Category: Sekoia.io Blog

Executive Summary Introduction Recent reports about the People’s Republic of China (PRC) cyber capabilities highlighted its important arsenal mobilising institutional and military actors, as well as private companies providing hack-for-hire services for governmental operations. These findings pointed out the complexity…

Read more →

This blog post provides an overview of the observed Clickfix clusters and suggests detection rules based on an analysis of the various infection methods employed. La publication suivante ClickFix tactic: Revenge of detection est un article de Sekoia.io Blog. This…

Read more →

This blog post provides a chronological overview of the observed ClickFix campaigns. We further share technical details about a ClickFix cluster that uses fake Google Meet video conference pages to distribute infostealers. La publication suivante ClickFix tactic: The Phantom Meet…

Read more →

In hybrid and outsourced SOC models, managing access for different stakeholders—including internal security teams, MSSP personnel, and other IT departments—can be complex. Even different teams than security ones may need access to specific data, such as network logs for infrastructure…

Read more →

Discover Mamba 2FA, a previously unknown adversary-in-the-middle (AiTM) phishing kit, sold as phishing-as-a-service (PhaaS). La publication suivante Mamba 2FA: A new contender in the AiTM phishing ecosystem est un article de Sekoia.io Blog. This article has been indexed from Sekoia.io…

Read more →

Whether you’re an MSSP looking to enhance client offerings or an internal SOC team striving for operational excellence, adopting Detection-as-Code can be a game-changer. Here’s why it matters. La publication suivante Getting started with Detection-as-Code and Sekoia Platform est un…

Read more →

Understanding cyber threats and IoC (Indicators of Compromise) is crucial for protecting your organisation from cybercriminal activities. At Sekoia, we’ve embraced this by developing a comprehensive solution that combines Cyber Threat Intelligence (The Sekoia Intelligence product) with our detection platform,…

Read more →

Since mid 2023, Sekoia Threat Detection & Research team (TDR) investigated an infrastructure which controls compromised edge devices transformed into Operational Relay Boxes used to launch offensive cyber attack. La publication suivante Bulbature, beneath the waves of GobRAT est un…

Read more →

In today’s cybersecurity landscape, upgrading from legacy SIEM solutions to modern SOC platforms is no longer a question of if, but when. As we enter 2024, security teams must adapt to the increasingly complex threats they face, and relying on…

Read more →

On 17 September 2024, Sekoia’s Threat Detection & Research (TDR) team identified a notable infection chain targeting both Windows and Linux systems through our Oracle WebLogic honeypot. The attacker exploited CVE-2017-10271 and CVE-2020-14883 Weblogic vulnerabilities to deploy Python and Bash…

Read more →

To read the French version the article, click here. The European Union (EU) adopted a fundamental directive at the end of 2022 aimed at protecting critical sectors of the European economy from cyber threats. Directive (EU) 2022/2555, better known as…

Read more →

Our investigation uncovered 25 kurdish websites compromised by four different variants of a malicious script, ranging from the simplest, which obtains the device’s location, to the most complex, which prompts selected users to install a malicious Android application. La publication…

Read more →

This blogpost examines the use of WebDAV technology in hosting malicious files related to the Emmenhtal loader, then analyses the various final payloads delivered through this infrastructure, and concludes by exploring the possibility that the infrastructure is being offered as-a-service…

Read more →

Anticipating Paris 2024 Olympics cyber threats, Sekoia.io has conducted over July and August 2024 a proactive hunting of Olympics-typosquatted domains registered by malicious actors – cybercrime related and possibly APT campaigns – in order to detect any kind of operations…

Read more →

Key Takeaways The Sekoia TDR team has recently identified new staging servers, leading to the discovery of additional targets, implants, and botnet clusters tied to the Quad7 operators. The Quad7 botnet operators seem to be compromising several brands of SOHO…

Read more →

Platform enabled services In previous posts (see links below), I’ve outlined already the profound transformation of Security Operations Center (SOC) technologies. The journey from on-premise SOC solutions to Software-as-a-Service (SaaS) delivered platforms marks a significant milestone in this evolution. Gartner’s…

Read more →

Written by Mitigant (Kennedy Torkura) and Sekoia.io Threat Detection and Research (TDR) team (Erwan Chevalier and Guillaume Couchard). Introduction Enterprises are increasingly using cloud infrastructure to take advantage of its underlying benefits. Unlike traditional data centres, cloud infrastructure affords business…

Read more →

Key Takeaways Sekoia.io investigated the mysterious 7777 botnet (aka. Quad7 botnet), published by the independent researcher Git7w0rm inside the “The curious case of the 7777 botnet” blogpost.   This investigation allowed us to intercept network communications and malware deployed on…

Read more →

In today’s digital age, small and medium enterprises (SMEs) are facing unprecedented cybersecurity challenges. The threat landscape has evolved dramatically, with malicious actors constantly seeking out the weakest links, including those within supply chains. La publication suivante Technological Evolution and…

Read more →

This report was originally published for our customers on 20 June 2024. Today, the Check Point Research (CPR) team published a report on the same implant, providing details of recent MuddyWater campaigns. Introduction On June 9 2024, ClearSky tweeted about a new…

Read more →

At Sekoia.io, the integration of the MITRE ATT&CK framework into our Security Operations Center (SOC) platform is a cornerstone of our approach to cybersecurity. The ATT&CK framework serves as a comprehensive knowledge base of cyber adversary behavior and a taxonomy…

Read more →

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. La publication suivante Exposing FakeBat loader: distribution methods and adversary infrastructure est un article de Sekoia.io Blog. This…

Read more →

In my previous article, I gave an overview of the current transformation of the cybersecurity market, marked by major acquisitions and mergers among key players, and how new generation players profoundly affect SOC and MSSP models. We continue this series…

Read more →

The cybersecurity market is undergoing significant transformation marked by major acquisitions and mergers among key players. Traditional on-premise solutions are being replaced by comprehensive, SaaS-based platforms that offer faster deployment, lower costs, and superior capabilities. La publication suivante What’s up…

Read more →

The Filigran x Sekoia.io partnership announcement is an opportunity to put the spotlight back on the benefits of the integration between OpenCTI and Sekoia Threat Intelligence. La publication suivante Combining Sekoia Intelligence and OpenCTI est un article de Sekoia.io Blog. This article…

Read more →

This blog post provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware stages. La publication suivante PikaBot: a Guide to its Deep Secrets and Operations est un article de Sekoia.io Blog. This article…

Read more →

This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights about the team behind all Sekoia Threat Intelligence and Detection Engineering reports. Let me introduce you to the Sekoia TDR team.…

Read more →

This report was originally published for our customers on 14 May 2024. Executive summary Introduction On the eve of 2024, an election year in which more than 54% of the world’s population will be called to the polls, the pro-Russian…

Read more →

The managed security service market is blooming. Statista states it’s projected to reach 65.53 billion U.S. dollars in 2028. Although this forecast looks promising, MSSPs still compete and seek the right tools to manage multiple clients and enhance their offerings.…

Read more →

In the constantly evolving cybersecurity landscape, Sekoia.io is at the forefront of crafting sophisticated detection engineering strategies. This blog post dives into our approach to security and more specifically in the creation of detection rules. Aimed at both our existing…

Read more →

This report was originally published for our customers on 2 May 2024. As part of our critical vulnerabilities monitoring routine, Sekoia’s Threat & Detection Research (TDR) team deploys and supervises honeypots in different locations around the world to identify potential…

Read more →

Executive Summary Introduction 2024 marks a pivotal moment in global politics as an unusual number of elections have and will take place across various nations, encompassing approximately 54% of the world’s population. Elections serve as keystone events in democratic societies,…

Read more →

Key Takeaways In September 2023, we successfully sinkholed a command and control server linked to the PlugX worms. For just $7, we acquired the unique IP address tied to a variant of this worm, which had been previously documented by…

Read more →

The global shift towards cloud computing is undeniable. According to Statista, the worldwide public cloud computing market continues to grow and is expected to reach an estimated 679 billion U.S. dollars in 2024. AWS, Azure and Google Cloud services dominate…

Read more →

A broad introduction to AWS logs sources and relevant events for detection engineering La publication suivante AWS Detection Engineering est un article de Sekoia.io Blog. This article has been indexed from Sekoia.io Blog Read the original article: AWS Detection Engineering

Read more →

In 2024, the lines between EDR and XDR are becoming blurred. More and more vendors offer platforms that combine endpoint, network, cloud, and email security. All these tools are designed to block threats, though they differ in terms of scope…

Read more →

This blogpost was written by Glimps and Sekoia.io teams The Open XDR Platform is an alliance of specialized, complementary cybersecurity solution providers, that provide a rapid, coordinated response to the ever-increasing number and sophistication of cyberattacks. This modular, customizable approach provides analysts and security…

Read more →

Tycoon 2FA has become one of the most widespread AiTM phishing kits over the last few months. La publication suivante Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit est un article de Sekoia.io Blog.…

Read more →

Written by World Watch team from CERT Orange Cyberdefense (Marine PICHON, Vincent HINDERER, Maël SARP and Ziad MASLAH) and Sekoia TDR team (Livia TIBIRNA, Amaury G. and Grégoire CLERMONT) TL;DR Introduction On 25 January 2024 Microsoft released public guidance on…

Read more →

Indicators of Compromise (IOCs) serve as signals, hinting at potential security breaches or ongoing cyberattacks. These indicators consolidated in a single database range from IP addresses to file hashes and act as early warning signs, enabling organizations to detect and…

Read more →

In the ever-evolving landscape of cybersecurity, the battle against threats demands a multi-faceted approach. Organizations, now more than ever, need to leverage comprehensive Threat Intelligence to stay ahead of adversaries. At the forefront of this defense is Sekoia.io, a leading…

Read more →

In this report, we introduce key concepts and analyse the different crypter-related activities and the lucrative ecosystem of threat groups leveraging them in malicious campaigns. La publication suivante The Architects of Evasion: a Crypters Threat Landscape est un article de…

Read more →

Context Since the onset of the War in Ukraine, various groups identified as “nationalist hacktivists” have emerged, particularly on the Russian side, to contribute to the confrontation between Kyiv and Moscow. Among these entities, the pro-Russian group NoName057(16) has garnered…

Read more →

Context In September and October 2023, several open source publications, part of the Predator Files project coordinated by the European Investigative Collaborations, exposed the use of the Predator spyware by customers of Intellexa surveillance solutions. The intrusion set related to…

Read more →

Automation plays a pivotal role in streamlining operations, enhancing security posture, and minimizing risks. However, executing automation tasks can still be challenging for organizations with on-premises infrastructure due to technical complexities and constraints. To address this challenge, Sekoia.io has recently…

Read more →

This report provides an overview of the Scattered Spider evolution, its modus operandi and the toolset leveraged over the past years. Additionally, it delves into the Scattered Spider TTPs, as well as the latest ongoing campaigns, including their current targets.…

Read more →

According to Global Cybersecurity Outlook 2024 by WEF, 29% of organizations reported that they had been materially affected by a cyber incident in the past 12 months. Due to increasing risks and expanded attack surface, companies seek to establish reliable…

Read more →

Context Throughout 2023, Sekoia.io’s Threat Detection & Research (TDR) team actively tracked and monitored adversary C2 infrastructures set up and used by lucrative and state-sponsored intrusion sets to carry out malicious cyber activities. Our analysts identified more than 85,000 IP…

Read more →

This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known Icebot), and to provide a comprehensive approach of the threat by detailing the related Techniques and Procedures. La publication suivante Unveiling…

Read more →

Expanding tech stack and increasing number of tools urge security operations teams to seek a one-stop solution for centralizing events and alerts. Under these conditions of growing risks, the Sekoia SOC platform becomes a silver-bullet solution for backing up SOC…

Read more →

Last month, Sekoia.io took part to NATO Cooperative Cyber Defence Centre of Excellence (CCDOE) Crossed Swords cyber exercise (aka XS23) organized in Tallinn, Estonia. Involving high-level expert teams from dozen of NATO member countries, Crossed Swords is a three-day unique…

Read more →

In September 2023, the Sekoia.io team embarked on a new intake development to integrate Zscaler ZIA logs into our SOC platform. After implementing Zscaler integration with a wide range of supported logs, events, and related built-in rules, our team shifted…

Read more →

Being PCI certified is a long journey. We started two years ago when we were discussing an extension of our coverage with a customer. This customer was processing card data and consequently had to be partnering with PCI-compliant security solutions…

Read more →

Sekoia.io recognizes the significant investment and effort that organizations have put into their existing security infrastructures. We also realize the flexibility needed to choose the best new tools for safeguarding critical assets and data. To enable this flexibility and streamline…

Read more →

Based on these observations and given the constantly evolving cyber threat landscape, we analysed cyber threats affecting previous editions of the Olympics, as well as the current geopolitical context to understand potential motivations of malicious actors to target this event,…

Read more →

Introduction  In the ever-changing cybersecurity landscape, Identity and Access Management (IAM) stands as the cornerstone of an organisation’s digital asset protection. IAM solutions play an essential role in managing user identities, controlling access to resources and ensuring compliance. As the…

Read more →

Investigation context On 7 December 2023, a joint advisory from the UK, USA, Canada, Australia and New Zealand attributed the previously known intrusion set Star Blizzard (aka CALISTO for Sekoia.io) to Russian Federal Security Bureau (FSB). The USA and UK…

Read more →

This report was originally published for our customers on 27 November 2023. As part of our critical vulnerabilities monitoring routine, Sekoia’s Threat & Detection Research (TDR) team deploys and supervises honeypots in different locations around the world to identify potential…

Read more →

Infection chains used by commodity malware are constantly evolving and use various tricks to bypass security measures and/or user awareness. BumbleBee, QNAPWorm, IcedID and Qakbot are all often used as first-stage malicious code, allowing other more specific payloads to be…

Read more →

Sekoia.io is proud to announce that it has achieved the Payment Card Industry Data Security Standard (PCI-DSS) compliance at Level 1. PCI-DSS compliance is a rigorous set of security standards designed to safeguard credit card information and audited by an…

Read more →

Introduction In the rapidly evolving cybersecurity landscape, staying ahead of potential threats requires a robust and comprehensive approach to managing IT assets. We are pleased to announce the beta release of our newest feature, Asset Discovery, which is designed to…

Read more →

This report aims at depicting recent trends in cyber threats impacting the financial sector worldwide. It focuses on principal tactics, techniques and procedures used by lucrative and state-sponsored intrusion sets by providing an analysis of evolutions observed in campaigns against…

Read more →

Introduction & Objectives DarkGate is sold as Malware-as-a-Service (MaaS) on various cybercrime forums by RastaFarEye persona, in the past months it has been used by multiple threat actors such as TA577 and Ducktail. DarkGate is a loader with RAT capabilities…

Read more →

Introduction The Query Builder is designed to simplify data exploration and enhance threat detection capabilities. This feature empowers Security Operations Center (SOC) teams to explore their data through an intuitive interface, enabling structured queries and insightful data aggregation for threat…

Read more →

This report was originally published for our customers on 26 October 2023. The world of online gaming, a thriving global community of millions, has become an enticing target for malicious actors seeking to exploit related vulnerabilities. In their engagement with…

Read more →

Given the recent events involving the Palestinian politico-military organisation Hamas which conducted on 7 October 2023 a military and terrorist operation in Israel, Sekoia.io took a deeper look into AridViper, an intrusion set suspected to be associated with Hamas. La…

Read more →