FIN is a group targeting financial assets, including systems that can perform financial transactions, such as PoS.
2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta @online{abdo:20210225:so:88f3400,
author = {Bryce Abdo and Brendan McKeague and Van Ta},
title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
date = {2021-02-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
language = {English},
urldate = {2021-02-25}
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations Cobalt Strike IcedID Maze SystemBC |
2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty International @online{international:20210224:overview:95b80e0,
author = {Amnesty International},
title = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
date = {2021-02-24},
organization = {Github (AmnestyTech)},
url = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
language = {English},
urldate = {2021-02-25}
}
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown |
2021-02-24 ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama @techreport{haruyama:20210224:knock:f4903a2,
author = {Takahiro Haruyama},
title = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
date = {2021-02-24},
institution = {VMWare Carbon Black},
url = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
language = {Japanese},
urldate = {2021-02-26}
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader |
2021-02-22 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal @online{vinopal:20210222:ryuk:e9c5fb4,
author = {Jiří Vinopal},
title = {{Ryuk Ransomware API Resolving in 10 minutes}},
date = {2021-02-22},
organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)},
url = {https://www.youtube.com/watch?v=7xxRunBP5XA},
language = {English},
urldate = {2021-02-25}
}
Ryuk Ransomware API Resolving in 10 minutes Ryuk |
2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210211:hancitor:9fa527e,
author = {The DFIR Report},
title = {{Tweet on Hancitor Activity followed by CobaltStrike beacon}},
date = {2021-02-11},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
language = {English},
urldate = {2021-02-18}
}
Tweet on Hancitor Activity followed by CobaltStrike beacon Cobalt Strike Hancitor |
2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE @techreport{league:20210211:ctil:69c2ab8,
author = {CTI LEAGUE},
title = {{CTIL Darknet Report – 2021}},
date = {2021-02-11},
institution = {CTI LEAGUE},
url = {https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf},
language = {English},
urldate = {2021-02-20}
}
CTIL Darknet Report – 2021 Conti Ransomware Mailto Maze REvil Ryuk |
2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20210209:learn:c08b657,
author = {Raphael Mudge},
title = {{Learn Pipe Fitting for all of your Offense Projects}},
date = {2021-02-09},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
language = {English},
urldate = {2021-02-10}
}
Learn Pipe Fitting for all of your Offense Projects Cobalt Strike |
2021-02-09 ⋅ Securehat ⋅ Securehat @online{securehat:20210209:extracting:0f4ae2f,
author = {Securehat},
title = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
date = {2021-02-09},
organization = {Securehat},
url = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
language = {English},
urldate = {2021-02-10}
}
Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP |
2021-02-04 ⋅ Chainalysis ⋅ Chainalysis Team @online{team:20210204:blockchain:4e63b2f,
author = {Chainalysis Team},
title = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
date = {2021-02-04},
organization = {Chainalysis},
url = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
language = {English},
urldate = {2021-02-06}
}
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains DoppelPaymer Egregor Maze SunCrypt |
2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:20210204:conti:27cb3a2,
author = {ClearSky Research Team},
title = {{CONTI Modus Operandi and Bitcoin Tracking}},
date = {2021-02-04},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf},
language = {English},
urldate = {2021-02-06}
}
CONTI Modus Operandi and Bitcoin Tracking Conti Ransomware Ryuk |
2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20210203:excel:8e949c9,
author = {Brad Duncan},
title = {{Excel spreadsheets push SystemBC malware}},
date = {2021-02-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
language = {English},
urldate = {2021-02-04}
}
Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC |
2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp @online{earp:20210202:how:923f969,
author = {Madeline Earp},
title = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
date = {2021-02-02},
organization = {Committee to Protect Journalists},
url = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
language = {English},
urldate = {2021-02-04}
}
How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike |
2021-02-02 ⋅ CRONUP ⋅ CRONUP @online{cronup:20210202:de:6ff4f3a,
author = {CRONUP},
title = {{De ataque con Malware a incidente de Ransomware}},
date = {2021-02-02},
organization = {CRONUP},
url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
language = {Spanish},
urldate = {2021-02-17}
}
De ataque con Malware a incidente de Ransomware Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0,
author = {The DFIR Report},
title = {{Tweet on recent dridex post infection activity}},
date = {2021-02-02},
organization = {Twitter (@TheDFIRReport)},
url = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
language = {English},
urldate = {2021-02-04}
}
Tweet on recent dridex post infection activity Cobalt Strike Dridex |
2021-02-01 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence @online{intelligence:20210201:active:0a4f59f,
author = {Advanced Intelligence},
title = {{Tweet on Active Directory Exploitation by RYUK "one" group}},
date = {2021-02-01},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1356114606780002308},
language = {English},
urldate = {2021-02-04}
}
Tweet on Active Directory Exploitation by RYUK "one" group Ryuk |
2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210201:bluecrab:df21c0a,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment}},
date = {2021-02-01},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19860/},
language = {English},
urldate = {2021-02-06}
}
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis @online{koutroumpis:20210201:relay:596413f,
author = {Petros Koutroumpis},
title = {{Relay Attacks via Cobalt Strike Beacons}},
date = {2021-02-01},
organization = {pkb1s.github.io},
url = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
language = {English},
urldate = {2021-02-04}
}
Relay Attacks via Cobalt Strike Beacons Cobalt Strike |
2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859,
author = {The DFIR Report},
title = {{Bazar, No Ryuk?}},
date = {2021-01-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
language = {English},
urldate = {2021-02-02}
}
Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk |
2021-01-28 ⋅ TrustedSec ⋅ Adam Chester @online{chester:20210128:tailoring:d3f973c,
author = {Adam Chester},
title = {{Tailoring Cobalt Strike on Target}},
date = {2021-01-28},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
language = {English},
urldate = {2021-01-29}
}
Tailoring Cobalt Strike on Target Cobalt Strike |
2021-01-28 ⋅ Huntress Labs ⋅ John Hammond @techreport{hammond:20210128:analyzing:2f8dae2,
author = {John Hammond},
title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}},
date = {2021-01-28},
institution = {Huntress Labs},
url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf},
language = {English},
urldate = {2021-01-29}
}
Analyzing Ryuk Another Link in the Cyber Attack Chain BazarBackdoor Ryuk |
2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210128:bluecrab:44d2e64,
author = {ASEC Analysis Team},
title = {{BlueCrab ransomware constantly trying to bypass detection}},
date = {2021-01-28},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/19640/},
language = {Korean},
urldate = {2021-02-04}
}
BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487,
author = {Swisscom CSIRT},
title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware}},
date = {2021-01-26},
organization = {Twitter (@swisscom_csirt)},
url = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
language = {English},
urldate = {2021-01-27}
}
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware Cobalt Strike Cring Ransomware MimiKatz |
2021-01-25 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence @online{intelligence:20210125:ryuk:25a96a7,
author = {Advanced Intelligence},
title = {{Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool}},
date = {2021-01-25},
organization = {Twitter (@IntelAdvanced)},
url = {https://twitter.com/IntelAdvanced/status/1353546534676258816},
language = {English},
urldate = {2021-01-25}
}
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool Ryuk |
2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC) @online{team:20210120:deep:1cc0551,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)},
title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}},
date = {2021-01-20},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
language = {English},
urldate = {2021-01-21}
}
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP |
2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210118:raindrop:9ab1262,
author = {Threat Hunter Team},
title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}},
date = {2021-01-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
language = {English},
urldate = {2021-01-21}
}
Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP |
2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210117:conti:db7f1cb,
author = {Peter Mackenzie},
title = {{Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders}},
date = {2021-01-17},
organization = {Twitter (@AltShiftPrtScn)},
url = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
language = {English},
urldate = {2021-01-21}
}
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti Ransomware |
2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier @online{lussier:20210115:detecting:fecd6c3,
author = {Dan Lussier},
title = {{Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike}},
date = {2021-01-15},
organization = {Medium Dansec},
url = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
language = {English},
urldate = {2021-01-21}
}
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike |
2021-01-14 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20210114:medialand:3f603bd,
author = {Jordan Herman},
title = {{MediaLand: Magecart and Bulletproof Hosting}},
date = {2021-01-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/5bea32aa},
language = {English},
urldate = {2021-01-21}
}
MediaLand: Magecart and Bulletproof Hosting magecart |
2021-01-14 ⋅ RiskIQ ⋅ Team RiskIQ @online{riskiq:20210114:new:29f2c96,
author = {Team RiskIQ},
title = {{New Analysis Puts Magecart Interconnectivity into Focus}},
date = {2021-01-14},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-medialand/},
language = {English},
urldate = {2021-01-18}
}
New Analysis Puts Magecart Interconnectivity into Focus grelos magecart Raccoon |
2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
author = {PT ESC Threat Intelligence},
title = {{Higaisa or Winnti? APT41 backdoors, old and new}},
date = {2021-01-14},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
language = {English},
urldate = {2021-02-09}
}
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist @online{read:20210112:unc2452:6e54c6c,
author = {Ben Read and John Hultquist},
title = {{UNC2452: What We Know So Far}},
date = {2021-01-12},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/462719},
language = {English},
urldate = {2021-01-18}
}
UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP |
2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen @online{jansen:20210112:abusing:c38eeb6,
author = {Wouter Jansen},
title = {{Abusing cloud services to fly under the radar}},
date = {2021-01-12},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
language = {English},
urldate = {2021-01-18}
}
Abusing cloud services to fly under the radar Cobalt Strike |
2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9,
author = {The DFIR Report},
title = {{Trickbot Still Alive and Well}},
date = {2021-01-11},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
language = {English},
urldate = {2021-01-11}
}
Trickbot Still Alive and Well Cobalt Strike TrickBot |
2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna @online{ramakrishna:20210111:new:296b621,
author = {Sudhakar Ramakrishna},
title = {{New Findings From Our Investigation of SUNBURST}},
date = {2021-01-11},
organization = {SolarWinds},
url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
language = {English},
urldate = {2021-01-18}
}
New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP |
2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210110:man1:54a4162,
author = {Jason Reaves},
title = {{MAN1, Moskal, Hancitor and a side of Ransomware}},
date = {2021-01-10},
organization = {Medium walmartglobaltech},
url = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
language = {English},
urldate = {2021-01-11}
}
MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware |
2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr @online{mcgarr:20210109:malware:dde1353,
author = {Connor McGarr},
title = {{Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking}},
date = {2021-01-09},
organization = {Connor McGarr's Blog},
url = {https://connormcgarr.github.io/thread-hijacking/},
language = {English},
urldate = {2021-01-11}
}
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike |
2021-01-07 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210107:aversary:9771829,
author = {Insikt Group®},
title = {{Adversary Infrastructure Report 2020: A Defender's View}},
date = {2021-01-07},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
language = {English},
urldate = {2021-01-11}
}
Adversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-07 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Brian Carter, HYAS @online{kremez:20210107:crime:4c6f5c3,
author = {Vitali Kremez and Brian Carter and HYAS},
title = {{Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders}},
date = {2021-01-07},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders},
language = {English},
urldate = {2021-01-11}
}
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders Ryuk |
2021-01-06 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20210106:hunting:272410b,
author = {Tony Lambert},
title = {{Hunting for GetSystem in offensive security tools}},
date = {2021-01-06},
organization = {Red Canary},
url = {https://redcanary.com/blog/getsystem-offsec/},
language = {English},
urldate = {2021-01-11}
}
Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2 |
2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:earth:d7bb547,
author = {Trend Micro Research},
title = {{Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration}},
date = {2021-01-05},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
language = {English},
urldate = {2021-01-10}
}
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike |
2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag @online{haag:20210104:malleable:ab64356,
author = {Michael Haag},
title = {{Malleable C2 Profiles and You}},
date = {2021-01-04},
organization = {Medium haggis-m},
url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
language = {English},
urldate = {2021-01-05}
}
Malleable C2 Profiles and You Cobalt Strike |
2020-12-28 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch @online{barabosch:20201228:never:f7e93aa,
author = {Thomas Barabosch},
title = {{Never upload ransomware samples to the Internet}},
date = {2020-12-28},
organization = {0xC0DECAFE},
url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/},
language = {English},
urldate = {2021-01-01}
}
Never upload ransomware samples to the Internet Ryuk |
2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck @online{grimminck:20201226:spoofing:a0a5622,
author = {Stefan Grimminck},
title = {{Spoofing JARM signatures. I am the Cobalt Strike server now!}},
date = {2020-12-26},
organization = {Medium grimminck},
url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
language = {English},
urldate = {2021-01-01}
}
Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo @online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP |
2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz @online{hlavek:20201221:russian:804662f,
author = {Adam Hlavek and Kimberly Ortiz},
title = {{Russian cyber attack campaigns and actors}},
date = {2020-12-21},
organization = {IronNet},
url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors},
language = {English},
urldate = {2021-01-05}
}
Russian cyber attack campaigns and actors WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier @online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit Cobalt Strike |
2020-12-16 ⋅ RiskIQ ⋅ Mia Ihm, Cory Kennedy, Jordan Herman @online{ihm:20201216:skimming:608e648,
author = {Mia Ihm and Cory Kennedy and Jordan Herman},
title = {{Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists}},
date = {2020-12-16},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/14924d61},
language = {English},
urldate = {2020-12-17}
}
Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists magecart |
2020-12-16 ⋅ Accenture ⋅ Paul Mansfield @online{mansfield:20201216:tracking:25540bd,
author = {Paul Mansfield},
title = {{Tracking and combatting an evolving danger: Ransomware extortion}},
date = {2020-12-16},
organization = {Accenture},
url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
language = {English},
urldate = {2020-12-17}
}
Tracking and combatting an evolving danger: Ransomware extortion DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team @online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt Cobalt Strike SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST |
2020-12-14 ⋅ Medium Killbit ⋅ killbit @online{killbit:20201214:applying:75d0dde,
author = {killbit},
title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}},
date = {2020-12-14},
organization = {Medium Killbit},
url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f},
language = {English},
urldate = {2020-12-17}
}
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware Maze |
2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team @online{team:20201211:mountlocker:9c495cb,
author = {BlackBerry Research and Intelligence team},
title = {{MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates}},
date = {2020-12-11},
organization = {Blackberry},
url = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
language = {English},
urldate = {2020-12-14}
}
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker |
2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt @online{kandefelt:20201210:cybereason:0267d5e,
author = {Joakim Kandefelt},
title = {{Cybereason vs. Ryuk Ransomware}},
date = {2020-12-10},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware},
language = {English},
urldate = {2020-12-14}
}
Cybereason vs. Ryuk Ransomware BazarBackdoor Ryuk TrickBot |
2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42 @online{unit42:20201210:threat:6ac31af,
author = {Unit42},
title = {{Threat Brief: FireEye Red Team Tool Breach}},
date = {2020-12-10},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: FireEye Red Team Tool Breach Cobalt Strike |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ CyberInt ⋅ CyberInt @online{cyberint:20201210:ryuk:e74b8f6,
author = {CyberInt},
title = {{Ryuk Crypto-Ransomware}},
date = {2020-12-10},
organization = {CyberInt},
url = {https://blog.cyberint.com/ryuk-crypto-ransomware},
language = {English},
urldate = {2020-12-14}
}
Ryuk Crypto-Ransomware Ryuk TrickBot |
2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201209:its:c312acc,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}},
date = {2020-12-09},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
language = {English},
urldate = {2020-12-15}
}
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20201209:quarterly:9ed3062,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends from Fall 2020}},
date = {2020-12-09},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
language = {English},
urldate = {2020-12-10}
}
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20201209:recent:0992506,
author = {Brad Duncan},
title = {{Recent Qakbot (Qbot) activity}},
date = {2020-12-09},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/rss/26862},
language = {English},
urldate = {2020-12-10}
}
Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201208:red:8ccdfcf,
author = {Raphael Mudge},
title = {{A Red Teamer Plays with JARM}},
date = {2020-12-08},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
language = {English},
urldate = {2021-01-11}
}
A Red Teamer Plays with JARM Cobalt Strike |
2020-12-08 ⋅ Sophos ⋅ Sean Gallagher, Anand Aijan, Gabor Szappanos, Syed Shahram, Bill Kearney, Mark Loman, Peter Mackenzie, Sergio Bestulic @online{gallagher:20201208:egregor:fe48cfd,
author = {Sean Gallagher and Anand Aijan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic},
title = {{Egregor ransomware: Maze’s heir apparent}},
date = {2020-12-08},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/},
language = {English},
urldate = {2020-12-08}
}
Egregor ransomware: Maze’s heir apparent Egregor Maze |
2020-12-07 ⋅ Minerva Labs ⋅ Tom Roter @online{roter:20201207:egregor:2d3dced,
author = {Tom Roter},
title = {{Egregor Ransomware - An In-Depth Analysis}},
date = {2020-12-07},
organization = {Minerva Labs},
url = {https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis},
language = {English},
urldate = {2020-12-09}
}
Egregor Ransomware - An In-Depth Analysis Egregor Maze Sekhmet Ransomware |
2020-12-02 ⋅ Sansec ⋅ Sansec Threat Research Team @online{team:20201202:persistent:4f26f93,
author = {Sansec Threat Research Team},
title = {{Persistent parasite in EOL Magento 2 stores wakes at Black Friday}},
date = {2020-12-02},
organization = {Sansec},
url = {https://sansec.io/research/magento-2-persistent-parasite},
language = {English},
urldate = {2020-12-14}
}
Persistent parasite in EOL Magento 2 stores wakes at Black Friday magecart |
2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary) @online{redcanary:20201202:increased:5db5dce,
author = {twitter (@redcanary)},
title = {{Tweet on increased \#Qbot activity delivering Cobalt Strike \& \#Egregor ransomware}},
date = {2020-12-02},
organization = {Red Canary},
url = {https://twitter.com/redcanary/status/1334224861628039169},
language = {English},
urldate = {2020-12-08}
}
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores @online{flores:20201201:impact:415bf2e,
author = {Ryan Flores},
title = {{The Impact of Modern Ransomware on Manufacturing Networks}},
date = {2020-12-01},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html},
language = {English},
urldate = {2020-12-08}
}
The Impact of Modern Ransomware on Manufacturing Networks Maze Petya REvil |
2020-12-01 ⋅ 360.cn ⋅ jindanlong @online{jindanlong:20201201:hunting:b9e2674,
author = {jindanlong},
title = {{Hunting Beacons}},
date = {2020-12-01},
organization = {360.cn},
url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
language = {English},
urldate = {2021-01-10}
}
Hunting Beacons Cobalt Strike |
2020-12-01 ⋅ mez0.cc ⋅ mez0 @online{mez0:20201201:cobalt:38336ed,
author = {mez0},
title = {{Cobalt Strike PowerShell Execution}},
date = {2020-12-01},
organization = {mez0.cc},
url = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
language = {English},
urldate = {2020-12-14}
}
Cobalt Strike PowerShell Execution Cobalt Strike |
2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20201130:threat:2633df5,
author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them}},
date = {2020-11-30},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
language = {English},
urldate = {2020-12-01}
}
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike |
2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall @techreport{clarke:20201130:its:1b6b681,
author = {Mitchell Clarke and Tom Hall},
title = {{It's not FINished The Evolving Maturity in Ransomware Operations}},
date = {2020-11-30},
institution = {FireEye},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
language = {English},
urldate = {2020-12-14}
}
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
2020-11-27 ⋅ Reflectiz ⋅ Reflectiz @online{reflectiz:20201127:ico:a1bad28,
author = {Reflectiz},
title = {{The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned}},
date = {2020-11-27},
organization = {Reflectiz},
url = {https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/},
language = {English},
urldate = {2021-01-29}
}
The ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned magecart |
2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus @online{rochberger:20201126:cybereason:8301aeb,
author = {Lior Rochberger and Cybereason Nocturnus},
title = {{Cybereason vs. Egregor Ransomware}},
date = {2020-11-26},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
language = {English},
urldate = {2020-12-08}
}
Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
2020-11-25 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20201125:egregor:5727f7a,
author = {Jim Walter},
title = {{Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone}},
date = {2020-11-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
language = {English},
urldate = {2020-12-08}
}
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor |
2020-11-25 ⋅ Reflectiz ⋅ Idan Cohen @online{cohen:20201125:csp:1b9a48e,
author = {Idan Cohen},
title = {{CSP, the Right Solution for the Web-Skimming Pandemic?}},
date = {2020-11-25},
organization = {Reflectiz},
url = {https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218},
language = {English},
urldate = {2021-01-29}
}
CSP, the Right Solution for the Web-Skimming Pandemic? magecart |
2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20201120:malware:0b8ff59,
author = {Catalin Cimpanu},
title = {{The malware that usually installs ransomware and you need to remove right away}},
date = {2020-11-20},
organization = {ZDNet},
url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
language = {English},
urldate = {2020-11-23}
}
The malware that usually installs ransomware and you need to remove right away Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani @online{ancarani:20201120:detecting:79afa40,
author = {Riccardo Ancarani},
title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}},
date = {2020-11-20},
organization = {F-Secure Labs},
url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
language = {English},
urldate = {2020-11-23}
}
Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike |
2020-11-20 ⋅ 360 netlab ⋅ JiaYu @online{jiayu:20201120:blackrota:ee43da1,
author = {JiaYu},
title = {{Blackrota, a highly obfuscated backdoor developed by Go}},
date = {2020-11-20},
organization = {360 netlab},
url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
language = {Chinese},
urldate = {2020-11-23}
}
Blackrota, a highly obfuscated backdoor developed by Go Cobalt Strike |
2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano @online{montalbano:20201119:exploits:f40feb2,
author = {Elizabeth Montalbano},
title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}},
date = {2020-11-19},
organization = {Threatpost},
url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/},
language = {English},
urldate = {2020-11-23}
}
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies Quasar RAT Ryuk |
2020-11-18 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20201118:analyzing:abccd43,
author = {Joe Slowik},
title = {{Analyzing Network Infrastructure as Composite Objects}},
date = {2020-11-18},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects},
language = {English},
urldate = {2020-11-19}
}
Analyzing Network Infrastructure as Composite Objects Ryuk |
2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich @online{kivilevich:20201118:zooming:f28a9c1,
author = {Victoria Kivilevich},
title = {{Zooming into Darknet Threats Targeting Japanese Organizations}},
date = {2020-11-18},
organization = {KELA},
url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/},
language = {English},
urldate = {2020-11-19}
}
Zooming into Darknet Threats Targeting Japanese Organizations Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware |
2020-11-17 ⋅ cyble ⋅ Cyble @online{cyble:20201117:oceanlotus:d33eb97,
author = {Cyble},
title = {{OceanLotus Continues With Its Cyber Espionage Operations}},
date = {2020-11-17},
organization = {cyble},
url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
language = {English},
urldate = {2020-11-18}
}
OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter |
2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse @online{althouse:20201117:easily:172bd6d,
author = {John Althouse},
title = {{Easily Identify Malicious Servers on the Internet with JARM}},
date = {2020-11-17},
organization = {Salesforce Engineering},
url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
language = {English},
urldate = {2020-12-03}
}
Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
2020-11-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201116:ransomwareasaservice:11a5a8b,
author = {Intel 471},
title = {{Ransomware-as-a-service: The pandemic within a pandemic}},
date = {2020-11-16},
organization = {Intel 471},
url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
language = {English},
urldate = {2020-11-17}
}
Ransomware-as-a-service: The pandemic within a pandemic Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware |
2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax @online{astrovax:20201114:deep:b50ae08,
author = {astrovax},
title = {{Deep Dive Into Ryuk Ransomware}},
date = {2020-11-14},
organization = {Medium 0xastrovax},
url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12},
language = {English},
urldate = {2021-01-25}
}
Deep Dive Into Ryuk Ransomware Hermes Ryuk |
2020-11-11 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20201111:magecart:8137a1f,
author = {Jordan Herman},
title = {{Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches}},
date = {2020-11-11},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/fda1f967},
language = {English},
urldate = {2020-11-18}
}
Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches magecart |
2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn @online{bestuzhev:20201111:targeted:e2e0c3a,
author = {Dmitry Bestuzhev and Fedor Sinitsyn},
title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}},
date = {2020-11-11},
organization = {Kaspersky Labs},
url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/},
language = {English},
urldate = {2020-11-11}
}
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends” Egregor Maze RagnarLocker |
2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20201109:fake:c6dd7b3,
author = {Ionut Ilascu},
title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}},
date = {2020-11-09},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
language = {English},
urldate = {2020-11-11}
}
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez @online{kremez:20201106:anatomy:b2ce3ae,
author = {Vitali Kremez},
title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}},
date = {2020-11-06},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
language = {English},
urldate = {2020-11-09}
}
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk |
2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research @online{adair:20201106:oceanlotus:f7b11ac,
author = {Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}},
date = {2020-11-06},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
language = {English},
urldate = {2020-11-09}
}
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32 |
2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20201106:cobalt:05fe8fc,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.2 – Everything but the kitchen sink}},
date = {2020-11-06},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
language = {English},
urldate = {2020-11-09}
}
Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike |
2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ Ryan Tracey, Drew Schmitt, CRYPSIS @online{tracey:20201106:indicators:1ec9384,
author = {Ryan Tracey and Drew Schmitt and CRYPSIS},
title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}},
date = {2020-11-06},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
language = {English},
urldate = {2020-11-12}
}
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX |
2020-11-06 ⋅ Telsy ⋅ Telsy Research Team @techreport{team:20201106:malware:7b6dd9d,
author = {Telsy Research Team},
title = {{Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze}},
date = {2020-11-06},
institution = {Telsy},
url = {https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf},
language = {English},
urldate = {2020-11-09}
}
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze Maze |
2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201105:ryuk:ceaa823,
author = {The DFIR Report},
title = {{Ryuk Speed Run, 2 Hours to Ransom}},
date = {2020-11-05},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
language = {English},
urldate = {2020-11-06}
}
Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk |
2020-11-05 ⋅ Github (scythe-io) ⋅ SCYTHE @online{scythe:20201105:ryuk:8d7c4de,
author = {SCYTHE},
title = {{Ryuk Adversary Emulation Plan}},
date = {2020-11-05},
organization = {Github (scythe-io)},
url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk},
language = {English},
urldate = {2020-11-11}
}
Ryuk Adversary Emulation Plan Ryuk |
2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas @online{orchilles:20201105:threatthursday:a3297b9,
author = {Jorge Orchilles and Sean Lyngaas},
title = {{\#ThreatThursday - Ryuk}},
date = {2020-11-05},
organization = {SCYTHE},
url = {https://www.scythe.io/library/threatthursday-ryuk},
language = {English},
urldate = {2020-11-06}
}
#ThreatThursday - Ryuk BazarBackdoor Ryuk |
2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst @online{theanalyst:20201105:zloader:c4bab85,
author = {TheAnalyst},
title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}},
date = {2020-11-05},
organization = {Twitter (@ffforward)},
url = {https://twitter.com/ffforward/status/1324281530026524672},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna @online{vigna:20201104:trick:a59a333,
author = {Giovanni Vigna},
title = {{Trick or Threat: Ryuk ransomware targets the health care industry}},
date = {2020-11-04},
organization = {VMRay},
url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
language = {English},
urldate = {2020-11-06}
}
Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-11-03 ⋅ InfoSec Handlers Diary Blog ⋅ Renato Marinho @online{marinho:20201103:attackers:9b3762b,
author = {Renato Marinho},
title = {{Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike}},
date = {2020-11-03},
organization = {InfoSec Handlers Diary Blog},
url = {https://isc.sans.edu/diary/26752},
language = {English},
urldate = {2020-11-06}
}
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-11-02 ⋅ SUCURI ⋅ Denis Sinegubko @online{sinegubko:20201102:cssjs:e800099,
author = {Denis Sinegubko},
title = {{CSS-JS Steganography in Fake Flash Player Update Malware}},
date = {2020-11-02},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html},
language = {English},
urldate = {2020-11-04}
}
CSS-JS Steganography in Fake Flash Player Update Malware magecart NetSupportManager RAT |
2020-10-31 ⋅ splunk ⋅ Ryan Kovar @online{kovar:20201031:ryuk:735f563,
author = {Ryan Kovar},
title = {{Ryuk and Splunk Detections}},
date = {2020-10-31},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html},
language = {English},
urldate = {2020-11-02}
}
Ryuk and Splunk Detections Ryuk |
2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect @online{threatconnect:20201030:unc:b3ae3d0,
author = {ThreatConnect},
title = {{UNC 1878 Indicators from Threatconnect}},
date = {2020-10-30},
organization = {Github (ThreatConnect-Inc)},
url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
language = {English},
urldate = {2020-11-06}
}
UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk |
2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team @online{team:20201030:ryuk:9166a9a,
author = {The Cofense Intelligence Team},
title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}},
date = {2020-10-30},
organization = {Cofense},
url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/},
language = {English},
urldate = {2020-11-02}
}
The Ryuk Threat: Why BazarBackdoor Matters Most BazarBackdoor Ryuk |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201029:hacking:c8d5379,
author = {Lawrence Abrams},
title = {{Hacking group is targeting US hospitals with Ryuk ransomware}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Hacking group is targeting US hospitals with Ryuk ransomware Ryuk |
2020-10-29 ⋅ RiskIQ ⋅ RiskIQ @online{riskiq:20201029:ryuk:0643968,
author = {RiskIQ},
title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}},
date = {2020-10-29},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/0bcefe76},
language = {English},
urldate = {2020-11-02}
}
Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk |
2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team @online{team:20201029:bazar:1846b93,
author = {The Red Canary Team},
title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}},
date = {2020-10-29},
organization = {Red Canary},
url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
language = {English},
urldate = {2020-11-02}
}
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan @online{barbehenn:20201029:threat:de33a6d,
author = {Brittany Barbehenn and Doel Santos and Brad Duncan},
title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}},
date = {2020-10-29},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/},
language = {English},
urldate = {2020-11-02}
}
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector Anchor BazarBackdoor Ryuk TrickBot |
2020-10-29 ⋅ McAfee ⋅ McAfee Labs @techreport{labs:20201029:mcafee:84eed4e,
author = {McAfee Labs},
title = {{McAfee Labs Threat Advisory Ransom-Ryuk}},
date = {2020-10-29},
institution = {McAfee},
url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf},
language = {English},
urldate = {2020-11-02}
}
McAfee Labs Threat Advisory Ransom-Ryuk Ryuk |
2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201029:maze:f90b399,
author = {Lawrence Abrams},
title = {{Maze ransomware is shutting down its cybercrime operation}},
date = {2020-10-29},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/},
language = {English},
urldate = {2020-11-02}
}
Maze ransomware is shutting down its cybercrime operation Egregor Maze |
2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT @online{csirt:20201029:list:5fb0206,
author = {Swisscom CSIRT},
title = {{List of CobaltStrike C2's used by RYUK}},
date = {2020-10-29},
organization = {Github (Swisscom)},
url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
language = {English},
urldate = {2020-11-02}
}
List of CobaltStrike C2's used by RYUK Cobalt Strike |
2020-10-29 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn @online{bing:20201029:building:ceeb50f,
author = {Christopher Bing and Joseph Menn},
title = {{Building wave of ransomware attacks strike U.S. hospitals}},
date = {2020-10-29},
organization = {Reuters},
url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP},
language = {English},
urldate = {2020-11-02}
}
Building wave of ransomware attacks strike U.S. hospitals Ryuk |
2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson @online{thompson:20201029:unc1878:26c88d4,
author = {Andrew Thompson},
title = {{Tweet on UNC1878 activity}},
date = {2020-10-29},
organization = {Twitter (@anthomsec)},
url = {https://twitter.com/anthomsec/status/1321865315513520128},
language = {English},
urldate = {2020-11-04}
}
Tweet on UNC1878 activity BazarBackdoor Ryuk TrickBot UNC1878 |
2020-10-29 ⋅ CNN ⋅ Vivian Salama, Alex Marquardt, Lauren Mascarenhas @online{salama:20201029:several:88d8127,
author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas},
title = {{Several hospitals targeted in new wave of ransomware attacks}},
date = {2020-10-29},
organization = {CNN},
url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html},
language = {English},
urldate = {2020-11-02}
}
Several hospitals targeted in new wave of ransomware attacks Ryuk |
2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs @online{sophoslabs:20201029:similarities:408a640,
author = {SophosLabs},
title = {{Tweet on similarities between BUER in-memory loader \& RYUK in-memory loader}},
date = {2020-10-29},
organization = {Twitter (@SophosLabs)},
url = {https://twitter.com/SophosLabs/status/1321844306970251265},
language = {English},
urldate = {2020-11-02}
}
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader Buer Ryuk |
2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS @techreport{cisa:20201028:aa20302a:80b6a06,
author = {CISA and FBI and HHS},
title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}},
date = {2020-10-28},
institution = {CISA},
url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf},
language = {English},
urldate = {2020-11-02}
}
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector Anchor_DNS Anchor BazarBackdoor Ryuk |
2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Katie Nickels, Van Ta, Aaron Stephens @online{nickels:20201028:spooky:3bf0a0a,
author = {Katie Nickels and Van Ta and Aaron Stephens},
title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}},
date = {2020-10-28},
organization = {Youtube (SANS Institute)},
url = {https://www.youtube.com/watch?v=CgDtm05qApE},
language = {English},
urldate = {2020-11-04}
}
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast Ryuk UNC1878 |
2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor @techreport{condor:20201028:decade:b8d7422,
author = {Ruben Andrei Condor},
title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}},
date = {2020-10-28},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-11-02}
}
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware sLoad Emotet Maze |
2020-10-28 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Van Ta, Aaron Stephens, Katie Nickels @online{ta:20201028:star:16965fb,
author = {Van Ta and Aaron Stephens and Katie Nickels},
title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}},
date = {2020-10-28},
organization = {Youtube (SANS Digital Forensics and Incident Response)},
url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc},
language = {English},
urldate = {2020-11-02}
}
STAR Webcast: Spooky RYUKy: The Return of UNC1878 Ryuk |
2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock @online{goody:20201028:unhappy:c0d2e4b,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock},
title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}},
date = {2020-10-28},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
language = {English},
urldate = {2020-11-02}
}
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878 |
2020-10-28 ⋅ Github (aaronst) ⋅ Aaron Stephens @online{stephens:20201028:unc1878:5f717f6,
author = {Aaron Stephens},
title = {{UNC1878 indicators}},
date = {2020-10-28},
organization = {Github (aaronst)},
url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456},
language = {English},
urldate = {2020-11-04}
}
UNC1878 indicators Ryuk UNC1878 |
2020-10-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20201028:fbi:26b9480,
author = {Brian Krebs},
title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}},
date = {2020-10-28},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/},
language = {English},
urldate = {2020-11-02}
}
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals Ryuk |
2020-10-28 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos @online{gallagher:20201028:hacks:8e1d051,
author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearney and Anand Ajjan and Brett Cove and Gabor Szappanos},
title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}},
date = {2020-10-28},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/},
language = {English},
urldate = {2020-11-02}
}
Hacks for sale: inside the Buer Loader malware-as-a-service Buer Ryuk Zloader |
2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon @online{iddon:20201027:mtr:3b62ca9,
author = {Greg Iddon},
title = {{MTR Casebook: An active adversary caught in the act}},
date = {2020-10-27},
organization = {Sophos Managed Threat Response (MTR)},
url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
language = {English},
urldate = {2020-11-02}
}
MTR Casebook: An active adversary caught in the act Cobalt Strike |
2020-10-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201027:steelcase:25f66a9,
author = {Lawrence Abrams},
title = {{Steelcase furniture giant hit by Ryuk ransomware attack}},
date = {2020-10-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-28}
}
Steelcase furniture giant hit by Ryuk ransomware attack Ryuk |
2020-10-26 ⋅ Checkpoint ⋅ Itay Cohen, Eyal Itkin @online{cohen:20201026:exploit:9ec173c,
author = {Itay Cohen and Eyal Itkin},
title = {{Exploit Developer Spotlight: The Story of PlayBit}},
date = {2020-10-26},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/},
language = {English},
urldate = {2020-10-27}
}
Exploit Developer Spotlight: The Story of PlayBit Dyre Maze PyLocky Ramnit REvil |
2020-10-26 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20201026:threatconnect:0e90cc3,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}},
date = {2020-10-26},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/},
language = {English},
urldate = {2020-10-29}
}
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft Ryuk |
2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
author = {Hornetsecurity Security Lab},
title = {{Leakware-Ransomware-Hybrid Attacks}},
date = {2020-10-23},
organization = {Hornetsecurity},
url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
language = {English},
urldate = {2020-12-08}
}
Leakware-Ransomware-Hybrid Attacks Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt |
2020-10-22 ⋅ Sentinel LABS ⋅ Marco Figueroa @online{figueroa:20201022:inside:228798e,
author = {Marco Figueroa},
title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}},
date = {2020-10-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/},
language = {English},
urldate = {2020-10-26}
}
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques Ryuk |
2020-10-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201022:french:6d52e19,
author = {Lawrence Abrams},
title = {{French IT giant Sopra Steria hit by Ryuk ransomware}},
date = {2020-10-22},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/},
language = {English},
urldate = {2020-10-26}
}
French IT giant Sopra Steria hit by Ryuk ransomware Ryuk |
2020-10-21 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Nikita Galimov, Vladimir Kuskov @online{sinitsyn:20201021:life:5906110,
author = {Fedor Sinitsyn and Nikita Galimov and Vladimir Kuskov},
title = {{Life of Maze ransomware}},
date = {2020-10-21},
organization = {Kaspersky Labs},
url = {https://securelist.com/maze-ransomware/99137/},
language = {English},
urldate = {2020-10-23}
}
Life of Maze ransomware Maze |
2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI @online{bsi:20201020:die:0683ad4,
author = {BSI},
title = {{Die Lage der IT-Sicherheit in Deutschland 2020}},
date = {2020-10-20},
organization = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2},
language = {German},
urldate = {2020-10-21}
}
Die Lage der IT-Sicherheit in Deutschland 2020 Clop Emotet REvil Ryuk TrickBot |
2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201018:ryuk:fbaadb8,
author = {The DFIR Report},
title = {{Ryuk in 5 Hours}},
date = {2020-10-18},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
language = {English},
urldate = {2020-10-19}
}
Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk |
2020-10-16 ⋅ ThreatConnect ⋅ ThreatConnect Research Team @online{team:20201016:threatconnect:2010d70,
author = {ThreatConnect Research Team},
title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}},
date = {2020-10-16},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/},
language = {English},
urldate = {2020-10-23}
}
ThreatConnect Research Roundup: Possible Ryuk Infrastructure Ryuk |
2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20201016:wizard:12b648a,
author = {The Crowdstrike Intel Team},
title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}},
date = {2020-10-16},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/},
language = {English},
urldate = {2020-10-21}
}
WIZARD SPIDER Update: Resilient, Reactive and Resolute BazarBackdoor Conti Ransomware Ryuk TrickBot |
2020-10-14 ⋅ RiskIQ ⋅ Steve Ginty, Jon Gross @online{ginty:20201014:wellmarked:9176303,
author = {Steve Ginty and Jon Gross},
title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}},
date = {2020-10-14},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/f0320980},
language = {English},
urldate = {2020-10-23}
}
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike |
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20201014:theyre:99f5d1e,
author = {Sean Gallagher},
title = {{They’re back: inside a new Ryuk ransomware attack}},
date = {2020-10-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
language = {English},
urldate = {2020-10-16}
}
They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC |
2020-10-13 ⋅ VirusTotal ⋅ Gerardo Fernández, Vicente Diaz @online{fernndez:20201013:tracing:14bb6fa,
author = {Gerardo Fernández and Vicente Diaz},
title = {{Tracing fresh Ryuk campaigns itw}},
date = {2020-10-13},
organization = {VirusTotal},
url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html},
language = {English},
urldate = {2020-10-23}
}
Tracing fresh Ryuk campaigns itw Ryuk |
2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201012:trickbot:5c1e5bf,
author = {Threat Hunter Team},
title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}},
date = {2020-10-12},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption},
language = {English},
urldate = {2020-10-12}
}
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure Ryuk TrickBot |
2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez @online{marshanski:20201012:front:686add1,
author = {Roman Marshanski and Vitali Kremez},
title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}},
date = {2020-10-12},
organization = {Advanced Intelligence},
url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
language = {English},
urldate = {2020-10-13}
}
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk |
2020-10-12 ⋅ Microsoft ⋅ Tom Burt @online{burt:20201012:new:045c1c3,
author = {Tom Burt},
title = {{New action to combat ransomware ahead of U.S. elections}},
date = {2020-10-12},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/},
language = {English},
urldate = {2020-10-12}
}
New action to combat ransomware ahead of U.S. elections Ryuk TrickBot |
2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel @online{strangerealintel:20201011:chimera:a423a07,
author = {StrangerealIntel},
title = {{Chimera, APT19 under the radar ?}},
date = {2020-10-11},
organization = {Github (StrangerealIntel)},
url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
language = {English},
urldate = {2020-10-15}
}
Chimera, APT19 under the radar ? Cobalt Strike Meterpreter |
2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20201008:ryuks:e47d8fa,
author = {The DFIR Report},
title = {{Ryuk’s Return}},
date = {2020-10-08},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/10/08/ryuks-return/},
language = {English},
urldate = {2020-10-09}
}
Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk |
2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen @online{tanriverdi:20201008:there:620f4e7,
author = {Hakan Tanriverdi and Max Zierer and Ann-Kathrin Wetter and Kai Biermann and Thi Do Nguyen},
title = {{There is no safe place}},
date = {2020-10-08},
organization = {Bayerischer Rundfunk},
url = {https://web.br.de/interaktiv/ocean-lotus/en/},
language = {English},
urldate = {2020-10-12}
}
There is no safe place Cobalt Strike |
2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20201006:double:bb0f240,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}},
date = {2020-10-06},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/},
language = {English},
urldate = {2020-10-12}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 2 Maze MedusaLocker REvil |
2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3) @techreport{hc3:20201002:report:0ca373f,
author = {Health Sector Cybersecurity Coordination Center (HC3)},
title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}},
date = {2020-10-02},
institution = {Health Sector Cybersecurity Coordination Center (HC3)},
url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
language = {English},
urldate = {2020-11-02}
}
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
2020-10-01 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20201001:russias:3440982,
author = {Andy Greenberg},
title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}},
date = {2020-10-01},
organization = {Wired},
url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
language = {English},
urldate = {2020-10-05}
}
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter |
2020-10-01 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller @online{hamdan:20200929:getting:c01923a,
author = {Kareem Hamdan and Lucas Miller},
title = {{Getting the Bacon from the Beacon}},
date = {2020-09-29},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
language = {English},
urldate = {2020-10-05}
}
Getting the Bacon from the Beacon Cobalt Strike |
2020-09-29 ⋅ Microsoft ⋅ Microsoft @techreport{microsoft:20200929:microsoft:6e5d7b0,
author = {Microsoft},
title = {{Microsoft Digital Defense Report}},
date = {2020-09-29},
institution = {Microsoft},
url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf},
language = {English},
urldate = {2020-10-05}
}
Microsoft Digital Defense Report Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot |
2020-09-29 ⋅ Github (Apr4h) ⋅ Apra @online{apra:20200929:cobaltstrikescan:ab5f221,
author = {Apra},
title = {{CobaltStrikeScan}},
date = {2020-09-29},
organization = {Github (Apr4h)},
url = {https://github.com/Apr4h/CobaltStrikeScan},
language = {English},
urldate = {2020-10-05}
}
CobaltStrikeScan Cobalt Strike |
2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team @online{team:20200925:double:fe3b093,
author = {The Crowdstrike Intel Team},
title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
date = {2020-09-25},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
language = {English},
urldate = {2020-10-02}
}
Double Trouble: Ransomware with Data Leak Extortion, Part 1 DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker |
2020-09-24 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200924:analysis:e1e4cc0,
author = {US-CERT},
title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}},
date = {2020-09-24},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
language = {English},
urldate = {2020-10-13}
}
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter |
2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT @techreport{cert:20200924:threat:2d7986d,
author = {Kaspersky Lab ICS CERT},
title = {{Threat landscape for industrial automation systems - H1 2020}},
date = {2020-09-24},
institution = {Kaspersky Labs},
url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf},
language = {English},
urldate = {2020-10-04}
}
Threat landscape for industrial automation systems - H1 2020 Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware |
2020-09-21 ⋅ Cisco Talos ⋅ Nick Mavis, Joe Marshall, Jon Munshaw @techreport{mavis:20200921:art:d9702a4,
author = {Nick Mavis and Joe Marshall and Jon Munshaw},
title = {{The art and science of detecting Cobalt Strike}},
date = {2020-09-21},
institution = {Cisco Talos},
url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
language = {English},
urldate = {2020-09-23}
}
The art and science of detecting Cobalt Strike Cobalt Strike |
2020-09-18 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20200918:us:7900e6a,
author = {Trend Micro},
title = {{U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks}},
date = {2020-09-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
language = {English},
urldate = {2020-09-23}
}
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock |
2020-09-17 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Peter Mackenzie @online{brandt:20200917:maze:714f603,
author = {Andrew Brandt and Peter Mackenzie},
title = {{Maze attackers adopt Ragnar Locker virtual machine technique}},
date = {2020-09-17},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/},
language = {English},
urldate = {2020-09-21}
}
Maze attackers adopt Ragnar Locker virtual machine technique Maze |
2020-09-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200917:maze:81b8c38,
author = {Lawrence Abrams},
title = {{Maze ransomware now encrypts via virtual machines to evade detection}},
date = {2020-09-17},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/},
language = {English},
urldate = {2020-09-21}
}
Maze ransomware now encrypts via virtual machines to evade detection Maze |
2020-09-03 ⋅ Twitter (@Arkbird_SOLG) ⋅ Arkbird @online{arkbird:20200903:development:cf8dd7d,
author = {Arkbird},
title = {{Tweet on development in more_eggs}},
date = {2020-09-03},
organization = {Twitter (@Arkbird_SOLG)},
url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727},
language = {English},
urldate = {2020-09-15}
}
Tweet on development in more_eggs More_eggs |
2020-09-03 ⋅ Viettel Cybersecurity ⋅ vuonglvm @online{vuonglvm:20200903:apt32:02bd8fc,
author = {vuonglvm},
title = {{APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)}},
date = {2020-09-03},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
language = {Vietnamese},
urldate = {2020-09-09}
}
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike |
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20200902:inter:93b8c50,
author = {Jordan Herman},
title = {{The Inter Skimmer Kit}},
date = {2020-09-02},
organization = {RiskIQ},
url = {https://community.riskiq.com/article/30f22a00},
language = {English},
urldate = {2020-09-04}
}
The Inter Skimmer Kit magecart DreamBot TeslaCrypt |
2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200901:quarterly:c02962b,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly Report: Incident Response trends in Summer 2020}},
date = {2020-09-01},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
language = {English},
urldate = {2020-09-03}
}
Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200831:netwalker:29a1511,
author = {The DFIR Report},
title = {{NetWalker Ransomware in 1 Hour}},
date = {2020-08-31},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
language = {English},
urldate = {2020-08-31}
}
NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz |
2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider @online{cyberthreatinsider:20200820:global:34ee2ea,
author = {cyberthreatinsider},
title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}},
date = {2020-08-20},
organization = {sensecy},
url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/},
language = {English},
urldate = {2020-11-04}
}
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities Clop Maze REvil Ryuk |
2020-08-20 ⋅ Seebug Paper ⋅ Malayke @online{malayke:20200820:use:77d3957,
author = {Malayke},
title = {{Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks}},
date = {2020-08-20},
organization = {Seebug Paper},
url = {https://paper.seebug.org/1301/},
language = {Chinese},
urldate = {2020-08-24}
}
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2 |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5 @online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2020-08-25}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike |
2020-08-18 ⋅ Arete ⋅ Arete Incident Response @techreport{response:20200818:is:72e08da,
author = {Arete Incident Response},
title = {{Is Conti the New Ryuk?}},
date = {2020-08-18},
institution = {Arete},
url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf},
language = {English},
urldate = {2020-08-25}
}
Is Conti the New Ryuk? Conti Ransomware Ryuk |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader |
2020-08-13 ⋅ SentinelOne ⋅ SentinelLabs @online{sentinellabs:20200813:case:4560aed,
author = {SentinelLabs},
title = {{Case Study: Catching a Human-Operated Maze Ransomware Attack In Action}},
date = {2020-08-13},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/},
language = {English},
urldate = {2020-08-14}
}
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action Maze |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200804:ransomware:e0320ee,
author = {Catalin Cimpanu},
title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}},
date = {2020-08-04},
organization = {ZDNet},
url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/},
language = {English},
urldate = {2020-08-18}
}
Ransomware gang publishes tens of GBs of internal data from LG and Xerox Maze |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang @techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor |
2020-07-26 ⋅ Shells.System blog ⋅ Askar @online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike |
2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt @online{reaves:20200722:enter:71d9038,
author = {Jason Reaves and Joshua Platt},
title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}},
date = {2020-07-22},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/},
language = {English},
urldate = {2020-07-23}
}
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) ISFB Maze TrickBot Zloader |
2020-07-22 ⋅ SUCURI ⋅ Denis Sinegubko @online{sinegubko:20200722:skimmers:abd9eb9,
author = {Denis Sinegubko},
title = {{Skimmers in Images & GitHub Repos}},
date = {2020-07-22},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html},
language = {English},
urldate = {2020-07-30}
}
Skimmers in Images & GitHub Repos magecart |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul @online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE Cobalt Strike MgBot |
2020-07-20 ⋅ QuoIntelligence @online{quointelligence:20200720:golden:4a88a80,
author = {QuoIntelligence},
title = {{Golden Chickens: Evolution of the MaaS}},
date = {2020-07-20},
url = {https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/},
language = {English},
urldate = {2020-07-23}
}
Golden Chickens: Evolution of the MaaS More_eggs TerraLoader TerraStealer VenomLNK |
2020-07-15 ⋅ FireEye ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt @online{brubaker:20200715:financially:f217555,
author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt},
title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}},
date = {2020-07-15},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html},
language = {English},
urldate = {2020-07-16}
}
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware |
2020-07-11 ⋅ Trustwave ⋅ Peter Evans, Rodel Mendrez @online{evans:20200711:injecting:3d78e32,
author = {Peter Evans and Rodel Mendrez},
title = {{Injecting Magecart into Magento Global Config}},
date = {2020-07-11},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/},
language = {English},
urldate = {2020-07-15}
}
Injecting Magecart into Magento Global Config magecart |
2020-07-10 ⋅ Github (eset) ⋅ Matías Porolli @online{porolli:20200710:evilnumindicators:639ec06,
author = {Matías Porolli},
title = {{Evilnum — Indicators of Compromise}},
date = {2020-07-10},
organization = {Github (eset)},
url = {https://github.com/eset/malware-ioc/tree/master/evilnum},
language = {English},
urldate = {2020-07-11}
}
Evilnum — Indicators of Compromise EVILNUM More_eggs EVILNUM TerraStealer |
2020-07-09 ⋅ ESET Research ⋅ Matías Porolli @online{porolli:20200709:more:24d8b63,
author = {Matías Porolli},
title = {{More evil: A deep look at Evilnum and its toolset}},
date = {2020-07-09},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/},
language = {English},
urldate = {2020-07-11}
}
More evil: A deep look at Evilnum and its toolset EVILNUM More_eggs EVILNUM TerraPreter TerraStealer TerraTV Evilnum |
2020-07-07 ⋅ GEMINI @techreport{gemini:20200707:full:283dfdd,
author = {GEMINI},
title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}},
date = {2020-07-07},
institution = {},
url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf},
language = {English},
urldate = {2020-07-08}
}
Full list of all the 570+ sites that the Keeper gang hacked since April 2017 magecart |
2020-07-07 ⋅ GEMINI @online{gemini:20200707:keeper:b2f882b,
author = {GEMINI},
title = {{"Keeper" Magecart Group Infects 570 Sites}},
date = {2020-07-07},
url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/},
language = {English},
urldate = {2020-07-08}
}
"Keeper" Magecart Group Infects 570 Sites magecart |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo @online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6 Cobalt Strike |
2020-07-06 ⋅ Sansec ⋅ Sansec Threat Research Team @online{team:20200706:north:1fb54b4,
author = {Sansec Threat Research Team},
title = {{North Korean hackers implicated in stealing from US and European shoppers}},
date = {2020-07-06},
organization = {Sansec},
url = {https://sansec.io/research/north-korea-magecart},
language = {English},
urldate = {2020-07-06}
}
North Korean hackers implicated in stealing from US and European shoppers magecart |
2020-06-26 ⋅ Trend Micro ⋅ Joseph C Chen @online{chen:20200626:us:8bce65c,
author = {Joseph C Chen},
title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}},
date = {2020-06-26},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/},
language = {English},
urldate = {2020-06-30}
}
US Local Government Services Targeted by New Magecart Credit Card Skimming Attack magecart |
2020-06-25 ⋅ Malwarebytes ⋅ Jérôme Segura @online{segura:20200625:web:2b712b2,
author = {Jérôme Segura},
title = {{Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files}},
date = {2020-06-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/},
language = {English},
urldate = {2020-06-29}
}
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files magecart |
2020-06-24 ⋅ Twitter (@3xp0rtblog) ⋅ 3xp0rt @online{3xp0rt:20200624:new:6b725c2,
author = {3xp0rt},
title = {{Tweet on new version of TaurusStealer (v1.4)}},
date = {2020-06-24},
organization = {Twitter (@3xp0rtblog)},
url = {https://twitter.com/3xp0rtblog/status/1275746149719252992},
language = {English},
urldate = {2020-06-24}
}
Tweet on new version of TaurusStealer (v1.4) TerraStealer |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee @online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker |
2020-06-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20200623:ryuk:c63b0c6,
author = {Ionut Ilascu},
title = {{Ryuk ransomware deployed two weeks after Trickbot infection}},
date = {2020-06-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/},
language = {English},
urldate = {2020-06-30}
}
Ryuk ransomware deployed two weeks after Trickbot infection Ryuk |
2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193,
author = {Critical Attack Discovery and Intelligence Team},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra @online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil @online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge @online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo Cobalt Strike |
2020-06-18 ⋅ Quick Heal ⋅ Preksha Saxena @online{saxena:20200618:maze:76ca64b,
author = {Preksha Saxena},
title = {{Maze ransomware continues to be a threat to the consumers}},
date = {2020-06-18},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/},
language = {English},
urldate = {2020-07-02}
}
Maze ransomware continues to be a threat to the consumers Maze |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Cognizant ⋅ Cognizant @techreport{cognizant:20200617:notice:37fe994,
author = {Cognizant},
title = {{Notice of Data Breach}},
date = {2020-06-17},
institution = {Cognizant},
url = {https://oag.ca.gov/system/files/Letter%204.pdf},
language = {English},
urldate = {2020-06-18}
}
Notice of Data Breach Maze |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike |
2020-06-16 ⋅ BleepingComputer ⋅ Sergiu Gatlan @online{gatlan:20200616:chipmaker:0e801b8,
author = {Sergiu Gatlan},
title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}},
date = {2020-06-16},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-17}
}
Chipmaker MaxLinear reports data breach after Maze Ransomware attack Maze |
2020-06-15 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey @online{liebenberg:20200615:quarterly:c2dcd77,
author = {David Liebenberg and Caitlin Huey},
title = {{Quarterly report: Incident Response trends in Summer 2020}},
date = {2020-06-15},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more},
language = {English},
urldate = {2020-06-19}
}
Quarterly report: Incident Response trends in Summer 2020 Ryuk |
2020-06-15 ⋅ Sansec ⋅ Sansec Threat Research Team @online{team:20200615:magecart:09274cd,
author = {Sansec Threat Research Team},
title = {{Magecart strikes amid Corona lockdown}},
date = {2020-06-15},
organization = {Sansec},
url = {https://sansec.io/research/magecart-corona-lockdown},
language = {English},
urldate = {2020-06-16}
}
Magecart strikes amid Corona lockdown magecart |
2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group @online{group:20200615:striking:8fdf4bb,
author = {Exploit Development Group},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike |
2020-06-15 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200615:web:a10a55d,
author = {Catalin Cimpanu},
title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}},
date = {2020-06-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/},
language = {English},
urldate = {2020-06-16}
}
Web skimmers found on the websites of Intersport, Claire's, and Icing magecart |
2020-06-09 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20200609:misconfigured:75c6908,
author = {Jordan Herman},
title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}},
date = {2020-06-09},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/},
language = {English},
urldate = {2020-06-10}
}
Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code magecart |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal @online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser Cobalt Strike |
2020-06-05 ⋅ SUCURI ⋅ Denis Sinegubko @online{sinegubko:20200605:evasion:86c8265,
author = {Denis Sinegubko},
title = {{Evasion Tactics in Hybrid Credit Card Skimmers}},
date = {2020-06-05},
organization = {SUCURI},
url = {https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html},
language = {English},
urldate = {2020-06-10}
}
Evasion Tactics in Hybrid Credit Card Skimmers magecart |
2020-06-04 ⋅ Chianxin Virus Response Center @online{center:20200604::a1c780b,
author = {Chianxin Virus Response Center},
title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}},
date = {2020-06-04},
url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw},
language = {Chinese},
urldate = {2020-07-16}
}
脚本系贼寇之风兴起,买卖体系堪比勒索软件 EVILNUM More_eggs |
2020-06-04 ⋅ Sophos Naked Security ⋅ Lisa Vaas @online{vaas:20200604:nuclear:9d471e1,
author = {Lisa Vaas},
title = {{Nuclear missile contractor hacked in Maze ransomware attack}},
date = {2020-06-04},
organization = {Sophos Naked Security},
url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/},
language = {English},
urldate = {2020-06-04}
}
Nuclear missile contractor hacked in Maze ransomware attack Maze |
2020-05-21 ⋅ BrightTALK (FireEye) ⋅ Kimberly Goody, Jeremy Kennelly @online{goody:20200521:navigating:a2eae5f,
author = {Kimberly Goody and Jeremy Kennelly},
title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}},
date = {2020-05-21},
organization = {BrightTALK (FireEye)},
url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat},
language = {English},
urldate = {2020-06-05}
}
Navigating MAZE: Analysis of a Rising Ransomware Threat Maze |
2020-05-20 ⋅ Reflectiz ⋅ Reflectiz @online{reflectiz:20200520:gocgle:47c4bc7,
author = {Reflectiz},
title = {{The Gocgle Malicious Campaign}},
date = {2020-05-20},
organization = {Reflectiz},
url = {https://www.reflectiz.com/the-gocgle-web-skimming-campaign/},
language = {English},
urldate = {2020-05-23}
}
The Gocgle Malicious Campaign magecart |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal @online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike |
2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja @online{ziaja:20200507:sodinokibi:f5c5cd1,
author = {Adam Ziaja},
title = {{Sodinokibi / REvil ransomware}},
date = {2020-05-07},
organization = {REDTEAM.PL},
url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html},
language = {English},
urldate = {2020-05-13}
}
Sodinokibi / REvil ransomware Maze MimiKatz REvil |
2020-05-07 ⋅ FireEye Inc ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko @online{goody:20200507:navigating:7147cb7,
author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko},
title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}},
date = {2020-05-07},
organization = {FireEye Inc},
url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html},
language = {English},
urldate = {2020-05-11}
}
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents Maze |
2020-05-05 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary @online{elshinbary:20200505:deep:f5661cb,
author = {Abdallah Elshinbary},
title = {{Deep Analysis of Ryuk Ransomware}},
date = {2020-05-05},
organization = {N1ght-W0lf Blog},
url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/},
language = {English},
urldate = {2020-05-10}
}
Deep Analysis of Ryuk Ransomware Ryuk |
2020-05-04 ⋅ Blueliv ⋅ Blueliv Team @online{team:20200504:escape:63ebdfa,
author = {Blueliv Team},
title = {{Escape from the Maze}},
date = {2020-05-04},
organization = {Blueliv},
url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/},
language = {English},
urldate = {2020-05-11}
}
Escape from the Maze Maze |
2020-05-01 ⋅ CrowdStrike ⋅ Shaun Hurley @online{hurley:20200501:many:22ed72c,
author = {Shaun Hurley},
title = {{The Many Paths Through Maze}},
date = {2020-05-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/},
language = {English},
urldate = {2020-05-05}
}
The Many Paths Through Maze Maze |
2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200428:ransomware:3205f3a,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}},
date = {2020-04-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
language = {English},
urldate = {2020-05-05}
}
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2020-05-15}
}
Ursnif via LOLbins Cobalt Strike LOLSnif |
2020-04-19 ⋅ SecurityLiterate ⋅ Kyle Cucci @online{cucci:20200419:reversing:4523233,
author = {Kyle Cucci},
title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}},
date = {2020-04-19},
organization = {SecurityLiterate},
url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/},
language = {English},
urldate = {2020-08-13}
}
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware Ryuk |
2020-04-18 ⋅ Cognizant ⋅ Cognizant @online{cognizant:20200418:cognizant:0e20ac0,
author = {Cognizant},
title = {{Cognizant Security Incident Update}},
date = {2020-04-18},
organization = {Cognizant},
url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update},
language = {English},
urldate = {2020-04-20}
}
Cognizant Security Incident Update Maze |
2020-04-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200418:it:bb2d626,
author = {Lawrence Abrams},
title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}},
date = {2020-04-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/},
language = {English},
urldate = {2020-04-20}
}
IT services giant Cognizant suffers Maze Ransomware cyber attack Maze |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Operation Skeleton Key |
2020-04-14 ⋅ Intel 471 ⋅ Intel 471 @online{471:20200414:understanding:ca95961,
author = {Intel 471},
title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}},
date = {2020-04-14},
organization = {Intel 471},
url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/},
language = {English},
urldate = {2020-04-26}
}
Understanding the relationship between Emotet, Ryuk and TrickBot Emotet Ryuk TrickBot |
2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen @online{villadsen:20200407:itg08:b0b782d,
author = {Ole Villadsen},
title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}},
date = {2020-04-07},
organization = {SecurityIntelligence},
url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/},
language = {English},
urldate = {2020-04-13}
}
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework More_eggs Anchor TrickBot |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer @online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability Cobalt Strike |
2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens @online{ta:20200331:its:632dfca,
author = {Van Ta and Aaron Stephens},
title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}},
date = {2020-03-31},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html},
language = {English},
urldate = {2020-04-06}
}
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit Ryuk TrickBot UNC1878 |
2020-03-26 ⋅ TechCrunch ⋅ Zack Whittaker @online{whittaker:20200326:cyber:4b23d0a,
author = {Zack Whittaker},
title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}},
date = {2020-03-26},
organization = {TechCrunch},
url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/},
language = {English},
urldate = {2020-03-27}
}
Cyber insurer Chubb had data stolen in Maze ransomware attack Maze |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-26 ⋅ McAfee ⋅ Alexandre Mundo @online{mundo:20200326:ransomware:05f2b18,
author = {Alexandre Mundo},
title = {{Ransomware Maze}},
date = {2020-03-26},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/},
language = {English},
urldate = {2020-03-26}
}
Ransomware Maze Maze |
2020-03-25 ⋅ Bitdefender ⋅ Bitdefender Team @techreport{team:20200325:technical:b3e1af1,
author = {Bitdefender Team},
title = {{A Technical Look into Maze Ransomware}},
date = {2020-03-25},
institution = {Bitdefender},
url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf},
language = {English},
urldate = {2020-04-20}
}
A Technical Look into Maze Ransomware Maze |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller @online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike |
2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot |
2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200324:three:fb92d03,
author = {Lawrence Abrams},
title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}},
date = {2020-03-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
language = {English},
urldate = {2020-03-26}
}
Three More Ransomware Families Create Sites to Leak Stolen Data Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten @online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 (exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 (exploited by APT41) Cobalt Strike |
2020-03-18 ⋅ RiskIQ ⋅ Yonathan Klijnsma @online{klijnsma:20200318:magecart:2ee4a78,
author = {Yonathan Klijnsma},
title = {{Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims}},
date = {2020-03-18},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-nutribullet/},
language = {English},
urldate = {2020-03-19}
}
Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims magecart |
2020-03-12 ⋅ Cyberbit ⋅ Dor Neemani, Omer Fishel, Hod Gavriel @techreport{neemani:20200312:lost:80ccbd2,
author = {Dor Neemani and Omer Fishel and Hod Gavriel},
title = {{Lost in the Maze}},
date = {2020-03-12},
institution = {Cyberbit},
url = {https://www.docdroid.net/dUpPY5s/maze.pdf},
language = {English},
urldate = {2020-03-22}
}
Lost in the Maze Maze |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200304:ryuk:31f2ce0,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}},
date = {2020-03-04},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/},
language = {English},
urldate = {2020-03-09}
}
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection Ryuk TrickBot |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike |
2020-03-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200303:ransomware:8be6fa7,
author = {Lawrence Abrams},
title = {{Ransomware Attackers Use Your Cloud Backups Against You}},
date = {2020-03-03},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/},
language = {English},
urldate = {2020-03-04}
}
Ransomware Attackers Use Your Cloud Backups Against You DoppelPaymer Maze |
2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-03-02 ⋅ c't ⋅ Christian Wölbert @online{wlbert:20200302:was:1b9cc93,
author = {Christian Wölbert},
title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}},
date = {2020-03-02},
organization = {c't},
url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html},
language = {German},
urldate = {2020-03-02}
}
Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen Emotet Ryuk |
2020-03 ⋅ Dragos ⋅ Joe Slowik @techreport{slowik:202003:spyware:412ef8a,
author = {Joe Slowik},
title = {{Spyware Stealer Locker Wiper: LockerGoga Revisited}},
date = {2020-03},
institution = {Dragos},
url = {https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf},
language = {English},
urldate = {2020-03-18}
}
Spyware Stealer Locker Wiper: LockerGoga Revisited LockerGoga |
2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua @online{decapua:20200225:feds:423f929,
author = {Joel DeCapua},
title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
date = {2020-02-25},
organization = {RSA Conference},
url = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
language = {English},
urldate = {2020-03-04}
}
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus |
2020-02-24 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20200224:closing:9d39fcf,
author = {Max Kersten},
title = {{Closing in on MageCart 12}},
date = {2020-02-24},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/},
language = {English},
urldate = {2020-02-25}
}
Closing in on MageCart 12 magecart |
2020-02-19 ⋅ Yoroi ⋅ Marco Ramilli @online{ramilli:20200219:uncovering:4f04cd0,
author = {Marco Ramilli},
title = {{Uncovering New Magecart Implant Attacking eCommerce}},
date = {2020-02-19},
organization = {Yoroi},
url = {https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/},
language = {English},
urldate = {2020-02-20}
}
Uncovering New Magecart Implant Attacking eCommerce magecart |
2020-02-19 ⋅ FireEye ⋅ FireEye @online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20200217:following:07470c1,
author = {Max Kersten},
title = {{Following the tracks of MageCart 12}},
date = {2020-02-17},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/},
language = {English},
urldate = {2020-02-20}
}
Following the tracks of MageCart 12 magecart |
2020-02-13 ⋅ Quick Heal ⋅ Goutam Tripathy @online{tripathy:20200213:deep:34e3281,
author = {Goutam Tripathy},
title = {{A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk}},
date = {2020-02-13},
organization = {Quick Heal},
url = {https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/},
language = {English},
urldate = {2021-01-25}
}
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk Ryuk |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-12 ⋅ VMWare Carbon Black ⋅ Rachel E. King, AC @online{king:20200212:ryuk:720c14e,
author = {Rachel E. King and AC},
title = {{Ryuk Ransomware Technical Analysis}},
date = {2020-02-12},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/},
language = {English},
urldate = {2020-11-19}
}
Ryuk Ransomware Technical Analysis Ryuk |
2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz @techreport{kujawa:20200210:2020:3fdaf12,
author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz},
title = {{2020 State of Malware Report}},
date = {2020-02-10},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
language = {English},
urldate = {2020-02-13}
}
2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
2020-02-07 ⋅ RiskIQ ⋅ Jordan Herman @online{herman:20200207:magecart:185b67b,
author = {Jordan Herman},
title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}},
date = {2020-02-07},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/},
language = {English},
urldate = {2020-02-09}
}
Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign magecart |
2020-01-30 ⋅ ZATAZ ⋅ Damien Bancal @online{bancal:20200130:cyber:0a267d4,
author = {Damien Bancal},
title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}},
date = {2020-01-30},
organization = {ZATAZ},
url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/},
language = {French},
urldate = {2020-02-03}
}
Cyber attaque à l’encontre des serveurs de Bouygues Construction Maze |
2020-01-29 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20200129:dod:57de65d,
author = {Catalin Cimpanu},
title = {{DOD contractor suffers ransomware infection}},
date = {2020-01-29},
organization = {ZDNet},
url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/},
language = {English},
urldate = {2020-02-03}
}
DOD contractor suffers ransomware infection Ryuk |
2020-01-29 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20200129:tat:3d59e6e,
author = {ANSSI},
title = {{État de la menace rançongiciel}},
date = {2020-01-29},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
language = {English},
urldate = {2020-02-03}
}
État de la menace rançongiciel Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam |
2020-01-27 ⋅ QuoScient ⋅ QuoScient @online{quoscient:20200127:chicken:3252d47,
author = {QuoScient},
title = {{The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors}},
date = {2020-01-27},
organization = {QuoScient},
url = {https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9},
language = {English},
urldate = {2020-01-28}
}
The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors TerraRecon TerraStealer TerraTV VenomLNK |
2020-01-25 ⋅ Sanguine Security ⋅ Sanguine Labs @online{labs:20200125:indonesian:1f0de05,
author = {Sanguine Labs},
title = {{Indonesian Magecart hackers arrested}},
date = {2020-01-25},
organization = {Sanguine Security},
url = {https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/},
language = {English},
urldate = {2020-01-27}
}
Indonesian Magecart hackers arrested magecart |
2020-01-25 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental @online{pimental:20200125:olympic:55cba30,
author = {Jacob Pimental},
title = {{Olympic Ticket Reseller Magecart Infection}},
date = {2020-01-25},
organization = {GoggleHeadedHacker Blog},
url = {https://www.goggleheadedhacker.com/blog/post/14},
language = {English},
urldate = {2020-01-27}
}
Olympic Ticket Reseller Magecart Infection magecart |
2020-01-24 ⋅ ReversingLabs ⋅ Robert Simmons @online{simmons:20200124:hunting:f99f1f9,
author = {Robert Simmons},
title = {{Hunting for Ransomware}},
date = {2020-01-24},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware},
language = {English},
urldate = {2020-01-29}
}
Hunting for Ransomware Ryuk |
2020-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200124:new:05d5a6a,
author = {Lawrence Abrams},
title = {{New Ryuk Info Stealer Targets Government and Military Secrets}},
date = {2020-01-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/},
language = {English},
urldate = {2020-02-03}
}
New Ryuk Info Stealer Targets Government and Military Secrets Ryuk |
2020-01-22 ⋅ Deloitte ⋅ Deloitte @online{deloitte:20200122:project:0a44796,
author = {Deloitte},
title = {{Project Lurus}},
date = {2020-01-22},
organization = {Deloitte},
url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF},
language = {English},
urldate = {2020-02-13}
}
Project Lurus Maze |
2020-01-20 ⋅ Max Kersten's Blog ⋅ Max Kersten @online{kersten:20200120:ticket:ad7af1c,
author = {Max Kersten},
title = {{Ticket resellers infected with a credit card skimmer}},
date = {2020-01-20},
organization = {Max Kersten's Blog},
url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/},
language = {English},
urldate = {2020-01-27}
}
Ticket resellers infected with a credit card skimmer magecart |
2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru @techreport{kiyotaka:20200117:is:969ff38,
author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru},
title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
date = {2020-01-17},
institution = {Secureworks},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Is It Wrong to Try to Find APT Techniques in Ransomware Attack? Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware |
2020-01-15 ⋅ PerimeterX ⋅ Guy Bary @online{bary:20200115:analyzing:02aabc4,
author = {Guy Bary},
title = {{Analyzing Magecart Malware – From Zero to Hero}},
date = {2020-01-15},
organization = {PerimeterX},
url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/},
language = {English},
urldate = {2020-01-17}
}
Analyzing Magecart Malware – From Zero to Hero magecart |
2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20200114:ryuk:b2e47fa,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}},
date = {2020-01-14},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/},
language = {English},
urldate = {2020-01-15}
}
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices Ryuk |
2020-01-10 ⋅ CSIS ⋅ CSIS @techreport{csis:20200110:threat:7454f36,
author = {CSIS},
title = {{Threat Matrix H1 2019}},
date = {2020-01-10},
institution = {CSIS},
url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf},
language = {English},
urldate = {2020-01-22}
}
Threat Matrix H1 2019 Gustuff magecart Emotet Gandcrab Ramnit TrickBot |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:2020:state:e5941af,
author = {Blackberry Research},
title = {{State of Ransomware}},
date = {2020},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
language = {English},
urldate = {2021-01-01}
}
State of Ransomware Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:d8faa3e,
author = {SecureWorks},
title = {{GOLD ULRICK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick},
language = {English},
urldate = {2020-05-23}
}
GOLD ULRICK Empire Downloader Ryuk TrickBot WIZARD SPIDER |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:95fe871,
author = {SecureWorks},
title = {{GOLD VILLAGE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-village},
language = {English},
urldate = {2020-05-23}
}
GOLD VILLAGE Maze |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT Cobalt Strike Defray PyXie |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191226:ryuk:acc2284,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Stops Encrypting Linux Folders}},
date = {2019-12-26},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/},
language = {English},
urldate = {2020-01-08}
}
Ryuk Ransomware Stops Encrypting Linux Folders Ryuk |
2019-12-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191224:maze:33a4e28,
author = {Lawrence Abrams},
title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}},
date = {2019-12-24},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/},
language = {English},
urldate = {2020-02-13}
}
Maze Ransomware Releases Files Stolen from City of Pensacola Maze |
2019-12-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191223:fbi:7c11cf8,
author = {Lawrence Abrams},
title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}},
date = {2019-12-23},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/},
language = {English},
urldate = {2020-01-08}
}
FBI Issues Alert For LockerGoga and MegaCortex Ransomware LockerGoga MegaCortex |
2019-12-23 ⋅ Norfolk @online{norfolk:20191223:pos:5862d6d,
author = {Norfolk},
title = {{POS Malware Used at Fuel Pumps}},
date = {2019-12-23},
url = {https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/},
language = {English},
urldate = {2020-01-07}
}
POS Malware Used at Fuel Pumps Grateful POS |
2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher @online{hamacher:20191221:how:9d026a8,
author = {Adriana Hamacher},
title = {{How ransomware exploded in the age of Bitcoin}},
date = {2019-12-21},
organization = {Decrypt},
url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc},
language = {English},
urldate = {2020-01-13}
}
How ransomware exploded in the age of Bitcoin Ryuk |
2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing @online{umawing:20191219:threat:552a941,
author = {Jovi Umawing},
title = {{Threat spotlight: the curious case of Ryuk ransomware}},
date = {2019-12-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/},
language = {English},
urldate = {2020-01-08}
}
Threat spotlight: the curious case of Ryuk ransomware Ryuk |
2019-12-18 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits @online{zsigovits:20191218:maze:22cb5d6,
author = {Albert Zsigovits},
title = {{Maze ransomware}},
date = {2019-12-18},
organization = {Github (albertzsigovits)},
url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md},
language = {English},
urldate = {2020-04-20}
}
Maze ransomware Maze |
2019-12-17 ⋅ Cisco ⋅ JJ Cummings, Dave Liebenberg @online{cummings:20191217:incident:44acf5c,
author = {JJ Cummings and Dave Liebenberg},
title = {{Incident Response lessons from recent Maze ransomware attacks}},
date = {2019-12-17},
organization = {Cisco},
url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html},
language = {English},
urldate = {2020-01-09}
}
Incident Response lessons from recent Maze ransomware attacks Maze |
2019-12-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20191216:ransomware:f4d7d8c,
author = {Brian Krebs},
title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}},
date = {2019-12-16},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/},
language = {English},
urldate = {2020-01-08}
}
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up Maze |
2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191215:ryuk:74f6eab,
author = {Lawrence Abrams},
title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}},
date = {2019-12-15},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/},
language = {English},
urldate = {2020-01-13}
}
Ryuk Ransomware Likely Behind New Orleans Cyberattack Ryuk |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191211:maze:acb23da,
author = {Lawrence Abrams},
title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}},
date = {2019-12-11},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/},
language = {English},
urldate = {2020-01-09}
}
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand Maze |
2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab @online{lab:20191209:caution:05ff83a,
author = {EmsiSoft Malware Lab},
title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}},
date = {2019-12-09},
organization = {Emsisoft},
url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/},
language = {English},
urldate = {2020-01-07}
}
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay Ryuk |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird @techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge @online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike |
2019-12 ⋅ VISA ⋅ Visa Security Alert @techreport{alert:201912:cybercrime:b12d39c,
author = {Visa Security Alert},
title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}},
date = {2019-12},
institution = {VISA},
url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf},
language = {English},
urldate = {2020-07-23}
}
Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants Grateful POS |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen @techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response Cobalt Strike |
2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur @online{prosegur:20191127:incident:bd76c3f,
author = {Prosegur},
title = {{Tweet on Incident of Information Security}},
date = {2019-11-27},
organization = {Twitter (@Prosegur)},
url = {https://twitter.com/Prosegur/status/1199732264386596864},
language = {English},
urldate = {2020-01-09}
}
Tweet on Incident of Information Security Ryuk |
2019-11-21 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20191121:allied:a3d69d7,
author = {Lawrence Abrams},
title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}},
date = {2019-11-21},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/},
language = {English},
urldate = {2020-01-08}
}
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked Maze |
2019-11-14 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team @online{campbell:20191114:ta2101:e79f6fb,
author = {Bryan Campbell and Proofpoint Threat Insight Team},
title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}},
date = {2019-11-14},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us},
language = {English},
urldate = {2019-11-27}
}
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations Maze TA2101 |
2019-11-08 ⋅ Twitter (@certbund) ⋅ CERT-Bund @online{certbund:20191108:spam:0630ad5,
author = {CERT-Bund},
title = {{Tweet on Spam Mails containing MAZE}},
date = {2019-11-08},
organization = {Twitter (@certbund)},
url = {https://twitter.com/certbund/status/1192756294307995655},
language = {English},
urldate = {2020-01-08}
}
Tweet on Spam Mails containing MAZE Maze |
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg @online{hungenberg:20191106:emotet:1605954,
author = {Thomas Hungenberg},
title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}},
date = {2019-11-06},
organization = {Heise Security},
url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html},
language = {German},
urldate = {2020-01-06}
}
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail Emotet Ryuk TrickBot |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre @online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike |
2019-11 ⋅ CCN-CERT ⋅ CCN-CERT @online{ccncert:201911:informe:69b39b5,
author = {CCN-CERT},
title = {{Informe Código Dañino CCN-CERT ID-26/19}},
date = {2019-11},
organization = {CCN-CERT},
url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html},
language = {Spanish},
urldate = {2020-01-10}
}
Informe Código Dañino CCN-CERT ID-26/19 Ryuk |
2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross @online{hanel:20191101:wizard:a34a09e,
author = {Alexander Hanel and Brett Stone-Gross},
title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}},
date = {2019-11-01},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/},
language = {English},
urldate = {2019-12-20}
}
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN Ryuk WIZARD SPIDER |
2019-10-18 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20191018:maze:fb2c4b6,
author = {Sergiu Gatlan},
title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}},
date = {2019-10-18},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/},
language = {English},
urldate = {2019-12-17}
}
Maze Ransomware Now Delivered by Spelevo Exploit Kit Maze |
2019-10-09 ⋅ Trend Micro ⋅ Joseph C. Chen @online{chen:20191009:fin6:11bb05d,
author = {Joseph C. Chen},
title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}},
date = {2019-10-09},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/},
language = {English},
urldate = {2020-02-25}
}
FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops magecart |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
2019-08-29 ⋅ Security Intelligence ⋅ Ole Villadsen, Kevin Henson, Melissa Frydrych, Joey Victorino @online{villadsen:20190829:moreeggs:8ff7351,
author = {Ole Villadsen and Kevin Henson and Melissa Frydrych and Joey Victorino},
title = {{More_eggs, Anyone? Threat Actor ITG08 Strikes Again}},
date = {2019-08-29},
organization = {Security Intelligence},
url = {https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/},
language = {English},
urldate = {2020-01-13}
}
More_eggs, Anyone? Threat Actor ITG08 Strikes Again More_eggs FIN6 |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender @techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike |
2019-06-04 ⋅ Malwarebytes ⋅ Jérôme Segura @online{segura:20190604:magecart:7c1581d,
author = {Jérôme Segura},
title = {{Magecart skimmers found on Amazon CloudFront CDN}},
date = {2019-06-04},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/},
language = {English},
urldate = {2019-12-20}
}
Magecart skimmers found on Amazon CloudFront CDN magecart |
2019-05-19 ⋅ nrk ⋅ Henrik Lied, Peter Svaar, Dennis Ravndal, Anders Brekke, Kristine Hirsti @online{lied:20190519:skreddersydd:e16c8d8,
author = {Henrik Lied and Peter Svaar and Dennis Ravndal and Anders Brekke and Kristine Hirsti},
title = {{Skreddersydd dobbeltangrep mot Hydro}},
date = {2019-05-19},
organization = {nrk},
url = {https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202},
language = {Norwegian},
urldate = {2019-11-21}
}
Skreddersydd dobbeltangrep mot Hydro LockerGoga |
2019-05-13 ⋅ Amigo A @online{a:20190513:chacha:840508a,
author = {Amigo A},
title = {{ChaCha Ransomware}},
date = {2019-05-13},
url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html},
language = {Russian},
urldate = {2019-12-02}
}
ChaCha Ransomware Maze |
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch @online{govcertch:20190509:severe:2767782,
author = {GovCERT.ch},
title = {{Severe Ransomware Attacks Against Swiss SMEs}},
date = {2019-05-09},
organization = {GovCERT.ch},
url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes},
language = {English},
urldate = {2019-07-11}
}
Severe Ransomware Attacks Against Swiss SMEs Emotet LockerGoga Ryuk TrickBot |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
2019-05-04 ⋅ Abuse.io ⋅ Abuse.io @online{abuseio:20190504:abuseio:d5062ca,
author = {Abuse.io},
title = {{Abuse.io Report - Lockergoga}},
date = {2019-05-04},
organization = {Abuse.io},
url = {https://www.abuse.io/lockergoga.txt},
language = {English},
urldate = {2020-01-07}
}
Abuse.io Report - Lockergoga LockerGoga |
2019-05-03 ⋅ Trend Micro ⋅ Joseph C Chen @online{chen:20190503:mirrorthief:05f07e5,
author = {Joseph C Chen},
title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}},
date = {2019-05-03},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/},
language = {English},
urldate = {2019-11-27}
}
Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada magecart |
2019-05-01 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20190501:frameworkpos:376a823,
author = {Tony Lambert},
title = {{FrameworkPOS and the adequate persistent threat}},
date = {2019-05-01},
organization = {Red Canary},
url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/},
language = {English},
urldate = {2020-01-29}
}
FrameworkPOS and the adequate persistent threat Grateful POS |
2019-04-26 ⋅ Malwarebytes ⋅ Jérôme Segura @online{segura:20190426:github:ff4b558,
author = {Jérôme Segura},
title = {{GitHub hosted Magecart skimmer used against hundreds of e-commerce sites}},
date = {2019-04-26},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/},
language = {English},
urldate = {2019-12-20}
}
GitHub hosted Magecart skimmer used against hundreds of e-commerce sites magecart |
2019-04-24 ⋅ Weixin ⋅ Tencent @online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE |
2019-04-16 ⋅ Youtube (Norsk Hydro) ⋅ Norsk Hydro @online{hydro:20190416:cyber:ada48a4,
author = {Norsk Hydro},
title = {{The cyber attack rescue operation in Hydro Toulouse}},
date = {2019-04-16},
organization = {Youtube (Norsk Hydro)},
url = {https://www.youtube.com/watch?v=o6eEN0mUakM},
language = {English},
urldate = {2020-01-13}
}
The cyber attack rescue operation in Hydro Toulouse LockerGoga |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines @online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike |
2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock @online{mckeague:20190405:picksix:d101a59,
author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock},
title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}},
date = {2019-04-05},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html},
language = {English},
urldate = {2019-12-20}
}
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware LockerGoga Ryuk FIN6 |
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz @online{pinkas:20190402:triple:10a3e37,
author = {Noa Pinkas and Lior Rochberger and Matan Zatz},
title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}},
date = {2019-04-02},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware},
language = {English},
urldate = {2020-01-09}
}
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk Ryuk TrickBot |
2019-04-02 ⋅ HelpNetSecurity ⋅ Zeljka Zorz @online{zorz:20190402:lockergoga:7fe224d,
author = {Zeljka Zorz},
title = {{A LockerGoga primer and decrypters for Mira and Aurora ransomwares}},
date = {2019-04-02},
organization = {HelpNetSecurity},
url = {https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/},
language = {English},
urldate = {2019-12-16}
}
A LockerGoga primer and decrypters for Mira and Aurora ransomwares LockerGoga |
2019-03-26 ⋅ ANSSI ⋅ ANSSI @techreport{anssi:20190326:informations:7965c3d,
author = {ANSSI},
title = {{INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK}},
date = {2019-03-26},
institution = {ANSSI},
url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf},
language = {French},
urldate = {2020-01-10}
}
INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK Ryuk |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown |
2019-03-21 ⋅ DoublePulsar ⋅ Kevin Beaumont @online{beaumont:20190321:how:ecfbbf1,
author = {Kevin Beaumont},
title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}},
date = {2019-03-21},
organization = {DoublePulsar},
url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880},
language = {English},
urldate = {2019-11-29}
}
How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business LockerGoga |
2019-02-28 ⋅ RiskIQ ⋅ Yonathan Klijnsma @online{klijnsma:20190228:magecart:e2b0173,
author = {Yonathan Klijnsma},
title = {{Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime}},
date = {2019-02-28},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/},
language = {English},
urldate = {2020-01-06}
}
Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime magecart |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman @online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Systems}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Systems Cobalt Strike |
2019-02-26 ⋅ Fox-IT ⋅ Fox IT @online{it:20190226:identifying:689104d,
author = {Fox IT},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}
Identifying Cobalt Strike team servers in the wild Cobalt Strike |
2019-02-21 ⋅ Proofpoint ⋅ Proofpoint Threat Insight Team @online{team:20190221:fake:e94f77a,
author = {Proofpoint Threat Insight Team},
title = {{Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers}},
date = {2019-02-21},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers},
language = {English},
urldate = {2019-12-20}
}
Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers More_eggs |
2019-02-06 ⋅ CrowdStrike ⋅ Peyton Smith, Tim Parisi @online{smith:20190206:threat:4f138dc,
author = {Peyton Smith and Tim Parisi},
title = {{Threat Actor "Magecart": Coming to an eCommerce Store Near You}},
date = {2019-02-06},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/},
language = {English},
urldate = {2019-12-20}
}
Threat Actor "Magecart": Coming to an eCommerce Store Near You magecart |
2019-01-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190130:new:5c2d8da,
author = {Ionut Ilascu},
title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}},
date = {2019-01-30},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/},
language = {English},
urldate = {2019-12-20}
}
New LockerGoga Ransomware Allegedly Used in Altran Attack LockerGoga |
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer @online{goody:20190111:nasty:3c872d4,
author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer},
title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}},
date = {2019-01-11},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html},
language = {English},
urldate = {2019-12-20}
}
A Nasty Trick: From Credential Theft Malware to Business Disruption Ryuk TrickBot GRIM SPIDER WIZARD SPIDER |
2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel @online{hanel:20190110:big:7e10bdf,
author = {Alexander Hanel},
title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}},
date = {2019-01-10},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/},
language = {English},
urldate = {2019-12-20}
}
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER |
2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek @online{fokker:20190109:ryuk:350f477,
author = {John Fokker and Christiaan Beek},
title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}},
date = {2019-01-09},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/},
language = {English},
urldate = {2020-01-09}
}
Ryuk Ransomware Attack: Rush to Attribution Misses the Point Ryuk |
2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins @techreport{nicolao:2019:shinigamis:8397861,
author = {Gabriela Nicolao and Luciano Martins},
title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}},
date = {2019},
institution = {Virus Bulletin},
url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf},
language = {English},
urldate = {2020-01-05}
}
Shinigami's Revenge: The Long Tail of Ryuk Malware Ryuk |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:fin6:791eaef,
author = {MITRE ATT\&CK},
title = {{Group description: FIN6}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0037/},
language = {English},
urldate = {2019-12-20}
}
Group description: FIN6 FIN6 |
2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes @online{barboza:20181229:malware:d5d8d0d,
author = {Tony Barboza and Meg James and Emily Alpert Reyes},
title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}},
date = {2018-12-29},
organization = {Los Angeles Times},
url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html},
language = {English},
urldate = {2020-01-10}
}
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S. Ryuk |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr @online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe @online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold? Cobalt Strike APT 29 |
2018-10-17 ⋅ MITRE ATT&CK ⋅ MITRE @online{mitre:20181017:software:84822e8,
author = {MITRE},
title = {{Software Description: More_eggs}},
date = {2018-10-17},
organization = {MITRE ATT\&CK},
url = {https://attack.mitre.org/software/S0284/},
language = {English},
urldate = {2020-01-10}
}
Software Description: More_eggs More_eggs |
2018-10-08 ⋅ Morphisec ⋅ Michael Gorelik @online{gorelik:20181008:cobalt:dece0e0,
author = {Michael Gorelik},
title = {{Cobalt Group 2.0}},
date = {2018-10-08},
organization = {Morphisec},
url = {https://blog.morphisec.com/cobalt-gang-2.0},
language = {English},
urldate = {2020-01-05}
}
Cobalt Group 2.0 More_eggs |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels @techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT\&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-06-25}
}
ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
2018-10 ⋅ Group-IB ⋅ Group-IB @techreport{groupib:201810:hitech:420711f,
author = {Group-IB},
title = {{Hi-Tech Crime Trends 2018}},
date = {2018-10},
institution = {Group-IB},
url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf},
language = {English},
urldate = {2021-02-09}
}
Hi-Tech Crime Trends 2018 BackSwap Cobalt Strike Cutlet Meterpreter |
2018-09-27 ⋅ Secureworks ⋅ Counter Threat Unit Research Team @online{researchteam:20180927:cybercriminals:a7f1c24,
author = {Counter Threat Unit Research Team},
title = {{Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish}},
date = {2018-09-27},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish},
language = {English},
urldate = {2020-01-08}
}
Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish More_eggs Cobalt |
2018-09-18 ⋅ Trend Micro ⋅ Joseph C Chen @online{chen:20180918:magecart:af83872,
author = {Joseph C Chen},
title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}},
date = {2018-09-18},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/},
language = {English},
urldate = {2020-01-08}
}
Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites magecart |
2018-08-30 ⋅ NetScout ⋅ ASERT Team @online{team:20180830:double:e5d9e22,
author = {ASERT Team},
title = {{Double the Infection, Double the Fun}},
date = {2018-08-30},
organization = {NetScout},
url = {https://asert.arbornetworks.com/double-the-infection-double-the-fun/},
language = {English},
urldate = {2020-01-08}
}
Double the Infection, Double the Fun More_eggs CobInt |
2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog @online{cohen:20180820:ryuk:5756495,
author = {Itay Cohen and Ben Herzog},
title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}},
date = {2018-08-20},
organization = {Check Point},
url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/},
language = {English},
urldate = {2019-12-10}
}
Ryuk Ransomware: A Targeted Campaign Break-Down Ryuk |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida @online{endo:20180803:volatility:4597ce0,
author = {Takuya Endo and Yukako Uchida},
title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
date = {2018-08-03},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
language = {English},
urldate = {2019-07-11}
}
Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC @online{jpcertcc:20180731:scanner:d1757d9,
author = {JPCERT/CC},
title = {{Scanner for CobaltStrike}},
date = {2018-07-31},
organization = {Github (JPCERTCC)},
url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
language = {English},
urldate = {2020-01-13}
}
Scanner for CobaltStrike Cobalt Strike |
2018-07-31 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20180731:multiple:15a3457,
author = {Vanja Svajcer},
title = {{Multiple Cobalt Personality Disorder}},
date = {2018-07-31},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html},
language = {English},
urldate = {2019-12-15}
}
Multiple Cobalt Personality Disorder More_eggs |
2018-07-09 ⋅ RiskIQ ⋅ Yonathan Klijnsma, Jordan Herman @online{klijnsma:20180709:inside:e92fff2,
author = {Yonathan Klijnsma and Jordan Herman},
title = {{Inside and Beyond Ticketmaster: The Many Breaches of Magecart}},
date = {2018-07-09},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/},
language = {English},
urldate = {2020-01-12}
}
Inside and Beyond Ticketmaster: The Many Breaches of Magecart magecart |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa @online{ishikawa:20180521:confirmed:ad336b5,
author = {Yoshihiro Ishikawa},
title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
date = {2018-05-21},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
language = {Japanese},
urldate = {2019-10-27}
}
Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike |
2018-03-02 ⋅ Reaqta ⋅ Reaqta @online{reaqta:20180302:spearphishing:3d933a4,
author = {Reaqta},
title = {{Spear-phishing campaign leveraging on MSXSL}},
date = {2018-03-02},
organization = {Reaqta},
url = {https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/},
language = {English},
urldate = {2020-01-08}
}
Spear-phishing campaign leveraging on MSXSL More_eggs |
2017-12-13 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez @online{kremez:20171213:update:50a1f16,
author = {Vitali Kremez},
title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}},
date = {2017-12-13},
organization = {Vitali Kremez Blog},
url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html},
language = {English},
urldate = {2020-01-08}
}
Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth Grateful POS |
2017-12-08 ⋅ RSA ⋅ Kent Beckman @online{beckman:20171208:gratefulpos:0ba1053,
author = {Kent Beckman},
title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}},
date = {2017-12-08},
organization = {RSA},
url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season},
language = {English},
urldate = {2020-01-08}
}
GratefulPOS credit card stealing malware - just in time for the shopping season Grateful POS |
2017-11-20 ⋅ Trend Micro ⋅ Ronnie Giagone, Lenart Bermejo, Fyodor Yarochkin @online{giagone:20171120:cobalt:fb5c2ed,
author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin},
title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}},
date = {2017-11-20},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/},
language = {English},
urldate = {2019-10-29}
}
Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks More_eggs Cobalt |
2017-08-07 ⋅ Trend Micro ⋅ Lenart Bermejo, Ronnie Giagone, Rubio Wu, Fyodor Yarochkin @online{bermejo:20170807:backdoorcarrying:317ebe3,
author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin},
title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}},
date = {2017-08-07},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/},
language = {English},
urldate = {2020-01-09}
}
Backdoor-carrying Emails Set Sights on Russian-speaking Businesses More_eggs |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl @online{ahl:20170606:privileges:9598d5f,
author = {Ian Ahl},
title = {{Privileges and Credentials: Phished at the Request of Counsel}},
date = {2017-06-06},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
language = {English},
urldate = {2019-12-20}
}
Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike |
2016-10-11 ⋅ Symantec ⋅ Symantec Security Response @online{response:20161011:odinaff:36b35db,
author = {Symantec Security Response},
title = {{Odinaff: New Trojan used in high level financial attacks}},
date = {2016-10-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
language = {English},
urldate = {2019-12-05}
}
Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff Anunak |
2016-04 ⋅ FireEye ⋅ FireEye @techreport{fireeye:201604:follow:5df2e81,
author = {FireEye},
title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}},
date = {2016-04},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf},
language = {English},
urldate = {2020-04-23}
}
Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6 Grateful POS FIN6 |
2012 ⋅ Cobalt Strike ⋅ Cobalt Strike @online{strike:2012:cobalt:8522cdd,
author = {Cobalt Strike},
title = {{Cobalt Strike Website}},
date = {2012},
organization = {Cobalt Strike},
url = {https://www.cobaltstrike.com/support},
language = {English},
urldate = {2020-01-13}
}
Cobalt Strike Website Cobalt Strike |