home.social

#ttps — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #ttps, aggregated by home.social.

  1. Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.

    blog.sekoia.io/detecting-multi

  2. Happy Monday everyone!

    Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors that are associated with the group! I like how well it is documented, so I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!

    APT PROFILE – VOLT TYPHOON
    cyfirma.com/research/apt-profi

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  3. Go beyond technology limits with #Roota, a public-domain language for collective cyber defense.

    Cross-platform query translation, correlation, mapping to #TTPs, and more to enable every cyber defender to speak any cybersecurity language.

    Learn more: roota.io

  6. Happy Friday everyone!

    A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.

    According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, and abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBIN) techniques.

    The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected, with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.

    If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!

    Article Source:
    Update on SVR Cyber Operations and Vulnerability Exploitation
    ic3.gov/Media/News/2024/241010

    Mitre source:
    attack.mitre.org/groups/G0016/

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

  7. Happy Friday everyone!

    I don't know how I missed the beginning of this series by Elastic and their security researchers, but I did; I jumped straight into part three without realizing it! So, I had to stop and backpedal. So if you are like me, here is the first installment of their series on the #REMCOS #RAT. They take you through the process of analyzing it and provide #TTPs and behaviors. One that really sticks out is the #UACBypass and the COM objects that are involved.

    To leave you empty-handed would be an insult to the researchers' work and to you as a threat hunter! So, take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM objects that have a higher integrity level are abused and called for malicious purposes, in this case, to bypass the User Account Control mechanism in Windows! Enjoy and Happy Hunting!

    UAC Bypass Attempt via Elevated COM Abuse
    hunter.cyborgsecurity.io/resea

    Article Source:
    elastic.co/security-labs/disse

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting

  8. Happy Thursday everyone!

    If you can't tell by my previous posts, I like to focus on the details found in intel reports, but today I found a report that takes a high-level view of recent attacks that involved APT groups attacking the Middle East. Researchers at Positive Technologies provide great insight into not only the groups that are involved but the #TTPs and behaviors that they exhibit, the countries and industries targeted the most, and how you could prepare yourself! Enjoy and Happy Hunting!

    How APT groups operate in the Middle East
    ptsecurity.com/ww-en/analytics

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  9. Happy Tuesday everyone!

    Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversary's #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.

    Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of [LOLBINS]) or making network connections. Or, as a wise old man said back in 1986 "It's dangerous to go alone! Take this."

    Potential Maldoc Execution Chain Observed
    hunter.cyborgsecurity.io/resea

    This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

  10. Happy Monday everyone! I hope everyone is doing well!

    Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to execution. Following the CHM execution, other behaviors were seen, including modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
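The three hunts described in the Remcos, MuddyWater and Kimsuky posts above (elevated COM abuse for UAC bypass, an Office process spawning a LOLBIN after a maldoc, and a CHM execution chain that ends in a Run-key write) as one added example in Python. This is not the Cyborg Security hunt-package logic and not Elastic's or Rapid7's code: it runs over constructed Sysmon-style events embedded inline, the field names follow Sysmon's ProcessCreate (EventID 1) and RegistryEvent (EventID 13) schema, and the CLSID watchlist is an assumption (only CMSTPLUA is listed; extend it from your own research).

```python
"""Hunt rules over constructed Sysmon-style telemetry (one dict per event).
Added example; not any vendor's hunt-package logic."""
import re

# Assumption: auto-elevating COM objects worth watching, keyed by CLSID.
# CMSTPLUA is the commonly abused one; add others as you confirm them.
ELEVATED_COM_CLSIDS = {"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PROCESSID = re.compile(r"/Processid:(\{[0-9A-F-]{36}\})", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, guid, max_depth=6):
    """Image names from `guid` up through its ancestors, nearest first."""
    names = []
    for _ in range(max_depth):
        ev = procs.get(guid)
        if ev is None:
            break
        names.append(basename(ev["Image"]))
        guid = ev.get("ParentProcessGuid")
        if guid not in procs and ev.get("ParentImage"):
            names.append(basename(ev["ParentImage"]))  # parent never logged; keep its name
    return names


def hunt(events):
    """Return (rule_name, ProcessGuid) for every event that trips a rule."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] == 1:
            parent, child = basename(e.get("ParentImage", "")), basename(e["Image"])
            # Rule 1: a High-integrity child of dllhost.exe hosting an elevated COM CLSID.
            if parent == "dllhost.exe" and e.get("IntegrityLevel") == "High":
                m = PROCESSID.search(e.get("ParentCommandLine", ""))
                if m and m.group(1).upper() in ELEVATED_COM_CLSIDS:
                    hits.append(("uac_bypass_via_elevated_com", e["ProcessGuid"]))
            # Rule 2: Office application spawning a living-off-the-land binary.
            if parent in OFFICE_APPS and child in LOLBINS:
                hits.append(("office_spawns_lolbin", e["ProcessGuid"]))
            # Rule 3a: the HTML Help viewer spawning a LOLBIN (CHM with embedded commands).
            if parent == "hh.exe" and child in LOLBINS:
                hits.append(("chm_spawns_lolbin", e["ProcessGuid"]))
        # Rule 3b: Run-key write by any process whose ancestry includes hh.exe.
        elif e["EventID"] == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            if "hh.exe" in lineage(procs, e["ProcessGuid"]):
                hits.append(("run_key_write_in_chm_chain", e["ProcessGuid"]))
    return hits


CLSID_CMD = r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"EventID": 1, "ProcessGuid": "p1", "Image": r"C:\Windows\explorer.exe", "ParentProcessGuid": "p0",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessGuid": "p2", "Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": CLSID_CMD,
     "ParentProcessGuid": "p0", "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "ProcessGuid": "p3", "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "p2",
     "ParentImage": r"C:\Windows\System32\dllhost.exe", "ParentCommandLine": CLSID_CMD, "IntegrityLevel": "High"},
    {"EventID": 1, "ProcessGuid": "p4", "Image": WINWORD, "ParentProcessGuid": "p1",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessGuid": "p5", "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "p4",
     "ParentImage": WINWORD, "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessGuid": "p6", "Image": r"C:\Windows\hh.exe", "ParentProcessGuid": "p1",
     "CommandLine": r"C:\Windows\hh.exe C:\Users\a\Downloads\invoice.chm",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessGuid": "p7", "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessGuid": "p6",
     "ParentImage": r"C:\Windows\hh.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessGuid": "p8", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessGuid": "p7", "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium"},
    {"EventID": 13, "ProcessGuid": "p8",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "ProcessGuid": "p1",  # benign: explorer.exe lineage has no hh.exe
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]


def run_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, guid in run_sample():
        print(f"{rule:30s} {guid}")
```

Rule 1 keys on the child's integrity level rather than on dllhost.exe alone because the same CLSID hosts are launched legitimately by DCOM; rule 3b walks the process tree so the Run-key write is attributed to the CHM even when it happens two processes later, and the benign explorer.exe write of the same key type is not flagged.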

  11. Threat actors tend to reuse their tactics, techniques, and procedures (#TTPs). In this article, our SME, @cfragoso, provides 2 methodologies and useful #cybersecurity practices to understand & analyze historical attack patterns.

    Learn more about TTPs: maltego.com/blog/analyzing-att

  12. What are the common and proven #phishing Tactics, Techniques, and Procedures (#TTPs)? Threat actors tend to clone legitimate websites of well-known brands to trick their victims and obtain confidential data.

    Map out the phishing domains in 5 steps with #Maltego NOW: maltego.com/blog/hunting-phish

  13. (1/6)
    Explore the latest resources on threat intelligence with #Maltego!

    You will learn how to analyze attack patterns and #TTPs, explore your attack surface assessments, as well as outline the infrastructure deployed by a #malware group.

    Follow the thread 👇

  14. How can #CyberSecurity professionals gain a better understanding of their adversary's #TTPs? In #Maltego, you can gather and analyze information from @mitreattack's MISP Project, STIX, and Filigran's #OpenCTI.

    Predict your enemy's next move with Maltego: maltego.com/blog/analyzing-att

  15. Great blog post by a colleague of mine who asks why "Security through obscurity" is not dead in 2023! How many "#cybersecurity #incidents" is it going to take to finally realize that keeping your #securitycontrols a secret is a good thing? How many times does the #cybercommunity have to demonstrate that sharing of #threatintelligence, #TTPs, #IOCs, #securityconcepts, #AwarenessTraining methods, #zerodays, and everything else that goes along with having a #DefenseInDepth approach to a #HealthySecurityProgram, is ACTUALLY THE GOOD THING 🤨

    (ahem)

    You want to know about the platform I architected? No problem! 👌🏻
    You want to know what Threat Intelligence I gather? Check my GitHub (link on my profile 😁).
    You want the keys to my kingdom? 🤣 No, but thanks for playing 👍🏻

    I'm NOT saying #compromise yourself or open some dark #backdoor to your systems. Just share the knowledge of how you're protecting stuff! Everyone is more #secure for it, and the next generation will make it better.

    kalahari.substack.com/p/securi

  16. A rich #training #offer at BSides Milano: we have top-notch trainings, in some cases for the first time in #Italy! All #in-person! The #event will be held from 4 to 8 July 2023. From 4 to 7 we will focus on #learnitall, and on the 8th we will deep dive into our #amazing #conference. Tickets will be available from tonight for the trainings. We have an early bird rate until 30th April.
    Are you ready? We are!! Join our group SecurityBsidesItalia on #linkedin or on #discord lnkd.in/dBu7wkJG for detailed info! #cyber #threatintelligence #threatintel #cloud #redteaming #redteam #blueteam #threathunting #exploitation #secureboot #TTE #multicloud #hybridcloud #voip #Linux #Windows #LTE #baseband #deception #detection #evasion #edr #BSML23 #AWS #Azure #AzureAD #GCP #devops #cicd #RTOS #FalseFlag #HoneyNet #IDAPro #Python #reverseengineering #Ghidra #network #MITRE #TTPs #persistence #commandandcontrol #lateralmovement #osint #obfuscation #malware #malwareanalysis
    Reserve your spot!! lnkd.in/dZf-yyPv

  21. From a #ThreatIntelligence perspective, the #TTPs would be:

    - #T1059.003: Command and Scripting Interpreter: Unix Shell. SHC payloads still need a shell present on the system to run, and the code inside the payload is, in fact, a shell script.
    - #T1027.002: Obfuscated Files or Information: Software Packed with #SHC.
    - #T1622: Debugger Evasion by using SHC with '-r'.
    - #T1105: Ingress Tool Transfer by downloading payloads from GitHub.
    - #T1496: Resource Hijacking with #XMRig.

  22. Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched #Citrix #NetScaler systems exposed to the internet. Our data indicates strong similarity between #attacks using CVE-2023-3519 delivering #malware and #webshells and previous attacks using a number of the same #TTPs.

    #Sophosxops #threatintel #cve20233519

  27. Don’t approach your threat profile irrationally – use our #PiDay #TTPs Matrix to slice through the infinite universe of threats and bring more (mathematically) constant focus on the ones that matter most: hubs.la/Q01GPxgV0

    Whether you’re a freshly-baked analyst/operator or a crusty infosec veteran, the piping hot and fresh content in Tidal’s free Community Edition is sure to ins-pie-re the next step in your threat-informed defense journey!

    Our latest matrix features seven timely threats:

    PyPI Malicious Packages: A recent report from Sonatype highlighted software supply chain compromises, where four Python packages hosted on the PyPI software registry contained malicious code that could drop malware, delete system utilities, & tamper with files containing authorization keys

    AppleSeed: According to the MITRE ATT&CK knowledge base, “AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.”

    Raspberry Robin: A highly active worm that spreads through removable media and abuses built-in Windows utilities after initial infection. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware

    Chocolatey Backdoor: Last March, Proofpoint identified an attack on French organizations in multiple sectors that used Chocolatey, an open-source package installer, to fetch malicious scripts that delivered the Serpent backdoor (this represents one of the first documented uses of Chocolatey in a cyber campaign)

    (Key) LimeRAT: Trellix researchers documented a July 2022 spearphishing campaign targeting government agencies across South Asia, Europe, and North America that ultimately delivered AsyncRAT & LimeRAT. As a special bonus, this set of Pi Day techniques fittingly features T1056.001 (Input Capture: Keylogging)!

    Banana Sulfate: This small set derives from Sekoia.io’s investigation into a large and sophisticated but unattributed infrastructure cluster last February

    Golden Chickens: Security researchers assess this is a malware-as-a-service provider whose customers include FIN6, Cobalt Group, and the Evilnum APT group.

    #SharedWithTidal #threatinformeddefense #threatintel #threatintelligence

  28. Coinbase shares experience following a social engineering attack involving SMS phishing. Company says no customer funds or customer information were impacted.

    Kudos to the company for sharing Tactics, Techniques, and Procedures (TTPs).

    coinbase.com/blog/social-engin

    #cryptocurrency #smsphishing #phishing #ttps #incidentresponse

  29. Today's the day! You won't want to miss our review of the top #TTPs across the first quarter of 2023. We'll also be talking defensive takeaways and what we can learn from the first quarter as we head into the rest of the year. Join us at noon ET!
    #threatintel #cyberdefense #threatinformeddefense #cybersecurity

    brighttalk.com/webcast/19703/5

  30. With #Hive ransomware infrastructure taken down last week and speculation of similar action against #LockBit, which groups will likely take the “top” #RaaS spots in the first part of the year? If you don’t track #ransomware-as-a-service closely, you may not realize how many other groups regularly carry out attacks (or at least claim & extort victims publicly)

    Since the takedown on Thursday, five RaaS groups have claimed nearly 30 victims publicly, with LockBit 3.0, #Clop, and #ViceSociety leading the pack. In our ransomware landscape briefing last week, a participant asked which group concerned us most into the new year. My answer is “most” seen in the slide here (but if I had to narrow, I choose LockBit in the short-term, and Vice Society in the medium/longer term)

    Last week I argued that many, if not most, of the “top” groups (measured quickly by last year’s victim count) should be on most security teams’ radars. While there are some notable trends in victim sectors, like a relative increase in attacks on public services organizations, in general most of the leading groups are associated with a broad range of victim verticals (a similar trend holds for victim size too – a relative rise in mid-sized organizations, but still a notable number of large enterprises like in years past)

    Rather than burn resources trying to track each new victim associated with each group every day, there is value in identifying top common tactics, techniques, & procedures among groups with generally similar motivations & victim patterns, and focusing response drills, defensive reinforcements, log source & detection tuning, and, where resources allow, unit testing or adversary simulation or emulation around that subset of TTPs

    Our living matrix of top ransom & extortion group #TTPs is found here, covering nearly 30 groups and 175 techniques, although the cluster of top common ones is much smaller. Click the labels in the ribbon at the top to see source references for every mapping and procedural details for many: app.tidalcyber.com/share/9a0fd

    You can also catch the recording of last week’s session and slides with this and similar metrics & graphics on-demand here: brighttalk.com/webcast/19703/5

    #threatinformeddefense #TTP #risk
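The prioritization argued for in the post above (find the techniques that groups with similar motivations and victim patterns have in common, then point detection tuning, drills and emulation at that subset) as an added example in Python. This is not Tidal's matrix or code: the group-to-technique mapping is constructed placeholder data, not intelligence on any real group; the ATT&CK Navigator layer follows the public layer file format, and the version strings in it are an assumption to adjust for your own Navigator instance.

```python
"""Rank ATT&CK techniques by how many tracked groups share them, measure how much
of each group a candidate focus set covers, and emit an ATT&CK Navigator layer.
Added example with constructed data; not Tidal's matrix."""
from collections import Counter

# Constructed sample: placeholder groups -> technique IDs seen in reporting.
# Sets, so a technique counts once per group however often it was reported.
GROUP_TTPS = {
    "RaaS-A": {"T1486", "T1490", "T1078", "T1021.001", "T1562.001", "T1047"},
    "RaaS-B": {"T1486", "T1190", "T1078", "T1041", "T1562.001"},
    "RaaS-C": {"T1486", "T1490", "T1021.001", "T1059.001", "T1562.001", "T1078"},
    "RaaS-D": {"T1486", "T1566.001", "T1059.001", "T1021.001", "T1041"},
}


def technique_frequency(group_ttps):
    """Number of groups using each technique."""
    return Counter(t for ttps in group_ttps.values() for t in ttps)


def shared_core(group_ttps, min_groups):
    """Techniques used by at least `min_groups` groups, most widely shared first,
    ties broken by technique ID so the order is stable across runs."""
    freq = technique_frequency(group_ttps)
    return sorted(((t, n) for t, n in freq.items() if n >= min_groups),
                  key=lambda tn: (-tn[1], tn[0]))


def coverage_by_group(group_ttps, focus):
    """Fraction of each group's known techniques addressed by the focus set.
    Watch the minimum: a low value means one tracked group sits mostly outside
    the chosen focus and needs its own attention."""
    focus = set(focus)
    return {g: len(ttps & focus) / len(ttps) for g, ttps in group_ttps.items()}


def navigator_layer(group_ttps, name="Shared RaaS TTPs"):
    """ATT&CK Navigator layer (as a dict; json.dumps it to save) scoring each
    technique by the number of groups that use it. Assumption: the version
    strings below match the Navigator you load the layer into."""
    freq = technique_frequency(group_ttps)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "score = number of tracked groups observed using the technique",
        "techniques": [
            {"techniqueID": t, "score": n,
             "comment": ", ".join(sorted(g for g, s in group_ttps.items() if t in s))}
            for t, n in sorted(freq.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(freq.values())},
    }


if __name__ == "__main__":
    import json
    core = shared_core(GROUP_TTPS, min_groups=3)
    print("shared core:", core)
    for g, c in sorted(coverage_by_group(GROUP_TTPS, [t for t, _ in core]).items(),
                       key=lambda gc: gc[1]):
        print(f"{g}: {c:.0%} of known TTPs covered by the core set")
    with open("shared_ttps_layer.json", "w") as fh:
        json.dump(navigator_layer(GROUP_TTPS), fh, indent=2)
```

With the sample data the core set (techniques shared by three or more groups) covers about two thirds of what is known about RaaS-A and RaaS-C but only 40% of RaaS-D, which is the signal the coverage check is there to surface before that group is dropped from the plan.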
