
The Rise of Vishing Attacks: How to Protect Yourself from Voice Phishing

Understanding Vishing and Defending Against This Telephone-Based Scam

In an era where technology and connectivity dominate our daily lives, our constant reliance on communication tools has also opened new avenues for cybercriminals to exploit. One such method gaining notoriety in recent years is “vishing,” a crafty and dangerous scam that utilizes voice calls to deceive individuals into divulging personal information or making fraudulent transactions.…

Comparing the Security of Public vs. Private Cloud: Safeguarding Your Digital Assets

In today’s data-driven world, the choice between public and private cloud solutions is a critical decision for businesses and organizations. While both offer their own advantages and flexibility, security is often a top concern when it comes to managing digital assets in the cloud. In this article, we will delve into the nuances of security in public and private clouds and help you make…

How Cybercriminals Misuse QR Codes for Malicious Purposes

In today’s digital world, Quick Response (QR) codes have become an integral part of our daily lives. These square-shaped patterns of black squares on a white background may seem harmless, but they have become a potent weapon in the hands of cybercriminals. In this article, we’ll delve into the underbelly of QR codes and explore how threat actors exploit this technology to their advantage.…

Emergence of AI-Powered Threat Actors: Newly Advertised GPT Services

Hackers Leverage Advanced AI Models for Sinister Purposes, Ushering in a New Era of Cyber Threats

In a concerning development for cybersecurity experts and organizations worldwide, a new breed of threat actors has emerged, wielding the power of artificial intelligence (AI) for malicious purposes. Operating under the moniker “Lortan,” this mysterious entity has introduced two disturbing AI-based services named CRONOZ-GPT and EVIL-GPT, signaling a…

A New Malware Targeting Latin America

A concerning new development has emerged in the cybersecurity landscape, as a financial malware named ‘JanelaRAT’ has been unleashed with a specific focus on targeting users across Latin America (LATAM). This malicious software, detected by cybersecurity firm Zscaler ThreatLabz in June 2023, is proving to be a formidable threat capable of extracting sensitive information from compromised Microsoft Windows systems. JanelaRAT’s strategic approach is to…

Fuzzing Tests for API Security: A Vital Component, but Not Enough

APIs (Application Programming Interfaces) play a crucial role in today’s interconnected digital world, facilitating seamless data exchange between different applications and systems. As APIs become increasingly prevalent, ensuring their security is of paramount importance. Fuzz testing, or fuzzing, is a popular technique used to identify vulnerabilities in software systems, including APIs. In this article, we will delve into what fuzzing tests are for API…

The Power of Remote Access Service: Benefits and Security Best Practices

In today’s interconnected world, remote access service has become a crucial tool for businesses and individuals alike. Whether it’s accessing files from a different location or collaborating with team members in real-time, remote access service provides unparalleled convenience and flexibility. In this blog post, we will explore what remote access service is, who can benefit from it, and essential security measures to ensure its…

Understanding Shadow Admins: The Hidden Threat to Your Network

Shadow Admins have long been a hidden cybersecurity risk, quietly existing in many IT environments, often unbeknownst to IT teams. They are users that aren’t part of recognized Active Directory (AD) administrative groups, such as Domain Admins, Enterprise Admins, Schema Admins, Administrators, and the like, yet they possess administrative privileges that allow them to wield a significant level of control within an organization’s IT…

VirusTotal Code Insight: A New Tool for Analyzing Malicious Code

VirusTotal, a popular online platform for scanning and analyzing files and URLs for malware and security threats, has announced the launch of its newest tool called VirusTotal Code Insight. This advanced solution aims to provide a deeper understanding of malicious code by revealing its underlying structure and functionality. In this article, we will explore the features of VirusTotal Code Insight and how it can…

Hiring Level 1 Analysts for a 24/7 SOC: Process and Interview Questions

As managers of a Security Operations Center (SOC) in an enterprise company, hiring Level 1 analysts to work 24/7 is a critical task. Level 1 analyst recruitment may also be one of the tasks SOC managers face most often, because of the high turnover rate among Level 1 analysts. The success of your SOC will largely depend on the…

Web Scraping for OSINT: Techniques and Best Practices

Open Source Intelligence (OSINT) is a valuable tool for gathering information about individuals, organizations, and events from publicly available sources. One of the most popular OSINT techniques is web scraping, which involves automatically extracting data from websites. In this article, I will explain what web scraping is, how it works, and some best practices for using it effectively. What is Web Scraping? Web scraping…

Social Media Analysis for OSINT

Social media has become a powerful tool for OSINT professionals to gather information about individuals, companies, and organizations. Social media platforms such as Twitter, Facebook, LinkedIn, and Instagram can provide valuable insights into a target’s behavior, preferences, interests, and connections. In this article, we will explore how to perform social media analysis for OSINT purposes. Step 1: Define Your Target The first step in…

MISP vs OpenCTI: An Overview

Open-source intelligence (OSINT) platforms like MISP and OpenCTI are designed to help organizations collect, analyze, and share threat intelligence data. These platforms offer a range of features and capabilities, but there are significant differences between them. In this article, we’ll explore the differences between MISP and OpenCTI, so you can make an informed decision about which platform is right for your organization. MISP: MISP…

Are Free Antivirus Programs Enough?

According to a recent study, 61 percent of Americans rely on free antivirus programs to protect their devices from malware and other online threats. While this may seem like a cost-effective solution, it can actually leave individuals vulnerable to cyber attacks. Free antivirus programs offer basic protection against viruses, but they often lack the advanced features and updates necessary to keep up with rapidly…

To Pay or Not to Pay: Debating Ransomware Payments

Ransomware attacks are a growing threat to organizations around the world, with cybercriminals using increasingly sophisticated tactics to infiltrate computer systems and hold valuable data hostage. In the aftermath of an attack, businesses and organizations are often left with a difficult decision: should they pay the ransom demanded by the hackers to regain access to their data? This question has sparked intense debate among…

What to Know About Dark Web Search Engines

The Dark Web is a section of the internet that is not indexed by regular search engines like Google, Bing, or Yahoo. It is a part of the internet that is not easily accessible and is used by individuals who want to remain anonymous. The Dark Web is notorious for illegal activities such as drug trafficking, human trafficking, and the sale of illegal goods…

VirusTotal Adds Mandiant’s CAPA and GoReSym Capabilities

VirusTotal is the largest platform and community for sharing and learning about malicious files. It aggregates many antivirus and scan engines and lets users check whether a file is malicious according to dozens of antivirus products and scan engines. Google acquired VirusTotal in 2012 and Mandiant last year. While we were eagerly waiting for the integration of Google and Mandiant solutions, VirusTotal announced that it had increased VirusTotal’s capabilities…

Are You Ready for EOS of Win Server 2012?

Microsoft is ending its support of Windows Server 2012 R2 on 10th of October 2023. Its official EOS date was 9th of October 2018, and October 2023 is the extended EOS date. After that, Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers. As we remember from past experiences, big decisions like…

Beware of Fake/Malicious CVE PoCs

In recent years, it has become very common to share PoC exploits for known vulnerabilities, and it is easy to find several PoCs for a vulnerability on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub that offer fake PoC exploits for multiple vulnerabilities. The discovery covers vulnerabilities discovered between 2017 and 2021.…

A Glimpse into AI and the SOCs of the Future

About twenty years ago, antivirus, IPS and firewalls were managed by security teams. Most organizations had only one information security team, and the most important thing was keeping IPS signatures and the antivirus database up to date. But SOCs are growing year by year because of new attack techniques and the new security controls needed to prevent them. Today, an enterprise organization has more than fifty…

Still Have 445 Port Open to Internet?

CVE-2022-26809 is a vulnerability that exists within the Remote Procedure Call Runtime component in Microsoft Windows. If an attacker successfully exploits the vulnerability, they could run arbitrary code on the affected system. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the…

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites. It was discovered by Avast and is currently being used to run a campaign called FakeUpdate that distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications. Parrot TDS acts as a gateway for…

Everything About Attack Surface Management

For many years, we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and critically important for organizations to see which vulnerabilities they have that attackers could use if they target them. Despite all this success, widespread use and importance, vulnerability scanning has gaps when it comes to managing an organization’s attack surface.…

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting the employees of the companies they were planning to attack and asking for their support to infiltrate in exchange for a certain share. It seems that this issue is becoming more and more important every day. Most recently, the Lapsus$ group published a job advertisement stating that they are recruiting employees working in certain…

Conti CVEs Leaked

On 27th of February, a member of the Conti threat group started leaking data from the group, after Conti announced that they fully support Russia against Ukraine. The leak is still going on via the “ContiLeaks” Twitter account. It started with unencrypted chat messages between Conti members. On 1st of March, the threat actor shared access information for several Conti storage servers and some…

CTI does not mean Fraud Detection

Although organizations invest more and more in security tools, breach statistics keep increasing. Ten or more years ago, attackers mostly worked alone and used basic tools, so it was easier to block them. But advanced techniques and tools, and the groups that came together to attack, have made these attacks more difficult to block. There was no such thing as intelligence on…

Image Reverse Search

With the growth of social media usage, fake news and social media scams are growing too. For many reasons, we need to verify posts before we believe and/or share them. Image reverse search is an OSINT technique that is very important because of these social media and news scams, and it is as easy as it is important. To see if a news item is true, one of…

DFIR Problems in the Cloud

More and more companies are starting to use the cloud because of its ease of deployment, its integration with business needs and its scalability, and the pandemic and changing business models have pushed its usage even further. From an IT perspective, cloud usage provides a lot of convenience. With the cloud, companies can pay only for the resources they need and scale up or down to…

Threat Hunting III – Pyramid of Pain

As we mentioned in the previous sessions, IoCs are crucially important for a proactive threat hunting process. Threat hunters should know the latest information about new threats and incorporate it into their hunting processes. The Pyramid of Pain classifies IoCs and helps us better understand their usefulness. The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube…

Zone Identifier Commands

With the Zone Identifier, we can tell whether a file was downloaded from the internet or not. A file with the Zone.Identifier extension is an ADS (Alternate Data Stream) that contains information about another file. It describes the security zone of the file. Zone Identifier streams are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and…

Searching for IoC with Redline

Redline is a free tool for investigating malicious activity through memory and file analysis. It has a lot of features for investigation, but in this post we will only cover searching for IoCs on an endpoint with Redline. In the previous post, we created an IoC to detect WinSCP.exe. Now, we will search for it with Redline as the example. We will go on with “Create…

Data Collection with Redline

As we discussed before, Redline is a great tool for investigating endpoints. In this post, we will explain how to collect memory data with Redline. First, on the main page of Redline, we click the “Create a Standard Collector” button. In the window that opens, we click the “Edit your script” label and make sure we select everything we need for memory analysis. Then we…

Creating IoCs with Mandiant IOCe

In the “Open Threat Exchange” post we mentioned the IoCs shared by other parties on Open Threat Exchange. Open IoCs are nice since they are vendor independent and can be used in a lot of different technologies for detecting threats.

Viewing Existing IoCs

In this post, we will talk about Mandiant IOC Editor. First of all, Mandiant IOCe can be used to view open IoCs…

Open Threat Exchange

Open Threat Exchange is a threat intelligence platform from AlienVault. Using this platform to get intel information is not limited to paying customers. When you register and log in to OTX, you can easily see a summary of the threats in the “Subscribed Pulses” section. Let’s choose a threat called “Wiper luring the Olympic Games”. When we click on it, we can see details of the threat…

Threat Hunting II – Recommendations

Effective threat hunting is critical because it is hard to think like an attacker and to search for the unknown in an enterprise network. This post may help organizations run effective and successful threat hunting.

Knowledge of Topology and Environment

The purpose of threat hunting is to find anomalies and their sources in the network and on endpoints. So, a threat hunter should…

Threat Hunting I – Understanding Threat Hunting

Although threat hunting is nothing new, it has been a very hot topic lately. Even if you have perimeter and endpoint security devices and a SIEM for collecting and correlating their logs, waiting for incidents to come is not a good approach. Without threat hunting, dwell time increases to more than 150 days, and this is not acceptable anymore. While attackers are working proactively…

Incident Handling and Response to Insider Threats

Because an insider is an employee, a trusted person with access to various data, insider threats are a major risk for organizations. Organizations invest in protecting the perimeter against external threats but focus less on internal threats. This is another factor that makes insider threats riskier. Attacks may come from different types of employees. These attackers may be system admins or…

Product Review: Cyber AI Analyst

The finalists for best enterprise security solution have been announced by SC Magazine. Darktrace’s Cyber AI Analyst is one of these solutions, and since I like its approach, I want to write something about it. For most organizations, one of the biggest problems today is finding and keeping qualified analysts. Because of attacks that develop day by day, newly established and growing SOCs, and growing teams,…

XSS Detection and Prevention

XSS is a common and very well-known vulnerability that has been in the OWASP Top 10 from the beginning. XSS is hard to detect and very dangerous, since an attacker can gain the ability to do and see whatever the user can, such as passwords, financial information, etc. XSS has two main types: Stored XSS, where the malicious script is injected directly into the vulnerable application, and Reflected…

Data Carving with Foremost

Foremost is a valuable tool for Linux forensics. It is a console tool, and you can recover files based on their different properties. This is basically the data carving process. Foremost can work on image files created by SafeBack, EnCase, and dd. As part of forensic analysis, data carving must be understood. It is a forensic technique of reassembling files from the raw…