{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/intrusion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Google Workspace"],"_cs_severities":["medium"],"_cs_tags":["googleworkspace","intrusion","initial-access","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis alert focuses on identifying potentially malicious login attempts within Google Workspace environments. The detection is based on Google\u0026rsquo;s own flagging of a login as a potential \u0026ldquo;gov_attack_warning,\u0026rdquo; suggesting that Google\u0026rsquo;s threat intelligence attributes the activity to a government-backed actor. While specific targeting information is unavailable, this alert highlights a critical area for investigation within organizations utilizing Google Workspace, especially those handling sensitive data or operating in sectors of interest to nation-state actors. This detection provides an early warning of potential compromise or data exfiltration attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker attempts to log into a Google Workspace account using compromised or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLogin Attempt:\u003c/strong\u003e The login attempt triggers a \u0026ldquo;gov_attack_warning\u0026rdquo; within Google Workspace, indicating a potential government-backed threat actor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e If the compromised account has elevated privileges, the attacker may attempt to escalate privileges within the Google Workspace environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Potential):\u003c/strong\u003e The attacker may attempt to disable security features or modify audit logs to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Potential):\u003c/strong\u003e The attacker may establish persistent access through methods such as creating rogue apps or modifying account settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker gains access to sensitive data stored within Google Workspace, such as documents, emails, and files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Potential):\u003c/strong\u003e The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The organization suffers a data breach, reputational damage, and potential financial losses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to the compromise of sensitive data within the Google Workspace environment, including confidential documents, emails, and other business-critical information. The potential consequences range from reputational damage and legal liabilities to financial losses and disruption of business operations. The number of affected users and the severity of the impact will depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u0026ldquo;gov_attack_warning\u0026rdquo; events in Google Workspace logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts promptly, focusing on the affected user account and associated activity.\u003c/li\u003e\n\u003cli\u003eReview the Google Workspace audit logs for any suspicious activity leading up to the \u0026ldquo;gov_attack_warning\u0026rdquo; event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Google Workspace accounts, especially those with elevated privileges.\u003c/li\u003e\n\u003cli\u003eMonitor Google Workspace activity logs for suspicious patterns, such as unusual login locations, failed login attempts, and changes to account settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:48:14Z","date_published":"2026-04-28T00:48:14Z","id":"/briefs/2024-01-23-gworkspace-govattack/","summary":"A Google Workspace login attempt flagged as a potential attack by a government-backed threat actor, indicating potential privilege escalation, defense evasion, persistence, initial access, or impact.","title":"Google Workspace Login Attempt with Government Attack Warning","url":"https://feed.craftedsignal.io/briefs/2024-01-23-gworkspace-govattack/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["honeypot","telnet","reconnaissance","intrusion","opencanary"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenCanary is a low-interaction honeypot designed to detect attackers on a network. This detection focuses on Telnet login attempts, a protocol rarely used legitimately in modern networks and thus a strong indicator of malicious activity. When an attacker attempts to log into a Telnet service on an OpenCanary node, it triggers this alert. This provides early warning of potential intrusion attempts, reconnaissance activities, or lateral movement by attackers who have already gained a foothold. The detection is based on OpenCanary\u0026rsquo;s logging functionality which records such login attempts, generating a log event with code 6001. This event signifies an attacker interacting with the Telnet service, which is unlikely in a well-secured and properly configured environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker scans the network for open ports, identifying a Telnet service.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to connect to the Telnet service on the OpenCanary node.\u003c/li\u003e\n\u003cli\u003eAttacker enters credentials (username and password) in an attempt to authenticate.\u003c/li\u003e\n\u003cli\u003eOpenCanary logs the Telnet login attempt, generating an event with logtype 6001.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the OpenCanary log event.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the alert to determine the source and intent of the Telnet login attempt.\u003c/li\u003e\n\u003cli\u003eIf the attempt is malicious, the security team takes steps to block the attacker and prevent further access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Telnet login could provide an attacker with unauthorized access to the network or specific systems. While Telnet itself may not grant immediate access to sensitive data, it can be used as a stepping stone for further exploitation and lateral movement. The compromise of even a single system can lead to data breaches, ransomware deployment, and significant disruption of services. OpenCanary serves as an early warning system, allowing defenders to identify and respond to such attempts before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e to your SIEM to detect unauthorized Telnet login attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eOpenCanary - Telnet Login Attempt\u003c/code\u003e rule to determine the source and intent of the connection.\u003c/li\u003e\n\u003cli\u003eReview the OpenCanary configuration to ensure it is properly deployed and monitoring the appropriate network segments.\u003c/li\u003e\n\u003cli\u003eConsider disabling the Telnet service on all legitimate systems on the network to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:30:00Z","date_published":"2024-10-26T14:30:00Z","id":"/briefs/2024-10-opencanary-telnet-login/","summary":"The OpenCanary Telnet Login Attempt detection identifies unauthorized login attempts to a Telnet service monitored by an OpenCanary node, indicating potential reconnaissance or intrusion attempts targeting the network.","title":"OpenCanary Telnet Login Attempt","url":"https://feed.craftedsignal.io/briefs/2024-10-opencanary-telnet-login/"}],"language":"en","title":"CraftedSignal Threat Feed — Intrusion","version":"https://jsonfeed.org/version/1.1"}