[Threatview.io] ⚠️ Resources for responding to #CVE-2024-3094

1. Check if impacted by CVE-2024-3094, i.e. running 5.5.1alpha-0.1, or 5.6.0 up to 5.6.1-1, of xz utils ❓

❌ xz -V

✔️ strings /usr/local/bin/xz | grep "(XZ Utils)"

✔️ strings `which xz` | grep "(XZ Utils)"

✔️ for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done

2. Detailed analysis along with exploit code and detection : https://www.openwall.com/lists/oss-security/2024/03/29/4

✔️Confirmed #Debian Stable and OpenWRT are not impacted by CVE-2024-3094

⚠️ Homebrew, Kali Linux and Debian, Alpine, RedHat and other flavors of Linux using the Unstable/Experimental/Bleeding-edge repositories

3. Mitigation suggested: Downgrade to an uncompromised XZ Utils version (earlier than 5.6.0)
#Threathunt for any malicious or suspicious activity on systems where affected versions have been installed. 

4. #ThreatHunt query if using Defender & Sentinel
https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Vulnerability%20Management/InboundSSHConnectionToVulnerableXZMachine.md

5. #YARA rule: https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar

6. Added hashes to Threatview.io OSINT Feeds :)

#threatintel
#DFIR
#CTI
#threatintelligence

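The version check from the post above, turned into a small POSIX sh script. This is an added example, not code from the original post or from the XZ Utils project: it extracts the "xz (XZ Utils) &lt;version&gt;" string the post greps for and classifies it against the range the post lists as affected. `grep -a` stands in for `strings` so the script needs no binutils, and the fake binary built in demo() is constructed test data, not a real xz.

```shell
#!/bin/sh
# Added example, not from the original post: classify the XZ Utils version
# string embedded in an xz binary against the range the post lists for
# CVE-2024-3094 (5.5.1alpha-0.1, 5.6.0 up to 5.6.1-1). `grep -a` replaces
# `strings`; the fake binary in demo() is constructed test data.

# 0 if the version is in the affected range (5.5.1alpha*, 5.6.0*, 5.6.1*,
# including distro package suffixes such as 5.6.1-1), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.5.1alpha*|5.6.0*|5.6.1*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Print the version string embedded in the binary at $1 ("" if none).
# The bracket expression stops at the NUL that terminates the string.
xz_embedded_version() {
    grep -a -o 'xz (XZ Utils) [0-9][0-9A-Za-z.~+-]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^xz (XZ Utils) //'
}

# Classify one binary. Prints a verdict line and returns:
#   0 = affected version, 1 = not affected, 2 = no version string found.
check_xz_binary() {
    bin=$1
    ver=$(xz_embedded_version "$bin")
    if [ -z "$ver" ]; then
        echo "UNKNOWN   $bin (no XZ Utils version string found)"
        return 2
    elif xz_version_affected "$ver"; then
        echo "AFFECTED  $bin ($ver)"
        return 0
    else
        echo "ok        $bin ($ver)"
        return 1
    fi
}

# The post's `type -a xz` loop in POSIX sh: check every xz on PATH.
# Returns 0 if at least one affected copy was found, 1 otherwise.
check_path_xz() {
    found=1
    old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs
    for d in "$@"; do
        [ -x "$d/xz" ] || continue
        check_xz_binary "$d/xz" && found=0
    done
    return $found
}

# Constructed fake binary: junk bytes around a NUL-terminated version
# string, the way it sits in a real ELF .rodata section.
make_fake_xz() {
    printf '\177ELF\001\002junk\000xz (XZ Utils) %s\000more junk\n' "$2" > "$1"
}

demo() {
    tmp=${TMPDIR:-/tmp}/fake-xz.$$
    make_fake_xz "$tmp" 5.6.1
    check_xz_binary "$tmp" || true     # AFFECTED  ... (5.6.1)
    make_fake_xz "$tmp" 5.4.6
    check_xz_binary "$tmp" || true     # ok        ... (5.4.6)
    rm -f "$tmp"
    check_path_xz || true              # whatever is really installed
}

demo
```

A version string alone does not tell you whether the backdoored liblzma was ever linked into sshd; it only tells you which package you installed. Treat an AFFECTED result as a trigger for the downgrade and hunt steps in the post, not as proof of compromise.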

RedCanary's "Better Know a Data Source" series is great. It's a new series, so they only have two posts, on Files and Network Telemetry, but each provides a good starting point into building detections around the respective activity.
They also source their activity from MITRE ATT&CK data sources, which to me have been underrepresented since their release.

https://redcanary.com/blog/better-know-a-data-source-network-telemetry/

https://redcanary.com/blog/better-know-a-data-source-files/
#ThreatHunt #InfoSec


Threat Hunting: Endgame - I have just completed this room @RealTryHackMe! Check it out:

💙Gain applied hands-on threat hunting investigation skills.
💙Familiarise yourself with the "Actions on Objectives" phase.
💙Familiarise yourself with correlating and evaluating artifacts for a hypothesis.
💙Experience the threat hunting process for a defined scope.

https://tryhackme.com/room/threathuntingendgame #tryhackme #threathunt #actionsonobjectives #exfiltration #impact #collection #destruction #manipulation


[Threatview.io] ⚡ Our team conducted a hunt on the available domain telemetry data in our proactive hunter dataset for the known SSL certificate used by #icedid.

The IOCs contain indicators from the period since 01 January 2022, and fresh IOCs will be published on a daily basis in our IP/domain blocklist feed on Threatview.io.

Check out our latest #Virustotal collection with IPs and domains related to #Icedid #malware.

https://www.virustotal.com/gui/collection/48eb7f1b21f63c722ee5c76569ae317ceaf80731c700b489b6bff7c0cf0074e9

More details on ICEDID: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid

#threatintel
#CTI
#DFIR
#threathunt


Two easy detection/hunt opportunities for this week and the last several weeks, months, years. #qakbot #bumblebee #malware #threathunt

ISO Files, JS, VBS, DLL OH MY 🦁 🐅 🐻

🚨 **regsvr outgoing IP connection events 🦆 🤖

🚨 **rundll32 outgoing IP connection events with rundll32 and a command parameter of CheckSettings in the cmdline telemetry 🐝
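The two hunt ideas above as a filter over process-network telemetry, written as an added example (not the poster's own query or any vendor's rule). The pipe-separated event format (time|host|image|command line|remote IP) and the sample lines are constructed for this example; map the fields onto whatever your EDR emits for process network connections. "regsvr" in the post is read as regsvr32.exe.

```shell
#!/bin/sh
# Added example, not from the original post. Two hunts over constructed
# process-network events in the form: time|host|image|cmdline|remote_ip
#   rule 1: regsvr32.exe making an outbound connection
#   rule 2: rundll32.exe with "CheckSettings" in its command line making
#           an outbound connection
# Sample data is constructed; addresses are documentation ranges.

SAMPLE_EVENTS='2024-03-28T09:12:01|WS01|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\a\AppData\Local\Temp\img\x.dll|203.0.113.10
2024-03-28T09:12:05|WS01|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\a\AppData\Local\Temp\setup.dll,CheckSettings|198.51.100.7
2024-03-28T09:13:00|WS02|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL|10.0.0.5
2024-03-28T09:14:00|WS02|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe|93.184.216.34
2024-03-28T09:15:00|WS03|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s foo.dll|'

# Read events on stdin; print one line per hit: rule|time|host|cmdline.
# Matching is case-insensitive on image path and command line. Events with
# no remote IP are process starts, not network events, and are skipped.
hunt_lolbin_netconns() {
    awk -F'|' '
        { image = tolower($3); cmd = tolower($4); ip = $5 }
        ip == "" { next }
        image ~ /\\regsvr32\.exe$/ {
            print "regsvr32_netconn|" $1 "|" $2 "|" $4
        }
        image ~ /\\rundll32\.exe$/ && cmd ~ /checksettings/ {
            print "rundll32_checksettings_netconn|" $1 "|" $2 "|" $4
        }
    '
}

# Run the hunt over the constructed sample; two lines are expected
# (the regsvr32 and the rundll32 ...,CheckSettings events on WS01).
hunt_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | hunt_lolbin_netconns
}

hunt_sample
```

The plain rundll32 on WS02 and the regsvr32 start without a connection on WS03 are deliberately in the sample so you can see the filter ignore them; in production you would also want to exclude known-good update paths for rule 1, since regsvr32 does have legitimate network-capable uses.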

Threat Hunting Help Request!

Alright lovelies, I'm putting this out in the Fediverse because I'm looking for advice/insight.

I've been tasked with formalizing a Threat Hunting program for ongoing/monthly hunts, and I'm looking for advice on resources to help me do that, or personal experiences.

We have a developing Threat Intel program that is utilizing information specific to our org, and I need a good way to take that in and develop a hunt from there.

Looking less for tool recommendations (though this is appreciated as well) and more for a higher level / managerial approach at the moment.

For example, what are your deliverables after you've conducted a hunt? Who do you deliver them to? What do you do with the results? etc.

Also love book recommendations, videos, etc!

thanks!

#infosecurity #cybersecurity #threathunting #infosec #threathunt #DFIR

Cisco Talos is #hiring a load of different roles, nearly all remote! Everything from #DFIR Incident Commander, #Malware Reverse Engineer, #Research Engineer, #SecOps Engineer, #Threatintelligence Researcher, #Threathunt Analyst, etc. Feel free to reach out and discuss any opportunities if you are interested. https://talosintelligence.com/careers