101010.pl

Sajid Nawaz Khan :donor:For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable upto 2048 bytes!).While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.<a href="https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping" rel="nofollow noopener" translate="no" target="_blank">https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping</a><a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#malwareanalysis</a> <a href="https://infosec.exchange/tags/forensics" class="mention hashtag" rel="nofollow noopener" target="_blank">#forensics</a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a>

IT NewsEuropol shuts down almost 600 IP addresses in Cobalt Strike cybercrime crackdown - Nearly 600 IP addresses have been dismantled by Europol as part of a concerted eff... - <a href="https://readwrite.com/europol-shuts-600-ip-addresses-cobalt-strike-cybercrime-crackdown/" rel="nofollow noopener" translate="no" target="_blank">https://readwrite.com/europol-shuts-600-ip-addresses-cobalt-strike-cybercrime-crackdown/</a> <a href="https://schleuss.online/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a> <a href="https://schleuss.online/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://schleuss.online/tags/europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#europol</a>

The Spamhaus Project<a href="https://bird.makeup/users/europol" class="u-url mention" rel="nofollow noopener" target="_blank">@europol</a> strikes back at Cobalt Strike - another brilliantly coordinated effort with hat tips to <a href="https://ioc.exchange/@abuse_ch" class="u-url mention" rel="nofollow noopener" target="_blank">@abuse_ch</a> and Spamhaus Technology Ltd for their involvement and support too 👏 This international operation has taken action against criminal abuse with Operation Morpheus.Abuse reports are being sent from us to network owners hosting active Cobalt Strike servers. Network operators, if you receive an abuse report, we urge you to take swift action 🙏 Read more here: <a href="https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike" rel="nofollow noopener" translate="no" target="_blank">https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike</a><a href="https://infosec.exchange/tags/CTI" class="mention hashtag" rel="nofollow noopener" target="_blank">#CTI</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/botnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#botnet</a> <a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a> <a href="https://infosec.exchange/tags/operationmorpheus" class="mention hashtag" rel="nofollow noopener" target="_blank">#operationmorpheus</a>

abuse.ch :verified:Europol coordinates global action against criminal abuse of Cobalt Strike 🔥 We are very proud that together with our partner <a href="https://infosec.exchange/@spamhaus" class="u-url mention" rel="nofollow noopener" target="_blank">@spamhaus</a> we are part of this international operation 👏 🎉 Indicators on rogue Cobalt Strike botnet C2 servers related to the operation are being made available on ThreatFox 🦊 :➡ <a href="https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/" rel="nofollow noopener" translate="no" target="_blank">https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/</a>In addition, The Spamhaus Project is sending out abuse reports to network owners hosting such rogue (active) Cobalt Strike servers 📨 . If you are a network operator receiving such an abuse report, you should take action on it swiftly 🙏 Further reading: 👉 <a href="https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike" rel="nofollow noopener" translate="no" target="_blank">https://www.europol.europa.eu/media-press/newsroom/news/europol-coordinates-global-action-against-criminal-abuse-of-cobalt-strike</a><a href="https://ioc.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybercrime</a> <a href="https://ioc.exchange/tags/CTI" class="mention hashtag" rel="nofollow noopener" target="_blank">#CTI</a> <a href="https://ioc.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://ioc.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://ioc.exchange/tags/botnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#botnet</a> <a href="https://ioc.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a> <a href="https://ioc.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a>

BradPost I wrote for my employer at <a href="https://www.linkedin.com/posts/unit42_ssload-cobaltstrike-timelythreatintel-activity-7187091840968351744-xqe-" rel="nofollow noopener" translate="no" target="_blank">https://www.linkedin.com/posts/unit42_ssload-cobaltstrike-timelythreatintel-activity-7187091840968351744-xqe-</a> and <a href="https://twitter.com/Unit42_Intel/status/1781326222019932535" rel="nofollow noopener" translate="no" target="_blank">https://twitter.com/Unit42_Intel/status/1781326222019932535</a>024-04-18 (Thursday): <a href="https://infosec.exchange/tags/SSLoad" class="mention hashtag" rel="nofollow noopener" target="_blank">#SSLoad</a> infection leads to <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> DLL. In this case we saw no follow-up Cobalt Strike C2 traffic. List of indicators available at <a href="https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-18-IOCs-from-SSLoad-infection-with-Cobalt-Strike-DLL.txt" rel="nofollow noopener" translate="no" target="_blank">https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-18-IOCs-from-SSLoad-infection-with-Cobalt-Strike-DLL.txt</a>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of the <a href="https://infosec.exchange/tags/SSLoad" class="mention hashtag" rel="nofollow noopener" target="_blank">#SSLoad</a> infection traffic leading to the <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> DLL along with the associated malware/artifacts are available at <a href="https://malware-traffic-analysis.net/2024/04/18/index.html" rel="nofollow noopener" translate="no" target="_blank">https://malware-traffic-analysis.net/2024/04/18/index.html</a>

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲See how the attackers use <a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a>'s reverse VNC to buy an iPhone 14 from the Apple Store and then drop <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> on the victim machine. Thanks to <a href="https://infosec.exchange/@malware_traffic" class="u-url mention" rel="nofollow noopener" target="_blank">@malware_traffic</a> for sharing the <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> file! <a href="https://netresec.com/?b=23A4de6" rel="nofollow noopener" translate="no" target="_blank">https://netresec.com/?b=23A4de6</a>

Xavier «X» Santolaria :verified_paw: :donor:📨 Latest issue of my curated <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> and <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> list of resources for week #40/2023 is out! It includes the following and much more:🇺🇸 🗳️ D.C. Board of <a href="https://infosec.exchange/tags/Elections" class="mention hashtag" rel="nofollow noopener" target="_blank">#Elections</a> confirms voter data stolen in site hack 🔓 🪪 <a href="https://infosec.exchange/tags/MGM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MGM</a> Resorts confirms hackers stole customers’ personal data during <a href="https://infosec.exchange/tags/cyberattack" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyberattack</a> 🔓 🧬 <a href="https://infosec.exchange/tags/DNA" class="mention hashtag" rel="nofollow noopener" target="_blank">#DNA</a> testing service 23andMe investigating theft of user data 🔓 🎧 <a href="https://infosec.exchange/tags/Sony" class="mention hashtag" rel="nofollow noopener" target="_blank">#Sony</a> confirms <a href="https://infosec.exchange/tags/databreach" class="mention hashtag" rel="nofollow noopener" target="_blank">#databreach</a> impacting thousands in the U.S. 📱 💥 Lyca Mobile Group Services Significantly Disrupted by Cyberattack 🔓 🕵🏻‍♂️ <a href="https://infosec.exchange/tags/NATO" class="mention hashtag" rel="nofollow noopener" target="_blank">#NATO</a> investigating breach, <a href="https://infosec.exchange/tags/leak" class="mention hashtag" rel="nofollow noopener" target="_blank">#leak</a> of internal documents 🔓 🇪🇺 European Telecommunications Standards Institute Discloses Data Breach 🔓 🏨 <a href="https://infosec.exchange/tags/MotelOne" class="mention hashtag" rel="nofollow noopener" target="_blank">#MotelOne</a> discloses data breach following <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> attack 🇰🇵 💰 North Korea's <a href="https://infosec.exchange/tags/Lazarus" class="mention hashtag" rel="nofollow noopener" target="_blank">#Lazarus</a> Group Launders $900 Million in <a href="https://infosec.exchange/tags/Cryptocurrency" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptocurrency</a> 🇧🇪 🇨🇳 <a href="https://infosec.exchange/tags/Alibaba" class="mention hashtag" rel="nofollow noopener" target="_blank">#Alibaba</a> accused of ‘possible espionage’ at European hub 🇨🇳 <a href="https://infosec.exchange/tags/China" class="mention hashtag" rel="nofollow noopener" target="_blank">#China</a>-linked cyberspies <a href="https://infosec.exchange/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#backdoor</a> <a href="https://infosec.exchange/tags/semiconductor" class="mention hashtag" rel="nofollow noopener" target="_blank">#semiconductor</a> firms with <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> 🥸 Meet LostTrust <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> — A likely rebrand of the <a href="https://infosec.exchange/tags/MetaEncryptor" class="mention hashtag" rel="nofollow noopener" target="_blank">#MetaEncryptor</a> gang 🇬🇾 🇨🇳 <a href="https://infosec.exchange/tags/Guyana" class="mention hashtag" rel="nofollow noopener" target="_blank">#Guyana</a> Governmental Entity Hit by <a href="https://infosec.exchange/tags/DinodasRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#DinodasRAT</a> in <a href="https://infosec.exchange/tags/CyberEspionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberEspionage</a> Attack 🇷🇺 🇺🇸 <a href="https://infosec.exchange/tags/FBI" class="mention hashtag" rel="nofollow noopener" target="_blank">#FBI</a> most-wanted Russian hacker reveals why he burned his passport 🇺🇸 🏥 <a href="https://infosec.exchange/tags/FDA" class="mention hashtag" rel="nofollow noopener" target="_blank">#FDA</a> cyber mandates for <a href="https://infosec.exchange/tags/medicaldevices" class="mention hashtag" rel="nofollow noopener" target="_blank">#medicaldevices</a> goes into effect ☁️ 🔓 Number of Internet-Exposed <a href="https://infosec.exchange/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#ICS</a> Drops Below 100,000 ☁️ <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> Warns of Cyber Attacks Attempting to Breach Cloud via <a href="https://infosec.exchange/tags/SQL" class="mention hashtag" rel="nofollow noopener" target="_blank">#SQL</a> Server Instance 🦠 📈 <a href="https://infosec.exchange/tags/QakBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#QakBot</a> Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks 🔓 🍏 <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#Apple</a> Warns of Newly Exploited iOS 17 Kernel Zero-Day 🎣 🧑🏻‍💼 US Executives Targeted in <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> Attacks Exploiting Flaw in Indeed Job Platform 🦠 🏦 <a href="https://infosec.exchange/tags/Zanubis" class="mention hashtag" rel="nofollow noopener" target="_blank">#Zanubis</a> <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> Banking Trojan Poses as Peruvian Government App to Target Users 🦠 🇮🇷 Iranian APT Group <a href="https://infosec.exchange/tags/OilRig" class="mention hashtag" rel="nofollow noopener" target="_blank">#OilRig</a> Using New Menorah <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> for Covert Operations 🔐 ☁️ <a href="https://infosec.exchange/tags/Amazon" class="mention hashtag" rel="nofollow noopener" target="_blank">#Amazon</a> to make <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> mandatory for 'root' <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener" target="_blank">#AWS</a> accounts by mid-2024 🛡️ 🧅 <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> Defender no longer flags <a href="https://infosec.exchange/tags/Tor" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tor</a> Browser as malware 👀 X-Force uncovers global <a href="https://infosec.exchange/tags/NetScaler" class="mention hashtag" rel="nofollow noopener" target="_blank">#NetScaler</a> Gateway credential harvesting campaign 🐛 💰 Zero-days for hacking <a href="https://infosec.exchange/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> are now worth millions of dollars 🩹 <a href="https://infosec.exchange/tags/Cisco" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cisco</a> fixes hard-coded root credentials in Emergency Responder 🔓 Vulnerabilities in <a href="https://infosec.exchange/tags/Supermicro" class="mention hashtag" rel="nofollow noopener" target="_blank">#Supermicro</a> BMCs could allow for unkillable server <a href="https://infosec.exchange/tags/rootkits" class="mention hashtag" rel="nofollow noopener" target="_blank">#rootkits</a> 🔓 🐧 Looney Tunables: New <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#Linux</a> Flaw Enables Privilege Escalation on Major Distributions 🐍 Warning: <a href="https://infosec.exchange/tags/PyTorch" class="mention hashtag" rel="nofollow noopener" target="_blank">#PyTorch</a> Models Vulnerable to Remote Code Execution via ShellTorch 🩹 Microsoft Edge, Teams get fixes for zero-days in <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#opensource</a> libraries 🔓 🔥 Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw ☁️ Cloudflare <a href="https://infosec.exchange/tags/DDoS" class="mention hashtag" rel="nofollow noopener" target="_blank">#DDoS</a> protections ironically bypassed using <a href="https://infosec.exchange/tags/Cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cloudflare</a> 📚 This week's recommended reading is: "8 Steps to Better Security: A Simple Cyber Resilience Guide for Business" by Kim Crawley Subscribe to the <a href="https://infosec.exchange/tags/infosecMASHUP" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosecMASHUP</a> newsletter to have it piping hot in your inbox every week-end ⬇️<a href="https://infosec-mashup.santolaria.net/p/infosec-mashup-week-402023" rel="nofollow noopener" translate="no" target="_blank">https://infosec-mashup.santolaria.net/p/infosec-mashup-week-402023</a>

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:"🚨 Earth Lusca's New Linux Backdoor: SprySOCKS Unveiled! 🐙"Earth Lusca, a China-linked threat actor, has been spotted employing a novel Linux backdoor, dubbed "SprySOCKS". This malware seems to have evolved from the open-source Windows backdoor Trochilus. The backdoor showcases swift behavior and a SOCKS implementation, hence the name. 🐍💼SprySOCKS's structure is reminiscent of the RedLeaves backdoor, a RAT known to infect Windows machines. This backdoor is still under development, with different versions observed. Its interactive shell seems to draw inspiration from the Linux variant of the Derusbi malware. 🕵️‍♂️🔍Recent activities of Earth Lusca indicate a focus on Southeast Asia, Central Asia, and the Balkans. Their primary targets? Government departments in foreign affairs, technology, and telecommunications. They've been exploiting server-based N-day vulnerabilities, including CVE-2022-40684, CVE-2022-39952, and more. Once inside, they deploy Cobalt Strike for lateral movement, aiming to exfiltrate sensitive data and conduct long-term espionage. 🌍🎯Source: <a href="https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" rel="nofollow noopener" target="_blank">Trend Micro Research</a>Tags: <a href="https://infosec.exchange/tags/EarthLusca" class="mention hashtag" rel="nofollow noopener" target="_blank">#EarthLusca</a> <a href="https://infosec.exchange/tags/SprySOCKS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SprySOCKS</a> <a href="https://infosec.exchange/tags/LinuxBackdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinuxBackdoor</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/APT" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT</a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntelligence</a> <a href="https://infosec.exchange/tags/RedLeaves" class="mention hashtag" rel="nofollow noopener" target="_blank">#RedLeaves</a> <a href="https://infosec.exchange/tags/Trochilus" class="mention hashtag" rel="nofollow noopener" target="_blank">#Trochilus</a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> 🌐🔐🖥️

securityaffairsPower Generator in South <a href="https://infosec.exchange/tags/Africa" class="mention hashtag" rel="nofollow noopener" target="_blank">#Africa</a> hit with <a href="https://infosec.exchange/tags/DroxiDat" class="mention hashtag" rel="nofollow noopener" target="_blank">#DroxiDat</a> and <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> <a href="https://securityaffairs.com/149432/cyber-crime/power-generator-droxidat.html" rel="nofollow noopener" translate="no" target="_blank">https://securityaffairs.com/149432/cyber-crime/power-generator-droxidat.html</a> <a href="https://infosec.exchange/tags/securityaffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#securityaffairs</a> <a href="https://infosec.exchange/tags/APT" class="mention hashtag" rel="nofollow noopener" target="_blank">#APT</a>

Brad2023-05-22 (Mon) & 2023-05-23 (Tue): TA577 pushes <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a>2023-05-24 (Wed): TA577 back to pushing <a href="https://infosec.exchange/tags/Qabkot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qabkot</a> (<a href="https://infosec.exchange/tags/Qbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qbot</a>)Pikabot:- <a href="https://malware-traffic-analysis.net/2023/05/22/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/22/index.html</a>- <a href="https://malware-traffic-analysis.net/2023/05/23/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/23/index.html</a>Qakbot (TA570 obama264): - <a href="https://malware-traffic-analysis.net/2023/05/24/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/24/index.html</a>I was lucky enough to get <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> with the two Pikabot infections, so I wrote tweets for my employer on the bird site.See the above links for <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> files, malware samples, IOCs, and links to my employer's tweets for the Pikabot activity.

BradTweet I wrote for my employer at the bird site: <a href="https://twitter.com/Unit42_Intel/status/1659199751265595392" rel="nofollow noopener" target="_blank">https://twitter.com/Unit42_Intel/status/1659199751265595392</a>2023-05-17 (Wednesday): Today, this week's BB28 <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a>-style distribution chain pushed <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> instead of Qakbot. Followed up with <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> using <a href="https://infosec.exchange/tags/DNSTunneling" class="mention hashtag" rel="nofollow noopener" target="_blank">#DNSTunneling</a>. We later saw additional Cobalt Strike traffic over HTTPS. List of IOCs available at <a href="https://github.com/pan-unit42/tweets/blob/master/2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt" rel="nofollow noopener" target="_blank">https://github.com/pan-unit42/tweets/blob/master/2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt</a>A carved <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of the infection traffic (removed everything not related to the <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> & <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a>) and the associated malware/registry updates available at <a href="https://malware-traffic-analysis.net/2023/05/17/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/17/index.html</a>

securityskeptic :donor: :verified:MSFT obtains court order to sinkhole Cobalt Strike C&C traffic. The order lists 16 John Does as Appendix A of the order identifies the Hosting Companies/Data Centers Where Defendants Placed the Command and Control Servers and the 1000 or so C&C IP addresses. It also includes the Whois for the ~110 C&C domains. The contact data for these are redacted or unavailable from the ccTLD operator. So... _none_ of the domain registrations yielded the name and contact of a party that could be named as a defendant in the action?Microsoft's attorneys have filed dozens of orders like this one. Surely they asked for a Whois reveal or asked for billing data.So... _none_ of the domain registration BILLING DATA yielded the name and contact of a party that could be named as a defendant in the action?<a href="https://www.databreachtoday.com/microsoft-gets-court-order-to-sinkhole-cobalt-strike-traffic-a-21650" rel="nofollow noopener" target="_blank">https://www.databreachtoday.com/microsoft-gets-court-order-to-sinkhole-cobalt-strike-traffic-a-21650</a><a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener" target="_blank">#c2</a> <a href="https://infosec.exchange/tags/whois" class="mention hashtag" rel="nofollow noopener" target="_blank">#whois</a> <a href="https://infosec.exchange/tags/itsalwaysdns" class="mention hashtag" rel="nofollow noopener" target="_blank">#itsalwaysdns</a> <a href="https://infosec.exchange/tags/exceptwhenitsIPs" class="mention hashtag" rel="nofollow noopener" target="_blank">#exceptwhenitsIPs</a>Set aside privacy protection (it can be managed for all natural person's complete and accurate contact data) but share with me:

Opalsec :verified:The cyber crims are working through the holidays, and so are we. Here's Monday's newsletter on all the developments in infosec, just for you:<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf" rel="nofollow noopener" translate="no" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf</a>International law enforcement agencies notched up another win last week, having successfully taken down the notorious Initial Access Broker Genesis Marketplace last week - or did they? The site remains active and the admins appear to have gotten away unscathed, so what victory was there to be had?<a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a>, in collaboration with <a href="https://infosec.exchange/tags/Fortra" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fortra</a> and the Health ISAC, are commencing work to dismantle infrastructure used by actors abusing cracked versions of the offensive Cobalt Strike framework. It'll be an uphill battle, and it remains to be seen if they can make a dent in the sprawling global footprint achieved by the cyber crim's implant of choice.Be warned - a PoC exploit has been released for a CVSS 10.0 Sandbox Escape vulnerability impacting the VM2 JavaScript Sandbox, which itself has >16 million monthly downloads on <a href="https://infosec.exchange/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#npm</a>. Researchers have also uncovered a vulnerability in <a href="https://infosec.exchange/tags/WiFi" class="mention hashtag" rel="nofollow noopener" target="_blank">#WiFi</a> APs that could allow hijacking and snooping of client traffic; <a href="https://infosec.exchange/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#Apple</a> patches two actively exploited 0-days in <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#iOS</a>, <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#iPadOS</a> and <a href="https://infosec.exchange/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#macOS</a>, and <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CISA</a> urges patching of <a href="https://infosec.exchange/tags/Zimbra" class="mention hashtag" rel="nofollow noopener" target="_blank">#Zimbra</a> bugs exploited by Russian APTs.The <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#redteam</a> have some great tooling and tradecraft to help with Microsoft <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#MFA</a> enumeration and performing port forwarding on compromised <a href="https://infosec.exchange/tags/Cisco" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cisco</a> gear, while the <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a> are again spoiled for choice - a new database of exploited drivers, research on abuse of SFX archives for persistence, and threat models for <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener" target="_blank">#AWS</a> KMS and CI/CD pipelines - take your pick!Check out the newsletter and catch all this and much more excellent threat and tradecraft research, to help you gear up for the week ahead: <a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf" rel="nofollow noopener" translate="no" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-744?sd=pf</a>Happy Easter Monday to everyone lucky enough to be enjoying the holiday, I hope you're all having a great break wherever you are, and a reminder that if you're travelling on the roads, to please drive safe!<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyber</a> <a href="https://infosec.exchange/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#news</a> <a href="https://infosec.exchange/tags/cybernews" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybernews</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infosecnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosecnews</a> <a href="https://infosec.exchange/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#informationsecurity</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/newsletter" class="mention hashtag" rel="nofollow noopener" target="_blank">#newsletter</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a> <a href="https://infosec.exchange/tags/hacker" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacker</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://infosec.exchange/tags/exploit" class="mention hashtag" rel="nofollow noopener" target="_blank">#exploit</a> <a href="https://infosec.exchange/tags/PoC" class="mention hashtag" rel="nofollow noopener" target="_blank">#PoC</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener" target="_blank">#soc</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/DarkWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkWeb</a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> <a href="https://infosec.exchange/tags/IAB" class="mention hashtag" rel="nofollow noopener" target="_blank">#IAB</a> <a href="https://infosec.exchange/tags/InitialAccessBroker" class="mention hashtag" rel="nofollow noopener" target="_blank">#InitialAccessBroker</a> <a href="https://infosec.exchange/tags/GenesisMarketplace" class="mention hashtag" rel="nofollow noopener" target="_blank">#GenesisMarketplace</a>

Hackread.comMicrosoft and cybersecurity firm Forta have joined forces to take down the malicious infrastructure of <a href="https://mstdn.social/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a>, which is used in large-scale ransomware attacks.Read: <a href="https://www.hackread.com/microsoft-fortra-cobalt-strike-infrastructure/" rel="nofollow noopener" target="_blank">https://www.hackread.com/microsoft-fortra-cobalt-strike-infrastructure/</a> <a href="https://mstdn.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://mstdn.social/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybercrime</a> <a href="https://mstdn.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mstdn.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://mstdn.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a>

Opalsec :verified:Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf</a><a href="https://infosec.exchange/tags/Emotet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Emotet</a> are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners. We’ve highlighted a report on the Xenomorph <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> <a href="https://infosec.exchange/tags/InTune" class="mention hashtag" rel="nofollow noopener" target="_blank">#InTune</a> to deliver payloads and an in-memory dropper to abuse the <a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener" target="_blank">#BYOVD</a> technique and evade EDR solutions.A joint investigation by <a href="https://infosec.exchange/tags/Mandiant" class="mention hashtag" rel="nofollow noopener" target="_blank">#Mandiant</a> and <a href="https://infosec.exchange/tags/SonicWall" class="mention hashtag" rel="nofollow noopener" target="_blank">#SonicWall</a> has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by <a href="https://infosec.exchange/tags/Fortinet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fortinet</a> this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.<a href="https://infosec.exchange/tags/HiatusRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#HiatusRAT</a> is a novel malware targeting <a href="https://infosec.exchange/tags/DrayTek" class="mention hashtag" rel="nofollow noopener" target="_blank">#DrayTek</a> routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent <a href="https://infosec.exchange/tags/BatLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#BatLoader</a> and <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a> campaigns are also worth taking note of, as is <a href="https://infosec.exchange/tags/GoBruteforcer" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoBruteforcer</a>, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.Those in Vulnerability Management should take particular note of the <a href="https://infosec.exchange/tags/Veeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Veeam</a> vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the <a href="https://infosec.exchange/tags/VMWare" class="mention hashtag" rel="nofollow noopener" target="_blank">#VMWare</a> Cloud Foundation product in the last two months, so make sure you’re patched against it.<a href="https://infosec.exchange/tags/Redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Redteam</a> members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a>’s reflective loading capability;The <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#blueteam</a> has some great tradecraft tips from <a href="https://infosec.exchange/@inversecos" class="u-url mention" rel="nofollow noopener" target="_blank">@inversecos</a> on <a href="https://infosec.exchange/tags/Azure" class="mention hashtag" rel="nofollow noopener" target="_blank">#Azure</a> DFIR, as well as tools to help scan websites for malicious objects, and to combat the new <a href="https://infosec.exchange/tags/Stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stealc</a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#infostealer</a> and well-established Raccoon Stealer.Catch all this and much more in this week's newsletter:<a href="https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf" rel="nofollow noopener" target="_blank">https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cyber" class="mention hashtag" rel="nofollow noopener" target="_blank">#cyber</a> <a href="https://infosec.exchange/tags/news" class="mention hashtag" rel="nofollow noopener" target="_blank">#news</a> <a href="https://infosec.exchange/tags/cybernews" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybernews</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infosecnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosecnews</a> <a href="https://infosec.exchange/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#informationsecurity</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/newsletter" class="mention hashtag" rel="nofollow noopener" target="_blank">#newsletter</a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#technology</a> <a href="https://infosec.exchange/tags/hacker" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacker</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener" target="_blank">#soc</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/DarkWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkWeb</a> <a href="https://infosec.exchange/tags/mdm" class="mention hashtag" rel="nofollow noopener" target="_blank">#mdm</a> <a href="https://infosec.exchange/tags/dprk" class="mention hashtag" rel="nofollow noopener" target="_blank">#dprk</a> <a href="https://infosec.exchange/tags/FortiOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FortiOS</a> <a href="https://infosec.exchange/tags/FortiProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#FortiProxy</a>

Xavier «X» Santolaria :verified_paw: :donor:This week's <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> newsletter issue is out! Have a look at it. It includes, but not only:<ul><li>CISA warns of actively exploited <a href="https://infosec.exchange/tags/Plex" class="mention hashtag" rel="nofollow noopener" target="_blank">#Plex</a> bug after <a href="https://infosec.exchange/tags/LastPass" class="mention hashtag" rel="nofollow noopener" target="_blank">#LastPass</a> breach</li><li>Brazil seizing <a href="https://infosec.exchange/tags/FlipperZero" class="mention hashtag" rel="nofollow noopener" target="_blank">#FlipperZero</a> shipments to prevent use in crime</li><li><a href="https://infosec.exchange/tags/IBM" class="mention hashtag" rel="nofollow noopener" target="_blank">#IBM</a> X-Force on defining the <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> Reflective Loader</li><li>Security researchers targeted with new <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> via job offers on <a href="https://infosec.exchange/tags/LinkedIn" class="mention hashtag" rel="nofollow noopener" target="_blank">#LinkedIn</a></li><li>Alleged NetWire RAT Operator Arrested in Croatia as FBI Seizes Website</li><li>Xenomorph <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> malware now steals data from 400 banks</li><li><a href="https://infosec.exchange/tags/GitHub" class="mention hashtag" rel="nofollow noopener" target="_blank">#GitHub</a> makes 2FA mandatory next week for active developers</li><li>The <a href="https://infosec.exchange/tags/Akuvox" class="mention hashtag" rel="nofollow noopener" target="_blank">#Akuvox</a> E11 door phone/intercom is riddled with security holes</li><li>Custom Chinese Malware Found on <a href="https://infosec.exchange/tags/SonicWall" class="mention hashtag" rel="nofollow noopener" target="_blank">#SonicWall</a> Appliance</li><li>Building Great OT Incident Response Tabletop Exercises, by <a href="https://infosec.exchange/@hacks4pancakes" class="u-url mention" rel="nofollow noopener" target="_blank">@hacks4pancakes</a> </li><li>Warning: Don't Let <a href="https://infosec.exchange/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> Manage Your <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> </li><li><a href="https://infosec.exchange/tags/Fortinet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fortinet</a> warns of new critical unauthenticated RCE <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a></li><li><a href="https://infosec.exchange/tags/Veeam" class="mention hashtag" rel="nofollow noopener" target="_blank">#Veeam</a> fixes bug that lets hackers breach <a href="https://infosec.exchange/tags/backup" class="mention hashtag" rel="nofollow noopener" target="_blank">#backup</a> infrastructure</li><li>AI-Powered '<a href="https://infosec.exchange/tags/BlackMamba" class="mention hashtag" rel="nofollow noopener" target="_blank">#BlackMamba</a>' Keylogging Attack Evades Modern <a href="https://infosec.exchange/tags/EDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#EDR</a> Security</li><li>Hard-coded secrets up 67% as secrets sprawl threatens software supply chain</li><li><a href="https://infosec.exchange/tags/Emotet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Emotet</a> malware attacks return after three-month break</li></ul>.. And many more. Subscribe to receive it directly in your inbox every Sunday!<a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/newsletter" class="mention hashtag" rel="nofollow noopener" target="_blank">#newsletter</a> <a href="https://0x58.substack.com/p/my-shared-links-week-102023" rel="nofollow noopener" target="_blank">https://0x58.substack.com/p/my-shared-links-week-102023</a>

BradOriginally posted at: <a href="https://twitter.com/Unit42_Intel/status/1623707361184477185" rel="nofollow noopener" target="_blank">https://twitter.com/Unit42_Intel/status/1623707361184477185</a>2023-02-08 (Wednesday) As follow-up to an <a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a> (<a href="https://infosec.exchange/tags/Bokbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bokbot</a>) infection, I saw a <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> stager hosted at hxxp://167.172.154[.]189/b360802.dll with follow-up Cobalt Strike C2 on 79.132.128[.]191:443 using thefirstupd[.]com as its domain. IoCs available at <a href="https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt" rel="nofollow noopener" target="_blank">https://github.com/pan-unit42/tweets/blob/master/2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt</a>

BradOriginally posted on Twitter at: <a href="https://twitter.com/Unit42_Intel/status/1620531956504055812" rel="nofollow noopener" target="_blank">https://twitter.com/Unit42_Intel/status/1620531956504055812</a>2023-01-31 (Tuesday) - <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a> (<a href="https://infosec.exchange/tags/Qbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qbot</a>) returns after one month hiatus, now using OneNote (.one) files as initial lure. Saw <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at <a href="https://github.com/pan-unit42/tweets/blob/master/2023-01-31-BB12-Qakbot-infection-IOCs.txt" rel="nofollow noopener" target="_blank">https://github.com/pan-unit42/tweets/blob/master/2023-01-31-BB12-Qakbot-infection-IOCs.txt</a><a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> and malware samples at <a href="https://www.malware-traffic-analysis.net/2023/01/31/index.html" rel="nofollow noopener" target="_blank">https://www.malware-traffic-analysis.net/2023/01/31/index.html</a>VNC traffic on 78.31.67[.]7 port 443.Overall, this is the same type of Qakbot activity seen last year. The only real difference is the OneNote files.

ath0<a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener" target="_blank">#hack100days</a> : day 14d : Watched Mudge’s lateral movement video for <a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#cobaltstrike</a>. <a href="https://infosec.exchange/tags/activedirectory" class="mention hashtag" rel="nofollow noopener" target="_blank">#activedirectory</a> and <a href="https://infosec.exchange/tags/windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#windows</a> refresher. <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#redteam</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

Recent searches

Search options

Administered by:

Server stats:

#cobaltstrike