Just Another Blue TeamerSep 2, 2023

Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday

Show threadSophos X-OpsApr 27, 2023

The #SophosMDR team also discovered cases where threat actors targeting #PaperCut were abusing the bitsadmin.exe Windows application to download payloads. #BITSAdmin is commonly abused by active adversaries as a "living off the land binary" or #LOLbin, handy for accomplishing the task of downloading payloads.

The tools exploited in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of #AnyDesk, #Atera, #Synchro, #TightVNC, #NetSupport, and #DWAgent remote management tools across multiple campaigns.

4/6