In the realm of cybersecurity, understanding the various data types within an infrastructure is essential for effective defense and management. These data types serve as the foundation for identifying, analyzing, and responding to potential threats. Let’s delve into the four critical data types: traffic data, state data, event data, statistical data, and organizational data, to understand their significance and application in security.…
Tag: EDR
BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges. At this level of access, attackers can accomplish a lot: hide malware, dump credentials, and, crucially, attempt to disable EDR solutions.…
[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1].
IntroFrom a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to capture the attention of several members, myself included.…
SUMMARY
Read More
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Background
Read More
On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affiliates as “ransomware-as-a-service” (RaaS). The FBI also developed a decryption tool that was made available to organizations impacted by this RaaS variant, in an effort to help them recover and resume business operations. …
It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.
Fast forward to 2024 and the same malvertising campaigns are still going on.…
Key Points
Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.
Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update.
The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. …
Read More
Background
Read More
On December 19, 2023, the Justice Department Office of Public Affairs issued a press release indicating that the FBI had “disrupted the ALPHV/BlackCat ransomware variant.” This variant of ransomware is offered to affiliates as “ransomware-as-a-service” (RaaS). The FBI also developed a decryption tool that was made available to organizations impacted by this RaaS variant, in an effort to help them recover and resume business operations. …
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr: In order for malware to successfully infect its target, code obfuscation passed into cmd.exe is frequently used. Let’s look at some real-world examples of what threat actors are doing, and how they can be detected.…
Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated attacks. This ransomware attack was coordinated and impacted two separate companies simultaneously.…
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.
Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).…
Written by: Ofir Rozmann, Chen Evgi, Jonathan Leathery
Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.
Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).…
Table of Contents:
Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.
In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.…
PIKABOT at a glance
Read More
PIKABOT is a widely deployed loader malicious actors utilize to distribute payloads such as Cobalt Strike or launch ransomware. On February 8th, the Elastic Security Labs team observed new PIKABOT campaigns, including an updated variant. This version of the PIKABOT loader uses a new unpacking method and heavy obfuscation.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
DarkVNC is a hidden utility based on the Virtual Network Computing (VNC) technology, initially promoted on an Exploit forum in 2016. The primary distinction between hVNC and VNC lies in their intended usage and the degree of transparency: VNC can serve as a legitimate tool for remote desktop sharing, while hVNC is associated with stealthy or potentially malicious activities, often operating without the user’s knowledge or consent.…
Authors: Tejaswini Sandapolla, Shilpesh Trivedi
The 8220 Gang, a notorious Chinese-based threat actor group, has once again surfaced in the spotlight with a renewed assault on cloud based infrastructure. This latest campaign, unfolding from May 2023 through February 2024, showcases the gang’s strategic pivot towards more sophisticated tactics and techniques, targeting both Linux and Windows platforms.…
Originating in the latter part of 2023, this Ransomware-as-a-Service (RaaS) operation has drawn attention due to its technical lineage and operational tactics resembling those of the notorious Hive ransomware group. With law enforcement agencies previously disrupting Hive, Hunters International’s rise just after the operation underscores the persistent and adaptive nature of cybercriminal networks.…
Today’s attackers are taking advantage of changing business dynamics to target people everywhere they work. Staying current on the latest cybersecurity attack vectors and threats is an essential part of securing the enterprise against breaches and compromised data.…
SUMMARY
Read More
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.…