What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
CVE.webp 2021-06-16 22:15:07 CVE-2021-32690 (lien direct) Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on. Tool Vulnerability Uber
SecurityWeek.webp 2021-06-16 16:55:21 Google Rolls out E2EE For Android Messages App (lien direct) Google has finally enabled end-to-end encryption (E2EE) for the Messages app in Android but the privacy-enhancing tool remains somewhat limited. Google announced end-to-end encryption is now available in Android, but only for one-on-one conversations between users of the Messages app. Tool
TechRepublic.webp 2021-06-15 15:00:03 Box launches new free self-service cloud migration tool (lien direct) Businesses moving less than 10TB that meet certain other conditions can take advantage of Box Shuttle to move data from on-premise systems to its cloud services without cost, but others may still have to pay. Tool
TechRepublic.webp 2021-06-15 13:20:07 Accenture crowdsources 25 signals of business change (lien direct) The firm offers an interactive tool to guide companies trying to navigate change in the "era of compressed transformation." Tool
SecurityAffairs.webp 2021-06-15 11:54:20 Wear your MASQ! New Device Fingerprint Spoofing Tool Available in Dark Web (lien direct) The MASQ tool could be used by attackers to emulate device fingerprints thus allowing them to bypass fraud protection controls The Resecurity® HUNTER unit has identified a new tool available for sale in the Dark Web called MASQ, enabling bad actors to emulate device fingerprints thus allowing them to bypass fraud protection controls, including authentication mechanisms. One of the […] Tool
SecurityWeek.webp 2021-06-14 21:00:28 CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack (lien direct) Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach. Hack Tool
TechRepublic.webp 2021-06-14 16:06:52 IBM Watson Orchestrate uses AI to help improve sales, HR and operations (lien direct) A new, personal interactive tool for professionals was recently unveiled at IBM's Think conference. Tool
Anomali.webp 2021-06-14 15:01:00 SOAR is an Architecture, Not a Product (lien direct) Over the past several years, the rising star of security orchestration, automation, and response (SOAR) tools keeps climbing higher. As organizations struggle to handle the crush of alerts surging out of their security controls with not enough cybersecurity professionals to manage the work, SOAR products promise to bring some sanity to the process. The promise is that SOAR platforms can help security operations teams to sail through the massive volume of alerts they face and better coordinate their security incident response lifecycle with custom playbooks tailored to an organization’s response policies. Many organizations are already starting to reap these benefits. But as SOAR use cases evolve to real world situations and industry analysts adjust their definition of the market, it's becoming increasingly clear that SOAR is less of a singular platform and more of a comprehensive architecture for tying a lot of threads in the security stack together in a meaningful fashion, including threat intelligence platform (TIP) capabilities. What is SOAR? SOAR is part of the cybersecurity industry's long-term push toward improved security automation. As the name suggests, there are three core functions that SOAR products have historically delivered to security teams: Orchestration: Customized security orchestration helps integrate the dozens of best-of-breed security tools that the typical SOC has accumulated over the years. These tools often do very specialized tasks but teams struggle because they don’t play nicely with one another. Orchestration within a SOAR product is usually used to aggregate data from a number of different sources to enrich alerts, consolidate and deduplicate alert data, and initiate remediation actions on third-party systems. 
Automation: In the context of SOAR, security automation executes a sequence of tasks related to a security workflow without requiring much human intervention. It’s typically implemented via ‘playbooks’ that script automated processes to replace time-consuming but relatively simple processes, leaving skilled analysts freed up to carry out more advanced threat mitigation activities. Response: Incident response consists of alert triage, case management, security incident investigation, threat indicator enrichment, and response actions. For example, a security event or alert should automatically pull in contextual data like IPs, domains, file hashes, user names, and email addresses to provide the analyst a rapid understanding of the security scenario. Then the analyst should be able to issue investigative, containment or response actions against the data. To accomplish these tasks, SOAR uses threat intelligence to prioritize and enrich the incidents that they manage. TIP and Gartner's Latest Definition of SOAR This vital role of threat intelligence management in SOAR has grown to such prominence that many SOAR tools have started building in limited threat intelligence capabilities that mirror some of what a more fully featured TIP would offer. In fact, Gartner's latest definition of SOAR now names the operationalization of threat intelligence as "table stakes" for SOAR tools. Its 2020 market guide says that SOAR convergence is now not only roping in security incident response platform (SIRP) and security orchestration and automation (SOA) technology, but also TIP technology. SOAR architectures SOAR architectures are comprised of a combination of proven technologies, with threat intelligence platforms (TIPs) and the integrations they provide serving as a cornerstone. But here's the thing, while SOAR is certainly enriched by TIP and while SOAR tools depend on native threat intelligence functionality, true SOAR benefits f Tool Threat
TechRepublic.webp 2021-06-14 11:30:48 Get your software ready for the next Windows update with this tool (lien direct) Instead of running your own fleet of test PCs for software updates, why not let Microsoft manage them in the cloud? Tool
Blog.webp 2021-06-14 10:26:17 Wireless Penetration Testing: Fern (lien direct) Fern is a Python-based Wi-Fi cracker tool used for security auditing purposes. The program is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks. The tool is available both as open source and a premium model of the free Tool
SecurityWeek.webp 2021-06-11 12:32:49 Canada Privacy Watchdog Slams Police Use of Facial Recognition Tool (lien direct) Federal police broke Canada's privacy laws by using a US company's controversial facial recognition software in hundreds of searches, an independent parliamentary watchdog ruled Thursday. Tool
codewhitesec.webp 2021-06-11 12:05:33 About the Unsuccessful Quest for a Deserialization Gadget (or: How I found CVE-2021-21481) (lien direct) This blog post describes the research on SAP J2EE Engine 7.50 I did between October 2020 and January 2021. The first part describes how I set off to find a pure SAP deserialization gadget, which would allow leveraging SAP's P4 protocol for exploitation, and how that led me, by sheer coincidence, to an entirely unrelated, yet critical vulnerability, which is outlined in part two. The reader is assumed to be familiar with Java Deserialization and should have a basic understanding of Remote Method Invocation (RMI) in Java. Prologue It was in 2016 when I first started to look into the topic of Java Exploitation, or, more precisely: into exploitation of unsafe deserialization of Java objects. Because of my professional history, it made sense to have a look at an SAP product that was written in Java. Naturally, the P4 protocol of SAP NetWeaver Java caught my attention since it is an RMI-like protocol for remote administration, similar to Oracle WebLogic's T3. In May 2017, I published a blog post about an exploit that was getting RCE by using the Jdk7u21 gadget. At that point, SAP had already provided a fix long ago. Since then, the subject has not left me alone. While there were new deserialization gadgets for Oracle's Java server product almost every month, it surprised me no one ever heard of an SAP deserialization gadget with comparable impact. Even more so, since everybody who knows SAP software knows the vast amount of code they ship with each of their products. It seemed very improbable to me that they would be absolutely immune against the most prominent bug class in the Java world of the past six years. In October 2020 I finally found the time and energy to set off for a new hunt. To my great disappointment, the search was in the end not successful. 
A gadget that yields RCE similar to the ones from the famous ysoserial project is still not in sight. However, in January I found a completely unprotected RMI call that in the end yielded administrative access to the J2EE Engine. Besides the fact that it can be invoked through P4, it has nothing in common with the deserialization topic. Even though a mere chance find, it is still highly critical and allows compromising the security of the underlying J2EE server. The bug was filed as CVE-2021-21481. On March 9th 2021, SAP provided a fix. SAP note 3224022 describes the details. P4 and JNDI Listing 1 shows a small program that connects to a SAP J2EE server using P4: The only hint that this code has something to do with a proprietary protocol called P4 is the URL that starts with P4://. Other than that, everything is encapsulated by P4 RMI calls (for those who want to refresh their memory about JNDI). Furthermore, it is not obvious that what is going on behind the scenes has something to do with RMI. However, if you inspect more closely the types of the involved Java objects, you'll find that keysMngr is of type com.sun.proxy.$Proxy (implementing interface KeystoreManagerWrapper) and keysMngr.getKeystore() is a plain vanilla RMI call. The argument (the name of the keystore to be instantiated) will be serialized and sent to the server, which will return a serialized keystore object (in this case it won't because there is no keystore "whatever"). Also not obvious is that the instantiation of the InitialContext requires various RMI calls in the background, for example the instantiation of a RemoteLoginContext object that will allow processing the login with the provided credentials. Each of these RMI calls would in theory be a sink to send a deserialization gadget to. In the exploit I mentioned above, one of the first calls inside new InitialContext() was used to Tool Vulnerability
TroyHunt.webp 2021-06-10 16:19:52 Facebook is a hub of sex trafficking recruitment in the US, report says (lien direct) “The Internet has become the dominant tool traffickers use to recruit victims." Tool
TechRepublic.webp 2021-06-10 10:22:50 This open-source Microsoft benchmark is a powerful server testing tool (lien direct) Storage is a vital component of a modern server. DISKSPD can provide valuable insights into how it performs under different workloads. Tool
CVE.webp 2021-06-09 20:15:08 CVE-2021-0086 (lien direct) Improper permissions in the installer for the Intel(R) Brand Verification Tool before version 11.0.0.1225 may allow an authenticated user to potentially enable escalation of privilege via local access. Tool
CVE.webp 2021-06-09 19:15:09 CVE-2020-8702 (lien direct) Uncontrolled search path element in the Intel(R) Processor Diagnostic Tool before version 4.1.5.37 may allow an authenticated user to potentially enable escalation of privilege via local access. Tool
SecurityWeek.webp 2021-06-07 12:06:12 New Google Tool Helps Developers Visualize Dependencies of Open Source Projects (lien direct) Google has launched a new experimental tool designed to help application developers visualize the dependencies of open source projects. Tool
AlienVault.webp 2021-06-03 10:00:00 (Déjà vu) Ransomware and Energy and Utilities (lien direct) This is a blog series focused on providing energy and utility industries with helpful insights and practical, helpful information on cybersecurity. Intro The exponential growth of IoT devices in the energy and utilities industry has greatly increased focus on cybersecurity. Focus on cybersecurity across industries has increased recently, no doubt due to factors like COVID-19 forcing a jump in remote work. In 2020, we saw cybersecurity move from being a technical problem to a business issue. Along with the recognition that businesses really need to lead with a security-first mindset to be resilient, the CISO was elevated to a seat at the proverbial table as a true C-suite leader and trusted board advisor. Energy and utilities face unique challenges compared to other industries. According to McKinsey: “In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership. 
Finally the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.” Let’s look at one type of common and profitable attack that could impact energy and utility companies – ransomware. What is ransomware? Ransomware is exactly as the name implies – something valuable to your business is being kept from you until a ransom is paid for its return. In simple terms, ransomware is extortion. Ransomware, a form of malicious software, blocks you from accessing your computer systems or files until you pay the cyber adversary to allow you access to your information. The ransom is typically requested in crypto currency because of its anonymity and ease of online payment – this translates to no tracing of the origin or destination of the funds, a common tactic of cyber criminals. Knowingly infecting a system with ransomware and requesting payment to unlock the system is a crime. Law enforcement agencies recommend not paying the ransom associated with ransomware. The thought is that if the ransom is paid, you as the victim of ransomware are then identified as an easy target for further cybercrime and the ransomware attack is perpetuated against others. Who is the target of ransomware? Cyber criminals seek the path of least resistance in their targets and strike against businesses that are easy targets. Ransomware is a business and the perpetrators, like any good businessperson, are looking for a strong ROI. The C Ransomware Malware Tool Vulnerability Guideline Deloitte
ZDNet.webp 2021-06-03 10:00:00 Chinese cybercriminals spent three years creating a new backdoor to spy on governments (lien direct) The new tool has been used in ongoing cyberespionage activities. Tool
SecurityAffairs.webp 2021-06-02 09:08:39 Exploit broker Zerodium is looking for Pidgin 0day exploits (lien direct) Zero-day exploit broker Zerodium is looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. Zero-day exploit broker Zerodium announced it is looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. The company will pay up to $100,000 for zero-days in Pidgin, which is a free and open-source multi-platform instant […] Tool
CVE.webp 2021-06-01 22:15:08 CVE-2021-32657 (lien direct) Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command line tool to administrate the Nextcloud users. Tool Vulnerability
SecurityAffairs.webp 2021-05-29 20:01:04 Secure Search is a Browser Hijacker – How to Remove it Now? (lien direct) Secured Search is a browser hijacker that changes your browser’s settings to promote securedsearch.com, let’s remove it. Secured Search is the same piece of software as ByteFence Secure Browsing. It’s supposedly a tool that improves browsing security and privacy. In reality, it’s a browser hijacker. It alters your browser’s settings to promote securedsearch.com (which is […] Tool
TroyHunt.webp 2021-05-28 16:26:42 Engineered virus and goggles restore object recognition in a blind man (lien direct) What started out as an experimental tool has evolved into a treatment. Tool
CVE.webp 2021-05-28 11:15:07 CVE-2021-20201 (lien direct) A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. Tool
SecurityAffairs.webp 2021-05-27 12:43:57 Hackers compromised Japanese government offices via Fujitsu's ProjectWEB tool (lien direct) Threat actors have compromised offices of multiple Japanese agencies via Fujitsu's ProjectWEB information sharing tool. Threat actors have breached the offices of multiple Japanese agencies after they gained access to projects that use Fujitsu's ProjectWEB information sharing tool. ProjectWEB is a software-as-a-service (SaaS) platform for enterprise collaboration and file-sharing that was […] Tool Threat
Anomali.webp 2021-05-26 17:20:00 Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that has risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. 
They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action; this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in: with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese Tool Threat Guideline Solardwinds Solardwinds
Anomali.webp 2021-05-25 15:00:00 Anomali Cyber Watch: Bizzaro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Air India passenger data breach reveals SITA hack worse than first thought (published: May 23, 2021) Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ name, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021; nearly a decade. Air India adds to the growing list of SITA clients impacted by their data breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa. Analyst Comment: Unfortunately, breaches like this are commonplace. 
While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted. Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or freezing of credit inquiries without permission, and reaching out to companies that have reportedly been breached to learn what protections they may be offering their clients. Tags: Data Breach, Airline, PII BazarCall: Call Centers Help Spread BazarLoader Malware (published: May 19, 2021) Researchers from PaloAlto’s Unit42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial subscription-based themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer the phone and direct the victim through a process to infect the computer with BazarLoader. Analysts dubbed this method of infection “BazarCall.” Analyst Comment: This exemplifies social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if cal Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline
Mandiant.webp 2021-05-25 09:00:00 Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises (lien direct) Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. The activity is typically not sophisticated and is normally not targeted against specific organizations Tool Threat Industrial ★★★
TechRepublic.webp 2021-05-24 17:37:34 How to sync all your browser bookmarks with xBrowserSync (lien direct) Here's how to use the free XBrowserSync tool to keep all your bookmarks synchronized and your internet life simplified. Tool
AlienVault.webp 2021-05-24 10:00:00 AWS IAM security explained (lien direct) Executive summary AWS Policies are a key foundation in good cloud security, but they are often overlooked. In this blog, we take a quick look on some AWS Policies, particularly for Identity and Access Management (IAM), that could become problematic if not properly managed. We'll discuss how they can be used against us to generate attacks like: Ransomware, data exfiltration, credential abuse, and more. Finally, we'll suggest some Open Source tools for cloud policy assessment and pentesting.   Analysis The first step in achieving good security is having effective policies to regulate what can and cannot be done in an environment, both physical devices and cloud infrastructure. These regulatory policies are frequently hard to define and keep up-to-date, especially in a fast-paced environment using infrastructure-as-a-service (IaaS). This blog looks at some changes in policies which can reduce success in some common attack types involving: exfiltration, ransomware, credential abuse, and more. For that reason, AT&T Alien Labs is sharing an easy ‘what to look for’ list in order to detect some red flags in AWS policy changes. It is our hope that this list will be helpful for security analysts and forensic investigators. Policies are spoiler alert, defined by AWS Policies, which define permissions for identities and resources. Every time AWS Identity and Access Management makes a request of any kind to a resource, a policy determines if the IAM is allowed or denied access to that specific resource under the policies for the involved parties. A full understanding of AWS policies (types, creation, enforcement, etc.) is outside the scope of this blog, but it can be found in AWS documentation. People implementing AWS policies should have knowledge of the organization, adapting policies to needs of the business. 
Afterwards, detection rules should be generated for red flags in CloudTrail or other security tools. By doing this, we avoid generic policy changes, for example using ‘*’ to cover the whole Principal without setting any Conditions on it (MFA, IP, usernames, etc.). The problem resides in changes occurring on a daily basis to the policies, which are often overlooked by analysts. The impact that these changes could have is as big as any other event or alert investigated. In order to classify all AWS actions involving a policy change that could be used by attackers, we’ll sort them based on the potential final attack type. Most of the following techniques would fall under Modify Cloud Compute Infrastructure (T1578), but we have attempted to classify them outside of their specific Cloud technique - as if the activity were happening in a traditional environment. Denial of Service (DoS) Endpoint Denial of Service (T1499): Adversaries may perform Endpoint DoS attacks to degrade or block the availability of services to users. This blockage could be used as an additional impact on top of Data Encrypted for Impact (T1486) to avoid or slow down recovery efforts in a ransomware attack. In this scenario, attackers could be trying to block access to several AWS resources such as S3, EC2 through EFS or EBS, or backups, among others. Ransomware Tool Threat Guideline
SecurityAffairs.webp 2021-05-23 12:33:32 Security Affairs newsletter Round 315 (lien direct) A new round of the weekly SecurityAffairs newsletter arrived! Every week, the best security articles from Security Affairs, free for you in your inbox. Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia MSBuild tool used to deliver RATs filelessly Pakistan-linked Transparent Tribe APT expands its arsenal Two flaws could allow bypassing AMD […] Ransomware Tool APT 36
InfoSecurityMag.webp 2021-05-21 16:59:00 Ransomware Gang Gifts Decryption Tool to HSE (lien direct) Cyber-criminals give Irish health system free decryption tool after crippling it with ransomware Ransomware Tool
SecurityWeek.webp 2021-05-21 14:01:52 Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator (lien direct) Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments. Tool
SecurityAffairs.webp 2021-05-21 06:30:20 Microsoft SimuLand, an open-source lab environment to simulate attack scenarios (lien direct) Microsoft released SimuLand, an open-source tool that can be used to build lab environments to simulate attacks and verify their detection. Microsoft has released SimuLand, an open-source lab environment that allows users to reproduce the techniques used in real attack scenarios. The tool could be used to test and improve Microsoft solutions, including Microsoft 365 Defender, […] Tool
WiredThreatLevel.webp 2021-05-20 13:00:00 These Ex-Journalists Are Using AI to Catch Online Defamation (lien direct) CaliberAI wants to help overstretched newsrooms with a tool that's like spell-check for libel. But its potential uses go far beyond traditional media. Tool ★★★★
TechRepublic.webp 2021-05-20 10:30:48 Microsoft Azure: This new tool makes it easier to manage virtual machines in the cloud (lien direct) Microsoft's automated system management tools help businesses keep their Azure virtual infrastructures secure. Tool
no_ico.webp 2021-05-20 10:05:27 Kill The CAPTCHA: Stop Making Users Account For Your Lack Of Security (lien direct) BACKGROUND: Earlier this week, Cloudflare drew attention to the ineffectiveness of the CAPTCHA tool that so many of us annoyingly go along with, forcing us to count the number of traffic… Tool
WiredThreatLevel.webp 2021-05-19 15:06:59 My Mother Is Gone. But Her Digital Voice Helps Keep Me Well (lien direct) I made the audio recording shortly before she passed. I didn't know that it would become a powerful tool to keep me motivated. Tool
ZDNet.webp 2021-05-19 09:00:03 This is how the Cobalt Strike penetration testing tool is being abused by cybercriminals (lien direct) Cobalt Strike is a popular tool with cybersecurity professionals. Unfortunately, it's also utilized by threat actors. Tool Threat
SANS.webp 2021-05-18 07:28:42 From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th) (lien direct) I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on a very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported functions: Tool
SecurityAffairs.webp 2021-05-16 11:31:28 MSBuild tool used to deliver RATs filelessly (lien direct) Hackers abuse the Microsoft Build Engine (MSBuild) to filelessly deliver malware on targeted Windows systems, including a RAT and a password stealer. Researchers from Anomali observed threat actors abusing Microsoft Build Engine (MSBuild) to filelessly deliver remote access trojans and RedLine Stealer password-stealing malware on targeted Windows systems. “Anomali Threat Research discovered a campaign in which threat actors used […] Malware Tool Threat
Kaspersky.webp 2021-05-14 17:36:33 FIN7 Backdoor Masquerades as Ethical Hacking Tool (lien direct) The financially motivated cybercrime gang behind the Carbanak RAT is back with the Lizar malware, which can harvest all kinds of info from Windows machines. Tool
grahamcluley.webp 2021-05-14 14:54:38 Gamers warned of downloading fake Afterburner overclocking tool to boost graphics card performance (lien direct) A leading manufacturer of gaming hardware has warned internet users to be wary of downloading fake versions of free software it distributes to overclock GPUs. Read more in my article on the Hot for Security blog. Tool Guideline
AlienVault.webp 2021-05-14 10:00:00 Defending the client-side attack surface (lien direct) It is strange to think that not that long ago the Internet was a very different place: a place filled with static text content, marked up in HTML, and served up alongside a few included image files, mostly consumed by a small population of persons with specific interests. Today’s Internet consumer demands a vibrant and responsive user experience customized to their individual interests, a localized cornucopia of options from around the globe, available on demand. While many advancements in platforms and networking have contributed to this evolution, the ability to execute script code in the browser is perhaps the most significant, both in terms of user functionality and potential for security exposures. A “Client-Side Attack” occurs when a user (the client) downloads malicious code from the server, which is then interpreted and rendered by the client browser. The classic example of such an attack is Cross-Site Scripting, which has been a staple of the OWASP Top Ten since its inception. These flaws are pervasive. A 2019 report from Feroot CX Security and Privacy, the 2019 Feroot User Security and Privacy Report, concluded that the hidden activities of third-party tools and scripts expose up to 97% of organizations to theft of customer data. More recently, the 2021 Hacker Report showed significant year-over-year increases in reported web-related security vulnerabilities and that 96% of hackers are working on hacking web applications. Sadly, these figures are far from surprising. According to that same 2019 Feroot report, modern web applications load an average of 21 third-party scripts as part of the user experience. This integration of third-party code creates a software supply chain that is assembled and executed on the client’s machine in near real time. 
The risk that one or more of the included scripts has been tampered with by threat actors at any given point in time is real and can have significant consequences, as many organizations impacted by “web skimming” or “Magecart” attacks have learned. These attacks occur when an attacker inserts malicious script code, or a reference to include such code, into a payment or other transactional page. The code is downloaded and executed on the client browser, which typically sends a copy of the sensitive information to a location of the attacker’s choice. Because of the subtle nature of these campaigns, they can be difficult to detect. For example, Warner Music recently disclosed that a number of the company’s on-line stores had fallen victim to such a campaign that lasted for several months. They are not alone. Many companies have been impacted by such campaigns and, given the surge of online transactions as a result of the COVID-19 pandemic, it is no surprise that threat actor groups are increasingly focused on exploitation and monetization of such vulnerabilities. Even in the absence of malicious intent, simple human error can result in security-impacting disclosures. If developers are passing sensitive details in the URL parameters or the page title of a web resource, analytics platforms may receive those elements. These may include usernames, credentials, or other information that could be considered Personally Identifiable Information (PII). Legitimate scripts may collect sensitive data from the website for analysis without the full understanding of Tool Threat
grahamcluley.webp 2021-05-14 09:53:26 Report: Colonial Pipeline paid ransomware attackers $5 million, but still had to rely on its own backups (lien direct) Bloomberg reports that the extortionists of Colonial Pipeline received almost $5 million worth of cryptocurrency, but that the tool they provided to decrypt IT systems wasn't up to the job. Ransomware Tool
Anomali.webp 2021-05-13 17:00:00 Threat Actors Use MSBuild to Deliver RATs Filelessly (lien direct) Authored by: Tara Gould and Gage Mele Key Findings Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver the Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer. This campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still ongoing as of May 11, 2021. We were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on attribution because both RemcosRAT and RedLine Stealer are commodity malware. Overview Anomali Threat Research discovered a campaign in which threat actors used MSBuild - a tool used for building apps that gives users an XML schema “that controls how the build platform processes and builds software” - to filelessly deliver RemcosRAT and RedLine Stealer using callbacks.[1] The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some hosted on the Russian image-hosting site “joxi[.]net.” While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload. Figure 1 - Infection chain Technical Analysis MSBuild MSBuild is a development tool used for building applications, especially where Visual Studio is not installed.[2] MSBuild uses XML project files that contain the specifications to compile the project and, within the configuration file, the “UsingTask” element defines the task that will be compiled by MSBuild. In addition, MSBuild has an inline task feature that enables code to be specified and compiled by MSBuild and executed in memory. 
This ability for code to be executed in memory is what enables threat actors to use MSBuild in fileless attacks. A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected.[3] Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed an 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful.[4] MSBuild Project File (.proj) Analysis Analyzed File – imaadp32.proj MD5 – 45c94900f312b2002c9c445bd8a59ae6 The file we analyzed is called “imaadp32.proj,” and as shown in Figure 2 below, is an MSBuild project file (.proj). For persistence, mshta is used to execute a VBScript that runs the project file, with a shortcut file (.lnk) added to the startup folder (Figure 3). Figure 2 - MSBuild Project Schema for immadp32.proj Figure 3 - .lnk Registry Run Key Created in Startup Folder Following the creation of persistence, two large arrays of decimal bytes were decoded by the function shown in Figure 4. Malware Tool Threat
TechRepublic.webp 2021-05-13 14:54:27 How to benchmark your websites with the open source Apache Bench tool (lien direct) To always be ahead of the network admin game, you should be benchmarking your websites. Jack Wallen shows you how with the Apache Bench tool. Tool
bleepingcomputer.webp 2021-05-13 13:00:00 (Déjà vu) Microsoft build tool abused to deliver password-stealing malware (lien direct) Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign. [...] Malware Tool Threat
bleepingcomputer.webp 2021-05-13 13:00:00 Attackers abuse Microsoft dev tool to deploy Windows malware (lien direct) Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy remote access tools and information-stealing malware filelessly as part of an ongoing campaign. [...] Malware Tool Threat
Last update at: 2024-07-07 06:08:16