In the world of cybersecurity, one of the most effective tools for managing network traffic proactively is the whitelist. Although blacklists are more often discussed as a way to block malicious sites and IPs, the whitelist is an equally important approach and, in many cases, an even more secure and efficient one. But
“Hey ESET, Wait for the Leak”: Dissecting the “OctoberSeventh” Wiper targeting ESET customers in Israel
In October 2024, attackers targeted Israeli organizations by exploiting a trusted source: ESET’s local partner, Comsecure. Apparently they compromised Comsecure’s infrastructure and used it to send phishing emails disguised as official communications from ESET. These emails contained a malicious download link purported to be a legitimate tool but actually housed
Ransomware Report: Unveiling Trends in Attack Payouts and Negotiations
Ransomware attacks represent a significant cybersecurity threat, affecting various sectors and individuals. This study examines a comprehensive dataset of ransomware payments and chat logs to better understand the strategies and patterns of attackers. The analysis focuses on major ransomware groups, including LockBit, Hive, BlackMatter, and Conti, covering 200 incidents from
Malware’s Shared Secrets: Code Similarity Insights for Ransomware Gangs Activities Tracking
On July 1, 2024, the cyber security vendor Halcyon, Inc., identified a novel ransomware strain they named LukaLocker (ref. here). In the article, researchers from Halcyon reported a new ransomware operator, dubbed Volcano Demon, specialized in attacks using the LukaLocker encryptor. According to the source, the threat actor targets both
Unmasking the Bears’ Chrome Data Thief: The Android Cookie-Stealer Payload
On August 29, 2024, a blogpost by Google’s Threat Analysis Group (TAG) reported the convergence of state-backed attackers and commercial surveillance vendors (CSVs) in their use of similar exploits for cyber-attacks. This phenomenon highlights a troubling trend where both types of actors leverage the same vulnerabilities to achieve their objectives,
The access violation that crashed the world: Technical insights of the BSOD in CrowdStrike’s CSAgent.sys
Important Disclaimer: Software bugs are an inherent part of software development. They have always existed and will continue to exist due to the complexity of modern systems and the inherent limitations of human error. The presence of a bug does not necessarily indicate that a software product is fundamentally flawed
Unveiling AzzaSec Ransomware: Technical insights into the group’s locker.
AzzaSec emerged as an Italian hacktivist group leveraging ransomware to further their political and ideological objectives. In recent days a lot of media attention has been dedicated to this group, especially in conjunction with the announcement of a R-a-a-S (Ransomware-as-a-Service) program adopted by the group in question. Since AzzaSec sells
Unveiling Obfuscated Batch Scripts: From UTF-8 to UTF-16 BOM Conversion
This morning I observed an Internet Shortcut file (sha256:0817cd8b0118e2f023342ad016ef443fd4c2e4657a373f9023807a231d16b0fa – Fattura Elettronica 11817929720.url) designed to compromise an Italian organization, containing these instructions: The .lnk file in its turn showed the following commands: These instructions are designed to perform two main actions: it moves a file and then starts it. First,
A Reverse Engineer’s journey with PowerShell and XWorm
Every now and then you come across new malware variants and find something that attracts a little attention. A few days ago I acquired a VBS file, directed via a malspam campaign against an Italian organization, that was approximately 409 MB in size (sha256:ADF773B49D8306E08B5232039E0DEA143E2C015CDC731F1BE86D7DD92FCCA6A9). After thinking I might find something
XZ BackDoor (CVE-2024-3094): a Multi-Year Effort by an Advanced Threat Actor
With this post I would like to provide a technical dive and considerations about the recently disclosed XZ BackDoor vulnerability (CVE-2024-3094). This vulnerability, which affects the XZ Utils library, a widely used data compression utility in Linux distributions, had the potential for severe consequences, including remote code execution (RCE) and