What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-05-19 00:00:00 | Cyber risk management: Attribution strategies (lien direct) | Discover the importance of cyber attribution, the benefits, and the right tools to assist your efforts so you can better manage cyber risk across your digital attack surface. | Tool | ||
 |
2022-05-18 20:04:37 | Microsoft warns of attacks targeting MSSQL servers using the tool sqlps (lien direct) | >Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online. Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary). Microsoft warned of […] | Tool Threat | ||
 |
2022-05-18 17:16:21 | How storytelling can make you a more effective presenter (lien direct) | >Our natural human instinct for sharing and hearing stories can be a highly effective tool for presenting information of all sorts. | Tool | ||
 |
2022-05-18 15:41:53 | Hacking the Microsoft Sculpt keyboard (lien direct) |  In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional). Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.Under the wrist rest are anot |
Malware Tool | ||
 |
2022-05-18 15:15:10 | CVE-2022-29518 (lien direct) | Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series(GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool(Remote GC) allows a local attacker to bypass authentication due to the improper check for the Remote control setting's account names. This may allow attacker who can access the HMI from Real time remote monitoring and control tool may perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI. | Tool | ||
 |
2022-05-18 09:45:06 | Microsoft warns partners to revoke unused authorizations that drive your software (lien direct) | June debut of zero trust GDAP tool should make it harder for crims to attack through MSPs and resellers Microsoft has advised its reseller community it needs to pay attention to the debut of improve security tooling aimed at making it harder for attackers to worm their way into your systems through partners.… | Tool | ||
 |
2022-05-18 09:03:33 | Privileged pod escalations in Kubernetes and GKE (lien direct) | Posted by GKE and Anthos Platform Security Teams At the KubeCon EU 2022 conference in Valencia, security researchers from Palo Alto Networks presented research findings on “trampoline pods”-pods with an elevated set of privileges required to do their job, but that could conceivably be used as a jumping off point to gain escalated privileges.The research mentions GKE, including how developers should look at the privileged pod problem today, what the GKE team is doing to minimize the use of privileged pods, and actions GKE users can take to protect their clusters.Privileged pods within the context of GKE securityWhile privileged pods can pose a security issue, it's important to look at them within the overall context of GKE security. To use a privileged pod as a “trampoline” in GKE, there is a major prerequisite – the attacker has to first execute a successful application compromise and container breakout attack. Because the use of privileged pods in an attack requires a first step such as a container breakout to be effective, let's look at two areas:features of GKE you can use to reduce the likelihood of a container breakoutsteps the GKE team is taking to minimize the use of privileged pods and the privileges needed in them.Reducing container breakoutsThere are a number of features in GKE along with some best practices that you can use to reduce the likelihood of a container breakout:Use GKE Sandbox to strengthen the container security boundary. Over the last few months, GKE Sandbox has protected containers running it against several newly discovered Linux kernel breakout CVEs.Adopt GKE Autopilot for new clusters. Autopilot clusters have default policies that prevent host access through mechanisms like host path volumes and host network. The container runtime default seccomp profile is also enabled by default on Autopilot which has prevented several breakouts.Subscribe to GKE Release Channels and use autoupgrade to keep nodes patched automatically against kernel vulnerabilities.Run Google's Container Optimized OS, the minimal and hardened container optimized OS that makes much of the disk read-only.Incorporate binary authorization into your SDLC to require that containers admitted into the cluster are from trusted build systems and up-to-date on patching.Use Secure Command Center's Container Threat Detection or supported third-party tools to detect the most common runtime attacks.More information can be found in the GKE Hardening Guide.How GKE is reducing the use of privileged pod | Tool Threat | Uber | |
 |
2022-05-18 04:22:22 | Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang (lien direct) | The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The | Tool | ||
|
2022-05-17 21:15:08 | CVE-2022-29162 (lien direct) | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. | Tool | ★★★ | |
 |
2022-05-17 15:01:00 | Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
COBALT MIRAGE Conducts Ransomware Operations in U.S.
(published: May 12, 2022)
Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
SYK Crypter Distributing Malware Families Via Discord
(published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 15 APT 34 | |
 |
2022-05-17 13:00:36 | Zero Trust and SASE: Better Together for Financial Institutions (lien direct) | >A Zero Trust cybersecurity model, enabled by a modern Secure Access Services Edge (SASE) architecture, gives financial institutions powerful tools to support new ways of working without compromising their ability to compete and innovate. | Tool | ||
 |
2022-05-17 10:30:19 | Hackers can steal your Tesla Model 3, Y using new Bluetooth attack (lien direct) | Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices. [...] | Tool | ||
 |
2022-05-17 09:05:52 | Use Your Browser Internal Password Vault... or Not?, (Tue, May 17th) (lien direct) | Passwords... a so hot topic&#;x26;#;x21; Recently big players (Microsoft, Apple &#;x26; Google) announced that they would like to suppress (or, at least, reduce)&#;xc2;&#;xa0;the use of classic passwords&#;x5b;1&#;x5d;. In the meantime, they remain the most common way to authenticate users against many online services. Modern Browsers offer lightweight password management tools ("vaults")&#;xc2;&#;xa0;that help users to save their passwords in a central repository. So they don&#;x26;#;39;t have to remember them, and they follow the golden rule that we, infosec people, are recommending for a long time: to not&#;xc2;&#;xa0;share passwords across services.&#;xc2;&#;xa0;But it is really safe? | Tool | ||
|
2022-05-17 01:50:51 | U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (lien direct) | The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements. Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the | Ransomware Tool | ||
|
2022-05-16 17:31:54 | Gradle vs. Maven: DevOps tools comparison (lien direct) | >Gradle and Maven are two of the top build automation tools available for developers. Learn how these tools differ to find the right DevOps tool for your projects. | Tool | ||
 |
2022-05-16 17:21:06 | Researchers Devise New Type of Bluetooth LE Relay Attacks (lien direct) | Security researchers at NCC Group have created a new tool capable of launching a new type of Bluetooth Low Energy (BLE) relay attack that bypasses existing protections and mitigations. | Tool | ||
|
2022-05-15 10:00:00 | Windows admins frustrated by Quick Assist moving to Microsoft Store (lien direct) | Windows admins have been expressing their dismay at Microsoft's decision to move the Quick Assist remote assistance tool to the Microsoft Store. [...] | Tool | ||
|
2022-05-13 21:16:51 | (Déjà vu) Google Created \'Open Source Maintenance Crew\' to Help Secure Critical Projects (lien direct) | Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers | Tool Vulnerability | ||
|
2022-05-13 05:26:14 | Google Created \'Open-Source Maintenance Crew\' to Help Secure Critical Projects (lien direct) | Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers | Tool Vulnerability | ||
 |
2022-05-12 22:13:56 | 5 Tips For Creating Bulletproof Passwords (lien direct) | >
While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and...
|
Tool | ||
|
2022-05-12 12:55:35 | How Innovation Turns 5G Security from a Reactive to Proactive Tool (lien direct) | >5G security for enterprise rides on the viability of enterprise-grade security that safeguards the new business-critical operations against cyber threats. | Tool | ||
 |
2022-05-12 09:48:04 | NCSC launches free email security check (lien direct) | The UK’s National Cyber Security Centre (NCSC) has released a free tool designed to help organisations check whether their email security settings are sufficient. The Email Security Check service was released yesterday by the NCSC, an offshoot of the UK spy agency GCHQ. The tool works to look up publicly available information on anti-spoofing standards such as […] | Tool | ★★ | |
 |
2022-05-11 16:05:43 | Mettre les choses en contexte |Campagnes de menace de temps Putting Things in Context | Timelining Threat Campaigns (lien direct) |
La visualisation des données fait partie intégrante de la recherche sur les menaces.Voyez comment nous avons utilisé cet outil d'analyse de la chronologie pour suivre l'activité dans le cyber-conflit ukrainien.
Visualizing data is integral to threat research. See how we used this timeline analysis tool to track activity in the Ukrainian cyber conflict. |
Tool Threat | ★★ | |
|
2022-05-11 15:15:08 | CVE-2021-34605 (lien direct) | A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vulnerability can be triggered by manually opening an infected project file, or by initiating an upload program request from an infected Xinje PLC. This can result in remote code execution, information disclosure and denial of service of the system running the XINJE XD/E Series PLC Program Tool. | Tool Vulnerability | ||
|
2022-05-11 15:15:08 | CVE-2021-34606 (lien direct) | A vulnerability exists in XINJE XD/E Series PLC Program Tool in versions up to v3.5.1 that can allow an authenticated, local attacker to load a malicious DLL. Local access is required to successfully exploit this vulnerability. This means the potential attacker must have access to the system and sufficient file-write privileges. If exploited, the attacker could place a malicious DLL file on the system, that when running XINJE XD/E Series PLC Program Tool will allow the attacker to execute arbitrary code with the privileges of another user's account. | Tool Vulnerability | ||
|
2022-05-10 17:08:00 | Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE
(published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks
(published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early
(published: May 5, 2022)
Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm |
Ransomware Malware Tool Vulnerability Threat | APT 29 APT 28 | ★★★ |
 |
2022-05-10 03:00:00 | Cohesity launches FortKnox to protect data from ransomware attacks (lien direct) | Data management specialist Cohesity is launching a new data isolation and recovery tool called FortKnox, in a bid to help customers protect their data from ransomware attacks.FortKnox provides an additional layer of off-site protection for customers by keeping data in a secure 'vault,' with physical separation, network and management isolation to keep threat actors from accessing sensitive data.An object lock requires a minimum of two or more people to approve critical actions, such as changes of vault policy, and access can be managed using granular role-based access control, multi-factor authentication, and encryption both in-flight and at rest.To read this article in full, please click here | Ransomware Tool Threat | ||
 |
2022-05-09 10:49:02 | A scanning tool for open-sourced software packages? Yes, please! (lien direct) | OpenSSF recently introduced a dynamic analysis tool for all OSS packages when uploaded to open source repositories. | Tool | ||
 |
2022-05-09 08:29:06 | New tool release: Discovering the origin host to bypass web application firewalls (lien direct) | Pas de details / No more details | Tool | ||
|
2022-05-05 20:26:37 | Vagrant vs Docker: Compare DevOps tools (lien direct) | Finding the right DevOps tool can be tricky. There are a variety of factors to weigh in deciding what solution will work best for your projects. Learn more about two of the top solutions: Vagrant and Docker. | Tool | ||
|
2022-05-05 20:03:50 | What is the ONLYOFFICE Community feature, and why should you use it? (lien direct) | ONLYOFFICE is not only a great web-based office suite and project management tool but an effective platform to keep your teams engaged with one another and the company. | Tool | ||
|
2022-05-05 19:09:54 | Check Point vs Palo Alto: Comparing EDR software (lien direct) | Check Point and Palo Alto are providers of effective endpoint detection and response tools to allow you to surpass detection-based cyber defense and improve your organization's ability to manage cybersecurity risk. But which tool is best for you? | Tool | ||
|
2022-05-05 16:26:47 | How to use KDE Plasma\'s Konsole SSH plugin (lien direct) | Looking for an incredibly easy tool to manage your SSH connections? KDE's terminal application has a handy trick up its sleeve. | Tool | ||
|
2022-05-05 11:00:56 | Les vulnérabilités dans Avast et AVG mettent des millions en danger Vulnerabilities in Avast And AVG Put Millions At Risk (lien direct) |
Deux défauts de haute sévérité dans les outils de sécurité des utilisateurs finaux populaires permettent aux attaquants d'élever les privilèges et les dispositifs de compromis.
Two high-severity flaws in popular end user security tools allow attackers to elevate privileges and compromise devices. |
Tool Vulnerability | ★★★ | |
|
2022-05-04 18:37:00 | Are moodables the next best thing in IoT? (lien direct) | More Americans are suffering from depression than ever before. With moodable sensors, we might finally have an IoT tool for mental wellness. | Tool | ||
|
2022-05-04 18:14:46 | How to move from an Android phone to an iPhone (lien direct) | You can more easily switch from an Android phone to an iPhone via a tool called Move to iOS. We'll show you how. | Tool | ||
|
2022-05-03 17:20:31 | Notion vs Trello: Project management software comparison (lien direct) | If your company is considering which project management and communication tool to choose, you should compare the features of Notion and Trello. | Tool | ||
|
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
|
2022-05-03 14:36:25 | Amazon CloudWatch vs Pingdom: Monitoring tool comparison (lien direct) | Let's compare the features of two popular website monitoring tools, Pingdom and Amazon CloudWatch, to determine what makes each one unique and what you should consider before adopting each tool. | Tool | ||
|
2022-05-03 14:08:13 | The COVID-19 gender gap: Addressing bias at work can help bring women back to the office (lien direct) | The global pandemic highlighted inequities at the workplace and the greater stresses women face. Here's how a new tool that uses science to uncover bias at work can improve workplaces for women. | Tool | ||
|
2022-05-03 06:08:45 | Package Analysis dynamic analyzes packages in open-source repositories (lien direct) | The Open Source Security Foundation (OpenSSF) is working on a tool to conduct a dynamic analysis of packages uploaded to popular open-source repositories. The Open Source Security Foundation (OpenSSF) announced the release of the first version of a new tool, dubbed Package Analysis, to perform dynamic analysis of the packages uploaded to popular open-source repositories. […] | Tool | ||
|
2022-05-02 22:46:55 | CyberArk vs BeyondTrust: Compare IAM solutions (lien direct) | It's time to upgrade your IAM software, but which security tool should you choose? See how the features of CyberArk and BeyondTrust compare. | Tool | ||
|
2022-05-02 20:15:08 | CVE-2021-41810 (lien direct) | Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable | Tool | ||
 |
2022-05-02 09:30:00 | UNC3524: Eye Spy sur votre e-mail UNC3524: Eye Spy on Your Email (lien direct) |
Mise à jour (novembre 2022): Nous avons fusionné UNC3524 avec APT29. L'activité UNC3524 décrite dans ce post est désormais attribuée à APT29.
Depuis décembre 2019, Mandiant a observé que les acteurs avancés des menaces augmentent leur investissement dans des outils pour faciliter la collecte de courriels en vrac dans les environnements de victime, en particulier en ce qui concerne leur soutien aux objectifs d'espionnage présumés.Les e-mails et leurs pièces jointes offrent une riche source d'informations sur une organisation, stockée dans un emplacement centralisé pour les acteurs de menace à collecter.La plupart des systèmes de messagerie, qu'ils soient sur site ou dans le cloud, offrent
UPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29. Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer |
Tool Threat | APT 29 | ★★ |
|
2022-05-01 21:51:22 | Here\'s a New Tool That Scans Open-Source Repositories for Malicious Packages (lien direct) | The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the | Tool | ||
|
2022-04-29 21:12:21 | Datadog vs New Relic: Compare DevOps tools (lien direct) | Datadog vs. New Relic: Which is the best DevOps tool for your business? This guide will help you choose. | Tool | ||
 |
2022-04-29 17:32:59 | Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage (lien direct) |  socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username, socialscan returns whether it is available, taken or invalid on online platforms.
Other similar tools check username availability by requesting the profile page of the username in question and based on information like the HTTP status code or error text on the requested page, determine whether a username is already taken.
Read the rest of Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage now! Only available at Darknet.
|
Tool | ||
|
2022-04-29 14:45:19 | LogMeIn vs GoToMyPC: Compare remote desktop software (lien direct) | LogMeIn and GoToMyPC are two of the top remote access software solutions. Read this feature comparison to learn which remote desktop tool is right for your business. | Tool | ||
|
2022-04-29 13:09:34 | OneLogin vs Okta: Comparing IAM solutions (lien direct) | Which identity and access management software should you choose? Compare the features of OneLogin and Okta to see if either is the right IAM tool for your business. | Tool | ||
|
2022-04-28 11:00:00 | More Tools, More Problems: Why It\'s Important to Ensure Security Tools Work Together (lien direct) | Welcome to blog #six as I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. In the last blog, I wrote about the challenges that organizations have with disparate tools, highlighted by the fact that mature enterprise organizations deployed over 130 security tools on average. That blog is a perfect introduction to number five on our list of challenges enterprise organizations face: ‘Solutions not customized to the types of risks we face.’ More Tools, More Problems Most security teams use several security management tools to help them manage their security infrastructure. While each tool was acquired for a specific reason and purpose, introducing each tool into an existing security tech stack poses a different challenge. Unfortunately, there’s no one size fits all approach. Every new security tool introduced requires integration to use the tool effectively. It takes a lot of time and effort to implement a tool properly into your environment and processes. There would most likely need training involved for those analysts who would be using the new tools. While necessary, these tasks take time and attention away from everyday activities and can significantly decrease a security team’s effectiveness before they’re fully integrated into their workflow. Increasing in Multiple Tools Increases Security Complexity The increasing adoption of cybersecurity solutions has created more consequences and challenges for organizations and their IT teams. With each addition of a new solution, another problem emerges Tool sprawl. Tool sprawl is when an organization invests in various tools that make it harder for IT teams to manage and orchestrate the solution. Time is a precious commodity, especially in cybersecurity. It takes time to collect information from multiple tools and disparate data sources, then correlate it manually with the necessary intelligence. Instead of responding quickly to an attack, analysts will waste time collecting the data and relevant intelligence needed to understand what kind of attacks they are dealing with and which actions they should take. Instead of fixing a problem, security teams may suddenly find that they’ve added more. How Cybersecurity Tools Grew Out of Control Traditional cybersecurity operations were designed to manage anti-viruses, install and monitor firewalls, protect data, and help users manage passwords. It was evident by the mid-1990s that investing in cybersecurity would be necessary. Organizations now had a budget for security and had to figure out which parts of their infrastructure were most vulnerable. As their strategy evolved, organizations began investing in hiring cybersecurity experts but realized people are expensive. They then began buying various tools to complement their security professionals. They soon realized that there was a security tool you could buy that could help resolve the situation for any potential problem. The desire to throw tools at a situation continues today. Cybersecurity budgets have increased since the pandemic sped up digital transformation efforts and increased an organization’s attack surface. Board members and Executives realize the need to invest more in cybersecurity. New security products continue to spring up, promising to solve problems and secure all the various parts of businesses’ technology stacks. Unfortunately, when adding tools, too many organizations make the mistake of looking for a quick fix, working in silos to solve one problem rather than t | Tool Threat Guideline |
To see everything:
Our RSS (filtrered)
