What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
2021-10-06 05:04:20 Threat hunting in large datasets by clustering security events (direct link) By Tiago Pereira. Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as Spark, can be a powerful tool in the arsenal of security teams. This post walks through threat hunting on large datasets... Tool Threat
Mandiant.webp 2021-10-06 04:25:00 Six Functions to Activate to Improve Your Cyber Defenses (direct link) Conversations on cyber security are increasingly focused on Security Operations Center (SOC) tools and activities. While it is impossible to deny the importance of the SOC to an organization's security strategy, the SOC is part of the much broader scope of Cyber Defense. When Cyber Defense, which encompasses the SOC, isn't properly prioritized, the effectiveness of people, processes and capabilities used to defend environments from the latest attacks is impacted. Robust Cyber Defenses are needed to prevent compromise, reduce attack impact, and enable organizations to continue to operate in Tool ★★★
kovrr.webp 2021-10-06 00:00:00 Using CRIMZON™ to assess cybersecurity hazards with an insurance portfolio. The CRIMZON™ framework allows insurance carriers to gain insights into the hazard of cyber without needing to run external scans. (direct link) In recent years, the rise to prominence of cyber risk, both as a peril and as a line of business, has created opportunities and threats to insurance companies in equal measure. Insurance executives, exposure managers and underwriters need now more than ever to understand, quantify and manage their exposures, in order to sustain profitability and to protect their balance sheets. By definition, cyber events occur due to vulnerable technology. It is therefore tempting to conclude that understanding these exposures requires knowing the full map of technologies and service providers an insured relies upon, including the granular details on how data is stored and accessed. The issue with this approach is that while this information is certainly valuable to assess the risk, it is challenging to obtain at scale due to the difficulties that arise from accessing and analyzing the data properly. Help in solving this dilemma is provided by using techniques to analyze the cyber footprint of an insured, mapping the technologies and service providers most exposed to the external world. The premise is that such analysis provides insurers with the same point of view as potential threat actors. It is fair to say this is currently the gold standard of cyber hazard analysis. Insurance carriers with large affirmative cyber books rely on external scans for underwriting as well as for portfolio management, often augmenting this data with information provided by the insured, mostly from third-party vendors. A direct relationship with the insured is the best way forward to understand their level of risk; however, it's disingenuous to assume every stakeholder in the insurance industry is able to access the same level of data.
Within the same company, portfolio managers often don't have access to the same level of details as underwriters, and across entities reinsurers rely on their clients passing on data, which requires overcoming hurdles around data confidentiality as well as technical limitations on data volumes. Moreover, external scans are expensive and might not be a viable option when cyber coverage is offered as an endorsement on other lines of business. Assessing hazard insured by insured is therefore not always possible and cannot be expected to be the only way. Kovrr has developed an open framework, CRIMZON, which allows insurance stakeholders to understand hazard without running expensive analysis tools and collecting only a minimum amount of data points. This framework is designed to answer basic questions on cyber risk accumulations and estimates of Probable Maximum Loss (PML). It allows full flexibility around the type of risk analyzed, whether the focus is ransomware or cyber liability, and is consistent and compatible with the catastrophe model methodology deployed in our probabilistic cyber risk quantification solution. Mr. Hetul Patel, Advisor to Kovrr and Chief Actuary at Liberty Mutual Re said: “CRIMZON™ are a novel way to address the very real need for better cyber risk aggregation. Recent events have clearly highlighted that cyber loss events can't be managed through the traditional tools that reinsurers currently use. CRIMZON have the potential to create a market standard, similar to the way cresta zones are used for natural catastrophe modelling. The use of which goes beyond aggregate and risk management, and into outward reinsurance purchasing and attracting third party capital.”
Grouping Companies Together by CRIMZON™
Kovrr's open framework Cyber Risk Accumulation Zones (CRIMZON™) groups companies together based on three characteristics: industry, location and entity size.
This framework for grouping is based on research that shows that companies sharing these characteristics tend to share cyber risks. Cyber attacks would then be more likely to spread through companies within the same CRIMZON rather than hitting companies randomly. For example, a cyber attack might b Ransomware Tool Threat ★★★
Anomali.webp 2021-10-05 18:28:00 Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now (published: October 1, 2021) Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations. Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program. Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day Hydra Malware Targets Customers of Germany's Second Largest Bank (published: October 1, 2021) A new campaign leveraging the Hydra banking trojan has been discovered by researchers.
The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts. Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using. Tags: Banking and Finance, EU, Hydra, trojan New APT ChamelGang Targets Russian Energy, Aviation Orgs (published: October 1, 2021) A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi Ransomware Malware Tool Vulnerability Threat Guideline Solardwinds Solardwinds APT 27
CVE.webp 2021-10-04 19:15:08 CVE-2021-41118 (direct link) The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. In affected versions unsanitised input of regular expression date within the parameters of the DPL parser function, allowed for the possibility of ReDoS (Regex Denial of Service). This has been resolved in version 3.3.6. If you are unable to update you may also set `$wgDplSettings['functionalRichness'] = 0;` or disable DynamicPageList3 to mitigate. Tool
CVE.webp 2021-10-04 18:15:09 CVE-2021-32762 (direct link) Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. Tool Vulnerability
Anomali.webp 2021-10-04 11:00:00 The Need for Intelligence-Driven XDR to Address Security Team Challenges (direct link) As organizations continue to expand and evolve their digital footprint, security staff struggle to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. These challenges are even more difficult due to limited staff and expertise. Enter extended detection and response or XDR. Depending on who you ask, you'll get differing opinions about what XDR is, where it came from, and whether or not you need it. The fact is security teams continue to struggle with too many security tools from different vendors, with little integration of data or relevant threat intelligence. These tools generate an alarming volume of alerts, leading to analysts chasing false positives or not looking into data because they lack the intelligence and expertise to prioritize the alerts that matter. They're also working in siloed environments, which makes it hard to collaborate and leads to more problems, including: overwhelming volumes of data make it difficult to prioritize security efforts and response; they lack insight into global threats and incidents and are unable to recognize the potential impact of known and unknown threats; the detection technologies they've installed are riddled with false positives that waste staff time; the reliance on a single vendor and the inability to tune security controls across multi-vendor security stacks makes it harder to prioritize investigations and incident response efforts. This is where XDR solutions come into play. We've aligned ourselves with Gartner's definition of XDR, which states: "XDR is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components."
In layman's terms: XDR provides a holistic, more straightforward view of threats across an organization's entire technology landscape, providing the real-time information needed to deliver threats to the right people for better, faster outcomes. Security teams can no longer only rely on the same tools they've used for threat detection and response. Automation and big data management are needed to collect data across all installed security telemetry, along with advanced intelligence to understand and correlate threats. The improved automation allows teams to sift through the never-ending deluge of data to pinpoint relevant threats and quickly respond to those that matter before they turn into something catastrophic. Anomali's XDR solution combines our global threat intelligence with extended detection capabilities to stop breaches and attackers. Anomali XDR delivers: unified threat detection utilizing all installed security telemetry; precision detection with timely alerts to stop threats earlier; increased ROI with less administrative overhead; higher fidelity alerts to reduce false positives and empower stretched IT teams; retrospective search capabilities across 5+ years. Take a look at our webinar to learn more about how we can help you Pinpoint Relevant Threats w Tool Threat Guideline
SANS.webp 2021-10-03 15:39:54 Video: CVE-2021-40444 Maldocs: Extracting URLs, (Sun, Oct 3rd) (direct link) In this video, reacting to a reader's comment, I explain how you can add your own regex to my re-search.py tool (without changing the code). Tool ★★★★
SANS.webp 2021-10-01 10:15:09 New Tool to Add to Your LOLBAS List: cvtres.exe, (Fri, Oct 1st) (direct link) LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious process activity on a system (proactively or in a forensics investigation). Tool
ZDNet.webp 2021-10-01 09:55:31 Android, Java bug hunting tool Mariana Trench goes open source (direct link) Mariana Trench originated as an internal Facebook tool. Tool
TechRepublic.webp 2021-09-30 20:25:27 How to run network diagnostic tests on Chrome OS (direct link) Is your Chromebook having networking issues? Jack Wallen introduces you to a tool that could help you solve those problems. Tool
bleepingcomputer.webp 2021-09-30 15:32:05 Fake Amnesty International Pegasus scanner used to infect Windows (direct link) Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent. [...] Tool Threat
Veracode.webp 2021-09-30 14:22:27 .NET 5, Source Generators, and Supply Chain Attacks (direct link) IDEs and build infrastructure have been a target of various threat actors since at least 2015, when XcodeGhost was discovered - https://en.wikipedia.org/wiki/XcodeGhost - a malware-ridden Apple Xcode IDE that enabled attackers to plant malware in iOS applications built using it. Attacks executed through builds abuse the trust we have in our build tools, IDEs, and software projects. This is slowly changing (for example, Visual Studio Code added the Workspace Trust feature in one of the recent releases: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time, .NET 5 added a powerful yet dangerous feature that could make attacks similar to those described above easier to implement and deliver, and better able to stay under the radar.
Source Generators introduction
Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5 - Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins, Source Generators offer more flexibility as they're independent of IDE & compiler and do not require modifications of the source code. Source Generators can be present in your software solution as a part of the Visual Studio solution structure, visible as a separate project in the IDE Solution browser. They can also be added, more often, as a NuGet library, similarly to any other dependency. Compilation pipeline that includes Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/&…; As Source Generators follow the same concept as Analyzers, they may need to have install and uninstall scripts. In a simple scenario, the install script will modify the given project csproj file in order to trigger the Source Generator at build time.
Similarly, the uninstall script will remove any references to the Source Generator from the csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and were already attempted in the wild, but the technique described in this blog post does not use scripts, making potential attacks harder to detect. Generators can be used for various purposes, in the most trivial case to inject code that'll be callable from a first-party code snippet. Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/

    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.CodeAnalysis;
    using Microsoft.CodeAnalysis.Text;

    namespace SourceGeneratorSamples
    {
        [Generator]
        public class HelloWorldGenerator : ISourceGenerator
        {
            public void Execute(SourceGeneratorContext context)
            {
                // begin creating the source we'll inject into the users compilation
                var sourceBuilder = new StringBuilder(@"
    using System;
    namespace HelloWorldGenerated
    {
        public static class HelloWorld
        {
            public static void SayHello()
            {
                Console.WriteLine(""Hello from generated code!"");
                Console.WriteLine(""The following syntax trees existed in the compilation that created this program:"");
    ");

                // using the context, get a list of syntax trees in the users compilation
                var syntaxTrees = context.Compilation.SyntaxTrees;

                // add the filepath of each tree to the class we're building
                foreach (SyntaxTree tree in syntaxTrees)
                {
                    sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");");
                }

                // finish creating the source to inject
                sourceBuilder.Append(@"
            }
        }
    }");

                // inject the created source into the users compilation
                context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8));
            }

            public void Initialize(InitializationContext context)
            {
                // No initialization required for thi

Malware Tool Threat
SecurityWeek.webp 2021-09-30 13:25:16 New CISA Tool Helps Organizations Assess Insider Threat Risks (direct link) The United States Cybersecurity and Infrastructure Security Agency (CISA) this week released a tool to help organizations assess their insider threat risk posture. Tool Threat
SecurityAffairs.webp 2021-09-30 07:19:56 (Déjà vu) CISA releases Insider Risk Mitigation Self-Assessment Tool (direct link) The US CISA has released a new tool for assessing the level of exposure of organizations to insider threats and devising their own defense plans against such risks. The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their […] Tool
SecurityAffairs.webp 2021-09-30 06:22:42 Facebook released Mariana Trench tool to find flaws in Android and Java apps (direct link) Facebook released Mariana Trench, an internal open-source tool that can be used to identify vulnerabilities in Android and Java applications. The Facebook security team has open-sourced the code for Mariana Trench, an internal open-source tool used by the company's experts to identify vulnerabilities in Android and Java applications. The name comes from the Mariana Trench, the […] Tool
SecurityWeek.webp 2021-09-29 19:32:34 Facebook Open-Sources 'Mariana Trench' Code Analysis Tool (direct link) Facebook's security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications. Tool
TroyHunt.webp 2021-09-29 17:00:40 Google Maps tracks global warming with new “Fire” layer, tree canopy tool (direct link) "Fire" will be a top-level layer just like traffic, satellite, and transit maps. Tool
bleepingcomputer.webp 2021-09-29 16:11:22 Facebook open-sources tool to find Android app security flaws (direct link) Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. [...] Tool
bleepingcomputer.webp 2021-09-29 14:17:43 CISA releases tool to help orgs fend off insider threat risks (direct link) The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool that allows public and private sector organizations to assess their vulnerability to insider threats and devise their own defense plans against such risks. [...] Tool Vulnerability Threat
The_Hackers_News.webp 2021-09-29 10:59:29 Facebook Releases New Tool That Finds Security and Privacy Bugs in Android Apps (direct link) Facebook on Wednesday announced it's open-sourcing Mariana Trench, an Android-focused static analysis platform the company uses to detect and prevent security and privacy bugs in applications created for the mobile operating system at scale. "[Mariana Trench] is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production," the Tool
ComputerWeekly.webp 2021-09-29 10:51:00 FoggyWeb malware latest tool of dangerous Nobelium APT (direct link) No more details Malware Tool
SecurityWeek.webp 2021-09-28 11:19:08 ImmuniWeb Launches Free Tool for Identifying Unprotected Cloud Storage (direct link) Switzerland-based web and application security company ImmuniWeb on Tuesday announced the launch of a free online tool designed to help organizations identify unprotected cloud storage. Tool ★★★
The_Hackers_News.webp 2021-09-28 01:32:38 New BloodyStealer Trojan Steals Gamers' Epic Games and Steam Accounts (direct link) A new advanced trojan sold on Russian-speaking underground forums comes with capabilities to steal users' accounts on popular online video game distribution services, including Steam, Epic Games Store, and EA Origin, underscoring a growing threat to the lucrative gaming market. Cybersecurity firm Kaspersky, which coined the malware "BloodyStealer," said it first detected the malicious tool in Malware Tool Threat
The_Hackers_News.webp 2021-09-23 20:48:44 Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days (direct link) Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of iOS and macOS that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users. Chief among them is CVE-2021-30869, a type confusion flaw Tool
securityintelligence.webp 2021-09-22 16:00:00 How to Build a Winning Cybersecurity Resume (direct link) Career advancement is an art form with many facets. One vital tool is your cybersecurity resume, the quality of which can mean the difference between getting an interview for your dream job and not being considered at all. Following the standard advice on building a resume will give you a standard resume that won't set […] Tool
TechRepublic.webp 2021-09-21 21:57:41 How to use the FILTER() dynamic array function in Excel (direct link) Microsoft Excel's new FILTER() function is a great tool for reporting and dashboards. We'll show you how to use it to get more done. Tool
no_ico.webp 2021-09-21 19:57:00 Automation in Reverse Engineering C++ STL/Template Code (direct link) There are three major elements to reverse engineering C++ code that uses STL container classes: (1) determining in the first place that an STL container is being used, and which category, i.e., std::list vs. std::vector vs. std::set; (2) determining the element type, i.e., T in the categories above; (3) creating data types in your reverse engineering tool of choice, and applying those types to the decompilation or disassembly listing. Though all of those elements are important, this entry focuses on the last one: creating instantiated STL data types, and more specifically, types that can be used in Hex-Rays. The main contribution of this entry is simply its underlying idea, as I have never seen it published anywhere else; the code itself is simple enough, and can be adapted to any reverse engineering framework with a type system that supports user-defined structures. I have spent the pandemic working on a new training class on C++ reverse engineering; the images and concepts in this blog entry are taken from the class material. The class goes into much more depth than this entry, with material on structure and type reconstruction and individual sections on each of the common STL containers. (If you are interested in the forthcoming C++ training class, it will be completed early next year, and available for in-person delivery when the world is more hospitable. If you would like to be notified when public in-person classes for the C++ course are ready, please sign up on our no-spam, very low-volume, course notification mailing list. Click the button that says "Provide your email to be notified of public course availability".)
Overview and Motivation
At a language level, C++ templates are one of the most complex features of any mainstream programming language.
Their introduction in the first place -- as opposed to a restricted, less-powerful version -- was arguably a bad mistake. They are vastly overcomplicated, and in earlier revisions, advanced usage was relegated to true C++ experts. Over time, their complexity has infested other elements of the language, such as forming the basis for the C++11 auto keyword. However, the basic, original ideas behind C++ templates were inconspicuous enough, and are easy to explain to neophytes. Moreover, reverse engineers do not need to understand the full complexity of C++ templates for day-to-day work. Let's begin with a high-level overview of which problems in C software development C++ templates endeavored to solve, and roughly how they solved them. Put simply, many features of C++ were designed to alleviate situations where common practice in C was to copy and paste existing code and tweak it slightly. In particular, templates alleviate issues with re-using code for different underlying data types. C does offer one alternative to copy-and-paste in this regard -- the macro preprocessor -- though it is a poor, cumbersome, and limited solution. Let's walk through a small real-world example. Suppose we had code to shuffle the contents of a char array, and we wanted to re-use it to shuffle int arrays. Tool Guideline
Anomali.webp 2021-09-21 16:09:00 Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence CISA: Patch Zoho Bug Being Exploited by APT Groups (published: September 17, 2021) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August. Analyst Comment: Users should immediately apply the patch released by Zoho.
Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent. MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078 Tags: APT, Bug, Vulnerability, Zoho Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise (published: September 16, 2021) Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country. Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a Spam Malware Tool Vulnerability Threat
bleepingcomputer.webp 2021-09-21 14:54:13 Microsoft PC Health Check adds detailed Windows 11 compatibility info (direct link) Microsoft has released an updated PC Health Check tool that provides detailed information about whether a device's hardware is compatible with Windows 11. [...] Tool
Veracode.webp 2021-09-21 10:49:49 MPT's Value at Veracode (direct link) You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the correct tools for your AppSec program can be overwhelming. Even when looking only at point solutions, there still may be some confusion on the value that various tools can provide. Sometimes you'll find the perfect tool, but others may offer you a similar tool with added manual penetration testing (MPT) as part of the overall bundle. That seems like a great idea for the budget. Let's dive in and see what types of value these other offerings really provide. First, let's cover the shortcomings of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive dives for ease of consumption. If you read anything, read the short bulleted list! Who is doing your MPT as part of this engagement? Veracode has world-famous authors and hackers on their MPT teams. Please reach out and ask for our MPT team profile and then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings. Apps don't get great coverage with MPT. This is a light MPT engagement when bundled. Ask for regular pricing so you can see the difference. Typically you can gauge the effectiveness of the offering by comparing the 1-day retail price of MPT to what is offered in the bundled offering. Cheap MPT and any other labor-intensive-based offerings DO NOT SCALE! Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Also, claimed less than 1% FP rates due to manual labor scrubbing DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by.
Why Veracode's Manual Penetration Testing value can NOT be beaten Veracode's value in MPT can be summarized into four major points. Single Pane Looking Glass reports Comprehensive Security Analysis Value, Remediation and AppSec Program Assistance, and scalability. Single pane looking glass report Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration testing. Then you can generate a report with all the findings on one PDF in the context of a single application. With our big data analytics tools, you can then generate views on the entire organization portfolio or per team application's security posture. Comprehensive security analysis value If you already are a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily/weekly SAST, DAST, and SCA checks. MPT will skip all the findings in those reports. This allows us to find more complex and nefarious things that automated tools simply can not do. With other MPT offerings, the vendors must use the hours and will not know to skip the low-hanging fruit that our tools already caught such as SQL Injections, cross-site scripting, etc. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare hour for hour MPT offerings against Veracode- you will find that Veracode can do more with an hour of MPT than any other vendor can. Remediation and AppSec program assistance Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or help manage your application security program. 
This is not an extra add-on, this is included upfront so it is easy to forecast and budget. If your security or dev teams have questions- Veracode is there to help. Scalability No other Vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. I Tool
securityintelligence.webp 2021-09-20 19:00:00 Zero Trust: Follow a Model, Not a Tool (lien direct) The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses.  Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This […] Tool
InfoSecurityMag.webp 2021-09-17 16:24:00 (Déjà vu) Free REvil Decryptor Launched (lien direct) New Bitdefender tool unlocks many files encrypted by REvil ransomware prior to July 13 Ransomware Tool
TechRepublic.webp 2021-09-16 15:49:03 (Déjà vu) Bitdefender offers free decryptor for REvil ransomware victims (lien direct) The free decryption tool will help victims restore their encrypted files from attacks made before July 13, 2021, says Bitdefender. Ransomware Tool
CVE.webp 2021-09-15 19:15:09 CVE-2021-33701 (lien direct) DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability. Tool Guideline
CVE.webp 2021-09-15 17:15:10 CVE-2021-39392 (lien direct) The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. Tool
FireEye.webp 2021-09-14 22:44:26 ELFant in the Room – capa v3 (lien direct) Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project's release page and check out the source code on GitHub. ELF File Format Support capa finds capabilities in programs by parsing executable file formats, disassembling code, and then recognizing features in functions. In versions v1 and v2, capa only understood the PE file format, so its analysis was restricted to Windows programs. Thanks to our colleagues at Intezer, capa now recognizes ELF files! This means you can use the tool to identify behaviors in malware that targets Linux computers. Figure 1 shows a rule that describes techniques to fetch the current user on Linux. Figure 1: capa rule identifying capabilities on Linux We're excited Intezer leverages capa and thrilled they are sharing their improvements with the community. In addition to the code updates, Intezer proposed 36 capa rules to identify various capabilities in ELF files, such as reconnaissance, persistence, and host interaction techniques. Please read Intezer's blog post for more details. New Features capa Can Recognize As we taught capa to recognize ELF files, we also wanted rule authors to tune their rules to find behaviors specific to different operating systems (OS), CPU architectures, and file formats. For example, the APIs exposed by Windows are very different from those found on Linux systems; therefore, rules should clearly designate which pattern to use on Windows versus Linux.
Based on discussions and feedback collected from users and contributors, we've extended capa's rule format to describe OSes, CPU architectures, and file formats. The rule shown in Figure 2 uses os features to distinguish techniques used to get networking interface information on Windows and Linux. Note that the rule is explicit about which APIs are found on each OS, making it easy for both humans and machines to interpret the matching logic. Figure 2: capa rule using the os feature to distinguish OS specific features We've also added arch (such as arch: i386 for 32-bit Intel code) and format (such as format: elf for ELF files) features to distinguish between CPU architectures and file formats. To learn more about these and capa's rule syntax see the rule format documentation on GitHub. Unfortunately, rules with these new features are not backwards compatible with older versions of capa. Therefore, you should prefer to upgrade your capa installation to take advantage of our enhanced rules. Substring Features To make many rules easier to read, we've added a convenience feature named substring that acts Malware Tool Guideline
Anomali.webp 2021-09-14 15:00:00 Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence S.O.V.A. – A New Android Banking Trojan with Fowl Intentions (published: September 10, 2021) ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap. Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation. 
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (published: September 9, 2021) Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it is the first cross-account container takeover in the public cloud. Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl Ransomware Spam Malware Tool Vulnerability Threat Guideline Uber APT 41 APT 15
TechRepublic.webp 2021-09-14 14:30:00 How to configure Invoice Plane for in-app invoice mailing (lien direct) Invoice Plane is a powerful open-source invoicing tool perfectly suited for small-business data centers. Jack Wallen shows you how to add invoice emailing to the application. Tool
SecurityAffairs.webp 2021-09-14 06:00:39 Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks (lien direct) Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide. Cobalt Strike is a legitimate penetration testing tool designed as an attack […] Tool Threat
The_Hackers_News.webp 2021-09-13 20:42:07 Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide (lien direct) Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - marks one of the rare Linux ports, which has been Tool
Anomali.webp 2021-09-09 14:00:00 Optimizing Your Cybersecurity with Intelligence-Powered Detection (lien direct) The recent large-scale cyberattacks have shown that any organization, regardless of size or industry, may be targeted at any time. Despite deploying multiple tools, security teams struggle to pinpoint relevant threats, wasting time sifting through incoming data and false positives and cannot act swiftly to real threats facing their business. A recent Dark Reading study revealed that while many organizations have improved their threat detection capabilities over the last few years, they lack threat visibility and are still reliant on too many manual processes. These shortcomings in combating cyber threats result in alert fatigue, smoldering fires, and siloed threat intelligence. The question then becomes: “How can my organization optimize its threat detection system?” Threat Detection as Process There are multiple ways to detect a potential threat. These can include global threat intelligence, human expertise in threat identification, and advanced tools for identifying malicious activity. While all are essential elements, they need to work effectively to create an optimized security program. Too often, the security process goes in one direction, from threat intelligence gathering to analysis and monitoring by the security operations center (SOC) and then on to security engineering to prioritize remediation. Creating a collaborative system with feedback loops between security teams and other key stakeholders is a much more effective way to avoid siloed intelligence and rapidly identify relevant threats. In this security ecosystem approach, the threat intel team automates intelligence gathering, prioritizes against intelligence initiatives, and incorporates any new requirements coming from security engineering. The SOC then monitors and prioritizes the continually updating threat requirements to help the threat team find relevant attacks.
Security engineering prioritizes remediation and then feeds the revised intelligence requirements back to the SOC, reflecting any changes in vulnerabilities. Intelligence-Powered Threat Detection Implementing an effective collaborative system with two-way fluid communication requires intelligence-powered threat detection. Detection enables intelligent orchestration through your security organization and ensures that the global intelligence is relevant. Machine learning is leveraged to make sure severity scoring is conducted quickly and effectively. An intelligence-driven platform can process millions of indicators of compromise (IoCs) and billions of internal log entries, operationalizing threat data and automatically showing security teams what is relevant to them and which data are actionable intelligence. The identified indicators of interest can then be fed directly to the endpoints and firewalls for blocking.   Extended Detection and Response or XDR Extended detection and response or XDR is a security framework that unifies threat detection and response into a single platform. It collects and correlates data automatically from disparate security components installed in a customer's environment. XDR can provide better security than isolated tools by reducing the complexity of security configuration and incident response.  For example, you can extinguish smoldering fires using XDR, as big data support on the backend enables quick indexing and searches going back years. Alert fatigue is relieved by the automated updating of IRs and allowing threat intelligence teams to focus on relevant IoCs. And, because it bridges different tools and systems, XDR can also facilitate feedback loops between cybersecurity teams and stakeholders. Vendor-agnostic XDR platforms Tool Threat
CVE.webp 2021-09-08 21:15:10 CVE-2021-30605 (lien direct) Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls. Tool
TechRepublic.webp 2021-09-08 18:43:43 Machine learning is a great tool for cybersecurity, but be cautious, expert says (lien direct) Supervised and unsupervised machine learning are good ways to detect threats. But what's the difference? Tool
CVE.webp 2021-09-08 17:15:09 CVE-2021-28571 (lien direct) Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Tool Vulnerability ★★
TechRepublic.webp 2021-09-08 16:57:12 Canonical announces new Anbox Cloud Appliance on AWS Marketplace (lien direct) The tool can be used by developers for prototyping, sandboxing and putting Android apps into production on 5G devices. Tool
SecurityWeek.webp 2021-09-08 01:42:01 US-built Databases a Potential Tool of Taliban Repression (lien direct) Over two decades, the United States and its allies spent hundreds of millions of dollars building databases for the Afghan people. The nobly stated goal: Promote law and order and government accountability and modernize a war-ravaged land. Tool
CVE.webp 2021-09-07 20:15:07 CVE-2021-37631 (lien direct) Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update it is advised to disable the Deck plugin. Tool
Anomali.webp 2021-09-07 19:29:00 Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor (published: September 3, 2021) Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs to previous FIN7 campaigns. FIN7 are a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. 
Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087 Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS Feds Warn of Ransomware Attacks Ahead of Labor Day (published: September 1, 2021) The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond and remediate to incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' Ransomware Malware Tool Vulnerability Threat Guideline
WiredThreatLevel.webp 2021-09-07 12:00:00 Pharmacies Stepped Up During Covid-and Changed for Good (lien direct) Pharmacies have long been perceived as commodities. Now, they're a central tool for removing barriers to health care. Tool
Last update at: 2024-07-20 14:07:42