What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-08-30 15:01:00 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
LastPass Hackers Stole Source Code
(published: August 26, 2022)
In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.
Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli
(published: August 25, 2022)
Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).
Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Hack Tool Vulnerability Threat Guideline Cloud | APT 37 APT 29 LastPass | |
 |
2022-08-18 08:00:00 | Ukraine and the fragility of agriculture security (lien direct) |  By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware Threat Guideline Cloud | NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam | |
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
|
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
|
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
 |
2022-04-28 17:15:39 | CVE-2022-29413 (lien direct) | Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin | Guideline Cloud | APT 37 | |
 |
2018-08-09 13:00:01 | Examining Code Reuse Reveals Undiscovered Links Among North Korea\'s Malware Families (lien direct) | 
This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to …
|
Malware Guideline Medical Cloud | APT 38 APT 37 | |
 |
2018-04-06 12:08:04 | New Strain of ATM Jackpotting Malware Discovered (lien direct) | >A new type of ATM jackpotting malware has been discovered. Dubbed ATMJackpot, the malware appears to be still under development, and to have originated in Hong Kong. There are no current details of any deployment or use. ATMJackpot was discovered and analyzed by Netskope Threat Research Labs. It has a smaller footprint than earlier strains of jackpotting malware, but serves the same purpose: to steal money from automated teller machines (ATMs). ATM jackpotting -- also known as a logical attack -- is the use of malware to control cash dispensing from individual ATMs. The malware can be delivered locally to each ATM via a USB port, or remotely by compromising the ATM operator network. Jackpotting has become an increasing problem in recent years, originally and primarily in Europe and Asia. In 2017, Europol warned that ATM attacks were increasing. "The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately," said Steven Wilson, head of Europol's EC3 cybercrime center. The first attacks against ATMs in the U.S. were discovered in January 2018 following an alert issued by the Secret Service. In March 2018, the alleged leader of the Carbanak group was arrested in Spain. Carbanak is believed to have stolen around $1.24 million over the preceding years. Its method was to compromise the servers controlling ATM networks by spear-phishing bank employers, and then use foot soldiers (mules) to collect money dispensed from specific ATMs at specific times. It is not clear whether the ATMJackpot malware discovered by Netskope is intended to be manually installed via USB on individual ATMs, or downloaded from a compromised network. Physical installation on an ATM is not always difficult. In July 2017, IOActive described how its researchers could gain access to the Diebold Opteva ATM. It was achieved by inserting a metal rod through a speaker hole and raising a metal locking bar. From there they were able to reverse engineer software to get access to the money vault. Jackpotting malware is designed to avoid the need to physically break into the vault. It can be transferred via a USB port to the computer part of the ATM that controls the vault. Most ATMs use a version of Windows that is well understood by criminals. ATMJackpot malware first registers the windows class name 'Win' with a procedure for the malware activity. The malware then populates the options on the window and initiates a connection with the XFS manager. The XFS subsystem provides a common API to access and manipulate the ATM devices from different vendors. The malware then opens a session with the service providers and registers to monitor events. It opens a session with the cash dispenser, the card reader and the PIN pad servic | Guideline Cloud | APT 37 | |
|
2018-04-03 18:30:03 | New KevDroid Android Backdoor Discovered (lien direct) | >Security researchers have discovered a new Android Remote Access Trojan (RAT) that can steal a great deal of information from infected devices. Dubbed KevDroid, the mobile threat can steal contacts, messages, and phone history, while also able to record phone calls, Talos reports. Two variants of the malware have been identified so far. One of the variants exploits CVE-2015-3636 to gain root access, but both implement the same call recording capabilities, taken from an open-source project on GitHub. Once it has infected a device, the first KevDroid variant can gather and siphon information such as installed applications, phone number, phone unique ID, location, stored contacts information, stored SMS, call logs, stored emails, and photos. | Guideline Cloud | APT 37 | |
|
2018-02-21 15:20:05 | North Korea Cyber Threat \'More Aggressive Than China\': US Firm (lien direct) | North Korean hackers are becoming more aggressive than their Chinese counterparts, a leading US cybersecurity firm warned Tuesday, as it identified a Pyongyang-linked group as an "advanced persistent threat". | Guideline Cloud | APT 37 | |
 |
2017-12-15 14:00:00 | Things I Hearted This Week 15th December 2017 (lien direct) |
Continuing the trend from last week, I’ll continue trying to put a positive spin on the week’s security news.
Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing, and glass half full analogy and it does work wonders. Side note, a tweet about half full / empty glasses and infosec took on a life of its own a few days ago.
But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.”
So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits
Mirai Mirai on the wall
I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.”
It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty.
The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard
Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity
Botnet Creators Who Took Down the Internet Plead Guilty | Gizmondo
Bug Laundering Bounties
Apparently, HBO negotiated with hackers. Paying them $250,000 under the guise of a bug bounty as opposed to a ransom.
Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email.
The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)?
Leaked email shows HBO negotiating with hackers | Calgary Herald
Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today
Uber used bug bounty program to launder blackmail payment to hacker | ars Technica
Inside a low budget consumer hardware espionage implant
I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference.
|
Guideline Medical Cloud | Uber APT 38 APT 37 |
1
We have: 11 articles.
We have: 11 articles.
To see everything:
Our RSS (filtrered)
