Blog Entries

21. 03. 2024 Massimo Giaimo SOCnews

SOC News | Mar 21 – IABs and Bulk Sales

Much has already been said about Initial Access Brokers (IABs) so I will limit myself to a brief description and then delve into the main theme of this article. The theme of Initial Access Brokers was summarized fantastically in the Initial Access Broker Landscape project by Curated Intelligence, reported in this link, which I recommend…

Read More
20. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 20 – Lockbit Infrastructure Seizure

On 19 February, through an operation coordinated by the National Crime Agency (NCA), a large part of the infrastructure of the Lockbit ransomware gang was seized. The ransomware gang, active since 2019, is undoubtedly best known within the field of double extortion ransomware attacks, having published claims relating to 2,591 attacked organizations over the years….

Read More
09. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 07 – FortiOS Critical Vulnerabilities

On February 8, 2024, Fortinet disclosed 2 critical vulnerabilities which could allow remote code or command execution. The vulnerabilities are as follows: FortiOS – Format String Bug in fgfmd, with CVSS severity 9.8 The versions prone to this vulnerability are: Version Affected Solution FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above FortiOS 7.2…

Read More
03. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 04 – AnyDesk Compromise

Starting February 1st, rumors regarding a possible compromise of AnyDesk began to circulate online. These rumors became more insistent as the contents of the January 29 Release Notes were noted. What initially appeared to be just normal maintenance activity on Anydesk’s infrastructure was later revealed to actually be a compromise. AnyDesk has in fact made…

Read More
25. 01. 2024 Massimo Giaimo SOCnews

SOC News | Jan 01 – Kasseika Ransomware Uses BYOVD in His TTP

Kasseika Threat Actor has joined the club of Threat Actors that currently use Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activities, such as encrypting files. Kasseika abuses the Martini driver, part of the TG Soft’s VirIT Agent System. By using BYOVD attacks, the malware gains privileges it…

Read More
24. 12. 2023 Massimo Giaimo SOCnews

SMTP Smuggling – A Quick Summary

SEC Consult researchers showed that some software allows a bad actor to inject a specially crafted email message concealing a second message hidden inside the body of the original message. This passes into the inbound SMTP server, which interprets the text as a separate second message. The attack relies on incorrect handling of the <CR><LF>.<CR><LF> sequence of…

Read More
20. 12. 2023 Massimo Giaimo Exposure Assessment, SEC4U

EPSS implementation in SATAYO

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild , as my colleague Beatrice Dall’Omo has already had the opportunity to talk about in this article. EPSS was developed by FIRST ( with the aim of assisting those responsible…

Read More
14. 12. 2023 Massimo Giaimo SEC4U

Enrichment of the Ransomfeed Project

There are community projects that, once implemented, become true points of reference. One of these is certainly the DRM – Dashboard Ransomware Monitor project. This project, founded by Dario Fadda in 2020, monitors ransomware groups through scraping activities, to store claims regarding victims within a permanent RSS feed. However not everyone knows that starting from…

Read More
28. 09. 2023 Massimo Giaimo Blue Team, SEC4U

Ransomware Negotiation: Dos and Don’ts!

Double extortion ransomware attacks have reached very high numerical values. One of the key elements, when suffering such an attack, concerns the negotiation that can be initiated (not always!) with the ransomware gang. The analysis, carried out by the SEC4U team, of hundreds of negotiations makes it possible to apply a scientific approach to this…

Read More
23. 06. 2023 Massimo Giaimo Blue Team, SEC4U

SOC vs. MDR: Understanding the Key Differences for Comprehensive Cybersecurity

Introduction In today’s increasingly complex cybersecurity landscape, it is crucial for organizations to adopt effective solutions to protect their data and digital assets from ever-evolving threats. Two commonly used services in this regard are SOC (Security Operations Center) and MDR (Managed Detection and Response). While both aim to ensure cybersecurity, there are important differences that…

Read More
11. 06. 2023 Massimo Giaimo SEC4U

HackInBo – talk “pompompurin & co. – stories of seizures!”

On Friday 9 June 2023 I had the opportunity to participate as a speaker at the HackInBo Business event, one of the most important conferences on cyber security in Italy. During the talk I presented, I talked about the history of RaidForum, BreachForum and ExposedForum and the Genesis and Solomon marketplaces, recounting the seizures actions…

Read More
01. 06. 2023 Massimo Giaimo Red Team

TIBER-EU: Enhancing Cybersecurity Resilience in the Financial Sector

As technology continues to advance at an unprecedented pace, the financial sector faces increasing risks and challenges in safeguarding sensitive data and ensuring the security of critical systems. In response to this evolving threat landscape, the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA) introduced a groundbreaking framework known as TIBER-EU…

Read More
07. 02. 2023 Massimo Giaimo Blue Team, SEC4U

Ransomware Attack ESXi Servers with (to confirm) CVE-2021-21974

These days the landscape of cybercriminal activities seems to have as the only protagonists the Threat Actors who are carrying out an attack on publicly exposed VMware ESXi infrastructures. The French National Computer Emergency Response Team (CERT) published a security advisory on the ESXiArgs ransomware on February 3, 2023. Other important information regarding the attack was published…

Read More
18. 01. 2023 Massimo Giaimo Blue Team, SEC4U

Interview with a Member of the GhostSec Group

The Initial Message The last few days have been quite hectic with regard to cyber security in the industrial systems sector. The frenzy of these days began on January 11 with this message that appeared on the Telegram channel ( of the GhostSec group: The message was accompanied by a couple of screenshots: So are…

Read More
21. 12. 2022 Massimo Giaimo Blue Team, SEC4U

Protected: Some Insight into the Differences between AV and EDR

There is no excerpt because this is a protected post.

Read More