In a recent case, we tried to reconstruct an attacker's activities on an ESXi hypervisor. The logs available on the system were very limited, which made the analysis difficult. This is avoidable: ESXi in particular can produce detailed logs that are valuable for forensic analysis, provided logging is configured accordingly (for example, forwarded to a remote syslog host instead of being kept only on the host itself). The topic of forensic readiness in general was covered in a previous article, which is highly recommended reading. This article focuses on hypervisors, the risks they are exposed to, and how to protect them.
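As an added illustration of what those logs make possible (this is example code written for this page, not code from the original article), the script below reconstructs a simple attacker timeline from two ESXi host logs: sshd entries as written to /var/log/auth.log and interactive ESXi Shell commands as written to /var/log/shell.log. The line formats are assumed from those files; the sample lines and the list of "suspicious" command patterns are constructed here and are not taken from the case described above.

```python
"""Build an attacker timeline from ESXi auth.log and shell.log lines.

Added example for this page; not the original article's code. The log line
formats are assumptions based on ESXi's /var/log/auth.log (sshd) and
/var/log/shell.log (ESXi Shell command history). Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines in ESXi syslog style (not from a real incident).
AUTH_LOG = """\
2023-04-02T01:12:07Z sshd[2098765]: Accepted password for root from 203.0.113.45 port 51234 ssh2
2023-04-02T01:11:40Z sshd[2098760]: Failed password for root from 203.0.113.45 port 51200 ssh2
"""

SHELL_LOG = """\
2023-04-02T01:12:15Z shell[2098770]: [root]: esxcli vm process list
2023-04-02T01:12:40Z shell[2098770]: [root]: esxcli vm process kill --type=force --world-id=2100000
2023-04-02T01:13:02Z shell[2098770]: [root]: vim-cmd vmsvc/getallvms
2023-04-02T01:13:30Z shell[2098770]: [root]: vim-cmd vmsvc/power.off 3
"""

# sshd login results: "<ts> sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <port> ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# ESXi Shell history: "<ts> shell[pid]: [<user>]: <command line>"
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Heuristic command patterns worth a second look (assumption, not exhaustive):
# killing or powering off VMs precedes ransomware encryption of datastores,
# and tampering with syslog configuration hides later activity.
SUSPICIOUS_CMD_PATTERNS = [
    re.compile(r"esxcli vm process kill"),
    re.compile(r"vim-cmd vmsvc/power\.off"),
    re.compile(r"chmod \+x"),
    re.compile(r"/tmp/"),
    re.compile(r"esxcli system syslog"),
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # "auth" or "shell"
    user: str
    detail: str


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp ESXi writes at the start of each line."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # other sshd/pam noise is ignored in this example
        detail = f"{m['result']} {m['method']} login from {m['ip']}:{m['port']}"
        events.append(Event(parse_ts(m["ts"]), "auth", m["user"], detail))
    return events


def parse_shell(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            events.append(Event(parse_ts(m["ts"]), "shell", m["user"], m["cmd"]))
    return events


def build_timeline(auth_text: str, shell_text: str) -> list[Event]:
    """Merge both logs into one chronologically sorted timeline."""
    return sorted(parse_auth(auth_text) + parse_shell(shell_text), key=lambda e: e.ts)


def flag_suspicious(events: list[Event]) -> list[Event]:
    """Return shell commands matching the heuristic patterns, in timeline order."""
    return [
        e for e in events
        if e.source == "shell" and any(p.search(e.detail) for p in SUSPICIOUS_CMD_PATTERNS)
    ]


def format_timeline(events: list[Event]) -> list[str]:
    flagged = set(flag_suspicious(events))
    return [
        f"{e.ts.isoformat()} {e.source:5} {e.user:6} {'!! ' if e in flagged else '   '}{e.detail}"
        for e in events
    ]


if __name__ == "__main__":
    for row in format_timeline(build_timeline(AUTH_LOG, SHELL_LOG)):
        print(row)
```

The point of the exercise is that this reconstruction only works when the lines still exist: shell.log and auth.log live under /scratch/log, which on hosts booting from USB or SD media is a RAM disk that is lost on reboot, and an attacker with root can simply delete them. Forwarding ESXi logs to a remote syslog host (esxcli system syslog config set --loghost=...) is the forensic-readiness step that keeps them available for an analysis like this one.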
Forensic readiness refers to a company's ability to carry out digital forensics efficiently. Every incident is a stressful situation for everyone involved. A high degree of maturity in forensic readiness can shorten the analysis time of incidents and increase the quality of statements about the incident.
In order to minimize monetary and reputational damage in the event of a successful IT security attack, immediate and correct response measures, a comprehensive overview of the extent of the cyber attack, and a full clarification of the incident are indispensable.
The number of registered IT security incidents, driven by the rapid development of new and adapted cyber attack methods, is worrying, and such incidents can have serious financial consequences as well as reputational damage for companies.
According to Malware Bazaar, samples have been distributed since around mid-January. The final payload is a .NET RAT, which allows the attacker to send commands to the infected system.
To protect a company against phishing, awareness must first and foremost be raised among employees. This can be done through workshops, phishing simulations or company policies.
In this article, we will look at artifacts that should always be collected during an incident on a Windows-based system to get the best possible picture of what happened.
REvil, which had previously made a name for itself on the criminal scene by attacking major companies such as Quanta Computer and Invenergy, is believed to have affected several hundred companies worldwide with its latest attack on the software company Kaseya and its update service.