How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

September 20, 2024 at 11:25AM The article discusses the Ransomhub ransomware’s utilization of EDRKillShifter to disable EDR and antivirus protections. Ransomhub also exploits the Zerologon vulnerability to take control of networks without authentication. The group has attacked various industries, employed spear-phishing, and used the affiliate model. Trend Micro’s Vision One telemetry data aided in uncovering …

Copy2Pwn Zero-Day Exploited to Bypass Windows Protections

August 16, 2024 at 06:10AM Trend Micro’s Zero Day Initiative (ZDI) revealed a zero-day vulnerability, CVE-2024-38213, named Copy2Pwn, which cybercriminals exploited to bypass Windows protections. Microsoft fixed this flaw in June 2024 but only disclosed it in August. ZDI discovered it during the analysis of attacks by a threat group named Water Hydra for bypassing …

After the Dust Settles: Post-Incident Actions

August 8, 2024 at 11:00AM After a cybersecurity incident, organizations should conduct a thorough review of the attack to understand its timeline, actions taken, and response efficiency. This post-mortem analysis helps in identifying gaps and potential improvements in processes. Sharing incident data and learnings with others in the industry enhances cybercrime prevention. Establishing a timeframe …

Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma

July 19, 2024 at 03:24AM The Play ransomware group has developed a new Linux variant targeting ESXi environments, with potential collaboration with Prolific Puma. The ransomware utilizes evasion techniques and custom-built tools. To mitigate the risk of attacks on ESXi environments, it’s recommended to implement strong access controls, network segmentation, regular backups, and security monitoring. …

Secureworks Elevates State of Cybersecurity for Mid-Market Customers With Managed Detection and Response Offering

July 16, 2024 at 05:50PM Secureworks® introduces Taegis™ ManagedXDR Plus, a Managed Detection and Response (MDR) offering tailored for mid-market companies’ unique cybersecurity requirements. It provides customized use cases, compliance reports, and alerting to address evolving cyber threats and regulations while working within limited budgets. The new tier offers expanded threat hunting, premium support, and …

Command Zero Emerges From Stealth Mode to Speed Up Cyber Investigations

July 9, 2024 at 11:51AM Startup Command Zero has secured $21 million in seed funding to fuel its AI and automation-powered cybersecurity investigation platform. The Austin-based company aims to address the bottleneck in security operations with its user-friendly platform, combining expert investigative questions, autonomous methods, and advanced Large Language Models. The investment round was led …

Turning Jenkins Into a Cryptomining Machine From an Attacker’s Perspective

July 5, 2024 at 05:04AM Summary: The blog entry discusses how attackers can use the Jenkins Script Console for cryptomining by executing malicious Groovy scripts if the console is not properly configured. Misconfigurations and vulnerable Jenkins servers can enable remote code execution and the deployment of cryptocurrency miners. The entry also provides mitigations and indicators …

Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups

June 14, 2024 at 08:43AM The blog entry analyzes the Noodle RAT backdoor, indicating it is used by Chinese-speaking groups involved in espionage and cybercrime. It covers the history, functionalities, communication protocols, and similarities to other malware such as Gh0st RAT and Rekoobe. The potential server-side components of Noodle RAT were also disclosed. For more …

Noodle RAT: Reviewing the New Backdoor Used by Chinese-Speaking Groups

June 11, 2024 at 04:39AM Summary: This blog post analyzes the Noodle RAT backdoor, used by Chinese-speaking groups in cybercrime and espionage. It covers the backdoor’s history, capabilities for Windows and Linux, command-and-control communication, backdoor commands, similarities with Gh0st RAT and Rekoobe, and the discovery of a control panel and builder for Noodle RAT. Authors: …

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

June 6, 2024 at 03:59AM Summary: A novel cryptojacking attack campaign called Commando Cat exploits exposed Docker remote API servers to deploy cryptocurrency miners using Docker images from the open-source Commando project. Malicious actors use the cmd.cat/chattr image to gain initial access, employing techniques like chroot and volume binding to access the host system. Recommendations …