What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
InfoSecurityMag 2023-05-11 15:30:00 "Greatness" Phishing Tool Exploits Microsoft 365 Credentials (direct link) The findings come from security researchers at Cisco Talos
Tool ★★★
globalsecuritymag 2023-05-11 11:30:10 Analysis of the RedLine Stealer Malware
(direct link)
RedLine Stealer first appeared in March 2020. In the past it was used repeatedly by the since-exposed members of the Lapsus$ group, but it is still offered on darknet forums for a few hundred euros. The stealer is a capable tool for collecting login credentials from a wide range of sources, including web browsers, FTP clients, e-mail apps, Steam, instant-messaging clients and VPNs. The malware can also collect authentication cookies and card numbers stored in browsers, chat logs, local files and even cryptocurrency wallet databases. - Malware /
Malware Tool ★★
AlienVault 2023-05-10 20:13:00 OneNote documents have emerged as a new malware infection vector (direct link) The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Intro In February 2022, Microsoft disabled VBA macros on documents due to their frequent use as a malware distribution method. This move prompted malware authors to seek out new ways to distribute their payloads, resulting in an increase in the use of other infection vectors, such as password-encrypted zip files and ISO files. OneNote documents have emerged as a new infection vector: they contain malicious code that executes when the document is interacted with. Emotet and Qakbot, among other high-end stealers and crypters, are known malware threats that use OneNote attachments. Researchers are currently developing new tools and analysis strategies to detect and prevent these OneNote attachments from being used as a vehicle for infection. This article highlights this new development and discusses the techniques that malicious actors use to compromise a system. Attack chain With the disablement of VBA macros, threat actors have turned to using OneNote attachments as a new way to install malware on an endpoint. OneNote attachments can contain embedded file formats, such as HTML, ISO, and JScripts, which can be exploited by malicious actors. OneNote attachments are particularly appealing to attackers because they are interactive and designed to be added on to and interacted with, rather than just viewed. This makes it easier for malicious actors to include enticing messages and clickable buttons that can lead to infection. As a result, users should exercise caution when interacting with OneNote attachments, even if they appear to be harmless. It is essential to use updated security software and to be aware of the potential risks associated with interactive files.
Email – Social engineering Like most malware authors, attackers often use email as the first point of contact with victims. They employ social engineering techniques to persuade victims to open the program and execute the code on their workstations. [Figure: phishing email carrying a OneNote attachment] In a recent phishing attempt, the attacker sent an email that appeared to be from a trustworthy source and requested that the recipient download a OneNote attachment. However, upon opening the attachment, the code was not automatically updated as expected. Instead, the victim was presented with a potentially dangerous prompt. [Figure: OneNote document prompting the user to click "Open"] In this case, as with many OneNote attachments, the malicious actor intends for the user to click on the "Open" button presented in the document, which executes the code. Traditional security tools are not effective in detecting this type of threat. One tool that can be used for analyzing Microsoft Office documents, including OneNote attachments, is Oletools. The suite includes the command line executable olevba, which can be helpful in detecting and analyzing malicious code. [Figure: olevba error when run on the OneNote attachment] Upon attempting to execute the tool on the OneNote attachment, an error occurred. As a result, the focus of the analysis shifted towards a dynamic approach. By placing the document in a sandbox, we discovered a chain of scripts that were executed to download and run an executable or DLL file, resulting in more severe infections like ransomware, stealers, and wipers. [Figure: sandbox analysis of the OneNote document] Tactics and techniques This particular campaign Malware Tool Threat ★★★
RecordedFuture 2023-05-10 16:32:00 Cisco warns of new 'Greatness' phishing-as-a-service tool seen in the wild
(direct link)
A new phishing-as-a-service (PaaS) tool is allowing rookie hackers to incorporate "some of the most advanced" features into their cyberattacks, researchers warned Wednesday. Similar to other criminal services, PaaS platforms lower the bar to entry for cybercrime, offering unskilled hackers the ability to automate the tasks involved in tricking victims into entering their credentials on
Tool Cloud ★★
GoogleSec 2023-05-10 14:59:36 I/O 2023: What's new in Android security and privacy
(direct link)
Posted by Ronnie Falcon, Product Manager Android is built with multiple layers of security and privacy protections to help keep you, your devices, and your data safe. Most importantly, we are committed to transparency, so you can see your device safety status and know how your data is being used. Android uses the best of Google's AI and machine learning expertise to proactively protect you and help keep you out of harm's way. We also empower you with tools that help you take control of your privacy. I/O is a great moment to show how we bring these features and protections all together to help you stay safe from threats like phishing attacks and password theft, while remaining in charge of your personal data. Safe Browsing: faster, more intelligent protection Android uses Safe Browsing to protect billions of users from web-based threats, like deceptive phishing sites. This happens in the Chrome default browser and also in Android WebView, when you open web content from apps. Safe Browsing is getting a big upgrade with a new real-time API that helps ensure you're warned about fast-emerging malicious sites. With the newest version of Safe Browsing, devices will do real-time blocklist checks for low reputation sites. Our internal analysis has found that a significant number of phishing sites only exist for less than ten minutes to try and stay ahead of block-lists. With this real-time detection, we expect we'll be able to block an additional 25 percent of phishing attempts every month in Chrome and Android1. Safe Browsing isn't just getting faster at warning users. We've also been building in more intelligence, leveraging Google's advances in AI. Last year, Chrome browser on Android and desktop started utilizing a new image-based phishing detection machine learning model to visually inspect fake sites that try to pass themselves off as legitimate log-in pages.
By leveraging a TensorFlow Lite model, we're able to find 3x more2 phishing sites compared to previous machine learning models and help warn you before you get tricked into signing in. This year, we're expanding the coverage of the model to detect hundreds more phishing campaigns and leverage new ML technologies. This is just one example of how we use our AI expertise to keep your data safe. Last year, Android used AI to protect users from 100 billion suspected spam messages and calls.3 Passkeys help move users beyond passwords For many, passwords are the primary protection for their online life. In reality, they are frustrating to create and remember, and are easily hacked. But hackers can't phish a password that doesn't exist. Which is why we are excited to share another major step forward in our passwordless journey: Passkeys. Spam Malware Tool ★★★
CVE 2023-05-10 14:15:16 CVE-2022-41610 (direct link) Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access.
Tool
CVE 2023-05-10 14:15:14 CVE-2022-40971 (direct link) Incorrect default permissions for the Intel(R) HDMI Firmware Update Tool for NUC before version 1.79.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
Tool
CVE 2023-05-10 14:15:10 CVE-2022-21162 (direct link) Uncontrolled search path for the Intel(R) HDMI Firmware Update tool for NUC before version 1.79.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
Tool
The_Hackers_News 2023-05-10 14:14:00 U.S. Government Neutralizes Russia's Most Sophisticated Snake Cyber Espionage Tool
(direct link)
The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia's Federal Security Service (FSB). Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear,
Malware Tool ★★
DarkReading 2023-05-10 13:15:00 Free Tool Unlocks Some Encrypted Data in Ransomware Attacks
(direct link)
The "White Phoenix" automated tool for recovering data from partially encrypted files hit with ransomware is available on GitHub.
Ransomware Tool ★★★
DarkReading 2023-05-09 20:40:00 FBI Disarms Russian FSB 'Snake' Malware Network
(direct link)
Operation "Medusa" disabled Turla's Snake malware with an FBI-created tool called Perseus.
Malware Tool ★★
Anomali 2023-05-09 20:02:00 Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions
(direct link)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey's Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, a Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry, thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app; once installed, it asks for the user's credit card or banking data. If second-factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse's ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com Malware Tool Threat APT 37 APT 43 ★★★
CVE 2023-05-09 15:15:10 CVE-2023-31143 (direct link) mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue.
Tool
RecordedFuture 2023-05-09 13:32:00 Feds continue takedowns of DDoS-for-hire 'booter' sites
(direct link)
U.S. law enforcement has seized 13 more internet domains that hosted "booter" services for attacking websites, prosecutors said Monday, and four people arrested in a previous sweep have pleaded guilty to related charges. It's the Department of Justice's third wave of seizures of booter domains, which allow paying customers to launch powerful distributed denial-of-service (DDoS)
Tool ★★
knowbe4 2023-05-09 13:00:00 CyberheistNews Vol 13 #19 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users
(direct link)
CyberheistNews Vol 13 #19 | May 9th, 2023 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users Compromised websites (legitimate sites that have been successfully compromised to support social engineering) are serving visitors fake Google Chrome update error messages. "Google Chrome users who use the browser regularly should be wary of a new attack campaign that distributes malware by posing as a Google Chrome update error message," Trend Micro warns. "The attack campaign has been operational since February 2023 and has a large impact area." The message displayed reads, "UPDATE EXCEPTION. An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update." A link is provided at the bottom of the bogus error message that takes the user to what's misrepresented as a link that will support a Chrome manual update. In fact the link will download a ZIP file that contains an EXE file. The payload is a cryptojacking Monero miner. A cryptojacker is bad enough since it will drain power and degrade device performance. This one also carries the potential for compromising sensitive information, particularly credentials, and serving as staging for further attacks. This campaign may be more effective for its routine, innocent look. There are no spectacular threats, no promises of instant wealth, just a notice about a failed update. Users can become desensitized to the potential risks bogus messages concerning IT issues carry with them. Informed users are the last line of defense against attacks like these. New school security awareness training can help any organization sustain that line of defense and create a strong security culture. Blog post with links: https://blog.knowbe4.com/fake-chrome-update-error-messages A Master Class on IT Security: Roger A.
Grimes Teaches You Phishing Mitigation Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they're more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, Ransomware Data Breach Spam Malware Tool Threat Prediction NotPetya NotPetya APT 28 ChatGPT ChatGPT ★★
CVE 2023-05-09 01:15:08 CVE-2023-28764 (direct link) SAP BusinessObjects Platform - versions 420, 430, Information design tool transmits sensitive information as cleartext in the binaries over the network. This could allow an unauthenticated attacker with deep knowledge to gain sensitive information such as user credentials and domain names, which may have a low impact on confidentiality and no impact on the integrity and availability of the system.
Tool
DarkReading 2023-05-09 01:00:00 New Bazel Ruleset Helps Developers Build Secure Container Images
(direct link)
A new ruleset for Bazel, an open source build and test tool from Google, allows developers to create Docker images and generate software bills of materials describing what is inside the containers.
Tool ★★
DarkReading 2023-05-05 20:47:00 (Déjà vu) Satori Unveils Universal Data Permissions Scanner, a Free Open Source Tool that Sheds Light on Data Access Authorization
(direct link)
Addressing data access blind spots commonly faced by enterprises, the data security vendor launches the first open-source authorization analysis tool to provide universal visibility into data access permissions across multiple data stores.
Tool Satori Satori ★★
RecordedFuture 2023-05-05 15:53:00 Organizations slow to patch GoAnywhere MFT vulnerability even after Clop ransomware attacks
(direct link)
Dozens of organizations are still exposed to cyberattacks through a widely abused vulnerability in GoAnywhere MFT - a web-based tool that helps organizations transfer files - according to new research. Since February, the Clop ransomware group has exploited dozens of the world's largest companies and governments through a zero-day vulnerability in GoAnywhere tracked as CVE-2023-0669. The governments
Ransomware Tool Vulnerability ★★
The_Hackers_News 2023-05-05 15:49:00 N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
(direct link)
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel
Tool Threat APT 43 ★★★
ESET 2023-05-05 14:00:25 APTs target MSP access to customer networks – Week in security with Tony Anscombe
(direct link)
The recent compromise of the networks of several companies via the abuse of a remote access tool used by MSPs exemplifies why state-aligned threat actors should be on the radars of IT service providers
Tool Threat ★★
CVE 2023-05-04 21:15:11 CVE-2023-30328 (direct link) An issue in the helper tool of Mailbutler GmbH Shimo VPN Client for macOS v5.0.4 allows attackers to bypass authentication via PID re-use.
Tool
globalsecuritymag 2023-05-04 15:28:11 Satori Unveils Universal Data Permissions Scanner, A Free Open-Source Tool that Sheds Light on Data Access Authorization (direct link) Addressing data access blind spots commonly faced by enterprises, the data security vendor launches the first open-source authorization analysis tool to provide universal visibility into data access permissions across multiple data stores - Product Reviews
Tool Satori Satori ★★
CVE 2023-05-04 14:15:11 CVE-2023-30619 (direct link) Tuleap Open ALM is a Libre and Open Source tool for end-to-end traceability of application and system developments. The title of an artifact is not properly escaped in the tooltip. A malicious user with the capability to create an artifact or to edit a field title could force the victim to execute uncontrolled code. This issue has been patched in version 14.7.99.143.
Tool
SentinelOne 2023-05-04 13:55:19 Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
(direct link)
DPRK-linked threat actor deploys previously unseen reconnaissance tool 'ReconShark' in wave of ongoing attacks.
Tool Threat ★★★
Mandiant 2023-05-04 09:30:00 New Mandiant Threat Intelligence Integrations for MISP, Splunk SIEM and SOAR, and Cortex XSOAR by Palo Alto Networks
(direct link)
Security professionals are often overwhelmed by the number of management consoles or platforms they need to jump between on any given day. Automating and sharing information into existing workflows can unburden these teams by eliminating mundane tasks and reducing human error. Mandiant SaaS integrations save time and help make security teams more proactive. The Mandiant Threat Intelligence API allows security teams to integrate Mandiant Threat Intelligence data directly into their existing security tools and workflows. As part of our ongoing commitment to helping security teams work
Tool Threat Cloud ★★
AlienVault 2023-05-03 10:00:00 Looking at a penetration test through the eyes of a target
(direct link)
The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  Analyzing an organization’s security posture through the prism of a potential intruder’s tactics, techniques, and procedures (TTPs) provides actionable insights into the exploitable attack surface. This visibility is key to stepping up the defenses of the entire digital ecosystem or its layers so that the chance of a data breach is reduced to a minimum. Penetration testing (pentesting) is one of the fundamental mechanisms in this area. The need to probe the architecture of a network for weak links through offensive methods co-occurred with the emergence of the “perimeter security” philosophy. Whereas pentesting has largely bridged the gap, the effectiveness of this approach is often hampered by a crude understanding of its goals and the working principles of ethical hackers, which skews companies’ expectations and leads to frustration down the line. The following considerations will give you the big picture in terms of prerequisites for mounting a simulated cyber incursion that yields positive security dividends rather than being a waste of time and resources. Eliminating confusion with the terminology Some corporate security teams may find it hard to distinguish a penetration test from related approaches such as red teaming, vulnerability testing, bug bounty programs, as well as emerging breach and attack simulation (BAS) services. They do overlap in quite a few ways, but each has its unique hallmarks. Essentially, a pentest is a manual process that boils down to mimicking an attacker’s actions. Its purpose is to find the shortest and most effective way into a target network through the perimeter and different tiers of the internal infrastructure. The outcome is a snapshot of the system’s protections at a specific point in time. 
In contrast to this, red teaming focuses on exploiting a segment of a network or an information / operational technology (IT/OT) system over an extended period. It is performed more covertly, which is exactly how things go during real-world compromises. This method is an extremely important prerequisite for maintaining OT cybersecurity, an emerging area geared toward safeguarding industrial control systems (ICS) at the core of critical infrastructure entities. Vulnerability testing, in turn, aims to pinpoint flaws in software and helps understand how to address them. Bug bounty programs are usually limited to mobile or web applications and may or may not match a real intruder’s behavior model. In addition, the objective of a bug bounty hunter is to find a vulnerability and submit a report as quickly as possible to get a reward rather than investigating the problem in depth. BAS is the newest technique on the list. It follows a “scan, exploit, and repeat” logic and pushes a deeper automation agenda, relying on tools that execute the testing with little to no human involvement. These projects are continuous by nature and generate results dynamically as changes occur across the network. By and large, there are two things that set pentesting aside from adjacent security activities. Firstly, it is done by humans and hinges on manual offensive tactics, for the most part. Secondly, it always presupposes a comprehensive assessment of the discovered security imperfections and prioritization of the fixes based on how critical the vulnerable infrastructure components are. Choosing a penetration testing team worth its salt Let’s zoom into what factors to consider when approaching companies in this area, how to find professionals amid eye-catching marketing claims, and what pitfalls this process may entail. As a rule, the following criteria are the name of t Data Breach Tool Vulnerability Threat Industrial ★★
Blog.webp 2023-05-02 22:37:26 Reverse engineering tricks: identifying opaque network protocols
(lien direct)
Lately, I've been reverse engineering a reasonably complex network protocol, and I ran into a mystery - while the protocol is generally an unencrypted binary protocol, one of the messages was large and random. In an otherwise unencrypted protocol, why is one of the messages unreadable? It took me a few hours to accomplish what should have been a couple minutes of effort, and I wanted to share the trick I ultimately used! I'm going to be intentionally vague on the software, and even modify a few things to make it harder to identify; I'll probably publish a lot more on my work blog once I'm finished this project! Binary protocols Let's take a look at the binary protocol! If you're familiar with protocols and just want to see the “good stuff”, feel free to skip down to the next header. A “binary protocol” is a network protocol that uses unprintable characters (as opposed to a protocol like HTTP, which is something you can type on your keyboard). Often, you'll use a tool like Wireshark to grab a sample of network traffic (a “packet capture”, or “PCAP”) and, if it's not encrypted, you can start drawing conclusions about what the client and server expect. In a PCAP, you might see requests / responses that look like this: Outbound: 08 00 00 00 2c 00 00 00 ....,... Inbound: 40 00 00 00 2c 00 00 00 55 53 52 53 05 00 00 00 @...,... USRS.... 2c 00 00 00 02 00 00 00 55 38 f9 ed 21 59 47 f5 ,....... U8..!YG. 8f 9d 43 59 33 5c 2e 92 00 00 00 00 c4 54 f4 01 ..CY3\.. .....T.. 8d b4 43 e7 9e 9f ea db 4e 76 1a 7a 00 00 00 00 ..C..... Nv.z.... I don't want to get too buried in the weeds on how this protocol actually works, but when you work with unknown binary protocols a lot, certain things start to stand out. First, let's talk about endianness! The way integers are encoded into protocols vary based on the protocol, but a very common way to encode a 4-byte (32-bit) number is either big endian (8 => 00 00 00 08) or little endian (8 => 08 00 00 00). 
There are historic reasons both exist, and both are common to see, but based on the structure of those messages, we can guess that the first 4 bytes are either a big-endian integer with the value 0x08000000 or a little-endian integer with the value 0x00000008. The latter seems more likely, because that would make a great length value; speaking of lengths… Second, let's talk about TCP - TCP is a streaming protocol, which means there is no guarantee that if you send 100 bytes, the receiver will receive those 100 bytes all at once. You ARE guaranteed that if you received data, it'll be the correct bytes in the correct order; however, you might get 50 now and 50 later, or 99 now and 1 later, or maybe the next 50 bytes will be attached and you'll get 150 bytes all at once. As a result, TCP-based services nearly always encode a length value near the start, allowing protocols to unambiguously receive complete messages. Because of all that, one of the first things I do when approaching a new protocol is try to identify the length field. In this case, you'll note that the packet that starts with 0x08 is 8 bytes long, and the packet that starts with 0x40 is 0x40 bytes long. That looks promising! And, as it turns out, is correct. Once we have a length field, the next thing to consider is how the client and server multiplex messages. In an HTTP protocol, there's a URI, which tells the server where to direct the request. In a binary protocol, there isn't typical Tool ★★★
The_Hackers_News.webp 2023-05-02 17:26:00 BouldSpy Android Spyware: Iranian Government's Alleged Tool for Spying on Minority Groups
(lien direct)
A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups. The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups. "The spyware
Tool ★★
ComputerWeekly.webp 2023-05-02 07:30:00 UK Cyber Security Council launches certification mapping tool
(lien direct)
Tool ★★
Anomali.webp 2023-05-01 23:16:00 Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
(lien direct)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Remapping, Cloud C2s, Infostealers, Iran, North Korea, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Cyber News and Threat Intelligence Chain Reaction: ROKRAT's Missing Link (published: May 1, 2023) Since 2022, the North Korea-sponsored group APT37 (Group123, Ricochet Chollima) has largely changed its delivery methods from maldocs to hiding payloads inside oversized LNK files. Check Point researchers identified several infection chains used by the group from July 2022 to April 2023. These were used to deliver one of APT37's custom tools (GoldBackdoor and ROKRAT), or the commodity Amadey malware. All of the lures studied appear to target Korean individuals with topics related to South Korea. Analyst Comment: The switch to LNK-based infection chains requires less user interaction from APT37's targets, since the chain can be triggered by a simple double click. The group continues to use the well-tried ROKRAT, which remains a stealthy tool with its additional layers of encryption, cloud C2, and in-memory execution. Indicators associated with this campaign are available in the Anomali platform and customers are advised to block them on their infrastructure. 
MITRE ATT&CK: [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1055 - Process Injection | [MITRE ATT&CK] T1027 - Obfuscated Files or Information | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1059.005 - Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32 Tags: malware:ROKRAT, mitre-software-id:S0240, malware-type:RAT, actor:Group123, mitre-group:APT37, actor:Ricochet Chollima, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, file-type:ZIP, file-type:DOC, file-type:ISO, file-type:LNK, file-type:BAT, file-type:EXE, file-type:VBS, malware:Amadey, malware:GoldBackdoor, malware-type:Backdoor, abused:pCloud, abused:Yandex Cloud, abused:OneDrive, abused:Hangul Word Processor, abused:Themida, target-system:Windows Ransomware Malware Tool Vulnerability Threat Prediction Cloud APT 37 APT 37 APT 35 ★★
no_ico.webp 2023-04-30 07:08:18 The Relevance of Prompts in AI and Cybersecurity
(lien direct)
Introduction to Prompting Artificial Intelligence (AI) has become an increasingly popular topic in recent years due to its potential to revolutionize various industries. The ability to automate tasks, analyze vast amounts of data, and make predictions has made AI a valuable tool for businesses and researchers alike. However, developing effective AI systems can be a […]
Tool ★★
CVE.webp 2023-04-28 16:15:10 CVE-2023-30853 (lien direct) Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build Tool via environment variables. Due to the way the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. This data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as one running for a pull request submitted by a developer via a repository fork. This vulnerability was discovered internally through code review, and we have not seen any evidence of it being exploited in the wild. However, in addition to upgrading the Gradle Build Action, affected users should delete any potentially vulnerable cache entries and may choose to rotate any potentially affected secrets. Gradle Build Action v2.4.2 and newer no longer saves this sensitive data for later use, preventing ongoing leakage of secrets via the GitHub Actions cache. While upgrading to the latest version of the Gradle Build Action will prevent the leakage of secrets going forward, additional action may be required because of current or previous GitHub Actions cache entries containing this information. 
Current cache entries will remain vulnerable until they are forcibly deleted or expire naturally after 7 days of not being used. Potentially vulnerable entries can be easily identified in the GitHub UI by searching for a cache entry with a key matching `configuration-cache-*`. The maintainers recommend that users of the Gradle Build Action inspect their list of cache entries and manually delete any that match this pattern. Although the maintainers have seen no evidence of this vulnerability being exploited, they recommend cycling repository secrets if you cannot be certain that these have not been compromised. A compromise could occur if a user runs a GitHub Actions workflow for a pull request attempting to exploit this data. Warning signs to look for in a pull request include: - Making changes to GitHub Actions workflow files in a way that may attempt to read/extract data from the Gradle User Home or `/.gradle` directories. - Making changes to Gradle build files or other executable files that may be invoked by a GitHub Actions workflow, in a way that could attempt to read/extract information from these locations. Some workarounds to limit the impact of this vulnerability are available: - If the Gradle project does not opt in to using the configuration cache, it is not vulnerable. - If the Gradle project does opt in to using the configuration-cache by default, the `--configuration-cache` command-line argument can be used to disable this feature in a GitHub Actions workflow. 
In any case, we recommend that users carefully inspect any pull request before approving the execution of GitHub Actions workflows. It may be prudent to require approval for all PRs from external contributors.
Tool Vulnerability
itsecurityguru.webp 2023-04-28 01:30:56 (Déjà vu) Charming Kitten Using New Malware in Multi-Country Attacks
(lien direct)
Charming Kitten, the infamous Iranian nation-state group, is actively targeting victims across Europe, U.S., India and Middle East with a new malware dubbed BellaCiao. The malware is the latest in their expansive custom tool kit. BellaCiao was discovered by Bitdefender, who describe the malware as a “personalised dropper” that’s capable of delivering malware payloads onto […]
Malware Tool APT 35 APT 35 ★★
The_Hackers_News.webp 2023-04-26 21:01:00 Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
(lien direct)
The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. That's according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a
Tool ★★
GoogleSec.webp 2023-04-26 11:00:21 Celebrating SLSA v1.0: securing the software supply chain for everyone
(lien direct)
Bob Callaway, Staff Security Engineer, Google Open Source Security team Last week the Open Source Security Foundation (OpenSSF) announced the release of SLSA v1.0, a framework that helps secure the software supply chain. Ten years of using an internal version of SLSA at Google has shown that it's crucial to warding off tampering and keeping software secure. It's especially gratifying to see SLSA reaching v1.0 as an open source project: contributors have come together to produce solutions that will benefit everyone. SLSA for safer supply chains Developers and organizations that adopt SLSA will be protecting themselves against a variety of supply chain attacks, which have continued rising since Google first donated SLSA to OpenSSF in 2021. In that time, the industry has also seen a U.S. Executive Order on Cybersecurity and the associated NIST Secure Software Development Framework (SSDF) to guide national standards for software used by the U.S. government, as well as the Network and Information Security (NIS2) Directive in the European Union. SLSA offers not only an onramp to meeting these standards, but also a way to prepare for a climate of increased scrutiny on software development practices. As organizations benefit from using SLSA, it's also up to them to shoulder part of the burden of spreading these benefits to open source projects. Many maintainers of the critical open source projects that underpin the internet are volunteers; they cannot be expected to do all the work when so many of the rewards of adopting SLSA roll out across the supply chain to benefit everyone. Supply chain security for all That's why beyond contributing to SLSA, we've also been laying the foundation to integrate supply chain solutions directly into the ecosystems and platforms used to create open source projects. We're also directly supporting open source maintainers, who often cite lack of time or resources as limiting factors when making security improvements to their projects. 
Our Open Source Security Upstream Team consists of developers who spend 100% of their time contributing to critical open source projects to make security improvements. For open source developers who choose to adopt SLSA on their own, we've funded the Secure Open Source Rewards Program, which pays developers directly for these types of security improvements. Currently, open source developers who want to secure their builds can use the free SLSA L3 GitHub Builder, which requires only a one-time adjustment to the traditional build process implemented through GitHub actions. There's also the SLSA Verifier tool for software consumers. Users of npm, or Node Package Manager, the world's largest software repository, can take advantage of their recently released beta SLSA integration, which streamlines the process of creating and verifying SLSA provenance through the npm command line interface. We're also supporting the integration of Sigstore into many major Tool Patching ★★
Anomali.webp 2023-04-25 18:22:00 Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
(lien direct)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers proceeded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. 
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to determine that it was the result of a prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting an RC4 stream-cipher payload and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and Ransomware Spam Malware Tool Threat Cloud Uber APT 38 ChatGPT APT 43 ★★
SecurityWeek.webp 2023-04-25 13:41:53 Apiiro Launches Application Attack Surface Exploration Tool
(lien direct)
Apiiro's Risk Graph Explorer helps security teams to understand their application attack surface.
Tool ★★
News.webp 2023-04-24 21:05:35 How fiends abuse an out-of-date Microsoft Windows driver to infect victims
(lien direct)
It's like those TV movies where a spy cuts a wire and the whole building's security goes out. Ransomware spreaders have built a handy tool that abuses an out-of-date Microsoft Windows driver to disable security defenses before dropping malware onto targeted systems.… Malware Tool ★★
The_Hackers_News.webp 2023-04-24 19:14:00 Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack
(lien direct)
Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying
Ransomware Tool Threat ★★
CVE.webp 2023-04-24 18:15:09 CVE-2023-26059 (lien direct) An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.
Tool
News.webp 2023-04-24 11:30:09 If you haven't patched Microsoft Process Explorer, prepare to get pwned
(lien direct)
AuKill abuses an outdated tool to disable security processes ahead of an attack. Ransomware gangs are abusing an out-of-date Microsoft software driver to disable security defenses before dropping malware onto targeted systems.… Malware Tool ★★★★
Blog.webp 2023-04-24 00:08:44 BSidesSF 2023 Writeups: too-latte (medium-difficulty Java exploitation)
(lien direct)
too-latte is a challenge I wrote based on CVE-2023-0669, which is an unsafe deserialization vulnerability in Fortra's GoAnywhere MFT software. I modeled all the vulnerable code off, as much as I could, that codebase. It's obviously themed quite differently. Write-up If you use a tool like jadx to unpack the servlets, you'll find, through some layers of indirection, this code in TokenWorker.java (that operates on the token parameter): public static String unbundle(String token, KeyConfig keyConfig) throws Exception { token = token.substring(0, token.indexOf("$")); return new String(decompress(verify(decrypt(decode(token.getBytes(StandardCharsets.UTF_8)), keyConfig.getVersion()), keyConfig)), StandardCharsets.UTF_8); } The decode function decodes the token parameter from Base64. The decrypt function decrypts the token with a static key. The actual decryption code is under several layers of indirection, because Java is Java, but the TokenEncryptor class has a key, IV, and algorithm: private static final byte[] IV = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 Tool Vulnerability ★★
Blog.webp 2023-04-24 00:08:44 BSidesSF 2023 Writeups: ROP Petting Zoo (educational challenge!)
(lien direct)
ROP Petting Zoo is a challenge designed to teach the principles of return-oriented programming. It's mostly written in Javascript, with a backend powered by a Ruby web server, along with a tool I wrote called Mandrake. Source code is shared between the three parts of the challenge, and is available here. Mandrake is a debugger / tracer I wrote that executes a binary and traces all code run between two points. It will show registers, memory, all the good stuff. ROP Petting Zoo is kind of a wrapper around that. Basically, you have a list of potential ROP gadgets and libc calls. You build a stack from all the ROP gadgets, hit Execute!, and the harness will return to the first address on the stack. Everything is running for real in a container, so you get to see what would actually happen if this is a real exploit! The challenges are very guided / on-rails, with tutorials that show the exact steps you will need to take, but here are the solutions I wrote. It's helpful to remember that when a function is called, the arguments are, in order, passed in the registers rdi, rsi, rdx, and rcx. Level 1 print_flag() -> Immediately return to print_flag pop rdi / ret -> Pop the next value into register rdi 0 -> This is what's popped into rdi exit -> Return to exit(rdi) aka exit(0) Level 2 return_flag() -> Returns the flag in rax mov rdi, rax / ret -> Moves the flag pointer into rdi puts -> Return to puts(rdi) or puts(flag) pop rdi / ret -> Pop the next value into rdi 0 -> This is what's popped into rdi exit -> Return to exit(rdi) aka exit(0) Level 3 This part unfortunately ran a lot slower than I'd intended, but hopefully it's educational enough: write_flag_to_file() -> Writes the flag to a file, returns the name in rax mov rdi, rax / ret -> Moves the filename to rdi, the first param Tool ★★★
RecordedFuture.webp 2023-04-23 23:23:00 CISA adds printer bug, Chrome zero-day and ChatGPT issue to exploited vulnerabilities catalog
(direct link)
The Cybersecurity and Infrastructure Security Agency (CISA) added an issue affecting a popular print management software tool to its list of exploited vulnerabilities on Friday. PaperCut is a software company that produces print management software for Canon, Epson, Xerox, Brother and almost every other major printer brand. Their tools are widely used within government agencies,
Tool ChatGPT ★★★
CVE.webp 2023-04-22 03:15:10 CVE-2023-25510 (direct link) NVIDIA CUDA Toolkit SDK for Linux and Windows contains a NULL pointer dereference in cuobjdump, where a local user running the tool against a malformed binary may cause a limited denial of service.
Tool
HexaCorn.webp 2023-04-21 23:49:48 Using Detect It Easy to… detect it easy
(direct link)
I love Detect It Easy. It's my go-to tool when it comes to triaging malicious samples and it continuously exceeds my expectations… Except the times when I forgot to use […]
Tool ★★
CVE.webp 2023-04-20 17:15:07 CVE-2023-23938 (direct link) Tuleap is a Free & Open Source tool for end-to-end traceability of application and system developments. Affected versions are subject to a cross-site scripting attack: the payload can be injected via the name of a colour of a tracker's select box values and is then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue.
Tool Vulnerability
The_Hackers_News.webp 2023-04-20 16:52:00 Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks
(direct link)
Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The
Ransomware Tool Vulnerability ★★
The_Hackers_News.webp 2023-04-19 16:58:00 Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies
(direct link)
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.
Malware Tool Threat APT 36 ★★
Last update at: 2024-06-02 19:08:21