What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Blog.webp 2022-10-26 23:52:48 FormBook Malware Being Distributed as .NET (direct link) The FormBook malware that was recently detected by V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. FormBook operates by injecting into a running process memory, and the targets of injection are explorer.exe and arbitrary... Spam Malware
News.webp 2022-10-26 23:06:26 Feds accuse Ukrainian of renting out PC-raiding Raccoon malware to fiends (direct link) Separately, charges slapped on alleged operator of dark market The Real Deal. Mark Sokolovsky, 26, a Ukrainian national, is being held in the Netherlands while he awaits extradition to America on cybercrime charges, the US Justice Department said on Tuesday.… Malware
MalwarebytesLabs.webp 2022-10-26 22:30:00 Point-of-sale malware used to steal 167,000 credit cards (direct link) Categories: News. Tags: POS, malware, credit card, credit identity theft, C2, MajikPOS, Treasure Hunter. Researchers have discovered the theft of 167,000 sets of credit card details by MajikPOS and Treasure Hunter POS malware. Malware ★★
The_Hackers_News.webp 2022-10-26 21:39:00 U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service (direct link) A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation. Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what's said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S. "Individuals who deployed Raccoon Malware
The_Hackers_News.webp 2022-10-26 21:20:00 Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans (direct link) The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the Malware
ArsTechnica.webp 2022-10-26 18:38:03 Feds say Ukrainian man running malware service amassed 50M unique credentials (direct link) Wondering if your data got swept up by Raccoon? Here's how to find out. Malware
MalwarebytesLabs.webp 2022-10-26 14:00:00 Malformed signature trick can bypass Mark of the Web (direct link) Categories: News. Tags: MOTW, mark of the web, signature, malformed, malware, ransomware, bypass, SmartScreen. We take a look at reports that malware authors are using what appears to be a years-old bug to bypass Mark of the Web alerts. Malware
SecurityWeek.webp 2022-10-25 21:05:19 US Charges Ukrainian 'Raccoon Infostealer' With Cybercrimes (direct link) A Ukrainian man has been charged with computer fraud for allegedly infecting millions of computers with malware in a cybercrime operation known as "Raccoon Infostealer," the US Justice Department said Tuesday. Malware
The_Hackers_News.webp 2022-10-25 17:03:00 Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards (direct link) Two point-of-sale (PoS) malware variants have been put to use by a threat actor to steal information related to more than 167,000 credit cards from payment terminals. According to Singapore-headquartered cybersecurity company Group-IB, the stolen data dumps could net the operators as much as $3.34 million by selling them on underground forums. While a significant proportion of attacks aimed at Malware Threat
Anomali.webp 2022-10-25 16:53:00 Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022) Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. A typical intrusion starts with initial access through virtual private network (VPN) servers, gained either by exploitation or with valid credentials obtained through prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code. Analyst Comment: Network defenders should keep their organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment. 
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022) Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload. Analyst Comment: It is crucial that your company ensures that servers are Ransomware Malware Tool Vulnerability Threat Medical APT 38
bleepingcomputer.webp 2022-10-25 15:02:37 Ukrainian charged for operating Raccoon Stealer malware service (direct link) 26-year-old Ukrainian national Mark Sokolovsky has been charged for his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. [...] Malware
InfoSecurityMag.webp 2022-10-25 15:00:00 POS Malware Used to Steal Details of Over 167,000 Credit Cards (direct link) The operators could make over $3m if they decide to sell the card dumps on underground forums Malware
SecurityAffairs.webp 2022-10-25 14:59:22 Two PoS Malware used to steal data from more than 167,000 credit cards (direct link) Researchers reported that threat actors used 2 PoS malware variants to steal information about more than 167,000 credit cards. Cybersecurity firm Group-IB discovered two PoS malware families used to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals. On April 19, 2022, Group-IB researchers identified the C2 server of the POS malware called MajikPOS. […] Malware Threat
no_ico.webp 2022-10-25 14:12:28 (Déjà vu) Thousands Of Fake PoC Exploits In GitHub Repositories Deliver Malware – Expert Comments (direct link) A technical paper from the researchers at Leiden Institute of Advanced Computer Science details how researchers discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. In an inspection of 47,313 downloaded and checked repositories, fully 10.3% (4,893) were found to “have symptoms of malicious intent.” This number […] Malware
no_ico.webp 2022-10-25 13:40:13 Payment Card Attack Could Be Worth $3.3M (direct link) It has been reported that a PoS payment card attack involving a pair of malware variants was used to steal more than 167,000 payment records from 212 infected devices, mostly in the U.S. Full story: Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. – CyberScoop Malware
no_ico.webp 2022-10-25 13:28:52 Typosquat Campaign Mimics 27 Brands To Push Windows, Android Malware (direct link) It has been reported that a typosquatting campaign mimics 27 brands to push Windows and Android malware. Full story: Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com) Malware
ProofPoint.webp 2022-10-25 13:27:54 Massive Typosquatting Racket Pushes Malware at Windows, Android Users (direct link) No further details Malware
Blog.webp 2022-10-25 01:04:42 Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed (direct link) On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of this type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,... Malware
Blog.webp 2022-10-25 00:52:47 (Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) (direct link) The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader SmokeLoader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... Ransomware Malware
News.webp 2022-10-24 22:11:11 Payment terminal malware steals $3.3m worth of credit card numbers – so far (direct link) With shops leaving VNC and RDP open, quelle surprise. Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals. If sold on underground forums, the haul could net the thieves upwards of $3.3 million.… Malware
InfoSecurityMag.webp 2022-10-24 16:00:00 Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App (direct link) The Veeamp malware was used by the Monti and Yanluowang ransomware groups in these attacks Ransomware Malware ★★
itsecurityguru.webp 2022-10-24 14:45:43 Android-Clicker Malware Garners Reaches 20 Million Downloads (direct link) Earlier today, a so-called “clicker” malware designed to facilitate ad fraud was found in 16 mobile apps in the Google Play store, according to McAfee. Once notified by the security vendor, Google removed the offending apps, which are estimated to have garnered as many as 20 million downloads. Having been detected as Android/Clicker, […] Malware
The_Hackers_News.webp 2022-10-24 11:55:00 SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan (direct link) SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk. "The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection Malware APT-C-17
CS.webp 2022-10-24 11:00:00 Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. (direct link) Using two malware variants, unknown operators managed to compile stolen card data potentially worth more than $3 million, researchers said. Malware ★★
InfoSecurityMag.webp 2022-10-24 09:30:00 Clicker Malware Garners Estimated 20 Million Downloads (direct link) Google forced to remove over a dozen malicious apps Malware
SANS.webp 2022-10-24 07:12:13 C2 Communications Through outlook.com, (Mon, Oct 24th) (direct link) Most malware implements communication with its C2 server over HTTP(S). Why? Just because it works! But there are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. Malware
bleepingcomputer.webp 2022-10-23 11:15:19 Thousands of GitHub repositories deliver fake PoC exploits with malware (direct link) Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. [...] Malware
bleepingcomputer.webp 2022-10-23 10:17:34 Typosquat campaign mimics 27 brands to push Windows, Android malware (direct link) A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. [...] Malware
TroyHunt.webp 2022-10-21 22:31:58 VMware bug with 9.8 severity rating exploited to install witch's brew of malware (direct link) If you haven't patched CVE-2022-22954 yet, now would be an excellent time to do so. Malware
The_Hackers_News.webp 2022-10-21 22:17:00 Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware (direct link) The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch Malware
ESET.webp 2022-10-21 13:15:23 APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe (direct link) ESET Research spots a new version of Android malware known as FurBall that APT-C-50 is using in its wider Domestic Kitten campaign Malware
itsecurityguru.webp 2022-10-21 11:00:36 OldGremlin Ransomware Fierce Comeback Against Russian Targets (direct link) Earlier today, a ransomware group which unusually targets Russian organizations has upped its efforts this year, demanding larger ransoms from its victims and developing new malware for Linux, according to Group-IB. Yesterday, the security vendor released what it claimed was the first comprehensive report on the group known as “OldGremlin,” which was first spotted in 2020. […] Ransomware Malware
SecurityWeek.webp 2022-10-21 10:28:32 CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware (direct link) The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks. Malware Vulnerability
News.webp 2022-10-21 10:28:06 Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor (direct link) And one designed to slip ransomware and data-stealing code onto infected machines. URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.… Ransomware Malware
AlienVault.webp 2022-10-21 10:00:00 Do the recent DDoS attacks signal future web application risks? (direct link) Multiple reports in the media, including in Bloomberg US Edition, allege that Russian-associated cybercrime group Killnet is responsible for a series of distributed-denial-of-service (DDoS) attacks during the week of October 6 that took several state government and other websites offline. While most of the websites were restored within 48 hours, these volumetric attacks can leave even the most secure sites paralyzed and susceptible to further damage. AT&T Alien Labs, the threat intelligence arm of AT&T Cybersecurity, suggests politically motivated cyber strikes such as the ones that hit web sites in October are nothing new. Killnet has a long history of successfully attacking both public and private organizations and businesses. Research Killnet on the Alien Labs Open Threat Exchange (OTX), among the largest open threat intelligence sharing communities in the world. Figure 1: OTX pulse on Killnet. “We have been following Killnet for years and have seen a marked increase in activity in the last few weeks. Their attacks, however, appear to be opportunistic DDoS campaigns aimed at attracting media coverage,” says Research Director Santiago Cortes Diaz. “Their efforts seem to be coordinated with the Russian government as part of their FUD (fear, uncertainty and doubt) campaign around the geopolitical conflict.” Aside from a temporary takedown that can disrupt operations, there is also a reputational cost to DDoS attacks. Moves against government websites potentially aim to destroy faith among voters that U.S. elections are a secure and insulated process. And, though the election process is mostly separated from the Internet, consecutive attacks of this nature could also negatively impact confidence in the United States’ digital defenses. 
DDoS attacks, though typically short-lived, succeed in getting the public’s attention by causing a digital flood of traffic at websites that otherwise see a regular flow of visitors. A botnet, a group of machines infected with malware and controlled as a malicious group, generates bogus requests and junk directed at the target while hiding within a site’s usual traffic patterns. DDoS attacks are not to be underestimated. They will likely continue to proliferate as hackers acquire access to more botnets and resources allowing them to commit larger attacks — and the resources will come with the next era of computing. As organizations continue to deploy edge applications and take advantage of 5G, the threat of DDoS attacks is potentially compounded. To this point, in a survey of 1,500 global respondents for the AT&T Cybersecurity Insights Report: 5G and the Journey to the Edge, 83% believe attacks on web-based applications will present a big security challenge. Why? Because along with the improvements in speed, capacity, and latency of 5G and edge computing, there is also going to be an explosion in connected devices. For example, in the same Insights Report, the top three use cases expected to be in production within three years for edge computing include: industrial IoT or OT, enterprise IoT, and industry-oriented consumer IoT functions — all of which are driven by applications that can be connected to the internet. This increase in devices and network quality as well as explosion in appli Malware Threat
globalsecuritymag.webp 2022-10-21 09:32:50 ESET discovers a new version of spyware targeting Iranian citizens, Furball, hidden in a translation app (direct link) ESET discovers a new version of spyware targeting Iranian citizens, Furball, hidden in a translation app • ESET researchers recently identified a new version of the FurBall Android malware used in a "Domestic Kitten" campaign. • This campaign dates back to at least 2016 and is still active. • It mainly targets Iranian citizens. • We discovered a new obfuscated sample of Furball for Android • This sample is distributed from a fake website • The analysed sample has restricted spying functionality in an attempt to evade detection - Malware Malware
SecurityAffairs.webp 2022-10-21 07:50:12 New URSNIF variant doesn't support banking features (direct link) A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif's original purpose: the malware initially used in banking fraud is now used to deliver next-stage payloads and steal sensitive data. The new variant, first observed […] Malware
Blog.webp 2022-10-21 03:56:17 GuLoader Malware Disguised as a Word File Being Distributed in Korea (direct link) The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed for some time, downloading various malware. The phishing mail being distributed is as follows, and has an HTML file attached. When the user opens the attached HTML file, a compressed file is downloaded from the URL below. The compressed file contains an IMG file, and the GuLoader malware is inside this IMG file. GuLoader... Malware
Blog.webp 2022-10-21 02:30:43 Attackers Abusing Various Remote Control Tools (direct link) Overview: Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading it to websites. The malware that is installed includes infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS bots which are used in DDoS attacks. In addition to these, backdoors and RATs are also major malware types used by attackers. Backdoor malware is installed... Ransomware Malware
SANS.webp 2022-10-21 00:03:49 sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) (direct link) Introduction Malware
Fortinet.webp 2022-10-20 20:23:00 Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability (direct link) In April, VMware patched CVE-2022-22954, a server-side template injection vulnerability. Read our blog to learn in more detail how malware is attempting to leverage the vulnerability and how it behaves after exploitation. Malware Vulnerability
The_Hackers_News.webp 2022-10-20 17:03:00 Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens (direct link) The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said Malware Threat
bleepingcomputer.webp 2022-10-20 16:00:37 Ursnif malware switches from bank account theft to initial access (direct link) A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality. [...] Malware
RedCanary.webp 2022-10-20 15:44:24 Intelligence Insights: October 2022 (direct link) AdSearch ghosts, Qbot returns with new tricks, and PureCrypter loads malware treats. All this and more in this month's Intelligence Insights. Malware ★★★
The_Hackers_News.webp 2022-10-20 14:34:00 These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times (direct link) As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, Malware
The_Hackers_News.webp 2022-10-20 14:09:00 New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft (direct link) The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Ransomware Malware Threat
Anomali.webp 2022-10-20 13:36:00 Threat Hunting: Eight Tactics to Accelerating Threat Hunting (direct link) One of the more significant headaches in cyber security is the overuse of buzzwords and acronyms and the overlapping mutations of what they mean. Cyber threat hunting has become one of those phrases, but it has gained clarity over the last few years as organizations strived to become more proactive. So what is threat hunting? Depending on who you ask, you may get somewhat different answers to the same question. Cyber threat hunting is a proactive approach to detecting suspicious activity from known or unknown, remediated, or unaddressed cyber threats within an organization’s networks. It involves finding malware such as viruses, Trojans, adware, spyware, ransomware, worms, bots, and botnets. The goal is for security analysts to find these threats before they cause damage to systems and data. It’s similar to how fire departments respond to fires; they go into buildings to ensure there are no additional problems before calling the firefighters. There is a vast collection of tools, skill sets, approaches, and processes to help identify advanced threats that could happen within the network. What is an effective hunting process for one organization may be a waste of time for another, depending on each company’s understanding of what threats they might face. Man-hours spent hunting are typically most beneficial for large organizations targeted by the cybercriminal community regularly, but that’s not to say that regular hunts for small/medium-sized enterprises can’t benefit from and identify threats by doing the same. Structured Threat Hunting The structured hunt is based on indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). IOCs provide information about potential adversaries, such as IP addresses, domain names, operating system versions, etc. TTPs describe how attackers operate and what tools they use. 
Combining IOCs and TTPs makes it possible to build a picture of the adversary. This approach allows us to detect threats earlier and prevent attacks. In addition, we can quickly identify the threat actors because each activity is described in detail. Unstructured Threat Hunting The concept of unstructured hunting is relatively new. It wasn’t until 2013 that we began seeing the emergence of unstructured hunters. Unstructured hunting is a method of finding malicious software (malware), such as viruses, Trojans, worms, etc., without knowing exactly what type of malware you are looking for. Instead, the hunter relies on behavioral analysis to find these threats. In short, unstructured hunting is investigative work where a cyber threat hunter observes behavior and looks for anomalies. For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further. If he finds something suspicious, he could take action immediately or wait a few days to see if the same email addresses start sending again. Traditional Threat Hunting The traditional definition of threat hunting can be defined as a focused and intensive human/machine-assisted process aimed to identify the possibility of something malicious happening within the network or likely about to happen; this is based on abnormal network behavior, artifacts, or identification via active threat research. A good example of this would be: A large bank has team members whose part of their job is to consume threat reports related to activity targeting their vertical and other companies that match their Enterprise profile. A new threat report is published from an intel provider describing a new variant of malware that has been catastrophic at similar organizations. 
This report would ideally contain information around the process tree, registry key, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell executio Spam Malware Tool Vulnerability Threat
bleepingcomputer.webp 2022-10-20 11:03:41 OldGremlin hackers use Linux ransomware to attack Russian orgs (direct link) OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines. [...] Ransomware Malware
Checkpoint.webp 2022-10-20 09:58:54 Check Point Research analyzes the newly emerged Black Basta Ransomware, alerts organizations to adopt prevention best practices (direct link) Highlights: Check Point Research (CPR) puts a special spotlight on how the Black Basta gang delivers malware to its victims and provides best practices to lower the risk of being victimized. CPR details the evasion and anti-analysis techniques of this ransomware, which were found to prevent security protections from detecting this malware. Check Point Research provides links… Malware
ESET.webp 2022-10-20 09:30:02 Domestic Kitten campaign spying on Iranian citizens with new FurBall malware (direct link) APT-C-50's Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app Malware
Last update at: 2024-07-02 13:08:49