In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID.
IcedID dropped and executed a Cobalt Strike beacon, which was then used through-out the intrusion.
The threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment.…
Read More Tag: EDR
Executive Summary:
Read More The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN).…
Threat Actor: Unknown | Unknown Victim: Italian Red Cross | Italian Red Cross Price: Not specified Exfiltrated Data Type: Internal source codes, databases, backups, and more
Additional Information:
The breach into the Italian Red Cross network was executed by an unknown threat actor. The threat actor gained access to the network using a simple PHP shell and became the administrator of the company’s Active Directory.…Summary: ThreatLocker, a global cybersecurity company, has raised $115M in Series D funding to enhance its Zero Trust endpoint security solution and expand its global presence.
Threat Actor: ThreatLocker | ThreatLocker Victim: N/A
Key Point :
ThreatLocker provides organizations with a Zero Trust approach to cybersecurity, offering enterprise-level server and endpoint security by blocking untrusted software and protecting against various cyber threats.…Key Points
Escalated tensions between Iran and Israel could give rise to cyber threats.Several advanced persistent threat (APT) groups are involved on both sides: APT34, APT35, and CyberAv3ngers in Iran, and Predatory Sparrow in Israel.Iranian-affiliated APTs utilize a wide array of TTPs, including spearphishing and drive-by compromise, to significantly expand the attack surface for companies with ties to Israel or Israeli vendors.…On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
Securonix Threat Research Security Advisory – Fast Track/Early-Warning Coverage Advisory (FCA)
By Securonix Threat Research: D.Iuzvyk, T. Peck, O.Kolesnikov
Read More Apr 24, 2024
tldr:The Securonix Threat Research Team has been monitoring a new ongoing social engineering attack campaign (tracked by STR as DEV#POPPER) likely associated with North Korean threat actors who are targeting developers using fake interviews to deliver a Python-based RAT.…
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr:The Securonix Threat Research team (STR) observed an interesting attack campaign which leveraged SSLoad malware and Cobalt Strike implants resulting in the attackers being able to pivot and take over the entire network domain.
SSLoad malware was the primary vector deployed by threat actors during the FROZEN#SHADOW campaign along with Cobalt Strike and ScreenConnect RMM (remote monitoring and management) software.…
Morphisec has successfully identified and prevented a new variant of IDAT loader. …
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.…
In the 1960s and ’70s, the US firearms market saw an influx of cheaply-made, imported handguns. Legislators targeted the proliferation of these inexpensive and frequently unreliable weapons, ostensibly because they were believed to pose a risk to their owners and facilitate criminality. This was not an issue unique to the US or to that time period, of course; in the UK, where handguns are now strictly regulated, criminals often resort to reactivated, or even home-made or antique, firearms.…
Summary: A notorious Russian APT group known as APT28 has been using a post-compromise tool called “GooseEgg” to steal credentials by exploiting a Windows Print Spooler bug.
Threat Actor: APT28 (aka Strontium, Forest Blizzard) | APT28 Victim: Various government, non-governmental, education, and transportation sector organizations | Various victims
Key Point :
APT28 has been using the GooseEgg tool since potentially April 2019 to exploit the CVE-2022-38028 vulnerability and steal credentials.…Summary: Attackers are increasingly exploiting vulnerabilities in computer systems to gain initial network access, with a 6% increase in intrusions through vulnerability exploitation in 2023, according to Mandiant’s M-Trends 2024 Report. Additionally, researchers observed a rise in the exploitation of zero-day vulnerabilities, with Chinese cyber espionage groups being the most prolific attackers in this regard.…
Summary: Researchers at SafeBreach discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files, even after both vendors claim to have patched the problem.
Threat Actor: N/A
Victim: Microsoft and Kaspersky
Key Point:
Researchers found that Microsoft Defender and Kaspersky’s Endpoint Detection and Response (EDR) can be manipulated to detect false positive indicators of malicious files and delete them.…Organizations are increasingly turning to cloud computing for IT agility, resilience and scalability. Amazon Web Services (AWS) stands at the forefront of this digital transformation, offering a robust, flexible and cost-effective platform that helps businesses drive growth and innovation.
However, as organizations migrate to the cloud, they face a complex and growing threat landscape of sophisticated and cloud-conscious threat actors.…
We have been tracking a threat actor who’s behind several malvertising campaigns impersonating popular software downloads. That advertiser uses different identities but their tactics, techniques and procedures are very similar from one campaign to the next.
We have connected this threat actor with the distribution of stealers, often indirectly using known loaders such as FakeBat for Windows, while using Atomic Stealer for Mac.…
Summary: The article discusses how a security researcher reverse-engineered and weaponized Palo Alto Networks’ extended detection and response (XDR) software, demonstrating the potential for attackers to exploit such tools for malicious purposes.
Threat Actor: Shmuel Cohen | Shmuel Cohen Victim: Palo Alto Networks | Palo Alto Networks
Key Point :
A security researcher reverse-engineered and weaponized Palo Alto Networks’ XDR software, using it to deploy a reverse shell and ransomware.…
Summary
Read More In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas).…
SUMMARY
Read More Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground it when it goes wrong? An Active Adversary Special Report.
Remote Desktop Protocol: The Series
Part 1: Remote Desktop Protocol: Introduction (post, video)Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)Part 3: RDP: Queries for Investigation (post, video)Part 4: RDP Time Zone Bias (post, video)Part 5: Executing the External RDP Query (post, video)Part 6: Executing the 4624_4625 Login Query (post, video)GitHub query repository: SophosRapidResponse/OSQueryTranscript repository: sophoslabs/video-transcriptsYouTube playlist: Remote Desktop Protocol: The SeriesRemote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connection using a handy graphical user interface (GUI).…