Select Page
Screenshot of BlackCat ransomware deployment options and subcommands with corresponding descriptions.

The many lives of BlackCat ransomware

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation ... continue reading
Figure 1 displays a diagram depicting a typical attack flow for XorDdos malware. The attacker communicates with a bot to SSH brute force a target device and download XorDdos. The malware then performs several techniques for evasion and persistence before connecting with the attacker's C2 server to send data and receive commands.

Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices

In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as ... continue reading
World map with circles of varying sizes located in several countries regions to indicate the threat's impact.

Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware

As announced today, Microsoft took action against the ZLoader trojan by working with telecommunications providers around the world to disrupt key ZLoader infrastructure. We used our research into this threat to enrich our protection technologies and ensure this infrastructure could ... continue reading
Screenshot of an application UI with lines of code. One of said code lines is highlighted, with an annotation written in a non-English language.

SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965

On March 31, 2022, vulnerabilities in the Spring Framework for Java were publicly disclosed. Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations ... continue reading
Screenshot of phishing email used in by ACTINIUM

ACTINIUM targets Ukrainian organizations

The Microsoft Threat Intelligence Center (MSTIC) is sharing information on a threat group named ACTINIUM, which has been operational for almost a decade and has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs. MSTIC previously ... continue reading
A timeline detailing UpdateAgent's evolution between September 2020 and October 2021 and the techniques the trojan adopted with each update. The timeline is further detailed in the following section:

The evolution of a Mac trojan: UpdateAgent’s progression

Our discovery and analysis of a sophisticated Mac trojan in October exposed a year-long evolution of a malware family—and depicts the rising complexity of threats across platforms. The trojan, tracked as UpdateAgent, started as a relatively basic information-stealer but was ... continue reading
:smile:

Azure Monitor: Audit your Azure and non-Azure SQL Server

Hi everyone, time passed since my last post. Hope you missed me Today I am going to cover an interesting aspect on how to capture security audit events from both Azure and non-Azure SQL Server machines. Most of you probably ... continue reading
Top 20 most visited blog posts for IT Pros in 2021

Top 20 most visited blog posts for IT Pros in 2021

From our first post on the 17th of September 2018, where Rick Claus introduced Microsoft's "Cloud Ops Advocate" team, we've published nearly 600 articles on this ITOps Talk blog! To end the year, we wanted to highlight some of our ... continue reading
Screenshot of Threat and Vulnerability Management

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code ... continue reading
Diagram showing components of Qakbot campaigns as building blocks

A closer look at Qakbot’s latest building blocks (and how to knock them down)

Multiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be many attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize ... continue reading