What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2022-09-28 10:00:00 Stories from the SOC - C2 over port 22 (direct link) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. Executive summary The Mirai botnet is infamous for the impact and the lasting effect it has had on the world. Since the discovery of this malware in 2016, through to the present day and all the variants that have spawned from it, cybersecurity professionals have kept a keen eye on this form of Command and Control (C2 or CnC) malware and its associated addresses. The botnet malware uses malicious IP addresses that serve as intermediaries between compromised hosts and the central command server, which can use a wide range of Tactics, Techniques, and Procedures (TTPs) to deliver a payload in line with the malicious actor's goals. Recently, one of these malicious IP addresses reached out to an asset in an organization over port 22 and established an unmitigated Secure Shell (SSH) session to the company's file server. The intrusion was contained by the company's security best practices, which prevented any follow-up activity or lateral movement in the environment, and it ultimately resulted in the IP being blocklisted. Investigation Initial alarm review Indicators of Compromise (IOC) The alarm initially came in due to an inbound connection from a known malicious IP, as reported by the Open Threat Exchange (OTX) pulse related to Mirai botnet activity. OTX is an open source threat sharing platform that contains a wide variety of Indicators of Compromise (IOCs), leveraging user-submitted data and the collective cybersecurity community to form an ever-evolving picture of the threat landscape.
The corresponding evidenced action 'InboundConnectionAccepted' is self-explanatory: the connection was not mitigated and communication took place over port 22. The associated event further detailed this inbound connection with the initiating process, the logged-on user, and the process parents. This revealed that the affected asset is a file server running SolarWinds software, and it was likely that this inbound connection was accepted in part because it matched typical network behavior and the stateful firewall rules. C2 suspicious behavior Expanded investigation Events search C2 activity typically relies on a beacon placed in the victim's environment that lets the attacker know there is a device or network ready for command execution, and uses that feedback loop to maintain persistence. After seeing a successful connection with the malicious IP, the next step was to determine whether the malicious IP address had infiltrated the environment further or attempted any lateral movement. A thorough search in the instance showed only the single referenced event involving the malicious IP; however, the contextual events surrounding this successful connection corroborate attempted C2 activity. Corroborating C2 Event deep dive A further look into the event associated with the alarm shows that this is a file server running Serv-U.exe, a file transfer (FTP/SFTP) server made by SolarWinds; because Serv-U can serve SFTP over SSH, a listener on port 22 is expected on such a host, which is worth keeping in mind when deciding whether an accepted port-22 connection is anomalous. The destination port 22 successfully hosted communication with the malicious IP and appears to have been automatically proxied by the software, which could also contribute to the reason this connection was accepte Malware Tool Threat
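The two investigation steps described above (match accepted inbound connections against a threat-intel blocklist, then look for follow-on activity from the affected asset) can be expressed as a small triage routine. The example below is added here and is not code from the AT&T SOC post; the events, the blocklist and the asset names are constructed, and the field names (action, src_ip, dst_port, process) are assumptions that only loosely follow the fields the story mentions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real data). Asset names and IPs are hypothetical;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
EVENTS = [
    {"ts": "2022-09-20T08:00:00", "asset": "fs01", "action": "InboundConnectionAccepted",
     "src_ip": "203.0.113.45", "dst_ip": "10.0.5.20", "dst_port": 22, "process": "Serv-U.exe"},
    {"ts": "2022-09-20T08:00:03", "asset": "fs01", "action": "InboundConnectionAccepted",
     "src_ip": "10.0.9.14", "dst_ip": "10.0.5.20", "dst_port": 445, "process": "System"},
    {"ts": "2022-09-20T08:05:10", "asset": "fs01", "action": "ConnectionSuccess",
     "src_ip": "10.0.5.20", "dst_ip": "198.51.100.7", "dst_port": 443, "process": "svchost.exe"},
    {"ts": "2022-09-21T09:00:00", "asset": "ws07", "action": "InboundConnectionAccepted",
     "src_ip": "203.0.113.45", "dst_ip": "10.0.7.31", "dst_port": 3389, "process": "svchost.exe"},
]

# Constructed blocklist standing in for an exported OTX pulse (hypothetical IOCs).
IOC_IPS = {"203.0.113.45", "198.51.100.200"}

# RFC 1918 space; replace with the environment's real internal ranges.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def ioc_hits(events, iocs, port=22):
    """Initial alarm: accepted inbound connections whose source is a blocklisted IP.

    port=None disables the port filter and returns hits on any port.
    """
    return [e for e in events
            if e["action"] == "InboundConnectionAccepted"
            and e["src_ip"] in iocs
            and (port is None or e["dst_port"] == port)]


def follow_on(events, hit, window=timedelta(hours=24)):
    """Expanded investigation: what did the hit asset initiate after the accepted connection?

    Returns (lateral, outbound): later connections from that asset to internal hosts
    (possible lateral movement) and to external hosts (possible beaconing). Inbound
    events are excluded because the asset did not initiate them.
    """
    start = _when(hit)
    later = [e for e in events
             if e["asset"] == hit["asset"]
             and e["action"] != "InboundConnectionAccepted"
             and start < _when(e) <= start + window]
    lateral = [e for e in later if is_internal(e["dst_ip"])]
    outbound = [e for e in later if not is_internal(e["dst_ip"])]
    return lateral, outbound


if __name__ == "__main__":
    for hit in ioc_hits(EVENTS, IOC_IPS):
        lateral, outbound = follow_on(EVENTS, hit)
        print(f"{hit['asset']}: accepted {hit['src_ip']} on port {hit['dst_port']} "
              f"via {hit['process']}; lateral={len(lateral)} outbound={len(outbound)}")
```

On the constructed data the file server is the only port-22 hit, there is no subsequent internal connection from it (the outcome the story reports), and the one external connection it later made is returned for the analyst to review rather than silently dropped.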
SecurityAffairs.webp 2022-09-28 08:26:13 NUVOLA: the new Cloud Security tool (direct link) >nuvola is a new open-source cloud security tool that addresses privilege escalation in cloud environments. It was written by the Italian cyber security researcher Edoardo Rosa (@_notdodo_), Security Engineer at Prima Assicurazioni, and released during the RomHack 2022 security conference in Rome. The tool helps the […] Tool
Anomali.webp 2022-09-27 16:51:00 Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Fraud, Inbound connectors, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Multimillion Dollar Global Online Credit Card Scam Uncovered (published: September 23, 2022) ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted country, and a smaller number of sites targeted France. To pass the processor's checks and keep the number of chargebacks low, the actor avoided test charges, used a generic billing name, charged only a small amount typical for the industry, and hired a legitimate support center provider that offered effortless cancellation and refunds. Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by the overwhelming dominance of direct-traffic visitors from a single country, a small network of fake profiles, and a physical address rendered as an image to avoid indexing.
Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52 Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam (published: September 22, 2022) Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraudulent spam emails. After using valid credentials to gain access, the actor deployed a malicious OAuth application, granted it admin privileges and used it to change Exchange settings. The first modification created a new inbound connector that allowed mail from certain actor-controlled IPs to flow through the victim's Exchange server and appear to originate from the compromised Exchange domain. Second, 12 new transport rules were created to delete certain anti-spam email headers. Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate any alerts regarding suspicious email sending or the removal of anti-spam headers. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam NFT Malware Gets New Evasion Abilities (published: September 22, 2022) Morphisec researchers describe a campaign that has targeted non-fungible token (NFT) communities since November 2020. A malicious link is sent via Discord or another forum in a private phishing message related to an NFT or financial opportunity. If the user Ransomware Spam Malware Tool Threat
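The Exchange abuse summarized above leaves a distinctive trail in the admin audit log: an inbound connector created with attacker sender IPs, and a burst of transport rules whose only effect is to strip anti-spam headers, all performed by the same OAuth application rather than a human admin. The review routine below is an added example, not code from Microsoft or Anomali. The audit records are constructed and only loosely follow the Operation/UserId/Parameters shape of Exchange admin audit entries; the AppId, actor names and IPs are hypothetical, and the three header names are the Exchange Online anti-spam headers a stripping rule would most plausibly target.

```python
import json
from collections import defaultdict

# Anti-spam headers Exchange Online stamps on inbound mail; a rule that removes them
# matches the pattern described in the story.
ANTISPAM_HEADERS = {
    "X-MS-Exchange-Organization-SCL",
    "X-Forefront-Antispam-Report",
    "X-Microsoft-Antispam",
}
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}
RULE_OPS = {"New-TransportRule", "Set-TransportRule"}

# Constructed audit records (not real data), one JSON object per line.
AUDIT_JSONL = """
{"CreationTime":"2022-09-20T10:01:00","Operation":"New-InboundConnector","UserId":"svc-app@contoso.example","AppId":"11111111-2222-3333-4444-555555555555","Parameters":[{"Name":"Name","Value":"Ingest"},{"Name":"SenderIPAddresses","Value":"203.0.113.10,203.0.113.11"},{"Name":"ConnectorType","Value":"OnPremises"}]}
{"CreationTime":"2022-09-20T10:02:00","Operation":"New-TransportRule","UserId":"svc-app@contoso.example","AppId":"11111111-2222-3333-4444-555555555555","Parameters":[{"Name":"Name","Value":"r1"},{"Name":"RemoveHeader","Value":"X-MS-Exchange-Organization-SCL"}]}
{"CreationTime":"2022-09-20T10:02:05","Operation":"New-TransportRule","UserId":"svc-app@contoso.example","AppId":"11111111-2222-3333-4444-555555555555","Parameters":[{"Name":"Name","Value":"r2"},{"Name":"RemoveHeader","Value":"X-Forefront-Antispam-Report"}]}
{"CreationTime":"2022-09-20T11:30:00","Operation":"New-TransportRule","UserId":"admin@contoso.example","Parameters":[{"Name":"Name","Value":"legal-footer"},{"Name":"ApplyHtmlDisclaimerText","Value":"Confidential"}]}
"""


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def review_exchange_changes(jsonl):
    """Return (findings, rules_per_actor).

    findings: (time, operation, actor, reason) for every connector change and every
    transport rule that strips an anti-spam header.
    rules_per_actor: how many transport-rule changes each actor made, so a burst such
    as the 12 rules in the story stands out even if individual rules look harmless.
    Changes made through an OAuth app are attributed to the AppId, not the UserId.
    """
    findings = []
    rules_per_actor = defaultdict(int)
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        op, params = rec["Operation"], _params(rec)
        actor = rec.get("AppId") or rec["UserId"]
        if op in CONNECTOR_OPS:
            findings.append((rec["CreationTime"], op, actor,
                             f"inbound connector accepting mail from {params.get('SenderIPAddresses', '?')}"))
        elif op in RULE_OPS:
            rules_per_actor[actor] += 1
            removed = params.get("RemoveHeader")
            if removed in ANTISPAM_HEADERS:
                findings.append((rec["CreationTime"], op, actor, f"rule strips anti-spam header {removed}"))
    return findings, dict(rules_per_actor)


if __name__ == "__main__":
    findings, counts = review_exchange_changes(AUDIT_JSONL)
    for f in findings:
        print(*f)
    print("transport-rule changes per actor:", counts)
```

Keying the per-actor count on AppId is the point: a service principal that both creates a connector and then writes several header-stripping rules in quick succession is the signature to alert on, while the admin's disclaimer rule is counted but not flagged.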
News.webp 2022-09-27 14:00:12 Microsoft boosts phishing protection in Windows 11 22H2 (direct link) Security tool warns admins and users when a password is used on an untrusted site or stored locally In the latest version of Windows 11, Microsoft is introducing a feature in its Microsoft Defender SmartScreen tool designed to keep passwords safer.… Tool
DarkReading.webp 2022-09-27 13:51:25 BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic (direct link) Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say. Ransomware Tool
AlienVault.webp 2022-09-27 10:00:00 Centralized Privacy Center: The key to meeting data privacy obligations (direct link) This blog was written by an independent guest blogger. Website owners generally have privacy policies and terms of service, since these are necessary for compliance and for ensuring website visitors get a personalized experience. As digital needs transform and data privacy laws evolve, website owners that collect data are increasingly expected to have a Privacy Center. Hundreds of millions of users share their personal information on websites, enabling those websites to interact effectively with their users, innovate and grow their business. Businesses must ensure that their websites maintain customers' trust in the handling of their data, and that need gives shape to functions like a Privacy Center. What is a Privacy Center? From a user perspective, a Privacy Center makes it simple for users to maintain control over the personal information they have shared with a website. For a business, a Privacy Center provides all the information users require about privacy policies, cookie policies, data subject access requests, do-not-track or do-not-sell choices, and much more in one accessible spot. Data privacy laws such as the European Union's General Data Protection Regulation (GDPR) and the United States' California Privacy Rights Act (CPRA)/California Consumer Privacy Act (CCPA) impose strict obligations on businesses regarding data processing activities, the use of privacy policies, and transparent privacy practices. Consequently, businesses are increasingly coming to terms with the significance of Privacy Centers and how they can improve their compliance processes to avoid non-compliance penalties and make it easy to publish or update relevant policies from a single platform. What does a Privacy Center address?
Data privacy laws regulate how companies manage users' personal data, and users' growing awareness of their digital rights only escalates the need for a Privacy Center that addresses the following main concerns: What private information of a user can a business access? How does the business handle users' personal data? What is the purpose of collecting this personal data? Does the business sell or share the personal data with third parties? How long does a company retain users' personal data? Is there an option to opt out or unsubscribe from receiving personalized services? Businesses can efficiently address these issues and others from a single platform on their website, such as Securiti's Privacy Center. The tool is designed to address: Privacy Policy Terms of Service Cookie Policy Consent & Third Party Data Subject Requests Do Not Sell or Track When and why should a business have a Privacy Center? A Privacy Center, instead of separate policies for cookies, privacy, and other matters, is a user-friendly approach to disclosing data collection and processing activities. Large volumes of data collected If a business collects troves of data, a Privacy Center will enable the business to be transparent regarding data collection, processing, and sharing activities without overwhelming users. Looking for a single piece of information in a lengthy Privacy Policy page can be confusing and nerve-racking. A Privacy Center is an ideal platform for presenting such information in an understandable format, and it is simple for a user to locate relevant information without sifting through mountains of text. Tool
SecurityAffairs.webp 2022-09-26 06:22:16 Exmatter exfiltration tool used to implement new extortion tactics (direct link) >Ransomware operators switch to new extortion tactics by using the Exmatter malware and adding new data corruption functionality. The data extortion landscape is constantly evolving and threat actors are devising new extortion techniques, as is the case with the threat actors using the Exmatter malware. Cyderes Special Operations and Stairwell Threat Research researchers spotted a sample […] Malware Tool Threat
bleepingcomputer.webp 2022-09-25 11:14:27 Ransomware data theft tool may show a shift in extortion tactics (direct link) Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality, which may indicate a new tactic that ransomware affiliates could switch to in the future. [...] Ransomware Malware Tool
SANS.webp 2022-09-23 08:41:43 Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) (direct link) Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user. Malware Tool Vulnerability
DarkReading.webp 2022-09-22 18:31:41 Malicious npm Package Poses as Tailwind Tool (direct link) Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts. Tool
SANS.webp 2022-09-22 07:11:21 RAT Delivered Through FODHelper , (Thu, Sep 22nd) (direct link) I found a simple batch file that drops a Remcos[1] RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). Once launched, this tool will search for specific registry keys and, if present, will execute their content with high privileges. Tool
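The fodhelper bypass referred to in the SANS entry works by writing a command under the ms-settings protocol handler in the current user's hive (HKCU\Software\Classes\ms-settings\Shell\Open\command, with an empty DelegateExecute value) and then launching fodhelper.exe, an auto-elevating binary that consults that key. Both halves are visible in endpoint telemetry: a registry write to that path, and a child process of fodhelper.exe running at High integrity. The detector below is an added example, not the SANS author's code; the events are constructed Sysmon-style records (EventID 13 for registry value set, EventID 1 for process creation) and the user, SID and file paths are hypothetical.

```python
import re

# Registry path fodhelper.exe consults. A per-user (HKCU/HKU) write here by an
# unprivileged process is the setup step of the bypass.
MS_SETTINGS_RE = re.compile(
    r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command(\\|$)", re.IGNORECASE)
FODHELPER = "fodhelper.exe"

# Constructed Sysmon-style events (not real data).
EVENTS = [
    {"EventID": 13, "User": "DESKTOP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "User": "DESKTOP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\drop.bat"},
    {"EventID": 1, "User": "DESKTOP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High",
     "CommandLine": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\drop.bat"},
    # Benign per-user file-association write; must not match.
    {"EventID": 13, "User": "DESKTOP\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"},
]


def detect_fodhelper(events):
    """Return (kind, user, description) for each event consistent with the bypass.

    kind is "registry" for the handler write and "process" for the elevated child.
    Seeing both from one user within a short window is the strongest signal, but
    each alone is worth a look: legitimate software has no reason to write that key.
    """
    findings = []
    for e in events:
        if e["EventID"] == 13 and MS_SETTINGS_RE.search(e["TargetObject"]):
            value = e["TargetObject"].rsplit("\\", 1)[-1]
            findings.append(("registry", e["User"],
                             f"{value} set to {e['Details']!r} by {e['Image']}"))
        elif e["EventID"] == 1 and e.get("ParentImage", "").lower().endswith(FODHELPER):
            # fodhelper normally only hands off to the Settings app via the ms-settings
            # handler; a shell or script host as its child is the payload being launched.
            findings.append(("process", e["User"],
                             f"{e['Image']} spawned by fodhelper at {e['IntegrityLevel']} "
                             f"integrity: {e['CommandLine']}"))
    return findings


if __name__ == "__main__":
    for kind, user, desc in detect_fodhelper(EVENTS):
        print(f"[{kind}] {user}: {desc}")
```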
SecurityAffairs.webp 2022-09-21 15:45:32 Over 39K unauthenticated Redis services on the internet targeted in cryptocurrency campaign (direct link) >Threat actors targeted tens of thousands of unauthenticated Redis servers exposed on the internet as part of a cryptocurrency campaign. Redis is a popular open source data structure store that can be used as an in-memory distributed database, message broker or cache. It is not designed to be exposed on the Internet; however, researchers spotted […] Tool
TechRepublic.webp 2022-09-20 20:17:02 Uber exposes Lapsus$ extortion group for security breach (direct link) >In last week's security breach against Uber, the attackers downloaded internal messages from Slack as well as information from a tool used to manage invoices. Tool Uber
Anomali.webp 2022-09-20 15:00:00 Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Iran, Ransomware, Stealers, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker having obtained fresh keylogger logs from two Uber employees in Indonesia and Brazil whose machines had been infected with the Raccoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication (MFA) fatigue attack, requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games' Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker. Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack, such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign uses a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware that spreads the malicious archive further by publishing promotional videos on the victim's YouTube channel. These videos target gamers with promises of "cheats" and "cracks." Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for gaming and banking activities. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub Ransomware Malware Tool Vulnerability Threat Guideline Uber Uber APT 41 APT 15
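The analyst comment on the Uber story recommends alerting on a large number of MFA requests in a short period. Concretely that is a per-user sliding window over push events, with a second signal that matters for triage: whether a push was approved while the burst was still running, which is what turns a fatigue attempt into a compromise. The routine below is an added example rather than Anomali's or Uber's code; the push events are constructed, the user names are hypothetical, and the threshold and window are assumed starting points to tune against your own identity provider's baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push events (not real data): (user, ISO timestamp, outcome).
EVENTS = [
    ("alice", "2022-09-15T01:10:00", "denied"),
    ("alice", "2022-09-15T01:10:40", "denied"),
    ("alice", "2022-09-15T01:11:20", "timeout"),
    ("alice", "2022-09-15T01:12:05", "denied"),
    ("alice", "2022-09-15T01:13:00", "denied"),
    ("alice", "2022-09-15T01:14:30", "approved"),
    ("bob",   "2022-09-15T09:00:00", "approved"),
    ("bob",   "2022-09-15T13:00:00", "approved"),
]


def mfa_fatigue_alerts(events, threshold=4, window=timedelta(minutes=10)):
    """Sliding-window count of MFA pushes per user.

    A user is alerted on once `threshold` pushes fall inside one `window`. The alert
    records the largest burst seen and whether any push was approved while the burst
    was active (the outcome described in the Uber story). Returns
    {user: {"pushes": n, "approved_after_burst": bool}} for alerting users only.
    """
    alerts = {}
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside the window
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
            entry["pushes"] = max(entry["pushes"], len(q))
            if result == "approved":
                entry["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in mfa_fatigue_alerts(EVENTS).items():
        flag = "APPROVED DURING BURST" if info["approved_after_burst"] else "no approval"
        print(f"{user}: {info['pushes']} pushes in window, {flag}")
```

The approved-after-burst flag is the one to page on; a burst of denials alone is worth a ticket, but a burst followed by an approval means the account should be treated as compromised until proven otherwise.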
DarkReading.webp 2022-09-20 14:24:25 Byos Releases Free Assessment Tool to Provide Companies with Tailored Network Security Recommendations (direct link) The assessment tool instantly generates a detailed report breaking down a company's current network security maturity and recommended next steps. Tool
bleepingcomputer.webp 2022-09-19 12:07:36 VMware, Microsoft warn of widespread Chromeloader malware attacks (direct link) The operators of the Chromeloader adware are evolving their attack methods and gradually transforming the low-risk tool into a dangerous malware loader, seen dropping ransomware in some cases. [...] Ransomware Malware Tool
AlienVault.webp 2022-09-19 10:00:00 What is Data-as-a-Service (DaaS)? Understanding the benefits, and common use cases (direct link) This blog was written by an independent guest blogger. If you have been looking at all the opportunities data unlocks for your business, you have probably stumbled upon DaaS. DaaS stands for data as a service, which may sound overly complicated and expensive to consider. It is quite the opposite, and it can help a company leverage IoT and cloud data without investing heavily in infrastructure and software. To assess whether it is complicated to implement and what benefits it delivers, you first need to know what DaaS is. That is why we will go over the definition of data as a service, its benefits, and common use cases. What is Data as a Service (DaaS) - The definition "As a service" has become a common term in the software industry, especially in the B2B niche as "Software as a Service". It refers to one company renting software to another company: you get a complete software product, ready to be used out of the box. Now let's return to the definition of data as a service with that in mind: "Data as a service is software sold by data provider companies and developed to deliver ready-to-use data to end users." There is one big difference between software as a service and data as a service. Unlike SaaS, which provides access to software tools, DaaS leverages software to provide data. It can provide raw data directly or expose it through an API. Finally, DaaS may appear to be a single service, but that is not the case: it is several services bundled into one solution.
The most common services in a DaaS offer include: Data collection (including various sources such as IoT) Cloud data storage Data lifecycle management Data modeling and processing (including transformation, quality control, and replication) Data marketplace (enabling businesses to get the most relevant data for their needs) Benefits of data as a service The next big question you might have is whether it is worth implementing DaaS. That is not an easy question to answer, because every business is unique, especially regarding its data needs. To help you reach an informed decision, we have put together a list of the benefits DaaS offers. Reduced operational costs Data is valuable because it can answer so many questions. However, you need a lot of data to obtain accurate and relevant insights, and storing and processing big data costs money because it requires massive internal storage capacity and processing power. Once you invest in DaaS, you no longer need to continuously invest in your own infrastructure and maintenance. The DaaS provider handles all of this internally and uses its own infrastructure, staff, and software to deliver ready-to-use data to you. Increased security You probably know how hard it is to handle security in your organization. There are many variables to consider, and each of them requires a unique approach and a relevant cybersecurity solution. Unfortunately, data is a hot target these days, and cyber criminals are constantly on the lookout for backdoors they can exploit to get their hands on valuable data. When you start using DaaS, the provider takes on the security of the data platform itself, although your organization remains responsible for how it accesses, uses and protects the data it receives. DaaS providers use state-of-the-art cybersecurity solutions to keep data safe. They also have robust backup policies to ensure you retain access to data even if something unforeseen happens. Achieved compliance Using data fo Tool
SecurityWeek.webp 2022-09-14 14:35:30 Bishop Fox Releases Open Source Cloud Hacking Tool 'CloudFox' (direct link) Cybersecurity firm Bishop Fox has announced the release of CloudFox, an open source tool designed to help find exploitable attack paths in cloud infrastructure. The command line tool has been created for penetration testers and other offensive security professionals. Tool
ESET.webp 2022-09-14 09:30:58 You never walk alone: The SideWalk backdoor gets a Linux variant (direct link) >ESET researchers have uncovered another tool in the already extensive arsenal of the SparklingGoblin APT group: a Linux variant of the SideWalk backdoor Tool
CSO.webp 2022-09-14 08:26:00 AutoRabit launches devsecops tool for Salesforce environments (direct link) Devsecops firm AutoRabit is trying to address security issues arising from policy changes and misconfigurations in Salesforce environments with a new offering, CodeScan Shield. CodeScan Shield is the next iteration of AutoRabit's static code analysis tool, CodeScan, and extends its capabilities with a new module called OrgScan. The new module governs organizational policies by enforcing the security and compliance rules mandated for Salesforce environments. With OrgScan, a dashboard is created at the end of each scan that identifies any areas of concern. This puts control back in an organization's hands, saving time and money, the company said. Tool
DarkReading.webp 2022-09-13 22:34:00 Bishop Fox Releases Cloud Enumeration Tool CloudFox (direct link) CloudFox is a command-line tool to help penetration testers understand unknown cloud environments. Tool
DarkReading.webp 2022-09-13 19:50:24 U-Haul Customer Contract Search Tool Compromised (direct link) A password compromise led to unauthorized access to a customer contract search tool over a five-month window, according to the company. Tool
Anomali.webp 2022-09-13 15:00:00 Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with an initial intrusion in May 2021, proceeded with mailbox exfiltration between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 anti-Iranian cyber operations by Predatory Sparrow promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antivirus, the archived email attachment had the malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | Ransomware Malware Tool Vulnerability Threat Guideline APT 27 APT 34
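The Mustang Panda attachment trick described above, a payload buried eight levels deep in folders whose names contain only special characters, is cheap to catch at the mail gateway if the archive listing is inspected rather than just the top-level member names. The scanner below is an added example, not Secureworks' or Anomali's code. It builds a constructed archive in memory that imitates the described layout (the folder names, the lure document and the depth limit are assumptions, not the real campaign's values), then flags members by nesting depth, by path components with no visible characters, and by executable file type.

```python
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}
MAX_DEPTH = 3  # assumed policy: deeper nesting in a mail attachment is unusual enough to flag


def build_sample_archive():
    """Constructed sample (not a real attachment): a lure document beside eight nested
    folders named only with whitespace and zero-width characters, hiding an .exe."""
    hidden_dirs = "/".join(["\u200b", "\u00a0", " ", "\u200b\u200b", "\u2007", " ", "\u200c", "\u3000"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting Agenda.docx", b"lure")
        zf.writestr(f"{hidden_dirs}/update.exe", b"MZ")
        zf.writestr(f"{hidden_dirs}/config.dat", b"x")
    return buf.getvalue()


def _is_hidden_name(component):
    """True when a path component has no visible character (only spaces, non-breaking
    spaces, zero-width or other format characters), i.e. it renders as an empty folder name."""
    return not any(ch.isprintable() and not ch.isspace() for ch in component)


def scan_archive(data):
    """Return [(member_name, [reasons])] for every file member that trips a check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            dirs, name = parts[:-1], parts[-1]
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons = []
            if len(dirs) > MAX_DEPTH:
                reasons.append(f"nested {len(dirs)} levels deep")
            if any(_is_hidden_name(d) for d in dirs):
                reasons.append("path contains folder names with no visible characters")
            if ext in EXECUTABLE_EXT:
                reasons.append(f"executable type {ext}")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()):
        print(repr(name), "->", "; ".join(reasons))
```

The check on folder names is the part most worth keeping: depth limits and extension lists are easy for an attacker to adjust, but a folder whose name has no visible characters has no legitimate reason to exist in a business attachment.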
CSO.webp 2022-09-13 02:00:00 CNAPP buyers guide: Top tools compared (direct link) Cloud security continues to be a vexing situation, and the tool set continues to become more complex, riddled with acronyms representing possible solutions. Now there's another: the cloud native application protection platform, or CNAPP. This tool combines the coverage of four separate products: A cloud infrastructure entitlements manager (CIEM) that manages overall access controls and risk management tasks A cloud workload protection platform (CWPP) that secures code across all kinds of cloud-based repositories and provides runtime protection across the entire development environment and code pipelines A cloud access security broker (CASB) that handles authentication and encryption tasks A cloud security posture manager (CSPM) that combines threat intelligence and remediation IT and security managers are looking for a few basic elements from these products, including more accurate threat detection, support for all workloads across multiple cloud deployments, and ways to implement preventive controls. Tool Threat
DarkReading.webp 2022-09-12 21:28:40 How Machine Learning Can Boost Network Visibility for OT Teams (direct link) Opswat says its new tool uses neural networks to protect critical environments through AI-assisted asset discovery, network visibility, and risk management. Tool
bleepingcomputer.webp 2022-09-12 16:28:35 U-Haul discloses data breach exposing customer driver licenses (direct link) Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers' names and driver's license information. [...] Data Breach Tool
bleepingcomputer.webp 2022-09-08 16:51:52 Bumblebee malware adds post-exploitation tool for stealthy infections (direct link) A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. [...] Malware Tool
MalwarebytesLabs.webp 2022-09-08 11:00:00 Your HP Support Assistant needs an update! (direct link) >Categories: Exploits and vulnerabilities; Categories: News; Tags: HP Support Assistant, DLL hijacking, SYSTEM privileges, CVE-2022-38395 HP has issued a new version of its HP Support Assistant tool because of a high severity DLL hijacking vulnerability. (Read more...) Tool
AlienVault.webp 2022-09-08 10:00:00 Why does preparing for AI attacks need to be your next big agenda? (direct link) This blog has been written by an independent guest blogger. Since its advent, the debate over the ethical and unethical use of AI has been ongoing. From movies to discussions and research, the likely adversarial impact AI could have on the world has been a constant cause of concern for every privacy- and security-conscious person. AI indeed plays a core role in the modern milestones the world has achieved. Nevertheless, despite films like I, Robot spelling out the potential damage of integrating AI into the normal functions of life, AI has continued to grow rapidly. Its roots and impacts are evident in every sphere of life, be it the medical, technological, educational, or industrial sectors. The flipside that everyone has long been dreading is rapidly starting to take form. The emergence of AI-based attacks AI-based attacks are still relatively rare, but according to a survey by Forrester, 88% of security experts believe that these AI-powered attacks will become more common in the coming years. For now, some of the most prevalent AI-based cyber-attacks that have surfaced are as follows: AI manipulation or data poisoning AI manipulation, or data poisoning, has become the typical type of AI-based cyber-attack. It is an adversarial attack in which hackers poison the training data of AI models, forcing them to behave maliciously. Nowadays, the use of AI is prevalent in almost every organization. AI tools play an essential part in data storage and analysis, as well as in protection from cyber-attacks such as malware or phishing. Such tools are designed to automate tasks, but the threat-protection models they rely on can themselves become targets of data poisoning.
Since the AI works by observing behavior patterns and pre-fed information, a hacker can remove the pre-fed information and feed the AI tool malicious data instead. Such an act can have an adversarial impact. For example, hackers can manipulate a phishing tool designed to detect and delete phishing emails into accepting them into its users' inboxes. A related abuse of manipulated AI models, though not data poisoning as such, is the deepfake content that has taken social media platforms by storm. AI-based social engineering attacks Since AI is designed to perform tasks typically associated with human cognition, cybercriminals can exploit it for several nefarious purposes, such as enhancing social engineering attacks. AI works by identifying and replicating patterns in human behavior, making it a convenient tool to persuade users into undermining systems and handing over confidential information. Apart from that, during the reconnaissance phase of an attack, AI can be used to study the target by scouring social media and various databases. AI can find out the behavioral patterns of the target, such as the language they use, their interests, and what topics they usually talk about. The information collected can be used to create a convincing spear phishing or BEC attack. AI automation Another significant advantage cyber criminals gain from AI-based attacks is automation. AI tools can significantly endanger endpoint security by automating intrusion techniques and launching attacks at unprecedented speeds. Moreover, AI can also scour target networks, computers, and applications for possible vulnerabilities and loopholes that hackers can exploit. Apart from that, automation allows cybercriminals to launch significantly larger attack campaigns. With AI automating most of their work, such as vulnerability assessment and data analysis, cybercriminals now have the leve Malware Tool Vulnerability Threat
2022-09-08 08:39:42 Lazarus and the tale of three RATs (lien direct) By Jung soo An, Asheer Malhotra and Vitor Ventura. Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. Introduction: Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT." This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers. In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints. In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern Malware Tool Vulnerability Threat Medical APT 38
CVE.webp 2022-09-07 22:15:08 CVE-2022-36082 (lien direct) mangadex-downloader is a command-line tool to download manga from MangaDex. When using `file:` command and `` is a web URL location (http, https), mangadex-downloader between versions 1.3.0 and 1.7.2 will try to open and read a file in local disk for each line of website contents. Version 1.7.2 contains a patch for this issue. Tool ★★★★★
CVE.webp 2022-09-07 21:15:08 CVE-2022-36049 (lien direct) Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0. Tool Vulnerability Uber
DarkReading.webp 2022-09-07 15:53:37 Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (lien direct) The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control. Malware Tool
Anomali.webp 2022-09-07 15:00:00 Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022) Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, EvilProxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, EvilProxy has enabled phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases the risk of follow-up supply-chain attacks. The Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195 Tags: EvilProxy, Phishing, Phishing-as-a-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022) Cybereason researchers investigated the Ragnar Locker ransomware that was involved in a cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and this is not the first time it has targeted critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind. Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy about attacking critical infrastructure as long as the targets are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste Ransomware Malware Tool Threat Patching Guideline Yahoo
codewhitesec.webp 2022-09-06 11:02:07 Attacks on Sysmon Revisited - SysmonEnte (lien direct) In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events, making this attack difficult to detect in environments where no additional security products are installed. tl;dr: Suspend all threads of Sysmon. Create a limited handle to Sysmon and elevate it by duplication. Clone the pseudo handle of Sysmon to itself in order to bypass SACL as proposed by James Forshaw. Inject a hook manipulating all events (in particular ProcessAccess events on Sysmon). Resume all threads. We also release a POC called SysmonEnte. Background: At Code White we are used to performing complex attacks against hardened and strictly monitored environments. A reasonable approach to stay under the radar of the blue team is to blend in with false positives by adapting normal process and user behavior, carefully choosing host processes for injected tools and targeting specific user accounts. However, clients with whom we have been working for a while have reached a high level of maturity. Their security teams strictly follow all the hardening advice we give them and invest a lot of time in collecting and base-lining security related logs while constantly developing and adapting detection rules. We often see clients making heavy use of Sysmon, along with the Windows Event Logs and a traditional AV solution. For them, Sysmon is the root of trust for their security monitoring and its integrity must be ensured.
However, an attacker who has successfully and covertly compromised the integrity of Sysmon effectively breaks the security model of these clients. In order to undermine the aforementioned security setup, we aimed at attacking Sysmon to tamper with events in a manner which is difficult to detect using Sysmon itself or the Windows Event Logs. Attacks on Sysmon and Detection: Having done some Googling on how to blind Sysmon, we realized that all publicly documented ways are detectable via Sysmon itself or the Windows Event Logs (at least those we found): Unloading Sysmon Driver - detectable via Sysmon event ID 255, Windows Security Event ID 4672. Attacks via Custom Driver - detectable via Sysmon event ID 6, Driver loaded. Kill the Sysmon Service - Sysmon Event ID 10 (Process Access with at least the PROCESS_TERMINATE flag set; the last event forwarded by Sysmon). Manipulating the Rules Registry Key - Event ID 16. Patching Sysmon in Memory - Event ID 10. While we were confident that we could kill Sysmon before throwing Event ID 5 (Process terminated), we thought that a host not sending any events would be suspicious and could be observed in a client's SIEM. Also, loading a signed, whitelisted and exploitable driver to attack from kernel land was out of scope to maintain stability. Since all of these documented attack vectors are somehow detectable via Sysmon itself or the Windows Event Logs, or can cause stability issues, we needed a new attack vector with the following capabilities: not detectable via Sysmon itself; not detectable via Windows Event Log; Sysmon must stay alive; attack from usermode. Injecting and manipulating the control flow of Sysmon seemed the most promising. Attack Description: Similarly to SysmonQuiet or EvtMute, the idea is to inject code into Sysmon which redirects the Tool
The_State_of_Security.webp 2022-09-06 09:23:00 Dispelling 5 Myths and Misconceptions Surrounding File Integrity Monitoring (FIM) (lien direct) >File integrity monitoring (FIM) started back in 1997 when Gene Kim launched Tripwire and its “Change Audit” solution. Just a few years later, Change Audit became FIM; this rebranded tool worked with the 12 security controls identified in Visa's Cardholder Information Security Program (CISP). CISP became PCI DSS 1.0, and things continued to evolve after that. Which brings us to […]… Read More Tool
InfoSecurityMag.webp 2022-09-05 15:00:00 EvilProxy Phishing Toolkit Spotted on Dark Web Forums (lien direct) The tool highlights the growth in attacks against online services and MFA authorization mechanisms Tool
InfoSecurityMag.webp 2022-09-02 16:00:00 US Police Deployed Obscure Smartphone Tracking Tool With No Warrants (lien direct) It would allow police to search billions of mobile device-based records, including GPS data Tool
Anomali.webp 2022-09-01 16:50:00 Security Operations are More Difficult Now More Than Ever. But Why? (lien direct) According to recent research by ESG, 52% of respondents believe security operations are more difficult today than they were two years ago. Responses stated this was due to multiple factors, such as the increasingly dangerous threat landscape, a growing attack surface, the volume and complexity of security alerts, and public cloud proliferation. Today’s threats are more sophisticated than ever, making them more challenging to defend against. Security teams must constantly do more with less, protecting more data, endpoints, and applications. And, as the threat landscape evolves, so will they, but chances are they must do so with fewer resources. The growing list of challenges is never-ending. So what tops the list? An Ever-Growing Attack Surface Organizations are collecting and storing more data than ever, driven by more cloud-based applications and services. This new on-prem/off-prem environment has created more potential entry points for attackers. Additionally, many organizations lose track of their assets, failing to update policies and their security infrastructure, leaving them vulnerable to attacks that exploit known vulnerabilities. Another reason security teams face more challenges today is the increasing number of mobile devices and cloud apps used by employees. These devices and apps can provide a convenient way for employees to access company data, but they can also be a security risk if they are not adequately secured. The Evolving Threat Landscape As the attack surface grows, so does the number of potential threats. Security teams must now contend with a broader range of threats, including sophisticated malware, zero-day exploits, and ransomware. Additionally, attackers are becoming more brazen and are targeting high-profile organizations with well-funded security operations.
In addition, the rise of social media has created new opportunities for hackers to launch cyber attacks. Social media platforms can spread malware or gather information about people’s online habits, which can be used to launch targeted attacks and infiltrate enterprise organizations. Increasing Compliance Requirements Organizations must comply with an ever-growing number of regulations, such as the EU’s General Data Protection Regulation (GDPR), that require security teams to put in place additional controls and processes, which can be costly and time-consuming. Additionally, compliance failures can result in heavy fines and strain an already tight budget. Limited Resources According to (ISC)²'s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to defend organizations’ critical assets effectively. While the number of professionals required to fill the gap has decreased, the number of qualified cyber professionals will fall even further due to the growing demand for highly skilled individuals. Complex Tech Stack Enterprises frequently deploy new security tools and services to address changing needs and increased threats. As previously mentioned, a typical enterprise SOC may use a combination of twenty or more technologies, making it difficult to customize each solution for its environment. The interoperability issues caused by using multiple vendors make it very challenging to get a complete picture of your overall security environment. The Need to Adapt Despite these challenges, security teams must find ways to adapt to protect their organizations effectively against ever-evolving threats. So what c Malware Tool Threat Guideline
CrowdStrike.webp 2022-09-01 13:20:32 CrowdStrike Introduces Sandbox Scryer: A Free Threat-Hunting Tool for Generating MITRE ATT&CK and Navigator Data (lien direct) Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats. By allowing researchers to send thousands of samples to a sandbox for […] Tool Threat ★★
CVE.webp 2022-09-01 13:15:08 CVE-2022-36055 (lien direct) Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings into Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. Tool Uber
Blog.webp 2022-08-31 23:26:41 RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github (lien direct) The ASEC analysis team has recently discovered the distribution of a RAT Tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing a source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by... Malware Tool
CVE.webp 2022-08-31 20:15:08 CVE-2022-36048 (lien direct) Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected. Tool Vulnerability
CVE.webp 2022-08-31 15:15:08 CVE-2022-36035 (lien direct) Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy. Tool Vulnerability Uber
Mandiant.webp 2022-08-31 10:00:00 Reviewing macOS Unified Logs (lien direct) Beginning with macOS 10.12 (Sierra), Apple introduced a key change to how logging was done on their systems. This new logging system replaced common Unix logs with macOS Unified Logs. These logs can provide forensic investigators a valuable artifact to aid in investigating macOS systems or other Apple devices. In this blog post, we will cover an overview of the Unified Logs and the challenges presented in using them during an investigation. Along with this blog post, we also released a tool called “macos-unifiedlogs” to help overcome some of the challenges in parsing log data, and to Tool ★★★
DarkReading.webp 2022-08-30 22:21:30 New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries (lien direct) New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note. Tool
Anomali.webp 2022-08-30 15:01:00 Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the development environment of the password management giant LastPass. LastPass stated that the intrusion happened through a single compromised developer account and that the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when the source code of the attacked system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by the Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence, Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall, the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomalies, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to the SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | Ransomware Hack Tool Vulnerability Threat Guideline Cloud APT 37 APT 29 LastPass
2022-08-30 08:00:09 ModernLoader delivers multiple stealers, cryptominers and RATs (lien direct) By Vanja Svajcer. Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Technical details: Initial findings: In June 2022, Cisco Talos identified an unusual command line execution in our telemetry. The decoded base64 command is below: [Figure: Initial finding: A command executed on the system.] The 31.41.244[.]231 IP is a Russian IP and hosts several other URLs with similar naming conventions. Autostart command: Following the discovery of the initial command, we identified two other command lines. They are a result of an autorun registered executable and the execution of a scheduled task. Malware Tool Threat Yahoo
CVE.webp 2022-08-29 15:15:09 CVE-2022-0485 (lien direct) A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image. Tool
SANS.webp 2022-08-28 11:24:43 Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons, (Sun, Aug 28th) (lien direct) I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system's memory dumps. Tool
Last update at: 2024-06-02 14:07:57