What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-08-25 21:15:09 | CVE-2023-40583 (lien direct) | libp2p est une pile réseau et une bibliothèque modularisées à partir du projet IPFS et regroupées séparément pour que d'autres outils puissent être utilisés.Dans go-libp2p, en utilisant des enregistrements homologues signés, un acteur malveillant peut stocker une quantité arbitraire de données dans la mémoire d'un nœud distant.Cette mémoire n'est pas récupérée et la victime peut donc manquer de mémoire et planter.Si les utilisateurs de go-libp2p en production ne surveillent pas la consommation de mémoire au fil du temps, il pourrait s'agir d'une attaque silencieuse, c'est-à-dire que l'attaquant pourrait faire tomber les nœuds sur une période de temps (la durée dépend des ressources du nœud, c'est-à-dire un nœud go-libp2p sur unUn serveur virtuel avec 4 Go de mémoire prend environ 90 secondes pour s'arrêter ; sur un serveur plus grand, cela peut prendre un peu plus de temps.) Ce problème a été corrigé dans la version 0.27.4.
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4. |
Tool | ||
|
2023-08-25 21:15:08 | CVE-2023-32678 (lien direct) | Zulip est un outil de collaboration d'équipe open source avec un fil de discussion thématique qui combine le courrier électronique et le chat.Les utilisateurs qui étaient abonnés à un flux privé et qui en ont été supprimés depuis conservent la possibilité de modifier des messages/sujets, de déplacer des messages vers d'autres flux et de supprimer les messages auxquels ils avaient accès, si d'autres autorisations d'organisation pertinentes le permettent.Actions.Par exemple, un utilisateur peut pouvoir modifier ou supprimer ses anciens messages publiés dans un tel flux privé.Un administrateur pourra supprimer les anciens messages (auxquels il avait accès) du flux privé.Ce problème a été résolu dans Zulip Server version 7.3.
Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3. |
Tool | ||
|
2023-08-25 21:15:08 | CVE-2023-40571 (lien direct) | weblogic-framework est un outil de détection des vulnérabilités weblogic.Les versions 0.2.3 et antérieures ne vérifient pas les paquets de données renvoyés et il existe une vulnérabilité de désérialisation qui peut conduire à l'exécution de code à distance.Lorsque weblogic-framework reçoit l'écho de la commande, il désérialise directement les données renvoyées par le serveur sans les vérifier.Dans le même temps, le chargeur de classe charge de nombreux appels de désérialisation.Dans ce cas, les données sérialisées malveillantes renvoyées par le serveur provoqueront l'exécution de code à distance.La version 0.2.4 contient un correctif pour ce problème.
weblogic-framework is a tool for detecting weblogic vulnerabilities. Versions 0.2.3 and prior do not verify the returned data packets, and there is a deserialization vulnerability which may lead to remote code execution. When weblogic-framework gets the command echo, it directly deserializes the data returned by the server without verifying it. At the same time, the classloader loads a lot of deserialization calls. In this case, the malicious serialized data returned by the server will cause remote code execution. Version 0.2.4 contains a patch for this issue. |
Tool Vulnerability | ||
 |
2023-08-25 10:00:49 | Fuite de lockbit, opportunités de recherche sur les outils divulgués par les TA Lockbit leak, research opportunities on tools leaked from TAs (lien direct) |
En septembre 2022, plusieurs professionnels de l’information sur la sécurité ont écrit et confirmé la fuite d’un constructeur pour le ransomware Lockbit 3.Dans cet article, nous fournissons l'analyse du constructeur et des versions récemment découvertes.
In September of 2022, multiple security news professionals wrote about and confirmed the leakage of a builder for Lockbit 3 ransomware. In this post we provide the analysis of the builder and recently discovered builds. |
Tool | ★★★ | |
 |
2023-08-24 16:39:44 | Les chercheurs en sécurité signalent une augmentation des cyberattaques mondiales de 8% Sicherheitsforscher melden Anstieg der weltweiten Cyber-Angriffe um 8 Prozent (lien direct) |
Le rapport de sécurité en milieu d'année du point de contrôle 2023 montre que les anciennes et nouvelles formes de cyber-criminels mettent en dies, car Ki et USB-Ger & Auml; Te deviennent des complices inattendus.Au & szlig; Erdem est attiré par Lockbit3 parmi les ransomwares au cours de la première année de 2023.
San Carlos, Californie, États-Unis & # 8211;23 août 2023-véritable Research Point (RCR), le ministère du renseignement des menaces deVérifier Point & Reg;Software Technologies Ltd. (NASDAQ: CHKP),un fournisseur mondial de Cyber Securityl & ouml;Le rapport couvre une augmentation inquiétante de 8% dans les cyberattaques mondiales dans le monde au deuxième trimestre de 2023 à & # 8211;Le st & auml; rksten augmente au cours des deux dernières années.Les chercheurs en sécurité expliquent comment les attaquants d'une manière sophistiquée de la génération N & Aumle se combinent avec des outils bien connus tels que USB-Ger & Auml;Le rapport montre également comment les attaques de ransomwares sont intensifiées au cours de la première année de l'année, car de nouveaux groupes de ransomwares étaient sur les lieux.
-
rapports spéciaux
/ /
Prime Time
Der Check Point 2023 Mid-Year Security Report zeigt, dass sich alte und neue Formen der Cyber-Kriminalität vermischen, denn KI und USB-Geräte werden zu unerwarteten Komplizen. Außerdem ist Lockbit3 der Spitzenreiter unter den Ransomwares in der ersten Jahreshälfte 2023 gewesen. SAN CARLOS, Kalifornien, USA – 23. August 2023 - Check Point Research (CPR), die Threat-Intelligence-Abteilung von Check Point® Software Technologies Ltd. (NASDAQ: CHKP), einem weltweit führenden Anbieter von Cyber-Sicherheitslösungen, hat seinen 2023 Mid-Year Security Report veröffentlicht. Der Bericht deckt einen beunruhigenden Anstieg von acht Prozent bei den wöchentlichen Cyber-Angriffen weltweit im zweiten Quartal 2023 auf – der stärkste Anstieg in den letzten zwei Jahren. Die Sicherheitsforscher gehen darauf ein, wie Angreifer auf raffinierte Weise KI-Technologie der nächsten Generation mit altbekannten Tools wie USB-Geräten kombinieren, um neuartige Attacken durchzuführen. Der Bericht zeigt auch, wie Ransomware-Angriffe in der ersten Jahreshälfte eskaliert sind, da neue Ransomware-Gruppen auf den Plan getreten waren. - Sonderberichte / primetime |
Tool | ★★★ | |
 |
2023-08-24 10:00:00 | La cybersécurité est-elle en tant que service (CSAAS) la réponse: déplacer plus vite |Faire plus Is Cybersecurity as a Service (CSaaS) the answer: Move faster | Do more (lien direct) |
Cybersecurity comme avantage concurrentiel L'économie est dans l'esprit des chefs d'entreprise.Les plans C reconnaissent la survie dépend de la capacité de protéger les systèmes et les informations.Ils doivent repenser la résilience, atténuer les risques, déployer stratégiquement les actifs et les investissements et attribuer la responsabilité.Faire plus avec moins est le mantra en cours dans les industries technologiques et le cyberespace. Alors que les hauts dirigeants revisitent leurs stratégies de croissance, c'est un excellent moment pour évaluer où ils se trouvent sur le spectre du cyber-risque et l'importance des coûts de complexité.Bien que ceux-ci varieront à l'autre des unités commerciales, des industries et des géographies, maintenant pour le cyber, il existe un nouveau modèle de livraison avec le paiesimplification. Entrez la cybersécurité en tant que modèle de consommation de services CSAAS, ou cybersécurité en tant que service, est une approche basée sur l'abonnement à la cybersécurité qui offre aux organisations la protection de la cybersécurité à la demande.Il s'agit d'un modèle de paiement avec un fournisseur tiers, où les services peuvent varier et être adaptés aux besoins de l'organisation.Ces services peuvent inclure la surveillance des menaces, le respect des normes de l'industrie, la formation des employés et les tests de pénétration, ce qui simule une attaque contre le réseau. L'un des principaux avantages du CSAAS est qu'il enlève le fardeau de l'entreprise pour maintenir une équipe de cybersécurité, qui peut être difficile à embaucher aujourd'hui.Il permet également aux organisations de se développer à mesure que leur entreprise se développe sans avoir à continuer de recruter et d'embaucher des professionnels de la cybersécurité. Tous les fournisseurs CSAAS ne sont pas créés égaux Lors du choix d'un fournisseur CSAAS, plusieurs facteurs doivent être pris en compte pour vous assurer de sélectionner le bon pour votre entreprise.Ces facteurs comprennent: Expertise technique et profondeur des services: Recherchez un fournisseur offrant une gamme complète de services de cybersécurité au-delà des tests de pénétration. La réputation des CSAAS: vérifiez si le fournisseur a de l'expérience dans votre industrie et s'ils ont des clients comme votre entreprise.Assurez-vous également qu'ils sont financièrement stables. Taille des CSAAS: assurez-vous que le fournisseur peut évoluer avec les besoins de votre entreprise à mesure que vous grandissez. Termes et conditions de la relation: Lisez la petite impression pour comprendre tous les détails dans divers scénarios.Comprendre leurs politiques et procédures. Structure des coûts et des frais: assurez-vous que le modèle de tarification du fournisseur est transparent et qu'il n'y a pas de coûts cachés. Outils et technologie: assurez-vous que la technologie du fournisseur est solide et utilise les derniers outils pour fournir des services de cybersécurité. Support: Vérifiez si le fournisseur peut prendre en charge votre entreprise 24h / 24 et 7j / 7, principalement si vous opérez dans plusieurs fuseaux horaires. Conformité réglementaire: Assurez-vous que le vendeur peut respecter la conformité réglementaire dont vous avez besoin dans votre industrie. Compte tenu de ces facteurs, vous pouvez choisir un fournisseur de CSAAS qui répond aux besoins de votre entreprise et offre une protection de cybersécurité pour protéger votre entreprise des cyber-menaces. Évaluez vos besoins uniques de cybersécurité Différentes industries sont à différents stades de maturité avec la transformation numérique, et dans chaque secteur, certaines organisations ont progressé beaucoup plus rapidement que d'autres.Par conséquent, il est essentiel d'évaluer les exigences de cybersécuri | Tool Threat | ★★ | |
|
2023-08-23 20:15:08 | CVE-2023-40025 (lien direct) | ARGO CD est un outil de livraison continu Gitops déclaratif pour Kubernetes.Toutes les versions du CD ARGO à partir de la version 2.6.0 ont un bogue où les sessions d'ouverture du terminal Web n'expirent pas.Ce bogue permet aux utilisateurs d'envoyer des messages WebSocket même si le jeton a déjà expiré.Le scénario le plus simple est lorsqu'un utilisateur ouvre la vue terminale et la laisse ouverte pendant une période prolongée.Cela permet à l'utilisateur d'afficher des informations sensibles même lorsqu'elle aurait déjà dû être déconnectée.Un patch pour cette vulnérabilité a été publié dans les versions CD ARGO suivantes: 2.6.14, 2.7.12 et 2.8.1.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. A patch for this vulnerability has been released in the following Argo CD versions: 2.6.14, 2.7.12 and 2.8.1. |
Tool Vulnerability | Uber | |
|
2023-08-23 11:50:30 | Connaissances en matière de cybersécurité : les Français au 7ème rang mondial (lien direct) | Connaissances en matière de cybersécurité : les Français au 7ème rang mondial L'étude montre que la sensibilisation à la protection de la vie privée en ligne et à la cybersécurité est en baisse dans le monde entier La majorité des Français savent comment créer des mots de passe robustes. Les Français ne connaissent pas les outils en ligne qui protègent la vie privée. Seuls 11 % des Français sont des cyberstars (très compétents dans le domaine). L'étude montre que la sensibilisation à la protection de la vie privée en ligne et à la cybersécurité est en baisse dans le monde entier La majorité des Français savent comment créer des mots de passe robustes. Les Français ne connaissent pas les outils en ligne qui protègent la vie privée. Seuls 11 % des Français sont des cyberstars (très compétents dans le domaine). - Investigations | Tool | ★★★★ | |
|
2023-08-23 10:43:47 | Décryptage cyberattaque - HP constate que les hackers combinent des méthodes simples pour tromper les outils de détection et déployer des logiciels malveillants multilingues (lien direct) | Décryptage cyberattaque - HP constate que les hackers combinent des méthodes simples pour tromper les outils de détection et déployer des logiciels malveillants multilingues - Malwares | Tool | ★★★ | |
 |
2023-08-23 10:00:00 | Versa améliore le package SASE avec des outils de sécurité basés sur l'IA Versa enhances SASE package with AI-based security tools (lien direct) |
Versa renforce les fonctionnalités de gestion de la sécurité de l'IA de son package intégré Secure Access Service Edge (SASE) pour inclure une amélioration de la détection de logiciels malveillants pour la protection avancée des menaces, la microsegmentation du réseau et la protection génératrice de l'IA pour aider les clients à mieux détecter et atténuer rapidement les menaces à leur réseauService et applications. Le fournisseur prend en charge AI dans son intégré Package Versa Sase qui inclut SD WAN, un pare-feu de nouvelle génération et d'application Web, la prévention des intrusions, le support zéro fiducie et la prévention de la perte de données. Pour lire cet article en entier, veuillez cliquer ici
Versa is bolstering the AI security management features of its integrated Secure Access Service Edge (SASE) package to include improved malware detection for Advanced Threat Protection, network microsegmention and generative AI protection to help customers better detect and quickly mitigate threats to their networked service and applications.The vendor supports AI in its integrated Versa SASE package that includes SD WAN, a next-generation and web application firewall, intrusion prevention, zero trust support and data loss prevention.To read this article in full, please click here |
Malware Tool Threat | ★★ | |
|
2023-08-23 10:00:00 | Défense de menace mobile ou buste Mobile threat defense or bust (lien direct) |
The case for unified endpoint management and mobile threat defense The evolution of endpoint management Unified endpoint management (UEM) has played a significant role over the years in enabling companies to improve the productivity and security of their corporate mobile devices and applications. In the early days of endpoint management there were separate workflows and products as it pertains to traditional endpoints, such as desktops and laptops, versus mobile devices. Over time, administrators grew frustrated with the number of tools they were required to learn and manage so developers moved toward an integrated solution where all endpoint devices, regardless of type, could be inventoried, managed, and have consistent policies applied through a single pane of glass. Today, UEMs allow IT administrators to be more productive by enabling them to set and enforce policies as to the type of data and applications an employee can access, providing the administrators with granular control and more effective security. These UEM platforms boast security features including the ability to identify jailbroken or rooted devices, enforcing passcodes, and enabling companies to wipe the data from mobile devices in the event they become lost or stolen. In general, UEMs have and continue to play an integral part in improving the management and productivity of business-critical mobile endpoints. Possible avenues for attack However, in today’s environment, companies are experiencing a significant rise in the number of sophisticated and targeted malware attacks whose goal is to capture their proprietary data. Only a few years ago, losing a mobile device meant forfeiture of content such as text messages, photographs, contacts, and calling information. Today’s smartphones have become increasingly sophisticated not only in their transactional capabilities but also represent a valuable target, storing a trove of sensitive corporate and personal data, and in many cases include financial information. If the phone stores usernames and passwords, it may allow a malicious actor to access and manipulate a user’s account via banking or e-commerce websites and apps. To give you a sense of the magnitude of the mobile security issues: The number of mobile users in enterprise environments clicking on more than six malicious links annually has jumped from 1.6% in 2020 to 11.8% in 2022 In 2021, banking trojan attacks on Android devices have increased by 80% In 2022, 80% of phishing attacks targeted mobile devices or were designed to function on both mobile devices and desktops In 2022, 43% of all compromised devices were fully exploited, not jailbroken or rooted-an increase of 187% YOY Attack vectors come in various forms, with the most common categorized below: Device-based threats – These threats are designed to exploit outdated operating systems, risky device configurations and jailbroken/rooted devices. App threats – Malicious apps can install malware, spyware or rootkits, or share information with the developer or third parties unbeknownst to the user, including highly sensitive business and personal data. Web and content threats – Threats may be transmitted | Malware Tool Vulnerability Threat | ★★★ | |
|
2023-08-22 10:00:00 | Tirer parti de l'AT & amp; T cybersecurity Consulting pour un robuste centre d'excellence de la fiducie zéro Leveraging AT&T Cybersecurity Consulting for a robust Zero Trust Center of Excellence (lien direct) |
As cybersecurity becomes increasingly complex, having a centralized team of experts driving continuous innovation and improvement in their Zero Trust journey is invaluable. A Zero Trust Center of Excellence (CoE) can serve as the hub of expertise, driving the organization\'s strategy in its focus area, standardizing best practices, fostering innovation, and providing training. It can also help organizations adapt to changes in the cybersecurity landscape, such as new regulations or technologies, ensuring they remain resilient and secure in the face of future challenges. The Zero Trust CoE also ensures that organization’s stay up-to-date with the latest security trends, technologies, and threats, while constantly applying and implementing the most effective security measures.
Zero Trust is a security concept that continues to evolve but is centered on the belief that organizations should not automatically trust anything inside or outside of their perimeters. Instead, organizations must verify and grant access to anything and everything trying to connect to their systems and data. This can be achieved through a unified strategy and approach by centralizing the organization\'s Zero Trust initiatives into a CoE. Below are some of the benefits realized through a Zero Trust CoE.
A critical aspect of managing a Zero Trust CoE effectively is the use of Key Performance Indicators (KPIs). KPIs are quantifiable measurements that reflect the performance of an organization in achieving its objectives. In the context of a Zero Trust CoE, KPIs can help measure the effectiveness of the organization\'s Zero Trust initiatives, providing valuable insights that can guide decision-making and strategy.
Creating a Zero Trust CoE involves identifying the key roles and responsibilities that will drive the organization\'s Zero Trust initiatives. This typically includes a leadership team, a Zero Trust architecture team, a engineering team, a policy and compliance team, an education and training team, and a research and development team. These teams will need to be organized to support the cross-functional collaboration necessary for enhancing productivity.
A Zero Trust CoE should be organized in a way that aligns with the organization\'s overall strategy and goals, while also ensuring effective collaboration and communication. AT&T Cybersecurity consultants can also provide valuable leadership and deep technical guidance for each of the teams. Below is an approach to structuring the different members of the CoE team:
Leadership team: This team is responsible for setting the strategic direction of the CoE. It typically includes senior executives and leaders from various departments, such as IT, security, and business operations.
Zero Trust architects: This individual or team is responsible for designing and implementing the Zero Trust architecture within the organization. They work closely with the leadership team to ensure that the architecture aligns with the organization\'s strategic goals.
Engineering team: This team is responsible for the technical implementation of the Zero Trust strategy. This includes network engineers, security analysts, and other IT professionals.
Policy and compliance team: This team is responsible for developing and enforcing policies related to Zero Trust. They also ensure that the organization follows compliance with relevant regulations and standards.
Education and training team: This team is responsible for educating and training staff members about Zero Trust principles and practices. They develop training materials, conduct works |
Tool Vulnerability | ★★★ | |
|
2023-08-21 19:15:08 | CVE-2023-4373 (lien direct) | Validation inadéquate des autorisations lors de l'utilisation d'outils distants et de macros dans les versions de Devolutions Remote Desktop Manager 2023.2.19 et permet un utilisateur antérieur à initier une connexion sans droits d'exécution appropriés via la fonction d'outils distants.
Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager versions 2023.2.19 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature. |
Tool | ||
 |
2023-08-21 16:30:00 | Des robots AI trompeurs répartissent les logiciels malveillants, soulèvent des problèmes de sécurité Deceptive AI Bots Spread Malware, Raise Security Concerns (lien direct) |
ESET a déclaré que Facebook a promu le téléchargement de ce qui semblait être l'outil Bard AI de Google \\
ESET said Facebook promoted the download of what seemed to be Google\'s Bard AI tool |
Tool | ★★ | |
|
2023-08-21 10:00:00 | Volatility Workbench: Empowering Memory Forensics Investigations (lien direct) | The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computer\'s volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs.
Volatility Workbench, a powerful tool built on the Volatility Framework, is specifically designed to simplify and enhance the process of memory forensics. This article explores the capabilities of Volatility Workbench, highlighting its importance in uncovering critical evidence and facilitating comprehensive memory analysis.
Understanding Volatility Framework:
Volatility Framework is a robust tool used for memory analysis. It operates through a command-line interface and offers a wide range of commands and plugins. It enables investigators to extract essential data from memory dumps - including running processes, network connections, and passwords. However, it requires technical expertise to utilize effectively.
Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Volatility framework can be downloaded here. The Volativity Foundation provides these tools.
Introducing Volatility Workbench:
Volatility Workbench is a user-friendly graphical interface built on the Volatility Framework. It simplifies memory analysis by providing a visual interface that is more accessible, even for users with limited command-line experience. With Volatility Workbench, investigators can perform memory analysis tasks without the need for extensive command-line knowledge. Volatility Workbench can be downloaded here.
One of the key advantages of Volatility Workbench is its user-friendly interface, designed to simplify the complex process of memory forensics. With its graphical interface, investigators can navigate through various analysis options and settings effortlessly. The tool presents information in a visually appealing manner - with graphs, charts, and timelines, making it easier to interpret and draw insights from extracted data.
The initial interface when the Volatility Workbench is started looks like this:
The Volatility Workbench offers options to browse and select memory dump files in formats such as *.bin, *.raw, *.dmp, and *.mem. Once a memory dump file is chosen, the next step is to select the platform or operating system that the system being analyzed is using.
Once the memory image file and platform is selected, click on Get Process List in Volatility Workbench.
It will begin memory scanning. After that, you can use the multiple option in the command tab by selecting a valid command. The description of the command will be available in the dia |
Malware Tool | ★★ | |
|
2023-08-21 08:30:00 | Cuba Ransomware Group vole les informations d'identification via Veeam Exploit Cuba Ransomware Group Steals Credentials Via Veeam Exploit (lien direct) |
Le gang russe exploite un ensemble complet d'outils d'attaque
Russian gang operates comprehensive set of attack tools |
Ransomware Tool | ★★ | |
 |
2023-08-19 07:00:00 | LFI Space Tool – Pour tester rapidement la présence de failles LFI sur vos applications web (lien direct) | LFI Space Tool est un outil " tout-en-un " conçu pour détecter les vulnérabilités d’inclusion de fichiers locaux (LFI) dans les applications web notamment grâce à des dorks LFI. L’outil permet de faciliter l’identification des failles de sécurité potentielles grâce à deux méthodes de repérage : la recherche de dorks Google et … Suite | Tool | ★★★★ | |
 |
2023-08-18 16:27:00 | La nouvelle variante de ransomware BlackCat adopte des outils avancés d'impacket et REMCOM New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools (lien direct) |
Microsoft a révélé jeudi qu'il avait trouvé une nouvelle version du ransomware BlackCat (aka alphv et noberus) qui incorpore des outils comme l'impacque et REMCom pour faciliter le mouvement latéral et l'exécution du code distant.
"L'outil d'impacket a des modules de dumping et de service à distance qui pourraient être utilisés pour un large déploiement du ransomware BlackCat dans des environnements cibles", la société \'s
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company\'s |
Ransomware Tool | ★★ | |
|
2023-08-18 10:00:00 | Implémentation en toute sécurité Active Directory sur Windows Server 2019 Securely implementing Active Directory on Windows Server 2019 (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company. Planning and design Start by carefully planning and designing. Analyze your organization\'s requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization\'s compliance standards and security guidelines. Installing Windows Server 2019 Install Windows Server 2019 on a dedicated system that satisfies the system minimums. Use the most recent Windows Server 2019 ISO and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot if it is supported in the BIOS/UEFI settings for hardware security. Choose the right deployment type Select the domain controller (DC) installation as the Active Directory deployment type. By doing this, you can be confident that your server is a dedicated domain controller overseeing your domain\'s directory services, authentication, and security policies. Install Active Directory Domain Services (AD DS) role Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller. Choose an appropriate Forest Functional Level (FFL) Select the highest Forest Functional Level (FFL) compatible with your domain controllers. This enables access to the most recent AD features and security upgrades. Examine the FFL specifications and confirm that every domain controller currently in use can support the selected level. Secure DNS configuration AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by: a. Using Active Directory Integrated Zones for DNS storage, enabling secure updates and zone replication through AD. b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing. c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data. d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging. Use strong authentication protocols Configure Active Directory to use strong authentication protocols such as Kerberos. To stop credential-based attacks, disable older, less secure protocols like NTLM and LM hashes. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication. Securing administrative accounts Safeguard administrative accounts by: a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently. b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft. c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only. d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed. | Tool Threat | ★★ | |
|
2023-08-17 19:56:00 | New Labrat Campaign exploite Gitlab Flaw for Cryptojacking and Proxyjacking Activities New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities (lien direct) |
Une nouvelle opération à motivation financière surnommée Labrat a été observée en armement une faille critique désormais réglée à Gitlab dans le cadre d'une campagne de cryptojacking et de proxyjacking.
"L'attaquant a utilisé des outils basés sur une signature non détectés, des outils de logiciels malveillants multiplateformes sophistiqués et furtifs, des outils de logiciels de commande et de contrôle (C2) qui ont contourné les pare-feu et les rootkits basés sur le noyau pour cacher leur présence", Sysdig
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig |
Tool | ★★ | |
|
2023-08-17 18:15:17 | CVE-2023-40165 (lien direct) | Rubygems.org est le service d'hébergement de Gem (Library) de Ruby Community \\.La validation des entrées insuffisante a permis aux acteurs malveillants de remplacer toute version de gemm téléchargée qui avait une plate-forme, un numéro de version ou un nom de gemm correspondant `/ - \ d /`, en remplaçant définitivement le téléchargement légitime dans le seau de stockage canonique et en déclenchant une purge CDN immédiatede sorte que le joyau malveillant soit servi immédiatement.Les mainteneurs ont vérifié tous les gemmes correspondant au modèle `/ - \ d /` et peuvent confirmer qu'aucun `.gem est inattendu.En conséquence, nous pensons que cette vulnérabilité n'a pas été exploitée.Le moyen le plus simple de s'assurer que les applications d'un utilisateur n'ont pas été exploitées par cette vulnérabilité est de vérifier que tous vos .Gems téléchargés ont une somme de contrôle qui correspond à la somme de contrôle enregistrée dans la base de données RubyGems.org.Le contributeur de Rubygems Maciej Mensfeld a écrit un outil pour vérifier automatiquement que tous les fichiers .gem téléchargés correspondent aux sommes de contrôle enregistrées dans la base de données Rubygems.org.Vous pouvez l'utiliser en fonctionnant: «Bundle Ajouter Bundler-Integrity» suivi par `Bundle Exec Bundler-Integrity».Ni cet outil ni quoi que ce soit d'autre ne peut prouver que vous n'étiez pas exploité, mais le peut aider votre enquête en comparant rapidement les sommes de contrôle de RubyGems API avec la somme de contrôle des fichiers sur votre disque.Le problème a été corrigé avec une validation d'entrée améliorée et les modifications sont en direct.Aucune action n'est requise de la partie de l'utilisateur.Il est conseillé aux utilisateurs de valider leurs joyaux locaux.
rubygems.org is the Ruby community\'s primary gem (library) hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-\d/`, permanently replacing the legitimate upload in the canonical gem storage bucket, and triggering an immediate CDN purge so that the malicious gem would be served immediately. The maintainers have checked all gems matching the `/-\d/` pattern and can confirm that no unexpected `.gem`s were found. As a result, we believe this vulnerability was _not_ exploited. The easiest way to ensure that a user\'s applications were not exploited by this vulnerability is to check that all of your downloaded .gems have a checksum that matches the checksum recorded in the RubyGems.org database. RubyGems contributor Maciej Mensfeld wrote a tool to automatically check that all downloaded .gem files match the checksums recorded in the RubyGems.org database. You can use it by running: `bundle add bundler-integrity` followed by `bundle exec bundler-integrity`. Neither this tool nor anything else can prove you were not exploited, but the can assist your investigation by quickly comparing RubyGems API-provided checksums with the checksums of files on your disk. The issue has been patched with improved input validation and the changes are live. No action is required on the part of the user. Users are advised to validate their local gems. |
Tool Vulnerability | ||
 |
2023-08-17 18:05:31 | Ce que vous devez savoir sur Cisco Unified Communications Manager SQL Injection Vulnérabilité (CVE-2023-20211) What You Need to Know About Cisco Unified Communications Manager SQL Injection Vulnerability (CVE-2023-20211) (lien direct) |
Dans le monde connecté d'aujourd'hui, des outils efficaces comme le Cisco Unified Communications Manager (Unified CM) et ...
In today’s connected world, efficient tools like the Cisco Unified Communications Manager (Unified CM) and... |
Tool Vulnerability | ★★★ | |
 |
2023-08-17 15:33:00 | \\ 'jouer \\' groupe de ransomware ciblant les MSP dans le monde entier dans une nouvelle campagne \\'Play\\' Ransomware Group Targeting MSPs Worldwide in New Campaign (lien direct) |
Les attaquants utilisent des outils de surveillance et de gestion à distance chez MSPS pour obtenir un accès sans entrave aux réseaux cibles.
Attackers use remote monitoring and management tools at MSPs to gain unfettered access to target networks. |
Ransomware Tool | ★★ | |
 |
2023-08-17 13:01:00 | Amélioration de la sécurité du code avec une AI générative: Utilisation de la correction de Veracode pour sécuriser le code généré par Chatgpt Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT (lien direct) |
L'intelligence artificielle (IA) et le codage compagnon peuvent aider les développeurs à écrire des logiciels plus rapidement que jamais.Cependant, alors que les entreprises cherchent à adopter un codage compagnon propulsé par l'IA, elles doivent être conscientes des forces et des limites des différentes approches & # 8211;en particulier en ce qui concerne la sécurité du code.
Regardez cette vidéo de 4 minutes pour voir un développeur générer du code non sécurisé avec ChatGpt, trouvez la faille avec une analyse statique et sécurisez-la avec Veracode Fix pour développer rapidement une fonction sans écrire de code.
La vidéo ci-dessus expose les nuances de la sécurité générative du code AI.Alors que les outils de codage compagnon généraliste comme ChatGpt Excel dans la création de code fonctionnel, la qualité et la sécurité du code sont souvent insuffisantes.Des solutions spécialisées comme le correctif Veracode construit pour exceller dans le code d'insécurité de remédiation apportent une compétence de sécurité vitale à une IA générative.En utilisant des outils généralistes et spécialisés en collaboration, les organisations peuvent permettre à leurs équipes d'accélérer le développement de logiciels qui rencontre fonctionnellement et…
Artificial Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches – especially regarding code security. Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix to quickly develop a function without writing any code. The video above exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of the code often falls short. Specialized solutions like Veracode Fix built to excel at remediation insecure code bring a vital security skillset to generative AI. By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development that meets functional and… |
Tool | ChatGPT ChatGPT | ★★ |
 |
2023-08-17 08:01:00 | Cuba Ransomware déploie de nouveaux outils: BlackBerry découvre des cibles, y compris le secteur des infrastructures critiques aux États-Unis et l'intégrateur informatique en Amérique latine Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America (lien direct) |
BlackBerry a découvert et documenté de nouveaux outils utilisés par le Cuba Ransomware Threat Group.La bonne nouvelle est que Blackberry protège contre les ransomwares de Cuba.
BlackBerry has discovered and documented new tools used by the Cuba ransomware threat group. The good news is that BlackBerry protects against Cuba ransomware. |
Ransomware Tool Threat | ★★ | |
 |
2023-08-16 21:14:00 | CISA, les experts mettent en garde contre les vulnérabilités Citrix exploitées par des pirates CISA, experts warn of Citrix vulnerabilities being exploited by hackers (lien direct) |
Des alarmes ont été soulevées sur plusieurs vulnérabilités affectant les produits de Citrix qui sont largement exploités par une variété d'acteurs de menace.Mercredi, l'Agence américaine de sécurité de la cybersécurité et de l'infrastructure a déclaré qu'une vulnérabilité affectant l'outil de collaboration de contenu Citrix avait été exploitée et a obligé aux agences civiles fédérales américaines [corriger le problème d'ici septembre
Alarms have been raised about several vulnerabilities affecting products from Citrix that are being exploited widely by a variety of threat actors. On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency said a vulnerability affecting the Citrix Content Collaboration tool had been exploited and mandated that U.S. federal civilian agencies [patch the issue by September |
Tool Vulnerability Threat | ★★ | |
|
2023-08-16 19:03:00 | CISA publie un plan pour les outils de surveillance à distance après l'exploitation des ransomwares à l'État-nation CISA publishes plan for remote monitoring tools after nation-state, ransomware exploitation (lien direct) |
Une collaboration entre l'agence de défense de Cybersecurity des États-Unis et les sociétés privées a publié mercredi son premier plan pour résoudre les problèmes de sécurité avec les outils de surveillance et de gestion à distance (RMM).Le logiciel RMM est généralement utilisé par les services informatiques de la plupart des grandes organisations du monde
A collaboration between the U.S.\'s cybersecurity defense agency and private companies published its first plan to address security issues with remote monitoring and management (RMM) tools on Wednesday. RMM software is typically used by the IT departments of most large organizations around the world as a way to get remote access to a computer to |
Ransomware Tool | ★★ | |
 |
2023-08-16 18:00:17 | Ransomware attaque la montée en flèche alors que l'IA génératrice devient un outil de marchandise dans l'arsenal de l'acteur de menace Ransomware Attacks Surge as Generative AI Becomes a Commodity Tool in the Threat Actor\\'s Arsenal (lien direct) |
|
Ransomware Tool Threat | ★★ | |
|
2023-08-16 16:29:00 | Google présente la première clé de sécurité FIDO2 résiliente quantique Google Introduces First Quantum Resilient FIDO2 Security Key (lien direct) |
Google a annoncé mardi la première mise en œuvre de la clé de sécurité FIDO2 résiliente quantique dans le cadre de son initiative OpenK Security Keys.
"Cette implémentation optimisée sur le matériel open source utilise un nouveau schéma de signature hybride ECC / Dilithium qui profite de la sécurité de l'ECC contre les attaques standard et la résilience de Dilithium \\ contre les attaques quantiques", Elie Bursztein et Fabian Kaczmarczyck
Google on Tuesday announced the first quantum resilient FIDO2 security key implementation as part of its OpenSK security keys initiative. "This open-source hardware optimized implementation uses a novel ECC/Dilithium hybrid signature schema that benefits from the security of ECC against standard attacks and Dilithium\'s resilience against quantum attacks," Elie Bursztein and Fabian Kaczmarczyck |
Tool General Information | ★★★ | |
|
2023-08-16 16:15:11 | CVE-2023-39250 (lien direct) | Les outils d'intégration de stockage Dell pour VMware (DSITV) 06.01.00.016 contiennent une vulnérabilité de divulgation d'informations.Un utilisateur malveillant local à faible privilégie pourrait potentiellement exploiter cette vulnérabilité pour récupérer une clé de chiffrement qui pourrait aider à d'autres attaques.
Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain an information disclosure vulnerability. A local low-privileged malicious user could potentially exploit this vulnerability to retrieve an encryption key that could aid in further attacks. |
Tool Vulnerability | ||
|
2023-08-16 11:00:00 | Proxynation: le lien sombre entre les applications proxy et les logiciels malveillants ProxyNation: The dark nexus between proxy apps and malware (lien direct) |
Executive summary
AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.
In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.
In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.
Key takeaways:
In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
The application is silently installed by malware on infected machines without user knowledge and interaction.
The proxy application is signed and has zero anti-virus detection.
The proxy is written in Go programming language and is spread by malware both on Windows and macOS.
Analysis
In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy - relying on users looking for interesting things, like cracked software and games.
The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1)
Figure 1. As on Virus Total: Proxy application – zero detections.
After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.
Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.
As shown in the figure 2 above, the malware uses specific Inno |
Malware Tool Threat Prediction | ★★ | |
|
2023-08-16 10:00:00 | Histoires du SOC - dévoiler les tactiques furtives du malware aukill Stories from the SOC - Unveiling the stealthy tactics of Aukill malware (lien direct) |
Executive summary
On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client\'s print server to disable the server\'s installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.
AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system\'s C:\Windows\System32\drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.
In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.
Investigating the first phase of the attack
Initial intrusion
The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.
Establishing a beachhead
After compromising the local administrator account, the attackers used the "\Users\Administrator\Music\aSentinel" folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous "Music" folder name helping to conceal their malicious activities.
AuKill malware has been found to operate using two Windows services named "aSentinel.exe" and "aSentinelX.exe" in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by utilizing corresponding Windows services like "aSophos.exe" and "aSophosX.exe".
Establishing persistence
We also discovered "aSentinel.exe" running from "C:\Windows\system32", indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the "\Users\Administrator\Music\aSentinel" direct |
Ransomware Malware Tool Threat Studies | ★★★★ | |
|
2023-08-15 19:41:00 | Monti Ransomware revient avec de nouvelles variantes Linux et des tactiques d'évasion améliorées Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics (lien direct) |
Les acteurs de la menace derrière le ransomware de Monti ont refait surface après une pause de deux mois avec une nouvelle version Linux de l'encrypteur dans ses attaques ciblant le gouvernement et les secteurs juridiques.
Monti a émergé en juin 2022, des semaines après que le groupe de ransomwares continu a fermé ses opérations, imitant délibérément les tactiques et les outils associés à ce dernier, y compris son code source divulgué.Pas plus.
The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore. |
Ransomware Tool Threat | ★★ | |
 |
2023-08-15 13:00:00 | Menace de chasse 101: comment dépasser les attaquants Threat hunting 101: How to outthink attackers (lien direct) |
> La chasse aux menaces implique la recherche de menaces et d'adversaires dans une infrastructure numérique de l'organisation que les outils de sécurité existants ne détectent pas.Il recherche de manière proactive des menaces dans l'environnement en supposant que l'adversaire est en train de compromettre l'environnement ou a compromis l'environnement.Les chasseurs de menaces peuvent avoir des objectifs et des mentalités différents tandis que [& # 8230;]
>Threat hunting involves looking for threats and adversaries in an organization’s digital infrastructure that existing security tools don’t detect. It is proactively looking for threats in the environment by assuming that the adversary is in the process of compromising the environment or has compromised the environment. Threat hunters can have different goals and mindsets while […] |
Tool Threat | ★★ | |
|
2023-08-15 10:00:00 | Pourquoi la sécurité de l'API est-elle la prochaine grande chose en cybersécurité? Why is API security the next big thing in Cybersecurity? (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. APIs, formally known as application programming interfaces, occupy a significant position in modern software development. They revolutionized how web applications work by facilitating applications, containers, and microservices to exchange data and information smoothly. Developers can link APIs with multiple software or other internal systems that help businesses to interact with their clients and make informed decisions. Despite the countless benefits, hackers can exploit vulnerabilities within the APIs to gain unauthorized access to sensitive data resulting in data breaches, financial losses, and reputational damage. Therefore, businesses need to understand the API security threat landscape and look out for the best ways to mitigate them. The urgent need to enhance API security APIs enable data exchanges among applications and systems and help in the seamless execution of complex tasks. But as the average number of APIs rises, organizations often overlook their vulnerabilities, making them a prime target of hackers. The State of API Security Q1 Report 2023 survey finding concluded that the attacks targeting APIs had increased 400% during the past six months. Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches like Twitter and Optus API breaches. Cybercriminals can exploit the vulnerabilities and launch various attacks like authentication attacks, distributed denial-of-service attacks (DDoS), and malware attacks. API security has emerged as a significant business issue as another report reveals that by 2023, API abuses will be the most frequent attack vector causing data breaches, and also, 50% of data theft incidents will happen due to insecure APIs. As a result, API security has. become a top priority for organizations to safeguard their data, which may cost businesses $75 billion annually. Why does API security still pose a threat in 2023? Securing APIs has always been a daunting task for most organizations, mainly because of the misconfigurations within APIs and the rise in cloud data breaches. As the security landscape evolved, API sprawl became the top reason that posed a threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams. As more APIs are created, they expanded the attack surface and emerged as an attractive target for hackers. The issue is that the APIs are not always designed by keeping security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data like personally identifiable information (PII) or other business data. API sprawl | Malware Tool Vulnerability Threat Cloud | Uber | ★★★ |
|
2023-08-14 21:15:13 | CVE-2023-39950 (lien direct) | EFibootGuard est un simple chargeur de démarrage UEFI avec prise en charge de la commutation en toute sécurité entre les ensembles de partition actuels et mis à jour.La validation et la désinfection insuffisantes ou manquantes de l'entrée des fichiers d'environnement de chargeur de démarrage indigne de la fiducie peuvent provoquer des accidents et probablement également des injections de code dans `BG_SETENV`) ou des programmes en utilisant` LIBEBGENV`.Ceci est déclenché lorsque les composants affectés tentent de modifier un environnement manipulé, en particulier ses variables utilisateur.En outre, `BG_PRINTENV` peut s'écraser sur des accès de lecture non valides ou signaler les résultats non valides.Le binaire EFI EFI Boot Guard \\ est pas affecté par ce problème.EFI Boot Guard Release V0.15 contient des correctifs requis pour désinfecter et valider l'environnement de chargeur de démarrage avant de le traiter dans Userspace.Sa bibliothèque et ses outils doivent être mis à jour, les programmes doivent donc être liés statiquement à celui-ci.Une mise à jour de l'exécutable Bootloader EFI n'est pas requise.La seule façon d'éviter le problème avec une version non corrigée EFI Boot Guard est d'éviter les accès aux variables de l'utilisateur, en particulier des modifications.
efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files can cause crashes and probably also code injections into `bg_setenv`) or programs using `libebgenv`. This is triggered when the affected components try to modify a manipulated environment, in particular its user variables. Furthermore, `bg_printenv` may crash over invalid read accesses or report invalid results. Not affected by this issue is EFI Boot Guard\'s bootloader EFI binary. EFI Boot Guard release v0.15 contains required patches to sanitize and validate the bootloader environment prior to processing it in userspace. Its library and tools should be updated, so should programs statically linked against it. An update of the bootloader EFI executable is not required. The only way to prevent the issue with an unpatched EFI Boot Guard version is to avoid accesses to user variables, specifically modifications to them. |
Tool | ||
|
2023-08-14 16:39:00 | La plupart des attaques DDOS liées au jeu, aux litiges commerciaux, au FBI et aux procureurs disent Most DDoS attacks tied to gaming, business disputes, FBI and prosecutors say (lien direct) |
Las Vegas & # 8211; La majorité des attaques de déni de service distribué (DDOS) sont lancées en réponse aux différends sur les affaires ou les jeux, selon des responsables fédéraux enquêtant sur les incidents.Les attaques DDOS se produisent lorsque quelqu'un rend un service ou un outil indisponible en le surchargeant avec des demandes.La grande majorité de la couverture médiatique des attaques DDOS ces dernières années
LAS VEGAS – The majority of distributed denial-of-service (DDoS) attacks are launched in response to disputes over business or gaming, according to federal officials investigating the incidents. DDoS attacks occur when someone makes a service or tool unavailable by overloading it with requests. The vast majority of media coverage of DDoS attacks in recent years |
Tool | ★★ | |
 |
2023-08-14 15:01:22 | La plate-forme OpenXDR stellar Cyber \\ est désormais disponible sur Oracle Cloud Infrastructure Stellar Cyber\\'s OpenXDR Platform Now Available On Oracle Cloud Infrastructure (lien direct) |
Silicon Valley-based cybersecurity company, Stellar Cyber, announced today that their OpenXDR platform is now accessible to those that use Oracle Cloud Infrastructure (OCI). Customers who have adopted the cloud and seek simpler and smarter solutions to improve their security can now purchase Stellar Cyberr\'s platform via the Oracle Cloud Marketplace, applying Oracle Universal Credits (OUCs) toward the purchase price. How does OpenXDR technology help businesses to better manage the security of their cloud structures, and what does this new partnership mean for Oracle Cloud users? Table Of ContentsCapabilities of Stellar Cyber\'s OpenXDR PlatformNow Available on Oracle Cloud InfrastructureThe Future of Cloud Security Capabilities of Stellar Cyber\'s OpenXDR Platform Stellar Cyber has developed Open Extended Detection and Response (OpenXDR) to facilitate security for both companies facing a large volume of attacks and overwhelmed security professionals. To achieve this, it unites the capabilities of several tools that are essential for security - many of which used to be incompatible. Some of the security solutions that are currently integrated into the platform are NextGen SIEM and Network Detection and Response (NDR). One of the key issues that the company has focused on since its beginning is the large quantity of data that is incoming from versatile incompatible security tools. Today, the issue of having to manage and make sense of large amounts of data is more emphasized than ever before. Why? Because organizations have added more security points to their systems - mostly to protect the new cloud technology that is now a regular part of their network. For instance, the data management solution integrated within OpenXDR can gather insights that are generated from versatile tools the platform supports. To make the reports more accurate and comprehensive, it can correlate the findings gathered from the tools it supports. As a result, the professionals retain visibility of ever-growing attack surfaces and get correct as well as actionable reports on the state of security in real-time. This helps them to react to sophisticated threats early - before they escalate into major security incidents. The tools that can be found under Stellar Cyber\'s umbrella platform are AI and machine-learning-powered. This means that they promptly and automatically mitigate well-known threats, but they continually learn about the company and use the findings to detect anomalies early. Also, they\'re available from a single dashboard since the platform unites the capabilities of versatile previously siloed solutions in one place. For those that already use Oracle Cloud, the new collaborations mean they\'ll now have the capabilities of the OpenXDR platform at their disposal as well. “Stellar Cyber is committed to providing the critical capabilities security teams need to deliver consistent security outcomes-all for a single license and price on a single platform,” said Jim O\'Hara, Chief Revenue Officer at Stellar Cyber. “This simple yet comprehensive model makes it easy for customers to measure how our Open XDR platform dramatically impacts their security ROI.” Now Available on Oracle Cloud Infrastructure Oracle Clou | Tool Threat Cloud | ★★ | |
|
2023-08-14 14:47:00 | Microsoft révèle des vulnérabilités graves dans le logiciel d'automatisation industrielle de codesys Microsoft reveals severe vulnerabilities in CODESYS industrial automation software (lien direct) |
Las Vegas & # 8211; Seize nouvelles vulnérabilités ont été découvertes par les chercheurs de Microsoft affectant les outils utilisés dans les opérations industrielles du monde entier.Le chercheur en sécurité Microsoft Vladimir Eliezer Tokarev a décrit les problèmes affectant CodeSys - un logiciel d'automatisation industriel largement utilisé - Pendant une présentation à la sécurité BlackHatConférence la semaine dernière et Microsoft [a également publié le sien
LAS VEGAS – Sixteen new vulnerabilities have been uncovered by Microsoft researchers affecting tools used in industrial operations around the world. Microsoft security researcher Vladimir Eliezer Tokarev outlined the issues affecting CODESYS - a widely-used industrial automation software - during a presentation at the BlackHat security conference last week, and Microsoft [also published its own |
Tool Vulnerability Industrial Conference | ★★ | |
 |
2023-08-14 14:30:00 | Indicateurs du scanner de compromis pour Citrix ADC Zero-Day (CVE-2023-3519) Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) (lien direct) |
mandiant a récemment publié un Article de blog sur le compromis de Citrix NetScaler Delivery Controller (ADC) et des appareils de passerelle NetScaler liés à la vulnérabilité du jour zéro suivi sous le nom de cve-2023-3519 .Le CVE-2023-3519 est une vulnérabilité zéro-jour qui peut permettre l'exécution du code distant, et a été observé exploité dans la nature par un acteur de menace cohérent avec une Chine-Nexus basée sur des capacités connues et une histoire de ciblage des ADC Citrix.Récemment, la preuve de concepts pour exploiter cette vulnérabilité a été publiquement posté .
Aujourd'hui, nous publions un outil pour aider
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and has been observed being exploited in the wild by a threat actor consistent with a China-nexus based on known capabilities and history of targeting Citrix ADCs. Recently, proof-of-concepts to exploit this vulnerability have been publicly posted. Today we are releasing a tool to help |
Tool Vulnerability Threat | ★★★ | |
|
2023-08-11 20:10:00 | Générateur d'alimentation en Afrique du Sud ciblée avec des logiciels malveillants Droxidat Southern African power generator targeted with DroxiDat malware (lien direct) |
Les chercheurs ont découvert une cyberattaque suspectée ciblant un générateur d'énergie en Afrique australe avec une nouvelle variante du malware SystemBC.L'attaque a été menée par un groupe de pirates inconnu en mars de cette année, selon un rapport de la société de cybersécurité SecureList .Les pirates ont utilisé un outil de frappe de cobalt et du droxidat - un
Researchers have uncovered a suspected cyberattack targeting a power generator in southern Africa with a new variant of the SystemBC malware. The attack was carried out by an unknown hacker group in March of this year, according to a report by cybersecurity firm Securelist. The hackers used a Cobalt Strike tool and DroxiDat - a |
Malware Tool | ★★★ | |
|
2023-08-11 10:00:00 | Image Steganography: dissiper les secrets dans les pixels Image steganography: Concealing secrets within pixels (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In the realm of information security and covert communication, image steganography serves as a powerful technique for hiding sensitive data within innocent-looking images. By embedding secret messages or files within the pixels of an image, steganography enables covert transmission without arousing suspicion. This article aims to delve into the world of image steganography, exploring its principles, techniques, and real-world applications.
Understanding image steganography
Image steganography is the practice of concealing information within the data of digital images without altering their visual appearance. The hidden data can include text, images, audio, or any other form of binary information.
Image steganography serves as a clandestine communication method, providing a means to transmit sensitive information without arousing the suspicion of adversaries or unauthorized individuals. It offers an additional layer of security and confidentiality in digital communication.
Steganography vs. Cryptography: While cryptography focuses on encrypting data to render it unreadable, steganography aims to hide the existence of the data itself, making it inconspicuous within an image. Steganography can be used in conjunction with encryption to further enhance the security of covert communication.
Techniques of image steganography
LSB substitution: The Least Significant Bit (LSB) substitution method involves replacing the least significant bits of pixel values with secret data. As the least significant bits have minimal impact on the visual appearance of the image, this technique allows for the hiding of information without noticeably altering the image.
Spatial domain techniques: Various spatial domain techniques involve modifying the pixel values directly to embed secret data. These techniques include modifying pixel intensities, color values, or rearranging pixels based on a predefined pattern.
Transform domain techniques: Transform domain techniques, such as Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT), manipulate the frequency domain representation of an image to embed secret data. This allows for the concealment of information within the frequency components of an image.
Spread spectrum techniques: Inspired by radio frequency communication, spread spectrum techniques spread the secret data across multiple pixels by slightly modifying their values. This method makes the hidden data more robust against detection and extraction attempts.
Adaptive steganography: Adaptive techniques dynamically adjust the embedding process based on the image content and local characteristics, making the hidden data even more resistant to detection. This approach enhances security and makes it harder for adversaries to identify stego images.
Let’s see a working example of image steganography using a free tool called OpenStego, the same can be downloaded from here. You will be required to have Java Runtime Environment for OpenStego to work on your system.
Once, you’ve installed OpenStego, you will see its interface as shown below:
It has multiple options including Hide Data and Extract Data - more about these options can be found at official documentation of the tool.
We need to have two files, Message File (Which will be hidden data or data we want to hide) and Cover File (The file which we will use as a cover to hide the message file.)
I have downloaded two image files for the same.
|
Tool | ★★★ | |
|
2023-08-11 03:15:31 | CVE-2023-31246 (lien direct) | Les autorisations par défaut incorrectes dans certains logiciels d'outils SDP Intel (R) avant la version 1.4 Build 5 peuvent permettre à un utilisateur authentifié d'activer potentiellement l'escalade de privilèges via l'accès local.
Incorrect default permissions in some Intel(R) SDP Tool software before version 1.4 build 5 may allow an authenticated user to potentially enable escalation of privilege via local access. |
Tool | ||
|
2023-08-11 03:15:27 | CVE-2023-28938 (lien direct) | La consommation de ressources non contrôlées dans certains logiciels Intel (R) SSD Tools avant la version MDADM-4.2-RC2 peut permettre à un utilisateur privilégié d'activer potentiellement le déni de service via un accès local.
Uncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a priviledged user to potentially enable denial of service via local access. |
Tool | ||
|
2023-08-11 03:15:25 | CVE-2023-28736 (lien direct) | Le débordement de tampon dans certains logiciels Intel (R) SSD Tools avant la version MDADM-4.2-RC2 peut permettre à un utilisateur privilégié d'activer potentiellement l'escalade des privilèges via l'accès local.
Buffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access. |
Tool | ||
|
2023-08-11 03:15:19 | CVE-2023-25944 (lien direct) | L'élément de chemin de recherche incontrôlé dans certains logiciels d'outils Intel (R) téléchargés avant le 3 février 2023 peut permettre à un utilisateur authentifié d'activer potentiellement l'escalade du privilège via l'accès local.
Uncontrolled search path element in some Intel(R) VCUST Tool software downloaded before February 3nd 2023 may allow an authenticated user to potentially enable escalation of privilege via local access. |
Tool | ||
|
2023-08-10 18:39:58 | Le rôle de l'AI \\ dans la cybersécurité: Black Hat USA 2023 révèle comment les grands modèles de langage façonnent l'avenir des attaques de phishing et de la défense AI\\'s Role in Cybersecurity: Black Hat USA 2023 Reveals How Large Language Models Are Shaping the Future of Phishing Attacks and Defense (lien direct) |
à Black Hat USA 2023, une session dirigée par une équipe de chercheurs en sécurité, dont Fredrik Heiding, Bruce Schneier, Arun Vishwanath et Jeremy Bernstein, ont dévoilé une expérience intrigante.Ils ont testé de grands modèles de langue (LLM) pour voir comment ils ont fonctionné à la fois dans l'écriture de courriels de phishing convaincants et les détecter.Ceci est le PDF document technique . L'expérience: l'élaboration des e-mails de phishing L'équipe a testé quatre LLM commerciaux, y compris le chatppt de l'Openai \\, Bard de Google \\, Claude \\ de Google et Chatllama, dans des attaques de phishing expérimentales contre les étudiants de Harvard.L'expérience a été conçue pour voir comment la technologie de l'IA pouvait produire des leurres de phishing efficaces. Heriding, chercheur à Harvard, a souligné qu'une telle technologie a déjà eu un impact sur le paysage des menaces en facilitant la création de courriels de phishing.Il a dit: "GPT a changé cela. Vous n'avez pas besoin d'être un orateur anglais natif, vous n'avez pas besoin de faire beaucoup. Vous pouvez entrer une invite rapide avec seulement quelques points de données." L'équipe a envoyé des e-mails de phishing offrant des cartes-cadeaux Starbucks à 112 étudiants, en comparant Chatgpt avec un modèle non AI appelé V-Triad.Les résultats ont montré que l'e-mail V-Triad était le plus efficace, avec un taux de clic de 70%, suivi d'une combinaison V-Triad-Chatgpt à 50%, Chatgpt à 30% et le groupe témoin à 20%. Cependant, dans une autre version du test, Chatgpt a fonctionné beaucoup mieux, avec un taux de clic de près de 50%, tandis que la combinaison V-Triad-Chatgpt a mené avec près de 80%.Heriding a souligné qu'un LLM non formé et à usage général a pu créer rapidement des attaques de phishing très efficaces. Utilisation de LLMS pour la détection de phishing La deuxième partie de l'expérience s'est concentrée sur l'efficacité des LLM pour déterminer l'intention des e-mails suspects.L'équipe a utilisé les e-mails de Starbucks de la première partie de l'expérience et a demandé aux LLM de déterminer l'intention, qu'elle ait été composée par un humain ou une IA, d'identifier tout aspect suspect et d'offrir des conseils sur la façon de répondre. Les résultats étaient à la fois surprenants et encourageants.Les modèles avaient des taux de réussite élevés dans l'identification des e-mails marketing, mais ont eu des difficultés avec l'intention des e-mails de phishing V-Triad et Chatgpt.Ils se sont mieux comportés lorsqu'ils sont chargés d'identifier le contenu suspect, les résultats de Claude \\ étant mis en évidence pour non seulement pour obtenir des résultats élevés dans les tests de détection mais aussi fournir des conseils judicieux pour les utilisateurs. La puissance de phishing de LLMS Dans l'ensemble, Heriding a conclu que les LLMS prêtesété formé sur toutes les données de sécurité.Il a déclaré: "C'est vraiment quelque chose que tout le monde peut utiliser en ce moment. C'est assez puissant." L'expér |
Tool Threat | ChatGPT ChatGPT | ★★ |
 |
2023-08-10 12:36:30 | DTX Europe 2023 (lien direct) | DTX rassemble des esprits créatifs, des experts techniques et les derniers outils nécessaires pour stimuler le changement et générer de la valeur dans les organisations d'aujourd'hui.«Votre maison de transformation numérique» couvrant le cloud, les réseaux et les infrastructures;données, analyses et IA;Génie logiciel et DevOps;et la cybersécurité, l'événement présente la technologie, les solutions et les stratégies essentielles pour faire avancer les projets numériques [& # 8230;]
DTX brings together creative minds, technical experts and the latest tools needed to drive change and generate value across today\'s organisations. “Your Home of Digital Transformation” Covering cloud, networks and infrastructure; data, analytics and AI; software engineering and DevOps; and cyber security, the event showcases the technology, solutions and strategies essential to advance digital projects […] |
Tool | ★★★ | |
 |
2023-08-10 12:01:36 | Rendre le chrome plus sécurisé en apportant une épingle clé sur Android Making Chrome more secure by bringing Key Pinning to Android (lien direct) |
Posted by David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez, Chrome Security
Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms. But what is key pinning anyway?
One of the reasons Chrome implements key pinning is the “rule of two”. This rule is part of Chrome\'s holistic secure development process. It says that when you are writing code for Chrome, you can pick no more than two of: code written in an unsafe language, processing untrustworthy inputs, and running without a sandbox. This blog post explains how key pinning and the rule of two are related.
The Rule of Two
Chrome is primarily written in the C and C++ languages, which are vulnerable to memory safety bugs. Mistakes with pointers in these languages can lead to memory being misinterpreted. Chrome invests in an ever-stronger multi-process architecture built on sandboxing and site isolation to help defend against memory safety problems. Android-specific features can be written in Java or Kotlin. These languages are memory-safe in the common case. Similarly, we\'re working on adding support to write Chrome code in Rust, which is also memory-safe.
Much of Chrome is sandboxed, but the sandbox still requires a core high-privilege “broker” process to coordinate communication and launch sandboxed processes. In Chrome, the broker is the browser process. The browser process is the source of truth that allows the rest of Chrome to be sandboxed and coordinates communication between the rest of the processes.
If an attacker is able to craft a malicious input to the browser process that exploits a bug and allows the attacker to achieve remote code execution (RCE) in the browser process, that would effectively give the attacker full control of the victim\'s Chrome browser and potentially the rest of the device. Conversely, if an attacker achieves RCE in a sandboxed process, such as a renderer, the attacker\'s capabilities are extremely limited. The attacker cannot reach outside of the sandbox unless they can additionally exploit the sandbox itself.
Without sandboxing, which limits the actions an attacker can take, and without memory safety, which removes the ability of a bug to disrupt the intended control flow of the program, the rule of two requires that the browser process does not handle untrustworthy inputs. The relative risks between sandboxed processes and the browser process are why the browser process is only allowed to parse trustworthy inputs and specific IPC messages.
Trustworthy inputs are defined extremely strictly: A “trustworthy source” means that Chrome can prove that the data comes from Google. Effectively, this means that in situations where the browser process needs access to data from e |
Tool | ★★ | |
|
2023-08-09 21:39:00 | DARPA lance un concours de deux ans pour construire des outils d'IA pour réparer les vulnérabilités DARPA Launches Two-Year Contest to Build AI Tools to Fix Vulnerabilities (lien direct) |
Un défi sera offert aux équipes pour créer des outils à l'aide de l'IA afin de résoudre les défis de vulnérabilité de l'Open Source.
A challenge will be offered to teams to build tools using AI in order to solve open source\'s vulnerability challenges. |
Tool Vulnerability | ★★ |
To see everything:
Our RSS (filtrered)
