What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-09 03:54:41 | Even the Most Advanced Threats Rely on Unpatched Systems (lien direct) | Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups. In fact, these tools can prove almost | Ransomware Tool Threat | ||
 |
2022-06-09 02:40:00 | RSA 2022: You\'re the New CISO. Want to Fix the Problem? Start by Simply Listening! (lien direct) | The new security boss needs to listen if they hope to win over a myriad of new constituencies in their first 90 days You just took over as the CISO, ready to dig in and make the most of this fantastic opportunity. With so much needing to be fixed, where do you start first? This topic received attention during the RSA 2022 security conference this week at a session that featured CISOs from Reddit, Amplitude and Robinhood. The CISOs recounted their first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures. Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact. All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response. That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour. The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats. For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team. It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way. Winning Over the Board Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors. In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact. Going even further, the CISO at some point early in their tenure will need to report progress t | Tool Threat Guideline | ||
 |
2022-06-08 21:24:02 | 0Patch released unofficial security patch for new DogWalk Windows zero-day (lien direct) | >0patch researchers released an unofficial security patch for a Windows zero-day vulnerability dubbed DogWalk. 0patch released an unofficial security patch for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) dubbed DogWalk. The issue impacts all Windows versions, starting from Windows 7 and Server Server 2008, including the latest releases. The flaw […] | Tool Vulnerability | ||
 |
2022-06-08 19:34:52 | This tool portably charges three devices at once (lien direct) | >Tired of hunting for multiple charging cables? Make your day simpler with the CHRGER™ Porta 3-in-1 Wireless Charger. | Tool | ||
 |
2022-06-08 09:57:00 | BrandPost: 4 Factors to Consider When Choosing a Cloud Workload Protection Platform (lien direct) | Every dollar spent on security must produce a return on investment (ROI) in the form of better detection or prevention. As an IT leader, finding the tool that meets this requirement is not always easy. It is tempting for CISOs and CIOs to succumb to the “shiny toy” syndrome: to buy the newest tool claiming to address the security challenges facing their hybrid environment.With cloud adoption on the rise, securing cloud assets will be a critical aspect of supporting digital transformation efforts and the continuous delivery of applications and services to customers well into the future.However, embracing the cloud widens the attack surface. That attack surface includes private, public, and hybrid environments. A traditional approach to security simply doesn't provide the level of security needed to protect this environment and requires organizations to have granular visibility over cloud events.To read this article in full, please click here | Tool Guideline | ||
|
2022-06-08 06:24:15 | Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability (lien direct) | An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue - referenced as DogWalk - relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a | Tool Vulnerability | ||
|
2022-06-07 19:27:00 | Get your resume past automated screenings with this AI tool (lien direct) | This artificial intelligence assistant helps you take your working future by the horns. | Tool | ||
|
2022-06-07 17:41:00 | Anomali Cyber Watch: Man-on-the-Side Attack Affects 48,000 IP Addresses, Iran Outsources Cyberespionage to Lebanon, XLoader Complex Randomization to Contact Mostly Fake C2 Domains, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Confluence, Iran, Lebanon, Sandbox evasion, Signed files, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinDealer Dealing on the Side
(published: June 2, 2022)
Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. Man-on-the-side is similar to man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu were using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but on rare conditions serves the malware. One WinDealer sample was able to use a random IP from 48,000 IP addresses of two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom.
Analyst Comment: Man-on-the-side attacks are hard to detect. Defense would require a constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from advanced threat groups.
MITRE ATT&CK: [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN.
Analysis of the Massive NDSW/NDSX Malware Campaign
(published: June 2, 2022)
Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits including those based on newly-disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected often followed by the PHP proxy script that loads the payload on the server side to hide the malware staging server. Next step involves the NDSX script downloading |
Malware Tool Vulnerability Threat | ||
 |
2022-06-07 16:00:00 | Evil Corp Hacker Group Changes Ransomware Tactics to Evade US Sanctions (lien direct) | The Russian hacker group has shifted tactics and tools with an aim to continue profiting from its nefarious activity | Ransomware Tool | ||
 |
2022-06-07 12:59:01 | (Déjà vu) New \'DogWalk\' Windows zero-day bug gets free unofficial patches (lien direct) | Free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) have been released today through the 0patch platform. [...] | Tool Vulnerability | ||
|
2022-06-07 12:59:01 | Two-year-old Windows DIAGCAB zero-day gets unofficial patches (lien direct) | Free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) have been released today through the 0patch platform. [...] | Tool Vulnerability | ||
 |
2022-06-07 12:00:40 | Detecting Follina: Microsoft Office remote code execution zero-day (lien direct) | >by Bhabesh Raj Rai, Security ResearchOn May 27, 2022, a security researcher highlighted a malicious document submitted to VirusTotal from Belarus. The document used Microsoft Office's remote template feature to download an HTML file remotely and subsequently load it, which executed a PowerShell payload via the Microsoft Support Diagnostic Tool (MSDT). Adversaries who can exploit [...] | Tool | ||
 |
2022-06-07 11:21:47 | Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw (lien direct) | The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario. | Tool Vulnerability | ||
 |
2022-06-06 23:26:16 | RSA 2022: Prometheus ransomware\'s flaws inspired researchers to try to build a near-universal decryption tool (lien direct) | Prometheus ransomware contained a weak random number generator that inspired researchers to try and build a one-size-fits-all decryptor. | Ransomware Tool | ||
|
2022-06-06 22:35:38 | Apple\'s New Feature Will Install Security Updates Automatically Without Full OS Update (lien direct) | Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that's designed to deploy security fixes without the need for a full operating system version update. "macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a | Tool | ||
|
2022-06-06 19:45:52 | Authy vs Google Authenticator: Two-factor authenticator comparison (lien direct) | >Check out these features from Authy and Google Authenticator before deciding which authentication tool is best for you. | Tool | ||
|
2022-06-06 17:51:29 | ClickUp vs Notion: Project management software comparison (lien direct) | >ClickUp and Notion are both top software tools designed to enable effective project management, but which is best for your business? | Tool | ||
|
2022-06-06 16:23:22 | How to always access your locked iOS device (lien direct) | >With this multifunctional iOS unlocking tool, you can solve various possible problems with your iPhone, iPad or iPod touch. Get a lifetime subscription of the tool for a limited time. | Tool | ||
 |
2022-06-06 13:45:45 | RSAC insights: \'CAASM\' tools and practices get into the nitty gritty of closing network security gaps (lien direct) | Reducing the attack surface of a company's network should, by now, be a top priority for all organizations. Related: Why security teams ought to embrace complexity As RSA Conference 2022 gets underway today in San Francisco, advanced systems to help … (more…) | Tool | ||
 |
2022-06-06 11:22:01 | A Warning To Enterprises: It\'s Time To Retire On-prem; Migration To Cloud And Modern AppSec Tools Critical To Future Threats, What Do You Think? (lien direct) | In light of the critical Atlassian zero-day (CVE-2022-26134) that's just making headlines, Information Security Experts emphasis why it is better time to move to cloud but what do you think? | Tool | ||
 |
2022-06-05 11:17:21 | The privately funded killer-asteroid spotter is here (lien direct) | It's a new tool for tracking space-rock trajectories-even with limited data. | Tool | ||
|
2022-06-03 23:46:21 | LuoYu APT delivers WinDealer malware via man-on-the-side attacks (lien direct) | >Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor An “extremely sophisticated” China-linked APT tracked as LuoYu was delivering malware called WinDealer via man-on-the-side attacks. Researchers from Kaspersky have uncovered an “extremely sophisticated” China-linked APT group, tracked as LuoYu, that has been observed using a malicious Windows tool called WinDealer. LuoYu has been active since at […] | Malware Tool | ||
|
2022-06-03 21:32:45 | AI and observability for IT operations: Does it improve performance? (lien direct) | >In a multi-cloud, multi-data center environment, IT needs new methods for tracking and troubleshooting applications. Observability tools can provide that. | Tool | ||
 |
2022-06-03 18:50:53 | New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild (lien direct) | FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC's associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to "Confluence Security Advisory 2022-06-02". | Malware Tool Vulnerability Threat | ||
|
2022-06-03 17:53:45 | Rally vs Jira: Project management software comparison (lien direct) | >Rally and Jira are both project management solutions meant to work with common agile methodologies. Jira excels in flexibility, while Rally is a highly dedicated tool meant to work within the agile framework. | Tool | ||
|
2022-06-03 14:22:25 | Parental controls: What they can and can\'t do for you (lien direct) | Parental controls are a helpful tool in keeping your children safe online. But they should not be considered a set and forget kind of tool. | Tool | ||
|
2022-06-03 12:42:41 | Evil Corp Pivots LockBit to Dodge U.S. Sanctions (lien direct) | The cybercriminal group is distancing itself from its previous branding by shifting tactics and tools once again in an aim to continue to profit from its nefarious activity. | Tool | ||
|
2022-06-03 09:37:18 | Ransomware Roundup - 2022/06/02 (lien direct) | FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.What is Hive Ransomware?Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica's public health system was reportedly compromised by the ransomware.As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called "HiveLeaks" on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates. Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, "the data encryption is often carried out during non-working hours or at the weekend" in an attempt to encrypt as many files as possible without being noticed.Typical ransom note left behind by Hive ransomware below:Your network has been breached and all data is encrypted.To decrypt all the data you will need to purchase our decryption software.Please contact our sales department at: xxxx://[removed].onion/ Login: [removed] Password: [removed] Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Don't fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/ The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to "HiveLeaks". Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations. In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.See the Appendix for | Ransomware Malware Tool Threat | ||
|
2022-06-03 06:54:33 | Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (lien direct) | An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report. | Tool Threat | ||
|
2022-06-03 00:57:26 | Ahrefs vs. Semrush: Comparing the top SEO tools (lien direct) | >Ironically, the major difference between these two organic marketing suites may come down to pay-per-click features. | Tool | ||
 |
2022-06-03 00:28:07 | Atlassian: Unpatched critical flaw under attack right now to hijack Confluence (lien direct) | One suggested option: Turn the thing off until it can be fixed Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.… | Tool | ||
 |
2022-06-02 21:15:07 | CVE-2022-29085 (lien direct) | Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user. | Tool Vulnerability | ||
|
2022-06-02 19:40:18 | Adobe Sign vs DocuSign: Which tool is best for your business? (lien direct) | >Compare key features of top digital signature tools Adobe Sign and DocuSign for your company's operations and documentation needs. | Tool | ||
 |
2022-06-02 16:35:43 | Latest SOC Survey Anticipates Shift Toward MDR and XDR (lien direct) |
The challenges faced by Security Operations Centers (SOCs) around the world-workforce shortages, lack of visibility and automation, tool sprawl, and alert overload-continue to have a negative impact on SOC effectiveness and will likely result in increasing adoption of Managed Detection and Response (MDR) services and Extended Detection and Response (XDR) solutions. |
Tool | ||
|
2022-06-02 11:23:59 | Why Ransomware Timeline Shrinks By 94%? (lien direct) | Researchers at IBM’s X-Force team are reporting a 94% reduction in the duration of an enterprise ransomware attack from 2019 to 2021. Though the overall time was reduced, the attacker's tools appeared to remain mostly the same. Research showed that ransomware operators were most efficient against enterprises “who have not implemented effective measures to combat […] | Ransomware Tool | ||
|
2022-06-02 01:38:51 | SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (lien direct) | The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities. "Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity | Malware Tool Threat | APT-C-17 | |
|
2022-06-01 20:15:07 | CVE-2022-30190 (lien direct) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. | Tool | ||
|
2022-06-01 17:47:00 | Anomali Cyber Watch: TURLA\'s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Credit Card Stealer Targets PsiGate Payment Gateway Software
(published: May 25, 2022)
Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056
Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX
How the Saitama Backdoor uses DNS Tunneling
(published: May 25, 2022)
MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling
|
Ransomware Malware Tool Threat | APT 19 | |
 |
2022-06-01 15:49:28 | CrowdStrike Falcon Protects Customers from Follina (CVE-2022-30190) (lien direct) | On May 27, 2022, a remote code execution vulnerability was reported affecting the Microsoft Windows Support Diagnostic Tool (MSDT) The vulnerability, which is classified as a zero-day, can be invoked via weaponized Office documents, Rich Text Format (RTF) files, XML files and HTML files At time of writing, there is no patch available from the […] | Tool Vulnerability | ||
|
2022-06-01 14:36:44 | How to refine search results in Google Drive (lien direct) | >If you're having trouble locating files in Google Drive, Jack Wallen wants to introduce you to the built-in search filter tool that will help make the process faster and more accurate. | Tool | ||
|
2022-06-01 13:59:00 | (Déjà vu) CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina” (lien direct) | FortiGuard Labs researchers provide an analysis and assessment of CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE vulnerability “Follina.” Read to learn more about this critical vulnerability and how to take quick corrective action until Microsoft releases a patch.
|
Tool Vulnerability | ||
 |
2022-06-01 13:12:14 | Nouvelle vulnérabilité Microsoft Support Diagnostic Tool : comment y faire face (lien direct) | >Une nouvelle vulnérabilité a récemment été découverte dans Microsoft Office. En effet, Microsoft Support Diagnostic Tool (MSDT) peut être détourné contre les organisations. L'exploit semble exister depuis environ un mois, avec diverses modifications quant à ce qui doit être exécuté sur le système ciblé. The post Nouvelle vulnérabilité Microsoft Support Diagnostic Tool : comment y faire face first appeared on UnderNews. | Tool | ||
|
2022-06-01 09:10:12 | SideWinder hackers plant fake Android VPN app in Google Play Store (lien direct) | Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. [...] | Tool Threat | APT-C-17 | |
 |
2022-06-01 06:40:40 | Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution (lien direct) | A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Tool Vulnerability | ||
|
2022-06-01 05:15:09 | YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites (lien direct) | As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the | Tool | ||
 |
2022-06-01 00:00:00 | Rôles de cybersécurité Cyber Security Roles (lien direct) |
Être un expert en cybersécurité apporte un éventail de possibilités de carrière dans une grande variété d'industries.Il n'y a pas un chemin vers une carrière dans la cybersécurité et la réalité est que les professionnels de la cybersécurité peuvent avoir des antécédents de travail et des niveaux d'éducation différents.Ce qu'ils ont en commun, c'est une compréhension de la technologie et de la nécessité de protéger et de garder les réseaux, les données et les informations sécurisés à l'ère numérique.
Nous avons choisi 5 rôles d'emploi de cybersécurité qui sont actuellement à la demande par plusieurs industries.Les cyber-compétences fournissent des voies et des micro-informations d'identification qui vous renforceront dans les domaines suivants et nous nous assurons de recevoir la formation exacte nécessaire pour remplir ces rôles et améliorer votre carrière.
Architecte de sécurité - La responsabilité clé d'un architecte de sécurité est d'établir et de maintenir la cyber-sécurité des systèmes d'une entreprise.Ils sont essentiels à la sécurité d'une organisation traduisant des conditions réelles telles que les lois et les réglementations dans des solutions techniques qui gardent les systèmes en sécurité.
Analyste de cybersécurité & # 8211;Examine les données de plusieurs sources disparates dans le but de fournir des informations sur la sécurité et la confidentialité.Conception et implémente des algorithmes personnalisés, des processus de flux de travail et des dispositions à des ensembles de données complexes et à l'échelle de l'entreprise utilisés à des fins de modélisation, d'exploration de données et de recherche.
Ingénieur de sécurité réseau & # 8211; Les ingénieurs de sécurité occupent un rôle technique au sein d'une entreprise ou d'une organisation.Il s'agit de planifier, d'implémenter et d'exploiter les services / systèmes réseau, d'inclure des environnements matériels et virtuels.
La médecine légale numérique & # 8211;Utilise des données collectées auprès d'une variété d'outils de cyber-défense pour analyser les événements qui se produisent dans leur environnement à des fins d'atténuation des menaces.Mène des enquêtes détaillées sur les crimes informatiques établissant des preuves documentaires ou physiques, pour inclure les médias numériques et les journaux associés aux incidents de cyber-intrusion.
Secure Software Developer & # 8211;Tous les développeurs doivent être conscients de la sécurité lors de la conception et du développement de composants logiciels pour assurer la sécurité des données et tout système tiers.L'assurance de la sécurité est également un domaine clé de leur travail pour valider tous les composants combiner pour créer un système sécurisé.
Being a cyber security expert brings an array of career opportunities across a wide variety of industries. There is not one path to a career in cyber security and the reality is cyber security professionals can have different working backgrounds and levels of education. What they do have in common is an understanding of technology and the need to protect and keep networks, data and information secure in the digital age. We have picked 5 cyber security job roles that are currently in-demand by multiple industries. Cyber Skills provide pathways and micro credentials that will up skill you in the following areas and we ensure that you receive the exact training needed to fulfil these roles and enhance your career. Security Architect - The key responsibility of a security architect is to establish and maintain the cyber safety of a business\'s systems. They are key to the security of an organisation translating real world conditions such as laws and regulations into technical solutions keeping the systems Cyber Secure. Cyber Security Analyst – Examines data from multiple disparate sources with the goal of providing security and privacy insight. Designs and implements custom algorithms, workflow processes, and |
Tool Technical | ★★ | |
 |
2022-05-31 16:33:34 | New Microsoft Office “Follina” zero-day Already Shared on Ransomware Forums (lien direct) |
The new zero-day MS Word vulnerability recently discovered by Nao_Sec on May 27, 2022, titled 'Follina' (CVE-2022-30190) targeting Microsoft Office is being actively utilised, Minerva researchers found. The exploit targets a vulnerability in Microsoft's Windows Support Diagnostic Tool (MSDT) that occurs due to the ms-msdt MSProtocol URI scheme which could load code and execute via PowerShell despite macros being disabled. Successful exploitation of the CVE enables an attacker to execute arbitrary code on the targeted host. However, the attacker must socially engineer the victim into opening a specially crafted file to exploit this issue which requires a targeted effort to succeed making the vulnerability less prominent to unskilled actors but highly relevant to ransomware gangs such as CONTI, CL0P and ALPHV. To combat this new threat businesses must focus on threat prevention-an approach in which Minerva excels. |
Ransomware Tool Vulnerability Threat | ||
|
2022-05-31 12:29:00 | Microsoft gives mitigation advice for Follina vulnerability exploitable via Office apps (lien direct) | Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponized Word documents. Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.To read this article in full, please click here | Tool Vulnerability | ||
|
2022-05-31 12:24:44 | EnemyBot Malware Targets Web Servers, CMS Tools and Android OS (lien direct) | Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. | Malware Tool | ||
|
2022-05-31 11:19:10 | Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina (lien direct) | >Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite. Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite. “On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows […] | Tool |
To see everything:
Our RSS (filtrered)
