#gethunting — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #gethunting, aggregated by home.social.
-
Happy Friday everyone!
A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.
According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, and abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques.
The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.
If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!
Article Source:
Update on SVR Cyber Operations and Vulnerability Exploitation
https://www.ic3.gov/Media/News/2024/241010.pdf
Mitre source:
https://attack.mitre.org/groups/G0016/
Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471
-
Happy Friday Everyone!
The Check Point Software researchers help us into the weekend with the #readoftheday, and ironically it covers some things that we have been researching as of late!
In this article, the researchers detail how a threat actor used an Internet Shortcut (.url) file to open up the attacker website in Internet Explorer (a more vulnerable browser) instead of Chrome or Edge. This is accomplished through the use of a specially crafted .url file that contains the values "mhtml" and also "!x-usc". These tactics were last seen when threat actors were exploiting CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability)[2] and are seen again.
As you wait for the Threat Hunting Tip of the day, go read the entire article yourself and see what I missed! Enjoy and Happy Hunting!
RESURRECTING INTERNET EXPLORER: THREAT ACTORS USING ZERO-DAY TRICKS IN INTERNET SHORTCUT FILE TO LURE VICTIMS (CVE-2024-38112)
https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
Additional resource:
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
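A defender-side check for the .url trick described in the post above, added here as an example and not part of the original post or the Check Point research: it parses the INI-like Internet Shortcut format and flags a URL= value that uses the "mhtml:" scheme or carries the "!x-usc:" directive. Both sample files are constructed and the hostnames are placeholders.

```python
# Constructed sample of a suspicious Internet Shortcut (placeholder hostnames).
SUSPICIOUS_URL_FILE = """\ufeff[InternetShortcut]
URL=mhtml:http://example.invalid/page.htm!x-usc:http://example.invalid/page.htm
IDList=
"""

# Constructed benign shortcut for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""


def parse_internet_shortcut(text: str) -> dict:
    """Minimal parser for the INI-like .url format.

    Returns the key/value pairs of the [InternetShortcut] section with
    lower-cased keys; a leading UTF-8 BOM and comment lines are skipped,
    and a duplicated key keeps its last value.
    """
    values = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def url_file_indicators(text: str) -> list:
    """Return the indicator names triggered by a .url file's URL= value."""
    url = parse_internet_shortcut(text).get("url", "").lower()
    findings = []
    if url.startswith("mhtml:"):
        findings.append("mhtml-scheme")      # the "mhtml" value the article calls out
    if "!x-usc:" in url:
        findings.append("x-usc-directive")   # the "!x-usc" value the article calls out
    return findings
```

Run it over the .url files in a mail or download quarantine; a hit on either indicator is worth a look, and both together match the pattern the article describes.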
-
Good day everyone!
Kaspersky brings us today's #readoftheday!
A new APT targeting the Russian government has been dubbed CloudSorcerer. "It's a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration" (we can start to create hypotheses that include the use of notable TTPs such as Discovery, Command and Control, and Collection). The malware's backdoor module collects information about the victim's machine which includes the hostname, username, Windows subversion information, and system uptime. Then a pipe is created (in this case \\.\PIPE\[1428] [not sure if that is a constant]) that connects to the C2 module process. The researchers state "It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures."
Aaaaaaand this is where I am going to leave you hanging, on a nice cliff! Go and read the article and find out the rest of the details and for your threat hunting tip! Enjoy and Happy Hunting!
CloudSorcerer – A new APT targeting Russian government entities
https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
-
Happy Monday everyone!
AhnLab, Inc. Security Intelligence Center (ASEC) brings us another technical report, this time on #AsyncRAT and how adversaries are disguising it as an E-Book in the #readoftheday!
When a victim downloads what they think is an e-book, a malicious LNK file contains a PowerShell script, another compressed file masquerading as a video extension, and then a normal e-book file (gotta give the victim what they are expecting or run the risk of being caught). The script that runs modifies the attributes of the PowerShell script to hidden and then scans the machine for security products. These results will determine what the malware does next, but in each of the three methods it leads to some sort of scheduled task being used! There are plenty more details here, but don't take my word for it, read it! Enjoy and Happy Hunting!
AsyncRAT Disguised as an E-Book
https://asec.ahnlab.com/ko/67571/
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
-
Happy Friday everyone!
#Cryptominers and #CVE20173506 are featured in today's #readoftheday! Trend Micro takes us through a riveting tale where the protagonist, #WaterSigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades itself as a legitimate VPN technology to help with its defense evasion. It also plays a role in getting the attack to the next stages which involve DLL-reflection, C2 communication, and finally the #XMRig cryptominer.
Significant details that are included are a scheduled task created for Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instrumentation
TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol
TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
-
Happy Friday everyone!
I don't know how I missed the beginning of this series by Elastic and their security researchers but I did, I jumped straight into part three without realizing it! So, I had to stop and backpedal. So if you are like me, here is the first installment of their series on the #REMCOS #RAT. They take you through the process of analyzing it and provide #TTPs and behaviors. One that really sticks out is the #UACBypass and the COM objects that are involved.
To leave you empty handed would be an insult to the researchers' work and to you as a threat hunter! So, take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM Objects that have a higher integrity level are abused and called for malicious purposes, in this case, to bypass the user account control mechanism in Windows! Enjoy and Happy Hunting!
UAC Bypass Attempt via Elevated COM Abuse
https://hunter.cyborgsecurity.io/research/hunt-package/03036b01-dc04-4cd1-9388-bd62e1b0ff2d
Article Source:
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting
-
Happy Wednesday everyone!
The Proofpoint Threat Research team paired up with Team Cymru to dissect the #Latrodectus malware. "First seen being used by #TA577 and more recently #TA578, Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!
After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!
Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c
Source of article:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting
-
Good day everyone!
The Microsoft Threat Intel team has recently dropped some new #ForestBlizzard TTPs and behaviors! They take a look at the malware the group used, named GooseEgg, and reveal how it set up a scheduled task for persistence calling on a batch file named servtask.bat. Find much more information in the article, but I am not going to spoil it! Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Monday everyone!
I know this was posted a week or two back, but I wanted to bring it up again in another light. The first time I read it from a technical level looking for the usual TTPs and behaviors but while I was mowing my yard and listening to The Cybersecurity Defender's Podcast by @limacharlieio the participants mentioned something that I didn't even realize the first time I read it. They mentioned that #APT44, or Sandworm, is a very serious adversary due to the amount of capabilities they have and on so many different levels. From espionage to persistence to destructive activity, they are a very refined group and should be taken seriously. Thanks for the great insight! I hope you enjoy and Happy Hunting!
Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Tuesday everyone!
Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversary's #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.
Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of [LOLBINS]) or making network connections. Or, as a wise old man said back in 1986 "It's dangerous to go alone! Take this."
Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4
This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Happy Monday everyone! I hope everyone is doing well!
Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to its execution. Following the CHM execution, other behaviors were seen and included registry key modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
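The Latrodectus post (AutoRun key persistence) and the Kimsuky post above (Run key modification after CHM execution) both point at the same hunt: writes to the Run/RunOnce keys by processes that have no business setting them. The following is an added example, not part of either post or of the Cyborg Security hunt package, and it runs over constructed Sysmon-style registry events (EventID 13 = registry value set); the trusted-writer allowlist and the "user-writable path" heuristic are assumptions to tune per environment.

```python
import re

# Run/RunOnce keys under HKLM or any HKU hive (case-insensitive).
ASEP_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Assumption: legitimate installers rarely launch persistence from these locations.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.I)
# Constructed allowlist of images expected to touch Run keys in this environment.
TRUSTED_WRITERS = {"c:\\windows\\system32\\msiexec.exe"}

# Constructed Sysmon-style events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\""},
    {"EventID": 13, "Image": "C:\\Windows\\hh.exe",  # CHM viewer writing a Run value
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\loader.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sys",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\loader.exe"},
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",  # key create/delete, not a value set
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Details": ""},
]


def score_run_key_event(event: dict) -> list:
    """Return the reasons an event looks like suspicious Run-key persistence ([] if none)."""
    if event.get("EventID") != 13 or not ASEP_RUN_KEY.search(event.get("TargetObject", "")):
        return []
    image, details = event.get("Image", ""), event.get("Details", "")
    reasons = []
    if image.lower() not in TRUSTED_WRITERS:
        reasons.append("untrusted-writer")
    if USER_WRITABLE.search(details):
        reasons.append("payload-in-user-writable-path")
    if USER_WRITABLE.search(image):
        reasons.append("writer-in-user-writable-path")
    return reasons


def hunt_run_key_persistence(events) -> list:
    """Return (Image, TargetObject, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_run_key_event(ev)
        if reasons:
            hits.append((ev["Image"], ev["TargetObject"], reasons))
    return hits
```

The msiexec write is dropped as expected noise, while the hh.exe and AppData-resident writers are surfaced with the reasons attached so an analyst can triage them in order.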
-
Happy Thursday everyone!
The Volexity team share their findings from a recent incident that involved the APT known as #CharmingKitten (aka #CharmingCypress) and what lengths this group went to make their attack look as convincing as possible. The Volexity team also shared technical details about the malware that was used, specific commands seen, and TTPs used. Enjoy and Happy Hunting!
CharmingCypress: Innovating Persistence
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
As always, I don't want to leave you empty handed! So take this Community Hunt Package from Cyborg Security to help you identify discovery behavior from adversaries!
Excessive Windows Discovery and Execution Processes - Potential Malware Installation
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Good day everyone!
I have recently been researching worms and I wanted to share an article that was useful in identifying the Tactics, Techniques, and Procedures (TTPs) and behaviors associated with them. The #RaspberryRobin worm has been around for a while and reported on by Check Point Software Technologies Ltd researchers. This time around the researchers highlight more technical aspects and new capabilities, but a couple of tactics that stood out to me were User Account Control (UAC) bypass to elevate privileges and the abuse of the registry run key to establish persistence. It's been an interesting topic to research and I hope you enjoy this article! Happy Hunting!
RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Happy Friday to you all!
The Trend Micro researchers observed the #Kasseika ransomware leveraging the BYOVD (bring your own vulnerable driver) technique. They also analyzed the code and found that there was a lot in common with the #BlackMatter strain of ransomware as well, which would not be surprising, since these groups tend to help each other out, learn, and grow together to make the "best" malware that they can. Of course, they also witnessed some LOLBIN (living off the land binaries) abuse as well as a defense evasion technique used to kill antivirus services. There are plenty more details in the report, so I hope you enjoy! Happy Hunting!
Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Tuesday everyone!
#APT37, aka #ScarCruft, is at it again! SentinelOne researchers noticed that they are targeting media organizations and others that are associated with North Korean affairs. The group leverages .LNK files, zip files, and phishing emails.
I found this article most interesting because of the multiple types of file formats that were used, to include .bat and .dat files, involved in the campaign. They also use a custom backdoor known as #RokRat to aid in their attack. This is a great article and worth the time! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs and Behaviors:
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment
TA0002 - Execution
T1059.001 - Command And Scripting Interpreter: PowerShell
T1204.001 - User Execution: Malicious Link
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting