This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.
Category: Threat Intelligence
Adventures in the land of BumbleBee – a new malicious loader
BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis
LAPSUS$: Recent techniques, tactics and procedures
This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.
Conti-nuation: methods and techniques observed in operations post the leaks
This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.
Mining data from Cobalt Strike beacons
Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for studying and parsing Cobalt Strike … Continue reading Mining data from Cobalt Strike beacons
Detecting Karakurt – an extortion focused threat actor
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
Log4Shell: Reconnaissance and post exploitation network detection
Note: This blogpost will be live-updated with new information. NCC Group's RIFT is intending to publish PCAPs of different exploitation methods in the near future - last updated December 15th at 17:30 UTC tl;dr In the wake of the CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 (a.k.a. Log4Shell) vulnerability publication, NCC Group's RIFT immediately started investigating the vulnerability in … Continue reading Log4Shell: Reconnaissance and post exploitation network detection
Tracking a P2P network related to TA505
For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. During our research, we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace), a remote administration tool (RAT) used exclusively by TA505
“We wait, because we know you.” Inside the ransomware negotiation economics.
Pepijn Hack, Cybersecurity Analyst, Fox-IT, part of NCC Group Zong-Yu Wu, Threat Analyst, Fox-IT, part of NCC Group Abstract Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning … Continue reading “We wait, because we know you.” Inside the ransomware negotiation economics.
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the … Continue reading TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access