Source: https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
HIVE0051’S LARGE SCALE MALICIOUS OPERATIONS ENABLED BY SYNCHRONIZED MULTI-CHANNEL DNS FLUXING

Threat Intelligence | October 30, 2023 | By Golo Mühr, Claire Zaboeva and Joe Fasulo | 12 min read

For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware.
As of October 2023, IBM X-Force has also observed a significant increase in Hive0051’s activity featuring the new multi-channel approach of rapidly rotating C2 infrastructure, facilitating at least 1,027 active infections across more than 327 unique malicious domains observed in a single 24-hour period. While Hive0051 has leveraged DNS fluxing to avoid detection since at least as early as December 2022, the automated, synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale points to a potential elevation in actor resources and capability devoted to ongoing operations. In addition, by deploying multiple consecutive stages of Hive0051’s exclusive Gamma variant malware, the actor is able to remap victims to separate sets of actor-controlled C2 fluxing clusters.

Based on X-Force observations, these Gamma variants have evolved over time from the initial VBS-based GammaLoad variant to include multiple obfuscation stages and several scripts designed to enumerate victims and spread malware via connected USB devices. Of note, the most recent iterations of the GammaLoad PowerShell variant moved to a fileless approach and store all malicious code dispersed in the registry. The same has been observed for the GammaSteel PowerShell variant used to exfiltrate files upon infection. X-Force assesses with high confidence that the evolution of rapid remapping of infrastructure to include multi-channel DNS fluxing, continuous malware development and the growing sophistication of malware and obfuscation is evidence of Hive0051’s increasingly elevated level of capability.

KEY FINDINGS

* For at least the last 12 months, Hive0051 has utilized a “multi-channel” fluxing approach to rapidly remap infrastructure to conduct operations and obfuscate activity.
* X-Force is tracking multiple infrastructure clusters with dedicated Telegram channels, DNS apex domains, and Telegraph sites.
* Hive0051 is able to graduate victims from one cluster to another by deploying multiple consecutive stages of Gamma variants.
* Based on X-Force observations, Hive0051 has continuously evolved its malware development, experimenting with new techniques, adding obfuscation and several scripts designed to enumerate victims and spread malware to connected USB devices.
* The recent PowerShell variant of the Gamma malware has switched to a fileless approach, storing all malicious code dispersed in the Windows registry. The same has been observed for the GammaSteel PowerShell variant used to exfiltrate files and credentials upon infection.
* It is highly likely that Hive0051 will continue to foster evolving methodologies to facilitate operations, potentially indicating increasingly elevated levels of capability.

ANALYSIS

WHAT IS MULTI-CHANNEL DNS FLUXING?

Standard DNS fluxing, or fast-fluxing, is a technique threat actors use to rapidly rotate infrastructure by regularly changing the IP address their C2 domain points to in public DNS records. Hive0051 has adopted the novel use of multiple channels to store DNS records as opposed to a traditional DNS record configuration. In this methodology, public Telegram channels and Telegraph sites are essentially used as DNS servers and are fluxed in synchrony together with the DNS records. This enables Hive0051 to fall back to secondary channels to resolve the currently active C2 server should the domain be blocked, because the same record is available via any of the other channels.

INFECTION CHAIN

The use of fast fluxing in place of definite subdomains to facilitate operations is a relatively new technique employed by Hive0051 to obfuscate activity and avoid threat detection. During the course of routine tracking of Hive0051 activity, X-Force uncovered new HTA files delivering Hive0051’s exclusive GammaLoad malware.
The machine-translated text of collected HTA filenames pointing to a wscript.exe executable appears in multiple Slavic languages and is crafted to look like legitimate legal or project notifications to manufacture a sense of urgency. Given past Hive0051 operations, the files were likely delivered via phishing campaigns; however, X-Force observed added functionality in the uncovered VBS and PS GammaLoad variants which enables spreading via USB drives, signaling the potential use of physical access via infected USB devices. Activation of the malicious links initiates the infection chain illustrated in the following diagram, which visualizes the various stages of a GammaLoad infection observed by X-Force.

Fig. 1: GammaLoad multi-stage infection graph

INFECTION VECTOR

GammaLoad infections can be traced back to a number of malicious .XHTML files. These contain obfuscated and Base64-encoded data, revealing a JavaScript dropper.

Fig. 2: .XHTML file containing space-separated Base64 data
Fig. 3: JavaScript dropper

The dropper contains a payload which is decoded and downloaded by the browser as a RAR file. It also loads a remotely hosted resource, displayed only as a single pixel, in order to track successful downloads. The resulting RAR archive contains a folder and an .HTA file (HTML Application), both using enticing names designed to trick victims into opening it:

Fig. 4: .HTA file with filename lure

Once opened, the .HTA file runs a short VBScript block to download and execute another remote .HTA file via the Windows binary mshta.exe.

Fig. 5: .HTA downloader

GAMMADROP: HTA VARIANT

The downloaded .HTA is the VBScript-based GammaLoad installer, which has been used consistently for several months as of October 2023. It drops the embedded GammaLoad payload as a text file to:

%APPDATA%\Microsoft\jealous

Note that the filename differs among samples.
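The .XHTML-to-JavaScript-to-RAR chain above can be unpacked statically, without opening the lure in a browser. The following Python script is an added example for this page (it is not the report's or the actor's code): it finds whitespace-broken Base64 runs like those in Fig. 2, decodes them, recognises the result by magic bytes or by JavaScript dropper tokens, and recurses into a dropper to recover the archive it would hand to the browser. The magic table, the dropper token list and the sample lure it builds are constructed assumptions; the embedded "archive" is only a RAR5 signature plus padding, not a real archive.

```python
import base64
import binascii
import re

# Magic numbers for container types worth recognising in a smuggled download.
# This table is an assumption for the example; extend it as needed.
MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
}

# Tokens that mark decoded text as a browser-side dropper (assumed indicator set).
JS_MARKERS = ("atob(", "Blob(", "createElement(", "URL.createObjectURL", ".download")

# A run of Base64 alphabet characters, possibly broken up by whitespace as in Fig. 2.
B64_RUN = re.compile(r"[A-Za-z0-9+/=\s]{32,}")


def identify(blob: bytes) -> str:
    """Name the payload by magic bytes, or 'javascript' if it reads like a dropper."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    text = blob.decode("utf-8", errors="ignore")
    if any(tok in text for tok in JS_MARKERS):
        return "javascript"
    return "unknown"


def decode_runs(text: str):
    """Yield the decoded bytes of every whitespace-broken Base64 run in the text."""
    for m in B64_RUN.finditer(text):
        compact = re.sub(r"\s+", "", m.group(0))
        if len(compact) < 16:
            continue
        compact += "=" * (-len(compact) % 4)
        try:
            yield base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue  # prose that happened to look like Base64


def triage(text: str, depth: int = 0, max_depth: int = 3):
    """Return [(depth, kind, size), ...] for each recognisable payload, recursing into droppers."""
    found = []
    for blob in decode_runs(text):
        kind = identify(blob)
        if kind == "unknown":
            continue
        found.append((depth, kind, len(blob)))
        if kind == "javascript" and depth < max_depth:
            found.extend(triage(blob.decode("utf-8", errors="ignore"), depth + 1, max_depth))
    return found


def build_sample() -> str:
    """Constructed lure: an XHTML page smuggling a JS dropper that carries a RAR5 blob.

    The archive is a signature plus padding only, not a real archive."""
    rar = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 40
    dropper = (
        "var b = atob('" + base64.b64encode(rar).decode() + "');\n"
        "var a = document.createElement('a');\n"
        "a.href = URL.createObjectURL(new Blob([b]));\n"
        "a.download = 'Notification.rar'; a.click();\n"
    )
    b64 = base64.b64encode(dropper.encode()).decode()
    spaced = " ".join(b64[i:i + 8] for i in range(0, len(b64), 8))  # space-separated chunks
    return "<html><body><p>Loading document...</p><div id='d'>" + spaced + "</div></body></html>"


if __name__ == "__main__":
    for depth, kind, size in triage(build_sample()):
        print("  " * depth + f"{kind} ({size} bytes)")
```

Run it against a saved .XHTML attachment by passing the file contents to `triage()`; a result that reaches a `rar`/`zip`/`pe` entry at depth 1 is the archive the victim would have been handed, and can be carved out for the .HTA stage without executing anything.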
The most recent variants also search for a specific process running on the host: QHActiveDefense.exe. This process is part of the 360 Total Security anti-virus software. If it is detected, the embedded GammaLoad payload is run using the command:

wscript.exe "%APPDATA%\Microsoft\jealous" //e:vbscript /log /bpt /cbl //b

without establishing persistence in the registry. If the installer does not detect the anti-virus process, it additionally writes the above command into a registry value at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMedia

The name of the registry value also varies between samples. Lastly, the installer attempts to open a document located at:

C:\Program Files (x86)\Microsoft Office\Office <version>\Document Microsoft Office.docx

This may intentionally throw an unobtrusive error.

GAMMALOAD: VBS VARIANT

One of the most commonly observed variants of GammaLoad is written in VBS. It runs its main function at regular intervals of approximately 90 seconds. During a run, it starts by resolving its C2 server. GammaLoad has several techniques to accomplish this, depending on the variant. All variants support resolving an IP via DNS. GammaLoad uses a unique mechanism for this, executing a WMI query:

select * from win32_pingstatus where address='<prefix><random_integer>.<apex_domain>'

This performs a ping against the constructed host name, which triggers the DNS lookup. Note that the query is issued by the WMI provider host (WmiPrvSE.exe) rather than by a ping.exe child of wscript.exe, which matters for process-tree based detections. The prefix used is often a hardcoded keyword found in VBScript, for example “FileExists” or “Asc”. It is then concatenated with a random integer between 1 and 100 that is generated at runtime. Each sample also contains a hardcoded apex domain, which is used to build the subdomain for the DNS query.
A few such example domains would be:

FileExists64.blakurin[.]ru
FileExists23.blakurin[.]ru
Asc16.acaenaso[.]ru
Asc88.acaenaso[.]ru

Secondary mechanisms to resolve C2 IPs include querying hardcoded Telegram channels or Telegraph websites.

Fig. 6: Telegram channel
Fig. 7: GammaLoad parsing C2 IP from Telegram
Fig. 8: Telegraph site displaying C2 IP and Telegram channel ID

The more recent variants resolve not only an IP address but also a corresponding Telegram channel ID. Both are written into text files and dropped to the %TEMP% directory or a folder within %APPDATA%.

Once GammaLoad retrieves an active C2 IP address, it goes on to craft multiple HTTP requests. The target URLs often contain multiple random integers at specific locations, as well as hardcoded paths. These differ between samples, as do the custom HTTP headers added to the requests. Below is a list of different attempted header variants incorporating hardcoded values:

Referer: <hardcoded URL, mostly unrelated>
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: <hardcoded word>
Content-Length: <hardcoded value>
User-Agent: <used for profiling>

Note that some of these headers are actually overwritten by the MSXML2.XMLHTTP object and cannot be set manually by the malware (such as Content-Length). The C2 side may use this to identify requests crafted by researchers, as it may non-matching hardcoded values such as Cookie. The User-Agent string follows a specific format. It usually contains a real user agent, followed by the C-drive serial number and the computer name environment variable. The information is likely used to register a victim with the C2 server and control further payloads.

User-Agent: mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/85.0.4183.121 safari/537.36 opr/71.0.3770.284::<computername>_<serial_number_hex>::/.<hardcoded word>/.
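A proxy or web-gateway log line carrying this User-Agent exposes the victim fingerprint in clear text, and the Content-Length remark above gives a way to tell emulated traffic from real beacons. The following Python code is an added example, not code from the report or from GammaLoad: it parses a raw request, extracts computer name, serial and hardcoded word from the User-Agent, checks for the hardcoded Accept-Language, and marks a request whose Content-Length disagrees with its body as hand-crafted. The sample requests, including host name, serial, path, word and IP address, are constructed.

```python
import re

# User-Agent layout described in the report:
#   <real UA>::<computername>_<C-drive serial, hex>::/.<hardcoded word>/.
UA_PATTERN = re.compile(
    r"^(?P<ua>.+?)::(?P<host>.+)_(?P<serial>[0-9A-Fa-f]{4,})::/\.(?P<word>[^/]+)/\.$"
)

# Accept-Language value the report lists as hardcoded in the samples.
HARDCODED_ACCEPT_LANGUAGE = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request (CRLF or LF) into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_beacon(raw: str) -> dict:
    """Classify one request and pull out the victim fingerprint carried in the User-Agent."""
    req = parse_request(raw)
    h = req["headers"]
    m = UA_PATTERN.match(h.get("user-agent", ""))
    if not m:
        return {"verdict": "not-gammaload"}
    result = {
        "verdict": "gammaload-beacon",
        "computername": m.group("host"),
        "serial": m.group("serial").lower(),
        "word": m.group("word"),
        "accept_language_hardcoded": h.get("accept-language") == HARDCODED_ACCEPT_LANGUAGE,
        "random_ints_in_path": re.findall(r"\d+", req["path"]),
    }
    # MSXML2.XMLHTTP replaces Content-Length with the real body size, so a header that
    # disagrees with the body cannot come from the malware itself: it is a hand-crafted
    # request (sandbox, emulator, researcher), which is what the operator side keys on.
    declared = h.get("content-length")
    actual = len(req["body"].encode())
    if declared is not None and declared.isdigit() and int(declared) != actual:
        result["verdict"] = "hand-crafted-emulation"
        result["content_length_mismatch"] = (int(declared), actual)
    return result


# Constructed samples: host name, serial, word and paths are made up; the IP is a
# documentation-range address.
UA = ("mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) "
      "chrome/85.0.4183.121 safari/537.36 opr/71.0.3770.284::DESKTOP-7F2A_1a2b3c4d::/.clause/.")

BEACON = (
    "POST /img/37/index.php?id=84 HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    f"User-Agent: {UA}\r\n"
    "Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4\r\n"
    "Referer: https://example.com/\r\n"
    "Cookie: session\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
    "a=b&c=d"
)

# Same request, but with a hardcoded Content-Length that a real MSXML2 send() would have replaced.
EMULATED = BEACON.replace("Content-Length: 7", "Content-Length: 256")

if __name__ == "__main__":
    for sample in (BEACON, EMULATED):
        print(classify_beacon(sample))
```

The `::` delimited User-Agent is the part worth a content rule on the proxy, because it survives the per-sample changes to paths, Referer and Cookie; the serial and computer name it yields identify the host to triage even when the source IP is a NAT pool.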
As a response, GammaLoad expects two types of payloads. If the response is between 5 and 20 characters long, it treats it as a new Telegram ID and updates the corresponding file. Any longer response is deobfuscated, Base64-decoded and executed as VBScript in memory.

GAMMADROP: VBS VARIANT

One of the GammaLoad payloads X-Force observed is a more sophisticated variant of GammaDrop. It consists of a large VBScript file with multiple encoded and hardcoded payloads. Each of the components accomplishes a different task, by either deobfuscating others, establishing persistence, or being the next payload. This variant of GammaDrop creates a new scheduled task after dropping its payload. The payload is another variant of GammaLoad. Of note, GammaDrop already writes the two text files GammaLoad needs, containing a hardcoded IP address and Telegram chat ID. By deploying another variant of GammaLoad on an already infected host, the threat actor is able to sort victims and transfer them to a new C2 cluster.

USB SPREADER

GammaLoad also has the capability to spread via USB drives. It does this by copying itself recursively into subfolders of connected USB drives. In order to lure victims into executing it, GammaLoad uses enticing filenames for Windows shortcut files pointing to wscript.exe with a hidden payload.

Fig. 9: Deobfuscated GammaLoad USB spreader

The USB drives’ subfolders are recursively infected up to a depth of 3.

GAMMALOAD: FILELESS PS VARIANT

In addition to the VBScript-based variants, there is also a PowerShell version. Most of its functionality, such as the USB spreading, C2 resolving and communication, works very similarly. One observed advantage of the PowerShell version is the storing of all necessary code in the registry, making it almost completely fileless:

Fig. 10: GammaLoad code stored in the registry
In order to run, this variant dynamically loads and stores PowerShell code under the registry path:

HKCU:\System\

The following diagram illustrates how the different PowerShell execution blocks are used:

Fig. 11: GammaLoad PowerShell registry execution

Most of the code is executed as a PowerShell job after being loaded from the registry. Before copying to the USB drive, GammaLoad merges all of the codebase back into a single PowerShell template, which also writes the initial registry persistence key and populates the registry again for the next victim. Just like the VBS variant, it chooses from a list of potentially luring filenames to create malicious shortcut files:

Fig. 12: GammaLoad preparing shortcut file

The PowerShell variant of GammaLoad also uses a different prefix for resolving its C2 address and is likely operated by a separate cluster of C2 servers.

C2 INFRASTRUCTURE

GammaLoad uses several different mechanisms to resolve its C2 server’s IP address. To avoid detection and takedown, the C2 infrastructure also makes use of a technique known as fast-fluxing. Every GammaLoad sample contains (or receives) a hardcoded apex domain, as well as a Telegram channel ID. In some cases there is an additional Telegraph URL, which is used as well. The apex domain is set up with a wildcard DNS record, causing all subdomains to resolve. Since GammaLoad chooses random subdomains of a specific pattern, the DNS queries are always for a different subdomain, so detection has to key on the apex domain or the subdomain pattern rather than on exact FQDNs. The C2 infrastructure consists of a large cluster of IP addresses. A GammaLoad sample’s apex domain rotates through these IP addresses by having its DNS records changed frequently. Currently the IP addresses are updated between one and three times a day. Below is a table outlining the scale of one campaign. A large quantity of actor-controlled domain names resolves to one active C2 IP address.

Fig. 13: Passive DNS results for GammaLoad (VBS) C2
The subdomains contain a specific keyword, which is hardcoded in each sample. For instance, a single day of activity in late September 2023 and a single C2 server hosted more than 120 unique apex domains found in passive DNS data. Using the hardcoded prefixes, X-Force was able to estimate a lower bound of infected victims within that 24-hour period, adding up to at least 247 infections. It is virtually certain the actual number of infections is higher, as these calculations are based solely on directly observed unique keyword+apex pairs and DNS requests, whose visibility is limited by the scope of available DNS telemetry. However, the number of infections may also be inflated by “intentional” infections caused by researchers executing payloads within sandbox environments.

Over the course of X-Force monitoring, Hive0051 has demonstrated a notable increase in volume of attacks. In late October 2023, a single C2 server hosted a minimum of 1,027 active GammaLoad VBS infections spanning 327 unique domains in a single 24-hour period. For comparison, GammaLoad’s PowerShell variant uses a different prefix for its apex domains, consisting only of a random integer, in order to avoid generating duplicate subdomains:

Fig. 14: Passive DNS results for GammaLoad (PS) C2

By looking at the domain history of some of these domains, we can pivot to find further IP addresses used for C2 communication:

Fig. 15: Domain history for apex domain antarcticos[.]ru
Fig. 16: Domain history for apex domain garibdo[.]ru

Both domains show the same pool of rotated IP addresses in their historic DNS records, with only a few exceptions. This is an indicator that both domains are used by the same campaign and GammaLoad variant. Of note, GammaLoad fluxes its DNS records in sync with its multi-channel infrastructure, such as Telegram and Telegraph.
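Both the subdomain pattern introduced under the VBS variant and the passive DNS analysis in this section can be reproduced over your own DNS telemetry. The following Python code is an added example (not X-Force's tooling) over a constructed set of passive DNS records: it classifies query names into the VBS pattern (keyword + 1..100 + apex) and the PS pattern (integer + apex), derives the lower-bound infection count from distinct keyword+apex pairs as the report does, lists which apex domains resolve to each C2 IP (the Fig. 13 view), and clusters apex domains whose historical IP pools overlap, which is the pivot made above with antarcticos[.]ru and garibdo[.]ru. Timestamps, IP addresses and the "Len"/"Mid" keywords are made up; the apex names are the ones the report lists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# VBS variant: <VBScript keyword><1..100>.<apex>   e.g. FileExists64.blakurin.ru
# PS variant:  <1..100>.<apex>                      e.g. 41.antarcticos.ru
VBS_SUB = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<n>\d{1,3})\.(?P<apex>[A-Za-z0-9-]+\.[A-Za-z]+)$")
PS_SUB = re.compile(r"^(?P<n>\d{1,3})\.(?P<apex>[A-Za-z0-9-]+\.[A-Za-z]+)$")


def classify_qname(qname: str):
    """Return ('vbs'|'ps', prefix, apex) for a GammaLoad-style query name, else None."""
    q = qname.rstrip(".")
    m = VBS_SUB.match(q)
    if m and 1 <= int(m["n"]) <= 100:
        return "vbs", m["prefix"], m["apex"].lower()
    m = PS_SUB.match(q)
    if m and 1 <= int(m["n"]) <= 100:
        return "ps", "", m["apex"].lower()
    return None


def infection_lower_bound(records, start: datetime, end: datetime) -> int:
    """Distinct (keyword, apex) pairs in [start, end): the report's lower bound on
    VBS-variant infections, since the keyword is hardcoded per sample."""
    pairs = set()
    for ts, qname, _ in records:
        if start <= ts < end:
            c = classify_qname(qname)
            if c and c[0] == "vbs":
                pairs.add((c[1], c[2]))
    return len(pairs)


def apexes_per_ip(records):
    """IP -> set of apex domains that resolved to it (the Fig. 13 view of one C2 node)."""
    out = defaultdict(set)
    for _, qname, rdata in records:
        c = classify_qname(qname)
        if c:
            out[rdata].add(c[2])
    return dict(out)


def ip_history(records):
    """apex -> set of IPs seen in its resolution history (the Fig. 15/16 pivot)."""
    hist = defaultdict(set)
    for _, qname, rdata in records:
        c = classify_qname(qname)
        if c:
            hist[c[2]].add(rdata)
    return dict(hist)


def cluster_apexes(hist, threshold: float = 0.5):
    """Group apex domains whose historical IP pools overlap (Jaccard >= threshold)."""
    parent = {a: a for a in hist}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for a, b in combinations(hist, 2):
        inter, union = len(hist[a] & hist[b]), len(hist[a] | hist[b])
        if union and inter / union >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for a in hist:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values())


# Constructed passive DNS records (timestamp, qname, rdata). Apex names are the ones the
# report lists; IPs are documentation-range addresses and the timestamps are invented.
T0 = datetime(2023, 9, 28)
FIRST_DAY_END = T0 + timedelta(days=1)
RECORDS = [
    (T0 + timedelta(hours=1), "FileExists64.blakurin.ru", "192.0.2.10"),
    (T0 + timedelta(hours=2), "FileExists23.blakurin.ru", "192.0.2.10"),  # same sample, later run
    (T0 + timedelta(hours=3), "Asc16.acaenaso.ru", "192.0.2.10"),
    (T0 + timedelta(hours=4), "Asc88.acaenaso.ru", "192.0.2.11"),
    (T0 + timedelta(hours=5), "Len7.blakurin.ru", "192.0.2.11"),          # "Len": assumed keyword
    (T0 + timedelta(hours=6), "41.antarcticos.ru", "198.51.100.5"),
    (T0 + timedelta(hours=7), "77.garibdo.ru", "198.51.100.5"),
    (T0 + timedelta(hours=8), "12.antarcticos.ru", "198.51.100.6"),
    (T0 + timedelta(hours=9), "3.garibdo.ru", "198.51.100.6"),
    (T0 + timedelta(hours=10), "www.example.com", "203.0.113.1"),         # benign, not matched
    (T0 + timedelta(days=2), "Mid5.acaenaso.ru", "192.0.2.12"),            # outside the window
]

if __name__ == "__main__":
    print("VBS infections, lower bound, first 24h:", infection_lower_bound(RECORDS, T0, FIRST_DAY_END))
    print("apex domains per C2 IP:", apexes_per_ip(RECORDS))
    print("campaign clusters:", cluster_apexes(ip_history(RECORDS)))
```

The pattern alone also matches innocuous names such as www2.example.com, so in production restrict `classify_qname` to known apex domains or known keywords before counting; the clustering step is what lets a single confirmed apex pull the rest of its IP pool, and the other apex domains on that pool, out of passive DNS.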
Every time the DNS record is updated, the corresponding Telegram channel’s operator deletes the last message and sends a new one containing the latest IP address. This “multi-channel fluxing” technique ensures correct dynamic IP resolution, even if the apex domain has been found and blocked by a DNS server.

SECONDARY PAYLOADS

After connecting to its C2 server, GammaLoad quickly downloads and executes further payloads. These are often VBS/PS scripts with different objectives. Firstly, it is not uncommon for GammaLoad to drop another stage of GammaLoad onto an infected host. This is often a different variant, containing a new apex domain and Telegram channel ID. Presumably, this is done to “graduate” infected machines into another cluster after initial infection, making it easier to sort victim machines. The new C2 apex and Telegram combination often has little to no overlap with the previous one. The next stage of GammaLoad may include additional functions that support more payloads, enumeration or USB spreading.

GammaLoad also downloads data exfiltration and reconnaissance scripts within minutes of infection. These are often PowerShell-based, per the example below:

Fig. 17: PowerShell reconnaissance script

The full script collects the following information:

* Screenshot
* Anti-virus products
* System info:
  * OS Name
  * OS Version
  * Original Install Date
  * System Boot Time
  * System Type
  * System Directory
  * Logon Server
  * Domain
  * Total Physical Memory
  * Available Physical Memory
* Drives
* Running processes
* Registry keys (installed software):
  * HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
  * HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
* Desktop items
* System drive serial number
* Computer name

GAMMASTEEL

X-Force also observed a PowerShell-based GammaSteel variant residing in the registry, dispersed among different keys just like GammaLoad.
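Both GammaLoad and GammaSteel keep their PowerShell dispersed across registry values, and the launcher command from the HTA installer lands in a Run value, so a registry export is a good place to hunt (the recommendations at the end of this report list both). The following Python code is an added example, not the report's or the actor's code: it parses `reg export` output, decodes quoted and hex(2) string data, and flags values that contain the wscript //e:vbscript launcher or PowerShell that loads, decodes and runs code from HKCU. The sample export it builds is constructed; HKCU\System\SampleKey is a hypothetical subkey, as the report only gives HKCU:\System\ as the parent path, and Stage1/Stage2 are stand-ins for the dispersed execution blocks, not the actor's scripts.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns matched against lower-cased value data. The set is an assumption for
# this example, built from the launcher command and the PowerShell behaviour the report
# describes (job execution, code loaded from HKCU, decoded-then-invoked blocks).
INDICATORS = [
    (r"wscript[^\n]*//e:vbscript", "wscript.exe //e:vbscript launcher"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"frombase64string", "base64 decode of embedded code"),
    (r"get-itemproperty[^\n]*hkcu:", "loads further code from HKCU"),
    (r"\b(start-job|invoke-command)\b", "runs code as a PowerShell job"),
    (r"\[scriptblock\]::create", "dynamic scriptblock creation"),
]


def _decode(raw: bytes) -> str:
    """Decode hex data: UTF-16LE if every odd byte is zero (REG_*_SZ), else UTF-8."""
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="ignore").rstrip("\x00")
    return raw.decode("utf-8", errors="ignore").rstrip("\x00")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse `reg export` output into (key, value name, decoded data) triples.

    Handles quoted REG_SZ strings and hex / hex(N) data with '\\' continuation lines;
    dword and other scalar types are skipped because they cannot carry script text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            decoded = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # unescape \" and \\
        else:
            hm = re.match(r"^hex(?:\(\d+\))?:(.*)$", data)
            if not hm:
                continue
            octets = [o for o in hm.group(1).split(",") if o.strip()]
            decoded = _decode(bytes(int(o, 16) for o in octets))
        entries.append((key, name, decoded))
    return entries


def hunt(entries, long_value: int = 512) -> List[Dict]:
    """Flag values that match an indicator, or long strings with no obvious purpose."""
    hits = []
    for key, name, data in entries:
        low = data.lower()
        reasons = [label for pat, label in INDICATORS if re.search(pat, low)]
        if not reasons and len(data) >= long_value:
            reasons.append(f"string value of {len(data)} characters")
        if reasons:
            hits.append({"key": key, "value": name, "length": len(data), "reasons": reasons})
    return hits


def _hex2(s: str, per_line: int = 20) -> str:
    """Render a string as a .reg hex(2) (REG_EXPAND_SZ) field with '\\' continuation lines."""
    octets = [f"{b:02x}" for b in s.encode("utf-16-le") + b"\x00\x00"]
    rows = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed export. SampleKey is hypothetical (the report only gives HKCU:\System\);
# Stage1/Stage2 are stand-ins for dispersed execution blocks, not the actor's code.
SAMPLE_REG_HEAD = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"TaskMedia"="wscript.exe \"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\jealous\" //e:vbscript /log /bpt /cbl //b"

[HKEY_CURRENT_USER\System\SampleKey]
"Stage1"="$c=(Get-ItemProperty -Path 'HKCU:\\System\\SampleKey').Stage2; Start-Job -ScriptBlock ([scriptblock]::Create($c))"
"Stage2"='''
STAGE2 = "IEX([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"


def build_sample_reg() -> str:
    return SAMPLE_REG_HEAD + _hex2(STAGE2) + "\n"


if __name__ == "__main__":
    for hit in hunt(parse_reg_export(build_sample_reg())):
        print(hit)
```

Feed it the output of `reg export HKCU\System system.reg` and of the Run key from the host; a large or script-like value under a key that should not hold code is worth a look even when no indicator fires, which is what the length fallback is for.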
GammaSteel makes use of a database file, “layout.xml”, to store pseudo-hashes of exfiltrated files and avoid duplicate uploads. The files are selected based on hardcoded extensions and copied into a temporary directory before the upload.

Fig. 18: GammaSteel PowerShell variant

This particular sample also used a hardcoded IP address as a fallback C2 server, obfuscated as an integer array:

Fig. 19: GammaSteel script defining configuration values

CONCLUSION

Hive0051’s signature style is the use of relatively simple yet effective malware. Evidence of this is the group’s wide arsenal of different variants as well as the large scale of its campaigns and infrastructure, observed in passive DNS data. Hive0051 does not appear to focus on staying under the radar but rather relies on increasing obfuscation and using longer infection chains before deploying more novel or advanced variants. Over time Hive0051 has exhibited the tendency to reuse code, TTPs, and infrastructure. Nevertheless, Hive0051 has steadily introduced credible improvements and explored new techniques such as moving code to the registry, dispersing payloads, switching C2 request patterns, and adding further functionality to its toolsets.

It is highly likely Hive0051 will continue to focus activity against entities based in and surrounding Ukraine given its established mission space and demonstrated operations tempo. The observed malware undergoes constant improvement, making it more resilient against detection and blocking. The new multi-channel DNS fluxing capability to rapidly remap infrastructure may point to an elevated threat capability. X-Force recommends entities in-region remain at a heightened level of defensive security.

RECOMMENDATIONS

* Ensure anti-virus software and associated files are up to date.
* Exercise caution with suspicious filetypes:
  * .HTA
  * .HTML
  * .XHTML
  * .LNK
* Hunt for processes executing malicious scripts:
  * wscript.exe with arguments “//e:vbscript” and others such as “/log”, “/bpt” or junk options
  * powershell.exe
* Monitor for suspicious WMI queries:
  * “Select * from win32_pingstatus where address=<C2_domain>”
* Monitor for suspicious connections to Telegram and Telegraph services.
* Hunt for registry keys whose values contain PowerShell code.
* Search for existing signs of the indicated IoCs in your environment.
* Keep applications and operating systems running at the current released patch level.
* Exercise caution with attachments and links in emails.

To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler. If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Golo Mühr, X-Force Threat Intelligence, IBM
Claire Zaboeva, Senior Strategic Cyber Threat Analyst, IBM
Joe Fasulo, Cyber Threat Researcher, IBM X-Force

Tags: IBM X-Force Research | Malware | Malware Analysis | Russia | X-Force