LeeArchinal

joined 2 years ago
[–] [email protected] 2 points 1 week ago

To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88db

#huntoftheday #gethunting

 

Happy Friday everyone!

The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation (FBI) have released a #cybersecurity advisory focusing on the #Ghost ransomware threat. They provide us with some updates to the TTPs and Behaviors on the group's activity and what we can hunt for!

Behaviors (MITRE ATT&CK):
Initial Access - TA0001
Exploit Public-Facing Application - T1190 - the group exploited many CVEs to gain their initial foothold. They exploited Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Defense Evasion - TA0005
Impair Defenses: Disable or Modify Tools - T1562.001 - Ghost frequently runs a command to disable Windows Defender on network connected devices.

There are plenty of other technical and behavior artifacts in the report, so go check it out yourself! Enjoy and Happy Hunting!

#StopRansomware: Ghost (Cring) Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

 

Happy Wednesday everyone!

Some good news from the Bitdefender research team! They took a look at the #ransomware strain dubbed #ShrinkLocker and its behaviors and discovered that it abuses a built-in #Windows feature for encryption. It modifies BitLocker (a Windows security feature that encrypts drives to protect data from theft or exposure if a device is lost or stolen) and, if needed, installs it, then re-encrypts the system using a randomly generated password which is delivered to the attacker. Using this feature paired with Group Policy Objects (GPOs) and scheduled tasks, encrypting an entire network doesn't take much time at all.

The good news: The Bitdefender team discovered a window of opportunity for data recovery and have made the decryption tool publicly available. They walk you through the process to recover your data.

Artifacts to hunt for:
Some highlights from the report-

  • Look for scheduled tasks that were created that run .vbs scripts and may be in strange locations or have names that are spelled incorrectly or do not match your normal naming convention (if you have one). In this case, "ADHelathCheck" appears as though it should have been "ADHealthCheck".
  • If scheduled task visibility is an issue, look for svchost.exe being the parent process of abnormal living-off-the-land binaries.
  • Monitor RDP connections and identify abuse. This may not be easy but having a baseline or understanding of your environment is paramount.

Well, that is all for now! I hope you enjoy the article and get some good hunts in! Happy Hunting!

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again
https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday Cyborg Security, Now Part of Intel 471

 

Happy Friday everyone!

This is another shoutout to all those trying to get into tech! Here is a great resource to look for that job that may just get your foot in the door. It allows you to filter on a bunch of different job categories and locations, top tech jobs by company, and more. I will let you know that I have never used this site to gain employment, nor have I actively pursued employment using this site; it is just something that someone in my feed made me aware of, and after checking it out, I thought I would share it with everyone else! Enjoy and Happy Job Hunting!

https://trueup.io/

#CyberSecurity #ITSecurity #techjobs #HappyHunting

[–] [email protected] 2 points 5 months ago

@[email protected] @[email protected]
This could make a lot of crypto bros pretty sad.

 

Happy Monday everyone!

On September 3rd the Federal Bureau of Investigation (FBI) released a Public Service Announcement that raises the awareness of some "well-disguised" social engineering attacks. These attacks have been attributed to the Democratic People's Republic of Korea ("DPRK" aka North Korea) and are targeting the #crypto industry.

Some examples of the effort that is put into these types of attacks, especially from a nation-state actor, are:

  • The group conducts some serious "pre-operational" research of their victims.
  • They individualize the fake scenarios by initiating prolonged conversations with their victims to build rapport. It's not just a drive-by, hope-for-the-best encounter.
  • They impersonate individuals their victims may know or follow, like prominent people associated with certain technologies, possibly an influencer.

And the FBI shares some indicators that you may be on the receiving end of a social engineering attack:

  • Requests to execute code or download applications.
  • Requests to conduct a "pre-employment" test or debugging exercise.
  • Offers of employment from prominent cryptocurrency or tech firms.

Well, this one's a little different, but enjoy the article and Happy Hunting!

North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks
https://www.ic3.gov/Media/Y2024/PSA240903

Cyborg Security Intel 471 #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

 

Happy Tuesday all!

A hacktivist group named Head Mare is making its presence known in Russia and Belarus and Kaspersky shares the technical details they discovered. Recently the group has been abusing CVE-2023-38831 (a vulnerability in WinRAR) to gain initial access and to execute arbitrary code on the victim's machine. Once on the machine the group uses different strains of ransomware, off-the-shelf toolkits (Sliver), and good ol' Mimikatz.

As far as the techniques go, well, there is one that cannot be ignored, the Registry Run key used for Persistence, but what was interesting was the defense evasion techniques they showed, which they accomplished in a two-step fashion. First, they created scheduled tasks with names that hinted they are part of legitimate operations (MicrosoftUpdateCore and MicrosoftUpdateCoree), and then had the malware that was dropped imitate legitimate software names (OneDrive.exe and VLC.exe), which were stored in the C:\ProgramData\ directory, a more trustworthy directory, unlike the AppData or Users\Public directories.

As usual, read further for more interesting TTPs and stand by for the Threat Hunting Tip of the Day! Enjoy and Happy Hunting!

Head Mare: adventures of a unicorn in Russia and Belarus
https://securelist.com/head-mare-hacktivists/113555/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
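The misspelled and lookalike task names called out in the ShrinkLocker post (ADHelathCheck) and this one (MicrosoftUpdateCoree), as an added Python example that is not code from either report or from Intel 471: it scores each task name by edit distance against a constructed baseline of names the organisation expects, and flags script actions stored in user-writable directories such as C:\ProgramData. The baseline, the directory list and the task export are all constructed.

```python
import re

# Constructed baseline of scheduled-task names this (hypothetical) organisation expects.
KNOWN_TASKS = {"ADHealthCheck", "NightlyBackup", "GoogleUpdateTaskMachineCore"}

# Directories a standard user can write to; installers rarely put task actions here.
SUSPICIOUS_DIRS = re.compile(
    r"^(?:C:\\ProgramData\\|C:\\Users\\Public\\|C:\\Users\\[^\\]+\\AppData\\|C:\\Windows\\Temp\\)",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(?:vbs|js|ps1|bat|cmd)$", re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) edit distance, so a
    transposed pair such as 'Helath' vs 'Health' costs one edit, not two."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_known(name: str):
    """Return (baseline_name, distance) for the nearest known task name."""
    return min(((k, osa_distance(name, k)) for k in KNOWN_TASKS), key=lambda t: t[1])


def triage_task(task: dict) -> list:
    """Return the reasons a task deserves a look; an empty list means it looks normal."""
    reasons = []
    known, dist = closest_known(task["name"])
    if 0 < dist <= 2:
        reasons.append(f"lookalike of known task {known!r} (distance {dist})")
    elif dist > 2:
        reasons.append("name not in baseline")
    action = task["action"]
    if SCRIPT_EXT.search(action):
        reasons.append("action is a script")
    if SUSPICIOUS_DIRS.match(action):
        reasons.append("action lives in a user-writable directory")
    return reasons


def hunt(tasks):
    """Return [(name, reasons)] for every task that raised at least one reason."""
    findings = [(t["name"], triage_task(t)) for t in tasks]
    return [(name, reasons) for name, reasons in findings if reasons]


# Constructed sample export (name, action) of scheduled tasks; not from any report.
SAMPLE_TASKS = [
    {"name": "ADHealthCheck", "action": r"C:\Program Files\ADTools\healthcheck.exe"},
    {"name": "ADHelathCheck", "action": r"C:\ProgramData\adhc.vbs"},
    {"name": "MicrosoftUpdateCoree", "action": r"C:\ProgramData\OneDrive.exe"},
    {"name": "NightlyBackup", "action": r"C:\Program Files\Backup\run.exe"},
]
```

Exact matches and far-off names are handled differently on purpose: a name within two edits of something you trust is the masquerade case, a name nowhere near the baseline is simply unknown software.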

[–] [email protected] 1 points 6 months ago

Thank you all for waiting patiently for your Threat Hunt Tip of the Day! And here you go!

I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!

How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, it's a great start, but if you are like some organizations and living in the Wild West, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!

Nice little resource for RMMs from Red Canary!
https://redcanary.com/threat-detection-report/trends/rmm-tools/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #huntoftheday

 

Good day everyone!

Microsoft brings us the #readoftheday with a threat group known as #PeachSandstorm. Believed to be operating out of Iran, the group deployed a new custom malware, the Tickler backdoor, and it sounds like they conduct espionage campaigns.

Looking at the behaviors, we can see a tried and true persistence mechanism (throw your answer in the comments if you spotted it as well, it's something I have mentioned too many times to count!) and then another technique used by many adversaries: drop a LEGIT remote monitoring and management (RMM) tool, in this case, AnyDesk. But I am going to leave you guessing where we are going with this one! Enjoy the article and Happy Hunting!

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

[–] [email protected] 1 points 6 months ago

For your Threat Hunting Tip of the Day:

Masquerading is a common technique used by attackers: by using legitimate names for their malicious programs, they make victims more likely to click the application. But, as a hunter, what can you do? Easy: Look at the process chain!

Part of Threat Hunting is learning your environment and by identifying process chains that are legitimate in your environment, you can start to look for process chains that may not make sense. So when you are looking at "legit" sounding apps that are executing, make sure you look at the parent process!

Good luck and Happy Hunting!

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting!

 

Happy Wednesday everyone!

Today's #readoftheday is a tale of victims getting compromised when they tried to download pirated movies! Mandiant (part of Google Cloud) reports that it all started with a zip file whose title hinted that it would be a movie but really contained a malicious LNK (Microsoft shortcut file) that executes a PowerShell downloader script which leads to the #PEAKLIGHT malware, another PowerShell-based downloader.

Interestingly, one of the variations uses an executable named Setup.exe which appears to be masquerading as a legitimate application, which is a common technique that is used by threat actors to gain trust from their victims!

As always, enjoy the rest of the article, I hope you have time to read it for yourself, and stay tuned for your Threat Hunting Tip of the Day!

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

[–] [email protected] 1 points 6 months ago

For your threat hunting tip of the day:

Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd, but the executables or programs doing it seemed strange as well. One example is MSBuild.exe (an executable masquerading as a legitimate process) connecting to an IP over port 6000.

Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?

So, look for non-standard ports that aren't tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!

@[email protected] Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting

 

Good day everyone!

Today's #readoftheday is brought to you by AnyRun and describes a campaign that has targeted Chinese-speaking users and distributes the malware known as #ValleyRAT. A RAT, which stands for remote access trojan, is a type of malware that is designed to allow the attacker to access and control a victim's machine. This one targets the Windows operating system and employs a range of techniques to evade detection and is delivered when the first-stage loader is disguised as a legitimate application like Microsoft Office. When the unsuspecting victim executes the malware, a decoy document is deployed and the executable loads the shellcode that advances the attack to the next stage.

Attackers have long used files that are masqueraded as legitimate processes, executables, and so on, as well as the technique of dropping a decoy document when the user executes malware. The idea here is a layered effect: one, the adversary abuses the trust a user has for legitimate file names and THEN provides something that the victim may have been expecting, basically giving the victim something so as not to raise an alarm. This may be the delay that the attacker needs to get a stronger foothold in the environment and gain persistence.

Stay tuned for your threat hunting tip of the day, but until then, Happy Hunting!

New ValleyRAT Campaign Spotted with Advanced Techniques
https://any.run/cybersecurity-blog/new-valleyrat-campaign/?utm_source=linkedin&utm_medium=post&utm_campaign=threat-intelligence-explained&utm_content=blog&utm_term=220824/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

[–] [email protected] 1 points 6 months ago

Here is your Threat Hunting Tip of the Day:

In The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the "-encodedcommand" parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?

You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expressions! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!

I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!

Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88db

Cyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
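The parameter-variation problem described above, as an added Python example that is not the hunt package itself and not code from The DFIR Report: it builds the set of switch spellings PowerShell accepts, strips the cmd.exe escape carets and quotes that break the switch up on disk, and decodes the base64/UTF-16LE payload so the command can be read without leaving the hunt tool. The sample command lines are constructed.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so every prefix of
# "EncodedCommand" from "-e" upward is accepted, plus the documented alias "-ec".
# Both "-" and "/" introduce a switch, and the match is case-insensitive.
_FULL = "encodedcommand"
_SWITCHES = {_FULL[:i] for i in range(1, len(_FULL) + 1)} | {"ec"}
_SWITCH_RE = re.compile(
    r"(?:^|\s)[-/](" + "|".join(sorted(_SWITCHES, key=len, reverse=True)) + r")(?=\s|$)",
    re.IGNORECASE,
)
# The argument is base64 text; require a plausible run so short words are not mistaken for it.
_B64_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")


def normalize(cmdline: str) -> str:
    """Remove cmd.exe escape carets and embedded quotes, which split the switch into
    pieces in the recorded command line (-e^n^c, -"enc") but are gone before
    PowerShell parses its arguments."""
    return cmdline.replace("^", "").replace('"', "")


def decode_encoded_command(cmdline: str):
    """Return (switch_as_typed, decoded_script) for a command line that uses an
    -EncodedCommand variant, (switch, None) if the payload will not decode, and
    None when no such switch is present. PowerShell expects base64 of UTF-16LE."""
    norm = normalize(cmdline)
    m = _SWITCH_RE.search(norm)
    if not m:
        return None
    switch = m.group(1)
    payload = _B64_RE.search(norm, m.end())
    if not payload:
        return (switch, None)
    try:
        script = base64.b64decode(payload.group(0), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return (switch, None)
    return (switch, script)


def hunt(cmdlines):
    """Run the check over process-creation command lines and return the hits."""
    hits = []
    for line in cmdlines:
        result = decode_encoded_command(line)
        if result:
            hits.append({"cmdline": line, "switch": result[0], "decoded": result[1]})
    return hits


def _b64_utf16(script: str) -> str:
    """Build a payload the way PowerShell expects it; used only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not from any report); the last two are benign.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -EnCoDeDcOmMaNd " + _b64_utf16("Get-Process"),
    "cmd.exe /c powershell -e^n^c " + _b64_utf16("Write-Host hi"),
    "powershell.exe /Ec " + _b64_utf16("whoami"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    'powershell.exe -Command "Get-Date"',
]
```

A hit whose payload will not decode is still a hit: a switch with garbage after it is worth a look too, which is why the function returns the switch even when the script comes back as None.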

 

Happy Monday, or should I say, Happy #DFIRDay!

That's right, The DFIR Report has dropped another one of their awesome reports, this time covering an attack that involved the #BlackSuit ransomware. There was a dash of #CobaltStrike, #SystemBC, some encoded PowerShell commands for defense evasion (and to keep you guessing on what the command really is!), LSASS access for credentials, and ultimately led to the ransomware being deployed. This report provides a great example of all the things the adversary needs to do to be successful in an attack and all the information they need from your environment to do it!

Stay tuned for your Threat Hunting Tip of the Day but while you wait, enjoy the article! Happy Hunting!

And I promise you I am not going to take the easy way out and hit you with the AutoRun registry key hunt package again!

BlackSuit Ransomware
https://thedfirreport.com/2024/08/26/blacksuit-ransomware/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

[–] [email protected] 1 points 6 months ago

Threat Hunting Tip of the Day:

I know I normally steer you to a Cyborg Security and Intel 471 Hunt package but something about this report stuck out that could be an issue in many organizations and that can be summed up to one word: visibility!

Under the "Data Access and Impact (TA0010 and TA0040)" section, it states that "CloudTrail S3 data logging and S3 server access logging was not enabled...no logs existed that showed exfiltration activity from the S3 buckets." [1]

Lesson learned: IF you are migrating to the cloud or bringing new hardware/software, assets, etc. into your environment, please take time to assess what level of logging exists, and determine what is valuable to ingest. Taking that time will be worth it in the long run and allow your analysts to dig through logs, create detections, and threat hunt in your environment! Enjoy and Happy Hunting!

[1] https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

#CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting

 

Happy Friday all!

My #readoftheday is brought to you by Palo Alto Networks Unit 42! In this article, the researchers focus on a threat actor known as #BlingLibra, the group behind the #ShinyHunters ransomware, and their Tactics, Techniques, and Procedures (TTPs) and behaviors. They do a great job at breaking down each MITRE ATT&CK Tactic and provide relevant artifacts and information on how the adversary accomplished that goal.

As always, once I am completely done with it I will provide my Threat Hunting Tip of the day, so stay tuned and enjoy! Happy Hunting!

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

[–] [email protected] 1 points 6 months ago

@[email protected] Looking at the report, I have to make an assumption: since the malware is able to monitor the clipboard, maybe the user copied and pasted some admin creds, OR, since it is able to extract passwords and information from browsers, if the victim has privileged creds stored in extensions or their browser password manager, they could get them from there.

[–] [email protected] 1 points 6 months ago

For your Threat Hunting Tip of the Day:

I have covered this one many times, but I will continue to beat this horse as long as it exists. Adversaries WILL abuse the Run Registry Key for persistence; old malware will, new malware will, and even future malware will. Why? Because of the function: Execute on logon.

So, if you are hunting for this, first make sure you have visibility into that registry key, emulate the traffic if you need to. Then make sure your tools have the visibility, that means you can hunt for it. Then, you can take this Intel 471 Free Community Hunt Package and drop it in your tool to begin the hunt! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Cyborg Security #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
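An added Python example, not part of the hunt package or this post, of what the hunt looks like once you have the visibility: it takes registry SetValue records shaped like Sysmon Event ID 13 (fields EventType, TargetObject, Details, Image), keeps only writes under the Run and RunOnce keys in the HKLM and HKU hives, and flags entries whose program sits in a user-writable path or is launched through a script host. The events and their values are constructed.

```python
import re

# Autorun (ASEP) keys the post discusses, under both machine and user hives.
# Sysmon records the path as HKLM\... or HKU\<SID>\..., so match either form.
RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKU\\S-1-5-21-[\d-]+)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Where the referenced program lives matters: installers point at Program Files,
# malware usually at somewhere a standard user can write.
USER_WRITABLE_RE = re.compile(r"(?:\\AppData\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\)", re.IGNORECASE)
# A script host in the value data means the "program" is really a script.
SCRIPT_HOST_RE = re.compile(r"\b(?:wscript|cscript|powershell|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.IGNORECASE)


def triage_registry_event(evt: dict):
    """Return a finding for a SetValue record that touches a Run/RunOnce value, or
    None when the record is about some other key."""
    if evt.get("EventType") != "SetValue":
        return None
    m = RUN_KEY_RE.match(evt["TargetObject"])
    if not m:
        return None
    data = evt.get("Details", "")
    flags = []
    if USER_WRITABLE_RE.search(data):
        flags.append("user-writable path")
    if SCRIPT_HOST_RE.search(data):
        flags.append("script host")
    return {"key": m.group("key"), "value": m.group("value"), "data": data,
            "writer": evt.get("Image", ""), "flags": flags}


def hunt(events):
    """Every Run/RunOnce modification deserves a look; the flagged ones come first."""
    hits = [h for h in (triage_registry_event(e) for e in events) if h]
    return sorted(hits, key=lambda h: -len(h["flags"]))


# Constructed sample events (shape modelled on Sysmon Event ID 13; values invented).
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventType": "SetValue", "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svc",
     "Details": r'wscript.exe "C:\ProgramData\svc.vbs"'},
]
```

The writer (Image) is kept in each finding because a Run value set by a vendor installer and the same value set by something in a Downloads folder tell very different stories.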

 

Good day everyone!

Check Point Software researchers provide us a detailed report on a newly discovered malware, the #StyxStealer! It is capable of "stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency" and contains defense evasion techniques. While the malware may be new, one technique that stood out isn't! The use of the Windows Run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run) is not.

This registry key is abused because of the function it carries with it: you can reference an executable or script or whatever you want in the registry details and it will execute once a user logs in. This removes the need for the adversary to have to social engineer or compromise a host over and over again.

Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day!

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

 

Happy Wednesday!

Taking time to read another great article from Cisco Talos, this time focused on North Korean actors that are using the MoonPeak malware, which is a new remote access trojan (RAT) that appears to be under development. This report covers a LOT of information surrounding the Command and Control (C2) traffic and infrastructure.

Looking at the report, there are a lot of ways you can handle hunting for this threat but the best approach I would take is an unstructured hunt first. The report mentions ports being used that are non-standard (with some standard ones as well). Without directly hunting for Port 8936, or 9936, you can start to see what is normal in your environment. What ports appear the most in the data and can be tied to a legitimate process? Exclude those and start seeing what else you can find. Work through this "rinse-and-repeat" method to reduce the noise by removing the "normal" and then see what is left! It should be abnormal or just strange business processes! Enjoy and Happy Hunting!

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #HappyHunting #readoftheday
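The "rinse-and-repeat" port hunt from this post, and the MSBuild.exe over port 6000 example from the PEAKLIGHT tip, as an added Python example (not code from Talos, Mandiant or Intel 471): stack (process, destination port) pairs by count, let an analyst-supplied rule promote the common, legitimate ties into a baseline, and look at whatever is left. The connection records and the business_as_usual rule are constructed stand-ins for your own data and your own knowledge of the environment.

```python
from collections import Counter

# Constructed connection records (image name, destination port) of the kind a
# Sysmon network event or an EDR export yields; counts and values are invented.
SAMPLE_CONNECTIONS = (
    [("chrome.exe", 443)] * 40
    + [("outlook.exe", 443)] * 25
    + [("svchost.exe", 53)] * 30
    + [("svchost.exe", 80)] * 10
    + [("OneDrive.exe", 443)] * 8
    + [("MSBuild.exe", 6000)] * 3
    + [("svchost.exe", 8936)] * 2
)


def port_class(port: int) -> str:
    """IANA range of a port; the non-standard traffic in these reports sits above 1023."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def stack(connections, baseline=frozenset()):
    """Count (image, port) pairs, drop pairs already accepted as normal, and return the
    rest rarest first: the least frequent pairs are where the hunt starts."""
    counts = Counter(connections)
    rows = [
        (image, port, n, port_class(port))
        for (image, port), n in counts.items()
        if (image, port) not in baseline
    ]
    return sorted(rows, key=lambda r: (r[2], r[0], r[1]))


def rinse_and_repeat(connections, accept):
    """Walk the stack from most to least common, let `accept` (the analyst's judgement
    that a process/port tie is legitimate) promote pairs into the baseline, and return
    (baseline, residue). The residue is what still needs explaining."""
    baseline = set()
    for image, port, _, _ in reversed(stack(connections)):
        if accept(image, port):
            baseline.add((image, port))
    return baseline, stack(connections, baseline)


def business_as_usual(image: str, port: int) -> bool:
    """Constructed stand-in for 'tied to a legitimate process' in this environment."""
    return image.lower() in {"chrome.exe", "outlook.exe", "svchost.exe", "onedrive.exe"} and port in {53, 80, 443}
```

Each pass through the data with a richer accept rule shrinks the residue; what survives several passes is either the strange business process the post mentions or the thing you were hunting for.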
