ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.


Just Another Blue Teamer

Happy Friday everyone!

The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation (FBI) have released an advisory focusing on the ransomware threat. They provide us with some updates to the TTPs and Behaviors on the group's activity and what we can hunt for!

Behaviors (MITRE ATT&CK):
Initial Access - TA0001
Exploit Public-Facing Application - T1190 - the group exploited many CVEs to gain their initial foothold. They exploited Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Defense Evasion - TA0005
Impair Defenses: Disable or Modify Tools - T1562.001 - Ghost frequently runs a command to disable Windows Defender on network connected devices.

There are plenty of other technical and behavior artifacts in the report, so go check it out yourself! Enjoy and Happy Hunting!

#StopRansomware: Ghost (Cring) Ransomware
cisa.gov/news-events/cybersecu

Intel 471 Cyborg Security, Now Part of Intel 471

Cybersecurity and Infrastructure Security Agency (CISA)
#StopRansomware: Ghost (Cring) Ransomware | CISA
This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
hunter.cyborgsecurity.io/resea

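The two hunts above go together: a PowerShell encoded command is usually only interesting for what it decodes to, and a Defender-disabling command (T1562.001) is often delivered that way. The following Python is an added example written for this page; it is not code from either post, from the CISA advisory, or from the Intel 471 HUNTER package. It runs both checks over a handful of constructed process-creation events (Sysmon Event ID 1 / Security 4688-style fields), decodes any -EncodedCommand payload the way powershell.exe does (base64 over UTF-16LE), and re-applies the Defender check to the decoded script. The Defender-impairment pattern list is an assumed starting point, since the page does not state the exact command Ghost runs, and the T1059.001/T1027 labels for the encoded-command finding are the example's own choice, not something the advisory excerpt above assigns.

```python
"""Hunt for Defender impairment (T1562.001) and PowerShell encoded commands
over process-creation events. Added example; sample events are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -en, -enc, ...) plus the documented short alias -ec.
_ENC_ALIASES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:"
    + "|".join(sorted(_ENC_ALIASES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)"
)

# ASSUMED starting list of command shapes that disable or weaken Defender.
# The advisory says Ghost disables Defender but this page does not give the
# exact command; tune to what your own telemetry shows.
DEFENDER_IMPAIR = [
    (re.compile(r"(?i)Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b"),
     "Set-MpPreference -Disable* $true"),
    (re.compile(r"(?i)Add-MpPreference\b.*-Exclusion\w*"),
     "Add-MpPreference -Exclusion*"),
    (re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b"),
     "sc stop/config/delete WinDefend"),
    (re.compile(r"(?i)\breg(?:\.exe)?\s+add\b.*DisableAntiSpyware"),
     "reg add DisableAntiSpyware"),
    (re.compile(r"(?i)Uninstall-WindowsFeature\b.*Windows-Defender"),
     "Uninstall-WindowsFeature Windows-Defender"),
]


@dataclass
class Finding:
    host: str
    technique: str
    detail: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None.
    PowerShell expects base64-wrapped UTF-16LE; anything that does not
    decode cleanly as that is treated as a false positive (e.g. '-e Bypass')."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def check_defender_impairment(text: str) -> list:
    """Labels of every Defender-impairment pattern found in text."""
    return [label for pattern, label in DEFENDER_IMPAIR if pattern.search(text)]


def analyze_event(event: dict) -> list:
    """Apply both hunts to one process-creation event."""
    findings = []
    cmd = event["command_line"]
    for label in check_defender_impairment(cmd):
        findings.append(Finding(event["host"], "T1562.001", label, cmd))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(Finding(event["host"], "T1059.001/T1027",
                                f"encoded command -> {decoded!r}", cmd))
        # The decoded payload is what actually ran: check it as well.
        for label in check_defender_impairment(decoded):
            findings.append(Finding(event["host"], "T1562.001",
                                    f"{label} (inside encoded command)", cmd))
    return findings


def hunt(events: list) -> list:
    return [f for e in events for f in analyze_event(e)]


def _encode(script: str) -> str:
    """Build a -EncodedCommand argument the way an operator would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Users"},
    {"host": "ws02", "user": "CORP\\svc_backup", "image": PS,
     "command_line": "powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\\scripts\\backup.ps1"},
    {"host": "srv-ex01", "user": "NT AUTHORITY\\SYSTEM", "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + _encode("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"host": "srv-fs01", "user": "CORP\\admin", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c sc stop WinDefend"},
    {"host": "ws03", "user": "CORP\\jdoe", "image": PS,
     "command_line": "powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:9} {f.technique:16} {f.detail}")
```

On the sample set only srv-ex01 (two findings: the encoded command, and the Defender disable found inside it) and srv-fs01 (sc stop WinDefend) fire; the benign -ExecutionPolicy Bypass and Get-MpPreference invocations do not, because the flag regex requires the alias to be followed by a token that actually decodes as UTF-16LE and the Defender pattern requires the disabling value, not just the parameter name.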