In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold, utilizing living-off-the-land binaries, scripts, and libraries (LOLBAS).…
Tag: EDR
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special Report.
Remote Desktop Protocol: The Series
Part 1: Remote Desktop Protocol: Introduction (post, video)
Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)
Part 3: RDP: Queries for Investigation (post, video)
Part 4: RDP Time Zone Bias (post, video)
Part 5: Executing the External RDP Query (post, video)
Part 6: Executing the 4624_4625 Login Query (post, video)
GitHub query repository: SophosRapidResponse/OSQuery
Transcript repository: sophoslabs/video-transcripts
YouTube playlist: Remote Desktop Protocol: The Series
Remote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connection using a handy graphical user interface (GUI).…
Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here.
On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers.…
Cyber threat intelligence (CTI) is a framework for collecting, processing, and analyzing information about potential or ongoing cyber threats.
Put simply, it’s the collection of various types of threat intelligence, such as IOCs, TTPs used by threat actors, and their motivations and capabilities, with the ultimate goal of understanding your system’s attack surface and proactively patching vulnerabilities.…
So you found yourself responding to an alert about one of your employees downloading a malicious version of Advanced IP Scanner? This has become fairly common, as system admins and IT technicians want to download the tool to use legitimately within their environment. But threat actors have been hosting very convincing malicious versions that are being discovered through malvertising (e.g.,…
tldr: In this article, we take a deeper dive into a prevalent “DLL sideloading” attack technique we’ve been observing in real-world attacks, including many of those we discovered, to understand its variations, how it works, and how we can detect it.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
This is part two in our series on building honeypots with Falco, vcluster, and other assorted open source tools. For the previous installment, see Building honeypots with vcluster and Falco: Episode I.
When Last We Left our Heroes
In the previous article, we discussed high-interaction honeypots and used vcluster to build an intentionally-vulnerable SSH server inside of its own cluster so it couldn’t hurt anything else in the environment when it got owned.…
In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.
Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer.…
[This is a Guest Diary by Nathaniel Jakusz, an ISC intern as part of the SANS.edu BACS program]
Although Endpoint Detection and Response (EDR) tools are the gold standard in endpoint security, they are not a fire-and-forget tool. Even the highest Gartner-rated endpoint solution will not provide the desired level of security on its own.…
In December 2023, Sophos X-Ops received a report of a false positive detection on an executable signed by a valid Microsoft Hardware Publisher Certificate. However, the version info for the supposedly clean file looked a little suspicious.
Figure 1: Version info of the detected file. Note the typos ‘Copyrigth’ and ‘rigths’
The file’s metadata indicates that it is a “Catalog Authentication Client Service” by “Catalog Thales ” – possibly an attempt to impersonate the legitimate company Thales Group.…
Key Points
In early April 2024, ReliaQuest investigated numerous similar incidents targeting customers in the health care sector.
We concluded that these intrusions form part of a new campaign targeting health care organizations with the goal of accessing banking information.
The attacks used social engineering techniques against help desk staff to bypass account access controls.…
[This is a guest diary by John Moutos]
Intro
Ever since the LockBit source code leak back in mid-June 2022 [1], it is not surprising that newer ransomware groups have chosen to adopt a large amount of the LockBit code base into their own, given the success and efficiency that LockBit is notorious for.…
Introduction
In the ongoing cat-and-mouse game between cyber attackers and defenders, the battleground has shifted from traditional malware tactics to more sophisticated methods of infiltration. One such technique gaining traction is SMB (Server Message Block) staging, a maneuver that allows attackers to bypass antivirus software and gain unauthorized access to systems.…
The world of cyber security faces new and more complex threats every day. Among them, one of the most significant is malicious software designed to steal personal and corporate information, known as “stealers”. Stealers can be considered one of today’s unseen yet most dangerous corporate threats.…
Given the intricate landscape of cybersecurity, the misuse of Windows Management Instrumentation (WMI) stands out as a pervasive threat. WMI facilitates centralized management of Windows devices by providing a consistent and well-documented interface that can be utilized by various management applications developed by Microsoft and third-party vendors.…
You can’t talk about hunting for persistence techniques without mentioning scheduled tasks. As in the case of persistence via Windows services, described in a previous blog post, techniques related to scheduled tasks also allow for the use of a dual approach to persistence hunting:
Both the creation and execution of tasks can be hunted with simple yet different hypotheses, so let’s dive in and explore them.…