Fri, 25 Feb 2022 19:41:50 +0000
Technical Analysis of PartyTicket Ransomware
https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware
Zscaler
Technical Analysis of PartyTicket Ransomware | Zscaler
PartyTicket Ransomware Used as a Diversion From Hermetic Wiper Attack
https://datastudio.google.com/reporting/844f1ec8-f136-40d0-8408-14625e34d28a/page/nklmC
Threw together some data on the geolocation of IP indicators for 11.02 - 25.02.
Picked the top by number of indicators.
Google Data Studio
IP IOCs by Geolocation (2022-02-11 - 2022.02.25)
Google Data Studio turns your data into informative dashboards and reports that are easy to read, easy to share, and fully customizable.
Sat, 26 Feb 2022 00:15:53 +0000
BlackCat ransomware
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
LevelBlue
BlackCat ransomware
This blog was jointly written with Santiago Cortes. Executive summary LevelBlue Labs™ is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered…
Sat, 26 Feb 2022 19:07:46 +0000
HermeticWiper & resurgence of targeted attacks on Ukraine
https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine
Zscaler
HermeticWiper & resurgence of targeted attacks on Ukraine | Zscaler
Sun, 27 Feb 2022 01:23:17 +0000
Something strange is going on with Trickbot
https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
Intel471
Something strange is going on with Trickbot
There hasn't been any new activity from the Trickbot malware in 2022. Why?
Sun, 27 Feb 2022 01:23:45 +0000
MAR–10369127–1.v1 – MuddyWater
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-055a
Mon, 28 Feb 2022 01:07:02 +0000
CoinMiner Being Distributed to Vulnerable MS-SQL Servers
https://asec.ahnlab.com/en/32143/
ASEC BLOG
CoinMiner Being Distributed to Unsecured MS-SQL Servers - ASEC BLOG
The ASEC analysis team is constantly monitoring malware distributed to unsecured MS-SQL servers. The previous blogs explained the distribution cases of Cobalt Strike and Remcos RAT, but the majority of the discovered attacks are CoinMiners. – [ASEC Blog] Remcos…
Mon, 28 Feb 2022 11:24:52 +0000
Exclusive in-depth analysis: directly attack the key technical details of Ukraine’s cyber warfare
https://blog.360totalsecurity.com/en/exclusive-in-depth-analysis-directly-attack-the-key-technical-details-of-ukraines-cyber-warfare/
360 Total Security Blog
Exclusive in-depth analysis: directly attack the key technical details of Ukraine's cyber warfare
Recently, 360 Security Center observed a state-level cyber warfare attack against Ukraine for the purpose of sabotage, including distributed denial of service (DDoS) attacks, phishing scams, exploits, supply chain attacks, malicious data wipes disguised as…
Mon, 28 Feb 2022 15:23:06 +0000
Broadcom Software Discloses APT Actors Deploying Daxin Malware in Global Espionage Campaign
https://us-cert.cisa.gov/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware
Colleagues, apologies that not all TI reports make it to the channel.
For now the old version of the bot that detects TI reports in the news stream is running. Previously, whatever the bot could not detect I added to the channel by hand.
Right now I have put all my effort into finishing the new version of the bot.
I hope to launch it into production in a week.
Tue, 01 Mar 2022 14:18:27 +0000
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
Security
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors.
Tue, 01 Mar 2022 14:19:05 +0000
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/
Sophos News
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
An unpatched Microsoft Exchange Server let both ransomware actors in; Karma just stole data, while Conti encrypted.
Tue, 01 Mar 2022 14:20:28 +0000
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
Unit 42
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
An attack in early February targeted an energy organization in Ukraine with OutSteel and SaintBot. The attack is part of a larger campaign.
Tue, 01 Mar 2022 14:20:39 +0000
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
https://unit42.paloaltonetworks.com/sockdetour/
Unit 42
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed.
Tue, 01 Mar 2022 14:29:27 +0000
Elections GoRansom – a smoke screen for the HermeticWiper attack
https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/
Securelist
Elections GoRansom – a smoke screen for the HermeticWiper attack
We present our analysis of HermeticRansom (aka Elections GoRansom) ransomware that was likely used as a smokescreen for the HermeticWiper attack.
Tue, 01 Mar 2022 16:34:17 +0000
The InQuest Insider Issue #42 - Glowspark
https://inquest.net/newsletter/2022/03/inquest-insider-issue-42-glowspark
inquest.net
InQuest - Join the Hunt.
InQuest provides Deep File Inspection (DFI) for real-time protection and RetroHunting to leverage hindsight and apply today's intelligence to yesterday's data.
Tue, 01 Mar 2022 21:18:36 +0000
Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/
crowdstrike.com
How to Decrypt the PartyTicket Ransomware Targeting Ukraine | CrowdStrike
We explain how PartyTicket ransomware used in Ukraine attacks only superficially encrypts files, and outline how it's possible to recover the encrypted files.
Tue, 01 Mar 2022 22:51:28 +0000
Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
Proofpoint
SunSeed Malware Targets Refugees & EU Government | Proofpoint US
Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.
#technique
Rogue RDP – Revisiting Initial Access Methods
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
Black Hills Information Security, Inc.
Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security, Inc.
Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]