Vittoria, to Russia
@Vittoria@mastodon.social

#Russia is waging a disinformation campaign aimed at tarnishing the reputation of the #IOC and stoking fears of violence at this summer's #Paris Games, according to a new report from Microsoft's Threat Analysis Center. The influence operations use a mix of fake videos, fictitious news stories, and AI-generated impersonations, including the faked voice of Hollywood star Tom Cruise. FRANCE24's Kethevane Gorjestani tells us more.
#France #Ukraine

https://www.youtube.com/watch?v=WFe4qtVVZew

dubbel, to python
@dubbel@mstdn.io

Reported 15 malicious #PyPI packages: asyncioo, asyyncio, asyincio, aasyncio, etc...

On install they decrypt Fernet encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).

I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).

Anyone else able to access it?

#IOC #threatIntel #python
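The post above describes the two tells of this campaign: lookalike names for a stdlib module, and a setup step that decrypts (Fernet) and executes code at install time. The following triage script is an added example, not code from the poster or from the reported packages; it uses a constructed setup.py (the key and ciphertext in it are placeholders, not the real ones) and a constructed list of target names, and it inspects the sdist text statically rather than installing anything. It generalizes the post's case to any lookalike name within a small edit distance, including transpositions.

```python
import re

# Constructed list of names a typosquatter might imitate. A real check would combine
# sys.stdlib_module_names with the organization's own dependency list.
LOOKALIKE_TARGETS = ["asyncio", "typing", "json", "socket", "hashlib", "sqlite3", "requests"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(name, targets=LOOKALIKE_TARGETS, max_distance=2):
    """Targets the package name is a near miss of (distance 0 means it IS the target)."""
    name = name.lower()
    hits = [(t, osa_distance(name, t.lower())) for t in targets]
    return sorted([(t, d) for t, d in hits if 0 < d <= max_distance], key=lambda h: h[1])


# Static indicators of an install-time hook that decodes and runs hidden code.
INSTALL_HOOK_INDICATORS = {
    "custom install command": re.compile(r"class\s+\w+\s*\(\s*(?:install|develop|build_py|egg_info)\s*\)"),
    "cmdclass override": re.compile(r"cmdclass\s*="),
    "fernet": re.compile(r"\bFernet\b"),
    "dynamic exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "base64 decode": re.compile(r"b64decode\s*\("),
    "network fetch": re.compile(r"\b(?:urlopen|requests\.get|urlretrieve)\s*\("),
}


def suspicious_install_hooks(setup_py: str):
    return [name for name, rx in INSTALL_HOOK_INDICATORS.items() if rx.search(setup_py)]


def triage(package_name: str, setup_py: str) -> dict:
    lookalikes = typosquat_candidates(package_name)
    indicators = suspicious_install_hooks(setup_py)
    # A custom install command alone is common in legitimate packages; the red flag is a
    # lookalike name combined with decoded/decrypted code executed during install.
    suspicious = bool(lookalikes) and "dynamic exec" in indicators and (
        "fernet" in indicators or "base64 decode" in indicators
    )
    return {
        "package": package_name,
        "lookalike_of": lookalikes,
        "indicators": indicators,
        "verdict": "suspicious" if suspicious else "review",
    }


# Constructed setup.py modelled on the behaviour described in the post. The key and
# ciphertext are placeholders, not material from any real package.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
from cryptography.fernet import Fernet
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        key = b"<constructed-placeholder-key>"
        blob = base64.b64decode(b"<constructed-placeholder-token>")
        exec(Fernet(key).decrypt(blob))

setup(name="asyncioo", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    print(triage("asyncioo", SAMPLE_SETUP_PY))
```

Run it against an extracted sdist (`tar xzf pkg.tar.gz; python triage.py`) before ever running `pip install` on an unfamiliar name; the decryption step in the post is exactly what a static pass like this lets you avoid executing.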

Russia accuses Olympic Committee of ‘racism and neo-Nazism’ over opening ceremony decision (kyivindependent.com)

The Kremlin has accused the International Olympic Committee (IOC) of “racism and neo-Nazism” over its decision to bar athletes from Russia and Belarus from participating in the opening ceremony of the Paris Olympics this summer.

simontsui, to macos

Bitdefender identified a macOS backdoor written in Rust that has a possible link to the ALPHV/BlackCat ransomware group. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model." IOC provided.
🔗 https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/

simontsui, to Facebook

Trustwave discovered Ov3r_Stealer, an infostealer distributed using Facebook advertising and phishing emails. Their report provides an in-depth dive into Ov3r_Stealer, exposing what the Threat Hunt team learned about the threat actors, their techniques, tactics, and procedures and how the malware functions. Observed IOC listed.

🔗 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-spiderlabs-uncovers-ov3r_stealer-malware-spread-via-phishing-and-facebook-advertising/

#Ov3r_Stealer #cybercrime #facebook #threatintel #IOC #Trustwave

simontsui, to random

Rapid7 found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware. Rapid7 provided a technical analysis of a BlackHunt sample, describing functionalities and MITRE ATT&CK techniques. IOC provided.
🔗 https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/

#BlackHunt #ransomware #Rapid7 #LockBit #REvil #cybercrime #threatintel #IOC

simontsui, to Cybersecurity

Fortinet reports on a Python infostealer that is distributed using a malicious Excel document. They attributed the campaign to Vietnam-based threat actors. Fortinet describes the initial infection vector, attack stages and the stealer. They also provide IOC.
🔗 https://www.fortinet.com/blog/threat-research/python-info-stealer-malicious-excel-document

simontsui, to random

Akamai provided details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability CVE-2021-44228 (10.0 critical). The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible. The malware now also includes a module to exploit CVE-2021-4034, a privilege escalation in the polkit Linux component. This module enables the malware to run as root on vulnerable servers. IOC provided.
🔗 https://www.akamai.com/blog/security-research/2024/feb/fritzfrog-botnet-new-capabilities-log4shell

#FritzFrog #botnet #IOC #Log4Shell #CVE_2021_44228 #CVE_2021_4034 #threatintel

simontsui, to Mexico

Unit 42 reports on a new variant of Mispadu Stealer, an infostealer targeting specific regions and URLs associated with Mexico. The infostealer was discovered while hunting for the SmartScreen CVE-2023-36025 security feature bypass vulnerability. They provided a sample analysis, and IOC.
🔗 https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/

#Mispadu #threatintel #IOC #CVE_2023_36025 #SmartScreen #infostealer #Mexico #Unit42

simontsui, to random

Cloudflare blog on Thanksgiving 2023 security incident:

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."

The attack started in October with the compromise of Okta, but the threat actor only began targeting our systems using those credentials from the Okta compromise in mid-November.
🔗 https://blog.cloudflare.com/thanksgiving-2023-security-incident

simontsui, to random

Sekoia reports on DiceLoader (aka Icebot), a malware used by cybercriminal group FIN7 since 2021. They detail how DiceLoader is dropped by a PowerShell script along with other malware of the intrusion set’s arsenal such as Carbanak RAT. A technical analysis of DiceLoader describes its features and C2 communication and infrastructure. "Surprisingly the analysed sample does not have any technique for anti-analysis" as well as lacking sandbox detection. IOC and Yara rules provided.
🔗 https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/

#DiceLoader #Icebot #FIN7 #IOC #threatintel #malware

simontsui, to Ukraine

Ukraine's CERT-UA provides IOC and technical instructions for removing DIRTYMOE malware, which has worm-like capabilities and creates a DDoS botnet. The DIRTYMOE/Purple Fox infection of 2000+ affected computers and activity is tracked by the identifier UAC-0027.
🔗 https://cert.gov.ua/article/6277422

#Ukraine #CERTUA #UAC0027 #cyberespionage #DIRTYMOE #PurpleFox #malware #IOC #threatintel

hanse_mina, to Ukraine

The Russian Olympic team has been officially stripped of its gold medal in the team figure skating event at the 2022 Winter Olympic Games, following the four-year suspension of team member Kamila #Valieva for doping.

https://www.pravda.com.ua/eng/news/2024/01/30/7439502/

#Ukraine #Russia #IOC #Olympics #China

simontsui, to random

Mandiant reported on UNC4990, an actor who heavily uses USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain. Our research shows this campaign has been ongoing since at least 2020. IOC provided.
🔗 https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware
See related Ars Technica article: https://arstechnica.com/security/2024/01/ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation/

#UNC4990 #cybercrime #ArsTechnica #IOC #threatintel

simontsui, to Cybersecurity

Fortinet reports on the FAUST variant of Phobos ransomware, providing insights into the process of downloading the payload file from an MS Excel document embedded with VBA script. Their analysis uncovered a threat actor employing a fileless attack to deploy shellcode, injecting the final FAUST payload into the victim's system. The FAUST variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution. IOC provided.
🔗 https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust

#Fortinet #FAUST #Phobos #ransomware #IOC #threatintel #cybersecurity

simontsui, to random

Trend Micro: Kasseika ransomware abuses the Martini driver in “bring-your-own-vulnerable-driver” (BYOVD) attacks, to terminate antivirus processes and services for the deployment of ransomware. Trend Micro assesses that an actor in Kasseika acquired or bought access to BlackMatter ransomware’s source code. They provided IOC.
🔗 https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html

#Kasseika #BYOVD #ransomware #BlackMatter #DarkSide #cybercrime #IOC #threatIntel #trendmicro

simontsui, to Cybersecurity

Unit 42: BianLian group is one of the most active and prevalent extortion groups (top 10 most active). Maintaining their TTPs of infiltrating corporate networks, the BianLian group has shown adaptiveness to the ransomware market demands. They have shifted from double-extortion into being focused solely on extortion efforts, pressuring their victims into paying the ransom without encrypting their files. A possible connection to the Makop ransomware group was also found, due to their mutual use of a custom tool. IOC provided.
🔗 https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

#Unit42 #BianLian #Ransomware #ThreatIntel #IOC #Makop #doubleextortion #cybercrime #cybersecurity

hanse_mina, to Ukraine

Statement from Marta Kostyuk, a pro tennis player from Ukraine.

https://nitter.net/marta_kostyuk/status/1749010889863496030

#Ukraine #Russia #IOC #Olympics

simontsui, to random

Ron Bowes @iagox86 at @greynoise describes payloads leveraging the Ivanti Connect Secure vulnerabilities #CVE202346805 and #CVE202421887 to install cryptominers. IOC provided.
🔗 https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers

#threatintel #Ivanti #ConnectSecure #zeroday #vulnerability #eitw #IOC #KEV

simontsui, to random

Proofpoint reported that the financially motivated threat actor TA866 continued an email campaign containing PDFs with malicious OneDrive links. This would launch a multi-step infection chain delivering WasabiSeed and Screenshotter payloads. IOC included.
🔗 https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign

#TA866 #IOC #threatintel #OneDrive #WasabiSeed #Screenshotter

simontsui, to microsoft

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
🔗 https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

aliide, to Ukraine

On forthcoming film Athletes of War and the IOC decision to let complicit Russian athletes compete in Paris this year.

“Our conditions are different from those of the Russian athletes. We have missiles flying over our heads,” says wrestler and Olympic medalist Iryna Koliadenko. “We may not wake up.”

https://cepa.org/article/ukraines-dead-athletes-haunt-2024-olympics/

simontsui, to random

CISA and FBI released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.
🔗 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

#CISA #FBI #securityadvisory #Androxgh0st #IOC #TTP #threatintel

SI_FalconTeam, to infosec German

#100DaysofYARA

Today: Hunting for a code signing certificate issued to "D2innovation Co.,LTD"

Malicious use of this certificate has been attributed to #Kimsuky #APT by @asdasd13asbz (https://twitter.com/asdasd13asbz/status/1744279858778456325)

We currently can't confirm whether this is a stolen certificate, an impersonation or a shell/front corporation. The website for "d2innovation[.]jp" has been inactive/HTTP403 since early 2023 according to the Internet Archive.

So far we have found five samples signed with this certificate. The earliest compilation timestamps go back to the 13th of December 2023. One sample has a header timestamp set to 0 (1970-01-01). Using a cutoff date in the rule might limit hunting results.

Some samples are already available on @abuse_ch Malware Bazaar. We'll share the missing ones in a minute.

#IOC
27ef6917fe32685fdf9b755eb8e97565
88f183304b99c897aacfa321d58e1840
87429e9223d45e0359cd1c41c0301836
7b6d02a459fdaa4caa1a5bf741c4bd42
7457dc037c4a5f3713d9243a0dfb1a2c

Samples can be found here: https://bazaar.abuse.ch/browse.php?search=serial_number:8890cab1cd510cd20dab4ce5948cbc3a

#infosec #cybersecurity
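The post above warns that one sample carries a PE header timestamp of 0 (1970-01-01), so a hunting rule with a compile-time cutoff would drop it. The script below is an added example, not code from SI_FalconTeam or any of the listed samples; it reads the COFF `TimeDateStamp` from constructed stub PE headers (not real executables, and not the hashes listed above) and shows the difference between a strict cutoff and one that keeps zeroed timestamps for manual review. It does not parse the Authenticode certificate; matching on the certificate serial is a separate check.

```python
import datetime
import struct
from typing import Dict, List


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ + PE/COFF header stub with the given TimeDateStamp."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x0022)
    return dos + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """COFF TimeDateStamp: seconds since the Unix epoch, or 0 when the linker zeroed it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def ts_to_iso(ts: int) -> str:
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime("%Y-%m-%d")


def passes_cutoff(ts: int, cutoff: int, allow_zero: bool = True) -> bool:
    """Strict mode mirrors a YARA rule with a pe.timestamp cutoff; lenient mode keeps
    zeroed timestamps, which cannot be dated and would otherwise be silently dropped."""
    if ts == 0:
        return allow_zero
    return ts >= cutoff


def hunt_filter(samples: Dict[str, bytes], cutoff: int, allow_zero: bool) -> List[str]:
    return sorted(n for n, blob in samples.items()
                  if passes_cutoff(pe_timestamp(blob), cutoff, allow_zero))


def _epoch(y: int, m: int, d: int) -> int:
    return int(datetime.datetime(y, m, d, tzinfo=datetime.timezone.utc).timestamp())


# Constructed corpus: one sample in the hunting window, one with a zeroed header
# timestamp, one old unrelated sample. Cutoff chosen to illustrate the post's caveat.
CUTOFF = _epoch(2023, 12, 1)
SAMPLES = {
    "dec_2023": build_stub_pe(_epoch(2023, 12, 13)),
    "zero_header_ts": build_stub_pe(0),
    "old_2019": build_stub_pe(_epoch(2019, 6, 1)),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, pe_timestamp(blob), ts_to_iso(pe_timestamp(blob)))
    print("strict cutoff :", hunt_filter(SAMPLES, CUTOFF, allow_zero=False))
    print("lenient cutoff:", hunt_filter(SAMPLES, CUTOFF, allow_zero=True))
```

The lenient branch is the one to keep in a hunt rule: a zeroed or clearly forged timestamp is itself worth a look, and the post's cert-based condition already narrows the set enough that the date filter is only a secondary cut.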

byakushin, to iPhone Finnish

VERY elaborate #iPhone #exploit reported by #Kaspersky security researchers, who apparently were, as a bonus, targeted by it. Video includes indicators of compromise. This must have been an expensive operation to burn.
https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers
#ccc #security #ioc
