⚠️ #Geacon #IOCs and breakdown provided by @SentinelOne ⚠️
Geacon Brings #CobaltStrike Capabilities to #macOS Threat Actors
https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/?&web_view=true
If you use #RDP, make sure it's strictly internal, and limited only to specific #admin accounts, and that you *DO NOT* have any #3389 open publicly. That IP will be found (quickly), and your #endpoint will be attacked, if not #breached. #BianLian has shifted their attack model. @cisacyber dropped an advisory this week, here's a decent summary of what's up: https://www.darkreading.com/threat-intelligence/bianlian-cybercrime-group-changes-attack-methods-cisa-advisory-notes?_mc=NL_DR_EDT_DR_weekly_20230518&cid=NL_DR_EDT_DR_weekly_20230518&sp_aid=116563&elq_cid=38046155&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly_05.18.23&sp_cid=48613&utm_content=DR_NL_Dark%20Reading%20Weekly_05.18.23
#Hacking #ThreatIntelligence #Cloud #CloudAttackSurface #DataExfiltration #Exfil #AttackSurfaceReduction #Ransomware
#Infostealers are a growing threat. Sure, they've been around for decades, but now it's becoming a much larger market on the #Darkweb. “What we are seeing is an entire #underground #economy and #supporting #infrastructure built around #infostealers, making it not only possible but also potentially #lucrative for relatively #lowskilled #threatactors to get involved.”
https://www.scmagazine.com/news/threat-intelligence/data-log-thefts-explode-as-infostealers-gain-popularity-with-cybercriminals?external_id=HBwZ-n4B490LDY0Z-dKj&external_id_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGLzUgAldBXEeVNitVuN5rpvANUjNCaIIBnTmArpblpBWE5hgFJSS9PoGhu7RxEp5cWxLUDxbLdJ7juuAc83cEfRAyiFxOpe18Kant7MXUMhA
#Hacking #ThreatIntelligence #Cloud #CloudAttackSurface #TOR #DataExfiltration #Exfil #RussianMarket #Cyberespionage #RussiaAPT #ChinaAPT #APT #UseMFA #AttackSurfaceReduction
⚠️ #MicrosoftServiceHealth #Advisory MO497128: For everyone who lost the use of their #MicrosoftOffice desktop apps today, it's because of an issue that Microsoft is dealing with, related directly to #Defender #AttackSurfaceReduction, or #ASR rules. Specifically: "Block Win32 API calls from Office Macros" with ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b.
#Hotfix:
Admins can put the ASR rule into #Audit Mode to avoid further impact. Please note that you may need to re-enable the rule once the issue has been fully resolved. This can be done through one of the following methods:
- Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode
- Using Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem
- Using Group Policy: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy
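The PowerShell route, worked through end to end as an added example (not part of the advisory or of Microsoft's documentation): read the rule's current action, switch it to Audit mode, confirm the change took effect locally, and pull the Defender events that record audit hits. It assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus; the only rule ID used is the one quoted in the advisory.

```powershell
# Added example: verify, audit-mode, and re-verify the ASR rule named in the advisory.
# Assumes an elevated session on a device with Microsoft Defender Antivirus.
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros

# Action codes as returned by Get-MpPreference (AttackSurfaceReductionRules_Actions)
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleAction {
    param([string]$Id)
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays: the action for rule N is at index N
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($k = 0; $k -lt $ids.Count; $k++) {
        if ($ids[$k] -eq $Id) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$k]
            if ($ActionName.ContainsKey($code)) { return $ActionName[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

"Before: $RuleId -> $(Get-AsrRuleAction $RuleId)"

# The advisory's hotfix: move the rule to Audit mode. Add-MpPreference updates the
# existing entry for this rule ID rather than adding a duplicate.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

$after = Get-AsrRuleAction $RuleId
"After:  $RuleId -> $after"
if ($after -ne 'AuditMode') {
    # A managed setting (Intune or Group Policy) wins over a local change; fix it there instead.
    Write-Warning 'Rule is still not in Audit mode; check Intune / Group Policy for an overriding setting.'
}

# ASR audit events are ID 1122 and blocks are ID 1121 in the Defender operational log;
# the event message carries the rule ID, so filter on it to see only this rule.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Once the issue is resolved, the same Add-MpPreference call with `-AttackSurfaceReductionRules_Actions Enabled` puts the rule back into Block mode.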
This was the result of an #ASR #AttackSurfaceReduction rule called "Win32 Imports from Office Macro Code" being set to "Block", causing it to delete all of the shortcuts from ProgramData\Microsoft\Windows\Start Menu\Programs.
Attention! Microsoft Defender issue!
Starting with security intelligence version 1.381.2140.0 (or others depending on OS), Attack Surface Reduction (ASR) will remove .LNK files in the start menu and taskbar once they are clicked on. This will trigger an ASR alert in some but not all cases ("Block Win32 API calls from Office macro"). Setting this to audit might help.
This is affecting every environment I have looked at now, so I just wanted to share it so that it reaches as many people as possible.
#microsoftdefender #asr #attacksurfacereduction
I am running into an issue with adding an #AttackSurfaceReduction rule exclusion.
Last week, a team member called saying an Adobe plugin wouldn't work. I checked the Windows #Defender logs and it stated that the plugin's executable was attempting to create a child process from Adobe. I added an #ASR Only Per Rule Exclusions entry for the fully qualified path of the plugin's executable as it was displayed in the Windows Defender warning.
The ASR rule "Block Adobe Reader from creating child processes" is in Block mode.
I opened the device in Intune and clicked Sync.
A few days later, the team member contacts IT again and says that they are getting the same error as previously (and that it never was working).
I ran the #ASRAnalyzer (https://github.com/4D5A/MDATP_PoSh_Scripts/blob/master/ASR/ASR_Analyzer_v2.2.ps1) on the team member's computer and it did not show any ASR Exclusions.
As a temporary workaround, I changed the ASR Rule so it is in Audit mode. Oddly, the computer updated and sees the ASR Rule is in Audit mode, but it still does not see the ASR Per Rule Exclusion.
Has anyone else seen this issue?
I added the ASR Per Rule Exclusion in two formats, and neither one is listed on the computer. I used the fully qualified path without quotation marks (i.e. C:\Program Files (x86)\Vendor\Application.exe) and the fully qualified path with quotation marks (i.e. "C:\Program Files (x86)\Vendor\Application.exe").
Thank you in advance for any suggestions!