Tue, 08 Mar 2022 16:50:50 +0000
Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/
Unit 42
Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed – we provide a technical analysis.
Tue, 08 Mar 2022 16:52:03 +0000
PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell
https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/
crowdstrike.com
PROPHET SPIDER Exploits Citrix ShareFile | CrowdStrike
Read our blog post to learn how PROPHET SPIDER continues to evolve their tradecraft while continuing to exploit known web-server vulnerabilities.
Tue, 08 Mar 2022 23:48:04 +0000
Emotet Redux
https://blog.lumen.com/emotet-redux/?utm_source=rss&utm_medium=rss&utm_campaign=emotet-redux
Lumen
Emotet Redux - Lumen
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets Executive Summary Since its reemergence on Nov. 14, 2021, Black Lotus Labs has once again been tracking Emotet, one of the world’s most prolific malware…
Wed, 09 Mar 2022 11:25:19 +0000
Decrypted: Prometheus Ransomware
https://decoded.avast.io/threatresearch/decrypted-prometheus-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-prometheus-ransomware
Avast Threat Labs
Decrypted: Prometheus Ransomware - Avast Threat Labs
Avast Releases Decryptor for the Prometheus Ransomware. Prometheus is a ransomware strain written in C# that inherited a lot of code from an older strain called Thanos. Skip to how to use the Prometheus ransomware decryptor. How Prometheus Works Prometheus…
Wed, 09 Mar 2022 11:40:21 +0000
New Nokoyawa Ransomware Possibly Related to Hive
https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
Trend Micro
New Nokoyawa Ransomware Possibly Related to Hive
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they…
Wed, 09 Mar 2022 16:07:56 +0000
Raccoon Stealer: “Trash panda” abuses Telegram
https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/?utm_source=rss&utm_medium=rss&utm_campaign=raccoon-stealer-trash-panda-abuses-telegram
Avast Threat Labs
Raccoon Stealer: “Trash panda” abuses Telegram - Avast Threat Labs
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses. Raccoon Stealer is a password stealer capable of stealing not just passwords…
Wed, 09 Mar 2022 19:02:41 +0000
Russia-Ukraine Crisis Places Critical Infrastructure At High Risk
https://blog.cyble.com/2022/03/09/russia-ukraine-crisis-places-critical-infrastructure-at-high-risk/
Cyble
Russia-Ukraine Crisis Places Critical Infrastructure At High Risk
State-sponsored attackers, APT groups, and numerous hackers’ communities have been actively targeting the critical infrastructures.
Wed, 09 Mar 2022 19:13:31 +0000
Updated: Conti Ransomware
https://us-cert.cisa.gov/ncas/current-activity/2022/03/09/updated-conti-ransomware
Wed, 09 Mar 2022 19:44:35 +0000
FormBook spam campaign targets citizens of Ukraine
https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/
Thu, 10 Mar 2022 01:51:19 +0000
Daxin Backdoor: In-Depth Analysis, Part Two
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis
Security
Daxin Backdoor: In-Depth Analysis, Part Two
In the second of a two-part series of blogs, we examine the communications and networking features of Daxin.
Thu, 10 Mar 2022 12:50:52 +0000
Qakbot injects itself into the middle of your conversations
https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/
Sophos News
Qakbot injects itself into the middle of your conversations
The heavily distributed botnet delivers a wide variety of payloads – and scans your network for weaknesses
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation
https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/
PHOREAL Malware Targets the Southeast Asian Financial Sector
https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/
Thu, 10 Mar 2022 18:05:33 +0000
Ransomware: February 2022 review
https://blog.malwarebytes.com/threat-intelligence/2022/03/ransomware-february-2022-review/
Malwarebytes
Ransomware: February 2022 review
Get the latest information on ransomware trends with our monthly review.
Fri, 11 Mar 2022 00:38:32 +0000
Infostealer Being Distributed via YouTube
https://asec.ahnlab.com/en/32499/
ASEC BLOG
Infostealer Being Distributed via YouTube - ASEC BLOG
The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user…
Fri, 11 Mar 2022 17:22:38 +0000
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/
Cyble
New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware
Cyble's research on a wiper malware named RURansom which was found attacking Russia.
Made some progress on the automatic TI report analyzer.
For now it produces this raw HTML page (easier than parsing the JSON by eye) and the artifacts that the engine generates.
The description of relationships still needs work and needs to be brought into line with STIX.
This week I will build a summary for the reports published in Telegram from the technical HTML page.
The rest of the info will be loaded into the graph database in RST Cloud after manual moderation.
Mon, 14 Mar 2022 01:05:02 +0000
ASEC Weekly Malware Statistics (February 28th, 2022 – March 6th, 2022)
https://asec.ahnlab.com/en/32522/
ASEC BLOG
ASEC Weekly Malware Statistics (February 28th, 2022 - March 6th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 28th, 2022 (Monday) to March 6th, 2022 (Sunday). For the main category, info…
#technique
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
https://www.varonis.com/blog/synthetic-sid
Varonis
Is this SID taken? Varonis Threat Labs Discovers Synthetic SID Injection Attack
A technique where threat actors with existing high privileges can inject synthetic SIDs into an ACL creating backdoors and hidden permission grants.