Phishing is the weapon of choice for many adversaries. And it’s easy to understand why: Users fall victim to attacks in under 60 seconds on average, novice cybercriminals can launch effective phishing campaigns thanks to off-the-shelf phishing kits and generative AI, and above all, it works — 71% of organizations reported at least one successful attack in 2023.…
Tag: XDR
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
We recently discovered a new threat actor group that we dubbed Void Arachne. This group targets Chinese-speaking users with malicious Windows Installer (MSI) files in a recent campaign. These MSI files contain legitimate software installer files for AI software and other popular software but are bundled with malicious Winos payloads.…
Executive Summary
Read More
This post reviews strategies for identifying and mitigating potential attack vectors against virtual machine (VM) services in the cloud. Organizations can use this information to understand the potential risks associated with their VM services and strengthen their defense mechanisms. This research focuses on VM services offered by three major cloud service providers (CSPs): Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP).…
LNK Phishing Campaign and Evolution
Read More
With that background covered, let’s delve into several active campaigns we’ve observed, each leveraging the .LNK file format as the initial trigger for initiating the infection chain on targeted hosts or systems.
We’ll explore the tactics, techniques, and procedures (TTPs) employed by threat actors in these campaigns.…
Key Takeaways
In late 2023, a large organization was the victim of a serious cyber attack. Sygnia’s forensic investigation into the attack revealed a sophisticated threat actor who exhibited robust capabilities and employed a methodical approach. The evidence gathered suggests the involvement of a China-nexus state-sponsored threat actor.…
Read More
Threat Actor: Unknown | Unknown Victim: American Manufacturing Company | American Manufacturing Company Price: $25,000 (open to negotiation) Exfiltrated Data Type: Not specified
Additional Information:
The threat actor is allegedly offering VPN access to the network of a large manufacturing company based in the USA. The access includes domain admin and NTDS rights for two main domains, posing a significant security risk.…AhnLab SEcurity intelligence Center (ASEC) has been publishing the Online Scams series to inform the readers about the ever-evolving scams. Prevention and blocking are the two most important measures to mitigate the damage inflicted by scams. Various security providers are supporting features to detect and block the damage from scams, financial frauds, and phishing.…
In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR’s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed “Crimson Palace” targeting a high-profile government organization in Southeast Asia.
MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe,…
Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…
This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights about the team behind all Sekoia Threat Intelligence and Detection Engineering reports. Let me introduce you to the Sekoia TDR team.
TL;DR Sekoia Threat Detection & Research (TDR) is a multidisciplinary team dedicated to Cyber Threat Intelligence and Detection Engineering for the Sekoia SOC Platform.…Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.…
In a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China Sea countries revealed a previously unknown threat actor. We’ve designated this group “Unfading Sea Haze” based on their persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests.…
This post is also available in: 日本語 (Japanese)
Executive SummaryA Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022.…
Summary: This content highlights the misuse of the client management tool Quick Assist by the threat actor Storm-1811 in social engineering attacks, targeting users for financial gain.
Threat Actor: Storm-1811 | Storm-1811 Victim: Users targeted in social engineering attacks | Users targeted in social engineering attacks
Key Point :
Storm-1811, a financially motivated cybercriminal group, has been observed misusing the client management tool Quick Assist to target users in social engineering attacks.…The Uptycs Threat Research Team has uncovered a large-scale, ongoing operation within the Log4j campaign. Initially detected within our honeypot collection, upon discovery, the team promptly initiated an in-depth analysis to delve into the complexities of this dynamic campaign.…
Summary: LogRhythm and Exabeam have announced a merger in the SIEM market, with the deal expected to close in the third quarter of this year.
Threat Actor: N/A
Victim: N/A
Key Point :
LogRhythm and Exabeam have reached an agreement to merge in the SIEM market.…More than 30.6 billion records have been exposed in 2024 so far based on 8,839 publicly disclosed incidents. Intensifying cybersecurity efforts has thus become more critical than ever for organizations the world over. But that requires having the whole picture on hand, and that’s only possible if users can take a closer look inside and outside their networks.…
Executive Summary
Read More
This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls.…
Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.…
This post is also available in: 日本語 (Japanese)
Executive SummaryIn this post, we examine lateral movement techniques, showcasing some that we have observed in the wild within cloud environments. Lateral movement can be achieved by leveraging both cloud APIs and access to compute instances, with access at the cloud level potentially extending to the latter.…
It’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware signature list in version 2192. A further 10 rules were appended in version 2193 on April 30th. Cupertino’s security team were clearly hoping that a concerted effort would serve to disrupt prolific adware distributor Adload’s assault on macOS devices.…
Threat Actor: Unknown | Unknown Victim: Italian Red Cross | Italian Red Cross Price: Not specified Exfiltrated Data Type: Internal source codes, databases, backups, and more
Additional Information:
The breach into the Italian Red Cross network was executed by an unknown threat actor. The threat actor gained access to the network using a simple PHP shell and became the administrator of the company’s Active Directory.…Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.…
Summary: A notorious Russian APT group known as APT28 has been using a post-compromise tool called “GooseEgg” to steal credentials by exploiting a Windows Print Spooler bug.
Threat Actor: APT28 (aka Strontium, Forest Blizzard) | APT28 Victim: Various government, non-governmental, education, and transportation sector organizations | Various victims
Key Point :
APT28 has been using the GooseEgg tool since potentially April 2019 to exploit the CVE-2022-38028 vulnerability and steal credentials.…
CrowdStrike Falcon® Next-Gen SIEM enables companies to search, investigate and hunt down threats, including detection of advanced ransomware targeting VMware ESXi
Initial access to the ESXi infrastructure1 is typically gained through lateral movement using valid credentials
eCrime actors target and deploy ransomware in ESXi environments to increase the impact and scale of their attacks, which can be devastating for organizations
Read More
CrowdStrike Falcon Next-Gen SIEM, the definitive AI-native platform for detecting, investigating and hunting down threats, enables advanced detection of ransomware targeting VMware ESXi environments. …
Summary: Researchers at SafeBreach discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files, even after both vendors claim to have patched the problem.
Threat Actor: N/A
Victim: Microsoft and Kaspersky
Key Point:
Researchers found that Microsoft Defender and Kaspersky’s Endpoint Detection and Response (EDR) can be manipulated to detect false positive indicators of malicious files and delete them.…Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.…
Summary: The article discusses how a security researcher reverse-engineered and weaponized Palo Alto Networks’ extended detection and response (XDR) software, demonstrating the potential for attackers to exploit such tools for malicious purposes.
Threat Actor: Shmuel Cohen | Shmuel Cohen Victim: Palo Alto Networks | Palo Alto Networks
Key Point :
A security researcher reverse-engineered and weaponized Palo Alto Networks’ XDR software, using it to deploy a reverse shell and ransomware.…At its core, threat hunting is the practice of proactively searching for signs of malicious activities or indicators of compromise (IOCs) before threat actors gain a deep foothold within your organization’s environment.
This involves observing both attacker behaviors (e.g., evidence of lateral movement, privilege escalation attempts, anomalous user activity) and indicators (e.g.,…
Introduction
Read More
To enhance our threat intelligence, improve detection and identify new threats, Sekoia.io analysts perform continuous hunting and detection engineering every day to give our customers more options to protect themselves. Sekoia.io Threat Detection & Research (TDR) team is there to fill our SOC platform with detection rules and CTI.…
This post is also available in: 日本語 (Japanese)
Executive SummaryThis threat brief is frequently updated as new threat intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.…
Executive Summary
Read More
Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.
A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.…
Phishing is one of the most common and effective cyberattack vectors that threat actors use to compromise email accounts, steal sensitive data, and deliver malware. Recently, we have observed a new trend in phishing campaigns that leverage QR codes embedded in emails to evade detection and trick users into visiting malicious links.…
This is part two in our series on building honeypots with Falco, vcluster, and other assorted open source tools. For the previous installment, see Building honeypots with vcluster and Falco: Episode I.
When Last We Left our HeroesIn the previous article, we discussed high-interaction honeypots and used vcluster to build an intentionally-vulnerable SSH server inside of its own cluster so it couldn’t hurt anything else in the environment when it got owned.…
Threat detection and response are critical components of a robust cybersecurity strategy. However, simply relying on automated detections is no longer enough to protect your organization from downtime.
To reduce the chances of business disruption from advanced and unknown threats, security teams must operationalize threat intelligence by conducting proactive, hypothesis-driven threat hunts.…
Programmatically filter uncommon DNS Requests with Cisco Umbrella APIs
Read More
We use the Internet in our everyday lives to get work done, manage our lives, and even socialize. We take this Internet usage for granted these days, but the reality is that we are communicating more than ever on a global scale, instantaneously, and often, with folks we’ve never met in-person or with third-party services we don’t fully understand.…
When discussing Windows services and how to hunt for their abuse, it is worth mentioning that there are several threat hunting hypotheses that we can leverage. This is very common in threat hunting tradecraft in general and for persistence-related techniques in particular.
When you are dealing with Windows services techniques, all your hypotheses can be split into two big groups: Hunting for service creation (aka “establishment” aka “installation”) and Hunting for service execution (some time after the service was created/established).…
As cyber adversaries become more sophisticated, detecting and neutralizing potential threats before they can cause any harm has become a top priority for cybersecurity professionals. It is also why threat hunting is a crucial skill. By mastering the art of cyber threat hunting, security professionals can build a robust defense and shield their organization from the ever-persistent menace of cyber threats.…
CrowdStrike is committed to protecting our customers from the latest and most sophisticated cybersecurity threats. We are actively monitoring activity surrounding CVE-2024-3094, a recently identified vulnerability in XZ Utils. In this blog, we discuss the significance of this vulnerability, how CrowdStrike protects its customers from adversaries attempting exploitation, and how this issue can be discovered with CrowdStrike Falcon® Exposure Management, CrowdStrike Falcon® Insight XDR and CrowdStrike Falcon® for IT.…
____________________ Summary: The XZ Utils Data Compression Library has a vulnerability that impacts multiple Linux distributions. It is recommended to downgrade to an uncompromised version or migrate to updated releases.
Key Points: * The vulnerability, CVE-2024-3094, has a critical severity level. * The vulnerability is a result of a supply chain compromise in versions 5.6.0 and 5.6.1 of XZ Utils.…
Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…
DNS Early Detection – Proof of Value Study
Read More
In this blog, we present a proof of value study demonstrating the value of detecting attempted DNS exfiltration and Command and Control (C2) communications. Our focus is on two anonymized customers: a large e-commerce/retail company (Customer #1) and an educational institution (Customer #2).…
Executive Summary
Read More
StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim’s email login information, which they can then use to perform further attacks.…
This post is also available in: 日本語 (Japanese)
Executive SummaryThis article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors.…
CVE-2024-27198 and CVE-2024-27199 are vulnerabilities within the TeamCity On-Premises platform that can allow attackers to gain administrative control over affected systems.
On March 4, 2024, JetBrains disclosed two critical vulnerabilities — CVE-2024-27198 and CVE-2024-27199 — within the TeamCity On-Premises platform that allow attackers to bypass authentication measures and gain administrative control over affected servers.…
Executive Summary
Read More
This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.…
Executive Summary
Read More
This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims.…
PRESS RELEASE
DENVER, March 5, 2024 – Red Canary today announced full coverage of its detection and response capabilities to include all major cloud infrastructure and platform services providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Red Canary can detect suspicious activity across all major cloud environments and seamlessly correlate that data with other leading cloud security products, enabling enterprises to find and stop threats before they can cause damage.…
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…