Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time.…
Tag: SOC
SUMMARY
Read More The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.…
Recent postsHomeMalware Analysis
Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough
Lena aka LambdaMamba
Read More I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
THE THREAT
Read More eSentire has observed an increase in Adversary-in-the-Middle (AitM) phishing attacks, starting in mid-September 2023. AitM phishing attacks involve socially-engineering end-users into opening malicious links contained in emails. Data is then proxied or relayed through attacker-controlled infrastructure, leading to the theft of user credentials, including Multi-Factor Authentication (MFA) codes and session cookies that would grant access to various accounts.…
Executive Summary
Read More Menlo Labs recently identified a phishing campaign targeting executives in senior level roles across various industries, but primarily Banking and Financial services, Insurance providers, Property Management and Real Estate, and Manufacturing.
The key findings based on our research of the phishing campaign are as follows:
The campaign started in July and has continued into the month of August.…The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external server.…
Executive Summary
Read More eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group’s inception, and that is just U.S.…
Introduction
Read More Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Recent postsHomeMalware Analysis
XWorm: Technical Analysis of a New Malware Version
Read More In this article, we will take a look at the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
We will analyze the functionality of our sample, as well as extract its configuration. …
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact.…
.blog-text h3 {color: #693840;font-family:"NeueMachina-Regular", Sans-serif;}.blog-text h2 {color: #E82F49;font-family:"NeueMachina-Regular", Sans-serif;}.blog-text img{max-width: 500px !important}ul {list-style: none;}.blog-text ul li::before {content: "2022";color: #E82F49;font-weight: bold;display: inline-block;width: 1em; margin-left: -1em;}figure div {width: 100%;}td {padding: 5px}figure figcaption {text-align: center;}table p{margin-bottom:0px!important;}
Read More By Gerardo Corona & Julio Vidal Ocelot Team
ContextRansomware gangs have found a profitable market in LATAM, but they are not alone, they need region-based actors to provide them the initial access to the companies.…
We all have thoughts that keep us up at night.
Will the ticking noise the car made end up being an expensive repair? When will YouTube superstar John Hammond respond to my posted fanfiction? And are there user agents in Microsoft 365’s security telemetry that we can use to detect potential business email compromise (BEC)?…
Case Study
Read More WhiteSnake Stealer first appeared on hacking forums at the beginning of February 2022.
The stealer collects data from various browsers such as Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, and CentBrowser. Besides browsing data, it also collects data from Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!,…
Since November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a malicious campaign targeting the manufacturing, commercial, and healthcare organizations. The campaign is similar to the one reported by Trend Micro researchers in December 2020. The campaign is believed to be conducted by native Russian speaking threat actor(s).…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Since December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer malware infections in the manufacturing industry. It’s distributed via fake Google Ads for Notepad++ installer. Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, Chrome, etc.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…