What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-01-29 09:48:52 | Experts Insight On New Cybercrime Tool Can Build Phishing Pages In Real-Time (lien direct) | A cybercrime group has developed a novel phishing toolkit that changes logos and text on a phishing page in real-time. The tool is named “LogoKit” is tracked by RiskIQ beleived… | Tool | ★★★★★ | |
 |
2021-01-29 00:33:49 | Fight against digital raids thanks to OSINT (lien direct) | Tags: OSINTviolenceharassmentThe following lines are the result of collaborative work, under the leadership of Justin Seitz. There are many of us working together, including Heartbroken and Nanardon.
OSINT is an acronym for Open Source Intelligence. It's a set of investigative techniques, allowing information to be retrieved from so-called open sources. Used by journalists, by police or in cybersecurity, OSINT can help to find information but it can also be used to protect yourself from malicious people. Violences against people, especially against women increased and diversified. Harassment, raids, doxxing, revenge porn by video or by pictures, identity theft or school harassment, etc. How to react? How to prevent them? Our goal is to give you simple resources, without the needs for special knowledge. It doesn't substitute support groups, law enforcement, health professionals or lawyers. We trust you. You are not responsible. Facts and situations we will use to illustrate ours kits are criminally and civilly repressed. You are not alone. The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available in this article are for general informational purposes only. Furthermore this article was written mainly in regards to French and European laws. Readers should consult their local laws and contact an attorney to obtain advice with respect to any particular legal matter. In recent years, there has been an increase in so-called digital raids. At the instigation of one or more people, usually from a public forum or discussion group, on Telegram, Signal, WhatsApp or Discord, individuals insult another person in a pack on a social network. The goal is to publicly harass and humiliate a person. In most countries, harassment, including digital harassment, is criminally and civilly reprehensible. Recording and archiving What to do if you are the victim of a digital raid? We adapt the answer according to the social network. The common element consists in archiving all received messages. For this, you can use a very handy browser extension: Fireshot. Available for Chrome as well as for Firefox, this tool allows you to save a web page, in image or PDF format. Go to your mentions or notifications or to the page that happens to be the target of offensive or hateful content and take screenshots of all the elements. Make sure that the current time and date appears.  Another tool can help you to archive messages: Single File. It is also an extension for |
Tool Guideline | ||
 |
2021-01-28 15:59:38 | TeamTNT group adds new detection evasion tool to its Linux miner (lien direct) | The TeamTNT cybercrime group has improved its Linux cryptocurrency miner by implementing open-source detection evasion capabilities. The TeamTNT cybercrime group has upgraded their Linux cryptocurrency miner by adding open-source detection evasion capabilities, AT&T Alien Labs researchers warn. Early this year, researchers from Trend Micro discovered that the TeamTNT botnet was improved with the ability to steal Docker […] | Tool | ||
 |
2021-01-28 10:57:02 | New toolkit can build phishing pages in real-time (lien direct) | A new phishing tool kit has been developed by a cybercrime group which allows criminals to change text and logos in real-time on phishing pages in order to adapt to victims. The kit is called LogoKit, and according to it RiskIQ is has already been seen in use online. RiskIQ has said that the toolkit […] | Tool | ★★ | |
 |
2021-01-28 05:45:03 | New cybercrime tool can build phishing pages in real-time (lien direct) | The new LogoKit phishing kit has already been spotted on more than 700 unique domains over the past month. | Tool | ||
 |
2021-01-27 21:43:22 | TeamTNT Cloaks Malware With Open-Source Tool (lien direct) | The detection-evasion tool, libprocesshider, hides TeamTNT's malware from process-information programs. | Malware Tool | ||
 |
2021-01-27 14:00:00 | How is Enterprise Security Like Writing a Novel? (lien direct) | Pen, paper and ink alone do not make a novel. In the same way, anti-malware, firewalls and SIEM tools alone do not make an enterprise secure. Too many organizations think that buying lots of security solutions and deploying them will make them secure. However, just having a security tool running does not make an enterprise […] | Tool | ||
 |
2021-01-27 11:00:00 | TeamTNT delivers malware with new detection evasion tool (lien direct) |
Executive Summary
AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories.
The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders.
Background
AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in GOlang. Since then, TeamTNT has added another tool to their list of capabilities.
Analysis
The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique.
The tool, named libprocesshider, is an open source tool from 2014 located on Github, described as "hide a process under Linux using the ld preloader.'' Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature of one located in the system libraries, the custom version will override it.
The tool implements the function readdir() which is being used by processes such as `ps` to read the /proc directory to find running processes and to modify the return value in case there is a match between the processes found and the process needed to hide.
The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1):
Figure 1. base64 encoded script, via Alien Labs analysis.
Upon binary execution, the bash script will run through a multitude of tasks. Specifically, the script will:
Modify the network DNS configuration.
Set persistence through systemd.
Drop and activate the new tool as service.
Download the latest IRC bot configuration.
Clear evidence of activities to complicate potential defender actions.
After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2):
Figure 2. Decoded bash script, via Alien Labs analysis.
The new tool is first dropped as a hidden tar file on disk, the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then adds it preload via '/etc/ld.so.preload'. This will be used by the system to preload the file before other system libraries, allowing the attacker to override some common functions (figure 3/4).
Figure 3/4. bash script features, via Alien Labs analysis.
The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can s |
Malware Tool Threat | ||
 |
2021-01-27 10:16:09 | Linux malware uses open-source tool to evade detection (lien direct) | AT&T Alien Labs security researchers have discovered that the TeamTNT cybercrime group upgraded their Linux crypto-mining with open-source detection evasion capabilities. [...] | Malware Tool | ★★★ | |
 |
2021-01-27 09:51:40 | TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop), (Wed, Jan 27th) (lien direct) | If you're a regular reader of our Diaries, you may remember that over the last year and a half, a not insignificant portion of my posts has been devoted to discussing some of the trends in internet-connected systems. We looked at changes in the number of internet-facing machines affected by BlueKeep[1], SMBGhost[2], Shitrix[3] and several other vulnerabilities [4] as well as at the changes in TLS 1.3 support over time[5] and several other areas [6,7]. Today, we're going to take a look at the tool, that I've used to gather data, on which the Diaries were based, from Shodan.io. | Tool | ||
|
2021-01-26 13:00:00 | TrickBot\'s Survival Instinct Prevails - What\'s Different About the TrickBoot Version? (lien direct) | October 2020 saw the TrickBot Trojan, a prominent cybercrime gang’s tool of choice, suffer a takedown attempt by security vendors and law enforcement. Unfortunately, the takedown was not effective, and beyond coming back to life shortly after, TrickBot’s operators released a new and more persistent version of the malware. In this post, IBM Trusteer examines […] | Tool | ||
 |
2021-01-26 11:37:41 | Which AppSec Testing Type Should You Deploy First? (lien direct) |  The gold standard for creating an application security (AppSec) program is ??? and always will be ??? to follow best practices. By following preestablished and proven methods, you can ensure that you are maximizing the benefits of your AppSec program.
Unfortunately, time, budget, culture, expertise, and executive buy-in often restrict organizations from following best practices. But that doesn???t mean that you can???t create an impactful AppSec program. You should aim to follow best practices but ??? when you can???t ??? there are practical first steps you can take to position your program for future improvements.
Ideally, you should be using every testing type ??? static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing.
Each AppSec test has its own strengths and weaknesses, with no one tool able to do it all. If you choose not to employ a specific test, you could be leaving your application vulnerable. For example, if you don???t employ software composition analysis, you may miss vulnerabilities in your third-party code. And if you don???t employ dynamic analysis, you could miss configuration errors. But by using all of the testing types together, you can drive down risk across the entire application lifetime from development to testing to production.
If you don???t have the funds or support to employ every AppSec testing type, you should always begin with the test(s) that will have the most impact, in the shortest amount of time, for the least amount of money. This will depend on factors like your release cadence, risk tolerance, and budget.
For organizations releasing software less than four times a year, manual AppSec scans will probably suffice. But if you release software daily or weekly ??? likely in a CI/CD fashion ??? you will need to automate your AppSec scans with each code commit.
You also need to consider the speed of different scan types. Static analysis can provide immediate feedback with each commit. Penetration tests, on the other hand, are much slower because they rely on a human pen-tester to review the code.
But speed isn???t the only concern. You also need to consider the risk of your applications. An application housing sensitive data ??? like banking information ??? needs to undergo more in-depth AppSec tests than a lower-risk application. In-depth AppSec tests, like penetration testing, may take longer but they are critical in preventing cyberattacks. It really comes down to weighing the risk vs. time to market. In some instances, it may be okay to release software with low- or medium-severity risks. But for high-severity risks, you should break the build until the vulnerability is remediated.
Budget is also a major factor. Penetration tests are considerably more expensive than other testing types. So, if you???re on a tight budget, frequent pen tests may not be feasible. You might be better off pen-testing on an annual or bi-annual basis.
Once you???ve successfully implemented the AppSec testing type(s) that provides the most value to your organization, it???s time to start making the case for additional scans. As always, consider your budget, risk tolerance, and technology when adding to your AppSec mix.ツ?
To learn more about AppSec best practices and practical first steps, check out our guide, Application Security Best Practices vs. Practicalities: What to Strive for and Where to Start, and keep an eye out for our upcomin |
Tool Vulnerability | ||
 |
2021-01-25 11:31:02 | Microsoft: Our free tool helps to improve your websites (lien direct) | Microsoft Clarity is a specialist tool that brings user experience analysis to the desktop with just a few clicks. | Tool | ||
 |
2021-01-24 17:08:14 | Comprehensive Guide on Dirsearch (lien direct) | In this article, we will learn how we can use Dirsearch. It is a simple command-line tool designed to brute force directories and files in websites. Which is a Python-based command-line website directory scanner designed to brute force site structure including directories and files. Table of Content Introduction to Dirsearch | Tool | ||
|
2021-01-24 15:05:15 | Video: Doc & RTF Malicious Document, (Sun, Jan 24th) (lien direct) | I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files. | Tool | ||
|
2021-01-22 12:17:49 | The new Microsoft Edge browser will warn you if your password has been leaked online (lien direct) | The new Edge 88 browser includes tough new security features, including a password generator and a tool for monitoring whether your login details have been exposed to the dark web. | Tool | ||
|
2021-01-21 22:32:00 | How to edit a CentOS network connection from the command line (lien direct) | If you're struggling to edit your CentOS network connections from the command line, Jack Wallen shows you a tool that will ease that struggle. | Tool | ||
|
2021-01-21 20:02:55 | New smart hospital platform could be the digital transformation tool healthcare needs (lien direct) | Zyter Smart Hospitals software promises to combine disparate systems, IoT devices, apps, and sensors into one big network of efficient, streamlined care. | Tool | ||
 |
2021-01-21 14:08:16 | SolarWinds Attacks Highlight Importance of Operation-Centric Approach (lien direct) |
We're still learning the full extent of the SolarWinds supply chain attacks. On January 11, for instance, researchers published a technical breakdown of a malicious tool detected as SUNSPOT that was employed as part of the infection chain involving the IT management software provider's Orion platform. |
Tool | Solardwinds Solardwinds | |
 |
2021-01-21 12:00:00 | How One Rabbi Uses Roleplaying Games to Build Community (lien direct) | Spirituality is only one tool in this community leader's toolkit for bringing people closer together. Character sheets are another. | Tool Guideline | ||
 |
2021-01-20 20:15:15 | CVE-2021-1264 (lien direct) | A vulnerability in the Command Runner tool of Cisco DNA Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation by the Command Runner tool. An attacker could exploit this vulnerability by providing crafted input during command execution or via a crafted command runner API call. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center. | Tool Vulnerability | ||
|
2021-01-20 13:01:02 | FireEye releases an auditing tool to detect SolarWinds hackers\' activity (lien direct) | Cybersecurity firm FireEye has released a report that sheds the light on the SolarWinds attack and the way hackers breached its networks. Cybersecurity firm FireEye has released a report that sheds the light on the SolarWinds attack and the way hackers breached its networks. The experts explained how the UNC2452 and other threat actors breached […] | Tool Threat | ★★★★★ | |
 |
2021-01-19 19:04:57 | FireEye Releases New Open Source Tool in Response to SolarWinds Hack (lien direct) | FireEye Mandiant on Tuesday announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the name currently assigned by the cybersecurity firm to the threat group that attacked IT management company SolarWinds. | Hack Tool Threat | ||
|
2021-01-19 17:15:12 | CVE-2020-35929 (lien direct) | In TinyCheck before commits 9fd360d and ea53de8, the installation script of the tool contained hard-coded credentials to the backend part of the tool. This information could be used by an attacker for unauthorized access to remote data. | Tool | ★★ | |
|
2021-01-19 14:09:38 | SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader (lien direct) | The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool that researchers call Raindrop and was used for distribution across computers on the victim network. [...] | Tool | Solardwinds | |
|
2021-01-19 14:00:04 | FireEye releases tool for auditing networks for techniques used by SolarWinds hackers (lien direct) | New Azure AD Investigator is now available via GitHub. | Tool | ||
|
2021-01-17 11:53:58 | New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th) (lien direct) | Version 13.01 of Sysmon was released, a Windows Sysinternals tool to monitor and log system activity. | Tool | ||
|
2021-01-16 14:14:01 | Siemens fixed tens of flaws in Siemens Digital Industries Software products (lien direct) | Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution. Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software which provides product lifecycle management (PLM) solutions. The vulnerabilities affect Siemens JT2Go, a 3D viewing tool for JT data (ISO-standardized 3D data format) and […] | Tool | ||
 |
2021-01-14 21:28:41 | Craft brewers now have a new tool for sniffing out trace flavor compounds (lien direct) | Thiols impart a pleasant fruity aroma, but they can be difficult to track and measure. | Tool | ★★★★★ | |
|
2021-01-14 15:48:27 | How to install the Hestia Control Panel for an Apache/NGINX PHP-FPM web-based config tool (lien direct) | Hestia is a web-based GUI for configuring NGINX, Apache, and PHP-FPM. Jack Wallen shows you how to get this up and running on Ubuntu Server 20.04. | Tool | ||
|
2021-01-12 17:44:59 | Install Virtualmin on Ubuntu 20.04 for a cPanel/CentOS-like web hosting control panel (lien direct) | If you're looking for a cPanel/CentOS replacement, Jack Wallen thinks Virtualmin might do the job. He'll show you what the tool has to offer and how to install it on Ubuntu Server. | Tool | ||
|
2021-01-12 08:38:14 | (Déjà vu) Bitdefender releases free decrypter for Darkside ransomware (lien direct) | Security firm Bitdefender released a tool that allows victims of the Darkside ransomware to recover their files without paying the ransom. Good news for the victims of the Darkside ransomware, they could recover their files for free using a tool that was released by the security firm Bitdefender. The decrypter seems to work for all […] | Ransomware Tool | ★★★★ | |
|
2021-01-11 23:00:00 | What is STRIDE and How Does It Anticipate Cyberattacks? (lien direct) | STRIDE threat modeling is an important tool in a security expert’s arsenal. Threat modeling provides security teams with a practical framework for dealing with a threat. For example, the STRIDE model offers a proven methodology of next steps. It can suggest what defenses to include, the likely attacker’s profile, likely attack vectors and the assets […] | Tool Threat | ||
 |
2021-01-11 22:29:57 | Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor (lien direct) | As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform.
Called "Sunspot," the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop.
"This |
Malware Tool Mobile | Solardwinds Solardwinds | |
|
2021-01-11 18:47:09 | Decryptor Released for Ransomware That Allegedly Helped Cybercriminals Make Millions (lien direct) | Bitdefender on Monday announced the availability of a free tool that organizations can use to recover files encrypted by DarkSide, a piece of ransomware that cybercriminals claim helped them make millions. | Ransomware Tool | ||
|
2021-01-11 15:52:48 | Free decrypter released for victims of Darkside ransomware (lien direct) | A new tool released today by Romanian security firm Bitdefender allows victims of the Darkside ransomware to recover their files without paying the ransom demand. | Ransomware Tool | ||
|
2021-01-11 14:58:51 | Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th) (lien direct) | Now with a firm approach to or putting an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/ and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Playing+with+Code+Part+2+of+3/26964/), for any client I typically create 4 inventories: | Tool | ||
|
2021-01-08 12:00:00 | The DC Mobs Could Become a Mythologized Recruitment Tool (lien direct) | Wednesday's riot in Washington was the result of conspiracy theories, anti-government sentiment, and online extremism-and it could start a movement. | Tool | ||
|
2021-01-08 09:48:08 | Ezuri memory loader used in Linux and Windows malware (lien direct) | Multiple threat actors have recently started using the Ezuri memory loader as a loader to executes malware directly into the victims’ memory. According to researchers from AT&T's Alien Labs, malware authors are choosing the Ezuri memory loader for their malicious codes. The Ezuri memory loader tool allows to load and execute a payload directly into […] | Malware Tool Threat | ||
|
2021-01-08 01:54:44 | ALERT: North Korean hackers targeting South Korea with RokRat Trojan (lien direct) | A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
"The |
Tool Cloud | APT 37 | |
|
2021-01-07 15:41:12 | Windows PsExec zero-day vulnerability gets a free micropatch (lien direct) | A free micropatch fixing a local privilege escalation (LPE) vulnerability in Microsoft's Windows PsExec management tool is now available through the 0patch platform. [...] | Tool Vulnerability | ||
|
2021-01-07 11:00:00 | Malware using new Ezuri memory loader (lien direct) |
This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs
Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.
The loader decrypts the malicious malware and executes it using memfd create (as described in this blog in 2018). When creating a process, the system returns a file descriptor to an anonymous file in '/proc/PID/fd/' which is visible only in the filesystem.
Figure 1 shows a code snippet from the loader, containing the information it uses in order to decrypt the payload using the AES algorithm.
Figure 1. Loader code snippet via Alien Labs analysis.
The loader, written in Golang, is taken from the "Ezuri" code on GitHub via the user guitmz. This user originally created the ELF loader around March 2019, when he wrote a blog about the technique to run ELF executables from memory and shared the loader on his github. Additionally, a similar user ‘TMZ’ (presumably associated with the previously mentioned ‘guitmz’) posted this same code in late August, on a small forum where malware samples are shared.
The guitmz user even ran tests against VirusTotal to prove the efficiency of the code, uploading a detected Linux.Cephei sample (35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18) with 30/61 AV detections in VirusTotal, compared to the zero AV detections by the same sample hidden with the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).
|
Malware Tool Threat | ||
|
2021-01-06 19:08:48 | How to view stats on your Linux servers with Saidar (lien direct) | Jack Wallen introduces you to a tool that can help you view system statistics and resource usage on your Linux servers. | Tool | ★★ | |
 |
2021-01-06 16:58:00 | ElectroRAT Drains Crypto Wallets (lien direct) | Attacker creates fake companies and new remote access tool to steal cryptocurrency in year-long campaign | Tool | ||
|
2021-01-06 15:56:20 | Microsoft makes the Windows 10 File Recovery tool easier to use (lien direct) | Microsoft released today a new simplified version of the Windows File Recovery tool to test on the latest Windows 10 Insider build. [...] | Tool | ||
|
2021-01-05 22:28:17 | RCE \'Bug\' Found and Disputed in Popular PHP Scripting Framework (lien direct) | Impacted are PHP-based websites running a vulnerable version of the web-app creation tool Zend Framework and some Laminas Project releases. | Tool | ||
|
2021-01-05 20:34:57 | Crypto-Hijacking Campaign Leverages New Golang RAT (lien direct) | Reseachers are raising the alarm for a newly identified operation leveraging a new Remote Access Tool (RAT) written in Golang to steal crypto-currency from unsuspecting users. | Tool | ||
|
2021-01-05 14:34:10 | Netfox Detective: An Alternative Open-Source Packet Analysis Tool , (Tue, Jan 5th) (lien direct) | [This is a guest diary by Yee Ching Tok (personal website here (https://poppopretn.com)). Feedback welcome either via comments or our contact page (https://isc.sans.edu/contact.html)] | Tool | ||
|
2021-01-05 07:08:04 | Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users (lien direct) | Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems.
Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and |
Malware Tool | ||
|
2021-01-05 04:59:54 | Ransomware Attacks Linked to Chinese Cyberspies (lien direct) | China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim's files. | Ransomware Tool | APT 27 APT 27 |
To see everything:
Our RSS (filtrered)
