Table of Contents
- The Need for an Evolved Threat Intel Lifecycle
- CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
- New Mirai malware variant infects Linux devices to build DDoS botnet
- Master the Art of Red Teaming with the Top 100 Free Red Team Tools
- NetWire Malware Site and Server Seized, Admin Arrested
- Six reasons why today’s SOCs don’t work – and why AI is the fix
- Introducing VT4Splunk – The official VirusTotal App for Splunk
- Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
- CrowdStrike report reveals identities under siege, cloud data theft up
- Hacking ChatGPT: ‘The Dark Web’s Hottest Topic’
The Need for an Evolved Threat Intel Lifecycle
Dan Cole
Threat Connect
The Traditional Intelligence Cycle
Planning and Direction
Collection
Processing
Analysis and Production
Dissemination and Integration
Limitations
Lack of Accountability
While the intel cycle does have a “feedback” step, it’s not strictly enforced and very often is not properly quantified.
Lack of Stakeholder Involvement
Intelligence doesn’t exist for its own sake, so it’s curious that the stakeholders it’s supposed to benefit aren’t even called out in the cycle!
The Evolved Intelligence Cycle
It explicitly calls out the personas involved in threat intelligence: Producers (CTI analysts, researchers, Captain Piett, etc.), and Consumers (SOC/IR, threat hunters, leadership/CISOs, red and blue teams, Admiral Ozzel, Darth Vader, etc.).
It takes into account the action part of threat intel (Dissemination is not action!), such as detection and enabling leadership to make strategic decisions.
Dissemination and Feedback are “bridge” steps between the two personas, which turns threat intelligence into a truly collaborative discipline across the entire security organization.
Link: https://threatconnect.com/blog/the-need-for-an-evolved-threat-intel-lifecycle/
CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
Ravie Lakshmanan
The Hacker News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below –
CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
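The practical question a KEV update raises is which of your own systems carry the newly listed CVEs and how long you have before the KEV remediation due date. The script below is an added example, not code from the article or from CISA: it loads a constructed excerpt of the KEV JSON feed (using the feed's field names cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate), matches it against constructed vulnerability-scanner findings, and ranks the hits by days left. The dateAdded and dueDate values, the host names and the findings are assumptions.

```python
"""Cross-reference scanner findings with a CISA KEV catalog excerpt and rank
them by the KEV remediation due date.

The catalog excerpt below is constructed for this example: it mirrors the field
names of CISA's KEV JSON feed, but the dateAdded and dueDate values, the host
names and the scanner findings are assumptions. Only the three CVE ids and
product names come from the article.
"""
import json
from datetime import date

KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-35914", "vendorProject": "Teclib", "product": "GLPI",
     "vulnerabilityName": "Teclib GLPI Remote Code Execution Vulnerability",
     "dateAdded": "2023-03-07", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-03-28"},
    {"cveID": "CVE-2022-33891", "vendorProject": "Apache", "product": "Spark",
     "vulnerabilityName": "Apache Spark Command Injection Vulnerability",
     "dateAdded": "2023-03-07", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-03-28"},
    {"cveID": "CVE-2022-28810", "vendorProject": "Zoho", "product": "ManageEngine ADSelfService Plus",
     "vulnerabilityName": "Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability",
     "dateAdded": "2023-03-07", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-03-28"}
  ]
}
"""

# Constructed vulnerability-scanner output: one row per (host, unpatched CVE).
SCAN_FINDINGS = [
    {"host": "spark-edge", "cve": "cve-2022-33891"},   # lower case, as some scanners emit
    {"host": "glpi-01", "cve": "CVE-2022-35914"},
    {"host": "adss-01", "cve": "CVE-2022-28810"},
    {"host": "web-03", "cve": "CVE-0000-0000"},        # placeholder id, not in the excerpt
]

DEMO_TODAY = date(2023, 3, 30)   # assumed "now" for the demo run


def load_kev(text):
    """Parse the KEV feed into a dict keyed by upper-cased CVE id."""
    catalog = json.loads(text)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return the findings that appear in KEV, most overdue first.

    days_left is negative once the KEV due date has passed.
    """
    hits = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None:
            continue  # not (yet) in KEV: still a vuln, but no KEV deadline attached
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": f["host"],
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (h["days_left"], h["host"]))
    return hits


def run_demo():
    """Rank the constructed findings against the constructed excerpt."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), DEMO_TODAY)


if __name__ == "__main__":
    for h in run_demo():
        state = "OVERDUE" if h["days_left"] < 0 else f"{h['days_left']}d left"
        print(f"{h['host']:<11} {h['cve']:<15} {h['product']:<35} due {h['due']} ({state})")
```

Matching on CVE id from scanner output, rather than on product name, avoids false matches on versions that were never affected; the real feed is the JSON file CISA publishes alongside the catalog, and the same code applies to it unchanged.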
Link: https://thehackernews.com/2023/03/cisas-kev-catalog-updated-with-3-new.html
New Mirai malware variant infects Linux devices to build DDoS botnet
Bill Toulas
Bleeping Computer
Researchers from Palo Alto Networks' Unit 42 have spotted a new variant of the notorious Mirai botnet, named V3G4, spreading to Linux-based servers and IoT devices to build a large swarm of DDoS bots.
To infect endpoints, the attackers brute-force weak or default Telnet/SSH credentials and then abuse one of 13 known vulnerabilities to execute code remotely and install the malware.
The botnet has a number of interesting features, including one where it tries to terminate, among other processes, those belonging to other botnet families.
So it is safe to assume the threat actors are trying to hijack endpoints already compromised by other threat actors.
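The credential brute-forcing that precedes infection is visible in the target's own auth log long before any DDoS traffic leaves it. The following is an added example, not Unit 42's or the article's code: it parses constructed OpenSSH syslog lines, counts password failures per source address inside a sliding window, and records whether a source that crossed the threshold later logged in successfully. The threshold and window values are assumptions to tune per site, and the addresses are documentation ranges.

```python
"""Flag SSH password brute-forcing of the kind Mirai variants use to spread,
from sshd entries in a Linux auth log.

Added example; not Unit 42's detection logic. The log lines are constructed in
the standard OpenSSH syslog format, the source addresses are documentation
ranges, and the threshold/window values are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: a credential-guessing burst from one source that ends in a
# successful root login, plus ordinary noise from another source.
AUTH_LOG = """\
Mar 23 10:00:01 iot-gw sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 23 10:00:03 iot-gw sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 23 10:00:05 iot-gw sshd[2203]: Failed password for invalid user default from 203.0.113.5 port 51236 ssh2
Mar 23 10:00:07 iot-gw sshd[2204]: Failed password for invalid user support from 203.0.113.5 port 51237 ssh2
Mar 23 10:00:09 iot-gw sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 23 10:00:11 iot-gw sshd[2206]: Failed password for root from 203.0.113.5 port 51239 ssh2
Mar 23 10:00:12 iot-gw sshd[2206]: Connection closed by 203.0.113.5 port 51239 [preauth]
Mar 23 10:00:14 iot-gw sshd[2207]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 23 10:05:30 iot-gw sshd[2310]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 23 10:05:41 iot-gw sshd[2311]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""


def parse(line, year=2023):
    """Return (timestamp, result, user, ip) for a password auth line, else None.

    syslog timestamps carry no year, so one is supplied (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_seconds=60):
    """Return {ip: verdict} for sources with >= threshold failures in any window.

    A verdict records the distinct usernames tried, the total failure count and,
    if a later login from that source succeeded, the account it got in as.
    """
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    failures = defaultdict(int)
    users = defaultdict(set)
    verdicts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in verdicts:
                verdicts[ip] = {"first_seen": q[0], "users": users[ip], "success_as": None}
        elif ip in verdicts and verdicts[ip]["success_as"] is None:
            verdicts[ip]["success_as"] = user   # guessing paid off: top priority
    for ip, v in verdicts.items():
        v["failures"] = failures[ip]
    return verdicts


if __name__ == "__main__":
    for ip, v in detect(AUTH_LOG.splitlines()).items():
        print(f"{ip}: {v['failures']} failures, users={sorted(v['users'])}, "
              f"logged in as {v['success_as'] or 'nobody'}")
```

A source that crosses the threshold and then gets an "Accepted" line is the case to page on: the device is now a bot candidate, and on a Mirai-class host the next things to look for are new processes killing other processes and outbound Telnet/SSH scanning.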
Link: https://www.bleepingcomputer.com/news/security/new-mirai-malware-variant-infects-linux-devices-to-build-ddos-botnet/
Master the Art of Red Teaming with the Top 100 Free Red Team Tools
Rocky
Codelivly
Why Do You Need Red Team Tools?
Identify Weaknesses
Test Defenses
Validate Security Controls
Improve Security Posture
Compliance Requirements
Criteria for Selecting Red Team Tools
Functionality
Compatibility
Ease of Use
Customization
Documentation
Support
Cost
Link: https://www.codelivly.com/master-the-art-of-red-teaming-with-the-top-100-free-red-team-tools/
NetWire Malware Site and Server Seized, Admin Arrested
Habiba Rashid
Hack Read
NetWire malware has been utilized by various cybercrime groups, but its most notable use occurred in February 2022 when the ModifiedElephant APT group used the malware to plant incriminating evidence on victims’ devices.
In a joint operation between the US Federal Bureau of Investigation (FBI), the European Union Agency for Law Enforcement Cooperation (Europol), and other international law enforcement agencies, the internet domain used to sell NetWire malware has been seized.
NetWire is a powerful tool used by cybercriminals to gain unauthorized access to computer systems and control them remotely.
It’s worth noting that NetWire was used extensively in several cyberattacks, including those targeting the aviation and defence sectors in February 2022, thousands of global oil and gas and energy firms in August 2017, and attacks on the aerospace and travel sectors in May 2021.
Link: https://www.hackread.com/netwire-malware-site-seized-admin-arrested/
Six reasons why today’s SOCs don’t work – and why AI is the fix
Gonen Fink
SC Media
Require too much manpower: Collecting, logging and indexing data for analysis takes a great deal of time, and every moment is precious during an attack. It's not the fault of analysts; no person could analyze this amount of data in an acceptable amount of time.
Are too slow: Today's SOC needs a faster response time, and introducing artificial intelligence can reduce that response time to minutes rather than days.
Have grown too reliant on incremental solutions: Building upon an existing SOC may feel like an easy fix, but in the long run it creates silos and won’t solve the larger issues.
Find it hard to manage documentation, processes and procedures: Quite often, processes and protocols aren’t regularly updated, or worse, stay stagnant, instead of continuously improving.
This
Have found that staying compliant causes confusion: Regulations and requirements are constantly changing, especially internationally.
Contribute to attrition: In addition to an industry skills shortage, making it difficult to find the right employees, high-stress levels exacerbated by SOC inefficiencies are contributing to further staff turnover.
Link: https://www.scmagazine.com/perspective/emerging-technology/six-reasons-why-todays-socs-dont-work-and-why-ai-is-the-fix
Introducing VT4Splunk – The official VirusTotal App for Splunk
Daniel Pascual
Virus Total Blog
TL;DR: VT4Splunk, VirusTotal’s official Splunk plugin, correlates your telemetry with VirusTotal context to automate triage, expedite investigations and unearth threats dwelling undetected in your environment.
This extends Splunk’s own VirusTotal plugin for their SOAR.
Next March 30th we will host a webinar along with Splunk to show how to do security investigations with Splunk and VirusTotal.
Register here!
VirusTotal has had Splunk plugins for a while, most of them developed by community contributors and other third parties.
For instance, VirusTotal’s plugin for Splunk SOAR, which ranks #1 in the Threat Intelligence Reputation space is developed by our friends over at Splunk, and we highly recommend it.
However, we wanted to truly showcase what VirusTotal can do for your SIEM, and VT4Splunk v1 is our proposed solution.
It is free and you can download it from Splunkbase.
It is compatible with Splunk 8.x and later, Enterprise and Cloud versions.
In a nutshell, VT4Splunk automatically enriches your Splunk logs with threat intelligence coming from VirusTotal, to gain superior visibility and understanding.
Let’s dive into specific use cases and outcomes.
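What "enriching logs with VirusTotal context" amounts to in practice is one file-report lookup per distinct hash, cached so quota is not spent twice on the same file, and a verdict field appended to every event. The script below is an added example and is not VT4Splunk's code: the live lookup uses the documented VirusTotal API v3 file-report endpoint (GET /api/v3/files/{hash} with an x-apikey header), while the events, the canned report and the verdict threshold are constructed so the example runs offline. The hashes are not real files.

```python
"""Enrich events that carry a file SHA-256 with a VirusTotal verdict, the way a
SIEM integration does: one API call per distinct hash, cached, then vt_* fields
appended to every event.

Added example; not VT4Splunk's code. Live lookups use the documented v3
file-report endpoint. The events, canned report and threshold are constructed
so the example runs offline; the hashes are not real files.
"""
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
MALICIOUS_MIN = 3   # engines flagging malicious before we call it malicious (assumption)


def vt_fetch_report(sha256, api_key):
    """Live lookup. Returns the parsed v3 report, or None if VT has never seen the hash."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def verdict_from_report(report):
    """Reduce a v3 file report to the few fields an analyst triages on."""
    if report is None:
        return {"vt_verdict": "unknown", "vt_malicious": 0, "vt_engines": 0, "vt_label": None}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    if malicious >= MALICIOUS_MIN:
        level = "malicious"
    elif malicious or stats.get("suspicious", 0):
        level = "suspicious"
    else:
        level = "clean"
    return {
        "vt_verdict": level,
        "vt_malicious": malicious,
        "vt_engines": sum(stats.values()),
        "vt_label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
    }


def enrich(events, fetch):
    """Append vt_* fields to each event, calling fetch(sha256) once per distinct hash."""
    cache = {}
    out = []
    for ev in events:
        h = ev["sha256"].lower()
        if h not in cache:
            cache[h] = verdict_from_report(fetch(h))
        out.append({**ev, **cache[h]})
    return out


# Constructed data: three events, two of them the same file; only one hash is "known".
EVENTS = [
    {"host": "ws-17", "path": "C:\\Users\\Public\\update.exe", "sha256": "ab" * 32},
    {"host": "ws-42", "path": "C:\\Temp\\update.exe", "sha256": "AB" * 32},
    {"host": "ws-09", "path": "/tmp/x", "sha256": "cd" * 32},
]
CANNED_REPORTS = {
    "ab" * 32: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 41, "suspicious": 1, "undetected": 28,
                                "harmless": 0, "timeout": 0},
        "popular_threat_classification": {"suggested_threat_label": "trojan.agent/generic"},
    }}},
}


class CountingFetcher:
    """Offline stand-in for vt_fetch_report that also counts API calls."""
    def __init__(self):
        self.calls = 0

    def __call__(self, sha256):
        self.calls += 1
        return CANNED_REPORTS.get(sha256)


if __name__ == "__main__":
    fetcher = CountingFetcher()
    for ev in enrich(EVENTS, fetcher):
        print(f"{ev['host']:<6} {ev['vt_verdict']:<10} {ev['vt_malicious']}/{ev['vt_engines']} {ev['vt_label']}")
    print(f"{fetcher.calls} lookups for {len(EVENTS)} events")
```

To run it against the real API, pass `lambda h: vt_fetch_report(h, API_KEY)` as the fetcher; the cache and the verdict logic stay the same. Note that "unknown" (a 404 from VT) is a distinct state from "clean" and on an endpoint usually deserves more attention, not less.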
Link: https://blog.virustotal.com/2023/03/introducing-vt4splunk-official.html
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
Cybersecurity & Infrastructure Security Agency
Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.
The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.
The tool enables users to:
Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
Query, export, and investigate AAD, M365, and Azure configurations.
Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
Perform time bounding of the UAL.
Extract data within those time bounds.
Collect and review
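Once the tool has exported the UAL, the first analysis steps are usually to bound the records to the incident window and pull out the handful of operations that matter most, such as inbox rules that forward mail out of a mailbox. The script below is an added example and is not the Untitled Goose Tool's code: the records are constructed but use the UAL field names (CreationTime, Operation, UserId, ClientIP, Workload, and Parameters as Name/Value pairs); the addresses, times and user names are assumptions.

```python
"""Time-bound a Microsoft 365 unified audit log (UAL) export and pull out the
records incident responders look at first: inbox rules that forward or
redirect mail, and the sign-in sources of the affected users.

Added example; not the Untitled Goose Tool's code. The records are constructed
but use UAL field names; addresses, times and user names are assumptions.
"""
from datetime import datetime, timezone

UAL_EXPORT = [
    {"CreationTime": "2023-03-19T23:58:40", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23"},
    {"CreationTime": "2023-03-20T08:14:02", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2023-03-20T08:16:30", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collect@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-03-20T09:02:11", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "bob"}, {"Name": "ProhibitSendQuota", "Value": "50GB"}]},
    {"CreationTime": "2023-03-22T10:30:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
]

# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}


def parse_time(value):
    """UAL CreationTime is UTC; the export usually omits the 'Z' suffix."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def time_bound(records, start, end):
    """Keep records with start <= CreationTime < end (ISO-8601 strings, UTC)."""
    lo, hi = parse_time(start), parse_time(end)
    return [r for r in records if lo <= parse_time(r["CreationTime"]) < hi]


def forwarding_rules(records):
    """Return inbox-rule operations that forward or redirect mail, with the target."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        targets = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if targets:
            hits.append({"time": r["CreationTime"], "user": r["UserId"], "ip": r["ClientIP"],
                         "rule": params.get("Name"), "targets": targets,
                         "deletes": params.get("DeleteMessage") == "True"})
    return hits


def logins_by_user(records):
    """Map each user to the distinct client IPs they signed in from in the window."""
    seen = {}
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            seen.setdefault(r["UserId"], set()).add(r["ClientIP"])
    return seen


if __name__ == "__main__":
    window = time_bound(UAL_EXPORT, "2023-03-20T00:00:00Z", "2023-03-21T00:00:00Z")
    print(f"{len(window)} of {len(UAL_EXPORT)} records inside the window")
    for h in forwarding_rules(window):
        print(f"{h['time']} {h['user']} from {h['ip']} rule {h['rule']!r} -> {h['targets']} delete={h['deletes']}")
    print(logins_by_user(window))
```

A rule named with a single character that forwards externally and deletes the original is the classic business-email-compromise pattern; correlating its ClientIP with the user's sign-ins in the same window (here a new address two minutes earlier) is what turns the record into a lead.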
Link: https://www.cisa.gov/news-events/alerts/2023/03/23/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365
CrowdStrike report reveals identities under siege, cloud data theft up
Venture Beat
Hobbies Hub
Cyberattacks exploiting gaps in cloud infrastructure to steal credentials, identities and data skyrocketed in 2022, rising 95%, with cases involving “cloud-conscious” threat actors tripling year-over-year.
That’s according to CrowdStrike’s 2023 Global Threat Report.
The report finds bad actors moving away from deactivating antivirus and firewall technologies, and from log-tampering efforts, seeking instead to “modify authentication processes and attack identities,” it concludes.
The report found a 20% increase in the number of adversaries pursuing cloud data theft and extortion campaigns, and the largest-ever increase in the number of adversaries: 33 new ones found in just a year.
Prolific Scattered Spider and Slippery Spider attackers are behind many recent high-profile attacks on telecommunications, BPO and technology companies.
CrowdStrike advises security teams to meet the 1-10-60 rule: detecting threats within the first minute, understanding them within 10 minutes, and responding within 60 minutes.
Cloud exploitation grew by 95%, and the number of cases involving “cloud-conscious” threat actors almost tripled year-over-year, by CrowdStrike’s measures.
Link: https://hobbies-hub.com/crowdstrike-report-reveals-identities-underneath-siege-cloud-information-theft-up/
Hacking ChatGPT: ‘The Dark Web’s Hottest Topic’
David Ramel
Virtualization & Cloud Review
“Forum threads on ChatGPT rose 145 percent — from 37 to 91 in a month — as exploiting the bot became the dark web’s hottest topic,” the company said in a March 14 news release.
While most of the posts about the tool — which increased from 120 in January to 870 in February — were benign in nature, they were sprinkled with thread topics like:
How to break ChatGPT
Abusing ChatGPT to create Dark Web Marketplace scripts
New ChatGPT Trojan Binder
ChatGPT as a phishing tool
chatgpt trojan
ChatGPT jailbreak 2.0
ChatGPT – progression of malware
According to industry sources, other relevant cybersecurity concerns include:
Corporate information stored by the chatbot could be accessed, leading to identity theft, fraud and other malicious activities.
Distribution of malware and viruses, which could steal data
Bypassing authentication and authorization systems
Link: https://virtualizationreview.com/articles/2023/03/14/chatgpt-dark-web.aspx