FIN is a group targeting financial assets including assets able to do financial transaction including PoS.
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-02-25}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Cobalt Strike IcedID Maze SystemBC |
2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International
@online{international:20210224:overview:95b80e0,
author = {Amnesty International},
title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
date = {2021-02-24},
organization = {Github (AmnestyTech)},
url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
language = {English},
urldate = {2021-02-25}
}
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders
OceanLotus Cobalt Strike KerrDown |
2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama
@techreport{haruyama:20210224:knock:f4903a2,
author = {Takahiro Haruyama},
title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
date = {2021-02-24},
institution = {VMWare Carbon Black},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
language = {Japanese},
urldate = {2021-02-26}
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation
Cobalt Strike |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader |
2021-02-22 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal
@online{vinopal:20210222:ryuk:e9c5fb4,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware API Resolving in 10 minutes}},
date = {2021-02-22},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=7xxRunBP5XA},
language = {English},
urldate = {2021-02-25}
}
Ryuk Ransomware API Resolving in 10 minutes
Ryuk |
2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
@online{report:20210211:hancitor:9fa527e,
author = {The DFIR Report},
title = {{Tweet on Hancitor Activity followed by cobaltsrike beacon}},
date = {2021-02-11},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
language = {English},
urldate = {2021-02-18}
}
Tweet on Hancitor Activity followed by cobaltsrike beacon
Cobalt Strike Hancitor |
2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
@techreport{league:20210211:ctil:69c2ab8,
author = {CTI LEAGUE},
title = {{CTIL Darknet Report – 2021}},
date = {2021-02-11},
institution = {CTI LEAGUE},
url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf},
language = {English},
urldate = {2021-02-20}
}
CTIL Darknet Report – 2021
Conti Ransomware Mailto Maze REvil Ryuk |
2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20210209:learn:c08b657,
author = {Raphael Mudge},
title = {{Learn Pipe Fitting for all of your Offense Projects}},
date = {2021-02-09},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
language = {English},
urldate = {2021-02-10}
}
Learn Pipe Fitting for all of your Offense Projects
Cobalt Strike |
2021-02-09 ⋅ Securehat ⋅ Securehat
@online{securehat:20210209:extracting:0f4ae2f,
author = {Securehat},
title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
date = {2021-02-09},
organization = {Securehat},
url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
language = {English},
urldate = {2021-02-10}
}
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP |
2021-02-04 ⋅ Chainanalysis ⋅ Chainalysis Team
@online{team:20210204:blockchain:4e63b2f,
author = {Chainalysis Team},
title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
date = {2021-02-04},
organization = {Chainanalysis},
url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
language = {English},
urldate = {2021-02-06}
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt |
2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team
@techreport{team:20210204:conti:27cb3a2,
author = {ClearSky Research Team},
title = {{CONTI Modus Operandi and Bitcoin Tracking}},
date = {2021-02-04},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf},
language = {English},
urldate = {2021-02-06}
}
CONTI Modus Operandi and Bitcoin Tracking
Conti Ransomware Ryuk |
2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20210203:excel:8e949c9,
author = {Brad Duncan},
title = {{Excel spreadsheets push SystemBC malware}},
date = {2021-02-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
language = {English},
urldate = {2021-02-04}
}
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC |
2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp
@online{earp:20210202:how:923f969,
author = {Madeline Earp},
title = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
date = {2021-02-02},
organization = {Committee to Protect Journalists},
url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
language = {English},
urldate = {2021-02-04}
}
How Vietnam-based hacking operation OceanLotus targets journalists
Cobalt Strike |
2021-02-02 ⋅ CRONUP ⋅ CRONUP
@online{cronup:20210202:de:6ff4f3a,
author = {CRONUP},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-02-17}
}
De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
@online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity
Cobalt Strike Dridex |
2021-02-01 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
@online{intelligence:20210201:active:0a4f59f,
author = {Advanced Intelligence},
title = {{Tweet on Active Directory Exploitation by RYUK "one" group}},
date = {2021-02-01},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1356114606780002308},
language = {English},
urldate = {2021-02-04}
}
Tweet on Active Directory Exploitation by RYUK "one" group
Ryuk |
2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team
@online{team:20210201:bluecrab:df21c0a,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}},
date = {2021-02-01},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19860/},
language = {English},
urldate = {2021-02-06}
}
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment
Cobalt Strike REvil |
2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis
@online{koutroumpis:20210201:relay:596413f,
author = {Petros Koutroumpis},
title = {{Relay Attacks via Cobalt Strike Beacons}},
date = {2021-02-01},
organization = {pkb1s.github.io},
url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
language = {English},
urldate = {2021-02-04}
}
Relay Attacks via Cobalt Strike Beacons
Cobalt Strike |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk |
2021-01-28 ⋅ TrustedSec ⋅ Adam Chester
@online{chester:20210128:tailoring:d3f973c,
author = {Adam Chester},
title = {{Tailoring Cobalt Strike on Target}},
date = {2021-01-28},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
language = {English},
urldate = {2021-01-29}
}
Tailoring Cobalt Strike on Target
Cobalt Strike |
2021-01-28 ⋅ Huntress Labs ⋅ John Hammond
@techreport{hammond:20210128:analyzing:2f8dae2,
author = {John Hammond},
title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}},
date = {2021-01-28},
institution = {Huntress Labs},
url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf},
language = {English},
urldate = {2021-01-29}
}
Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk |
2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team
@online{team:20210128:bluecrab:44d2e64,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware constantly trying to bypass detection}},
date = {2021-01-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19640/},
language = {Korean},
urldate = {2021-02-04}
}
BlueCrab ransomware constantly trying to bypass detection
Cobalt Strike REvil |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
@online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring Ransomware MimiKatz |
2021-01-25 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
@online{intelligence:20210125:ryuk:25a96a7,
author = {Advanced Intelligence},
title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}},
date = {2021-01-25},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1353546534676258816},
language = {English},
urldate = {2021-01-25}
}
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool
Ryuk |
2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)},
title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}},
date = {2021-01-20},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
language = {English},
urldate = {2021-01-21}
}
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP |
2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210118:raindrop:9ab1262,
author = {Threat Hunter Team},
title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}},
date = {2021-01-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
language = {English},
urldate = {2021-01-21}
}
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
@online{mackenzie:20210117:conti:db7f1cb,
author = {Peter Mackenzie},
title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}},
date = {2021-01-17},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
language = {English},
urldate = {2021-01-21}
}
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders
Cobalt Strike Conti Ransomware |
2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier
@online{lussier:20210115:detecting:fecd6c3,
author = {Dan Lussier},
title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}},
date = {2021-01-15},
organization = {Medium Dansec},
url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
language = {English},
urldate = {2021-01-21}
}
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike
Cobalt Strike |
2021-01-14 ⋅ RiskIQ ⋅ Jordan Herman
@online{herman:20210114:medialand:3f603bd,
author = {Jordan Herman},
title = {{MediaLand: Magecart and Bulletproof Hosting}},
date = {2021-01-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/5bea32aa},
language = {English},
urldate = {2021-01-21}
}
MediaLand: Magecart and Bulletproof Hosting
magecart |
2021-01-14 ⋅ RiskIQ ⋅ Team RiskIQ
@online{riskiq:20210114:new:29f2c96,
author = {Team RiskIQ},
title = {{New Analysis Puts Magecart Interconnectivity into Focus}},
date = {2021-01-14},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-medialand/},
language = {English},
urldate = {2021-01-18}
}
New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
@online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c,
author = {Ben Read and John Hultquist},
title = {{UNC2452: What We Know So Far}},
date = {2021-01-12},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/462719},
language = {English},
urldate = {2021-01-18}
}
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP |
2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen
@online{jansen:20210112:abusing:c38eeb6,
author = {Wouter Jansen},
title = {{Abusing cloud services to fly under the radar}},
date = {2021-01-12},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
language = {English},
urldate = {2021-01-18}
}
Abusing cloud services to fly under the radar
Cobalt Strike |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well
Cobalt Strike TrickBot |
2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621,
author = {Sudhakar Ramakrishna},
title = {{New Findings From Our Investigation of SUNBURST}},
date = {2021-01-11},
organization = {SolarWinds},
url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
language = {English},
urldate = {2021-01-18}
}
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP |
2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
@online{reaves:20210110:man1:54a4162,
author = {Jason Reaves},
title = {{MAN1, Moskal, Hancitor and a side of Ransomware}},
date = {2021-01-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
language = {English},
urldate = {2021-01-11}
}
MAN1, Moskal, Hancitor and a side of Ransomware
Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware |
2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr
@online{mcgarr:20210109:malware:dde1353,
author = {Connor McGarr},
title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}},
date = {2021-01-09},
organization = {Connor McGarr's Blog},
url = {https://connormcgarr.github.io/thread-hijacking/},
language = {English},
urldate = {2021-01-11}
}
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Cobalt Strike |
2021-01-07 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20210107:aversary:9771829,
author = {Insikt Group®},
title = {{Aversary Infrastructure Report 2020: A Defender's View}},
date = {2021-01-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
language = {English},
urldate = {2021-01-11}
}
Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-07 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Brian Carter, HYAS
@online{kremez:20210107:crime:4c6f5c3,
author = {Vitali Kremez and Brian Carter and HYAS},
title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}},
date = {2021-01-07},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders},
language = {English},
urldate = {2021-01-11}
}
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
Ryuk |
2021-01-06 ⋅ Red Canary ⋅ Tony Lambert
@online{lambert:20210106:hunting:272410b,
author = {Tony Lambert},
title = {{Hunting for GetSystem in offensive security tools}},
date = {2021-01-06},
organization = {Red Canary},
url = {https://redcanary.com/blog/getsystem-offsec/},
language = {English},
urldate = {2021-01-11}
}
Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research
@online{research:20210105:earth:d7bb547,
author = {Trend Micro Research},
title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
language = {English},
urldate = {2021-01-10}
}
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Cobalt Strike |
2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag
@online{haag:20210104:malleable:ab64356,
author = {Michael Haag},
title = {{Malleable C2 Profiles and You}},
date = {2021-01-04},
organization = {Medium haggis-m},
url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
language = {English},
urldate = {2021-01-05}
}
Malleable C2 Profiles and You
Cobalt Strike |
2020-12-28 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch
@online{barabosch:20201228:never:f7e93aa,
author = {Thomas Barabosch},
title = {{Never upload ransomware samples to the Internet}},
date = {2020-12-28},
organization = {0xC0DECAFE},
url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/},
language = {English},
urldate = {2021-01-01}
}
Never upload ransomware samples to the Internet
Ryuk |
2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck
@online{grimminck:20201226:spoofing:a0a5622,
author = {Stefan Grimminck},
title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}},
date = {2020-12-26},
organization = {Medium grimminck},
url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
language = {English},
urldate = {2021-01-01}
}
Spoofing JARM signatures. I am the Cobalt Strike server now!
Cobalt Strike |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo
@online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP |
2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f,
author = {Adam Hlavek and Kimberly Ortiz},
title = {{Russian cyber attack campaigns and actors}},
date = {2020-12-21},
organization = {IronNet},
url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors},
language = {English},
urldate = {2021-01-05}
}
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier
@online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit
Cobalt Strike |
2020-12-16 ⋅ RiskIQ ⋅ Mia Ihm, Cory Kennedy, Jordan Herman
@online{ihm:20201216:skimming:608e648,
author = {Mia Ihm and Cory Kennedy and Jordan Herman},
title = {{Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists}},
date = {2020-12-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/14924d61},
language = {English},
urldate = {2020-12-17}
}
Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists
magecart |
2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
@online{mansfield:20201216:tracking:25540bd,
author = {Paul Mansfield},
title = {{Tracking and combatting an evolving danger: Ransomware extortion}},
date = {2020-12-16},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
language = {English},
urldate = {2020-12-17}
}
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt
Cobalt Strike SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST |
2020-12-14 ⋅ Medium Killbit ⋅ killbit
@online{killbit:20201214:applying:75d0dde,
author = {killbit},
title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}},
date = {2020-12-14},
organization = {Medium Killbit},
url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f},
language = {English},
urldate = {2020-12-17}
}
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Maze |
2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team
@online{team:20201211:mountlocker:9c495cb,
author = {BlackBerry Research and Intelligence team},
title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}},
date = {2020-12-11},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
language = {English},
urldate = {2020-12-14}
}
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates
Cobalt Strike Mount Locker |
2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e,
author = {Joakim Kandefelt},
title = {{Cybereason vs. Ryuk Ransomware}},
date = {2020-12-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware},
language = {English},
urldate = {2020-12-14}
}
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot |
2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
@online{unit42:20201210:threat:6ac31af,
author = {Unit42},
title = {{Threat Brief: FireEye Red Team Tool Breach}},
date = {2020-12-10},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: FireEye Red Team Tool Breach
Cobalt Strike |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ CyberInt ⋅ CyberInt
@online{cyberint:20201210:ryuk:e74b8f6,
author = {CyberInt},
title = {{Ryuk Crypto-Ransomware}},
date = {2020-12-10},
organization = {CyberInt},
url = {https://blog.cyberint.com/ryuk-crypto-ransomware},
language = {English},
urldate = {2020-12-14}
}
Ryuk Crypto-Ransomware
Ryuk TrickBot |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
@online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot |
2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20201208:red:8ccdfcf,
author = {Raphael Mudge},
title = {{A Red Teamer Plays with JARM}},
date = {2020-12-08},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
language = {English},
urldate = {2021-01-11}
}
A Red Teamer Plays with JARM
Cobalt Strike |
2020-12-08 ⋅ Sophos ⋅ Sean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic
@online{gallagher:20201208:egregor:fe48cfd,
author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic},
title = {{Egregor ransomware: Maze’s heir apparent}},
date = {2020-12-08},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/},
language = {English},
urldate = {2020-12-08}
}
Egregor ransomware: Maze’s heir apparent
Egregor Maze |
2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter
@online{roter:20201207:egregor:2d3dced,
author = {Tom Roter},
title = {{Egregor Ransomware - An In-Depth Analysis}},
date = {2020-12-07},
organization = {Minerva Labs},
url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis},
language = {English},
urldate = {2020-12-09}
}
Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet Ransomware |
2020-12-02 ⋅ Sansec ⋅ Sansec Threat Research Team
@online{team:20201202:persistent:4f26f93,
author = {Sansec Threat Research Team},
title = {{Persistent parasite in EOL Magento 2 stores wakes at Black Friday}},
date = {2020-12-02},
organization = {Sansec},
url = {https://sansec.io/research/magento-2-persistent-parasite},
language = {English},
urldate = {2020-12-14}
}
Persistent parasite in EOL Magento 2 stores wakes at Black Friday
magecart |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores
@online{flores:20201201:impact:415bf2e,
author = {Ryan Flores},
title = {{The Impact of Modern Ransomware on Manufacturing Networks}},
date = {2020-12-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html},
language = {English},
urldate = {2020-12-08}
}
The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil |
2020-12-01 ⋅ 360.cn ⋅ jindanlong
@online{jindanlong:20201201:hunting:b9e2674,
author = {jindanlong},
title = {{Hunting Beacons}},
date = {2020-12-01},
organization = {360.cn},
url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
language = {English},
urldate = {2021-01-10}
}
Hunting Beacons
Cobalt Strike |
2020-12-01 ⋅ mez0.cc ⋅ mez0
@online{mez0:20201201:cobalt:38336ed,
author = {mez0},
title = {{Cobalt Strike PowerShell Execution}},
date = {2020-12-01},
organization = {mez0.cc},
url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
language = {English},
urldate = {2020-12-14}
}
Cobalt Strike PowerShell Execution
Cobalt Strike |
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them
Cobalt Strike |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack |
2020-11-27 ⋅ Reflectiz ⋅ Reflectiz
@online{reflectiz:20201127:ico:a1bad28,
author = {Reflectiz},
title = {{The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned}},
date = {2020-11-27},
organization = {Reflectiz},
url = {https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/},
language = {English},
urldate = {2021-01-29}
}
The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned
magecart |
2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb,
author = {Lior Rochberger and Cybereason Nocturnus},
title = {{Cybereason vs. Egregor Ransomware}},
date = {2020-11-26},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
language = {English},
urldate = {2020-12-08}
}
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot |
2020-11-25 ⋅ SentinelOne ⋅ Jim Walter
@online{walter:20201125:egregor:5727f7a,
author = {Jim Walter},
title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}},
date = {2020-11-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
language = {English},
urldate = {2020-12-08}
}
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
Cobalt Strike Egregor |
2020-11-25 ⋅ Reflectiz ⋅ Idan Cohen
@online{cohen:20201125:csp:1b9a48e,
author = {Idan Cohen},
title = {{CSP, the Right Solution for the Web-Skimming Pandemic?}},
date = {2020-11-25},
organization = {Reflectiz},
url = {https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218},
language = {English},
urldate = {2021-01-29}
}
CSP, the Right Solution for the Web-Skimming Pandemic?
magecart |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani
@online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis
Cobalt Strike |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu
@online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor developed by Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor developed by Go
Cobalt Strike |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk |
2020-11-18 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20201118:analyzing:abccd43,
author = {Joe Slowik},
title = {{Analyzing Network Infrastructure as Composite Objects}},
date = {2020-11-18},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects},
language = {English},
urldate = {2020-11-19}
}
Analyzing Network Infrastructure as Composite Objects
Ryuk |
2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1,
author = {Victoria Kivilevich},
title = {{Zooming into Darknet Threats Targeting Japanese Organizations}},
date = {2020-11-18},
organization = {KELA},
url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
language = {English},
urldate = {2020-11-19}
}
Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware |
2020-11-17 ⋅ cyble ⋅ Cyble
@online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
@online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware |
2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax
@online{astrovax:20201114:deep:b50ae08,
author = {astrovax},
title = {{Deep Dive Into Ryuk Ransomware}},
date = {2020-11-14},
organization = {Medium 0xastrovax},
url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12},
language = {English},
urldate = {2021-01-25}
}
Deep Dive Into Ryuk Ransomware
Hermes Ryuk |
2020-11-11 ⋅ RiskIQ ⋅ Jordan Herman
@online{herman:20201111:magecart:8137a1f,
author = {Jordan Herman},
title = {{Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches}},
date = {2020-11-11},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/fda1f967},
language = {English},
urldate = {2020-11-18}
}
Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches
magecart |
2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a,
author = {Dmitry Bestuzhev and Fedor Sinitsyn},
title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}},
date = {2020-11-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/},
language = {English},
urldate = {2020-11-11}
}
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk |
2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Cobalt Strike KerrDown APT32 |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink
Cobalt Strike |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX |
2020-11-06 ⋅ Telsy ⋅ Telsy Research Team
@techreport{team:20201106:malware:7b6dd9d,
author = {Telsy Research Team},
title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}},
date = {2020-11-06},
institution = {Telsy},
url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf},
language = {English},
urldate = {2020-11-09}
}
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
Maze |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Github (scythe-io) ⋅ SCYTHE
@online{scythe:20201105:ryuk:8d7c4de,
author = {SCYTHE},
title = {{Ryuk Adversary Emulation Plan}},
date = {2020-11-05},
organization = {Github (scythe-io)},
url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk},
language = {English},
urldate = {2020-11-11}
}
Ryuk Adversary Emulation Plan
Ryuk |
2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9,
author = {Jorge Orchilles and Sean Lyngaas},
title = {{#ThreatThursday - Ryuk}},
date = {2020-11-05},
organization = {SCYTHE},
url = {https://www.scythe.io/library/threatthursday-ryuk},
language = {English},
urldate = {2020-11-06}
}
#ThreatThursday - Ryuk
BazarBackdoor Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
@online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho
@online{marinho:20201103:attackers:9b3762b,
author = {Renato Marinho},
title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}},
date = {2020-11-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/26752},
language = {English},
urldate = {2020-11-06}
}
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike
Cobalt Strike |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-11-02 ⋅ SUCURI ⋅ Denis Sinegubko
@online{sinegubko:20201102:cssjs:e800099,
author = {Denis Sinegubko},
title = {{CSS-JS Steganography in Fake Flash Player Update Malware}},
date = {2020-11-02},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html},
language = {English},
urldate = {2020-11-04}
}
CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT |
2020-10-31 ⋅ splunk ⋅ Ryan Kovar
@online{kovar:20201031:ryuk:735f563,
author = {Ryan Kovar},
title = {{Ryuk and Splunk Detections}},
date = {2020-10-31},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html},
language = {English},
urldate = {2020-11-02}
}
Ryuk and Splunk Detections
Ryuk |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk |
2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a,
author = {The Cofense Intelligence Team},
title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}},
date = {2020-10-30},
organization = {Cofense},
url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/},
language = {English},
urldate = {2020-11-02}
}
The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201029:hacking:c8d5379,
author = {Lawrence Abrams},
title = {{Hacking group is targeting US hospitals with Ryuk ransomware}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
@online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
@online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot |
2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d,
author = {Brittany Barbehenn and Doel Santos and Brad Duncan},
title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}},
date = {2020-10-29},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot |
2020-10-29 ⋅ McAfee ⋅ McAfee Labs
@techreport{labs:20201029:mcafee:84eed4e,
author = {McAfee Labs},
title = {{McAfee Labs Threat Advisory Ransom-Ryuk}},
date = {2020-10-29},
institution = {McAfee},
url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf},
language = {English},
urldate = {2020-11-02}
}
McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201029:maze:f90b399,
author = {Lawrence Abrams},
title = {{Maze ransomware is shutting down its cybercrime operation}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/},
language = {English},
urldate = {2020-11-02}
}
Maze ransomware is shutting down its cybercrime operation
Egregor Maze |
2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT
@online{csirt:20201029:list:5fb0206,
author = {Swisscom CSIRT},
title = {{List of CobaltStrike C2's used by RYUK}},
date = {2020-10-29},
organization = {Github (Swisscom)},
url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
language = {English},
urldate = {2020-11-02}
}
List of CobaltStrike C2's used by RYUK
Cobalt Strike |
2020-10-29 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn
@online{bing:20201029:building:ceeb50f,
author = {Christopher Bing and Joseph Menn},
title = {{Building wave of ransomware attacks strike U.S. hospitals}},
date = {2020-10-29},
organization = {Reuters},
url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP},
language = {English},
urldate = {2020-11-02}
}
Building wave of ransomware attacks strike U.S. hospitals
Ryuk |
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4,
author = {Andrew Thompson},
title = {{Tweet on UNC1878 activity}},
date = {2020-10-29},
organization = {Twitter (@anthomsec)},
url = {https://twitter.com/anthomsec/status/1321865315513520128},
language = {English},
urldate = {2020-11-04}
}
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878 |
2020-10-29 ⋅ CNN ⋅ Vivian Salama, Alex Marquardt, Lauren Mascarenhas
@online{salama:20201029:several:88d8127,
author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas},
title = {{Several hospitals targeted in new wave of ransomware attacks}},
date = {2020-10-29},
organization = {CNN},
url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html},
language = {English},
urldate = {2020-11-02}
}
Several hospitals targeted in new wave of ransomware attacks
Ryuk |
2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs
@online{sophoslabs:20201029:similarities:408a640,
author = {SophosLabs},
title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}},
date = {2020-10-29},
organization = {Twitter (@SophosLabs)},
url = {https://twitter.com/SophosLabs/status/1321844306970251265},
language = {English},
urldate = {2020-11-02}
}
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk |
2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06,
author = {CISA and FBI and HHS},
title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}},
date = {2020-10-28},
institution = {CISA},
url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf},
language = {English},
urldate = {2020-11-02}
}
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk |
2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Katie Nickels, Van Ta, Aaron Stephens
@online{nickels:20201028:spooky:3bf0a0a,
author = {Katie Nickels and Van Ta and Aaron Stephens},
title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}},
date = {2020-10-28},
organization = {Youtube (SANS Institute)},
url = {https://www.youtube.com/watch?v=CgDtm05qApE},
language = {English},
urldate = {2020-11-04}
}
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878 |
2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor
@techreport{condor:20201028:decade:b8d7422,
author = {Ruben Andrei Condor},
title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}},
date = {2020-10-28},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-11-02}
}
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze |
2020-10-28 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Van Ta, Aaron Stephens, Katie Nickels
@online{ta:20201028:star:16965fb,
author = {Van Ta and Aaron Stephens and Katie Nickels},
title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}},
date = {2020-10-28},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc},
language = {English},
urldate = {2020-11-02}
}
STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-28 ⋅ Github (aaronst) ⋅ Aaron Stephens
@online{stephens:20201028:unc1878:5f717f6,
author = {Aaron Stephens},
title = {{UNC1878 indicators}},
date = {2020-10-28},
organization = {Github (aaronst)},
url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456},
language = {English},
urldate = {2020-11-04}
}
UNC1878 indicators
Ryuk UNC1878 |
2020-10-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20201028:fbi:26b9480,
author = {Brian Krebs},
title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}},
date = {2020-10-28},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/},
language = {English},
urldate = {2020-11-02}
}
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk |
2020-10-28 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051,
author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos},
title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}},
date = {2020-10-28},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/},
language = {English},
urldate = {2020-11-02}
}
Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader |
2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
@online{iddon:20201027:mtr:3b62ca9,
author = {Greg Iddon},
title = {{MTR Casebook: An active adversary caught in the act}},
date = {2020-10-27},
organization = {Sophos Managed Threat Response (MTR)},
url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
language = {English},
urldate = {2020-11-02}
}
MTR Casebook: An active adversary caught in the act
Cobalt Strike |
2020-10-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201027:steelcase:25f66a9,
author = {Lawrence Abrams},
title = {{Steelcase furniture giant hit by Ryuk ransomware attack}},
date = {2020-10-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-28}
}
Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk |
2020-10-26 ⋅ Checkpoint ⋅ Itay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c,
author = {Itay Cohen and Eyal Itkin},
title = {{Exploit Developer Spotlight: The Story of PlayBit}},
date = {2020-10-26},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/},
language = {English},
urldate = {2020-10-27}
}
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil |
2020-10-26 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20201026:threatconnect:0e90cc3,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}},
date = {2020-10-26},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/},
language = {English},
urldate = {2020-10-29}
}
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk |
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt |
2020-10-22 ⋅ Sentinel LABS ⋅ Marco Figueroa
@online{figueroa:20201022:inside:228798e,
author = {Marco Figueroa},
title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}},
date = {2020-10-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/},
language = {English},
urldate = {2020-10-26}
}
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk |
2020-10-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20201022:french:6d52e19,
author = {Lawrence Abrams},
title = {{French IT giant Sopra Steria hit by Ryuk ransomware}},
date = {2020-10-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/},
language = {English},
urldate = {2020-10-26}
}
French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk |
2020-10-21 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
@online{sinitsyn:20201021:life:5906110,
author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov},
title = {{Life of Maze ransomware}},
date = {2020-10-21},
organization = {Kaspersky Labs},
url = {https://securelist.com/maze-ransomware/99137/},
language = {English},
urldate = {2020-10-23}
}
Life of Maze ransomware
Maze |
2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
@online{bsi:20201020:die:0683ad4,
author = {BSI},
title = {{Die Lage der IT-Sicherheit in Deutschland 2020}},
date = {2020-10-20},
organization = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2},
language = {German},
urldate = {2020-10-21}
}
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk |
2020-10-16 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20201016:threatconnect:2010d70,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}},
date = {2020-10-16},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/},
language = {English},
urldate = {2020-10-23}
}
ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk |
2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a,
author = {The Crowdstrike Intel Team},
title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}},
date = {2020-10-16},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/},
language = {English},
urldate = {2020-10-21}
}
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot |
2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross
@online{ginty:20201014:wellmarked:9176303,
author = {Steve Ginty and Jon Gross},
title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}},
date = {2020-10-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/f0320980},
language = {English},
urldate = {2020-10-23}
}
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure
Cobalt Strike |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
@online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC |
2020-10-13 ⋅ VirusTotal ⋅ Gerardo Fernández, Vicente Diaz
@online{fernndez:20201013:tracing:14bb6fa,
author = {Gerardo Fernández and Vicente Diaz},
title = {{Tracing fresh Ryuk campaigns itw}},
date = {2020-10-13},
organization = {VirusTotal},
url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html},
language = {English},
urldate = {2020-10-23}
}
Tracing fresh Ryuk campaigns itw
Ryuk |
2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20201012:trickbot:5c1e5bf,
author = {Threat Hunter Team},
title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}},
date = {2020-10-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption},
language = {English},
urldate = {2020-10-12}
}
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk |
2020-10-12 ⋅ Microsoft ⋅ Tom Burt
@online{burt:20201012:new:045c1c3,
author = {Tom Burt},
title = {{New action to combat ransomware ahead of U.S. elections}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/},
language = {English},
urldate = {2020-10-12}
}
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot |
2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07,
author = {StrangerealIntel},
title = {{Chimera, APT19 under the radar ?}},
date = {2020-10-11},
organization = {Github (StrangerealIntel)},
url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
language = {English},
urldate = {2020-10-15}
}
Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk |
2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen
@online{tanriverdi:20201008:there:620f4e7,
author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen},
title = {{There is no safe place}},
date = {2020-10-08},
organization = {Bayerischer Rundfunk},
url = {https://web.br.de/interaktiv/ocean-lotus/en/},
language = {English},
urldate = {2020-10-12}
}
There is no safe place
Cobalt Strike |
2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20201006:double:bb0f240,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}},
date = {2020-10-06},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/},
language = {English},
urldate = {2020-10-12}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20201001:russias:3440982,
author = {Andy Greenberg},
title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}},
date = {2020-10-01},
organization = {Wired},
url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
language = {English},
urldate = {2020-10-05}
}
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter |
2020-10-01 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller
@online{hamdan:20200929:getting:c01923a,
author = {Kareem Hamdan and Lucas Miller},
title = {{Getting the Bacon from the Beacon}},
date = {2020-09-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
language = {English},
urldate = {2020-10-05}
}
Getting the Bacon from the Beacon
Cobalt Strike |
2020-09-29 ⋅ Microsoft ⋅ Microsoft
@techreport{microsoft:20200929:microsoft:6e5d7b0,
author = {Microsoft},
title = {{Microsoft Digital Defense Report}},
date = {2020-09-29},
institution = {Microsoft},
url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf},
language = {English},
urldate = {2020-10-05}
}
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
2020-09-29 ⋅ Github (Apr4h) ⋅ Apra
@online{apra:20200929:cobaltstrikescan:ab5f221,
author = {Apra},
title = {{CobaltStrikeScan}},
date = {2020-09-29},
organization = {Github (Apr4h)},
url = {https://github.com/Apr4h/CobaltStrikeScan},
language = {English},
urldate = {2020-10-05}
}
CobaltStrikeScan
Cobalt Strike |
2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
@online{team:20200925:double:fe3b093,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
language = {English},
urldate = {2020-10-02}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker |
2020-09-24 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200924:analysis:e1e4cc0,
author = {US-CERT},
title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}},
date = {2020-09-24},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
language = {English},
urldate = {2020-10-13}
}
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter |
2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d,
author = {Kaspersky Lab ICS CERT},
title = {{Threat landscape for industrial automation systems - H1 2020}},
date = {2020-09-24},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf},
language = {English},
urldate = {2020-10-04}
}
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware |
2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, JON MUNSHAW
@techreport{mavis:20200921:art:d9702a4,
author = {Nick Mavis and Joe Marshall and JON MUNSHAW},
title = {{The art and science of detecting Cobalt Strike}},
date = {2020-09-21},
institution = {Cisco Talos},
url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
language = {English},
urldate = {2020-09-23}
}
The art and science of detecting Cobalt Strike
Cobalt Strike |
2020-09-18 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20200918:us:7900e6a,
author = {Trend Micro},
title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}},
date = {2020-09-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
language = {English},
urldate = {2020-09-23}
}
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
Cobalt Strike ColdLock |
2020-09-17 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie
@online{brandt:20200917:maze:714f603,
author = {Andrew Brandt and Peter Mackenzie},
title = {{Maze attackers adopt Ragnar Locker virtual machine technique}},
date = {2020-09-17},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/},
language = {English},
urldate = {2020-09-21}
}
Maze attackers adopt Ragnar Locker virtual machine technique
Maze |
2020-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200917:maze:81b8c38,
author = {Lawrence Abrams},
title = {{Maze ransomware now encrypts via virtual machines to evade detection}},
date = {2020-09-17},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/},
language = {English},
urldate = {2020-09-21}
}
Maze ransomware now encrypts via virtual machines to evade detection
Maze |
2020-09-03 ⋅ Twitter (@Arkbird_SOLG) ⋅ Arkbird
@online{arkbird:20200903:development:cf8dd7d,
author = {Arkbird},
title = {{Tweet on development in more_eggs}},
date = {2020-09-03},
organization = {Twitter (@Arkbird_SOLG)},
url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727},
language = {English},
urldate = {2020-09-15}
}
Tweet on development in more_eggs
More_eggs |
2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm
@online{vuonglvm:20200903:apt32:02bd8fc,
author = {vuonglvm},
title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}},
date = {2020-09-03},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
language = {Vietnamese},
urldate = {2020-09-09}
}
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)
Cobalt Strike |
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman
@online{herman:20200902:inter:93b8c50,
author = {Jordan Herman},
title = {{The Inter Skimmer Kit}},
date = {2020-09-02},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/30f22a00},
language = {English},
urldate = {2020-09-04}
}
The Inter Skimmer Kit
magecart DreamBot TeslaCrypt |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200831:netwalker:29a1511,
author = {The DFIR Report},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk |
2020-08-20 ⋅ Seebug Paper ⋅ Malayke
@online{malayke:20200820:use:77d3957,
author = {Malayke},
title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}},
date = {2020-08-20},
organization = {Seebug Paper},
url = {https://paper.seebug.org/1301/},
language = {Chinese},
urldate = {2020-08-24}
}
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks
Cobalt Strike Empire Downloader PoshC2 |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2020-08-25}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike |
2020-08-18 ⋅ Arete ⋅ Arete Incident Response
@techreport{response:20200818:is:72e08da,
author = {Arete Incident Response},
title = {{Is Conti the New Ryuk?}},
date = {2020-08-18},
institution = {Arete},
url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf},
language = {English},
urldate = {2020-08-25}
}
Is Conti the New Ryuk?
Conti Ransomware Ryuk |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader |
2020-08-13 ⋅ SentinelOne ⋅ SentinelLabs
@online{sentinellabs:20200813:case:4560aed,
author = {SentinelLabs},
title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}},
date = {2020-08-13},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/},
language = {English},
urldate = {2020-08-14}
}
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
Maze |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200804:ransomware:e0320ee,
author = {Catalin Cimpanu},
title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}},
date = {2020-08-04},
organization = {ZDNet},
url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/},
language = {English},
urldate = {2020-08-18}
}
Ransomware gang publishes tens of GBs of internal data from LG and Xerox
Maze |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08 ⋅ Temple University ⋅ CARE
@online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor |
2020-07-26 ⋅ Shells.System blog ⋅ Askar
@online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs
Cobalt Strike |
2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038,
author = {Jason Reaves and Joshua Platt},
title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}},
date = {2020-07-22},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/},
language = {English},
urldate = {2020-07-23}
}
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader |
2020-07-22 ⋅ SUCURI ⋅ Denis Sinegubko
@online{sinegubko:20200722:skimmers:abd9eb9,
author = {Denis Sinegubko},
title = {{Skimmers in Images & GitHub Repos}},
date = {2020-07-22},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html},
language = {English},
urldate = {2020-07-30}
}
Skimmers in Images & GitHub Repos
magecart |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul
@online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon
Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware
KSREMOTE Cobalt Strike MgBot |
2020-07-20 ⋅ QuoIntelligence
@online{quointelligence:20200720:golden:4a88a80,
author = {QuoIntelligence},
title = {{Golden Chickens: Evolution Oof the MaaS}},
date = {2020-07-20},
url = {https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/},
language = {English},
urldate = {2020-07-23}
}
Golden Chickens: Evolution Oof the MaaS
More_eggs TerraLoader TerraStealer VenomLNK |
2020-07-15 ⋅ FireEye ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555,
author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt},
title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
date = {2020-07-15},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html},
language = {English},
urldate = {2020-07-16}
}
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware |
2020-07-11 ⋅ Trustwave ⋅ Peter Evans, Rodel Mendrez
@online{evans:20200711:injecting:3d78e32,
author = {Peter Evans and Rodel Mendrez},
title = {{Injecting Magecart into Magento Global Config}},
date = {2020-07-11},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/},
language = {English},
urldate = {2020-07-15}
}
Injecting Magecart into Magento Global Config
magecart |
2020-07-10 ⋅ Github (eset) ⋅ Matías Porolli
@online{porolli:20200710:evilnumindicators:639ec06,
author = {Matías Porolli},
title = {{Evilnum — Indicators of Compromise}},
date = {2020-07-10},
organization = {Github (eset)},
url = {https://github.com/eset/malware-ioc/tree/master/evilnum},
language = {English},
urldate = {2020-07-11}
}
Evilnum — Indicators of Compromise
EVILNUM More_eggs EVILNUM TerraStealer |
2020-07-09 ⋅ ESET Research ⋅ Matías Porolli
@online{porolli:20200709:more:24d8b63,
author = {Matías Porolli},
title = {{More evil: A deep look at Evilnum and its toolset}},
date = {2020-07-09},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/},
language = {English},
urldate = {2020-07-11}
}
More evil: A deep look at Evilnum and its toolset
EVILNUM More_eggs EVILNUM TerraPreter TerraStealer TerraTV Evilnum |
2020-07-07 ⋅ GEMINI
@techreport{gemini:20200707:full:283dfdd,
author = {GEMINI},
title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}},
date = {2020-07-07},
institution = {},
url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf},
language = {English},
urldate = {2020-07-08}
}
Full list of all the 570+ sites that the Keeper gang hacked since April 2017
magecart |
2020-07-07 ⋅ GEMINI
@online{gemini:20200707:keeper:b2f882b,
author = {GEMINI},
title = {{"Keeper" Magecart Group Infects 570 Sites}},
date = {2020-07-07},
url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/},
language = {English},
urldate = {2020-07-08}
}
"Keeper" Magecart Group Infects 570 Sites
magecart |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo
@online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6
Cobalt Strike |
2020-07-06 ⋅ Sansec ⋅ Sansec Threat Research Team
@online{team:20200706:north:1fb54b4,
author = {Sansec Threat Research Team},
title = {{North Korean hackers implicated in stealing from US and European shoppers}},
date = {2020-07-06},
organization = {Sansec},
url = {https://sansec.io/research/north-korea-magecart},
language = {English},
urldate = {2020-07-06}
}
North Korean hackers implicated in stealing from US and European shoppers
magecart |
2020-06-26 ⋅ Trend Micro ⋅ Joseph C Chen
@online{chen:20200626:us:8bce65c,
author = {Joseph C Chen},
title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}},
date = {2020-06-26},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/},
language = {English},
urldate = {2020-06-30}
}
US Local Government Services Targeted by New Magecart Credit Card Skimming Attack
magecart |
2020-06-25 ⋅ Malwarebytes ⋅ Jérôme Segura
@online{segura:20200625:web:2b712b2,
author = {Jérôme Segura},
title = {{Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files}},
date = {2020-06-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/},
language = {English},
urldate = {2020-06-29}
}
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files
magecart |
2020-06-24 ⋅ Twitter (@3xp0rtblog) ⋅ 3xp0rt
@online{3xp0rt:20200624:new:6b725c2,
author = {3xp0rt},
title = {{Tweet on new version of TaurusStealer (v1.4)}},
date = {2020-06-24},
organization = {Twitter (@3xp0rtblog)},
url = {https://twitter.com/3xp0rtblog/status/1275746149719252992},
language = {English},
urldate = {2020-06-24}
}
Tweet on new version of TaurusStealer (v1.4)
TerraStealer |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker |
2020-06-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6,
author = {Ionut Ilascu},
title = {{Ryuk ransomware deployed two weeks after Trickbot infection}},
date = {2020-06-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/},
language = {English},
urldate = {2020-06-30}
}
Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk |
2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
@online{team:20200623:sodinokibi:7eff193,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Cobalt Strike REvil |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra
@online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Cobalt Strike IndigoDrop |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil
@online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims
Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge
@online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo
Cobalt Strike |
2020-06-18 ⋅ Quick Heal ⋅ Preksha Saxena
@online{saxena:20200618:maze:76ca64b,
author = {Preksha Saxena},
title = {{Maze ransomware continues to be a threat to the consumers}},
date = {2020-06-18},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/},
language = {English},
urldate = {2020-07-02}
}
Maze ransomware continues to be a threat to the consumers
Maze |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
@techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Cognizant ⋅ Cognizant
@techreport{cognizant:20200617:notice:37fe994,
author = {Cognizant},
title = {{Notice of Data Breach}},
date = {2020-06-17},
institution = {Cognizant},
url = {https://oag.ca.gov/system/files/Letter%204.pdf},
language = {English},
urldate = {2020-06-18}
}
Notice of Data Breach
Maze |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura
@online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Cobalt Strike |
2020-06-16 ⋅ BleepingComputer ⋅ Sergiu Gatlan
@online{gatlan:20200616:chipmaker:0e801b8,
author = {Sergiu Gatlan},
title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}},
date = {2020-06-16},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-17}
}
Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze |
2020-06-15 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly report: Incident Response trends in Summer 2020}},
date = {2020-06-15},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more},
language = {English},
urldate = {2020-06-19}
}
Quarterly report: Incident Response trends in Summer 2020
Ryuk |
2020-06-15 ⋅ Sansec ⋅ Sansec Threat Research Team
@online{team:20200615:magecart:09274cd,
author = {Sansec Threat Research Team},
title = {{Magecart strikes amid Corona lockdown}},
date = {2020-06-15},
organization = {Sansec},
url = {https://sansec.io/research/magecart-corona-lockdown},
language = {English},
urldate = {2020-06-16}
}
Magecart strikes amid Corona lockdown
magecart |
2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group
@online{group:20200615:striking:8fdf4bb,
author = {Exploit Development Group},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Cobalt Strike |
2020-06-15 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200615:web:a10a55d,
author = {Catalin Cimpanu},
title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}},
date = {2020-06-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/},
language = {English},
urldate = {2020-06-16}
}
Web skimmers found on the websites of Intersport, Claire's, and Icing
magecart |
2020-06-09 ⋅ RiskIQ ⋅ Jordan Herman
@online{herman:20200609:misconfigured:75c6908,
author = {Jordan Herman},
title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}},
date = {2020-06-09},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/},
language = {English},
urldate = {2020-06-10}
}
Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code
magecart |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal
@online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser
Cobalt Strike |
2020-06-05 ⋅ SUCURI ⋅ Denis Sinegubko
@online{sinegubko:20200605:evasion:86c8265,
author = {Denis Sinegubko},
title = {{Evasion Tactics in Hybrid Credit Card Skimmers}},
date = {2020-06-05},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html},
language = {English},
urldate = {2020-06-10}
}
Evasion Tactics in Hybrid Credit Card Skimmers
magecart |
2020-06-04 ⋅ Chianxin Virus Response Center
@online{center:20200604::a1c780b,
author = {Chianxin Virus Response Center},
title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}},
date = {2020-06-04},
url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw},
language = {Chinese},
urldate = {2020-07-16}
}
脚本系贼寇之风兴起,买卖体系堪比勒索软件
EVILNUM More_eggs |
2020-06-04 ⋅ Sophos Naked Security ⋅ Lisa Vaas
@online{vaas:20200604:nuclear:9d471e1,
author = {Lisa Vaas},
title = {{Nuclear missile contractor hacked in Maze ransomware attack}},
date = {2020-06-04},
organization = {Sophos Naked Security},
url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-04}
}
Nuclear missile contractor hacked in Maze ransomware attack
Maze |
2020-05-21 ⋅ BrightTALK (FireEye) ⋅ Kimberly Goody, Jeremy Kennelly
@online{goody:20200521:navigating:a2eae5f,
author = {Kimberly Goody and Jeremy Kennelly},
title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}},
date = {2020-05-21},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat},
language = {English},
urldate = {2020-06-05}
}
Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze |
2020-05-20 ⋅ Reflectiz ⋅ Reflectiz
@online{reflectiz:20200520:gocgle:47c4bc7,
author = {Reflectiz},
title = {{The Gocgle Malicious Campaign}},
date = {2020-05-20},
organization = {Reflectiz},
url = {https://www.reflectiz.com/the-gocgle-web-skimming-campaign/},
language = {English},
urldate = {2020-05-23}
}
The Gocgle Malicious Campaign
magecart |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal
@online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
Cobalt Strike |
2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1,
author = {Adam Ziaja},
title = {{Sodinokibi / REvil ransomware}},
date = {2020-05-07},
organization = {REDTEAM.PL},
url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html},
language = {English},
urldate = {2020-05-13}
}
Sodinokibi / REvil ransomware
Maze MimiKatz REvil |
2020-05-07 ⋅ FireEye Inc ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko
@online{goody:20200507:navigating:7147cb7,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko},
title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}},
date = {2020-05-07},
organization = {FireEye Inc},
url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html},
language = {English},
urldate = {2020-05-11}
}
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze |
2020-05-05 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb,
author = {Abdallah Elshinbary},
title = {{Deep Analysis of Ryuk Ransomware}},
date = {2020-05-05},
organization = {N1ght-W0lf Blog},
url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/},
language = {English},
urldate = {2020-05-10}
}
Deep Analysis of Ryuk Ransomware
Ryuk |
2020-05-04 ⋅ Blueliv ⋅ Blueliv Team
@online{team:20200504:escape:63ebdfa,
author = {Blueliv Team},
title = {{Escape from the Maze}},
date = {2020-05-04},
organization = {Blueliv},
url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/},
language = {English},
urldate = {2020-05-11}
}
Escape from the Maze
Maze |
2020-05-01 ⋅ CrowdStrike ⋅ Shaun Hurley
@online{hurley:20200501:many:22ed72c,
author = {Shaun Hurley},
title = {{The Many Paths Through Maze}},
date = {2020-05-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/},
language = {English},
urldate = {2020-05-05}
}
The Many Paths Through Maze
Maze |
2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}},
date = {2020-04-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
language = {English},
urldate = {2020-05-05}
}
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report
@online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2020-05-15}
}
Ursnif via LOLbins
Cobalt Strike LOLSnif |
2020-04-19 ⋅ SecurityLiterate ⋅ Kyle Cucci
@online{cucci:20200419:reversing:4523233,
author = {Kyle Cucci},
title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}},
date = {2020-04-19},
organization = {SecurityLiterate},
url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/},
language = {English},
urldate = {2020-08-13}
}
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk |
2020-04-18 ⋅ Cognizant ⋅ Cognizant
@online{cognizant:20200418:cognizant:0e20ac0,
author = {Cognizant},
title = {{Cognizant Security Incident Update}},
date = {2020-04-18},
organization = {Cognizant},
url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update},
language = {English},
urldate = {2020-04-20}
}
Cognizant Security Incident Update
Maze |
2020-04-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200418:it:bb2d626,
author = {Lawrence Abrams},
title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}},
date = {2020-04-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/},
language = {English},
urldate = {2020-04-20}
}
IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key |
2020-04-14 ⋅ Intel 471 ⋅ Intel 471
@online{471:20200414:understanding:ca95961,
author = {Intel 471},
title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}},
date = {2020-04-14},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/},
language = {English},
urldate = {2020-04-26}
}
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot |
2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen
@online{villadsen:20200407:itg08:b0b782d,
author = {Ole Villadsen},
title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}},
date = {2020-04-07},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/},
language = {English},
urldate = {2020-04-13}
}
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer
@online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability
Cobalt Strike |
2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens
@online{ta:20200331:its:632dfca,
author = {Van Ta and Aaron Stephens},
title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}},
date = {2020-03-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html},
language = {English},
urldate = {2020-04-06}
}
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878 |
2020-03-26 ⋅ TechCrunch ⋅ Zack Whittaker
@online{whittaker:20200326:cyber:4b23d0a,
author = {Zack Whittaker},
title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}},
date = {2020-03-26},
organization = {TechCrunch},
url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/},
language = {English},
urldate = {2020-03-27}
}
Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight
@online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-26 ⋅ McAfee ⋅ Alexandre Mundo
@online{mundo:20200326:ransomware:05f2b18,
author = {Alexandre Mundo},
title = {{Ransomware Maze}},
date = {2020-03-26},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/},
language = {English},
urldate = {2020-03-26}
}
Ransomware Maze
Maze |
2020-03-25 ⋅ Bitdefender ⋅ Bitdefender Team
@techreport{team:20200325:technical:b3e1af1,
author = {Bitdefender Team},
title = {{A Technical Look into Maze Ransomware}},
date = {2020-03-25},
institution = {Bitdefender},
url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-04-20}
}
A Technical Look into Maze Ransomware
Maze |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller
@online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Speculoos Cobalt Strike |
2020-03-25 ⋅ Wilbur Security ⋅ JW
@online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot |
2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200324:three:fb92d03,
author = {Lawrence Abrams},
title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}},
date = {2020-03-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
language = {English},
urldate = {2020-03-26}
}
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch
@online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon
Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten
@online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)
Cobalt Strike |
2020-03-18 ⋅ RiskIQ ⋅ Yonathan Klijnsma
@online{klijnsma:20200318:magecart:2ee4a78,
author = {Yonathan Klijnsma},
title = {{Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims}},
date = {2020-03-18},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-nutribullet/},
language = {English},
urldate = {2020-03-19}
}
Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims
magecart |
2020-03-12 ⋅ Cyberbit ⋅ Dor Neemani, Omer Fishel, Hod Gavriel
@techreport{neemani:20200312:lost:80ccbd2,
author = {Dor Neemani and Omer Fishel and Hod Gavriel},
title = {{Lost in the Maze}},
date = {2020-03-12},
institution = {Cyberbit},
url = {https://www.docdroid.net/dUpPY5s/maze.pdf},
language = {English},
urldate = {2020-03-22}
}
Lost in the Maze
Maze |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}},
date = {2020-03-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/},
language = {English},
urldate = {2020-03-09}
}
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge
@online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC
Cobalt Strike |
2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7,
author = {Lawrence Abrams},
title = {{Ransomware Attackers Use Your Cloud Backups Against You}},
date = {2020-03-03},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/},
language = {English},
urldate = {2020-03-04}
}
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze |
2020-03-03 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019:A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-03-02 ⋅ c't ⋅ Christian Wölbert
@online{wlbert:20200302:was:1b9cc93,
author = {Christian Wölbert},
title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}},
date = {2020-03-02},
organization = {c't},
url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html},
language = {German},
urldate = {2020-03-02}
}
Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk |
2020-03 ⋅ Dragos ⋅ Joe Slowik
@techreport{slowik:202003:spyware:412ef8a,
author = {Joe Slowik},
title = {{Spyware Stealer Locker Wiper Locker Goga Revisited}},
date = {2020-03},
institution = {Dragos},
url = {https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf},
language = {English},
urldate = {2020-03-18}
}
Spyware Stealer Locker Wiper Locker Goga Revisited
LockerGoga |
2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
@online{decapua:20200225:feds:423f929,
author = {Joel DeCapua},
title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
date = {2020-02-25},
organization = {RSA Conference},
url = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
language = {English},
urldate = {2020-03-04}
}
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus |
2020-02-24 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20200224:closing:9d39fcf,
author = {Max Kersten},
title = {{Closing in on MageCart 12}},
date = {2020-02-24},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/},
language = {English},
urldate = {2020-02-25}
}
Closing in on MageCart 12
magecart |
2020-02-19 ⋅ Yoroi ⋅ Marco Ramilli
@online{ramilli:20200219:uncovering:4f04cd0,
author = {Marco Ramilli},
title = {{Uncovering New Magecart Implant Attacking eCommerce}},
date = {2020-02-19},
organization = {Yoroi},
url = {https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/},
language = {English},
urldate = {2020-02-20}
}
Uncovering New Magecart Implant Attacking eCommerce
magecart |
2020-02-19 ⋅ FireEye ⋅ FireEye
@online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
@online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20200217:following:07470c1,
author = {Max Kersten},
title = {{Following the tracks of MageCart 12}},
date = {2020-02-17},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/},
language = {English},
urldate = {2020-02-20}
}
Following the tracks of MageCart 12
magecart |
2020-02-13 ⋅ Quick Heal ⋅ Goutam Tripathy
@online{tripathy:20200213:deep:34e3281,
author = {Goutam Tripathy},
title = {{A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk}},
date = {2020-02-13},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/},
language = {English},
urldate = {2021-01-25}
}
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk
Ryuk |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-12 ⋅ VMWare Carbon Black ⋅ Rachel E. King, AC
@online{king:20200212:ryuk:720c14e,
author = {Rachel E. King and AC},
title = {{Ryuk Ransomware Technical Analysis}},
date = {2020-02-12},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/},
language = {English},
urldate = {2020-11-19}
}
Ryuk Ransomware Technical Analysis
Ryuk |
2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12,
author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz},
title = {{2020 State of Malware Report}},
date = {2020-02-10},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
language = {English},
urldate = {2020-02-13}
}
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
2020-02-07 ⋅ RiskIQ ⋅ Jordan Herman
@online{herman:20200207:magecart:185b67b,
author = {Jordan Herman},
title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}},
date = {2020-02-07},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/},
language = {English},
urldate = {2020-02-09}
}
Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
magecart |
2020-01-30 ⋅ ZATAZ ⋅ Damien Bancal
@online{bancal:20200130:cyber:0a267d4,
author = {Damien Bancal},
title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}},
date = {2020-01-30},
organization = {ZATAZ},
url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/},
language = {French},
urldate = {2020-02-03}
}
Cyber attaque à l’encontre des serveurs de Bouygues Construction
Maze |
2020-01-29 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200129:dod:57de65d,
author = {Catalin Cimpanu},
title = {{DOD contractor suffers ransomware infection}},
date = {2020-01-29},
organization = {ZDNet},
url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/},
language = {English},
urldate = {2020-02-03}
}
DOD contractor suffers ransomware infection
Ryuk |
2020-01-29 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20200129:tat:3d59e6e,
author = {ANSSI},
title = {{État de la menace rançongiciel}},
date = {2020-01-29},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
language = {English},
urldate = {2020-02-03}
}
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
2020-01-27 ⋅ QuoScient ⋅ QuoScient
@online{quoscient:20200127:chicken:3252d47,
author = {QuoScient},
title = {{The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors}},
date = {2020-01-27},
organization = {QuoScient},
url = {https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9},
language = {English},
urldate = {2020-01-28}
}
The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors
TerraRecon TerraStealer TerraTV VenomLNK |
2020-01-25 ⋅ Sanguine Security ⋅ Sanguine Labs
@online{labs:20200125:indonesian:1f0de05,
author = {Sanguine Labs},
title = {{Indonesian Magecart hackers arrested}},
date = {2020-01-25},
organization = {Sanguine Security},
url = {https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/},
language = {English},
urldate = {2020-01-27}
}
Indonesian Magecart hackers arrested
magecart |
2020-01-25 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental
@online{pimental:20200125:olympic:55cba30,
author = {Jacob Pimental},
title = {{Olympic Ticket Reseller Magecart Infection}},
date = {2020-01-25},
organization = {GoggleHeadedHacker Blog},
url = {https://www.goggleheadedhacker.com/blog/post/14},
language = {English},
urldate = {2020-01-27}
}
Olympic Ticket Reseller Magecart Infection
magecart |
2020-01-24 ⋅ ReversingLabs ⋅ Robert Simmons
@online{simmons:20200124:hunting:f99f1f9,
author = {Robert Simmons},
title = {{Hunting for Ransomware}},
date = {2020-01-24},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware},
language = {English},
urldate = {2020-01-29}
}
Hunting for Ransomware
Ryuk |
2020-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200124:new:05d5a6a,
author = {Lawrence Abrams},
title = {{New Ryuk Info Stealer Targets Government and Military Secrets}},
date = {2020-01-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/},
language = {English},
urldate = {2020-02-03}
}
New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk |
2020-01-22 ⋅ Deloitte ⋅ Deloitte
@online{deloitte:20200122:project:0a44796,
author = {Deloitte},
title = {{Project Lurus}},
date = {2020-01-22},
organization = {Deloitte},
url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF},
language = {English},
urldate = {2020-02-13}
}
Project Lurus
Maze |
2020-01-20 ⋅ Max Kersten's Blog ⋅ Max Kersten
@online{kersten:20200120:ticket:ad7af1c,
author = {Max Kersten},
title = {{Ticket resellers infected with a credit card skimmer}},
date = {2020-01-20},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/},
language = {English},
urldate = {2020-01-27}
}
Ticket resellers infected with a credit card skimmer
magecart |
2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38,
author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru},
title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
date = {2020-01-17},
institution = {Secureworks},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware |
2020-01-15 ⋅ PerimeterX ⋅ Guy Bary
@online{bary:20200115:analyzing:02aabc4,
author = {Guy Bary},
title = {{Analyzing Magecart Malware – From Zero to Hero}},
date = {2020-01-15},
organization = {PerimeterX},
url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/},
language = {English},
urldate = {2020-01-17}
}
Analyzing Magecart Malware – From Zero to Hero
magecart |
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}},
date = {2020-01-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/},
language = {English},
urldate = {2020-01-15}
}
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk |
2020-01-10 ⋅ CSIS ⋅ CSIS
@techreport{csis:20200110:threat:7454f36,
author = {CSIS},
title = {{Threat Matrix H1 2019}},
date = {2020-01-10},
institution = {CSIS},
url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf},
language = {English},
urldate = {2020-01-22}
}
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Blackberry ⋅ Blackberry Research
@techreport{research:2020:state:e5941af,
author = {Blackberry Research},
title = {{State of Ransomware}},
date = {2020},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
language = {English},
urldate = {2021-01-01}
}
State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:d8faa3e,
author = {SecureWorks},
title = {{GOLD ULRICK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick},
language = {English},
urldate = {2020-05-23}
}
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:95fe871,
author = {SecureWorks},
title = {{GOLD VILLAGE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-village},
language = {English},
urldate = {2020-05-23}
}
GOLD VILLAGE
Maze |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT
Cobalt Strike Defray PyXie |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191226:ryuk:acc2284,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Stops Encrypting Linux Folders}},
date = {2019-12-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/},
language = {English},
urldate = {2020-01-08}
}
Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk |
2019-12-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191224:maze:33a4e28,
author = {Lawrence Abrams},
title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}},
date = {2019-12-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/},
language = {English},
urldate = {2020-02-13}
}
Maze Ransomware Releases Files Stolen from City of Pensacola
Maze |
2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191223:fbi:7c11cf8,
author = {Lawrence Abrams},
title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}},
date = {2019-12-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/},
language = {English},
urldate = {2020-01-08}
}
FBI Issues Alert For LockerGoga and MegaCortex Ransomware
LockerGoga MegaCortex |
2019-12-23 ⋅ Norfolk
@online{norfolk:20191223:pos:5862d6d,
author = {Norfolk},
title = {{POS Malware Used at Fuel Pumps}},
date = {2019-12-23},
url = {https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/},
language = {English},
urldate = {2020-01-07}
}
POS Malware Used at Fuel Pumps
Grateful POS |
2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher
@online{hamacher:20191221:how:9d026a8,
author = {Adriana Hamacher},
title = {{How ransomware exploded in the age of Bitcoin}},
date = {2019-12-21},
organization = {Decrypt},
url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc},
language = {English},
urldate = {2020-01-13}
}
How ransomware exploded in the age of Bitcoin
Ryuk |
2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing
@online{umawing:20191219:threat:552a941,
author = {Jovi Umawing},
title = {{Threat spotlight: the curious case of Ryuk ransomware}},
date = {2019-12-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Threat spotlight: the curious case of Ryuk ransomware
Ryuk |
2019-12-18 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits
@online{zsigovits:20191218:maze:22cb5d6,
author = {Albert Zsigovits},
title = {{Maze ransomware}},
date = {2019-12-18},
organization = {Github (albertzsigovits)},
url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md},
language = {English},
urldate = {2020-04-20}
}
Maze ransomware
Maze |
2019-12-17 ⋅ Cisco ⋅ JJ Cummings, Dave Liebenberg
@online{cummings:20191217:incident:44acf5c,
author = {JJ Cummings and Dave Liebenberg},
title = {{Incident Response lessons from recent Maze ransomware attacks}},
date = {2019-12-17},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html},
language = {English},
urldate = {2020-01-09}
}
Incident Response lessons from recent Maze ransomware attacks
Maze |
2019-12-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20191216:ransomware:f4d7d8c,
author = {Brian Krebs},
title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}},
date = {2019-12-16},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/},
language = {English},
urldate = {2020-01-08}
}
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze |
2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191215:ryuk:74f6eab,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}},
date = {2019-12-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/},
language = {English},
urldate = {2020-01-13}
}
Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191211:maze:acb23da,
author = {Lawrence Abrams},
title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}},
date = {2019-12-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/},
language = {English},
urldate = {2020-01-09}
}
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze |
2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a,
author = {EmsiSoft Malware Lab},
title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}},
date = {2019-12-09},
organization = {Emsisoft},
url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/},
language = {English},
urldate = {2020-01-07}
}
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird
@techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report
Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge
@online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization
Cobalt Strike |
2019-12 ⋅ VISA ⋅ Visa Security Alert
@techreport{alert:201912:cybercrime:b12d39c,
author = {Visa Security Alert},
title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}},
date = {2019-12},
institution = {VISA},
url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf},
language = {English},
urldate = {2020-07-23}
}
Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants
Grateful POS |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen
@techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response
Cobalt Strike |
2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur
@online{prosegur:20191127:incident:bd76c3f,
author = {Prosegur},
title = {{Tweet on Incident of Information Security}},
date = {2019-11-27},
organization = {Twitter (@Prosegur)},
url = {https://twitter.com/Prosegur/status/1199732264386596864},
language = {English},
urldate = {2020-01-09}
}
Tweet on Incident of Information Security
Ryuk |
2019-11-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20191121:allied:a3d69d7,
author = {Lawrence Abrams},
title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}},
date = {2019-11-21},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/},
language = {English},
urldate = {2020-01-08}
}
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze |
2019-11-14 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20191114:ta2101:e79f6fb,
author = {Bryan Campbell and Proofpoint Threat Insight Team},
title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}},
date = {2019-11-14},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us},
language = {English},
urldate = {2019-11-27}
}
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101 |
2019-11-08 ⋅ Twitter (@certbund) ⋅ CERT-Bund
@online{certbund:20191108:spam:0630ad5,
author = {CERT-Bund},
title = {{Tweet on Spam Mails containing MAZE}},
date = {2019-11-08},
organization = {Twitter (@certbund)},
url = {https://twitter.com/certbund/status/1192756294307995655},
language = {English},
urldate = {2020-01-08}
}
Tweet on Spam Mails containing MAZE
Maze |
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954,
author = {Thomas Hungenberg},
title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}},
date = {2019-11-06},
organization = {Heise Security},
url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html},
language = {German},
urldate = {2020-01-06}
}
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre
@online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header
Cobalt Strike |
2019-11 ⋅ CCN-CERT ⋅ CCN-CERT
@online{ccncert:201911:informe:69b39b5,
author = {CCN-CERT},
title = {{Informe Código Dañino CCN-CERT ID-26/19}},
date = {2019-11},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html},
language = {Espanyol},
urldate = {2020-01-10}
}
Informe Código Dañino CCN-CERT ID-26/19
Ryuk |
2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e,
author = {Alexander Hanel and Brett Stone-Gross},
title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}},
date = {2019-11-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/},
language = {English},
urldate = {2019-12-20}
}
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER |
2019-10-18 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
@online{gatlan:20191018:maze:fb2c4b6,
author = {Sergiu Gatlan},
title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}},
date = {2019-10-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/},
language = {English},
urldate = {2019-12-17}
}
Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze |
2019-10-09 ⋅ Trend Micro ⋅ Joseph C. Chen
@online{chen:20191009:fin6:11bb05d,
author = {Joseph C. Chen},
title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}},
date = {2019-10-09},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/},
language = {English},
urldate = {2020-02-25}
}
FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops
magecart |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
@online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike |
2019-08-29 ⋅ Security Intelligence ⋅ Ole Villadsen, Kevin Henson, Melissa Frydrych, Joey Victorino
@online{villadsen:20190829:moreeggs:8ff7351,
author = {Ole Villadsen and Kevin Henson and Melissa Frydrych and Joey Victorino},
title = {{More_eggs, Anyone? Threat Actor ITG08 Strikes Again}},
date = {2019-08-29},
organization = {Security Intelligence},
url = {https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/},
language = {English},
urldate = {2020-01-13}
}
More_eggs, Anyone? Threat Actor ITG08 Strikes Again
More_eggs FIN6 |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender
@techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats
More_eggs Cobalt Strike |
2019-06-04 ⋅ Malwarebytes ⋅ Jérôme Segura
@online{segura:20190604:magecart:7c1581d,
author = {Jérôme Segura},
title = {{Magecart skimmers found on Amazon CloudFront CDN}},
date = {2019-06-04},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/},
language = {English},
urldate = {2019-12-20}
}
Magecart skimmers found on Amazon CloudFront CDN
magecart |
2019-05-19 ⋅ nrk ⋅ Henrik Lied, Peter Svaar, Dennis Ravndal, Anders Brekke, Kristine Hirsti
@online{lied:20190519:skreddersydd:e16c8d8,
author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti},
title = {{Skreddersydd dobbeltangrep mot Hydro}},
date = {2019-05-19},
organization = {nrk},
url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202},
language = {Norwegian},
urldate = {2019-11-21}
}
Skreddersydd dobbeltangrep mot Hydro
LockerGoga |
2019-05-13 ⋅ Amigo A
@online{a:20190513:chacha:840508a,
author = {Amigo A},
title = {{ChaCha Ransomware}},
date = {2019-05-13},
url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html},
language = {Russian},
urldate = {2019-12-02}
}
ChaCha Ransomware
Maze |
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190509:severe:2767782,
author = {GovCERT.ch},
title = {{Severe Ransomware Attacks Against Swiss SMEs}},
date = {2019-05-09},
organization = {GovCERT.ch},
url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes},
language = {English},
urldate = {2019-07-11}
}
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
2019-05-04 ⋅ Abuse.io ⋅ Abuse.io
@online{abuseio:20190504:abuseio:d5062ca,
author = {Abuse.io},
title = {{Abuse.io Report - Lockergoga}},
date = {2019-05-04},
organization = {Abuse.io},
url = {https://www.abuse.io/lockergoga.txt},
language = {English},
urldate = {2020-01-07}
}
Abuse.io Report - Lockergoga
LockerGoga |
2019-05-03 ⋅ Trend Micro ⋅ Joseph C Chen
@online{chen:20190503:mirrorthief:05f07e5,
author = {Joseph C Chen},
title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}},
date = {2019-05-03},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/},
language = {English},
urldate = {2019-11-27}
}
Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada
magecart |
2019-05-01 ⋅ Red Canary ⋅ Tony Lambert
@online{lambert:20190501:frameworkpos:376a823,
author = {Tony Lambert},
title = {{FrameworkPOS and the adequate persistent threat}},
date = {2019-05-01},
organization = {Red Canary},
url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/},
language = {English},
urldate = {2020-01-29}
}
FrameworkPOS and the adequate persistent threat
Grateful POS |
2019-04-26 ⋅ Malwarebytes ⋅ Jérôme Segura
@online{segura:20190426:github:ff4b558,
author = {Jérôme Segura},
title = {{GitHub hosted Magecart skimmer used against hundreds of e-commerce sites}},
date = {2019-04-26},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/},
language = {English},
urldate = {2019-12-20}
}
GitHub hosted Magecart skimmer used against hundreds of e-commerce sites
magecart |
2019-04-24 ⋅ Weixin ⋅ Tencent
@online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed
Cobalt Strike SOUNDBITE |
2019-04-16 ⋅ Youtube (Norsk Hydro) ⋅ Norsk Hydro
@online{hydro:20190416:cyber:ada48a4,
author = {Norsk Hydro},
title = {{The cyber attack rescue operation in Hydro Toulouse}},
date = {2019-04-16},
organization = {Youtube (Norsk Hydro)},
url = {https://www.youtube.com/watch?v=o6eEN0mUakM},
language = {English},
urldate = {2020-01-13}
}
The cyber attack rescue operation in Hydro Toulouse
LockerGoga |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines
@online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers
Cobalt Strike |
2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59,
author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock},
title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}},
date = {2019-04-05},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html},
language = {English},
urldate = {2019-12-20}
}
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6 |
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37,
author = {Noa Pinkas and Lior Rochberger and Matan Zatz},
title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}},
date = {2019-04-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware},
language = {English},
urldate = {2020-01-09}
}
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot |
2019-04-02 ⋅ HelpNetSecurity ⋅ Zeljka Zorz
@online{zorz:20190402:lockergoga:7fe224d,
author = {Zeljka Zorz},
title = {{A LockerGoga primer and decrypters for Mira and Aurora ransomwares}},
date = {2019-04-02},
organization = {HelpNetSecurity},
url = {https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/},
language = {English},
urldate = {2019-12-16}
}
A LockerGoga primer and decrypters for Mira and Aurora ransomwares
LockerGoga |
2019-03-26 ⋅ ANSSI ⋅ ANSSI
@techreport{anssi:20190326:informations:7965c3d,
author = {ANSSI},
title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}},
date = {2019-03-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf},
language = {French},
urldate = {2020-01-10}
}
INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow
@online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor
Cobalt Strike KerrDown |
2019-03-21 ⋅ DoublePulsar ⋅ Kevin Beaumont
@online{beaumont:20190321:how:ecfbbf1,
author = {Kevin Beaumont},
title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}},
date = {2019-03-21},
organization = {DoublePulsar},
url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880},
language = {English},
urldate = {2019-11-29}
}
How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
LockerGoga |
2019-02-28 ⋅ RiskIQ ⋅ Yonathan Klijnsma
@online{klijnsma:20190228:magecart:e2b0173,
author = {Yonathan Klijnsma},
title = {{Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime}},
date = {2019-02-28},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/},
language = {English},
urldate = {2020-01-06}
}
Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime
magecart |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman
@online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Sytem}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Sytem
Cobalt Strike |
2019-02-26 ⋅ Fox-IT ⋅ Fox IT
@online{it:20190226:identifying:689104d,
author = {Fox IT},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}
Identifying Cobalt Strike team servers in the wild
Cobalt Strike |
2019-02-21 ⋅ Proofpoint ⋅ Proofpoint Threat Insight Team
@online{team:20190221:fake:e94f77a,
author = {Proofpoint Threat Insight Team},
title = {{Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers}},
date = {2019-02-21},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers},
language = {English},
urldate = {2019-12-20}
}
Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers
More_eggs |
2019-02-06 ⋅ CrowdStrike ⋅ Peyton Smith, Tim Parisi
@online{smith:20190206:threat:4f138dc,
author = {Peyton Smith and Tim Parisi},
title = {{Threat Actor "Magecart": Coming to an eCommerce Store Near You}},
date = {2019-02-06},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/},
language = {English},
urldate = {2019-12-20}
}
Threat Actor "Magecart": Coming to an eCommerce Store Near You
magecart |
2019-01-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu
@online{ilascu:20190130:new:5c2d8da,
author = {Ionut Ilascu},
title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}},
date = {2019-01-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/},
language = {English},
urldate = {2019-12-20}
}
New LockerGoga Ransomware Allegedly Used in Altran Attack
LockerGoga |
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4,
author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer},
title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}},
date = {2019-01-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html},
language = {English},
urldate = {2019-12-20}
}
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER |
2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel
@online{hanel:20190110:big:7e10bdf,
author = {Alexander Hanel},
title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}},
date = {2019-01-10},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/},
language = {English},
urldate = {2019-12-20}
}
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER |
2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477,
author = {John Fokker and Christiaan Beek},
title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}},
date = {2019-01-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/},
language = {English},
urldate = {2020-01-09}
}
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk |
2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861,
author = {Gabriela Nicolao and Luciano Martins},
title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf},
language = {English},
urldate = {2020-01-05}
}
Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:fin6:791eaef,
author = {MITRE ATT&CK},
title = {{Group description: FIN6}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0037/},
language = {English},
urldate = {2019-12-20}
}
Group description: FIN6
FIN6 |
2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d,
author = {Tony Barboza and Meg James and Emily Alpert Reyes},
title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}},
date = {2018-12-29},
organization = {Los Angeles Times},
url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html},
language = {English},
urldate = {2020-01-10}
}
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr
@online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe
@online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold?
Cobalt Strike APT 29 |
2018-10-17 ⋅ MITRE ATT&CK ⋅ MITRE
@online{mitre:20181017:software:84822e8,
author = {MITRE},
title = {{Software Description: More_eggs}},
date = {2018-10-17},
organization = {MITRE ATT&CK},
url = {https://attack.mitre.org/software/S0284/},
language = {English},
urldate = {2020-01-10}
}
Software Description: More_eggs
More_eggs |
2018-10-08 ⋅ Morphisec ⋅ Michael Gorelik
@online{gorelik:20181008:cobalt:dece0e0,
author = {Michael Gorelik},
title = {{Cobalt Group 2.0}},
date = {2018-10-08},
organization = {Morphisec},
url = {https://blog.morphisec.com/cobalt-gang-2.0},
language = {English},
urldate = {2020-01-05}
}
Cobalt Group 2.0
More_eggs |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-06-25}
}
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
2018-10 ⋅ Group-IB ⋅ Group-IB
@techreport{groupib:201810:hitech:420711f,
author = {Group-IB},
title = {{Hi-Tech Crime Trends 2018}},
date = {2018-10},
institution = {Group-IB},
url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf},
language = {English},
urldate = {2021-02-09}
}
Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter |
2018-09-27 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20180927:cybercriminals:a7f1c24,
author = {Counter Threat Unit ResearchTeam},
title = {{Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish}},
date = {2018-09-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish},
language = {English},
urldate = {2020-01-08}
}
Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish
More_eggs Cobalt |
2018-09-18 ⋅ Trend Micro ⋅ Joseph C Chen
@online{chen:20180918:magecart:af83872,
author = {Joseph C Chen},
title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}},
date = {2018-09-18},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/},
language = {English},
urldate = {2020-01-08}
}
Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
magecart |
2018-08-30 ⋅ NetScout ⋅ ASERT Team
@online{team:20180830:double:e5d9e22,
author = {ASERT Team},
title = {{Double the Infection, Double the Fun}},
date = {2018-08-30},
organization = {NetScout},
url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/},
language = {English},
urldate = {2020-01-08}
}
Double the Infection, Double the Fun
More_eggs CobInt |
2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495,
author = {Itay Cohen and Ben Herzog},
title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}},
date = {2018-08-20},
organization = {Check Point},
url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/},
language = {English},
urldate = {2019-12-10}
}
Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
author = {Takuya Endo and Yukako Uchida},
title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
date = {2018-08-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
language = {English},
urldate = {2019-07-11}
}
Volatility Plugin for Detecting Cobalt Strike Beacon
Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@online{jpcertcc:20180731:scanner:d1757d9,
author = {JPCERT/CC},
title = {{Scanner for CobaltStrike}},
date = {2018-07-31},
organization = {Github (JPCERTCC)},
url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
language = {English},
urldate = {2020-01-13}
}
Scanner for CobaltStrike
Cobalt Strike |
2018-07-31 ⋅ Cisco Talos ⋅ Vanja Svajcer
@online{svajcer:20180731:multiple:15a3457,
author = {Vanja Svajcer},
title = {{Multiple Cobalt Personality Disorder}},
date = {2018-07-31},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html},
language = {English},
urldate = {2019-12-15}
}
Multiple Cobalt Personality Disorder
More_eggs |
2018-07-09 ⋅ RiskIQ ⋅ Yonathan Klijnsma, Jordan Herman
@online{klijnsma:20180709:inside:e92fff2,
author = {Yonathan Klijnsma and Jordan Herman},
title = {{Inside and Beyond Ticketmaster: The Many Breaches of Magecart}},
date = {2018-07-09},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/},
language = {English},
urldate = {2020-01-12}
}
Inside and Beyond Ticketmaster: The Many Breaches of Magecart
magecart |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
author = {Yoshihiro Ishikawa},
title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
date = {2018-05-21},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
language = {Japanese},
urldate = {2019-10-27}
}
Confirmed new attacks by APT attacker group menuPass (APT10)
Cobalt Strike |
2018-03-02 ⋅ Reaqta ⋅ Reaqta
@online{reaqta:20180302:spearphishing:3d933a4,
author = {Reaqta},
title = {{Spear-phishing campaign leveraging on MSXSL}},
date = {2018-03-02},
organization = {Reaqta},
url = {https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/},
language = {English},
urldate = {2020-01-08}
}
Spear-phishing campaign leveraging on MSXSL
More_eggs |
2017-12-13 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20171213:update:50a1f16,
author = {Vitali Kremez},
title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}},
date = {2017-12-13},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html},
language = {English},
urldate = {2020-01-08}
}
Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth
Grateful POS |
2017-12-08 ⋅ RSA ⋅ Kent Beckman
@online{beckman:20171208:gratefulpos:0ba1053,
author = {Kent Beckman},
title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}},
date = {2017-12-08},
organization = {RSA},
url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season},
language = {English},
urldate = {2020-01-08}
}
GratefulPOS credit card stealing malware - just in time for the shopping season
Grateful POS |
2017-11-20 ⋅ Trend Micro ⋅ Ronnie Giagone, Lenart Bermejo, Fyodor Yarochkin
@online{giagone:20171120:cobalt:fb5c2ed,
author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin},
title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}},
date = {2017-11-20},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/},
language = {English},
urldate = {2019-10-29}
}
Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks
More_eggs Cobalt |
2017-08-07 ⋅ Trend Micro ⋅ Lenart Bermejo, Ronnie Giagone, Rubio Wu, Fyodor Yarochkin
@online{bermejo:20170807:backdoorcarrying:317ebe3,
author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin},
title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}},
date = {2017-08-07},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/},
language = {English},
urldate = {2020-01-09}
}
Backdoor-carrying Emails Set Sights on Russian-speaking Businesses
More_eggs |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
author = {Ian Ahl},
title = {{Privileges and Credentials: Phished at the Request of Counsel}},
date = {2017-06-06},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
language = {English},
urldate = {2019-12-20}
}
Privileges and Credentials: Phished at the Request of Counsel
Cobalt Strike |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak |
2016-04 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:201604:follow:5df2e81,
author = {FireEye},
title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}},
date = {2016-04},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf},
language = {English},
urldate = {2020-04-23}
}
Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6
Grateful POS FIN6 |
2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@online{strike:2012:cobalt:8522cdd,
author = {Cobalt Strike},
title = {{Cobalt Strike Website}},
date = {2012},
organization = {Cobalt Strike},
url = {https://www.cobaltstrike.com/support},
language = {English},
urldate = {2020-01-13}
}
Cobalt Strike Website
Cobalt Strike |