What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
SecurityAffairs.webp 2021-09-14 06:00:39 Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks (direct link) Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide. Cobalt Strike is a legitimate penetration testing tool designed as an attack […] Tool Threat
The_Hackers_News.webp 2021-09-13 20:42:07 Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide (direct link) Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - marks one of the rare Linux ports, which has been Tool
Anomali.webp 2021-09-09 14:00:00 Optimizing Your Cybersecurity with Intelligence-Powered Detection (direct link) The recent large-scale cyberattacks have shown that any organization, regardless of size or industry, may be targeted at any time. Despite deploying multiple tools, security teams struggle to pinpoint relevant threats, wasting time sifting through incoming data and false positives, and cannot act swiftly on the real threats facing their business. A recent Dark Reading study revealed that while many organizations have improved their threat detection capabilities over the last few years, they lack threat visibility and are still reliant on too many manual processes. These shortcomings in combating cyber threats result in alert fatigue, smoldering fires, and siloed threat intelligence. The question then becomes: “How can my organization optimize its threat detection system?” Threat Detection as Process There are multiple ways to detect a potential threat. These can include global threat intelligence, human expertise in threat identification, and advanced tools for identifying malicious activity. While all are essential elements, they need to work together effectively to create an optimized security program. Too often, the security process goes in one direction, from threat intelligence gathering to analysis and monitoring by the security operations center (SOC) and then on to security engineering to prioritize remediation. Creating a collaborative system with feedback loops between security teams and other key stakeholders is a much more effective way to avoid siloed intelligence and rapidly identify relevant threats. In this security ecosystem approach, the threat intel team automates intelligence gathering, prioritizes against intelligence initiatives, and incorporates any new requirements coming from security engineering. The SOC then monitors and prioritizes the continually updating threat requirements to help the threat team find relevant attacks. Security engineering prioritizes remediation and then feeds the revised intelligence requirements back to the SOC, reflecting any changes in vulnerabilities. Intelligence-Powered Threat Detection Implementing an effective collaborative system with two-way fluid communication requires intelligence-powered threat detection. Detection enables intelligent orchestration through your security organization and ensures that the global intelligence is relevant. Machine learning is leveraged to make sure severity scoring is conducted quickly and effectively. An intelligence-driven platform can process millions of indicators of compromise (IoCs) and billions of internal log entries, operationalizing threat data and automatically showing security teams what is relevant to them and which data are actionable intelligence. The identified indicators of interest can then be fed directly to the endpoints and firewalls for blocking. Extended Detection and Response or XDR Extended detection and response or XDR is a security framework that unifies threat detection and response into a single platform. It collects and correlates data automatically from disparate security components installed in a customer's environment. XDR can provide better security than isolated tools by reducing the complexity of security configuration and incident response. For example, you can extinguish smoldering fires using XDR, as big data support on the backend enables quick indexing and searches going back years. Alert fatigue is relieved by the automated updating of IRs and allowing threat intelligence teams to focus on relevant IoCs. And, because it bridges different tools and systems, XDR can also facilitate feedback loops between cybersecurity teams and stakeholders. Vendor-agnostic XDR platforms Tool Threat
CVE.webp 2021-09-08 21:15:10 CVE-2021-30605 (direct link) Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls. Tool
TechRepublic.webp 2021-09-08 18:43:43 Machine learning is a great tool for cybersecurity, but be cautious, expert says (direct link) Supervised and unsupervised machine learning are good ways to detect threats. But what's the difference? Tool
CVE.webp 2021-09-08 17:15:09 CVE-2021-28571 (direct link) Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Tool Vulnerability ★★
TechRepublic.webp 2021-09-08 16:57:12 Canonical announces new Anbox Cloud Appliance on AWS Marketplace (direct link) The tool can be used by developers for prototyping, sandboxing and putting Android apps into production on 5G devices. Tool
SecurityWeek.webp 2021-09-08 01:42:01 US-built Databases a Potential Tool of Taliban Repression (direct link) Over two decades, the United States and its allies spent hundreds of millions of dollars building databases for the Afghan people. The nobly stated goal: Promote law and order and government accountability and modernize a war-ravaged land. Tool
CVE.webp 2021-09-07 20:15:07 CVE-2021-37631 (direct link) Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update it is advised to disable the Deck plugin. Tool
Anomali.webp 2021-09-07 19:29:00 Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor (published: September 3, 2021) Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs similar to previous FIN7 campaigns. FIN7 are a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087 Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS Feds Warn of Ransomware Attacks Ahead of Labor Day (published: September 1, 2021) The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond to and remediate incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' Ransomware Malware Tool Vulnerability Threat Guideline
WiredThreatLevel.webp 2021-09-07 12:00:00 Pharmacies Stepped Up During Covid-and Changed for Good (direct link) Pharmacies have long been perceived as commodities. Now, they're a central tool for removing barriers to health care. Tool
bleepingcomputer.webp 2021-09-06 13:42:08 New Chainsaw tool helps IR teams analyze Windows event logs (direct link) Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats. [...] Tool
The_Hackers_News.webp 2021-09-04 02:08:38 Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash (direct link) Apple is temporarily hitting the pause button on its controversial plans to screen users' devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users. "Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the Tool
Anomali.webp 2021-09-02 14:00:00 What Is a Cyber Fusion Center? (direct link) Drive Organization-Wide Visibility, Reduce Time to Detection, and Protect Critical Assets With a Cyber Fusion Center The continual and evolving threats to information systems are a constant battle that prompted the creation of cyber intelligence analysts who provide contextualized data, information, and intelligence to those tasked with detecting and defending against attacks. Cyber defense systems need to become more responsive to internal vulnerabilities and adapt to external threats as attack methods evolve more quickly. It is this intelligence that enables them to do so. The cyber fusion center is the hub for actionable threat intelligence. Structurally, it pulls together information and coordinates efforts across security teams: SOC, IT, physical security, fraud, etc. It also integrates multiple automation tools, collecting data from internal and external sources, curating data, and providing actionable intelligence to stakeholders to make informed decisions. Designing a Cyber Fusion Center Organizational Considerations When Creating Your Cyber Fusion Center The primary goal and advantage of having a cyber fusion center is making cybersecurity an integral part of your organization. It allows you to manage risk holistically. Keeping this in mind, processes that produce actionable intel should be modeled first before creating organizational and system structures. Acknowledging that existing systems are managed by different groups and integrating competing priorities is essential. Systems will also need to be integrated, with redundancies identified and streamlined. Finally, each organization will have its own culture that should be taken into consideration throughout this process. Teams: Is Your Cyber Fusion Center Communicating Cross-Functionally? Resilient cyber fusion centers start with a circular flow of communication with priority intelligence requirement (PIR)-driven inputs. This cyber intelligence provides the most timely and comprehensive intelligence on external threats to the security operations center (SOC) for detection, monitoring, threat hunting, and, when needed, incident response. In return, those acting on the threats can recommend adjustments to PIRs that continually improve the necessary intelligence to inform proactive threat detection and respond better. That feedback ensures that the threat intelligence team remains focused on collecting and delivering threat intelligence aligned to organizational PIRs. In addition, this flow of intelligence should be infused with relevant information from functional areas with high-risk vulnerabilities (e.g., Human Resources, Finance, Fraud, etc.). For example, a cyber intelligence team might discover a new ransomware campaign utilizing a specific tool and architecture. That intelligence is reported to the SOC with additional context of the group most likely responsible for the campaign, their other known tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The likelihood that the newly discovered campaign could impact the organization is based on a deeper understanding of the culprits’ motives, objectives, and previous actions. This type of intelligence empowers the SOC to prioritize response actions proactively to improve the organization’s security posture against both the immediate threat posed by the indicators of compromise (IOCs) and future threats posed by the same actor and their campaigns. Tools: Managing Your Security Stack With a Cyber Fusion Center While organizational processes are the basis for creating an effective cyber fusion center, automation tools are also essential. The risks of not automating can include missed threats, dormant threats, siloed threat intel, and unaligned intel. You can enrich global threat intelligence through associated intelligence, peer sharing, and local telemetry; this enrichment begins Ransomware Tool Threat
Anomali.webp 2021-08-31 16:40:00 Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag. Trending Cyber News and Threat Intelligence Widespread Credential Phishing Campaign Abuses Open Redirector Links (published: August 26, 2021) Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to “re-enter” their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic. Analyst Comment: Because of the nature of these types of phishing attacks, only reset your password by going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link to verify the site if asked to enter any credential information. MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Domain Trust Discovery - T1482 Tags: Phishing, Microsoft, North America, Anomali Cyber Watch FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware (published: August 25, 2021) FIN8, the financially-motivated threat group known for targeting retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities. Analyst Comment: Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily guessable and do not use the default administrative passwords provided because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit Ransomware Malware Tool Vulnerability Threat Guideline
itsecurityguru.webp 2021-08-31 11:42:33 Microsoft warns of phishing campaign abusing 'open redirects' (direct link) Office 365 customers have been warned by Microsoft of an ongoing phishing campaign that abuses open redirects, an email sales and marketing tool that redirects a visitor to an untrusted site. An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying […] Tool
bleepingcomputer.webp 2021-08-31 11:12:09 Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs (direct link) Cybercriminals are making strides towards attacks with malware that executes code from the graphics processing unit (GPU) of a compromised system. [...] Malware Tool
Pirate.webp 2021-08-30 18:53:57 Karkinos – Beginner Friendly Penetration Testing Tool (direct link) Karkinos – Beginner Friendly Penetration Testing Tool. Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a ‘Swiss Army Knife’ for pen-testing and/or hacking CTF’s. Karkinos Beginner Friendly Penetration Testing Tool Features: Encoding/Decoding characters; Encrypting/Decrypting text or files; Reverse shell handling; Cracking and generating hashes. How to Install Karkinos Beginner Friendly Penetration Testing Tool. Dependencies are: Any server capable of hosting PHP (tested with PHP 7.4.9); Python (tested with Python 3.8). Make sure it is in your path as: Windows: python; Linux: python3. If it is not, please change the commands in includes/pid.php. Pip3. Raspberry Pi Zero friendly :) (crack hashes at your own risk). Then: git clone https://github.com/helich0pper/Karkinos.git; cd Karkinos; pip3 install -r requirements.txt; cd wordlists && unzip passlist.zip. You can also unzip it manually using file explorer. Read the rest of Karkinos – Beginner Friendly Penetration Testing Tool now! Only available at Darknet. Tool
Anomali.webp 2021-08-24 17:11:00 Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Despite patches for a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered that nearly 2,000 of these vulnerable servers have recently been compromised to host webshells. These webshells allow attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells already planted in their environments. A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to assist organizations in ingesting current indicators of compromise (IOCs) and determining whether their Exchange instances have been compromised. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153 Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several Ransomware Malware Tool Vulnerability Threat Patching Cloud APT 37
SecurityWeek.webp 2021-08-24 15:42:13 New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox (direct link) Security researchers at Citizen Lab are documenting a new Apple iOS zero-click exploit being used to hijack data from fully patched iPhones in Bahrain. Citizen Lab said it found technical evidence connecting the new exploit to the Pegasus high-end spyware tool sold by controversial Israeli software vendor NSO Group. Tool
InfoSecurityMag.webp 2021-08-24 09:40:00 Microsoft Power Apps Tool Exposed 38 Million Records by Default (direct link) Configuration muddle has now been largely resolved by Redmond Tool
TechRepublic.webp 2021-08-23 14:09:14 Windows 365 Business: How this new tool can help your organization (direct link) Simon Bisson tried out the new Microsoft 365 tool, which allows you to create virtual machines for your staff working from home. Here's what he learned. Tool
ComputerWeekly.webp 2021-08-23 03:00:00 Considerations when deciding on a new SIEM or SOAR tool (direct link) No details Tool
CVE.webp 2021-08-20 19:15:10 CVE-2021-36011 (direct link) Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Tool Vulnerability
TechRepublic.webp 2021-08-19 13:33:45 How AutoKey can make repetitive tasks, like configuring Netplan, easier (direct link) AutoKey is a handy GUI tool that can take the repetition out of a lot of your daily Linux admin tasks. Tool
CVE.webp 2021-08-18 18:15:08 CVE-2021-37617 (direct link) The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches for the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system. Tool Guideline
CVE.webp 2021-08-18 16:15:07 CVE-2021-32728 (direct link) The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading. Tool
securityintelligence.webp 2021-08-18 16:00:00 Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon (direct link) Recently, X-Force Red released a tool called Windows Feature Hunter, which identifies targets for dynamic link library (DLL) side-loading on a Windows system using Frida. To provide a defensive counter-measure perspective for DLL side-loading, X-Force Incident Response has released SideLoaderHunter, which is a system profiling script and Sysmon configuration designed to identify evidence of side-loading […] Tool
Chercheur.webp 2021-08-18 11:23:54 Tetris: Chinese Espionage Tool (direct link) I’m starting to see writings about a Chinese espionage tool that exploits website vulnerabilities to try and identify Chinese dissidents. Tool
Mandiant.webp 2021-08-18 08:01:01 Detecting Embedded Content in OOXML Documents (direct link) On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we're sharing a technique we use to detect and cluster Microsoft Office documents, specifically those in the Office Open XML (OOXML) file format. Additionally, we're releasing a tool so analysts and defenders can automatically generate YARA rules using this technique. OOXML File Format Beginning with Microsoft Office 2007, the default file format for Excel, PowerPoint, and Word documents switched from an Object Linking and Embedding (OLE) based format to OOXML. For Tool ★★★
SecurityAffairs.webp 2021-08-18 07:03:22 Hamburg's data protection agency (DPA) states that using Zoom violates GDPR (direct link) The German state’s data protection agency (DPA) warns that the use of the videoconferencing platform Zoom violates the European Union’s GDPR. The German state’s data protection agency (DPA) warns that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR). The DPA is concerned by the transfer of […] Tool
Anomali.webp 2021-08-17 17:56:00 Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Colonial Pipeline Reports Data Breach After May Ransomware Attack (published: August 16, 2021) Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred in May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to the increased level of attention from governments, but later resurfaced under the new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both the BlackMatter RSA and Salsa20 implementations, including their usage of a custom matrix, come from DarkSide. Analyst Comment: BlackMatter (ex DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes are adding data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth including: patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention systems (DLP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA Indra — Hackers Behind Recent Attacks on Iran (published: August 14, 2021) Check Point Research discovered that a July 2021 cyber attack against the Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper named Stardust and Comet were seen in Syria, where Indra was attacking oil, airline, and financial sectors at least since 2019. Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. Similar to ransomware protection, with regard to wiper attacks organizations should improve their intrusion detection methods and have a resilient backup system. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline APT 27 APT 27
TechRepublic.webp 2021-08-17 17:48:20 SolarWinds makes DBA xPress free to support DataOps (lien direct) The new tool should help make cloud migrations less painful for database managers, according to the company. Tool
Kaspersky.webp 2021-08-17 13:58:12 Apple: CSAM Image-Detection Backdoor \'Narrow\' in Scope (lien direct) Computing giant tries to reassure users that the tool won't be used for mass surveillance. Tool
CVE.webp 2021-08-16 19:15:13 CVE-2021-22932 (lien direct) An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled. Customers are only affected by this issue if they previously selected “Enable Encryption” in the ShareFile configuration page and did not re-select this setting after running the CTX269106 mitigation tool. ShareFile customers who have not run the CTX269106 mitigation tool or who re-selected “Enable Encryption” immediately after running the tool are unaffected by this issue. Tool
Blog.webp 2021-08-15 09:36:02 Nmap for Pentester: Password Cracking (lien direct) In this article we will showcase the Nmap brute NSE scripts for dictionary attacks, since Nmap is such a large tool that it can’t be covered in one post. If you’re wondering whether or not a brute-force attack using Nmap is doable: yes, Nmap includes an NSE-based script Tool
TechRepublic.webp 2021-08-13 18:05:09 How to install Webmin on Rocky Linux (lien direct) With Webmin, you can better secure and manage your instances of Rocky Linux. Jack Wallen walks you through the process of getting this web-based tool up and running. Tool
CVE.webp 2021-08-13 12:15:07 CVE-2021-37350 (lien direct) Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation. Tool Vulnerability ★★★★
SecurityAffairs.webp 2021-08-13 08:07:19 Google open-sourced Allstar tool to secure GitHub repositories (lien direct) Google has open-sourced the Allstar tool that can be used to secure GitHub projects and prevent security misconfigurations. Google has open-sourced the Allstar tool that can be used to secure GitHub projects by enforcing a set of security policies to prevent misconfiguration. “Allstar is a GitHub App installed on organizations or repositories to set and enforce security policies. Its […] Tool
Anomali.webp 2021-08-12 15:00:00 Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry (lien direct) Authored by: Tara Gould and Rory Gould Key Findings Spearphishing emails are targeting the manufacturing industry in Taiwan and Korea to spread malware. Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts, delivering Warzone RAT. Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah. Overview Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the threat group Aggah. Our analysis found multiple PowerPoint files that contained malicious macros that used MSHTA to execute a script utilizing PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence that this is Aggah. Aggah Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.[1] The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRat.[2] Unit 42 initially believed, due to shared high-level TTPs as well as the use of RevengeRat, that Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments.[3] However, there were prominent Gorgon Group indicators not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. 
Other researchers agree that Aggah is an Urdu-speaking Pakistani group due to the use of Urdu words written in Latin script, but stress this does not mean they are the Gorgon Group.[4] Aggah has been consistently active since 2019, generally using the same identifiable TTPs. This past year was a notable year for the group, with a 2020 campaign targeting Italian organizations and manufacturing sectors around the world.[5] Later that same year, Aggah were observed likely selling or loaning malware to lower-level Nigerian actors.[6] Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.[7] The move to using compromised sites is likely due to the fact that Internet Archive-hosted files are being taken down much more quickly, and is a notable change for Aggah. Technical Analysis Email The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021 to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company, FomoTech, a Taiwanese engineering company, and to Hyundai Electric, a Korean power company. Using spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah.[8] Spoofed Spearphishing Email Sent to Fon Star Figure 1 - Spoofed Spearphishing Email Sent to Fon Star PowerPoint File File name Purchase order 4500061977,pdf.ppam MD5 b5a31dd4a6af746f32149f9706d68f45 When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) contained in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545h Malware Tool Threat
NakedSecurity.webp 2021-08-12 14:28:43 S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast] (lien direct) Latest episode - listen now! (And learn about the Navajo Nation's selfless cryptographic contribution to America.) Tool
bleepingcomputer.webp 2021-08-12 13:51:56 Windows 11 gets new versions of Snipping Tool, Mail, and Calculator (lien direct) Microsoft is rolling out its first Windows 11 app updates with new versions of the Calculator, Mail and Calendar, and the Snipping Tool apps. [...] Tool
Chercheur.webp 2021-08-11 11:42:27 Cobalt Strike Vulnerability Affects Botnet Servers (lien direct) Cobalt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the Cobalt Strike client — also known as a Beacon — and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific “malleability” customizations, such as how often the client is to report to the server or specific data to periodically send... Tool Vulnerability
TechRepublic.webp 2021-08-10 16:01:02 Deploy this web interface to your data center for user account control (lien direct) If you're looking for a tool to cut down on the time you spend managing user accounts, let Usermin hand some of those duties over to your end-users. Tool
TechRepublic.webp 2021-08-10 13:40:07 Hate your job? Find a new one with this LinkedIn tool (lien direct) As employers ramp up hiring, a free online tool helps people identify new career pathways and upskilling opportunities to make a career change a reality. Tool
TechRepublic.webp 2021-08-09 19:10:27 How to use the Windows Media Creation Tool to create a Windows 10 ISO file (lien direct) The free Windows Media Creation Tool from Microsoft grants you the power to create your own bootable Windows 10 backup, but you have to find and download it first. Tool
TechRepublic.webp 2021-08-09 13:58:40 Microsoft\'s Azure Data Share: How to use this big data tool (lien direct) Microsoft's cloud-hosted data sharing tools are for anyone who needs to work with big data. Tool
Veracode.webp 2021-08-06 09:32:28 Recap: Black Hat USA 2021 (lien direct) Black Hat USA 2021 kicked off this week and we enjoyed the show! In addition to hosting a Cards and Coding virtual casino night to discuss the future of cybersecurity (and give away some prizes), we held a Lunch & Learn with Wallace Dalrymple, CISO of Emerging Markets at Advantasure. In the session, our Founder and CTO Chris Wysopal chatted with Wallace about how Veracode and Advantasure worked together to build a mature application security (AppSec) program while addressing modern software security requirements. As Chris noted when the Lunch & Learn session began, the pandemic drove many organizations to digitally transform most functions of business, quickly, which meant increased security threats - especially for organizations in the healthcare industry where Advantasure thrives. The effort to produce more secure code is especially critical after the Biden Administration's recent Executive Order on cybersecurity, which impacts software security for organizations big and small. We know from our annual State of Software Security report that 75 percent of apps in the healthcare industry have security flaws, and 26 percent have high-severity vulnerabilities. To get ahead of this risk in the pandemic (during which they saw an uptick of cyberattacks by 50%), Advantasure knew they needed to bolster their AppSec program and set themselves up for a successful digital transformation. That's where Veracode came in, helping Wallace and his team build a stronger security program and enable their developers to become more security-minded. “I believe in: if you write it, you own it. You really have to have that buy-in from development, from project managers to deployment teams and release teams, all the way up to the management,” Wallace said. 
Speaking about Veracode Security Labs he continued, “Veracode provides a platform where we can actually provide a tool for developers to not just learn – not just watch a webinar – but to actually be hands-on and understand the coding mistakes they make through real-time feedback.” Wallace elaborated that their developers have been able to embrace new tools as part of their existing processes, giving them ownership over the efforts and boosting security adoption. If you missed the Lunch & Learn, you can read Advantasure's full story here to see how they got it done. From Big Data to Open Source We also had the chance to sit in on some sessions, one of which delved into the security of big data infrastructures: The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures. Sheila A. Berta of Dreamlab Technologies spoke about data ingestion, storage, processing, and access, as well as the techniques threat actors use to get into data infrastructures. As Head of Research for Dreamlab Technologies, Sheila asked the question, “What is a security problem and what is not a security problem in Big Data infrastructures?” What it comes down to, she said, is that security teams need to stay on top of methodologies and keep their skills sharp if they want to proficiently evaluate the security of these infrastructures. The methodology presented by Sheila came with new attack vectors in data; for example, she discussed techniques like the remote attack of a centralized cluster configuration managed by ZooKeeper, as well as relevant security recommendations to prevent these attacks. Another interesting session titled Securing Open Source Software – End-to-End, at Massive Scale, Together was held by Christopher Robinson, the Director of Security Communications at Intel, and Jennifer Fernick, SVP & Global Head of Research at NCC Group. 
In their discussion, they highlighted that, while open source software is foundational to the Internet, it's also rife with risk if left unchecked. This is a problem we work to combat here at Veracode with tools like Software Composition Analysis and developer enablement programs - our recent State of Software Security: Open Source Edition report found that just over half of Tool Threat
SecureMac.webp 2021-08-06 04:58:07 Checklist Short: Finding Pegasus Tracks (lien direct) A short Checklist this week, but an important one: A free tool to help detect Pegasus spyware on an iPhone! Tool
NakedSecurity.webp 2021-08-05 17:01:12 “Cobalt Strike” network attack tool patches crashtastic server bug (lien direct) Ahhhh, the irony! Red-team network attack tool has its very own bug for Blue Teams to counterexploit. Tool
Last update at: 2024-07-03 01:07:39