Blog

The Blueliv blog is home to the latest threat intelligence analysis, content from investigations, corporate news, information about our modular cyberthreat intelligence solutions, and more. Take some time to explore the archives and perspectives from our intelligence analysts and management team.

Threat actors target a vulnerable healthcare industry amid Coronavirus outbreak
As the outbreak of Covid-19 escalated earlier this month we observed that the global cybercrime community has capitalized on public fear. Initially targeting civilians through phishing campaigns in the guise of the World Health Organisation (WHO) and the US Centers for Disease Control and Prevention (CDC), as well as...
M00nD3v, HawkEye threat actor, sells malware after COVID-19 diagnosis
Key Points The information-stealing malware dubbed M00nD3v Logger was recently auctioned off on Hack Forums, together with HawkEye Reborn. The threat actor – operating under the alias “M00nD3v” – states that they sold the malware in response to being diagnosed with COVID-19. M00nD3v was previously involved in sales...
Blueliv and King & Union announce strategic partnership for threat intelligence services
US-based cyber vendor harnesses Blueliv threat intelligence for its Avalon Cyber Analysis Platform and new suite of Culper Group services BARCELONA, Spain & ALEXANDRIA, Va. (US) – June 23, 2020 – Blueliv, a leading provider of enterprise-class threat intelligence solutions, and King & Union, creator of the Avalon Cyber...
Analysis of the Top 10 Hacktivist Operations
Key Points The most relevant hacktivist operations in the last 12 months were: #OpIceIsis, #OpChile, #OpChildSafety, #OpKillingBay and #OpBeast. The operation #OpGeorgeFloyd, born after George Floyd was killed by police in Minneapolis in May 2020, amassed 8,535 tweets in just three weeks. Hacktivist attacks generally comprise DDoS attacks, publishing...
Protecting against business email compromise (BEC) means stopping stolen credentials at source
More than $26bn has been reported lost in business email compromise attacks in the last four years, according to the FBI’s IC3, though the true figure is undoubtedly far higher. Business email compromise attack techniques have also evolved significantly during that time, making them more difficult to identify using...
How to develop efficient and advanced triage and investigation capabilities
To mature beyond the foundational elements of their security operations, SOC teams are pursuing more advanced means of triaging (i.e. grading and prioritizing) threats and launching rich, effective investigations. This is made possible by harnessing threat intelligence to fill in a clearer picture of their threat landscape, respond to better effect...
What is digital risk protection?
Digital risk protection (DRP) is – in common with many other forms of security – the proactive defense of business assets against the threats they face. What sets DRP apart is its relevance to the growing digital maturity of organizations across all sectors. The further that organizations progress to...
Why Threat Intelligence is Central to Effective Vulnerability Prioritization
Vulnerability management is a persistent feature of good cybersecurity practice; a routine hygiene to help proactively reduce organizational risk. But vulnerability management is also a somewhat blunt instrument when faced with a critical mass of threats, each evolving at a different pace and each with unique implications for individual...
Sounding the Pharma Alarma: An overview of the pharmaceutical threat landscape
The whole world is fighting the spread of COVID-19 and working to return to the lives we had before. Pharmaceutical and medical research teams in different countries are busy searching for a solution to win the battle against the virus. However, cybercriminals and threats don’t rest, even in an...
Escape from the Maze – Part 2
In the last article we covered the obfuscation techniques used by one of the loaders of the Maze ransomware. It is recommended to read it before you start with the Maze DLL. In this article we will analyze in detail the obfuscation techniques used by the Maze...
Escape from the Maze
Throughout this series of articles we will showcase some of the techniques used by the Maze ransomware to make its analysis more difficult. Additionally, a series of scripts will be provided to deobfuscate and better follow the execution flow. Usually the Maze ransomware is in DLL form, which is...
Why Digital Risk is more than a margin maker for cyber channel partners
The arrival of Digital Risk as a market category is capturing the attention of cyber channel partners who see an opportunity to deliver extra value to customers pursuing digital transformation goals. In this blog we examine the role of threat intelligence (TI) in the digital risk equation, and as...
Shifting Cybersecurity Mindsets – how MSSPs can become the enablers of their customers’ digital transformations
Spin it however you want, there is no getting away from the fact that most cybersecurity interventions limit the possibilities and innovation of IT. Just imagine a world with no cyber threats in its past, present or future – and how differently humankind might have harnessed technology without such anxieties...
Expanding MSSP service portfolios with threat intelligence
MSSPs are springing up everywhere; good news for enterprise customers because more providers means more choice, innovation and price competitiveness. But MSSPs that have grown used to providing a high-value, premium service need to be cautious that their offerings don’t become commoditized. New entrants need to differentiate or...
Challenges for MSSPs wanting to take on threat intelligence
The market adoption of advanced threat intelligence capabilities is accelerating as managed security service providers (MSSP) partner up with threat intelligence vendors to enrich their existing service portfolios. MSSPs recognize the value that threat intelligence generates for their customers: reducing risk by adding context to threats so that they...
Five tips for safer remote work
As we have been touching on in other blogs, cybercriminals continue to cash in while the world worries about the threat to life and liberty from COVID-19. The factors playing in their favor include: Fear, uncertainty and the thirst for information making users more susceptible to interaction with malicious...
DARK COMMERCE: parallel economy provides easy on-ramp for would-be cybercriminals
The cybercriminal industry is evolving, with a growing shadow economy that trades goods and services in much the same way as the legitimate cybersecurity sector. Today we publish a new report and the first in a series analyzing this evolution – DARK COMMERCE: Exploring the cybercrime industry and its...
Business continuity during Coronavirus / COVID-19 outbreak
Blueliv is closely monitoring the rapidly changing developments related to the novel coronavirus, or COVID-19. As yet, we have little certainty around the long term impact that COVID-19 will have on our daily lives. However, it is important to communicate that Blueliv is prepared to handle the crisis in...
Cybercriminals taking advantage of the Coronavirus
In recent weeks, we have witnessed cybercriminals trying to cash in on global fears about the novel coronavirus. Analysts across various intelligence vendors have observed that cybercriminals are taking advantage of the outbreak. As many individuals search for the latest online information about COVID19, a variety of TTPs have...
Eight ways to improve cyber-hygiene in the enterprise
Good hygiene keeps you safe and healthy, as well as others around you. It’s the same with cyber-hygiene – the sets of practices that organizations are increasingly adopting in a structured way to complement their technological layers of cyberdefense. We highlight cyber-hygiene in many of our publications – alongside...
Governance, risk and compliance: how does threat intelligence help?
The mark of a well-run business is its ability to control and align all its operations to support whatever goals it wants to achieve; steering clear of risk, maximizing opportunity and ensuring compliance with regulation and industry standards. This is a significant undertaking, particularly for large organizations, commonly managed...
Deploying the right threat intelligence at the right level
Threat intelligence has an influential role to play in organizations, but – like any technology-related solution – it must be applied in the right way to meet its full potential. This blog discusses how to maximize resources by deploying the right threat intelligence, at the right level, for your organization. There...
Brief analysis of CVE-2020-0601
Microsoft has recently released a patch for a severe vulnerability affecting Windows 10, and Windows Server 2016 and 2019, as predicted by Brian Krebs amongst others on Monday 13 January 2020. The flaw, assigned the CVE identifier CVE-2020-0601, involves one of the most basic components of the Windows API, CryptoAPI, which...
TOP 5 ATT&CK techniques used by Threat Actors tied to Iran
On the 3rd of January 2020, the Iranian Major General Qasem Soleimani was killed in a US drone strike ordered by President Donald Trump at Baghdad International Airport. Since then, popular demonstrations and military responses have been seen coming from Iran. It’s important to remember, however, that wars and...
Malware vs. Antivirus: the never-ending story (Part III)
In 2008, Eva Chen, Trend Micro’s CEO, declared: “In the antivirus business, we have been lying to customers for 20 years”. Seven years later, Bryan Dye, Symantec SVP Information Security, stated: “Antivirus is dead”. Despite these declarations, antivirus remains a billion-dollar industry with millions of users, whether they are...
Malware vs. Antivirus: the never-ending story (Part II)
In 2008, Eva Chen, Trend Micro’s CEO, declared: “In the antivirus business, we have been lying to customers for 20 years”. Seven years later, Bryan Dye, Symantec SVP Information Security, stated: “Antivirus is dead”. Despite these declarations, antivirus remains a billion-dollar industry with millions of users, whether they are...
Malware vs. Antivirus: the never-ending story (Part I)
In 2008, Eva Chen, Trend Micro’s CEO, declared: “In the antivirus business, we have been lying to customers for 20 years”. Seven years later, Bryan Dye, Symantec SVP Information Security, stated: “Antivirus is dead”. Despite these declarations, antivirus remains a billion-dollar industry with millions of users, whether they are...
TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
[Figure: Countries targeted by TA505 using ServHelper] Introduction. ServHelper is a backdoor first spotted at the end of 2018 by Proofpoint and linked to TA505. This threat actor is known to have distributed Dridex and Locky in the past, in addition to FlawedAmmyy, FlawedGrace and Get2/SDBBot more recently, amongst others. This blog post will offer some analysis on developments relating to ServHelper, including detail...
Top security concerns for the Financial Services industry in 2020
Following on from the release of our whitepaper earlier this week, a survey has concluded that the Banking and Financial Services sector is struggling with a skills shortage along with the sheer volume of threats and alerts as it continues its ongoing battle against cybercrime. This is according to...
Follow the money: cyberthreat intelligence for Banking & Financial services
Banks and financial services handle some of the most valuable information to cybercriminals, from account and credit card data to sensitive PII (personally identifiable information). As such, these organizations remain at the forefront for risk as cybercriminals become increasingly sophisticated and malicious in their methods. A new generation of...
Breaches, Billions and Bitcoin – a look back on threats in 2019
2019 has been full of high-profile data breaches that have exposed credentials and personal data from millions of people and companies. And while many of these are ‘new releases’ that have stemmed from new cyberattacks, others are ‘compilations’ of records harvested over a far longer period and dumped onto...
Malware campaign targeting banks in Spain and Latin America
We have been tracking the footprint of an actor conducting a campaign targeting Latin American and Spanish users in recent months. The immediate objective of the campaign is the installation of a banking trojan on the users’ systems, with the goal of stealing sensitive financial information that can be...
What does good resilience look like?
Business leaders can learn a lot about cyberdefense by studying how a lioness protects her cubs. Like any mother, she puts up the stiffest defenses against all known forms of attack. But she will also take care to instill resilience in her offspring in case, inevitably, those defenses at...
Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis
On 4th November 2019 researchers and the media reported a massive ransomware attack against several Spanish companies. Some of this news was exaggerated, as it transpired that just two companies confirmed a security incident. However, each company was attacked by a different threat actor. This blog post will seek to clarify some details concerning the attack against Everis, which was different to...
Barcelona Cybersecurity Congress 2019: some key takeaways
Last week our home city hosted the Barcelona Cybersecurity Congress (#BCNCyberCon19), the second edition of an event focused on bringing together key cybersecurity players and industry professionals from around Europe. Our Head of Threat Intelligence, Jose Miguel Esparza, was invited to present at a roundtable on the final day,...
Roast the perfect blend of automation and human intelligence
For those who enjoy a good cup of coffee, many more would surely choose a barista-made brew than take their chances from a vending machine. Automation, so the argument goes, is not a panacea. This coffee analogy is often brought out in debates about the emergence of security automation...
Threat Exchange Network blog: October 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting IOCs...
Blueliv shortlisted for three Security Excellence Awards for 2019
We are pleased to announce that we have been named as finalists by Computing.co.uk in their Security Excellence Awards. This year we have made the shortlist in three categories: Security Vendor of the Year; Enterprise Security Award; Enterprise Threat Detection Award. This recognition builds on our success winning two...
Demystifying threat intelligence: Part II
Following from our previous blog post, we seek to clear up some of the confusion around what threat intelligence (TI) is and is not in today’s market landscape. Here are the second 5 of 10 points that today’s threat intelligence absolutely is not. Threat intelligence is NOT just an...
Demystifying threat intelligence: part I
As threat intelligence (TI) continues to evolve and mature, some outdated preconceptions remain. Much of this can be ascribed to the growing spectrum of TI suppliers offering different variations of the same basic concept; no wonder many customers are unsure. At one end, threat intelligence is pushing boundaries and...
Blueliv selected by EIT Digital as one of Europe’s best deep tech scaleups
Blueliv has been selected by EIT Digital, a leading European player in innovation and entrepreneurial education, as a finalist in its pan-European competition EIT Digital Challenge. The competition focuses on scaleups with deep tech products that leverage sophisticated, hard-to-reproduce digital technologies that fuel the digital transformation. A total of...
State of the market: Threat Intel in 2019
Lifting the veil The threat intelligence market is growing rapidly but there is still some haziness in organizations’ understanding of the segment. Many consider threat intelligence the answer to thwarting the increasingly complex and devastating cyberattacks that plague organizations and individuals, but few understand exactly what it means beyond...
The cost of doing business: cyberthreat intelligence for retail & e-commerce
The internet has changed the way that goods and services are bought and sold. The retail and e-commerce sector continues to undergo rapid transformation as consumer expectation increases. We demand high quality experiences, products and services, on desktop and on mobile. On the back end, analytic engines, third-party integrations...
Threat Exchange Network blog: August 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting...
Threat Exchange Network blog: July 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting...
An analysis of a spam distribution botnet: the inner workings of Onliner Spambot
Table of contents: Introduction; Modular Design; Worker Module; Onliner Custom XOR key generation algorithm; Checker SMTP Module; Mailer Module; Conclusion; IOCs. Introduction. Successful cybercrime campaigns make use of different elements working together to achieve their common goal. In the case of Onliner, the spambot appears to be...
EuskalHack
Last week, Blueliv was invited to participate in the fourth edition of EuskalHack in San Sebastián. Geared towards sharing information, the event hosted presentations focused on new discoveries, personal projects and tools from different disciplines in cybersecurity. These included both red team and blue team activities, both sharing information...
Evolution of Malware and Threat Actors
The world of malware and cybercrime has evolved a great deal in the last decade. The following blog post tracks this evolution, expanding on intelligence accessible through Threat Compass. The more we understand about the motivations and TTPs of threat actors, the stronger defenses we can build against cybercrime....
Old tricks still work
There are many well-known anti-VM / anti-sandbox tricks in targeted malware. However, most up-to-date sandboxes have fixed them, or they can be fixed easily by modifying the VM in which the malware sample will run. In this article we will examine a particular technique that exploits a design flaw...
Blueliv named a finalist in the GIT Security Awards 2020
Blueliv has been named a finalist in the GIT Security Awards 2020. Our flagship solution Threat Compass was nominated in Category A, “IT Security and Safety for Automation, Cyber Security”. An expert jury of representatives from numerous German trade associations (BHE, TÜV, VDMA, ZVEI), system integrators and end users put our modular Threat...
Threat Exchange Network blog: May 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting...
Data breach under GDPR: one year later
The European Union General Data Protection Regulation (GDPR) came into force on 25th May 2018. Just over a year later, European data protection regulators have reported nearly 90,000 data breach notifications so far, and notably these are only those which have been legally disclosed. Law firm DLA Piper recently suggested...
Shining a light on the darknet
A common visualization for the Internet is an iceberg. The indexed ‘surface’ web is less than 10% of the whole; the remaining 90% is non-indexed and known as the deep web. A small subset of the deep web includes hidden information and services: the dark web, or darknet. It’s...
Sweet Dream(s): An examination of instability in the darknet markets
These past few weeks in cyber underground news have seen the surprising hat-trick of the passage of the self-imposed deadline for the closure of the notorious Dream Market, the law enforcement seizure of Valhalla Market, and the law enforcement takedown and arrests of admins associated with the Wall Street Market. Many of the trends observed following...
Threat Exchange Network blog: April 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting...