Blog Entries

30. 08. 2024 Daniel Degasperi Blue Team, SEC4U

A Concrete Example of ES|QL and SOC Detection Rules

The purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detection rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is an SQL-like query language developed by Elastic specifically for querying time series and event data stored…

Read More
07. 06. 2024 Luca Zeni Blue Team, SEC4U

Akira Ransomware: How to Make an Efficient Detection Rule

In this article, we’re going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real case, we’ll see the study and analysis carried out to create a rule to monitor…

Read More
16. 05. 2024 Mirko Ioris SOCnews

SOC News | May 16 – Data stolen from SYNLAB published on the Dark Web

SYNLAB, European leader in medical diagnostic services, was the victim of a cyber attack last April. The compromised infrastructure is the one that runs Italians clinics only, other countries were not affected. In early May, ransomware group BlackBasta claimed responsibility for the attack, saying it had stolen 1.5TB of sensitive medical data from Italian citizens….

Read More
25. 01. 2024 Massimo Giaimo SOCnews

SOC News | Jan 01 – Kasseika Ransomware Uses BYOVD in His TTP

Kasseika Threat Actor has joined the club of Threat Actors that currently use Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activities, such as encrypting files. Kasseika abuses the Martini driver, part of the TG Soft’s VirIT Agent System. By using BYOVD attacks, the malware gains privileges it…

Read More
28. 09. 2023 Massimo Giaimo Blue Team, SEC4U

Ransomware Negotiation: Dos and Don’ts!

Double extortion ransomware attacks have reached very high numerical values. One of the key elements, when suffering such an attack, concerns the negotiation that can be initiated (not always!) with the ransomware gang. The analysis, carried out by the SEC4U team, of hundreds of negotiations makes it possible to apply a scientific approach to this…

Read More
07. 02. 2023 Massimo Giaimo Blue Team, SEC4U

Ransomware Attack ESXi Servers with (to confirm) CVE-2021-21974

These days the landscape of cybercriminal activities seems to have as the only protagonists the Threat Actors who are carrying out an attack on publicly exposed VMware ESXi infrastructures. The French National Computer Emergency Response Team (CERT) published a security advisory on the ESXiArgs ransomware on February 3, 2023. Other important information regarding the attack was published…

Read More

Archive