解析メモ

マルウェア解析してみたり解析に役に立ちそうと思ったことをメモする場所。このサイトはGoogle Analyticsを利用しています。

4n6 Week 13 – 2024 - THREAT INTELLIGENCE/HUNTING

本エントリは This Week in 4n6 (FourAndSix=Forensics) で紹介された各記事の冒頭を表示し、チェックする記事をザッピングするために自動生成&投稿したものです。4n6 は こちら からご確認いただけます。

THREAT INTELLIGENCE/HUNTING

Aaron Goldstein at Todyl

Aaron GoldsteinMarch 27, 2024Of the many attack vectors and techniques today’s organizations face, few are more inconspicuous than Living-off-the-Land attacks. These in-memory attacks leverage existing binaries, scripts, or tools within an operating system to carry out malicious activities. As a result, LOLBAS attacks can go unnoticed because they blend in with legitimate system activities and leave little to no artifacts. Digging deeper into LOLBAS The driving force behind LOLBAS is the misus...

Aaron GoldsteinMarch 28, 2024When considering cybersecurity threats, it’s just as important to think about how an attacker breaches a network as it is to evaluate what information they might be targeting. One method for initial access that is particularly devious is the use of Visual Basic for Applications (VBA) macros in Microsoft Office products. VBA is the language Microsoft uses to enhance its software through customizable automation and scripting. Given Microsoft’s dominance in the oper...

Adam Goss

Allan Liska at ‘Ransomware Sommelier’

ransomwaresommelier.comCopy linkFacebookEmailNoteOtherRansomware Attacks Against Local Governments AcceleratingErrr...well, continuing to accelerate. Allan LiskaMar 30, 2024Share this postRansomware Attacks Against Local Governments Acceleratingransomwaresommelier.comCopy linkFacebookEmailNoteOtherShareAs I write this, there have been 54 publicly reported ransomware attacks against state and local governments around the world in 2024. The publicly reported part is important because the real numb...

Anton Chuvakin

Avertium

March 27, 2024 executive summary Since 2019, Phobos ransomware has targeted critical infrastructure sectors, with attacks resulting in the successful encryption of data and ransom demands totaling millions of dollars. Phobos operates as a ransomware-as-a-service (RaaS) model, facilitating various extortion campaigns that cause significant financial harm to victims. A recent advisory issued by several U.S. cybersecurity and intelligence agencies, including the Federal Bureau of Investigation (FBI...

BI.Zone

Terry Reese at Black Hills Information Security

| Terry Reese While social engineering attacks such as phishing are a great way to gain a foothold in a target environment, direct attacks against externally exploitable services are continuing to make headlines. In this blog, we’ll cover things you can do to better protect externally exposed network resources. If you haven’t reviewed your external footprint in some time, this is a good read to help you examine your current configurations and give you some ideas on better securing external infra...

Brad Duncan at Malware Traffic Analysis

2024-03-26 (TUESDAY): GOOGLE AD LEADS TO MATANBUCHUS INFECTION WITH DANABOT NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_malvertising-matanbuchus-danabot-activity-7178753900911480833-JlSx //twitter.com/Unit42_Intel/status/1772988284571877807 ASSOCIATED FILES: 2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt.zip 3.0 kB (3,006 bytes) 2024-03-26-Mat...

CERT-AGID

Campagna di Phishing Outlook rivolta alle PA 26/03/2024 outlook Email di phishing Il CERT-AgID è stato informato di una campagna attiva mirata alle Pubbliche Amministrazioni, finalizzata al furto delle credenziali di accesso agli account di posta elettronica MS Outlook. Gli aggressori, camuffandosi da dipartimenti HR o contabilità aziendali, stanno inviando email fraudolente che promettono aggiustamenti salariali o accessi a buste paga elettroniche, nel tentativo di sottrarre credenziali di acce...

Agenzia delle Entrate – Punto Fisco: Campagna di Phishing mirata al furto di credenziali e Matrici di sicurezza 25/03/2024 Agenzia Entrate PuntoFisco Siatel Pagina di phishing Il CERT-AGID ha rilevato l’esistenza di una pagina di phishing mirata agli utenti di Siatel v2.0 – PuntoFisco dell’Agenzia delle Entrate, attiva online dal primo pomeriggio del 21 marzo 2024. Pur presentando somiglianze con la campagna identificata lo scorso anno dall’Agenzia delle Entrate, al momento non disponiamo dell’e...

AgentTesla intensifica la sua presenza in Italia: il ruolo cruciale degli allegati PDF 28/03/2024 AgentTesla Email per diffondere AgentTesla Recentemente, gli operatori di AgentTesla hanno rafforzato le campagne di malspam in Italia, confermando la tendenza osservata negli ultimi mesi verso un maggiore impiego di allegati PDF. Questi documenti contengono link che, una volta utilizzati, avviano il download di file con codici JavaScript dannosi. L’email in questione sollecita con urgenza il destin...

Sintesi riepilogativa delle campagne malevole nella settimana del 23 – 29 Marzo 2024 29/03/2024 riepilogo In questa settimana, il CERT-AGID ha riscontrato ed analizzato, nello scenario italiano di suo riferimento un totale di 34 campagne malevole, di cui 29 con obiettivi italiani e 5 generiche che hanno comunque interessato l’Italia, mettendo a disposizione dei suoi enti accreditati i relativi 239 indicatori di compromissione (IOC) individuati. Riportiamo in seguito il dettaglio delle tipologie ...

Check Point

Filter by: Select category Research (557) Security (911) Securing the Cloud (285) Harmony (159) Company and Culture (19) Innovation (6) Customer Stories (12) Horizon (5) Securing the Network (11) Partners (8) Connect SASE (10) Harmony Email (62) Artificial Intelligence (19) Infinity Global Services (12) Crypto (13) Healthcare (14) Harmony SASE (1) SecurityMarch 27, 2024 Beware the Tax Scam Tsunami: Unmasking QR Code schemes, Bogus Refunds and AI imposters ByCheck Point Team Share It’s tax season...

Filter by: Select category Research (557) Security (911) Securing the Cloud (285) Harmony (159) Company and Culture (19) Innovation (6) Customer Stories (12) Horizon (5) Securing the Network (11) Partners (8) Connect SASE (10) Harmony Email (62) Artificial Intelligence (19) Infinity Global Services (12) Crypto (13) Healthcare (14) Harmony SASE (1) Securing the CloudMarch 28, 2024 PyPI Inundated by Malicious Typosquatting Campaign ByOri Abramovsky, Head of Data Science Share Highlights: PiPI is o...

Checkmarx Security

João Tomé at Cloudflare

CTF导航

APT-C-43(Machete)组织疑向更多元化演变 APT 2周前 admin 87 0 0 APT-C-43 Machete APT-C-43(Machete)组织最早由卡巴斯基于2014年披露,该组织的攻击活动集中于拉丁美洲具备西班牙语背景的目标,其主要通过社会工程学开展初始攻击,使用钓鱼邮件或虚假博客进行恶意文件传播,其受害者似乎都是西班牙语群体。 2020年12月我们对该组织意图窃取委内瑞拉军事机密为反对派提供情报支持的攻击活动进行了披露,披露的攻击活动中APT-C-43使用了Python编写的新后门Pyark进行攻击,同样地,此次报告中我方也会对该组织近年使用的新后门进行披露,同时对该组织的演变提供几分猜想。 一、攻击活动分析 1.攻击流程分析 完整的攻击流图描述以及攻击流程图: 2.恶意载荷分析 APT-C-43组织的载荷投递方式并未做过大改变,主要还是通过鱼叉钓鱼邮件以及虚假博客进行投递,钓鱼邮件中包含携带恶意宏代码的Office文档,宏代码启用后将会发起FTP请求从远程服务器中下载后门木马运行。 恶意文档的宏代码通过加密用以迷惑用户。 经提取的恶意宏代码运行后会使用...

推陈出新!Kimsuky组织最新远控组件攻击场景复现 逆向病毒分析 2周前 admin 48 0 0 文章首发地址://xz.aliyun.com/t/14181文章首发作者:T0daySeeker 概述 近期,笔者在浏览网络中威胁情报信息的时候,发现twitter上有人发布了一篇推文,推文的大概意思是推文作者获得了Kimsuky组织使用的PowerShell后门,同时推文作者还赋了一张截图,截图上展示了PowerShell后门的控制端程序的GUI界面。 笔者之前也跟踪过Kimsuky组织,对其所使用的攻击组件有过一些研究,不过此次却是笔者第一次见到其使用PowerShell后门作为最终远控木马端,因此,笔者准备对该PowerShell后门进行详细的深度剖析: 功能分析:发现其使用socket套接字进行网络通信,通信加密算法为RC4,支持12个远控功能指令; 通信模型分析:结合后门通信数据包对其通信模型进行详细的对比分析; 逆向开发控制端:模拟构建PowerShell后门控制端,可有效还原攻击利用场景; 相关截图如下: PowerShell后门分析 外联上线 通过分析,发现此Power...

DinodasRAT Linux 后门程序针对全球实体 逆向病毒分析 1周前 admin 20 0 0 DinodasRAT,又称为XDealer,是一种用C++编写的多平台后门程序,提供了一系列的功能。这个RAT允许恶意行为者监视并从目标计算机中收集敏感数据。该RAT的Windows版本曾在对圭亚那政府实体的攻击中使用,并由ESET研究人员记录为Jacana行动。 2023年10月初,在ESET发布该公告后,我们发现了DinodasRAT的一个新的Linux版本。样本迹象表明,这个版本(根据攻击者的版本系统命名为V10)可能从2022年开始运行,尽管第一个已知的Linux变种(V7),即使到2021年,仍未公开描述。在这个分析中,我们将讨论攻击者使用的一个Linux植入物的技术细节。 初始感染概览 DinodasRAT Linux植入物主要针对基于Red Hat的发行版和Ubuntu Linux。当首次执行时,它会在与可执行文件相同的目录中创建一个隐藏文件,格式为“.[可执行文件名].mu”。此文件被用作一种互斥锁,以确保植入物仅运行一个实例,并且只有在能够成功创建此文件时才允许其继...

揭开 Kimsuky 黑客的面纱 逆向病毒分析 1周前 admin 32 0 0 ‍ ToddlerShark 恶意软件是一群威胁行为者,隶属于朝鲜 APT 黑客组织 Kimsuky。他们使用 CVE-2024-1708 和 CVE-2024-1709 用一种名为 ToddlerShark 的新恶意软件变种感染数量目标。他们是一个由朝鲜国家支持的黑客组织,以对世界各地的组织和政府进行网络间谍攻击而闻名。威胁行为者正在利用 2024 年 2 月 20 日披露的身份验证绕过和远程代码执行漏洞,当时 ConnectWise 敦促 ScreenConnect 客户立即将其服务器升级到 23.9.8 或更高版本。 关于 ToddlerShark 的信息收集 恶意软件开发 ToddlerShark 是 Kimsuky、BabyShark 和 ReconShark 后门的新变种。他们以针对美国、欧洲和亚洲的政府组织、研究中心、大学和智库而闻名。黑客首先通过利用漏洞来攻击 ScreenConnect 端点,从而获得初始访问权限,这使他们能够进行身份验证、绕过和代码执行功能。在站稳脚跟后,Kimsuky...

朝鲜APT LAZARUS 在供应链攻击中使用 MAGICLINE4NX 零日漏洞 APT 1周前 admin 52 0 0 大家好,我是紫队安全研究。建议大家把公众号“紫队安全研究”设为星标,否则可能就无法及时看到啦!因为公众号现在只对常读和星标的公众号才能大图推送。操作方法:先点击上面的“紫队安全研究”,然后点击右上角的【…】,然后点击【设为星标】即可。 英国和韩国机构警告称,与朝鲜APT Lazarus 正在利用 MagicLine4NX 零日漏洞进行供应链攻击 国家网络安全中心(NCSC)和韩国国家情报院(NIS)发布联合警告称,与朝鲜有关的 Lazarus 黑客组织正在利用 MagicLine4NX 软件中的零日漏洞进行供应链攻击。 MagicLine4NX是由韩国Dream Security公司开发的联合证书计划。它使用户能够使用联合证书执行登录并对交易进行数字签名。 用户可以将该软件与各种应用程序集成,例如网络浏览器、电子邮件客户端和文件浏览器程序。 “2023年3月,网络攻击者串联利用安全认证和联网系统的软件漏洞,对目标组织的内网进行未经授权的访问。”联合公告中写道。 ...

Cyble

Cybercrime March 28, 2024 Solana Drainer’s Source Code Saga: Tracing Its Lineage to the Developers of MS Drainer CRIL delves into the leaked source code of the Solana Drainer, examining its correlation with the MS Drainer. Key Takeaways Threat actors (TAs) are actively exploiting platforms like Google Ads and social media platforms such as X (formerly Twitter) to disseminate crypto drainers, employing tactics such as compromising famous accounts, generating counterfeit profiles, and using malici...

Malware March 27, 2024 WarzoneRAT Returns with Multi-Stage Attack Post FBI Seizure CRIL analyzes a malware campaign spreading WarzoneRAT (Avemaria), which has resurfaced following the FBI's dismantling of its malware operation and seizure of infrastructure. Key Takeaways In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arrested two individuals linked to the cybercrime operation. Recently, Cyble Research and Intelligence Labs (CRIL) observed few samp...

Cyfirma

Published On : 2024-03-28 Share : Ransomware of the Week CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware Target Technologies: MS Windows Target Geographies: Belgium, Czech Republic, Netherlands, United States Target Industries: Finance, FMCG, Media & Internet, Transportation Introduction...

Arda Büyükkaya at EclecticIQ

Arda Büyükkaya – March 27, 2024 Executive Summary Beginning March 7th, 2024, EclecticIQ analysts identified an uncategorized threat actor that utilized a modified version of the open-source information stealer HackBrowserData [1] to target Indian government entities and energy sector. The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force. The attacker utilized Slack channels as exfiltration points to upload confidential interna...

Elastic Security Labs

AboutTopicsVulnerability updatesReportsToolsSubscribeOpen navigation menu29 March 2024•Samir BousseadenIn- the- Wild Windows LPE 0- days: Insights & Detection StrategiesThis article will evaluate detection methods for Windows local privilege escalation techniques based on dynamic behaviors analysis using Elastic Defend features.14 min readSecurity operationsBased on disclosures from Microsoft, Google, Kaspersky, Checkpoint, and other industry players, it has become apparent that in-the-wild Wind...

Elliptic

Elliptic Research 28 March, 2024 The National Bureau for Counter Terror Financing of Israel (NBCTF) has today issued Administrative Seizure Order 5/24 (ASO 5/24) in which it listed 42 cryptoasset accounts that it is “convinced…are property of a designated terrorist organization, or property used for the perpetuation of a severe terror crime as defined by the Law.” These 42 accounts (listed below) are all on the TRON blockchain and have primarily been used to transact in the USDT stablecoin. Thir...

Matthew at Embee Research

Latrodectus Loader Matthew Mar 25, 2024 - 5 min read This post will dive into a Latrodectus loader that leverages junk comments and wmi commands to obfuscate functionality and download a remote .msi file. There are three "stages" to this sample, which can be decoded through a combination of regular expressions and CyberChef. Obtaining Initial SampleThe initial sample can be found on Malware Bazaar and was initially uploaded by pr0xylifeSHA256: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782...

Content Paint Home Threat Intelligence Reverse Engineering Detection Engineering -Socials -Socials--Twitter -Socials--Github -Socials--Linkedin -Socials--Youtube -About -About--Contact Search Sign in Threat Intelligence Introduction To Discovering Malicious Infrastructure Through Passive DNS Pivoting Demonstrating DNS pivoting and analysis techniques for uncovering Malicious infrastructure Matthew Mar 27, 2024 - 6 min read I recently became aware of an awesome DNS Analysis tool called Validin wh...

Uncovering APT Infrastructure Through Historical Records and Subdomain Analysis Leveraging Passive DNS to identify APT infrastructure. Building on public intelligence reports. Matthew Mar 30, 2024 - 9 min read In this post we leverage passive DNS analysis tools to expand on an ACTINIUM intelligence report published by Microsoft. This analysis will leverage the initial domains provided in the report to identify new domains of interest that match the reported style and structure detailed in the or...

Flare

Flashpoint

Defendants operated as part of the APT31 hacking group in support of China’s Ministry of State Security’s transnational repression, economic espionage and foreign intelligence objectives. SHARE THIS: Flashpoint March 25, 2024 “BROOKLYN, NY – An indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14...

Explore in-depth coverage ranging from data breaches, vulnerabilities, and ransomware, to tailored sector-specific analysis, geopolitical analysis, and best practices designed to fortify your security posture. SHARE THIS: Flashpoint March 27, 2024 Table Of ContentsTable of ContentsForward-looking data and key insightsComprehensive threat analysisBeyond bytes and bullets: The Power of OSINTThe best data for the best intelligence Forward-looking data and key insights Cyber and physical threats are...

Google Cloud Threat Intelligence

March 22, 2024Mandiant Written by: Luke Jenkins, Dan Black Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster...

March 29, 2024Mandiant Written by: Andrew Oliveau Over the last several years, the security community has witnessed an uptick in System Center Configuration Manager (SCCM)-related attacks. From extracting network access account (NAA) credentials to deploying malicious applications to targeted devices, SCCM attacks have aided in accomplishing complex objectives and evading existing detections. Mandiant's Red Team has utilized SCCM technology to perform novel attacks against mature clients where c...

March 6, 2024Mandiant Written by: Aseel Kayal During the analysis of a banking trojan sample targeting Android smartphones, Mandiant identified the repeated use of a string obfuscation mechanism throughout the application code. To fully analyze and understand the application's functionality, one possibility is to manually decode the strings in each obfuscated method encountered, which can be a time-consuming and repetitive process. Another possibility is to use paid tools such as JEB decompiler ...

March 21, 2024Mandiant Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in ...

Roman Rez at Group-IB

Marshall Price at GuidePoint Security

Human Security

By Rosemary Cipriano Mar 26, 2024 Research & Detection, Cybersecurity, Threat Intelligence HUMAN’s Satori Threat Intelligence team recently published their research into an operation we dubbed PROXYLIB. This operation used 28 apps on the Google Play Store to enroll devices as nodes in a proxy network when downloaded - 3 million downloads to be exact - without the consumer ever knowing. This created a large residential proxy network for fraudsters to purchase access to. All of the identified mali...

By Satori Threat Intelligence and Research Team Mar 26, 2024 Research & Detection, Cybersecurity, Threat Intelligence Researchers: Gabi Cirlig, Maor Elizen, Lindsay Kaye, Joao Marques, Vikas Parthasarathy, Joao Santos, Adam Sell, Inna Vasilyeva Executive Summary Residential proxies are frequently used by threat actors to conceal malicious activity, including advertising fraud and the use of bots. Access to residential proxy networks is often purchased from other threat actors who create them thr...

Jai Minton and Harlan Carvey at Huntress

MSSQL to ScreenConnectByJai Minton and Harlan CarveyDownload YourFirst nameLast NameEmailTitleStay up to date with HuntressPrivacy PolicyThank you! Your submission has been received!Oops! Something went wrong while submitting the form.HomeBlogMSSQL to ScreenConnectMarch 28, 2024MSSQL to ScreenConnectBy: No items found.|Contributors:No items found.ByJai Minton and Harlan CarveyShareBackgroundHuntress SOC analysts continue to see alerts indicating malicious activity on endpoints running MSSQL Serv...

Invictus Incident Response

March 26, 2024Interested in all the secrets of the UAL? Join our OnDemand or live training.‍IntroductionGreat news for those who frequently acquire the Unified Audit Log (UAL): it's officially integrated with the Graph API! In a previous blog post, we touched upon its initial implementation within the Graph API Beta module. At that time, it was only available to a special group that Microsoft gives early access to. It’s now up and running for everyone (as far as we know). We've run a series ...

Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt at Jamf

Start Trial Infostealers continue to pose threat to macOS users Jamf Threat Labs dissects ongoing infostealer attacks targeting macOS users. Each with different means of compromising the victim’s Macs but with similar aims: to steal sensitive user data. March 29 2024 by Jamf Threat Labs Authors: Jaron Bradley, Ferdous Saljooki, Maggie Zirnhelt Introduction Over the past year, the macOS environment has been under constant attack by infostealers. Many of these stealers are targeting individuals in...

Andrey Polkovnichenko at JFrog

Analyzing the actual consequences and exploitation of the npm Manifest Confusion vulnerability. By Andrey Polkovnichenko, Security Researcher March 26, 2024 9 min read SHARE: Several months ago, Darcy Clarke, a former Staff Engineering Manager at GitHub, discovered the “Manifest Confusion” bug in the npm ecosystem. The bug was caused by the npm registry not validating whether the manifest file contained in the tarball (package.json) matches the manifest data published to the npm server. Clarke c...

JPCERT/CC

宇野 真純(Masumi Uno) March 29, 2024 JSAC2024 -Day 1- Email JPCERT/CC held JSAC2024 on January 25 and 26, 2024. The purpose of this conference is to raise the knowledge and technical level of security analysts, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. The conference was held for the seventh time and, unlike last year, returned to a completely offline format. 17 presentations, 3 workshops, and 6 lightning talk...

鹿野 恵祐 (Keisuke Shikano) March 29, 2024 TSUBAME Report Overflow (Oct-Dec 2023) TSUBAME Email This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of October to December 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here . Packets observed from products under development JP...

Vigneshwaran P at K7 Labs

Posted byVigneshwaran P March 26, 2024March 26, 2024 Remote Access Trojan Unknown TTPs of Remcos RAT By Vigneshwaran PMarch 26, 2024 Typically spread through malicious attachments, drive-by downloads, or social engineering, Remcos RAT has been active since 2016. Initially presented by BreakingSecurity, a European company, as a legitimate remote control tool, it has since been exploited by threat actors for nefarious purposes, despite claims of restricted access for lawful use. On analyzing a few...

Brian Krebs at Krebs on Security

March 26, 2024 66 Comments Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the ...

March 28, 2024 10 Comments Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a thread hijacking attack in which a journalist was copied on a phishing email from the unwilling ...

Raúl Redondo at Lares Labs

Home About The Team Pentesting 101 Social Engineering 101 GitHub Contact Us Lares.com penetrationtesting Kerberos II - Credential Access In this part of the series, we will focus on Credential Access and the attacks that Kerberos can facilitate. Raúl Redondo Mar 26, 2024 • 11 min read First Cerberus head, ready to gain access to the domain. In the first part of the Kerberos series, we’ve set the groundwork for the following parts, covering an overview of Kerberos, concepts, encryption types, the...

Swachchhanda Shrawan Poudel at Logpoint

By Swachchhanda Shrawan Poudel|2024-03-25T11:17:36+01:00March 25th, 2024| - 3 min read Fast facts Raspberry Robin, previously disseminated through USB drives, now employs Discord for distribution. The utilization of Raspberry Robin has been observed dropping a variety of payloads, including ransomware and stealers, such as CLOP. Tools like RunDLL32 and Shell32.dll are abused for living off the land for proxy execution of malicious CPL files Raspberry Robin, also known as the QNAP worm, is attrib...

Lumen

Black Lotus Labs Posted On March 26, 2024 0 22.4K Views 0 Shares Share On Facebook Tweet It Executive Summary The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024. As our team has disc...

Michalis Michalos

It has been some time since Part 1 of this blog has been posted, you may find it here. First part, focused mainly on the benefits and how to operationalize MITRE ATT&CK at Microsoft Defender XDR while this blog will focus on Microsoft Sentinel. Table of contents Analytics Hunting The MITRE ATT&CK blade Workbooks KQL queries Closing remarks Part 2: Microsoft Sentinel Analytics The first, and probably most fundamental place to begin with MITRE ATT&CK in Microsoft Sentinel is the Analytics blade. E...

Tiffany Bergeron and Mark E. Haase at MITRE-Engenuity

Nasreddine Bencherchali

Leandro Fróes at Netskope

Obsidian Security

Palo Alto Networks

6,066 people reacted 19 5 min. read Share By Unit 42 March 26, 2024 at 1:00 PM Category: Malware Tags: advanced persistent threat, Advanced URL Filtering, APAC, APT, BRONZE PRESIDENT, China, DNS security, Espionage, Mustang Panda, Prisma Cloud Defender, Stately Taurus, WildFire This post is also available in: 日本語 (Japanese)Executive Summary Over the past 90 days, Unit 42 researchers have identified two Chinese advanced persistent threat (APT) groups conducting cyberespionage activities against e...

Palo Alto Networks

33,867 people reacted 32 6 min. read Share By Unit 42 March 30, 2024 at 7:15 PM Category: Cloud, Threat Brief, Threat Briefs and Assessments, Vulnerability Tags: Advanced WildFire, Cortex XDR, Cortex XSIAM, CVE-2024-3094, incident response, Linux, Prisma Cloud, XZ Utils This post is also available in: 日本語 (Japanese)Executive Summary On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the ...

Positive Technologies

How APT groups operate in the Middle East Published on March 27, 2024 APT groups and operations Contents The Middle East is a target for APT groups How cybercriminals prepared for attacks Gaining initial access Persisting in the system What to study inside Where to find credentials How to collect valuable information Communicating with the C&C server How to cover the tracks How to resist APT attacks About the report Brief description of APT groups Heat map of APT tactics and techniques in the Mi...

Grace Chi at Pulsedive

In the first of our four-part series, learn why practitioners prioritize human-to-human sharing and its benefits. Grace Chi Mar 26, 2024 • 5 min read BLUFCyber threat intelligence (CTI) practitioners consistently and strongly believe in the value of connecting with others for improved CTI outcomes - for themselves and othersThe overall amount of benefits realized from networking increased over previous years, with a steadfast focus on awareness of timely, new informationAll types of "content" (d...

Red Alert

Monthly Threat Actor Group Intelligence Report, January 2024 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 December to 20 January 2024. In January, activities by a total of 26 Threat Actor Groups were identified, in which activities by SectorA groups were the most prominent by 30%, followed by SectorB and SectorJ groups. Threat Actors identified in January carried out the highest number of att...

Monthly Threat Actor Group Intelligence Report, December 2023 (JPN) このレポートは2023年11月21日から12月20日までNSHC ThreatReconチームから収集したデータと情報に基づいて分析したハッキンググループ(Threat Actor グループ)の活動をまとめたレポートである。 今年の12月には合計 36件のハッキンググループの活動が確認され、最も多い活動はSectorAグループの29%であり、 続きはSectorJ、SectorCグループの活動であった。 今年 12月に確認されたハッキンググループのハッキング活動は、政府機関や金融の分野に努めている関係者やシステムをターゲットにして最も多い攻撃を行った、地域ごとには東アジアやヨーロッパに位置した諸国をターゲットにしたハッキング活動が最も多いことが確認された。 1. SectorAグループ活動の特徴 2023年12月には合計5件のハッキンググループの活動が確認され、このグループはSectorA01、SectorA02、SectorA05、SectorA06...

Monthly Threat Actor Group Intelligence Report, February 2024 (KOR) 2024년 1월 21일에서 2024년 2월 20일까지 NSHC ThreatRecon팀에서 수집한 데이터와 정보를 바탕으로 분석한 해킹 그룹(Threat Actor Group)들의 활동을 요약 정리한 내용이다. 이번 2월에는 총 26개의 해킹 그룹들의 활동이 확인되었으며, SectorJ 그룹이 34%로 가장 많았으며, SectorC, SectorA 그룹의 활동이 그 뒤를 이었다. 이번 2월에 발견된 해킹 그룹들의 해킹 활동은 정부 기관과 제조업 분야에 종사하는 관계자 또는 시스템들을 대상으로 가장 많은 공격을 수행했으며, 지역별로는 유럽(Europe)과 북아메리카(North America)에 위치한 국가들을 대상으로 한 해킹 활동이 가장 많은 것으로 확인된다. 1. SectorA 그룹 활동 특징 2024년 2월에는 총 2개 해킹 그룹의 활동이 발견되었으며, 이들은 ...

Resecurity

Cyber Threat Intelligence 25 Mar 2024 Cybercrime, IoT, Dark Web, Anonymity, TTPs, Fraud Intelligence, Wireless Networks, LTE Resecurity identified a new solution advertised on the Dark Web – GEOBOX, a custom software, purpose-built for Raspberry Pi devices, representing an evolution in tooling for fraud and anonymization. Notably, the cybercriminals transformed widely used geek-favorite device into a 'plug-and-play' weapon for digital deception – enabling the operator to spoof GPS locations, emu...

S2W Lab

SANS Internet Storm Center

Internet Storm Center Sign In Sign Up Handler on Duty: Johannes Ullrich Threat Level: green next Slicing up DoNex with Binary Ninja Published: 2024-04-04 Last Updated: 2024-04-04 17:53:02 UTC by John Moutos (Version: 1) 0 comment(s) [This is a guest diary by John Moutos] Intro Ever since the LockBit source code leak back in mid-June 2022 [1], it is not surprising that newer ransomware groups have chosen to adopt a large amount of the LockBit code base into their own, given the success and effici...

New tool: linux-pkgs.sh Published: 2024-03-24 Last Updated: 2024-03-26 12:48:15 UTC by Jim Clausing (Version: 1) 0 comment(s) During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever...

Scans for Apache OfBiz Published: 2024-03-27 Last Updated: 2024-03-27 12:08:56 UTC by Johannes Ullrich (Version: 1) 0 comment(s) Today, I noticed in our "first seen URL" list, two URLs I didn't immediately recognize: /webtools/control/ProgramExport;/ /webtools/control/xmlrpc;/ These two URLs appear to be associated with Apache's OfBiz product. According to the project, "Apache OFBiz is a suite of business applications flexible enough to be used across any industry. A common architecture allows d...

Sekoia

Frank Graziano at Square

Using /proc to find fileless malwareIntroduction This post outlines what I believe to be a novel way to overcome the limitations of the osquery yara scanning table to find fileless malware on Linux operating systems. Background What is osquery? osquery is a powerful open source toolset that exposes operating systems in a way that allows them to be queried with SQL. There are myriad use cases of this instrumentation, but we primarily use it to ask security relevant questions of our hosts. Over th...

Stephan Berger

30 Mar 2024 Table of Contents Introduction wafySummary Analysis of wafySummary Conclusion Indicators of Compromise Introduction In a recent investigation conducted by my colleague, Giuseppe Paternicola, it was discovered that the initial entry point that ultimately led to the deployment of the Abyss ransomware was a compromised SonicWall Secure Mobile Access (SonicWall SMA) device. The threat actor exploited CVE-2021-20039 to gain access (Authenticated Command Injection). Subsequent analysis of ...

Arianne Dela Cruz, Raymart Yambot, Raighen Sanchez, and Darrel Tristan Virtusio at Trend Micro

This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers. By: Arianne Dela Cruz, Raymart Yambot, Raighen Sanchez, Darrel Tristan Virtusio March 26, 2024 Read time: ( words) Save to Folio Subscribe Since its discovery in 2022, the Agenda Ransomware group (also known as Qilin) has been active and in development. Agenda, which Trend Micro tracks as Water Galura, continues infecting victims globally with the US, Argentina,...

Bernard Bautista at Trustwave SpiderLabs

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More Contact Us Login Fusion Platform Login What is the Trustwave Fusion Platform? MailMarshal Cloud Login Incident Response Experiencing a security breach? Get access to immediate incident response assistance. 24 HOUR HOTLINES AMERICAS +1 855 438 4305 EMEA +44 8081687370 AUSTRALIA +61 1300901211 SINGAPORE +65 68175019 Recommended Actions Request a Demo Services Solutions Why Trustwave Partners Resources Co...

Vectra AI

Vectra AI Threat Briefing: Scattered SpiderLearn about the attacker group Scattered Spider, how they operate, and how Vectra AI helps you defend against their hybrid attack techniques.Read more Contact UsFree Demo English FrançaisDeutsch日本語EspañolItalianoTürkçe Platform Customers Research & Insights Resources Partners Company English FrançaisDeutsch日本語EspañolItalianoTürkçeLog inFree Demo BackPlatformThe integrated signal for extended detection and response (XDR). Detect – ...

Jakub Kaloč at WeLiveSecurity

Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries Jakub Kaloč 20 Mar 2024 • , 11 min. read Last year ESET published a blogpost about AceCryptor – one of the most popular and prevalent cryptors-as-a-service (CaaS) operating since 2016. For H1 2023 we published statistics from our telemetry, according to which trends from previous periods continued without drastic changes. However, in H2 2023 we registered a significant chang...

Merav Bar, Amitai Cohen, and Danielle Aminov at Wiz

Detect and mitigate CVE-2024-3094, a critical supply chain compromise, affecting XZ Utils Data compression library. Organizations should patch urgently. 7 minutes readMerav Bar, Amitai Cohen, Danielle AminovMarch 29, 20247 minutes readContentsTL;DRChangelogWhat is CVE-2024-3094?Wiz Research data: what’s the risk to cloud environments? Which products are affected?Which actions should security teams take?Diving into the technical intricaciesLatest Wiz research findings (as of April 3, 2024)Multipl...