Centralization of EDR alerts, new detections and trackers… the novelties of November 2021

Nov 5, 2021

SEKOIA.IO aims to be as close as possible to the users of the platform, meeting their needs in a precise way, while taking into account their approach and user experience. In this dynamic, the platform continues to reinvent itself and evolve by regularly integrating new features while improving existing features. Discover in this article, all the news published in October 2021.

New Detection Rules

12 new detection rules added to the catalog!

These rules focus on the detection of the latest vulnerabilities, such as the Apache HTTP Server path traversal (CVE-2021-41773), as well as the most recent malware, such as:

– MirrorBlast, a malicious document campaign that has been linked to the cybercriminal group TA505.

– SquirrelWaffle, a loader seen as a possible successor to Emotet, which was known as the number one threat used to download other malware such as QakBot or Cobalt Strike.

New EDR rules

EDR rules have also been added to centralize and contextualize alerts from HarfangLab EDR in SEKOIA.IO XDR, as part of the Open XDR Platform.

HarfangLab is a publisher of EDR (Endpoint Detection and Response) software, a technology that anticipates and neutralizes modern and previously unknown cyberattacks on workstations and servers. Certified by ANSSI since 2020, HarfangLab counts among its clients large international companies operating in very sensitive sectors.

As a reminder, during the Cybersecurity Conference in Monaco last October, SEKOIA, HarfangLab, Pradeo, GLIMPS and Vade announced the creation of the Open XDR Platform. Its objective: to federate cybersecurity expertise within a unified solution, to simplify deployment and to strengthen the cyber defense of organizations.

Tracking Cyber Threats

7 new trackers

These trackers allow, among other functions, to monitor the Command & Control (C2) infrastructure of the following threats:

  • ManaTools

ManaTools is a tool for distributing malware and controlling it through a Command & Control (C2) panel. It has already been associated with several malware families, such as RevengeRAT, AZORult, LokiBot, FormBook and Agent Tesla.

  • FinFisher

FinFisher is spyware sold exclusively to governments and intelligence agencies and used in criminal investigations.

  • BazarLoader

BazarLoader is a widespread loader that gives attackers an initial foothold in the victim's environment. Access to systems compromised by BazarLoader is often resold to ransomware gangs.

  • TodayZoo

TodayZoo is a phishing kit used since December 2020 and newly documented by Microsoft.

Honeypots

We have enriched our Observables and Cyber Threat Intelligence base with intelligence collected from several honeypots exposing Apache HTTP Server instances vulnerable to CVE-2021-41773 and CVE-2021-42013.

In order to share our analysis of the modus operandi of the attackers exploiting these vulnerabilities, SEKOIA.IO analysts have produced and published a new FLINT on this topic!
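To make concrete what a detection rule for CVE-2021-41773 and its bypass CVE-2021-42013 looks like when run over the kind of web-server logs a honeypot produces, here is an added example. It is not SEKOIA.IO's rule nor the FLINT analysis; it is a stand-alone Python detector written for this article, and the Apache access-log lines it runs on are constructed, not honeypot data. It relies only on the publicly documented shape of the two bugs: in Apache 2.4.49 a ".." segment with a percent-encoded dot (".%2e/") escaped path normalization, and in 2.4.50 the incomplete fix was bypassed by also encoding the "%" (".%%32%65/"). The rule names, field names and the rce_attempt heuristic are the example's own assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (example data, not real honeypot logs).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1042 "-" "curl/7.68.0"
203.0.113.11 - - [05/Oct/2021:10:12:05 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 55 "-" "python-requests/2.25.1"
198.51.100.7 - - [07/Oct/2021:22:01:44 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Oct/2021:22:02:00 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.6 - - [07/Oct/2021:22:03:00 +0000] "GET /images/../css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Only the fields the detector needs are captured from each combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# CVE-2021-41773 (Apache 2.4.49): a ".." segment in which at least one dot is
# percent-encoded (".%2e", "%2e." or "%2e%2e") slipped past path normalization.
SINGLE_ENCODED_DOTDOT = re.compile(r'(?:\.%2e|%2e\.|%2e%2e)/', re.IGNORECASE)

# CVE-2021-42013 (Apache 2.4.50): the incomplete fix was bypassed by encoding the
# "%" itself, e.g. ".%%32%65" decodes to ".%2e" and then to "..".
DOUBLE_ENCODED_DOTDOT = re.compile(r'%%32%65|%%32e', re.IGNORECASE)


def decoded_target(path):
    """Decode the request path twice (as the double-encoding bypass is decoded) and
    collapse the traversal so the alert names the file the request actually reached."""
    path = path.split('?', 1)[0]
    return posixpath.normpath(unquote(unquote(path)))


def classify(path):
    """Return the matching rule name, or None for traffic the rules do not cover.
    A plain '../' is normalized away by Apache and is deliberately not flagged."""
    if DOUBLE_ENCODED_DOTDOT.search(path):
        return 'CVE-2021-42013'
    if SINGLE_ENCODED_DOTDOT.search(path):
        return 'CVE-2021-41773'
    return None


def detect(log_text):
    """Run both rules over access-log text and return one alert dict per hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m['path'])
        if rule is None:
            continue
        target = decoded_target(m['path'])
        alerts.append({
            'rule': rule,
            'src_ip': m['ip'],
            'method': m['method'],
            'target': target,
            # Heuristic (this example's assumption): with mod_cgi enabled, traversing
            # out of /cgi-bin/ to an interpreter under /bin/ is the file-read bug being
            # turned into command execution; the POST body carrying the command is not
            # in the access log.
            'rce_attempt': m['path'].startswith('/cgi-bin/') and target.startswith('/bin/'),
            # A 200 on a traversal request means the server actually served the file.
            'served': m['status'] == '200',
        })
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two regexes are deliberately narrow: they fire only on the encoded-dot variants that are the signature of these two CVEs, so ordinary `../` in a URL (which Apache normalizes safely) produces no alert. The decoded target is what a triage analyst wants in the alert, since it separates reads of `/etc/passwd` from attempts to reach `/bin/sh` through `cgi-bin`.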

Chat with our team!

Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cyber security project in your organization? Make an appointment and meet us!
