
Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor
Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns
Commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse.

Legion: The Latest Threat in Mass Spam Attacks
Cado and Permiso researchers team up to break down Legion's toolset and review some of the differences between Legion and the likes of AndroxGh0st and Greenbot.

Permiso extends cloud threat detection and response capabilities with the addition of support for Azure, Azure AD, and Microsoft 365
Permiso is thrilled to announce our latest release, which includes support for Azure, Azure AD, and Microsoft 365.

Our Approach to Detection: AndroxGh0st and GreenBot Edition
From atomic indicators to TTPs, in this article, the Permiso p0 Labs team discusses their approach to detecting AndroxGh0st and Greenbot persistence modules.

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore
AmazonEC2RoleforSSM is a deprecated version of the now-recommended AmazonSSMManagedInstanceCore. We'll break down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies.