Analysis Notes

A place to jot down malware analysis attempts and anything that seems useful for analysis.

4n6 Week 25 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was auto-generated and posted to show the opening lines of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that articles worth checking can be skimmed quickly. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Adam Goss

Allan Liska at ‘Ransomware Sommelier’

A Ransomware Domain Mystery. Or maybe I am just procrastinating... Allan Liska, Jun 16, 2024. Happy Sunday dear readers and please don your Sherlock Cap to help suss out this mystery. I regularly track newly-registered ransomware-themed domain names to see if there are any interesting patterns and I might have one. Since the beginning of June, there ...

The Defense is Wrong: Periodic Reminder that LockBitSupp is a Lying Bastard. I love My Cousin Vinnie So Much. Allan Liska, Jun 22, 2024. My Cousin Vinnie is one of my favorite movies and my favorite scene is when the always amazing Marisa Tomei is forced to testify in the trial and exclaims, “The defens...

Saad Ahla at Altered Security

Intro: In the ever-evolving landscape of cybersecurity, the race between attackers and defenders is relentless. Security mechanisms, particularly those at the kernel level, are designed to provide robust protection against sophisticated threats. However, as attackers continuously devise new methods to bypass these defenses, the hunters—our trusted Endpoint Detection and Response (EDR) systems—can themselves become the hunted. This blog delves into a chilling demonstration of how a signed rootkit, ...

Amitai Cohen

Pivot Atlas (korniko98/pivot-atlas). Sections: About (Introduction; FAQ: How should I use Pivot Atlas? What's the best way to contribute to this project? Where can I learn more about pivoting? Where can I learn more about offensive cyber operations?), Artifacts (Domain, IP Address, Sample, TLS Certificate, User Agent), Fingerprints, Impact Map, Tips, Tools, Updates. ...

ANSSI

Ayelen Torello at AttackIQ

Brad Duncan at Malware Traffic Analysis

2024-06-17 (MONDAY): GOOGLE AD --> FAKE UNCLAIMED FUNDS SITE --> MATANBUCHUS WITH DANABOT. NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_malvertising-matanbuchus-danabot-activity-7208934021207113728-Tc05 //x.com/Unit42_Intel/status/1803168396755820812 ASSOCIATED FILES: 2024-06-17-IOCs-from-Matanbuchus-infection-with-Danabot.txt.zip 2.4 kB (2,428 bytes) 2024-...

2024-06-12 (WEDNESDAY): KOI LOADER/KOI STEALER INFECTION. NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_koiloader-koistealer-unit42threatintel-ugcPost-7206786127276503040-W_aO //twitter.com/Unit42_Intel/status/1801020508755869718 ASSOCIATED FILES: 2024-06-12-IOCs-for-Koi-Loader-Stealer-infection.txt.zip 1.5 kB (1,534 bytes) 2024-06-12-email-examples.zip 3.2 ...

Censys

CERT-AGID

Summary of malicious campaigns in the week of 15 – 21 June 2024. 21/06/2024. Summary: This week CERT-AGID detected and analysed, within its Italian reference scenario, a total of 48 malicious campaigns, 36 of them with Italian targets and 12 generic ones that nonetheless affected Italy, making the 597 indicators of compromise (IOC) identified available to its accredited bodies. Below we report the details of the typ...

Chainalysis

June 20, 2024 | by Chainalysis Team. This blog is a preview of our 2024 State of Cryptocurrency Investigations Report, which was compiled using insights from our second ever State of Cryptocurrency Investigations Survey. We polled more than 800 public sector employees from around the world to learn about their perspectives on blockchain technology and their abilities to understand and investigate crypto asset activity. ...

Check Point

Securing the Cloud, June 20, 2024. Check Point’s 2024 Cloud Security Report: Navigating the Intersection of Cyber security. By Check Point Team. 91% v...

Ben Nahorney at Cisco

June 18, 2024. Security. How to Monitor Network Traffic: Findings from the Cisco Cyber Threat Trends Report. 4 min read. Ben Nahorney. The threat landscape is full of moving targets. Over time, popular tools, tactics, and procedures change. Malicious techniques fall out of fashion, only to come roaring back months, if not years, later. All the while, security practitioners monitor network traffic and adapt their defenses to protect their users and networks. Keeping on top of these tren...

Cisco’s Talos

By Chris Neal. Tuesday, June 18, 2024 08:00. Threat Spotlight. This blog post is part of a multi-part series, and it is highly recommended to read the first entry here before continuing. As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: Discussing the I/O system and IRPs. We will expand on these subjects and discuss other aspects of the I/O system such as IOCTLs, device stacks and I/O stack locations, as all are critical compo...

By Hazel Burton. Tuesday, June 18, 2024 07:57. On The Radar. In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024. In 25% of engagements, the underlying cause was users accepting fraudulent MFA push notifications that originated from an attacker. In 21% of engagements, the underlying cause for the incident was a lack of...

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia. By Chetan Raghuprasad, Ashley Shen. Friday, June 21, 2024 08:00. Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the same email address. We identified two infection chains used t...

By Chetan Raghuprasad, Ashley Shen. Friday, June 21, 2024 08:00. Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. In the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous observations that mainly targeted South Korea and Uzbekistan. SneakyChef uses lures that are scanned documents of government agencies, mo...

Cyberdom

Published May 11, 2024 · Updated May 26, 2024 As part of ongoing research and hunting, as well as investigating security incidents, I encounter many cases where there are gaps in security tools, systems do not document and collect logs properly or do not display them as we would like, attackers are very skilled, and finding evidence can be complex. Visibility and logs missing or not displayed correctly can decide the results of an incident investigation and even lead to a lack of visibility. In ...

Published April 26, 2024 · Updated April 28, 2024 Cloud incidents are common and occur every week, some with a minor impact and others with extensive impacts on the organization and its users. In the security incidents I investigated, I could see the differences between each environment. In the countless investigations I carried out, it was possible to see diverse environments and the fact that each environment is unique in terms of log collection and IR readiness, some with maturity and others ...

Cyble

Cyborg Security

Blog June 18, 2024 Security teams are faced with a reality: sometimes, adversaries are going to compromise an environment. A user may click on a link in a phishing email that leads to the download of malware that’s not caught by antivirus software. A threat actor may exploit an unpatched vulnerability in an internet-facing appliance that was not on an organization’s asset register. Compromised credentials could lead to an attacker taking over a highly privileged account, lending access to a doma...

Community Content June 21, 2024 Threat Overview – Spectre RAT The Spectre remote access trojan (RAT) is modular malware that was first seen in September of 2020, being available as a malware-as-a-service (MaaS) program. Spectre RAT is developed in C++ and gives the operator the means to employ techniques such as remotely executing commands and payloads, manipulation of processes, downloading and uploading of files, and stealing information. The RAT is made up of three parts, or modules; the core...

Community Content June 21, 2024 Threat Overview – Hunting for Credential Theft – Identify When an InfoStealer May be Stealing Sensitive Access The recent SnowFlake incident has brought to light the importance of protecting your credentials and access to sensitive tools. Infostealers are the highway in which many threat actors and access brokers garner their initial foothold in environments. This collection of hunt packages has been specifically put together to help organizations and teams detect...

Cyfirma

Published On: 2024-06-21. 1. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Geographies: Congo, Croatia, Italy and United States. Target Industries: Business Services, Construction, Education, Government, Manufacturing...

Cyjax

By Cymon / June 21, 2024 Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition analyses cyberattacks related to a new malware campaign targeting Docker APIs, a Phishing-as-a-Service platform attacking Microsoft 365, and an analysis of the cyberespionage group UNC3886. 1. Exposed Docker APIs targeted by crypto-mining malware Full report available for CYMON users here. Key Takeaways: Researchers have ...

Darren M.

Systemic Identity Compromise Response. Darren M., Blogger, Author, Architect, Secure DevOps Champion, Incident Responder, and Threat Hunter. Published May 30, 2024. From celebration to crisis: Imagine celebrating a successful financial quarter, only to have uninvited guests crash the party and ruin the entire mood. In cybersecurity, these uninvited guests can be hacktivists, cyber criminals, or even nation-states. Their attacks, ranging from accidental insider t...

Datadog Security Labs

June 19, 2024. Tags: aws, threat detection. Contents: Key points and observations; Attacker activity: Pivoting on IP addresses and enumerating vaults, buckets, and secrets; Notable AWS service: S3 Glacier; Notable network infrastructure: CloudFlare WARP VPN; Notable user agent: Signing API requests; Summary of attacker activity; Detection opportunities; How Datadog can help; Conclusion; Indicators of compromise. Martin McCloskey, Senior Detection Engineer. In this post, we explore a campaign we've witnessed...

Aleksandar Matev at Detect FYI

Dragos

Caitlin Sullivan. Threats. Mistakes are human. We downplay them. We excuse them as if we are a worthy exception to the rule. Our adversaries know them well – they expect it, they work to exploit it – after all, they are human too. On the bright side, many human mistakes are explainable, predictable, and repeated. As an industrial threat hunter, this is exceptionally good news. As a Dragos OT Watch Threat Hunter, I find opportunities every day to exerc...

Dragos, Inc. OT Cybersecurity Fundamentals. Dragos is an industrial cybersecurity company leveraging software, intelligence, and professional services to safeguard civilization. The SANS Institute empowers cybersecurity professionals with high quality training, certifications, degree programs, and more to help them make the world a safer place. Together, we have created a blog series about OT cybersecurity fundamentals, crafted for practitioners and ...

Arda Büyükkaya at EclecticIQ

Arda Büyükkaya – June 18, 2024 Executive Summary In February 2024, EclecticIQ analysts discovered phishing campaigns targeting financial institutions. Threat actors employed embedded QR codes in PDF attachments to redirect victims to phishing URLs [1]. These campaigns were driven by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which operates through a user-friendly interface accessible via Telegram bots, enabling the orchestration of phishing attacks. Figure 1 - Overview of ONNX s...

Efstratios Lontzetidis

Elastic Security Labs

22 June 2024. Joe Desimone, Samir Bousseaden. GrimResource - Microsoft Management Console for initial access and evasion. Adversaries adapting to Microsoft's new security landscape. 9 min read. Attack pattern. Overview: After Microsoft disabled office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity. However,...

Ervin Zubic

Esentire

Jun 19, 2024: Fake IT Support Website Leading to Vidar Infection. ...

Jun 13, 2024: SolarMarker Impersonates Job Employment Website, Indeed, with a Team… Security advisory, Jun 12, 2024: Matanbuchus Malware. THE THREAT: Beginning in May 2024, and carrying into early June, eSentire has identified an increase in observations of Matanbuchus malware. Matanbuchus is a loader...

Pei Han Liao at Fortinet

By Pei Han Liao | June 19, 2024. Affected Platforms: Microsoft Windows. Impacted Users: Microsoft Windows. Impact: The stolen information can be used for future attack. Severity Level: High. The past few years have seen a significant increase in the number of Rust developers. Rust is a programming language focused on performance and reliability. However, for an attacker, its complicated assembly code is a significant merit. In May 2024, FortiGuard Labs...

Google Cloud Threat Intelligence

June 19, 2024. Mandiant. Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi. Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vuln...

Ron Bowes at GreyNoise Labs

Where we track a SolarWinds Serv-U vulnerability with a new honeypot, including tricking a human attacker into making mistakes. Author: Ron Bowes. Published June 18, 2024. On June 5, 2024, SolarWinds published an advisory detailing CVE-2024-28995 - a path-traversal vulnerability in Serv-U, discovered by Hussein Daher. The affected versions are: SolarWinds Serv-U 15.4.2 HF 1 and earlier; SolarWinds Serv-U 15....

Marshall Price at GuidePoint Security

Intel471

Jun 18, 2024 Security teams are faced with a reality: sometimes, adversaries are going to compromise an environment. A user may click on a link in a phishing email that leads to the download of malware that’s not caught by antivirus software. A threat actor may exploit an unpatched vulnerability in an internet-facing appliance that was not on an organization’s asset register. Compromised credentials could lead to an attacker taking over a highly privileged account, lending access to a domain con...

Keisuke Shikano at JPCERT/CC

鹿野 恵祐 (Keisuke Shikano), June 21, 2024. TSUBAME Report Overflow (Jan-Mar 2024). This TSUBAME Report Overflow series discusses monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports do not include. This article covers the monitoring results for the period of January to March 2024. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here. Impacts in Japan from Observations in FY2023: JPCERT/CC a...

Rich Peckham at ‘Microsoft Security Experts’

Lex Crumpton, August Moore, and Amy L. Robertson at MITRE-Engenuity

Natto Thoughts

Ransom-War Part 3: Inflict Maximum Damage. Dmitry Medvedev’s June 13 call to do “maximum harm” to Western infrastructure is not so new: Russian strategists have thought about using ransomware to pressure adversary countries since at least 2016. Natto Team, Jun 19, 2024. Summary: This is Part 3 of Natto Thoughts’ “Ransom-War” serie...

Jay Chen at Palo Alto Networks

14 min read. By Jay Chen. Published 18 June, 2024 at 3:00 AM PDT. Categories: Cloud Cybersecurity Research, Threat Research, Trend Reports. Tags: AWS, Azure, Cortex XDR, Cortex Xpanse, IaaS, Microsoft, Prisma Cloud, Virtual machines. This post is also available in Japanese. Executive Summary: This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. Organizations can use this...

Tommy Madjar, Dusty Miller, and Selena Larson at Proofpoint

From Clipboard to Compromise: A PowerShell Self-Pwn. June 17, 2024. Tommy Madjar, Dusty Miller, Selena Larson and the Proofpoint Threat Research Team. Key findings: Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the ClearFake activity cluster use this technique. Although the attack chain requires significant user interaction to be successful, the so...

Grace Chi at Pulsedive

Quantitative and qualitative insights inform our roadmap and best practices to achieve success in CTI networking. Grace Chi, Jun 18, 2024, 8 min read. Background: This is the final installment in a multi-part series based on the CTI Networking Report 2024, the sequel to my inaugural study from 2022. Check out Part 1 for more context around this research. CTI Networking: The interaction of individuals for CTI-related work. This definition excludes personal purposes (e.g., career development, sales,...

Macie Thompson at Recon Infosec

Macie Thompson Hopefully you have read all about why we are excited to be offering Advanced Email Protection (AEP) to our customers. If you have not, check out that blog here. In this post we wanted to take a deeper dive into a few common phish attacks and the detection rules we use in Sublime Security to identify them so we can automatically quarantine them for customers. Spear Phishing When attackers use spear phishing as a method for credential harvesting, they frequently attempt to spoof com...

Recorded Future

Posted: 17th June 2024By: Insikt Group® Recorded Future’s Insikt Group identified that Vortax, a purported virtual meeting software, spreads three infostealers—Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). This extensive campaign targets cryptocurrency users, exploiting macOS vulnerabilities. Operated by the threat actor “markopolo,” this campaign has significant implications for macOS security, indicating a potential increase in AMOS attacks. The Travels of “markopolo”: Self-Proclaimed...

Posted: 20th June 2024By: Insikt Group® RansomHub, a new ransomware-as-a-service (RaaS) platform, emerged in February 2024, targeting Windows, Linux, and ESXi systems with malware written in Go and C++. Its high 90% commission rate attracts seasoned affiliates, leading to a surge in infections. RansomHub's affiliates have impacted 45 victims across eighteen countries, primarily targeting the IT sector. The ransomware leverages cloud storage backups and misconfigured Amazon S3 instances to extort...

Red Alert

Monthly Threat Actor Group Intelligence Report, April 2024 (ENG) This report is a summary of Threat Actor group activities analyzed by the NSHC ThreatRecon team based on data and information collected from 21 March 2024 to 20 April 2024. In April, activities by a total of 29 Threat Actor Groups were identified, in which activities by SectorJ groups were the most prominent by 34%, followed by SectorB and SectorC groups. Threat Actors identified in April carried out the highest number of attacks o...

Red Canary

J’yah Marshall at ReliaQuest

RexorVc0

Overview: This is not a déjà vu, this is an update and improvement of the NanoCore which I looked at years ago because my analysis seems to me very incomplete, and in addition we see how it has evolved and new versions of this malware have been released. NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc. It also serves as remote control f...

SANS Internet Storm Center

Video Meta Data: DJI Drones Published: 2024-06-16 Last Updated: 2024-06-18 18:24:28 UTC by Johannes Ullrich (Version: 1) 0 comment(s) Many years ago, I wrote about the EXIF data in pictures taken with Smartphones. Smartphones often record extensive meta data, including GPS and accelerometer data. So I wondered how much similar data can be found in footage collected with a drone. As an example, I am using a DJI Mini Pro 4 drone. This is a very common and popular drone, and I have footage availabl...

Handling BOM MIME Files Published: 2024-06-19 Last Updated: 2024-06-19 09:23:22 UTC by Didier Stevens (Version: 1) 0 comment(s) A reader contacted me with an eml file (which turned out to be benign) that emldump.py could not parse correctly. I've written several diary entries explaining how to analyse MIME/eml files with my emldump.py tool, back in the days when threat actors were discovering all kinds of obfuscation tricks that I tried to defeat in my emldump.py tool. The output of emldump.py f...
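The BOM case in that diary, as an added example (editor's code, not Didier Stevens' emldump.py): the diary says emldump.py could not parse a file that turned out to start with a byte-order mark, and Python's standard-library email parser has the same problem, because a header line prefixed with the three BOM bytes no longer looks like a header, so the whole message is treated as body with no headers at all. The sample message below is constructed; the fix is to check for and drop the UTF-8 BOM before parsing.

```python
"""Strip a UTF-8 byte-order mark before handing an .eml file to a MIME parser."""
import codecs
from email import message_from_bytes, policy

# Constructed sample (not from the diary): a minimal message whose first
# three bytes are the UTF-8 BOM, EF BB BF.
SAMPLE_EML = codecs.BOM_UTF8 + (
    b"From: sender@example.test\r\n"
    b"To: analyst@example.test\r\n"
    b"Subject: invoice\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"body line\r\n"
)


def strip_bom(raw: bytes) -> tuple[bytes, bool]:
    """Return (data without a leading UTF-8 BOM, whether one was removed)."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):], True
    return raw, False


def header_names(raw: bytes) -> list[str]:
    """Header names the stdlib parser recovers from the bytes as given.

    With a BOM in front of the first header the parser records a
    MissingHeaderBodySeparatorDefect and returns no headers at all."""
    return list(message_from_bytes(raw, policy=policy.default).keys())


def parse_eml(raw: bytes):
    """Parse an .eml after removing a stray BOM, so headers are found."""
    cleaned, _ = strip_bom(raw)
    return message_from_bytes(cleaned, policy=policy.default)


if __name__ == "__main__":
    print("headers without BOM handling:", header_names(SAMPLE_EML))
    msg = parse_eml(SAMPLE_EML)
    print("headers after strip_bom:", list(msg.keys()))
    print("subject:", msg["Subject"])
```

Checking the first three bytes is cheap and belongs before any MIME parsing; a UTF-16 BOM (FF FE or FE FF) is a different situation, since it means the whole file is UTF-16 rather than a stray marker, and this example does not handle it.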

No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary] Published: 2024-06-20 Last Updated: 2024-06-20 01:19:16 UTC by Guy Bruneau (Version: 1) 1 comment(s) [This is a Guest Diary by Owen Slubowski, an ISC intern as part of the SANS.edu BACS program] Over the past 20 weeks I have had the privilege to take part in the SANS Internet Storm Center Internship. This has been an awesome chance to deploy and monitor a honeypot to explore what must be the fate of so many unsecu...

Sysinternals' Process Monitor Version 4 Released. Published: 2024-06-22 Last Updated: 2024-06-22 10:53:38 UTC by Didier Stevens (Version: 1) 0 comment(s). Version 4.01 of Sysinternals' Process Monitor (procmon) was released (just one day after the release of version 4.0). These releases bring improvements to performance and the user interface. And a new event for the Process start was added. This can...

Sansec

by Sansec Forensics Team. Published in Threat Research, June 18, 2024. One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores has been patched. Update June 23rd: Sergey Temnikov (aka spacewasp), who discovered the original issue, alerted us that third parties may gain API admin access without requiring a vulnerable Linux version (the iconv issue), which makes CosmicSting even more severe. He also suggested an improved emergency fix. Read his ana...

SOCRadar

Dark Web Profile: DragonForce Ransomware. Jun 20, 2024, 9 Mins Read. Contents: Who is DragonForce Ransomware; Modus Operandi of DragonForce Ransomware; Victimology; Impact and Response; Conclusion. DragonForce Ransomware has emerged as an intriguing adversary. Known for its prominent targets and unusual ways of communication, it has quickly gained notoriety among cybersecurity experts and victims alike. This post delves into the origins, operations, and distinctive features of the DragonForce ...

Shedding Light on the Netherlands Threat Landscape Report. Jun 20, 2024, 3 Mins Read. Contents: Emerging Threats: Chinese Cyber Espionage Campaign; Uncovering Dark Web Threats; The Surge in Ransomware Attacks; Deconstructing Phishing and Stealer Log Threats; Persistent Threats from DDoS Attacks; Strategic Insights for Future Protection. In an era of dynamic change in digital threats, there is more need for knowledge of regional cybersecurity challenges than ever. Therefore, it is with great ple...

Dark Web Profile: dAn0n Hacker Group. Jun 21, 2024, 6 Mins Read. Contents: Who Is dAn0n Hacker Group; Victimology; Conclusion; Data Protection Focus: Mitigating Risks Posed by dAn0n and Similar Threat Actors. Global law enforcement agencies have ramped up their efforts against ransomware, leading to the weakening of groups and even dethroning the long-ruling LockBit. However, following these operations, many small groups emerged. In April 2024, a group calling themselves the dAn0n Hacker Group...

Dark Web Profile: SpaceBears. Jun 20, 2024, 7 Mins Read. Contents: Who is SpaceBears; Victimology; Conclusion; Mitigation Strategy: Data Protection Focus; SOCRadar: Enhancing Data Breach Detection and Mitigation. Recent history could be termed the Age of Ransomware in the realm of cybercrime. However, threat actors have discovered a way to profit without the need for malware development or sophisticated methods. SpaceBears is a new participant in the Data Broker trend, which has gained momentu...

SpecterOps

Splunk

By Splunk Threat Research Team. LNK (shortcut) files are a common starting point for many phishing campaigns. Threat actors abuse the unique properties of LNK files to deceive users and evade detection and prevention countermeasures, making them potent tools for compromising systems and networks. In this blog, we'll provide an in-depth analysis of recent LNK phishing campaigns, examining the tactics, techniques, and procedures (TTPs) employed by threa...

Stephan Berger

17 Jun 2024. Table of Contents: Introduction; Example #1: popen; Example #2: proc_open; There are more.. (p0wny-shell, weevely); Hunting Webshells; Yara-Rules for Webshell-Hunting; Linux.Detection.Yara with Velociraptor; Exchange.Generic.Detection.WebShells; DetectRaptor; webshell-scan; What now?; uac - Unix-like Artifacts Collector; Conclusion. This blog post discusses how to enhance PHP security using the disable_functions directive, which prevents specific PHP functions from being executed. We further explore ...
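The two halves of that post, the disable_functions hardening and the webshell hunt, as one added example (editor's code, not Stephan Berger's, and not the YARA or Velociraptor artifacts the post uses). It audits a php.ini fragment for the command-execution functions a webshell needs (popen and proc_open among them), and then hunts a directory of PHP files for calls to those same functions. The list of functions, the two ini fragments and the sample PHP files are the editor's constructed assumptions, not values from the post.

```python
"""Audit php.ini disable_functions and hunt PHP files for calls to the
functions that should have been disabled (popen, proc_open, system, ...)."""
import re
import tempfile
from pathlib import Path

# Baseline of PHP functions that give a webshell command execution.
# Assumption: this is the editor's list, not the blog post's.
EXEC_FUNCTIONS = frozenset({
    "exec", "passthru", "system", "shell_exec", "popen", "proc_open",
    "pcntl_exec", "dl",
})

# Constructed php.ini fragments: the weak default and a hardened one.
WEAK_INI = """; php.ini fragment (constructed)
disable_functions =
"""
HARDENED_INI = """; php.ini fragment (constructed)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
"""


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the functions disabled by the last effective disable_functions
    line (later lines override earlier ones; ';' starts an ini comment)."""
    disabled: set[str] = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_from_ini(ini_text: str) -> set[str]:
    """Execution functions the ini text leaves enabled."""
    return EXEC_FUNCTIONS - parse_disable_functions(ini_text)


# A call site looks like `name(`; \b stops `exec` matching inside `shell_exec`.
CALL_RE = re.compile(r"\b(" + "|".join(sorted(EXEC_FUNCTIONS)) + r")\s*\(", re.IGNORECASE)


def hunt_php_files(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Map each .php file under root to its (line number, function) hits."""
    hits: dict[str, list[tuple[int, str]]] = {}
    for path in sorted(root.rglob("*.php")):
        found = []
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for m in CALL_RE.finditer(line):
                found.append((lineno, m.group(1).lower()))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict[str, list[tuple[int, str]]]:
    """Write two constructed PHP files into a temp dir and hunt them."""
    root = Path(tempfile.mkdtemp(prefix="phphunt_"))
    (root / "index.php").write_text("<?php echo date('c');\n")
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "img.php").write_text(
        "<?php\n"
        "// constructed webshell-style sample\n"
        "$p = proc_open($_REQUEST['c'], [1 => ['pipe', 'w']], $pipes);\n"
        "echo stream_get_contents($pipes[1]);\n"
        "$h = popen($_GET['x'], 'r');\n"
    )
    return hunt_php_files(root)


if __name__ == "__main__":
    print("weak ini leaves enabled:", sorted(missing_from_ini(WEAK_INI)))
    print("hardened ini leaves enabled:", sorted(missing_from_ini(HARDENED_INI)))
    for file, found in demo().items():
        for lineno, func in found:
            print(f"{file}:{lineno}: {func}(")
```

Two caveats the audit cannot see: disable_functions is a PHP_INI_SYSTEM setting, so it only takes effect from php.ini or the pool configuration, never from ini_set() at runtime; and a literal-name regex misses shells that build the function name at runtime (string concatenation, call_user_func with a variable), which is why the post reaches for YARA rules and Velociraptor artifacts rather than grep alone.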

Systemd Path Activation - Poor Man's File Integrity. 22 Jun 2024. Table of Contents: Introduction; The path unit: canary.path; The service unit: canary.service; Testing. This blog post outlines a method for monitoring changes to files and directories in Linux using path units. Administrators and defenders can be notified of modifications by creating a new path unit, which watches for changes to files and directories and links it to a service unit that executes a script when changes are detected. This s...
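The path/service pair that post describes, as an added example (editor's code, not Stephan Berger's units): a generator that renders canary.path watching a list of files or directories with PathModified=, the canary.service it activates, and the handler script the service runs. The watched paths, the handler location /usr/local/bin/canary-alert.sh and the use of logger are the editor's assumptions; the unit names canary.path and canary.service are the post's.

```python
"""Render a systemd path unit plus the oneshot service it activates,
for a poor man's file-integrity canary."""
from pathlib import Path, PurePosixPath

# Assumed handler location; systemd needs an absolute path in ExecStart=.
DEFAULT_HANDLER = "/usr/local/bin/canary-alert.sh"


def render_canary_units(watch: list[str], handler: str = DEFAULT_HANDLER) -> dict[str, str]:
    """Return {filename: unit text} for canary.path and canary.service.

    PathModified= fires when a watched file is written to or a watched
    directory's contents change. systemd requires absolute paths, so
    relative ones are rejected here instead of failing at `systemctl start`."""
    for p in [*watch, handler]:
        if not PurePosixPath(p).is_absolute():
            raise ValueError(f"systemd path units need absolute paths: {p!r}")
    path_unit = "[Unit]\nDescription=Canary: watch for file modifications\n\n[Path]\n"
    path_unit += "".join(f"PathModified={p}\n" for p in watch)
    path_unit += "Unit=canary.service\n\n[Install]\nWantedBy=multi-user.target\n"
    service_unit = (
        "[Unit]\nDescription=Canary: report a file modification\n\n"
        "[Service]\nType=oneshot\n"
        f"ExecStart={handler}\n"
    )
    return {"canary.path": path_unit, "canary.service": service_unit}


def render_handler(watch: list[str]) -> str:
    """Shell handler run by canary.service (constructed). systemd does not
    tell the service which path fired, so it logs the mtime of every
    watched path and leaves the comparison to whoever reads the journal."""
    files = " ".join(watch)
    return (
        "#!/bin/sh\n"
        "# Constructed canary handler: log modification times of the watched paths.\n"
        f"logger -t canary -p auth.warning \"canary fired: $(stat -c '%y %n' {files} 2>&1)\"\n"
    )


def write_units(units: dict[str, str], directory: str = "/etc/systemd/system") -> list[str]:
    """Write the rendered units into a unit directory; returns the paths written."""
    written = []
    for name, text in units.items():
        target = Path(directory) / name
        target.write_text(text)
        written.append(str(target))
    return written


if __name__ == "__main__":
    watched = ["/etc/passwd", "/etc/sudoers.d"]   # assumed canary paths
    for name, text in render_canary_units(watched).items():
        print(f"# {name}\n{text}")
    print(f"# {DEFAULT_HANDLER}\n{render_handler(watched)}")
```

After writing the units and making the handler executable, `systemctl daemon-reload && systemctl enable --now canary.path` arms the watch; touching one of the paths should produce a `canary` entry in `journalctl -t canary`. Path units watch the name, not the inode, so editors that write a temp file and rename it over the original still trigger; the thing this setup cannot do is tell you which of several watched paths changed, hence the stat in the handler.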

Sucuri

Symantec Enterprise

Attackers were heavily focused on telecoms operators in a single Asian country. Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials. The attacks have been underway since at least 2021, with evidence to suggest that some of this activity may even date as far back as 2020. Virt...

Dan Schoenbaum at Team Cymru

Pure Signal, the world’s largest threat intelligence data ocean is now available as a Splunk Dashboard. Our mission at Team Cymru has always been to ‘save and improve human lives’. We empower defenders with the actionable intelligence they need to detect, analyze, and respond to threats quickly and effectively. With so many tools available, overwhelming volumes of alerts, and multiple dashboards, there is a strong desire to consolidate and simplify workstreams for SOC analysts. Last year, we launc...

Thinkst Thoughts

Publish Date: June 21, 2024. thinkstcanary. This is the second post in an ongoing series that examines documented/public breaches with a special focus on Canary and Canarytoken deployment. The posts do not intend to imply that we would have been a silver bullet and prevented the breach; rather, our approach has been to help detect breaches. These posts are primarily intended to give our customers and users ideas for possible deployment options. In this 2nd blog post, we’ll look at: why attackers jus...

Aaron Goldstein at Todyl

Aaron Goldstein, June 14, 2024. Throughout the course of a day, the Todyl MXDR team reviews security alerts, investigates threats, and hunts for the unknown all on a recurring basis on behalf of their customers. While many suspicious behaviors are reviewed and remediated, it’s important to dissect some attacks to better understand the techniques used and ensure there are robust detections in place to highlight anything suspicious. A recent incident involved the use of multiple techniques which whe...

Peter Girnus, Aliakbar Zahravi, and Ahmed Mohamed Ibrahim at Trend Micro

We recently discovered a new threat actor group that we dubbed Void Arachne. This group targets Chinese-speaking users with malicious Windows Installer (MSI) files in a recent campaign. These MSI files contain legitimate software installer files for AI software and other popular software but are bundled with malicious Winos payloads. By: Peter Girnus, Aliakbar Zahravi, Ahmed Mohamed Ibrahim. June 19, 2024. Report highlights: We recently discovered a new ...

Zimperium