Exploring Windows UAC bypasses: Techniques and detection strategies
Readers Note : This is a summarized post of a detailed write up by the Elastic Security Intelligence and Analytics team. A deep dive on UAC Bypass is available to read here.
We wanted to call out some great adjacent research from the team at Sophoslabs Uncut that was released on December 21, 2021. Research groups frequently analyze similar (or in this case, identical) campaigns through their own unique lens. This is fantastic for the security community, as the campaign gets more eyes and different perspectives applied towards the same problem.
Elastic Security engineers have documented a less tedious way to find network beaconing from Cobalt Strike. In their full analysis, Elastic Security team researchers Andrew Pease, Derek Ditch, and Daniel Stepanic walk users through the Elastic Fleet policy, how to collect the beacon and its configuration, how to analyze its activity, and how to set this up in your organization’s environment.
Elastic Security has verified a new destructive malware targeting Ukraine: Operation Bleeding Bear. Over the weekend, Microsoft released details about this multi-stage and destructive malware campaign that the Ukrainian National Cyber Security Coordination Center has been referring to as Operation Bleeding Bear.
The early stages of an intrusion usually include initial access, execution, persistence, and command-and-control (C2) beaconing. When structured threats use zero-days, the first two stages are often not detected. It can also be challenging and time-consuming to identify the persistence mechanisms left by an advanced adversary, as we saw in the 2020 SUNBURST supply chain compromise. Could we then have detected SUNBURST in the initial hours or days by finding its C2 beacon?
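To make the beaconing question concrete, here is an added example (not code from Elastic or from the blog post it summarizes) of the simplest beacon heuristic a detection engineer reaches for: group outbound connections by source and destination, and flag pairs whose inter-arrival times are nearly constant. The log format, the `find_beacons`/`beacon_score` helpers and the thresholds are assumptions for illustration, and the sample log lines are constructed; the destination addresses are documentation ranges.

```python
"""Periodicity-based beacon triage over outbound connection logs.

Added example, not the Elastic implementation. A C2 beacon with little
jitter produces near-constant gaps between connections to its server,
so the coefficient of variation (stdev / mean) of those gaps is small.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, assumed format: "<ISO8601 ts> <src_ip> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2021-12-01T10:00:00 10.0.0.5 203.0.113.10:443
2021-12-01T10:00:59 10.0.0.5 203.0.113.10:443
2021-12-01T10:02:01 10.0.0.5 203.0.113.10:443
2021-12-01T10:03:00 10.0.0.5 203.0.113.10:443
2021-12-01T10:03:58 10.0.0.5 203.0.113.10:443
2021-12-01T10:05:02 10.0.0.5 203.0.113.10:443
2021-12-01T10:00:05 10.0.0.5 198.51.100.7:443
2021-12-01T10:00:07 10.0.0.5 198.51.100.7:443
2021-12-01T10:09:30 10.0.0.5 198.51.100.7:443
2021-12-01T10:11:00 10.0.0.5 198.51.100.7:443
2021-12-01T10:40:00 10.0.0.5 198.51.100.7:443
2021-12-01T10:41:00 10.0.0.5 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_intervals=5):
    """Return (mean_interval_seconds, coefficient_of_variation) for a
    sorted series of connection times, or None if too few intervals to judge."""
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(intervals) < min_intervals:
        return None
    mean = statistics.mean(intervals)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(intervals) / mean


def find_beacons(text, max_cv=0.2, min_intervals=5):
    """Flag (src, dst) pairs whose gaps are regular enough to look like a beacon.

    max_cv bounds how much jitter is tolerated: 0.2 accepts a beacon with
    roughly +/-20% sleep jitter; widen it if the adversary uses more."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_intervals)
        if score is not None and score[1] <= max_cv:
            mean, cv = score
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed input only the 203.0.113.10 series is flagged (about a 60 s period, CV under 0.05); the 198.51.100.7 series has irregular gaps and is ignored. Two caveats a practitioner should carry into production: a beacon with a long sleep needs a correspondingly long observation window before it has enough intervals to score, and plenty of legitimate software (update checkers, telemetry agents, NTP) also connects on a timer, so this is a triage signal to enrich with destination reputation and process context, not a verdict on its own.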
Following the discovery of Log4Shell, a vulnerability in Log4J2, Elastic released a blog post describing how users of our platform can leverage Elastic Security to help defend their networks. We also released an advisory detailing how Elastic products and users are impacted.
With our recent 7.16 Elastic Security product release, we improved our existing Linux malware feature by adding memory protection. In this blog, brought to you by Elastic’s Engineering Security Team, we lean into this recent advancement to show how we are protecting the world’s data from attack.
The Elastic Security team identified a noteworthy cluster of malicious activity after reviewing our threat prevention telemetry. A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal.
Welcome to Elastic’s Log4j2 vulnerability information hub. Here we will explain what the specific Log4j2 vulnerability is, why it matters, and what tools and resources Elastic is providing to help negate the opportunity for malware exploits, cyberattacks, and other cybersecurity risks stemming from Log4j2.
CIOs are remaking the IT function: security and developer teams will no longer be siloed. Recent survey data from 451 Research, part of S&P Global Market Intelligence, published by Elastic shows a major shift in who is using application security tools, suggesting that DevSecOps is not just an idea but a growing reality for IT decision-makers. IT decision-makers allocated application security tools to 48% of development teams in 2020, compared to just 29% in 2015.