80000 pupils’ data, their parents’ data, their teachers’ data. All because somebody didn’t update their internet facing remote access server. #helsinki #infosec #breach #cybersecurity
The City of #Helsinki Education Division #databreach has up to 120000 victims: "the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division."
To round out the Elastic series on "Dissecting #Remcos #RAT: An in-depth analysis of a widespread 2024 malware", part 4 focuses on the actionable intel that threat hunters and detection engineers can use to improve the security posture of their organization. What I really appreciate from this is the freedom to share what they know and what they built, but also the levels of coverage they provide. They aren't just looking at a single event type but sharing different artifacts and evidence left behind when it is executed, registry keys that it has modified, command and control artifacts, and many more. Having this multi-event type focus provides organizations more opportunities to catch the malicious activity! Enjoy and Happy Hunting!
I post most stuff on Infosec Exchange and Telegram (https://t.me/TheDarkWebInformer), but may leave out things such as OSINT, Ransomware, and things that are quickly evolving.
The focus of the third part of Elastic's "Dissecting #REMCOS #RAT: An in-depth analysis of a widespread 2024 malware" is all about the command and control (C2) configuration and commands. Looking at the long list of capabilities, it is easy to see why this is a formidable malware indeed. Some of the commands that can be issued control the persistence between two registry run keys, enable key logging, disable the User Account Control (UAC) within the registry, and much more. I really don't have enough space or time to list everything that it is capable of, you just have to check it out yourself!
One of the TTPs and Behaviors that shows up time and time again when it comes to persistence is the abuse of the AutoRun registry key locations. In this instance, we see that the Remcos RAT can modify the CurrentVersion\Run keys in both the HKCU and HKLM hives. As always, if we can help we do! Cyborg Security has a community hunt package that captures this activity as well as other registry run locations. Enjoy and Happy Hunting!
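As an added illustration of the Run-key persistence described in the post above (example code written for this page, not Cyborg Security's hunt package or Elastic's rules), here is a small Python check that flags value writes under the HKCU/HKLM CurrentVersion\Run and RunOnce keys in constructed Sysmon Event ID 13 records. The flattened "Key: value|Key: value" record layout and the sample process paths are assumptions made for the sample, not Sysmon's real output format.

```python
"""Flag registry value writes to AutoRun locations (added example, not vendor code).
Input: constructed Sysmon Event ID 13 (RegistryEvent, value set) records."""
import re
from dataclasses import dataclass

# Autorun locations of interest. Sysmon renders HKCU as HKU\<SID>, so accept both
# spellings, plus the Wow6432Node variant under HKLM. Matched case-insensitively.
AUTORUN_RE = re.compile(
    r"^(HKLM|HKU\\[^\\]+|HKCU)\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\"
    r"CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

@dataclass
class Finding:
    image: str       # process that wrote the value
    target: str      # full registry path written
    value_name: str  # name of the Run value
    details: str     # data written, i.e. the command that will autorun

def parse_event(line: str) -> dict:
    """Parse one flattened 'Key: value|Key: value' record (assumed sample layout)."""
    fields = {}
    for part in line.split("|"):
        key, _, val = part.partition(": ")
        fields[key.strip()] = val.strip()
    return fields

def detect_autorun_writes(lines):
    """Return a Finding for every Event ID 13 record that sets a Run/RunOnce value."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only registry value-set events matter here
        m = AUTORUN_RE.match(ev.get("TargetObject", ""))
        if m:
            findings.append(Finding(ev.get("Image", "?"), ev["TargetObject"],
                                    m.group("value"), ev.get("Details", "")))
    return findings

# Constructed sample: one benign shell write, then the same user-profile binary
# registering itself under both the HKCU (HKU\<SID>) and HKLM Run keys.
SAMPLE_EVENTS = [
    "EventID: 13|Image: C:\\Windows\\explorer.exe|TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\Shell\\BagMRU|Details: Binary Data",
    "EventID: 13|Image: C:\\Users\\alice\\AppData\\Roaming\\svchost.exe|TargetObject: HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|Details: \"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\"",
    "EventID: 13|Image: C:\\Users\\alice\\AppData\\Roaming\\svchost.exe|TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|Details: \"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\"",
]

if __name__ == "__main__":
    for f in detect_autorun_writes(SAMPLE_EVENTS):
        print(f"[autorun write] {f.image} -> {f.target} = {f.details}")
```

Pairing the Run-key write with the writing process's path (here a user-profile directory) is what turns a noisy event into a hunt lead.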
Jumping around a bit because that is just how my brain works! But, here is Elastic's part two of their "Dissecting #REMCOS #RAT: An in-depth analysis of a widespread 2024 malware" series. In this episode they focus on the watchdog, keylogger, and screen and audio recording capabilities and much more! The technical details here are amazing and I can't wait to finish the rest of the series!
Enjoy and Happy Hunting!
“We take the privacy and confidentiality of your information seriously.”
TRANSLATION:
“Every time we have a data breach we’ll let you know about it! Mainly ‘cuz we are required to in order to minimize our legal liability… and of course after we’ve consulted with our legal firm and our new 3rd party incident response vendor.”
A malicious lookalike domain for Scotiabank Canada scotiabankcanada-auth[.]com was recently registered 5/5/2024. This domain features a landing page with a reCAPTCHA that changes languages depending on the user's geolocation. It resolves to a Russian IP 141[.]8[.]193[.]14 hosting a number of other malicious lookalikes for Scotiabank, the Royal Bank of Canada, and Telus Mobility. These domains appear to be used for phishing. auth-scotiaonline-scotiabank-secure[.]com previously resolved to a page imitating the Scotiabank login page shown in the screenshot below.