Security Dive
Articles
Analysis of Ivanti 0-days, CVE-2023-46805 and CVE-2024-21887
Introduction On January 10, 2024, the cybersecurity organization Volexity reported the active exploitation of two critical zero-day vulnerabilities in Ivanti…
From zero to certificate hero. The 5 Steps to a mature Certificate Lifecycle Management
Imagine. Your important website/customer portal/service tools/VPN/… goes down unexpectedly. Everyone is running around stressed to the
Citrix NetScaler flaw exposing sensitive data
Introduction On 10th of October 2023 Citrix Systems released a security bulletin for one critical and one high severity vulnerability. The critical vulnerability, identified as CVE-2023-4966, was discovered in Citrix
Navigating CVE-2023-22515 in Confluence Data Center and Server
Introduction This letter serves as an urgent notification regarding a critical vulnerability, CVE-2023-22515, which affects Atlassian Confluence Data Center and Server. Confluence is
Using EDR telemetry for offensive research
About EDR EDR – Endpoint Detection and Response – is a type of security solution, with agents running on endpoints (workstations, servers, etc.). Its first role is detection of…
Storm-0588 Azure AD Token Forging Attack
Key Takeaways Azure Active Directory (AAD) Compromise: The incident involves the compromise of OpenID signing keys within the Azure AD environment, indicating a significant security threat to…
Downfall Vulnerability (CVE-2022-40982)
Key Takeaways Downfall Vulnerability Scope: The Downfall vulnerability, tracked as CVE-2022-40982, affects multiple Intel microprocessor families from Skylake through Ice Lake, enabling attackers to steal sensitive data, including passwords, encryption
The escalation of invasive wiretapping in Cyber Warfare
Key Takeaways Wiretapping, previously associated primarily with spy cinema, has become a real and evolving threat in today's digital world, with state actors and APT groups…
Roaming and racing to get SYSTEM – CVE-2023-37250
Introduction In my previous blog post (https://atos.net/en/lp/securitydive/creating-persistent-local-privilege-escalation-with-temporarily-elevated-legitimate-installers) I mentioned potential
Outlaw APT group - From initial access to crypto mining
Foreword Eviden Digital Security regularly performs incident response and gathers information on various groups of attackers. In the summer of 2022, a…
Insider Threat – What if the Big Bad Wolf was already in?
Insider threat is considered one of the top-10 concerns in cyberspace in 2023. It is a prominent cause of…
CA/Browser Forum S/MIME Certificate Requirements, what is it and what to do about it?
Introduction Protecting email is an often overlooked but sometimes necessary feature. Email can be encrypted to prevent…
Detailed analysis of the Zero-Day vulnerability in MOVEit transfer
Key Takeaways • A common feature among all exploited devices is a webshell named 'human2.aspx' located in the 'C:\MOVEitTransfer\wwwroot' public HTML
AIsaac and AWS Security Lake When Data lakes meets AI
Navigating the sea of security data: why organizations need data lakes Imagine you're a fisherman, casting your net into the vast ocean in…
Snake Malware
Taken down by the FBI after 20 years of existence Key Takeaways In a coordinated operation, the FBI together with other organizations took down the Snake malware operational infrastructure. Snake malware has been linked with the…
BumbleBee hunting with a Velociraptor
BumbleBee, malware that is mainly used by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence - the Digital Forensics and…
CA Browser Forum Code Signing Certificate Requirements
As long as computers have existed, they have needed programming code to run. For almost as long as code has been running, people have been trying to change the code in…
Cl0p Ransomware Group activity related to data leaks from GoAnywhere MFT
The essentials The Threat Actor TA505 is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). It targets…
Creating Persistent Local Privilege Escalation with Temporarily Elevated Legitimate Installers
The interesting case of WinSCP A couple of months ago, while analyzing one of our environments, we noticed instances of the LogonUI.exe…
SOCCRATES – Automation and Orchestration of Security Operations
SOCCRATES (SOC & CSIRT Response to Attacks & Threats) is an EU-funded research and innovation project that brings together some of the best European expertise in the…
Are privacy-enhancing technologies the holy grail to privacy?
According to Gartner, by 2025, 60% of large organizations will use one or more privacy-enhancing computation techniques in analytics, business intelligence or cloud computing.…
How to build an agile SOC?
Companies are spending more than ever to protect their digital assets. Gartner predicts that worldwide spending on information security and risk management products and services will hit $188.3 billion…
AI-based detections in SOC
We are currently experiencing the 4th Industrial Revolution (4IR). If adoption of digital technology was the defining feature of the 3rd Industrial Revolution, then interconnection between these technologies as well…
The top five steps to PKI success
PKI and Certificate Lifecycle Management aren't the hottest or sexiest topics, but they are a fundamental part of any well-run security program. Below, we will outline five
The EU Cyber Resilience Act: Brace for impact
In September 2022, the European Commission presented a proposal for a new Cyber Resilience Act (CRA) to protect consumers and businesses from vulnerable IT products. It…
Attacking Local Self-Protection Mechanisms – a case study of CVE-2019-3613 and CVE-2022-3859
Introduction to Trellix CVE-2022-3859 On 29th November Trellix (formerly McAfee) released…
CISO’s perspectives - The 4 recommendations to sleep without a worry
1. Sleeping-well CISO: myth or reality? Considering the countless cyber threats out there, what threat keeps you up at…
10 security tips to protect your organizations against ransomware
The business of Ransomware is flourishing, boosted by the anonymity of the attackers, the limited number of criminal cases being prosecuted, the automation of attack methods and…
Cyber insurance: Challenges and reassurances in a maturing market
Over the past twenty years, data has become the new gold, providing valuable insights across IT infra, AI and automation, and support functions. At…
Setting hardware Root-of-Trust from Edge to Cloud, and how to use it
During the European Cyber Week, Atos presented its unique approach to ensuring platform firmware resilience in a…
The top 3 recommendations to get your incident response team ready for the Holiday season
The winter season, with the end-of-year celebrations, is a very specific and sensitive period for
MITRE ATTACK Evaluations: malicious activities reported by Atos MDR
Since 2018, MITRE Engenuity has been conducting ATT&CK Evaluations focused on evaluating the potential capability of products to detect and protect against known…
How to accelerate analysis of Windows Event logs
As the Windows auditing subsystem is complex, this article focuses on part of it: the Event Logger. In modern Windows systems audit events are saved to files…
Taking off with PKI: How to get the basics right
Public key infrastructure (PKI) is evolving into one of the most pervasive technologies. It is everywhere around us, often without people even realizing…
OSINT of Exchange 0-day campaign
Introduction Reports of new 0-day vulnerabilities electrify the Cybersecurity community, especially when they affect commonly used products. Recent news about the successor of the infamous ProxyShell -CVE-2022-41040, CVE
Color teaming 101: understanding Security Teams
Cybersecurity is just like a planet in the huge spectrum of cyberspace. Just as there are various planets in space, there are various teams in cyberspace. So, fasten…
Deepfake and PII - an Inside Threat concept supported by Artificial Intelligence
Executive Summary Deepfake is a photo manipulation technology that has been developed in an open-source model since 2018…
New DDoS threats on the rise for emergency calling services
Emergency calling services need to offer 24/7 availability to citizens. Unfortunately, this is not always the case due to new cyber threats…
Analysis of the most important CWEs for hardware security
Over the last few years, technological advances have continued to accelerate exponentially to meet the growing demand for reliable connectivity and robust security. As…
Risks from the Cyberattacks in the RU-UA conflict
Executive Summary With the ongoing conflict between Russia and Ukraine escalating, the risk remains high for…
Focus on information exchange between DevSecOps
Red Team Lessons Learned Series – Episode 3 Introduction In this series of blog posts I wanted to highlight…
Do not neglect security in development systems
Red Team Lessons Learned Series – Episode 2 Introduction In this series of blog posts I wanted to highlight…
Never feel afraid to report a security incident
Red Team Lessons Learned Series – Episode 1 Introduction In this series of blog posts I wanted…
How to secure your organization against ransomware with EDR or MDR
Ransomware is one of the most significant cyber threats to face organizations today. Time and again, threat actors have leveraged known…
Misconfigured firebase: A real-time cyber threat
Every day, we hear about customer data being compromised, data posted on the dark web for sale, or a similar cybersecurity…
Poorly configured S3 Buckets – A hacker’s delight
In today’s technological climate, finding the best way to store, share, and manage ever-increasing data sets is a
Surge in malware loaders activity, a dangerous trend before the Christmas Holidays
The Christmas Holidays are almost upon us. We…
Log4Shell - Unauthenticated RCE 0-day exploit
In this blog, we provide background on the Log4Shell vulnerability (CVE-2021-44228), detection guidance and recommended mitigations. Vulnerability
External remote services attacks
How to stop one of today’s most common intrusion methods? Cybersecurity incidents are on the rise. 64% of companies have suffered at least one incident. Ransomware grew by…
Public to public credential access
Introduction The goal of this post is to draw some attention to a couple of very simple and effective attack vectors that let our team stealthily compromise an entire shared…
Offensive Linux tricks every defender should know about
Everyone doing a proper job of administering *nix-like systems should know these scenarios. The list below was put together
BlackMatter ransomware
Introduction Atos Digital Security regularly performs incident response and gathers information on various groups of attackers. Among them, BlackMatter stands out for its remarkably rapid rise despite its recent inception. This new group of attackers…
Cloud attacks: How to secure a growing threat vector
The cloud is a double-edged sword. On the one hand, organizations have used the…
Vertical specialized attacks- industry
Vertical-specialized attacks: how to stay safe when your industry is under attack Cybersecurity has always been complex. These unique security challenges come from many places — your products, your digital…
Discovering Potentially Abusable Binaries with streamlined PE Import Table searching
Introduction I decided to put this blog post together only to share a simple idea which could potentially be useful or inspirational to…
Phishing campaign using HTML Smuggling to get your Office365 credentials
Threat Actors constantly evolve in their campaigns to be more successful as security tools are getting better and well-trained employees are more vigilant…
IOC Diversification as an Approach to Eradication Avoidance
A while ago, during my first Red Team engagement with Atos, I came up with a tactical anti-eradication approach, which was directly inspired by my former…
Server-Side Template Injection
Templates are pre-formatted documents, which already contain certain information. A template engine is a specific kind of template processing module that exhibits all major features of a modern programming language. The developers…
Avaddon Ransomware Analysis
Atos Digital Security regularly performs incident response and gathers information on various attacker groups. Among them, Avaddon stands out for its modus operandi and its rise.
Critical Exchange Vulnerability: Quick Grab on Detection & Mitigation
Microsoft has detected multiple zero-day exploits on the on-premises version of the Microsoft Exchange Server (2013, 2016, and 2019). Microsoft attributes this campaign with