What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Kaspersky.webp 2021-07-21 18:11:31 NPM Package Steals Passwords via Chrome's Account-Recovery Tool (lien direct) In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems via ChromePass. Tool
bleepingcomputer.webp 2021-07-21 09:00:00 NPM package steals Chrome passwords on Windows via recovery tool (lien direct) New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. Additionally, this malware listens for incoming connections from the attacker's C2 server and provides advanced capabilities, including screen and camera access.  [...] Malware Tool
The_Hackers_News.webp 2021-07-21 06:38:39 Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers (lien direct) A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser. The package in question, named "nodejs_net_server" and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent Tool Guideline
CVE.webp 2021-07-20 23:15:37 CVE-2021-32751 (lien direct) Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in their application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. For applications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with the Java command. Tool Vulnerability
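The bug class this advisory describes, as an added illustration that is not Gradle's own start script: a launcher that turns an options variable into arguments by re-parsing it with `eval`, beside one that splits it without re-parsing. The function names, the `JAVA_OPTS`-style variable and the hostile value are constructed for the example; the point is what `eval` does with environment-controlled text when the script runs as another user.

```sh
#!/bin/sh
# Added illustration of the bug class in CVE-2021-32751, not Gradle's own
# start script: a launcher that splits an options variable (one argument
# string, as a JAVA_OPTS-style variable would be) into separate arguments.

# Vulnerable: `eval` re-parses the variable's content as shell code, so
# whoever controls the environment gets command substitution, redirections
# and further commands executed as the user running the script.
split_opts_with_eval() (
    eval "set -- $1"
    printf '%s\n' "$@"
)

# Hardened: split on whitespace via the positional parameters without eval.
# `set -f` turns off pathname expansion so a '*' in the value stays literal;
# no command substitution, quoting or operators are interpreted. The subshell
# body keeps `set -f` from leaking into the caller.
split_opts_safely() (
    set -f
    # shellcheck disable=SC2086  # unquoted on purpose: word splitting is the goal
    set -- $1
    printf '%s\n' "$@"
)

# Demonstration with a constructed hostile value. Under the eval version the
# $(...) runs (here it only echoes a marker); under the safe version the same
# text is passed through as inert arguments.
HOSTILE='-Xmx1g $(echo INJECTED)'
echo "with eval:"
split_opts_with_eval "$HOSTILE"
echo "without eval:"
split_opts_safely "$HOSTILE"
```

Neither POSIX variant can keep a quoted option containing spaces as a single argument; that limitation is why launchers reach for `eval` in the first place, and why the advisory says the fix requires `bash`, whose arrays can carry such values without re-parsing text as code.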
TechRepublic.webp 2021-07-20 15:52:35 How to quickly view your files and documents in Windows with QuickLook (lien direct) The free QuickLook tool can display a variety of file types without you having to open them or launch their applications. Tool
Anomali.webp 2021-07-20 15:00:00 Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence UK and Allies Accuse China of a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021) On July 19th, 2021, the US, the UK, and other global allies jointly accused China of a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS). The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity. Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. 
When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021) Israeli surveillance company NSO Group supposedly sells spyware to vetted government bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors: pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is the malware Pegasus, which targets both iPho Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial APT 41 APT 40 APT 28 APT 31
SecurityAffairs.webp 2021-07-19 17:53:56 Experts disclose critical flaws in Advantech router monitoring tool (lien direct) Cisco Talos experts disclose details of several critical flaws in a router monitoring application developed by industrial and IoT firm Advantech. Cisco Talos researchers discovered multiple critical vulnerabilities in the R-SeeNet application developed by industrial and IoT firm Advantech. The application allows network administrators to monitor Advantech routers in their infrastructure. The monitoring tool collects […] Tool
SecurityWeek.webp 2021-07-19 14:51:49 Cisco Discloses Details of Critical Advantech Router Tool Vulnerabilities (lien direct) Cisco's Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting a router monitoring application made by Taiwan-based industrial and IoT solutions provider Advantech. The affected tool is R-SeeNet, which is designed to help network administrators monitor their Advantech routers. Tool Threat
Mandiant.webp 2021-07-19 13:00:00 capa 2.0: Better, Stronger, Faster (lien direct) We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep-dive reverse engineering. If you haven't heard of capa before, or need a refresher, check out our first blog post. You can download capa 2.0 standalone binaries from the project's release page and check out the source code on GitHub. capa 2.0 enables anyone to contribute rules more easily, which makes the existing ecosystem even more vibrant. This blog post details the following major Malware Tool Technical ★★★★
The_Hackers_News.webp 2021-07-19 06:11:04 Researchers Warn of Linux Cryptojacking Attackers Operating from Romania (lien direct) A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed "Diicot brute," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to Tool Threat
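The check a Linux administrator would want after reading about an SSH brute-forcer, as an added example that is not from the article or from the Diicot tooling: count failed password attempts per source address in sshd log lines and report the sources that cross a threshold. The log excerpt is constructed for the example (hostname, PIDs and the RFC 5737 documentation addresses are made up), and `brute_force_sources` is a name chosen here.

```sh
#!/bin/sh
# Added example, not from the article or the Diicot tooling: count failed
# SSH password attempts per source address in sshd log lines and report the
# sources at or above a threshold. The excerpt below is constructed for the
# example; the addresses are RFC 5737 documentation ranges.

SAMPLE_AUTH_LOG='Jul 18 03:12:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jul 18 03:12:02 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 41023 ssh2
Jul 18 03:12:02 web1 sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 41024 ssh2
Jul 18 03:12:03 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 41025 ssh2
Jul 18 03:12:04 web1 sshd[1208]: Failed password for alice from 192.0.2.9 port 50233 ssh2
Jul 18 03:12:05 web1 sshd[1209]: Accepted publickey for deploy from 203.0.113.5 port 50110 ssh2'

# Usage: brute_force_sources THRESHOLD < auth.log
# Prints "COUNT IP" for each source with at least THRESHOLD failures,
# highest count first. Only sshd "Failed password" events are counted, so
# successful logins and other daemons' lines are ignored. Both the
# "for USER from IP" and "for invalid user USER from IP" forms are handled.
brute_force_sources() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address follows the last "from" token; taking the
            # last one avoids being fooled by a username that contains "from".
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END {
            for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip
        }
    ' | sort -rn
}

# Run against the constructed excerpt: 198.51.100.7 has four failures and is
# reported at threshold 3; 192.0.2.9 has one and is not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

On a real host, feed it `/var/log/auth.log` or `journalctl -u ssh -o short` and pick the threshold against your own baseline; a distributed brute-forcer that rotates sources will stay under any per-address threshold, so also watch the total failure rate and the spread of usernames tried.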
Blog.webp 2021-07-17 11:11:29 Wireless Penetration Testing: Wifite (lien direct) Introduction Wifite is a wireless auditing tool developed by Derv82 and maintained by kimocoder. You can find the original repository here. In the latest Kali Linux, it comes pre-installed. It's a great alternative to more tedious wireless auditing tools and provides a simple CLI to interact and perform Tool
SANS.webp 2021-07-17 07:17:24 BASE85 Decoding With base64dump.py, (Sat, Jul 17th) (lien direct) Xavier's diary entry "Multiple BaseXX Obfuscations" covers a malicious script that is encoded with different "base" encodings. Xavier starts with my tool base64dump.py, but he cannot do the full decoding with base64dump, as it does not support BASE85. Tool
SecurityWeek.webp 2021-07-16 13:34:21 Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft (lien direct) XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool Tool
itsecurityguru.webp 2021-07-16 10:08:19 OneLogin Eases Adoption of Zero Trust Framework with Delegated Administration (lien direct) OneLogin has announced the launch of its Delegated Administration offering, which enables organizations to adopt the Zero Trust principle of least privilege access. By empowering IT administrators to easily delegate access on a granular level, organizations can balance productivity requirements with the need to aggressively protect their organization against security threats. OneLogin's Delegated Administration tool […] Tool
CVE.webp 2021-07-15 17:15:08 CVE-2021-32750 (lien direct) MuWire is a file publishing and networking tool that protects the identity of its users by using I2P technology. Users of MuWire desktop client prior to version 0.8.8 can be de-anonymized by an attacker who knows their full ID. An attacker could send a message with a subject line containing a URL with an HTML image tag and the MuWire client would try to fetch that image via clearnet, thus exposing the IP address of the user. The problem is fixed in MuWire 0.8.8. As a workaround, users can disable messaging functionality to prevent other users from sending them malicious messages. Tool
Anomali.webp 2021-07-13 15:00:00 Cyber Threat Intelligence Combined with MITRE ATT&CK Provides Strategic Advantage over Cyber Threats (lien direct) Many security executives have fundamental familiarity with the MITRE ATT&CK framework, although most perceive it within a narrow set of use cases specific to deeply-technical cyber threat intelligence (CTI) analysts. The truth though, is that when integrated into overall security operations, it can produce profound security and risk benefits. What is MITRE ATT&CK? MITRE ATT&CK serves as a global knowledge base for understanding threats across their entire lifecycle. The framework’s differentiator is its focus on tactics, techniques, and procedures (TTPs) that threats use to operate in the real world, rather than just on typical indicators like IP addresses, file hashes, registry keys, and so on. MITRE ATT&CK offers a rigorous and holistic method for understanding the types of adversaries operating in the wild and their most observed behaviors, and for defining and classifying those behaviors with a common taxonomy. This is an advantage that brings a much-needed level of organization to the chaotic threat landscape organizations face. MITRE ATT&CK has practical applications across a range of security functions when security tooling and processes are mapped to it. By characterizing threats and their TTPs in a standardized way and visualizing them through the MITRE ATT&CK matrix, the framework makes it easier for security leaders and their direct reports to determine and communicate the highest priority threats they are facing and to take more sweeping, strategic actions to mitigate them. In the Weeds? Yes and No At first glance, MITRE ATT&CK can be intimidating. It may even seem too technically in the weeds for executives who are grappling with leadership-level security concerns. However, the truth is that MITRE ATT&CK holds tremendous strategic potential. It can also help accelerate the cybersecurity maturation process. 
The framework does undoubtedly help security practitioners with their day-to-day technical analysis, making them better at their jobs. However, when used to its full potential, MITRE ATT&CK can help security executives gain better value out of existing technologies, with threat intelligence platforms (TIPs), SIEMs, and other security analytics tools being among these. More importantly, it helps establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. CISOs and other security executives could almost think of it as a tool that automates the creation of a roadmap, showing them precisely where the onramps to threats are located in their networks and what vehicles adversaries are using to enter. Let’s take a closer look at how MITRE ATT&CK works and why those in charge of security shouldn’t wait to adopt it into their strategic arsenals. Programmatic Benefits Having established that MITRE ATT&CK provides value to security leaders, let’s consider a few of the genuine benefits it delivers, as it isn’t just in the day-to-day minutiae of security operations where MITRE ATT&CK shines. Overlay. When an organization overlays its existing security posture and controls on top of MITRE ATT&CK-contextualized CTI, it becomes much easier to identify the riskiest control gaps present in the security ecosystem. Productivity. When looking at workflows and the teams available to respond to the MITRE ATT&CK-delineated TTPs most likely to target the organization, leaders can more easily identify at-risk talent and process gaps and then take steps to better address both. Prioritization. As security leaders go through their regularly scheduled validation of security coverage, they should leverage their CTI to identify the most common TTPs relevant to their environments. MITRE ATT&CK can crisply articulate this. 
With an understanding of where their biggest risks reside, executiv Tool Threat Guideline
TechRepublic.webp 2021-07-13 12:00:02 Thinking of the cloud as a cost-saving tool puts businesses at a disadvantage, Accenture finds (lien direct) The most successful companies consider cloud technology a continuum of tools for strategizing and transforming business practices, a study of leaders suggests. Tool Guideline
CVE.webp 2021-07-12 20:15:09 CVE-2021-24424 (lien direct) The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue Tool Guideline
WiredThreatLevel.webp 2021-07-12 11:00:00 GitHub's Commercial AI Tool Was Built From Open Source Code (lien direct) Copilot is pitched as a helpful aid to developers. But some programmers object to the blind copying of blocks of code used to train the algorithm. Tool ★★★★
WiredThreatLevel.webp 2021-07-11 11:00:00 A New Tool Shows How Google Results Vary Around the World (lien direct) Search Atlas displays three sets of links (or images) from different countries for any search. Tool
CVE.webp 2021-07-09 19:15:08 CVE-2021-32753 (lien direct) EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in EdgeX Edinburgh release. The default authentication method was changed to JWT in Fuji and later releases. Users should upgrade to the EdgeX Ireland release to obtain the fix. The OAuth2 authentication method is disabled in Ireland release. If unable to upgrade and OAuth2 authentication is required, users should create OAuth2 users directly using the Kong admin API and forgo the use of the `security-proxy-setup` tool to create OAuth2 users. Tool Vulnerability
ComputerWeekly.webp 2021-07-09 03:00:00 Choose the right ITSM tool for digital era success (lien direct) No more details Tool
Blog.webp 2021-07-08 19:21:05 Wireless Penetration Testing: Aircrack-ng (lien direct) In our series of Wireless Penetration Testing, this time we are focusing on a tool that has been around for ages. This is the tool that has given birth to many of the Wireless Attacks and tools. Aircrack-ng is not a tool but it is a suite of tools that Tool
securityintelligence.webp 2021-07-07 16:00:00 REvil Ransomware Gang Launches Major Supply Chain Attack Through Kaseya, Downstream Impact May Affect Over 1,500 Customers (lien direct) On July 2, 2021, Kaseya customers were notified of a compromise affecting the company’s VSA product in a way that poisoned the product’s update mechanism with malicious code. VSA is a remote monitoring and management tool for networks and endpoints intended for use by enterprise customers and managed service providers (MSPs). According to Kaseya, it […] Ransomware Tool
The_Hackers_News.webp 2021-07-07 05:53:11 [Whitepaper] XDR vs. NDR/NTA – What do Organizations Truly Need to Stay Safe? (lien direct) Security teams whose organizations are outside the Fortune 500 are faced with a dilemma. Most teams will have to choose between deploying either a network traffic analysis (NTA) or network detection and response (NDR) tool or an endpoint detection and response (EDR) tool to supplement their existing stacks. On the other hand, some organizations are getting the best of both options by switching Tool
Pirate.webp 2021-07-06 16:16:57 Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory (lien direct) Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths. It takes a starting and ending point and will use Neo4j pathfinding algorithms to find the most efficient ACL based privilege escalation path. Features: direct integration with BloodHound and the Neo4j graph database (fast pathfinding); supports any reversible ACL based attack chain (no support for resetting user passwords right now); advanced pathfinding (Dijkstra) to find the most efficient paths; support for exploitation with NTLM hashes (pass-the-hash); saves restore state for easy rollback of changes; can be run via a SOCKS tunnel; written in Python (2.7 and 3.5+), so OS independent. Installation: Aclpwn.py is compatible with both Python 2.7 and 3.5+. Tool
Anomali.webp 2021-07-06 15:05:00 Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021) A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. 
The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as a “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password. Analyst Comment: Kaseya VSA clients should follow the company’s recommendations: it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073 Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a-Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021) Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I Ransomware Spam Malware Tool Vulnerability Threat Guideline APT 19 APT 10
WiredThreatLevel.webp 2021-07-06 12:00:00 This AI Helps Police Track Social Media. Does It Go Too Far? (lien direct) Law enforcement officials say the tool can help them combat misinformation. Civil liberties advocates say it can be used for mass surveillance. Tool
bleepingcomputer.webp 2021-07-05 04:59:25 REvil ransomware asks $70 million to decrypt all Kaseya attack victims (lien direct) REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack. The gang wants $70 million in Bitcoin for the tool that allows all affected businesses to recover their files. [...] Ransomware Tool
The_Hackers_News.webp 2021-07-04 23:42:47 Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw (lien direct) Microsoft is urging Azure users to update the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as CVE-2021-26701 (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and has been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn't impacted by the flaw. Tool Vulnerability
SANS.webp 2021-07-03 19:33:06 Finding Strings With oledump.py, (Sat, Jul 3rd) (lien direct) In diary entry "CFBF Files Strings Analysis" I show how to extract strings from CFBF/ole files with my tool oledump.py. Tool
SecurityAffairs.webp 2021-07-03 18:01:06 Kaseya VSA supply-chain ransomware attack hit hundreds of companies (lien direct) A supply chain attack by REvil ransomware operators against Kaseya VSA impacted multiple managed service providers (MSPs) and their clients. A new supply chain attack made the headlines this afternoon: the REvil ransomware gang hit the cloud-based MSP platform, impacting MSPs and their customers. Kaseya has 40,000 customers, but not all of them use the VSA tool, which is […] Ransomware Tool
SecurityWeek.webp 2021-07-03 12:30:24 IT Software Firm Kaseya Hit By Supply Chain Ransomware Attack (lien direct) Supply chain cyberattack by REvil ransomware gang on IT management tool could have wide blast radius Ransomware Tool
The_Hackers_News.webp 2021-07-02 02:56:26 New Google Scorecards Tool Scans Open-Source Software for More Security Risks (lien direct) Google has launched an updated version of Scorecards, its automated security tool that produces a "risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis. "With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Tool
no_ico.webp 2021-07-01 12:58:11 (Déjà vu) CISA Ransomware Assessment Tool Released (lien direct) BACKGROUND: The Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment… Ransomware Tool
SecurityAffairs.webp 2021-07-01 11:33:44 (Déjà vu) US CISA releases a Ransomware Readiness Assessment (RRA) tool (lien direct) The US CISA has released the Ransomware Readiness Assessment (RRA), a new ransomware self-assessment security audit tool. The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new ransomware self-assessment security audit tool for the agency’s Cyber Security Evaluation Tool (CSET). RRA could be used by organizations to determine […] Ransomware Tool
SecurityWeek.webp 2021-07-01 11:28:24 (Déjà vu) CISA Adds Ransomware Module to Cyber Security Evaluation Tool (lien direct) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced the release of a new module for its Cyber Security Evaluation Tool (CSET), namely the Ransomware Readiness Assessment (RRA). Ransomware Tool
ComputerWeekly.webp 2021-07-01 07:49:00 (Déjà vu) US Cybersecurity and Infrastructure Security Agency launches ransomware assessment tool (lien direct) No more details Ransomware Tool
bleepingcomputer.webp 2021-06-30 19:01:14 Leaked Babuk Locker ransomware builder used in new attacks (lien direct) A leaked tool used by the Babuk Locker operation to create custom ransomware executables is now being used by another threat actor in a very active campaign targeting victims worldwide. [...] Ransomware Tool Threat
SecurityWeek.webp 2021-06-30 16:59:19 IBM Gifts Threat Hunting Tool to Open Cybersecurity Alliance (lien direct) IBM Corp. on Wednesday announced that it is contributing the Kestrel open-source programming language for threat hunting to the Open Cybersecurity Alliance (OCA). Tool Threat
bleepingcomputer.webp 2021-06-30 16:26:33 CISA releases new ransomware self-assessment security audit tool (lien direct) The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). [...] Ransomware Tool
bleepingcomputer.webp 2021-06-30 15:43:11 Windows 11 makes TPM Diagnostics tool its first optional feature (lien direct) Windows 11 comes with a new optional feature called 'TPM Diagnostics' that allows administrators to query the data stored on a device's TPM security processor. [...] Tool
The_Hackers_News.webp 2021-06-30 00:10:13 GitHub Launches 'Copilot' - AI-Powered Code Completion Tool (lien direct) GitHub on Tuesday launched a technical preview of a new AI-powered pair programming tool that aims to help software developers write better code across a variety of programming languages, including Python, JavaScript, TypeScript, Ruby, and Go. Copilot, as the code synthesizer is called, has been developed in collaboration with OpenAI, and leverages Codex, a new AI system that's trained on Tool
TechRepublic.webp 2021-06-29 18:06:17 How legitimate security tool Cobalt Strike is being used in cyberattacks (lien direct) Normally used by organizations for penetration testing, Cobalt Strike is exploited by cybercriminals to launch attacks, says Proofpoint. Tool
TechRepublic.webp 2021-06-29 17:39:43 How to scan your RHEL-based Linux servers for outdated libraries with CloudLinux UChecker (lien direct) Your Linux server libraries might be out of date, leading to security issues. CloudLinux has a tool that can quickly list those out-of-date libraries on AlmaLinux or a similar distribution. Tool Guideline
Anomali.webp 2021-06-29 16:29:00 Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Signed a Malicious Netfilter Rootkit (published: June 25, 2021) Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver. Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running. MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130 Tags: Netfilter, China Dell BIOSConnect Flaws Affect 30 Million Devices (published: June 24, 2021) Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. 
The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws. Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect Malicious Spam Campaigns Delivering Banking Trojans (published: June 24, 2021) Analysis from two mid-March 2021 spam campaigns revealed that th Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching APT 30
Veracode.webp 2021-06-29 11:30:29 Speed or Security? Don't Compromise (lien direct) “Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff's words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital. In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems. A lack of an efficient and flexible AppSec program becomes an issue when you look at the data: Cyberattacks occur every 39 seconds. 60 percent of developers are releasing code 2x faster than before. 76 percent of applications have at least one security flaw on first scan. 85 percent of orgs admit to releasing vulnerable code to production because of time restraints. A mere 15 percent of orgs say that all of their development teams participate in formal security training. But there's good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers. The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work. You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance. 
Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road. Automation and developer education In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed. Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways – if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems. One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real-time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most. The prioritization conundrum Security debt can feel like a horror movie villain as it lingers in the background. But it isn't always teeming with high-risk flaws that should be tackled first, and so it's important to carefully consider how to approach prioritization. 
A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority: “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which Hack Tool Vulnerability Guideline
Kaspersky.webp 2021-06-29 09:00:51 Cobalt Strike Usage Explodes Among Cybercrooks (lien direct) The legit security tool has shown up 161 percent more, year-over-year, in cyberattacks, having “gone fully mainstream in the crimeware world.” Tool
AlienVault.webp 2021-06-28 10:00:00 Asset management in the age of digital transformation (lien direct) Over the past year or so, organizations have rapidly accelerated their digital transformation by employing technologies like cloud and containers to support the shift to IoT and address the expanding remote workforce. Visibility Matters: This digital shift calls for a new approach to asset visibility, as traditional asset administration responsibilities like inventory, software support, and license oversight are often the purview of IT and addressed with IT inventory-focused tools. Along the way, many organizations have lost control over their IT asset inventory as they rush to adopt new transformation technologies that have blurred the boundaries of their traditional network perimeters. This lack of visibility into an IT environment undermines the foundations of enterprise security and compliance infrastructure and puts an organization at serious risk of a breach. What you don't know can hurt you! Fundamentally, security teams need to monitor IT asset health from a cybersecurity perspective to help detect security tool blind spots and respond to exposures quickly. It isn't easy to secure something in the world of cybersecurity if you don't know it exists. That's why cybersecurity asset management (or CSAM) is a critical component of the foundation of cybersecurity operations across businesses of all types. By providing a security team a real-time directory of IT assets and their associated security risks, CSAM is one of the building blocks of a proactive, end-to-end security strategy. Asset inventory challenges: Overall, the process of getting asset inventory can be cumbersome and time-consuming for an organization, but a few immediate challenges are: Collecting data from multiple sources, especially in a large, distributed environment. 
Over the past year, organizations have rapidly accelerated their digital transformation by utilizing technologies such as cloud and container that support the shift to IoT and a remote workforce. Many organizations have lost control over their IT asset inventory as they rush to adopt these new strategies that have blurred the boundaries of their network perimeters. Testing/validating compliance: More and more compliance / best practices frameworks are moving towards a risk-based or maturity-focused goal. This requires organizations to know where they stand concerning control objectives, not "at some point in time" but rather "at any point in time." Without a comprehensive and almost real-time inventory of all assets within an organization, it is nearly impossible to validate compliance in a programmatic fashion. Implementing cyber asset inventory management: To maintain a complete, detailed, and continuously updated inventory of all your IT assets, wherever they reside (on-premises, in cloud instances, or mobile endpoints), you need an automated, cloud-based system that gives you the following capabilities: It needs to provide complete visibility of your IT environment, covering all IT assets, including hardware and software. It needs to perform continuous and automatic updates of the IT and security data. It needs to be rapidly scalable without the need for additional hardware. It needs to help highlight and rank the criticality of assets. It needs interactive and customizable reporting features so you can slice/dice the data as required and ensure the reporting is consumable across multiple audiences. Cybersecurity is a team sport. Having the ability to identify tooling that can consolidate workloads and meet cross-organizational functional requirements can be a massive win for the organization. Asset management crucial to Zero T Tool
Veracode.webp 2021-06-28 09:40:27 Too Many Vulnerabilities and Too Little Time: How Do I Ship the Product? (lien direct) The percentage of open source code in the enterprise has been estimated to be in the 40 percent to 70 percent range. This doesn't make the headlines anymore, but even if your company falls in the average of this range, there is no dearth of work to do to clean up, comply with AppSec policies, and ship the product. Phew! So where do you start when it comes to resolving all the vulnerabilities uncovered in your open source libraries? By prioritizing the findings from your scans and addressing the most critical and relevant vulnerabilities first. How do you prioritize? CVSS severities are an obvious choice, but considering the percentage of open source code you are dealing with, and depending on the language under the scanner, this alone might not bring the vulnerabilities to be addressed to a manageable number within your resource and time constraints. We will look at some common prioritization approaches before looking at Veracode's recommendation based on our deep expertise gathered from advising hundreds of customers about this aspect of their AppSec program. Common prioritization approaches: You can resolve your findings to comply with your AppSec policy by prioritizing along one of a few dimensions. Here is a list of the most common prioritization approaches: Threat-focused approach: This zeroes in on the flaws that are actively targeted in the wild through malware, exploit kits, ransomware, or threat actors. Vulnerability-focused approach: This prioritizes flaws and vulnerabilities according to how critical they are. For example, how easy they are to exploit, what their exploitation impact looks like, or if there is a public exploit available. Asset-focused approach: This gives the highest priorities to vulnerabilities that are associated with critical assets, and then orders the rest by how dangerous they are. 
Some organizations measure the exploitability of different flaws and vulnerabilities, taking a threat-focused approach as outlined above. This can also factor in the maturity of known flaws, which sometimes impacts how easy it is to remediate, or how exploitable it is out in the wild. While these approaches are a good starting point and cover the broad base of risk, there is an additional piece of information that can make it easy for security stakeholders and developers to prioritize their Software Composition Analysis (SCA) scan findings when operating under tight resource and time constraints. Vulnerable methods: a powerful arrow in your AppSec quiver. If the goal of AppSec is to ship clean code fast, then Veracode's vulnerable methods feature is a powerful arrow in your quiver to hit that target. Veracode's vulnerable methods feature goes beyond severities and exploitability to answer the key question for prioritization: How is this finding from the SCA scan relevant to my code? It answers that question by pointing to the precise function/method that makes a library vulnerable. This allows you to quickly assess whether it is worth the effort to remediate an SCA finding. Once a library is known to be vulnerable, our security research team researches and documents the exact function/method that makes it vulnerable. This team (say hello to them if you visit Singapore) of security experts, data scientists, and programmers continues to add new languages to our repository of languages for which we provide vulnerable methods coverage. When you're ready to tackle your security backlog, examine how particular applications use vulnerable methods and prioritize them in a way that reduces the immediate threat quickly. Getting ahead of possible exploits while reducing debt: Security debt and unresolved vulnerabilities can feel daunting to developers and security professionals, especially as open source code only continues to increase its footprint in enterprise applications. 
But with a powerful tool like Veracode's vulnerable methods, you can go beyond severity or exploitability and focus on what really matters to your organization. Learn more about Veracode's Software Composition Analysis solution by readi Tool Threat
Last update at: 2024-07-18 14:07:42