Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!
Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep-dive into #UNC4841, a Chinese-nexus threat group, activity that shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!
This is a really well researched long-form piece regarding the history and evolution of #ransomware, and how it is likely to continue to evolve by attacking weaknesses in #cryptocurrencies:
As always, the ultimate observation is that organizations need to improve their current #cybersecurity ecosystem and IT security culture, which often go underfunded.
Today we published an advisory for Busybox cpio. When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.
Mit Exodus, #fdroid und trackercontrol können #android Benutzers unerwünschte "Nebenwirkungen" von apps ergründen und datensparsame Alternativen finden.
Nach einer 10-monatigen Mastodon-Eingewöhnung bin ich heute in mein neues digitales #digitalcourage - Zuhause umgezogen. Ich fühle mich hier inhaltlich etwas besser aufgehoben und freue mich auf viele interessante Beiträge.
Den sozialen #datenkraken - Netzwerken und Apps des Meta-Konzerns habe ich bereits vor vielen Jahren den Rücken gekehrt und versuche kontinuierlich mein Bewusstsein für digitale #selbstbestimmung weiter zu schärfen.
Not a day goes by that I don't miss working in the IT Security field. I left the field more than 15 years ago because of a horrible manager. Leaving was a mistake. Sadly, with the length of time that I've been out of the field, and my age (56), my wanting to rejoin the field is probably just a dream at this point. #ITSecurity#CyberSecurity#infosec
Der Verlust von Daten ist meist sehr ärgerlich. Habt ihr schon einmal eine Datei verloren, der ihr heute noch nachtrauert? Oder konnte euch eine Sicherung schon vor einer persönlichen Katastrophe „retten“? Wir sind gespannt auf eure Kommentare!
Follow the Trend Micro researchers as they dissect the Big Head Ransomware variants. What I look for in these types of reports are the behaviors that are uncovered through the analysis and how I can apply these artifacts to a hunt in my environment. For example, one artifact they discovered how the malware was designed to delete the backups on the compromised machine. Recognizing and learning these behaviors is crucial to conducting a successful threat hunt! Enjoy and Happy Hunting!
Old customer infrastructure based on #Proxmox 5 and an ancient #Dell server running an outdated #pfSense.
They asked me to update everything because the ERP provider (a small software house) accessing via #VPN claims the pfSense version is too old. I agree and decide to upgrade Proxmox.
On the old Dell, I install #OpenBSD and, in agreement with the ERP provider, a #Wireguard VPN.
After a few days, they 'recall' me because, for their internal compliance and following their '#security manual,' they need to enter the password manually every time they connect, and Wireguard doesn't support user/password concept.
They ask for the possibility to change the PSK with each access to ensure that the one in their configuration files is not the current one - an absurd operation. I don't have a maintenance contract and can't take this responsibility, as it doesn't make sense. Clearly, they agreed on Wireguard without even knowing what it was.
To avoid issues, I ask them what to install instead. They suggest #OpenVPN might be acceptable. I proceed accordingly. They contact me again: 'The version of OpenVPN is not suitable, and OpenBSD is not certified according to our security procedures.' I ask them to tell me what is certified. They respond: '#Debian 7, #Wheezy - and the version of OpenVPN from Debian 7.'
I politely point out that Debian 7 reached its End of Life in 2016, and even the extended LTS has been unsupported for 3 years. They don't care, they must abide by their manual - it's safe for them.
The customer asks me to accommodate them anyway, but I reflect on the fact that when they inevitably get compromised, it will be my fault for installing something so outdated today.
I declined the job - limiting myself to updating Proxmox.
I'm not sure if I'm more offended by the bureaucracy of certain 'internal manuals' or by the closed-mindedness of certain colleagues who can't stand up against such dynamics.
My interpretation of this article is that hospitals, clinics, insurance companies, etc. need to get links and repost icons for Facebook, Twitter, etc. OFF their websites. If you work for a big institution -- talk to your marketing team as they are used to doing this routinely. If you are a small provider, look at your website -- especially if you created it years ago back when no one thought of the problems and you just wanted some traffic.
TITLE: FTC, HHS warn health providers not to use tracking tech in websites, apps
The Federal Trade Commission (FTC) and Department of Health and Human Services (HHS) sent a joint letter to about 130 hospital systems and telehealth providers Thursday, warning of security risks posed by tracking technologies such as the Meta/Facebook Pixel and Google Analytics.
<https://therecord.media/apps-website-tracking-healthcare-ftc-hhs-warning>
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords #infosec @infosec@a.gup.pe #telehealth #netneutrality #socialengineering #marketing #seo #therapy
#psychology #counseling #socialwork #psychotherapy @psychotherapist@a.gup.pe @psychotherapists@a.gup.pe @psychology@a.gup.pe @socialpsych@a.gup.pe @socialwork@a.gup.pe @psychiatry@a.gup.pe
@infosec@a.gup.pe #mentalhealth #psychiatry #healthcare
Google Analytics is now a topic of conversation on the Baltimore Therapist listserv.
Your point about classism is well taken.
QUESTION: Am I correct in assuming that Google Analytics is likely to be harvesting client-side data and storing it? Asking for an educated guess as we might not know...
For the less-than-tech-saavy medical professionals and therapists in the room -- what log analyzers might they ask for when they speak to their marketing and IT teams about this issue?
The next installment of the SentinelOne and #VXUnderground blog series features Millie Nym as they demonstrate their unique reverse engineering techniques as they analyze a sample of ArechClient2. Enjoy and Happy Hunting!
As usual, for this #miniCTF, I am going to leave out a piece of information and it is your job to find it! DM me with the answer or leave a comment!
Hint: Check the links in the article!
Notable MITRE ATT&CK TTPs:
TA0005 - Defense Evasion
T1055.? - Process Injection: [fill in this blank]
T1562 - Impair Defenses: Disable or Modify Tools
T1112 - Modify Registry
TA0009 - Collection
T1005 - Data from Local System
Happy Monday everyone! Rapid7 is the source of this #miniCTF and they highlight the recent activity of the #APT known as Blackmoon, aka KRBanker. Blackmoon is back with a new campaign that is designed to deploy unwanted programs and persistence, or to stay in the victims' environment as long as possible. Enjoy and #HappyHunting!
Link is in the comments!
I mention multiple Mitre TTPs but can you find any I left out? And I MAY have messed up some of the numbers on some of them! Let me know what needs corrected!
Notable MITRE ATT&CK TTPs:
Enterprise Matrix
TA0028 - Persistence
T1547.010 - Boot or Logon Autostart Execution: Port Monitors
T1543.001 - Create or Modify System Process: Windows Service
TA0005 - Defense Evasion
T1055.012 - Process Injection: Process Hollowing
T1562.001 - Impair Defenses: Disable or Modify Tools
We are looking for a #security expert joining our team as a senior security engineer in #munich, Germany. If you are interested or know somebody else, please DM me for details.
German language is not required, we speak English internally.
Fediverse-vise I am living more in a ham radio bubble than in an infosec one so if you have security folks as followers, please boost.
#HappyMonday everyone! I am back from a weeklong "vacation" with an article from the SentinelOne blog but the research was conducted by Pol Thill. There was a challenge thrown down by #VXUnderground and SentinelOne looking for research that was conducted but not previously published, which I think is a really interesting concept and needs to happen more often!
Anyways, here is Pol's research on Neo_Net, the Kingpin of Spanish eCrime! Enjoy and Happy Hunting!
Link in the comments!
Notable MITRE ATT&CK TTPs and Behaviors:
Mobile Matrix:
TA0035 - Collection
T1636.004 - Protected User Data: SMS Messages
TA0037 - Command and Control
T1437.001 - Application Layer Protocol: Web Protocols
T1481.003 - Web Service: One-Way Communication
Kennt jemand eine Website mit einer Erklärung zum #Fediverse bzw. #Mastodon für #Marketing menschen?
Also für die lieben Kollegen:innen von mir auf der Arbeit, die unsere Blog-Posts, Stellenausschreibungen, etc. auf Linkedin/Xing/Twitter posten.
Also ich möchte ihnen das mal pitchen, weil ich denke dass einige unserer Dinge (viel #ITsecurity) hier auch gut ankommen könnten.
Aber ich hab von Marketing keine Ahnung und weiß nicht, womit man die gut überzeugen kann.
Happy Friday everyone! Travel the world with the Check Point Software Technologies Ltd research team as they report how #CamaroDragon spread uncontrollably. Enjoy and Happy Hunting!
Link in the comments!
Here is your #miniCTF challenge
Beginner: What MITRE ATT&CK relates to the way the malware propagates?
Intermediate: There are at least two means of persistence mentioned in this article. What are they and what are their Technique/sub-technique IDs and titles?
Extra Credit: What log sources and event codes from those log sources will capture either the beginner's or intermediate (or both) challenges activity?