It's been a heck of a week, with tonnes of great research and tooling that I'm sure you're going to get a kick out of - check out our wrap-up for all the news!:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-16042023

Kaspersky researchers shone a light on the Dark Web trade in Google Play Loaders - a service to help inject malware into legitimate, and supposedly vetted apps, with guarantees of >1 week up-time and the option to boost your spread with targeted Ads.

#Nokoyawa ransomware have clearly got some talent on their team, having abused a #CLFS 0-day prior to Microsoft patching it last week - one of 5 different exploits they've used, mind you - and they appear to have a new, distinct ransomware strain in rotation, too.

There's heaps more great threat reporting, including a report that #FIN7 and former #Conti (#FIN12/#WizardSpider) members are collaborating on a new backdoor, and a crypto-mining campaign that may be the canary in the coal mine, indicating broader uptake of BYOVD and IPFS by low-level operators.

The #QueueJumper vulnerability from last week looks primed to explode in coming days, with a no-fix vulnerability in Microsoft Intune capping off a lousy week for Windows admins struggling to keep their networks secure.

TOOLING. Ooooh boy, this was a good week for tooling and tradecraft, ladies and gentlemen.

The #redteam have a new port of the SharpHound AD enumeration tool for Cobalt Strike; a great reference piece on leveraging stolen Office tokens to bypass MFA and access cloud workloads, and a list of keywords to avoid when crafting stealthy PowerShell scripts.

The #blueteam have a script to help tweak VM settings to circumvent malware anti-analysis checks; Procmon for macOS, and a lightweight bastion host to help redirect and record traffic sent to honeypots in your network.

This was a fun one to write up, with heaps of interesting reads and takeaways to be had. Get amongst it!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-16042023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #darkweb #microsoft #azure #mfa #mfabypass #cobaltstrike #bloodhound #sharphound #byovd #ipfs #intune #GooglePlay #Android #zeroday #0day

Conti Ransom Gang Starts Selling Access to Victims - The Conti ransomware affiliate program appears to have altered its business plan r... https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/ #contiransomware #digitalshadows #fabianwosar #ransomware #ivanrighi #emsisoft #other #fin12 #revil #ryuk

Conti Ransom Gang Starts Selling Access to Victims https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/ #Contiransomware #DigitalShadows #FabianWosar #Ransomware #IvanRighi #Emsisoft #Other #FIN12 #rEvil #Ryuk