Good day everyone! The DFIR Report released their latest report detailing an attack that involved two different adversaries, one acted as the distributor while the other filled the role of hands on keyboard. #TA551 was responsible for the phishing campaign and a #Nokoyawa ransomware affiliate was responsible for the rest! I hope you enjoy this and find it as useful as I did, and as always, #HappyHunting!
HTML Smuggling Leads to Domain Wide Ransomware
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Some MITRE ATT&CK TTPs (Thanks to the DFIR team):
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
TA0009 - Collection
T1560 - Archive Collected Data
TA0005 - Defense Evasion
T1027.006 - Obfuscated Files or Information: HTML Smuggling
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #MitreMonday
I retooted (excuse me) @securityonion's post about #SecurityOnion's latest update. But I feel like I gotta shout the firm and their work out a little bit more.
Where I live, there was a VERY active campaign leveraging business email compromise (#BEC) to distribute malware. Threat actor mapped very cleanly against #TA551.
The actor was targeting small non-profits linked to multiple government entities. As part of community engagement in spreading the word about this attack, it was super great to be able to say to these non-profits, who have been facing other hardships, "Don't worry. There's an organization and tool that's got your back."
#SecurityGentrification is a real thing. And each one of those non-profits that got compromised (only 3 by my count) increased the odds of a larger incident impacting more of us.