Month: July 2017

Historical Correlation

What if I deployed or designed a new use case and want to know whether my company was exposed to the threat in the past? Many people working with ArcSight wonder whether there is a way to perform historical correlation, and they have several real-life scenarios for it. The first […]

How to fix parsing issues in QRadar without technical support

All QRadar products can be divided into two groups: versions before 7.2.8 and all newer versions. In QRadar 7.2.8 and later, all parsing changes are made from the web console. To fix a parsing issue, you need to do the following: create a search on the Log Activity page in QRadar that returns the events with […]

CowerSnail – a three-megabyte backdoor

London, UK – July 27, 2017 – At the end of May, researchers from Kaspersky Lab discovered a SambaCry cryptocurrency miner for *nix systems that exploited the EternalRed vulnerability. Soon afterwards they captured Windows malware that was probably created by the same group, since both malware types used the same C2 server.

Deliver TI feeds into ArcSight without false positive triggers

Every ArcSight user or administrator has run into false positive rule triggers when delivering a threat intelligence feed into ArcSight. This mostly happens when the events generated by the threat intel source itself are not excluded from the rule condition, or when the connector tries to resolve every IP address and host name it processes.
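The first failure mode above, a TI match rule firing on the feed's own import events, is easy to reproduce outside ArcSight. The following is an added example (not code from the original post or from ArcSight) using a constructed indicator set and constructed sample events; the connector product name "TI Feed Importer" and the event fields are assumptions standing in for the real connector's device product and CEF fields. It shows the naive rule, which fires on the import events themselves, next to the corrected rule that excludes the feed's events before matching.

```python
"""Why a TI match rule fires on its own feed, and the fix: exclude the feed's events.

Added example with constructed data; not from the original post or from ArcSight.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a normalized ArcSight event (assumed field names)."""
    device_product: str  # product that emitted the event, e.g. "Firewall"
    src: str             # source address ("" when not applicable)
    dst: str             # destination address
    name: str            # event name


# Assumed name under which the TI connector reports its own import events (hypothetical).
TI_CONNECTOR_PRODUCT = "TI Feed Importer"

# Constructed threat-intel indicators (documentation-range IPs, not real IOCs).
TI_INDICATORS = {"203.0.113.10", "198.51.100.25"}

# Constructed sample events: two feed-import events, one real hit, one benign connection.
SAMPLE_EVENTS = [
    Event(TI_CONNECTOR_PRODUCT, "", "203.0.113.10", "Indicator imported"),
    Event(TI_CONNECTOR_PRODUCT, "", "198.51.100.25", "Indicator imported"),
    Event("Firewall", "10.0.0.5", "203.0.113.10", "Outbound connection"),
    Event("Firewall", "10.0.0.7", "192.0.2.44", "Outbound connection"),
]


def naive_rule(events, indicators):
    """Fire on any event whose destination is a TI indicator.

    The feed's own import events carry the indicator as their address,
    so every imported indicator becomes a false positive.
    """
    return [e for e in events if e.dst in indicators]


def fixed_rule(events, indicators, feed_product=TI_CONNECTOR_PRODUCT):
    """Same match, but events emitted by the TI connector are excluded first.

    In ArcSight terms this is an extra condition on the rule, e.g.
    Device Product != <connector product>, evaluated before the active-list lookup.
    """
    return [
        e for e in events
        if e.device_product != feed_product and e.dst in indicators
    ]


def false_positives(events, indicators, feed_product=TI_CONNECTOR_PRODUCT):
    """Return the naive rule's hits that are really the feed's own events."""
    return [e for e in naive_rule(events, indicators) if e.device_product == feed_product]


if __name__ == "__main__":
    print("naive rule fires on:", [e.name for e in naive_rule(SAMPLE_EVENTS, TI_INDICATORS)])
    print("false positives   :", len(false_positives(SAMPLE_EVENTS, TI_INDICATORS)))
    print("fixed rule fires on:", [e.src for e in fixed_rule(SAMPLE_EVENTS, TI_INDICATORS)])
```

The same exclusion is needed for the second failure mode: if the connector host performs DNS lookups for feed entries, the resolver's query events will also carry indicator values, so the filter should cover the connector host's own traffic as well as its import events.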

Simple correlation scenario for Splunk using lookup tables

Event correlation plays an important role in incident detection and lets us focus on the events that really matter to business services or to IT and security processes.

The Trickbot Trojan moves into top gear

London, UK – July 25, 2017 – The Trickbot banking Trojan has been used for man-in-the-browser attacks since mid-2016. Adversaries currently distribute it through the Necurs botnet, which is also tied to the Locky and Jaff ransomware campaigns and is capable of sending millions of emails per day.

Banking Trojan NukeBot: First Tests

London, UK – July 20, 2017 – NukeBot's author published its source code on the Darknet this spring. Since then, various modifications of the NukeBot banking Trojan have begun to appear on the Internet. Researchers from Kaspersky Lab have analyzed the NukeBot modifications found in recent months and shared their results.

New phishing campaign using OSX/Dok

London, UK – July 18, 2017 – Adversaries continue to improve OSX/Dok, the banking credential stealer discovered at the end of April. Researchers at Check Point report that the phishing campaign is still ongoing.

RAT Adwind strikes again

London, UK – July 13, 2017 – Researchers from Trend Micro reported an increased number of attacks using the cross-platform Remote Access Trojan Adwind; their number has doubled over the past month.

New Modifications of POS Malware

London, UK – July 11, 2017 – Over the last two weeks the world's attention has been drawn to the NotPetya / GoldenEye attack, which is why some other attacks attract less attention than they deserve. Researchers from Securelist reported a new modification of Neutrino targeting POS terminals.
