Uptycs' threat research team has observed several instances of Linux malware where the attackers leverage the inbuilt commands and utilities for a wide range of malicious activities.
In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use Uptycs EDR detection capabilities to find if these have been used in your environment.
Earlier this week, Apple issued an update to macOS Big Sur, bringing it up to version 11.3. This update included a security fix for a vulnerability within the macOS Gatekeeper security system, which was given the ID “CVE 2021-30657”. This vulnerability was disclosed to Apple by expert macOS security researcher Cedric Owens (Twitter: @cedowens, GitHub: cedowens).
The results for the 2020 ATT&CK Evaluations for Enterprise, performed by MITRE Engenuity, are out, and we’re excited about our participation and our journey as we were evaluated against the best solutions in the world. Based on the feedback during the evaluation process alongside measurable outcomes, we are delighted with our performance during our initial evaluation [read our press release here]. Notably, in addition to surfacing key indicators of behavior, attacks, and compromise, Uptycs linked the lateral movement of the attackers as they moved from host to host throughout the entire attack campaign.
Research by Siddharth Sharma
Uptycs' threat research team recently detected several variants of the Linux-based botnet malware family, “Gafgyt”, via threat intelligence systems and our in-house osquery-based sandbox. Upon analysis, we identified several pieces of code, techniques and implementations in Gafgyt that are re-used from the infamous Mirai botnet.
- IcedID appears to be taking the place of Emotet, based on a significant influx of samples in our threat intelligence systems
- A majority of these IcedID samples are distributed via xlsm files attached to emails
- We’ve identified three ways these Excel 4 Macros are evading detection
Long-term cloud credentials are often (intentionally or accidentally) littered across source code, laptops/desktops, servers, cloud resources, etc. It’s easy for credentials to be copied across machines, creating sprawl that is at best difficult to manage and at worst an unnecessary increase in leakage risk. Furthermore, these types of credentials are only necessary when non-cloud infrastructure resources need to communicate with cloud resources, for example data center servers trying to use an AWS S3 bucket. Generally speaking, there is no good reason to have long-term credentials anywhere else; employees should instead use temporary credentials by authenticating with the SSO service.