What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
TechRepublic 2021-09-08 16:57:12 Canonical announces new Anbox Cloud Appliance on AWS Marketplace (direct link) The tool can be used by developers for prototyping, sandboxing and putting Android apps into production on 5G devices. Tool
SecurityWeek 2021-09-08 01:42:01 US-built Databases a Potential Tool of Taliban Repression (direct link) Over two decades, the United States and its allies spent hundreds of millions of dollars building databases for the Afghan people. The nobly stated goal: promote law and order and government accountability and modernize a war-ravaged land. Tool
CVE 2021-09-07 20:15:07 CVE-2021-37631 (direct link) Deck is an open source kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that had been shared with a Circle, even if the user was not a member of the Circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update, it is advised to disable the Deck plugin. Tool
Anomali 2021-09-07 19:29:00 Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop JavaScript Backdoor (published: September 3, 2021) Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that drop a JavaScript backdoor, following the TTPs of previous FIN7 campaigns. FIN7 is a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high-profile arrests, activity like this illustrates they remain more than capable of continuing to target victims. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network, so that unusual traffic and connections to and from your network stand out and can be investigated as potentially malicious. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests that macros be enabled. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087 Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS Feds Warn of Ransomware Attacks Ahead of Labor Day (published: September 1, 2021) The FBI and CISA put out a joint cybersecurity advisory on Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. During holiday weekends, IT departments are often staffed by skeleton crews, limiting their ability to respond to and remediate incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' Ransomware Malware Tool Vulnerability Threat Guideline
WiredThreatLevel 2021-09-07 12:00:00 Pharmacies Stepped Up During Covid, and Changed for Good (direct link) Pharmacies have long been perceived as commodities. Now, they're a central tool for removing barriers to health care. Tool
bleepingcomputer 2021-09-06 13:42:08 New Chainsaw tool helps IR teams analyze Windows event logs (direct link) Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats. [...] Tool
The_Hackers_News 2021-09-04 02:08:38 Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash (direct link) Apple is temporarily hitting the pause button on its controversial plans to screen users' devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users. "Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the Tool
Anomali 2021-09-02 14:00:00 What Is a Cyber Fusion Center? (direct link) Drive Organization-Wide Visibility, Reduce Time to Detection, and Protect Critical Assets With a Cyber Fusion Center The continual and evolving threats to information systems are a constant battle that prompted the creation of cyber intelligence analysts, who provide contextualized data, information, and intelligence to those tasked with detecting and defending against attacks. Cyber defense systems need to become more responsive to internal vulnerabilities and adapt to external threats as attack methods evolve more quickly. It is this intelligence that enables them to do so. The cyber fusion center is the hub for actionable threat intelligence. Structurally, it pulls together information and coordinates efforts across security teams (SOC, IT, physical security, fraud, and so on). It also integrates multiple automation tools, collecting data from internal and external sources, curating that data, and providing actionable intelligence to stakeholders so they can make informed decisions. Designing a Cyber Fusion Center Organizational Considerations When Creating Your Cyber Fusion Center The primary goal and advantage of having a cyber fusion center is making cybersecurity an integral part of your organization. It allows you to manage risk holistically. Keeping this in mind, the processes that produce actionable intel should be modeled first, before creating organizational and system structures. Acknowledging that existing systems are managed by different groups, and integrating competing priorities, is essential. Systems will also need to be integrated, with redundancies identified and streamlined. Finally, each organization has its own culture that should be taken into consideration throughout this process. Teams: Is Your Cyber Fusion Center Communicating Cross-Functionally? Resilient cyber fusion centers start with a circular flow of communication driven by priority intelligence requirement (PIR) inputs. This cyber intelligence provides the most timely and comprehensive intelligence on external threats to the security operations center (SOC) for detection, monitoring, threat hunting, and, when needed, incident response. In return, those acting on the threats can recommend adjustments to the PIRs that continually improve the intelligence needed to inform proactive threat detection and better response. That feedback ensures that the threat intelligence team remains focused on collecting and delivering threat intelligence aligned to organizational PIRs. In addition, this flow of intelligence should be infused with relevant information from functional areas with high-risk exposures (e.g., Human Resources, Finance, Fraud). For example, a cyber intelligence team might discover a new ransomware campaign utilizing a specific tool and architecture. That intelligence is reported to the SOC with additional context: the group most likely responsible for the campaign, their other known tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The likelihood that the newly discovered campaign could impact the organization is assessed from a deeper understanding of the culprits' motives, objectives, and previous actions. This type of intelligence empowers the SOC to prioritize response actions proactively, improving the organization's security posture against both the immediate threat posed by the IOCs and future threats posed by the same actor and their campaigns. Tools: Managing Your Security Stack With a Cyber Fusion Center While organizational processes are the basis for creating an effective cyber fusion center, automation tools are also essential. The risks of not automating include missed threats, dormant threats, siloed threat intel, and unaligned intel. You can enrich global threat intelligence through associated intelligence, peer sharing, and local telemetry; this enrichment begins Ransomware Tool Threat
Anomali 2021-08-31 16:40:00 Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag. Trending Cyber News and Threat Intelligence Widespread Credential Phishing Campaign Abuses Open Redirector Links (published: August 26, 2021) Microsoft has identified a phishing campaign that combines open redirector links on trusted domains with domain-generation algorithms and CAPTCHA portals to send users on to malicious websites. These sites prompt users to “re-enter” their credentials, harvesting the login data. Since the initial domains are trusted, standard measures such as hovering over the link will only show the trusted site, and email filters have been letting the traffic through. Analyst Comment: Because of the nature of these phishing attacks, only reset your password by going to the official domain directly, never through an emailed link. If you do follow a link, check the URL in the address bar to verify the site before entering any credentials. MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Domain Trust Discovery - T1482 Tags: Phishing, Microsoft, North America, Anomali Cyber Watch FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware (published: August 25, 2021) FIN8, the financially motivated threat group known for targeting the retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems, likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities. Analyst Comment: Ensure that your organization practices good basic cyber security hygiene. It is important that organizations and their employees use strong passwords that are not easily guessable, and that they do not keep the default administrative passwords, which are typically weak. Update firewalls and antivirus software so that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit Ransomware Malware Tool Vulnerability Threat Guideline
itsecurityguru 2021-08-31 11:42:33 Microsoft warns of phishing campaign abusing 'open redirects' (direct link) Office 365 customers have been warned by Microsoft of an ongoing phishing campaign that abuses open redirects, a mechanism used by email sales and marketing tools that can send a visitor from a trusted domain on to an untrusted site. An HTTP parameter may contain a URL value and cause the web application to redirect the request to the specified URL. By modifying […] Tool
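The open-redirect pattern that the Microsoft item and the itsecurityguru item above describe, shown as a vulnerable handler beside a hardened one, plus the mail-filter check that recovers the real destination hidden behind a trusted domain. This is an added example written for this page, not code from Microsoft, BleepingComputer or the campaign write-ups; the host name login.example.com, the parameter names in REDIRECT_PARAMS and the sample links are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Assumption for this example: the application only ever needs to send users back to its own host.
TRUSTED_HOST = "login.example.com"


def vulnerable_redirect_target(param: str) -> str:
    """The open-redirect bug: the redirect parameter's value becomes the Location header verbatim."""
    return param


def safe_redirect_target(param: str, default: str = "/") -> str:
    """Hardened form: accept only a local path, or an https URL on TRUSTED_HOST; otherwise fall back."""
    if not param or any(c in param for c in "\\\r\n\t"):
        # Browsers treat backslashes as slashes ("/\evil.example" becomes "//evil.example"),
        # and CR/LF in a Location value would allow header injection.
        return default
    p = urlparse(param)
    if p.scheme or p.netloc:
        # Absolute or protocol-relative URL: allow only our own host over https, compared exactly,
        # so "https://login.example.com@evil.example/" (userinfo trick) does not pass.
        if p.scheme == "https" and p.netloc.lower() == TRUSTED_HOST:
            return f"https://{TRUSTED_HOST}{p.path or '/'}" + (f"?{p.query}" if p.query else "")
        return default
    if not param.startswith("/") or param.startswith("//"):
        # Must be a site-relative path; "//evil.example" is protocol-relative and is rejected.
        return default
    return param


# Assumed list of parameter names that commonly carry a redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirecturl", "return",
                   "returnurl", "next", "goto", "dest", "destination"}


def embedded_destination(href: str) -> Optional[str]:
    """Mail-filter side: return the foreign host hidden in a redirect parameter of href, or None.

    Hovering over the link only reveals the outer (trusted) host; the real destination is in
    the query string, so the check has to parse one level deeper."""
    outer = urlparse(href)
    for key, values in parse_qs(outer.query).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc \
                    and inner.netloc.lower() != outer.netloc.lower():
                return inner.netloc.lower()
    return None


if __name__ == "__main__":
    # Constructed sample link of the kind seen in the campaign: trusted outer host, attacker host inside.
    link = "https://trusted.example/out?url=https%3A%2F%2Fevil.example%2Flogin"
    print("vulnerable ->", vulnerable_redirect_target("https://evil.example/phish"))
    print("hardened   ->", safe_redirect_target("https://evil.example/phish"))
    print("hidden destination:", embedded_destination(link))
```

On the server side the allowlist is what closes the hole: same host, https only, no userinfo, no backslashes, no protocol-relative paths. A denylist of known bad hosts does not, because the campaign rotates destinations with a domain-generation algorithm.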
bleepingcomputer 2021-08-31 11:12:09 Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs (direct link) Cybercriminals are making strides towards attacks with malware that executes code from the graphics processing unit (GPU) of a compromised system. [...] Malware Tool
Pirate 2021-08-30 18:53:57 Karkinos – Beginner Friendly Penetration Testing Tool (direct link) Karkinos is a light-weight, beginner-friendly penetration testing tool, basically a 'Swiss Army Knife' for pen-testing and/or hacking CTFs. Features: encoding/decoding characters; encrypting/decrypting text or files; reverse shell handling; cracking and generating hashes. How to install: the dependencies are any server capable of hosting PHP (tested with PHP 7.4.9), Python (tested with Python 3.8; make sure it is in your PATH as `python` on Windows or `python3` on Linux, otherwise change the commands in includes/pid.php) and pip3. Raspberry Pi Zero friendly :) (crack hashes at your own risk). Then: git clone https://github.com/helich0pper/Karkinos.git; cd Karkinos; pip3 install -r requirements.txt; cd wordlists && unzip passlist.zip (you can also unzip it manually using a file explorer). Read the rest of Karkinos – Beginner Friendly Penetration Testing Tool now! Only available at Darknet. Tool
Anomali 2021-08-24 17:11:00 Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Although Microsoft had already shipped fixes for the ProxyShell vulnerability chain in its spring 2021 Exchange security updates (the CVEs themselves were published in July 2021), researchers found nearly 2,000 unpatched servers that had recently been compromised to host webshells. These webshells give attackers persistent backdoor access to the compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells that are already in place. A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to help organizations ingest current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153 Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the operators leverage the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Windows' Encrypting File System Remote Protocol (MS-EFSRPC), which lets an unauthenticated attacker coerce NTLM authentication from Domain Controllers (DCs); the DCs are then taken over and used to push the ransomware to devices that connect to them. The attackers appear to remain resident on the network for several Ransomware Malware Tool Vulnerability Threat Patching Cloud APT 37
SecurityWeek 2021-08-24 15:42:13 New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox (direct link) Security researchers at Citizen Lab are documenting a new Apple iOS zero-click exploit being used to hijack data from fully patched iPhones in Bahrain. Citizen Lab said it found technical evidence connecting the new exploit to the Pegasus high-end spyware tool sold by controversial Israeli software vendor NSO Group. Tool
InfoSecurityMag 2021-08-24 09:40:00 Microsoft Power Apps Tool Exposed 38 Million Records by Default (direct link) Configuration muddle has now been largely resolved by Redmond Tool
TechRepublic 2021-08-23 14:09:14 Windows 365 Business: How this new tool can help your organization (direct link) Simon Bisson tried out the new Microsoft 365 tool, which allows you to create virtual machines for your staff working from home. Here's what he learned. Tool
ComputerWeekly 2021-08-23 03:00:00 Considerations when deciding on a new SIEM or SOAR tool (direct link) No details Tool
CVE 2021-08-20 19:15:10 CVE-2021-36011 (direct link) Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Tool Vulnerability
TechRepublic 2021-08-19 13:33:45 How AutoKey can make repetitive tasks, like configuring Netplan, easier (direct link) AutoKey is a handy GUI tool that can take the repetition out of a lot of your daily Linux admin tasks. Tool
CVE 2021-08-18 18:15:08 CVE-2021-37617 (direct link) The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches for the `Uninstall.exe` file in a folder that can be written to by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges during the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system. Tool Guideline
CVE 2021-08-18 16:15:07 CVE-2021-32728 (direct link) The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop Client fails to check that a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading. Tool
securityintelligence 2021-08-18 16:00:00 Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon (direct link) Recently, X-Force Red released a tool called Windows Feature Hunter, which identifies targets for dynamic link library (DLL) side-loading on a Windows system using Frida. To provide the defensive counter-measure perspective on DLL side-loading, X-Force Incident Response has released SideLoaderHunter, a system profiling script and Sysmon configuration designed to identify evidence of side-loading […] Tool
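A detection pass in the spirit of the SideLoaderHunter item above, run over Sysmon Event ID 7 (Image loaded) records: it flags a DLL whose name belongs to a Windows system library but which was loaded from outside the system directories, and an unsigned DLL sitting next to its host executable outside any trusted path. This is an added example written for this page, not SideLoaderHunter or Windows Feature Hunter code; the JSON-lines log sample is constructed, and the COMMON_SIDELOAD_NAMES list is an assumption standing in for a curated list of side-loadable DLL names.

```python
import json
from pathlib import PureWindowsPath

# Directories where system and vendor DLLs legitimately live (lower-case for comparison).
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs",
    r"c:\program files", r"c:\program files (x86)",
)
# Assumption for this example: DLL names that attackers commonly plant next to a legitimate
# signed executable. SideLoaderHunter's own list is not reproduced here.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "uxtheme.dll", "msimg32.dll", "dbghelp.dll",
}

# Constructed Sysmon Event ID 7 records as JSON lines, the shape a WEF/SIEM export produces.
# Field names follow Sysmon's schema; Signed/SignatureStatus describe ImageLoaded, not Image.
SAMPLE_LOG = r"""
{"EventID": 7, "UtcTime": "2021-08-18 10:01:02.123", "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2021-08-18 10:02:15.456", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\GoogleUpdate.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2021-08-18 10:03:44.789", "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\vendorlib.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 1, "UtcTime": "2021-08-18 10:04:00.000", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def side_load_findings(event: dict) -> list:
    """Return the reasons this Event ID 7 record looks like DLL side-loading (empty list if benign)."""
    if event.get("EventID") != 7:
        return []
    exe, dll = event["Image"], event["ImageLoaded"]
    dll_name = PureWindowsPath(dll).name.lower()
    dll_dir = _dir(dll)
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    # Trailing separator so "c:\program filesx" does not match "c:\program files".
    in_trusted_dir = any((dll_dir + "\\").startswith(d + "\\") for d in TRUSTED_DLL_DIRS)
    reasons = []
    if dll_name in COMMON_SIDELOAD_NAMES and not in_trusted_dir:
        reasons.append(f"system DLL name {dll_name} loaded from non-system directory {dll_dir}")
    if not validly_signed and not in_trusted_dir and dll_dir == _dir(exe):
        reasons.append("unsigned DLL co-located with its host executable outside a trusted directory")
    return reasons


def hunt(log_text: str) -> list:
    """Parse a JSON-lines Sysmon export and return the flagged load events with their reasons."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = side_load_findings(ev)
        if reasons:
            hits.append({"UtcTime": ev.get("UtcTime"), "Image": ev["Image"],
                         "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["UtcTime"], h["Image"], "->", h["ImageLoaded"])
        for r in h["reasons"]:
            print("   ", r)
```

Event ID 7 is not enabled in Sysmon's default configuration and is noisy once it is, so the configuration shipped with a script like this normally includes only ImageLoaded paths outside System32, SysWOW64 and Program Files. The Signed and SignatureStatus fields describe the loaded DLL, not the host process; confirming that the host executable is itself legitimately signed needs a separate lookup, for example the Event ID 1 record carrying the same ProcessGuid.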
Chercheur 2021-08-18 11:23:54 Tetris: Chinese Espionage Tool (direct link) I'm starting to see writings about a Chinese espionage tool that exploits website vulnerabilities to try and identify Chinese dissidents. Tool
Mandiant 2021-08-18 08:01:01 Detecting Embedded Content in OOXML Documents (direct link) On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we're sharing a technique we use to detect and cluster Microsoft Office documents, specifically those in the Office Open XML (OOXML) file format. Additionally, we're releasing a tool so analysts and defenders can automatically generate YARA rules using this technique. OOXML File Format Beginning with Microsoft Office 2007, the default file format for Excel, PowerPoint, and Word documents switched from an Object Linking and Embedding (OLE) based format to OOXML. For Tool
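One way to do the kind of OOXML inspection the Mandiant item above describes: open the package as the ZIP archive it is, read [Content_Types].xml, flag parts declared as VBA projects, OLE objects or ActiveX controls (or stored under the embeddings/activeX folders), check whether they carry an OLE compound-file header, and emit a YARA rule keyed on the part names. This is an added example written for this page, not Mandiant's tool or a reproduction of its technique; the macro-enabled .docx it builds in memory is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header used by VBA projects and OLE objects

# Content types Office registers for executable or embedded content.
SUSPICIOUS_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.openxmlformats-officedocument.oleObject",
    "application/vnd.ms-office.activeX",
)
# Folders where Word, Excel and PowerPoint store embeddings and ActiveX controls.
SUSPICIOUS_PREFIXES = tuple(f"{app}/{kind}/" for app in ("word", "xl", "ppt")
                            for kind in ("embeddings", "activeX"))


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal macro-enabled .docx carrying a VBA project and one OLE embedding."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """List every part of an OOXML package and flag those declared or named as embedded/executable content."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        defaults, overrides = {}, {}
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            # Default maps an extension to a content type; Override pins one specific part.
            defaults = {e.get("Extension", "").lower(): e.get("ContentType", "")
                        for e in root.iter(CT_NS + "Default")}
            overrides = {e.get("PartName", ""): e.get("ContentType", "")
                         for e in root.iter(CT_NS + "Override")}
        flagged = {}
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ctype = overrides.get("/" + name) or defaults.get(ext, "")
            if ctype.startswith(SUSPICIOUS_CONTENT_TYPES) or name.startswith(SUSPICIOUS_PREFIXES):
                flagged[name] = {"content_type": ctype or "(undeclared)",
                                 "ole_header": z.read(name)[:8] == OLE_MAGIC}
        return {"parts": names, "flagged": flagged}


def make_yara_rule(rule_name: str, part_names) -> str:
    """Emit a YARA rule matching a ZIP container whose directory lists all of the given part names."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, part in enumerate(sorted(part_names)):
        lines.append(f'        $part{i} = "{part}" ascii')
    # 0x04034b50 is the little-endian "PK\x03\x04" local-file-header signature at offset 0.
    lines += ["    condition:", "        uint32(0) == 0x04034b50 and all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    report = inspect_ooxml(build_sample_docx())
    for part, info in report["flagged"].items():
        print(f"{part}: {info['content_type']} ole_header={info['ole_header']}")
    print(make_yara_rule("ooxml_vba_and_ole_embedding", report["flagged"]))
```

ZIP stores part names uncompressed in every local file header and again in the central directory, so a YARA rule matching on part names works on the compressed container without extracting it. A rule like this is a clustering aid, not a verdict: legitimate documents carry OLE embeddings too, which is why the declared content type and the OLE-header check are reported side by side rather than collapsed into a single boolean.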
SecurityAffairs 2021-08-18 07:03:22 Hamburg's data protection agency (DPA) states that using Zoom violates GDPR (direct link) The German state's data protection agency (DPA) warns that the Senate Chancellery's use of the popular videoconferencing platform Zoom violates the European Union's General Data Protection Regulation (GDPR). The DPA is concerned by the transfer of […] Tool
Anomali 2021-08-17 17:56:00 Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Colonial Pipeline Reports Data Breach After May Ransomware Attack (published: August 16, 2021) Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred in May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to the increased level of attention from governments, but later resurfaced under the new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that BlackMatter's RSA and Salsa20 implementation, including its use of a custom matrix, comes from DarkSide. Analyst Comment: The BlackMatter (ex-DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given its profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes add data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth, including patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention (DLP) systems. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA Indra — Hackers Behind Recent Attacks on Iran (published: August 14, 2021) Check Point Research discovered that a July 2021 cyber attack against Iran's railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper, named Stardust and Comet, were seen in Syria, where Indra had been attacking the oil, airline, and financial sectors since at least 2019. Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. As with ransomware protection, organizations should improve their intrusion detection methods and maintain a resilient backup system to withstand wiper attacks. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline APT 27
TechRepublic 2021-08-17 17:48:20 SolarWinds makes DBA xPress free to support DataOps (direct link) The new tool should help make cloud migrations less painful for database managers, according to the company. Tool
Kaspersky 2021-08-17 13:58:12 Apple: CSAM Image-Detection Backdoor 'Narrow' in Scope (direct link) Computing giant tries to reassure users that the tool won't be used for mass surveillance. Tool
CVE 2021-08-16 19:15:13 CVE-2021-22932 (direct link) An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled. Customers are only affected by this issue if they previously selected “Enable Encryption” in the ShareFile configuration page and did not re-select this setting after running the CTX269106 mitigation tool. ShareFile customers who have not run the CTX269106 mitigation tool, or who re-selected “Enable Encryption” immediately after running the tool, are unaffected by this issue. Tool
Blog 2021-08-15 09:36:02 Nmap for Pentester: Password Cracking (direct link) In this article we showcase the Nmap brute NSE scripts for dictionary attacks, since Nmap is such a large tool that it can't be covered in one post. If you're wondering whether a brute-force attack using Nmap is doable: yes, Nmap includes an NSE-based script Tool
TechRepublic 2021-08-13 18:05:09 How to install Webmin on Rocky Linux (direct link) With Webmin, you can better secure and manage your instances of Rocky Linux. Jack Wallen walks you through the process of getting this web-based tool up and running. Tool
CVE 2021-08-13 12:15:07 CVE-2021-37350 (direct link) Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation. Tool Vulnerability
SecurityAffairs 2021-08-13 08:07:19 Google open-sourced Allstar tool to secure GitHub repositories (direct link) Google has open-sourced the Allstar tool, which can be used to secure GitHub projects by enforcing a set of security policies that prevent misconfiguration. “Allstar is a GitHub App installed on organizations or repositories to set and enforce security policies. Its […] Tool
Anomali 2021-08-12 15:00:00 Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry (direct link) Authored by: Tara Gould and Rory Gould Key Findings Spearphishing emails are targeting the manufacturing industry in Taiwan and Korea to spread malware. Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts, delivering Warzone RAT. Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah. Overview Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the threat group Aggah. Our analysis found multiple PowerPoint files containing malicious macros that used MSHTA to execute a script, which in turn used PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence that this is Aggah. Aggah Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.[1] The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRat.[2] Unit 42 initially believed, due to shared high-level TTPs as well as the use of RevengeRat, that Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments.[3] However, there were prominent Gorgon Group indicators not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. Other researchers agree that Aggah is an Urdu-speaking Pakistani group, due to the use of Urdu words written in Latin script, but stress this does not mean they are the Gorgon Group.[4] Aggah has been consistently active since 2019, generally using the same identifiable TTPs. This past year was a notable one for the group, with a 2020 campaign targeting Italian organizations and manufacturing sectors around the world.[5] Later that same year, Aggah was observed likely selling or loaning malware to lower-level Nigerian actors.[6] Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.[7] The move to compromised sites is likely because files hosted on the Internet Archive are being taken down much more quickly, and is a notable change for Aggah. Technical Analysis Email The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021 to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company; FomoTech, a Taiwanese engineering company; and Hyundai Electric, a Korean power company. Spoofing business-to-business (B2B) email addresses relevant to the targeted industry is consistent with Aggah's past activity.[8] Figure 1 - Spoofed Spearphishing Email Sent to Fon Star PowerPoint File (file name: Purchase order 4500061977,pdf.ppam; MD5: b5a31dd4a6af746f32149f9706d68f45) When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) contained in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545h Malware Tool Threat
NakedSecurity.webp 2021-08-12 14:28:43 S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast] (lien direct) Latest episode - listen now! (And learn about the Navajo Nation's selfless cryptographic contribution to America.) Tool
bleepingcomputer.webp 2021-08-12 13:51:56 Windows 11 gets new versions of Snipping Tool, Mail, and Calculator (lien direct) Microsoft is rolling out its first Windows 11 app updates with new versions of the Calculator, Mail and Calendar, and the Snipping Tool apps. [...] Tool
Chercheur.webp 2021-08-11 11:42:27 Cobalt Strike Vulnerability Affects Botnet Servers (lien direct) Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send... Tool Vulnerability
TechRepublic.webp 2021-08-10 16:01:02 Deploy this web interface to your data center for user account control (lien direct) If you're looking for a tool to cut down on the time you spend managing user accounts, let Usermin hand some of those duties over to your end-users. Tool
TechRepublic.webp 2021-08-10 13:40:07 Hate your job? Find a new one with this LinkedIn tool (lien direct) As employers ramp up hiring, a free online tool helps people identify new career pathways and upskilling opportunities to make a career change a reality. Tool
TechRepublic.webp 2021-08-09 19:10:27 How to use the Windows Media Creation Tool to create a Windows 10 ISO file (lien direct) The free Windows Media Creation Tool from Microsoft grants you the power to create your own bootable Windows 10 backup, but you have to find and download it first. Tool
TechRepublic.webp 2021-08-09 13:58:40 Microsoft's Azure Data Share: How to use this big data tool (lien direct) Microsoft's cloud-hosted data sharing tools are for anyone who needs to work with big data. Tool
Veracode.webp 2021-08-06 09:32:28 Recap: Black Hat USA 2021 (lien direct) Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw a 50% uptick in cyberattacks), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. 
Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. 
In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of Tool Threat
SecureMac.webp 2021-08-06 04:58:07 Checklist Short: Finding Pegasus Tracks (lien direct) A short Checklist this week, but an important one: A free tool to help detect Pegasus spyware on an iPhone! Tool
NakedSecurity.webp 2021-08-05 17:01:12 “Cobalt Strike” network attack tool patches crashtastic server bug (lien direct) Ahhhh, the irony! Red-team network attack tool has its very own bug for Blue Teams to counterexploit. Tool
TechRepublic.webp 2021-08-04 13:40:37 How to do machine learning without an army of data scientists (lien direct) Commentary: Machine learning is still harder than it needs to be. The open-source tool ModelDB and the ML model management platform Verta can help. Tool
FireEye.webp 2021-08-03 15:39:20 capa 2.0: Better, Faster, Stronger (lien direct) We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven't heard of capa before, or need a refresher, check out our first blog post. You can download capa 2.0 standalone binaries from the project's release page and check out the source code on GitHub. capa 2.0 enables anyone to contribute rules more easily, which makes the existing ecosystem even more vibrant. This blog post details the following major improvements included in capa 2.0: New features and enhancements for the capa explorer IDA Pro plugin, allowing you to interactively explore capabilities and write new rules without switching windows More concise and relevant results via identification of library functions using FLIRT and the release of accompanying open-source FLIRT signatures Hundreds of new rules describing additional malware capabilities, bringing the collection up to 579 total rules, with more than half associated with ATT&CK techniques Migration to Python 3, to make it easier to integrate capa with other projects capa explorer and Rule Generator capa explorer is an IDAPython plugin that shows capa results directly within IDA Pro. The version 2.0 release includes many additions and improvements to the plugin, but we'd like to highlight the most exciting addition: capa explorer now helps you write new capa rules directly in IDA Pro! Since we spend most of our time in reverse engineering tools such as IDA Pro analyzing malware, we decided to add a capa rule generator. Figure 1 shows the rule generator interface. Figure 1: capa explorer rule generator interface Once you've installed capa explorer using the Getting Started guide, open the plugin by navigating to Edit > Plugins > FLARE capa explorer. 
You can start using the rule generator by selecting the Rule Generator tab at the top of the capa explorer pane. From here, navigate your IDA Pro Disassembly view to the function containing a technique you'd like to capture and click the Analyze button. The rule generator will parse, format, and display all the capa features that it finds in your function. You can write your rule using the rule generator's three main panes: Features, Preview, and Editor. Your first step is to add features from the Features pane. The Features pane is a tree view containing all the capa features extracted from your function. You can filter for specific features using the search bar at the top of the pane. Then, you can add features by double-clicking them. Figure 2 shows this in action. Figure 2: capa explorer feature selection As you add features from the Features pane, the rule generator automatically formats and adds them to the Preview and Editor panes. The Preview and Editor panes help you finesse the features that you've added and allow you to modify other information like the rule's metadata. The Editor pane is an interactive tree view that displays the stat Malware Tool
SANS.webp 2021-08-01 09:22:25 procdump Version 10.1, (Sun, Aug 1st) (lien direct) A new version of procdump, the Sysinternals tool to create process dumps, was released. Tool
TechRepublic.webp 2021-07-30 14:28:13 Is Dark Mode actually saving your smartphone battery? (lien direct) A new study compares situational use in light and dark mode and introduces a tool developers could use to assess app battery use. Tool
SecurityWeek.webp 2021-07-29 15:37:25 How Low-level Hackers Access High-end Malware (lien direct) Hacking tool downloads from underground forums are increasing, and the tools are becoming more sophisticated; low-level hackers are gaining access to hacked versions of sophisticated tools; access broking is growing; and existing tools are repurposed for more aggressive attacks. Malware Tool
CyberSkills.webp 2021-07-29 00:00:00 Why are fraudsters blitzing us with scam phone calls? (lien direct)
Chair of Cybersecurity at MTU, Dr. Donna O'Shea, contributed to this article in the Irish Times This week I have received a half dozen mobile calls from a number purporting to be very similar to my own. The caller ID shows an 087 number – like my own – and the subsequent four digits were also identical to mine, while the last three varied each time. In the jargon, this is known as “neighbour spoofing”, when a false caller ID is sent, seeming to come from the same area you live in, or a familiar looking number, to make it more likely that you will answer. When I did answer a not very convincing automated recording from “the department of social protection department” said fraud had been associated with my Personal Public Service Number (PPSN). Many of you will have received similar calls, trying to get you to “press a key” and talk to someone who tries to get you to divulge your PPSN, name, and in some cases, bank details. A recent scam text pretending to be from an Irish bank tells users that access to their account has been restricted due to a hacking attempt and invites them to input details to unlock it. These are all part of the seemingly endless cycle of scams which seem to have exploded over the past couple of years – and got increasingly sophisticated. But why is this happening? Let's look, as we would with any business, at the economics of the phone frauds. 1. Falling barriers to entry One of the first things with any business is to look at the barriers to getting involved. Whether for a criminal or legal enterprise, the cost of establishment is vital and can have a key bearing on activity levels and competition. Up to recent years, undertaking phone scams that involved hiding numbers and making thousands of calls required a significant level of technical knowledge. 
Now, according to Dr Donna O'Shea, head of the computer science department of Cork Institute of Technology (CIT), the requisite “exploit” kits are downloadable, can leverage VOIP (voice over internet protocol) technology to call from PCs and display fake numbers on the user's phone. “You don't have to be a technical person to do it any more,” she said. It is still hard to account for the massive volumes of calls now happening, according to O'Shea, but there appears to be a sharp rise in call numbers as well as increased sophistication. Relatively easily spotted calls from far-away countries are now replaced by more sophisticated “spoofing” – using numbers displaying themselves as “ordinary” Irish numbers. Showing a number close to your own is just one variant of this. It has also led to people “returning” calls to these numbers, which in some cases are valid numbers with real – and puzzled – owners. “You rang me”. . . “No I didn't . . .” At the moment incoming calls cannot be easily verified as coming from valid numbers. As the industry deregulated, numbers became portable – an 087 number can operate as part of the 086 network and so on – making it difficult to check whether incoming numbers are valid – though here and internationally this issue is being examined. Some US operators have introduced controls, but it is a constant battle to stay ahead of the scammers. Not only is it relatively easy, but generating tens of thousands of phone calls is cheap, with operators taking on a tiny – or zero – cost per call. And so the “success” rate required to make money is tiny. Business Insider calculated in the US that some 2.5 million calls could be bought from a provider for just $875 by illegal telemarketers or scammers. Even if one in every 10,000 yielded revenue of $7 on average, the initial investment would be doubled. 
And of course, phone calls are just one variant of the scammers' art, which also includes text messages and emails, all in many ways increasingly sophisticated, particularly texts allegedly from financial institutions which click through to plausible fake sites inviting you to enter your details. 2. Tool Mobile Technical ★★★
Last update at: 2024-07-12 21:08:30