The Cisco Talos Intelligence Group researchers discovered a new remote access trojan (#RAT) that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea".
In one of the attacks, the adversary used a shortcut file with a double extension, a technique adversaries use to abuse the default Windows setting that hides file extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!
I can't believe #BlackHatEurope is starting on Monday! That means this is the last week to register for Cyborg Security's Threat Hunter training delivered by me! We will cover some resources that we can use for researching prior to our hunt, we will demonstrate how to extract key artifacts from an intel report and turn those artifacts into something useful, and then we will get into the data to hunt for evidence of malicious adversary behavior! It's going to be a fun time, good discussions, and a great chance to get some hands-on experience hunting and pivoting through an investigation. I can't wait! Until then, Happy Hunting!
A list of Google Workspace default settings, and how they should be set for improved security.
BTW - the worst Google Workspace default setting is in Google Groups, and if you use Google Workspace - I'd be pretty sure it's impacting you right now.
Drown out the sounds of your family discussing politics and other crap this Thanksgiving with the relative calm of real life information security stories!
The InfoSec Diaries on Audiobook, perfect for pretending like you’re on an urgent work call so you can’t talk to uncle Phil about computers:
Fake job scams are through the roof at the moment, for obvious reasons.
Not only do they suck because they are generally a terrible way to scam people who are having an especially hard time, but they also place employees of the impersonated companies at risk.
The Blue Team Diaries story, Recruit, is a tale about the impact of such a scam, based on real world events of course. You can find it on Kindle (Unlimited members download for free) and Audible. It's also part of the Blue Team Diaries paperback, which you can find at most places books are sold.
As planned (but a little later than I would have wanted) comes Part 2 of my posts related to the Palo Alto Networks Unit 42 article on #AgonizingSerpens. In my first installment, I covered the TTPs and behaviors of the APT that were presented by the team, and in this post I am going to cover the TTPs and behaviors observed from the first wiper they discussed, the #MultiLayerWiper. Enjoy and Happy Hunting!
Google Workspace comes with a bunch of great security features, but not all of them are enabled by default.
So - this guide lists several of the default security-related settings in Google Workspace, and how I recommend adjusting them to provide a decent starting point.
The NCC Group has created a series that I look forward to finishing, titled "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families". The first installment covers the #BlackCat #ransomware (a.k.a. #ALPHV) and an incident they observed in which it was involved, which included new services and new accounts being created, and data being staged and believed to be exfiltrated. If you like technical reports like I do, this is one you don't want to miss! Enjoy and Happy Hunting!
📢 Excited for #BlackHatEurope? Don't miss my in-depth training session "Beyond IOCs: How to Effectively Threat Hunt using TTPs and Behaviors". Dive deep into cybersecurity models, tools, methodologies, and get hands-on with interactive threat hunting exercises. Master the art of operationalizing intel and presenting findings! 🔍🛡️
Why are so many enterprise security teams so incredibly inept when it comes to basic communication skills and the ability to work together towards a common goal?
Any team / business unit can be bad at these things (and often are in the "enterprise") but the problem seems especially prevalent with security teams.
And no, branding your teams / culture as devsecops does not fix the problem.
With the recent activity reported by the CERT-UA researchers, we focus on the APT known as the #Sandworm Team (or UAC-0165, as tracked by the Ukraine CERT). They recently targeted "at least 11 telecommunications providers" and conducted scans, installed backdoors, and cleared their tracks.
Normally I post something about a threat intel report but I have been reading the Microsoft Digital Defense Report for 2023 and there is just too much to post. That being said, I am going to share some of the numbers Microsoft presented and my thoughts on them. Let's start with ransomware:
📊 80-90% of all successful ransomware compromises originate from unmanaged devices.
📊 70% of organizations encountering human-operated ransomware had fewer than 500 employees.
📊 13% of human-operated ransomware attacks that moved into the ransom phase included some form of data exfiltration.
📈 Human-operated ransomware attacks are up more than 200%.
#infosec #blueteam
I have a weird issue and I need some help. I am dealing with an adversary who is impersonating our brand, but has now hidden the impersonation behind a login page as a way to stop takedown efforts. In order to register, they don't want an e-mail, they want a phone number in their country code to which a verification text message is sent.
Is there an app or service, like the Google phone service, that can let me send or receive text messages from a number in another country?