From a recent Threat Actor Insight report titled "Navigating Through The Fog": "The DFIR Report’s Threat Intel Group identified an open directory on 2024-12-09. The directory was likely linked to a ransomware operator associated with the Fog group, first observed in mid-2024. Analysis of its contents revealed a comprehensive toolkit used for reconnaissance, exploitation, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472. Victim data found in the directory indicated targets across multiple industries, including technology, education, and logistics, with a geographic focus on Italy, Greece, Brazil, and the USA." Threat Intel Services: https://lnkd.in/gfTNqTHV Detection Rules: https://lnkd.in/gFjUk2vS Contact Us: https://lnkd.in/gk-yfpJm
About us
The Digital Forensics and Incident Response (DFIR) Report. Real Intrusions by Real Attackers, The Truth Behind the Intrusion. In addition to our publicly available reports, we provide a range of specialized services to meet your needs, such as private reports, Command and Control tracking, personalized mentoring, and access to an exclusive detection ruleset. Explore our comprehensive offerings on our Services page at https://thedfirreport.com/services/.
- Website: https://thedfirreport.com
- Industry: Security services
- Company size: 10,001+ employees
- Type: Privately held
Updates
DFIR Labs CTF: Our next CTF will be June 7, 1630 UTC - 2030 UTC. Only $9.99 to join! Choose Elastic or Splunk as your SIEM. Get access to a NEW, un-released case. Top 5 are invited to join The DFIR Report team! Register: https://lnkd.in/gJTtb64f
We’re excited to be back at the SANS Ransomware Summit this year! This time, we’ll be delivering the keynote, sharing fresh insights on the ransomware landscape! It's free to join!
OH YEAH RANSOMWARE SUMMIT YEAH Join me for the FREE #RansomwareSummit Live Online on May 30 as #Cybersecurity experts share on #Ransomware prevention, detection, response, and recovery. Register For Free: https://lnkd.in/dqEHk6xA The DFIR Report
Another excellent report from our friends at Proofpoint!
???????? ?????? ?????????????? ????????????? ?????????? ??????????. Attackers are now using RMMs for initial access, not just for persistence and backup access. The reason being that ?????? & ???? ??????’?? ???????? ???????? ???? ??????????????????, making them an easy way in. Proofpoint’s latest research shows RMMs replacing traditional loaders. This is an incredibly detailed article from one of the best teams in the world on tracking email-related and phishing attack vectors. Thanks for the shoutout and for recognizing our work at DFIR Report in tracking these threats! Read the article here:
PYSA/Mespinoza Ransomware
- TTR 7.5 hours
- Koadic and Empire for C2
- 7+ Credential Access techniques
- ADRecon, APS, quser, net, arp, and nltest for Discovery
- RDP and PsExec for Lateral Movement
- Files exfiltrated
- PYSA ransomware for Impact
Report: https://lnkd.in/e_YRCCm Threat Intel Services: https://lnkd.in/gfTNqTHV Detection Rules: https://lnkd.in/gFjUk2vS Contact Us: https://lnkd.in/gk-yfpJm
From a recent Private Threat Brief titled "Unpacking the Threat: From EarthTime Comes SecTopRAT, and SystemBC": "The intrusion began when a user downloaded and executed an executable impersonating DeskSoft’s EarthTime application. This binary initiated a chain of execution leading to the deployment of SecTopRat, a .NET-based remote access trojan (RAT) with information-stealing capabilities. During our investigation we discovered an Uncontrolled Search Path vulnerability in DeskSoft's EarthTime installer; this could allow attackers to replace installation files with malicious versions, leading to code execution. This issue affects all DeskSoft software, and we are awaiting a CVE assignment from MITRE. The discovery of Grixba, a reconnaissance tool linked to Play ransomware, and a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware suggests the likely objective of this intrusion was ransomware deployment." Threat Intel Services: https://lnkd.in/gfTNqTHV Detection Rules: https://lnkd.in/gFjUk2vS Contact Us: https://lnkd.in/gk-yfpJm
Huge THANK YOU to everyone who joined the DFIR Labs CTF this weekend! Over 200 people from around the world jumped in to tackle challenges based on a real case, and we hope you all had fun, learned something new, and sharpened your DFIR skills. Keep an eye on our socials for the next DFIR Labs CTF announcement! Interested in running a CTF at your organization? Please fill out this form and we’ll get in touch: https://lnkd.in/gfJFji_M The case featured in this CTF is now available: https://lnkd.in/g3ymsFab
Congratulations to our winners!
- 1st Place: d1d1d1 @DreSecX
- 2nd Place: Mohanasundaram Adaikkappan
- 3rd Place: m.frithnz @Friffnz
We hope everyone enjoyed playing in our #DFIRLabsCTF!
DFIR Labs CTF – Starts in 2 Hours! Time is running out! Our next CTF kicks off at 16:00 UTC – there's still time to register! Register below.
DFIR Labs CTF – This Weekend! Join us for a new set of challenges featuring PCAP and binary analysis, plus a deep dive into a real-world APT intrusion. We’re looking forward to it and hope you are too! Register for CTF: https://lnkd.in/gJTtb64f DFIR Labs Info: https://lnkd.in/gX5b7PMT
SOC L1/L2 Opening in #CPX in March 2025. You want to directly access the technical interview with myself and my team members and get my referral for these positions? Register for the next "the DFIR Report CTF" and finish with a better ranking than mine! https://lnkd.in/d2k8f5Ta PS: No need to DM me before the end of the CTF. #CPX #thedfirreport