Blog

The Blueliv blog is home to the latest threat intelligence analysis, content from investigations, corporate news, information about our modular cyberthreat intelligence solutions, and more. Take some time to explore the archives and perspectives from our intelligence analysts and management team.

Our top reads

Over One Million Clubhouse User Records Leaked
This week it was reported that user data from over 1.3 million user records was leaked from the popular social media application Clubhouse, after being scraped from an SQL database and leaked online via a popular hacker forum. This is the latest in a series of successful social media...
FAST FLUX
Fast Flux is a technique that was seen for the first time in 2007 – and that is still used today – which allows attackers to resist dismantling, the ability to hide the true command and control servers, phishing sites, malware or clandestine markets, and take on possible countermeasures and...
Vulnerable Microsoft Exchange servers leave thousands of organizations compromised
This week it was reported that tens of thousands of organizations around the world were compromised using several Microsoft Exchange 0-days. Since then, attackers have been busy targeting the compromised organizations in what is now presumed to be a more devastating attack than 2020’s SolarWinds incident. In the days...
Attackers collaborate to exploit CVE-2021-21972 and CVE-2021-21973
Introduction: Last Tuesday, Feb. 23, 2021, VMware disclosed two vulnerabilities affecting vCenter Server and Cloud Foundation. Before the publication of the vulnerabilities, the company published a workaround to protect the servers that is meant to be a temporary solution until updates with the security patch can be deployed. This...
State of Underground Card Shops in 2021
(life after Joker’s Stash). Table of Contents: Introduction; Active credit card shops (FERum Shop, Brian’s Club, Thefreshstuffs); Missing Credit Card Shops (ValidCC, VaultMarket, Rescator); Conclusions. Introduction: On February 15, 2021, after nearly 6.5 years in business, the prolific card shop Joker’s Stash closed its doors. Those behind...
Combating COMB: 3.2 billion credentials leaked in breach compilation
2021 has barely begun and we have already witnessed what appears to be the biggest compilation of breached credentials in our lifetime. The Compilation of Many Breaches (COMB) was recently made available via an online forum, as broken by CyberNews, and contains over 3.2 billion credentials built up of...
Threat intelligence vs. future data breaches
Data breaches are increasingly common as organizations across the globe continue to wake up to the reality that it’s a question of when, not if, they will fall victim. In a 2020 report on cyber security breaches, the UK government revealed that nearly half (46%) of businesses experienced a...
Threat Context for the SolarWinds Incident
The story so far In December 2020 the widely used business software application Orion, a product of the popular IT management company SolarWinds, was reported to have been tainted with nation-state malware that affected versions 2019.4 through to 2020.2.1 of the application released between March and June 2020. This...
Everything we know about the security gaps that led to this week’s Parler hack
Parler, the far-right social media platform that has garnered headlines after being used by Trump supporters to organise the now-infamous march on the US Capitol building, was taken down earlier this week. This was due to a combined effort from Android and Apple, both of which removed the app...
SolarWinds aftermath continues with SolarLeaks
Earlier this week a website presumably owned by the actors behind the SolarWinds breach surfaced, claiming to be selling data obtained using the SolarWinds backdoor. The site, using the domain solarleaks.net, displays only a PGP signed message, in which the actors share links to download the stolen information, which...
Threat actors’ dangerous and rising interest in the global energy industry
The energy sector is no stranger to digital transformation. Like so many industries before it, energy is currently in the midst of significant digital growth, thanks to developments in artificial intelligence (AI), the Internet of Things (IoT), blockchain, and big data. The result is a global energy sector that’s...
Predicting the chief security concerns of 2021
End of year predictions, evaluations and recommendations are commonplace in our industry, though no one could predict this time last year just quite how 2020 would pan out, and the far-reaching ramifications it would have. The office as we once knew it is, for now, a thing of the...
Using Qiling Framework to Unpack TA505 packed samples
Table of Contents: Introduction; TA505 Packer; Qiling Framework; Proof of Concept; IOC; Conclusion; References. Introduction: Threat actors make use of packers when distributing their malware as they remain an effective way to evade detection and to make them more difficult to analyze. Manual analysis can defeat these...
RDPalooza: RDPs in the World of Cybercrime
Key Points: Remote Desktop Protocol (RDP) is a built-in part of the Windows toolkit popular for facilitating remote work. Cybercriminals take interest in compromising RDP endpoints as they provide direct access into a victim environment via a graphic interface. Internet-facing RDP endpoints – colloquially known among cybercriminals...
Blueliv Threat Exchange Network
November IOC highlights: Linux.Ngioweb botnet is updated to target IoT devices. Recently, a new variant of Ngioweb with new capabilities has been found targeting multiple CPU architectures. The Ngioweb bot malware is designed to implement a back-connect proxy on the victim’s machine. The attacker builds multiple bots into a proxy pool and...
Why SIEMs need threat intelligence to defeat Cyberthreats
Security professionals the world over crave compliance management and the ability to pull deep insights from their complex IT environments. This need was the catalyst for the initial adoption of security information and event management (SIEM), which, since its inception over a decade ago, has provided this and more,...
Threat intelligence vs. the rise in sophisticated ransomware
Ransomware, alongside COVID-19, has dominated the year’s headlines, positioning it as the most observed threat of 2020. Recorded ransomware attacks have multiplied dramatically since the beginning of 2020, accounting for a third of all recorded attacks in the past 12 months. Microsoft’s latest Digital Defense Report has taken a...
Blueliv Threat Exchange Network
October IOC highlights: XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability. Tech support browser lockers continue to be one of the most common web threats. There’s a slightly unusual campaign that has now been ongoing for several weeks. Threat actors are relying on Facebook to distribute...
How far does endpoint detection and response (EDR) take you to complete threat intelligence?
Lots of new cyber vendors are starting up all the time. Crunchbase’s list of top cybersecurity startups is 1,089 businesses long. What you find is that everyone is specialized in their own particular segment; their own slice of technology to remedy a specific cybersecurity need. Which brings us to...
BLUELIV AND NEUROSOFT ANNOUNCE STRATEGIC PARTNERSHIP FOR THREAT INTELLIGENCE SERVICES
Greece-based cyber vendor harnesses Blueliv threat intelligence for its suite of services. BARCELONA, Spain & ATHENS, Greece – Sept 21, 2020 – Blueliv, a leading provider of enterprise-class threat intelligence solutions, and Neurosoft, a Managed Security Services Provider (MSSP), today announced a wide-ranging strategic partnership that will allow...
Rooty Dolphin uses Mekotio to target bank clients in South America and Europe
Key Points: Rooty Dolphin is a threat actor who uses Mekotio to target banks; Mekotio is a banking trojan with Brazilian origins; Rooty Dolphin started targeting South America but moved to Europe some months ago. Introduction: Blueliv Labs has been tracking the activities of different threat actors performing campaigns in Latam and Europe....
The RECON Vulnerability (CVE-2020-6287) and its Threat Context
Key takeaways: CVE-2020-6287 is a vulnerability present in SAP NetWeaver software that hinges on a missing authentication check. Successful weaponization of this vulnerability would allow attackers to abuse internet-facing SAP systems in a way that enables them to gain control over critical business processes. Numerous threat actors would be...
Maximize SOAR investment returns with contextualized threat intelligence
Automation creates efficiency. Reducing the need for humans to complete repetitive tasks has been fundamental to the evolution of technology since the very beginning and remains a key part of current thinking around optimal cybersecurity operations. Likewise orchestration, another fundamental tenet of using software to drive business value. Orchestration...
How incident response teams and orchestration SOCs benefit from threat intelligence
The work of a security analyst is more frustrating than it should be when there is too much information and never enough time. Incident response (IR) teams can find themselves similarly hamstrung; primed to jump on and mitigate cyber emergencies but not always arriving fast enough or having the...
Calculating the ROI of Digital Risk Protection (DRP)
Businesses see huge value in their digital assets, and this is fuelling the need to manage associated risks – making digital risk protection (DRP) a significant corporate priority. DRP is a critical part of the cybersecurity toolset, and one that marks an important evolutionary step in the development of...
Threat intelligence in a post Covid-19 world. Where do we go from here?
Even before the start of 2020, industry watchers were predicting this would be a decade of digital disruption. Just 7 months in and another “D” has become prominent: “Dependency”. If the Covid pandemic has revealed anything then surely it is how the global economy, and society in general, relies...
Community Newsletter July 2020
Blueliv Threat Exchange Network: July IOC highlights. Connection discovered between Chinese hacker group APT15 and defense contractor: Cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an. Lookout’s report details...
Playing with GuLoader Anti-VM techniques
GuLoader is one of the most widely used loaders to distribute malware throughout 2020. Among the malware families distributed by GuLoader, we can find FormBook, AgentTesla and other commodity malware. Recent research by Check Point suggests that GuLoader code is almost identical to a loader named as...
Enhancing the value of threat intelligence via a mature, flexible API
The compelling business value of threat intelligence is best realised when it is used in the optimum way. And while there are many examples of repeatable good practice to adopt, by far the most advantageous approach is to apply threat intelligence to the precise needs of each organization. This...
What are AI and machine learning adding to threat intelligence – brains, brawn or both?
Too much information and not enough time. This, and the cost of labor, is why machines have been at the forefront of cyber defense for almost 50 years. It is also why new breakthroughs in software development, neural networks, machine learning and artificial intelligence (AI) are constantly harnessed by...
Threat actors target a vulnerable healthcare industry amid Coronavirus outbreak
As the outbreak of Covid-19 escalated earlier this month we observed that the global cybercrime community has capitalized on public fear. Initially targeting civilians through phishing campaigns in the guise of the World Health Organisation (WHO) and the US Centers for Disease Control and Prevention (CDC), as well as...
M00nD3v, HawkEye threat actor, sells malware after COVID-19 diagnosis
Key Points: The information-stealing malware dubbed M00nD3v Logger was recently auctioned off on Hack Forums, together with HawkEye Reborn. The threat actor – operating under the alias “M00nD3v” – states that they sold the malware in response to being diagnosed with COVID-19. M00nD3v was previously involved in sales...
Blueliv and King & Union announce strategic partnership for threat intelligence services
US-based cyber vendor harnesses Blueliv threat intelligence for its Avalon Cyber Analysis Platform and new suite of Culper Group services BARCELONA, Spain & ALEXANDRIA, Va. (US) – June 23, 2020 – Blueliv, a leading provider of enterprise-class threat intelligence solutions, and King & Union, creator of the Avalon Cyber...
Analysis of the Top10 Hacktivist Operations
Key Points: The most relevant hacktivist operations in the last 12 months were: #OpIceIsis, #OpChile, #OpChildSafety, #OpKillingBay and #OpBeast. The operation #OpGeorgeFloyd, born after George Floyd was killed by police in Minneapolis in May 2020, amassed 8535 tweets in just three weeks. Hacktivist attacks generally comprise DDoS attacks, publishing...
Protecting against business email compromise (BEC) means stopping stolen credentials at source
More than $26bn has been reported lost in business email compromise attacks in the last 4 years, according to the FBI’s IC3, though the true figure is undoubtedly far higher. Business email compromise attack techniques have also evolved significantly during that time, making them more difficult to identify using...
How to develop efficient and advanced triage and investigation capabilities
To mature beyond the foundational elements of their security operations, SOC teams are pursuing more advanced means of triaging (i.e. grading and prioritizing) threats and launching rich, effective investigations. This is made possible by harnessing threat intelligence to fill-in a clearer picture of their threat landscape, respond to better effect...
What is digital risk protection?
Digital risk protection (DRP) is – in common with many other forms of security – the proactive defense of business assets against the threats they face. What sets DRP apart is its relevance to the growing digital maturity of organizations across all sectors. The further that organizations progress to...
Why Threat Intelligence is Central to Effective Vulnerability Prioritization
Vulnerability management is a persistent feature of good cybersecurity practice; a routine hygiene to help proactively reduce organizational risk. But vulnerability management is also a somewhat blunt instrument when faced with a critical mass of threats, each evolving at a different pace and each with unique implications for individual...
Sounding the Pharma Alarma: An overview of the pharmaceutical threat landscape
The whole world is fighting the spread of COVID-19 and working to return to the lives we had before. Pharmaceutical and medical research teams in different countries are busy searching for a solution to win the battle against the virus. However, cybercriminals and threats don’t rest, even in an...
Escape from the Maze – Part 2
In the last article, we covered the obfuscation techniques used by one of the loaders used by the Maze ransomware. It is recommended to read it before you start with the Maze DLL. In this article we will analyze in detail the obfuscation techniques used by the Maze...
Escape from the Maze
Throughout this series of articles we will showcase some of the techniques used by the ransomware Maze to make its analysis more difficult. Additionally, a series of scripts will be provided to deobfuscate and better follow the execution flow. Usually the ransomware Maze is in DLL form, which is...
Why Digital Risk is more than a margin maker for cyber channel partners
The arrival of Digital Risk as a market category is capturing the attention of cyber channel partners who see an opportunity to deliver extra value to customers pursuing digital transformation goals. In this blog we examine the role of threat intelligence (TI) in the digital risk equation, and as...
Shifting Cybersecurity Mindsets – how MSSPs can become the enablers of their customers’ digital transformations
Spin it however you want, there is no getting away from the fact that most cybersecurity interventions limit the possibilities and innovation of IT. Just imagine a world with no cyber threats in its past, present or future – and how differently humankind might have harnessed technology without such anxieties...
Expanding MSSP service portfolios with threat intelligence
MSSPs are springing up everywhere; good news for enterprise customers because more providers means more choice, innovation and price competitiveness. But MSSPs that have grown used to providing a high value, premium service need to be cautious that their offerings don’t become commoditized. New entrants need to differentiate or...
Challenges for MSSPs wanting to take on threat intelligence
The market adoption of advanced threat intelligence capabilities is accelerating as managed security service providers (MSSP) partner up with threat intelligence vendors to enrich their existing service portfolios. MSSPs recognize the value that threat intelligence generates for their customers: reducing risk by adding context to threats so that they...
Five tips for safer remote work
As we have been touching on in other blogs, cybercriminals continue to cash in while the world worries about the threat to life and liberty from COVID-19. The factors playing in their favor include: Fear, uncertainty and the thirst for information making users more susceptible to interaction with malicious...
DARK COMMERCE: parallel economy provides easy on-ramp for would-be cybercriminals
The cybercriminal industry is evolving, with a growing shadow economy that trades goods and services in much the same way as the legitimate cybersecurity sector. Today we publish a new report and the first in a series analyzing this evolution – DARK COMMERCE: Exploring the cybercrime industry and its...
Business continuity during Coronavirus / COVID-19 outbreak
Blueliv is closely monitoring the rapidly changing developments related to the novel coronavirus, or COVID-19. As yet, we have little certainty around the long term impact that COVID-19 will have on our daily lives. However, it is important to communicate that Blueliv is prepared to handle the crisis in...
Cybercriminals taking advantage of the Coronavirus
In recent weeks, we have witnessed cybercriminals trying to cash in on global fears about the novel coronavirus. Analysts across various intelligence vendors have observed that cybercriminals are taking advantage of the outbreak. As many individuals search for the latest online information about COVID-19, a variety of TTPs have...
Eight ways to improve cyber-hygiene in the enterprise
Good hygiene keeps you safe and healthy, as well as others around you. It’s the same with cyber-hygiene – the sets of practices that organizations are increasingly adopting in a structured way to complement their technological layers of cyberdefense. We highlight cyber-hygiene in many of our publications – alongside...
Governance, risk and compliance: how does threat intelligence help?
The mark of a well-run business is its ability to control and align all its operations to support whatever goals it wants to achieve; steering clear of risk, maximizing opportunity and ensuring compliance with regulation and industry standards. This is a significant undertaking, particularly for large organizations, commonly managed...
Deploying the right threat intelligence at the right level
Threat intelligence has an influential role to play in organizations, but – like any technology-related solution – it must be applied in the right way to meet its full potential. This blog discusses how to maximize resources by deploying the right threat intelligence, at the right level, for your organization. There...
Brief analysis of CVE-2020-0601
Microsoft has recently released a patch for a severe vulnerability affecting Windows 10, and Windows Server 2016 and 2019, as predicted by Brian Krebs amongst others on Monday 13 January 2020. CVE-2020-0601: The flaw, assigned the CVE identifier CVE-2020-0601, involves one of the most basic components of the Windows API, CryptoAPI, which...
TOP 5 ATT&CK techniques used by Threat Actors tied to Iran
On the 3rd of January 2020, the Iranian Major General Qasem Soleimani was killed in a US drone strike ordered by President Donald Trump at Baghdad International Airport. Since then, popular demonstrations and military responses have been seen coming from Iran. It’s important to remember, however, that wars and...
Malware vs. Antivirus: the never-ending story (Part III)
In 2008, Eva Chen, Trend Micro’s CEO, declared: “In the antivirus business, we have been lying to customers for 20 years”. Seven years later, Brian Dye, Symantec SVP Information Security, stated, “Antivirus is dead”. Despite these declarations, antivirus remains a billion-dollar industry with millions of users, whether they are...