{"id":5074,"date":"2023-03-28T11:13:27","date_gmt":"2023-03-28T16:13:27","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5074"},"modified":"2023-03-28T11:22:37","modified_gmt":"2023-03-28T16:22:37","slug":"incident-responder-news-2023-03-26","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2023\/03\/28\/incident-responder-news-2023-03-26\/","title":{"rendered":"Incident Responder News &#8211; 2023-03-26"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Table of Contents<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Need for an Evolved Threat Intel Lifecycle<\/li>\n\n\n\n<li>CISA&#8217;s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems<\/li>\n\n\n\n<li>New Mirai malware variant infects Linux devices to build DDoS botnet<\/li>\n\n\n\n<li>Master the Art of Red Teaming with the Top 100 Free Red Team Tools<\/li>\n\n\n\n<li>NetWire Malware Site and Server Seized, Admin Arrested<\/li>\n\n\n\n<li>Six reasons why today\u2019s SOCs don\u2019t work \u2013 and why AI is the fix<\/li>\n\n\n\n<li>Introducing VT4Splunk &#8211; The official VirusTotal App for Splunk<\/li>\n\n\n\n<li>Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments<\/li>\n\n\n\n<li>CrowdStrike report reveals identities underneath siege, cloud information theft up<\/li>\n\n\n\n<li>Hacking ChatGPT: &#8216;The Dark Web&#8217;s Hottest Topic&#8217;<\/li>\n<\/ul>\n\n\n\n<p><strong>The Need for an Evolved Threat Intel Lifecycle<\/strong><br><em>Dan Cole<\/em><br><em>Threat Connect<\/em><br>The Traditional Intelligence Cycle<br>Planning and Direction<br>Collection<br>Processing<br>Analysis and Production<br>Dissemination and Integration<br>Limitations<br>Lack of Accountability<br>While the intel cycle does have a \u201cfeedback\u201d step, 
it\u2019s not strictly enforced and very often is not properly quantified.<br>Lack of Stakeholder Involvement<br>Intelligence doesn\u2019t exist for its own sake, so it\u2019s curious that the stakeholders it\u2019s supposed to benefit aren\u2019t even called out in the cycle!<br>The Evolved Intelligence Cycle<br>It explicitly calls out the personas involved in threat intelligence: Producers (CTI analysts, researchers, Captain Piett, etc.), and Consumers (SOC\/IR, threat hunters, leadership\/CISOs, red and blue teams, Admiral Ozzel, Darth Vader, etc.).<br>It takes into account the action part of threat intel (Dissemination is not action!), such as detection and enabling leadership to make strategic decisions.<br>Dissemination and Feedback are \u201cbridge\u201d steps between the two personas, which turns threat intelligence into a truly collaborative discipline across the entire security organization.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/threatconnect.com\/blog\/the-need-for-an-evolved-threat-intel-lifecycle\/\">https:\/\/threatconnect.com\/blog\/the-need-for-an-evolved-threat-intel-lifecycle\/<\/a><\/p>\n\n\n\n<p><strong>CISA&#8217;s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems<\/strong><br><em>Ravie Lakshmanan<\/em><br><em>The Hacker News<\/em><br>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.<br><br>The list of vulnerabilities is below \u2013<br>CVE-2022-35914 (CVSS score: 9.8) \u2013 Teclib GLPI Remote Code Execution Vulnerability<br>CVE-2022-33891 (CVSS score: 8.8) \u2013 Apache Spark Command Injection Vulnerability<br>CVE-2022-28810 (CVSS score: 6.8) \u2013 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability<br><strong>Link:<\/strong>&nbsp;<a 
href=\"https:\/\/thehackernews.com\/2023\/03\/cisas-kev-catalog-updated-with-3-new.html\">https:\/\/thehackernews.com\/2023\/03\/cisas-kev-catalog-updated-with-3-new.html<\/a><\/p>\n\n\n\n<p><strong>New Mirai malware variant infects Linux devices to build DDoS botnet<\/strong><br><em>Bill Toulas<\/em><br><em>Bleeping Computer<\/em><br>Researchers from Palo Alto Networks\u2019 Unit 42 have spotted a new variant of the notorious Mirai botnet, spreading to Linux-based servers and IoT devices with the aim of creating a vast swarm of DDoS bots.<br><br>To infect the endpoints with the new V3G4 botnet, the attackers would brute-force weak or default telnet\/SSH credentials, and then abuse one of 13 known vulnerabilities to remotely execute code and install the malware.<br><br>The botnet comes with a number of interesting features, including one in which it tries to terminate, among other processes, those belonging to other botnet families.<br>So, it\u2019s safe to assume that the threat actors are attempting to hijack already compromised endpoints from other threat actors.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-mirai-malware-variant-infects-linux-devices-to-build-ddos-botnet\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/new-mirai-malware-variant-infects-linux-devices-to-build-ddos-botnet\/<\/a><\/p>\n\n\n\n<p><strong>Master the Art of Red Teaming with the Top 100 Free Red Team Tools<\/strong><br><em>Rocky<\/em><br><em>Codelivly<\/em><br>Why Do You Need Red Team Tools?<br>Identify Weaknesses<br>Test Defenses<br>Validate Security Controls<br>Improve Security Posture<br>Compliance Requirements<br>Criteria for 
Selecting Red Team Tools<br>Functionality<br>Compatibility<br>Ease of Use<br>Customization<br>Documentation<br>Support<br>Cost<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.codelivly.com\/master-the-art-of-red-teaming-with-the-top-100-free-red-team-tools\/\">https:\/\/www.codelivly.com\/master-the-art-of-red-teaming-with-the-top-100-free-red-team-tools\/<\/a><\/p>\n\n\n\n<p><strong>NetWire Malware Site and Server Seized, Admin Arrested<\/strong><br><em>Habiba Rashid<\/em><br><em>Hack Read<\/em><br>NetWire malware has been utilized by various cybercrime groups, but its most notable use occurred in February 2022 when the ModifiedElephant APT group used the malware to plant incriminating evidence on victims\u2019 devices.<br>In a joint operation between the US Federal Bureau of Investigation (FBI), the European Union Agency for Law Enforcement Cooperation (Europol), and other international law enforcement agencies, the internet domain used to sell NetWire malware has been seized.<br><br>NetWire is a powerful tool used by cybercriminals to gain unauthorized access to computer systems and control them remotely.<br>It\u2019s worth noting that NetWire was used extensively in several cyberattacks, including those targeting the aviation and defence sectors in February 2022, thousands of global oil and gas and energy firms in August 2017, and attacks on the aerospace and travel sectors in May 2021.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.hackread.com\/netwire-malware-site-seized-admin-arrested\/\">https:\/\/www.hackread.com\/netwire-malware-site-seized-admin-arrested\/<\/a><\/p>\n\n\n\n<p><strong>Six reasons why today\u2019s SOCs don\u2019t work \u2013 and why AI is the fix<\/strong><br><em>Gonen Fink<\/em><br><em>SC Media<\/em><br>Require too 
much manpower:<br>Collecting, logging and indexing data for analysis takes a great deal of time, and every moment becomes precious during an attack.<br>It\u2019s not the fault of analysts, but simply no person could analyze this amount of data in an appropriate amount of time.<br>Are too slow:<br>Today\u2019s SOC needs a faster response time and introducing artificial intelligence can reduce that response time to minutes rather than days.<br>Have grown too reliant on incremental solutions: Building upon an existing SOC may feel like an easy fix, but in the long run it creates silos and won\u2019t solve the larger issues.<br>Find it hard to manage documentation, processes and procedures: Quite often, processes and protocols aren\u2019t regularly updated, or worse, stay stagnant, instead of continuously improving.<br>This<br>Have found that staying compliant causes confusion: Regulations and requirements are constantly changing, especially internationally.<br>Contribute to attrition: In addition to an industry skills shortage, making it difficult to find the right employees, high-stress levels exacerbated by SOC inefficiencies are contributing to further staff turnover.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.scmagazine.com\/perspective\/emerging-technology\/six-reasons-why-todays-socs-dont-work-and-why-ai-is-the-fix\">https:\/\/www.scmagazine.com\/perspective\/emerging-technology\/six-reasons-why-todays-socs-dont-work-and-why-ai-is-the-fix<\/a><\/p>\n\n\n\n<p><strong>Introducing VT4Splunk &#8211; The official VirusTotal App for Splunk<\/strong><br><em>Daniel Pascual<\/em><br><em>Virus Total Blog<\/em><br>TL;DR: VT4Splunk, VirusTotal\u2019s official Splunk plugin, correlates your telemetry with VirusTotal context to automate triage, expedite investigations and unearth threats dwelling undetected in your environment.<br>This extends Splunk\u2019s own 
VirusTotal plugin for their SOAR.<br>Next March 30th we will host a webinar along with Splunk to show how to do security investigations with Splunk and VirusTotal.<br>Register here!<br><br>VirusTotal had Splunk plugins for a while, most of them developed by community contributors and other 3rd-parties.<br>For instance, VirusTotal\u2019s plugin for Splunk SOAR, which ranks #1 in the Threat Intelligence Reputation space, is developed by our friends over at Splunk, and we highly recommend it.<br><br>However, we wanted to truly showcase what VirusTotal can do for your SIEM, and VT4Splunk v1 is our proposed solution.<br>It is free and you can download it from Splunkbase.<br>It is compatible with Splunk +8.x Enterprise and Cloud versions.<br>In a nutshell, VT4Splunk automatically enriches your Splunk logs with threat intelligence coming from VirusTotal, to gain superior visibility and understanding.<br>Let\u2019s dive into specific use cases and outcomes.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/blog.virustotal.com\/2023\/03\/introducing-vt4splunk-official.html\">https:\/\/blog.virustotal.com\/2023\/03\/introducing-vt4splunk-official.html<\/a><\/p>\n\n\n\n<p><strong>Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments<\/strong><br><em>Cybersecurity &amp; Infrastructure Security Agency<\/em><br>Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.<br>The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.<br>The tool enables users to:<br><br>Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, 
Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.<br>Query, export, and investigate AAD, M365, and Azure configurations.<br>Extract cloud artifacts from Microsoft\u2019s AAD, Azure, and M365 environments without performing additional analytics.<br>Perform time bounding of the UAL.<br>Extract data within those time bounds.<br>Collect and review<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/03\/23\/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365\">https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/03\/23\/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365<\/a><\/p>\n\n\n\n<p><strong>CrowdStrike report reveals identities underneath siege, cloud information theft up<\/strong><br><em>Venture Beat<\/em><br><em>Hobbies Hub<\/em><br>Cyberattacks exploiting gaps in cloud infrastructure \u2014 to steal credentials, identities and data \u2014 skyrocketed in 2022, rising 95%, with cases involving \u201ccloud-conscious\u201d threat actors tripling year-over-year.<br>That\u2019s according to CrowdStrike\u2019s 2023 Global Threat Report.<br><br>The report finds bad actors moving away from deactivation of antivirus and firewall technologies, and from log-tampering efforts, seeking instead to \u201cmodify authentication processes and attack identities,\u201d it concludes.<br><br>The report found a 20% increase in the number of adversaries pursuing cloud data theft and extortion campaigns, and the largest-ever increase in the number of adversaries \u2014 33 new ones found in just a year.<br>Prolific Scattered Spider and Slippery Spider attackers are behind many recent high-profile attacks on 
telecommunications, BPO and technology companies.<br>CrowdStrike advises security teams to meet the 1-10-60 rule: detecting threats within the first minute, understanding the threats within 10 minutes, and responding within 60 minutes.<br>Cloud exploitation grew by 95%, and the number of cases involving \u201ccloud-conscious\u201d threat actors almost tripled year-over-year, by CrowdStrike\u2019s measures.<br><strong>Link:<\/strong>&nbsp;<a href=\"https:\/\/hobbies-hub.com\/crowdstrike-report-reveals-identities-underneath-siege-cloud-information-theft-up\/\">https:\/\/hobbies-hub.com\/crowdstrike-report-reveals-identities-underneath-siege-cloud-information-theft-up\/<\/a><\/p>\n\n\n\n<p><strong>Hacking ChatGPT: &#8216;The Dark Web&#8217;s Hottest Topic&#8217;<\/strong><br><em>David Ramel<\/em><br><em>Virtualization &amp; Cloud Review<\/em><br>&#8220;Forum threads on ChatGPT rose 145 percent &#8212; from 37 to 91 in a month &#8212; as exploiting the bot became the dark web&#8217;s hottest topic,&#8221; the company said in a March 14 news release.<br><br>While most of the posts about the tool &#8212; which increased from 120 in January to 870 in February &#8212; were benign in nature, they were sprinkled with thread topics like:<br>How to break ChatGPT<br>Abusing ChatGPT to create Dark Web Marketplace scripts<br>New ChatGPT Trojan Binder<br>ChatGPT as a phishing too<br>chatgpt trojan<br>ChatGPT jailbreak 2.0<br>ChatGPT &#8211; progression of malware<br>According to industry sources, other relevant cybersecurity concerns include:<br>Corporate information stored by the chatbot could be accessed, leading to identity theft, fraud and other malicious activities.<br>Distribution of malware and viruses, which could steal data<br>Bypassing authentication and authorization systems<br><strong>Link:<\/strong>&nbsp;<a 
href=\"https:\/\/virtualizationreview.com\/articles\/2023\/03\/14\/chatgpt-dark-web.aspx\">https:\/\/virtualizationreview.com\/articles\/2023\/03\/14\/chatgpt-dark-web.aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Table of Contents &nbsp;The Need for an Evolved Threat Intel LifecycleDan ColeThreat ConnectThe Traditional Intelligence CyclePlanning and DirectionCollectionProcessingAnalysis and ProductionDissemination and IntegrationLimitationsLack of AccountabilityWhile the intel cycle does have a \u201cfeedback\u201d step, it\u2019s not strictly enforced and very often is not properly quantified.Lack of Stakeholder InvolvementIntelligence doesn\u2019t exist for its&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,38],"tags":[],"class_list":["post-5074","post","type-post","status-publish","format-standard","hentry","category-malware","category-security-operations"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=5074"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5074\/revisions"}],"predecessor-version":[{"id":5075,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5074\/revisions\/5075"}],"wp:attachment":[{"href":"https:\/\/www.cy
bersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=5074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=5074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=5074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}