Sekoia.io aims to stay as close as possible to the users of the platform, meeting their needs precisely while taking into account their workflows and user experience. In that spirit, the platform keeps reinventing itself and evolving, regularly integrating new features while improving existing ones. Discover in this article all the news published in October 2021.
New Detection Rules
12 new detection rules added to the catalog!
These rules focus on detecting the latest vulnerabilities, such as the Apache one (CVE-2021-41773), as well as the most recent malware, such as:
– MirrorBlast, which is not exclusively associated with the cyber criminal group TA505.
– SquirrelWaffle, which is becoming the successor to Emotet, known as the number one threat used to download other malware such as QakBot or Cobalt Strike.
New EDR rules
EDR rules have also been added to centralize and contextualize alerts from HarfangLab EDR in SEKOIA.IO XDR as part of the Open XDR Platform.
HarfangLab is a publisher of EDR (Endpoint Detection and Response) software, a technology that makes it possible to anticipate and neutralize modern and unknown cyberattacks on workstations and servers. Certified by ANSSI since 2020, HarfangLab counts among its clients large companies of international scope operating in highly sensitive sectors.
As a reminder, during the Cybersecurity Conference in Monaco last October, SEKOIA, HarfangLab, Pradeo, GLIMPS, Vade, announced the creation of the Open XDR Platform. Objective: to federate expertise in cybersecurity within a unified solution, to simplify deployment and strengthen the cyber defense of organizations.
Tracking Cyber Threats
7 new trackers
These trackers make it possible, among other functions, to monitor the Command & Control (C2) infrastructure of the following threats:
- ManaTools
ManaTools is a tool for distributing malware and controlling it through a Command & Control (C2) panel. It has already been associated with several malware families, such as RevengeRat, AzoRult, Lokibot, Formbook and AgentTesla.
- FinFisher
FinFisher is spyware sold exclusively to governments and intelligence agencies and used in criminal investigations.
- BazarLoader
BazarLoader is a widespread malware that allows attackers to penetrate the victim’s environment. Access to the system compromised by BazarLoader is often resold to ransomware gangs.
- TodayZoo
TodayZoo is a phishing kit used since December 2020 and newly documented by Microsoft.
Honeypots
Using several honeypots exposing Apache services vulnerable to CVE-2021-41773 and CVE-2021-42013, we have observed attacker activity and enriched our Observables and Cyber Threat Intelligence base with the resulting intelligence.
In order to share our analysis of the modus operandi of attackers exploiting these vulnerabilities, Sekoia.io analysts have produced and published a new FLINT on this topic!
You can also read the following blog posts:
- XDR Is Not EDR++
- What is cyber threat intelligence (CTI)?
- EDR alert centralisation, new detections and trackers… the new features of November 2021
- SIGMA, design and MITRE ATT&CK… new features of the XDR and CTI platform
- Detail of an alert, observable database, new exclusive source … the novelties of October 2021
- The DPRK delicate sound of cyber