John Dwyer – WindowsTechs.com

X-Force uncovers global NetScaler Gateway credential harvesting campaign

Posted on October 6, 2023 by John Dwyer

This post was made possible through the contributions of Bastien Lardy and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The […]

The post X-Force uncovers global NetScaler Gateway credential harvesting campaign appeared first on Security Intelligence.

Continue reading X-Force uncovers global NetScaler Gateway credential harvesting campaign→

X-Force releases detection & response framework for managed file transfer software

Posted on August 9, 2023 by John Dwyer

How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response […]

The post X-Force releases detection & response framework for managed file transfer software appeared first on Security Intelligence.

Continue reading X-Force releases detection & response framework for managed file transfer software→

Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain

Posted on July 18, 2023 by John Dwyer

This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker […]

The post Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain appeared first on Security Intelligence.

Continue reading Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain→

X-Force Prevents Zero Day from Going Anywhere

Posted on March 30, 2023 by John Dwyer

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The X-Force Vulnerability and Exploit Database shows that the number of zero days being released each year is on the rise, but X-Force has observed that only a few of these zero days are rapidly adopted by cyber criminals each year. While […]

The post X-Force Prevents Zero Day from Going Anywhere appeared first on Security Intelligence.

Continue reading X-Force Prevents Zero Day from Going Anywhere→

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

Posted on March 20, 2023 by John Dwyer

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as […]

The post When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule appeared first on Security Intelligence.

Continue reading When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule→

Self-Checkout This Discord C2

Posted on January 17, 2023 by John Dwyer

In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated […]

The post Self-Checkout This Discord C2 appeared first on Security Intelligence.

Continue reading Self-Checkout This Discord C2→

Beware of What Is Lurking in the Shadows of Your IT

Posted on December 21, 2022 by John Dwyer

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT […]

The post Beware of What Is Lurking in the Shadows of Your IT appeared first on Security Intelligence.

Continue reading Beware of What Is Lurking in the Shadows of Your IT→

What Drives Incident Responders: Key Findings from the 2022 Incident Responder Study

Posted on October 24, 2022 by John Dwyer

Cyberattacks seldom happen when it’s convenient. In fact, it’s relatively common for them to occur on weekends or holidays — threat actors capitalize on the fact that there is fewer staff on site, and those who are there are focused on the coming weekend or time off. It’s also not uncommon for attacks of this […]

The post What Drives Incident Responders: Key Findings from the 2022 Incident Responder Study appeared first on Security Intelligence.

Continue reading What Drives Incident Responders: Key Findings from the 2022 Incident Responder Study→

Countdown to Ransomware: Analysis of Ransomware Attack Timelines

Posted on June 1, 2022 by John Dwyer

This research was made possible through the data collection efforts of Maleesha Perera, Joffrin Alexander, and Alana Quinones Garcia. Key Highlights The average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021: 2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware […]

The post Countdown to Ransomware: Analysis of Ransomware Attack Timelines appeared first on Security Intelligence.

Continue reading Countdown to Ransomware: Analysis of Ransomware Attack Timelines→

Solving the Data Problem Within Incident Response

Posted on April 25, 2022 by John Dwyer

One of the underappreciated aspects of incident response (IR) is that it often starts as a data problem. In many cases, IR teams are presented with an effect such as malware or adversary activity and charged with determining the cause through the identification of evidence that ties the cause and effect together within an environment […]

The post Solving the Data Problem Within Incident Response appeared first on Security Intelligence.

Continue reading Solving the Data Problem Within Incident Response→