ᴘᴀʀᴛʜɪ

1.4K posts

@cyber__sloth

Intelligence Analyst @Atlassian

United Kingdom. Joined November 2009
404 Following, 2.6K Followers
ᴘᴀʀᴛʜɪ
ᴘᴀʀᴛʜɪ@cyber__sloth·
Recruitment #Phishing for well-known orgs like Google, Meta, YouTube. Full list of IOCs is here: pastebin.com/K8EezySa
ytjobsunit[.]com
ytjobspartner[.]com
ytjobsmember[.]com
metaworkrooms-hiring[.]com
metaworkrooms-careers[.]com
0
0
0
775
ᴘᴀʀᴛʜɪ
ᴘᴀʀᴛʜɪ@cyber__sloth·
@Antonlovesdnb @HuntressLabs Love to have your thoughts on the macOS IR cases or Linux. How do they compare against Windows environments, how easy is it for TAs to laterally move, and what TTPs do you see in the wild?
0
0
0
74
Anton
Anton@Antonlovesdnb·
Coming up on my 1 year anniversary with @HuntressLabs! Taking this opportunity to go over some things myself and the team have seen in intrusions and drop some tips on basic things you can do to make your network more immune to compromise.

Let's start with initial access
- We see so much VPN compromise, it's by far our number 1 initial access vector - yes 0days for VPN appliances are there, but most of the time the compromise is a result of good ol' fashioned credential stuffing or brute force.
- Some VPN appliances have decent log retention, others do not, and it really sucks when only ~1 hour worth of logs are available - if you're standing up a SIEM or any kind of log collection effort in your org, make sure that devices which are externally exposed are sending their telemetry to the SIEM. If your VPN appliance has different logging settings, check them out and enable as needed - this telemetry is gold during intrusions.
- In addition to VPN appliances, we see a lot of RDP / RDS machines get compromised - same story here, no fancy 0days, just weak credentials in use. In some cases, MFA is in use, but has either been bypassed for the compromised user or has "failed open" - if you use RDP for your org, make sure that MFA is enabled somehow on it; if it is enabled, test to see what happens when the process that handles MFA crashes or is turned off. Also, make sure you have good procedures in place for turning MFA bypasses back off when they're applied.
- Remember to keep an eye on your web applications, deserialization attacks aren't super common, but happen fairly often. Turn on IIS logging and enable POST request logging if possible. Remember that a standard penetration test often does not deep dive into custom web applications; invest in a good Appsec focused test if you have a custom application exposed externally.

Turning to lateral movement
- Once inside networks, threat actors move very quickly and unfortunately do not run into a lot of resistance. We typically see multiple accounts compromised in rapid succession, suggesting weak or shared passwords in use. You have no idea how happy it makes me to see "LOGON_TYPE_NOT_GRANTED" in the logs - yes I know segmenting your network is probably a pain, but it's a very effective security control.
- In most cases we see, RDP is used for lateral movement and unfortunately, there are often no controls to prevent users from RDP'ing into servers they have no business need to RDP into. Check your Active Directory permissions and see what users can RDP into your file servers and domain controllers, you might be very surprised by what you find!
- Impacket & impacket-related tooling is very popular for lateral movement; if you are in charge of defending a network and have telemetry and a lab environment, try to use WMIExec etc. for yourself and compare the telemetry you see versus normal activity, this is a great way to build high-fidelity alerts. Aside from that, remove local admin where possible. Local admin rights enable credential access and lateral movement avenues that would be shut right down were a non-admin account in use.

Looking at Execution / Impact
- Do threat actors use fancy 0days? Yes of course, but in the cases we work, we rarely see it. Most of the time, "just enough tradecraft" is employed, all a TA needs is FileZilla and 7Zip to ruin your day.
- Tunneling tools like ngrok and plink are very popular, most often, these tools are being used to make RDP externally available to the TA - everyone loves a GUI I guess.

How do adversaries get credentials?
- Registry credential dumping is extremely popular, same with LSASS credential dumping. Threat actors will also search local file systems and network shares for credentials and - guaranteed - will find them. Segmenting your network, limiting local admin access and hardening authentication silos within your AD environment (things like a three-tiered admin model, or as close to it as you can get) will limit the impact of credential theft drastically.
- Brute forcing is old and boring I get it, but unfortunately it works, especially for less-monitored environments; in some cases we've seen hundreds of thousands of brute force attempts for hours before an account is successfully compromised. Don't sleep on brute forcing, ensure you have account lockout policies in place and some kind of monitoring for brute force attacks.

Miscellaneous tidbits
- Please, please, please - change your default Windows log sizes via GPO. By default, these log channels do not hold a lot of data; if a threat actor undertakes a brute force in the environment, security-relevant telemetry will be clobbered, hampering any investigation efforts.
- Have a standard naming convention for your organization's workstations and servers, this makes it so much easier to orientate everything during an investigation and very often bubbles up malicious activity for workstations that don't fit the standard naming convention.
- Have a plan in place in case of an incident, it's bound to happen and it's better to be prepared. What happens if certain hosts need to be offline, who do you call to get a potential insurance claim started? What is the threshold for a formal IR engagement - deciding all these things under pressure from an incident is not ideal.

I think this post is long enough 😅 so I'll wrap it up 💙
15
47
216
29.1K
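The thread above recommends lockout policies plus "some kind of monitoring for brute force attacks" and warns that undersized Windows log channels get clobbered by exactly that activity. The following is an added detection example written for this page; it is not Anton's or Huntress's code. It works over a constructed, simplified key=value export of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP, 3 = Network) and flags two things: a burst of failures from one source address inside a time window, and a successful logon from that same source while the burst is still recent, which is the "hundreds of thousands of attempts, then one account gives way" pattern described in the post. The line format, field names, thresholds, IP addresses and account names are all assumptions made for the example.

```python
"""Brute-force burst and success-after-burst detection over Windows logon events.

Added example for this page (not Anton's or Huntress's code). The input format
below is a constructed key=value flattening of Security event fields; a real
deployment would read from the SIEM's own schema instead.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security event: an account was successfully logged on


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    user: str
    source_ip: str
    logon_type: int      # 10 = RemoteInteractive (RDP), 3 = Network, etc.


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed 'ts=... event=... user=... src=... type=...' line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        event_id=int(fields["event"]),
        user=fields["user"],
        source_ip=fields["src"],
        logon_type=int(fields["type"]),
    )


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
    """Return alerts as (kind, source_ip, detail, timestamp) tuples.

    kind is 'brute_force_burst' when a source reaches `threshold` failed logons
    inside `window`, and 'success_after_burst' when that source then logs on
    successfully while the burst is still inside the window. Thresholds are
    illustrative assumptions; tune them to the environment's baseline.
    """
    recent_failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    accounts_tried = defaultdict(set)      # source_ip -> distinct accounts attempted (cumulative)
    burst_alerted = set()                  # sources already reported, to avoid alert storms
    alerts = []

    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        q = recent_failures[ev.source_ip]
        # Drop failures that fell outside the sliding window.
        while q and ev.ts - q[0] > window:
            q.popleft()

        if ev.event_id == FAILED_LOGON:
            q.append(ev.ts)
            accounts_tried[ev.source_ip].add(ev.user)
            if len(q) >= threshold and ev.source_ip not in burst_alerted:
                burst_alerted.add(ev.source_ip)
                detail = f"{len(accounts_tried[ev.source_ip])} accounts"
                alerts.append(("brute_force_burst", ev.source_ip, detail, ev.ts))
        elif ev.event_id == SUCCESS_LOGON and len(q) >= threshold:
            # A success while the failure burst is still hot: very likely a
            # guessed or stuffed credential rather than a fat-fingered user.
            alerts.append(("success_after_burst", ev.source_ip, ev.user, ev.ts))

    return alerts


# Constructed sample: one external source (203.0.113.0/24 is a documentation
# range) sprays several accounts over RDP and finally gets in; one internal
# user mistypes a password once and then logs on normally.
SAMPLE_LOG = """\
ts=2024-05-01T02:00:00 event=4625 user=admin src=203.0.113.7 type=10
ts=2024-05-01T02:00:01 event=4625 user=administrator src=203.0.113.7 type=10
ts=2024-05-01T02:00:02 event=4625 user=jsmith src=203.0.113.7 type=10
ts=2024-05-01T02:00:03 event=4625 user=backup src=203.0.113.7 type=10
ts=2024-05-01T02:00:04 event=4625 user=svc_sql src=203.0.113.7 type=10
ts=2024-05-01T02:00:09 event=4625 user=helpdesk src=203.0.113.7 type=10
ts=2024-05-01T02:00:15 event=4624 user=helpdesk src=203.0.113.7 type=10
ts=2024-05-01T08:30:00 event=4625 user=asmith src=10.0.0.25 type=10
ts=2024-05-01T08:30:20 event=4624 user=asmith src=10.0.0.25 type=10
"""


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, src, detail, ts in run_sample():
        print(f"{ts.isoformat()} {kind:22} src={src} {detail}")
```

The success-after-burst alert is the one worth paging on: a burst alone is background noise on anything internet-facing, but a success from a source that was just failing against several accounts is a credential that has most likely been guessed. Note that the logic can only see failures that are still in the Security log, which is the practical reason behind the post's advice to raise the default log sizes via GPO before an incident, not after.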
Paul Goffar
Paul Goffar@n3tl0kr·
@AccidentalCISO Actually, I use Zohomail too, forgot. Free up to 5 users, easy admin portal and no charge to map your MX records
4
1
26
2.9K
Accidental CISO
Accidental CISO@AccidentalCISO·
I have a family member that wants a custom email domain for personal use (multiple users likely). What services are good for this without going all the way to M365 or Google Workspace? They are going to need easy to manage.
168
7
231
66.9K
ᴘᴀʀᴛʜɪ
ᴘᴀʀᴛʜɪ@cyber__sloth·
@cyb3rops Please try chrome to detect password reuse. This has been super helpful for us. You can also enforce password reset if there’s password reuse.
0
1
1
214
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
How do you prevent a corporate user from choosing the same password for a business service that he uses for some private accounts? How do you prevent a password sync from his corporate browser to his private one? How do you prevent browser extensions from leaking corporate credentials? I'm sure your org has answered these questions already.
69
44
336
62.8K
ᴘᴀʀᴛʜɪ retweeted
Will Harris
Will Harris@parityzero·
With Chrome 127 on Windows, we're introducing enhanced encryption to protect sensitive data, starting with your cookies🍪! This helps protect your personal information and keeps your online accounts secure from hackers. Read more about this protection: security.googleblog.com/2024/07/improv…
12
130
341
98.8K
Matthew
Matthew@embee_research·
[7/] I wanted a high level view of the 2500+ results, so I utilised the export feature and brought in #CyberChef. Sorting by alphabetical order made the data much easier to digest. This revealed that the brands most commonly impersonated had a mail subdomain.
2
0
6
999
Matthew
Matthew@embee_research·
Uncovering 169 Phishing Domains With DNS Pivoting 🔥 Leveraging my new favourite DNS tool to pivot from an initial IOC to 169 domains impersonating popular fashion brands. [1/14] 🧵 #phishing #threatintel #malware
4
84
281
34K
ᴘᴀʀᴛʜɪ retweeted
Ginkgo
Ginkgo@ginkgo_g·
#APT #Sidewinder e2a3edc708016316477228de885f0c39. The decoy document is information about the itinerary of #Nepali Prime Minister Pushpa Kamal Dahal. After the macro code is run, multiple VBScript files, batch files, and ZIP files containing the #Nim backdoor will be released.
4
13
31
7.4K
Pepperfry.com
Pepperfry.com@Pepperfry·
@cyber__sloth Dear Parthi, We are sorry to hear about your concern. Please allow us some time to check and get back to you on this.
1
0
0
69
ᴘᴀʀᴛʜɪ
ᴘᴀʀᴛʜɪ@cyber__sloth·
@Pepperfry please help me with the order 309211269. I’ve been trying to reach out to the support via email, but no response.
1
0
0
41