The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with social engineering. The goal? Stealing Google and subscription credentials of a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?
Germany's domestic intelligence apparatus (BfV), South Korea's National Intelligence Service (NIS) and the U.S. National Security Agency (NSA) warn about cyber attacks mounted by a threat actor tracked as Kimsuky, using #socialengineering and #malware to target think tanks, academia, and news media sectors.
"Kimsuky has been observed leveraging open source information ( #OSINT ) to identify potential targets of interest and subsequently craft their online personas to appear more legitimate by creating email addresses that resemble email addresses of real individuals they seek to impersonate.
The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.
#Kimsuky actors tailor their themes to their target's interests and will update their content to reflect current events discussed among the community of North Korea watchers.
Besides using multiple personas to communicate with a target, the electronic missives come bearing password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive."
A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel
Happy Tuesday everyone! #APT37 is the topic of today's #readoftheday, specifically ThreatMon takes a deep-dive into the #RokRat malware, which is a remote access trojan (RAT). Enjoy and Happy Hunting!
Link to article in the comments!
As usual, I am going to leave one of the MITRE ATT&CK TTPs blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!
Notable MITRE ATT&CK TTPs:
TA0007 - Discovery
T1087 - Account Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
TA0009 - Collection
T[What technique covers the threat actor capturing information under the TEMP folder?] - Good luck!
TA0011 - Command And Control
T1071.001 - Application Layer Protocol: Web Protocols
TA0002 - Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
We at CrowdStrike are looking for a colleague to help me study threats to the cloud! We are a remote-first company, have a great data set, and I need some help to handle this influx of cloud cases. You would work as my direct counterpart in the Global Threat Analysis Cell, which is focused on finding trends and clustering activities to adversaries with the intent of producing threat intelligence. The next SPIDER/…/PANDA/BEAR could carry a name that you chose:
Last night my co-authors and I turned in the final chapter's first draft for our book, Practical Detection Engineering: A hands-on guide to planning, developing, and validating threat detections. Still got a few rounds of technical reviews and copy edits but definitely a big milestone for us.
When performing competitor analysis we found that despite the numerous amazing blog posts from industry experts, there wasn't a complete book focused solely on detection engineering, so hopefully we can fill that gap for the field! The book is scheduled to release in early August and is available for pre-order on Amazon now: https://www.amazon.com/Practical-Detection-Engineering-Confidently-detections/dp/1801076715
If you have a Packt subscription, it'll be in the eBook library too.
Thanks in advance for anyone who decides to invest in our work and check it out!
Researchers have developed DarkBERT, a language model pretrained on dark web data, to help cybersecurity pros extract cyber threat intelligence (CTI) from the Internet’s virtual underbelly.
Lost my toot on it from last month, but I recommend you patch any #Zyxel Zywall devices for CVE-2023-28771 - it's super exploitable, pre-auth and internet-facing by design. #CVE202328771 #vulnerabilities
From what I've seen about the new wave of DM spam:
Another cryptocurrency-based advance fee fraud; the threat actor appears to be Chinese this time (terms are used on the site that are typically used on Chinese sites, like "VIP" levels for paid membership).
This time you're given creds to an account with lots of assets; you can't "withdraw" without a password you don't have, and you can "transfer out" but only to another paid account.
I reported it to Google Safe Browsing and to the MS equivalent.
I’ve independently confirmed #BlackBasta hit #ABB. They’re not on the portal, even unindexed, so may be paying. It’s a standard Black Basta playbook attack - all the usual TTPs. Exfil, too. #threatintel
Really good blog by @recon_infosec on a new* ransomware group, with some interesting new detection opportunities - for example, they use Cloudflare for remote access rather than CobaltStrike - zero EDR and AV coverage. #threatintel
Pretty much certain some of the things in this will become common.
Does anyone know of good accounts or instances to follow that report the latest cyber security threats and vulnerabilities taking place around the world? Used to have some good hashtags to follow on Twitter, but now I’m trying to replicate the same feed on Mastodon.