Research Saturday

Author: N2K Networks

Description

Every Saturday, we sit down with cybersecurity researchers to talk shop about the latest threats, vulnerabilities, and technical discoveries.

335 Episodes
Robert Duncan from Netcraft is sharing their research on "Phishception - SendGrid abused to host phishing attacks impersonating itself." Netcraft has recently observed that criminals abused Twilio SendGrid’s email delivery, API, and marketing services to launch a phishing campaign impersonating itself.  Hackers behind this novel phishing campaign used SendGrid’s Tracking Settings feature, which allows users to track clicks, opens, and subscriptions with SendGrid. The malicious link was masked behind a tracking link hosted by SendGrid.  Please take a moment to fill out an audience survey! Let us know how we are doing! The research can be found here: Phishception – SendGrid is abused to host phishing attacks impersonating itself Learn more about your ad choices. Visit megaphone.fm/adchoices
This week we are joined by Jamie MacColl and Dr. Pia Hüsch from RUSI discussing their work on "Ransomware: Victim Insights on Harms to Individuals, Organisations and Society." The research reveals some of the harms caused by ransomware, including physical, financial, reputational, psychological and social harms. Researchers state "Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society." The research can be found here: Ransomware: Victim Insights on Harms to Individuals, Organisations and Society
This week we are joined by Selena Larson from Proofpoint, who is discussing their research, "Bumblebee Buzzes Back in Black." Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing. After a four-month hiatus, Proofpoint researchers found that the downloader returned. Its return aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware. The research can be found here: Bumblebee Buzzes Back in Black
Assaf Dahan and Daniel Frank from Palo Alto Networks Cortex sit down with Dave to talk about their research "Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor." From late 2020 to late 2022, Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union. The research states "They have further deepened their foothold in victims’ environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites." The research can be found here: Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
Ori David from Akamai is sharing their research "Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal." FritzFrog takes advantage of the fact that only internet-facing applications were prioritized for Log4Shell patching and targets internal hosts, meaning that a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation. The research states "FritzFrog has traditionally hopped around by using SSH brute force, and has successfully compromised thousands of targets over the years as a result." Over the years Akamai has seen more than 20,000 FritzFrog attacks, and 1,500+ victims. The research can be found here: Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal
Ransomware is coming.

2024-02-10 28:03

Jon DiMaggio, Chief Security Strategist for Analyst1, is discussing his research on "Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC." While there is evidence to support that RansomedVC runs cybercrime operations, Jon questions the claims it made regarding the authenticity of the data it stole and the methods it used to extort victims. The research states "I uncovered sensitive information about the group's leader, Ransomed Support (also known as Impotent), relating to secrets from his past." In this episode Jon shares his 6 key findings after spending months engaging with the lead criminal who runs RansomedVC. The research can be found here: Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC
Johannes Ullrich from SANS talks about the Internet Storm Center and how they do research. Internet Storm Center was created as a mix of manual reports submitted by security analysts during Y2K and automated firewall collection started by DShield. The research shares how SANS used their "agile honeypots" to "zoom in" on events to more effectively collect data targeting specific vulnerabilities. Internet Storm Center has noted three separate attacks that were observed. The research can be found here: Jenkins Brute Force Scans; Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887); Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527
Jaron Bradley from Jamf Threat Labs is sharing their work on "Jamf Threat Labs discovers new malware embedded in pirated applications." Jamf Threat Labs has detected a series of pirated macOS applications that have been modified to communicate with attacker infrastructure. The research states "These applications are being hosted on Chinese pirating websites in order to gain victims." The discovery marks new and advanced malware, similar to the ZuRu malware, first discovered by Objective-See in 2021 within the iTerm2 application. The research can be found here: Jamf Threat Labs discovers new malware embedded in pirated applications
Jon Williams from Bishop Fox is sharing their research on "It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." When they scanned SonicWall firewalls with management interfaces exposed to the internet, they also found that 76% are vulnerable to one or both issues. The research can be found here: It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable
Ryan Westman, Senior Manager, Threat Intelligence, eSentire's Threat Response Unit (TRU), is discussing their research "Two Russian-speaking cyber gangs attack employees from 23 different companies." The gangs are using malicious Google ads promoting popular business software such as Zoom, Slack, and Adobe. The customers targeted are companies in the manufacturing, software, legal, retail and healthcare industries. The attacking threat actors belong to the Russian-speaking Malware-as-a-Service (MaaS) groups called BatLoader and FakeBat. The research can be found here: Two Competing, Russian-Speaking Cybercrime Groups Attack Employees from 23 Companies in the Manufacturing, Software, Legal, Retail, and Healthcare Sectors Using Malicious Google Ads
Guilherme Venere from Cisco Talos joins to discuss their research on "A deep dive into Phobos ransomware, recently deployed by 8Base group." Cisco Talos discovered that 8Base’s Phobos ransomware payload contains an embedded configuration, which is a significant difference between 8Base’s Phobos variant and other Phobos samples that have been observed in the wild since 2019. In this 2-part research series, Talos conducts a deep dive into the Phobos ransomware, including its affiliate structure, activity and capabilities, as well as the one private key that could enable decryption of all the samples analyzed. The research can be found here: A deep dive into Phobos ransomware, recently deployed by 8Base group; Understanding the Phobos affiliate structure and activity
Host of the CyberWire Daily podcast segment Threat Vector, David Moulton sits down with Mike "Siko" Sikorski from Palo Alto Networks Unit 42 to discuss their research on "Fighting Ursa Aka APT28: Illuminating a Covert Campaign." Unit 42 just published new threat intelligence on Fighting Ursa (aka APT28), a group associated with Russia's military intelligence, on how they are exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries, Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. The research can be found here: Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Dana Behling, researcher from Carbon Black, shares their work on "Hunting Vulnerable Kernel Drivers." The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers, six of which allow kernel memory access, accepting firmware access. TAU reported the issues to the vendors whose drivers had valid signatures at the time of discovery, but only two vendors fixed the vulnerabilities. TAU is calling for more comprehensive approaches in the future than the current banned-list method used by Microsoft. The research states "By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges." The research can be found here: Hunting Vulnerable Kernel Drivers
Ryan from Bishop Fox joins to describe their work on "Building an Exploit for FortiGate Vulnerability CVE-2023-27997." After Lexfo published details of a pre-authentication remote code injection vulnerability in the Fortinet SSL VPN, Bishop Fox worked up a proof-of-concept demo. This research shares how they were able to create that proof-of-concept exploit, step by step. The researchers state "Our debugging environment consisted of a FortiGate 7.2.4 virtual machine which we modified to disable some self-verification functionality. After bypassing these integrity checks, we were able to install an SSH server, BusyBox, and debugging tools such as GDB." The research can be found here: Building an Exploit for FortiGate Vulnerability CVE-2023-27997
Asheer Malhotra from Cisco Talos discusses their research and findings on "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." Cisco Talos' research team released research attributing the work of the espionage-focused threat actor, YoroTrooper, to individuals based in Kazakhstan. The research states "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region." They also found that YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. The research can be found here: Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
Aleksandar Milenkoski and JAGS from SentinelOne sit down to share their work on "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit." After observing a new threat activity cluster by an unknown threat actor in August of this year, SentinelLabs dubbed it Sandman. The research states "Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent." Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform; they call this malware "LuaDream," which exfiltrates system and user information, paving the way for further precision attacks. The research can be found here: Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
Danny Adamitis from Lumen's Black Lotus Labs sits down to discuss their work on "No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action." Last March Lumen's Black Lotus Labs researchers discovered a novel malware called HiatusRAT that targeted business-grade routers. The research states "In the latest campaign, we observed a shift in reconnaissance and targeting activity; in June we observed reconnaissance against a U.S. military procurement system, and targeting of Taiwan-based organizations." This shift in information gathering and targeting preference exhibited in the latest campaign is synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment. The research can be found here: No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action
Sysdig's Alessandro Brucato and Michael Clark join Dave to discuss their work on "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." Attackers are targeting what are typically considered secure AWS services, like AWS Fargate and Amazon SageMaker. This means that defenders generally aren’t as concerned with their security from end to end. The research states "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances." Targeting multiple services poses additional challenges, since it requires finding and killing all miners in each exploited service. The research can be found here: AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation
Amit Malik from Uptycs joins us to discuss their research titled "Unwanted Guests: Mitigating Remote Access Trojan Infection Risk." The Uptycs threat research team identified a new threat referred to as QwixxRAT. The Uptycs team discovered this tool being widely distributed by the threat actor through Telegram and Discord platforms. The research states "QwixxRAT is meticulously designed to harvest an expansive range of information from browser histories and credit card details, to keylogging insights." This newly found tool poses a risk to both businesses and individual users. The research can be found here: Unwanted Guests: Mitigating Remote Access Trojan Infection Risk
Targets from DuckTail.

2023-10-07 15:28

Deepen Desai from Zscaler joins to take a look into their research about "DuckTail." In May of 2023, Zscaler ThreatLabz began an intelligence collection operation to decode DuckTail’s maneuvers. Through an intensive three-month period of monitoring, Zscaler was able to obtain unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. The research states "DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs occurring in 2022 and 2023 introduced more eager candidates into the digital market - meaning more prime targets for DuckTail." The research can be found here: A Look Into DuckTail