Active exploitation of Ivanti Sentry Administrator interface from: 185.183.33.137

Running Metasploit, and installing ncat with reverse shell /bin/sh

#ThreatIntel

This is a great article on Lateral Movement for beginners and experienced analysts. The Analyst1 team not only provides details on what it is and how to detect it but provide steps adversaries may take before and after attempting to laterally move as well as attacks that use it. A great read for a Saturday morning! Enjoy and Happy Hunting!

What Is Lateral Movement in Cybersecurity & How Do You Detect It?
https://analyst1.com/what-is-lateral-movement/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Happy Friday everyone, I hope everyone had a successful week!

The Elastic Security Labs research team takes a deep dive into the #Blister loader and highlight the updates and what remains consistent. Armed with an upgraded hashing algorithm it still likes to hide its code in legitimate libraries, which ends up defeating some machine-learning models.

Revisting BLISTER: New development of the BLISTER loader
Elastic Security Labs dives deep into the recent evolution of the BLISTER loader malware family.
https://www.elastic.co/security-labs

MITRE ATT&CK TTPs (Thanks to the Elastic Team):
TA0005 - Defense Evasion
T1218.011 - System Binary Proxy Execution: Rundll32
T1480.001 - Execution Guardrails: Environmental Keying
T1036 - Masquerading
T1055.012 - Process Injection: Process Hollowing

TA0003 - Persistence
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/ Startup Folder

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Really enjoying having been invited to use https://hunt.io and provide feedback on the service.

Incredibly useful adversary hunting platform and certainly useful for updated and verified lists of C2-infrastructure.

Not to mention their opendir inventory which has a surprising amount of stuff. One thing is for sure, threat actors will continue to suck at opsec.

#ThreatIntel #ThreatHunting

Summary:
The Cisco Talos Intelligence Group has identified a campaign that has been running since November 2021 that targets victims who deal with 3-D modeling and graphic design. Most of the victims appeared to deal with businesses in the French language-dominant countries. The targets appeared to be in roles and businesses that require the use of high GPU specifications as they are attractive targets for illicit crypto mining.

I hope you enjoy and Happy Hunting!

Cybercriminals target graphic designers with GPU miners
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

"A classification of CTI Data feeds https://cert.at/en/blog/2023/9/cti-data-feeds" by @CERT_at #CTI #Security #ThreatIntel #threads #cybersecurity #cyber

Good day all! The Computer Emergency Response Team of Ukraine, CERT-UA reports on a targeted attack attributed to #APT28 they observed on critical energy infrastructure facility in Ukraine. It started with a #phishing email that contained a link to an archive that led to a downloaded zip file that contained three decoy JPGs and a bat file that would run on the victims computer. The BAT file would, again, open some decoy web pages, but more importantly would create a .bat and .vbs file. There was some discovery commands issued, TOR program downloaded and hidden on the victim's computer as a hidden service, and abused common ports (445,389,3389,443). Last but not least, a PowerShell script was used to collect the password hash of the account. Enjoy and Happy Hunting!

https://cert.gov.ua/article/5702579

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #CERTUA

Does anyone else enjoy a 40 page intel report to start their morning? Well, here it is!

The Morphisec research team provides an in-depth technical report on the #Chae$ malware. First discovered by Cybereason, the malware was seen targeting e-commerce customers in Latin America and now is on its 4th generation and has received some upgrades which include increases stealth capabilities and a shift to #Python. The malware includes 7 different modules which exhibit different behaviors. I won't spoil the rest of the fun, you're going to have to read on for yourself (honestly I couldn't fit all the relevant details in here there are so many!). Enjoy and Happy Hunting!

Threat Profile: Chae$ 4 Malware
https://www.morphisec.com/hubfs/Morphisec_Chae$4_Threat_Profile.pdf

#CyborgSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

While most of us celebrate Labor Day let's all try to take a moment to remember those who don't get to spend time with their loved ones today, wherever they may be and whatever they may be doing!

I don't know how this report slid under my radar but the ESET researched team unveil a "Marioesque" themed adversary, #MoustachedBouncer! They are a cyberespionage group that targets foreign embassies in Belarus with the use of their ISP level access and their tools #NightClub and #Disco. Using their (assumed) unique level of access, they compromise their targets by redirecting them to a fake #Microsoft update site which loads JavaScript code then leads to a zip file being downloaded. The team wasn't able to get the zip file, but they were still able to identify some TTPs and #LOLBINS abuse, such as creating a malicious scheduled task. I hope you enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #LaborDay

Among the stealers that Cisco Talos Intelligence Group has observed, the #SapphireStealer is a new one that appears to focus on browser credential theft with its straightforward techniques. It is capable of gathering host information, screenshots, cached browser credentials, and files stored on the system. It then creates its own directory and stores credentials in a passwords.txt file and screenshots then zips all the data up and exfiltrates it using Simple Mail Transfer Protocol (SMTP). PLUS, as an added bonus, the research team observed some operational security (OPSEC) failures by the adversary which led to some personal accounts that could be associated with the threat actor! Enjoy and Happy Hunting!

SapphireStealer: Open-source information stealer enables credential and data theft
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/

#CyberSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Happy Friday everyone! Two weeks ago I put this poll up on LinkedIn to help the community answer the question of: If you are a threat hunter, what roles/skills did you hold or gain to get there! And here are the results! Enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Information- and credential stealers continue to flood the criminal ecosystem. Certainly should be considered an enabler for a lot of criminal activity, easy way to get "into" the criminal market.

https://blog.talosintelligence.com/sapphirestealer-goes-open-source/

#ThreatIntel #CyberSecurity

The Intel 471 Team shares their knowledge about the different types of cryptocurrency malware, or cryware that poses a threat to investors. There are Drainers, stand-alone drainers, clippers, and different forms of cryptojacking malware. Enjoy and #HappyHunting!

Cryptocurrency Malware: An Ever-Adapting Threat
https://intel471.com/blog/cryptocurrency-malware-an-ever-adapting-threat

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Where there is cybercrime, there is crypto; and where there is crypto there is a need for conversion into cash services.

So with this introduction by Binance announcing Send Cash, I predict that some of these countries will begin to be favored by cyber criminals.

Anyone dare to predict otherwise? ;-)

https://www.binance.com/en/blog/payment/binance-announces-send-cash-in-latin-america-8142479410429401020

#Crypto #CyberCrime #ThreatIntel

... and woha Good Guy Canada producing, and publishing, a really nice analytical piece of reporting regarding a Baseline threat assessment: Cybercrime

Well-written, researched, and balanced between explanations, sources and recommendations.

https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime

#CyberSecurity #National #NCSC #Inspiration #ThreatIntel

I read about the polyglot PDF/Word malware documents earlier this week.

Anyone seen these ITW and what sort of detection rate we're talking about here?

https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/

#CyberSecurity #ThreatIntel #PDF

Good day to everyone, I hope that everyone is safe today! Researchers from Trend Micro provide intel on a group that they named #EarthEstries. They witnessed a cyberespionage campaign that targeted governments and technology industries around the world! Once they gained access they installed #CobaltStrike on the victims system, used backdoors for repeated access, and then collected PDFs and DDF files. They provide in-depth technical details on the other tools that were used on top of all the useful information in this article. Enjoy and Happy Hunting!

Earth Estries Targets Government, Tech for Cyberespionage
https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep-dive into #UNC4841, a Chinese-nexus threat group, activity that shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!

Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

VulzSec hackers group claims to target Japanese infrastructures under the campaign named "OperationJapan"

#Japan
#cti #threatintel
#OpJapan
#OpFukushima
#Anonymous
#VulzSec