On November 12, 2024, a joint cybersecurity advisory was released by agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom. This advisory highlights the **top routinely exploited vulnerabilities of 2023**, offering insights into persistent threats and the measures organizations can take to protect themselves.

In 2022, Microsoft began blocking macros originating from the internet in Office, pushing both pentesters and threat actors to explore new methods for initial access. Fast forward to October 2024, and APT29 is leveraging one of those methods—Rogue RDP—discovered as a workaround back in 2022. In this video, we dive into a recent spearphishing campaign uncovered by the Ukrainian CERT, where attackers used Rogue RDP to gain initial access to targets. This video will provide you practical detection opportunities that can be used to hunt for this activity in your environment.

FIN7 is dead… right? In this week’s Threat SnapShot we breakdown a SentinelOne report on the group FIN7. We focus on detection strategies for their latest tools, covering three main tools: Powertrash (an obfuscated PowerShell script for payload loading), a batch script for persistence, and AU Kill (an antivirus neutralizer). For each tool, we explain its function and offer specific detection methods.

Our CTO, Fred Frey, met with Teddy Powers from Google Cloud Security at the Google Massachusetts Ave Office to discuss the topic: "Turning Novel Threats into Detections Easily with SnapAttack." Discover how SnapAttack can integrate with Mandiant's threat intelligence, security validation, and Google Chronicle to enhance detection and create actionable workflows for your organization.

Have you ever read a threat report and thought, “These tools could definitely be superhero names”? Well, you’re not alone! In this video, we dive into the recent APT41 campaign and explore the detection opportunities that arise from it. From tools like BlueBeam, AntSword, DustPan, and PineGrove, we break down how these were used in APT41’s latest operations and how you can detect them in your environment.

Discover how to detect the GrimResource attack, a novel code execution technique leveraging Microsoft Management Console (MMC) files. This threat snapshot video breaks down Elastic Security Labs' research on this stealthy initial access vector that evades common defenses. Key points covered: Learn practical steps to protect your systems against this emerging threat. *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*

You've probably heard of Microsoft's new Recall feature by now. It's a info stealer's dream come true. There has been a lot of information release about how this new feature is a security nightmare and how it works. But today we are going to dig in and discover how to actually detect abuse of this new feature.

Welcome to this week's episode of SnapAttack Threat Snapshot! In this video, we'll dive into CVE-2024-32002, a critical remote code execution (RCE) vulnerability in Git that leverages symlink handling in repositories with submodules. This vulnerability can be exploited through a simple git clone command, potentially allowing attackers to execute arbitrary code on the victim's machine. *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*

In this episode, we dive into CVE-2024-30051, a critical out-of-bounds write vulnerability in the Desktop Window Manager. This bug, similar to CVE-2023-36033, allows attackers to escalate privileges to SYSTEM by exploiting a heap overflow in dwmcore.dll. CVE-2024-30051 has been actively exploited to deploy malware like Qakbot, as identified by Kaspersky. This video covers the process of hunting down a sample, executing it in a sandbox environment, and creating effective detections using logs from the exploit’s activity.

Since 2021, ransomware groups have set their sights on VMware ESXi hypervisors, with the SEXi variant, emerging in 2024, being the most recent threat. The Babuk Locker was one of the first to target ESXi, and its leaked source code enabled other strains like ESXiArgs, BlackBasta, and Clop to develop customized variants terminating VMs and encrypting data on ESXi servers. While employing similar tactics like exploiting vulnerabilities and encrypting VM files, these ESXi-focused ransomware exhibit patterns that provide detection opportunities across the board. By analyzing past attacks, we can better prepare for future threats targeting our virtualization environments. Join the SnapAttack community to access in-depth detection content covered in this video and stay ahead of evolving ransomware targeting ESXi.