Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.
@online{reaves:20210420:cobaltstrike:d18d4c4,
  author       = {Reaves, Jason},
  title        = {{CobaltStrike Stager Utilizing Floating Point Math}},
  organization = {Medium walmartglobaltech},
  date         = {2021-04-20},
  url          = {https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718},
  urldate      = {2021-04-20},
  language     = {English},
}
CobaltStrike Stager Utilizing Floating Point Math Cobalt Strike |
@online{hjelmvik:20210419:analysing:c6bff49,
  author       = {Hjelmvik, Erik},
  title        = {{Analysing a malware PCAP with IcedID and Cobalt Strike traffic}},
  organization = {Netresec},
  date         = {2021-04-19},
  url          = {https://netresec.com/?b=214d7ff},
  urldate      = {2021-04-20},
  language     = {English},
}
Analysing a malware PCAP with IcedID and Cobalt Strike traffic Cobalt Strike IcedID |
@online{stevens:20210418:decoding:18e5319,
  author       = {Stevens, Didier},
  title        = {{Decoding Cobalt Strike Traffic}},
  organization = {YouTube (dist67)},
  date         = {2021-04-18},
  url          = {https://www.youtube.com/watch?v=ysN-MqyIN7M},
  urldate      = {2021-04-20},
  language     = {English},
}
Decoding Cobalt Strike Traffic Cobalt Strike |
@online{uscert:20210415:malware:27f4af4,
  author       = {US-CERT},
  title        = {{Malware Analysis Report (AR21-105A): SUNSHUTTLE}},
  organization = {CISA},
  date         = {2021-04-15},
  url          = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a},
  urldate      = {2021-04-16},
  language     = {English},
}
Malware Analysis Report (AR21-105A): SUNSHUTTLE GoldMax |
@online{nato:20210415:north:823013b,
  author       = {NATO},
  title        = {{North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia}},
  organization = {North Atlantic Treaty Organization},
  date         = {2021-04-15},
  url          = {https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en},
  urldate      = {2021-04-16},
  language     = {English},
}
North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia SUNBURST |
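@comment{Corporate author wrapped in a second brace pair so the name is kept as one
  indivisible surname instead of being split into first/von/last parts (the generated
  key "latvia:..." shows the original was parsed that way). Key left unchanged.}
@online{latvia:20210415:latvias:9f5fa8a,
  author       = {{Ministry of foreign affairs of the Republic of Latvia}},
  title        = {{Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities}},
  organization = {Ministry of foreign affairs of the Republic of Latvia},
  date         = {2021-04-15},
  url          = {https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities},
  urldate      = {2021-04-16},
  language     = {English},
}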
Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities SUNBURST |
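@comment{Corporate author double-braced: "of the" would otherwise be read as a von
  part and "European Union" as the surname (cf. the generated key "union:...").
  Key left unchanged.}
@online{union:20210415:declaration:f535296,
  author       = {{Council of the European Union}},
  title        = {{Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation}},
  organization = {European Council},
  date         = {2021-04-15},
  url          = {https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation},
  urldate      = {2021-04-16},
  language     = {English},
}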
Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation SUNBURST |
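@comment{Corporate author double-braced so it is not split into name parts
  (cf. the generated key "poland:..."). Key left unchanged.}
@online{poland:20210415:statement:3a57d39,
  author       = {{Ministry of Foreign Affairs Republic of Poland}},
  title        = {{Statement on Solar Winds Orion cyberattacks}},
  organization = {Ministry of Foreign Affairs Republic of Poland},
  date         = {2021-04-15},
  url          = {https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks},
  urldate      = {2021-04-16},
  language     = {English},
}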
Statement on Solar Winds Orion cyberattacks SUNBURST |
@online{duncan:20210414:april:4a29cb5,
  author       = {Duncan, Brad},
  title        = {{April 2021 Forensic Quiz: Answers and Analysis}},
  organization = {InfoSec Handlers Diary Blog},
  date         = {2021-04-14},
  url          = {https://isc.sans.edu/diary/27308},
  urldate      = {2021-04-14},
  language     = {English},
}
April 2021 Forensic Quiz: Answers and Analysis Anchor BazarBackdoor Cobalt Strike |
@online{ancarani:20210409:detecting:01d28ed,
  author       = {Ancarani, Riccardo and Ginesi, Giulio},
  title        = {{Detecting Exposed Cobalt Strike DNS Redirectors}},
  organization = {F-Secure},
  date         = {2021-04-09},
  url          = {https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors},
  urldate      = {2021-04-14},
  language     = {English},
}
Detecting Exposed Cobalt Strike DNS Redirectors Cobalt Strike |
@online{warner:20210407:using:a7d19fd,
  author       = {Warner, Justin},
  title        = {{Using Kaitai Struct to Parse Cobalt Strike Beacon Configs}},
  organization = {Medium sixdub},
  date         = {2021-04-07},
  url          = {https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e},
  urldate      = {2021-04-09},
  language     = {English},
}
Using Kaitai Struct to Parse Cobalt Strike Beacon Configs Cobalt Strike |
@online{reaves:20210405:trickbot:a6b0592,
  author       = {Reaves, Jason and Platt, Joshua},
  title        = {{TrickBot Crews New CobaltStrike Loader}},
  organization = {Medium walmartglobaltech},
  date         = {2021-04-05},
  url          = {https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c},
  urldate      = {2021-04-06},
  language     = {English},
}
TrickBot Crews New CobaltStrike Loader Cobalt Strike TrickBot |
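@comment{Stray empty fragment marker (trailing "#") dropped from the url; it carried
  no information and is not part of the resource identifier.}
@online{slowik:20210401:covid19:6a96e45,
  author       = {Slowik, Joe},
  title        = {{COVID-19 Phishing With a Side of Cobalt Strike}},
  organization = {DomainTools},
  date         = {2021-04-01},
  url          = {https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike},
  urldate      = {2021-04-06},
  language     = {English},
}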
COVID-19 Phishing With a Side of Cobalt Strike Cobalt Strike |
@online{duncan:20210401:hancitors:8876ca1,
  author       = {Duncan, Brad},
  title        = {{Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2021-04-01},
  url          = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/},
  urldate      = {2021-04-06},
  language     = {English},
}
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool Cobalt Strike Hancitor |
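@comment{Corporate author double-braced: "Red Canary" was being parsed as
  first name "Red", surname "Canary" (cf. the generated key "canary:...").
  Key left unchanged.}
@techreport{canary:20210331:2021:cd81f2d,
  author      = {{Red Canary}},
  title       = {{2021 Threat Detection Report}},
  institution = {Red Canary},
  date        = {2021-03-31},
  url         = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf},
  urldate     = {2021-04-06},
  language    = {English},
}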
2021 Threat Detection Report Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot |
@online{schmitt:20210330:yet:9855592,
  author       = {Schmitt, Drew},
  title        = {{Yet Another Cobalt Strike Stager: GUID Edition}},
  organization = {GuidePoint Security},
  date         = {2021-03-30},
  url          = {https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/},
  urldate      = {2021-04-06},
  language     = {English},
}
Yet Another Cobalt Strike Stager: GUID Edition Cobalt Strike |
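@comment{Corporate author double-braced: "The DFIR Report" was being parsed as
  first name "The DFIR", surname "Report" (cf. the generated key "report:...").
  Key left unchanged.}
@online{report:20210329:sodinokibi:4c63e20,
  author       = {{The DFIR Report}},
  title        = {{Sodinokibi (aka REvil) Ransomware}},
  organization = {The DFIR Report},
  date         = {2021-03-29},
  url          = {https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/},
  urldate      = {2021-03-30},
  language     = {English},
}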
Sodinokibi (aka REvil) Ransomware Cobalt Strike IcedID REvil |
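@comment{Bare ampersand in the title escaped as "\&"; unescaped it reaches LaTeX as an
  alignment tab and breaks the bibliography build. Everything else unchanged.}
@online{stevens:20210321:finding:92a9a4d,
  author       = {Stevens, Didier},
  title        = {{Finding Metasploit \& Cobalt Strike URLs}},
  organization = {YouTube (dist67)},
  date         = {2021-03-21},
  url          = {https://www.youtube.com/watch?v=WW0_TgWT2gs},
  urldate      = {2021-03-25},
  language     = {English},
}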
Finding Metasploit & Cobalt Strike URLs Cobalt Strike |
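@comment{Corporate author double-braced so "Blackberry Research" is one name rather
  than first/surname (cf. the generated key "research:..."). Key left unchanged.}
@techreport{research:20210321:2021:a393473,
  author      = {{Blackberry Research}},
  title       = {{2021 Threat Report}},
  institution = {Blackberry},
  date        = {2021-03-21},
  url         = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
  urldate     = {2021-03-25},
  language    = {English},
}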
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
@online{cisa:20210318:cisa:49f510f,
  author       = {CISA},
  title        = {{CISA Hunt and Incident Response Program (CHIRP)}},
  organization = {Github (cisagov)},
  date         = {2021-03-18},
  url          = {https://github.com/cisagov/CHIRP},
  urldate      = {2021-03-19},
  language     = {English},
}
CISA Hunt and Incident Response Program (CHIRP) SUNBURST |
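@comment{Missing space restored in the title ("Group Threat"); the dropped space
  looked like a paste artefact rather than part of the report name.}
@techreport{prodaft:20210318:silverfish:f203208,
  author      = {PRODAFT},
  title       = {{SilverFish Group Threat Actor Report}},
  institution = {PRODAFT Threat Intelligence},
  date        = {2021-03-18},
  url         = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf},
  urldate     = {2021-04-06},
  language    = {English},
}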
SilverFish Group Threat Actor Report Cobalt Strike Dridex Koadic |
@online{uscert:20210318:alert:bff148c,
  author       = {US-CERT},
  title        = {{Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool}},
  organization = {CISA},
  date         = {2021-03-18},
  url          = {https://us-cert.cisa.gov/ncas/alerts/aa21-077a},
  urldate      = {2021-03-19},
  language     = {English},
}
Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool SUNBURST |
@techreport{uscert:20210317:solarwinds:3d7860a,
  author      = {US-CERT},
  title       = {{SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures}},
  institution = {CISA},
  date        = {2021-03-17},
  url         = {https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf},
  urldate     = {2021-03-19},
  language    = {English},
}
SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures SUNBURST |
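@comment{Corporate author double-braced: "McAfee ATR" was being split into first name
  "McAfee", surname "ATR" (cf. the generated key "atr:..."). Key left unchanged.}
@techreport{atr:20210316:technical:8c4909a,
  author      = {{McAfee ATR}},
  title       = {{Technical Analysis of Operation Diànxùn}},
  institution = {McAfee},
  date        = {2021-03-16},
  url         = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf},
  urldate     = {2021-03-22},
  language    = {English},
}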
Technical Analysis of Operation Diànxùn Cobalt Strike |
@online{desimone:20210316:detecting:4091130,
  author       = {Desimone, Joe},
  title        = {{Detecting Cobalt Strike with memory signatures}},
  organization = {Elastic},
  date         = {2021-03-16},
  url          = {https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures},
  urldate      = {2021-03-22},
  language     = {English},
}
Detecting Cobalt Strike with memory signatures Cobalt Strike |
@online{mimecast:20210316:incident:2c3e79a,
  author       = {Mimecast},
  title        = {{Incident Report}},
  organization = {Mimecast},
  date         = {2021-03-16},
  url          = {https://www.mimecast.com/incident-report/},
  urldate      = {2021-03-22},
  language     = {English},
}
Incident Report SUNBURST |
@online{campbell:20210311:you:7bd2342,
  author       = {Campbell, Josh},
  title        = {{You Don't Know the HAFNIUM of it...}},
  organization = {Cyborg Security},
  date         = {2021-03-11},
  url          = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
  urldate      = {2021-03-16},
  language     = {English},
}
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
@comment{NOTE(review): author and organization are the reverse of the other
  us-cert.cisa.gov entries in this list (author US-CERT, organization CISA);
  confirm which attribution is intended and normalise. Values left as given.}
@online{cisa:20210310:remediating:23bf74d,
  author       = {CISA},
  title        = {{Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise}},
  organization = {US-CERT},
  date         = {2021-03-10},
  url          = {https://us-cert.cisa.gov/remediating-apt-compromised-networks},
  urldate      = {2021-03-12},
  language     = {English},
}
Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise SUNBURST |
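@comment{Corporate co-author "Proofpoint Threat Research Team" braced so it is kept as
  one name in the author list; the two personal names are in "Last, First" form.}
@online{schwarz:20210310:nimzaloader:f6960d4,
  author       = {Schwarz, Dennis and Mesa, Matthew and {Proofpoint Threat Research Team}},
  title        = {{NimzaLoader: TA800’s New Initial Access Malware}},
  organization = {Proofpoint},
  date         = {2021-03-10},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware},
  urldate      = {2021-03-12},
  language     = {English},
}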
NimzaLoader: TA800’s New Initial Access Malware BazarNimrod Cobalt Strike |
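@comment{Two fixes: the bare ampersand in the title is escaped as "\&" (otherwise a
  LaTeX alignment-tab error), and the corporate author is double-braced so it is not
  split into first name "Security Research", surname "Team" (cf. key "team:...").}
@online{team:20210309:cloud:4deeb78,
  author       = {{Security Research Team}},
  title        = {{Cloud Federated Credential Abuse \& Cobalt Strike: Threat Research February 2021}},
  organization = {splunk},
  date         = {2021-03-09},
  url          = {https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html},
  urldate      = {2021-03-11},
  language     = {English},
}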
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 Cobalt Strike |
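@comment{Corporate author double-braced so "The DFIR Report" is one indivisible name
  (cf. the generated key "report:..."). Key left unchanged.}
@online{report:20210308:bazar:ba050d7,
  author       = {{The DFIR Report}},
  title        = {{Bazar Drops the Anchor}},
  organization = {The DFIR Report},
  date         = {2021-03-08},
  url          = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/},
  urldate      = {2021-03-10},
  language     = {English},
}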
Bazar Drops the Anchor Anchor BazarBackdoor Cobalt Strike |
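@comment{Bare ampersand in "ATT&CK" escaped as "\&" so the title compiles under LaTeX.
  Organization spelling ("Youtube") left as given although other entries use "YouTube".}
@online{nickels:20210308:star:083eb29,
  author       = {Nickels, Katie and Pennington, Adam and Burns, Jen},
  title        = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT\&CK(R)}},
  organization = {Youtube (SANS Digital Forensics and Incident Response)},
  date         = {2021-03-08},
  url          = {https://www.youtube.com/watch?v=LA-XE5Jy2kU},
  urldate      = {2021-03-11},
  language     = {English},
}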
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R) Cobalt Strike SUNBURST TEARDROP |
@online{sur:20210308:sunshuttle:a45d8a5,
  author       = {Sur, Suvaditya},
  title        = {{Sunshuttle Malware}},
  organization = {x0r19x91.gitlab.io},
  date         = {2021-03-08},
  url          = {https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/},
  urldate      = {2021-03-11},
  language     = {English},
}
Sunshuttle Malware GoldMax |
@online{stevens:20210307:pcaps:980212d,
  author       = {Stevens, Didier},
  title        = {{PCAPs and Beacons}},
  organization = {InfoSec Handlers Diary Blog},
  date         = {2021-03-07},
  url          = {https://isc.sans.edu/diary/rss/27176},
  urldate      = {2021-03-11},
  language     = {English},
}
PCAPs and Beacons Cobalt Strike |
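@comment{The two team names in the author list are braced so each stays a single
  corporate name rather than being split into first/last parts. NOTE(review): this
  entry and nafisi:20210304:goldmax:f699172 cite the same post (url differs only by a
  trailing slash) and should probably be merged into one entry.}
@online{nafisi:20210304:goldmax:3fa3f68,
  author       = {Nafisi, Ramin and Lelli, Andrea and {Microsoft Threat Intelligence Center (MSTIC)} and {Microsoft 365 Defender Threat Intelligence Team}},
  title        = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}},
  organization = {Microsoft},
  date         = {2021-03-04},
  url          = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware},
  urldate      = {2021-03-06},
  language     = {English},
}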
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence SUNBURST TEARDROP UNC2452 |
@comment{NOTE(review): duplicate of nafisi:20210304:goldmax:3fa3f68 (same post, url
  differs only by the trailing slash); consider merging. Values left as given.}
@online{nafisi:20210304:goldmax:f699172,
  author       = {Nafisi, Ramin and Lelli, Andrea},
  title        = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}},
  organization = {Microsoft},
  date         = {2021-03-04},
  url          = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/},
  urldate      = {2021-03-07},
  language     = {English},
}
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence GoldMax |
@online{smith:20210304:new:53f1d8d,
  author       = {Smith, Lindsay and Leathery, Jonathan and Read, Ben},
  title        = {{New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452}},
  organization = {FireEye},
  date         = {2021-03-04},
  url          = {https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html},
  urldate      = {2021-03-06},
  language     = {English},
}
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 UNC2452 |
@online{microsoft:20210301:detect:330c71c,
  author       = {Microsoft},
  title        = {{Detect and defend against the recent nation-state cyber attack}},
  organization = {Microsoft},
  date         = {2021-03-01},
  url          = {https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance},
  urldate      = {2021-03-04},
  language     = {English},
}
Detect and defend against the recent nation-state cyber attack SUNBURST |
@online{platt:20210301:investigation:a7851d5,
  author       = {Platt, Joshua and Reaves, Jason},
  title        = {{Investigation into the state of Nim malware}},
  organization = {Medium walmartglobaltech},
  date         = {2021-03-01},
  url          = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811},
  urldate      = {2021-03-04},
  language     = {English},
}
Investigation into the state of Nim malware BazarNimrod Cobalt Strike |
@online{platt:20210301:nimar:c26af08,
  author       = {Platt, Joshua and Reaves, Jason},
  title        = {{Nimar Loader}},
  organization = {Medium walmartglobaltech},
  date         = {2021-03-01},
  url          = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e},
  urldate      = {2021-03-04},
  language     = {English},
}
Nimar Loader BazarBackdoor BazarNimrod Cobalt Strike |
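@comment{Corporate author double-braced: "PWC UK" was being parsed as first name "PWC",
  surname "UK" (cf. the generated key "uk:..."). Key left unchanged.}
@techreport{uk:20210228:cyber:bd780cd,
  author      = {{PWC UK}},
  title       = {{Cyber Threats 2020: A Year in Retrospect}},
  institution = {PWC UK},
  date        = {2021-02-28},
  url         = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
  urldate     = {2021-03-04},
  language    = {English},
}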
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare |
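@comment{Analytics-only "utm_*" query parameters stripped from the url: they identify
  the click campaign, not the article, and leak referrer context to the publisher on
  every resolution. The path is unchanged.}
@online{loui:20210226:hypervisor:8dadf9c,
  author       = {Loui, Eric and Frankoff, Sergei},
  title        = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}},
  organization = {CrowdStrike},
  date         = {2021-02-26},
  url          = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/},
  urldate      = {2021-03-02},
  language     = {English},
}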
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil |
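@comment{Corporate author double-braced: "Oversight Committee" was being parsed as
  first name "Oversight", surname "Committee" (cf. the generated key "committee:...").
  Key left unchanged.}
@online{committee:20210226:weathering:6dfb09f,
  author       = {{Oversight Committee}},
  title        = {{Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign}},
  organization = {YouTube (Oversight Committee)},
  date         = {2021-02-26},
  url          = {https://www.youtube.com/watch?v=dV2QTLSecpc},
  urldate      = {2021-03-25},
  language     = {English},
}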
Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign SUNBURST |
@online{abdo:20210225:so:88f3400,
  author       = {Abdo, Bryce and McKeague, Brendan and Ta, Van},
  title        = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}},
  organization = {FireEye},
  date         = {2021-02-25},
  url          = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html},
  urldate      = {2021-03-02},
  language     = {English},
}
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations Cobalt Strike Egregor IcedID Maze SystemBC |
@comment{The "%20" in the url is passed through verbatim by Biber (this file uses
  biblatex fields such as date and urldate); under classic BibTeX a literal "%" would
  need escaping or a url-aware style.}
@online{microsoft:20210225:codeql:a43a525,
  author       = {Microsoft},
  title        = {{CodeQL queries to hunt for Solorigate activity}},
  organization = {Microsoft},
  date         = {2021-02-25},
  url          = {https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign},
  urldate      = {2021-02-25},
  language     = {English},
}
CodeQL queries to hunt for Solorigate activity SUNBURST |
@comment{NOTE(review): urldate (2021-02-20) is earlier than date (2021-02-25), i.e. the
  page was recorded as accessed before publication; one of the two dates is probably
  wrong. Values left as given since the correct one cannot be determined here.}
@online{rector:20210225:light:005aa58,
  author       = {Rector, Andrew and Bromiley, Matt and Mandiant},
  title        = {{Light in the Dark: Hunting for SUNBURST}},
  organization = {BrightTALK (FireEye)},
  date         = {2021-02-25},
  url          = {https://www.brighttalk.com/webcast/7451/469525},
  urldate      = {2021-02-20},
  language     = {English},
}
Light in the Dark: Hunting for SUNBURST SUNBURST |
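@comment{Corporate author double-braced so "Microsoft Identity Security Team" is one
  name rather than first name plus surname "Team" (cf. the generated key "team:...").
  Key left unchanged.}
@online{team:20210225:microsoft:bd11fce,
  author       = {{Microsoft Identity Security Team}},
  title        = {{Microsoft open sources CodeQL queries used to hunt for Solorigate activity}},
  organization = {Microsoft},
  date         = {2021-02-25},
  url          = {https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/},
  urldate      = {2021-02-25},
  language     = {English},
}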
Microsoft open sources CodeQL queries used to hunt for Solorigate activity SUNBURST |
@online{gatlan:20210224:nasa:646b084,
  author       = {Gatlan, Sergiu},
  title        = {{NASA and the FAA were also breached by the SolarWinds hackers}},
  organization = {Bleeping Computer},
  date         = {2021-02-24},
  url          = {https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/},
  urldate      = {2021-02-25},
  language     = {English},
}
NASA and the FAA were also breached by the SolarWinds hackers SUNBURST |
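@comment{Corporate author double-braced: "Amnesty International" was being parsed as
  first name "Amnesty", surname "International" (cf. the generated key
  "international:..."). Key left unchanged.}
@online{international:20210224:overview:95b80e0,
  author       = {{Amnesty International}},
  title        = {{Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders}},
  organization = {Github (AmnestyTech)},
  date         = {2021-02-24},
  url          = {https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam},
  urldate      = {2021-02-25},
  language     = {English},
}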
Overview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders OceanLotus Cobalt Strike KerrDown |
@techreport{haruyama:20210224:knock:f4903a2,
  author      = {Haruyama, Takahiro},
  title       = {{Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation}},
  institution = {VMWare Carbon Black},
  date        = {2021-02-24},
  url         = {https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf},
  urldate     = {2021-02-26},
  language    = {Japanese},
}
Knock, knock, Neo. - Active C2 Discovery Using Protocol Emulation Cobalt Strike |
@techreport{crowdstrike:20210223:2021:bf5bc4f,
  author      = {CrowdStrike},
  title       = {{2021 Global Threat Report}},
  institution = {CrowdStrike},
  date        = {2021-02-23},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
  urldate     = {2021-02-25},
  language    = {English},
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader |
@online{sonntag:20210219:behind:a40f5e6,
  author       = {Sonntag, Lior and Alon, Dror},
  title        = {{Behind the Scenes of the SunBurst Attack}},
  organization = {THE NEW STACK},
  date         = {2021-02-19},
  url          = {https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/},
  urldate      = {2021-02-20},
  language     = {English},
}
Behind the Scenes of the SunBurst Attack SUNBURST |
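@comment{Organization corrected from "apirro" to "Apiiro", matching the vendor name in
  the url host (blog.apiiro.com). Key left unchanged.}
@online{levy:20210217:detect:e5bdc1b,
  author       = {Levy, Ariel},
  title        = {{Detect and prevent the SolarWinds build-time code injection attack}},
  organization = {Apiiro},
  date         = {2021-02-17},
  url          = {https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack},
  urldate      = {2021-02-20},
  language     = {English},
}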
Detect and prevent the SolarWinds build-time code injection attack SUNBURST |
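@comment{Typo fixed in the descriptive title ("Investigaton" -> "Investigation"); the
  title is the catalogue's own description of the video, not a verbatim source title.}
@online{neuberger:20210217:update:f24ad1e,
  author       = {Neuberger, Anne},
  title        = {{Update on Investigation on Solarwinds supply chain attack from the Deputy National Security Advisor}},
  organization = {YouTube (The White House)},
  date         = {2021-02-17},
  url          = {https://youtu.be/Ta_vatZ24Cs?t=59},
  urldate      = {2021-02-18},
  language     = {English},
}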
Update on Investigation on Solarwinds supply chain attack from the Deputy National Security Advisor SUNBURST |
@online{hjelmvik:20210217:targeting:6deceed,
  author       = {Hjelmvik, Erik},
  title        = {{Targeting Process for the SolarWinds Backdoor}},
  organization = {Netresec},
  date         = {2021-02-17},
  url          = {https://netresec.com/?b=212a6ad},
  urldate      = {2021-02-18},
  language     = {English},
}
Targeting Process for the SolarWinds Backdoor SUNBURST |
@online{berninger:20210216:hard:55e809e,
  author       = {Berninger, Alexandrea},
  title        = {{Hard lessons learned: Threat intel takeaways from the community response to Solarigate}},
  organization = {Accenture},
  date         = {2021-02-16},
  url          = {https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate},
  urldate      = {2021-02-20},
  language     = {English},
}
Hard lessons learned: Threat intel takeaways from the community response to Solarigate SUNBURST TEARDROP |
@online{bromiley:20210216:light:5541ad4,
  author       = {Bromiley, Matt and Rector, Andrew and Wallace, Robert},
  title        = {{Light in the Dark: Hunting for SUNBURST}},
  organization = {FireEye},
  date         = {2021-02-16},
  url          = {https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html},
  urldate      = {2021-02-20},
  language     = {English},
}
Light in the Dark: Hunting for SUNBURST SUNBURST |
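@comment{Corporate author double-braced so "The DFIR Report" is one name (cf. the
  generated key "report:..."), and the typo "cobaltsrike" fixed in the descriptive
  title, which is the catalogue's own wording rather than the tweet text.}
@online{report:20210211:hancitor:9fa527e,
  author       = {{The DFIR Report}},
  title        = {{Tweet on Hancitor Activity followed by cobaltstrike beacon}},
  organization = {Twitter (@TheDFIRReport)},
  date         = {2021-02-11},
  url          = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
  urldate      = {2021-02-18},
  language     = {English},
}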
Tweet on Hancitor Activity followed by cobaltstrike beacon Cobalt Strike Hancitor |
@online{securehat:20210209:extracting:0f4ae2f,
  author       = {Securehat},
  title        = {{Extracting the Cobalt Strike Config from a TEARDROP Loader}},
  organization = {Securehat},
  date         = {2021-02-09},
  url          = {https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader},
  urldate      = {2021-02-10},
  language     = {English},
}
Extracting the Cobalt Strike Config from a TEARDROP Loader Cobalt Strike TEARDROP |
@online{mudge:20210209:learn:c08b657,
  author       = {Mudge, Raphael},
  title        = {{Learn Pipe Fitting for all of your Offense Projects}},
  organization = {Cobalt Strike},
  date         = {2021-02-09},
  url          = {https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/},
  urldate      = {2021-02-10},
  language     = {English},
}
Learn Pipe Fitting for all of your Offense Projects Cobalt Strike |
@online{uscert:20210208:malware:3a963a6,
  author       = {US-CERT},
  title        = {{Malware Analysis Report (AR21-039A): SUNBURST}},
  organization = {US-CERT},
  date         = {2021-02-08},
  url          = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a},
  urldate      = {2021-02-09},
  language     = {English},
}
Malware Analysis Report (AR21-039A): SUNBURST SUNBURST |
@online{uscert:20210208:malware:f32efbc,
  author       = {US-CERT},
  title        = {{Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP}},
  organization = {US-CERT},
  date         = {2021-02-08},
  url          = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b},
  urldate      = {2021-02-09},
  language     = {English},
}
Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP TEARDROP |
@online{duncan:20210203:excel:8e949c9,
  author       = {Duncan, Brad},
  title        = {{Excel spreadsheets push SystemBC malware}},
  organization = {InfoSec Handlers Diary Blog},
  date         = {2021-02-03},
  url          = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/},
  urldate      = {2021-02-04},
  language     = {English},
}
Excel spreadsheets push SystemBC malware Cobalt Strike SystemBC |
@online{earp:20210202:how:923f969,
  author       = {Earp, Madeline},
  title        = {{How Vietnam-based hacking operation OceanLotus targets journalists}},
  organization = {Committee to Protect Journalists},
  date         = {2021-02-02},
  url          = {https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists},
  urldate      = {2021-02-04},
  language     = {English},
}
How Vietnam-based hacking operation OceanLotus targets journalists Cobalt Strike |
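2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report @online{report:20210202:recent:5272ed0,
  author       = {{The DFIR Report}},
  title        = {Tweet on recent dridex post infection activity},
  date         = {2021-02-02},
  organization = {Twitter (@TheDFIRReport)},
  url          = {https://twitter.com/TheDFIRReport/status/1356729371931860992},
  language     = {English},
  urldate      = {2021-02-04},
}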
Tweet on recent dridex post infection activity Cobalt Strike Dridex |
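2021-02-02 ⋅ CRONUP ⋅ Germán Fernández @online{fernndez:20210202:de:6ff4f3a,
  author       = {Fernández, Germán},
  title        = {De ataque con {Malware} a incidente de {Ransomware}},
  date         = {2021-02-02},
  organization = {CRONUP},
  url          = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware},
  language     = {Spanish},
  urldate      = {2021-03-02},
}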
De ataque con Malware a incidente de Ransomware Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
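2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210201:bluecrab:df21c0a,
  author        = {{ASEC Analysis Team}},
  title         = {{BlueCrab} ransomware, {CobaltStrike} hacking tool installed in corporate environment},
  date          = {2021-02-01},
  organization  = {AhnLab},
  url           = {https://asec.ahnlab.com/ko/19860/},
  language      = {English},
  urldate       = {2021-02-06},
  internal-note = {language is given as English but the URL path is /ko/; the other AhnLab entry with a /ko/ path is marked Korean -- verify},
}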
BlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment Cobalt Strike REvil |
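2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis @online{koutroumpis:20210201:relay:596413f,
  author       = {Koutroumpis, Petros},
  title        = {Relay Attacks via {Cobalt Strike} Beacons},
  date         = {2021-02-01},
  organization = {pkb1s.github.io},
  url          = {https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/},
  language     = {English},
  urldate      = {2021-02-04},
}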
Relay Attacks via Cobalt Strike Beacons Cobalt Strike |
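2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210131:bazar:c3b3859,
  author       = {{The DFIR Report}},
  title        = {{Bazar}, No {Ryuk}?},
  date         = {2021-01-31},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/},
  language     = {English},
  urldate      = {2021-02-02},
}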
Bazar, No Ryuk? BazarBackdoor Cobalt Strike Ryuk |
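2021-01-29 ⋅ Aon ⋅ Partha Alwar, Carly Battaile, Alex Parsons @online{alwar:20210129:cloudy:e701758,
  author       = {Alwar, Partha and Battaile, Carly and Parsons, Alex},
  title        = {Cloudy with a Chance of Persistent Email Access},
  date         = {2021-01-29},
  organization = {Aon},
  url          = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/},
  language     = {English},
  urldate      = {2021-02-09},
}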
Cloudy with a Chance of Persistent Email Access SUNBURST |
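2021-01-28 ⋅ Check Point ⋅ Lior Sonntag @online{sonntag:20210128:deep:99eb275,
  author       = {Sonntag, Lior},
  title        = {Deep into the {SunBurst} Attack},
  date         = {2021-01-28},
  organization = {Check Point},
  url          = {https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/},
  language     = {English},
  urldate      = {2021-02-02},
}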
Deep into the SunBurst Attack SUNBURST |
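2021-01-28 ⋅ YouTube (Microsoft Security Community) ⋅ Microsoft @online{microsoft:20210128:microsoft:9c8f303,
  author       = {{Microsoft}},
  title        = {{Microsoft 365 Defender} webinar: Protect, Detect, and Respond to {Solorigate} using {M365 Defender}},
  date         = {2021-01-28},
  organization = {YouTube (Microsoft Security Community)},
  url          = {https://www.youtube.com/watch?v=-Vsgmw2G4Wo},
  language     = {English},
  urldate      = {2021-03-19},
}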
Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender SUNBURST |
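2021-01-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20210128:bluecrab:44d2e64,
  author       = {{ASEC Analysis Team}},
  title        = {{BlueCrab} ransomware constantly trying to bypass detection},
  date         = {2021-01-28},
  organization = {AhnLab},
  url          = {https://asec.ahnlab.com/ko/19640/},
  language     = {Korean},
  urldate      = {2021-02-04},
}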
BlueCrab ransomware constantly trying to bypass detection Cobalt Strike REvil |
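2021-01-28 ⋅ TrustedSec ⋅ Adam Chester @online{chester:20210128:tailoring:d3f973c,
  author       = {Chester, Adam},
  title        = {Tailoring {Cobalt Strike} on Target},
  date         = {2021-01-28},
  organization = {TrustedSec},
  url          = {https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/},
  language     = {English},
  urldate      = {2021-01-29},
}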
Tailoring Cobalt Strike on Target Cobalt Strike |
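2021-01-26 ⋅ Bleeping Computer ⋅ Sergiu Gatlan @online{gatlan:20210126:mimecast:ef80465,
  author       = {Gatlan, Sergiu},
  title        = {{Mimecast} links security breach to {SolarWinds} hackers},
  date         = {2021-01-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/},
  language     = {English},
  urldate      = {2021-01-27},
}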
Mimecast links security breach to SolarWinds hackers SUNBURST |
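2021-01-26 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT @online{cert:20210126:sunburst:0170800,
  author       = {{Kaspersky Lab ICS CERT}},
  title        = {{SunBurst} industrial victims},
  date         = {2021-01-26},
  organization = {Kaspersky Labs},
  url          = {https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/},
  language     = {English},
  urldate      = {2021-01-27},
}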
SunBurst industrial victims SUNBURST |
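2021-01-26 ⋅ Fidelis ⋅ Chris Kubic @online{kubic:20210126:ongoing:c57f443,
  author       = {Kubic, Chris},
  title        = {Ongoing Analysis of {SolarWinds} Impacts},
  date         = {2021-01-26},
  organization = {Fidelis},
  url          = {https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/},
  language     = {English},
  urldate      = {2021-01-27},
}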
Ongoing Analysis of SolarWinds Impacts SUNBURST |
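2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT @online{csirt:20210126:cring:f12c487,
  author       = {{Swisscom CSIRT}},
  title        = {Tweet on {Cring} Ransomware groups using customized {Mimikatz} sample followed by {CobaltStrike} and dropping {Cring} ransomware},
  date         = {2021-01-26},
  organization = {Twitter (@swisscom_csirt)},
  url          = {https://twitter.com/swisscom_csirt/status/1354052879158571008},
  language     = {English},
  urldate      = {2021-01-27},
}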
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring ransomware Cobalt Strike Cring Ransomware MimiKatz |
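2021-01-26 ⋅ Mimecast ⋅ Mimecast Contributing Writer @online{writer:20210126:important:b395e4f,
  author       = {{Mimecast Contributing Writer}},
  title        = {Important Security Update},
  date         = {2021-01-26},
  organization = {Mimecast},
  url          = {https://www.mimecast.com/blog/important-security-update/},
  language     = {English},
  urldate      = {2021-01-27},
}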
Important Security Update SUNBURST |
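2021-01-25 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210125:twentythree:d3fad49,
  author       = {Hjelmvik, Erik},
  title        = {Twenty-three {SUNBURST} Targets Identified},
  date         = {2021-01-25},
  organization = {Netresec},
  url          = {https://netresec.com/?b=211cd21},
  language     = {English},
  urldate      = {2021-01-25},
}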
Twenty-three SUNBURST Targets Identified SUNBURST |
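2021-01-25 ⋅ ZenGo ⋅ Tal Be'ery @online{beery:20210125:ungilded:97355a8,
  author       = {Be'ery, Tal},
  title        = {Ungilded Secrets: A New Paradigm for Key Security},
  date         = {2021-01-25},
  organization = {ZenGo},
  url          = {https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/},
  language     = {English},
  urldate      = {2021-01-26},
}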
Ungilded Secrets: A New Paradigm for Key Security SUNBURST |
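2021-01-24 ⋅ Medium vrieshd ⋅ VriesHD @online{vrieshd:20210124:finding:ef9bdc1,
  author       = {{VriesHD}},
  title        = {Finding {SUNBURST} victims and targets by using passive {DNS}, {OSINT}},
  date         = {2021-01-24},
  organization = {Medium vrieshd},
  url          = {https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc},
  language     = {English},
  urldate      = {2021-01-25},
}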
Finding SUNBURST victims and targets by using passive DNS, OSINT SUNBURST |
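2021-01-22 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210122:solarwinds:b82c2df,
  author       = {{Threat Hunter Team}},
  title        = {{SolarWinds}: How {Sunburst} Sends Data Back to the Attackers},
  date         = {2021-01-22},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data},
  language     = {English},
  urldate      = {2021-01-25},
}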
SolarWinds: How Sunburst Sends Data Back to the Attackers SUNBURST |
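2021-01-22 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210122:change:ed52aef,
  author       = {Slowik, Joe},
  title        = {Change in Perspective on the Utility of {SUNBURST}-related Network Indicators},
  date         = {2021-01-22},
  organization = {DomainTools},
  url          = {https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#},
  language     = {English},
  urldate      = {2021-01-25},
}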
Change in Perspective on the Utility of SUNBURST-related Network Indicators SUNBURST |
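2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC) @online{team:20210120:deep:1cc0551,
  author       = {{Microsoft 365 Defender Research Team} and {Microsoft Threat Intelligence Center (MSTIC)} and {Microsoft Cyber Defense Operations Center (CDOC)}},
  title        = {Deep dive into the {Solorigate} second-stage activation: From {SUNBURST} to {TEARDROP} and {Raindrop}},
  date         = {2021-01-20},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/},
  language     = {English},
  urldate      = {2021-01-21},
}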
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop Cobalt Strike SUNBURST TEARDROP |
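2021-01-19 ⋅ Github (fireeye) ⋅ FireEye @online{fireeye:20210119:mandiant:26223c8,
  author       = {{FireEye}},
  title        = {{Mandiant Azure AD Investigator}: Focusing on {UNC2452} {TTPs}},
  date         = {2021-01-19},
  organization = {Github (fireeye)},
  url          = {https://github.com/fireeye/Mandiant-Azure-AD-Investigator},
  language     = {English},
  urldate      = {2021-01-21},
}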
Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs SUNBURST |
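2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210118:raindrop:9ab1262,
  author       = {{Threat Hunter Team}},
  title        = {{Raindrop}: New Malware Discovered in {SolarWinds} Investigation},
  date         = {2021-01-18},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware},
  language     = {English},
  urldate      = {2021-01-21},
}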
Raindrop: New Malware Discovered in SolarWinds Investigation Cobalt Strike Raindrop SUNBURST TEARDROP |
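2021-01-17 ⋅ a12d404 ⋅ Markus Piéton @online{piton:20210117:backdooring:fa3eabe,
  author       = {Piéton, Markus},
  title        = {Backdooring {MSBuild}},
  date         = {2021-01-17},
  organization = {a12d404},
  url          = {https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html},
  language     = {English},
  urldate      = {2021-01-21},
}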
Backdooring MSBuild SUNBURST |
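2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie @online{mackenzie:20210117:conti:db7f1cb,
  author       = {Mackenzie, Peter},
  title        = {Tweet on {Conti} Ransomware group exploiting {FortiGate} {VPNs} to drop in {CobaltStrike} loaders},
  date         = {2021-01-17},
  organization = {Twitter (@AltShiftPrtScn)},
  url          = {https://twitter.com/AltShiftPrtScn/status/1350755169965924352},
  language     = {English},
  urldate      = {2021-01-21},
}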
Tweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders Cobalt Strike Conti Ransomware |
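2021-01-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210115:solarwinds:46d0db6,
  author       = {{Threat Hunter Team}},
  title        = {{SolarWinds}: Insights into Attacker Command and Control Process},
  date         = {2021-01-15},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control},
  language     = {English},
  urldate      = {2021-01-21},
}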
SolarWinds: Insights into Attacker Command and Control Process SUNBURST |
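2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier @online{lussier:20210115:detecting:fecd6c3,
  author       = {Lussier, Dan},
  title        = {Detecting Malicious {C2} Activity -{SpawnAs} \& {SMB} Lateral Movement in {CobaltStrike}},
  date         = {2021-01-15},
  organization = {Medium Dansec},
  url          = {https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64},
  language     = {English},
  urldate      = {2021-01-21},
}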
Detecting Malicious C2 Activity -SpawnAs & SMB Lateral Movement in CobaltStrike Cobalt Strike |
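2021-01-14 ⋅ Microsoft ⋅ Microsoft 365 Defender Team @online{team:20210114:increasing:dc031fe,
  author       = {{Microsoft 365 Defender Team}},
  title        = {Increasing resilience against {Solorigate} and other sophisticated attacks with {Microsoft Defender}},
  date         = {2021-01-14},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/},
  language     = {English},
  urldate      = {2021-01-18},
}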
Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender SUNBURST |
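2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20210114:higaisa:4676ec7,
  author       = {{PT ESC Threat Intelligence}},
  title        = {{Higaisa} or {Winnti}? {APT41} backdoors, old and new},
  date         = {2021-01-14},
  organization = {PTSecurity},
  url          = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/},
  language     = {English},
  urldate      = {2021-02-09},
}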
Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
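2021-01-14 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20210114:devils:ce9d4c8,
  author       = {Slowik, Joe},
  title        = {The Devil’s in the Details: {SUNBURST} Attribution},
  date         = {2021-01-14},
  organization = {DomainTools},
  url          = {https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution},
  language     = {English},
  urldate      = {2021-01-18},
}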
The Devil’s in the Details: SUNBURST Attribution SUNBURST |
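2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist @online{read:20210112:unc2452:6e54c6c,
  author       = {Read, Ben and Hultquist, John},
  title        = {{UNC2452}: What We Know So Far},
  date         = {2021-01-12},
  organization = {BrightTALK (FireEye)},
  url          = {https://www.brighttalk.com/webcast/7451/462719},
  language     = {English},
  urldate      = {2021-01-18},
}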
UNC2452: What We Know So Far Cobalt Strike SUNBURST TEARDROP |
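2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen @online{jansen:20210112:abusing:c38eeb6,
  author       = {Jansen, Wouter},
  title        = {Abusing cloud services to fly under the radar},
  date         = {2021-01-12},
  organization = {Fox-IT},
  url          = {https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/},
  language     = {English},
  urldate      = {2021-01-18},
}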
Abusing cloud services to fly under the radar Cobalt Strike |
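2021-01-11 ⋅ Kaspersky Labs ⋅ Georgy Kucherin, Igor Kuznetsov, Costin Raiu @online{kucherin:20210111:sunburst:a4ecf12,
  author       = {Kucherin, Georgy and Kuznetsov, Igor and Raiu, Costin},
  title        = {{Sunburst} backdoor – code overlaps with {Kazuar}},
  date         = {2021-01-11},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/sunburst-backdoor-kazuar/99981/},
  language     = {English},
  urldate      = {2021-01-11},
}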
Sunburst backdoor – code overlaps with Kazuar Kazuar SUNBURST |
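2021-01-11 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210111:robust:5683220,
  author       = {Hjelmvik, Erik},
  title        = {Robust Indicators of Compromise for {SUNBURST}},
  date         = {2021-01-11},
  organization = {Netresec},
  url          = {https://netresec.com/?b=211f30f},
  language     = {English},
  urldate      = {2021-01-21},
}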
Robust Indicators of Compromise for SUNBURST SUNBURST |
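2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna @online{ramakrishna:20210111:new:296b621,
  author       = {Ramakrishna, Sudhakar},
  title        = {New Findings From Our Investigation of {SUNBURST}},
  date         = {2021-01-11},
  organization = {SolarWinds},
  url          = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/},
  language     = {English},
  urldate      = {2021-01-18},
}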
New Findings From Our Investigation of SUNBURST Cobalt Strike SUNBURST TEARDROP |
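2021-01-11 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team @online{team:20210111:sunspot:70e8a4c,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {{SUNSPOT}: An Implant in the Build Process},
  date         = {2021-01-11},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/},
  language     = {English},
  urldate      = {2021-01-21},
}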
SUNSPOT: An Implant in the Build Process SUNBURST |
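2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20210111:trickbot:d1011f9,
  author       = {{The DFIR Report}},
  title        = {{Trickbot} Still Alive and Well},
  date         = {2021-01-11},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/},
  language     = {English},
  urldate      = {2021-01-11},
}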
Trickbot Still Alive and Well Cobalt Strike TrickBot |
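2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves @online{reaves:20210110:man1:54a4162,
  author       = {Reaves, Jason},
  title        = {{MAN1}, {Moskal}, {Hancitor} and a side of Ransomware},
  date         = {2021-01-10},
  organization = {Medium walmartglobaltech},
  url          = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
  language     = {English},
  urldate      = {2021-01-11},
}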
MAN1, Moskal, Hancitor and a side of Ransomware Cobalt Strike Hancitor SendSafe VegaLocker Zeppelin Ransomware |
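2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr @online{mcgarr:20210109:malware:dde1353,
  author       = {McGarr, Connor},
  title        = {Malware Development: Leveraging {Beacon} Object Files for Remote Process Injection via Thread Hijacking},
  date         = {2021-01-09},
  organization = {Connor McGarr's Blog},
  url          = {https://connormcgarr.github.io/thread-hijacking/},
  language     = {English},
  urldate      = {2021-01-11},
}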
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking Cobalt Strike |
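2021-01-08 ⋅ US-CERT ⋅ US-CERT @online{uscert:20210108:alert:874cda9,
  author       = {{US-CERT}},
  title        = {Alert ({AA21-008A}): Detecting Post-Compromise Threat Activity in {Microsoft} Cloud Environments},
  date         = {2021-01-08},
  organization = {US-CERT},
  url          = {https://us-cert.cisa.gov/ncas/alerts/aa21-008a},
  language     = {English},
  urldate      = {2021-01-11},
}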
Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments SUNBURST SUPERNOVA |
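2021-01-08 ⋅ splunk ⋅ Marcus LaFerrera, John Stoner, Lily Lee, James Brodsky, Ryan Kovar @online{laferrera:20210108:golden:d31442a,
  author       = {LaFerrera, Marcus and Stoner, John and Lee, Lily and Brodsky, James and Kovar, Ryan},
  title        = {A Golden {SAML} Journey: {SolarWinds} Continued},
  date         = {2021-01-08},
  organization = {splunk},
  url          = {https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html},
  language     = {English},
  urldate      = {2021-01-11},
}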
A Golden SAML Journey: SolarWinds Continued SUNBURST |
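2021-01-07 ⋅ Recorded Future ⋅ Insikt Group® @techreport{group:20210107:aversary:9771829,
  author       = {{Insikt Group®}},
  title        = {{Adversary} Infrastructure Report 2020: A Defender's View},
  date         = {2021-01-07},
  institution  = {Recorded Future},
  url          = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf},
  language     = {English},
  urldate      = {2021-01-11},
}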
Adversary Infrastructure Report 2020: A Defender's View Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 |
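2021-01-07 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20210107:solarwinds:29f7094,
  author       = {{Threat Hunter Team}},
  title        = {{SolarWinds}: How a Rare {DGA} Helped Attacker Communications Fly Under the Radar},
  date         = {2021-01-07},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga},
  language     = {English},
  urldate      = {2021-01-11},
}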
SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar SUNBURST |
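2021-01-07 ⋅ TRUESEC ⋅ Sebastian Olsson @online{olsson:20210107:avoiding:e492089,
  author       = {Olsson, Sebastian},
  title        = {Avoiding supply-chain attacks similar to {SolarWinds} {Orion}’s ({SUNBURST})},
  date         = {2021-01-07},
  organization = {TRUESEC},
  url          = {https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst},
  language     = {English},
  urldate      = {2021-01-11},
}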
Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST) SUNBURST |
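2021-01-06 ⋅ CISA ⋅ US-CERT @online{uscert:20210106:supply:e8f4577,
  author       = {{US-CERT}},
  title        = {Supply Chain Compromise},
  date         = {2021-01-06},
  organization = {CISA},
  url          = {https://www.cisa.gov/supply-chain-compromise},
  language     = {English},
  urldate      = {2021-03-19},
}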
Supply Chain Compromise SUNBURST |
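2021-01-06 ⋅ Red Canary ⋅ Tony Lambert @online{lambert:20210106:hunting:272410b,
  author       = {Lambert, Tony},
  title        = {Hunting for {GetSystem} in offensive security tools},
  date         = {2021-01-06},
  organization = {Red Canary},
  url          = {https://redcanary.com/blog/getsystem-offsec/},
  language     = {English},
  urldate      = {2021-01-11},
}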
Hunting for GetSystem in offensive security tools Cobalt Strike Empire Downloader Meterpreter PoshC2 |
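2021-01-06 ⋅ Department of Justice ⋅ Department of Justice @online{justice:20210106:department:b7e85eb,
  author       = {{Department of Justice}},
  title        = {{Department of Justice} Statement on {Solarwinds} Update},
  date         = {2021-01-06},
  organization = {Department of Justice},
  url          = {https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update},
  language     = {English},
  urldate      = {2021-01-11},
}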
Department of Justice Statement on Solarwinds Update SUNBURST |
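2021-01-06 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20210106:attck:841bad7,
  author       = {{MITRE ATT\&CK}},
  title        = {{ATT\&CK} Navigator layer for {UNC2452}},
  date         = {2021-01-06},
  organization = {MITRE},
  url          = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json},
  language     = {English},
  urldate      = {2021-01-11},
}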
ATT&CK Navigator layer for UNC2452 SUNBURST |
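2021-01-06 ⋅ Github (SentinelLabs) ⋅ SentinelLabs @online{sentinellabs:20210106:solarwindscountermeasures:c2aa91e,
  author       = {{SentinelLabs}},
  title        = {{SolarWinds\_Countermeasures}},
  date         = {2021-01-06},
  organization = {Github (SentinelLabs)},
  url          = {https://github.com/SentineLabs/SolarWinds_Countermeasures},
  language     = {English},
  urldate      = {2021-01-11},
}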
SolarWinds_Countermeasures SUNBURST |
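2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research @online{research:20210105:earth:d7bb547,
  author       = {{Trend Micro Research}},
  title        = {{Earth Wendigo} Injects {JavaScript} Backdoor to Service Worker for Mailbox Exfiltration},
  date         = {2021-01-05},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html},
  language     = {English},
  urldate      = {2021-01-10},
}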
Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration Cobalt Strike |
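2021-01-05 ⋅ Sangfor ⋅ Clairvoyance Safety Laboratory @online{laboratory:20210105:red:9ddfb7a,
  author       = {{Clairvoyance Safety Laboratory}},
  title        = {Red team's perspective on the {TTPs} in {Sunburst}'s backdoor},
  date         = {2021-01-05},
  organization = {Sangfor},
  url          = {https://www.4hou.com/posts/KzZR},
  language     = {Chinese},
  urldate      = {2021-01-11},
}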
Red team's perspective on the TTPs in Sunburst's backdoor SUNBURST |
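2021-01-04 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20210104:finding:d869bd9,
  author       = {Hjelmvik, Erik},
  title        = {Finding Targeted {SUNBURST} Victims with {pDNS}},
  date         = {2021-01-04},
  organization = {Netresec},
  url          = {https://netresec.com/?b=2113a6a},
  language     = {English},
  urldate      = {2021-01-05},
}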
Finding Targeted SUNBURST Victims with pDNS SUNBURST |
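2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag @online{haag:20210104:malleable:ab64356,
  author       = {Haag, Michael},
  title        = {Malleable {C2} Profiles and You},
  date         = {2021-01-04},
  organization = {Medium haggis-m},
  url          = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929},
  language     = {English},
  urldate      = {2021-01-05},
}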
Malleable C2 Profiles and You Cobalt Strike |
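2021-01-04 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel @online{reichel:20210104:some:9e72d62,
  author       = {Reichel, Dominik},
  title        = {Some small detail on compiler used for {TEARDROP}},
  date         = {2021-01-04},
  organization = {Twitter (@TheEnergyStory)},
  url          = {https://twitter.com/TheEnergyStory/status/1346096298311741440},
  language     = {English},
  urldate      = {2021-01-11},
}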
Some small detail on compiler used for TEARDROP TEARDROP |
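2020-12-31 ⋅ IronNet ⋅ IronNet @online{ironnet:20201231:solarwindssunburst:1422ef4,
  author       = {{IronNet}},
  title        = {{SolarWinds}/{SUNBURST}: Behavioral analytics and Collective Defense in action},
  date         = {2020-12-31},
  organization = {IronNet},
  url          = {https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action},
  language     = {English},
  urldate      = {2021-01-05},
}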
SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action SUNBURST |
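2020-12-31 ⋅ Microsoft ⋅ MSRC Team @online{team:20201231:microsoft:c94b7aa,
  author       = {{MSRC Team}},
  title        = {{Microsoft} Internal {Solorigate} Investigation Update},
  date         = {2020-12-31},
  organization = {Microsoft},
  url          = {https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/},
  language     = {English},
  urldate      = {2021-01-04},
}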
Microsoft Internal Solorigate Investigation Update SUNBURST |
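2020-12-30 ⋅ Recorded Future ⋅ John Wetzel @techreport{wetzel:20201230:solarwinds:59c847b,
  author       = {Wetzel, John},
  title        = {{SOLARWINDS} {ATTRIBUTION}: Are We Getting Ahead of Ourselves? An Analysis of {UNC2452} Attribution},
  date         = {2020-12-30},
  institution  = {Recorded Future},
  url          = {https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf},
  language     = {English},
  urldate      = {2021-01-05},
}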
SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution SUNBURST |
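2020-12-29 ⋅ CyberArk ⋅ Shaked Reiner @online{reiner:20201229:golden:8601f2d,
  author       = {Reiner, Shaked},
  title        = {Golden {SAML} Revisited: The {Solorigate} Connection},
  date         = {2020-12-29},
  organization = {CyberArk},
  url          = {https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection},
  language     = {English},
  urldate      = {2021-01-05},
}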
Golden SAML Revisited: The Solorigate Connection SUNBURST |
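2020-12-29 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20201229:extracting:1640842,
  author       = {Hjelmvik, Erik},
  title        = {Extracting Security Products from {SUNBURST} {DNS} Beacons},
  date         = {2020-12-29},
  organization = {Netresec},
  url          = {https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons},
  language     = {English},
  urldate      = {2021-01-04},
}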
Extracting Security Products from SUNBURST DNS Beacons SUNBURST |
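2020-12-28 ⋅ Microsoft ⋅ Microsoft 365 Defender Team @online{team:20201228:using:f8e8574,
  author       = {{Microsoft 365 Defender Team}},
  title        = {Using {Microsoft 365 Defender} to protect against {Solorigate}},
  date         = {2020-12-28},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/},
  language     = {English},
  urldate      = {2021-01-01},
}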
Using Microsoft 365 Defender to protect against Solorigate SUNBURST TEARDROP |
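2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck @online{grimminck:20201226:spoofing:a0a5622,
  author       = {Grimminck, Stefan},
  title        = {Spoofing {JARM} signatures. I am the {Cobalt Strike} server now!},
  date         = {2020-12-26},
  organization = {Medium grimminck},
  url          = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b},
  language     = {English},
  urldate      = {2021-01-01},
}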
Spoofing JARM signatures. I am the Cobalt Strike server now! Cobalt Strike |
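2020-12-25 ⋅ Comae ⋅ Matt Suiche @online{suiche:20201225:sunburst:4169084,
  author       = {Suiche, Matt},
  title        = {{SUNBURST} \& Memory Analysis},
  date         = {2020-12-25},
  organization = {Comae},
  url          = {https://www.comae.com/posts/sunburst-memory-analysis/},
  language     = {English},
  urldate      = {2020-12-26},
}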
SUNBURST & Memory Analysis SUNBURST |
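2020-12-24 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel @online{reichel:20201224:teardrop:8b014ba,
  author       = {Reichel, Dominik},
  title        = {Tweet on {TEARDROP} sample},
  date         = {2020-12-24},
  organization = {Twitter (@TheEnergyStory)},
  url          = {https://twitter.com/TheEnergyStory/status/1342041055563313152},
  language     = {English},
  urldate      = {2021-01-01},
}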
Tweet on TEARDROP sample TEARDROP |
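2020-12-24 ⋅ FireEye ⋅ Stephen Eckels, Jay Smith, William Ballenthin @online{eckels:20201224:sunburst:3fcb239,
  author       = {Eckels, Stephen and Smith, Jay and Ballenthin, William},
  title        = {{SUNBURST} Additional Technical Details},
  date         = {2020-12-24},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html},
  language     = {English},
  urldate      = {2020-12-26},
}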
SUNBURST Additional Technical Details SUNBURST |
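2020-12-23 ⋅ Prevasio ⋅ Sergei Shevchenko @techreport{shevchenko:20201223:dns:0f3f013,
  author       = {Shevchenko, Sergei},
  title        = {{DNS} Tunneling In The {SolarWinds} Supply Chain Attack},
  date         = {2020-12-23},
  institution  = {Prevasio},
  url          = {https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf},
  language     = {English},
  urldate      = {2021-01-01},
}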
DNS Tunneling In The SolarWinds Supply Chain Attack SUNBURST |
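2020-12-23 ⋅ Qianxin ⋅ Qi AnXin CERT @online{cert:20201223:solarwindsapt:a237c40,
  author       = {{Qi AnXin CERT}},
  title        = {从{Solarwinds}供应链攻击(金链熊)看{APT}行动中的隐蔽作战},
  date         = {2020-12-23},
  organization = {Qianxin},
  url          = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q},
  language     = {Chinese},
  urldate      = {2020-12-23},
}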
从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战 SUNBURST |
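2020-12-23 ⋅ CrowdStrike ⋅ Michael Sentonas @online{sentonas:20201223:crowdstrike:ee76d67,
  author       = {Sentonas, Michael},
  title        = {{CrowdStrike} Launches Free Tool to Identify and Help Mitigate Risks in {Azure Active Directory}},
  date         = {2020-12-23},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/},
  language     = {English},
  urldate      = {2021-01-01},
}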
CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory SUNBURST |
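2020-12-23 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201223:timeline:466b51a,
  author       = {{Unit 42}},
  title        = {A Timeline Perspective of the {SolarStorm} Supply-Chain Attack},
  date         = {2020-12-23},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline},
  language     = {English},
  urldate      = {2020-12-26},
}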
A Timeline Perspective of the SolarStorm Supply-Chain Attack SUNBURST TEARDROP |
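2020-12-22 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy @online{hardy:20201222:sunburst:78b5056,
  author       = {Hardy, Colin},
  title        = {{SUNBURST} {SolarWinds} {RECON} - Malware Reverse Engineering, {OSINT} and Identifying Victims},
  date         = {2020-12-22},
  organization = {Youtube (Colin Hardy)},
  url          = {https://www.youtube.com/watch?v=mbGN1xqy1jY},
  language     = {English},
  urldate      = {2020-12-23},
}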
SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims SUNBURST |
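2020-12-22 ⋅ Prevasio ⋅ Sergei Shevchenko @online{shevchenko:20201222:sunburst:9670fa6,
  author       = {Shevchenko, Sergei},
  title        = {{Sunburst} Backdoor, Part {III}: {DGA} \& Security Software},
  date         = {2020-12-22},
  organization = {Prevasio},
  url          = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html},
  language     = {English},
  urldate      = {2021-01-01},
}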
Sunburst Backdoor, Part III: DGA & Security Software SUNBURST |
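2020-12-22 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201222:solarwinds:b77e372,
  author       = {{Threat Hunter Team}},
  title        = {{SolarWinds} Attacks: Stealthy Attackers Attempted To Evade Detection},
  date         = {2020-12-22},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection},
  language     = {English},
  urldate      = {2020-12-23},
}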
SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection SUNBURST |
2020-12-22 ⋅ Zscaler ⋅ Zscaler @online{zscaler:20201222:hitchhikers:1875e0b,
author = {Zscaler},
title = {{The Hitchhiker’s Guide to SolarWinds Incident Response}},
date = {2020-12-22},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response},
language = {English},
urldate = {2021-01-10}
}
The Hitchhiker’s Guide to SolarWinds Incident Response SUNBURST |
2020-12-22 ⋅ Microsoft ⋅ Alex Weinert @online{weinert:20201222:azure:b2fee7b,
author = {Alex Weinert},
title = {{Azure AD workbook to help you assess Solorigate risk}},
date = {2020-12-22},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718},
language = {English},
urldate = {2020-12-23}
}
Azure AD workbook to help you assess Solorigate risk SUNBURST |
2020-12-22 ⋅ Medium mitre-attack ⋅ Matt Malone, Adam Pennington @online{malone:20201222:identifying:259fcd9,
author = {Matt Malone and Adam Pennington},
title = {{Identifying UNC2452-Related Techniques for ATT&CK}},
date = {2020-12-22},
organization = {Medium mitre-attack},
url = {https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714},
language = {English},
urldate = {2020-12-23}
}
Identifying UNC2452-Related Techniques for ATT&CK SUNBURST TEARDROP UNC2452 |
2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén @online{whln:20201222:collaboration:5d2ad28,
author = {Mattias Wåhlén},
title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}},
date = {2020-12-22},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/},
language = {English},
urldate = {2021-01-01}
}
Collaboration between FIN7 and the RYUK group, a Truesec Investigation Carbanak Cobalt Strike Ryuk |
2020-12-22 ⋅ FBI ⋅ FBI @online{fbi:20201222:pin:ea37578,
author = {FBI},
title = {{PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities}},
date = {2020-12-22},
organization = {FBI},
url = {https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view},
language = {English},
urldate = {2020-12-26},
note = {The URL is a Google Drive mirror of the PIN, not an FBI-hosted copy; verify the document against an official release before relying on it}
}
PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities SUNBURST |
2020-12-22 ⋅ Checkpoint ⋅ Check Point Research @online{research:20201222:sunburst:f3cfd5f,
author = {Check Point Research},
title = {{SUNBURST, TEARDROP and the NetSec New Normal}},
date = {2020-12-22},
organization = {Checkpoint},
url = {https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/},
language = {English},
urldate = {2020-12-23}
}
SUNBURST, TEARDROP and the NetSec New Normal SUNBURST TEARDROP |
2020-12-21 ⋅ SophosLabs Uncut ⋅ SophosLabs Threat Research @online{research:20201221:how:42cc330,
author = {SophosLabs Threat Research},
title = {{How SunBurst malware does defense evasion}},
date = {2020-12-21},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/},
language = {English},
urldate = {2020-12-23}
}
How SunBurst malware does defense evasion SUNBURST UNC2452 |
2020-12-21 ⋅ McAfee ⋅ Mo Cashman, Arnab Roy @online{cashman:20201221:how:10d8756,
author = {Mo Cashman and Arnab Roy},
title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}},
date = {2020-12-21},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/},
language = {English},
urldate = {2020-12-23}
}
How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise SUNBURST |
2020-12-21 ⋅ Fortinet ⋅ Udi Yavo @online{yavo:20201221:what:716b31d,
author = {Udi Yavo},
title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}},
date = {2020-12-21},
organization = {Fortinet},
url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack},
language = {English},
urldate = {2021-01-18}
}
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack Cobalt Strike SUNBURST TEARDROP |
2020-12-21 ⋅ IronNet ⋅ Peter Rydzynski @online{rydzynski:20201221:solarwindssunburst:cabeea6,
author = {Peter Rydzynski},
title = {{SolarWinds/SUNBURST: DGA or DNS Tunneling?}},
date = {2020-12-21},
organization = {IronNet},
url = {https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling},
language = {English},
urldate = {2021-01-05}
}
SolarWinds/SUNBURST: DGA or DNS Tunneling? SUNBURST |
2020-12-21 ⋅ Microsoft ⋅ MSRC Team @online{team:20201221:solorigate:7c7ab64,
author = {MSRC Team},
title = {{Solorigate Resource Center}},
date = {2020-12-21},
organization = {Microsoft},
url = {https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/},
language = {English},
urldate = {2021-01-01}
}
Solorigate Resource Center SUNBURST TEARDROP |
2020-12-21 ⋅ Microsoft ⋅ Alex Weinert @online{weinert:20201221:understanding:ea5a2f8,
author = {Alex Weinert},
title = {{Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.}},
date = {2020-12-21},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610},
language = {English},
urldate = {2020-12-23}
}
Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers. SUNBURST |
2020-12-20 ⋅ Twitter (@TychoTithonus) ⋅ Royce Williams @online{williams:20201220:solarwindssunburst:c93e0ce,
author = {Royce Williams},
title = {{SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis}},
date = {2020-12-20},
organization = {Twitter (@TychoTithonus)},
url = {https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs},
language = {English},
urldate = {2021-02-18}
}
SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis SUNBURST |
2020-12-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka @online{amawaka:20201220:look:8cd19a2,
author = {Asuna Amawaka},
title = {{A Look into SUNBURST’s DGA}},
date = {2020-12-20},
organization = {Medium Asuna Amawaka},
url = {https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947},
language = {English},
urldate = {2021-02-18}
}
A Look into SUNBURST’s DGA SUNBURST |
2020-12-20 ⋅ Randhome ⋅ Etienne Maynier @online{maynier:20201220:analyzing:3e15960,
author = {Etienne Maynier},
title = {{Analyzing Cobalt Strike for Fun and Profit}},
date = {2020-12-20},
organization = {Randhome},
url = {https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/},
language = {English},
urldate = {2020-12-23}
}
Analyzing Cobalt Strike for Fun and Profit Cobalt Strike |
2020-12-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201219:solarwinds:0129ee8,
author = {Lawrence Abrams},
title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}},
date = {2020-12-19},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/},
language = {English},
urldate = {2020-12-19}
}
The SolarWinds cyberattack: The hack, the victims, and what we know SUNBURST |
2020-12-18 ⋅ Sentinel LABS ⋅ James Haughom @online{haughom:20201218:solarwinds:8e1f0c5,
author = {James Haughom},
title = {{SolarWinds SUNBURST Backdoor: Inside the APT Campaign}},
date = {2020-12-18},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/},
language = {English},
urldate = {2020-12-19}
}
SolarWinds SUNBURST Backdoor: Inside the APT Campaign SUNBURST |
2020-12-18 ⋅ IBM ⋅ Gladys Koskas @online{koskas:20201218:sunburst:c79fb22,
author = {Gladys Koskas},
title = {{SUNBURST indicator detection in QRadar}},
date = {2020-12-18},
organization = {IBM},
url = {https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar},
language = {English},
urldate = {2021-01-10}
}
SUNBURST indicator detection in QRadar SUNBURST |
2020-12-18 ⋅ Kaspersky Labs ⋅ Igor Kuznetsov, Costin Raiu @online{kuznetsov:20201218:sunburst:85b411a,
author = {Igor Kuznetsov and Costin Raiu},
title = {{Sunburst: connecting the dots in the DNS requests}},
date = {2020-12-18},
organization = {Kaspersky Labs},
url = {https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/},
language = {English},
urldate = {2020-12-18}
}
Sunburst: connecting the dots in the DNS requests SUNBURST |
2020-12-18 ⋅ Twitter (@craiu) ⋅ Costin Raiu @online{raiu:20201218:from:4f8eb88,
author = {Costin Raiu},
title = {{Tweet from Costin Raiu about confirmed TEARDROP sample}},
date = {2020-12-18},
organization = {Twitter (@craiu)},
url = {https://twitter.com/craiu/status/1339954817247158272},
language = {English},
urldate = {2020-12-19}
}
Tweet from Costin Raiu about confirmed TEARDROP sample TEARDROP |
2020-12-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20201218:analyzing:9486213,
author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC)},
title = {{Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers}},
date = {2020-12-18},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/},
language = {English},
urldate = {2020-12-19}
}
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers SUNBURST SUPERNOVA TEARDROP UNC2452 |
2020-12-18 ⋅ DomainTools ⋅ Joe Slowik @online{slowik:20201218:continuous:71ffa78,
author = {Joe Slowik},
title = {{Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident}},
date = {2020-12-18},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident},
language = {English},
urldate = {2020-12-18}
}
Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident SUNBURST |
2020-12-18 ⋅ ThreatConnect ⋅ ThreatConnect @online{threatconnect:20201218:tracking:765f272,
author = {ThreatConnect},
title = {{Tracking Sunburst-Related Activity with ThreatConnect Dashboards}},
date = {2020-12-18},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards},
language = {English},
urldate = {2020-12-19}
}
Tracking Sunburst-Related Activity with ThreatConnect Dashboards SUNBURST |
2020-12-18 ⋅ Cloudflare ⋅ Nick Blazier, Jesse Kipp @online{blazier:20201218:quirk:fe216c8,
author = {Nick Blazier and Jesse Kipp},
title = {{A quirk in the SUNBURST DGA algorithm}},
date = {2020-12-18},
organization = {Cloudflare},
url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/},
language = {English},
urldate = {2020-12-18}
}
A quirk in the SUNBURST DGA algorithm SUNBURST |
2020-12-18 ⋅ Elastic ⋅ Camilla Montonen, Justin Ibarra @online{montonen:20201218:combining:13fef73,
author = {Camilla Montonen and Justin Ibarra},
title = {{Combining supervised and unsupervised machine learning for DGA detection}},
date = {2020-12-18},
organization = {Elastic},
url = {https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection},
language = {English},
urldate = {2020-12-18}
}
Combining supervised and unsupervised machine learning for DGA detection SUNBURST |
2020-12-17 ⋅ Youtube (Colin Hardy) ⋅ Colin Hardy @online{hardy:20201217:sunburst:059bdbe,
author = {Colin Hardy},
title = {{SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering}},
date = {2020-12-17},
organization = {Youtube (Colin Hardy)},
url = {https://www.youtube.com/watch?v=JoMwrkijTZ8},
language = {English},
urldate = {2020-12-18}
}
SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering SUNBURST |
2020-12-17 ⋅ McAfee ⋅ Christiaan Beek, Cedric Cochin, Raj Samani @online{beek:20201217:additional:cd38b54,
author = {Christiaan Beek and Cedric Cochin and Raj Samani},
title = {{Additional Analysis into the SUNBURST Backdoor}},
date = {2020-12-17},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/},
language = {English},
urldate = {2020-12-18}
}
Additional Analysis into the SUNBURST Backdoor SUNBURST |
2020-12-17 ⋅ Prevasio ⋅ Sergei Shevchenko @online{shevchenko:20201217:sunburst:9b615cf,
author = {Sergei Shevchenko},
title = {{Sunburst Backdoor, Part II: DGA & The List of Victims}},
date = {2020-12-17},
organization = {Prevasio},
url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html},
language = {English},
urldate = {2020-12-23}
}
Sunburst Backdoor, Part II: DGA & The List of Victims SUNBURST |
2020-12-17 ⋅ Netresec ⋅ Erik Hjelmvik @online{hjelmvik:20201217:reassembling:2a2f222,
author = {Erik Hjelmvik},
title = {{Reassembling Victim Domain Fragments from SUNBURST DNS}},
date = {2020-12-17},
organization = {Netresec},
url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS},
language = {English},
urldate = {2020-12-18}
}
Reassembling Victim Domain Fragments from SUNBURST DNS SUNBURST |
2020-12-17 ⋅ Twitter (@megabeets_) ⋅ Itay Cohen @online{cohen:20201217:sunburst:7931c48,
author = {Itay Cohen},
title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}},
date = {2020-12-17},
organization = {Twitter (@megabeets_)},
url = {https://twitter.com/megabeets_/status/1339308801112027138},
language = {English},
urldate = {2020-12-18}
}
Tweet on SUNBURST malware discussing some of its evasion techniques SUNBURST |
2020-12-17 ⋅ splunk ⋅ John Stoner @online{stoner:20201217:onboarding:cef2450,
author = {John Stoner},
title = {{Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued}},
date = {2020-12-17},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html},
language = {English},
urldate = {2021-01-11}
}
Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued SUNBURST |
2020-12-17 ⋅ TRUESEC ⋅ Fabio Viggiani @online{viggiani:20201217:solarwinds:f367284,
author = {Fabio Viggiani},
title = {{The SolarWinds Orion SUNBURST supply-chain Attack}},
date = {2020-12-17},
organization = {TRUESEC},
url = {https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/},
language = {English},
urldate = {2020-12-18}
}
The SolarWinds Orion SUNBURST supply-chain Attack SUNBURST |
2020-12-17 ⋅ Microsoft ⋅ Brad Smith @online{smith:20201217:moment:cd1089e,
author = {Brad Smith},
title = {{A moment of reckoning: the need for a strong and global cybersecurity response}},
date = {2020-12-17},
organization = {Microsoft},
url = {https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/},
language = {English},
urldate = {2020-12-18}
}
A moment of reckoning: the need for a strong and global cybersecurity response SUNBURST |
2020-12-17 ⋅ US-CERT ⋅ US-CERT @online{uscert:20201217:alert:1d517b0,
author = {US-CERT},
title = {{Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations}},
date = {2020-12-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-352a},
language = {English},
urldate = {2020-12-18}
}
Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations SUNBURST |
2020-12-17 ⋅ TrustedSec ⋅ Trustedsec @online{trustedsec:20201217:solarwinds:8185fab,
author = {Trustedsec},
title = {{SolarWinds Backdoor (Sunburst) Incident Response Playbook}},
date = {2020-12-17},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306},
language = {English},
urldate = {2020-12-18}
}
SolarWinds Backdoor (Sunburst) Incident Response Playbook SUNBURST |
2020-12-16 ⋅ Twitter (@0xrb) ⋅ R. Bansal @online{bansal:20201216:list:aa0388d,
author = {R. Bansal},
title = {{List of domain infrastructure including DGA domain used by UNC2452}},
date = {2020-12-16},
organization = {Twitter (@0xrb)},
url = {https://twitter.com/0xrb/status/1339199268146442241},
language = {English},
urldate = {2020-12-17}
}
List of domain infrastructure including DGA domain used by UNC2452 SUNBURST |
2020-12-16 ⋅ Github (RedDrip7) ⋅ RedDrip7 @online{reddrip7:20201216:script:4476c58,
author = {RedDrip7},
title = {{A script to decode SUNBURST DGA domain}},
date = {2020-12-16},
organization = {Github (RedDrip7)},
url = {https://github.com/RedDrip7/SunBurst_DGA_Decode},
language = {English},
urldate = {2020-12-17}
}
A script to decode SUNBURST DGA domain SUNBURST |
2020-12-16 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201216:intel471s:f245d05,
author = {Intel 471},
title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}},
date = {2020-12-16},
organization = {Intel 471},
url = {https://twitter.com/Intel471Inc/status/1339233255741120513},
language = {English},
urldate = {2020-12-17}
}
Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground SUNBURST |
2020-12-16 ⋅ Pastebin ⋅ Anonymous @online{anonymous:20201216:paste:a02ef52,
author = {Anonymous},
title = {{Paste of subdomain & DGA domain names used in SolarWinds attack}},
date = {2020-12-16},
organization = {Pastebin},
url = {https://pastebin.com/6EDgCKxd},
language = {English},
urldate = {2021-01-13},
note = {Anonymous paste; the listed subdomains and DGA domain names are unverified and should be cross-checked against vendor or CISA reporting before being used as detection indicators}
}
Paste of subdomain & DGA domain names used in SolarWinds attack SUNBURST UNC2452 |
2020-12-16 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20201216:solarwinds:0871f46,
author = {Red Raindrop Team},
title = {{中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解!}},
date = {2020-12-16},
organization = {Qianxin},
url = {https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug},
language = {Chinese},
urldate = {2020-12-17}
}
中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解! SUNBURST |
2020-12-16 ⋅ Cloudflare ⋅ Jesse Kipp, Malavika Balachandran Tadeusz @online{kipp:20201216:trend:29b2a2d,
author = {Jesse Kipp and Malavika Balachandran Tadeusz},
title = {{Trend data on the SolarWinds Orion compromise}},
date = {2020-12-16},
organization = {Cloudflare},
url = {https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/},
language = {English},
urldate = {2020-12-18}
}
Trend data on the SolarWinds Orion compromise SUNBURST |
2020-12-16 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy @online{hardy:20201216:3:c3e0e68,
author = {Colin Hardy},
title = {{Tweet on 3 key actions SUNBURST performs as soon as it's invoked}},
date = {2020-12-16},
organization = {Twitter (@cybercdh)},
url = {https://twitter.com/cybercdh/status/1339241246024404994},
language = {English},
urldate = {2020-12-18}
}
Tweet on 3 key actions SUNBURST performs as soon as it's invoked SUNBURST |
2020-12-16 ⋅ Twitter (@FireEye) ⋅ FireEye @online{fireeye:20201216:sunburst:310ef08,
author = {FireEye},
title = {{Tweet on SUNBURST from FireEye detailing some additional information}},
date = {2020-12-16},
organization = {Twitter (@FireEye)},
url = {https://twitter.com/FireEye/status/1339295983583244302},
language = {English},
urldate = {2020-12-17}
}
Tweet on SUNBURST from FireEye detailing some additional information SUNBURST |
2020-12-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams @online{abrams:20201216:fireeye:d24dc6f,
author = {Lawrence Abrams},
title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}},
date = {2020-12-16},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/},
language = {English},
urldate = {2020-12-17}
}
FireEye, Microsoft create kill switch for SolarWinds backdoor SUNBURST |
2020-12-16 ⋅ Microsoft ⋅ Shain Wray @online{wray:20201216:solarwinds:98db0a9,
author = {Shain Wray},
title = {{SolarWinds Post-Compromise Hunting with Azure Sentinel}},
date = {2020-12-16},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095},
language = {English},
urldate = {2020-12-17}
}
SolarWinds Post-Compromise Hunting with Azure Sentinel SUNBURST |
2020-12-16 ⋅ Cyborg Security ⋅ Josh Meltzer @online{meltzer:20201216:sunburst:6866abc,
author = {Josh Meltzer},
title = {{SUNBURST: SolarWinds Supply-Chain Attack}},
date = {2020-12-16},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/},
language = {English},
urldate = {2020-12-23}
}
SUNBURST: SolarWinds Supply-Chain Attack SUNBURST |
2020-12-16 ⋅ ReversingLabs ⋅ Tomislav Pericin @online{pericin:20201216:sunburst:02a2fd8,
author = {Tomislav Pericin},
title = {{SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience}},
date = {2020-12-16},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth},
language = {English},
urldate = {2020-12-17}
}
SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience SUNBURST |
2020-12-15 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy @online{hardy:20201215:cyberchef:9f25c79,
author = {Colin Hardy},
title = {{Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.}},
date = {2020-12-15},
organization = {Twitter (@cybercdh)},
url = {https://twitter.com/cybercdh/status/1338885244246765569},
language = {English},
urldate = {2020-12-17}
}
Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries. SUNBURST |
2020-12-15 ⋅ Corelight ⋅ John Gamble @online{gamble:20201215:finding:50ef51c,
author = {John Gamble},
title = {{Finding SUNBURST Backdoor with Zeek Logs & Corelight}},
date = {2020-12-15},
organization = {Corelight},
url = {https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/},
language = {English},
urldate = {2020-12-15}
}
Finding SUNBURST Backdoor with Zeek Logs & Corelight SUNBURST |
2020-12-15 ⋅ 360 Threat Intelligence Center ⋅ Advanced Threat Institute @online{institute:20201215:operation:899bf4d,
author = {Advanced Threat Institute},
title = {{Operation Falling Eagle-the secret of the most influential supply chain attack in history}},
date = {2020-12-15},
organization = {360 Threat Intelligence Center},
url = {https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q},
language = {Chinese},
urldate = {2020-12-18}
}
Operation Falling Eagle-the secret of the most influential supply chain attack in history SUNBURST |
2020-12-15 ⋅ Twitter (@cybercdh) ⋅ Colin Hardy @online{hardy:20201215:some:5b19d5f,
author = {Colin Hardy},
title = {{Tweet on some more capabilities of SUNBURST backdoor}},
date = {2020-12-15},
organization = {Twitter (@cybercdh)},
url = {https://twitter.com/cybercdh/status/1338975171093336067},
language = {English},
urldate = {2020-12-18}
}
Tweet on some more capabilities of SUNBURST backdoor SUNBURST |
2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team @online{team:20201215:solarwindsthreathunt:4357421,
author = {Sophos Cyber Security Team},
title = {{solarwinds-threathunt}},
date = {2020-12-15},
organization = {Github (sophos-cybersecurity)},
url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt},
language = {English},
urldate = {2020-12-15}
}
solarwinds-threathunt Cobalt Strike SUNBURST |
2020-12-15 ⋅ Prevasio ⋅ Sergei Shevchenko @online{shevchenko:20201215:sunburst:7f6b5db,
author = {Sergei Shevchenko},
title = {{Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware}},
date = {2020-12-15},
organization = {Prevasio},
url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html},
language = {English},
urldate = {2020-12-17}
}
Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware SUNBURST |
2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20201215:tactics:bba1b4f,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}},
date = {2020-12-15},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach},
language = {English},
urldate = {2020-12-17}
}
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach Cobalt Strike SUNBURST |
2020-12-15 ⋅ Cyborg Security ⋅ Austin Jackson @online{jackson:20201215:threat:00bfb46,
author = {Austin Jackson},
title = {{Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)}},
date = {2020-12-15},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/},
language = {English},
urldate = {2020-12-23}
}
Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor) SUNBURST |
2020-12-14 ⋅ Twitter (@lordx64) ⋅ Taha Karim @online{karim:20201214:one:5d9f92c,
author = {Taha Karim},
title = {{Tweet on a one liner to decrypt SUNBURST backdoor}},
date = {2020-12-14},
organization = {Twitter (@lordx64)},
url = {https://twitter.com/lordx64/status/1338526166051934213},
language = {English},
urldate = {2020-12-15}
}
Tweet on a one liner to decrypt SUNBURST backdoor SUNBURST |
2020-12-14 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20201214:sunburst:12e5814,
author = {Threat Hunter Team},
title = {{Sunburst: Supply Chain Attack Targets SolarWinds Users}},
date = {2020-12-14},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds},
language = {English},
urldate = {2020-12-19}
}
Sunburst: Supply Chain Attack Targets SolarWinds Users SUNBURST TEARDROP |
2020-12-14 ⋅ Volexity ⋅ Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research @online{cash:20201214:dark:7d54c5d,
author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research},
title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}},
date = {2020-12-14},
organization = {Volexity},
url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/},
language = {English},
urldate = {2020-12-15}
}
Dark Halo Leverages SolarWinds Compromise to Breach Organizations SUNBURST |
2020-12-14 ⋅ Twitter (@ItsReallyNick) ⋅ Nick Carr @online{carr:20201214:summarizing:67227be,
author = {Nick Carr},
title = {{Tweet on summarizing post-compromise activity of UNC2452}},
date = {2020-12-14},
organization = {Twitter (@ItsReallyNick)},
url = {https://twitter.com/ItsReallyNick/status/1338382939835478016},
language = {English},
urldate = {2020-12-14}
}
Tweet on summarizing post-compromise activity of UNC2452 SUNBURST |
2020-12-14 ⋅ Olaf Hartong @online{hartong:20201214:fireeye:d7c17f5,
author = {Olaf Hartong},
title = {{FireEye Sunburst KQL Detections}},
date = {2020-12-14},
organization = {Github (olafhartong)},
url = {https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f},
language = {English},
urldate = {2020-12-15}
}
FireEye Sunburst KQL Detections SUNBURST |
2020-12-14 ⋅ splunk ⋅ Ryan Kovar @online{kovar:20201214:using:7fa58c8,
author = {Ryan Kovar},
title = {{Using Splunk to Detect Sunburst Backdoor}},
date = {2020-12-14},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html},
language = {English},
urldate = {2020-12-15}
}
Using Splunk to Detect Sunburst Backdoor SUNBURST |
2020-12-14 ⋅ Twitter (@KimZetter) ⋅ Kim Zetter @online{zetter:20201214:thread:783b5ed,
author = {Kim Zetter},
title = {{Tweet thread on Microsoft report on SolarWinds supply chain attack by UNC2452}},
date = {2020-12-14},
organization = {Twitter (@KimZetter)},
url = {https://twitter.com/KimZetter/status/1338305089597964290},
language = {English},
urldate = {2020-12-14}
}
Tweet thread on Microsoft report on SolarWinds supply chain attack by UNC2452 SUNBURST |
2020-12-14 ⋅ TrustedSec ⋅ Nick Gilberti, Tyler Hudak @online{gilberti:20201214:solarwinds:394f5d5,
author = {Nick Gilberti and Tyler Hudak},
title = {{SolarWinds Orion and UNC2452 – Summary and Recommendations}},
date = {2020-12-14},
organization = {TrustedSec},
url = {https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/},
language = {English},
urldate = {2020-12-16}
}
SolarWinds Orion and UNC2452 – Summary and Recommendations SUNBURST |
2020-12-14 ⋅ SolarWinds ⋅ SolarWinds @online{solarwind:20201214:security:a763c2a,
author = {SolarWinds},
title = {{Security Advisory on SolarWinds Supply chain attack FAQ}},
date = {2020-12-14},
organization = {SolarWinds},
url = {https://www.solarwinds.com/securityadvisory/faq},
language = {English},
urldate = {2021-01-04}
}
Security Advisory on SolarWinds Supply chain attack FAQ SUNBURST SUPERNOVA |
2020-12-14 ⋅ Cado Security ⋅ Christopher Doman @online{doman:20201214:responding:639d2ce,
author = {Christopher Doman},
title = {{Responding to Solarigate}},
date = {2020-12-14},
organization = {Cado Security},
url = {https://www.cadosecurity.com/post/responding-to-solarigate},
language = {English},
urldate = {2020-12-14}
}
Responding to Solarigate SUNBURST |
2020-12-14 ⋅ Sophos ⋅ Ross McKerchar @online{mckerchar:20201214:incident:fa87d28,
author = {Ross McKerchar},
title = {{Incident response playbook for responding to SolarWinds Orion compromise}},
date = {2020-12-14},
organization = {Sophos},
url = {https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/},
language = {English},
urldate = {2020-12-15}
}
Incident response playbook for responding to SolarWinds Orion compromise SUNBURST |
2020-12-14 ⋅ SolarWinds ⋅ SolarWinds @online{solarwind:20201214:security:68f32e4,
author = {SolarWinds},
title = {{Security Advisory on SolarWinds Supply chain attack}},
date = {2020-12-14},
organization = {SolarWinds},
url = {https://www.solarwinds.com/securityadvisory},
language = {English},
urldate = {2021-01-01}
}
Security Advisory on SolarWinds Supply chain attack SUNBURST SUPERNOVA |
2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20201214:threat:032b92d,
author = {Unit 42},
title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}},
date = {2020-12-14},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/},
language = {English},
urldate = {2020-12-15}
}
Threat Brief: SolarStorm and SUNBURST Customer Coverage Cobalt Strike SUNBURST |
2020-12-14 ⋅ Youtube (Ali Hadi) ⋅ Ali Hadi @online{hadi:20201214:learning:f4175a9,
author = {Ali Hadi},
title = {{Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor}},
date = {2020-12-14},
organization = {Youtube (Ali Hadi)},
url = {https://www.youtube.com/watch?v=cMauHTV-lJg},
language = {English},
urldate = {2020-12-18}
}
Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor SUNBURST |
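@online{slowik:20201214:unraveling:d212099,
  author       = {Slowik, Joe},
  title        = {Unraveling Network Infrastructure Linked to the {SolarWinds} Hack},
  date         = {2020-12-14},
  organization = {DomainTools},
  url          = {https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack},
  language     = {English},
  urldate      = {2020-12-15},
}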
Unraveling Network Infrastructure Linked to the SolarWinds Hack SUNBURST |
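@online{biasini:20201214:threat:63acc35,
  author       = {Biasini, Nick},
  title        = {Threat Advisory: {SolarWinds} supply chain attack},
  date         = {2020-12-14},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more},
  language     = {English},
  urldate      = {2020-12-19},
}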
Threat Advisory: SolarWinds supply chain attack SUNBURST TEARDROP |
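@online{cisa:20201213:active:44eb4a4,
  author       = {{CISA}},
  title        = {Active Exploitation of {SolarWinds} Software},
  date         = {2020-12-13},
  organization = {CISA},
  url          = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software},
  language     = {English},
  urldate      = {2020-12-15},
}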
Active Exploitation of SolarWinds Software SUNBURST |
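@online{vxunderground:20201213:directory:a270772,
  author   = {{VX-Underground}},
  title    = {Directory: {/samples/Exotic/UNC2452/SolarWinds Breach/}},
  date     = {2020-12-13},
  url      = {https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/},
  language = {English},
  urldate  = {2020-12-14},
}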
Directory: /samples/Exotic/UNC2452/SolarWinds Breach/ SUNBURST |
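@online{archer:20201213:highly:9fe1728,
  author       = {Archer, Andrew and Bienstock, Doug and DiGiamo, Chris and Edwards, Glenn and Hornick, Nick and Pennino, Alex and Rector, Andrew and Runnels, Scott and Scales, Eric and Fraiser, Nalani and Jones, Sarah and Hultquist, John and Read, Ben and Leathery, Jon and House, Fred and Jallepalli, Dileep and Sikorski, Michael and Eckels, Stephen and Ballenthin, William and Smith, Jay and Berry, Alex and Richard, Nick and Ibrahima, Isif and Perez, Dan and Siedlarz, Marcin and Withnell, Ben and Vengerik, Barry and Oppenheim, Nicole and Ahl, Ian and Thompson, Andrew and Dunwoody, Matt and Reese, Evan and Miller, Steve and Rahman, Alyssa and Gorman, John and Galang, Lennard and Stone, Steve and Bennett, Nick and McWhirt, Matthew and Burns, Mike and Baig, Omer and Carr, Nick and Glyer, Christopher and Nafisi, Ramin and {{Microsoft}}},
  title        = {Highly Evasive Attacker Leverages {SolarWinds} Supply Chain to Compromise Multiple Global Victims With {SUNBURST} Backdoor},
  date         = {2020-12-13},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html},
  language     = {English},
  urldate      = {2020-12-19},
}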
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor SUNBURST SUPERNOVA TEARDROP UNC2452 |
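@online{fireeye:20201213:sunburst:04e594f,
  author       = {{FireEye}},
  title        = {{SUNBURST} Countermeasures},
  date         = {2020-12-13},
  organization = {Github (fireeye)},
  url          = {https://github.com/fireeye/sunburst_countermeasures},
  language     = {English},
  urldate      = {2020-12-19},
}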
SUNBURST Countermeasures SUNBURST SUPERNOVA TEARDROP UNC2452 |
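@online{intelligence:20201213:trojanmsilsolorigatebdha:f470d89,
  author       = {{Microsoft Security Intelligence}},
  title        = {{Trojan:MSIL/Solorigate.B!dha}},
  date         = {2020-12-13},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha},
  language     = {English},
  urldate      = {2020-12-14},
}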
Trojan:MSIL/Solorigate.B!dha SUNBURST |
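@online{team:20201211:mountlocker:9c495cb,
  author       = {{BlackBerry Research and Intelligence team}},
  title        = {{MountLocker} Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates},
  date         = {2020-12-11},
  organization = {Blackberry},
  url          = {https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates},
  language     = {English},
  urldate      = {2020-12-14},
}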
MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates Cobalt Strike Mount Locker |
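@online{471:20201210:no:9fd2ae1,
  author       = {{Intel 471}},
  title        = {No pandas, just people: The current state of {China}’s cybercrime underground},
  date         = {2020-12-10},
  organization = {Intel 471},
  url          = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
  language     = {English},
  urldate      = {2020-12-10},
}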
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
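@online{unit42:20201210:threat:6ac31af,
  author       = {{Unit 42}},
  title        = {Threat Brief: {FireEye} Red Team Tool Breach},
  date         = {2020-12-10},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/},
  language     = {English},
  urldate      = {2020-12-15},
}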
Threat Brief: FireEye Red Team Tool Breach Cobalt Strike |
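@techreport{clarke:20201209:its:c312acc,
  author      = {Clarke, Mitchell and Hall, Tom},
  title       = {It's not {FINished} The Evolving Maturity in Ransomware Operations ({SLIDES})},
  date        = {2020-12-09},
  institution = {FireEye},
  url         = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf},
  language    = {English},
  urldate     = {2020-12-15},
}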
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES) Cobalt Strike DoppelPaymer QakBot REvil |
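@online{duncan:20201209:recent:0992506,
  author       = {Duncan, Brad},
  title        = {Recent {Qakbot} ({Qbot}) activity},
  date         = {2020-12-09},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/rss/26862},
  language     = {English},
  urldate      = {2020-12-10},
}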
Recent Qakbot (Qbot) activity Cobalt Strike QakBot |
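@online{liebenberg:20201209:quarterly:9ed3062,
  author       = {Liebenberg, David and Huey, Caitlin},
  title        = {Quarterly Report: Incident Response trends from Fall 2020},
  date         = {2020-12-09},
  organization = {Cisco},
  url          = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html},
  language     = {English},
  urldate      = {2020-12-10},
}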
Quarterly Report: Incident Response trends from Fall 2020 Cobalt Strike IcedID Maze RansomEXX Ryuk |
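@online{mudge:20201208:red:8ccdfcf,
  author       = {Mudge, Raphael},
  title        = {A Red Teamer Plays with {JARM}},
  date         = {2020-12-08},
  organization = {Cobalt Strike},
  url          = {https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/},
  language     = {English},
  urldate      = {2021-01-11},
}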
A Red Teamer Plays with JARM Cobalt Strike |
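@techreport{kolesnikov:20201208:detecting:ba06a76,
  author      = {Kolesnikov, Oleg and Iyzvyk, Den},
  title       = {Detecting {SolarWinds}/{SUNBURST}/{ECLIPSER} Supply Chain Attacks},
  date        = {2020-12-08},
  institution = {Securonix},
  url         = {https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf},
  language    = {English},
  urldate     = {2021-01-10},
}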
Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks SUNBURST |
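@online{redcanary:20201202:increased:5db5dce,
  author       = {{Red Canary}},
  title        = {Tweet on increased \#{Qbot} activity delivering {Cobalt Strike} \& \#{Egregor} ransomware},
  date         = {2020-12-02},
  organization = {Twitter (@redcanary)},
  url          = {https://twitter.com/redcanary/status/1334224861628039169},
  language     = {English},
  urldate      = {2020-12-08},
}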
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware Cobalt Strike Egregor QakBot |
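@online{jindanlong:20201201:hunting:b9e2674,
  author       = {jindanlong},
  title        = {Hunting {Beacons}},
  date         = {2020-12-01},
  organization = {360.cn},
  url          = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950},
  language     = {English},
  urldate      = {2021-01-10},
}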
Hunting Beacons Cobalt Strike |
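@online{fireeye:202012:solarwinds:4ce144e,
  author       = {{FireEye}},
  title        = {{SolarWinds} Breach Resource Center},
  date         = {2020-12},
  organization = {FireEye},
  url          = {https://www.fireeye.com/current-threats/sunburst-malware.html},
  language     = {English},
  urldate      = {2021-03-02},
}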
Solarwinds Breach Resource Center SUNBURST |
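@online{mez0:20201201:cobalt:38336ed,
  author       = {mez0},
  title        = {{Cobalt Strike} {PowerShell} Execution},
  date         = {2020-12-01},
  organization = {mez0.cc},
  url          = {https://mez0.cc/posts/cobaltstrike-powershell-exec/},
  language     = {English},
  urldate      = {2020-12-14},
}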
Cobalt Strike PowerShell Execution Cobalt Strike |
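@online{team:20201130:threat:2633df5,
  author       = {{Microsoft 365 Defender Threat Intelligence Team}} and {{Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {Threat actor ({BISMUTH}) leverages coin miner techniques to stay under the radar – here’s how to spot them},
  date         = {2020-11-30},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/},
  language     = {English},
  urldate      = {2020-12-01},
}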
Threat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them Cobalt Strike |
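@techreport{clarke:20201130:its:1b6b681,
  author      = {Clarke, Mitchell and Hall, Tom},
  title       = {It's not {FINished} The Evolving Maturity in Ransomware Operations},
  date        = {2020-11-30},
  institution = {FireEye},
  url         = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf},
  language    = {English},
  urldate     = {2020-12-14},
}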
It's not FINished The Evolving Maturity in Ransomware Operations Cobalt Strike DoppelPaymer MimiKatz QakBot REvil |
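@online{takeuchi:20201127:analyzing:4089f84,
  author       = {Takeuchi, Hiroshi},
  title        = {Analyzing Organizational Invasion Ransom Incidents Using {Dtrack}},
  date         = {2020-11-27},
  organization = {Macnica},
  url          = {https://blog.macnica.net/blog/2020/11/dtrack.html},
  language     = {Japanese},
  urldate      = {2020-12-08},
}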
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
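@online{rochberger:20201126:cybereason:8301aeb,
  author       = {Rochberger, Lior and {{Cybereason Nocturnus}}},
  title        = {{Cybereason} vs. {Egregor} Ransomware},
  date         = {2020-11-26},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware},
  language     = {English},
  urldate      = {2020-12-08},
}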
Cybereason vs. Egregor Ransomware Cobalt Strike Egregor IcedID ISFB QakBot |
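@online{walter:20201125:egregor:5727f7a,
  author       = {Walter, Jim},
  title        = {{Egregor} {RaaS} Continues the Chaos with {Cobalt Strike} and {Rclone}},
  date         = {2020-11-25},
  organization = {SentinelOne},
  url          = {https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/},
  language     = {English},
  urldate      = {2020-12-08},
}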
Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone Cobalt Strike Egregor |
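@online{ancarani:20201120:detecting:79afa40,
  author       = {Ancarani, Riccardo},
  title        = {Detecting {Cobalt Strike} Default Modules via Named Pipe Analysis},
  date         = {2020-11-20},
  organization = {F-Secure Labs},
  url          = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis},
  language     = {English},
  urldate      = {2020-11-23},
}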
Detecting Cobalt Strike Default Modules via Named Pipe Analysis Cobalt Strike |
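@online{cimpanu:20201120:malware:0b8ff59,
  author       = {Cimpanu, Catalin},
  title        = {The malware that usually installs ransomware and you need to remove right away},
  date         = {2020-11-20},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/},
  language     = {English},
  urldate      = {2020-11-23},
}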
The malware that usually installs ransomware and you need to remove right away Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
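@online{jiayu:20201120:blackrota:ee43da1,
  author       = {JiaYu},
  title        = {{Blackrota}, a highly obfuscated backdoor developed by {Go}},
  date         = {2020-11-20},
  organization = {360 netlab},
  url          = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/},
  language     = {Chinese},
  urldate      = {2020-11-23},
}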
Blackrota, a highly obfuscated backdoor developed by Go Cobalt Strike |
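@online{cyble:20201117:oceanlotus:d33eb97,
  author       = {{Cyble}},
  title        = {{OceanLotus} Continues With Its Cyber Espionage Operations},
  date         = {2020-11-17},
  organization = {cyble},
  url          = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/},
  language     = {English},
  urldate      = {2020-11-18},
}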
OceanLotus Continues With Its Cyber Espionage Operations Cobalt Strike Meterpreter |
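@online{althouse:20201117:easily:172bd6d,
  author       = {Althouse, John},
  title        = {Easily Identify Malicious Servers on the Internet with {JARM}},
  date         = {2020-11-17},
  organization = {Salesforce Engineering},
  url          = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a},
  language     = {English},
  urldate      = {2020-12-03},
}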
Easily Identify Malicious Servers on the Internet with JARM Cobalt Strike TrickBot |
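@online{ilascu:20201109:fake:c6dd7b3,
  author       = {Ilascu, Ionut},
  title        = {Fake {Microsoft} {Teams} updates lead to {Cobalt Strike} deployment},
  date         = {2020-11-09},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/},
  language     = {English},
  urldate      = {2020-11-11},
}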
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
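@online{kremez:20201106:anatomy:b2ce3ae,
  author       = {Kremez, Vitali},
  title        = {Anatomy of Attack: Inside {BazarBackdoor} to {Ryuk} Ransomware "one" Group via {Cobalt Strike}},
  date         = {2020-11-06},
  organization = {Advanced Intelligence},
  url          = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike},
  language     = {English},
  urldate      = {2020-11-09},
}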
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike BazarBackdoor Cobalt Strike Ryuk |
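@online{adair:20201106:oceanlotus:f7b11ac,
  author       = {Adair, Steven and Lancaster, Thomas and {{Volexity Threat Research}}},
  title        = {{OceanLotus}: Extending Cyber Espionage Operations Through Fake Websites},
  date         = {2020-11-06},
  organization = {Volexity},
  url          = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/},
  language     = {English},
  urldate      = {2020-11-09},
}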
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Cobalt Strike KerrDown APT32 |
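@online{mudge:20201106:cobalt:05fe8fc,
  author       = {Mudge, Raphael},
  title        = {{Cobalt Strike} 4.2 – Everything but the kitchen sink},
  date         = {2020-11-06},
  organization = {Cobalt Strike},
  url          = {https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/},
  language     = {English},
  urldate      = {2020-11-09},
}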
Cobalt Strike 4.2 – Everything but the kitchen sink Cobalt Strike |
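@online{tracey:20201106:indicators:1ec9384,
  author       = {Tracey, Ryan and Schmitt, Drew and {{CRYPSIS}}},
  title        = {Indicators of Compromise related to {Cobaltstrike}, {PyXie} {Lite}, {Vatet} and {Defray777}},
  date         = {2020-11-06},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/},
  language     = {English},
  urldate      = {2020-11-12},
}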
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777 Cobalt Strike PyXie RansomEXX |
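@online{theanalyst:20201105:zloader:c4bab85,
  author       = {TheAnalyst},
  title        = {Tweet on {Zloader} infection leads to {Cobaltstrike} Installation and deployment of {RYUK}},
  date         = {2020-11-05},
  organization = {Twitter (@ffforward)},
  url          = {https://twitter.com/ffforward/status/1324281530026524672},
  language     = {English},
  urldate      = {2020-11-09},
}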
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
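@online{report:20201105:ryuk:ceaa823,
  author       = {{The DFIR Report}},
  title        = {{Ryuk} Speed Run, 2 Hours to Ransom},
  date         = {2020-11-05},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/},
  language     = {English},
  urldate      = {2020-11-06},
}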
Ryuk Speed Run, 2 Hours to Ransom BazarBackdoor Cobalt Strike Ryuk |
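@online{vigna:20201104:trick:a59a333,
  author       = {Vigna, Giovanni},
  title        = {Trick or Threat: {Ryuk} ransomware targets the health care industry},
  date         = {2020-11-04},
  organization = {VMRay},
  url          = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/},
  language     = {English},
  urldate      = {2020-11-06},
}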
Trick or Threat: Ryuk ransomware targets the health care industry BazarBackdoor Cobalt Strike Ryuk TrickBot |
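@online{great:20201103:trends:febc159,
  author       = {{GReAT}},
  title        = {{APT} trends report {Q3} 2020},
  date         = {2020-11-03},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q3-2020/99204/},
  language     = {English},
  urldate      = {2020-11-04},
}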
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
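@online{marinho:20201103:attackers:9b3762b,
  author       = {Marinho, Renato},
  title        = {Attackers Exploiting {WebLogic} Servers via {CVE-2020-14882} to install {Cobalt Strike}},
  date         = {2020-11-03},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/26752},
  language     = {English},
  urldate      = {2020-11-06},
}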
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike Cobalt Strike |
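@online{threatconnect:20201030:unc:b3ae3d0,
  author       = {{ThreatConnect}},
  title        = {{UNC} 1878 Indicators from {Threatconnect}},
  date         = {2020-10-30},
  organization = {Github (ThreatConnect-Inc)},
  url          = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv},
  language     = {English},
  urldate      = {2020-11-06},
}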
UNC 1878 Indicators from Threatconnect BazarBackdoor Cobalt Strike Ryuk |
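@online{csirt:20201029:list:5fb0206,
  author       = {{Swisscom CSIRT}},
  title        = {List of {CobaltStrike} {C2}'s used by {RYUK}},
  date         = {2020-10-29},
  organization = {Github (Swisscom)},
  url          = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt},
  language     = {English},
  urldate      = {2020-11-02},
}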
List of CobaltStrike C2's used by RYUK Cobalt Strike |
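@online{team:20201029:bazar:1846b93,
  author       = {{The Red Canary Team}},
  title        = {A {Bazar} start: How one hospital thwarted a {Ryuk} ransomware outbreak},
  date         = {2020-10-29},
  organization = {Red Canary},
  url          = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/},
  language     = {English},
  urldate      = {2020-11-02},
}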
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak Cobalt Strike Ryuk TrickBot |
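@online{riskiq:20201029:ryuk:0643968,
  author       = {{RiskIQ}},
  title        = {{Ryuk} Ransomware: Extensive Attack Infrastructure Revealed},
  date         = {2020-10-29},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/0bcefe76},
  language     = {English},
  urldate      = {2020-11-02},
}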
Ryuk Ransomware: Extensive Attack Infrastructure Revealed Cobalt Strike Ryuk |
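@online{goody:20201028:unhappy:c0d2e4b,
  author       = {Goody, Kimberly and Kennelly, Jeremy and Shilko, Joshua and Elovitz, Steve and Bienstock, Douglas},
  title        = {Unhappy Hour Special: {KEGTAP} and {SINGLEMALT} With a Ransomware Chaser},
  date         = {2020-10-28},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html},
  language     = {English},
  urldate      = {2020-11-02},
}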
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser BazarBackdoor Cobalt Strike Ryuk UNC1878 |
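@online{iddon:20201027:mtr:3b62ca9,
  author       = {Iddon, Greg},
  title        = {{MTR} Casebook: An active adversary caught in the act},
  date         = {2020-10-27},
  organization = {Sophos Managed Threat Response (MTR)},
  url          = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/},
  language     = {English},
  urldate      = {2020-11-02},
}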
MTR Casebook: An active adversary caught in the act Cobalt Strike |
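@online{report:20201018:ryuk:fbaadb8,
  author       = {{The DFIR Report}},
  title        = {{Ryuk} in 5 Hours},
  date         = {2020-10-18},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/},
  language     = {English},
  urldate      = {2020-10-19},
}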
Ryuk in 5 Hours BazarBackdoor Cobalt Strike Ryuk |
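@online{ginty:20201014:wellmarked:9176303,
  author       = {Ginty, Steve and Gross, Jon},
  title        = {A Well-Marked Trail: Journeying through {OceanLotus}'s Infrastructure},
  date         = {2020-10-14},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/f0320980},
  language     = {English},
  urldate      = {2020-10-23},
}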
A Well-Marked Trail: Journeying through OceanLotus's Infrastructure Cobalt Strike |
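@online{gallagher:20201014:theyre:99f5d1e,
  author       = {Gallagher, Sean},
  title        = {They’re back: inside a new {Ryuk} ransomware attack},
  date         = {2020-10-14},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/},
  language     = {English},
  urldate      = {2020-10-16},
}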
They’re back: inside a new Ryuk ransomware attack Cobalt Strike Ryuk SystemBC |
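@online{marshanski:20201012:front:686add1,
  author       = {Marshanski, Roman and Kremez, Vitali},
  title        = {{"Front Door"} into {BazarBackdoor}: Stealthy Cybercrime Weapon},
  date         = {2020-10-12},
  organization = {Advanced Intelligence},
  url          = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon},
  language     = {English},
  urldate      = {2020-10-13},
}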
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon BazarBackdoor Cobalt Strike Ryuk |
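@online{strangerealintel:20201011:chimera:a423a07,
  author       = {{StrangerealIntel}},
  title        = {{Chimera}, {APT19} under the radar ?},
  date         = {2020-10-11},
  organization = {Github (StrangerealIntel)},
  url          = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md},
  language     = {English},
  urldate      = {2020-10-15},
}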
Chimera, APT19 under the radar ? Cobalt Strike Meterpreter |
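@online{report:20201008:ryuks:e47d8fa,
  author       = {{The DFIR Report}},
  title        = {{Ryuk}’s Return},
  date         = {2020-10-08},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2020/10/08/ryuks-return/},
  language     = {English},
  urldate      = {2020-10-09},
}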
Ryuk’s Return BazarBackdoor Cobalt Strike Ryuk |
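@online{tanriverdi:20201008:there:620f4e7,
  author       = {Tanriverdi, Hakan and Zierer, Max and Wetter, Ann-Kathrin and Biermann, Kai and Nguyen, Thi Do},
  title        = {There is no safe place},
  date         = {2020-10-08},
  organization = {Bayerischer Rundfunk},
  url          = {https://web.br.de/interaktiv/ocean-lotus/en/},
  language     = {English},
  urldate      = {2020-10-12},
}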
There is no safe place Cobalt Strike |
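@techreport{hc3:20201002:report:0ca373f,
  author      = {{Health Sector Cybersecurity Coordination Center (HC3)}},
  title       = {Report 202010021600: Recent {Bazarloader} Use in Ransomware Campaigns},
  date        = {2020-10-02},
  institution = {Health Sector Cybersecurity Coordination Center (HC3)},
  url         = {https://www.hhs.gov/sites/default/files/bazarloader.pdf},
  language    = {English},
  urldate     = {2020-11-02},
}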
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns BazarBackdoor Cobalt Strike Ryuk TrickBot |
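@online{greenberg:20201001:russias:3440982,
  author       = {Greenberg, Andy},
  title        = {{Russia}’s {Fancy Bear} Hackers Likely Penetrated a {US} Federal Agency},
  date         = {2020-10-01},
  organization = {Wired},
  url          = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/},
  language     = {English},
  urldate      = {2020-10-05},
}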
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency Cobalt Strike Meterpreter |
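@online{uscert:20201001:alert:a46c3d4,
  author       = {{US-CERT}},
  title        = {Alert ({AA20-275A}): Potential for {China} Cyber Response to Heightened {U.S.}-{China} Tensions},
  date         = {2020-10-01},
  organization = {US-CERT},
  url          = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
  language     = {English},
  urldate      = {2020-10-04},
}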
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
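@online{hamdan:20200929:getting:c01923a,
  author       = {Hamdan, Kareem and Miller, Lucas},
  title        = {Getting the Bacon from the {Beacon}},
  date         = {2020-09-29},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/},
  language     = {English},
  urldate      = {2020-10-05},
}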
Getting the Bacon from the Beacon Cobalt Strike |
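@online{apra:20200929:cobaltstrikescan:ab5f221,
  author       = {Apra},
  title        = {{CobaltStrikeScan}},
  date         = {2020-09-29},
  organization = {Github (Apr4h)},
  url          = {https://github.com/Apr4h/CobaltStrikeScan},
  language     = {English},
  urldate      = {2020-10-05},
}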
CobaltStrikeScan Cobalt Strike |
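@online{uscert:20200924:analysis:e1e4cc0,
  author       = {{US-CERT}},
  title        = {Analysis Report ({AR20-268A}): Federal Agency Compromised by Malicious Cyber Actor},
  date         = {2020-09-24},
  organization = {US-CERT},
  url          = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a},
  language     = {English},
  urldate      = {2020-10-13},
}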
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor Cobalt Strike Meterpreter |
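@techreport{mavis:20200921:art:d9702a4,
  author      = {Mavis, Nick and Marshall, Joe and Munshaw, Jon},
  title       = {The art and science of detecting {Cobalt Strike}},
  date        = {2020-09-21},
  institution = {Cisco Talos},
  url         = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf},
  language    = {English},
  urldate     = {2020-09-23},
}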
The art and science of detecting Cobalt Strike Cobalt Strike |
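@online{micro:20200918:us:7900e6a,
  author       = {{Trend Micro}},
  title        = {{U.S.} Justice Department Charges {APT41} Hackers over Global Cyberattacks},
  date         = {2020-09-18},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html},
  language     = {English},
  urldate      = {2020-09-23},
}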
U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks Cobalt Strike ColdLock |
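@online{vuonglvm:20200903:apt32:02bd8fc,
  author       = {vuonglvm},
  title        = {{APT32} deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của {APT32} (Phần 2)},
  date         = {2020-09-03},
  organization = {Viettel Cybersecurity},
  url          = {https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/},
  language     = {Vietnamese},
  urldate      = {2020-09-09},
}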
APT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2) Cobalt Strike |
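@online{liebenberg:20200901:quarterly:c02962b,
  author       = {Liebenberg, David and Huey, Caitlin},
  title        = {Quarterly Report: Incident Response trends in Summer 2020},
  date         = {2020-09-01},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html},
  language     = {English},
  urldate      = {2020-09-03},
}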
Quarterly Report: Incident Response trends in Summer 2020 Cobalt Strike LockBit Mailto Maze Ryuk |
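@online{report:20200831:netwalker:29a1511,
  author       = {{The DFIR Report}},
  title        = {{NetWalker} Ransomware in 1 Hour},
  date         = {2020-08-31},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/},
  language     = {English},
  urldate      = {2020-08-31},
}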
NetWalker Ransomware in 1 Hour Cobalt Strike Mailto MimiKatz |
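@online{malayke:20200820:use:77d3957,
  author       = {Malayke},
  title        = {Use {ZoomEye} to track multiple Redteam {C\&C} post-penetration attack frameworks},
  date         = {2020-08-20},
  organization = {Seebug Paper},
  url          = {https://paper.seebug.org/1301/},
  language     = {Chinese},
  urldate      = {2020-08-24},
}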
Use ZoomEye to track multiple Redteam C&C post-penetration attack frameworks Cobalt Strike Empire Downloader PoshC2 |
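@online{teamt5:20200819:0819:e955419,
  author       = {{TeamT5}},
  title        = {調查局 08/19 公布中國對台灣政府機關駭侵事件說明},
  date         = {2020-08-19},
  organization = {TEAMT5},
  url          = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
  language     = {Chinese},
  urldate      = {2020-08-25},
}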
調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike |
2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20200814:zloader:cbd9ad5,
author = {Vitali Kremez},
title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}},
date = {2020-08-14},
organization = {Twitter (@VK_intel)},
url = {https://twitter.com/VK_Intel/status/1294320579311435776},
language = {English},
urldate = {2020-11-09}
}
Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader |
2020-08-06 ⋅ Wired ⋅ Andy Greenberg @online{greenberg:20200806:chinese:32c43e3,
author = {Andy Greenberg},
title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}},
date = {2020-08-06},
organization = {Wired},
url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/},
language = {English},
urldate = {2020-11-04}
}
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang @techreport{chen:20200804:operation:4cf417f,
author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang},
title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}},
date = {2020-08-04},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf},
language = {English},
urldate = {2020-11-04}
}
Operation Chimera - APT Operation Targets Semiconductor Vendors Cobalt Strike MimiKatz Winnti Operation Skeleton Key |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-26 ⋅ Shells.System blog ⋅ Askar @online{askar:20200726:inmemory:5556cad,
author = {Askar},
title = {{In-Memory shellcode decoding to evade AVs/EDRs}},
date = {2020-07-26},
organization = {Shells.System blog},
url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/},
language = {English},
urldate = {2020-07-30}
}
In-Memory shellcode decoding to evade AVs/EDRs Cobalt Strike |
2020-07-22 ⋅ On the Hunt ⋅ Newton Paul @online{paul:20200722:analysing:2de83d7,
author = {Newton Paul},
title = {{Analysing Fileless Malware: Cobalt Strike Beacon}},
date = {2020-07-22},
organization = {On the Hunt},
url = {https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/},
language = {English},
urldate = {2020-07-24}
}
Analysing Fileless Malware: Cobalt Strike Beacon Cobalt Strike |
2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200721:chinese:da6a239,
author = {Hossein Jazi and Jérôme Segura},
title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}},
date = {2020-07-21},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/},
language = {English},
urldate = {2020-07-22}
}
Chinese APT group targets India and Hong Kong using new variant of MgBot malware KSREMOTE Cobalt Strike MgBot |
2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo @online{bao:20200707:cobalt:cf80aa8,
author = {Ladislav Bačo},
title = {{Cobalt Strike stagers used by FIN6}},
date = {2020-07-07},
organization = {MWLab},
url = {https://malwarelab.eu/posts/fin6-cobalt-strike/},
language = {English},
urldate = {2020-07-11}
}
Cobalt Strike stagers used by FIN6 Cobalt Strike |
2020-06-23 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee @online{pantazopoulos:20200623:wastedlocker:112d6b3,
author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee},
title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}},
date = {2020-06-23},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/},
language = {English},
urldate = {2020-06-23}
}
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Cobalt Strike ISFB WastedLocker |
2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20200623:sodinokibi:7eff193,
author = {{Critical Attack Discovery and Intelligence Team}},
title = {{Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike}},
date = {2020-06-23},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos},
language = {English},
urldate = {2020-06-23}
}
Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike Cobalt Strike REvil |
2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves @online{platt:20200622:inside:b381dd5,
author = {Joshua Platt and Jason Reaves},
title = {{Inside a TrickBot Cobalt Strike Attack Server}},
date = {2020-06-22},
organization = {Sentinel LABS},
url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/},
language = {English},
urldate = {2020-06-23}
}
Inside a TrickBot Cobalt Strike Attack Server Cobalt Strike TrickBot |
2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra @online{malhotra:20200622:indigodrop:6d5e7e1,
author = {Asheer Malhotra},
title = {{IndigoDrop spreads via military-themed lures to deliver Cobalt Strike}},
date = {2020-06-22},
organization = {Talos Intelligence},
url = {https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html},
language = {English},
urldate = {2020-06-24}
}
IndigoDrop spreads via military-themed lures to deliver Cobalt Strike Cobalt Strike IndigoDrop |
2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil @online{singh:20200619:targeted:05d8d31,
author = {Atinderpal Singh and Nirmal Singh and Sahil Antil},
title = {{Targeted Attack Leverages India-China Border Dispute to Lure Victims}},
date = {2020-06-19},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims},
language = {English},
urldate = {2020-06-21}
}
Targeted Attack Leverages India-China Border Dispute to Lure Victims Cobalt Strike |
2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge @online{mudge:20200619:beacon:bc8ae77,
author = {Raphael Mudge},
title = {{Beacon Object Files - Luser Demo}},
date = {2020-06-19},
organization = {Youtube (Raphael Mudge)},
url = {https://www.youtube.com/watch?v=gfYswA_Ronw},
language = {English},
urldate = {2020-06-23}
}
Beacon Object Files - Luser Demo Cobalt Strike |
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC) @techreport{acsc:20200618:advisory:ed0f53c,
author = {Australian Cyber Security Centre (ACSC)},
title = {{Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks}},
date = {2020-06-18},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf},
language = {English},
urldate = {2020-06-19}
}
Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks TwoFace Cobalt Strike Empire Downloader |
2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura @online{jazi:20200617:multistage:6358f3f,
author = {Hossein Jazi and Jérôme Segura},
title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}},
date = {2020-06-17},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/},
language = {English},
urldate = {2020-06-19}
}
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature Cobalt Strike |
2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group @online{group:20200615:striking:8fdf4bb,
author = {Exploit Development Group},
title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}},
date = {2020-06-15},
organization = {NCC Group},
url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/},
language = {English},
urldate = {2020-06-16}
}
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability Cobalt Strike |
2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal @online{kristal:20200609:cobaltstrikeparser:a023ac8,
author = {Gal Kristal},
title = {{CobaltStrikeParser}},
date = {2020-06-09},
organization = {Github (Sentinel-One)},
url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py},
language = {English},
urldate = {2020-09-15}
}
CobaltStrikeParser Cobalt Strike |
2020-05-14 ⋅ Lab52 ⋅ Dex @online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal @online{kristal:20200511:anatomy:4ece947,
author = {Gal Kristal},
title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}},
date = {2020-05-11},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/},
language = {English},
urldate = {2020-05-13}
}
The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration Cobalt Strike |
2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report @online{report:20200424:ursnif:e983798,
author = {The DFIR Report},
title = {{Ursnif via LOLbins}},
date = {2020-04-24},
organization = {The DFIR Report},
url = {https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/},
language = {English},
urldate = {2021-03-16}
}
Ursnif via LOLbins Cobalt Strike LOLSnif TeamSpy |
2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp @online{corp:20200416:taiwan:3029f53,
author = {CyCraft Technology Corp},
title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}},
date = {2020-04-16},
organization = {Medium CyCraft},
url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730},
language = {English},
urldate = {2020-11-04}
}
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures Cobalt Strike MimiKatz Operation Skeleton Key |
2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer @online{heinemeyer:20200402:catching:b7f137d,
author = {Max Heinemeyer},
title = {{Catching APT41 exploiting a zero-day vulnerability}},
date = {2020-04-02},
organization = {Darktrace},
url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/},
language = {English},
urldate = {2020-04-13}
}
Catching APT41 exploiting a zero-day vulnerability Cobalt Strike |
2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200326:dukes:df85f94,
author = {Scott Knight},
title = {{The Dukes of Moscow}},
date = {2020-03-26},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/},
language = {English},
urldate = {2020-05-18}
}
The Dukes of Moscow Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke |
2020-03-25 ⋅ Wilbur Security ⋅ JW @online{jw:20200325:trickbot:17b0dc3,
author = {JW},
title = {{Trickbot to Ryuk in Two Hours}},
date = {2020-03-25},
organization = {Wilbur Security},
url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/},
language = {English},
urldate = {2020-03-26}
}
Trickbot to Ryuk in Two Hours Cobalt Strike Ryuk TrickBot |
2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller @online{glyer:20200325:this:0bc322f,
author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller},
title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}},
date = {2020-03-25},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html},
language = {English},
urldate = {2020-04-14}
}
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits Speculoos Cobalt Strike |
2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20200322:mustang:56f3768,
author = {Andreas Klopsch},
title = {{Mustang Panda joins the COVID-19 bandwagon}},
date = {2020-03-22},
organization = {Malware and Stuff},
url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/},
language = {English},
urldate = {2020-03-27}
}
Mustang Panda joins the COVID-19 bandwagon Cobalt Strike |
2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten @online{rusten:20200320:analysis:f82a963,
author = {Luke Rusten},
title = {{Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)}},
date = {2020-03-20},
organization = {RECON INFOSEC},
url = {https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/},
language = {English},
urldate = {2020-06-22}
}
Analysis Of Exploitation: CVE-2020-10189 ( exploited by APT41) Cobalt Strike |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge @online{mudge:20200304:cobalt:176b61e,
author = {Raphael Mudge},
title = {{Cobalt Strike joins Core Impact at HelpSystems, LLC}},
date = {2020-03-04},
organization = {Cobalt Strike},
url = {https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/},
language = {English},
urldate = {2020-03-04}
}
Cobalt Strike joins Core Impact at HelpSystems, LLC Cobalt Strike |
2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom |
2020-02-19 ⋅ FireEye ⋅ FireEye @online{fireeye:20200219:mtrends:193613a,
author = {FireEye},
title = {{M-Trends 2020}},
date = {2020-02-19},
organization = {FireEye},
url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
language = {English},
urldate = {2020-02-20}
}
M-Trends 2020 Cobalt Strike Grateful POS LockerGoga QakBot TrickBot |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza @online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer @online{svajcer:20200218:building:0a80664,
author = {Vanja Svajcer},
title = {{Building a bypass with MSBuild}},
date = {2020-02-18},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html},
language = {English},
urldate = {2020-02-20}
}
Building a bypass with MSBuild Cobalt Strike GRUNT MimiKatz |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019 Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2021-01-22 ⋅ Thomas Barabosch @online{barabosch:20200122:malware:f805475,
author = {Thomas Barabosch},
title = {{The malware analyst’s guide to PE timestamps}},
date = {2021-01-22},
url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/},
language = {English},
urldate = {2021-01-25}
}
The malware analyst’s guide to PE timestamps Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP |
2021-01-05 ⋅ NSA, FBI, CISA, ODNI @online{nsa:20200105:joint:ba51a6d,
author = {NSA and FBI and CISA and ODNI},
title = {{Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)}},
date = {2021-01-05},
url = {https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure},
language = {English},
urldate = {2021-01-11}
}
Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) SUNBURST |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:97e5784,
author = {SecureWorks},
title = {{GOLD NIAGARA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-niagara},
language = {English},
urldate = {2020-05-23}
}
GOLD NIAGARA Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:tin:ccd6795,
author = {SecureWorks},
title = {{TIN WOODLAWN}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn},
language = {English},
urldate = {2020-05-23}
}
TIN WOODLAWN Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:1892bc8,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:983570b,
author = {SecureWorks},
title = {{GOLD KINGSWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood},
language = {English},
urldate = {2020-05-23}
}
GOLD KINGSWOOD More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:8050e44,
author = {SecureWorks},
title = {{GOLD DUPONT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/gold-dupont},
language = {English},
urldate = {2020-05-23}
}
GOLD DUPONT Cobalt Strike Defray PyXie |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-05 ⋅ Github (blackorbird) ⋅ blackorbird @techreport{blackorbird:20191205:apt32:0afe4e7,
author = {blackorbird},
title = {{APT32 Report}},
date = {2019-12-05},
institution = {Github (blackorbird)},
url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf},
language = {Japanese},
urldate = {2020-01-10}
}
APT32 Report Cobalt Strike |
2019-12-05 ⋅ Raphael Mudge @online{mudge:20191205:cobalt:219044e,
author = {Raphael Mudge},
title = {{Cobalt Strike 4.0 – Bring Your Own Weaponization}},
date = {2019-12-05},
url = {https://blog.cobaltstrike.com/},
language = {English},
urldate = {2019-12-06}
}
Cobalt Strike 4.0 – Bring Your Own Weaponization Cobalt Strike |
2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen @techreport{thomasen:20191129:cyber:1aae987,
author = {Thomas Thomasen},
title = {{Cyber Threat Intelligence & Incident Response}},
date = {2019-11-29},
institution = {Deloitte},
url = {https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf},
language = {English},
urldate = {2020-03-04}
}
Cyber Threat Intelligence & Incident Response Cobalt Strike |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-05 ⋅ tccontre Blog ⋅ tccontre @online{tccontre:20191105:cobaltstrike:02e37af,
author = {tccontre},
title = {{CobaltStrike - beacon.dll : Your No Ordinary MZ Header}},
date = {2019-11-05},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html},
language = {English},
urldate = {2019-12-17}
}
CobaltStrike - beacon.dll : Your No Ordinary MZ Header Cobalt Strike |
2019-09-22 ⋅ Check Point Research ⋅ Check Point Research @online{research:20190922:rancor:e834f67,
author = {Check Point Research},
title = {{Rancor: The Year of The Phish}},
date = {2019-09-22},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
language = {English},
urldate = {2020-03-04}
}
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
2019-06-04 ⋅ Bitdefender ⋅ Bitdefender @techreport{bitdefender:20190604:blueprint:ce0583c,
author = {Bitdefender},
title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}},
date = {2019-06-04},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf},
language = {English},
urldate = {2019-12-18}
}
An APT Blueprint: Gaining New Visibility into Financial Threats More_eggs Cobalt Strike |
2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc. @techreport{inc:20190508:2019:3c20a3b,
author = {Verizon Communications Inc.},
title = {{2019 Data Breach Investigations Report}},
date = {2019-05-08},
institution = {Verizon Communications Inc.},
url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
language = {English},
urldate = {2020-05-10}
}
2019 Data Breach Investigations Report BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam |
2019-04-24 ⋅ Weixin ⋅ Tencent @online{tencent:20190424:sea:a722d68,
author = {Tencent},
title = {{"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed}},
date = {2019-04-24},
organization = {Weixin},
url = {https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A},
language = {English},
urldate = {2020-01-13}
}
"Sea Lotus" APT organization's attack techniques against China in the first quarter of 2019 revealed Cobalt Strike SOUNDBITE |
2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines @online{lines:20190415:cobalt:7b3c086,
author = {Neil Lines},
title = {{Cobalt Strike. Walkthrough for Red Teamers}},
date = {2019-04-15},
organization = {PenTestPartners},
url = {https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/},
language = {English},
urldate = {2019-12-17}
}
Cobalt Strike. Walkthrough for Red Teamers Cobalt Strike |
2019-04 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:201904:oceanlotus:8ceeac3,
author = {Macnica Networks},
title = {{OceanLotus Attack on Southeast Asian Automotive Industry}},
date = {2019-04},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpression_automobile.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
OceanLotus Attack on Southeast Asian Automotive Industry CACTUSTORCH Cobalt Strike |
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks @techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20190324:jeshell:439ae8b,
author = {Kevin Perlow},
title = {{JEShell: An OceanLotus (APT32) Backdoor}},
date = {2019-03-24},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/},
language = {English},
urldate = {2020-05-19}
}
JEShell: An OceanLotus (APT32) Backdoor Cobalt Strike KerrDown |
2019-02-27 ⋅ Morphisec ⋅ Michael Gorelik, Alon Groisman @online{gorelik:20190227:new:5296a0b,
author = {Michael Gorelik and Alon Groisman},
title = {{New Global Cyber Attack on Point of Sale Systems}},
date = {2019-02-27},
organization = {Morphisec},
url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems},
language = {English},
urldate = {2020-01-09}
}
New Global Cyber Attack on Point of Sale Systems Cobalt Strike |
2019-02-26 ⋅ Fox-IT ⋅ Fox IT @online{it:20190226:identifying:689104d,
author = {Fox IT},
title = {{Identifying Cobalt Strike team servers in the wild}},
date = {2019-02-26},
organization = {Fox-IT},
url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/},
language = {English},
urldate = {2020-10-25}
}
Identifying Cobalt Strike team servers in the wild Cobalt Strike |
2018-11-19 ⋅ FireEye ⋅ Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr @online{dunwoody:20181119:not:e581291,
author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr},
title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}},
date = {2018-11-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign Cobalt Strike |
2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe @online{joe:20181118:cozybear:4801301,
author = {Joe},
title = {{CozyBear – In from the Cold?}},
date = {2018-11-18},
organization = {Stranded on Pylos Blog},
url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/},
language = {English},
urldate = {2020-01-09}
}
CozyBear – In from the Cold? Cobalt Strike APT 29 |
2018-10-01 ⋅ FireEye ⋅ Regina Elwell, Katie Nickels @techreport{elwell:20181001:attcking:3c6d888,
author = {Regina Elwell and Katie Nickels},
title = {{ATT&CKing FIN7}},
date = {2018-10-01},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf},
language = {English},
urldate = {2020-06-25}
}
ATT&CKing FIN7 Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot |
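2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@comment{The corporate author is double-braced so the whole name is one surname; the single-brace form is parsed as first="Macnica" last="Networks" and sorts and abbreviates as "M. Networks". The vertical bar in the title may print as a dash under the default OT1 font encoding; use \textbar if that matters for the target document.}
@techreport{networks:20181001:trends:17b1db5,
  author      = {{Macnica Networks}},
  title       = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
  institution = {Macnica Networks},
  date        = {2018-10-01},
  url         = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
  urldate     = {2021-03-02},
  language    = {Japanese}
}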
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
2018-10 ⋅ Group-IB ⋅ Group-IB
@comment{The url is a copy hosted on a third-party domain (fintechsecurity.com.hk), not a Group-IB site; treat the PDF's integrity as unverified and prefer the vendor's original when checking its content. The month-only date is valid biblatex ISO form.}
@techreport{groupib:201810:hitech:420711f,
  title       = {{Hi-Tech Crime Trends 2018}},
  author      = {Group-IB},
  institution = {Group-IB},
  date        = {2018-10},
  url         = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf},
  urldate     = {2021-02-09},
  language    = {English}
}
Hi-Tech Crime Trends 2018 BackSwap Cobalt Strike Cutlet Meterpreter |
2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida
@online{endo:20180803:volatility:4597ce0,
  title        = {{Volatility Plugin for Detecting Cobalt Strike Beacon}},
  author       = {Endo, Takuya and Uchida, Yukako},
  organization = {JPCERT/CC},
  date         = {2018-08-03},
  url          = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html},
  urldate      = {2019-07-11},
  language     = {English}
}
Volatility Plugin for Detecting Cobalt Strike Beacon Cobalt Strike |
2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC
@comment{The url points at the master branch, a moving reference: the script fetched today may differ from what was reviewed on the urldate. When citing a specific version of the scanner, pin the link to a commit hash.}
@online{jpcertcc:20180731:scanner:d1757d9,
  title        = {{Scanner for CobaltStrike}},
  author       = {JPCERT/CC},
  organization = {Github (JPCERTCC)},
  date         = {2018-07-31},
  url          = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py},
  urldate      = {2020-01-13},
  language     = {English}
}
Scanner for CobaltStrike Cobalt Strike |
2018-05-21 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20180521:confirmed:ad336b5,
  title        = {{Confirmed new attacks by APT attacker group menuPass (APT10)}},
  author       = {Ishikawa, Yoshihiro},
  organization = {LAC},
  date         = {2018-05-21},
  url          = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html},
  urldate      = {2019-10-27},
  language     = {Japanese}
}
Confirmed new attacks by APT attacker group menuPass (APT10) Cobalt Strike |
2017-06-06 ⋅ FireEye ⋅ Ian Ahl
@online{ahl:20170606:privileges:9598d5f,
  title        = {{Privileges and Credentials: Phished at the Request of Counsel}},
  author       = {Ahl, Ian},
  organization = {FireEye},
  date         = {2017-06-06},
  url          = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html},
  urldate      = {2019-12-20},
  language     = {English}
}
Privileges and Credentials: Phished at the Request of Counsel Cobalt Strike |
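2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
@comment{The corporate author is double-braced so it is treated as a single surname; single braces parse it as first="Symantec Security" last="Response" and it then sorts under R and abbreviates as "S. S. Response".}
@online{response:20161011:odinaff:36b35db,
  author       = {{Symantec Security Response}},
  title        = {{Odinaff: New Trojan used in high level financial attacks}},
  organization = {Symantec},
  date         = {2016-10-11},
  url          = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks},
  urldate      = {2019-12-05},
  language     = {English}
}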
Odinaff: New Trojan used in high level financial attacks Cobalt Strike KLRD MimiKatz Odinaff Anunak |
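2012 ⋅ Cobalt Strike ⋅ Cobalt Strike
@comment{The vendor name is double-braced so it is one surname; single braces parse it as first="Cobalt" last="Strike" and render as "C. Strike" under abbreviating styles. The year-only date is valid biblatex ISO form.}
@online{strike:2012:cobalt:8522cdd,
  author       = {{Cobalt Strike}},
  title        = {{Cobalt Strike Website}},
  organization = {Cobalt Strike},
  date         = {2012},
  url          = {https://www.cobaltstrike.com/support},
  urldate      = {2020-01-13},
  language     = {English}
}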
Cobalt Strike Website Cobalt Strike |