Month: October 2017

Coinhive Injections in WordPress Sites

Delaware, USA – October 31, 2017 – Coinhive remains the most popular platform for mining Monero cryptocurrency in users’ browsers. Despite the release of a modified miner that lets users control the mining process in their browser and even disable it, the original version of the Coinhive JavaScript miner is actively used by attackers […]
Gaza Group Continues to Attack MENA Region

Delaware, USA – October 31, 2017 – Cybercriminals from the Gaza group have been known since 2012, and they continue to carry out large-scale cyberespionage campaigns targeting organizations and politicians in the countries of the Middle East and North Africa. According to researchers from Kaspersky Lab, in mid-2016 the attackers managed to penetrate the networks of oil and […]
Matrix Ransomware is Back in Business

Delaware, USA – October 30, 2017 – A researcher from Malwarebytes reported the return of the Matrix ransomware. This malware was discovered at the end of last year and its operators updated it frequently, but for several months there were no campaigns using it. Currently, the malware spreads through malvertising, targeting vulnerabilities […]
Using depends panels in Splunk for creating convenient drilldowns

In the previous article, we examined a simple integration with external web resources using drilldowns. If you missed it, follow the link: https://socprime.com/en/blog/simple-virus-total-integration-with-splunk-dashboards/ Today we will get acquainted with one more interesting variant of drilldowns in Splunk: using depends panels. Depends panels in Splunk: an interesting way to use drilldowns in dashboards. Very often there […]
New targets of Banking Trojan Ursnif

Delaware, USA – October 27, 2017 – Researchers from IBM X-Force shared information about a campaign using a new modification of the banking Trojan Ursnif (Gozi). This September, adversaries started a campaign targeting financial institutions in Japan. Ursnif is distributed not only through malicious email attachments but also through malvertising via the Rig exploit kit. Currently, […]
Bad Rabbit Detector Basic SIEM Use Case

Delaware, USA – October 25, 2017 – Bad Rabbit Detector for ArcSight, QRadar and Splunk has been released. You can download this SIEM use case for free from Use Case Cloud. It contains all known Indicators of Compromise for detecting the malicious activity of the Bad Rabbit ransomware worm. This threat was used to commit cyber-attacks on multiple […]
Security Advisory. Bad Rabbit Ransomware worm.

The research is based on OSINT evidence analysis, local evidence, feedback from attack victims and the MITRE ATT&CK methodology used for actor attribution. SOC Prime would like to express gratitude to the independent security researchers and specialized security companies who shared their reverse engineering reports and attack analysis in public sources and on their corporate blogs. On […]
Updating IBM QRadar

Efficient SIEM operation depends directly on fixing detected vulnerabilities and issues in its functioning. The primary method for this is updating the system to the latest version. Updates can include security fixes, new functionality, performance improvements, patches, and so on. In my recent article, we reviewed how to create backups in […]
Recent ‘Fancy Bear’ Attacks

Delaware, USA – October 23, 2017 – Researchers from Proofpoint and Cisco Talos report on the growing activity of the Fancy Bear group, also known as APT28. On October 18, researchers discovered a hastily planned attack on a number of companies in the US and Europe. Attackers sent MS Word documents containing ActiveX objects that […]
ArcSight. Optimizing EPS (Aggregation and Filtration)

Almost all ArcSight beginners face a situation where incoming EPS from the log sources is high, especially when it approaches license limits or causes performance issues. To reduce incoming EPS, ArcSight has two native methods for event processing: Event Aggregation and Filtration. In this article, I will try to […]