This is a great article on Lateral Movement for beginners and experienced analysts. The Analyst1 team not only provides details on what it is and how to detect it but provide steps adversaries may take before and after attempting to laterally move as well as attacks that use it. A great read for a Saturday morning! Enjoy and Happy Hunting!

What Is Lateral Movement in Cybersecurity & How Do You Detect It?
https://analyst1.com/what-is-lateral-movement/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Happy Friday everyone, I hope everyone had a successful week!

The Elastic Security Labs research team takes a deep dive into the #Blister loader and highlight the updates and what remains consistent. Armed with an upgraded hashing algorithm it still likes to hide its code in legitimate libraries, which ends up defeating some machine-learning models.

Revisting BLISTER: New development of the BLISTER loader
Elastic Security Labs dives deep into the recent evolution of the BLISTER loader malware family.
https://www.elastic.co/security-labs

MITRE ATT&CK TTPs (Thanks to the Elastic Team):
TA0005 - Defense Evasion
T1218.011 - System Binary Proxy Execution: Rundll32
T1480.001 - Execution Guardrails: Environmental Keying
T1036 - Masquerading
T1055.012 - Process Injection: Process Hollowing

TA0003 - Persistence
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/ Startup Folder

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Summary:
The Cisco Talos Intelligence Group has identified a campaign that has been running since November 2021 that targets victims who deal with 3-D modeling and graphic design. Most of the victims appeared to deal with businesses in the French language-dominant countries. The targets appeared to be in roles and businesses that require the use of high GPU specifications as they are attractive targets for illicit crypto mining.

I hope you enjoy and Happy Hunting!

Cybercriminals target graphic designers with GPU miners
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day all! The Computer Emergency Response Team of Ukraine, CERT-UA reports on a targeted attack attributed to #APT28 they observed on critical energy infrastructure facility in Ukraine. It started with a #phishing email that contained a link to an archive that led to a downloaded zip file that contained three decoy JPGs and a bat file that would run on the victims computer. The BAT file would, again, open some decoy web pages, but more importantly would create a .bat and .vbs file. There was some discovery commands issued, TOR program downloaded and hidden on the victim's computer as a hidden service, and abused common ports (445,389,3389,443). Last but not least, a PowerShell script was used to collect the password hash of the account. Enjoy and Happy Hunting!

https://cert.gov.ua/article/5702579

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #CERTUA

Does anyone else enjoy a 40 page intel report to start their morning? Well, here it is!

The Morphisec research team provides an in-depth technical report on the #Chae$ malware. First discovered by Cybereason, the malware was seen targeting e-commerce customers in Latin America and now is on its 4th generation and has received some upgrades which include increases stealth capabilities and a shift to #Python. The malware includes 7 different modules which exhibit different behaviors. I won't spoil the rest of the fun, you're going to have to read on for yourself (honestly I couldn't fit all the relevant details in here there are so many!). Enjoy and Happy Hunting!

Threat Profile: Chae$ 4 Malware
https://www.morphisec.com/hubfs/Morphisec_Chae$4_Threat_Profile.pdf

#CyborgSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

While most of us celebrate Labor Day let's all try to take a moment to remember those who don't get to spend time with their loved ones today, wherever they may be and whatever they may be doing!

I don't know how this report slid under my radar but the ESET researched team unveil a "Marioesque" themed adversary, #MoustachedBouncer! They are a cyberespionage group that targets foreign embassies in Belarus with the use of their ISP level access and their tools #NightClub and #Disco. Using their (assumed) unique level of access, they compromise their targets by redirecting them to a fake #Microsoft update site which loads JavaScript code then leads to a zip file being downloaded. The team wasn't able to get the zip file, but they were still able to identify some TTPs and #LOLBINS abuse, such as creating a malicious scheduled task. I hope you enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #LaborDay

Among the stealers that Cisco Talos Intelligence Group has observed, the #SapphireStealer is a new one that appears to focus on browser credential theft with its straightforward techniques. It is capable of gathering host information, screenshots, cached browser credentials, and files stored on the system. It then creates its own directory and stores credentials in a passwords.txt file and screenshots then zips all the data up and exfiltrates it using Simple Mail Transfer Protocol (SMTP). PLUS, as an added bonus, the research team observed some operational security (OPSEC) failures by the adversary which led to some personal accounts that could be associated with the threat actor! Enjoy and Happy Hunting!

SapphireStealer: Open-source information stealer enables credential and data theft
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/

#CyberSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Happy Friday everyone! Two weeks ago I put this poll up on LinkedIn to help the community answer the question of: If you are a threat hunter, what roles/skills did you hold or gain to get there! And here are the results! Enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

The Intel 471 Team shares their knowledge about the different types of cryptocurrency malware, or cryware that poses a threat to investors. There are Drainers, stand-alone drainers, clippers, and different forms of cryptojacking malware. Enjoy and #HappyHunting!

Cryptocurrency Malware: An Ever-Adapting Threat
https://intel471.com/blog/cryptocurrency-malware-an-ever-adapting-threat

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Good day to everyone, I hope that everyone is safe today! Researchers from Trend Micro provide intel on a group that they named #EarthEstries. They witnessed a cyberespionage campaign that targeted governments and technology industries around the world! Once they gained access they installed #CobaltStrike on the victims system, used backdoors for repeated access, and then collected PDFs and DDF files. They provide in-depth technical details on the other tools that were used on top of all the useful information in this article. Enjoy and Happy Hunting!

Earth Estries Targets Government, Tech for Cyberespionage
https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep-dive into #UNC4841, a Chinese-nexus threat group, activity that shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!

Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day everyone! The DFIR Report released their latest report detailing an attack that involved two different adversaries, one acted as the distributor while the other filled the role of hands on keyboard. #TA551 was responsible for the phishing campaign and a #Nokoyawa ransomware affiliate was responsible for the rest! I hope you enjoy this and find it as useful as I did, and as always, #HappyHunting!

HTML Smuggling Leads to Domain Wide Ransomware
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/

Some MITRE ATT&CK TTPs (Thanks to the DFIR team):
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment

TA0002 - Execution
T1509.001 - Command and Scripting Interpreter: Powershell

TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task

TA0009 - Collection
T1560 - Archon Collected Data

TA0005 - Defense Evasion
T1027.006 -Obfuscated Files or Information: HTML Smuggling

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #MitreMonday

Good day everyone! The ReliaQuest Threat Research team recently provided a wrap up of the most commonly used loaders, the top 80% which comprised of only three different malware! These big three are #QBot, #SocGholish, and #RaspberryRobin. THEN, they not only provided the data sheet to provide to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report, I hope you enjoy it as much as I did, and Happy Hunting!

The 3 Malware Loaders Behind 80% of Incidents
https://www.reliaquest.com/blog/the-3-malware-loaders-behind-80-of-incidents/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Happy Friday everyone! The Check Point Software Technologies Ltd research team provides detailed insight into what DNS Tunneling is, how adversaries use it, and how they are currently analyzing them! Enjoy and Happy Hunting!

TUNNEL WARFARE: EXPOSING DNS TUNNELING CAMPAIGNS USING GENERATIVE MODELS – COINLOADER CASE STUDY
https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-campaigns-using-generative-models-coinloader-case-study/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

I hope is everyone is having a Happy Threat Hunting Thursday! This was a really interesting article by Cisco Talos Intelligence Group focusing on the #Lazarus group and how they found new malware by analyzing the infrastructure that was being reused. Check out the behaviors that the APT group has exhibited as well as characteristics of the #DeimosC2 malware! Enjoy and Happy Hunting!

Lazarus Group's infrastructure reuse leads to discovery of new malware
https://blog.talosintelligence.com/lazarus-collectionrat/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Happy Wednesday everyone! I stumbled upon a report from Check Point Software Technologies Ltd titled "2023 Mid-Year Cyber Security Report" and I had to check it out. It provides a great breakdown of the cyber landscape as seen in the first half of 2023 and contains a LOT of good information! Enjoy and Happy Hunting!

**Unfortunately this is behind an info-wall so you will have to sign up to receive it.**

2023 MID-YEAR CYBER SECURITY REPORT: REPORT REVEALS 48 RANSOMWARE GROUPS HAVE BREACHED OVER 2,200 VICTIMS
https://research.checkpoint.com/2023/2023-mid-year-cyber-security-report-report-reveals-48-ransomware-groups-have-breached-over-2200-victims/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Researchers from ReversingLabs have discovered another campaign that targets Roblox API users on the rpm repository, mainly targeting developers who are creating scripts to run on the gaming platform. They use techniques like "typo-equating" to make their packages look legitimate which, when installed, enumerates the users computer, determines the operating system, and ultimately delivers the #LunaGrabber on the victim's machine. Enjoy and Happy Hunting!

Fake Roblox packages target npm with Luna Grabber information stealing-malware
https://www.reversinglabs.com/blog/fake-roblox-api-packages-luna-grabber-npm

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Happy Monday everyone! I am finally back after taking a week off after #BlackHatUSA and ready to roll! I really enjoyed this article from Group-IB on "how to hunt" for DLL side-loading, or MITRE ATT&CK T1574.002 - Hijack Execution Flow: DLL side-loading. I also appreciate that they started with a hypothesis, rather than an alert, that really speaks about threat hunting as a proactive process, not a reactive one. Enjoy and Happy Hunting!

Hunting Rituals #1: Threat hunting for DLL side-loading
https://www.group-ib.com/blog/hunting-rituals-dll-side-loading/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

I get this question a lot from my #network, so I thought I would look to the community for help! If you are currently filing a Threat Hunter role, what was your position that preceded it?

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting