A Global Perspective of the SideWinder APT
AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years.…
Malware using new Ezuri memory loader
This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk.…
Get the latest security news in your inbox.
RSS
TrickBot BazarLoader In-Depth
Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog. Executive Summary AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020 independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named …
A HIPAA Compliance Checklist
Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time,…
Slack phishing attacks using webhooks
Background Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body,…
The Power of Community to Fight COVID-19 Cyber Threats
Cybercriminals are taking advantage of the fear and uncertainty surrounding the current global health and economic situation as well as sudden shifts and exposures in IT environments to launch COVID-19 related attack campaigns. The bad guys are moving full-steam ahead in their efforts to lure victims by playing on their fears. Fortunately, the security community is banding together to take…
SIEM and security monitoring for Kubernetes explained
Photo by chuttersnap on Unsplash Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. It has recently seen rapid adoption across enterprise environments. Many environments rely on managed Kubernetes services such as Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) to take advantage of the benefits of both…
Sharepoint vulnerability exploited in the wild
The CVE-2019-0604 (Sharepoint) exploit and what you need to know AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…
Why should you use correlation rules on top of traditional signatures?
The AT&T Cybersecurity Alien Labs team is in charge of writing correlation rules and releasing threat intelligence updates on a day-to-day basis. When researchers in the team find new malware families or threats, we always try to find the best approach to keep our customers protected. In this blog, we will look into some of the differences between…
Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
In 2019, several industry analyst reports confused the threat groups Molerats and APT-C-37 due to their similarity, and this has led to some confusion and inaccuracy of attribution. For example, both groups target the Middle East and North Africa region (with a special emphasis on Palestine territories). And, they both approach victims through the use of phishing emails that contain decoy…
AT&T Alien Labs analysis of an active cryptomining worm
This blog post provides an overview of the AT&T Alien Labs™ technical analysis of the common malicious implants used by threat actors targeting vulnerable Exim, Confluence, and WebLogic servers. Upon exploitation, malicious implants are deployed on the compromised machine. While most of the attacks described below are historical, we at Alien Labs are continuing to see new…
Google Cloud Platform security monitoring with USM Anywhere
According to a 2019 Cyber Security Report published by the International Information System Security Certification Consortium, 93 percent of organizations say they are concerned about cloud security and 28 percent admit to having experienced cloud security incidents during the past year. The reality is, most companies lack the specialized knowledge and skills needed to provide that customer data stored in the cloud is…
