Happy June! We have been working on some improvements to the Intelligence database page.
Unified filter system: Say goodbye to scattered filters! We've introduced a centralized filter menu that works for both Objects and Observables. Click "F" and navigate with your keyboard with ease.
Show/Hide columns: Tired of seeing columns with information that does not matter to your specific use case? You can now choose which columns you want to see by using the show/hide columns control at the top right of the table.
Drag & drop reordering: Like things your way? Drag and drop columns to organize them however you like.
Default pagination: We've increased the default number of items shown per page to 25 for easier browsing.
And that's not IT. You can now have a quick overview of the telemetry data directly from the Intelligence table. When searching for a list of observables, quickly determine if what you're looking for has already been seen in Sekoia, either locally (in your Workspace) or globally (from all our clients).
To enable it, click on the "Columns" button and select Global and Workspace Telemetry.
We recommend you disable columns you don't use to ease navigation.
We are thrilled to introduce a new feature that enhances your ability to provide valuable feedback and improve the accuracy of Sekoia's indicators!
You can now easily report potential false positives directly within Sekoia. This feature is available in two convenient locations:
Alerts: When reviewing an alert triggered by an indicator, you can now directly report it as a false positive within the alert details. Keep in mind that alerts are automatically closed if the indicator is revoked.
Intelligence Database (Object Details): While viewing a CTI object in the Intelligence Database, you'll see a new option to flag the indicator as a potential false positive.
Once you submit your request for revocation, a Zendesk ticket is automatically created, and both our Product Expertise and Support (PES) team and the Threat Detection and Research team are notified.
They review the request within a few days and determine whether the IOC should be revoked. If so, you will be notified.
This new feature not only helps you maintain a more accurate threat intelligence system but also contributes to the overall improvement of Sekoia's reliability and performance.
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we have added mostly cyber criminal threats sold on underground forums:
Sekoia.io proactively monitors new threats and invites you to read our latest blog post about a Mallox affiliate leveraging PureCrypter!
Sekoia.io proactively monitors new threats and invites you to read our latest blog post on Mallox affiliate leveraging PureCrypter in MS-SQL exploitation campaigns, both malware monitored by our OSINT collection playbooks.
We are thrilled to announce the Threat Landscape for the Sekoia SOC Platform! This major feature provides real-time insights into the latest adversary trends and active intrusions in your network.
Boost Visibility into Active Intrusions:
Identify active intrusions in your network with enhanced real-time monitoring and detailed insights. Detect and respond to threats swiftly, staying ahead of breaches with a clear understanding of the threat landscape.
Stay Updated on Adversaries:
Learn about the latest adversary trends, campaigns, and exploited vulnerabilities. Anticipate new risks and adjust your defenses with comprehensive views of emerging threats, keeping your organization protected.
Enhance your Risk Reporting with Real-Time Data:
Access real-time threat statistics and rankings to improve reporting capabilities. Prioritize and communicate security needs effectively with detailed, up-to-date data on critical threats.
Sekoia.io analysts conducted an in-depth analysis of the emerging Tycoon 2FA Attack-in-The-Middle (AiTM) Phishing-as-a-Service (PhaaS). Tycoon 2FA became widespread in the months following its release and is currently massively used in numerous phishing campaigns.
In this FLINT, we present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the phishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate risks associated with Tycoon 2FA. We also share details on our investigation of the Bitcoin transactions allegedly attributed to "Saad Tycoon Group".
Related resources:
Sekoia.io analysts published an overview detailing the activities of Scattered Spider, a lucrative intrusion set engaged in social engineering, ransomware, extortion campaigns, and other advanced techniques.
In this report, we provide our analysis of the progressive evolution of the intrusion set's modus operandi, motivations, victimology, and Tactics, Techniques, and Procedures (TTPs). Over the past years, Scattered Spider's operational strategy shifted significantly from targeted phishing to the deployment of BlackCat ransomware, resulting in an expansion of their arsenal and adjustments of their targeting.
We actively tracked the dedicated phishing infrastructure, enabling us to monitor the recent campaigns and changes in their targeting.
Related resources:
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox.
This time, we have mostly added cybercrime threats:
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, it includes the following threats:
Sekoia.io proactively monitors new "fake updates" threats and the malware they deliver. If you want to know more about the newcomer "fake updates" threat ClearFake, you can read our analysis in the blog post on ClearFake!
Sekoia.io analysts conducted an in-depth analysis of the emerging Dadsec Attack-in-The-Middle (AiTM) Phishing-as-a-Service (PhaaS). The Dadsec OTT platform quickly became widespread and used in numerous phishing campaigns, including the trendy and evasive QR code phishing attacks. Dadsec OTT phishing pages mainly aim to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication.
We published the results of our analysis in FLINT 2023-043 - Dadsec OTT: a new prevalent PhaaS using AitM phishing, which presents the context about the threat, how the Dadsec phishing kit works, as well as tracking and detection opportunities related to this threat.
Related resources:
We are excited to introduce our latest project, SEKOIA.IO for AWS Network Firewall! This project aims to seamlessly integrate the Sekoia CTI with your AWS security equipment, starting with Network Firewall and soon expanding to include GuardDuty. By leveraging this integration, you will gain enhanced protection and access to valuable threat intelligence.
Sekoia's CTI consists of 6 million high-quality IoCs, which have only experienced 130 revocations in the past 6 months. These IoCs are created by a team of 20 analysts and are sourced from over 450 different sources.
The SEKOIA.IO for AWS Network Firewall repository on Github is publicly available. Inside, you will find a CDK script that allows for the automatic deployment of all necessary resources within your AWS tenant. Once deployed, a Lambda function will retrieve IoCs from our feed and populate rule groups that can be applied to your Network Firewall instances.
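To make the feed-to-rule-group step concrete, here is an added example (not code from the SEKOIA.IO for AWS Network Firewall repository) showing the part of such a Lambda that turns a fetched IoC list into AWS Network Firewall stateful rule-group payloads. It assumes the feed has already been parsed into `{"type", "value"}` records (the `SAMPLE_IOCS` values are constructed, not real indicators), validates and deduplicates them so that a malformed feed entry cannot break or alter the generated rule syntax, and stops short of the `update_rule_group` boto3 call so it runs offline.

```python
"""Build AWS Network Firewall stateful rule-group payloads from an IoC feed.

Added example; it does not reproduce the SEKOIA.IO project's own Lambda.
The AWS API call itself (boto3 network-firewall `update_rule_group`) is
deliberately left out so the module runs without credentials.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample feed, shaped like records a parser might hand the Lambda.
# These are NOT real IoCs; addresses come from documentation ranges.
SAMPLE_IOCS = [
    {"type": "domain", "value": "malicious.example"},
    {"type": "domain", "value": "MALICIOUS.example"},        # duplicate, different case
    {"type": "domain", "value": "bad; alert ip any any"},    # malformed: must be dropped
    {"type": "ipv4", "value": "203.0.113.10"},
    {"type": "ipv4", "value": "203.0.113.300"},              # invalid octet: dropped
    {"type": "ipv4", "value": "198.51.100.0/24"},
    {"type": "url", "value": "http://malicious.example/x"},  # type not handled here
]

# Hostname check: labels of 1-63 chars, alphabetic TLD, 253 chars total.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalize(iocs: Iterable[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (domains, cidrs): sorted, deduplicated, syntactically valid only.

    Anything that is not a well-formed hostname or IPv4 address/network is
    silently discarded. Because the values are later interpolated into rule
    text, this validation is what keeps feed content from injecting syntax.
    """
    domains, cidrs = set(), set()
    for ioc in iocs:
        value = ioc["value"].strip().lower()
        if ioc["type"] == "domain" and _DOMAIN_RE.match(value):
            domains.add(value)
        elif ioc["type"] == "ipv4":
            try:
                # strict=False so a host address becomes a /32 network
                cidrs.add(str(ipaddress.ip_network(value, strict=False)))
            except ValueError:
                pass
    return sorted(domains), sorted(cidrs)


def domain_rule_group(domains: List[str]) -> Dict:
    """RulesSource payload for a domain-list deny rule group.

    Network Firewall matches the targets against HTTP Host and TLS SNI.
    """
    return {
        "RulesSourceList": {
            "Targets": list(domains),
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "DENYLIST",
        }
    }


def ip_rules_string(cidrs: List[str]) -> str:
    """Suricata-compatible rules string dropping traffic towards each network.

    Each rule needs a unique sid; numbering from a stable sorted list keeps
    sids deterministic between runs.
    """
    lines = []
    for sid, cidr in enumerate(cidrs, start=1):
        lines.append(
            f'drop ip any any -> {cidr} any (msg:"CTI IoC {cidr}"; sid:{sid}; rev:1;)'
        )
    return "\n".join(lines)


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list so each chunk fits in one rule group's capacity.

    The capacity you choose depends on your account limits; it is a
    parameter here rather than a hard-coded number.
    """
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    doms, nets = normalize(SAMPLE_IOCS)
    print(domain_rule_group(doms))
    print(ip_rules_string(nets))
```

In a real deployment the Lambda would pass `domain_rule_group(...)` as the `RuleGroup["RulesSource"]` argument of `update_rule_group`, one call per chunk, and log the number of discarded feed entries so a sudden spike in rejects (a feed format change, or tampering) is visible.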
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, it includes the following threats:
Sekoia.io proactively monitors new widespread malware and we invite you to read our FLINT about ClearFake, a new "fake updates" threat!
Sekoia.io analysts investigated ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. ClearFake is another "fake updates" threat leveraging social engineering to trick the user into running a fake web browser update, as SocGholish and FakeSG do.
We analysed ClearFake in depth and shared the results of our investigation in FLINT 2023-037 (ClearFake: a newcomer to the "fake updates" threats landscape). It presents a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake, the C2 infrastructure and tracking opportunities.
Related resources:
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) as well as from analysis in the Hatching Triage sandbox. This time, we have added mostly cyber criminal threats sold on underground forums:
Sekoia.io proactively monitors new loaders, as well as the malware they download as next-stage payloads. If you want to know more about the newly discovered loader CustomerLoader, you can read our analysis in the blog post on CustomerLoader!
Sekoia.io analysts published a FLINT which introduces our tracking methodology for the prevalent infostealer families. It also presents the number of active C2 servers detected in recent weeks and our analysis of the infostealer trends.
In the report, we shared our tracking methods based on server fingerprinting and pattern searching, for the most widespread infostealers sold as Malware-as-a-Service: Lumma, Mystic, Raccoon, Rhadamanthys, RisePro, Stealc and Vidar.
The detailed heuristics are used to proactively collect exclusive IoCs and provide our customers with actionable intelligence. Their results can be found in the Intelligence Center under the "Sekoia.io C2 Tracker" source.
Related resources:
When Sekoia.io analysts come across new or trendy threats (malware, threat groups, phishing, etc.), we generally try to find heuristics to track their infrastructure. This proactive hunting approach allows us to collect exclusive indicators of compromise (IoCs) on a weekly basis. In recent weeks, we have added Command & Control (C2) trackers for:
IoCs collected from these trackers can be found in the Sekoia.io Intelligence Center by filtering on the source "Sekoia.io C2 Tracker". If you want to know more about the above-mentioned threats, please visit their card and their model made by the analysts!
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we have added mostly cybercrime threats sold on underground forums:
Sekoia.io proactively monitors new widespread malware and we invite you to read our FLINT about CustomerLoader!
Sekoia.io analysts identified an undocumented .NET loader aimed at downloading, decrypting and executing next-stage payloads. In early June 2023, this new loader was actively distributed by multiple threat actors using malicious phishing emails, YouTube videos and web pages impersonating legitimate websites.
We analysed CustomerLoader in depth and shared the results of our investigation in FLINT 2023-029 (CustomerLoader: a new malware distributing a wide variety of payloads). It presents a technical analysis of CustomerLoader, an overview of more than 30 known malware families it distributes, and details on three infection chains observed distributing the loader.
Related resources:
Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we have added:
SEKOIA proactively monitors new malware advertised on underground forums or Telegram channels, as well as the threat groups operating them. If you want to know more about these malware families, read the associated malware object in the SEKOIA.IO Intelligence Center.
With Telemetry on Objects you now have valuable insights that can help you make more informed decisions. With this feature, you can instantly view how many times an IoC has been spotted within your workspace or on the Sekoia.io platform. This level of visibility can be crucial in identifying potential threats and vulnerabilities, allowing you to take proactive measures to mitigate risks.
Sekoia.io proactively monitors emerging ransomware, the intrusion sets distributing them and the threat actors launching new ransomware operations. Sekoia.io's Intelligence Center is regularly updated with tactical, operational and strategic intelligence on these threats.
In recent months, we observed a surge in newly launched ransomware operations. Here are some of the most prominent ransomware distributed in financially motivated campaigns since early 2023:
Of note, besides these newly launched ransomware operations, Sekoia.io also closely monitors the new variants, as well as the new distribution methods of known ransomware.
If you want to know more about these threats, read the associated malware, intrusion set and threat actor objects in the Sekoia.io Intelligence Center.
TDR analysts released a report analysing the evolution of the TA505 intrusion set activities over time. We focused on three early 2023 campaigns attributed to TA505, involving the exploitation of zero-day vulnerabilities in GoAnywhere and PaperCut software, as well as the wide distribution of the LOBSHOT malware using Google Ads.
From our observations, TA505 shows increased activity since early 2023, featuring an ever-changing set of techniques and malware arsenal.
Related resources:
Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we have added mostly cyber criminal threats sold on underground forums:
Sekoia.io proactively monitors new information stealers and we invite you to read our latest blog post about the Russian-speaking infostealer ecosystem!
Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we added:
SEKOIA proactively monitors new information stealers and we invite you to read our latest blog posts about Stealc!
References:
SEKOIA.IO analysts uncovered a new infostealer advertised by its alleged developer as Stealc since January 2023. We associated malware samples of a new infostealer family spread in the wild with this stealer.
We analysed the Stealc stealer in depth and shared the results of our investigation in FLINT 2023-012 (Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 1). SEKOIA.IO will publish a write-up focused on the reverse engineering of Stealc.
Related resources:
When SEKOIA.IO analysts come across new or trendy threats (malware, threat groups, phishing, etc.), we generally try to find heuristics to track their infrastructure. This proactive hunting approach allows us to collect exclusive indicators of compromise (IoCs) on a weekly basis. In recent weeks, we have added Command & Control (C2) trackers for:
IoCs collected from these trackers can be found in the SEKOIA.IO Intelligence Center by filtering on the source "SEKOIA C2 Tracker". If you want to know more about the above-mentioned threats, please visit their card and their model made by the analysts!
Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analysis in the Hatching Triage sandbox. This time, we have added:
SEKOIA.IO already tracked several of these threats using internal tools, such as SEKOIA C2 Tracker or SEKOIA YARA Tracker. You can find the associated exclusive IoCs by browsing the malware pages in the Intelligence Center.
SEKOIA.IO analysts highlighted the trends related to ransomware activity in the second half of 2022.
The ransomware threat remained at a very high level since mid-2022, similar to the previous year. During the last six months, ransomware groups increasingly adopted new TTPs such as callback phishing, intermittent encryption and rewriting malware code in new languages to enhance their capabilities.
From our observations, the democratisation of the ransomware threat reached an almost unprecedented level. This is reflected by ransomware operators delegating some tasks to other threat actors such as Initial Access Brokers, fraudulent call centre operators and pentesters hired on cybercrime forums.
We shared our analysis in the FLINT 2023-009 - S2 2022 Ransomware Threat Landscape.