Category: Fox-IT International blog

Authored by Joshua Kamp (main author) and Alberto Segura. Summary Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was…

Read more →

Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on…

Read more →

During a recent incident response case, we found traces of an adversary leveraging ConnectWise R1Soft Server Backup Manager software (hereinafter: R1Soft server software). The adversary used it as an initial point of access and as a platform to control downstream…

Read more →

This publication is part of our Annual Threat Monitor report that was released on the 8th of Febuary 2023. The Annual threat Monitor report can be found here. Authored by Alberto Segura Introduction Hydra, also known as BianLian, has been…

Read more →

Authored by Yun Zheng Hu Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given…

Read more →

Authored by Edwin van Vliet and Max Groot One year ago, Fox-IT and NCC Group released their blogpost detailing findings on detecting & responding to exploitation of CVE-2021-44228, better known as ‘Log4Shell’. Log4Shell was a textbook example of a code…

Read more →

Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…

Read more →

Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…

Read more →

Authored by Erik Schamper Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response…

Read more →

Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Introduction After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper…

Read more →

Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and…

Read more →

Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years inEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.Like the majority…

Read more →

This article has been indexed from Fox-IT International blog Authored by: Nikolaos Totosis, Nikolaos Pantazopoulos and Mike Stokkel Executive summary BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download…

Read more →

This article has been indexed from Fox-IT International blog Authors: Alberto Segura, Malware analyst Rolf Govers, Malware analyst & Forensic IT Expert NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android…

Read more →

This article has been indexed from Fox-IT International blog tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability…

Read more →

This article has been indexed from Fox-IT International blog tl;dr Run our new tool by adding -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability…

Read more →

This article has been indexed from Fox-IT International blog Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 12th at 19:15…

Read more →

This article has been indexed from Fox-IT International blog Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC)…

Read more →

This article has been indexed from Fox-IT International blog This post is by Nikolaos Pantazopoulos and Michael Sandee tl;dr – Executive Summary For the past few months NCC Group has been closely tracking the operations of TA505 and the development…

Read more →

This article has been indexed from Fox-IT International blog NCC Group’s global Cyber Incident Response Team have observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U…

Read more →

This article has been indexed from Fox-IT International blog Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible…

Read more →

This article has been indexed from Fox-IT International blog Author: Jelle Vergeer This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible…

Read more →

This article has been indexed from Fox-IT International blog Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the…

Read more →

fumik0_ & the RIFT Team TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany…

Read more →

Read the original article: RM3 – Curiosities of the wildest banking malware fumik0_ & the RIFT Team TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and…

Read more →

Read the original article: Abusing cloud services to fly under the radar tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through…

Read more →

Read the original article: Abusing cloud services to fly under the radar tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through…

Read more →

Read the original article: Decrypting OpenSSH sessions for fun and profit Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory…

Read more →

Read the original article: Decrypting OpenSSH sessions for fun and profit Author: Jelle Vergeer Introduction A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory…

Read more →

Read the original article: StreamDivert: Relaying (specific) network connections Author: Jelle Vergeer The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed.…

Read more →

Read the original article: Machine learning from idea to reality: a PowerShell case study Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 Author: Joost Jansen This blog provides a ‘look behind the scenes’ at…

Read more →

Read the original article: Machine learning from idea to reality: a PowerShell case study Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 Author: Joost Jansen This blog provides a ‘look behind the scenes’ at…

Read more →

Read the original article: A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) Authors: Rich Warren of NCC Group FSAS & Yun Zheng Hu of Fox-IT, in close collaboration with Fox-IT’s RIFT. About the Research and Intelligence Fusion Team (RIFT):…

Read more →

Read the original article: A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) Authors: Rich Warren of NCC Group FSAS & Yun Zheng Hu of Fox-IT, in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):…

Read more →

Read the original article: WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our…

Read more →

Read the original article: WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) and Michael Sandee 1. Introduction WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We…

Read more →

Read the original article: In-depth analysis of the new Team9 malware family Author: Nikolaos Pantazopoulos Co-author: Stefano Antenucci (@Antelox) And in close collaboration with NCC’s RIFT. 1. Introduction Publicly discovered in late April 2020, the Team9 malware family (also known…

Read more →

Read the original article: In-depth analysis of the new Team9 malware family Author: Nikolaos Pantazopoulos Co-author: Stefano Antenucci (@Antelox) And in close collaboration with NCC’s RIFT. 1. Introduction Publicly discovered in late April 2020, the Team9 malware family (also known…

Read more →

  Introduction A while back during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain, however only one network segment could connect to the internet. To…

Read more →

Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection or connect the victim machine directly.…

Read more →

Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection or connect the victim machine directly.…

Read more →