Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises

While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams […]

The post Defining the Cobalt Strike Reflective Loader appeared first on Security Intelligence.

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands […]

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview

In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put […]

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but […]

Self-Checkout This Discord C2

In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated […]

Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows […]

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this […]

Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a […]

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a […]

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM […]
