Analysis Notes

A place to jot down notes from trying my hand at malware analysis and anything that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 27 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that you can skim through and pick which articles to check. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Francis Guibernau at AttackIQ

Avertium

New Ransomware Groups to Watch - RA World and DragonForce. July 3, 2024. Executive summary: In 2024, Comparitech reported that the average extortion demand for ransomware attacks exceeded $5.2 million in the first half of the year. This figure is based on 56 documented ransom demands from January to June 2024, with the highest being a $100 million demand following an attack on India’s Regional Cancer Center in April 2024. The cybersecurity landscape has seen a significant surge in ransomware pay...

CERT-AGID

Italian FedEx-themed phishing campaigns under way. 04/07/2024. FedEx. Over the course of the week, CERT-AgID has identified new phishing campaigns targeting FedEx users. These particularly insidious campaigns attempt to steal personal and financial data through fake shipping notifications. Campaign details: Users receive an email with the following subject: “Hai (1) pacco in attesa presso il centro di distribuzione FedEx!!” (“You have (1) package waiting at the FedEx distribution centre!!”). The message includes plausible details ...

Summary of malicious campaigns in the week of 29 June – 5 July 2024. 05/07/2024. Summary: This week, CERT-AGID detected and analysed, within the Italian landscape it monitors, a total of 52 malicious campaigns, 35 of which targeted Italy and 17 of which were generic but nonetheless affected Italy, making the 522 related indicators of compromise (IOC) it identified available to its accredited bodies. Below we report the details of the ...

Check Point

Permiso

Exploiting Cloud Secrets Management Repositories: Adversary Tactics and Mitigation Strategies Introduction Proper handling of sensitive information, such as passwords and API keys, is a crucial responsibility for any organization and cybersecurity professional using cloud services for their business operations. To keep your cloud secrets secure, it is a good security practice to use cloud secrets management tools, such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Kubernetes Secre...

Cyble

Cyfirma

Published On: 2024-07-04. Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Target Countries: Indonesia. Target Industries: Government. Introduction: CYFIRMA Research and Advisory Team has found Brain Cipher while monitoring vario...

Cyjax

By Cymon / July 5, 2024 Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers alleged access to high-revenue organisations advertised by IntelBroker, TransparentTribe targeting the gaming industry with spyware, and an analysis of the FakeBat loader. 1. IntelBroker advertises alleged access to high-revenue organisations Full report available for CYMON users here. Key Takeaways: IntelBroker adv...

Darktrace

A Busy Agenda: Darktrace’s Detection of Qilin Ransomware-as-a-Service Operator

James Coote at Delivr.to

Rohit Sadgune at Detect Diagnose Defeat Cyber Threat

Detect FYI

Panos Koutsovasilis at Elastic

By Panos Koutsovasilis, 01 July 2024. The need for tracing in Linux: Protecting mission-critical Linux machines is essential for any business. Sophisticated cyber attacks can start from a low-value target machine and pivot into high-value servers filled with sensitive information. However, many organizations face challenges when their infrastructure includes older Linux kernels that do not support modern tracing technologies. This pos...

Esentire

Jun 27, 2024: Bridging the Security Gap by Addressing Visibility Challenges with… Jun 27, 2024: Securing Passkeys: Thwarting Authentication Method Redaction Attacks. Security Advisories, Jun 26, 2024: MOVEit Authentication Bypass Vulnerability. The Threat: eSentire is aware of claims that the MOVEit Transf...

Flashpoint

In this blog we outline the essential steps that organizations can take to safeguard against infostealer malware. Flashpoint, July 1, 2024. Table of Contents: Understanding infostealer malware; The infostealer lifecycle and TTPs; Protecting against infostealer malware; Protect yourself against infostealers using Flashpoint. Over the past seven years, Flashpoint has observed a significant rise in the use of infostealer malware. Their simplicity, vast availability, and low costs ...

HackTheBox

Learn how to detect AS-REP roasting attacks in part two of a special five-part series on critical Active Directory (AD) attack detections & misconfigurations. CyberJunkie & g4rg4m3l, Jul 03, 2024. Table of Contents: Practice detecting AS-REP roasting with HTB Sherlocks; Detecting AS-REP Roasting; Filter logs by Event ID 4768; Correlating events to detect a compromised account; Detecting AS-REP roasting with Splunk; Remediation. Welcome to part two of a special series on detecting Active Directory attack...

Haircutfish

Huntress

Hackers Are Hiding in Plain Sight: Insights from Our 2024 Cyber Threat Report. July 2, 2024. By: Team Huntress. In the past year, hackers have started trading in the proverbial black hoodie and are opting instead for a “cloak of invisibility.” The result? Cybercriminals are hiding—often in plain sight—and moving covertly in systems before unleashing havoc. In the Huntress 2024 Cyber Threat Report, ou...

I am Jakoby

Michael Zuckerman at Infoblox

DNS Early Detection – Breaking the Coral Raider Kill Chain. July 2, 2024. Bulletin. Who: Cybersecurity threat researchers have discovered a new malicious cyber campaign operated by the threat group Coral Raider. Per OSINT published in late April, the recent Coral Raider campaign operations appeared to have started in February 2024. What: Coral Raider appears to be distributing several types of infostealer malware, including Rhadamanthys, Lumma C2, and Cryptbot. The LUMMA C2 domains (see our previous...

Tom Philippe at InfoSec Write-ups

Intel471

Jul 01, 2024 Countering ransomware remains one of the top priorities for nations and their law enforcement and intelligence agencies. The growth of ransomware, which can largely be attributed to its high profits combined with the safe haven given to ransomware actors in Russia, has evolved into a cybercrime battle with no perfect solution. The transnational nature of this crime has caused law enforcement to mount complex technical operations against these groups. Those operations have aimed to i...

Brian Krebs at Krebs on Security

July 3, 2024. Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is “x999xx,” the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups. x999xx is a wel...

Ugur Koc and Bert-Jan Pals at Kusto Insights

Kusto Insights - June Update. Ugur Koc and Bert-Jan Pals, Jul 02, 2024. Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from M...

Lina Lau at Xintra

By Lina Lau, July 3, 2024. 11 min read. Microsoft Entra ID’s cross tenant synchronization feature allows an attacker the ability to laterally move to a partner tenant – opening an attack path for tenant-to-tenant lateral movement. This feature was released in March 2023 and the “legitimate” purpose of the feature was to allow automation of creation, deletion and updating of Entra B2B collaboration. In short, it allows collaboration for a multitenant organisation. By abusing cross tenant synchronisati...

Obsidian Security

Sebastien Meriot and Christophe Bacara at OVHcloud

By Sebastien Meriot and Christophe Bacara / 2024-07-02 / DDoS, Infrastructure, Security This article assumes a base understanding of Internet and networking concepts. A sharp increase of DDoS attacks have been observed since the beginning of 2023. A new trend is to send high packet rate attacks though. This article introduces the findings of our teams in order to bring new insights regarding this threat. Introduction Distributed Denial of Services attacks (DDoS) are a longstanding issue which re...

Phylum

Since May 26, 2024, Phylum has been monitoring a persistent supply chain attack involving a trojanized version of jQuery. We initially discovered the malicious variant on npm, where we saw the compromised version published in dozens of packages over a month. After investigating, we found instances of the trojanized jQuery on other platforms, such as GitHub, and even as a CDN-hosted resource on jsDelivr. Background: This attack stands out due to the high variability across packages. The published ...

Prodaft

By PRODAFT Team on July 1, 2024. What Is The Rhadamanthys Stealer? Rhadamanthys Stealer stands out in the ever-changing realm of cybersecurity threats as a significant contender, showing certain characteristics that mark it as a noteworthy Software as a Service (SaaS) to monitor closely. There are five compelling reasons why Rhadamanthys is poised to make waves in the cybersecurity landscape: 5 Reasons to Watch Out for Rhadamanthys. 1. Constant Development and Im...

By PRODAFT Team on July 1, 2024. Understanding Prometheus TDS. Introduction: Prometheus TDS emerged in 2020 as a Traffic Distribution System service, providing a feature for filtering and the redirection of potential victims to phishing and malicious websites or documents. The main module lies in the administrative panel, where affiliates could configure parameters for their deceitful campaigns, enhancing malicious campaigns by more precise target exfiltration & r...

Recorded Future

Posted: 2nd July 2024. By: Insikt Group®. Summary: In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the da...

Red Alert

Monthly Threat Actor Group Intelligence Report, May 2024 (KOR). This is a summary of the activities of hacking groups (Threat Actor Groups) analysed on the basis of data and information collected by the NSHC Threat Research Lab from 21 April 2024 to 20 May 2024. In May, the activities of a total of 25 hacking groups were confirmed; the SectorJ group accounted for the largest share at 32%, followed by the SectorA and SectorC groups. The hacking activities of the groups discovered in May most often targeted government agencies and personnel or systems in the information technology (IT) sector, and by region the most hacking activity was confirmed to target countries located in Europe and East Asia. 1. Characteristics of SectorA group activity 20...

ReliaQuest

Ryan Hicks at Kroll

Ryan Hicks. CLEARFAKE is the term used to describe the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers. It has the potential to impact all sectors. Although the CLEARFAKE fake browser update campaign (which was initially identified in Q2 2023) originally targeted Windows users, it expanded to macOS users in Q4 2023. CLEARFAKE’s technique involves tricking users into initiating fake updates...

SANS Internet Storm Center

SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH. Published: 2024-07-01. Last Updated: 2024-07-01 17:01:32 UTC by Johannes Ullrich (Version: 1). Qualys published a blog post with details regarding a critical remote code execution vulnerability [1]. This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to...

Overlooked Domain Name Resiliency Issues: Registrar Communications. Published: 2024-07-05. Last Updated: 2024-07-05 11:54:02 UTC by Johannes Ullrich (Version: 1). I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes. Many...

Sekoia

SOCRadar

Dark Web Profile: Brain Cipher. Jul 04, 2024. 13 Mins Read. The Brain Cipher ransomware group gained widespread attention after a high-profile attack on Indonesia’s National Data Center (Pusat Data Nasional – PDN), which disrupted essential public services, including immigration. On June 20, the cyberattack ta...

SonicWall

By Security News, July 3, 2024. The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time. QR codes are increasingly popular due to their versatility and ease of use. Beyond payments and feedback, QR codes have a wide range of applications across various industries such as marketing, retail, education, healthcare, hospitality, transportation, real estate, public services, entertainment, business operati...

Taz Wake

Linux Incident Response - Sticky Bits, SUID and SGID. Taz Wake. Published Jul 1, 2024. When responding to an intrusion, responders need to be able to identify elements that might help the attackers or traces of attacker behaviour. In this article, we will look at three ways files (in Linux) c...

The One Tracker

Trend Micro

We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we'll provide an overview of the trojan and what it does. By: Trend Micro Research, July 04, 2024. Introduction: The Mekotio banking trojan is a sophisticated piece of malware that has been active since at least 2015, primarily targeting Latin American countries with the goal of stealing sensitive information — particularly banking credentials — from its targe...

Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective. In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly. By: Shubham Singh, Sunil Bharti, July 05, 2024. Summary: Attackers can leverage the Jenkins Script Console to execute malicious Groovy scripts, leading to cybercriminal activities such as the deployment of cryptocurrency miners. Mis...

Uptycs

Uptycs Quarterly Cyber Threat Bulletin Q2 2024. July 2, 2024. Cloud Security. Uptycs Threat Research. The Uptycs quarterly cyber threat bulletin provides insights into the current threat landscape. This intel is derived from our threat intelligence systems, sources, and a world-class threat research team, which builds and proactively monitors the...

Mallox Ransomware Variant Targets Linux: Decryptor Discovered. July 3, 2024. Vulnerabilities. Tejaswini Sandapolla & Shilpesh Trivedi. Overview: Mallox ransomware, which is also known as Fargo, TargetCompany, Mawahelper, and so on, has been active since mid-2021. Their operation was also observed in transitioning into the Ransomware-as-a-Service distribution model from mid-202...