TeamViewer, the popular remote access software developed by the company of the same name, discovered an irregularity in its internal IT environment on 26 June. They disclosed the potential breach in a statement the following day, stating that they had immediately begun an investigation to implement remediation measures. In an update on Friday 28th, TeamViewer…
Read MoreIn this article, we’re going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real case, we’ll see the study and analysis carried out to create a rule to monitor…
Read MoreIn this blog, I’ll propose and describe a solution for detecting potential infostealers targeting Chromium-based browsers, taking a cue from the research exposed by Google’s Chrome Security Team (Detecting browser data theft using Windows Event Logs). Obviously a solution using Elastic 🙂 ! What is an Infostealer (in a nutshell) ? In the realm of…
Read MoreOn May 21, Veeam published details about four different vulnerabilities detected in their product Veeam Backup Enterprise Manager (VBEM). One of them is critical and allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. CVE Number CVSS Score EPSS Score CVE-2024-29849 9.8 (Critical) 0.04% (Low) CVE-2024-29850…
Read MoreSYNLAB, European leader in medical diagnostic services, was the victim of a cyber attack last April. The compromised infrastructure is the one that runs Italians clinics only, other countries were not affected. In early May, ransomware group BlackBasta claimed responsibility for the attack, saying it had stolen 1.5TB of sensitive medical data from Italian citizens….
Read MoreDuring the last week of April, our Attacker Centric SOC detected multiple new cyber attacker group websites in the Dark Web. Called Dedicated Leak Sites (DLS), they are widely used by ransomware gangs to publish stolen confidential data when the victim refuses to pay the ransom. Usually, after an attack is claimed, a small amount of…
Read MoreCisco Talos identified a previously unknown state-sponsored actor behind ArcaneDoor, a sophisticated cyber espionage campaign targeting the perimeter network devices of several vendors. This actor is now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The initial attack vector is still unknown, but the attacker exploited two previously unknown vulnerabilities. An…
Read MoreUsing our CTI SATAYO platform, we identified an artifact belonging to AMMEGA’s data breach. AMMEGA is a multinational manufacturing company based in the Netherlands with revenues of $1.2 billion. It was the victim of an attack carried out by the Cactus ransomware gang in early March. The ransomware operators exfiltrated 3 TB of data and…
Read MoreOn March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor and review it periodically, and prioritize their patching efforts based on it. I’ll provide a…
Read MoreMuch has already been said about Initial Access Brokers (IABs) so I will limit myself to a brief description and then delve into the main theme of this article. The theme of Initial Access Brokers was summarized fantastically in the Initial Access Broker Landscape project by Curated Intelligence, reported in this link, which I recommend…
Read MoreThis article explains how the Cyber Threat Intelligence platform SATAYO serves as a powerful resource to optimize processes and strengthen threat coverage within the WĂĽrth Phoenix Attacker Centric SOC. We will analyze the utilization of SATAYO’s internal resources for creating Detection Rules and managing SOC alerts. Additionally, we will examine how the logs in SIEM…
Read MoreOn March 4, 2024, JetBrains released TeamCity version 2023.11.4, which patches two authentication bypass vulnerabilities in the web component of TeamCity. These vulnerabilities were discovered in February by Rapid7’s vulnerability research team and allow a remote unauthenticated attacker to perform a complete compromise of a vulnerable TeamCity installation, including unauthenticated RCE (remote code execution). CVE…
Read MoreOn 19 February, through an operation coordinated by the National Crime Agency (NCA), a large part of the infrastructure of the Lockbit ransomware gang was seized. The ransomware gang, active since 2019, is undoubtedly best known within the field of double extortion ransomware attacks, having published claims relating to 2,591 attacked organizations over the years….
Read MoreOn February 8, 2024, Fortinet disclosed 2 critical vulnerabilities which could allow remote code or command execution. The vulnerabilities are as follows: FortiOS – Format String Bug in fgfmd, with CVSS severity 9.8 The versions prone to this vulnerability are: Version Affected Solution FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above FortiOS 7.2…
Read MoreStarting February 1st, rumors regarding a possible compromise of AnyDesk began to circulate online. These rumors became more insistent as the contents of the January 29 Release Notes were noted. What initially appeared to be just normal maintenance activity on Anydesk’s infrastructure was later revealed to actually be a compromise. AnyDesk has in fact made…
Read More