Threat Intelligence – Threat Intelligence

Unusual user agent VPN attempts CitrixReceiver/23.11.1.41 Windows/10.0 AuthManager/23.11.0.9 (Release) X1Class CWACapable CWA/23.11.1.41

We're seeing unusual patterns of login attempts against our customers netscalers with the only thing in common the user-agent: CitrixReceiver/23.11.1.41 Windows/10.0 AuthManager/23.11.0.9 (Release) X1Class CWACapable CWA/23.11.1.41 Some are brute force…

threatinfo December 26, 2024

Threat Intelligence

Netscaler Credential Stuffing Attack

We have recently identified another new persistent citrix netscaler credential stuffing attack against one of our customers using recently compromised credentials from users who had fallen victim to infostealers. This…

threatinfo December 24, 2024

sentinel Threat Intelligence

Credential stuffing attacks against Azure Portal from Set User Agent and Device

We have recently identified a persistent credential stuffing attack against some of our customers. Credential stuffing is a cyberattack method in which attackers use lists of compromised user credentials to breach into a system.…

threatinfo December 17, 2024

Nifi sentinel Threat Intelligence

Pushing Bulk Indicators to Multiple Sentinel Instances for a MSSP

Problem We manage a MISP instance which receives over 130,000 IOCs every day from multiple sources which we need to push to over 22 Microsoft Sentinel instances which we manage.…

threatinfo November 29, 2024

Threat Intelligence

Actor targeting Palo Alto VPN

User names used by actor seen using VPNs with Canadian source IP addresses 10/05/2024. Replace targetDomain below with the domain of the VPN service (i.e. victim Domain) monitor paservice@targetDomain admin@targetDomain…

threatinfo May 12, 2024

sentinel siem Threat Intelligence

Why is the Sentinel Threat Intelligence Indicator API so full of bugs

Microsoft have an API to add IOCs to the threat intelligence module in sentinel which can you read about here. My issue with it, is that is is full of…

threatinfo March 14, 2024

Threat Intelligence

MISP Database Size Getting Too Large

MISP MYSQL database growing too large and starting to get out of control? API calls getting slower and slower? Maybe its time to start doing some spring cleaning! Find below…

threatinfo March 11, 2024

Threat Intelligence

MISP – An Internal Error has occured – HTTP Status code 500

If you receive a "An internal error has occured" error message when clicking on various menu functions in the MISP UI. This is potentially due to model cache issues. This…

threatinfo March 7, 2024

Threat Intelligence

Whats a threat activity cluster?

A threat activity cluster is a grouping of security alerts which are related to a unique or similar activity taking place in an environment. It leverages less of the standard IOCs in…

threatinfo February 25, 2024

Threat Intelligence

WSO Shell used in a Phishing-as-a-Service (PhaaS) 365 harvesting phishing campaign

1. Initial Incident Late 2023, we observed several of our users , working in different locations with different email domains but all either executive assistants or members of the different…

threatinfo January 13, 2024