What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-08-12 15:00:00 | Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry (lien direct) | Authored by: Tara Gould and Rory Gould
Key Findings
Spearphishing emails are targeting the manufacturing industry in Taiwan and Korea to spread malware.
Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts; delivering Warzone RAT.
Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah.
Overview
Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the threat group Aggah. Our analysis found multiple PowerPoint files that contained malicious macros that used MSHTA to execute a script utilizing PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence this is Aggah.
Aggah
Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.[1] The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRat.[2]
Unit 42 initially-believed, due to shared high level TTPs as well as the use of RevengeRat, Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments.[3] However, there were prominent Gorgon Group indicators not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. Other researchers agree that Aggah is an Urdu speaking Pakistani group due to the use of Urdu words written in Latin script but stress this does not mean they are the Gorgon Group.[4]
Aggah has been consistently active since 2019, generally using the same identifiable TTPs. This past year was a notable year for the group, with a 2020 campaign targeting Italian organizations and manufacturing sectors around the world.[5] Later that same year, Aggah were observed likely selling or loaning malware to lower-level Nigerian actors.[6] Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.[7] The move to using compromised sites is likely due to fact the Internet Archive hosted files are being taken down much quicker and is a notable change for Aggah.
Technical Analysis
Email
The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021 to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company, FomoTech a Taiwanese engineering company, and to Hyundai Electric, a Korean power company. Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah.[8]
Figure 1 - Spoofed Spearphishing Email Sent to Fon Star
PowerPoint File
File name Purchase order 4500061977,pdf.ppam
MD5 b5a31dd4a6af746f32149f9706d68f45
When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) contained in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545h |
Malware Tool Threat | ||
 |
2021-08-12 14:28:43 | S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast] (lien direct) | Latest episode - listen now! (And learn about the Navajo Nation's selfless cryptographic contribution to America.) | Tool | ||
 |
2021-08-12 13:51:56 | Windows 11 gets new versions of Snipping Tool, Mail, and Calculator (lien direct) | Microsoft is rolling out its first Windows 11 app updates with new versions of the Calculator, Mail and Calendar, and the Snipping Tool apps. [...] | Tool | ||
 |
2021-08-11 11:42:27 | Cobolt Strike Vulnerability Affects Botnet Servers (lien direct) | Cobolt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send... | Tool Vulnerability | ||
 |
2021-08-10 16:01:02 | Deploy this web interface to your data center for user account control (lien direct) | If you're looking for a tool to cut down on the time you spend managing user accounts, let Usermin hand some of those duties over to your end-users. | Tool | ||
|
2021-08-10 13:40:07 | Hate your job? Find a new one with this LinkedIn tool (lien direct) | As employers ramp up hiring, a free online tool helps people identify new career pathways and upskilling opportunities to make a career change a reality. | Tool | ||
|
2021-08-09 19:10:27 | How to use the Windows Media Creation Tool to create a Windows 10 ISO file (lien direct) | The free Windows Media Creation Tool from Microsoft grants you the power to create your own bootable Windows 10 backup, but you have to find and download it first. | Tool | ||
|
2021-08-09 13:58:40 | Microsoft\'s Azure Data Share: How to use this big data tool (lien direct) | Microsoft's cloud-hosted data sharing tools are for anyone who needs to work with big data. | Tool | ||
 |
2021-08-06 09:32:28 | Recap: Black Hat USA 2021 (lien direct) | Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of | Tool Threat | ||
 |
2021-08-06 04:58:07 | Checklist Short: Finding Pegasus Tracks (lien direct) | A short Checklist this week, but an important one: A free tool to help detect Pegasus spyware on an iPhone! | Tool | ||
|
2021-08-05 17:01:12 | “Cobalt Strike” network attack tool patches crashtastic server bug (lien direct) | Ahhhh, the irony! Red-team network attack tool has its very own bug for Blue Teams to counterexploit. | Tool | ||
|
2021-08-04 13:40:37 | How to do machine learning without an army of data scientists (lien direct) | Commentary: Machine learning is still harder than it needs to be. The open-source tool ModelDB and the ML model management platform Verta can help. | Tool | ||
 |
2021-08-03 15:39:20 | capa 2.0: Better, Faster, Stronger (lien direct) | We are excited to announce version 2.0 of our open-source tool called
capa. capa automatically identifies capabilities in programs using an
extensible rule set. The tool supports both malware triage and deep
dive reverse engineering. If you haven't heard of capa before, or need
a refresher, check out our first
blog post. You can download capa 2.0 standalone binaries from
the project's release page and
checkout the source code on GitHub.
capa 2.0 enables anyone to contribute rules more easily, which makes
the existing ecosystem even more vibrant. This blog post details the
following major improvements included in capa 2.0:
New features and enhancements for the capa
explorer IDA Pro plugin, allowing you to interactively explore
capabilities and write new rules without switching windows
More concise and relevant results via identification of library
functions using FLIRT and the release of accompanying open-source
FLIRT signatures Hundreds of new rules describing
additional malware capabilities, bringing the collection up to 579
total rules, with more than half associated with ATT&CK
techniques Migration to Python 3, to make it easier to
integrate capa with other projects
capa explorer and Rule Generator
capa explorer is an IDAPython plugin that shows capa results
directly within IDA Pro. The version 2.0 release includes many
additions and improvements to the plugin, but we'd like to highlight
the most exciting addition: capa explorer now helps you write new capa
rules directly in IDA Pro!
Since we spend most of our time in reverse engineering tools such as
IDA Pro analyzing malware, we decided to add a capa rule generator.
Figure 1 shows the rule generator interface.
Figure 1: capa explorer rule generator interface
Once you've installed capa explorer using the Getting
Started guide, open the plugin by navigating to Edit >
Plugins > FLARE capa explorer. You can start using
the rule generator by selecting the Rule Generator tab at the
top of the capa explorer pane. From here, navigate your IDA Pro
Disassembly view to the function containing a technique you'd like to
capture and click the Analyze button. The rule generator will
parse, format, and display all the capa features that it finds in your
function. You can write your rule using the rule generator's three
main panes: Features, Preview, and Editor. Your
first step is to add features from the Features pane.
The Features pane is a tree view containing all the capa
features extracted from your function. You can filter for specific
features using the search bar at the top of the pane. Then, you can
add features by double-clicking them. Figure 2 shows this in action.
Figure 2: capa explorer feature selection
As you add features from the Features pane, the rule
generator automatically formats and adds them to the Preview
and Editor panes. The Preview and Editor panes
help you finesse the features that you've added and allow you to
modify other information like the rule's metadata.
The Editor pane is an interactive tree view that displays the
stat |
Malware Tool | ||
 |
2021-08-01 09:22:25 | procdump Version 10.1, (Sun, Aug 1st) (lien direct) | A new version of procdump, the Sysinternals tool to create process dumps, was released. | Tool | ||
|
2021-07-30 14:28:13 | Is Dark Mode actually saving your smartphone battery? (lien direct) | A new study compares situational use in light and dark mode and introduces a tool developers could use to assess app battery use. | Tool | ||
 |
2021-07-29 15:37:25 | How Low-level Hackers Access High-end Malware (lien direct) | Hacking tool downloads from underground forums are increasing, and the tools are becoming more sophisticated; low-level hackers are gaining access to hacked versions of sophisticated tools; access broking is growing; and existing tools are repurposed for more aggressive attacks. | Malware Tool | ||
 |
2021-07-29 00:00:00 | Pourquoi les fraudeurs nous blitz-ils avec des appels téléphoniques sur l'escroquerie? Why are fraudsters blitzing us with scam phone calls? (lien direct) |
Chair of Cybersecurity at MTU, Dr. Donna O\'Shea, contributed to this article in the Irish Times This week I have received a half dozen mobile calls from a number purporting to be very similar to my own. The caller ID shows an 087 number – like my own – and the subsequent four digits were also identical to mine, while the last three varied each time. In the jargon, this is known as “neighbour spoofing”, when a false caller ID is sent, seeming to come from the same area you live in, or a familiar looking number, to make it more likely that you will answer. When I did answer a not very convincing automated recording from “the department of social protection department” said fraud had been associated with my Personal Public Service Number (PPSN). Many of you will have received similar calls, trying to get you to “press a key” and talk to someone who tries to get you to divulge your PPSN, name, and in some cases, bank details. A recent scam text pretending to be from an Irish bank tells users that access to their account has been restricted due to a hacking attempt and invites them to input details to unlock it. These are all part of the seemingly endless cycle of scams which seem to have exploded over the past couple of years – and got increasingly sophisticated. But why is this happening? Let\'s look, as we would with any business, at the economics of the phone frauds. 1. Falling barriers to entry One of the first things with any business is to look at the barriers to getting involved. Whether for a criminal or legal enterprise, the cost of establishment is vital and can have a key bearing on activity levels and competition. Up to recent years, undertaking phone scams that involved hiding numbers and making thousands of calls required a significant level of technical knowledge. Now, according to Dr Donna O\'Shea, head of the computer science department of Cork Institute of Technology (CIT), the requisite “exploit” kits are downloadable, can leverage VOIP (voice over internet protocol) technology to call from PCs and display fake numbers on the user\'s phone. “You don\'t have to be a technical person to do it any more,” she said. It is still hard to account for the massive volumes of calls now happening, according to O\'Shea, but there appears to be a sharp rise in call numbers as well as increased sophistication. Relatively easily spotted calls from far-away countries are now replaced by more sophisticated “spoofing” – using numbers displaying themselves as “ordinary” Irish numbers. Showing a number close to your one is just one variant of this. It has also led to people “returning” calls to these numbers, which in some cases are valid numbers with real – and puzzled – owners. “You rang me”. . . “No I didn\'t . . .” At the moment incoming calls cannot be easily verified as coming from valid numbers. As the industry deregulated, numbers became portable – an 087 number can operate as part of the 086 network and so on – making checking incoming numbers to see if they are valid difficult – though here and internationally this issue is being examined. Some US operators have introduced controls, but it is a constant battle to stay ahead of the scammers. Not only it is relatively easy, but generating tens of thousands of phone calls is cheap, with operators taking on a tiny – or zero – cost per call. And so the “success” rate required to make money is tiny. Business Insider calculated in the US that some 2.5 million calls could be bought from a provider for just $875 by illegal telemarketers or scammers. Even if one in every 10,000 yielded revenue averaging $7 on average, the initial investment would be doubled. And of course, phone calls are just one variant of the scammers\' art, which also includes text messages and emails, all in many ways increasingly sophisticated, particularly texts allegedly from financial institutions which click through to plausible fake sites inviting you to enter your details. 2. | Tool Mobile Technical | ★★★ | |
 |
2021-07-28 19:38:41 | Wireless Penetration Testing: Wifipumpkin3 (lien direct) | Wifipumpkin3 is a framework that is built on python to give rogue access point attacks to red teamers and reverse engineers. In this article, we would look at how we can use this tool to create a bogus Wi-Fi access point for our victims to connect and how to exploit | Tool | ||
 |
2021-07-28 17:44:50 | Reboot of PunkSpider Tool at DEF CON Stirs Debate (lien direct) | Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. | Tool | ||
 |
2021-07-27 16:12:56 | A Controversial Tool Calls Out Vulnerabilities Across the Web (lien direct) | PunkSpider is back, and crawling hundreds of millions of sites for vulnerabilities. | Tool | ||
|
2021-07-27 15:00:00 | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It
(published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France
(published: July 21, 2021)
The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time
(published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r |
Malware Tool Vulnerability Threat | Uber APT 31 | |
|
2021-07-27 12:09:31 | Vulnerability in Popular Survey Tool Exploited in Possible Chinese Attacks on U.S. (lien direct) | A recently disclosed vulnerability affecting a popular survey creation tool has been exploited by a threat group that may be linked to China against organizations in the United States. | Tool Vulnerability Threat | ||
 |
2021-07-27 00:00:00 | Un été des exploits d'été des exploits de ransomware qui ont eu lieu à l'été 2021 A Summer of ExploitsA summary of ransomware exploits that took place in the summer of 2021Read More (lien direct) |
Over the past few weeks several dramatic vulnerabilities were exposed in different ubiquitous products and platforms, including the Microsoft Windows OS, the Solarwinds Serv-U Managed File Transfer and Serv-U Secure FTP products, and Kaseyaâs services.â1. Print Night Mare2. Print Nightmare Update3. Kaseya\'s Clients Important Notice4. CISA\'s public alert5. Reuters Article about Data ransom6. Microsoft\'s emergency patch fails7. SolarWinds Zero-day vulnerability8. SolarWinds alerted by Microsoft9. Kaseya restores servicesâSummary of the EventsâKaseyaWhat happened? On July 2nd, a cyber attack was launched against the IT solutions company Kaseya. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform to over 40,000organizations worldwide.The cyberattack has been attributed to the REvil/Sodinikibi ransomware group whose ransomware was first detected in April 2019. The groupâs usual propagation method is phishing emails containing malicious links. Some of the groupâs most prominent victim industries in the last two years were healthcare facilities and local governments. REvil has offered a decryption key, allegedly universal - able to unlock all encrypted systems, for the âbargainâ price of $70 million via bitcoin (BTC) cryptocurrency. On July 13th, all of REvilâs online activity stopped and the groups data-dump websites were shut down without further information, leaving the victims of their latest attacks hostage with encrypted files and no valid payment address or decryption keys.Who was impacted? On July 2nd Kaseya claimed that the attack affected only a small number of on-premise clients, In a press release published on July 5th the company estimated that the number of clients impacted by the attack is between 800 and 1500 businesses.âPrintNightmareWhat happened? On June 8th, Microsoft published a CVE advisory for a vulnerability in the Windows PrintSpooler service which is enabled by default in all Windows clients and servers across almost all modern Windows versions. This vulnerability was initially categorized as a low severity local privilege escalation (LPE) vulnerability by Microsoft and a patch for it was released on June 21st. A week later, researchers published a successful PoC of the exploitation and claimed that the vulnerability is in fact a high severity RCE and PE vulnerability. On July 1st, a separate vulnerability in the same Windows Print Spooler service was discovered, similar to the first vulnerability, this new âPrintNightmareââ was also a RCE andLPE vulnerability that would allow attackers system privileges with which they could install programs; view, change, or delete data; or create new accounts with full user rights.After the high severity of the vulnerability was acknowledged, Microsoft published an out-of band patch on July 6th and claimed to have fully addressed the public vulnerability. However, on July 7th researchers presented additional successful PoCs and claimed that the patch can be bypassed.Who was impacted? This vulnerability affects all modern unpatched client and server versions of Windows.According to Kaspersky, the vulnerability was already exploited but no further information regarding victims is currently available.âSolarwindsWhat happened? On July 9th, Solarwinds published an announcement claiming that they were informed by Microsoft of an exploited zero-day vulnerability in their Serv-U Managed File Transfer and Serv-U Secure FTP products.On July 10th, Solarwinds released a patch to fix the vulnerability and claimed that this event is unrelated to the Solarwinds supply chain attack that occurred in December of 2020.The vulnerability allows an attacker to run arbitrary code with privileges, and then install programs; view, change, or delete data; or | Ransomware Tool Vulnerability Studies | ★★★ | |
|
2021-07-26 12:23:41 | GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies (lien direct) | GitLab last week announced the release of a new open source tool designed to help software developers identify malicious code in their projects' dependencies. | Tool | ||
 |
2021-07-26 07:42:46 | Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System (lien direct) | Patrick DeSantis discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in the CODESYS Development System.
The CODESYS Development System is the IEC 61131-3 programming tool for industrial control and automation technology,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Tool | ||
 |
2021-07-26 07:13:02 | DIY security – are you doing it right? (lien direct) | There is no tool in the world that can fully replace a human when it comes to finding web vulnerabilities. A skilled security researcher is always able to find more than an automated scanner. There is just one problem. With a ratio of thousands of... Read more | Tool | ||
|
2021-07-24 06:47:29 | Agent.Tesla Dropped via a .daa Image and Talking to Telegram, (Sat, Jul 24th) (lien direct) | A few days ago, I found an interesting file delivered by email (why change a winning combination?). The file has a nice extension: “.daa†(Direct Access Archive). We already reported such files in 2019 and Didier wrote a diary[1] about them. Default Windows installation, can't process “.daa†files, you need a specific tool to open them (like PowerISO). I converted the archive into an ISO file and extracted the PE file inside it. | Tool | ||
 |
2021-07-23 10:03:07 | Kaseya obtained a universal decryptor for REvil ransomware attack (lien direct) | The software provider Kaseya announced to have obtained a universal decryptor for the REvil ransomware. Earlier this month, a massive supply chain attack conducted by the REvil ransomware gang hit the cloud-based managed service provider platform Kaseya, impacting both other MSPs using its VSA software and their customers. The VSA tool is used by MSPs to perform […] | Ransomware Tool | ||
|
2021-07-22 20:28:51 | The Kaseya Ransomware Nightmare Is Almost Over (lien direct) | A decryption tool has emerged, meaning any victims whose systems remain locked up can soon breathe easy. | Ransomware Tool | ||
|
2021-07-21 18:11:31 | NPM Package Steals Passwords via Chrome\'s Account-Recovery Tool (lien direct) | In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems via ChromePass. | Tool | ||
|
2021-07-21 09:00:00 | NPM package steals Chrome passwords on Windows via recovery tool (lien direct) | New npm malware has been caught stealing credentials from the Google Chrome web browser by using legitimate password recovery tools on Windows systems. Additionally, this malware listens for incoming connections from the attacker's C2 server and provides advanced capabilities, including screen and camera access. [...] | Malware Tool | ||
 |
2021-07-21 06:38:39 | Malicious NPM Package Caught Stealing Users\' Saved Passwords From Browsers (lien direct) | A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser.
The package in question, named "nodejs_net_server" and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent |
Tool Guideline | ||
 |
2021-07-20 23:15:37 | CVE-2021-32751 (lien direct) | Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in thieir application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. Fpplications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command. | Tool Vulnerability | ||
|
2021-07-20 15:52:35 | How to quickly view your files and documents in Windows with QuickLook (lien direct) | The free QuickLook tool can display a variety of file types without you having to open them or launch their applications. | Tool | ||
|
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
|
2021-07-19 17:53:56 | Experts disclose critical flaws in Advantech router monitoring tool (lien direct) | Cisco Talos experts disclose details of several critical flaws in a router monitoring application developed by industrial and IoT firm Advantech. Cisco Talos researchers discovered multiple critical vulnerabilities in the R-SeeNet application developed by industrial and IoT firm Advantech. The application allows network administrators to monitor Advantech routers in their infrastructure. The monitoring tool collects […] | Tool | ||
|
2021-07-19 14:51:49 | Cisco Discloses Details of Critical Advantech Router Tool Vulnerabilities (lien direct) | Cisco's Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting a router monitoring application made by Taiwan-based industrial and IoT solutions provider Advantech. The affected tool is R-SeeNet, which is designed to help network administrators monitor their Advantech routers. | Tool Threat | ||
 |
2021-07-19 13:00:00 | capa 2.0: mieux, plus fort, plus rapide capa 2.0: Better, Stronger, Faster (lien direct) |
Nous sommes ravis d'annoncer la version 2.0 de notre outil open source appelé CAPA.CAPA identifie automatiquement les capacités des programmes à l'aide d'un ensemble de règles extensible.L'outil prend en charge à la fois le triage de logiciels malveillants et l'ingénierie inverse de plongée profonde.Si vous avez déjà entendu parler de capa ou si vous avez besoin d'un rafraîchissement, consultez notre First BlogPost .Vous pouvez télécharger des binaires autonomes CAPA 2.0 à partir de la Page de publication et de vérifier le code source sur github .
CAPA 2.0 permet à quiconque de contribuer des règles plus facilement, ce qui rend l'écosystème existant encore plus dynamique.Ce billet de blog détaille le major suivant
We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven\'t heard of capa before, or need a refresher, check out our first blog post. You can download capa 2.0 standalone binaries from the project\'s release page and checkout the source code on GitHub. capa 2.0 enables anyone to contribute rules more easily, which makes the existing ecosystem even more vibrant. This blog post details the following major |
Malware Tool Technical | ★★★★ | |
|
2021-07-19 06:11:04 | Researchers Warn of Linux Cryptojacking Attackers Operating from Romania (lien direct) | A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang.
Dubbed "Diicot brute," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to |
Tool Threat | ||
|
2021-07-17 11:11:29 | Wireless Penetration Testing: Wifite (lien direct) | Introduction Wifite is a wireless auditing tool developed by Derv82 and maintained by kimocoder. You can find the original repository here. In the latest Kali Linux, it comes pre-installed. It's a great alternative to the more tedious to use wireless auditing tools and provides simple CLI to interact and perform | Tool | ||
|
2021-07-17 07:17:24 | BASE85 Decoding With base64dump.py, (Sat, Jul 17th) (lien direct) | Xavier&#;x26;#;39;s diary entry "Multiple BaseXX Obfuscations" covers a malicious script that is encoded with different "base" encodings. Xavier starts with my tool base64dump.py, but he can not do the full decoding with base64dump, as it does not support BASE85. | Tool | ||
|
2021-07-16 13:34:21 | Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft (lien direct) | XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool | Tool | ||
 |
2021-07-16 10:08:19 | OneLogin Eases Adoption of Zero Trust Framework with Delegated Administration (lien direct) | OneLogin has announced the launch of its Delegated Administration offering, which enables organizations to adopt the Zero Trust principle of least privilege access. By empowering IT administrators to easily delegate access on a granular level, organizations can balance productivity requirements with the need to aggressively protect their organization against security threats. OneLogin's Delegated Administration tool […] | Tool | ||
|
2021-07-15 17:15:08 | CVE-2021-32750 (lien direct) | MuWire is a file publishing and networking tool that protects the identity of its users by using I2P technology. Users of MuWire desktop client prior to version 0.8.8 can be de-anonymized by an attacker who knows their full ID. An attacker could send a message with a subject line containing a URL with an HTML image tag and the MuWire client would try to fetch that image via clearnet, thus exposing the IP address of the user. The problem is fixed in MuWire 0.8.8. As a workaround, users can disable messaging functionality to prevent other users from sending them malicious messages. | Tool | ||
|
2021-07-13 15:00:00 | Cyber Threat Intelligence Combined with MITRE ATT&CK Provides Strategic Advantage over Cyber Threats (lien direct) | Many security executives have fundamental familiarity with the MITRE ATT&CK framework, although most perceive it within a narrow set of use cases specific to deeply-technical cyber threat intelligence (CTI) analysts. The truth though, is that when integrated into overall security operations, it can produce profound security and risk benefits. What is MITRE ATT&CK? MITRE ATT&CK serves as a global knowledge base for understanding threats across their entire lifecycle. The framework’s differentiator is its focus on tactics, techniques, and procedures (TTPs) that threats use to operate in the real world, rather than just on typical indicators like IP addresses, file hashes, registry keys, and so on. MITRE ATT&CK offers a rigorous and holistic method for understanding the types of adversaries operating in the wild and their most observed behaviors, and for defining and classifying those behaviors with a common taxonomy. This is an advantage that brings a much-needed level of organization to the chaotic threat landscape organizations face. MITRE ATT&CK has practical applications across a range of security functions when security tooling and processes are mapped to it. By characterizing threats and their TTPs in a standardized way and visualizing them through the MITRE ATT&CK matrix, the framework makes it easier for security leaders and their direct reports to determine and communicate the highest priority threats they are facing and to take more sweeping, strategic actions to mitigate them. In the Weeds? Yes and No At first glance, MITRE ATT&CK can be intimidating. It may even seem too technically in the weeds for executives who are grappling with leadership-level security concerns. However, the truth is that MITRE ATT&CK holds tremendous strategic potential. It can also help accelerate the cybersecurity maturation process. The framework does undoubtedly help security practitioners with their day-to-day technical analysis, making them better at their jobs. However, when used to its full potential, MITRE ATT&CK can help security executives gain better value out of existing technologies, with threat intelligence platforms (TIPs), SIEMs, and other security analytics tools being among these. More importantly, it helps establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. CISOs and other security executives could almost think of it as a tool that automates the creation of a roadmap, showing them precisely where the onramps to threats are located in their networks and what vehicles adversaries are using to enter. Let’s take a closer look at how MITRE ATT&CK works and why those in charge of security shouldn’t wait to adopt it into their strategic arsenals. Programmatic Benefits Having established that MITRE ATT&CK provides value to security leaders, let’s consider a few of the genuine benefits it delivers, as it isn’t just in the day-to-day minutiae of security operations where MITRE ATT&CK shines. Overlay. When an organization overlays its existing security posture and controls on top of MITRE ATT&CK-contextualized CTI, it becomes much easier to identify the riskiest control gaps present in the security ecosystem. Productivity. When looking at workflows and the teams available to respond to the MITRE ATT&CK-delineated TTPs most likely to target the organization, leaders can more easily identify at-risk talent and process gaps and then take steps to better address both. Prioritization. As security leaders go through their regularly scheduled validation of security coverage, they should leverage their CTI to identify the most common TTPs relevant to their environments. MITRE ATT&CK can crisply articulate this. With an understanding of where their biggest risks reside, executiv | Tool Threat Guideline | ||
|
2021-07-13 12:00:02 | Thinking of the cloud as a cost-saving tool puts businesses at a disadvantage, Accenture finds (lien direct) | The most successful companies consider cloud technology a continuum of tools for strategizing and transforming business practices, a study of leaders suggests. | Tool Guideline | ||
|
2021-07-12 20:15:09 | CVE-2021-24424 (lien direct) | The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | Tool Guideline | ||
|
2021-07-12 11:00:00 | GitHub\'s Commercial AI Tool Was Built From Open Source Code (lien direct) | Copilot is pitched as a helpful aid to developers. But some programmers object to the blind copying of blocks of code used to train the algorithm. | Tool | ★★★★ | |
|
2021-07-11 11:00:00 | A New Tool Shows How Google Results Vary Around the World (lien direct) | Search Atlas displays three sets of links-or images-from different countries for any search. | Tool | ||
|
2021-07-09 19:15:08 | CVE-2021-32753 (lien direct) | EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in EdgeX Edinburgh release. The default authentication method was changed to JWT in Fuji and later releases. Users should upgrade to the EdgeX Ireland release to obtain the fix. The OAuth2 authentication method is disabled in Ireland release. If unable to upgrade and OAuth2 authentication is required, users should create OAuth2 users directly using the Kong admin API and forgo the use of the `security-proxy-setup` tool to create OAuth2 users. | Tool Vulnerability |
To see everything:
Our RSS (filtrered)
