On December 7, Arctic Wolf began observing a novel campaign exploiting Cleo Managed File Transfer (MFT) products across several customer environments. The vulnerability in this campaign involved unauthorized remote code execution (RCE) through the manipulation of the filesystem, and was suspected of being related to CVE-2024-50623. Most intrusions associated with this campaign were observed in early December. Since our previous security bulletin, several reports have emerged describing activity similar to what we had observed, with several key updates. Learn more in our latest security bulletin: https://ow.ly/QBrV50UrGvA #EndCyberRisk
Arctic Wolf’s Post
More Relevant Posts
-
The acknowledgment of the United States government's use of artificial intelligence (AI) to uncover breaches in the face of sophisticated cyber threats, such as those posed by the Chinese hacking group Volt Typhoon, marks a significant milestone in cybersecurity defense strategies. Rob Joyce's revelation underscores the evolving nature of cyber warfare, where traditional detection methods may fall short against adversaries adept at leveraging legitimate credentials. By harnessing AI capabilities, authorities can augment their ability to detect and mitigate cyber intrusions swiftly, thereby enhancing the resilience of critical infrastructure and safeguarding against potential disruptions. This strategic integration of AI into cybersecurity operations represents a proactive step towards staying ahead of rapidly evolving threats in an increasingly interconnected digital landscape. #ai #cybersecurity
Rob Joyce acknowledged for the first time during a roundtable with reporters on March 15 that the government used artificial intelligence to discover some of the Volt Typhoon breaches made during the campaign, noting that Volt Typhoon activity was difficult to initially identify because the group steals or generates “legitimate credentials” and doesn’t bring additional malware into a system. https://lnkd.in/gH8vUxEC
US is still chasing down pieces of Chinese hacking operation, NSA official says
therecord.media
-
🚨 EMERGING THREAT – CVE-2024-3400 - PALO ALTO OS COMMAND INJECTION VULNERABILITY CVE-2024-3400 is an unauthenticated remote code execution vulnerability identified in devices utilizing GlobalProtect, and was identified by Volexity Threat Researchers in April 2024. Reported to impact PAN-OS firewalls running versions 10.2, 11.0 and 11.1, this security flaw has been observed to be actively exploited (since March 26th) and is considered critical in nature - Palo Alto Networks and Unit 42 labeling its exploitation as Operation MidnightEclipse. When exploited, it allows malicious actors to execute arbitrary code as a privileged user on the victim's firewall - with initial post-exploitation being observed to include the utilization of a reverse shell, downloading of tools and subsequent lateral movement within the targeted environment. Immediate action is critical, and we've released this hunt collection to enable organizations to hunt for active exploitation of this vulnerability in their environment. Get the hunt collection: https://lnkd.in/gxDWyjkg Join the HUNTER Community today and get free access to behavioral hunting content: https://lnkd.in/gU76jZ5N
🔗 Hunt Packages:
- CURL/WGET Download and Execute - Potential Payload Download Followed by Execution: https://lnkd.in/gw2GDTa3
- Remote Interactive Connections from Unexpected Locations: https://lnkd.in/gs6hw4jy
- CURL/WGET Activity Associated with Time Zone Lookups: https://lnkd.in/gNi9irg2
- Usage of chmod to Enable Execution - Potential Payload Staging: https://lnkd.in/gNC9wTY5
For detailed insights and more information, get the full report in the comments. 👇 #emergingthreat #phobosransomware #threathunting #cybersecurity #infosec #threatupdate
Cyborg Security | HUNTER
hunter.cyborgsecurity.io
-
What if the best way to protect your systems is to invite hackers to break them? Today, we are excited to share a new blog post where we dive into the realm of Bug Bounty programs. We uncover the details of what such a program is all about, provide a scenario of how it can come in handy, and briefly discuss Zerocopter’s role in the process. Check out our blog to gain a better understanding of Bug Bounty programs. Read more here: https://lnkd.in/ecp7cn7k #bugbounty #zerocopter
Continuous Security: Bug Bounty Program
zerocopter.com
-
#ICSOT #IoTSecurity Vulnerabilities affecting a Nice Linear physical access product, including an exploited flaw, patched five years after their disclosure. The post Exploited Building Access System Vulnerability Patched 5 Years After Disclosure appeared first on SecurityWeek. https://lnkd.in/gRWSnCbx
-
Trend Micro Search: Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear: Our blog entry provides an in-depth analysis of Earth Hundun's Waterbear and Deuterbear malware. Check it out!
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
trendmicro.com
-
https://lnkd.in/dXZTJSxn "The group’s focus lies in intercepting call records, metadata, and sensitive communications. It has exploited vulnerabilities in systems associated with sensitive operations like court-authorized wiretaps, raising alarms about potential compromises in judicial and law enforcement networks." "Isolating critical systems and continuously monitoring network activity is crucial to detect and mitigate threats early." #malware #apt #salttyphoon
Dark Web Profile: Salt Typhoon - SOCRadar® Cyber Intelligence Inc.
socradar.io
-
An interesting case of ICS (industrial control system) hacking. This would likely not have happened if the routers/gateways had used strong certificate-based authentication. Now is the time to secure your ICS networks. #iec62443
⚠️ Team82 has analyzed the Fuxnet #malware and leaked data released by the Blackjack hacking group. #Blackjack claimed this week it had carried out an attack against Moscollector, a Moscow-based sewage and communications infrastructure provider and disrupted emergency services detection and response capabilities in the Russian capital. Read more: https://hubs.li/Q02sJNcj0
Unpacking the Blackjack Group's Fuxnet Malware
claroty.com
-
On a recent Incident Response case, while working through the timeline of a compromised server, I discovered two failed logins (Security Event Logs, EventID 4625) coming from a bogus-looking workstation name. In our case, M0PiKq77YTWxWQAP. A few seconds later, a second failed login was recorded with another hostname but with the same pattern. We found this hostname pattern on another server in the network. The failed logins were connected to the activities of the attacker. After searching around, I stumbled upon this Sigma rule here [1]:

    selection:
        EventID:
            - 4625
            - 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
        WorkstationName|re: '^[A-Za-z0-9]{16}$'

Which reflects our case pretty well. The threat actor used - at one point in the intrusion chain - Metasploit. This might be a good hunting or detection rule to set up within the Security event logs. However, while digging through the relevant Metasploit code, I could not find the function that generates this hostname (to be sure that's really the default hostname pattern of Metasploit). 🤔
[1] https://lnkd.in/gm7fFK8b
[2] https://lnkd.in/gugMN4-i
-
Important to have a proper IT inventory to identify fake/generated hostnames in SIEM alerts
-
Sigma rule will fail detection if the Metasploit code is modified with the client name length. The code creates a random alphanumeric string and fixes the client name, and the brute force behaviour seems to be passive to evade detection. I believe one way of detecting this would be an anomalous workstation authenticating, by creating a rolling 60-day baseline and also comparing with the asset inventory to remove false positives #threatdetection #sigmarule
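Added example, not code from any of the posts above and not from Sigma or Metasploit: a small Python hunt that applies the quoted Sigma selection (EventID 4624/4625, LogonType 3, NTLM, 16-character alphanumeric WorkstationName) to Windows Security events, then applies the reshare comment's two false-positive filters, an asset inventory and a rolling 60-day baseline of workstation names seen authenticating. The event records, the inventory, the field names on the Event class and the 60-day window are all assumptions constructed for this demo; only the regex and the workstation name M0PiKq77YTWxWQAP come from the post.

```python
"""Sigma-style hunt for random 16-character workstation names, with
inventory and rolling-baseline suppression. Example code; all events
and the inventory below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Regex quoted from the Sigma rule in the post: exactly 16 alphanumerics.
WORKSTATION_RE = re.compile(r"^[A-Za-z0-9]{16}$")


@dataclass
class Event:
    """Minimal view of a Security event (field names are assumptions)."""
    time: datetime
    event_id: int            # 4624 logon success / 4625 logon failure
    logon_type: int          # 3 = network logon
    auth_package: str        # AuthenticationPackageName, e.g. NTLM
    workstation: str         # WorkstationName as reported by the client


def is_suspicious_name(name: str) -> bool:
    """True when the name matches the Sigma WorkstationName|re pattern."""
    return WORKSTATION_RE.match(name) is not None


def sigma_match(ev: Event) -> bool:
    """Mirror of the Sigma 'selection' block: every condition must hold."""
    return (ev.event_id in (4624, 4625)
            and ev.logon_type == 3
            and ev.auth_package == "NTLM"
            and is_suspicious_name(ev.workstation))


def hunt(events, inventory, baseline_days=60):
    """Return (hits, suppressed).

    A Sigma match is suppressed when the workstation is in the asset
    inventory, or when the same name authenticated (by any package) within
    the last `baseline_days`. The baseline is learned from every event, so
    a name that falls out of the window is treated as new again.
    """
    window = timedelta(days=baseline_days)
    last_seen = {}                      # workstation -> time last observed
    hits, suppressed = [], []
    for ev in sorted(events, key=lambda e: e.time):
        if sigma_match(ev):
            prev = last_seen.get(ev.workstation)
            if ev.workstation in inventory:
                suppressed.append((ev.workstation, "inventory"))
            elif prev is not None and ev.time - prev <= window:
                suppressed.append((ev.workstation, "baseline"))
            else:
                hits.append(ev)
        last_seen[ev.workstation] = ev.time   # update baseline regardless
    return hits, suppressed


def run_demo():
    """Constructed event stream exercising each branch of the hunt."""
    base = datetime(2024, 4, 1, 9, 0, 0)
    s = timedelta(seconds=1)
    inventory = {"FINANCEWKS000001", "DESKTOP-ABC123"}   # constructed
    events = [
        # Seeds the baseline 90 days ago: too old to count at `base`.
        Event(base - timedelta(days=90), 4624, 3, "Kerberos", "OLDLABHOST000099"),
        # Seeds the baseline 10 days ago: inside the 60-day window.
        Event(base - timedelta(days=10), 4624, 3, "Kerberos", "BUILDAGENT000042"),
        Event(base, 4624, 3, "NTLM", "BUILDAGENT000042"),       # baseline hit
        Event(base + 1 * s, 4625, 3, "NTLM", "FINANCEWKS000001"),  # inventory
        Event(base + 2 * s, 4625, 3, "NTLM", "M0PiKq77YTWxWQAP"),  # from post
        Event(base + 7 * s, 4625, 3, "NTLM", "xQ9bL2nT7vR4kH1s"),  # constructed
        Event(base + 60 * s, 4625, 3, "NTLM", "OLDLABHOST000099"),  # stale
        Event(base + 61 * s, 4624, 2, "NTLM", "ZZZZZZZZZZZZZZZZ"),  # LogonType 2
        Event(base + 62 * s, 4624, 3, "Kerberos", "aaaaaaaaaaaaaaaa"),  # not NTLM
        Event(base + 63 * s, 4625, 3, "NTLM", "WS01"),            # wrong length
    ]
    return hunt(events, inventory)


if __name__ == "__main__":
    hits, suppressed = run_demo()
    for ev in hits:
        print(f"HIT  {ev.time:%Y-%m-%d %H:%M:%S} EventID={ev.event_id} "
              f"WorkstationName={ev.workstation}")
    for name, why in suppressed:
        print(f"SKIP {name} ({why})")
```

Note that the baseline is learned from all logons, not only Sigma matches, so a host's first NTLM network logon is still suppressed if it authenticated by any other means in the window; the stale OLDLABHOST entry shows the rolling window expiring and the name surfacing as a hit again.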