Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Measurable Detection & Response: MITRE Engenuity’s ATT&CK Evaluations for Carbanak+FIN7

The results for the 2020 ATT&CK Evaluations for Enterprise, performed by MITRE Engenuity, are out, and we’re excited about our participation and our journey as we were evaluated against the best solutions in the world. Based on the feedback during the evaluation process alongside measurable outcomes, we are delighted with our performance during our initial evaluation [read our press release here]. Notably, in addition to surfacing key indicators of behavior, attacks, and compromise, Uptycs linked the lateral movement of the attackers as they moved from host to host throughout the entire attack campaign.

Recent trends in malicious document techniques, targets, and attacks

Research by Ashwin Vamshi and Abhijit Mohanta

The Uptycs threat research team is monitoring ongoing targeted attacks and trends. We’ve recently seen threat actors and APT groups frequently using two document-based techniques: template injection and the Equation Editor exploit. In this piece, we’ll cover these oft-used techniques and provide details on the APT groups applying them.

Sudo local privilege escalation (CVE-2021-3156) detection using osquery and Uptycs

Recently, Qualys discovered a heap-based buffer overflow vulnerability in the sudo utility. Sudo is a command-line utility that allows a user to run commands in the context of other users with proper authentication. The vulnerability lets any user escalate privileges to the root user. Qualys has shared technical details in their blog post, so in this post I’ll focus on how osquery and Uptycs can be used to detect the exploit and unpatched systems.

Revenge RAT targeting users in South America

The Uptycs threat research team recently came across multiple document samples that download Revenge RAT. The campaign currently seems to be active in Brazil. All of the malware samples we received have the same properties. One of the samples we received has the name “Rooming List Reservas para 3 Familias.docx” (SHA-256: 91611ac2268d9bf7b7cb2e71976c630f6b4bfdbb68774420bf01fd1493ed28c7). The document has only a few detections in VirusTotal.

Detecting the SolarWinds supply chain attack using osquery and Uptycs

On December 13, FireEye shared details on the SolarWinds supply chain attack, dubbed SUNBURST. The next day, Volexity shared additional information on the lateral movement and exfiltration activities of the attackers.

Uptycs EDR for Linux: Detection and visibility all the way through

Despite the fact that Linux server endpoints comprise 90% of cloud workloads and a majority of on-premises enterprise workloads, they don’t usually get as much attention as productivity endpoints. Most EDR solutions focus on end users and don’t meet the unique requirements for production Linux servers, such as the need for 100% uptime and low resource consumption.