mastodontech.de is one of many independent Mastodon servers you can use to take part in the Fediverse.
Open to everyone (over 16) and provided by Markus'Blog


#sophosxops

Sophos X-Ops<p>A year ago, Sophos X-Ops published our research into threat actor attitudes towards AI. We went into the underground forums to see what they were saying about AI.<br>At the time, we found threat actors were skeptical, grappling with the same issues, problems, and concerns everyone was.<br>A year later, we've returned to see what, if anything, has changed. Overall, we've seen a slight shift, but the song remains the same overall: skeptical.<br>Get more details in our latest report here: </p><p><a href="https://news.sophos.com/en-us/2025/01/28/update-cybercriminals-still-not-fully-on-board-the-ai-train-yet/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2025/01/</span><span class="invisible">28/update-cybercriminals-still-not-fully-on-board-the-ai-train-yet/</span></a><br><a href="https://infosec.exchange/tags/sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ai</span></a></p>
Sophos X-Ops<p>Continue getting ready for the new year with part two of our two-part series on “Patch Prioritization”. </p><p>Here we go into <a href="https://infosec.exchange/tags/EPSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EPSS</span></a>, <a href="https://infosec.exchange/tags/SSVC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSVC</span></a>, <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a>, and other tools and frameworks. </p><p><a href="https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-2-alternative-frameworks" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/12/</span><span class="invisible">30/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-2-alternative-frameworks</span></a> </p><p><a href="https://infosec.exchange/tags/sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/patching" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patching</span></a> <a href="https://infosec.exchange/tags/patchprioritization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patchprioritization</span></a></p>
Sophos X-Ops<p>Get ready for the new year by taking time to better understand how to prioritize your patching. </p><p>Read “Understanding <a href="https://infosec.exchange/tags/CVSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVSS</span></a>”, part one of our two-part series on “Patch Prioritization”.<br> <br><a href="https://news.sophos.com/en-us/2024/12/27/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-1-cvss/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/12/</span><span class="invisible">27/prioritizing-patching-a-deep-dive-into-frameworks-and-tools-part-1-cvss/</span></a></p><p><a href="https://infosec.exchange/tags/sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/patching" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patching</span></a> <a href="https://infosec.exchange/tags/patchprioritization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patchprioritization</span></a></p>
Sophos X-Ops<p>Additionally, case data reveals a 3-week delay before Akira posts victim information on their leaksite. Research indicates 127 victims have been posted to their leak site over the last 6 months. Sophos X-Ops is tracking 2 active Akira threat clusters (STAC5881, STAC5397), with STAC5397 also deploying Fog ransomware. We commonly observe them leveraging PsExec, Advanced IP Scanner, SoftPerfect Network Scanner, 7-zip, Rclone, AnyDesk, WinRAR, WinSCP and FileZilla software during intrusions. <a href="https://infosec.exchange/tags/Akira" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Akira</span></a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
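<p>A hunt for the tool combination named in the post above, as an added example that is not Sophos X-Ops code. Any one of these tools is legitimate on its own; the signal is several of them running on the same host within a short window. The executable-name patterns and the telemetry records are constructed assumptions for illustration.</p>

```python
# Added example (not Sophos X-Ops code): flag hosts on which several of the
# dual-use tools listed in the Akira post ran within one sliding window.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Tool families from the post, mapped to executable-name patterns.
# The patterns are assumptions for illustration; real builds and renames vary.
TOOL_PATTERNS = {
    "PsExec": re.compile(r"psexe(c|svc)(64)?\.exe$", re.I),
    "Advanced IP Scanner": re.compile(r"advanced_ip_scanner.*\.exe$", re.I),
    "SoftPerfect Network Scanner": re.compile(r"netscan(64)?\.exe$", re.I),
    "7-zip": re.compile(r"7z(a|g)?\.exe$", re.I),
    "Rclone": re.compile(r"rclone\.exe$", re.I),
    "AnyDesk": re.compile(r"anydesk\.exe$", re.I),
    "WinRAR": re.compile(r"(winrar|rar)\.exe$", re.I),
    "WinSCP": re.compile(r"winscp\.exe$", re.I),
    "FileZilla": re.compile(r"filezilla\.exe$", re.I),
}

# Constructed sample process-creation telemetry: (timestamp, host, image path).
SAMPLE_EVENTS = [
    ("2024-12-01T02:10:00", "SRV-FILE01", r"C:\Users\Public\psexec64.exe"),
    ("2024-12-01T02:14:00", "SRV-FILE01", r"C:\Users\Public\netscan.exe"),
    ("2024-12-01T02:40:00", "SRV-FILE01", r"C:\ProgramData\rclone\rclone.exe"),
    ("2024-12-01T03:05:00", "SRV-FILE01", r"C:\Windows\Temp\7za.exe"),
    ("2024-12-01T09:00:00", "WS-ALICE", r"C:\Program Files\7-Zip\7zG.exe"),
    ("2024-12-02T11:30:00", "WS-BOB", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
]


def classify(image_path):
    """Return the tool family for an image path, or None if it is not listed."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    for tool, pattern in TOOL_PATTERNS.items():
        if pattern.search(name):
            return tool
    return None


def hunt(events, min_tools=3, window_hours=24):
    """Return {host: sorted tool families} for hosts where at least
    min_tools distinct families ran inside any window of window_hours."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        tool = classify(path)
        if tool:
            per_host[host].append((datetime.fromisoformat(ts), tool))
    window = timedelta(hours=window_hours)
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        # Slide the window start over each sighting on this host.
        for i, (start, _) in enumerate(seen):
            tools = {t for when, t in seen[i:] if when - start <= window}
            if len(tools) >= min_tools:
                hits[host] = sorted(tools)
                break
    return hits


if __name__ == "__main__":
    for host, tools in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tools)}")
```

<p>Only SRV-FILE01 trips the rule; the lone 7-Zip and AnyDesk sightings on workstations stay below the threshold.</p>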
Sophos X-Ops<p>Sophos X-Ops has just released a brand-new Active Adversary Report, covering the first six months of 2024 – a little light holiday reading, as one does. For the first time ever, data from MDR's customer-facing Incident Response team is fully incorporated with data from our dedicated Incident Response team. The result is our largest dataset ever, with 190 entries normalized across 63 fields. </p><p>Perhaps the most startling finding of all is that abuse of LOLbins was up, way up, in the first half of the year. The AAR analysis team thought it might be a hallucination brought on by ingesting all that MDR data but... it isn't. The report has details, including what (besides RDP) is getting a workout. (Spoiler: You name it. Some of these attackers are just odd.)</p><p>We worked on a great number of ransomware cases in 1H24, as you'd expect. What you might not expect is which ransomware brands were most often involved, especially if you follow the headlines about high-profile law-enforcement activities. The new report looks at how the scene shaped up after the February 2024 LockBit takedown and points out a data pattern that you might not have glimpsed in the usual day-to-day news coverage.</p><p>Finally, as AAR stands on the cusp of its sixth year of data (the first AAR was published in 2021, covering 2020 and the then-new IR team), we revisited some of our older investigations -- dwell time, time-to-Active-Directory, and many more. Updated information on these topics and many more is in the report. Enjoy!</p><p><a href="https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/12/</span><span class="invisible">12/active-adversary-report-2024-12/</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>Sophos X-Ops teams are monitoring and responding to attacks against Cleo products VLTrader, Harmony, and LexiCom prior to version 5.8.0.23 in each as outlined in this advisory: <a href="https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">support.cleo.com/hc/en-us/arti</span><span class="invisible">cles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending</span></a>. </p><p>Sophos MDR and Labs teams can confirm seeing 50+ unique hosts targeted by these attacks at this time.</p><p>All observed impacted customers have a branch or operate within North America, primarily the US. We note the majority of observed affected customers are retail organizations.</p><p>Sophos MDR threat hunting currently shows the first attack on 2024-12-06 at 17:47 UTC.</p><p>We will continue to monitor and provide updates as we have more information.</p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a></p>
Sophos X-Ops<p>For 5 years, Sophos has been engaged in defensive and counter-offensive operations against China-based <a href="https://infosec.exchange/tags/NationState" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NationState</span></a> adversaries targeting perimeter devices like <a href="https://infosec.exchange/tags/firewalls" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>firewalls</span></a> for surveillance and sabotage.</p><p>The attacks unfolded in two waves: the first aimed to build proxy networks, often used by Chinese groups to hide further operations. The second targeted critical infrastructure in South and Southeast Asia.</p><p>Sophos uncovered links to groups like Volt Typhoon, APT31, APT41, and Chinese educational institutions. Now, we’re sharing insights from our detailed "Pacific Rim" report to help others defend against these persistent attackers.</p><p>Sophos X-Ops is happy to collaborate with others and share additional detailed IOCs on a case-by-case basis. <br>Contact us via pacific_rim@sophos.com. </p><p>For the full story, please see our landing page: <a href="https://www.sophos.com/en-us/content/pacific-rim" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sophos.com/en-us/content/pacif</span><span class="invisible">ic-rim</span></a> </p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a></p>
Sophos X-Ops<p>Last year, <a href="https://infosec.exchange/tags/SophosXOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SophosXOps</span></a> presented research about this <a href="https://infosec.exchange/tags/EDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDR</span></a> killing tool at Microsoft's Blue Hat conference. The kernel drivers, custom-built by the people selling this tool to ransomware gangs, had been signed with Microsoft's own WHQL certificates, lending them the appearance of legitimacy they had not earned.</p><p>(Our prior research is here: <a href="https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2022/12/</span><span class="invisible">13/signed-driver-malware-moves-up-the-software-trust-chain/</span></a>)</p>
Sophos X-Ops<p>Last week we released our first Active Adversary Report for 2024, covering a selection of Incident Response cases from the last half of 2023. Our analysis found that though the last half of last year was a relatively quiet time in the ongoing struggle between attackers and defenders, the good guys may not be taking full advantage of the lull.</p><p><a href="https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/04/</span><span class="invisible">03/active-adversary-report-1h-2024/</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>We have recently found yet another campaign, where AuKill was deployed to attempt disabling EDR agents on the targeted system. <br> <br>The malware introduced minor changes, specifically by using a custom packer and implementing anti-analysis techniques. However, in terms of core functionalities and purpose of the EDRKiller, there are no major differences between the version of AuKill we're seeing in March 2024 and the version we reported on in April 2023. <br> <br>Therefore, defenders can and should continue to be on the lookout for AuKill and follow our published guidance: </p><p><a href="https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2023/04/</span><span class="invisible">19/aukill-edr-killer-malware-abuses-process-explorer-driver/</span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>Each year, Sophos releases an annual threat report. This year, we took a different approach: rather than looking at the whole threat landscape, we focused on the biggest cybercrime threats to small and medium businesses.</p><p><a href="https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/03/</span><span class="invisible">12/2024-sophos-threat-report/</span></a>. <a href="https://infosec.exchange/tags/sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> /1</p>
Sophos X-Ops<p>We have just posted our latest research with our observations and analysis into ConnectWise ScreenConnect attacks.</p><p>We’ve observed multiple attacks in the past 48 hours. This has included malware that was built using the LockBit 3 ransomware builder tool leaked in 2022: this may not have originated with the actual LockBit developers. </p><p>But we’re also seeing RATs, infostealers, password stealers and other ransomware. All of this shows that many different attackers are targeting ScreenConnect.</p><p>Anyone using ScreenConnect should take steps to immediately isolate vulnerable servers and clients, patch them and check for any signs of compromise.</p><p>We have extensive guidance and threat hunting material from our teams to help.</p><p>We’ll provide updates to our blog with more information as appropriate.</p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> </p><p><a href="https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2024/02/</span><span class="invisible">23/connectwise-screenconnect-attacks-deliver-malware/</span></a></p>
Sophos X-Ops<p>While the world digests what, precisely, the LockBit takedown this week entails and how much it’s likely to kneecap the ransomware gang, we’d just like to point out how prevalent the family is – literally, what Conti was to 2021, LockBit was to 2023. Here’s a graphic from our upcoming Active Adversary Report, showing precisely how, as seen by the Sophos X-Ops Incident Response team, Conti in 2021 and LockBit in 2023 represented literally double the volume of infections of the nearest “competitors.”</p><p><a href="https://infosec.exchange/tags/sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/lockbit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lockbit</span></a> <a href="https://infosec.exchange/tags/lockbit_takedown" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lockbit_takedown</span></a></p>
Sophos X-Ops<p>Hey everyone. <span class="h-card" translate="no"><a href="https://infosec.exchange/@threatresearch" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>threatresearch</span></a></span> here on the X-Ops thread with a quick update about <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Qakbot</span></a> </p><p>After last August's international takedown of infrastructure that controlled the Qakbot botnet, a lot of people – including some here at Sophos – thought we hadn't seen the last of the <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a>-delivered <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> </p><p>Unfortunately, we and others were right. Someone with access to the source code has been experimenting with new builds, making incremental changes. 1/<br><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/SophosXOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SophosXOps</span></a></p>
Sophos X-Ops<p>From SysAid’s write-up about active attacks attributed to Cl0p.</p><p>"- Checks all running processes for any process beginning with the name “Sophos” [and only Sophos] and if found, exits.<br>- If no matching processes are found, starts the user.exe malware." </p><p>SysAid On-Prem Software customers should read and apply the update discussed to address the CVE-2023-47246 vulnerability.</p><p><a href="https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">sysaid.com/blog/service-desk/o</span><span class="invisible">n-premise-software-security-vulnerability-notification</span></a><br><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>A few weeks ago, we saw a challenge posted online where a technical user was looking for the most elaborate, complex Regular Expression (e.g., regex) that someone uses on a regular basis for a practical reason.</p><p><a href="https://twitter.com/timhwang/status/1694812433242612159" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">twitter.com/timhwang/status/16</span><span class="invisible">94812433242612159</span></a></p><p>We asked around our team of researchers, and we found what might be the largest, most complex regex anyone has ever seen: 272,816 UTF-8 characters in length, created for our Data Loss Prevention product.<br> <br>The regex is designed to detect postal addresses in files or messages transmitted over the internet, and the reason it is so long is that it can detect a large variety of international postal address formats, using local languages and character sets. It can tell if someone is transmitting lists of addresses in Gaelic or Malay, Norwegian or Chinese, Russian or Finnish or Tamil. </p><p>According to the researcher who created the regex, John Bryan, this regex is scanning a file or email every second of every day, somewhere in the world.</p><p>It is far too large to show the entire thing on one screenshot (plus, there's some proprietary data in there), so we've generated a screenshot that highlights a few key locations within this massive regex, and that shows the entire thing in a human-viewable scale.</p><p>So, challenge accepted, and challenge met. </p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>During a recent investigation, Sophos X-Ops discovered a trojanized Windows installer for CloudChat, an instant messaging application. Looking into this supply chain attack further, we found that the official distribution server for the application had been compromised, and delivered a Windows installer modified to load an additional, malicious DLL. This DLL contained an encrypted payload that connected back to a C2 server to download and execute the next stage malware. We contacted the vendor when we found this issue, but at the time of posting haven’t received a response.</p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a></p>
Sophos X-Ops<p>Microsoft on Tuesday released patches for 104 vulnerabilities, including 80 for Windows. Ten other product groups are also affected. Of the 104 CVEs addressed, 11 are considered Critical in severity; ten of those are in Windows, while one falls in the Microsoft Common Data Model SDK. (The Common Data Model is a metadata system for business-related data.) One CVE, an Important-severity denial-of-service issue (CVE-2023-38171), affects not only Windows but both .NET and Visual Studio. </p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/patchtuesday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patchtuesday</span></a> <a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a></p>
Sophos X-Ops<p>In mid-August, the Sophos X-Ops Incident Response team was brought in to address a cyber incident impacting a telecommunications company. Shortly after, when the customer was onboarded to Sophos MDR services, a detection was generated for a service creation for the Cloudflared tunneling service from a suspicious path. The resulting investigation led Sophos MDR Ops analysts and SophosLabs researchers to uncover a backdoor leveraging a loading function similar to that previously seen within the TinyTurla backdoor.</p><p><a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/TinyTurla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TinyTurla</span></a> <a href="https://infosec.exchange/tags/NotSoTinyTurla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NotSoTinyTurla</span></a> <a href="https://infosec.exchange/tags/SophosXops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SophosXops</span></a></p>
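<p>The detection described in the post above, a service created for the Cloudflared tunnel client from a suspicious path, written out as an added example that is not Sophos or Cloudflare code. It runs over constructed Windows System log Event ID 7045 (service installed) records; the expected install directories, the argument pattern and the sample records are assumptions for illustration.</p>

```python
# Added example (not Sophos code): flag Event ID 7045 service installs that
# register a cloudflared-style tunnel from outside its expected directory.
import re
from pathlib import PureWindowsPath

# Directories a legitimately installed cloudflared service normally runs from.
# Assumption for illustration; adjust to what is deployed in your estate.
EXPECTED_DIRS = (
    r"C:\Program Files (x86)\cloudflared",
    r"C:\Program Files\cloudflared",
)

# Constructed 7045 records, as a SIEM would present them after parsing.
SAMPLE_7045 = [
    {"host": "DC01", "ServiceName": "Cloudflared",
     "ImagePath": r"C:\Program Files (x86)\cloudflared\cloudflared.exe"},
    {"host": "APP02", "ServiceName": "WindowsUpdateSvc",
     "ImagePath": r"C:\Users\Public\Music\cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"},
    {"host": "APP02", "ServiceName": "Spooler2",
     "ImagePath": r"C:\ProgramData\svc\cf.exe tunnel --no-autoupdate run --token TOKEN_PLACEHOLDER"},
    {"host": "WS07", "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

# Recognise the tunnel client by binary name, or by its "tunnel ... run"
# arguments, which a renamed copy still has to carry to function.
CLOUDFLARED_NAME = re.compile(r"cloudflared(\.exe)?$", re.I)
TUNNEL_ARGS = re.compile(r"\btunnel\b.*\brun\b", re.I)


def split_image_path(image_path):
    """Split a 7045 ImagePath into (executable path, argument string)."""
    s = image_path.strip()
    if s.startswith('"'):  # quoted executable, arguments follow the quote
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    exe, sep, args = s.partition(".exe ")
    return (exe + ".exe", args) if sep else (s, "")


def assess(record):
    """Return a reason string if the install looks like a rogue tunnel
    service, or None if it is unrelated or from an expected location."""
    exe, args = split_image_path(record["ImagePath"])
    p = PureWindowsPath(exe)
    named_cf = bool(CLOUDFLARED_NAME.search(p.name))
    if not named_cf and not TUNNEL_ARGS.search(args):
        return None
    in_expected = any(str(p.parent).lower() == d.lower() for d in EXPECTED_DIRS)
    if named_cf and in_expected:
        return None
    return f"tunnel service '{record['ServiceName']}' installed from {exe}"


def find_suspicious(records):
    """Return [(host, reason)] for every record that assess() flags."""
    return [(r["host"], reason) for r in records if (reason := assess(r))]


if __name__ == "__main__":
    for host, reason in find_suspicious(SAMPLE_7045):
        print(host, reason)
```

<p>DC01's service from the expected directory and WS07's Sysmon install pass; the two APP02 records, one a renamed binary, are flagged on path and arguments.</p>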
Sophos X-Ops<p>Sophos is currently tracking a campaign by threat actors targeting unpatched Citrix NetScaler systems exposed to the internet. Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs.</p><p><a href="https://infosec.exchange/tags/Sophosxops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sophosxops</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cve20233519" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20233519</span></a></p>