Security Operations – Sophos News
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” 21 January 2025 at 05:30

Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

21 January 2025 at 05:30

Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.

A screenshot of Python code from an obfuscated copy of RPivot dropped by the STAC5143 attackers.

Figure 2:Sophos Central investigation screen of threat actor’s incoming activity captured by Microsoft Office 365 integration

Security Operations – Sophos News
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces 19 December 2024 at 09:11

Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces

Security Operations – Sophos News

By:gallagherseanm

19 December 2024 at 09:11

A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar

A screenshot of a Rockstar2FA "decoy" page, a fake auto dealer site.

Screen shots of the developer view of Chrome showing web requests sent from a Rockstar2FA phishing portal.

A pie chart showing the distribution of top-level domains the 10 most heavily used domain names were registered with. A third were .ru, a fifth were .com.

A bar chart showing the distribution of TLDs and number of URLs detected per month for Rockstar2FA. The number of .ru domains decreased significantly over time.

A screenshot of a failed connection error for a Rockstar decoy page.

A screenshot of an animated Office365 logo for Outlook used by Rockstar's phishing portal pages.

A screenshot of a Chrome developer view of a Rockstar pages.dev phishing portal failing to connect to a backend server.

Figure 9: the EnteraID log for a sign-in by the adversary-in-the-middle script on the phishing service’s back-end server.

Figure 10: the HTTP header data for a phishing page’s backend server communications on a separate host

Figure 11: A developer browser view of the phishing page protectivewearsupplies[.]doclawfederal[.]com/wQBPg/

Figure12: The document object model of a Rockstar2FA phishing page

Figure 13: The DOM of an older FlowerStorm phishing page (from June 2024)

Figure 14: The DOM of a newer FlowerStorm phishing page; the algorithm generating the title and function names uses a combination of two botanical-themed words

Figure 15: A chart plotting daily page detections for Rockstar2FA and FlowerStorm through the end of November 2024

Figure 16: The ten countries most targeted by attackers using FlowerStorm, based on Sophos detections

Figure 17: The ten business sectors most targeted by attackers using FlowerStorm

Security Operations – Sophos News
The Bite from Inside: The Sophos Active Adversary Report 12 December 2024 at 08:00

The Bite from Inside: The Sophos Active Adversary Report

Security Operations – Sophos News

By:Angela Gunn

12 December 2024 at 08:00

A sea change in available data fuels fresh insights from the first half of 2024

A bar chart showing an increase in LOLbins in the span between 2021 and the first half of 2024; the totals increased from just over 100 to nearly 190

A stacked bar chart showing the relationship between artifact and LOLbin counts between 2021 and the first half of 2024, as described in text

A bar chart showing the prevalence of the top 29 LOLbins noted in the first half of 2024, ranging from RDP at just under 90 percent to findstr.exe at 10 percent

A table showing the changes in prevalence of the top 29 1H24 LOLbins between 2023 and the first half of the year; all but five of the listed LOLbins increased in frequency of usage

A table showing RDP usage in attacks in 2022, 2023, and the first half of 2024

Five funnel-shaped charts showing the prevalence of ransomware attributions between 2020 and the first half of 2024; in this format they resemble different types of trees as described in text

A table showing the root causes of 1H24 cases for the entire report, for IR's portion of the data, and for MDR's portion of the data

A table showing changes in artifact prevalence in AAR cases from 2021 to the first half of 2024

A world map showing locations in which cases appearing in this report occurred

Security Operations – Sophos News
Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise 11 December 2024 at 09:55

Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise

Security Operations – Sophos News

By:rajansanhotra

11 December 2024 at 09:55

Results from the latest ATT&CK Evaluations for endpoint detection and response solutions.

MITRE ATT&CK Evaluation vendor performance

Sophos named a Gartner® Peer Insights™ Customers’ Choice for Managed Detection and Response (MDR) Services for the 2nd time

Security Operations – Sophos News

By:rajansanhotra

3 December 2024 at 09:53

Sophos is the only vendor named a Customers’ Choice across Endpoint Protection Platforms, Network Firewalls, and Managed Detection and Response

Security Operations – Sophos News
Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater” 20 November 2024 at 11:12

Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”

Security Operations – Sophos News

By:gallagherseanm

20 November 2024 at 11:12

Sophos MDR has observed a new campaign that uses targeted phishing to entice the target to download a legitimate remote machine management tool to dump credentials. We believe with moderate confidence that this activity, which we track as STAC 1171, is related to an Iranian threat actor commonly referred to as MuddyWater or TA450. The […]

Screenshot of download site used by STAC

A screen shot of activity associated with the adversary's Atera RMM tool.

Security Operations – Sophos News
Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats 31 October 2024 at 07:56

Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats

Security Operations – Sophos News

By:Ross McKerchar

31 October 2024 at 07:56

Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices

A graphic with an abriged timeline of Pacific Rim related activity. The full timeline is in text in the appendix linked from this report.

Threat Research – Sophos News
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” 21 January 2025 at 05:30

Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

Threat Research – Sophos News

By:gallagherseanm

21 January 2025 at 05:30

Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.