Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving an attempted Cobalt Strike execution.
The investigation uncovered twists and turns with pre-ransomware activities, tunneling tools, and attackers taking a page out of the defender’s playbook. The attacker took careful steps to maintain access to the environment through persistence that mimicked normal user behavior. This blog covers the techniques, indicators of compromise (IoCs), and detections for Rapid7 customers.
Read more…
Source: Rapid7
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Source code of Carbanak trojan found on VirusTotal
April 23, 2019
The source code of one of the world’s most dangerous malware strains has been uploaded and left available on VirusTotal for two years, and almost nobody has noticed. It was discovered by security researchers from US cyber-security firm FireEye, analyzed for the past two years, and made public today, so other members of the cyber-security community ...
- NSA releases Ghidra, a free software reverse engineering toolkit
March 6, 2019
At the RSA security conference today, the National Security Agency, released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade. The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost. The NSA’s general plan was to release Ghidra so ...
- The APT Name Game: How Grim Threat Actors Get Goofy Monikers
February 5, 2019
What’s in a name? When it comes to advanced persistent threat groups, it is often quite a bit. While their monikers’ may seem whimsical – Fancy Bear, Nomadic Octopus, Ocean Lotus and Darkhotel – the reality is these are not arbitrary names. In fact, many are similar to schoolyard nicknames or a type of shorthand – ...
- NSA to release a free reverse engineering tool
January 6, 2019
The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. The software’s name is GHIDRA and in technical terms, is a disassembler, a piece of software that breaks down executable files into assembly code that can ...
- Phone-Cracking Firm Found a Way to Unlock Any iPhone Model
February 26, 2018
Remember the infamous encryption fight between Apple and the FBI for unlocking an iPhone belonging to a terrorist behind the San Bernardino mass shooting that took place two years ago? After Apple refused to help the feds access data on the locked iPhone, the FBI eventually paid over a million dollar to a third-party company for unlocking the ...
- How airplane crash investigations can improve cybersecurity
February 21, 2018
While some countries struggle with safety, U.S. airplane travel has lately had a remarkable safety record. In fact, from 2014 through 2017, there were no fatal commercial airline crashes in the U.S. But those years were fraught with other kinds of trouble: Security breaches and electronic espionage affected nearly every adult in the U.S., along with the power grid in Ukraine and the 2016 ...