#ThreatIntel
Varonis Introduces Athena AI to Transform Data Security and Incident Response - https://www.redpacketsecurity.com/varonis-introduces-athena-ai-to-transform-data-security-and-incident-response/
"Sierra:21" vulnerabilities impact critical infrastructure routers - https://www.redpacketsecurity.com/sierra-vulnerabilities-impact-critical-infrastructure-routers/
Atlassian patches critical RCE flaws across multiple products - https://www.redpacketsecurity.com/atlassian-patches-critical-rce-flaws-across-multiple-products/
Navy contractor Austal USA confirms cyberattack after data leak - https://www.redpacketsecurity.com/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/
US senator: Govts spy on Apple, Google users via mobile notifications - https://www.redpacketsecurity.com/us-senator-govts-spy-on-apple-google-users-via-mobile-notifications/
New SLAM attack steals sensitive data from AMD, future Intel CPUs - https://www.redpacketsecurity.com/new-slam-attack-steals-sensitive-data-from-amd-future-intel-cpus/
Nissan is investigating cyberattack and potential data breach - https://www.redpacketsecurity.com/nissan-is-investigating-cyberattack-and-potential-data-breach/
LockBit Remains Top Global Ransomware Threat - https://www.redpacketsecurity.com/lockbit-remains-top-global-ransomware-threat/
#threatintel #LockBit_ransomware #Digital_extortion #Ransomware-as-a-service
Russian APT28 Exploits Outlook Bug to Access Exchange - https://www.redpacketsecurity.com/russian-apt-exploits-outlook-bug-to-access-exchange/
#threatintel #APT28 #Outlook_vulnerability #Email_server_exploit
78% of CISOs Concerned About AppSec Manageability - https://www.redpacketsecurity.com/of-cisos-concerned-about-appsec-manageability/
#threatintel #Application_Security #Software_Supply_Chain #CISOs
Sellafield Accused of Covering Up Major Cyber Breaches - https://www.redpacketsecurity.com/sellafield-accused-of-covering-up-major-cyber-breaches/
#threatintel #Cybersecurity_Breach #Nuclear_Site #Hacker_Attacks
Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics - https://www.redpacketsecurity.com/disney-cyber-scheme-exposes-new-impersonation-attack-tactics/
#threatintel #Brand_impersonation #Cyber-attacks #Email_security
US Federal Agencies Miss Deadline for Incident Response Requirements - https://www.redpacketsecurity.com/us-federal-agencies-miss-deadline-for-incident-response-requirements/
#threatintel #Cybersecurity_Compliance #Federal_Agencies #Incident_Response
UK FCA Warns of Christmas Loan Fee Fraud Surge - https://www.redpacketsecurity.com/uk-fca-warns-of-christmas-loan-fee-fraud-surge/
#threatintel #Loan_fee_fraud #Financial_scams #Christmas_spending
Porn Age Checks Threaten Security and Privacy, Report Warns - https://www.redpacketsecurity.com/porn-age-checks-threaten-security-and-privacy-report-warns/
#threatintel #Age_verification #Online_Safety_Act_ #Privacy_risks
Police Arrest 1000 Suspected Money Mules - https://www.redpacketsecurity.com/police-arrest-suspected-money-mules/
#threatintel #Money_Laundering_Economy #Money_Mule_Recruitment #Global_Law_Enforcement
SpyLoan Scams Target Android Users With Deceptive Apps - https://www.redpacketsecurity.com/spyloan-scams-target-android-users-with-deceptive-apps/
#threatintel #Android_loan_apps #SpyLoan_apps #Financial_app_security
Deutsche Wohnen Ruling Set to Drive Up GDPR Fines - https://www.redpacketsecurity.com/deutsche-wohnen-ruling-set-to-drive-up-gdpr-fines/
#threatintel #GDPR_fines #European_Court_of_Justice #Data_protection
Trojan-Proxy Threat Expands Across macOS, Android and Windows - https://www.redpacketsecurity.com/trojan-proxy-threat-expands-across-macos-android-and-windows/
#threatintel #Trojan-Proxy_Threat #Cracked_Applications #Malware_Installations
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-two-known-exploited-vulnerabilities-to-catalog-07-12-2023-2/
CISA: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - https://www.redpacketsecurity.com/cisa-cisa-and-partners-release-joint-advisory-on-irgc-affiliated-cyber-actors-exploiting-plcs-07-12-2023/
CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-four-known-exploited-vulnerabilities-to-catalog-07-12-2023/
CISA: CISA Releases Two Industrial Control Systems Advisories - https://www.redpacketsecurity.com/cisa-cisa-releases-two-industrial-control-systems-advisories-07-12-2023/
CISA: CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps - https://www.redpacketsecurity.com/cisa-cisa-releases-joint-guide-for-software-manufacturers-the-case-for-memory-safe-roadmaps-07-12-2023/
CISA: Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems - https://www.redpacketsecurity.com/cisa-multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems-07-12-2023/
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-two-known-exploited-vulnerabilities-to-catalog-07-12-2023/
CISA: Apple Releases Security Updates for Multiple Products - https://www.redpacketsecurity.com/cisa-apple-releases-security-updates-for-multiple-products-07-12-2023/
CISA: CISA Removes One Known Exploited Vulnerability From Catalog - https://www.redpacketsecurity.com/cisa-cisa-removes-one-known-exploited-vulnerability-from-catalog-07-12-2023/
CISA: CISA Releases Advisory on Threat Actors Exploiting CVE-2023-26360 Vulnerability in Adobe ColdFusion - https://www.redpacketsecurity.com/cisa-cisa-releases-advisory-on-threat-actors-exploiting-cve-vulnerability-in-adobe-coldfusion-07-12-2023/
PassBreaker - Command-line Password Cracking Tool Developed In Python - https://www.redpacketsecurity.com/passbreaker-command-line-password-cracking-tool-developed-in-python/
CISA: CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps - https://www.redpacketsecurity.com/cisa-cisa-releases-joint-guide-for-software-manufacturers-the-case-for-memory-safe-roadmaps-06-12-2023/
@CISAgov released an article on Physical Security Performance goals for Faith Based Communities
I applaud them for releasing this guidance. I just wish we didn't need this in America and people could be free, without worry, of fearing for their life at their respective place of worship.
Medusa Locker Ransomware Victim: ACCU Reference Medical Lab - https://www.redpacketsecurity.com/medusalocker-ransomware-victim-accu-reference-medical-lab/
Medusa Locker Ransomware Victim: Sagent - https://www.redpacketsecurity.com/medusalocker-ransomware-victim-sagent/
Medusa Locker Ransomware Victim: Campbell County Schools - https://www.redpacketsecurity.com/medusalocker-ransomware-victim-campbell-county-schools/
By me @Forbes: This Lockdown Mode trick replaces the original on a victim’s iPhone for additional stealth longevity. Advice is to update to iOS 17 which gives LM kernel protection.
Akira Ransomware Victim: Aqualectra Holdings - https://www.redpacketsecurity.com/akira-ransomware-victim-aqualectra-holdings/
#Akira, #darkweb, #databreach, #ransomware, #threatintel, #tor
Akira Ransomware Victim: Compass Group Italia - https://www.redpacketsecurity.com/akira-ransomware-victim-compass-group-italia/
#Akira, #darkweb, #databreach, #ransomware, #threatintel, #tor
CISA: CISA Removes One Known Exploited Vulnerability From Catalog - https://www.redpacketsecurity.com/cisa-cisa-removes-one-known-exploited-vulnerability-from-catalog-06-12-2023/
CISA: Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems - https://www.redpacketsecurity.com/cisa-multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems-06-12-2023/
CISA: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - https://www.redpacketsecurity.com/cisa-cisa-and-partners-release-joint-advisory-on-irgc-affiliated-cyber-actors-exploiting-plcs-06-12-2023/
CISA: CISA Releases Four Industrial Control Systems Advisories - https://www.redpacketsecurity.com/cisa-cisa-releases-four-industrial-control-systems-advisories-06-12-2023/
Time to update my TA422 (APT28, Fancy Bear) intelligence gaps.
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
#ThreatIntel
Looking for studies, reports and articles detailing the "real" threat posed by attackers leveraging typosquatting as part of the attack chain.
If you are aware of any such reports I would greatly appreciate a nudge towards where I might find them.
Trying to understand how common the problem is and the characteristics of these attacks.
CISA Releases Advisory on Threat Actors Exploiting CVE-2023-26360 Vulnerability in Adobe ColdFusion to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution.
🔗 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
Kaspersky details a malicious loader variant that targets macOS. Kaspersky assumes this is Bluenoroff, the North Korean state-sponsored APT. IOC included.
🔗 https://securelist.com/bluenoroff-new-macos-malware/111290/
Zscaler: DarkGate Malware-as-a-Service (MaaS) is employing a new attack vector that uses ZIP files containing VBS (Visual Basic Script) files for malware deployment. DarkGate has been observed using obfuscated JavaScript code injection in its attack sequence. DarkGate activity surged in late September and early October 2023. Their domains/hostnames are primarily associated with US/Netherlands and 50-60 days old. MITRE ATT&CK TTPs and IOC provided.
🔗 https://www.zscaler.com/blogs/security-research/darkgate-campaign-activity-trends
#DarkGate #MaaS #Threatintel #IOC #cybercrime #MITREAttack #TTPs
Time to test @frameworkcomputer and Insyde to see how fast they can release a BIOS upgrade for this!
https://www.darkreading.com/endpoint-security/critical-logofail-bugs-secure-boot-bypass-millions-pcs
US Health Department Urges Hospitals to Patch Critical Citrix Bleed Bug https://www.bleepingcomputer.com/news/security/us-health-dept-urges-hospitals-to-patch-critical-citrix-bleed-bug/?&web_view=true #ThreatIntel&InfoSharing
Command-and-control domain tree, 2023-11-20 to 2023-12-03 #ThreatIntel
https://abjuri5t.github.io/SarlackLab/

Does anyone actively use AlienVault OTX for Intel feeds?
I haven’t used it in years but I’m thinking of setting up a feed again.
#ThreatIntel
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - https://www.redpacketsecurity.com/over-vulnerable-microsoft-exchange-servers-exposed-to-attacks/
HTC Global Services aka HTC Inc aka Caretech, a healthcare MSP with 11k staff and access to hospitals across the US are still dealing with a ransomware group. They failed to patch for #CitrixBleed. #threatintel

Just over 60 credit unions across the US are offline due to ransomware at Ongoing Operations LLC, their cloud provider (also known as Cloudworks).
Ongoing Operations failed to patch for #CitrixBleed. #threatintel

Cyber Toufan are back wiping companies who do business with Israel.
I think they realised companies have been restoring using their dumps (they also wipe backups). #threatintel

BlackBerry reported on a new commercial cyberespionage group called AeroBlade specifically targeting the U.S. Aerospace industry. With network infrastructure and weaponization that became operational in September 2022 and an offensive phase that began July 2023, this threat actor has improved their toolset for successful data exfiltration. IOC provided.
🔗 https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
Anyone care to wager Kimsuky’s next move?
Okay, my toot about the PLC thing has an update - I see two ransomware groups now exploiting PLCs to gain internal network access to critical infrastructure. #threatintel
Happy Friday! I hope the week was kind to you!
The Cisco Talos Intelligence Group researchers discovered a new remote access trojan (#RAT) that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea".
In one of the attacks, the adversary used a shortcut file with a double extension, which is a technique adversaries use to abuse the default settings of Windows, which is to hide the extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!
New SugarGh0st RAT targets Uzbekistan government and South Korea
https://blog.talosintelligence.com/new-sugargh0st-rat/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday
Ukraine’s CERT-UA put out a threat actor profile on the financially motivated cybercriminal group it tracked since 2013 as UAC-0006. Known tools/malware used are listed, as well as the typical attack chain. They included past CERT-UA articles on UAC-0006, and attached IOC.
🔗 https://cert.gov.ua/article/6276584
Unit 42 reported a series of related attacks against the Middle East and Africa and the United States. They assess with medium confidence that this threat activity cluster aligns to nation-state related threat actors. Tools used in the attacks include a new backdoor called Agent Racoon and a new malware called Ntospy. IOC provided.
🔗 https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
I’ve seen another ransomware group exploiting Qlik Sense. Currently it is a very low number of attacks so you might want to patch. #threatintel
FjordPhantom Android malware uses virtualization to evade detection - https://www.redpacketsecurity.com/fjordphantom-android-malware-uses-virtualization-to-evade-detection/
Staples confirms cyberattack behind service outages, delivery issues - https://www.redpacketsecurity.com/staples-confirms-cyberattack-behind-service-outages-delivery-issues/
WhatsApp's new Secret Code feature hides your locked chats - https://www.redpacketsecurity.com/whatsapp-s-new-secret-code-feature-hides-your-locked-chats/
Go Ninja - 4,999,001 breached accounts - https://www.redpacketsecurity.com/go-ninja-4-999-001-breached-accounts/
#databreach #HaveIBeenPwnedLatestBreaches #HIBP #OSINT #Security #threatintel #TroyHunt
HTC Global Services hit by AlphV/BlackCat. Entry via Caretech, one of their business units. Unpatched for #CitrixBleed as of today. #threatintel

Re #CitrixBleed - I have evidence that a ransomware group and an APT had the exploit on October 23rd, two days before the AssetNote public write up went live. #threatintel
As an industry when are we going to start sharing honeypot data more openly? The honeypot explosion is insane. Every threat intel org seems to spin up their own generic honeypots that are the same as everyone else's. Of the ~13,000 f5 big-ip TMUI pages I can find exposed to the open internet - ~12,300 are easily detectable honeypots... #threatintel #cti #intel #f5 #honeypot
Happy Thursday everyone!
I can't believe #BlackHatEurope is starting on Monday! That means this is the last week to register for Cyborg Security's Threat Hunter training delivered by me! We will cover some resources that we can use for researching prior to our hunt, we will demonstrate how to extract key artifacts from an intel report and turn those artifacts into something useful, and then we will get into the data to hunt for evidence of malicious adversary behavior! It's going to be a fun time, good discussions, and a great chance to get some hands on experience hunting and pivoting through an investigation. I can't wait! Until then, Happy Hunting!
Registration ends on December 2nd, so don't miss out! Link below 👇 !
https://www.blackhat.com/eu-23/training/schedule/#beyond-iocs-how-to-effectively-threat-hunt-using-ttps-and-behaviors-virtual-32372
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
Cisco Talos: Chinese-speaking threat actor (assessed w/ low confidence) is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea with SugarGh0st RAT, assessed w/ high confidence to be a variant of Gh0st RAT. Two infection chains described, IOC provided.
🔗 https://blog.talosintelligence.com/new-sugargh0st-rat/
#SugarGh0stRAT #Gh0stRAT #cyberespionage #IOC #threatintel #Uzbekistan #SouthKorea
CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack https://www.securityweek.com/cisa-warns-of-unitronics-plc-exploitation-following-water-utility-hack/?&web_view=true #ThreatIntel&InfoSharing
Dollar Tree hit by third-party data breach impacting 2 million people - https://www.redpacketsecurity.com/dollar-tree-hit-by-third-party-data-breach-impacting-million-people/
Just checking in on all the MSMQ vulnerabilities in 2023 including #QueueJumper - from honeypots, I didn’t see a single exploitation attempt, just scanning.
There also still isn’t a proof of concept exploit that reaches remote code execution. #threatintel
Remember the Okta breach a few months ago, where they explained it only impacted 1% of customers?
Turns out it is 100% of customers. They also stole data about Okta's staff, but they apparently didn't tell themselves either.
ArcticWolf are reporting "Qlik Sense Exploited in Cactus Ransomware Campaign" https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
Thread time as there's some additional detail I want to add: 🧵
Reminder that history repeats itself and so do binaries. Finger is back!
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
http://windowsir.blogspot.com/2023/11/roll-up_28.html
#DFIR #ThreatIntel
Why have trolls been attacking me since April?
...And why have those same trolls been attacking the same victim, sci-fi author Patrick Tomlinson, for five years?
Watch 👀 or listen to my Conference Keynote:
"Psychologically-Motivated Threat Actors"
https://youtube.com/watch?v=_Ov_jBhsQZk
Slides are linked in the video description! #infosec #appsec #cybersecurity #threatintel
InfectedSlurs Botnet Resurrects Mirai With Zero-Days - https://www.redpacketsecurity.com/infectedslurs-botnet-resurrects-mirai-with-zero-days/
#threatintel #Akamai_Security_Incident_Response_Team #Mirai_botnet #Zero-day_exploits
ATT&CK Workbench is an impressive piece of software for #threatintel, the missing piece to actually make the topologies usable.
I hope a #D3FEND integration will be available in the future.
Awesome-Threat-Intel-Blogs
My RSS feed grows stronger every day.
https://github.com/signalscorps/awesome-threat-intel-blogs
#ThreatIntel #RSS #InfoSec
BlackCat ransomware group have claimed Fidelity National Financial, a Fortune500 company. HT @AlvieriD #threatintel
Bloomberg report ICBC have been able to recover treasury trading in the US as a key system runs Novell Netware, and LockBit didn’t have a payload to encrypt it. #threatintel https://www.bloomberg.com/news/articles/2023-11-22/icbc-partners-wary-to-resume-trading-with-bank-after-cyberattack
Kaspersky reports on hrserv.dll, a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Based on the compile timestamps, its origins date back to at least 2021. "the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior." Without explicitly writing it, Kaspersky suggests that the threat actor is a China-based APT. IOC included.
Link: https://securelist.com/hrserv-apt-web-shell/111119/
#IOC #cybercrime #APT #cyberthreatintelligence #threatintel #Kaspersky
Unit 42 discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with North Korea. The first campaign “Contagious Interview,” has threat actors pose as employers to lure software developers into installing malware through the interview process (attributed with moderate confidence to North Korean state-sponsored actor). The second campaign "Wagemole" has threat actors seek unauthorized employment with organizations based in the US and other parts of the world, with potential for both financial gain and espionage (attributed with high confidence to North Korean state-sponsorship). Attack chains and IOC included.
Link: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
#northkorea #APT #cyberespionage #IOC #threatintel #cyberthreatintelligence
Adlumin reports that Play ransomware (aka PlayCrypt) is now being offered as Ransomware-as-a-Service (RaaS). Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Adlumin recently identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it. IOC shared.
Links: https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/ See related The Hacker News reporting.
#PlayRansomware #PlayCrypt #ransomware #RaaS #cybercrime #IOC #threatintel
Trend Micro reports active exploitation of the Apache ActiveMQ vulnerability CVE-2023-46604 (CVSS: 10.0 critical severity, reported exploited as a zero-day since at least 10 October 2023, disclosed 26 October by Apache, Proof of Concept available, added to CISA's KEV Catalog on 02 November) to download and infect Linux systems with the Kinsing malware (also known as h2miner) and cryptocurrency miner. Trend Micro describes the Kinsing attack chain and provides IOC.
Link: https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
#CVE202346604 #ActiveMQ #Apache #Kinsing #cryptojacking #threatintel #IOC
Microsoft .NET, .NET Framework and Visual Studio privilege escalation | CVE-2023-36049 - https://www.redpacketsecurity.com/microsoft-net-net-framework-and-visual-studio-privilege-escalation-cve-2023-36049-5/
I've been wondering why Wazuh wasn't logging PowerShell script blocks or really anything pertaining to T1059. Turns out I forgot that with every agent update, I need to restart the manager as well. Hooray, we now have PowerShell monitoring.
#Wazuh #SIEM #MITRE #ThreatIntel

Check Point analyzed a USB propagating worm named “LitterDrifter” linked to Russian state-sponsored Gamaredon (aka Primitive Bear, ACTINIUM, and Shuckworm), assessed by the Security Service of Ukraine to be Russian Federal Security Service (FSB) officers. Gamaredon continues to focus on a wide variety of Ukrainian targets, but Check Point notes that LitterDrifter has spread beyond its intended targets. They provide a technical analysis of LitterDrifter, comprised of a spreading module and a C2 module. IOC provided.
Link: https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/
#LitterDrifter #Gamaredon #Russia #FSB #Cyberespionage #IOC #threatintel #worm #Shuckworm #ACTINIUM #Ukraine #UkraineRussiaWar
One week ago, @cyentiainst and Tidal Cyber published a study that provides a consensus view of the top ATT&CK techniques reported across 22 popular sources.
It's been well-received so far, but I'm sure there are many #infosec professionals out there who don't know about it yet and would benefit from it to build a more threat-informed defense. If you find this research valuable, please share it with your networks - thanks!
Download the report below (no registration required) and watch a replay of the webinar we hosted to launch it. #threatintel #threathunting #threatintelligence #threatdetection #incidentresponse
https://www.cyentia.com/multi-source-analysis-of-top-mitre-attck-techniques/
Fortinet also provided an extensive analysis of the Rhysida Ransomware Group. The Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-service (RaaS). The group has listed around 50 victims so far in 2023. In a 17 page report, Fortinet described Rhysida's TTPs, threat hunting queries, IOC and MITRE ATT&CK mapping.
Link: https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware
#CISA #Fortinet #Rhysida #Ransomware #TTPs #IOC #threatintel #cybercrime #MITREATTACK #threathunting
I’ve noticed a bunch of victims of one ransomware group all have something in common - they all run #3CX, with it internet accessible.
3CX PBX is very common in SMB space, but there’s so many coming through lately that it is raising my eyebrows. One to watch. #threatintel
CISA, FBI, and MS-ISAC release a joint cybersecurity advisory #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Link: https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware
#CISA #Rhysida #Ransomware #TTPs #IOC #threatintel #cybercrime
Avito - 2,721,835 breached accounts - https://www.redpacketsecurity.com/avito-2-721-835-breached-accounts/
#databreach #HaveIBeenPwnedLatestBreaches #HIBP #OSINT #Security #threatintel #TroyHunt
Super handy detection for #GootLoader and others: for some reason, they think it's cute to make scheduled tasks using a changed working directory and the DOS shortname of the executable. But since no human stacks books like this, and no regular scheduled task does this either, an explicit DOS shortname with a ~1 in the task execution is a fairly solid detection signal.
#ThreatIntel #GootLoader
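The detection idea in the post above, worked through as an added example (not the poster's code): flag scheduled task registrations whose command, arguments or working directory contain a DOS 8.3 short name of the NAME~1 form. The task records are constructed samples shaped like the path-bearing fields of a Windows Security event 4698 (scheduled task created); they are not real GootLoader telemetry.

```python
"""Flag scheduled tasks whose path fields use a DOS 8.3 short name (NAME~1).

The records below are constructed samples shaped like the fields of a Windows
Security event 4698 (scheduled task created); they are not real telemetry.
"""
import re
from typing import Iterable, NamedTuple

# An 8.3 short name: at most six name characters, a tilde, a numeric suffix and
# an optional three-character extension, e.g. PROGRA~1, ADMINI~1, UPDATE~1.EXE.
# Humans and Explorer write long names, so a short alias in a task is unusual.
# A tail such as "NAME~1" inside a longer word is not matched because of \b.
SHORTNAME_RE = re.compile(r"\b[A-Za-z0-9_$]{1,6}~[0-9]+(?:\.[A-Za-z0-9]{1,3})?\b")

# Fields of a task-creation event that can carry a path.
PATH_FIELDS = ("Command", "Arguments", "WorkingDirectory")


class Finding(NamedTuple):
    task_name: str
    field: str
    token: str  # the short-name fragment that matched


def find_shortname_tasks(records: Iterable[dict]) -> list[Finding]:
    """Return one Finding per short-name token found in any path-bearing field."""
    findings = []
    for rec in records:
        for field in PATH_FIELDS:
            for match in SHORTNAME_RE.finditer(rec.get(field) or ""):
                findings.append(Finding(rec["TaskName"], field, match.group(0)))
    return findings


def flagged_task_names(records: Iterable[dict]) -> set[str]:
    """Distinct task names that triggered at least one finding."""
    return {f.task_name for f in find_shortname_tasks(records)}


# Constructed sample task registrations (not real events).
SAMPLE_TASKS = [
    {   # Benign built-in task: long names only.
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "Command": r"%windir%\system32\defrag.exe",
        "Arguments": "-c -h -o -$",
        "WorkingDirectory": "",
    },
    {   # Suspicious: script host pointed at an 8.3-aliased profile path, with
        # the working directory changed to the same aliased folder.
        "TaskName": r"\Updater_12",
        "Command": r"C:\Windows\System32\wscript.exe",
        "Arguments": r'//E:jscript "C:\Users\ADMINI~1\AppData\Roaming\Sample\Sample.js"',
        "WorkingDirectory": r"C:\Users\ADMINI~1\AppData\Roaming\Sample",
    },
    {   # Suspicious: the executable itself is named by its short alias.
        "TaskName": r"\VendorUpdate",
        "Command": r"C:\PROGRA~2\Vendor\UPDATE~1.EXE",
        "Arguments": "/silent",
        "WorkingDirectory": r"C:\Program Files (x86)\Vendor",
    },
    {   # Benign: a tilde in a version tag has no numeric suffix, so no match.
        "TaskName": r"\Backup",
        "Command": r"C:\Program Files\Backup\backup.exe",
        "Arguments": "--tag 1.2~beta",
        "WorkingDirectory": r"C:\Program Files\Backup",
    },
]

if __name__ == "__main__":
    for f in find_shortname_tasks(SAMPLE_TASKS):
        print(f"{f.task_name}: {f.field} contains short name {f.token}")
```

Feed it the Command, Arguments and WorkingDirectory values parsed from your own 4698 events (or from schtasks output) and review each hit by hand, since the signal is "unusual", not "malicious".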
FBI and CISA released an update to joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware. The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.
Link: https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-releases-update-royal-ransomware-advisory
If you present Outlook Web App to the internet, make sure you are fully up to date with Microsoft Exchange Server including both the latest Cumulative Update and the latest Security Update on top.
One of my honeypot orgs has been owned using a vulnerability I’ve not seen before, post authentication to OWA. Actor went hands on keyboard, looks ransomwaresque. #threatintel
DP World cyber attack thread. It’s ransomware, entry point is Citrix Netscaler #CitrixBleed. https://www.theage.com.au/national/ports-to-remain-closed-as-afp-investigates-cybersecurity-breach-20231111-p5ej9i.html
FT and Bloomberg are reporting the Industrial and Commercial Bank of China US trading arm Citrix ransomware incident is Lockbit. #threatintel
A ransomware attack on the Industrial and Commercial Bank of China has disrupted the US Treasury market #threatintel https://www.ft.com/content/8dd2446b-c8da-4854-9edc-bf841069ccb8
Cybersecurity companies, please do not post Indicators of Compromise as an image please #IOC #threatintel
Mandiant has a new blog out on #CitrixBleed which backs up a key point from my blog https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966
The initial exploit string isn’t logged... at all.
There’s some good hunting stuff in the blog (ICA sessions) - I’d say combine it with the GetUserName thing in my blog for assurance.
The other big take away is a ton of orgs have been compromised and don’t know yet. #threatintel
Getting ready for this week's Show and Tell!
You're running a #cybersecurity show and tell at your company too, right? To help stakeholders and executives understand the real threats to our environments and kick out #FUD?
If not, here's a helpful guide to help you start your own!
Here’s the most recent #CitrixBleed exploitation data from @greynoise. 114 unique IPs spraying the internet and stealing session tokens. #threatintel
CitrixBleed in Citrix Netscaler/ADC is under mass exploitation. A ransomware group has distributed an exploit to their operators too.
#threatintel #mspaint
https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18?sk=6c6a183bfaa9f69eff86c9c25e4c2326
Gonna write this up better later. But thanks to @tbaraki, we found a fluke in Microsoft's SigninLogs table. Sometime in the last few days they made UserPrincipalName case sensitive.
So our alerts looking for breakglassadmin@CompanyName.onmicrosoft.com started failing because we were using (==) instead of (has).
Would highly recommend you check your alerting and see which operands you're using in your queries.
Interesting Citrix Netscaler bug being mass exploited in the wild for about a month.
This is the HTTP request:
GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a <repeated 24812 times>
Connection: close
It replies with system memory, which includes session tokens that you can use to gain remote access, bypassing authentication including MFA.
I think this one may have more legs than people realise. #threatintel
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Something I didn’t know - Microsoft have finally started surfacing Graph API query logs in the past month or two. Previously this wasn’t available.
Threat actors are definitely already abusing Graph API, had incidents for it as it’s a detection evasion (including in MS own security stack). The US State department might want to collect these and look for anomalous activity, you should too. I don’t know the limitations on it yet. #threatintel
https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview
The Cisco IOS XE zero day CVE-2023-20198 doing the rounds is legit - it looks like thousands of boxes were backdoored before Cisco disclosed - so even if you patch, you’re still owned.
Reconfigure your boxes with the Cisco instructions and look for unknown local accounts. #threatintel
During a recent investigation, Sophos X-Ops discovered a trojanized Windows installer for CloudChat, an instant messaging application. Looking into this supply chain attack further, we found that the official distribution server for the application had been compromised, and delivered a Windows installer modified to load an additional, malicious DLL. This DLL contained an encrypted payload that connected back to a C2 server to download and execute the next stage malware. We contacted the vendor when we found this issue, but at the time of posting haven’t received a response.
RansomedVC are apparently going after cybersecurity people today. They forgot to redact the username of the Accenture account they compromised (it’s in the Chrome tag).
BTW the Accenture compromise looks like a single user, evilginx2 MFA session token theft. #threatintel
Apparently RansomedVC couldn’t go 4 minutes without sticking their dick in something again. #threatintel
Everest ransomware group want to cut out middleman fees, asking to buy corporate access directly. #threatintel
The #Fairphone is the closest thing I found to what I am searching for, but it seems to have troubles with performance/overheating and I am pretty sure it is not as secure as a #Google #Pixel or #SamsungGalaxy.
Any #threatIntel experts or #infoSec people that can chime in with their opinion/research? Would really appreciate it!
Lyca Mobile’s announcement page for their ransomware data breach is back, HT @carlypage
They confirm data exfil including customer details, passport scans and card payment information.
I can't see the announcement on their actual website frontpage, I might be missing it though.
I think it's a wake up call for telcos.
https://www.lycamobile.co.uk/en/update
There's a zero day in Confluence being exploited in the wild, to bypass authentication. Vendor aren't calling it zero day (of course) but it is.
CVE-2023-22515 - allows you to use /setup URL to create a new admin user on existing instance.
FAQ:
https://confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html
Lyca Mobile (UK telco) offline since Saturday, ransomware. https://www.ispreview.co.uk/index.php/2023/10/lyca-mobile-uk-confirm-cyber-attack-responsible-for-disruption.html #threatintel
An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you might want to prioritise patching that. #threatintel
PSA: you will want to identify SharePoint servers at your network boundary and get them patched for CVE-2023-29357 and CVE-2023-24955.
Those are vulns from earlier this year which I expect to see in the wild exploitation by ransomware groups in coming weeks.
Also, if you think you are patched you might want to actually check. OS patching doesn’t work - your SharePoint admins need to manually patch the cluster. #threatintel
Okay, for those tracking CVE-2023-5129, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.
The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:
strings app.exe | grep "Electron/"
will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.
I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.
#CVE20235129 #InfoSec #CyberSecurity
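The same check as the post's strings/grep one-liner, as an added example that is not the poster's code: scan a binary's bytes for the Electron/X.Y.Z User-Agent fragment and compare the version numerically against the fixed release the post names (v26.2.1). SAMPLE_BINARY is a constructed stand-in for an executable; the version threshold is taken from the post and applies to the 26.x line it describes.

```python
"""Find the Electron version embedded in an app binary and compare it to the
fixed release named in the post (v26.2.1), numerically rather than as text.

SAMPLE_BINARY is a constructed stand-in for a real executable.
"""
import re
import sys
from pathlib import Path

# Fixed Electron release named in the post. Other Electron release lines carry
# their own backports, so this threshold speaks for the 26.x line only.
PATCHED = (26, 2, 1)

# The User-Agent fragment looks like "Electron/26.1.0". Scanning raw bytes
# does what `strings | grep` does without depending on the strings tool.
VERSION_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")


def extract_electron_versions(data: bytes) -> list[tuple[int, int, int]]:
    """Return every distinct Electron version found in the bytes, ascending."""
    found = {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(data)}
    return sorted(found)


def assess(data: bytes, patched: tuple[int, int, int] = PATCHED) -> str:
    """Classify the binary as 'patched', 'vulnerable' or 'unknown'.

    Integer tuples are compared, so 26.10.0 correctly ranks above 26.2.1
    (a plain string comparison would get that backwards). If several
    versions are embedded, the lowest decides, which is the conservative call.
    """
    versions = extract_electron_versions(data)
    if not versions:
        return "unknown"  # not an Electron app, or the UA string is stripped
    return "patched" if versions[0] >= patched else "vulnerable"


def assess_file(path: str) -> str:
    """Convenience wrapper for a binary on disk."""
    return assess(Path(path).read_bytes())


# Constructed stand-in for an executable: filler bytes around an embedded UA.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 64
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) ExampleApp/1.4.0 Chrome/116.0.0.0 Electron/26.1.0 Safari/537.36"
    + b"\x00" * 64
)

if __name__ == "__main__":
    # Pass a path to check a real binary; with no argument the sample is used.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_BINARY
    print(extract_electron_versions(data), assess(data))
```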