Expertise

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations. This success is a problem for attackers, and malicious actors have worked to find new ways to evade EDR detection capabilities. As with all arms races, these approaches to evading detection are creative and effective. One of the primary methods utilized in modern attack frameworks, hands on keyboard operations and even malicious binaries revolves around memory manipulation.

Memory manipulation is nothing new; most readers will be familiar with process injection, thread hijacking, process hollowing and so on. That said, some recent tools/techniques are focused less on deployment and more on circumventing EDR telemetry acquisition techniques or alerting mechanisms. Elaborate hooking and exploitation of native functionality is now employed with impressive success rates.

WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.

The focus of this research is on prompt engineering and how changes in inputs affected the resulting synthetic text output of large language models.

The AWS S3 pre-sign URL functionality is pretty well documented. However, when combined with IAM role assumption, specifically with Service Roles, there are risks that present themselves that an average AWS admin might not be aware of.

WithSecure™  discovered multiple issues with how a brand named Megafeis handles account and smart padlock management. By combining these issues, it is possible for an attacker within bluetooth range of one of the affected models of Megafeis smartlocks to take over and open a targeted lock armed only with its MAC address.

WithSecure™ Intelligence has discovered thousands of videos advertising fraudulent web-based apps that pose as USDT (Tether) investment schemes. These videos, hosted on YouTube, promise returns that scale on the amount of currency invested. YouTube channels with significant numbers of subscribers and view counts post new videos of this type on a daily basis. Some of the participating channels are even YouTube verified accounts.