18 Posts Tagged as research

ScarletCitizen: Defense Through Indirect Sharing

Earlier today, the Citizen Lab released a blog post outlining a technical shift in the tactics used by the Scarlet Mimic threat actor. Scarlet Mimic (SM) was first reported on by Palo Alto Networks in January, and the Citizen Lab report provides additional context on the actors, and their targets.

The researchers report that SM has repurposed parts of their malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like


Harnessing SSL Certificates Using Infrastructure Chaining

Infrastructure chaining leverages the relationships between highly-connected datasets to build out an investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity and substantiate assumptions during incident response. In this blog, we will focus on infrastructure chaining centered around SSL Certificates and how this data set complements traditional sources for infrastructure analysis.

Analysts can use certificate hashes and facets to conduct investigations and discover


Operation DustySky Notes

Earlier this morning, Eyal from Clearsky Cyber Security published a paper on "Operation DustySky", a set of targeted campaigns attributed back to the Gaza Cybergang. When working with Clearsky, we observed some interesting details and overlap that didn't quite fit in the paper, so we wanted to publish them here.

We found this IP address to be interesting due to the SSL certificate, mix of dynamic DNS and registered domains and


Save Time, Classify Your Queries

Ever find yourself coming across familiar-looking infrastructure, but can't remember where, why or when you saw it? More importantly, can you remember whether it was good, bad or just a figment of your imagination? Yeah, we've been there too, and that's one of the primary reasons PassiveTotal includes the ability for analysts to classify a domain or IP address within the platform.

When responding to incidents, client requests or what feels


Augment Your Analysis

Last week we announced the addition of a new, free data source inside of PassiveTotal: Open Source Intelligence (OSINT). The source has already paid dividends in saving us time and adding more context, but it wasn't until last night, when reviewing RSA's GlassRAT report, that it really sunk in how much this simple overlay could augment the analyst workflow.

Whenever we observe a new report or blog post with indicators, we make
