⚠️ New #Phishing #Vector ⚠️
Saw a new phishing vector hit my systems today: #QR Code #Phishing. Had a user report that they got a "Security Authentication" request via email, which presented a QR code for them to scan. I collected the #IOCs for this one just now on my #GitHub. Direct link: https://github.com/Geekmaster-General/IOCs/blob/main/Phishing%20Email%20IOCs
#phishing #vector #qr #iocs #github
Been seeing a lot more very sophisticated MocuSign (#docusign) #phishing emails this week. I have been updating my #IOC list on my #GitHub. Fraudsters are doing a much better job on their contents, even using legitimate non-phishing sites as a proxy to redirect to the actual #phishing site so they get by email scanners - but they haven't yet gotten past my #endpoint protections (so far, so good).
Keep up-to-date on my findings on my #IOCs #Repository so you can add them to your platforms as well. I update them multiple times per week: https://github.com/Geekmaster-General/IOCs/tree/main
#docusign #phishing #ioc #github #endpoint #iocs #repository
Updated my #DocuSign #Phishing #IOCs: https://github.com/Geekmaster-General/IOCs/blob/main/DocuSign%20IOCs
Command-and-control IPv4 map, 2023-07-30 to 2023-08-12 #IOCs
https://abjuri5t.github.io/SarlackLab/
Great blog post by a colleague of mine who asks why "Security through obscurity" is not dead in 2023! How many "#cybersecurity #incidents" is it going to take to finally realize that keeping your #securitycontrols a secret is a good thing? How many times does the #cybercommunity have to demonstrate that sharing of #threatintelligence, #TTPs, #IOCs, #securityconcepts, #AwarenessTraining methods, #zerodays, and everything else that goes along with having a #DefenseInDepth approach to a #HealthySecurityProgram, is ACTUALLY THE GOOD THING 🤨
(ahem)
You want to know about the platform I architected? No problem! 👍🏻
You want to know what Threat Intelligence I gather? Check my GitHub (link on my profile).
You want the keys to my kingdom? 🤣 No, but thanks for playing 👍🏻
I'm NOT saying #compromise yourself or open some dark #backdoor to your systems. Just share the knowledge of how you're protecting stuff! Everyone is more #secure for it, and the next generation will make it better.
https://kalahari.substack.com/p/security-through-obscurity?sd=pf
Command-and-control domain tree, 2023-06-27 to 2023-07-10 #IOCs
https://abjuri5t.github.io/SarlackLab/
Command-and-control IPv4 map, 2023-06-26 to 2023-07-09 #IOCs
https://abjuri5t.github.io/SarlackLab/
While translating the #VulkanFiles I found some #Russian #C2Servers plainly listed. I have updated my #IOC list on my #Github page: https://github.com/Geekmaster-General/IOCs/blob/main/Russian%20C2%20servers%20from%20Vulkan%20Files%20Leak
#cyber #cyberthreat #iocs #indicators #cyberwarfare #hackeddocs
Command-and-control domain tree, 2023-06-05 to 2023-06-18 #IOCs
https://abjuri5t.github.io/SarlackLab/
If you can't answer whether you have #MOVEit in your environment, now is the time to engage all elements of your IT team. There are two recently assigned #CVEs:
#CVE-2023-35036 (June 9, 2023)
#CVE-2023-34362 (May 31, 2023)
If you identify unpatched instances of MOVEit in your environment, you may want to consider moving to the detect/assess phase of the #NIST Incident Response framework.
Details and #iocs here:
https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
#moveit #cves #cve #nist #iocs #cybersecurity
Why do #APT groups prefer to use Open Source RATs?
You can check #SOCRadar's blog.
Link: https://socradar.io/open-source-rats-leveraged-by-apt-groups/
#OSINT #ThreatIntel #intelligence #CTI #infosec #cybersecurity #malware #threathunting #TTPs #IoCs
🚨 #Chinese #APT Alert - #VoltTyphoon - Details and #IOCs 🚨
Remember the #Chinese #spy #balloon that made world news? Check this shit out: https://www.darkreading.com/endpoint/-volt-typhoon-china-backed-apt-infiltrates-us-critical-infrastructure?_mc=NL_DR_EDT_DR_weekly_20230525&cid=NL_DR_EDT_DR_weekly_20230525&sp_aid=116660&elq_cid=38046155&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&sp_eh=144c4ccfdc4bcabeefa4110f1ea26cecf2a866a1c04b99a946a3df0524ced34c&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly_05.25.23&sp_cid=48686&utm_content=DR_NL_Dark%20Reading%20Weekly_05.25.23
#IOCs provided by the #NSA in a #JointAdvisory here: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
#chinese #apt #volttyphoon #iocs #spy #balloon #nsa #jointadvisory #cybersecurity #cyberespionage #yara #fortinet #soho
⚠️ #Geacon #IOCs and breakdown provided by @SentinelOne ⚠️
Geacon Brings #CobaltStrike Capabilities to #macOS
Threat Actors
https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/?&web_view=true
#geacon #iocs #cobaltstrike #macos #hacking #threatintelligence #attacksurfacereduction
Reported malicious python package "colors5", downloading an executable on setup from
https://resetname.peanutgamerdot.repl[.]co/Built.exe
It's the best documented malicious package I've seen, with helpful comments like
# write the malware to a file
# attempt to add a windows defender exclusion if the person runs our batch as admin
#run the malware
The only attempt at evasion is the screen-full of newlines before this code. :blob_confused:
#run #python #pypi #malware #iocs #threatintel
Command-and-control IPv4 map, 2023-04-11 to 2023-04-24 #IOCs
https://abjuri5t.github.io/SarlackLab/
143.92.58[.]96/30
94.142.138[.]0/24
45.15.156[.]0/24
103.231.31[.]128/26
37.220.87[.]0/24
91.215.85[.]0/24
45.227.255[.]192/26
83.217.11[.]0/24
179.60.146[.]0/24
Seeing more similar samples today, all coming from malicious #Google ads. Some keywords have been "pdf-tools" and "Advanced IP Scanner".
Payloads are MSIX files containing a PowerShell script which downloads the #Redline stealer.
IOCs:
adv-sect[.]site
advert-job[.]ru
pdf-editor[.]store
advanced-ip-scanner[.]world/
Ad Domains:
tucsontreeservicecompany[.]com
branchmanconstruction[.]com
#google #redline #iocs #malware #malvertising
Command-and-control IPv4 map, 2023-03-26 to 2023-04-08 #IOCs
https://abjuri5t.github.io/SarlackLab/
94.142.138[.]0/24
202.79.174[.]24/29
45.15.156[.]0/24
46.161.27[.]160/28
45.9.74[.]0/24
83.217.11[.]0/24
37.220.87[.]0/24
45.227.255[.]192/26
185.106.92[.]0/24
77.73.134[.]0/24
⚠️ #SupplyChainHackAlert ⚠️
You may have heard that #3CX got compromised. You can get details here: https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp or here https://www.3cx.com/blog/news/desktopapp-security-alert/
#IOCs here: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
If you use this platform, and have one of the compromised versions running, uninstall it and use the web interface for now, then wait for the new release.
#supplychainhackalert #3cx #iocs
My latest blog: Decoding a New JavaScript Malware Campaign!
https://www.th3protocol.com/2023/New-JS-Malware-Fake-Invoices
Earlier today researchers from HuntressLabs shared observations about an #AvosLocker case involving RClone. They identified initial access as a JavaScript file named "Invoice-DocuSign-Mar03-2023.js"
In my blog post I walk through analyzing this JavaScript malware, identifying persistency and decoding C2 traffic!
#IOCs: https://github.com/colincowie/colincowie.github.io/blob/master/assets/iocs/js_avoslocker/file_iocs.csv
PoC for decoding the C2 traffic:
https://gist.github.com/colincowie/2bb637259c38e1c6da3f2464ec92ed0e
💬 Author's Note:
Recently I've been feeling a little bit burnt out - this research excited me and provided some internal encouragement.
#ThreatIntel #CTI #Malware #Ransomware #JavaScript #VirusTotal
Command-and-control domain tree, 2023-02-21 to 2023-03-06 #IOCs
https://abjuri5t.github.io/SarlackLab/