October 15, 2019 | Ashley Graves

Security monitoring for managed cloud Kubernetes

Photo by chuttersnap on Unsplash Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. It has recently seen rapid adoption across enterprise environments. Many environments rely on managed Kubernetes services such as Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) to take advantage of the benefits of both…

October 9, 2019 | Amy Pace

What’s new in OTX

AT&T Alien Labs and the Open Threat Exchange (OTX) development team have been hard at work, continuing our development of the OTX platform. As some of you may have noticed, we’ve added some exciting new features and capabilities this last year to improve understanding within the OTX community of evolving and emerging threats. Malware analysis to…

Get the latest security news in your inbox.

Subscribe via Email

August 14, 2019 | Sankeerti Haniyur

Entity extraction for threat intelligence collection

Introduction This research project is part of my Master’s program at the University of San Francisco, where I collaborated with the AT&T Alien Labs team. I would like to share a new approach to automate the extraction of key details from cybersecurity documents. The goal is to extract entities such as country of origin, industry targeted,…

July 17, 2019 | Tom Hegel

Newly identified StrongPity operations

Summary Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples - we assess the campaign operated from the second half of 2018 into today (July 2019). This post details new malware and new infrastructure which is…

July 9, 2019 | Tawnya Lancaster

A peek into malware analysis tools

So, what is malware analysis and why should I care? With the commercialization of cybercrime, malware variations continue to increase at an alarming rate, and this is putting many a defender on their back foot. Malware analysis — the basis for understanding the inner workings and intentions of malicious programs — has grown into a complex mix of technologies in…

June 20, 2019 | Jaime Blasco

Hunting for Linux library injection with Osquery

When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly used, and there are plenty of resources on how to detect these activities. When it comes to Linux, this is less commonly seen in the wild. I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used…

May 24, 2019 | Jose Manuel Martin

Monitoring Box Security with USM Anywhere

Introduction We recently announced the release of the new AlienApp for Box in USM Anywhere, which uses the Box Events API to track and detect detailed activity on Box. This new addition to the AlienApps ecosystem provides an extra layer of security to cloud storage services that many enterprises are outsourcing to Box. Beyond monitoring and data collection,…

May 20, 2019 | Fernando Martinez

Adversary simulation with USM Anywhere

By Fernando Martinez and Javier Ruiz of AT&T Alien Labs. In our previous blog, we analyzed how it is possible to map malware threats using the MITRE ATT&CK™ framework. In this blog, we will test the USM Anywhere platform against red team techniques and adversary simulations. We performed this analysis as part of our continuous…

May 10, 2019 | Chris Doman

Sharepoint vulnerability exploited in the wild

The CVE-2019-0604 (Sharepoint) exploit and what you need to know AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…

May 2, 2019 | James Quinn

Reversing Gh0stRAT part 2: the DDOS-ening

This is a guest post James Quinn, a SOC analyst from Binary Defense. In Part 1 of the Reversing Gh0stRAT series, we talked about a partial Gh0stRAT variant which used an encryption algorithm to hide its traffic.  In part 2, we will be talking about a much more complete Gh0stRAT sample which allows a hacker to take total…

May 1, 2019 | Tawnya Lancaster

Who’s phishing in your cloud? And, some suggestions for detecting it

An example of how to detect platform or service attacks Oh, the places we go . . . with apps in the cloud.   A comprehensive, six-month study released by Proofpoint, in March reports that (oh, to our surprise), attackers are “leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute …

April 2, 2019 | Tom Hegel

Xwo - A Python-based bot scanner

Jaime Blasco and Chris Doman collaborated on this blog. Overview: Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families…

Watch a Demo ›
Get Price Free Trial