InQuest is excited to announce that we are making the proprietary Threat Intelligence that fuels our platforms available as a standalone offering to the public.

There is little debate about Threat Intelligence (TI) sourcing and the value it brings to organizations. Infrastructure tracking tradecraft is a requisite layer of augmentation for rapid response in today's threat landscape. By tracking threat actors through multiple anchors on TTPs and IOCs (IPs, domains, SSL certs), we're able to maintain knowledge of active campaigns even as they evolve day-to-day. Read more within this Press Release that details some early warning indicators.

Contact Us to learn more about InQuest's Threat Intelligence!

InQuest Mail Provider Comparison
This month we tested 13,278 malicious file samples against Google and Microsoft's email defenses, and here's what made it through:

🏆 GSuite: 2,027 (15.2%) missed
O365 ATP + Phishing: 3,734 (28.1%) missed
InQuire for a free, personalized email security assessment!
Latest InQuest™ Blog Posts

Kimsuky Espionage Campaign

Posted on 2021-08-23 by Dmitry Melikov

A few days ago, we found an exciting JavaScript file masquerading as a PDF that, upon activation, will drop and display a PDF (to maintain the ruse) as well as drop an executable. The document is a lure themed on a Korean Foreign Ministry document and its newsletter.

Read more

The Trystero Project

Posted on 2021-08-25 by Josiah Smith

The "Trystero Project" is our code name for an experiment that we're actively conducting to measure the security efficacy of the two largest mail providers, Google (Workspace, aka GSuite) and Microsoft (O365), against real-world emerging malware.

Read more
InQuest™ Labs Research Spotlight

DRAKVUF

DRAKVUF is a virtualization based agentless black-box binary analysis system. DRAKVUF allows for in-depth execution tracing of arbitrary binaries, all without having to install any special software within the virtual machine used for analysis.

Read more

Cobalt Strike Configuration Extractor

Pure Python library and set of scripts to extract and parse configurations from Cobalt Strike Beacons. The library, libcsce, contains classes for building tools to work with Beacon configs. There are also two CLI scripts included that use the library to parse Beacon config data:

Read more

NetWire Log Decoder

Arsenal's NetWire Log Decoder carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire is a popular multi-platform remote access trojan (RAT) system

Read more
Global Security Events

Critical Vulnerability in Microsoft Azure Cosmos DB

ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure's flagship database, Cosmos DB. The vulnerability gives any Azure user full admin access (read, write, delete) to another customer's Cosmos DB instances without authorization.

Read more

The T-Mobile Breach Is Much Worse Than It Had to Be

In an email overnight, T-Mobile shared details about the data breach it confirmed Monday afternoon. They’re not great. Assorted data from more than 48 million people was compromised, and while that’s less than the 100 million that the hacker had initially advertised, the vast majority of those affected turn out not to be current T-Mobile customers at all.

Read more

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection

Researchers discovered a novel ransomware emerging on the heels of the discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique "intermittent encryption" method to evade detection, while also adopting tactics from previous ransomware gangs.

Read more
InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.
Copyright © InQuest™ 2021