Why do #APT groups prefer to use Open Source RATs?

You can check #SOCRadar's blog.

Link: https://socradar.io/open-source-rats-leveraged-by-apt-groups/

#OSINT #ThreatIntel #intelligence #CTI #infosec #cybersecurity #malware #threathunting #TTPs #IoCs

Don’t approach your threat profile irrationally – use our #PiDay #TTPs Matrix to slice through the infinite universe of threats and bring more (mathematically) constant focus on the ones that matter most: https://hubs.la/Q01GPxgV0

Whether you’re a freshly-baked analyst/operator or a crusty infosec veteran, the piping hot and fresh content in Tidal’s free Community Edition is sure to ins-pie-re the next step in your threat-informed defense journey!

Our latest matrix features seven timely threats:

PyPI Malicious Packages: A recent report from Sonatype highlighted software supply chain compromises, where four Python packages hosted on the PyPI software registry contained malicious code that could drop malware, delete system utilities, & tamper with files containing authorization keys

AppleSeed: According to the MITRE ATT&CK knowledge base, “AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.”

Raspberry Robin: A highly active worm that spreads through removable media and abuses built-in Windows utilities after initial infection. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware

Chocolatey Backdoor: Last March, Proofpoint identified an attack on French organizations in multiple sectors that used Chocolatey, an open-source package installer, to fetch malicious scripts that delivered the Serpent backdoor (this represents one of the first documented uses of Chocolatey in a cyber campaign)

(Key) LimeRAT: Trellix researchers documented a July 2022 spearphishing campaign targeting government agencies across South Asia, Europe, and North America that ultimately delivered AsyncRAT & LimeRAT. As a special bonus, this set of Pi Day techniques fittingly features T1056.001 (Input Capture: Keylogging)!

Banana Sulfate: This small set derives from Sekoia.io’s investigation into a large and sophisticated but unattributed infrastructure cluster last February
Golden Chickens: Security researchers assess this is a malware-as-a-service provider whose customers include FIN6, Cobalt Group, and the Evilnum APT group.

#SharedWithTidal #threatinformeddefense #threatintel #threatintelligence

Feds warn about right Royal ransomware rampage that runs the gamut of TTPs - Wondering which cybercrime tools, techniques and procedures to focus on? How about any an... https://nakedsecurity.sophos.com/2023/03/03/feds-warn-about-right-royal-ransomware-rampage-that-runs-the-gamut-of-ttps/ #ransomware #dataloss #mitre #royal #cisa #ttps

“A web application that assists network defenders, analysts, and researcher in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.”, thanks @cisainfrasec
#cybersecurity #blueteam #infosec #ttps
https://github.com/cisagov/decider

Coinbase shares experience following a social engineering attack involving SMS phishing. Company says no customer funds or customer information were impacted.

Kudos to the company for sharing Tactics, Techniques, and Procedures, TTPs

https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study

#cryptocurrency #smsphishing #phishing #ttps #incidentresponse

#cybersecurity Is critical in today's world. #CyberThreatIntelligence & #TTPS are key to staying secure & knowing potential risks. Why are they important to you? #SecurityAwareness #CyberSecurityAwareness #CyberSecurityMatters #CyberSecurityTips

https://redbeardsec.com/cyber-threat-intelligence-ttps-why-are-they-important-to-you/

A rich #training #offer at BSides Milano we have top-notch trainings, in some case for the first time in #Italy! All #in-person! The #event will be held from 4 to 8 July 2023. From 4 to 7 we will be focus on #learnitall on the 8 we will deep dive in our #amazing #conference. Ticket will be available from tonight for the trainings. We have an early bird rate until 30th April.
Are you ready? We are!! join our group SecurityBsidesItalia #linkedin or on #discord https://lnkd.in/dBu7wkJG for detailed info! #cyber #threatintelligence #threatintel #cloud #redteaming #redteam #blueteam #threathunting #exploitation #secureboot #TTE #multicloud #hybridcloud #voip #Linux #Windows #LTE #baseband #deception #detection #evasion #edr #BSML23 #AWS #Azure #AzureAD #GCP #devops #cicd #RTOS #FalseFlag #HoneyNet #IDAPro #Python #reverseengineering #Ghidra #network #MITRE #TTPs #persistence #commandandcontrol #lateralmovement #osint #obfuscation #malware #malwareanalysis .
Reserve your your spot!! https://lnkd.in/dZf-yyPv

@BSidesMilano #Spotlight #training @GroupIB #ThreatHunting #ThreatIntelligence #DFIR #investigation #forensics #ttps #malware

With #Hive ransomware infrastructure taken down last week and speculation of similar action against #LockBit, which groups will likely take the “top” #RaaS spots in the first part of the year? If you don’t track #ransomware-as-a-service closely, you may not realize how many other groups regularly carry out attacks (or at least claim & extort victims publicly)

Since the takedown on Thursday, five RaaS groups have claimed nearly 30 victims publicly, with LockBit 3.0, #Clop, and #ViceSociety leading the pack. In our ransomware landscape briefing last week, a participant asked which group concerned us most into the new year. My answer is “most” seen in the slide here (but if I had to narrow, I choose LockBit in the short-term, and Vice Society in the medium/longer term)

Last week I argued that many, if not most, of the “top” groups (measured quickly by last year’s victim count) should be on most security teams’ radars. While there are some notable trends in victim sectors, like a relative increase in attacks on public services organizations, in general most of the leading groups are associated with a broad range of victim verticals (a similar trend holds for victim size too – a relative rise in mid-sized organizations, but still a notable number of large enterprises like in years past)

Rather than burn resources trying to track each new victim associated with each group every day, there is value in identifying top common tactics, techniques, & procedures among groups with generally similar motivations & victim patterns, and focusing response drills, defensive reinforcements, log source & detection tuning, and, where resources allow, unit testing or adversary simulation or emulation around that subset of TTPs

Our living matrix of top ransom & extortion group #TTPs is found here, covering nearly 30 groups and 175 techniques, although the cluster of top common ones is much smaller. Click the labels in the ribbon at the top to see source references for every mapping and procedural details for many: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a

You can also catch the recording of last week’s session and slides with this and similar metrics & graphics on-demand here: https://www.brighttalk.com/webcast/19703/570527

#threatinformeddefense #TTP #risk

Cyber-threat intelligence is the key to protecting yourself online! #Cybersecurity is something we all need to take seriously - understand why cyber-threat intelligence is important to you and how to use it to stay safe. #CyberThreatIntelligence #TTPS #SecurityAwareness

https://redbeardsec.com/cyber-threat-intelligence-ttps-why-are-they-important-to-you/

From a #ThreatIntelligence perspective, the #TTPs would be:

- #T1059.003: Command and Scripting Interpreter: Unix Shell. SHC payloads to be run still need a shell to be identified in the system and that the code inside the payload is, in fact, a shell script.
- #T1027.002: Obfuscated Files or Information: Software Packed with #SHC.
- #T1622: Debugger Evasion by using SHC with '-r'.
- #T1105: Ingress Tool Transfer by downloading payloads from Github.
- #T1496: Resource Hijacking with #XMRig.

Great post about “Emulating the Politically Motivated North Korean Adversary Andariel” #threatintel #blueteam #detection #ttps #cybersecurity

https://www.attackiq.com/2022/12/22/emulating-the-politically-motivated-north-korean-adversary-andariel/

#MuddyWater #APT group is back with updated #TTPs

Source
https://securityaffairs.co/wordpress/139505/apt/muddywater-changs-ttps.html

Recorded Future‘s Insikt Group exposed TAG-53’s credential harvesting infrastructure used for Russia-aligned #espionage operations. Infrastructure #TTPs likely overlap with what had previously been reported on Callisto Group, COLDRIVER or SEABORGIUM https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations

Ismael Valenzuela, @Joseliyo_Jstnk y yo hemos estado trabajando en el análisis de las amenazas cibernéticas en España, Chile, México, Argentina, Brasil, Colombia y Ecuador con sus motivaciones, y sus TTPs.

Lo acabamos de publicar en https://github.com/blackberry/threat-research-and-intelligence/tree/main/Talks/2022-11-25%20-%20XVI%20Jornadas%20STIC%20CCN-CERT

#ttps #mitredefend #mitreattack #jupyternotebook #threatsighting

Some tech interests: #phishing #yara #soc #malware #edr #sigma #soar #metrics #elastic #mobiletechnology #smartwatch #homeautomation #TTPs #infosec #blueteam #evs #3dprinting #vr #attacksimulation #purpleteam #memes

Enforcing a #GPO that removes the local mounting options of image files was one of my smarter decisions recently! It seems the TTP of hidden DLLs running from LNK files is really the go to as of late.

#hardening #security #ttps

@0xF21D those were just what came up, #incindent #breach #TTPs
I dunno, those could also match, but i figure if you check out the sec operstions ppl you follow you'll see what they use as name for the hashtags and in that way be able to trim

I am mapping Mitre #TTPs to Kubernetes, welp.

Do you think that `kubectl proxy` should be mapped to T1599?

https://attack.mitre.org/techniques/T1599/

It's a built-in TCP proxy, pretty much like SSH port forwarding.

#FBI, #CISA, and #HHS released a join CSA (#StopRansomware: Hive Ransomware) to disseminate HIVE #IOCs and #TTPs dated 17NOV2022. This includes mitigations, likelihood, and impact. As always, if you become a victim of ransomware, notify your local FBI field office or CISA. Linky below:

https://www.cisa.gov/uscert/ncas/alerts/aa22-321a