, the cybersecurity community was provided with an unauthorized public information disclosure that gave an unprecedented look into some adversarial tools and tactics leveraged by the Chinese government, as well as specific campaigns and capabilities deployed against international companies and governments. The data came from a private Chinese company called iSoon, also known as Auxun, which sold its tools and services to multiple Chinese gove...

Blumira

Brad Duncan at Malware Traffic Analysis

2024-03-19 (TUESDAY): DARKGATE INFECTION. NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_darkgate-unit42threatintel-timelythreatintel-activity-7176227299975946241-o6qb ; //twitter.com/Unit42_Intel/status/1770461681145061378 . ASSOCIATED FILES: 2024-03-19-IOCs-from-DarkGate-infection.txt.zip 1.7 kB (1,743 bytes); 2024-03-19-DarkGate-infection-traffic.pcap.zip 810 k...

Cado Security

CERT-AGID

Summary of malicious campaigns in the week of 16 – 22 March 2024. 22/03/2024, summary. This week, CERT-AGID identified and analysed, within the Italian scenario it covers, a total of 31 malicious campaigns, 22 of them with Italian targets and 9 generic ones that nonetheless affected Italy, making the related 251 indicators of compromise (IOC) available to its accredited entities. Below we report the details of the types ...

Check Point

CISA

Release Date: March 19, 2024. Today, CISA, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other U.S. and international partners are issuing a joint fact sheet, People’s Republic of China State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders. Partners of this publication include: U.S. Department of Energy (DOE), U.S. Environmental Protection Agency (EPA), U.S. Transportation Security Administration (TSA), U.S. Department of Treasury, Australian Signa...

Release Date: March 21, 2024. Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques: Volumetric, attacks aiming to consume available ba...

Asheer Malhotra, Holger Unterbrink, Vitor Ventura, and Arnaud Zobec at Cisco’s Talos

By Asheer Malhotra, Holger Unterbrink, Vitor Ventura, Arnaud Zobec. Thursday, March 21, 2024 09:08. Tags: APT, Turla, malware, SecureX. Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate thr...

Corelight

Hunt of the Month: Detecting AsyncRAT Malware Over HTTPS. March 20, 2024, by Corelight Labs Team. All code discussed in this blog can be pulled from //github.com/corelight/zeek-asyncrat-detector . Malware often hides communications with its command and control (C2) server over HTTPS. The encryption in HTTPS usually conceals the compromise long enough for the malware to accomplish its goal. This makes detecting malware that uses HTTPS challengin...

CTF导航

New technique! APT28's latest backdoor has a large number of controlled mailboxes built in (which can be logged into successfully) for stealing data. APT, 5 days ago, admin. Article first published at: //xz.aliyun.com/t/14123 . Original author: T0daySeeker. Overview: Recently, while browsing threat intelligence online, the author noticed that the US security company SecurityScorecard published a white paper on 5 March 2024 titled "A technical analysis of the APT28's backdoor called OCEANMAP", which describes in detail the OCEANMAP backdoor used by the APT28 group. The report is not long and consists entirely of descriptions of OCEANMAP's functionality, so the author read through it quickly. Having read it, the author took some interest in the OCEANMAP backdoor and, together with other research found online, came to understand why SecurityScorecard would publish a dedicated white paper on it: according to the sample analysis results, the backdoor's overall functionality is not especially complex, it is written in C#, and it is not very hard to analyse; according to online research, the OCEANMAP backdoor was reported by Ukraine's national comp...

Cyfirma

Published On: 2024-03-22. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Introduction: CYFIRMA Research and Advisory Team has found Wing ransomware as a service while monitoring various underground forums as part of our Thr...

Eclypsium

Elastic Security Labs

Unveiling malware behavior trends: Analyzing a Windows dataset of over 100,000 malicious files. 8 min read, Security research. Preamble: When prioritizing detection engineering efforts, it's essential to understand the most prevalent tactics, techniques, and procedures (TTPs) observed in the wild. This knowledge helps defenders make informed decisions about the most effective strategies to implement - especially where to focus engineering efforts and finite resources. To highlight these prevalent TTPs, w...

Ervin Zubic

Andrew Bentle at Expel

Security operations · 7 MIN READ · ANDREW BENTLE · MAR 21, 2024 · TAGS: MDR / Tech tools Here’s your copy of a helpful log guide to make life easier for analysts. As you can imagine, the Expel security operations center (SOC) uses a lot of logs. So we pulled them all together into a handy quick reference guide for our analysts. Then we decided it might be nice if we shared the list with our readers. Enjoy. Web Access Logs Access logs record the http web requests sent to a web server. They’re the...

g0njxa

Justin Timothy, Jason Baker, and Drew Schmitt at GuidePoint Security

Ian Shefferman at Trellix

Infoblox

DNS Early Detection – Cobalt Strike DNS C2. March 22, 2024. DNS Early Detection – Proof of Value Study. In this blog, we present a proof of value study demonstrating the value of detecting attempted DNS exfiltration and Command and Control (C2) communications. Our focus is on two anonymized customers: a large e-commerce/retail company (Customer #1) and an educational institution (Customer #2). This study shows how the use of both our Suspicious Domain feeds and our Threat Insight capability that insp...

Julien Houry at Airbus

On 2024-03-14 by Julien Houry, Incident Responder, Cybersecurity. Uncovering Cyber Intruders: A Forensic Deep Dive into NetScan, Angry IP Scanner, and Advanced Port Scanner. The use of network scanners with a graphical user interface has been observed in a number of former IR engagements conducted by our CSIRT. Discover how operators use these tools to map networks and minimize detection. Summary / Introduction: The use of network scanners with a graphical user interface (GUI) has been observed in a n...

Kaido Järvemets at Kaido Järvemets

Streamlining Windows Server Security: A Deep Dive into Sentinel’s Common Event IDs. Kaido Järvemets, March 19, 2024. Introduction: For those utilizing Microsoft Sentinel, it’s important to have a clear understanding of the event logs you are collecting. The spreadsheet I have developed is a practical tool that enables both consultants and customers to quickly identify which event IDs are included in the Microsoft Sentinel Common Events package. This clarity is crucial when setting up Windows Servers ...

KELA Cyber Threat Intelligence

They say imitation is the sincerest form of flattery. If that’s the case, some ransomware-as-a-service (RaaS) threat actors must be feeling seriously good about themselves lately. With ransomware operations hitting the headlines, and the global cost of ransomware damage predicted to hit $231B by 2031, threat actors are increasingly creating fake operations, often leveraging the fame of other actors to get more attention to their own activities in order to get a slice of the action. What’s in a N...

Raúl Redondo at Lares Labs

Kerberos I - Overview. This post is the first in the series and will aim to provide an overview of the protocol, from its beginnings to the different (ab)use techniques. Raúl Redondo, Mar 19, 2024 • 13 min read. Contents: The three-headed dog is back in business; Kerberos, again; Brief History of Kerberos; Kerberos 101; Kerberos concepts; Encryption types; Wireshark & Kerberos decryption; Kerberos Authenticatio...

Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, and Austin Larsen at Mandiant

Blog: Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect. Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen. Mar 21, 2024, 14 min read | Last updated: Mar 22, 2024. Incident Response, Threat Intelligence, China, Vulnerabilities. During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionall...

Mehmet Ergene

Michael Haag

Microsoft Security


Palo Alto Networks

4 min. read. By Unit 42, March 19, 2024 at 3:00 AM. Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, Cloud-Delivered Security Services, Cortex XDR, Cortex XSIAM, DNS security, next-generation firewall, Smoke Loader, Spear Phishing, UAC-0006, Ukraine. Executive Summary: This article announces the publication of our first collaborative effort with the State Cyber Protection Centre o...

12 min. read. By Tom Fakterman, Daniel Frank and Jerome Tujague, March 21, 2024 at 3:00 AM. Category: Malware. Tags: Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, backdoor, Cortex XDR, Cortex XSIAM, Curious Serpens, DNS security, Iran, next-generation firewall, Prisma Cloud. Executive Summary: This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliat...

8 min. read. By Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya and Vishwa Thothathri, March 22, 2024 at 3:00 AM. Category: Malware. Tags: Advanced Threat Protection, Advanced WildFire, Cloud-Delivered Security Services, Cortex XDR, credential stealer, Malspam, next-generation firewall, Sandbox, StrelaStealer. Executive Summary: StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server...

Proofpoint

Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. March 21, 2024. Joshua Miller and the Proofpoint Threat Research Team. What happened: Proofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as MuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a pay-related social engineering lure to target Israeli employees at large multinational organizations. TA450 is known for targetin...

Digvijay Mane at Quick Heal

By Digvijay Mane, 22 March 2024, 6 min read. In our high-tech world, sneaky cyber threats can pop up anywhere. Lately, we’ve spotted sneaky malware on Android phones spreading through fake WhatsApp messages. These messages pretend to be from the government, but they’re hiding something nasty inside. Cybercriminals have cleverly utilized the notification system of the government’s traffic department to spread their malicious software. We’ve encountered several instances of these deceptive ...

Rapid7

Mar 20, 2024, 9 min read. Rapid7. Last updated at Thu, 21 Mar 2024 13:20:04 GMT. Co-authors are Christiaan Beek and Raj Samani. Within Rapid7 Labs we continually track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse. Our team recently ran across some interesting activity that we beli...

Mar 21, 2024, 2 min read. Rapid7. Last updated at Thu, 21 Mar 2024 23:41:49 GMT. Co-authors are Robin Long and Raj Samani. Considerable focus within the cybersecurity industry has been placed on the attack surface of organizations, giving rise to external attack surface management (EASM) technologies as a means to monitor said surface. It would appear a reasonable approach, on the premise that a reduction in exposed risk related to the external attack surface reduces the likelihood of compromise and p...

Recorded Future

Posted: 19th March 2024. By: Insikt Group®. New research from Recorded Future’s Insikt Group outlines a collaborative investigation by threat intelligence analysts and R&D engineers into the potential malicious uses of artificial intelligence (AI) by threat actors. They experimented with a variety of AI models, including large language models, multimodal image models, and text-to-speech models, without any fine-tuning or additional training, to mimic the resources threat actors might realistically ...

Posted: 20th March 2024. By: Insikt Group®. New Insikt Group Research provides updated insights on the recent i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese IT and cybersecurity company, shed light on China's state-sponsored cyber espionage operations. The leak is significant as it reveals the connections between i-SOON and several Chinese state-sponsored cyber groups such as RedAlpha, RedHotel, and POISON CARP, indi...

Posted: 21st March 2024. By: Insikt Group®. New Insikt research examines 2023, a year of unexpected outcomes and escalating cybersecurity threats. Throughout the year, cyber threat actors exploited the prevailing chaos to steal data, conduct espionage, and disrupt geopolitics, an example being nation-states like China targeting Taiwanese semiconductor firms. Additionally, the text highlights the rise in exploitation of "as-a-service" enterprise software and shared cloud infrastructure, which led to ...

Red Alert

Activity of Hacking Group Targeted Financial Industry in 2023 (KOR). Overview: The NSHC Threat Research Lab analysed information on the hacking activities of hacking groups that targeted the financial industry in 2023. This report describes the analysis of activity information for hacking groups that carried out hacking activity against industries classifiable as the financial sector: banks (Bank), finance-related companies and institutions (Finance), and insurance (Insurance). Hacking group activity statistics: In 2023, activity by a total of 34 hacking groups was confirmed; among the top five, the SectorJ group, a cybercrime group operating in online virtual space, accounted for the largest share at 60%, followed by the SectorA and SectorB groups. Unlike other government-sponsored hacking groups, the SectorJ group pursues assets of monetary va...

Red Canary

Salim Salimov

SANS Internet Storm Center

Whois "geofeed" Data. Published: 2024-03-21. Last Updated: 2024-03-22 19:54:31 UTC, by Johannes Ullrich (Version: 1). Attributing a particular IP address to a specific location is hard and often fails miserably. There are several difficulties that I have talked about before: Out-of-date whois data, data t...

1768.py's Experimental Mode. Published: 2024-03-23. Last Updated: 2024-03-23 09:15:52 UTC, by Didier Stevens (Version: 1). The reason I extracted a PE file in my last diary entry, is that I discovered it was the dropper of a Cobalt Strike beacon @DebugPrivilege had pointed me to. My 1768.py tool crashed on the process memory dump. This is fixed now, but it still doesn't extract the configu...

Securelist

Industrial threats, 19 Mar 2024. Authors: Kaspersky ICS CERT. Global statistics across all threats: In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%. ...

Malware reports, 20 Mar 2024. Authors: GReAT. Introduction: Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023’s most resonant attacks was Operation Triangulation, targeting iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals. Last month, we wrote a total of four priva...

Security Intelligence

Critical infrastructure is under attack in almost every country, but especially in the United Kingdom. The UK was the most attacked country in Europe, which is already the region most impacted by cyber incidents. The energy industry is taking the brunt of those cyberattacks, according to IBM’s X-Force Threat Intelligence Index 2024. The energy sector is a favorite target for threat actors. The complexity of systems and the reliance on legacy OT systems make them easy prey. Because of the critica...

Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses. Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations. Ransomware negotiators possess a unique blend of technical expertise, psychological...

Securonix

Threat Research. By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov. tldr: The Securonix Threat Research team has uncovered an elaborate multi-stage attack campaign likely associated with the North Korean Kimsuky group. The Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU likely associated with the Kimsuky group, which features some new code/stagers as well as some recycled code and TTPs that were reported in the past. While the target...

Simone Kraus

SOCRadar

Mar 18, 2024, 5 Mins Read. Binance Stealer Logs, Exodus Botnet, Instagram 0-day Exploit, and Database Sales. Explore the most recent dark web threats identified by SOCRadar’s Dark Web Team. From the exposure of Binance user stealer logs to the availability of the Exodus Botnet tool, the digital under...

Mar 18, 2024, 12 Mins Read. Analysis of Stealer Logs within the Entertainment Industry. Stealer logs – databases of stolen information that vividly depict compromised security – are one of the man...

Mar 18, 2024, 15 Mins Read. Dark Web Profile: ShinyHunters. Within the obscured world of the Deep/Dark Web, where cybercrime flourishes amidst databases, initial ...

Mar 22, 2024, 7 Mins Read. Dark Web Profile: RansomHub. A new threat actor has emerged in the ransomware landscape, distinguishing themselves by making claims and backing them up with data leaks. In February 2024, RansomHub posted its first victim, the Brazilian company YKP. Since then, they have made 17 additional claims, although their leak site currently lists only 14 victim...

Mar 22, 2024, 2 Mins Read. Cybersecurity in the Skies: SOCRadar Aviation Industry Threat Landscape Report. The digital age has brought many wonders, including making air travel easier and more efficient than ever before. But, just like on the ground, the skies are not free from dangers – cyber dangers, to be precise. The “SOCRadar Industry Threat Landscape Report – Aviation” peels back the curtain on th...

Jonas Bülow Knudsen at SpecterOps

Sophos

What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special Report. Written by Lee Kirkpatrick, March 20, 2024. Security Operations, Threat Research. Remote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connecti...

Is it really that risky to expose an RDP port to the internet? What if you change the default port? What if it’s just for a little while? The data answers, loud and clear. Written by Lee Kirkpatrick, March 20, 2024. Security Operations. Is it honestly so bad to expose a server with RDP to the internet? In order to find out, we did just that. For science, we stood up a server, exposed RDP to the internet, and walked away for 15 days. When...

Where in the world is your attacker? Presenting a less-known but useful event to look for in your logs. Written by Lee Kirkpatrick, March 20, 2024. Security Operations. Most defenders are familiar with how to find and look for suspicious RDP lateral movement, whether that means looking based on known-compromised users or on an alert from antimalware or EDR protections associated with a specific user. You’re starting to pivot from the ini...

How can defenders begin to make sense of RDP issues on their networks? We present three powerful tools for investigators’ toolkits. Written by Lee Kirkpatrick, March 20, 2024. Security Operations. Since investigators see so many RDP artifacts in the course of incident responses, they’ve naturally evolved a few favorite tools to seek out such activity. In this article, we’ll look broadly at some of the options open to defenders. In the fi...

Keeping an eye on who’s trying to get onto your network – whether or not they’re successful – can pay off on multiple fronts. Written by Lee Kirkpatrick, March 20, 2024. Security Operations. The 4624_4625 login events query provides defenders, specifically analysts, with a useful tool for both identifying successful RDP logins (Windows Security Log Event 4624) and failed attempts (Windows Security Log Event 4625). These events can be gen...

On the hunt for successful RDP connections that have entered your network from outside? A step-by-step guide (and a query to get you started). Written by Lee Kirkpatrick, March 20, 2024. Security Operations. The function of the RDP Logins from External IPs.sql query is fairly self-explanatory, based on the name. In this post, we’ll use it to look for successful RDP connections that have taken place from external IP addresses – that...

Trend Micro

Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa. By: Joseph C Chen, Daniel Lunghi, March 18, 2024. Introduction: Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and...

CVE-2024-27198 and CVE-2024-27199 are vulnerabilities within the TeamCity On-Premises platform that can allow attackers to gain administrative control over affected systems. By: Junestherry Dela Cruz, Peter Girnus, March 19, 2024. On March 4, 2024, JetBrains disclosed two critical vulnerabilities — CVE-2024-27198 and CVE-2024-27199 — within the TeamCity On-Premises platform that allow attackers to bypass authentication measures and gain administrative co...

Trustwave SpiderLabs

March 20, 2024, 3 minutes read. Criminals have historically been quick to embrace cutting-edge technology for their financial gain. For instance, the notorious bank robbers Bonnie and Clyde utilized high-powered V-8 engine-equipped Ford cars to outpace local law enforcement. Other criminal groups leveraged telephones to coordinate their activities, while some recognized the advantage of wielding Thomson submachine guns to outgun security personnel and police. In a similar vein, it’s unsurprising t...

Wiz

Sailing Securely Across the SDLC: Introducing Wiz's Image Trust and Kubernetes Audit Log Collector. Secure your applications across the SDLC by deploying only trusted images and monitoring your Kubernetes control plane in near-real time to detect potential threats. Ofir Cohen, Nicolas Ehrman, March 18, 2024, 4 minutes read. Containerized applications are the new norm for organizations of all sizes, driving innovation, agility, and scalability. Developer speed has accelerated dramatically, e...

Wiz presents a comprehensive guide to mastering cloud security at financial services organizations. Wiz Team, March 21, 2024, 2 minutes read. We're excited to announce the release of "The Financial Services Cloud Security Playbook," a practical guide that aims to aid in transforming and scaling security teams and processes to support cloud development. The playbook is designed to provide strategies and recommendatio...