Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common...
CVSS 10 | AI Score 9.9 | EPSS 0.976
Microsoft shifts to a new threat actor naming taxonomy
April 19, 2023 update – We have published a JSON file mapping old threat actor names with their new names in the updated taxonomy, summarized here: https://aka.ms/threatactors. We also added hunting queries that Microsoft customers can use while transitioning to the new taxonomy. See the Resources....
AI Score 6.9
Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole
Welcome to this week's edition of the Threat Source newsletter. Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals. On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums,...
CVSS 8.8 | AI Score 8.8 | EPSS 0.026
[The Lost Bots] S03E02: Finding unknowns, even spy balloons
When a balloon crossed through Canada and the United States, everyone lost their minds. The news was all-balloon, all-the-time. And the big, obvious, serious questions flew too: “why didn't we see the balloon sooner? Have there been other balloons?” That sounded pretty familiar to Rapid7 Detection...
AI Score 6.6
FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers
Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. The domain seizures coincided with more than a...
AI Score 6.9
3CXDesktopApp Backdoored in a Suspected Lazarus Campaign
Introduction: The attack involved a compromised version of the 3CX VoIP desktop client, which was used to target 3CX's customers. The compromised 3CX application is a private automatic branch exchange (PABX) software and is available for Windows, macOS, Linux, Android, iOS and Chrome. Currently,...
CVSS 7.8 | AI Score 8 | EPSS 0.0005
Welcome to this week's edition of the Threat Source newsletter. Everyone loves a good video of someone slipping on their icy steps in the winter, captured thanks to their home security camera or smart doorbell. But what about when that camera is just kind of chilling out and not catching the...
AI Score 6.2
Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Eoin Miller, Caitlin Condon, Stephen Fewer, Spencer McIntyre, and Christiaan Beek all contributed to this blog. On Wednesday,...
CVSS 7.8 | AI Score 7.6 | EPSS 0.0005
Financial cyberthreats in 2022
Financial gain remains the key driver of cybercriminal activity. In the past year, we've seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats...
AI Score 7.1
Microsoft Secure: Explore innovations transforming the future of security
Building a more secure future requires an end-to-end approach. There is no question that technology plays an essential role, but security will always be human-centered. That’s what Microsoft Secure is all about. It’s about sharing knowledge, best practices, and technology innovations that empower...
AI Score 6.9
Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak...
CVSS 9.8 | AI Score 9.6 | EPSS 0.915
DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by...
AI Score -0.4
When Dave Liebenberg started his first day at Talos, he had never even opened Terminal on a Mac before -- let alone written a Snort rule or infiltrated a dark web forum. He jokes that he was a trendsetter at Talos, becoming the first of many to break into security without having any prior...
AI Score 6.4
Multi-repository variant analysis: a powerful new way to perform security research across GitHub
The security community identifies new vulnerabilities at an astonishing rate and helps developers all over the world secure their code. GitHub is actively facilitating this collaboration with tools like private vulnerability reporting and the GitHub Advisory Database. Today, we’re announcing the...
AI Score 0.2
[The Lost Bots] S03E01: Tech Stack Consolidation and Bacon
It’s 2023, and according to Gartner, ESG, and everybody else, the vendor consolidation trend continues. Throwing tools at the problem isn’t working well, and creates problems of its own. So, this season of “Lost Bots” starts with Jeffrey Gardner, Detection and Response Practice Advisor and...
AI Score 1
Microsoft Security Experts discuss evolving threats in roundtable chat
I don’t know about you, but we’re still catching our breath after 2022. Microsoft Security blocked more than 70 billion email and identity threats last year.[1] In the same 12-month span, ransomware attacks impacted more than 200 large organizations in the United States alone, spanning government,...
AI Score -0.1
IoC detection experiments with ChatGPT
ChatGPT is a groundbreaking chatbot powered by the neural network-based language model text-davinci-003 and trained on a large dataset of text from the Internet. It is capable of generating human-like text in a wide range of styles and formats. ChatGPT can be fine-tuned for specific tasks, such as...
AI Score -0.4
Evasion Techniques Uncovered: An Analysis of APT Methods
By Christiaan Beek, with special thanks to Matt Green. DLL search order hijacking is a technique used by attackers to elevate privileges on the compromised system, evade restrictions, and/or establish persistence on the system. The Windows operating system uses a common method to look for required...
AI Score -0.2
Beyond the basics: Implementing an active defense
Active defense: a key approach to protecting against major threats. Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting...
AI Score 0.5
XDR, the Beatles, and Blunt Instruments
Sometimes tools are blunt because there’s nothing else. Regarding economic controls for example, Fed Chair Jerome Powell said: “We have essentially interest rates, the balance sheet and forward guidance. They are famously blunt tools, they are not capable of surgical precision." Others are blunt...
AI Score -0.1
Hive! Hive! Hive! Ransomware site submerged by FBI
On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive's infrastructure since July of 2022. Its access became public on Thursday when Hive's dark...
AI Score 0.6
Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
Summary. Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious...
CVSS 9.8 | AI Score 9.4 | EPSS 0.975
Microsoft Security innovations from 2022 to help you create a safer world today
The start of a new year is always a great time for reflection—to be grateful for all we have and the progress security teams have made as well as look ahead to how we can reshape the security landscape. I use this time to think about goals for the future, and to reflect on the highlights,...
AI Score -0.2
CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24...
CVSS 9.8 | AI Score n/a | EPSS 0.975
Dated, Vulnerable, Insecure Tech Is All Over the News. Hooray.
Save the links. Pass them around. And consider getting your copy of the new 2023 XDR Buyer’s Guide—because if this isn’t a time for reckoning and progress, what is? The news: on Wednesday, the United States grounded all flights coast-to-coast for the first time since 9/11. The Federal Aviation...
AI Score -0.8
Threat Source newsletter (Jan. 12, 2023): Did ChatGPT write our newsletter?
Welcome to this week's edition of the Threat Source newsletter. We tried to get ChatGPT to write this week's newsletter but it was at capacity, so you'll have to stick with us for another week. Or maybe that's just what the robots want you to think, you be the judge. The one big thing: This week...
AI Score -0.2
Unbreakable Enterprise kernel security update
[5.15.0-6.80.3.1] - Revert 'rds: ib: Enable FC by default' (Hakon Bugge) [Orabug: 34964359] [5.15.0-6.80.3] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888471] - rds: ib: Fix leaked MRs during kexec (Hakon Bugge) [Orabug: 34892082] - uek-rpm: Add ptp_kvm.ko to core...
CVSS 8.8 | AI Score 8.6 | EPSS 0.001
Ditch The Duct Tape: Reduce Security Sprawl With XDR
The New Year’s Day edition of The Wall Street Journal asked a big question in a big headline: “Can Southwest Airlines Buy Back Its Customers’ Love?” While other airlines rebounded from extreme winter weather and service disruptions, Southwest—always top-rated, with a famously loyal...
AI Score -0.6
Qualys Threat Research Unit: Threat Thursdays, December 2022
Welcome to the fourth edition of the Qualys Threat Research Unit’s (TRU) “Threat Research Thursday”, where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. This also happens to be the last edition for the year....
CVSS 9.8 | AI Score 0.5 | EPSS 0.958
BlueNoroff introduces new methods bypassing MoTW
BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group's activities and this October we observed the adoption of new...
AI Score -0.6
fl-cars.de Cross Site Scripting vulnerability OBB-3117897
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score -0.2