Key Points

Escalated tensions between Iran and Israel could give rise to cyber threats. Several advanced persistent threat (APT) groups are involved on both sides: APT34, APT35, and CyberAv3ngers in Iran, and Predatory Sparrow in Israel. Iranian-affiliated APTs utilize a wide array of TTPs, including spearphishing and drive-by compromise, to significantly expand the attack surface for companies with ties to Israel or Israeli vendors.…

Securonix Threat Research Security Advisory – Fast Track/Early-Warning Coverage Advisory (FCA) By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

Apr 24, 2024

tldr:

The Securonix Threat Research Team has been monitoring a new ongoing social engineering attack campaign (tracked by STR as DEV#POPPER) likely associated with North Korean threat actors who are targeting developers using fake interviews to deliver a Python-based RAT.…


By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr:

The Securonix Threat Research team (STR) observed an interesting attack campaign which leveraged SSLoad malware and Cobalt Strike implants resulting in the attackers being able to pivot and take over the entire network domain.

SSLoad malware was the primary vector deployed by threat actors during the FROZEN#SHADOW campaign along with Cobalt Strike and ScreenConnect RMM (remote monitoring and management) software.…


Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.…


In the 1960s and ’70s, the US firearms market saw an influx of cheaply-made, imported handguns. Legislators targeted the proliferation of these inexpensive and frequently unreliable weapons, ostensibly because they were believed to pose a risk to their owners and facilitate criminality. This was not an issue unique to the US or to that time period, of course; in the UK, where handguns are now strictly regulated, criminals often resort to reactivated, or even home-made or antique, firearms.…


Summary: A notorious Russian APT group known as APT28 has been using a post-compromise tool called “GooseEgg” to steal credentials by exploiting a Windows Print Spooler bug.

Threat Actor: APT28 (aka Strontium, Forest Blizzard) | Victim: Various government, non-governmental, education, and transportation sector organizations

Key Point:

APT28 has been using the GooseEgg tool since potentially April 2019 to exploit the CVE-2022-38028 vulnerability and steal credentials.…

Summary: Attackers are increasingly exploiting vulnerabilities in computer systems to gain initial network access, with a 6% increase in intrusions through vulnerability exploitation in 2023, according to Mandiant’s M-Trends 2024 Report. Additionally, researchers observed a rise in the exploitation of zero-day vulnerabilities, with Chinese cyber espionage groups being the most prolific attackers in this regard.…


Summary: Researchers at SafeBreach discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files, even after both vendors claim to have patched the problem.

Threat Actor: N/A

Victim: Microsoft and Kaspersky

Key Point:

Researchers found that Microsoft Defender and Kaspersky’s Endpoint Detection and Response (EDR) can be manipulated into flagging benign files as malicious (false positives) and deleting them.…

Organizations are increasingly turning to cloud computing for IT agility, resilience and scalability. Amazon Web Services (AWS) stands at the forefront of this digital transformation, offering a robust, flexible and cost-effective platform that helps businesses drive growth and innovation.

However, as organizations migrate to the cloud, they face a complex and growing threat landscape of sophisticated and cloud-conscious threat actors.…


We have been tracking a threat actor who’s behind several malvertising campaigns impersonating popular software downloads. That advertiser uses different identities but their tactics, techniques and procedures are very similar from one campaign to the next.

We have connected this threat actor with the distribution of stealers, often indirectly using known loaders such as FakeBat for Windows, while using Atomic Stealer for Mac.…


Summary: The article discusses how a security researcher reverse-engineered and weaponized Palo Alto Networks’ extended detection and response (XDR) software, demonstrating the potential for attackers to exploit such tools for malicious purposes.

Threat Actor: Shmuel Cohen | Victim: Palo Alto Networks

Key Point:

A security researcher reverse-engineered and weaponized Palo Alto Networks’ XDR software, using it to deploy a reverse shell and ransomware.…

Summary

In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living-off-the-land binaries, scripts, and libraries (LOLBAS).…


SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…


What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special Report.

Remote Desktop Protocol: The Series

Part 1: Remote Desktop Protocol: Introduction (post, video)
Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)
Part 3: RDP: Queries for Investigation (post, video)
Part 4: RDP Time Zone Bias (post, video)
Part 5: Executing the External RDP Query (post, video)
Part 6: Executing the 4624_4625 Login Query (post, video)
GitHub query repository: SophosRapidResponse/OSQuery
Transcript repository: sophoslabs/video-transcripts
YouTube playlist: Remote Desktop Protocol: The Series

Remote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connection using a handy graphical user interface (GUI).…


Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here.

On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers.…


Cyber threat intelligence (CTI) is a framework for collecting, processing, and analyzing information about potential or ongoing cyber threats.

Put simply, it’s the collection of various types of threat intelligence, such as IOCs, TTPs used by threat actors, and their motivations and capabilities, with the ultimate goal of understanding your system’s attack surface and proactively patching vulnerabilities.…


So you found yourself responding to an alert about one of your employees downloading a malicious version of Advanced IP Scanner? This has become fairly common, as system admins and IT technicians want to download the tool to use legitimately within their environment. But threat actors have been hosting very convincing malicious versions that are being discovered through malvertising (e.g.,…


By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: In this article, we take a deeper dive into a prevalent “DLL sideloading” attack technique we’ve been observing in real-world attacks, including many of those we discovered, to understand its variations, how it works, and how we can detect it.…
