What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-04-05 17:31:41 | Infosec control attributes paper completed (lien direct) |  Yesterday, I completed and published the white paper on information security control attributes. Today I drafted a set of comments on ISO/IEC JTC 1/SC 27's proposed Preliminary Work Item for ISO/IEC 27028, using content from the white paper to build a 'donor document' with fairly minor changes in accordance with ISO's rquired structure and format. It includes the following summary: "This document extends the concept of 'control attributes' introduced in ISO/IEC 27002:2022, discussing a wider variety of factors potentially worth bearing in mind when considering, selecting, designing, using and reviewing information security controls. Control attributes are a powerful and flexible tool for information security management purposes, a novel way to design, manage and improve an organisation's approach to mitigating unacceptable information risks, supplementing more traditional or conventional methods. The document includes pragmatic suggestions on how to make use of control attributes in the business context, with a worked example illustrating the approach." Once the comments are submitted, we must wait patiently to see how much of it (if any!) makes it through to the Working Draft, blended with inputs and comments from other committee members. Although it seems to take 'forever' to develop new standards, I'm hoping that the donor document will set the project off to a flying start.Meanwhile, I'm actively looking for opportunities for clients to start using control attributes as an integral part of their ISO27k information risk and security management activities - designing better, more relevant and meaningful security metrics for instance. If that or any other ideas in the paper catch your imagination, please comment below or email me (Gary@isect.com). I see a lot of potential business value in control attributes: how about you? |
Tool | ||
 |
2022-04-05 10:50:32 | GitHub now scans for secret leaks in developer workflows (lien direct) | The new tool aims to protect developers against API and token exposure. | Tool | ||
 |
2022-04-05 02:28:02 | Hackers Breach Mailchimp Email Marketing Firm to Launch Crypto Phishing Scams (lien direct) | Email marketing service Mailchimp on Monday revealed a data breach that resulted in the compromise of an internal tool to gain unauthorized access to customer accounts and stage phishing attacks. The development was first reported by Bleeping Computer. The company, which was acquired by financial software firm Intuit in September 2021, told the publication that it became aware of the incident | Data Breach Tool | ||
 |
2022-04-04 22:42:16 | Azure Synapse vs Snowflake: ETL tool comparison (lien direct) | Azure Synapse and Snowflake are both good ETL platforms, so how do you choose between them? See how their features stack up and which one is more suitable for your use cases. | Tool | ||
|
2022-04-04 15:46:16 | Easily manage your Google activity with this handy tool (lien direct) | Try this very useful tool to manage all your activity on Google and increase your privacy. Jack Wallen shows you how. | Tool | ||
 |
2022-04-04 00:00:00 | MITRE Engenuity ATT&CK Tests (lien direct) | Trend Micro Vision One achieved a protection score of 100% in this year's evaluation, proving once again that it is an invaluable tool that provides higher confidence detections for security operations teams.
|
Tool | ||
 |
2022-04-01 23:15:08 | CVE-2019-14839 (lien direct) | It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc. | Tool | ||
|
2022-03-31 19:08:37 | Qlik vs Tableau: BI tool comparison (lien direct) | Qlik Sense and Tableau are business intelligence tools that have a lot to offer. See the BI tools' features compare. | Tool | ||
|
2022-03-31 18:36:01 | Looker vs Tableau: BI tool comparison (lien direct) | Choosing the right BI tool for your needs requires thorough consideration of features and capabilities. See which of these two top-notch solutions, Looker and Tableau, might be a good fit for your organization. | Tool | ||
|
2022-03-31 17:09:23 | Asana vs Monday: Project management software comparison (lien direct) | Building tasks and projects in a project management software tool doesn't have to be difficult. Asana and monday.com are easy-to-use platforms with robust PM features. Compare them now. | Tool | ||
 |
2022-03-31 10:00:00 | The Need to Share (lien direct) | The Benefits of Sharing Threat Intelligence Inside and Outside Your Organization Welcome to this week’s blog. I hope you’re enjoying this series and what you’ve read so far if you’ve been following along. If you’re new, welcome as I dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number seven on our Top 10 List of the Challenges Cybersecurity Professionals Face is "Lack of ability to share threat intelligence cross-functionally." In an August blog, I wrote about President Biden’s Executive Order that sought to ensure that IT service providers share threat information about incidents with the federal government and collect and preserve data that could aid threat detection, investigation, and response. My comment was that before we share information as an industry, organizations need to break down their silos to share threat intelligence internally. It was not surprising to see this surface as one of the Top 10 Challenges organizations face. (I know, a clock is right twice a day, too, I’m taking the win here. Even if no one else is reading, I enjoy writing these.) Digital transformation has quickly expanded attack surfaces. Now more than ever, global organizations must balance a rapidly evolving cybersecurity threat landscape against business requirements. Threat information sharing is critical for security teams and organizations to protect themselves from cyber-attacks. The problem with sharing threat intelligence is that most organizations don’t know where to start. Enter Cyber Fusion Thirty years ago, military intelligence organizations developed the concept of cyber fusion, which combines HUMINT (human Intelligence) with COMINT (computer intelligence). They used the idea to collaborate with different intelligence communities and gain an in-depth understanding of the threat landscape. Cyber fusion is becoming increasingly popular in the cybersecurity industry, with organizations creating cyber fusion centers or using technologies like threat intelligence management or XDR (extended detection and response) solutions to eliminate silos, enhance threat visibility, and increase cyber resilience and collaboration between security teams. Cyber fusion offers a unified approach to cybersecurity by combining the intelligence from different teams into one cohesive picture. It also helps to integrate contextualized strategic, tactical, and operational threat intelligence for immediate threat prediction, detection, and analysis. How to Start Sharing Threat Intelligence Internally Cyber fusion takes a proactive approach to cybersecurity that helps organizations break down barriers and open communications across their entire organization to help them identify and address cyber risks before they become an issue. A cyber fusion approach helps foster collaboration among different departments within the company to focus on areas that ensure protection against relevant threats. By getting more people involved in keeping up with security issues and cyber incidents, organizations can ensure their investments and resources focus right where they need to be. Click on the image below to download our new ebook to learn more about how you can utilize cyber fusion to help break down silos within your organization. | Tool Threat Guideline | ||
|
2022-03-30 19:19:10 | How to benchmark a website with the Siege command-line tool (lien direct) | Need to stress-test your websites to see how well they're performing? Jack Wallen shows you how with the command-line Siege tool. | Tool | ||
|
2022-03-30 17:15:10 | CVE-2021-44310 (lien direct) | An issue was discovered in Firmware Analysis and Comparison Tool v3.2. With administrator privileges, the attacker could perform stored XSS attacks by inserting JavaScript and HTML code in user creation functionality. | Tool | ||
|
2022-03-30 17:15:10 | CVE-2021-44312 (lien direct) | An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page. | Tool | ||
|
2022-03-30 15:15:08 | CVE-2022-25619 (lien direct) | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86. | Tool Vulnerability | ||
|
2022-03-30 15:08:45 | How to install the Matomo web analytics platform on Ubuntu Server 20.04 (lien direct) | Website analysis is an important aspect of administration. If your company needs to track such data, there's an open-source tool for that very purpose. Jack Wallen shows you how to deploy Matomo. | Tool | ||
|
2022-03-30 09:40:44 | This new ransomware targets data visualization tool Jupyter Notebook (lien direct) | Misconfigured environments are the entry point for the ransomware strain. | Ransomware Tool | ||
|
2022-03-29 18:14:00 | Anomali Cyber Watch: North Korean APTs Used Chrome Zero-Day, Russian Energy Sector SCADA Targeting Unsealed, Lapsus$ Breached Microsoft - Finally Arrested, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Drive-by, ICS, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hive Ransomware Ports Its Linux VMware ESXi Encryptor to Rust
(published: March 27, 2022)
The Hive ransomware operators actively copy features first introduced in the BlackCat/ALPHV ransomware to make their ransomware samples more efficient and harder to reverse engineer. They have converted all their builds (targeting Windows, Linux, VMware ESXi) from Golang to the Rust programming language. They also moved from storing the victim's Tor negotiation page credentials in the encryptor executable to requiring the attacker to supply the user name and login password as a command-line argument when launching the malware.
Analyst Comment: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Hive, Ransomware, BlackCat, VMware ESXi, Rust, Tor
US Says Kaspersky Poses Unacceptable Risk to National Security
(updated: March 25, 2022)
On March 25, 2022, the US Federal Communications Commission (FCC) added three new entities to its Covered List: China Mobile International USA Inc., China Telecom (Americas) Corp, and AO Kaspersky Labs. The action is aimed to secure US networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests. Previously the FCC Covered List had five Chinese entities added in March 2021 including Huawei and ZTE. Kaspersky denied the allegations and stressed that the company “will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate.” Earlier the same day, HackerOne blocked Kaspersky from its bug bounty program.
Analyst Comment: It seems that the FCC decision does not directly affect private parties using Kaspersky antivirus and other security products. There is no public data showing directly that Kaspersky is currently involved in cyberespionage or some malware distribution activity, but such suspicions were raised in previous years. Direct connections of Kaspersky to Russia and its own Federal Security Services (FSB) makes it both a potential security risk and a reputation risk as the military conflict in Ukraine leads to new sanctions and increased cyber activity.
Tags: Russia, USA, China, Ukraine, Kaspersky, FCC, FSB, Huawei, ZTE, China Mobile, China Telecom
|
Ransomware Malware Tool Vulnerability Threat Guideline | ★★★★★ | |
|
2022-03-25 20:44:17 | Zoho Analytics vs. Qlik Sense: BI tool comparison (lien direct) | Business intelligence tools are vital to organizations seeking information to make sound decisions. This comparison of BI platforms Zoho Analytics and Qlik Sense will help you determine if either is the best choice for you. | Tool | ★★★ | |
|
2022-03-25 19:15:10 | CVE-2022-1049 (lien direct) | A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login. | Tool | ||
|
2022-03-25 18:15:22 | CVE-2022-24778 (lien direct) | The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user. | Tool | ||
|
2022-03-25 17:23:38 | SaaS startup aims to eliminate digital friction in remote transactions and reduce tool overload (lien direct) | Reach combines video chat, document collaboration and e-signature into one platform with no download required. | Tool | ||
|
2022-03-25 16:54:44 | LogRhythm vs. SolarWinds: SIEM tool comparison (lien direct) | In a world of escalating security threats, organizations need a solid platform to defend their critical assets. As you weigh your options, consider the features that LogRhythm and SolarWinds offer. | Tool | ||
|
2022-03-25 13:06:32 | How to use the Google Meet quality tool to solve conferencing problems (lien direct) | With the Meet quality tool, a Google Workspace administrator may help people in the organization troubleshoot conferencing challenges. | Tool | ||
|
2022-03-25 03:08:04 | IBM QRadar vs. LogRhythm: SIEM tool comparison (lien direct) | Organizations rely on security information and event management tools to detect, analyze and respond to security threats. Compare the features offered by two top SIEM platforms: IBM QRadar and LogRhythm. | Tool | ||
|
2022-03-24 22:25:58 | Focalboard is a kanban tool that anyone can use for better task management (lien direct) | If you're looking for a kanban board that's simple to install and use to help you get control over your mounting tasks, Jack Wallen believes Focalboard might be just the ticket. | Tool | ||
|
2022-03-24 17:57:19 | SolarWinds vs. Splunk: SIEM tool comparison (lien direct) | SIEM tools help IT pros get ahead of potential threats with features for monitoring, detecting, analyzing and responding to attacks. See what SolarWinds and Splunk have to offer your security team. | Tool | ||
|
2022-03-24 17:48:08 | Tableau vs. Databox: BI tool comparison (lien direct) | Organizations are turning data into actionable insights thanks to business intelligence platforms, but it's critical to select the right BI platform for the job. See how Tableau vs. Databox compare. | Tool | ||
|
2022-03-24 17:10:08 | Exabeam vs. Splunk: SIEM tool comparison (lien direct) | Security information and event management software has become increasingly essential for any modern business. See the similarities and differences of two top offerings: Exabeam and Splunk. | Tool | ||
 |
2022-03-24 00:00:00 | Penetration Testing with Azure Cloud Shell (lien direct) | Penetration Testing with Azure Cloud ShellAzure Cloud Shell is a useful tool for admins, but also makes for a great staging area for attackers. Azure Cloud Shell is a useful tool for admins, but also makes for a great staging area for attackers looking to get signature flagged tooling into a target environment without dealing with EDR solutions or Antivirus. | Tool | ||
|
2022-03-23 22:15:13 | CVE-2022-24768 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or `sync` and `override` access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges. A patch for this vulnerability has been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. Some mitigation measures are available but do not serve as a substitute for upgrading. To avoid privilege escalation, limit who has push access to Application source repositories or `sync` + `override` access to Applications; and limit which repositories are available in projects where users have `update` access to Applications. To avoid unauthorized resource inspection/tampering, limit who has `delete`, `get`, or `action` access to Applications. | Tool Vulnerability | Uber | |
|
2022-03-23 22:07:53 | Power BI vs. Tableau: Business intelligence tools comparison (lien direct) | Power BI and Tableau are business intelligence tools. Which top BI tool best fits your needs? We compare features and more. | Tool | ||
|
2022-03-23 21:50:11 | QRadar vs. Splunk: SIEM tool comparison (lien direct) | Choosing a SIEM platform for your organization requires a close look at how well various solutions deliver what you need. Learn about the relative merits of two solid options: IBM QRadar and Splunk. | Tool | ||
|
2022-03-23 21:15:08 | CVE-2022-24730 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `get` access for a repository containing a Helm chart can craft an API request to the `/api/v1/repositories/{repo_url}/appdetails` endpoint to leak the contents of out-of-bounds files from the repo-server. The malicious payload would reference an out-of-bounds file, and the contents of that file would be returned as part of the response. Contents from a non-YAML file may be returned as part of an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from other Applications' source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The patches prevent path traversal and limit access to users who either A) have been granted Application `create` privileges or B) have been granted Application `get` privileges and are requesting details for a `repo_url` that has already been used for the given Application. There are currently no known workarounds. | Tool Vulnerability | Uber | |
|
2022-03-23 21:15:08 | CVE-2022-24731 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been granted `create` or `update` access to Applications can leak the contents of any text file on the repo-server. By crafting a malicious Helm chart and using it in an Application, the attacker can retrieve the sensitive file's contents either as part of the generated manifests or in an error message. The attacker would have to know or guess the location of the target file. Sensitive files which could be leaked include files from another Application's source repositories or any secrets which have been mounted as files on the repo-server. This vulnerability is patched in Argo CD versions 2.1.11, 2.2.6, and 2.3.0. The problem can be mitigated by avoiding storing secrets in git, avoiding mounting secrets as files on the repo-server, avoiding decrypting secrets into files on the repo-server, and carefully limiting who can `create` or `update` Applications. | Tool Vulnerability | Uber | |
|
2022-03-23 20:15:08 | CVE-2021-27428 (lien direct) | GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. | Tool | ||
|
2022-03-23 19:13:59 | How to deploy the Redash data visualization dashboard with the help of Docker (lien direct) | Jack Wallen shows you how easily you can deploy the powerful data visualization tool Redash as a Docker container. | Tool | ||
 |
2022-03-23 00:26:45 | Joint CyberSecurity Advisory Alert on AvosLocker Ransomware (lien direct) | FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world. Why is this Significant?This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.What is AvosLocker?AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them. AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.How Widespread is AvosLocker Ransomware?The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".What Vulnerabilities are Exploited by AvosLocker?The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.What Tools is AvosLocker Known to Utilize?The advisory references the following tools:Cobalt StrikeEncoded PowerShell scriptsPuTTY Secure Copy client tool "pscp.exe"RcloneAnyDeskScannerAdvanced IP ScannerWinLister What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:W32/Cryptor.OHU!tr.ransomW32/Filecoder.OHU!tr.ransomELF/Encoder.A811!tr.ransomLinux/Filecoder_AvosLocker.A!trPossibleThreatFortiGuard Labs provides the following AV coverage against ProxyShell:MSIL/proxyshell.A!trMSIL/proxyshell.B!trFortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privil | Ransomware Malware Tool Vulnerability Threat Patching | ★★ | |
|
2022-03-22 21:41:49 | LogRhythm vs. Splunk: SIEM tool comparison (lien direct) | LogRhythm and Splunk are security information and event management solutions with many similarities. Check out this features comparison of LogRhythm and Splunk to help you decide between these SIEM tools. | Tool | ||
|
2022-03-22 21:00:40 | 5 kanban boards to help you better manage big projects (lien direct) | A kanban board is an excellent visualization project management tool that makes it easier to track progress and collaborate. These five kanban board options are ideal to use when managing large projects. | Tool | ||
|
2022-03-22 17:05:52 | How to take screenshots in Windows 11 with the Snipping Tool (lien direct) | Here's how to capture, edit and save screenshots in Windows 11 using the Snipping Tool, which is a lot simpler than you think. | Tool | ||
|
2022-03-22 16:58:00 | Anomali Cyber Watch: Russia Targets Ukraine with New Malware, Targeted Phishing Campaigns Give Way to Wizard Spider, Certificates Stolen by Lapsus$ Are Being Abused, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Code signing, Naver, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Double Header: IsaacWiper and CaddyWiper
(published: March 18, 2022)
Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation.
Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485
Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations
(published: March 18, 2022)
The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module.
Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] User Execution - T1204
Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Exposing Initial Access Broker with Ties to Co |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
|
2022-03-21 15:15:07 | CVE-2020-24772 (lien direct) | In Dreamacro 1.1.0, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | Tool | ||
 |
2022-03-19 10:51:07 | Emsisoft releases free decryptor for the victims of the Diavol ransomware (lien direct) | Cybersecurity firm Emsisoft released a free decryptor that allows the victims of the Diavol ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. In January, the FBI officially linked the Diavol ransomware operation to the infamous TrickBot […] | Ransomware Tool | ||
|
2022-03-18 12:00:05 | How to keep one window always on top with Microsoft PowerToys (lien direct) | A PowerToys tool known as Always on Top will keep any specific window visible when you're juggling multiple windows. | Tool | ||
|
2022-03-18 06:32:57 | (Déjà vu) Microsoft releases open-source tool for checking MikroTik Routers compromise (lien direct) | Microsoft released an open-source tool to secure MikroTik routers and check for indicators of compromise for Trickbot malware infections. Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections. “This analysis has enabled us to develop a […] | Malware Tool | ||
|
2022-03-17 18:07:18 | LokiLocker Ransomware with Built-in Wiper Functionality (lien direct) | FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC's are blocked by the FortiGuard WebFiltering client. | Ransomware Malware Tool | ||
|
2022-03-17 17:38:52 | Zabbix vs. Paessler PRTG network monitoring (lien direct) | When considering a network monitoring tool for your IT infrastructure, Zabbix and Paessler PRTG are two prominent options, and we'll explore which one is right for your needs. | Tool | ||
 |
2022-03-17 16:48:08 | Microsoft Releases Open Source Tool for Securing MikroTik Routers (lien direct) | Microsoft this week released an open source tool that can be used to secure MikroTik routers and check for signs of abuse associated with the Trickbot malware. | Tool | ||
|
2022-03-16 16:02:02 | How to install one of the best system monitors for the Linux desktop (lien direct) | Looking for the last, best system monitor you could ever imagine for the Linux desktop? Jack Wallen is certain he's found that tool in System Monitoring Center. | Tool |
To see everything:
Our RSS (filtrered)
