What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-11-23 20:30:00 | Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware Spam Malware Tool Vulnerability Threat Patching | ||
 |
2021-11-22 16:15:08 | CVE-2021-43558 (lien direct) | A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk. | Tool | ||
 |
2021-11-22 14:59:00 | Scrum or kanban: Which agile software development tool is best for your project? (lien direct) | Project management is key to an efficient and agile development cycle. But when faced with choosing either kanban or scrum, which route do you take? Jack Wallen has some advice. | Tool | ||
|
2021-11-19 19:15:08 | CVE-2021-40391 (lien direct) | An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. | Tool Vulnerability Guideline | ||
 |
2021-11-19 10:21:31 | Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (lien direct) | FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMWare vCenter Server plugin (CVE-2021-21972) as a initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration. Why is this Significant?This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible. What is CVE-2021-21972?CVE-2021-21972 is a remote code execution vulnerability in a VMWare vCenter Server plugin. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products:vCenter Server 7.0 prior to 7.0 U1cvCenter Server 6.7 prior to 6.7 U3lvCenter Server 6.5 prior to 6.5 U3n For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002". Has the Vendor Released a Patch for CVE-2021-21972?Yes, VMWare released a patch for CVE-2021-21972 in February 2021. What's the Details of the Attack Carried Out by Memento Group?According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of the WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to further spread within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked due to the anti-ransomware protection. The attack then switched its ransom tactic by putting the victim's files into password-protected archive files instead of encrypting them. What is Memento Ransomware?Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files in the compromised machine. The second variant does not involve file encryption. It collects files from the compromised machine and puts them into password-protected files. What is the Status of Coverage?FortiGuard Labs provides the following AV coverage for the available samples used in the attack:W32/KeyLogger.EH!tr.spyPossibleThreat.PALLASNET.HRiskware/MinerRiskware/ImpacketRiskware/MimikatzRiskware/Secretdmp FortiGuard Labs provides the following IPS coverage for CVE-2021-21972?VMware.vCenter.vROps.Directory.Traversal Other Workaround? VMWare provided workaround for CVE-2021-21972. See Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)". | Ransomware Tool Vulnerability Guideline | ||
 |
2021-11-18 14:00:50 | Spear-Phishing Campaign Exploits Glitch Platform to Steal Credentials (lien direct) | Threat actors are targeting Middle-East-based employees of major corporations in a scam that uses a specific 'ephemeral' aspect of the project-management tool to link to SharePoint phishing pages. | Tool Threat | ||
 |
2021-11-18 12:00:00 | Présentation du cadre de criminalistique numérique et de réponse aux incidents de Mandiant \\ pour les systèmes OT intégrés Introducing Mandiant\\'s Digital Forensics and Incident Response Framework for Embedded OT Systems (lien direct) |
La collecte et l'analyse des données médico-légales sont un composant central du processus de réponse de l'incident.Ce processus est central pour déterminer l'existence et la portée subséquente d'un compromis, les outils utilisés par les adversaires et leurs capacités.Cependant, l'obtention des données de criminalistique numérique et de réponse aux incidents (DFIR) n'est pas toujours une tâche simple, en particulier lorsque des systèmes de technologie opérationnelle (OT) sont impliqués.
Les réseaux OT comprennent souvent une variété de produits peu communs et parfois obscurs qui exploitent régulièrement des composants logiciels et de micrologiciels embarqués.Un bon exemple de ceci est en temps réel
Collecting and analyzing forensic data is a core component of the incident response process. This process is central to determining the existence, and subsequent scope of a compromise, the tools used by adversaries, and their capabilities. However, obtaining digital forensics and incident response (DFIR) data is not always a simple task, especially when operational technology (OT) systems are involved. OT networks often include a variety of uncommon and sometimes obscure products that regularly leverage embedded software and firmware components. A good example of this is real-time |
Tool Industrial | ★★★ | |
 |
2021-11-17 20:46:21 | New firefighting tool delivers water directly to blazing EV batteries (lien direct) | Technique uses less water to bring battery temps down to normal. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-33089 (lien direct) | Improper access control in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC8i3BE, NUC8i5BE, NUC8i7BE before version 1.78.4.0.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-0096 (lien direct) | Improper authentication in the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN, NUC7i7DN before version 1.78.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-17 19:15:08 | CVE-2021-33090 (lien direct) | Incorrect default permissionsin the software installer for the Intel(R) NUC HDMI Firmware Update Tool for NUC10i3FN, NUC10i5FN, NUC10i7FN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access. | Tool | ||
|
2021-11-16 20:48:00 | macOS Monterey includes an absolute gem of a feature for those looking to up their efficiency game (lien direct) | With macOS Monterey comes a tool that can help you create user friendly, repeatable actions to help optimize your daily life in numerous ways. | Tool | ||
|
2021-11-16 17:34:00 | Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
(published: November 8, 2021)
US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries.
Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075
Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China
REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom
(published: November 9, 2021)
A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t |
Ransomware Data Breach Malware Tool Vulnerability Threat Medical | APT 38 APT 27 APT 1 | |
|
2021-11-16 14:00:00 | How Nobl9\'s new tool could help developers tame technical debt (lien direct) | Commentary: Tech debt is a major hurdle to developer productivity. Nobl9's new Hydrogen is here to help. | Tool | ||
|
2021-11-16 13:16:47 | BlackMatter Uses New Custom Data Exfiltration Tool (lien direct) | FortiGuard Labs is aware that a BlackMatter ransomware affiliate started to use a new custom data exfiltration tool called "Exmatter". The tool is used to steal specific file types from predetermined directories and upload them to an attacker's server. This process happens before the ransomware is deployed to the victim's network.Why is this Significant?This is significant because Exmatter appears to target specific file types which the attacker thinks are valuable so it can steal them as quickly as possible. That allows the attacker to spend less time on the network before deploying the BlackMatter ransomware.What File Types is Exmatter Designed to Steal?According to security vendor Symantec, files with the following file extensions on the compromised machine are targeted by Exmatter: .doc.docx.xls.xlsx.pdf.msg.png.ppt.pptx.sda.sdm.sdw.csv.xlsm.zip.json.config.ts.cs.js.asp.pstAre There Multiple Versions of Exmatter?According to the security vendor, there are at least four versions of Exmatter that were used by a BlackMatter affiliate. Newer versions include additional file extensions to steal, as well as specific strings in file names that Exmatter excludes from the exfiltration targets. One directory target was shortened so that Exmatter can search for more files for exfiltration. Also SFTP server details used for uploading the stolen data were updated with Webdav to serve as a backup in case the SFTP transmission did not work.What is the Significance of the Updates Made to Exmatter?It is significant because the attacker used lessons learned from the networks of previous victims to update Exmatter to make data exfiltration more efficient and effective against future victims.What does FortiGuard Labs Know About BlackMatter Ransomware?BlackMatter ransomware is a fairly new Ransomware-as-a-Service (RaaS) and was discovered in late July 2021. The group posted ads on hacking forums recruiting affiliates and asking to buy access to compromised corporate networks to deploy ransomware. FortiGuard Labs has previously released two Threat Signals on BlackMatter ransomware. See the Appendix for a link to the Threat Signal, "Meet BlackMatter: Yet Another RaaS in the Wild" and to the Threat Signal, "Joint CyberSecurity Advisory on BlackMatter Ransomware (AA21-291A)."What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against Exmatter:MSIL/Agent.7AAD!trW32/Crypt!trPossibleThreatAll Network IOC's related to this threat are blocked by the FortiGuard WebFiltering Client. | Ransomware Tool Threat | ||
 |
2021-11-11 17:00:01 | Google debuts ClusterFuzzLite security tool for CI, CD workflows (lien direct) | The fuzzing solution is set to bolster software supply chain security. | Tool | ||
|
2021-11-11 16:04:21 | How to tame cloud infrastructure sprawl with open source CloudQuery (lien direct) | Commentary: The cloud makes infrastructure sprawl easier and worse than ever. Here's an open source tool to help you keep it in control. | Tool | ||
|
2021-11-11 15:42:13 | How to easily transfer files between computers with croc (lien direct) | If you're looking for an easy command-line tool to transfer files between systems on the same LAN, Jack Wallen believes croc is the tool for the job. | Tool | ||
|
2021-11-10 16:53:37 | Unity purchases Weta Digital\'s visual-effects tool suite for $1.6 billion (lien direct) | Major deal continues the slow merging of movie-creation and game-creation tools. | Tool | ||
 |
2021-11-10 16:07:38 | RPC Firewall Dubbed \'Ransomware Kill Switch\' Released to Open Source (lien direct) | Today at Black Hat London, Zero Networks announced the release of its RPC firewall – also dubbed the 'ransomware kill switch' – into open source. The tool provides granular control over RPC, capable of blocking the use of lateral movement hacker tools and stopping almost all ransomware in its tracks. | Ransomware Tool | ||
|
2021-11-10 16:00:00 | Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, Braktooth, Linux, Gamaredon, Magecart and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
(published: November 5, 2021)
A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.
Analyst Comment: Users are urged to patch or employ workarounds as soon as possible.
Tags: Bluetooth, BrakTooth, Exploit, Vulnerability
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
(published: November 4, 2021)
Researchers at SentinelOne have identified a vulnerability in the TIPC Module, part of the Linux Kernel. The Transparent Inter-Process Communication (TIPC) module is a protocol that is used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated as “CVE-2021-43267”, is a heap overflow vulnerability that could be exploited to execute code within the kernel.
Analyst Comment: TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15.
Tags: Linux, TIPC, Vulnerabiltity
Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB
(published: November 4, 2021)
The Ukrainian Secret Service claims to have identified five members of the threat group, Gamaredon. The group, who Ukraine are claiming to be operated by the Russian Federal Security Service (FSB), are believed to be behind over 5,000 attacks against Ukraine. These attacks usually consist of malicious documents and using a template injection vulnerability, the group has targeted government, public and private entities.
Analyst Comment: Users should be careful that a file is sent via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Users should be careful when viewing documents that ask for macros to be enabled.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection
|
Ransomware Data Breach Malware Tool Vulnerability Threat | ||
 |
2021-11-10 09:27:57 | Shadow IT Makes People More Vulnerable to Phishing, (Wed, Nov 10th) (lien direct) | Shadow IT is a real problem in many organizations. Behind this term, we speak about pieces of hardware or software that are installed by users without the approval of the IT department. In many cases, shadow IT is used because internal IT teams are not able to provide tools in time. Think about a user who needs to safely exchange files with partners and no tool is available. A change request will be created to deploy one but, with the lack of (time|money|resources), the project will take time. Unfortunately, the user needs the tool now, so an alternative path will be used like a cloud file sharing service. | Tool | ||
 |
2021-11-10 00:08:40 | 14 New Security Flaws Found in BusyBox Linux Utility for Embedded Devices (lien direct) | Cybersecurity researchers on Tuesday disclosed 14 critical vulnerabilities in the BusyBox Linux utility that could be exploited to result in a denial-of-service (DoS) condition and, in select cases, even lead to information leaks and remote code execution.
The security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16-1.33.1, |
Tool Guideline | ||
|
2021-11-09 15:52:51 | Security Tool Guts: How Much Should Customers See? (lien direct) | Yaron Kassner, CTO of Silverfort, delves into the pros and cons of transparency when it comes to cybersecurity tools' algorithms. | Tool | ||
|
2021-11-08 21:44:35 | How to download a Windows 10 ISO file without using the Media Creation Tool (lien direct) | It is possible to download a Windows 10 ISO file directly from Microsoft without using their tool first, but they don't make it easy. This how-to shows you the elaborate procedure. | Tool | ||
|
2021-11-08 18:15:09 | CVE-2021-24701 (lien direct) | The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | Tool | ||
|
2021-11-05 23:15:08 | CVE-2021-41228 (lien direct) | TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. | Tool | ||
 |
2021-11-05 17:22:00 | DOD Licenses Data Carver (lien direct) | Digital forensics tool that salvages previously unrecoverable content can now be licensed from DC3 | Tool | ||
|
2021-11-05 17:00:57 | BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released (lien direct) | CISA is urging vendors to patch, given the release of public exploit code & a proof of concept tool for bugs that open billions of devices – phones, PCs, toys, etc. – to DoS & code execution. | Tool | ||
|
2021-11-05 14:58:45 | Researchers Release PoC Tool Targeting BrakTooth Bluetooth Vulnerabilities (lien direct) | The United States Cybersecurity and Infrastructure Security Agency (CISA) this week warned on proof-of-concept (PoC) code for the BrakTooth Bluetooth vulnerabilities now being publicly available. | Tool | ★★★ | |
 |
2021-11-04 23:07:34 | CISA recommends vendors to fix BrakTooth issues after the release of PoC tool (lien direct) | CISA urges vendors to address BrakTooth flaws after researchers have released public exploit code and a proof of concept tool for them. US CISA is urging vendors to address BrakTooth flaws after security researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against potential Bluetooth exploits. “On November […] | Tool | ||
 |
2021-11-04 15:15:31 | CISA urges vendors to patch BrakTooth bugs after exploits release (lien direct) | Researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress. [...] | Tool | ||
|
2021-11-03 15:14:53 | Google Docs gets a new insert tool to make life even easier (lien direct) | Google has added a new feature to Docs that makes inserting certain items and objects incredibly efficient. | Tool | ||
|
2021-11-02 19:15:58 | Starlink nightmare: Moving service location a few feet delays orders until 2023 (lien direct) | PSA: Using Starlink website map tool sends preorderers to "back of the line." | Tool | ||
|
2021-11-02 18:15:08 | CVE-2021-41232 (lien direct) | Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use. | Tool Vulnerability | ||
|
2021-11-02 15:00:00 | Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data leak, Critical services, Money laundering, Phishing, Ransomware, and Supply-chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BlackMatter: New Data Exfiltration Tool Used in Attacks
(published: November 1, 2021)
Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware - the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server prior to deployment of the ransomware as fast as possible. The speed is achieved via multiple filtering mechanisms: directory exclusion list, filetype whitelist, excluding files under 1,024 bytes, excluding files with certain attributes, and filename string exclusion list. Exmatter is being actively developed as three newer versions were found in the wild.
Analyst Comment: Exmatter exfiltration tool by BlackMatter is following two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. It makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention
Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations
(published: October 31, 2021)
Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went to state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.
Analyst Comment: Iran has not provided evidence behind the attribution, so |
Ransomware Malware Tool Threat Guideline | APT 29 APT 29 | |
|
2021-11-02 11:22:35 | BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool (lien direct) | The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports. | Ransomware Tool | ||
|
2021-11-01 15:21:34 | Check out Drafts on macOS: It\'s a multi-purpose text editor that does it all (lien direct) | Every once in a while, you come across a tool that is so useful, you can't believe you worked so long without it. Drafts, for macOS, is one such tool. | Tool | ||
|
2021-11-01 10:08:00 | BlackMatter Group Speeds Up Data Theft with New Tool (lien direct) | Exmatter delivers custom exfiltration to accelerate ransomware attacks | Ransomware Tool | ||
 |
2021-10-31 17:43:10 | Powercat for Pentester (lien direct) | Introduction Powercat is a simple network utility used to perform low-level network communication operations. The tool is an implementation of the well-known Netcat in Powershell. Traditional anti-viruses are known to allow Powercat to execute. The installed size of the utility is 68 KB. The portability and platform independence of the | Tool | ||
|
2021-10-31 13:40:35 | Video: Phishing ZIP With Malformed Filename, (Sun, Oct 31st) (lien direct) | This is a video for my diary entry "Phishing ZIP With Malformed Filename", where I show how to use my zipdump.py tool to visualize the special characters inside malformed filenames. | Tool | ||
 |
2021-10-29 14:31:12 | Software Composition Analysis Mitigates Systemic Risk in the Popular NPM Repository (lien direct) | Chris Wysopal, Veracode Chief Technology Officer and Co-Founder, recently sat down to discuss the open source supply chain attack on the popular npm repository. Below is the transcript and corresponding video of his reaction. Just a few days ago, we saw a classic open source supply chain attack where someone modified a JavaScript library, UA-Parser-JS, which is in the npm repository. The attackers modified the library to include password stealers and crypto miners so that the applications of anyone who downloaded that version would be compromised. With an attack like this, the applications that are using this library with this code are going to be running that code with the privileges that they have, wherever they're deployed. In this case, it was malicious code that was planted. I'm sure it was done in such a way that everyone using those libraries is going to become vulnerable. If it's password-stealing code, it's going to grab the passwords and send them to the attackers. In the case of crypto miners, it's going to suck up resources and CPU time and send the money to the attacker's wallets. It's important if you're using any kind of open source – which 99 percent of people building applications are – to use an open source software composition analysis (SCA) tool. What that can do is determine what open source you're using. Veracode SCA does this. Another important thing to do is make sure the vulnerability database that your SCA tool uses is current and up to date. At Veracode, we scan all the open source repos every single night. When this malicious code was inserted, we detected it right away. All of our customers were alerted that if they're using this version of the code, they need to update to the non-vulnerable version immediately. Veracode's recent State of Software Security: Open Source Edition report shows that 79 percent of the open source libraries that developers include are set it and forget it, which means they include it once and they never update it. But the updates tend to be relatively straightforward. In fact, 92 percent of open source flaws can be fixed with an update. And 69 percent of updates are a minor version change or less. It is really important to have good and timely information about the vulnerabilities in the libraries you're using and a good process for updating the libraries … hopefully in a very automated manner. That way you're updating these libraries without any manual effort, probably in minutes or hours instead of months. That could be the difference between an attacker compromising you or not. This is why it's so important to stay on top of all the known vulnerabilities in the open source libraries you're using as part of your application, because when you include that third-party code, your application is likely to become vulnerable to those same problems. Don't fall victim to an open source attack. Learn how Veracode Software Composition Analysis can protect your code. Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter. | Tool Vulnerability | ||
 |
2021-10-28 17:20:00 | CIA sought revenge against Julian Assange over hacking tool leaks, court hears (lien direct) | Pas de details / No more details | Tool | ||
 |
2021-10-28 13:00:00 | Protecting your device information with Private Set Membership (lien direct) | Posted by Kevin Yeo and Sarvar Patel, Private Computing Team At Google, keeping you safe online is our top priority, so we continuously build the most advanced privacy-preserving technologies into our products. Over the past few years, we've utilized innovations in cryptographic research to keep your personal information private by design and secure by default. As part of this, we launched Password Checkup, which protects account credentials by notifying you if an entered username and password are known to have been compromised in a prior data breach. Using cryptographic techniques, Password Checkup can do this without revealing your credentials to anyone, including Google. Today, Password Checkup protects users across many platforms including Android, Chrome and Google Password Manager.Another example is Private Join and Compute, an open source protocol which enables organizations to work together and draw insights from confidential data sets. Two parties are able to encrypt their data sets, join them, and compute statistics over the joint data. By leveraging secure multi-party computation, Private Join and Compute is designed to ensure that the plaintext data sets are concealed from all parties.In this post, we introduce the next iteration of our research, Private Set Membership, as well as its open-source availability. At a high level, Private Set Membership considers the scenario in which Google holds a database of items, and user devices need to contact Google to check whether a specific item is found in the database. As an example, users may want to check membership of a computer program on a block list consisting of known malicious software before executing the program. Often, the set's contents and the queried items are sensitive, so we designed Private Set Membership to perform this task while preserving the privacy of our users. Protecting your device information during enrollmentBeginning in Chrome 94, Private Set Membership will enable Chrome OS devices to complete the enrollment process in a privacy-preserving manner. Device enrollment is an integral part of the out-of-box experience that welcomes you when getting started with a Chrome OS device. The device enrollment process requires checking membership of device information in encrypted Google databases, including checking if a device is enterprise enrolled or determining if a device was pre-packaged with a license. The correct end state of your Chrome OS device is determined using the results of these membership checks.During the enrollment process, we protect your Chrome OS devices by ensuring no information ever leaves the device that may be decrypted by anyone else when using Private Set Membership. Google will never learn any device information and devices will not learn any unnecessary information about other devices. To our knowledge, this is the first instance of advanced cryptographic tools being leveraged to protect device information during the enrollment process.A deeper look at Private Set MembershipPrivate Set Membership is built upon two cryptographic tools:Homomorphic encryption is a powerful cryptographic tool that enables computation over encrypted data without the need f | Tool | ||
|
2021-10-27 19:58:37 | (Déjà vu) Avast released a free decryptor for Babuk ransomware (lien direct) | Researchers from cybersecurity firm Avast released a decryption tool for Babuk ransomware that allows victims to recover their files for free. Cybersecurity firm Avast has released a decryption tool for Babuk ransomware that allows victims to recover their files for free. The decryptor was created using the leaked source code and decryption keys. Babuk is […] | Ransomware Tool | ||
|
2021-10-27 14:35:13 | Free decryptor released for Atom Silo and LockFile ransomware (lien direct) | Avast has just released a decryption tool that will help AtomSilo and LockFile ransomware victims recover some of their files for free, without having to pay a ransom. [...] | Ransomware Tool | ||
|
2021-10-27 13:31:24 | No longer in preview, Microsoft Azure Purview is ready to help govern your data (lien direct) | Microsoft's data classification tool is now out of preview. We talked to Microsoft's Mike Flasko about its future. | Tool | ||
|
2021-10-27 11:52:12 | Babuk ransomware decryptor released to recover files for free (lien direct) | Czech cybersecurity software firm Avast has created and released a decryption tool to help Babuk ransomware victims recover their files for free. [...] | Ransomware Tool | ★★★★ | |
 |
2021-10-27 09:30:06 | Wslink: Unique and undocumented malicious loader that runs as a server (lien direct) | There are no code, functionality or operational similarities to suggest that this is a tool from a known threat actor | Tool Threat | ||
|
2021-10-25 05:49:34 | Emsisoft created a free decryptor for past victims of the BlackMatter ransomware (lien direct) | Experts from cybersecurity firm Emsisoft announced the availability of a free decryptor for past victims of the BlackMatter ransomware. Cybersecurity firm Emsisoft has released a free decryption tool for past victims of the BlackMatter ransomware. The researchers found a vulnerability in the encryption process implemented in the BlackMatter ransomware that allowed them to recover encrypted […] | Ransomware Tool Vulnerability |
To see everything:
Our RSS (filtrered)
