What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-11-21 11:12:00 | Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild (lien direct) | Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which shipped in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The latest version of Cobalt Strike is version 4.7.2. Cobalt | Tool Threat | ||
|
2022-11-18 18:23:00 | LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities (lien direct) | The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday. Aside from being dropped | Malware Tool Threat | ★★★ | |
 |
2022-11-18 15:03:25 | Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark (lien direct) | One of the services that Veracode offers is a consultation with an Application Security Consultant – a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode's customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that allows an attacker to attack it). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be 3rd party JavaScript files belonging to Apache Spark. After some… | Tool Vulnerability Guideline | ||
 |
2022-11-16 19:00:00 | Plus intelligent, pas plus difficile: comment hiérarchiser intelligemment le risque de surface d'attaque Smarter, Not Harder: How to Intelligently Prioritize Attack Surface Risk (lien direct) |
Il y a un dicton commun dans la cybersécurité: «Vous ne pouvez pas protéger ce que vous ne savez pas», et cela s'applique parfaitement à la surface d'attaque d'une organisation donnée.
De nombreuses organisations ont des risques cachés tout au long de leur infrastructure informatique et de sécurité étendue.Que le risque soit introduit par la croissance du nuage organique, l'adoption de dispositifs IoT ou par des fusions et acquisitions, le risque caché est dormant.En conséquence, les équipes informatiques et de sécurité n'ont pas toujours une image à jour de l'écosystème étendu qu'ils doivent défendre.Les outils hérités ont souvent des listes statiques de l'inventaire des actifs \\ 'connu
There\'s a common saying in cyber security, “you can\'t protect what you don\'t know,” and this applies perfectly to the attack surface of any given organization. Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant. As a result, IT and security teams do not always have an up-to-date picture of the extended ecosystem they need to defend. Legacy tools often have static lists of the \'known\' asset inventory |
Tool Cloud | ★★★★ | |
 |
2022-11-16 17:18:43 | DuckDuckGo\'s Android anti-tracking tool offers stronger third-party protections (lien direct) | App Tracking Protection blocks outbound traffic to listed tracking firms. | Tool | ||
 |
2022-11-16 03:26:00 | Anomali Cyber Watch: Amadey Bot Started Delivering LockBit 3.0 Ransomware, StrelaStealer Delivered by a HTML/DLL Polyglot, Spymax RAT Variant Targeted Indian Defense, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Infostealers, Maldocs, Phishing, Ransomware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
KmsdBot: The Attack and Mine Malware
(published: November 10, 2022)
KmsdBot is a cryptominer written in GO with distributed denial-of-service (DDoS) functionality. This malware was performing DDoS attacks via either Layer 4 TCP/UDP packets or Layer 7 HTTP consisting of GET and POST. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations.
Analyst Comment: Network administrators should not use weak or default credentials for servers or deployed applications. Keep your systems up-to-date and use public key authentication for your SSH connections.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7
Massive ois[.]is Black Hat Redirect Malware Campaign
(published: November 9, 2022)
Since September 2022, a new WordPress malware redirects website visitors via ois[.]is. To conceal itself from administrators, the redirect will not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php. The malware infects .php files it finds – on average over 100 files infected per website. A .png image file is initiating a redirect using the window.location.href function to redirect to a Google search result URL of a spam domain of actors’ choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&A sites.
Analyst Comment: WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads
LockBit 3.0 Being Distributed via Amadey Bot
(published: November 8, 2022)
Discovered in 2018, Amadey Bot is a commodity malware that functions as infostealer and loader. Ahnlab researchers detected a new campaign where it is used to deliver the LockBit 3.0 ransomware. It is likely a part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey B |
Ransomware Spam Malware Tool Threat | ||
 |
2022-11-15 12:16:34 | Another Event-Related Spyware App (lien direct) | Last month, we were warned not to install Qatar’s World Cup app because it was spyware. This month, it’s Egypt’s COP27 Summit app: The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts. The app also provides Egypt’s Ministry of Communications and Information Technology, which created it, with other so-called backdoor privileges, or the ability to scan people’s devices... | Tool | ||
 |
2022-11-11 19:15:11 | CVE-2022-41882 (lien direct) | The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing files can still be used. Another workaround would be to enforce shares to be accepted by setting the `sharing.force_share_accept` system config to `true` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing shares can still be abused. | Tool | ||
|
2022-11-11 16:15:12 | CVE-2022-26508 (lien direct) | Improper authentication in the Intel(R) SDP Tool before version 3.0.0 may allow an unauthenticated user to potentially enable information disclosure via network access. | Tool | ||
|
2022-11-11 16:15:12 | CVE-2022-26024 (lien direct) | Improper access control in the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ★★★★ | |
 |
2022-11-11 11:26:33 | New BadBazaar Android malware linked to Chinese cyberspies (lien direct) | A previously undocumented Android spyware tool named 'BadBazaar' has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang. [...] | Malware Tool | ||
 |
2022-11-10 11:00:00 | The pros and cons of the digital transformation in banking (lien direct) | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Digital transformation in banking began following the creation of the internet in the 1990s as a way for banks to deliver services to their customers more conveniently. Today, it has completely changed how most people interact with their banks. From opening a new account to making transactions and applying for loans, you can access all banking services directly from your computer or smartphone. According to an FDIC survey on banking behavior, over 80% of account holders engage in some form of digital banking. The popularity of digital banking stems from the convenience and level of personalization that it offers. But is digital banking good for you, or do the risks, such as cybersecurity issues, outweigh the benefits? Below, let’s explore some of the pros and cons of digital transformation in banking. Pros of digital transformation in banking Digital banking offers several advantages to the modern banking customer. Here are a few: 24/7 Access to your bank One of the most significant benefits of digital banking is that it gives you round-the-clock access to your account. You don’t have to wait for working hours to deposit your funds, get an account statement, change your account details, or transact funds. You can do it at any time from wherever you are. Additionally, you don’t have to waste time in long queues in the banking hall. Digital banking is like having your personal bank right in your pocket. Better rates, lower fees Banks typically charge account maintenance and transaction fees to cover expenses like employees, bank premises, etc. Since digital banking allows customers to serve themselves directly over the internet, there’s less demand for bank employees and multiple brick-and-mortar branches. Therefore, banks embracing digital transformation have lower overheads and can offer their customers lower fees and higher interest rates. These benefits are especially pronounced for purely digital banks without physical premises. Better customer experience A 2021 survey by Deloitte Insights found that digital-first banks routinely outperform traditional banks in multiple areas that matter most to customers, including simplicity of transactions, transaction speed, and the overall quality of the banking experience. Digital banks provide a smoother experience compared to traditional banks. For instance, transacting on a digital bank takes just a few minutes on your smartphone or laptop. In contrast, simply making a transaction in a traditional bank could take close to an hour as you must get to the physical bank, wait in line, fill out transaction forms, and speak to a teller. In addition, digital banks offer features like budgeting tools that make it easier to manage your money. They also update you on every aspect of your account with text and email alerts, such as when you make transactions, when you don’t have enough money for an upcoming bill, and so on. This makes the digital banking experience much better than what you get with a traditional bank. Automated payments With digital banks, it’s amazingly easy to automate your payments. You can set up payments that you want to make from your account every month, s | Ransomware Malware Tool | Deloitte Deloitte | |
|
2022-11-09 16:15:12 | CVE-2021-34569 (lien direct) | In WAGO I/O-Check Service in multiple products an attacker can send a specially crafted packet containing OS commands to crash the diagnostic tool and write memory. | Tool | ||
|
2022-11-08 16:00:00 | Anomali Cyber Watch: Active Probing Revealed Cobalt Strike C2s, Black Basta Ransomware Connected to FIN7, Robin Banks Phishing-as-a-Service Became Stealthier, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Active scanning, EDR evasion, Infostealers, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
(published: November 3, 2022)
Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike’s Beacons use advanced, flexible command-and-control (C2) communication profiles for stealth communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly utilize the DNS protocol or communicate via HTTP/HTTPs using the the default Malleable C2 profile or Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously-unknown active Team Server instances. Researchers were preselecting suspicious IP addresses with Shodan, actively probing them with stager requests and initializing a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes).
Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike’s C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration and coverage via threat intelligence platforms such as ThreatStream provided by Anomali.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows
Abusing Microsoft Customer Voice to Send Phishing Links
(published: November 3, 2022)
Avanan researchers detected a phishing campaign that abuses Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens the Microsoft’s Customer Voice domain on a page with URL starting with: customervoice.microsoft.com/Pages/ResponsePage.aspx?id=... At the same time, a user clicking on the embedded “Play Voicemail” link redirects to an attacker-controlled phishing page asking for Microsoft account login credentials.
Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: Customer Voice, Phishing, Microsoft, Forms Pro
Black Basta Ransomware |
Ransomware Malware Tool Threat | ||
|
2022-11-08 11:00:00 | Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals (lien direct) | The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. Threat actors have been creating legitimate-looking phishing campaigns, which have been a big driver for this trend. Although some of the tools for MFA can be complex, proper authentication/authorization is an absolute fundamental that every enterprise should embrace. Where should we start with fundamentals? People, Process & Technology Let’s have a little more strategic look at this, though. To provide a holistic approach to security, a higher-level perspective is necessary. Your Process must be sound. Yes, that means policy-level guidance. Yes, that means that standards need to be in place. Finally, it means that procedures to provide more detailed guidance must be available for employees. Again, perspective is essential. Nobody wants to work on the process first. Indeed, I was guilty of having a negative view of process early in my career. Let’s take the first example and reveal how the process might assist. An enterprise policy statement might provide simple guidance that access to all company resources requires management approval (as a policy). How does an enterprise define who needs access to specific resources? Glad you asked. Standards can be used to and determine data classification and controls for accessing and protecting the various categories of data. An access control standard would also be appropriate to complement the data categories. So far, we have policy-level guidance, data classification, and access control standards which guide the controls necessary to control access to company resources. Where does the requirement for MFA live? That is a good question; my thoughts are likely in the standards area. However, requiring MFA could be a policy, standard, or process/procedure level requirement. The next reasonable question is: where do the requirements for implementing an MFA belong? In an authentic consultant manner, I would say: It depends. Take that with the lighthearted intention I meant it with. Implementing MFA may be a process/procedure used by IT. Why did I say, “maybe?” The reality is that there may be automation that handles this. It is possible that HR defines each employee’s role, and based on that, an HR system provides that through API to the systems used to provide authentication/authorization. Doesn’t that sound pleasantly streamlined? More likely, things are not that automated. If they are, then kudos to your enterprise. There are likely multiple processes and procedures required before even setting this up, but I think most of the folks reading this will understand where I’m trying to go with this. HR will have processes and procedures around defining roles and requesting implementation. IT will have processes and procedures focused on implementing the solution. The information security team will have processes and procedures for monitoring authentication/authorization mechanisms. This is just to state that Process is as important as the tool or technology chosen to meet the need. None of these documents state which tool or Technology to use. That is the point. If you have policy guidance and standards that define the need and processes to guide implementing MFA, then the Technology should be interchangeable. So, the first fundamental which should be a foundation is sound process. I spoke about various teams here (IT and HR). That is another fundamental: People. People need to understand the requirements. People need to understand their role, and people need to be part of the solution. Finally, the last high-level fundamental is Technology. But I said Technology could be interchanged. Yes, in many cases it ca | Ransomware Tool Vulnerability Threat Guideline | ||
|
2022-11-07 20:16:00 | This Hidden Facebook Tool Lets Users Remove Their Email or Phone Number Shared by Others (lien direct) | Facebook appears to have silently rolled out a tool that allows users to remove their contact information, such as phone numbers and email addresses, uploaded by others. The existence of the tool, which is buried inside a Help Center page about "Friending," was first reported by Business Insider last week. It's offered as a way for "Non-users" to "exercise their rights under applicable laws." | Tool | ||
 |
2022-11-06 08:00:00 | AORT – Un outil de reconnaissance pour vos séances de Bug Bounty (lien direct) | Si vous travaillez dans la sécurité, que vous pratiquez le pentest, le Bug Bounty ou tout simplement si vous avez un site et que vous êtes curieux, voici un super script nommé All In One Recon Tool – AORT. Ce script permet de faire de la reconnaissance autour d’un nom … Suite | Tool | ||
 |
2022-11-04 17:00:00 | Black Basta Ransomware Attacks Linked to FIN7 Threat Actor (lien direct) | The hacker behind a tool used by Black Basta had access to the source code used by FIN7 | Ransomware Tool Threat | ||
 |
2022-11-03 09:55:17 | Ransomware Black Basta |Attaques Déployer des outils d'évasion EDR personnalisés liés à l'acteur de la menace FIN7 Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (lien direct) |
Les TTP opérationnels Black Basta sont décrits ici en détail, révélant des outils et techniques inconnus auparavant et un lien vers FIN7.
Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7. |
Ransomware Tool Threat | ★★★ | |
 |
2022-11-03 06:00:00 | BrandPost: New SOC Performance Report: Security Analysts Are Overworked and Under Resourced (lien direct) | The SOC is the engine that protects organizations worldwide today. Its core mission remains to help the enterprise manage cyber risk. The new Devo SOC Performance Report shows that security professionals behind the scenes are feeling the pain due to too much work and not enough resources.That means that SOC leaders today have a real balancing act when it comes to retaining analysts amid immense talent shortages and turnover. Respondents reported that average time to fill a SOC position is seven months. And 71% of SOC professionals said they're likely to quit their job, with the top reasons being information and work overload, followed by lack of tool integration, and alert fatigue.To read this article in full, please click here | Tool Guideline | ||
 |
2022-11-02 20:53:42 | Informatica vs Data Ladder: Data quality solutions comparison (lien direct) | >Informatica MDM and Data Ladder are both data quality solutions. Discover which tool best fits your organization's needs for data quality by reading this comparison. | Tool | ||
 |
2022-11-02 12:30:43 | Neuf employés sur dix ont besoin d\'une formation de base en matière de cybersécurité (lien direct) | Selon les résultats d'un test effectué à l'aide de l'outil Kaspersky Gamified Assessment Tool auprès de 3907 employés, seuls 11% d'entre eux ont démontré d'excellentes compétences en termes de sensibilisation à la cybersécurité. Les sujets les moins qualifiés ont commis la plupart de leurs erreurs au niveau de la navigation sur Internet. - Investigations | Tool | ||
|
2022-11-01 15:00:00 | Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)
(published: October 27, 2022)
ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).
Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP
Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity
(published: October 27, 2022)
The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: Raspberry Robin LNK file on an USB drive, Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop).
Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.
MITRE ATT&CK: [MITRE ATT&CK] Replicat |
Ransomware Malware Hack Tool Vulnerability Threat Guideline | APT 41 | |
|
2022-11-01 10:00:00 | Choosing a DAST solution: What to pay attention to? (lien direct) | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The majority of today's web applications contain dangerous vulnerabilities. To analyze their security, one cannot do without a dynamic scanner. DAST (Dynamic Application Security Testing) tools allow you to detect and evaluate security problems quickly. Let me tell you what to look for when choosing such a tool. According to various studies, 70% of vulnerabilities have to do with errors in the code. Using vulnerabilities in your web application code, hackers can distribute malware, launch cryptojacking attacks, employ phishing and redirect users to malicious sites, hack a phone remotely, or steal personal data using social engineering techniques. Yes, sure, it is impossible to create perfectly secure software, but it is quite possible to reduce the number of vulnerabilities and increase the level of product security. To do this, you can rely on DevSecOps - a process that links development and security and where software is checked and tested for vulnerabilities at every stage of its creation. The DevSecOps process is very voluminous; it may include numerous information security tools. In this article, I want to talk about DAST and how to choose the right scanner for dynamic application analysis. Together we will figure out what tool characteristics and parameters you need to pay attention to and what product types are currently available on the market. What is DAST, and how does it work? Dynamic application security testing is one of the secure development practices where an automated analysis of a deployed and functioning application is carried out. The dynamic scanner checks all access points via HTTP, simulates external attacks using common vulnerabilities, and simulates various user actions. The tool determines which APIs the service has, sends verification requests, uses, where possible, incorrect data (quotes, delimiters, special characters, and more). The dynamic scanner sends and analyzes a large number of requests. The analysis of the sent request and the received response, as well as their comparison with a regular request, allows you to find different security problems. Most scanners have similar functions and modus operandi. Their main components are a crawler and an analyzer. The crawler traverses every link on every page it can reach, examining the contents of files, pressing buttons, and going through a dictionary of possible page names. This process allows you to estimate the size of the attack surface and possible attack vectors taking into account the existing ways of interacting with the application. The analyzer checks the application directly. It can work in passive or active mode. In the first case, the analyzer studies only information that the crawler sends to it. In the second, the analyzer sends requests with incorrect data to the points found by the crawler and to other places that are not currently present on the pages but can be used in the application. It then infers the presence of a vulnerability based on the server's responses. What should you pay attention to when choosing a DAST tool? Scan quality This | Tool Vulnerability Studies Guideline | ||
 |
2022-10-31 18:22:00 | Experian tool exposed partial Social Security numbers, putting customers at risk (lien direct) | >The problem with using Social Security numbers to authenticate consumers goes much deeper than Experian, experts say. | Tool | ||
|
2022-10-26 18:31:00 | Accelerating Security Resilience at a Fraction of the Cost (lien direct) | Manage security in the current macro and help increase business revenue and EPS with a scalable SOC
IMAGINE accelerating security resilience at a fraction of the cost – an operating foundation at scale to change how we play the infinite game of cybersecurity and even shift the security cost to the bad guys.
Muhammed Ali was not the strongest and toughest boxer – he owned the middle of the ring, using his speed to play the infinite and shift the hard work to his adversaries – he was the greatest.
Elevating Security Resilience requires focused visibility to deliver the punches – the underlying foundation must be automated to keep up with scale at a fraction of the cost.
The popular mantra says, “every business is a digital business; you’re digital, or you’re dead.” This could not be truer in today’s world. While digital transformation has been an ongoing trend, Covid-19 accelerated that transformation beyond normal. Companies transformed their digital processes 20-25[1] times faster than before due to the onset of the pandemic. The changes included customer interactions, employee engagement, back-office processes, supply chain, and more. It’s a cliché to state that cyber becomes a core business risk as businesses get more digitally connected. Scan the SEC filings of any publicly listed company, and it’s amply clear that digital transformation unlocks massive growth but also expands the risk profile for most organizations. Cyber resilience is business resilience. The corollary holds equally true – cyber fragility impedes business growth.
 Figure 1: Digital transformation & cyber risk
The traditional approach to cybersecurity has focused on a tech-centric approach to security, evolving a technology acronym soup, continuously trying to find the smarter tool to speed up and scale security operations. This approach, somewhat successful at the lower levels of digital transformation, has become unmanageable and incredibly expensive for businesses. In spending time with board directors, management teams, CIOs, and CISOs, we’ve realized that there is a dire need to pause and reset the foundational thinking with an eye on more effective delivery that can scale at a manageable cost.
When an attacker targets an organization, they start by first conducting reconnaissance and understanding a company’s business model, profile, and strategy. Security needs to focus on the WHY - the business context. Why are they an interesting target, and what can they do to deter the attackers? This fusion of business context with security is critical to transforming security for the modern enterprise and helping executives answer key questions on business risk and resilience.
As Einstein aptly said, “we cannot solve our problems with the same thinking we used to create them.”
Sprucing up Security Operations
A recent ESG survey highlighted that 52% of security professionals consider security today more complex today than two years ago[2]. There are several drivers for this, including changing threat landscape, growing attack surface, higher volume and complexity of security alerts, growing adoption of public cloud services, keeping up with operational needs of SecOps technologies, and collecting and growing more data.
Elevating security necessitates a step back first to understand the goal.
“The core purpose of security operations in a business is to drive operational resilience and |
Tool Threat Guideline | ||
|
2022-10-25 16:53:00 | Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 | |
 |
2022-10-25 08:00:00 | Quarterly Report: Incident Response Trends in Q3 2022 (lien direct) |  Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarterBy Caitlin Huey.For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming tool Brute Ratel and the recently discovered Manjusaka and Alchimist attack frameworks. .jpg) TargetingAttackers targeted the education sector the most of any vertical this quarter, closely followed by the financial services, government, and energy sectors, respectively. For the first time since Q4 2021, telecommunications was not the top-targeted vertical. While the reason for the education sector being more frequently targeted this quarter is unknown, this is a popular time |
Ransomware Tool Vulnerability Threat Guideline | ||
 |
2022-10-24 16:06:34 | Ex-cop abused police tool in Snapshot sextortion plot that stole sexually explicit photos and videos (lien direct) | A former officer at Louisville Metro Police has admitted his part in a conspiracy that stalked and extorted young women online, breaking into their Snapchat accounts in order to steal their naked photos and videos. Read more in my article on the Hot for Security blog. | Tool | ||
|
2022-10-21 06:00:00 | BlackByte ransomware uses new data theft tool for double-extortion (lien direct) | A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly. [...] | Ransomware Tool | ||
|
2022-10-20 13:36:00 | Threat Hunting: Eight Tactics to Accelerating Threat Hunting (lien direct) | One of the more significant headaches in cyber security is the overuse of buzzwords and acronyms and the overlapping mutations of what they mean. Cyber threat Hunting has become one of those phrases, but it has gained clarity over the last few years as organizations strived to become more proactive. So what is threat hunting? Depending on who you ask, you may get somewhat different answers to the same question. Cyber threat hunting is a proactive approach to detecting suspicious activity from known or unknown, remediated, or unaddressed cyber threats within an organization’s networks. It involves finding malware such as viruses, Trojans, adware, spyware, ransomware, worms, bots, and botnets. The goal is for security analysts to find these threats before they cause damage to systems and data. It’s similar to how fire departments respond to fires; they go into buildings to ensure no additional problems before calling the firefighters. There is a vast collection of tools, skill sets, approaches, and processes to help identify advanced threats that could happen within the network. What is an effective hunting process for one organization may be a waste of time for another, depending on each company’s understanding of what threats they might face. Man-hours spent hunting are typically most beneficial for large organizations targeted by the cybercriminal community regularly, but that’s not to say that regular hunts for small/medium-sized enterprises can’t benefit from and identify threats by doing the same. Structured Threat Hunting The structured hunt is based on indicators of compromise (IOCs) and tactics, techniques, and procedures (TTP). IOCs provide information about potential adversaries, such as IP addresses, domain names, operating system versions, etc. TTPs describe how attackers operate and what tools they use. Combining IOCs and TTPs makes it possible to build a picture of the adversary. This approach allows us to detect threats earlier and prevent attacks. In addition, we can quickly identify the threat actors because each activity is described in detail. Unstructured Threat Hunting The concept of unstructured hunting is relatively new. It wasn’t until 2013 that we began seeing the emergence of unstructured hunters. Unstructured hunting is a method of finding malicious software (malware), such as viruses, Trojans, worms, etc., without knowing exactly what type of malware you are looking for. Instead, the hunter relies on behavioral analysis to find these threats. In short, unstructured hunting is investigative work where a cyber threat hunter observes behavior and looks for anomalies. For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further. If he finds something suspicious, he could take action immediately or wait a few days to see if the same email addresses start sending again. Traditional Threat Hunting The traditional definition of threat hunting can be defined as a focused and intensive human/machine-assisted process aimed to identify the possibility of something malicious happening within the network or likely about to happen; this is based on abnormal network behavior, artifacts, or identification via active threat research. A good example of this would be: A large bank has team members whose part of their job is to consume threat reports related to activity targeting their vertical and other companies that match their Enterprise profile. > A new threat report is published from an intel provider describing a new variant of malware that has been catastrophic at similar organizations. This report would ideally contain information around the process tree, registry key, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell executio | Spam Malware Tool Vulnerability Threat | ||
 |
2022-10-20 13:01:02 | Announcing GUAC, a great pairing with SLSA (and SBOM)! (lien direct) | Posted by Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team Supply chain security is at the fore of the industry's collective consciousness. We've recently seen a significant rise in software supply chain attacks, a Log4j vulnerability of catastrophic severity and breadth, and even an Executive Order on Cybersecurity. It is against this background that Google is seeking contributors to a new open source project called GUAC (pronounced like the dip). GUAC, or Graph for Understanding Artifact Composition, is in the early stages yet is poised to change how the industry understands software supply chains. GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata. True to Google's mission to organize and make the world's information universally accessible and useful, GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding. Thanks to community collaboration in groups such as OpenSSF, SLSA, SPDX, CycloneDX, and others, organizations increasingly have ready access to: Software Bills of Materials (SBOMs) (with SPDX-SBOM-Generator, Syft, kubernetes bom tool) signed attestations about how software was built (e.g. SLSA with SLSA3 Github Actions Builder, Google Cloud Build) vulnerability databases that aggregate information across ecosystems and make vulnerabilities more discoverable and actionable (e.g. OSV.dev, Global Security Database (GSD)). These data are useful on their own, but it's difficult to combine and synthesize the information for a more comprehensive view. The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization's software assets. To help address this issue we've teamed up with Kusari, Purdue University, and Citi to create GUAC, a free tool to bring together many different sources of software security metadata. We're excited to share the project's proof of concept, which lets you query a small dataset of software metadata including SLSA provenance, SBOMs, and OpenSSF Scorecards. What is GUAC Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database-normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance. Conceptually, GUAC occupies the “aggregation and synthesis” layer of the software supply chain transparency logical model: | Tool Vulnerability | Uber | |
|
2022-10-19 15:39:00 | Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update (lien direct) | Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process. "The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at | Tool Threat | ||
|
2022-10-18 15:17:00 | European Police Arrest a Gang That Hacked Wireless Key Fobs to Steal Cars (lien direct) | Law enforcement authorities in France, in collaboration with Spain and Latvia, have disrupted a cybercrime ring that leveraged a hacking tool to steal cars without having to use a physical key fob. "The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away," Europol said in a press statement. The coordinated | Tool | ||
|
2022-10-18 15:00:00 | Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, Hacktivism, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Ransom Cartel Ransomware: A Possible Connection With REvil
(published: October 14, 2022)
Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys.
Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - |
Ransomware Malware Tool Threat | APT 27 | |
|
2022-10-17 16:51:38 | Malware dev claims to sell new BlackLotus Windows UEFI bootkit (lien direct) | A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. [...] | Tool Threat | ||
 |
2022-10-13 14:59:19 | The discovery of Alchimist C2 tool, revealed a new attack framework to target Windows, macOS, and Linux systems (lien direct) | >Experts discovered a new attack framework, including a C2 tool dubbed Alchimist, used in attacks against Windows, macOS, and Linux systems. Researchers from Cisco Talos discovered a new, previously undocumented attack framework that included a C2 dubbed Alchimist. The framework is likely being used in attacks aimed at Windows, macOS, and Linux systems. The experts […] | Tool | ||
|
2022-10-13 08:00:07 | Alchimist: A new attack framework in Chinese for Mac, Linux and Windows (lien direct) |  By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton.Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.The Alchimist has a web interface in Simplified Chinese with remote administration features.The attack framework is designed to target Windows, Linux and Mac machines. Alchimist and Insekt binaries are implemented in GoLang.This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies. Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools.Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild. "Alchimist" is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server.Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands. Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit to target a known vulnerability CVE-2021-4034, a privilege escalation issue in polkit's pkexec utility, and a Mach-O bind shell backdoor. The Qualys Research Team discovered CVE-2021-4034 in November 2021, and in January 2022, the U.S.'s National Security Agency Cybersecurity Director warned that the vulnerability was being exploited in the wild. The server also contained dual-use tools like psexec and netcat, along with a scanning tool called "fscan," which the author defines as an "intranet scanning tool," essentially all the necessary tools for lateral movement. Alchimist framework The attack framework we discovered during the course of this research consists of a standalone C2 server called "Alchimist" and its corresponding implants the authors call the "Insekt" RAT family.Alchimist isn't the first self-contained framework we've discovered recently, with Manjusaka being another single file-based C2 framework disclosed by Talos recently. Both follow the same design philosophy, albeit implemented in different ways, to the point where they both seem to have the same list of requirements despite being implemented by different programmers. However, Manjusaka and Alchimist have virtually the same set of feat |
Malware Tool Vulnerability Threat | ||
|
2022-10-12 18:06:00 | Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Brazil, China, Data loss, Infostealers, and Loaders. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
VMware Report Exposes Emotet Malware’s Supply Chain
(published: October 10, 2022)
VMware researchers analyzed the Emotet malware-as-a-service evolution and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one stealing credit card information from Google Chrome browsers, and another one that leverages the SMB protocol to spread laterally. Emotet’s main component is a DLL file that stores a highly obfuscated list of C2 IP:port pairs. More than half of the ports counted were port 8080 used as a proxy port on compromised legitimate servers abused to proxy traffic to the real C2 servers.
Analyst Comment: For network defenders it is important to strengthen email security and implement network segmentation whenever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure. Block known network-based indicators available via Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Signed Script Proxy Execution - T1216 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Email Collection - T1114
Tags: mitre-software:Emotet, mitre-group:Wizard Spider, SMB, Proxy, Botnet, Malware-as-a-service, Windows
LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM
(published: October 7, 2022)
Checkmarx Security researchers described a financially-motivated threat actor group dubbed LofyGang (Lofy). This group aims at stealing credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms, such as NPM and GitHub. LofyGang uses package name typosquatting and the starjacking technique of displaying fake popularity statistics. The first LofyGang package typically does not have a malicious behavior besides getting the second-stage malicious package. For its command-and-control communication the group often abuses legitimate services such as Discord, GitHub, glitch, Heroku, and Repl.it.
Analyst Comment: Developers should be extra cautious and sensitized to the growing exploitation of the open source eco |
Ransomware Malware Tool Threat | ||
|
2022-10-12 08:00:00 | Gagner une visibilité dans l'activité des attaquants avec des campagnes de menace Gain Visibility Into Attacker Activity with Threat Campaigns (lien direct) |
Alors que les attaquants mènent des opérations, ils changent souvent leurs tactiques et leurs techniques, introduisent des outils avec de nouvelles capacités et utilisent de nouvelles infrastructures pour mener à bien leur mission.Il peut être difficile pour les équipes de sécurité de maintenir la conscience de ces évolutions et de prendre les mesures appropriées en fonction de tout changement.Pour mieux aider ces équipes, Mandiant propose désormais une fonctionnalité de campagnes de menace dans mandiant avantage de la menace Pour fournir aux professionnels de la sécurité des professionnels avec les professionnels de la sécurité avecUn moyen rapide de rester à jour sur les campagnes actives affectant leurs industries et régions.
Les campagnes de menace aident à hiérarchiser
As attackers conduct operations, they often change their tactics and techniques, introduce tools with new capabilities, and use new infrastructure to carry out their mission. It can be difficult for security teams to maintain awareness of these evolutions and take appropriate actions based on any changes. To better assist these teams, Mandiant is now offering a Threat Campaigns feature within Mandiant Advantage Threat Intelligence to provide security professionals with a quick way to stay updated on active campaigns affecting their industries and regions. Threat Campaigns helps prioritize |
Tool Threat | ★★★ | |
|
2022-10-12 02:00:00 | Top considerations when choosing a multi-factor authentication solution (lien direct) | Passwords clearly are not enough to protect networks. Any security guidance will tell you that multi-factor authentication (MFA) is a key method to keep attackers out. But what type of MFA should your firm deploy? Choosing multi-factor tokens and tools depends on your firm, your needs, and how attackers are likely to target your firm. Planning ahead will minimize deployment and migration issues when new tokens or new phones are issued.These are the most important considerations when choosing an MFA solution.Know what the MFA solution will and will not protect You have several decisions to make when deciding what MFA tool to use. First, review how the tool protects your network. Often when adding MFA to existing on-premises applications, it may not fully protect your organization from some attacks. Case in point is the recent Exchange Server zero-day attack. MFA in this situation did not protect servers. At least one victim used on-premises Exchange Server with a third-party MFA application. While it protected parts of the authentication process, it did not protect Outlook Web Access (OWA), which uses basic authentication. MFA didn't protect that part of the site, so the attackers could go around MFA and attack the servers. Consider exactly what the MFA solution you choose protects, then review what authentication processes are still exposed.To read this article in full, please click here | Tool | ||
|
2022-10-11 10:00:00 | PCI DSS v4.0 (lien direct) | 2022 is the year that much of the world managed, to varying degrees of success, to get back to normal. People ramped up traveling, returned to in-person activities and many returned to the office. The pandemic changed most aspects of day-to-day life, but hackers and other bad actors generally continued making life difficult for businesses, governments, and non-profit entities. As a result, there have been some innovative new ways to target networks and IT infrastructures that keep CISOs and their teams up at night. A sample of those types of concerning threat vectors include Ransomware as a Service, targeting IOT/OT infrastructure, general supply chain attacks. Tried and true methods, like phishing, and targeting unpatched or outdated systems to find vulnerabilities also continued. Data shows that threats are increasing in volume and impact across every industry and government agency. The Cybersecurity and Infrastructure Security Agency (CISA) recently reported that 14 critical US sectors have been the subject to intense ransomware attacks and the FBI identified over 2,000 ransomware attacks between January and July of 2022. (source) CheckPoint estimates that 1 out of 40 organizations will be hit by a ransomware attack and 84% of those sees some amount of data exfiltration. IBM appraises the average cost of a data breach at $4.3M and the recovery time from such attacks is approximately 22 days. And with all of that said, the World Economic Forum still attributes 95% of all data breaches to human error. The cybersecurity industry is fighting back. The PCI Security Standards Council (PCI SSC) sorted through over 6,000 pieces of feedback from over 200 organizations, to help it create the new standard aimed at significantly reducing the success of these types of attacks in the future. On May 31, 2022, the PCI SSC released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). This provides an accepted baseline of technical and operational requirements designed to protect various types of user account data. The updated standard and Summary of Changes document are available now on the PCI SSC website. Version 4.0 is a significant update to the standard, so to enable organizations to understand the new requirements and plan, execute and test updates, the current version of 3.2.1 remains active through March 31, 2024. Assessors are undergoing training and certification for the new standard now, and once available, they will be able to assess to either the current or new standard, based upon the plans of the organization. The new standard had many expected updates based upon evolving payment card industry security needs. There are also changes to the frequency of expected effort, shifting from specific durations between work to the idea that security is a continuous process. The stated goals for PCI DSS v4.0 are as follows: Continue to Meet the Security Needs of the Payment Industry; Promote Security as Continuous Process; Add Flexibility for Different Meth | Ransomware Data Breach Tool Vulnerability Threat Guideline | ||
|
2022-10-10 09:20:00 | The Fresh Phish Market: Dans les coulisses de la plate-forme de la caféine en tant que service The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (lien direct) |
Tout en étudiant l'activité de phishing ciblant mandiant La défense gérée Les clients en mars 2022, les analystes de défense gérés ont découvert des acteurs malveillants utilisant une plate-forme de phishing-as-a-service (PHAAS) partagée appelée «caféine».Cette plate-forme a une interface intuitive et a un coût relativement faible tout en fournissant une multitude de fonctionnalités et d'outils à ses clients criminels pour orchestrer et automatiser les éléments de base de leurs campagnes de phishing.Ces caractéristiques incluent (sans s'y limiter) les mécanismes de libre-service pour élaborer des kits de phishing personnalisés, gérer les pages de redirection intermédiaire et final
While investigating phishing activity targeting Mandiant Managed Defense customers in March 2022, Managed Defense analysts discovered malicious actors using a shared Phishing-as-a-Service (PhaaS) platform called “Caffeine”. This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns. These features include (but are not limited to) self-service mechanisms to craft customized phishing kits, manage intermediary redirect pages and final |
Tool | ★★★★ | |
|
2022-10-07 18:34:00 | The essentials of GRC and cybersecurity - How they empower each other (lien direct) | Understanding the connection between GRC and cybersecurity When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why. While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the | Tool | ||
 |
2022-10-07 15:30:04 | CISA Adds CVE-2022-36804 to the Known Exploited Vulnerabilities Catalog (lien direct) | FortiGuard Labs is aware that the Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2022-36804 (Atlassian Bitbucket Server and Data Center Command Injection Vulnerability) to their Known Exploited Vulnerabilities catalog. The catalog list vulnerabilities that are being actively exploited in the wild and require federal agencies to apply patches by the due date. Successfully exploiting CVE-2022-36804 allows an attacker to execute arbitrary commands.Why is this Significant?This is significant because the vulnerability is in widely used Bitbucket Server and Data Center and is being actively exploited in the wild. Successful exploitation allows a remote attacker to execute arbitrary commands.The vulnerability is rated Critical by Atlassian, has a CVSS score of 9.9, and attack complexity is listed as low.What is Bitbucket?Bitbucket is a widely used repository management and collaboration tool that provides a code storage location for developers and enables them to manage, track and control their code.When was CVE-2022-36804 Discovered?The vulnerability was disclosed by Atlassian on August 24, 2022.What is CVE-2022-36804?CVE-2022-36804 is a critical command injection vulnerability that affects Atlassian's Bitbucket Server and Data Center. Successful exploitation of the vulnerability allows an attacker that has access to a publicly repository or has read access to a private repository to run arbitrary commands.What Version of Bitbucket Server and Datacenter does the Vulnerability Affect?The vulnerability affects the following versions of Bitbucket Server and Datacenter:7.6 prior to 7.6.177.17.0 prior to 7.17.107.21 prior to 7.21.48.0 prior to 8.0.38.1 prior to 8.1.38.2 prior to 8.2.28.3 prior to 8.3.1Has the Vendor Released an Advisory?Yes, Atlassian released an advisory on August 24, 2022.Has the Vendor Released a Patch for CVE-2022-36804?Yes, Atlassian released fixed versions on August 21, 2022.What is the Status of Protection?FortiGuard Labs has the following IPS protection in place for CVE-2022-36804:Atlassian.Bitbucket.Server.CVE-2022-36804.Command.InjectionAny Suggested Mitigation?Atlassian provided the mitigation information in the advisory. For details, see the Appendix for a link to "Bitbucket Server and Data Center Advisory 2022-08-24". | Tool Vulnerability | ||
|
2022-10-07 10:00:00 | Ransomware - undeniably top of mind (lien direct) | A brief walk down memory lane: Ransomware is not a new threat Ransomware’s first documented attack was relatively rudimentary. It was delivered via floppy disk containing a malware program in 1989 that told its victims to pay $189 in ransom to a PO Box in Panama. Today ransomware criminals are significantly more sophisticated, thanks to advances in cyber methods and cryptocurrencies. Not all Ransomware is created equally. Like all malware, malicious codes vary in sophistication and modularity. As such, not all ransomware codes are made the same. While some are ordinary and even obtained freely on open-source platforms and forums, others are highly sophisticated and operated exclusively by elite cybercrime syndicates. How do we prepare for a ransomware incident? Overcoming a ransomware incident is all about preparation while responding with uncertainty identifies the lack of an effective plan. Today’s media coverage is mainly focused on how Ransomware affects people. Unless you are in the cybersecurity profession or aspiring to be, you may be unaware that Ransomware is no different than other malicious software. The same cybersecurity tools and processes to protect systems from trivial malware like crypto miners are the same for Ransomware. The media is not covering stories about malicious software performing cryptocurrency mining operations as an end-user because the only thing stolen by malicious crypto mining software is processor time. Align to a model, describe, and communicate A good plan must be easy to communicate and measure, and there are several organizations that offer helpful frameworks and recommendations such as NIST and CISA. As you analyze what is best for your organization, consider the ever-changing threat landscape and how you plan to adjust. The following model offers an agile approach to reducing the risk of a ransomware incident: Assess – identify gaps including people, process, and technology (where are we today?) Plan – take action to address gaps (enable measurement) Practice – test people, process, and technology (phishing, social engineering) Measure – how are we doing? identify remaining gaps Adjust – close remaining gaps Testing is a critical to step to confirming technology, people, and process work cohesively, yet is often overlooked. As you establish your plan, emphasize testing and measurements to ensure the desired outcomes are being obtained. Communicate with key stakeholders and align to promote a culture of awareness. The elephant in the room: To pay or not to pay: All businesses need to be prepared for “if, not when.” Cyber criminals exploit vulnerabilities, not always a specific business. The average time to dwell is closing in on 300 days. Once exploited, a malicious actor can work their way to financial information. If financial information is known, the ransom is set at our below an expected threshold. This is critical for small and medium businesses due to limited resources and ownership having extreme emotional ties to the firm. Malicious actors strike on the emotional vulnerability and negotiate payment based on known financials. Establishing a plan is critical to reducing the risk of emotion driving the decision to pay. Paying a ransom is a business financial decision, like converting cash to crypto on your balance sheet. It can also be considered illegal and not an option as you effectively support terrorism. Outside of legal issues, something to consider: How much data entry must be inputted to offset from the last backup? Is this possible/feasible? Often this amount exceeds the ransom demand. What assuran | Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2022-10-06 10:34:00 | BrandPost: Overcoming Cybersecurity Implementation Challenges (lien direct) | Cybersecurity has long been one of the most complex landscapes an organization must navigate; with each new threat or vulnerability, complexity continues to grow. This is especially true for organizations that have traditionally taken a point product approach to their security because implementing new security measures properly and reliably takes time and expertise. Today, as more businesses look to digitize their services, dealing with these cybersecurity challenges is no longer optional.Every new tool must be installed, tested, and validated, and then people must be trained to leverage them well. On average, organizations are adopting dozens of different products, services, and tools for their cybersecurity. So, finding ways to make implementing cybersecurity smoother, faster, and more efficient has become a key goal for cybersecurity professionals. As businesses plan for a post-pandemic and digitally accelerated era, many CISOs across multiple industries strive for simplicity and focus on reducing their security vendor blueprint as part of their annual KPIs. Implementation, in particular, has always been an important consideration for successful cybersecurity programs because of the time, expense, personnel, and expertise often required not only to implement individual point products but to stitch them together in order to avoid security gaps while also eliminating redundancies. In the event of a serious incident, security operations center (SOC) analysts typically confess to switching between multiple vendor consoles and event types in order to decipher alerts. Organizations and teams need a better approach, so they're not either continually exposed or overworked from the alerts created by overlap.To read this article in full, please click here | Tool Threat | ||
|
2022-10-06 05:00:00 | Dashlane launches new Dark Web Insights tool, MFA authenticator app, small biz Starter plan (lien direct) | Password manager vendor Dashlane has announced updates to its suite of enterprise offerings. These include a new Dark Web Insights tool that provides a breakdown of compromised passwords, a standalone authenticator app for enabling account multi-factor authentication (MFA), and a low-cost starter plan for small businesses. The firm has also introduced new live phone support service whereby users can request and book a call directly with Dashlane's support team.Breached employee credentials on dark web pose significant threat to businesses In a press release, Dashlane stated that its new Dark Web Insights tool “continuously scans” more than 20 billion records attached to hacks or data breaches on the dark web, providing users with a bespoke breakdown of compromised passwords across their organization. Dark Web Insights also provides admins the ability to scan their organization for incidences of breached credentials and invite non-Dashlane using, breached employees to begin using Dashlane through built-in seat provisioning. The firm said that, by pairing this alert function with the ability to generate new, random, and unique passwords, admins can take action quickly once alerted about compromised credentials.To read this article in full, please click here | Tool Threat | ★★★ | |
 |
2022-10-06 00:00:00 | Cinq fonctionnalités SonarCloud pour les développeurs qui veulent du code propre Five SonarCloud features for developers that want Clean Code (lien direct) |
Que vous travailliez sur un nouveau projet ou existant, vous pourriez considérer le code propre comme un idéal, quelque part loin hors de portée.Soit \\ passer plus de 5 fonctionnalités clés qui font de SonarCloud l'outil parfait pour les développeurs et les équipes de développement afin de livrer du code propre de manière cohérente et efficace, sans perturber le flux de travail de développement existant.
Whether you\'re working on a new project or an existing one, you might think of Clean Code as an ideal, somewhere far out of reach. Let\'s go over 5 key features that make SonarCloud the perfect tool for developers and development teams to deliver Clean Code consistently and efficiently, without disrupting the existing development workflow. |
Tool Tool | ★★★ | |
|
2022-10-05 12:15:00 | North Korea\'s Lazarus group uses vulnerable Dell driver to blind security solutions (lien direct) | The notorious North Korean state-sponsored hacker group Lazarus has begun exploiting a known vulnerability in an OEM driver developed by Dell to evade detection by security solutions. This is a prime example of why it's important to always keep third-party PC manufacturer software, which is often neglected, up to date, as well as to add vulnerable versions to blocklists.“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”To read this article in full, please click here | Tool Vulnerability | APT 38 |
To see everything:
Our RSS (filtrered)
