Blog Entries

30. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 30 – New Cyber Attacker Groups Detected

During the last week of April, our Attacker Centric SOC detected multiple new cyber attacker group websites in the Dark Web. Called Dedicated Leak Sites (DLS), they are widely used by ransomware gangs to publish stolen confidential data when the victim refuses to pay the ransom. Usually, after an attack is claimed, a small amount of…

Read More
26. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 26 – ArcaneDoor: A New Espionage Campaign

Cisco Talos identified a previously unknown state-sponsored actor behind ArcaneDoor, a sophisticated cyber espionage campaign targeting the perimeter network devices of several vendors. This actor is now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The initial attack vector is still unknown, but the attacker exploited two previously unknown vulnerabilities. An…

Read More
24. 04. 2024 Mirko Ioris SOCnews

SOC News | Apr 24 – Full AMMEGA Data Breach Published

Using our CTI SATAYO platform, we identified an artifact belonging to AMMEGA’s data breach. AMMEGA is a multinational manufacturing company based in the Netherlands with revenues of $1.2 billion. It was the victim of an attack carried out by the Cactus ransomware gang in early March. The ransomware operators exfiltrated 3 TB of data and…

Read More
28. 03. 2024 Mirko Ioris SOCnews

SOC News | Mar 28 – New Vulnerabilities Added to the KEV Catalog

On March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor and review it periodically, and prioritize their patching efforts based on it. I’ll provide a…

Read More
21. 03. 2024 Massimo Giaimo SOCnews

SOC News | Mar 21 – IABs and Bulk Sales

Much has already been said about Initial Access Brokers (IABs) so I will limit myself to a brief description and then delve into the main theme of this article. The theme of Initial Access Brokers was summarized fantastically in the Initial Access Broker Landscape project by Curated Intelligence, reported in this link, which I recommend…

Read More
15. 03. 2024 Luca Zeni Blue Team, SEC4U

SATAYO and SOC: in the New Midlands

This article explains how the Cyber Threat Intelligence platform SATAYO serves as a powerful resource to optimize processes and strengthen threat coverage within the Würth Phoenix Attacker Centric SOC. We will analyze the utilization of SATAYO’s internal resources for creating Detection Rules and managing SOC alerts. Additionally, we will examine how the logs in SIEM…

Read More
11. 03. 2024 Mirko Ioris SOCnews

SOC News | Mar 11 – JetBrains TeamCity Authentication Bypass Vulnerabilities

On March 4, 2024, JetBrains released TeamCity version 2023.11.4, which patches two authentication bypass vulnerabilities in the web component of TeamCity. These vulnerabilities were discovered in February by Rapid7’s vulnerability research team and allow a remote unauthenticated attacker to perform a complete compromise of a vulnerable TeamCity installation, including unauthenticated RCE (remote code execution). CVE…

Read More
20. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 20 – Lockbit Infrastructure Seizure

On 19 February, through an operation coordinated by the National Crime Agency (NCA), a large part of the infrastructure of the Lockbit ransomware gang was seized. The ransomware gang, active since 2019, is undoubtedly best known within the field of double extortion ransomware attacks, having published claims relating to 2,591 attacked organizations over the years….

Read More
09. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 07 – FortiOS Critical Vulnerabilities

On February 8, 2024, Fortinet disclosed 2 critical vulnerabilities which could allow remote code or command execution. The vulnerabilities are as follows: FortiOS – Format String Bug in fgfmd, with CVSS severity 9.8 The versions prone to this vulnerability are: Version Affected Solution FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above FortiOS 7.2…

Read More
03. 02. 2024 Massimo Giaimo SOCnews

SOC News | Feb 04 – AnyDesk Compromise

Starting February 1st, rumors regarding a possible compromise of AnyDesk began to circulate online. These rumors became more insistent as the contents of the January 29 Release Notes were noted. What initially appeared to be just normal maintenance activity on Anydesk’s infrastructure was later revealed to actually be a compromise. AnyDesk has in fact made…

Read More
25. 01. 2024 Massimo Giaimo SOCnews

SOC News | Jan 01 – Kasseika Ransomware Uses BYOVD in His TTP

Kasseika Threat Actor has joined the club of Threat Actors that currently use Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activities, such as encrypting files. Kasseika abuses the Martini driver, part of the TG Soft’s VirIT Agent System. By using BYOVD attacks, the malware gains privileges it…

Read More
04. 01. 2024 Mirko Ioris Blue Team, SEC4U

Hacker Group Activities and Cyber Security Concerns | Second Semester 2023

A Security Operation Center (SOC) is a service where the customer is an active participant. Establishing a good relationship with the customer is an important requirement for handling security incidents more efficiently. Our SOC analysts produce and deliver several reports, most of them on a monthly basis. They are usually presented to clients during a…

Read More
24. 12. 2023 Massimo Giaimo SOCnews

SMTP Smuggling – A Quick Summary

SEC Consult researchers showed that some software allows a bad actor to inject a specially crafted email message concealing a second message hidden inside the body of the original message. This passes into the inbound SMTP server, which interprets the text as a separate second message. The attack relies on incorrect handling of the <CR><LF>.<CR><LF> sequence of…

Read More
22. 12. 2023 Giacomo Giallombardo ctf-writeups, SEC4U

WP-CTF23 Write-up, OSINT Challenges

During WP-CTF 2023 hosted at Würth Phoenix headquarters, a fresh set of CTF challenges were unveiled. These challenges spanned various fields, including OSINT, Digital Forensics, and Blockchain investigations. In this article, I’m going to delve into the solutions for some challenges presented by the Würth-Phoenix security team. THE FIRST CHALLENGE The first challenge, titled “There…

Read More
20. 12. 2023 Massimo Giaimo Exposure Assessment, SEC4U

EPSS implementation in SATAYO

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild , as my colleague Beatrice Dall’Omo has already had the opportunity to talk about in this article. EPSS was developed by FIRST ( with the aim of assisting those responsible…

Read More