May 19, 2020 | Dax Morrow

TrickBot BazarLoader In-Depth

Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog. Executive Summary: AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020, independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named …

May 11, 2020 | Tawnya Lancaster

A HIPAA Compliance Checklist

Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time,…

April 14, 2020 | Ashley Graves

Slack phishing attacks using webhooks

Background: Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body,…

April 3, 2020 | Amy Pace

The Power of Community to Fight COVID-19 Cyber Threats

Cybercriminals are taking advantage of the fear and uncertainty surrounding the current global health and economic situation as well as sudden shifts and exposures in IT environments to launch COVID-19 related attack campaigns. The bad guys are moving full-steam ahead in their efforts to lure victims by playing on their fears. Fortunately, the security community is banding together to take…

March 27, 2020 | Ashley Graves

SIEM and security monitoring for Kubernetes explained

Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. It has recently seen rapid adoption across enterprise environments. Many environments rely on managed Kubernetes services such as Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) to take advantage of the benefits of both…

March 26, 2020 | Chris Doman

Sharepoint vulnerability exploited in the wild

The CVE-2019-0604 (Sharepoint) exploit and what you need to know. AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…

February 4, 2020 | Javier Ruiz

Why should you use correlation rules on top of traditional signatures?

The AT&T Cybersecurity Alien Labs team is in charge of writing correlation rules and releasing threat intelligence updates on a day-to-day basis. When researchers in the team find new malware families or threats, we always try to find the best approach to keep our customers protected. In this blog, we will look into some of the differences between…

January 15, 2020 | Fernando Martinez

Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37

In 2019, several industry analyst reports confused the threat groups Molerats and APT-C-37 due to their similarity, and this has led to some confusion and inaccuracy of attribution. For example, both groups target the Middle East and North Africa region (with a special emphasis on Palestine territories). They also both approach victims through the use of phishing emails that contain decoy…

January 9, 2020 | Fernando Dominguez

AT&T Alien Labs analysis of an active cryptomining worm

This blog post provides an overview of the AT&T Alien Labs™ technical analysis of the common malicious implants used by threat actors targeting vulnerable Exim, Confluence, and WebLogic servers. Upon exploitation, malicious implants are deployed on the compromised machine. While most of the attacks described below are historical, we at Alien Labs are continuing to see new…

December 11, 2019 | Jose Manuel Martin

Google Cloud Platform security monitoring with USM Anywhere

According to a 2019 Cyber Security Report published by the International Information System Security Certification Consortium, 93 percent of organizations say they are concerned about cloud security and 28 percent admit to having experienced cloud security incidents during the past year. The reality is, most companies lack the specialized knowledge and skills needed to provide that customer data stored in the cloud is…

December 4, 2019 | Chris Doman

The “Great Cannon” has been deployed again

Summary: The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious JavaScript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the…

October 9, 2019 | Amy Pace

What’s new in OTX

AT&T Alien Labs and the Open Threat Exchange (OTX) development team have been hard at work, continuing our development of the OTX platform. As some of you may have noticed, we’ve added some exciting new features and capabilities this last year to improve understanding within the OTX community of evolving and emerging threats. Malware analysis to…