On December 9, 2021 it was widely announced that a zero-day vulnerability was identified and is already drawing the attention of cyber criminals. A lot has already been written across the internet about the most recent vulnerability in Java’s Log4j utility. We will do our best to keep this simple and to the point. If you develop your own applications using Java, you should be ... READ MORE
Forensics
Digital piracy through ransomware: A change in tides
Due to the tidal wave of ransomware attacks since 2018, the seas are changing, and the attackers are now becoming the attacked. A disparate group of entities have started to fight back against these modern-day pirates in an epic battle which will likely change how ransomware attacks are handled going forward. Years ago, digital pirates targeted healthcare and relatively ... READ MORE
Identifying Credit Card Skimmers Using Linux’s “strace” Command
RSM US LLP’s (RSM’s) digital forensics and incident response (DFIR) team recently worked a case where a client was informed that their website’s payment platform was suffering from an ongoing attack. Based on customer complaints and common point-of-purchase (CPP) notifications from issuing banks, the client feared that credit card information was being scraped from purchases ... READ MORE
Microsoft Exchange – CVE-2021-26855+
On March 2, 2021, Microsoft released several security updates to address at least seven critical vulnerabilities in supported versions of on-premise Microsoft Exchange Server. These vulnerabilities were observed being used in limited targeted attacks; however, due to the critical nature and publication of these vulnerabilities, Microsoft released guidance that all customers ... READ MORE
Investigating SolarWinds Impact
The recent disclosure of the SolarWinds Orion supply chain attack is just the latest widespread vulnerability that has targeted clients across the globe. This issue is still in the early stages of analysis by the cybersecurity community, and RSM is actively monitoring the situation and providing updated information on our War Room blog ... READ MORE
SolarWinds Orion Supply Chain Attack
On December 13, 2020, FireEye reported a major intrusion into several high-visibility targets stemming from malicious code inserted into SolarWinds Orion software update packages. An external nation-state-level threat actor compromised the network of the SolarWinds IT management software company, allowing them to insert their own code into legitimate digitally signed update ... READ MORE
FireEye Intrusion – Red Team Tools Stolen
There is a saying in the security community that it is not if an organization will suffer a cybersecurity event but when. Current events prove that this statement stands true even for sophisticated security firms such as FireEye. We are closely monitoring the situation and wanted to share our perspective at this point. I share the opinion of at least a few of my peers who ... READ MORE
Office 365—Magic Logs Uncovered
The Dark Ages According to the FBI’s 2019 IC3 report, the IC3 unit received 23,775 business email compromise (BEC) complaints with losses of over $1.7 billion (FBI IC3 Report[1]). We have found that, first and foremost, threat actors are trying to leverage compromised email accounts to perpetrate financial fraud. Though perhaps unintentional, a fraudster will likely access ... READ MORE
Using EDR as an Incident Response Tool
What is EDR? Endpoint detection and response (EDR) has been a buzzword in the world of cybersecurity for the last couple years, but what does that really mean? EDR tools are designed to continuously monitor systems for anomalous or malicious activity. A monitoring agent runs in the background, ideally on every endpoint in the environment, and the end user experiences little ... READ MORE
Manually upload EVTX log files to ELK with Winlogbeat and PowerShell
While the Elastic Stack (ELK) is typically used for live log monitoring, Winlogbeat can be modified to manually send cold logs, or old, inactive Windows Event Logs (EVTX) to ELK for analysis. This functionality allows an analyst to take EVTX files from images or data collected from potentially relevant systems and utilize the functionality of ELK for their ... READ MORE