June 20, 2019 | Jaime Blasco

Hunting for Linux library injection with Osquery

When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly used, and there are plenty of resources on how to detect these activities. When it comes to Linux, this is less commonly seen in the wild. I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used…

May 24, 2019 | Jose Manuel Martin

Monitoring Box Security with USM Anywhere

Introduction We recently announced the release of the new AlienApp for Box in USM Anywhere, which uses the Box Events API to track and detect detailed activity on Box. This new addition to the AlienApps ecosystem provides an extra layer of security to cloud storage services that many enterprises are outsourcing to Box. Beyond monitoring and data collection,…

May 20, 2019 | Fernando Martinez

Adversary simulation with USM Anywhere

By Fernando Martinez and Javier Ruiz of AT&T Alien Labs. In our previous blog, we analyzed how it is possible to map malware threats using the MITRE ATT&CK™ framework. In this blog, we will test the USM Anywhere platform against red team techniques and adversary simulations. We performed this analysis as part of our continuous…

May 10, 2019 | Chris Doman

Sharepoint vulnerability exploited in the wild

The CVE-2019-0604 (Sharepoint) exploit and what you need to know AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…

May 2, 2019 | James Quinn

Reversing Gh0stRAT part 2: the DDOS-ening

This is a guest post by James Quinn, a SOC analyst from Binary Defense. In Part 1 of the Reversing Gh0stRAT series, we talked about a partial Gh0stRAT variant which used an encryption algorithm to hide its traffic. In part 2, we will be talking about a much more complete Gh0stRAT sample which allows a hacker to take total…

May 1, 2019 | Tawnya Lancaster

Who’s phishing in your cloud? And, some suggestions for detecting it

An example of how to detect platform or service attacks. Oh, the places we go... with apps in the cloud. A comprehensive, six-month study released by Proofpoint in March reports that (oh, to our surprise) attackers are “leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute …

April 2, 2019 | Tom Hegel

Xwo - A Python-based bot scanner

Jaime Blasco and Chris Doman collaborated on this blog. Overview: Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families…

March 25, 2019 | James Quinn

The odd case of a Gh0stRAT variant

This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants. As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving…

March 14, 2019 | Tom Hegel

Making it Rain - Cryptocurrency Mining Attacks in the Cloud

By Chris Doman and Tom Hegel Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of. One of the most widely observed objectives of attacking an organization'…

March 6, 2019 | Chris Doman

Internet of Termites

Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops. That means it can be used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible: Termite is a useful…

March 5, 2019 | Javier Ruiz

Troubleshooting TrickBot and RevengeRAT Malware with USM Anywhere

MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers’ behaviors and actions. We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX) now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques,…

February 22, 2019 | Tawnya Lancaster

A HIPAA Compliance Checklist for 2019

Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time,…