The internet of 2024 is laden with cheap and simple tools that aid countless development tasks. With that abundance of free and accessible tooling comes a correspondingly large opportunity for abuse by bad actors. Over the past few months, fake/mock API services have risen in prominence within this problem space.

CERT-UA observed their use in state-sponsored APT campaigns connected to the ongoing Russia-Ukraine War, suggesting tradecraft that may have been in use long before it came to public attention. Since abuse of these services is likely to grow, responders need to be able to separate legitimate use from abuse when handling potential incidents.

Read more about the abuse of Mock APIs.

InQuest Email Attack Simulation

This month we harvested 552 samples from the wild capable of bypassing either Microsoft or Google. Of those, Microsoft missed 165 (30%) and Google missed 182 (33%). InQuest (MailTAC), for reference, missed only 30 (5%). The distribution of misses by file type is shown in the chart below (chart not reproduced here).

InQuest EAS includes samples sourced from 50+ industry-leading blogs. This month, we sourced 413 samples from these blogs for inclusion in attack simulation.

Want to validate the efficacy of your email security stack? InQuire here for a one-month free email attack simulation.
Lab's IOC Lead Time

Every month, we analyze how far our C2 (Command and Control) and TI (Threat Intelligence) indicators lead public blogs. Over the past 30 days, we examined a total of 41838 indicators. Our C2 indicators led public reporting in 1001 cases, and our Threat Intelligence and Dark Web (TIDB) indicators in 5920 cases, across 130 distinct sources. This corresponds to an average lead time of 773 days for these indicators, covering 16% of the observed IOCs.
InQuest Latest Blog Posts

100 Days of YARA 2024: Halfway Point

Posted on 2024-02-19 by Pedram Amini

We’re halfway through (yes, it’s already the 50th day of 2024) the third year of the “100 Days of YARA” challenge, represented on Twitter via the hashtag #100DaysOfYARA. If you’re not familiar with the effort, it was inspired by #100DaysOfCode and encourages participants to engage with YARA for the first 100 days of the year. The challenge involves contributing to the community in any way, shape, or form.

InQuest Labs Research Spotlight

Windows

Windows in a Docker container.


Dopamine

Rootless arm64e jailbreak for iOS 15.0 - 16.5.1 (arm64e) and iOS 15.0 - 16.6.1 (arm64).


AWSGoat

AWSGoat is a vulnerable-by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS.

Global Security Events

MalDocs in Word and Excel: A Persistent Cybersecurity Challenge

In the ever-evolving world of cybersecurity, new threats emerge daily. However, some old vulnerabilities, specifically in Microsoft Word and Excel, continue to pose significant risks. These include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802, which are still effectively used in cyberattacks despite not being zero-day vulnerabilities.


Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments

Over the past weeks, researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it.


Hackers Reportedly Steal 189GB Of Epic Games Data

Ransomware group Mogilevich claims that it hacked into Fortnite developer Epic Games last night and stole 189GB of data comprised of "emails, passwords, full names, payment information, source code," and more.

InQuest Insider - Your monthly resource for the latest in cyber security news, trends, tips, and tools. Subscribe here.
Copyright © InQuest 2024