Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Linux Commands and Utilities Commonly Used by Attackers

Uptycs' threat research team has observed several instances of Linux malware in which the attackers leverage built-in commands and utilities for a wide range of malicious activities.
In this post, we take a look at the Linux commands and utilities commonly used by attackers and show how you can use Uptycs EDR detection capabilities to determine whether they have been used in your environment.

When Gatekeeper looks the other way: Alerting on the new macOS vulnerability [April 2021]

Earlier this week Apple issued an update to macOS Big Sur, bringing it to version 11.3. The update included a security fix for a vulnerability in the macOS Gatekeeper security mechanism, assigned the ID CVE-2021-30657. The vulnerability was disclosed to Apple by macOS security researcher Cedric Owens (Twitter: @cedowens, GitHub: cedowens).

Measurable Detection & Response: MITRE Engenuity’s ATT&CK Evaluations for Carbanak+FIN7

The results of the 2020 ATT&CK Evaluations for Enterprise, performed by MITRE Engenuity, are out, and we are excited about our participation and our journey as we were evaluated alongside the best solutions in the world. Based on the feedback we received during the evaluation process, together with the measurable outcomes, we are delighted with our performance in our initial evaluation (see our press release). Notably, in addition to surfacing key indicators of behavior, attack, and compromise, Uptycs linked the lateral movement of the attackers as they moved from host to host throughout the entire attack campaign.

Mirai code re-use in Gafgyt

Research by Siddharth Sharma

Uptycs' threat research team recently detected several variants of the Linux-based botnet malware family "Gafgyt" via threat intelligence systems and our in-house osquery-based sandbox. Upon analysis, we identified several pieces of code, techniques and implementations in Gafgyt that were re-used from the infamous Mirai botnet.

IcedID campaign spotted being spiced with Excel 4 Macros

Research by Ashwin Vamshi and Abhijit Mohanta

Quick-Look Summary:

  • IcedID appears to be taking the place of Emotet, based on a significant influx of samples in our threat intelligence systems
  • A majority of these IcedID samples are distributed via xlsm files attached to emails
  • We’ve identified three ways these Excel 4 Macros are evading detection

Where secrets lie: Reduce credential leakage risk by inventorying AWS access keys

Long-term cloud credentials are often (intentionally or accidentally) scattered across source code, laptops and desktops, servers, cloud resources, and so on. Credentials are easily copied from machine to machine, creating sprawl that is at best difficult to manage and at worst needlessly increases the risk of leakage. Furthermore, these credentials are only necessary when resources outside the cloud need to communicate with cloud resources; for example, data center servers that need to read from or write to an AWS S3 bucket. Generally speaking, there is no good reason to have long-term credentials anywhere else: employees should instead obtain temporary credentials by authenticating through the SSO service.
