resource center

Threat Intelligence
Resources

BOOK DEMO >
SUBSCRIBE >

Threat SnapShots

In what's looking like a new trend for 2023, we're seeing a sharp increase in phishing attacks that are using new and non-traditional file types, including OneNote notebooks, ISO files, and malicious shortcuts (.lnk). This is a natural evolution since Microsoft's decision last year to block macros in Office documents downloaded from the Internet. In this week's Threat SnapShot, we'll take a look at how attackers are weaponizing these file types, and discuss hunting and detection strategies you can use in your organization. References: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ - https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ SnapAttack Resources: - https://app.snapattack.com/threat/d73cf350-bebc-6c1a-9935-49ae195230ee - Threat: Trojanized OneNote - https://app.snapattack.com/detection/3f01059b-9371-4dbc-a0e8-064e13613a0d - Detection: Suspicious Extracted File from OneNote - https://app.snapattack.com/detection/49858b4b-d623-4efe-8357-91ace854075e - Detection: Suspicious Microsoft OneNote Child Process - https://app.snapattack.com/threat/b5d3c7a9-869d-41d2-82f3-88b262d4ea1b - Threat: Emotet .lnk Initial Infection - https://app.snapattack.com/threat/0b4d8a12-1def-2e9a-2c84-b2f76055a6ae - Threat: Emotet .lnk Initial Infection - PowerShell - https://app.snapattack.com/detection/a695abad-e258-4c02-a01b-b8fbf8212570 - Detection: Possible Malicious Shortcut Activity
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkduWHJaMGV2elFz

Hunting for Non-Traditional Initial Access Vectors: OneNote Notebooks and Malicious Shortcuts (.lnk)

01/26/23

Malvertising is a growing way that threat actors and criminal organizations are gaining initial access to organizations. An unsuspecting user goes to their favorite search engine looking for an installer for a piece of software they need, such as Adobe Acrobat, AnyDesk, 7-zip, or Notepad++. At the top of the search results page is a sponsored ad that looks exactly like the installer they need. They click it, download and run the installer, and in the process become infected with a cryptominer, information stealer, ransomware, or even a Cobalt Strike beacon. In this week's Threat Snapshot, we'll take a look at two malicious installers masquerading as AnyDesk installers - one that distributes the IcedID (BokBot) malware, and another from TA505. We'll discuss detection strategies using our new IOC hunter, as well as behavioral detections you can use in your SIEM or EDR. References: - https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html - https://twitter.com/Unit42_Intel/status/1615470858067222568 - https://isc.sans.edu/diary/29448 SnapAttack Content: - https://app.snapattack.com/threat/7f5d75c8-1393-c9b6-59ad-673a848e254c - Threat: Google Ads Malvertising - Fake AnyDesk Installer (IcedID malware) - https://app.snapattack.com/threat/0e9122f3-8b70-fbc8-1da3-1cf820ef1bf2 - Threat: Google Ads Malvertising - Fake AnyDesk Installer (TA505 malware) - https://app.snapattack.com/detection/b3123391-b0b8-40f5-8a7a-87dcb4cc8fb6 - Detection: Unsigned DLLs loaded from rundll32/regsvr32 from non-standard directories - https://app.snapattack.com/detection/44df308b-8939-474c-baef-8fc4fca2ae90 - Detection: Rundll32 Registering Non DLL File - https://app.snapattack.com/detection/0af0a522-3d48-4c8d-b305-4d1cde528be3 - Detection: IcedID Loader - https://app.snapattack.com/detection/22ee4360-0e61-4b15-adb1-c13418d4a33b - Detection: Potential IcedID Rundll32 Function Name - https://app.snapattack.com/detection/7cea8a8d-81c7-44b0-9a74-f037f8cc3716 - Detection: Potential Ad Hosted Malware
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLjR2a05lTUVraV9B

Malvertising: Uncovering Malicious Installers from Google Ads

01/19/23

Threat actors are increasingly abusing legitimately signed Windows drivers in their attack chains. This class of attack, known as "Bring Your Own Vulnerable Driver" or BYOVD, enables adversaries to exploit these drivers to gain kernel level privileges, bypass LSA protections, or evade detection from EDRs. Even worse for defenders, since these are signed drivers with legitimate uses, most security products will not block or take action when they encounter them. And for backwards compatibility purposes, Windows will happily let these old, vulnerable drivers be installed and used. The BYOVD attacks have been used in the past by actors like the Lazarus Group (abusing a Dell driver) and BlackByte (abusing an MSI Afterburner driver) to blind security tools. More recently, Mandiant and CrowdStrike have been tracking a financially motivated attacker (UNC3944, SCATTERED SPIDER) using drivers, including an Intel network driver with an 8 year old CVE, as part of their campaigns. In this week's Threat SnapShot, we'll take a look at vulnerable Intel driver used in the most recent attacks, as well as the vulnerable Dell driver originally used by Lazarus group, and discuss threat hunting and mitigation strategies you can use in your organization today. References: - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware - https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/ - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ - https://twitter.com/M_haggis/status/1597636389449129984 - https://twitter.com/M_haggis/status/1612859960320458754 - https://twitter.com/M_haggis/status/1612856262148096005 SnapAttack Content: - https://app.snapattack.com/threat/df444cf5-e9d1-d8e0-e1e1-f6681cbfdf30 - Threat: BYOVD - Intel Network Driver (CVE-2015-2291) - https://app.snapattack.com/threat/289f7cbc-b938-18de-58e1-d4d83ab3517a - Threat: BYOVD - Disable LSA Protection via DBUtilDrv2.sys Driver - https://app.snapattack.com/detection/e4c08d58-380f-44d9-81a0-d3c23bc800cd - Detection: Vulnerable Driver Load - https://app.snapattack.com/detection/ee334dd0-b70e-48d3-b0f6-01aab44571ae - Detection: Hunting for Kernel Mode Driver Installation - https://app.snapattack.com/detection/dc870c1a-22af-415d-a903-226709a9774f - Detection: Kernel Driver Installed - https://app.snapattack.com/detection/2ce4a69d-c874-418c-81bc-c079c26e58ce - Detection: Driver Loaded from Suspicious Location
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkxUNk9ZbjE0RWNv

Detecting UNC3944 / SCATTERED SPIDER's Bring Your Own Vulnerable Driver (BYOVD) Attacks

01/12/23

In this week's Threat SnapShot we'll dive into OWA SSRF, an actively exploited Exchange server vulnerability that combines CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit chain relates to ProxyNotShell, but it bypasses the URL rewrite mitigation guidance Microsoft provided in September prior to releasing their patch. We'll dive into the publicly available exploit POCs and discuss detection opportunities for this attack. And while threat actors have moved to using new methods like OWA SSRF to gain initial access, there have been existing behavioral detections such as looking for suspicious child processes (e.g., PowerShell) spawning from web servers that would protect organizations if deployed. References: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ - https://www.huntress.com/blog/owassrf-explained-analyzing-the-microsoft-exchange-rce-vulnerability - https://github.com/CrowdStrike/OWASSRF - https://github.com/balki97/OWASSRF-CVE-2022-41082-POC SnapAttack Content: - https://app.snapattack.com/threat/e9075dbb-4f98-7416-bfc4-2af27b1dc771 - Threat: Exchange RCE via OWA SSRF - https://app.snapattack.com/detection/a207abea-89b0-490a-a9f4-6f1e5ab6b3f1 - Detection: Suspicious Shell Spawning from Web Server - https://app.snapattack.com/detection/93280938-6a26-47af-9b84-208e74570b92 - Detection: Potential OWASSRF Exploitation Attempt - Proxy - https://app.snapattack.com/detection/8d89dc60-4b77-4217-ab4e-c1a3949f98df - Detection: Potential OWASSRF Exploitation Attempt - Webserver
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLmc1MC0zZHl5MUhV

OWA SSRF: Active MS Exchange Exploit Bypassing ProxyNotLogon Mitigations

01/05/23

Load More... Subscribe

Threat SnapShots

In what's looking like a new trend for 2023, we're seeing a sharp increase in phishing attacks that are using new and non-traditional file types, including OneNote notebooks, ISO files, and malicious shortcuts (.lnk). This is a natural evolution since Microsoft's decision last year to block macros in Office documents downloaded from the Internet. In this week's Threat SnapShot, we'll take a look at how attackers are weaponizing these file types, and discuss hunting and detection strategies you can use in your organization. References: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ - https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ SnapAttack Resources: - https://app.snapattack.com/threat/d73cf350-bebc-6c1a-9935-49ae195230ee - Threat: Trojanized OneNote - https://app.snapattack.com/detection/3f01059b-9371-4dbc-a0e8-064e13613a0d - Detection: Suspicious Extracted File from OneNote - https://app.snapattack.com/detection/49858b4b-d623-4efe-8357-91ace854075e - Detection: Suspicious Microsoft OneNote Child Process - https://app.snapattack.com/threat/b5d3c7a9-869d-41d2-82f3-88b262d4ea1b - Threat: Emotet .lnk Initial Infection - https://app.snapattack.com/threat/0b4d8a12-1def-2e9a-2c84-b2f76055a6ae - Threat: Emotet .lnk Initial Infection - PowerShell - https://app.snapattack.com/detection/a695abad-e258-4c02-a01b-b8fbf8212570 - Detection: Possible Malicious Shortcut Activity
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkduWHJaMGV2elFz

Hunting for Non-Traditional Initial Access Vectors: OneNote Notebooks and Malicious Shortcuts (.lnk)

01/26/23

Malvertising is a growing way that threat actors and criminal organizations are gaining initial access to organizations. An unsuspecting user goes to their favorite search engine looking for an installer for a piece of software they need, such as Adobe Acrobat, AnyDesk, 7-zip, or Notepad++. At the top of the search results page is a sponsored ad that looks exactly like the installer they need. They click it, download and run the installer, and in the process become infected with a cryptominer, information stealer, ransomware, or even a Cobalt Strike beacon. In this week's Threat Snapshot, we'll take a look at two malicious installers masquerading as AnyDesk installers - one that distributes the IcedID (BokBot) malware, and another from TA505. We'll discuss detection strategies using our new IOC hunter, as well as behavioral detections you can use in your SIEM or EDR. References: - https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html - https://twitter.com/Unit42_Intel/status/1615470858067222568 - https://isc.sans.edu/diary/29448 SnapAttack Content: - https://app.snapattack.com/threat/7f5d75c8-1393-c9b6-59ad-673a848e254c - Threat: Google Ads Malvertising - Fake AnyDesk Installer (IcedID malware) - https://app.snapattack.com/threat/0e9122f3-8b70-fbc8-1da3-1cf820ef1bf2 - Threat: Google Ads Malvertising - Fake AnyDesk Installer (TA505 malware) - https://app.snapattack.com/detection/b3123391-b0b8-40f5-8a7a-87dcb4cc8fb6 - Detection: Unsigned DLLs loaded from rundll32/regsvr32 from non-standard directories - https://app.snapattack.com/detection/44df308b-8939-474c-baef-8fc4fca2ae90 - Detection: Rundll32 Registering Non DLL File - https://app.snapattack.com/detection/0af0a522-3d48-4c8d-b305-4d1cde528be3 - Detection: IcedID Loader - https://app.snapattack.com/detection/22ee4360-0e61-4b15-adb1-c13418d4a33b - Detection: Potential IcedID Rundll32 Function Name - https://app.snapattack.com/detection/7cea8a8d-81c7-44b0-9a74-f037f8cc3716 - Detection: Potential Ad Hosted Malware
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLjR2a05lTUVraV9B

Malvertising: Uncovering Malicious Installers from Google Ads

01/19/23

Threat actors are increasingly abusing legitimately signed Windows drivers in their attack chains. This class of attack, known as "Bring Your Own Vulnerable Driver" or BYOVD, enables adversaries to exploit these drivers to gain kernel level privileges, bypass LSA protections, or evade detection from EDRs. Even worse for defenders, since these are signed drivers with legitimate uses, most security products will not block or take action when they encounter them. And for backwards compatibility purposes, Windows will happily let these old, vulnerable drivers be installed and used. The BYOVD attacks have been used in the past by actors like the Lazarus Group (abusing a Dell driver) and BlackByte (abusing an MSI Afterburner driver) to blind security tools. More recently, Mandiant and CrowdStrike have been tracking a financially motivated attacker (UNC3944, SCATTERED SPIDER) using drivers, including an Intel network driver with an 8 year old CVE, as part of their campaigns. In this week's Threat SnapShot, we'll take a look at vulnerable Intel driver used in the most recent attacks, as well as the vulnerable Dell driver originally used by Lazarus group, and discuss threat hunting and mitigation strategies you can use in your organization today. References: - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware - https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/ - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ - https://twitter.com/M_haggis/status/1597636389449129984 - https://twitter.com/M_haggis/status/1612859960320458754 - https://twitter.com/M_haggis/status/1612856262148096005 SnapAttack Content: - https://app.snapattack.com/threat/df444cf5-e9d1-d8e0-e1e1-f6681cbfdf30 - Threat: BYOVD - Intel Network Driver (CVE-2015-2291) - https://app.snapattack.com/threat/289f7cbc-b938-18de-58e1-d4d83ab3517a - Threat: BYOVD - Disable LSA Protection via DBUtilDrv2.sys Driver - https://app.snapattack.com/detection/e4c08d58-380f-44d9-81a0-d3c23bc800cd - Detection: Vulnerable Driver Load - https://app.snapattack.com/detection/ee334dd0-b70e-48d3-b0f6-01aab44571ae - Detection: Hunting for Kernel Mode Driver Installation - https://app.snapattack.com/detection/dc870c1a-22af-415d-a903-226709a9774f - Detection: Kernel Driver Installed - https://app.snapattack.com/detection/2ce4a69d-c874-418c-81bc-c079c26e58ce - Detection: Driver Loaded from Suspicious Location
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkxUNk9ZbjE0RWNv

Detecting UNC3944 / SCATTERED SPIDER's Bring Your Own Vulnerable Driver (BYOVD) Attacks

01/12/23

In this week's Threat SnapShot we'll dive into OWA SSRF, an actively exploited Exchange server vulnerability that combines CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit chain relates to ProxyNotShell, but it bypasses the URL rewrite mitigation guidance Microsoft provided in September prior to releasing their patch. We'll dive into the publicly available exploit POCs and discuss detection opportunities for this attack. And while threat actors have moved to using new methods like OWA SSRF to gain initial access, there have been existing behavioral detections such as looking for suspicious child processes (e.g., PowerShell) spawning from web servers that would protect organizations if deployed. References: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ - https://www.huntress.com/blog/owassrf-explained-analyzing-the-microsoft-exchange-rce-vulnerability - https://github.com/CrowdStrike/OWASSRF - https://github.com/balki97/OWASSRF-CVE-2022-41082-POC SnapAttack Content: - https://app.snapattack.com/threat/e9075dbb-4f98-7416-bfc4-2af27b1dc771 - Threat: Exchange RCE via OWA SSRF - https://app.snapattack.com/detection/a207abea-89b0-490a-a9f4-6f1e5ab6b3f1 - Detection: Suspicious Shell Spawning from Web Server - https://app.snapattack.com/detection/93280938-6a26-47af-9b84-208e74570b92 - Detection: Potential OWASSRF Exploitation Attempt - Proxy - https://app.snapattack.com/detection/8d89dc60-4b77-4217-ab4e-c1a3949f98df - Detection: Potential OWASSRF Exploitation Attempt - Webserver
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLmc1MC0zZHl5MUhV

OWA SSRF: Active MS Exchange Exploit Bypassing ProxyNotLogon Mitigations

01/05/23

Load More... Subscribe