Search This Blog

Fishing the Internet

Publications

Get link
Facebook
X
Pinterest
Email
Other Apps

2022

Threat Hunting as a Proactive Security Measure in the Energy Sector (Fishing the Internet)
Threat-Hunting als proaktive Sicherheitsmaßnahme im Energiesektor (Tagesspiegel Background Cybersecurity)
The Rise of LNK Files (T1547.009) and Ways To Detect Them (Fishing the Internet)
Russia's War Against Ukraine: Effects on the Ukrainian LGBTQIA+ Community (with Insikt Group / Recorded Future)
Trust is good, testing is better: How to pentest Flutter apps (with Daniel Corak / Fishing the Internet)
Die zentralen Herausforderungen bei Cyberkriminalität (Tagesspiegel Background Cybersecurity)
Germany, Industrial Sector Hit Hardest by Ransomware in 2020 and 2021 (with Allan Liska, Charlotte Edwards / Recorded Future)
Ransomware Enforcement Operations in 2020 and 2021 (Recorded Future)
Wiper Malware: Purposes, MITRE Techniques, and Attacker's Trade-Offs (Fishing the Internet)
LOLBin Attacks With Scheduled Tasks (T1053.005) and How To Detect Them (Fishing the Internet)
Zero-Day: Das lukrative Geschäft mit Sicherheitslücken (Tagesspiegel Background Cybersecurity)
Vulnerabilities Disclosure mit chinesischer Prägung: Nutzen und Gefahren (with Nicolas Huppenbauer / inside-it.ch)

2021

Chaining Three Zero-Day Exploits in ITSM Software ServiceTonic for Remote Code Execution (with Daniel Corak / Security Research Labs)
Honeypot research shows variety of DDoS amplification methods (with Alberto del Rio / Security Research Labs)
Achieving Telerik Remote Code Execution 100 Times Faster (with Daniel Corak / Security Research Labs)
Incorrectly patched ZyXEL vulnerability becomes zero-day again (with Daniel Corak, Genco Altan Demir / Security Research Labs)

Get link
Facebook
X
Pinterest
Email
Other Apps

The Rise of LNK Files (T1547.009) and Ways To Detect Them

Microsoft Office macros have historically posed a significant threat as the preferred method of delivering malicious payloads, accounting for almost half of all deliveries. The reason is simple: Microsoft Office products are highly prevalent and macros are mostly either enabled or easily enabled through a single mouse click. With Microsoft’s decision to block macros by default, threat actors have adapted their delivery techniques towards macro alternatives (e.g., Emotet ). One of those alternatives are Microsoft shortcuts , which have, in comparison to zero days or other fancy exploits, generally not received the attention they (sh|c)hould . In what follows, I will first provide a brief introduction to why and how macros were blocked as well as how to bypass the protections that were put in place. I will then give an overview of LNK files, one common alternative to macros, show how they are used in the wild, and finally discuss various ways for detection. Microsoft's decision to...

Threat Hunting as a Proactive Security Measure in the Energy Sector

The situation in the European energy sector is tense: there is uncertainty about the supply, winter is just around the corner and the sector is being strategically and repeatedly attacked both in physical terms (e.g. Nord Stream or Ukrainian energy supply ), through disinformation campaigns and cyber attacks by actors close to Russia. Cyber attacks in particular could increasingly hit Europe's energy sector in the coming months in order to further aggravate the supply situation, fuel fears of a loss of control in Europe and thereby maintain credible deniability. It is warned that critical systems such as the energy sector may already be compromised. Proactive "threat hunting" is therefore repeatedly brought into play by different parties as an additional necessary security measure. But what exactly is behind the concept, which preconditions must be met and how can an effective "threat hunting" program be set up even by less mature IT security teams. Th...

LOLBin Attacks With Scheduled Tasks (T1053.005) and How To Detect Them

Based on a specific subset of Recorded Future’s research reporting, which focuses on emerging tools and TTPs, we saw a large increase in observations of the Scheduled Task technique (T1053.005), the sub-technique of Scheduled Task/Job (T1053), as compared to previous reporting by Recorded Future. In this blog, I will first give an overview of the technique and discuss why it is used by adversaries. Second, I show multiple ways to access the Windows Task Scheduler. Third, I show how the technique has been used by various threat actors to achieve persistence, lateral movement, code execution, detection evasion, and privilege escalation. Lastly, I will discuss ways to detect the malicious use of the technique. What are Scheduled Tasks? Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code to achieve persistence, lateral movement, execution, detection evasion, and privilege escalation. The Task Scheduler allows...

Julian-Ferdinand Vögele

Threat Research @Recorded Future, formerly IT Security @Security Research Labs, MSc Computer Science @UCL