What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CSO.webp 2023-01-18 02:00:00 Why it's time to review your on-premises Microsoft Exchange patch status (lien direct) We start the patching year of 2023 looking at one of the largest releases of vulnerability fixes in Microsoft history. The January 10 Patch Tuesday update patched one actively exploited zero-day vulnerability and 98 security flaws. The update arrives at a time when short- and long-term technology and budget decisions need to be made. This is particularly true for organizations using on-premises Microsoft Exchange Servers. Start off 2023 by reviewing the most basic communication tool you have in your business: your mail server. Is it as protected as it could be from the threats that lie ahead of us in the coming months? The attackers know the answer to that question. To read this article in full, please click here Tool Vulnerability Patching ★★
CVE.webp 2023-01-17 22:15:10 CVE-2022-41953 (lien direct) Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources. Tool
globalsecuritymag.webp 2023-01-17 14:22:28 Action1 Provides Free Tool to Eliminate Organizations' Exposure to Compromise after LastPass Breach (lien direct) Action1 Provides Free Tool to Eliminate Organizations' Exposure to Compromise after LastPass Breach Action1's free offering enables IT teams to gain visibility into all browsers on which the LastPass extension is installed, helping them mitigate the risks to their environments posed by the infamous breach. - Product Reviews Tool LastPass ★★★
CSO.webp 2023-01-17 10:14:00 BrandPost: Optimize Your Security Investments with the Right MDR Provider (lien direct) Traditionally, Managed Detection and Response (MDR) providers deliver MDR in one of two ways. The first is to use the customer's existing technology with select and heavily curated third-party technology integrations.“They are what we call 'bring your own technology' providers,” says Eric Kokonas, Global Head of Analyst Relations with Sophos. “Those providers take advantage of a customer's existing tool set. They say, you've made investments in security tools. We're going to provide the people and processes, and we're going to help you leverage those tools to detect and respond to advanced threats.”To read this article in full, please click here Tool
Blog.webp 2023-01-16 15:39:59 A Detailed Guide on Evil-Winrm (lien direct) Background The Evil-winrm tool was originally written by the Hackplayers team. The purpose of this tool is to make penetration testing as easy as possible, especially in Tool ★★★★
CSO.webp 2023-01-16 02:00:00 How AI chatbot ChatGPT changes the phishing game (lien direct) ChatGPT, OpenAI's free chatbot based on GPT-3.5, was released on 30 November 2022 and racked up a million users in five days. It is capable of writing emails, essays, code and phishing emails, if the user knows how to ask.By comparison, it took Twitter two years to reach a million users. Facebook took ten months, Dropbox seven months, Spotify five months, Instagram six weeks. Pokemon Go took ten hours, so don't break out the champagne bottles, but still, five days is pretty impressive for a web-based tool that didn't have any built-in name recognition.To read this article in full, please click here Tool ChatGPT ★★
CVE.webp 2023-01-14 01:15:14 CVE-2023-22471 (lien direct) Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2. Tool
CVE.webp 2023-01-14 01:15:13 CVE-2023-22470 (lien direct) Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is recommended that the Nextcloud Server is upgraded to 1.6.5 or 1.7.3 or 1.8.2. Tool
SocRadar.webp 2023-01-13 09:23:21 Threat Actors Exploit CVE-2022-44877 RCE Vulnerability in CentOS Web Panel (CWP) (lien direct) The recently patched critical vulnerability in Control Web Panel (CWP), a server management tool known as... Tool Vulnerability Threat ★★★
Blog.webp 2023-01-13 00:52:34 Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack (lien direct) The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware... Malware Tool Threat ★★
Mandiant.webp 2023-01-12 18:00:00 Making Sense of External Attack Surface Management: The Current and Future State of the Category (lien direct) The external attack surface management (EASM) category came into existence as security vendors sought to improve the gaps in asset visibility and vulnerability enumeration created by legacy tools that failed to adapt to the evolving dynamics of enterprise IT and the growth of digital ecosystems. Among challenges with gaining visibility into unknown assets, organizations are faced with risk introduced by third party assets, including applications. The Google Cybersecurity Action Team (GCAT) predicts third-party assets and dependencies within the cloud will necessitate updates to risk management Tool Vulnerability Cloud ★★★
CSO.webp 2023-01-12 03:57:00 CloudSek launches free security tool that helps users win bug bounty (lien direct) Cybersecurity firm CloudSek has launched BeVigil, a tool that can tell users how safe the apps installed on their phone are, and helps users and developers win bug bounty by helping them identify and report bugs in the code.BeVigil scans all the apps installed on a user's phone and rates them as dangerous, risky, or safe. Running as a web application for the past one year, BeVigil has already scanned over a million apps and rated them. The tool also alerts software companies and app developers about vulnerabilities found through the app, and helps users and developers win bug bounty contests from various software companies by giving them access to the code of apps running on their phone and reporting bugs.To read this article in full, please click here Tool ★★
globalsecuritymag.webp 2023-01-11 13:45:01 EfficientIP Launches Free Tool to Detect Enterprises Risk of Data Exfiltration (lien direct) EfficientIP Launches Free Tool to Detect Enterprises Risk of Data Exfiltration New tool enables organisations to ethically hack their own network and test DNS Robustness - Business News Hack Tool ★★
CVE.webp 2023-01-10 22:15:16 CVE-2023-21725 (lien direct) Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability. Tool
CVE.webp 2023-01-10 21:15:12 CVE-2023-22469 (lien direct) Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2. Tool
Blog.webp 2023-01-10 18:02:16 GDB Tricks: Tricking the Application into Generating Test Data (lien direct) While reverse engineering a Linux binary, I ran into a fairly common situation: I wanted to understand how a decompression function works, but I didn't have compressed data to test with. In this blog, I'll look at how we can manipulate the instruction pointer in the GNU debugger (gdb) to trick the software into generating test data for us! I posted this on Mastodon a while back, but I cleaned it up and expanded it a bit to make it a full blog post. I did this work in the context of my research team at Rapid7 - you can check out all of our work on the Rapid7 Research Blog (secret rss link!)! Anyway, while working on an application, I ran into a function called LZ4_decompress_safe. I wanted to learn how it worked, but EVERYTHING I tried to decompress returned an error - even test data generated by a legitimate LZ4 library! I'm not sure why it didn't work - maybe they modified it? Maybe it's a different version? Maybe the lz4 CLI tool has more or less file headers? - Dunno! But let's make the application create its own test data! I know (from Googling) that the signatures for the decompress and compress functions are: int __fastcall LZ4_decompress_safe(const char *src, char *dst, int compressedSize, int dstCapacity) int __fastcall LZ4_compress(const char *src, char *dst, int srcSize, int dstCapacity) The calling code looks like: mov ecx, dword ptr [rsp+80h+capacity] ; dstCapacity mov edx, dword ptr [rsp+88h+size] ; compressedSize mov rsi, cs:buffer ; dst mov rdi, [rsp+88h+out_buffer] ; src call LZ4_decompress_safe ; I can't figure out how to get this to work :( The functions have the exact same signature, which is super handy! I put a breakpoint on the function LZ4_decompress_safe, which will stop execution when the application attempts to decompress data: (gdb) b *LZ4_decompress_safe Breakpoint 4 at 0x40bc40 (gdb) run Starting program: [...] 
Then I sent a message to the server with the “this message is compressed!” flag set, but with uncompressed data (specifically, the contents of /etc/passwd - my go-to for longer test data). So basically, the server will think the data is compressed, but it's actually not. When the service tries to decompress the packet, it'll hit the breakpoint: (gdb) run Starting program: [...] Breakpoint 4, 0x000000000040bc40 in LZ4_decompress_safe () The calling convention on x64 Linux means that the first three arguments are placed in the rdi, rsi, and rdx registers. We want the dst buffer, which is the second argument, so we print out rsi: (gdb) print/x $rsi $63 = 0x6820f0 Tool ★★★★
DarkReading.webp 2023-01-10 17:00:00 Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL (lien direct) The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments. Tool Uber ★★
Anomali.webp 2023-01-10 16:30:00 Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company's Data (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence OPWNAI : Cybercriminals Starting to Use ChatGPT (published: January 6, 2023) Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool. Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware. 
MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP Turla: A Galaxy of Opportunity (published: January 5, 2023) Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. Andromeda sample, known from 2013, infected the Ukrainian organization in December 2021 via user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance, two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022. Analyst Comment: Advanced groups are often utilizing commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but active C2 domains gives the group a way-in to the pool of existing targets. Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated Ransomware Malware Tool Threat ChatGPT APT-C-36 ★★
Chercheur.webp 2023-01-10 12:18:55 ChatGPT-Written Malware (lien direct) I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. “It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web,” company researchers wrote. “However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code.”... Malware Tool Prediction ChatGPT ★★
News.webp 2023-01-09 21:15:11 Python Package Index found stuffed with AWS keys and malware (lien direct) British developer uses homegrown scanning tool to check for risks The Python Package Index, or PyPI, continues to surprise and not in a good way.… Malware Tool ★★
Cybereason.webp 2023-01-09 18:47:58 MITRE ATT&CK and the Art of Building Better Defenses (lien direct) MITRE ATT&CK and the Art of Building Better Defenses MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a critical tool for security practitioners seeking to understand how attackers move, operate, and conduct their attacks. Designed to look at attacks from the attacker's perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. Tool ★★
CVE.webp 2023-01-09 14:15:10 CVE-2023-22472 (lien direct) Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. Tool
CSO.webp 2023-01-09 02:00:00 11 top XDR tools and how to evaluate them (lien direct) Little in the modern IT world lends itself to manual or siloed management, and this is doubly true in the security realm. The scale of modern enterprise computing and modern application stack architecture requires security tools that can bring visibility into the security posture of modern IT components and integrate tightly to bring real-time threat detection, possibly even automating aspects of threat mitigation. This need has given rise to extended detection and response (XDR) tools.What is XDR and what does it do? XDR is a relatively new class of security tool that combines and builds on the strongest elements of security incident and event management (SIEM), endpoint detection and response (EDR), and even security orchestration and response (SOAR). In fact, some XDR platforms listed here are the fusion of existing tools the vendor has offered for some time.To read this article in full, please click here Tool Threat ★★
Blog.webp 2023-01-08 18:03:09 A Detailed Guide on Kerbrute (lien direct) Background Kerbrute is a tool used to enumerate valid Active directory user accounts that use Kerberos pre-authentication. Also, this tool can be used for password Tool ★★★★
CVE.webp 2023-01-06 15:15:09 CVE-2023-22475 (lien direct) Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens prior to sha-fb61290. An attacker who discovers an HTTP-based Canarytoken (a URL) can use this to execute Javascript in the Canarytoken's trigger history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. This vulnerability is similar to CVE-2022-31113, but affected parameters reported differently from the Canarytoken trigger request. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. Canarytokens Docker images sha-fb61290 and later contain a patch for this issue. Tool Vulnerability
Blog.webp 2023-01-05 23:47:00 Distribution of NetSupport RAT Malware Disguised as a Pokemon Game (lien direct) NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly based on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness, so they offer remote desktops, also known as GUI environments. Even though they may... Malware Tool Threat ★★
SC_Mag.webp 2023-01-05 17:26:49 New malware campaign exploits Windows error reporting tool (lien direct) K7 Security Labs reports that unidentified threat actors are using a DLL sideloading technique to deploy malware into victims' systems after gaining entry through abuse of the Windows Problem Reporting tool, according to BleepingComputer. Malware Tool Threat ★★
The_Hackers_News.webp 2023-01-05 16:21:00 Mitigate the LastPass Attack Surface in Your Environment with this Free Tool (lien direct) The latest breach announced by LastPass is a major cause for concern to security stakeholders. As often occurs, we are at a security limbo – on the one hand, as LastPass has noted, users who followed LastPass best practices would be exposed to practically zero to extremely low risk. However, to say that password best practices are not followed is a wild understatement. The reality is that there Tool LastPass ★★★
Anomali.webp 2023-01-05 05:50:00 Focusing on Your Adversary (lien direct) Every day, we hear news stories or read articles about data breaches and other cyber security threats. As malicious threat actors and the risk of cyber threats increase, protecting networks and valuable information becomes more critical. So what can organizations do to ensure their networks remain secure?  Organizations must understand their adversaries’ identities to keep data safe and protect it from cyber-attacks. This article will explore the different types of threats facing enterprise organizations and what they can do to stay ahead of them. Evolving Cyber Attacks Cyber attacks are constantly evolving as attackers continue to find new ways to exploit vulnerabilities. This includes: Increased use of artificial intelligence (AI) and machine learning: Attackers are using AI and machine learning to automate and improve the effectiveness of their attacks. For example, AI can be used to generate convincing phishing emails or to bypass security systems. Rise of ransomware: Ransomware attacks, which involve encrypting a victim’s data and demanding a ransom to decrypt it, have become increasingly common in recent years. Ransomware attacks can significantly impact businesses, disrupting operations and resulting in financial losses. More targeted attacks: Rather than broad-based attacks that aim to compromise as many systems as possible, attackers are increasingly using targeted attacks designed to exploit a particular organization’s vulnerabilities. Increased focus on mobile devices: Mobile devices, such as smartphones and tablets, are becoming increasingly vulnerable to cyber-attacks. As a result, attackers focus more on exploiting these devices’ vulnerabilities. Increased use of cloud services: As more organizations move to the cloud, attackers are finding new ways to exploit vulnerabilities in these systems. 
For example, attackers may try to gain access to an organization’s cloud-based data or disrupt its cloud-based operations. It’s not only crucial for organizations to stay up-to-date on the latest trends in cyber attacks and to implement appropriate security measures to protect against them. It’s even more important to pinpoint your adversaries and understand their TTPs in order to protect against and predict their next attack. Types of Adversaries There are many different types of cybersecurity adversaries that organizations have to deal with. Some common types of adversaries include: Hackers: Individuals or groups who attempt to gain unauthorized access to systems or networks for various reasons, such as stealing data, disrupting operations, or causing damage. Cybercriminals: Individuals or groups who use the internet to commit crimes, such as identity theft, fraud, or extortion. Cyber Terrorists: A group whose goal is to disrupt operations, cause harm, and destroy data. Increasingly targeting critical infrastructures such as power plants, water treatment facilities, transportation systems, and healthcare providers. Nation-state actors: Governments or government-sponsored organizations that use cyber attacks as part of their foreign policy or military operations. Insider threats: Individuals with legitimate access to an organization’s systems or networks who use that access to cause harm or steal sensitive information. Malicious insiders: These are individuals who are intentionally malicious and seek to cause harm to an organization’s systems or networks. Hacktivists: The term “hacktivists” refers to people who use hacking techniques to disrupt computer systems and networks in pursuit of political goals. Hackers often work alone, though some groups do exist. Script Kiddies: Originally used to describe young hackers, it now refer Ransomware Malware Tool Vulnerability Threat Industrial Prediction ★★★
Anomali.webp 2023-01-04 16:30:00 Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023) Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server. Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. 
Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022) Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect. Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use Malware Tool Vulnerability Threat Patching Medical APT 38 LastPass ★★
CSO.webp 2023-01-04 15:19:00 Attackers use stolen banking data as phishing lure to deploy BitRAT (lien direct) In a case that highlights how attackers can leverage information from data breaches to enhance their attacks, a group of attackers is using customer information stolen from a Colombian bank in phishing attacks with malicious documents, researchers report. The group, which might have been responsible for the data breach in the first place, is distributing an off-the-shelf Trojan program called ​​BitRAT that has been sold on the underground market since February 2021.Stolen data used to add credibility to future attacks Researchers from security firm Qualys spotted the phishing lures that involved Excel documents with malicious documents but appeared to contain information about real people. Looking more into the information, it appeared the data was taken from a Colombian cooperative bank. After looking at the bank's public web infrastructure, researchers found logs that suggested the sqlmap tool was used to perform an SQL injection attack. They also found database dump files that attackers created.To read this article in full, please click here Data Breach Tool
InfoSecurityMag.webp 2023-01-04 14:15:00 New Phishing Campaign Impersonates Flipper Zero to Target Cyber Professionals (lien direct) The threat actor is using an angler phishing technique to leverage the shortage of the popular hacking tool Tool Threat ★★★★
bleepingcomputer.webp 2023-01-04 12:16:37 Hackers abuse Windows error reporting tool to deploy malware (lien direct) Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique. [...] Malware Tool ★★
CS.webp 2023-01-03 17:07:44 Can these researchers help defend satellite systems targeted by hackers? (lien direct) >As threats against space systems increase, a new tool aims to improve efforts to defend against cyberattacks. Tool ★★
Anomali.webp 2022-12-29 16:30:00 Anomali Cyber Watch: Zerobot Added New Exploits and DDoS Methods, Gamaredon Group Bypasses DNS, ProxyNotShell Exploited Prior to DLL Side-Loading Attacks, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, Bypassing DNS, DDoS, Infostealers, Layoffs, Spearphishing, Supply chain, and Zero-day vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New RisePro Stealer Distributed by the Prominent PrivateLoader (published: December 22, 2022) RisePro is a new commodity infostealer that is being sold and supported by Telegram channels. Log credentials derived from RisePro are for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed software credentials, and passwords. RisePro was delivered by PrivateLoader and these two malware families have significant code similarity. It also shares similarity with the Vidar stealer in a way that both use dropped DLL dependencies. Analyst Comment: Infostealers are a continually rising threat for organizations especially with hybrid workers utilizing their own and other non-corporate devices to access cloud based resources and applications. Information from these sessions, useful to attackers, can be harvested unknown to the worker or end organization. In addition, the rise of threat actor reliance on potent commodity malware is one of the trends that Anomali analysts observe going into 2023 (see Predictions below). 
Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform). MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222 - File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012 - Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | Malware Tool Threat ★★
Pirate.webp 2022-12-29 07:36:08 HardCIDR – Network CIDR and Range Discovery Tool (direct link) HardCIDR is a Linux Bash script to discover the netblocks, or ranges (in CIDR notation), owned by the target organization during the intelligence gathering phase of a penetration test. Tool ★★★
CVE.webp 2022-12-26 20:15:10 CVE-2019-9011 (direct link) In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. Tool
CVE.webp 2022-12-26 19:15:10 CVE-2020-12069 (direct link) In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), the password-hashing feature requires insufficient computational effort. Tool
CVE.webp 2022-12-26 19:15:10 CVE-2020-12067 (direct link) In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. Tool
AlienVault.webp 2022-12-22 11:00:00 Cybersecurity for seniors this holiday season: all generations are a target (direct link) The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. During the holiday season, it is essential to take extra precautions when it comes to cybersecurity. Cybercriminals may be more active than usual, looking for ways to exploit unsuspecting users. Protect yourself and your loved ones: ensure that you and they are up to date with the latest security software, and be mindful of potential scams. Furthermore, only visit trusted websites and know the risks before making technological purchases. Cybersecurity can seem complicated, but anyone can protect themselves from common cyber threats with the correct information. Additionally, be aware of the various scams aimed at senior citizens during the holidays, such as fake holiday deals, phishing emails, fake charities, sweepstakes, or even threats to disconnect a senior's utilities. Taking these extra precautions can help ensure a safe and secure holiday season. The pandemic has highlighted the need for an intergenerational cyber awareness program to help seniors and their grandchildren stay safe online. Using a grandchild's name for a password may be cute, but it's not always the safest option. Educating seniors and their grandchildren about the risks and best practices of using technology is essential to promote cyber well-being for seniors. A conversation between generations can be a powerful tool for increasing cybersecurity and safety. By providing age-appropriate lessons, we can create a strong bond across generations and make sure that everyone can stay safe online. No matter your age, staying informed about cybersecurity is essential today. 
Elder fraud is becoming increasingly common, with scams taking different forms, such as fraudulent phone calls, phishing attempts through email and social media, or shopping scams. It is essential for everyone to be aware of the risks associated with the online world and to be responsible digital citizens. To make this easier, it takes a "cyber village" to help raise savvy cyber citizens. For example, I have been able to explain the importance of cyber to my grandparents. They enjoy using their iPad and social media to stay connected and are a great example of how anyone can become a responsible digital citizen. Be aware of the potential dangers of oversharing online, particularly on social media. Personal details such as your name, family members' names, home address, telephone numbers, and even the answers to the secret questions you set alongside your passwords should be kept private. Be wary if you're ever contacted online by someone who requests this information. It is best to ignore unsolicited requests for personal information, including Social Security numbers, bank account numbers, and passwords. Be on the lookout for any suspicious deals, discounts, or coupons that may be sent to you via email. It is essential to be aware of phishing scams, which often involve requests for you to act urgently to take advantage of a deal or prize. Also, be mindful of attachments containing malicious content, as they can infect your computer with a virus. Be vigilant and know how to spot malicious baits confidently. A password manager can be your friend. Change the default password on any device that will connect to the Internet. A device is not just your phone or laptop; everything from your Internet router, TVs, and home thermostats to Wi-Fi is included. What does a strong password look like? Use a phrase instead of a word. "Passphrases" are easy to remember but difficult to guess. 
If the field allows, use spaces as special characters for added strength; they also make the phrase easier to type. Longer is stronger for passwords. The best passwords are at least ten characters long and include some capitalization and punctuation. Typing the passphrase becomes a habit (usually within a few Tool
Watchguard.webp 2022-12-22 00:00:00 WatchGuard's Threat Lab report reveals that the top threat travels exclusively over encrypted connections (direct link) Paris, January 4, 2023 – WatchGuard® Technologies, a global leader in unified cybersecurity, has published its latest quarterly Internet Security Report, which presents the main malware and network and endpoint security threat trends analyzed by WatchGuard Threat Lab researchers in Q3 2022. Its key findings notably reveal that the quarter's top malware threat was detected exclusively over encrypted connections, that ICS attacks remain popular, that the LemonDuck malware is evolving beyond cryptomining, and that a Minecraft cheat engine delivers a malicious payload. "We cannot overstate the importance of enabling HTTPS inspection, even though it requires some tuning and exceptions to work properly. The majority of malware uses the encrypted HTTPS protocol, and these threats go undetected without inspection," said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. "Cybercriminals' most coveted targets, such as Exchange servers or SCADA management systems, rightly deserve maximum attention as well. When a patch is available, it is important to update immediately, because cybercriminals will eventually take advantage of any organization that has not yet applied the latest patch."
The Q3 Internet Security Report contains other key findings, including: The vast majority of malware travels over encrypted connections – Although it came in third on the classic top-10 malware list for Q3, Agent.IIQ topped the encrypted malware list for the same period. In fact, looking at detections of this malware on both lists, it appears that all Agent.IIQ detections come from encrypted connections. In Q3, when a Firebox appliance inspected encrypted traffic, 82% of the malware detected came through an encrypted connection, leaving only 18% of detections unencrypted. If encrypted traffic is not inspected on the Firebox, it is very likely that this average ratio applies and that the company is missing a huge share of malware. ICS and SCADA systems remain the most common attack targets – This quarter, a SQL injection attack affecting several vendors appeared in the top-ten network attacks list. Advantech is among the affected companies; its WebAccess portal is used for SCADA systems in a variety of critical infrastructure. Another serious exploit in Q3, also ranked among the top five network attacks by volume, targeted versions 1.2.1 and earlier of Schneider Electric's U.motion Builder software. A stark reminder that cybercriminals are not just quietly waiting for the next opportunity but are actively seeking to compromise systems whenever possible. Exchange Server vulnerabilities continue to pose risks – The C Ransomware Malware Tool Threat APT 3 ★★★
DarkReading.webp 2022-12-21 15:51:30 How to Run Kubernetes More Securely (direct link) The open source container tool is quite popular among developers - and threat actors. Here are a few ways DevOps teams can take control. Tool Threat Uber ★★
CVE.webp 2022-12-20 21:15:10 CVE-2022-41596 (direct link) The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components. Tool Vulnerability
Anomali.webp 2022-12-20 20:46:00 Anomali Cyber Watch: APT5 Exploited Citrix Zero-Days, Azov Data Wiper Features Advanced Anti-Analysis Techniques, Inception APT Targets Russia-Controlled Territories, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Belarus, China, Data wiping, Russia, Ukraine and Zero-days. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT5: Citrix ADC Threat Hunting Guidance (published: December 13, 2022) On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware. Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. The Anomali Platform has YARA signatures for the Tricklancer malware; network defenders are encouraged to follow the additional NSA hunting suggestions (LINK). Check MD5 hashes for key executables of the Citrix ADC appliance. Analyze your off-device logs: look for gaps and mismatches in logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5's activities. 
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT (published: December 12, 2022) In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously recorded campaigns that aim at installing cryptomining software, this one utilizes a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots. Analyst Comment: Implement timely patching and updating of your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing. MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12 Malware Tool Vulnerability Threat Patching Prediction APT 5 ★★★
AlienVault.webp 2022-12-19 11:00:00 What is SASE (direct link) Secure Access Service Edge (SASE) is an evolving cloud-focused architecture that was introduced by Gartner in 2019. SASE is designed to solve the problem of network performance and limited security visibility for distributed corporate business systems (infrastructure, platforms, and applications) in the cloud or in the corporate data center, as well as for the distributed workforce. SASE is complex and resource intensive but can be transformative and provide cost savings with the right partners, like AT&T Cybersecurity, to execute this type of strategic initiative. SASE combines the networking technology called Software-Defined Wide Area Network (SD-WAN) with four security capabilities collectively called the Security Service Edge (SSE). SD-WAN: SD-WAN operates as an overlay on top of an existing Internet circuit. Unlike a dedicated/private WAN circuit, SD-WAN can break out Internet-destined traffic closer to where the distributed workforce is located. Internal traffic is backhauled through the SD-WAN network to the data center or cloud where the corporate business systems reside. Components of the Security Service Edge: SSE incorporates four main security components used to protect business systems and the workforce. These capabilities are cloud-based to support distributed systems and a distributed workforce. SSE capabilities include the following: Zero Trust Network Access (ZTNA) – Provides segmentation of business systems and users through access control policies. Firewall as a Service (FWaaS) – Centralized security policy enforcement that can be applied across multiple business locations to give the security team greater visibility into network traffic and provide consistent policy enforcement across business systems and users. Secure Web Gateway (SWG) – Centralized web-based policy enforcement that blocks unapproved Internet traffic while protecting the distributed workforce. 
Cloud Access Security Broker (CASB) – Helps the security team understand where company data is stored (on-premises or in the cloud) and enforce the business data compliance policies. How SASE works: The traditional cybersecurity model operated by building security perimeters around the corporate office and data center where the workforce and applications reside. Security controls were located inside a DMZ between the corporate office and the data center so that traffic could be efficiently monitored, managed, and inspected. Today, business systems and users have moved out of the corporate office and data center into a distributed environment. This creates the following risks. Business systems: lack of centralized visibility and control; difficulty tracking and securing sensitive data; additional costs for security solutions; non-compliance with regulatory or industry requirements; swivel-chair tasks between network and security teams to support the organization; inefficient routing of network traffic. Users: unknown (home/public Wi-Fi) networks accessing the corporate network; employees accessing business systems from unmanaged devices; inconsistent security profiles between office and VPN user Tool ★★
CVE.webp 2022-12-17 00:15:08 CVE-2022-23531 (direct link) GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed, due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5. Tool Vulnerability
CVE.webp 2022-12-16 23:15:09 CVE-2022-23530 (direct link) GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths. Tool
CVE.webp 2022-12-15 19:15:17 CVE-2022-23526 (direct link) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client, when rendering a chart, will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created, causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that schema files are correctly formatted before passing them to the _chartutil_ functions. Tool Uber
CVE.webp 2022-12-15 19:15:17 CVE-2022-23525 (direct link) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created, causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm client will panic when given an index file that causes a memory violation. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that index files are correctly formatted before passing them to the _repo_ functions. Tool Uber
CVE.webp 2022-12-15 19:15:16 CVE-2022-23524 (direct link) Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK are exposed to a Denial of Service attack when this package panics. This issue has been patched in 3.10.3. SDK users can validate that user-supplied strings won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. Tool Uber
Last update at: 2024-07-18 10:08:18