Featured Post

Series B: Scaling the Paradigm Shift

Raising money is often anti-climactic --- the fundraising process is done, and it’s right back to execution and growth. It’s important to occasionally sit back and reflect.

David Ratner

February 25, 2021

Featured Post

The SolarWinds Hack: Understanding The Adversary Infrastructure

The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybersecurity community continues to investigate the attack. HYAS has performed its own research, collected data from our unique sources, and wants to share insights that add to the industry’s understanding of this attack. This blog delves into the infrastructure used by SunBurst to compromise targets and points out another network monitoring solution that may have been compromised.

HYAS Intel Team

December 23, 2020

Featured Post

Latest Roaming Mantis Campaign Targets Banks in Japan and Turkey

Summary

Roaming Mantis is a Chinese-speaking threat actor group that has been active since at least 2017. The group primarily targets the customers of financial institutions with smishing attacks that deliver the FakeSpy (aka Moqhao) Android trojan, which is designed to steal its victims’ information. From October to November 2020, HYAS Intelligence Services observed a Roaming Mantis campaign targeting a Japanese and a Turkish bank that stole the banking credentials of their customers, which were then used in credential stuffing attacks on the banks’ websites.

HYAS analysis of the Roaming Mantis campaign revealed extensive abuse of Dynamic DNS (DDNS) services, with over 15,000 DNS domains used to host the campaign infrastructure from which the actors launched their attacks.

Threat Analysis Overview

Threat actors frequently abuse Dynamic DNS (DDNS) services and infrastructure for malicious purposes such as distributing malware, hosting command & control (C2) infrastructure, or running phishing campaigns. The low cost of DDNS services and the capability they give threat actors to quickly build, customize, and operationalize domains and C2 infrastructure for campaigns makes them an attractive option. In addition, DDNS services provide threat actors with a cover of anonymity, as no publicly available registration information is required compared to traditional domain registration. HYAS Intelligence Services regularly observes threat actor abuse of DDNS services in various campaigns to launch and carry out attacks. This threat report details how the Roaming Mantis threat actor group has targeted financial institutions in Japan and Turkey and provides suggested mitigation measures.

HYAS Intel Team

December 14, 2020

Blog

Series B: Scaling the Paradigm Shift
Blog

Raising money is often anti-climactic --- the fundraising process is done, and it’s right back to execution and growth. It’s imp...

David Ratner

February 25, 2021

Lazarus Group “Operation Dream Job”: Lessons in Attack Infrastructure
Blog

The Lazarus Group (aka Hidden Cobra, Labyrinth Chollima, Zinc, Guardians of Peace) is a threat actor group that has been attribu...

HYAS Intel Team

February 11, 2021

Inside Ryuk Crime (Crypto) Ledger & Asian Crypto Traders
Blog

The following article is co-authored by threat intelligence researchers from HYAS and Advanced Intelligence and cross-posted to ...

HYAS Intel Team

January 7, 2021

The SolarWinds Hack: Understanding The Adversary Infrastructure
Blog

The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybers...

HYAS Intel Team

December 23, 2020

Mapping Adversary Infrastructure: A Real-world (North Korean) Example
Blog

The news article “Hackers use fake media domains to trick North Korea researchers” by Nils Weisensee appeared in NKNews.org on D...

HYAS Intel Team

December 22, 2020

Simplifying Threat Investigations: New HYAS Insight Playbooks for Microsoft Azure Sentinel
Blog

The HYAS Insight Logic Apps connector for Microsoft Azure Sentinel was announced and generally available in October and is alrea...

HYAS

December 9, 2020

DNS: The High Fidelity but Underutilized Threat Signal
Blog

Malware in general, and ransomware in particular, is the scourge of enterprises today. You can look at the headlines around inci...

Todd Thiemann

December 1, 2020

Investigating Brand Infringement with HYAS Insight
Blog

HYAS Insight is a key tool for SOC and fraud teams for use cases like incident response and fraud investigation. Something that ...

Todd Thiemann

November 10, 2020

Turbocharging Threat Investigations: HYAS Insight Connector for Microsoft Azure Sentinel
Blog

Enterprises are embracing digital transformation to speed business during a pandemic, and that changes how they appear online to...

HYAS

October 28, 2020

DNS over HTTPS: Balancing Security and Privacy
Blog

DNS over HTTPS (DoH) is making news headlines again and causing some consternation in enterprise security circles. With Microsof...

Todd Thiemann

September 28, 2020

First West Credit Union Speeds Cyber Fraud Investigations with HYAS
Blog

Something I regularly get asked is, “How do enterprises use HYAS Insight to accelerate their investigations?” I spoke with a HYA...

Todd Thiemann

September 8, 2020

Accelerate Investigation & Attribution with Avalon and HYAS Insight
Blog

Investigating security incidents is seldom a straightforward process. Investigations are typically performed by disparate and di...

Todd Thiemann

August 27, 2020

Threat Reports

Lazarus Group “Operation Dream Job”: Lessons in Attack Infrastructure
Threat Reports

The Lazarus Group (aka Hidden Cobra, Labyrinth Chollima, Zinc, Guardians of Peace) is a threat actor group that has been attribu...

HYAS Intel Team

February 11, 2021

Inside Ryuk Crime (Crypto) Ledger & Asian Crypto Traders
Threat Reports

The following article is co-authored by threat intelligence researchers from HYAS and Advanced Intelligence and cross-posted to ...

HYAS Intel Team

January 7, 2021

The SolarWinds Hack: Understanding The Adversary Infrastructure
Threat Reports

The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybers...

HYAS Intel Team

December 23, 2020

Mapping Adversary Infrastructure: A Real-world (North Korean) Example
Threat Reports

The news article “Hackers use fake media domains to trick North Korea researchers” by Nils Weisensee appeared in NKNews.org on D...

HYAS Intel Team

December 22, 2020

Latest Roaming Mantis Campaign Targets Banks in Japan and Turkey
Threat Reports

Summary

Roaming Mantis is a Chinese-speaking threat actor group that has been active since at least 2017. The group primarily ta...

HYAS Intel Team

December 14, 2020

The “Silent Night” Zloader/Zbot
Threat Reports

ZeuS is probably the most famous banking Trojan ever released. Since its source code leaked, various new variants are making the...

HYAS Intel Team

May 21, 2020

Fraud-as-a-Service In The Time Of COVID-19
Threat Reports

Any catastrophe is an opportunity for cybercriminals, and coronavirus/COVID-19 is no exception. Given public concern about the p...

HYAS Intel Team

April 17, 2020

Magecart Group 4 – A link with Cobalt Group?
Threat Reports

Note: This blog post is a collaboration between the Malwarebytes and HYAS Threat Intelligence teams.

HYAS Intel Team

October 4, 2019

Hunting APT33 Campaign Infrastructure
Threat Reports

Geopolitical risk is just one of many considerations that global enterprises and institutions must factor into their businesses,...

HYAS Intel Team

September 20, 2019

CVE-2017-0199 Targeting Brazilian Users
Threat Reports

Recently we came across an interesting sample that warranted further investigation. The file in question was named “Reservar Gru...

HYAS Intel Team

September 10, 2019

New Advanced Phishing Kits Target Digital Platforms
Threat Reports

The difference between an obvious phish and a successful one is often the technical skill and attention to detail of the phish’s...

HYAS Intel Team

July 10, 2019

Exploring a Lokibot and Azorult Actor’s Infrastructure
Threat Reports

Investigating attacker infrastructure is the bread and butter of HYAS Comox. One of the routine tasks we need to do as investiga...

HYAS

June 15, 2019