Blog Entries

30. 08. 2024 Daniel Degasperi Blue Team, SEC4U

A concrete example of ES|QL and SOC detection rules

The purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detetion rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is a SQL-like query language developed by Elastic specifically for querying time series and event data stored…

Read More
05. 08. 2024 Simone Ragonesi Artificial Intelligence, Offensive Security, Red Team

Exploiting the Matrix: Offensive Techniques for Attacking AI Models

There’s no way around it: Artificial Intelligence is reshaping our world in profound ways, and it’s here to stay. In recent years we’ve entered a golden age for specialized hardware and algorithms suited to enhance machine learning models. These technologies are now bringing significant advances across various sectors, from finance to healthcare, from e-commerce to…

Read More
31. 07. 2024 Gianluca Piccolo ctf-writeups

CTF Exploit: Not A Democratic Election

Hello everyone, today I’d like to show you how we exploited the Not a democratic election challenge from HTB Business CTF 2024. This challenge is of type Blockchain and is based on Solidity Smart Contracts for Ethereum. Since the official exploit uses Foundry, and I couldn’t run Foundry on my workstation, I’d like to report…

Read More
31. 07. 2024 Mirko Ioris SEC4U, SOCnews

July 19 – The Day Cyber Security Almost Caused a Global IT Blackout

On Friday morning, July 19th, a major computer outage caused problems in Microsoft computers all over the world. There were delays and flight cancellations at several airports, and malfunctions in the computer systems of banks, shops, hospitals and the media. The IT blackout was caused by a faulty update released for Falcon Sensor, the EDR…

Read More
16. 07. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Automate Business Processes with APIs: python-gvm

Have you already read this blog post Adding soar features to the soc part 1 vulnerability management? If not, you have to! It explains the SOAR features leveraged by the Würth Phoenix SOC and how we implement our Vulnerability Management process.  In this article, I’ll take a step back, focusing on what happens before the…

Read More
30. 06. 2024 Mirko Ioris SOCnews

SOC News | June 30 – TeamViewer Victim of a Security Breach

TeamViewer, the popular remote access software developed by the company of the same name, discovered an irregularity in its internal IT environment on 26 June. They disclosed the potential breach in a statement the following day, stating that they had immediately begun an investigation to implement remediation measures. In an update on Friday 28th, TeamViewer…

Read More
07. 06. 2024 Luca Zeni Blue Team, SEC4U

Akira Ransomware: How to Make an Efficient Detection Rule

In this article, we’re going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real case, we’ll see the study and analysis carried out to create a rule to monitor…

Read More
24. 05. 2024 Daniel Degasperi Blue Team, SEC4U

How To Detect a Chromium Browser Stealer With Elastic

In this blog, I’ll propose and describe a solution for detecting potential infostealers targeting Chromium-based browsers, taking a cue from the research exposed by Google’s Chrome Security Team (Detecting browser data theft using Windows Event Logs). Obviously a solution using Elastic 🙂 ! What is an Infostealer (in a nutshell) ? In the realm of…

Read More
24. 05. 2024 Mirko Ioris SOCnews

SOC News | May 24 – Patch This Veeam Critical Vulnerability Now

On May 21, Veeam published details about four different vulnerabilities detected in their product Veeam Backup Enterprise Manager (VBEM). One of them is critical and allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. CVE Number CVSS Score EPSS Score CVE-2024-29849 9.8 (Critical) 0.04% (Low) CVE-2024-29850…

Read More
16. 05. 2024 Mirko Ioris SOCnews

SOC News | May 16 – Data stolen from SYNLAB published on the Dark Web

SYNLAB, European leader in medical diagnostic services, was the victim of a cyber attack last April. The compromised infrastructure is the one that runs Italians clinics only, other countries were not affected. In early May, ransomware group BlackBasta claimed responsibility for the attack, saying it had stolen 1.5TB of sensitive medical data from Italian citizens….

Read More
30. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 30 – New Cyber Attacker Groups Detected

During the last week of April, our Attacker Centric SOC detected multiple new cyber attacker group websites in the Dark Web. Called Dedicated Leak Sites (DLS), they are widely used by ransomware gangs to publish stolen confidential data when the victim refuses to pay the ransom. Usually, after an attack is claimed, a small amount of…

Read More
26. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 26 – ArcaneDoor: A New Espionage Campaign

Cisco Talos identified a previously unknown state-sponsored actor behind ArcaneDoor, a sophisticated cyber espionage campaign targeting the perimeter network devices of several vendors. This actor is now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The initial attack vector is still unknown, but the attacker exploited two previously unknown vulnerabilities. An…

Read More
24. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 24 – Full AMMEGA Data Breach Published

Using our CTI SATAYO platform, we identified an artifact belonging to AMMEGA’s data breach. AMMEGA is a multinational manufacturing company based in the Netherlands with revenues of $1.2 billion. It was the victim of an attack carried out by the Cactus ransomware gang in early March. The ransomware operators exfiltrated 3 TB of data and…

Read More
28. 03. 2024 Mirko Ioris SOCnews

SOC News | Mar 28 – New Vulnerabilities Added to the KEV Catalog

On March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor and review it periodically, and prioritize their patching efforts based on it. I’ll provide a…

Read More
21. 03. 2024 Massimo Giaimo SOCnews

SOC News | Mar 21 – IABs and Bulk Sales

Much has already been said about Initial Access Brokers (IABs) so I will limit myself to a brief description and then delve into the main theme of this article. The theme of Initial Access Brokers was summarized fantastically in the Initial Access Broker Landscape project by Curated Intelligence, reported in this link, which I recommend…

Read More

Archive