What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Fortinet.webp 2022-03-10 23:39:03 APT41 Compromised Six U.S. State Government Networks (lien direct) FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold in the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet-facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting deserialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined. Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recently as February 2022. In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacks. What's the Detail of the Attack? APT41 used several different ways to break into the targeted networks. In one case, the group exploited a SQL injection vulnerability in an Internet-facing web application. In another case, the group exploited a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41? APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering, and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States. What are the Tools Used by APT41? APT41 is known to use the following tools: ASPXSpy - web shell backdoor; BITSAdmin - PowerShell cmdlets for creating and managing file transfers; BLACKCOFFEE - backdoor that disguises its communications as benign traffic to legitimate websites; certutil - command-line utility used for manipulating certification authority (CA) data and components; China Chopper - web shell backdoor that gives an attacker remote access to an enterprise network; Cobalt Strike - a commercial penetration testing tool which allows users to perform a wide range of activities; Derusbi - DLL backdoor; Empire - PowerShell post-exploitation agent which provides a wide range of attack activities to users; gh0st RAT - Remote Access Trojan (RAT); MESSAGETAP - data mining malware; Mimikatz - open-source credential dumper; njRAT - Remote Access Trojan (RAT); PlugX - Remote Access Trojan (RAT); PowerSploit - open-source offensive security framework which allows users to perform a wide range of activities; ROCKBOOT - bootkit; ShadowPad - backdoor; Winnti for Linux - Remote Access Trojan (RAT) for Linux; ZxShell - Remote Access Trojan (RAT); Badpotato - open-source tool that allows elevating user rights to SYSTEM rights; DustPan - shellcode loader, aka StealthVector; DEADEYE - downloader; LOWKEY - backdoor; Keyplug - backdoor. What are Other Vulnerabilities Known to be Exploited by APT41? APT41 has exploited the following vulnerabilities in the past, among others: CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability); CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance); CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection); CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability); CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut Malware Tool Vulnerability Threat Guideline APT 41 APT 15
SecurityAffairs.webp 2022-03-10 21:51:37 Crooks target Ukraine's IT Army with a tainted DDoS tool (lien direct) Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army. Cisco Talos researchers have uncovered a malware campaign targeting Ukraine’s IT Army: threat actors are using infostealer malware mimicking a DDoS tool called the “Liberator.” The Liberator tool is circulating among pro-Ukraine hackers that use it to target Russian […] Malware Tool Threat
Kaspersky.webp 2022-03-10 19:54:00 Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers (lien direct) Be careful when downloading a tool to cyber-target Russia: It could be an infostealer wolf dressed in sheep's clothing that grabs your cryptocurrency info instead. Tool
TechRepublic.webp 2022-03-10 18:36:26 Malwarebytes vs. ESET: Which anti-malware solution is best for you? (lien direct) If you've been trying to decide which anti-malware tool is best for your needs, you've come to the right place. This resource summarizes two of the top anti-malware solutions: Malwarebytes and ESET. Tool
CVE.webp 2022-03-09 23:15:08 CVE-2022-24753 (lien direct) Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. MacOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. The update addresses the vulnerability by throwing an error in these situations before the code can run. Users are advised to upgrade to version 1.7.13. There are no known workarounds for this issue. Tool Vulnerability
ArsTechnica.webp 2022-03-09 22:50:59 Biden considers digital dollar - here's how it could differ from regular money (lien direct) Digital currency may have advantages but could also be a tool for surveillance. Tool
TechRepublic.webp 2022-03-09 16:43:32 How to quickly deploy a Linux distribution with GUI applications via a container (lien direct) If you need to spin up a quick Linux desktop for development or testing purposes, one of the easiest is with a new tool called Distrobox. Jack Wallen shows you how. Tool
Anomali.webp 2022-03-08 18:54:00 Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Belarus, China, Data breach, Data leak, Oil and gas, Phishing, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen (published: March 7, 2022) South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB of data from GPU giant Nvidia and tried to negotiate with the company. Analyst Comment: Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to employees working from home and to the security of contractors who have access to such data. Tags: Lapsus$, South Korea, South America, Data breach. Beware of Malware Offering “Warm Greetings From Saudi Aramco” (published: March 5, 2022) Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. The attached PDF file contained an embedded Excel object which would download a remote template that exploits CVE-2017-11882 to download and execute the FormBook information stealer. Analyst Comment: Organizations should train their users to recognize and report phishing emails. To mitigate this FormBook campaign, users should not handle emails coming from outside of the organization while logged on with administrative user rights. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221 Tags: FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template. Paying a Ransom Doesn’t Put an End to the Extortion (published: March 2, 2022) Venafi researchers conducted a survey regarding recent ransomware attacks and discovered that 83% of successful ransomware attacks include additional extortion methods, including threatening to extort customers (38%), exposing stolen data (35%), and informing customers that their data has been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, and 18% of victims had their data exposed despite having paid the ransom. Analyst Comment: This survey shows that ransomware payments are not as reliable in preventing further damage to the victimized organization as previously thought. Educate employees on t Ransomware Malware Tool Threat
TechRepublic.webp 2022-03-08 18:53:00 Task management vs. project management: Which is best for your team? (lien direct) If your teams are struggling to meet deadlines, you might need to consider either a project management or task management platform to keep them on track. Jack Wallen explains each and helps you understand which tool is the best fit. Tool
TechRepublic.webp 2022-03-08 17:21:15 Network monitoring tools every admin should know (lien direct) Network monitors are an absolute must-have for any network administrator. But which tool, out of the thousands, should you consider for your tool kit? Jack Wallen offers up his five favorites. Tool
SecurityWeek.webp 2022-03-08 15:01:20 U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool (lien direct) A threat group believed to be sponsored by the Chinese government has breached the networks of U.S. state governments, including through the exploitation of a zero-day vulnerability. Tool Threat
CVE.webp 2022-03-04 17:15:07 CVE-2022-24727 (lien direct) Weblate is a web based localization tool with tight version control integration. Prior to version 4.11.1, Weblate didn't properly sanitize some arguments passed to Git and Mercurial, allowing them to change their behavior in an unintended way. Instances where untrusted users cannot create new components are not affected. The issues were fixed in the 4.11.1 release. Tool
itsecurityguru.webp 2022-03-04 10:50:16 Telegram now favoured by hacktivists, cybercriminals (lien direct) As the conflict in Ukraine progresses, Telegram messaging has emerged as a favourite tool for both hacktivists and cybercriminals alike. Research from the cybersecurity company Check Point suggests that there are six times as many groups on the messaging app since February 24. Some topic-specific groups have grown significantly, some even reaching more than 250,000 members. […] Tool ★★★
ArsTechnica.webp 2022-03-03 23:52:51 A 40,000-year-old Chinese stone tool culture unlike any other (lien direct) Not every culture left a mark on those around it. Tool
Kaspersky.webp 2022-03-01 17:55:46 Daxin Espionage Backdoor Ups the Ante on Chinese Malware (lien direct) Via node-hopping, the espionage tool can reach computers that aren't even connected to the internet. Malware Tool
Anomali.webp 2022-03-01 16:01:00 Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (published: February 25, 2022) Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. The actors leverage Discord’s content delivery network (CDN) to host their payload. The goal of this attack was data collection on government organizations and companies involved with critical infrastructure. Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112 Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear. Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations (published: February 25, 2022) Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15 and 23 February there was intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers, as well as to PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate, signed EaseUS partition management driver. In other attacks targeting Ukraine, researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data on Ukrainian citizens for sale. Analyst Comment: Organizations exposed to the war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement a defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | Ransomware Malware Tool Vulnerability Threat ★★★★
TechRepublic.webp 2022-03-01 15:50:29 How to configure the ONLYOFFICE CRM for your business needs (lien direct) The ONLYOFFICE CRM tool can help you improve your customer relations, and it only takes a few minutes to get it set up to meet the needs of your business. Jack Wallen shows you how. Tool
Anomali.webp 2022-03-01 12:00:00 Anomali February Quarterly Product Release (lien direct) Anomali has made its mark delivering Threat Intelligence powered detection and response with its ThreatStream, Match, and Lens portfolio. Now, we've expanded upon that leadership position by continuing to innovate and deliver the essential capabilities and XDR solutions our customers have been wanting. Key Highlights for this Quarter Include: Introducing Match in the Cloud; Announcing The Anomali Platform; Increased Insights with Intelligence Initiatives; Extended Rules Engine Supporting Advanced Search Queries; On-Prem 5.3 Release with Intelligence Initiatives and More; Cybersecurity Insights Report and Blog Series. Read more below to see what our incredible team has been working on this quarter. Introducing Match in the Cloud: At the core of this new release is the hard work the team has done to introduce Match, Anomali’s big data threat detection engine, as a cloud-native deployment. By moving Match to the cloud, we’ve introduced new cloud capabilities that work together with existing ThreatStream and Lens capabilities in a cloud-native environment. With Match Cloud, we have unlocked our capability to ingest data from any telemetry source and access our global repository of threat intelligence to deliver high-performance indicator correlation at a rate of 190 trillion EPS. With Match Cloud, customers can add internal log sources and telemetry freely, leveraging the power of resource-intensive technologies that improve overall effectiveness and efficiencies. Match is available in both cloud and on-premise deployment options. Take our interactive tour to learn more. Announcing the Anomali Platform: As I mentioned above, moving Match to the cloud created synergistic threat detection and response capabilities in a cloud-native environment across the entire Anomali portfolio. With that, we’re able to offer fully cloud-native multi-tenant solutions that easily integrate into existing security tech stacks. We’re excited to introduce The Anomali Platform, a cloud-native extended detection and response (XDR) solution. The Anomali Platform is made up of critical components that work together to ingest security data from any telemetry source and correlate it with our global repository of threat intelligence to drive detection, prioritization, analysis, and response. Included in the Anomali Platform are: Anomali Match, Anomali ThreatStream, Anomali Lens. By combining big data management, machine learning, and the world’s largest global threat intelligence repository, organizations can understand what’s happening inside and outside their network within seconds. Read the Enterprise Management Associates (EMA) Impact Brief to see what they had to say about The Anomali Platform or take our interactive tour to learn more. And keep an eye out for our live event coming in Mid-April. Increased Insights with Tool Threat Guideline
Fortinet.webp 2022-03-01 09:16:53 Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email (lien direct) FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and translates to English as "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe". SSU likely stands for the Security Service of Ukraine. Why is this Significant? This is significant because, given its file name, the country from which the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians. What does the File Do? The file silently installs a copy of the legitimate Remote Utilities software on the compromised machine. The software allows a remote user to control the compromised machine. Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker. How was the File Distributed to the Targets? Most likely via links in email. CERT-UA published a warning today that "the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack". The email below is reported to have been used in the attack. Machine translation: Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161 WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor. Report a suspicious list to ib@gng.com.ua. Security Service of Ukraine. Good afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 198\00-22SBU-98. To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit. See the document on: hxxps://mega.nz/file/[reducted] Mirror 2: hxxps://files.dp.ua/en/[reducted] Mirror 3: hxxps://dropmefiles.com/[reducted] While the remote files were not available at the time of the investigation, the email and "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" are likely connected based on the email content and the file name. Can the File Be Attributed to a Particular Threat Actor? It's possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in the Windows taskbar. Since most threat actors aim to hide their activities, this is potentially the act of a novice attacker trying to take advantage of the current situation in Ukraine. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against the files involved in this attack: Riskware/RemoteAdmin_RemoteUtilities Tool Threat
The_Hackers_News.webp 2022-03-01 00:01:03 China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks (lien direct) A previously undocumented espionage tool has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign orchestrated by China-linked threat actors since at least 2013. Broadcom's Symantec Threat Hunter team characterized the backdoor, named Daxin, as a technologically advanced malware, allowing the attackers to carry out a Malware Tool Threat
Mandiant.webp 2022-02-28 15:00:00 Ready, Set, Go - Golang Internals and Symbol Recovery (lien direct) Golang (Go) is a compiled language introduced by Google in 2009. The language, runtime, and tooling have evolved significantly since then. In recent years, Go features such as easy-to-use cross-compilation, self-contained executables, and excellent tooling have provided malware authors with a powerful new language to design cross-platform malware. Unfortunately for reverse engineers, the tooling to separate malware author code from Go runtime code has fallen behind. Today, Mandiant is releasing a tool named GoReSym to parse Go symbol information and other embedded metadata. This blog post Malware Tool ★★★★
Blog.webp 2022-02-28 11:50:14 File Transfer Filter Bypass: Exe2Hex (lien direct) Introduction Exe2hex is a tool developed by g0tmilk which can be found here. The tool transcribes EXE into a series of hexadecimal strings which can Tool
CVE.webp 2022-02-26 00:15:08 CVE-2022-21706 (lien direct) Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. For more information: if you have any questions or comments about this advisory, you can discuss them on the [developer community Zulip server](https://zulip.com/developer-community/), or email the [Zulip security team](mailto:security@zulip.com). Tool Vulnerability
SecurityAffairs.webp 2022-02-24 21:53:39 CISA adds two Zabbix flaws to its Known Exploited Vulnerabilities Catalog (lien direct) US CISA added two flaws impacting Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities impacting the Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog. Threat actors are actively exploiting the two vulnerabilities that are reported in the following table: CVE ID Vulnerability Name Due […] Tool Vulnerability Threat
CVE.webp 2022-02-24 19:15:08 CVE-2020-14481 (lien direct) The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE. Tool
Mandiant.webp 2022-02-24 15:00:00 Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity (lien direct) In November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle East government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities. We also identified UNC3313 using publicly available remote access software to maintain access to the environment. UNC3313 initially gained access to this organization through a targeted phishing email and leveraged modified, open-source offensive security tools to identify accessible systems and move laterally. UNC3313 moved Malware Tool ★★★★
CVE.webp 2022-02-23 23:15:07 CVE-2022-23653 (lien direct) B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account`, then during the brief period between file creation and permission modification a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents of the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1, remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file. Tool Vulnerability
Anomali.webp 2022-02-23 18:46:00 Anomali Cyber Watch: EvilPlayout: Attack Against Iran\'s State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, \'Ice phishing\' on the blockchain and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Emotet, Ice Phishing, Iran, Trickbot and Zoho. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilPlayout: Attack Against Iran’s State Broadcaster (published: February 18, 2022) Checkpoint Researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several tv stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication. Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure. 
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 Tags: Iran, IRIB, Ava, Telewebion Microsoft Teams Targeted With Takeover Trojans (published: February 17, 2022) Researchers at Avanan have documented a new phishing technique in which threat actors abuse the trust users of Microsoft Teams have in the platform to deliver malware. Threat actors send phishing links to victims which initiate a chat on the platform, after which they post a link to a DLL file within the chat box. When clicked, it installs a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse. Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move a conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links posted on trusted platforms are not trustworthy in themselves. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Trusted Relationship - T1199 Tags: Microsoft Teams, trojan, phishing Red Cross: State Hackers Breached our Network Using Zoho bug (published: February 16, 2022) The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individuals' PII, linked to their Restoring Family Links pro Ransomware Data Breach Malware Tool Vulnerability Threat Guideline
SecurityWeek.webp 2022-02-23 12:38:05 CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool (lien direct) The United States Cybersecurity and Infrastructure Security Agency (CISA) this week expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution. Tool
The_Hackers_News.webp 2022-02-23 00:39:07 Chinese Experts Uncover Details of Equation Group's Bvp47 Covert Hacking Tool (lien direct) Researchers from China's Pangu Lab have disclosed details of a "top-tier" backdoor put to use by the Equation Group, an advanced persistent threat (APT) with alleged ties to the cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). Dubbed "Bvp47" owing to numerous references to the string "Bvp" and the numerical value "0x47" used in the encryption algorithm, the Tool Threat
Mandiant.webp 2022-02-22 15:00:00 Mandiant Featured on CRN's 2022 Security 100 List (lien direct) As organizations seek to strengthen their security posture and bolster their defenses against a continuously evolving threat landscape, Mandiant remains dedicated to equipping them with industry-leading tools and managed services. After all, effective security requires the fusion of technology and talent. Since joining Mandiant, I've seen first-hand how we put our mission, to make every organization secure from cyber threats and confident in their readiness, into action. And it is through this lens that we approach the channel, aligning with key partners who share like-minded go-to-market Tool Threat ★★★
The_Hackers_News.webp 2022-02-21 23:22:21 Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike (lien direct) Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. "Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers," South Korean Tool Vulnerability Threat
The_Hackers_News.webp 2022-02-18 00:37:46 New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager (lien direct) Multiple security vulnerabilities have been disclosed in Canonical's Snap software packaging and deployment system, the most critical of which can be exploited to escalate privilege to gain root privileges. Snaps are self-contained application packages that are designed to work on operating systems that use the Linux kernel and can be installed using a tool called snapd. Tracked Tool
TechRepublic.webp 2022-02-17 19:14:22 How to use the ONLYOFFICE project management tool (lien direct) Looking to manage your projects in-house but aren't sure what software to use? ONLYOFFICE includes such a tool and might serve you well. Jack Wallen shows you the ropes. Tool
The_Hackers_News.webp 2022-02-17 01:22:21 This New Tool Can Retrieve Pixelated Text from Redacted Documents (lien direct) The practice of blurring out text using a method called pixelation may not be as secure as previously thought. While the most foolproof way of concealing sensitive textual information is to use opaque black bars, other redaction methods like pixelation can achieve the opposite effect, enabling the reversal of pixelized text back into its original form. Dan Petro, a lead researcher at offensive Tool Guideline
Watchguard.webp 2022-02-17 00:00:00 WatchGuard and Ava6 present "Red SOC", a first-of-its-kind managed EDR service dedicated to SMBs, mid-sized companies and local authorities (lien direct) Paris, 17 February 2022 - WatchGuard® Technologies, a global leader in network security and intelligence, secure Wi-Fi, multi-factor authentication and advanced endpoint protection, and its partner Ava6, a French IT services company specializing in cybersecurity, present a first-of-its-kind managed EDR service named Red SOC. The service is built on WatchGuard Technologies' recognized Endpoint Protection Detection and Response (EPDR) technology and is operated by Ava6's endpoint SOC experts, 24 hours a day, 7 days a week. With Red SOC, WatchGuard and Ava6 intend to make the endpoint SOC, traditionally reserved for large accounts, and managed EDR accessible to SMBs, mid-sized companies and local authorities wishing to strengthen their security posture against cyberattacks, and ransomware in particular. Pascal Le Digol, Country Manager France at WatchGuard Technologies, says: "Even though companies have understood that raising the security level of their information systems is urgent, they generally face several problems. SMBs have few means and resources to allocate to cybersecurity, while mid-sized companies and local authorities that have adopted, or wish to adopt, managed EDR do not have the capacity to train security teams able to handle the many alerts raised by the solutions. With Ava6, we had the idea of creating the Red SOC offering to give these companies access to a high-level security solution while outsourcing its supervision to a team of professionals. Thanks to Red SOC, we hope to enable many companies and local authorities to raise their security level."
Red SOC: Making the endpoint SOC and managed EDR accessible to the greatest possible number of companies and local authorities. Red SOC is built around the WatchGuard Endpoint Protection Detection and Response (EPDR) software offering and combines technology with leading human expertise to let companies get the most out of their EDR solution. WatchGuard's technology detects malicious behaviour that may occur on endpoints (desktops, laptops, tablets, smartphones and servers), while Ava6 drives the remediation actions to neutralize attacks before they spread through the company's information system. The WatchGuard solution acts as the central link of an endpoint SOC because it collects, records and aggregates data, namely logs; a team of security experts then delivers the service that extracts the full value of the software solution: by analysing the data and events reported by the solution, incidents are qualified, which speeds up the detection and remediation of attacks and other detected threats. Beyond endpoint monitoring and the follow-up and response to incidents and other alerts, Ava6's team of security consultants also handles updates to the WatchGuard solution and keeps it in a secure condition. A modular EDR offering, packaged as a service. The Red SOC offering is modular and adapts to the profile and specific needs of the client company Tool Threat ★★★
Anomali.webp 2022-02-15 20:01:00 Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. 
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the file size in order to bypass antivirus scans. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer Ransomware Malware Tool Vulnerability Threat Guideline Uber APT 43 APT 36 APT-C-17
CVE.webp 2022-02-15 16:15:09 CVE-2022-23604 (lien direct) x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround. Tool Vulnerability
Mandiant.webp 2022-02-15 15:00:00 New Mandiant Advantage Security Validation Offering Helps Organizations Confidently Answer the Question: Are We Able to Prevent a Ransomware Attack? (lien direct) Daily headlines say it all: the frequency and proliferation of ransomware are accelerating. Not only have Mandiant's incident responders seen ransomware attacks increase dramatically in recent years, but ransoms themselves have increased from $416 million for all of 2020 to $590 million for the first six months of 2021, according to the U.S. Treasury. Organizations, large and small, recognize that without the right tools in place they could be the next victim. Threat actors continue to up their game with increasingly aggressive and sophisticated attacks, shifting from standard ransomware Ransomware Tool ★★★
CVE.webp 2022-02-10 20:15:07 CVE-2022-23630 (lien direct) Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip dependency verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations share common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes the issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. Users who cannot update should either not use `ResolutionStrategy.disableDependencyVerification()` (and not use plugins that call that method to disable dependency verification for a single configuration), or make sure that configurations which disable the feature are not resolved in builds that also resolve configurations where the feature is enabled. Tool
Cybereason.webp 2022-02-10 10:00:00 CISO Stories Podcast: Creating Security Budget Where There is No Budget (lien direct) CISO Stories Podcast: Creating Security Budget Where There is No Budget Over the years, security departments acquire tool after tool, sometimes integrated, and many times under-utilized. Kevin Richards, President at Secure Systems Innovation, walks through a very creative method for getting the budget you need, and explains how to leverage the current environment to “find” new sources of funding for the right cybersecurity investments - check it out... Tool
TechRepublic.webp 2022-02-07 23:31:56 How to use DuckDuckGo on your PC and mobile devices (lien direct) You can use the privacy-oriented search tool through desktop browser extensions and a mobile app. Tool
SecurityWeek.webp 2022-02-07 22:01:44 Google Cloud Gets Virtual Machine Threat Detection (lien direct) Google on Monday announced the public preview of a new tool to help identify threats within virtual machines (VMs) running on its Google Cloud infrastructure. Tool Threat
SecurityAffairs.webp 2022-02-07 19:13:06 (Déjà vu) Avast released a free decryptor for TargetCompany ransomware (lien direct) Cybersecurity firm Avast has released a decryption tool to allow victims of TargetCompany ransomware to recover their files for free. Czech cybersecurity software firm Avast has released a decryption tool that could allow victims of the TargetCompany ransomware to recover their files for free under certain circumstances. The experts warn that the decryptor consumes most of the […] Tool
Blog.webp 2022-02-07 18:33:58 Linux Privilege Escalation: PwnKit (CVE-2021-4034) (lien direct) Introduction The Qualys team discovered a local privilege escalation vulnerability in PolicyKit's (polkit) setuid tool pkexec which allows low-privileged local users to run commands as privileged users. Tool Vulnerability
SecurityAffairs.webp 2022-02-06 13:49:13 Argo CD flaw could allow stealing sensitive data from Kubernetes Apps (lien direct) A flaw in Argo CD tool for Kubernetes could be exploited by attackers to steal sensitive data from Kubernetes Apps. A zero-day vulnerability, tracked as CVE-2022-24348, in the Argo CD tool for Kubernetes could be exploited by attackers to steal sensitive data from Kubernetes Apps, including passwords and API keys. The flaw received a CVSS […] Tool Uber
TechRepublic.webp 2022-02-06 00:03:38 Working with PDFs is a breeze with PDF Converter Pro (lien direct) PDF Converter Pro is an all-in-one tool that allows you create or convert PDF documents into a variety of formats or from a variety of formats with ease. Tool
The_Hackers_News.webp 2022-02-05 21:48:25 New Argo CD Bug Could Let Hackers Steal Secret Info from Kubernetes Apps (lien direct) Users of the Argo continuous deployment (CD) tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The flaw, tagged as CVE-2022-24348 (CVSS score: 7.7), affects all versions and has been addressed in versions 2.3.0, 2.2.4, and 2.1.9. Cloud security firm Tool Vulnerability Uber
TechRepublic.webp 2022-02-04 15:23:32 Ditto wants to help you sync critical data in real time, even without an internet connection (lien direct) If fractured databases have ever created a headache for your business, Ditto may have the offline syncing tool you've been looking for. Tool
SecurityAffairs.webp 2022-02-04 13:19:05 (Déjà vu) Retail giant Target open sources Merry Maker e-skimmer detection tool (lien direct) Retail giant Target is going to open-source an internal tool, dubbed Merry Maker, designed to detect e-skimming attacks. Retail giant Target announced the open-source release of an internal tool, dubbed Merry Maker, designed to detect e-skimming attacks. Merry Maker is a tool designed by Target security developers Eric Brandel and Caleb Walch (@ebrandel and @cawalch) to […] Tool
Last update at: 2024-07-07 04:08:47