Quick Wins with Network Flow Analysis

While this article focuses on the use of Team Cymru’s Pure Signal™ platform — the Augury™ solution — readers will gain some great guidance on how to use flows in their analysis in general. The Augury dataset comprises network flow records that are downloadable as CSV. Compared to the direct utility of some other Augury...

Dissecting DDoS Attacks

Introduction. Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade online services. This blog post will explain, in extremely basic terms, a specific type of attack called a Reflection/Amplification DDoS Attack. This post is not intended to serve as a comprehensive technical guide, but merely a relatively non-technical overview for the novice....

Puzzle Me This: Context From Curiosity

One definition of 'proxy' is "a figure that can be used to represent the value of something in a calculation." Proxy servers are used for various purposes: some for hiding the true originating IP address with malicious intent, others for circumventing totalitarian government censorship. Regardless of the use of proxies, with Augury we make...

How the Iranian Cyber Security Agency Detects Emissary Panda Malware

Other threat intelligence groups have previously publicised that the Chinese-attributed threat group Emissary Panda (aka APT27, TG-3390, BRONZE UNION, Iron Tiger and LuckyMouse) has been targeting various sectors in the Middle East, including government organisations. On 15 December 2019, Iran's Minister of Communications and Information Technology, Mohammad Javad Azari-Jahromi, announced that Iranian authorities had detected foreign spying malware on their government servers which they attributed...

Detecting Cyber Recon Using Network Signals

Author: David Monnier. What's the value of a packet? How about three packets? In this post I'll show how you can identify potential reconnaissance being conducted on a network, including identifying the potential target, by taking specific note of one type of ICMP packet being produced by your border device. ICMP, or Internet Control Message...

Azorult – what we see using our own tools

The Value of Being Able to Perform Threat Analysis outside the Boundaries of Your Enterprise... Looking at Dmitry Bestuzhev’s piece about AZORult cryptominer spreading as a fake ProtonVPN installer[1], I took a glance in Augury at what we have for the malware hashes he provided, and many are still very low in terms of their detection...

Webmin Vulnerability and Port Scanning Activity

The Webmin website states, "Webmin is a web-based interface for system administration for Unix." Many hosting providers offer Webmin administration with their Virtual Private Servers. Recently, a presentation revealed backdoor code injected into the source for Webmin. According to a Hacker News story published August 20: "The story started when Turkish researcher Özkan Mustafa Akkuş...
