What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CS.webp 2023-01-03 17:07:44 Can these researchers help defend satellite systems targeted by hackers? As threats against space systems increase, a new tool aims to improve efforts to defend against cyberattacks. Tool ★★
Anomali.webp 2022-12-29 16:30:00 Anomali Cyber Watch: Zerobot Added New Exploits and DDoS Methods, Gamaredon Group Bypasses DNS, ProxyNotShell Exploited Prior to DLL Side-Loading Attacks, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, Bypassing DNS, DDoS, Infostealers, Layoffs, Spearphishing, Supply chain, and Zero-day vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New RisePro Stealer Distributed by the Prominent PrivateLoader (published: December 22, 2022) RisePro is a new commodity infostealer that is sold and supported through Telegram channels. Credential logs derived from RisePro have been for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed software credentials, and passwords. RisePro was delivered by PrivateLoader, and these two malware families have significant code similarity. It also shares similarity with the Vidar stealer in that both use dropped DLL dependencies. Analyst Comment: Infostealers are a continually rising threat for organizations, especially with hybrid workers using their own and other non-corporate devices to access cloud-based resources and applications. Information from these sessions that is useful to attackers can be harvested without the worker's or the organization's knowledge. In addition, the rise of threat actor reliance on potent commodity malware is one of the trends that Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform). MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222 - File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012 - Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] T1082 - System Information Discovery Malware Tool Threat ★★
Pirate.webp 2022-12-29 07:36:08 HardCIDR – Network CIDR and Range Discovery Tool HardCIDR is a Linux Bash script to discover the netblocks, or ranges (in CIDR notation), owned by the target organization during the intelligence gathering phase of a penetration test. Tool ★★★
CVE.webp 2022-12-26 20:15:10 CVE-2019-9011 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. Tool
CVE.webp 2022-12-26 19:15:10 CVE-2020-12069 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), the password-hashing feature requires insufficient computational effort. Tool
CVE.webp 2022-12-26 19:15:10 CVE-2020-12067 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. Tool
AlienVault.webp 2022-12-22 11:00:00 Cybersecurity for seniors this holiday season: all generations are a target The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Gift for cyber well-being During the holiday season, it is essential to take extra precautions when it comes to cybersecurity. Cybercriminals may be more active than usual, looking for ways to exploit unsuspecting users. Protect yourself and your loved ones: ensure that you and they are up to date with the latest security software, and be mindful of potential scams. Furthermore, only visit trusted websites and know the risks before making technological purchases. Cyber security can seem complicated, but anyone can protect themselves from common cyber threats with the correct information. Additionally, be aware of the various scams aimed at senior citizens during the holidays, such as fake holiday deals, phishing emails, fake charities, sweepstakes, or even threats to disconnect a senior's utilities. Taking these extra precautions can help ensure a safe and secure holiday season. The pandemic has highlighted the need for an intergenerational cyber awareness program to help seniors and their grandchildren stay safe online. Using a grandchild's name for a password may be cute, but it's not always the safest option. Educating seniors and their grandchildren about the risks and best practices of using technology is essential to promote cyber well-being for seniors. A conversation between generations can be a powerful tool for increasing cyber security and safety. By providing age-appropriate lessons, we can create a strong bond across generations and make sure that everyone can stay safe online. No matter your age, staying informed about cyber security is essential today. Elder fraud is becoming increasingly common, with scams taking different forms, such as fraudulent phone calls, phishing attempts through email and social media, or shopping scams. It is essential for everyone to be aware of the risks associated with the online world and to be responsible digital citizens. To make this easier, it takes a "cyber village" to help raise savvy cyber citizens. For example, I have been able to explain the importance of cyber to my grandparents. They enjoy using their iPad and social media to stay connected and are a great example of how anyone can become a responsible digital citizen. Be aware of the potential dangers of oversharing online, particularly on social media. Personal details such as your name, family members' names, home address, telephone numbers, and even the answers to the secret questions you chose when setting passwords should be kept private. Be wary if you're ever contacted online by someone who requests this information. It is best to ignore unsolicited requests for personal information, including Social Security numbers, bank account numbers, and passwords. Be on the lookout for any suspicious deals, discounts, or coupons that may be sent to you via email. It is essential to be aware of phishing scams, which often involve requests for you to act urgently to take advantage of a deal or prize. Also, be mindful of attachments containing malicious content, as they can infect your computer with a virus. Be vigilant and know how to spot any malicious baits confidently. A password manager can be your friend: Change the default password on any device that will connect to the Internet. A device is not just your phone or laptop; everything from your Internet router, TVs, and home thermostats to Wi-Fi is included. What does a strong password look like? Use a phrase instead of a word. "Passphrases" are easy to remember but difficult to guess. If the field allows, use spaces as special characters for added strength, which also makes the phrase easier to type. Longer is stronger for passwords. The best passwords are at least ten characters and include some capitalization and punctuation. Typing the passphrase becomes a habit (usually within a few Tool
Watchguard.webp 2022-12-22 00:00:00 WatchGuard's Threat Lab Report Reveals That the Top Threat Travels Exclusively over Encrypted Connections Paris, January 4, 2023 – WatchGuard® Technologies, a global leader in unified cybersecurity, has published its latest quarterly Internet Security Report, which presents the major trends in malware and in network and endpoint security threats analysed by WatchGuard Threat Lab researchers in Q3 2022. Its key findings reveal in particular that the quarter's top malware threat was detected exclusively over encrypted connections, that ICS attacks remain popular, that the LemonDuck malware is evolving beyond cryptomining, and that a Minecraft cheat engine is delivering a malicious payload. "We cannot overstate the importance of enabling HTTPS inspection, even though it requires some tuning and exceptions to work properly. The majority of malware uses the encrypted HTTPS protocol, and these threats go undetected without inspection," said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. "Rightly so, the assets cybercriminals covet most, such as Exchange servers or SCADA management systems, also deserve maximum attention. When a patch is available, it is important to update immediately, because cybercriminals will eventually take advantage of any organization that has not yet applied the latest patch." The Q3 Internet Security Report contains other key findings, including: The vast majority of malware travels over encrypted connections – Although it came third in the classic top-10 malware list for Q3, Agent.IIQ took the lead on the encrypted malware list for the same period. In fact, looking at detections of this malware across both lists, it appears that all Agent.IIQ detections came from encrypted connections. In Q3, if a Firebox appliance was inspecting encrypted traffic, 82% of the malware detected came through an encrypted connection, corresponding to only 18% of detections without encryption. If encrypted traffic is not inspected on the Firebox, it is very likely that this average ratio applies and that the company is missing a huge share of malware. ICS and SCADA systems remain the most common attack targets – This quarter, a SQL injection attack affecting several vendors appeared in the list of the top ten network attacks. Advantech is one of the companies concerned; its WebAccess portal is used for SCADA systems in a variety of critical infrastructure. Another serious exploit in Q3, also ranked among the top five network attacks by volume, targeted versions 1.2.1 and earlier of Schneider Electric's U.motion Builder software. A harsh reminder that cybercriminals do not simply wait quietly for the next opportunity, but actively seek to compromise systems whenever possible. Exchange server vulnerabilities continue to pose risks – The C Ransomware Malware Tool Threat APT 3 ★★★
DarkReading.webp 2022-12-21 15:51:30 How to Run Kubernetes More Securely The open source container tool is quite popular among developers - and threat actors. Here are a few ways DevOps teams can take control. Tool Threat Uber ★★
CVE.webp 2022-12-20 21:15:10 CVE-2022-41596 The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components. Tool Vulnerability
Anomali.webp 2022-12-20 20:46:00 Anomali Cyber Watch: APT5 Exploited Citrix Zero-Days, Azov Data Wiper Features Advanced Anti-Analysis Techniques, Inception APT Targets Russia-Controlled Territories, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Belarus, China, Data wiping, Russia, Ukraine, and Zero-days. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT5: Citrix ADC Threat Hunting Guidance (published: December 13, 2022) On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware. Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. The Anomali Platform has YARA signatures for the Tricklancer malware; network defenders are encouraged to follow the additional NSA hunting suggestions (LINK). Check MD5 hashes for key executables of the Citrix ADC appliance. Analyze your off-device logs: look for gaps and mismatches in logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5's activities. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT (published: December 12, 2022) In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously recorded campaigns that aim at installing cryptomining software, this one utilizes a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots. Analyst Comment: Implement timely patching and updating of your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing. MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12 Malware Tool Vulnerability Threat Patching Prediction APT 5 ★★★
AlienVault.webp 2022-12-19 11:00:00 What is SASE Secure Access Service Edge (SASE) is an evolving cloud-focused architecture that was released by Gartner in 2019. SASE is designed to solve the problem of network performance and limited security visibility for distributed corporate business systems (infrastructure, platforms, and applications) in the cloud or in the corporate data center, as well as for the distributed workforce. SASE is complex and resource intensive, but it can be transformative and provide cost savings with the right partners, like AT&T Cybersecurity, to execute this type of strategic initiative. SASE combines the networking technology called Software Defined Wide Area Network (SD-WAN) with four security capabilities called the Security Service Edge (SSE). SD-WAN SD-WAN operates on top of (as an overlay on) an existing Internet circuit. Unlike a dedicated/private WAN circuit, SD-WAN can break out Internet-destined traffic closer to where the distributed workforce is located. Internal traffic is backhauled through the SD-WAN network to the data center or cloud where the corporate business systems reside. Components of the Security Service Edge The Security Service Edge (SSE) incorporates four main security components used to protect business systems and the workforce. These capabilities are cloud-based to support distributed systems and a distributed workforce. SSE capabilities include the following: Zero Trust Network Access (ZTNA) – Provides segmentation of business systems and users through access control policies. Firewall as a Service (FWaaS) – Centralized security policy enforcement that can be applied across multiple business locations to give security teams greater visibility into network traffic and provide consistent policy enforcement across business systems and users. Secure Web Gateway (SWG) – Centralized web-based policy enforcement that blocks unapproved Internet traffic while protecting the distributed workforce. Cloud Access Security Broker (CASB) – Helps security teams understand where company data is stored (on-premises or in the cloud) and enforce the business's data compliance policies. How SASE works The traditional cybersecurity model operated by building security perimeters around the corporate office and data center where the workforce and applications reside. Security controls were located inside a DMZ between the corporate office and data center so that traffic could be efficiently monitored, managed, and inspected. Today, business systems and users have moved out of the corporate office and data center into a distributed environment. This creates the following risks. Business systems: lack of centralized visibility and control; difficulty tracking and securing sensitive data; additional costs for security solutions; non-compliance with regulatory or industry requirements; swivel-chair tasks between network and security teams to support the organization; inefficient routing of network traffic. Users: unknown (home/public Wi-Fi) networks accessing the corporate network; employees accessing business systems from unmanaged devices; inconsistent security profiles between office and VPN user Tool ★★
CVE.webp 2022-12-17 00:15:08 CVE-2022-23531 GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5. Tool Vulnerability
CVE.webp 2022-12-16 23:15:09 CVE-2022-23530 GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths. Tool
CVE.webp 2022-12-15 19:15:17 CVE-2022-23526 Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client, when rendering a chart, will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created, causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that schema files are correctly formatted before passing them to the _chartutil_ functions. Tool Uber
CVE.webp 2022-12-15 19:15:17 CVE-2022-23525 Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created, causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm client will panic with an index file that causes a memory violation panic. Helm is not a long-running service, so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that index files are correctly formatted before passing them to the _repo_ functions. Tool Uber
CVE.webp 2022-12-15 19:15:16 CVE-2022-23524 Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can suffer a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate that user-supplied strings won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. Tool Uber
TechRepublic.webp 2022-12-14 16:18:18 Improper use of password managers leaves people vulnerable to identity theft A password manager can be a useful and effective tool for creating, controlling and applying complex and secure passwords, but if you don't use it the right way, you can open yourself up to account compromise and even identity theft. Tool ★★
InfoSecurityMag.webp 2022-12-14 10:30:00 New Google Tool Helps Devs Root Out Open Source Bugs Free OSV-Scanner searches transitive dependencies Tool
Anomali.webp 2022-12-13 16:00:00 Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, the Iran-sponsored MuddyWater (Static Kitten, Mercury) group successively abused several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater has used spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification lowers detection by abusing a legitimate Microsoft-signed process: DLL side-loading into NTSD.exe, a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to use Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They compromised the company's domain controller and used it to distribute ransomware to all devices within the organization through a Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques; at certain steps their malware hides behind Microsoft-signed processes and exists primarily in device memory. This increases the need for a defense-in-depth approach and robust monitoring of your organization's domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | Ransomware Malware Tool Threat Medical APT 38 ★★★
CVE.webp 2022-12-13 14:15:09 CVE-2022-38124 Debug tool in Secomea SiteManager allows a logged-in administrator to modify system state in an unintended manner. Tool
GoogleSec.webp 2022-12-13 13:00:47 Announcing OSV-Scanner: Vulnerability Scanner for Open Source Posted by Rex Pan, software engineer, Google Open Source Security Team. Today, we're launching the OSV-Scanner, a free tool that gives open source developers easy access to vulnerability information relevant to their project. Last year, we undertook an effort to improve vulnerability triage for developers and consumers of open source software. This involved publishing the Open Source Vulnerability (OSV) schema and launching the OSV.dev service, the first distributed open source vulnerability database. OSV allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine-readable format. The OSV-Scanner is the next step in this effort, providing an officially supported frontend to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them. OSV-Scanner Software projects are commonly built on top of a mountain of dependencies: external software libraries you incorporate into a project to add functionality without developing it from scratch. Each dependency potentially contains existing known vulnerabilities or new vulnerabilities that could be discovered at any time. There are simply too many dependencies and versions to keep track of manually, so automation is required. Scanners provide this automated capability by matching your code and dependencies against lists of known vulnerabilities and notifying you if patches or updates are needed. Scanners bring incredible benefits to project security, which is why the 2021 U.S. Executive Order for Cybersecurity included this type of automation as a requirement for national standards on secure software development. The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners: each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database); anyone can suggest improvements to advisories, resulting in a very high quality database; the OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer's list of packages; and all of the above results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them. Running OSV-Scanner on your project will first find all the transitive dependencies that are being used by analyzing manifests, SBOMs, and commit hashes. The scanner then connects this information with the OSV database and displays the vulnerabilities relevant to your project. Tool Vulnerability ★★★
CyberSkills.webp 2022-12-13 00:00:00 Cyber Range Features Checklist & List of European Providers In 2021, ECSO launched a Call to Action to identify and bring together European cyber range providers and end users. The aim of this initiative was to consolidate the approaches of European cyber range-enabled services and concepts, promote and support the development of best practices and guidelines that define the “European Cyber Range” and its uptake, and help shape the further development of European cyber range platforms and solutions. Dr. Donna O'Shea, Chair of Cybersecurity at MTU, was part of the working group that came together to promote and support the best practices and develop guidelines that define cyber ranges. From this, ECSO has identified the key features of a cyber range platform, presented in the form of a checklist for end users and groups. This checklist can be leveraged by end users to define their cyber range requirements and subsequent award criteria for electronic tenders for procurement purposes. ECSO, through its Call to Action, has also identified European cyber range providers, providing for the first time a central point and repository of these providers. Cyber Range Overview ECSO's definition of a cyber range is as follows: “A cyber range is a platform for the development, delivery and use of interactive simulation environments”. A cyber range enables and supports: Advanced cybersecurity R&I, allowing public and private sector organisations to test, in a secure sandboxed environment, the cyber resilience of their digital systems against cyberattacks, which makes it possible to identify and fix weaknesses before cybercriminals can exploit them. Interdisciplinary research on understanding the psychosocial engineering tactics of cybersecurity attacks, supporting the development of combined human-factor and technological solutions to mitigate these attacks. Advanced cybersecurity skills training for academic and workplace learners, who can hone their skills in the highly realistic training environments that cyber ranges can offer. For more information on the value of this ECSO Cyber Range Features Checklist to end users, the European cyber range market and providers, open source alternatives and web-based penetration tools, please see the full report: the Cyber Range Features Checklist and the List of European Providers
Tool Threat ★★
CrowdStrike.webp 2022-12-09 19:52:16 Importing Docker Logs with CrowdStrike Falcon LogScale Collector (lien direct) Docker is the primary tool used for containerizing workloads. If your company wants to build containers with quality, then you'll need access to your Docker container logs for debugging, validation and optimization. While engineering teams can view container logs through straightforward CLI tools (think docker logs), these tools don't provide a mechanism for storing or […] Tool ★★
bleepingcomputer.webp 2022-12-08 16:19:09 Hacked corporate email accounts used to send MSP remote access tool (lien direct) MuddyWater hackers, a group associated with Iran's Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. [...] Tool ★★★
Blog.webp 2022-12-07 01:41:18 Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) (lien direct) In August, the ASEC analysis team published a post on malware being distributed with filenames that use RTLO (Right-To-Left Override). RTLO is a Unicode control character that switches the display direction of the text following it to right-to-left. This type of malware tricks users into executing its files by disguising the real file extension within the filename, and its distribution continues to this day. RAT Tool Disguised as Solution File (*.sln) Being Distributed on GitHub As of November 30th, 2022, when the keywords based on the last... Malware Tool ★★★
Anomali.webp 2022-12-06 17:09:00 Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, In-memory evasion, Infostealers, North Korea, Phishing, Ransomware, Search engine optimization, and Signed malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022) Since 2018, a large-scale website infection campaign has been affecting over 100,000 sites at any given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts switched the page titles back to the original if visitor fingerprinting did not indicate a Chinese search engine from a preset list (such as Baidu). Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet-facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022) On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It has not been disclosed how these platform certificates could have been leaked. Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature. Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022) The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn't touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader, which loads an SMB beacon; MagnetLoader, which loads an HTTPS beacon; and LithiumLoader, which loads a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me Spam Malware Tool Threat Medical APT 38 ★★★
knowbe4.webp 2022-12-06 14:30:00 CyberheistNews Vol 12 #49 [Keep An Eye Out] Beware of New Holiday Gift Card Scams (lien direct) CyberheistNews Vol 12 #49 | December 6th, 2022 [Keep An Eye Out] Beware of New Holiday Gift Card Scams By Roger A. Grimes Every holiday season brings on an increase in gift card scams. Most people love to buy and use gift cards. They are convenient, easy to buy, easy to use, easy to gift, usually allow the receiver to pick just what they want, and are often received as a reward for doing something. The gift card market is estimated in the many hundreds of BILLIONS of dollars. Who doesn't like to get a free gift card? Unfortunately, scammers often use gift cards as a way to steal value from their victims. There are dozens of ways gift cards can be used by scammers to steal money. Roger covers these three scams in a short [VIDEO] and in detail on the KnowBe4 blog: You Need to Pay a Bill Using Gift Cards Maliciously Modified Gift Cards in Stores Phish You for Information to Supposedly Get a Gift Card Blog post with 2:13 [VIDEO] and links you can share with your users and family: https://blog.knowbe4.com/beware-of-holiday-gift-card-scams [Live Demo] Ridiculously Easy Security Awareness Training and Phishing Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us TOMORROW, Wednesday, December 7 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users. NEW! KnowBe4 Mobile Learner App - Users Can Now Train Anytime, Anywhere! NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers NEW! AI-Driven phishing and training recommendations for your end users Did You Know? You can upload your own training video and SCORM modules into your account for home workers Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes Find out how 50,000+ organizations have mobilized their end-users as their human firewall. Date/Time: TOMORROW, Wednesday, December 7 @ 2:00 PM (ET) Save My Spot! https://event.on24.com/wcc/r/3947028/0273119CCBF116DBE42DF81F151FF99F?partnerref=CHN3 Ransomware Data Breach Spam Hack Tool Guideline ★★★
globalsecuritymag.webp 2022-12-06 09:44:51 Tanium comments on log4j vulnerability ahead of anniversary (lien direct) This weekend (10th December), it will have been a year since the disclosure of the critical Log4Shell vulnerability in the widely used logging tool Log4j, which runs on millions of computers worldwide that host online services. Commentary from Matt Psencik, Director, Endpoint Security Specialist, Tanium, on the vulnerability and what has changed in the year since. - Opinion Tool Vulnerability ★★★
ComputerWeekly.webp 2022-12-06 08:38:00 Don't become an unwitting tool in Russia's cyber war (lien direct) No details / No more details Tool ★★
CSO.webp 2022-12-06 06:00:00 Action1 launches threat actor filtering to block remote management platform abuse (lien direct) Action1 has announced new AI-based threat actor filtering to detect and block abuse of its remote management platform. The cloud-native patch management, remote access, and remote monitoring and management (RMM) firm stated its platform has been upgraded to spot abnormal user behavior and automatically block threat actors, to prevent attackers from exploiting its tool to carry out malicious activity. The release comes amid a trend of hackers misusing legitimate systems management platforms to deploy ransomware or steal data from corporate environments. Action1 platform enhanced to identify and terminate RMM abuse In an announcement, Action1 stated that the new enhancement helps ensure that any attempt at misuse of its remote management platform is identified and terminated before cybercriminals accomplish their goals. "It scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1's dedicated security team to investigate the issue," it added. To read this article in full, please click here Ransomware Tool Threat ★★
Mandiant.webp 2022-12-05 15:00:00 FLARE VM: A FLAREytale Open to the Public (lien direct) FLARE VM is a collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a virtual machine (VM). Thousands of reverse engineers, malware analysts, and security researchers rely on FLARE VM to configure Windows and to install an expert collection of security tools. Our most recent updates make FLARE VM more open and maintainable. This allows the community to easily add and update tools and to make them quickly available to everyone. We've worked hard to open source the packages which detail how to install Malware Tool ★★★
CSO.webp 2022-12-02 04:33:00 BrandPost: Improving Cyber Hygiene with Multi-Factor Authentication and Cyber Awareness (lien direct) Using multi-factor authentication (MFA) is one of the key components of an organization's Identity and Access Management (IAM) program for maintaining a strong cybersecurity posture. Having multiple layers to verify users is important, but MFA fatigue is also real and can be exploited by hackers. Enabling MFA for all accounts is a best practice for all organizations, but the specifics of how it is implemented are significant because attackers are developing workarounds. That said, when done correctly – and with the right pieces in place – MFA is an invaluable tool in the cyber toolbox and a key piece of proper cyber hygiene. This is a primary reason why MFA was a key topic for this year's cybersecurity awareness month. For leaders and executives, the key is to ensure employees are trained to understand the importance of the security tools – like MFA – available to them, while also making the process easy for them. To read this article in full, please click here Tool Guideline ★★
CVE.webp 2022-11-30 13:15:10 CVE-2022-24441 (lien direct) The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as 'trusted' in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: Tool Vulnerability
CVE.webp 2022-11-30 06:15:11 CVE-2022-46338 (lien direct) g810-led 0.4.2, an LED configuration tool for Logitech Gx10 keyboards, contained a udev rule that made supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data. Tool
Anomali.webp 2022-11-29 16:00:00 Anomali Cyber Watch: Caller-ID Spoofing Actors Arrested, Fast-Moving Qakbot Infection Deploys Black Basta Ransomware, New YARA Rules to Detect Cobalt Strike, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Caller-ID spoofing, False-flag, Phishing, Ransomware, Russia, the UK, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Voice-Scamming Site "iSpoof" Seized, 100s Arrested in Massive Crackdown (published: November 25, 2022) iSpoof was a threat group offering spoofing of caller phone numbers (also known as Caller ID, Calling Line Identification). The iSpoof core group operated out of the UK with a presence in other countries. In the 12 months until August 2022, around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, the Netherlands, Ukraine, the UK, and the USA, that led to the arrest of 142 suspects and the seizure of iSpoof websites. Analyst Comment: Threat actors can spoof Caller ID (Calling Line Identification) much like spoofing the "From:" header in an email. If contacted by an organization, you should not confirm any details about yourself; take the caller's details, disconnect, and initiate a call back to the organization yourself using a trusted number. Legitimate organizations understand scams and fraud and do not engage in unsolicited calling. Tags: iSpoof, Teejai Fletcher, United Kingdom, source-country:UK, Caller ID, Calling Line Identification, Voice-scamming, Social engineering New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers (published: November 25, 2022) On November 21, 2022, multiple organizations in Ukraine were targeted with new ransomware written in .NET. It was dubbed RansomBoggs by ESET researchers, who attributed it to the Russia-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) that was seen in its previous attacks. RansomBoggs encrypts files using AES-256 in CBC mode with a randomly generated key. The key is RSA-encrypted prior to storage, and the encrypted files are appended with a .chsch extension. Analyst Comment: Ransomware remains one of the most dangerous types of malware threats, and even some government-sponsored groups are using it. Sandworm is a very competent actor group specializing in these forms of attack. Organizations with exposure to the military conflict in Ukraine, or considered by the Russian state to be providing support relating to the conflict, should prepare offline backups to minimize the effects of a potential data-availability-denial attack. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: detection:RansomBoggs, detection:Filecoder.Sullivan, malware-type:Ransomware, AES-256, PowerShell, detection:PowerGap, mitre-group:Sandworm Team, actor:Iridium, Russia Ransomware Malware Tool Threat Guideline ★★★★
InfoSecurityMag.webp 2022-11-29 16:00:00 US Census Bureau Head Fends Off Critics of 'Differential Privacy' Tool (lien direct) Santos defended differential privacy against prominent researchers Tool ★★
CSO.webp 2022-11-28 13:58:00 BrandPost: Threat Notification Isn't the Solution – It's a Starting Point (lien direct) Most organizations have the tools in place to receive notification of attacks or suspicious events. But taking in the information gleaned from cybersecurity tools is only step one in handling a security threat. "The goal of a security practitioner is to link those data sets together and do something with the information," says Mat Gangwer, VP of managed detection and response at Sophos. "The threat notification is just the beginning." It's a common misconception that a tool has effectively blocked or remediated an issue simply because the IT or security team has received a notification of malicious activity. To read this article in full, please click here Tool Threat ★★
globalsecuritymag.webp 2022-11-24 09:16:37 Westcon-Comstor to add Okta solution to its distribution portfolio in France, Spain, Portugal, Italy and Greece (lien direct) Agreement delivers Okta's identity-first Zero Trust security solution to the channel, a vital security tool in an era of remote work - Business News Tool
The_Hackers_News.webp 2022-11-23 11:10:00 Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike (lien direct) A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2." However, there are no Tool Threat ★★★★
Anomali.webp 2022-11-22 23:47:00 Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Signed malware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads (published: November 17, 2022) From August to October 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between distributing malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations' public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). The first stage was a user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second-stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer. Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links arriving through alternative incoming channels such as contact forms should be treated as thoroughly as links from incoming email traffic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment (published: November 16, 2022) Since mid-September 2022, a new phishing campaign has targeted users in North America under holiday-special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed the techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation: they placed target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by JavaScript code running in the victim's browser to reconstruct the redirecting URL. Analyst Comment: Evasion through URI fragmentation hides the token value from traff Ransomware Malware Tool Threat Guideline Medical APT 38 ★★★★
CVE.webp 2022-11-22 18:15:10 CVE-2022-41950 (lien direct) super-xray is the GUI alternative for vulnerability scanning tool xray. In 0.2-beta, a privilege escalation vulnerability was discovered. This caused inaccurate default xray permissions. Note: this vulnerability only affects Linux and Mac OS systems. Users should upgrade to super-xray 0.3-beta. Tool Vulnerability
InfoSecurityMag.webp 2022-11-22 10:00:00 Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk (lien direct) C2 framework could be the next Cobalt Strike, says Proofpoint Tool Threat
Fortinet.webp 2022-11-21 22:06:09 Joint CyberSecurity Advisory on a U.S. Federal Agency Breached by Iranian Threat Actors (lien direct) FortiGuard Labs is aware of a joint advisory (AA22-320A) issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on November 16, 2022. The advisory is related to an Iranian government-sponsored campaign in which threat actors breached an unnamed U.S. federal agency and deployed a crypto miner and a hacktool to the compromised network. Why is this Significant? This is significant because threat actors backed by the Iranian government compromised a U.S. federal agency and deployed XMRig (crypto miner) and Mimikatz (a post-exploitation tool used for credential harvesting). In February 2022, Iranian threat actors reportedly compromised a federal government agency by exploiting CVE-2021-44228, also known as Log4Shell, in an unpatched VMware Horizon server. This underlines the importance of timely patching of vulnerable systems. How did the Attack Occur? The initial infection vector was exploitation of CVE-2021-44228 (Log4Shell) in a vulnerable VMware Horizon server. Once the attacker got a foot in the door of the victim's network, the attacker downloaded and installed XMRig (mining software for the Monero cryptocurrency) after excluding the victim's C:\ drive from scanning by Windows Defender. The attacker leveraged RDP to move laterally to other systems on the victim's network, deployed PsExec (a free Microsoft tool to execute processes on other systems) and Mimikatz (an open-source tool for credential harvesting), and implanted Ngrok (a dual-use tunneling tool). The attacker also accessed the domain controller and retrieved a list of machines that belong to the domain, furthering the compromise. What is CVE-2021-44228 (Log4Shell)? CVE-2021-44228 is a remote code execution vulnerability in the popular Java-based logging utility Log4j2. The vulnerability was disclosed to the public by Apache in early December; however, Proof-of-Concept (PoC) code for CVE-2021-44228 was believed to be available earlier. FortiGuard Labs previously released an Outbreak Alert and Threat Signal for CVE-2021-44228. See the Appendix for a link to "Outbreak Alert: Apache Log4j2 Vulnerability" and "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)". What is the Status of Coverage? FortiGuard Labs detects the malicious files in the advisory that are available with the following AV signatures: Riskware/CoinMiner PossibleThreat All reported network IOCs in the advisory are blocked by Webfiltering. FortiGuard Labs has IPS coverage in place for CVE-2021-44228 (Log4Shell): Apache.Log4j.Error.Log.Remote.Code.Execution Tool Vulnerability Threat Patching ★★★
SecurityAffairs.webp 2022-11-21 11:41:21 Google provides rules to detect tens of cracked versions of Cobalt Strike (lien direct) Researchers at Google Cloud identified 34 different hacked release versions of the Cobalt Strike tool in the wild. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to […] Tool
The_Hackers_News.webp 2022-11-21 11:12:00 Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild (lien direct) Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which shipped in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The latest version of Cobalt Strike is version 4.7.2. Cobalt Tool Threat
The_Hackers_News.webp 2022-11-18 18:23:00 LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities (lien direct) The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday. Aside from being dropped Malware Tool Threat ★★★
Veracode.webp 2022-11-18 15:03:25 Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark (lien direct) One of the services that Veracode offers is a consultation with an Application Security Consultant – a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode's customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that an attacker can actually take advantage of). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be 3rd party JavaScript files belonging to Apache Spark. After some… Tool Vulnerability Guideline
Mandiant.webp 2022-11-16 19:00:00 Smarter, Not Harder: How to Intelligently Prioritize Attack Surface Risk (lien direct) There's a common saying in cyber security, "you can't protect what you don't know," and this applies perfectly to the attack surface of any given organization. Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant. As a result, IT and security teams do not always have an up-to-date picture of the extended ecosystem they need to defend. Legacy tools often have static lists of the 'known' asset inventory Tool Cloud ★★★★
TroyHunt.webp 2022-11-16 17:18:43 DuckDuckGo's Android anti-tracking tool offers stronger third-party protections (lien direct) App Tracking Protection blocks outbound traffic to listed tracking firms. Tool
Last update at: 2024-07-02 11:07:27