Tag: Detection Content

GraphRunner Activity Detection: Hackers Apply a Post-Exploitation Toolset to Abuse Microsoft 365 Default Configurations
GraphRunner Activity Detection: Hackers Apply a Post-Exploitation Toolset to Abuse Microsoft 365 Default Configurations

Microsoft 365 (M365) is leveraged by over a million global companies, which can pose severe threats to the customers relying on this popular software in case of compromise. Since it possesses a set of default configurations, adversaries can set their eyes on them and exploit the latter exposing affected users to significant security risks, which […]

Read More
CVE-2023-20198 Detection: Cisco IOS XE Zero-Day Vulnerability Actively Exploited to Install Implants
CVE-2023-20198 Detection: Cisco IOS XE Zero-Day Vulnerability Actively Exploited to Install Implants

Hard on the heels of a new surge in the long-running Balada Injector campaign exploiting CVE-2023-3169, another critical security bug in popular software products comes to the spotlight. A new privilege escalation vulnerability affecting Cisco IOS XE software is actively exploited in the wild to help install implants on the impacted devices. The uncovered zero-day […]

Read More
SOC Prime Threat Bounty Digest — September 2023 Results
SOC Prime Threat Bounty Digest — September 2023 Results

Meet the new Threat Bounty Program digest that covers the recent news and updates of SOC Prime’s crowdsourced detection engineering initiative. Threat Bounty Content Submissions In September, the members of the Threat Bounty Program submitted 629 rules for review by the SOC Prime team before the publication for monetization. After the review and quality assessment, […]

Read More
UAC-0165 Activity Detection: Destructive Cyber Attacks Targeting Ukrainian Telecom Providers 
UAC-0165 Activity Detection: Destructive Cyber Attacks Targeting Ukrainian Telecom Providers 

CERT-UA researchers notify defenders of the persistent malicious campaign impacting more than 11 telecom providers. The UAC-0165 group behind these destructive attacks has been targeting the Ukrainian telecom sector for a period of over 5 months aiming to cripple the critical infrastructure, which fuels the need for thorough research among defenders to preempt potential threats. […]

Read More
Balada Injector Malware Campaign Detection: Hackers Exploit a tagDiv Composer Vulnerability Infecting Thousands of WordPress Sites
Balada Injector Malware Campaign Detection: Hackers Exploit a tagDiv Composer Vulnerability Infecting Thousands of WordPress Sites

Over a month ago, defenders warned the peer community of CVE-2023-4634, a critical WordPress vulnerability actively exploited in the wild and impacting an overwhelming number of WordPress sites across the globe. Following that campaign, another malicious operation comes to the forefront. A fresh surge in the long-lasting Balada Injector malware campaign has already impacted over […]

Read More
LostTrust Ransomware Detection: SFile and Mindware Advancement, Successor of MetaEncryptor Gang
LostTrust Ransomware Detection: SFile and Mindware Advancement, Successor of MetaEncryptor Gang

Novel LostTrust ransomware emerged in the cyber threatscape in early spring 2023. However, the adversary campaign hit the headlines only in September when ransomware operators were observed leveraging data leak sites and payloads quite similar to the offensive tools used by the MetaEncryptor gang. Defenders are raising concerns in response to the growing threats as […]

Read More
SmokeLoader Malware Detection: UAC-0006 Hackers Launch a Wave of Phishing Attacks Against Ukraine Targeting Accountants
SmokeLoader Malware Detection: UAC-0006 Hackers Launch a Wave of Phishing Attacks Against Ukraine Targeting Accountants

In early October 2023, the UAC-0006 group was observed behind a series of at least four cyber attacks targeting Ukraine, as CERT-UA researchers report. Attackers applied a similar adversary toolkit as in previous campaigns, leveraging SmokeLoader in the latest phishing operation.  SmokeLoader Delivery: UAC-0006 Attack Analysis  On October 6, 2023, CERT-UA released four alerts notifying […]

Read More
CVE-2023-22515 Detection: A Critical Zero-Day in Confluence Data Center & Server Under Active Exploitation
CVE-2023-22515 Detection: A Critical Zero-Day in Confluence Data Center & Server Under Active Exploitation

Atlassian has recently notified defenders of a critical privilege escalation vulnerability in its Confluence software. The uncovered issue identified as CVE-2023-22515 poses severe risks to impacted Confluence installations as it is actively weaponized by attackers. Detect CVE-2023-22515 Exploits With the ever-increasing numbers of CVEs leveraged in real-world attacks, proactive detection of vulnerability exploitation remains one […]

Read More
CVE-2023-42793 Detection: An Authentication Bypass Vulnerability Leading to RCE on JetBrains TeamCity Server
CVE-2023-42793 Detection: An Authentication Bypass Vulnerability Leading to RCE on JetBrains TeamCity Server

Hot on the heels of the adversary campaigns abusing the CVE-2023-29357 vulnerability in Microsoft SharePoint Server causing a pre-auth RCE chain, another security flaw that can enable attackers to perform RCE causes a stir in the cyber threatscape. A critical vulnerability in the JetBrains TeamCity CI/CD server tracked as CVE-2023-42793 allows adversaries to gain RCE on […]

Read More
Frequent SIGMA Mistakes Series
Frequent SIGMA Mistakes Series

Part 2: Environment-Dependent Terms Overview of Series This is part 2 of a multi-part series that will cover frequent mistakes SOC Prime observes regularly in SIGMA. We will cover everything from common rule logic errors to common schema problems, and even some more obscure “gotchas” to think about. Some of these ideas will extend beyond […]

Read More