Securonix Threat Labs Advisory: On Conti Ransomware Tradecraft Detection

The Securonix Threat Labs R&D/Securonix Threat Research team has been actively monitoring and investigating the details of the malicious activity associated with the Conti Malicious Ransomware Operator (MRO) (tracked by STR as RE$GRG), which the FBI has linked to more than 400 cyberattacks against organizations worldwide.

This post covers some of the key technical details, taking into account the latest Conti MRO tradecraft leak, together with our recommendations on possible Securonix predictive indicators/security analytics that can help detect the current and potentially future attack variants (the indicators may be updated as we receive more information).

Securonix Threat Labs Initial Coverage Advisory: Detection of PrintNightmare Windows Print Spooler Exploitation Activity (CVE-2021-1675, CVE-2021-34527)

The Securonix Threat Labs R&D/Securonix Threat Research team has been actively monitoring and investigating the details of the critical PrintNightmare attacks (see Figure 1) [1, 3] targeting the zero-day Microsoft Windows Print Spooler Service RCE vulnerabilities (CVE-2021-1675, CVE-2021-34527).

This advisory covers some of the key technical details and our recommendations on possible Securonix predictive indicators/security analytics that can be used to detect the current and potentially future attack variants (the indicators may be updated as we receive more information).

Threats from the Wild - Episode 3: Multi-Factor Authentication (MFA) Bypass 101: Pass-the-Cookie/Pass-the-Identity (PTC/PTI) Attack Detection Using Logs

The significant increase in remote work/work-from-home (WFH) over the past year, as well as the recent high-profile attacks bypassing MFA that involved SolarWinds and cloud providers, have heightened the need for blue teams to better understand and detect attempts by malicious threat actors to bypass MFA.

In this presentation, Oleg Kolesnikov, VP of Threat R&D/Securonix Threat Labs, will provide some of the key technical insights into the latest MFA bypass attacks carried out by malicious threat actors in the wild, including:

  • Introduction to MFA bypass attacks in the context of WFH, focusing on pass-the-cookie/pass-the-identity (PTC/PTI) attack vectors.
  • Latest observations from the wild, including attack tools and examples of how malicious threat actors can use PTC/PTI to compromise MFA-enabled accounts, e.g. Azure, GitHub, etc.
  • Demo of a PTC attack in action.
  • What possible PTC/PTI attacks might look like in your cloud and EDR logs.
  • Some insights into the relevant detection/hunting use cases to help you increase the chances of detecting such attacks in your environments.

Initial Coverage Advisory: Darkside Ransomware Targeting Critical Infrastructure Providers

The Securonix Threat Labs R&D/Securonix Threat Research team has been actively monitoring and investigating the details of the critical targeted Darkside ransomware attacks (tracked by Securonix Threat Research as RE$HOOD), with recent victims including Colonial Pipeline Networks and many others (see Figure 1).

Darkside/RE$HOOD is an active malicious ransomware operator (MRO) that also offers a ransomware-as-a-service (RaaS) affiliate program. Securonix Threat Research has observed at least 64 victims being exploited by Darkside/RE$HOOD MRO or its affiliates since January 2021.
