What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-09-30 14:22:27 | .NET 5, Source Generators, and Supply Chain Attacks (lien direct) | IDEs and build infrastructure are being a target of various threat actors since at least 2015 when XcodeGhost has been discovered - https://en.wikipedia.org/wiki/XcodeGhost - malware-ridden Apple Xcode IDE that enabled attackers to plant malware in iOS applications built using it. Attacks executed through builds abuse trust we have in our build tools, IDEs, and software projects. This is slowly changing (for example Visual Studio Code added Workspace Trust feature in one of the recent releases: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time, .NET 5 added a powerful yet dangerous feature that could make attacks similar to described above easier to implement, deliver, and stay under the radar. Source Generators introduction Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5 - Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins Source Generators offer more flexibility as they're independent of IDE & compiler and do not require modifications of the source code. Source Generators can be present in your software solution as a part of Visual Studio solution structure, visible as a separate project in the IDE Solution browser. They can also be added, more often, as a nuget library similarly to any other dependency. Compilation pipeline that includes Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/&…; As Source Generators follow the same concept as Analyzers they may need to have the install and uninstall script. In a simple scenario, the install script will modify the given project csproj file in order to trigger Source Generator at build time. Similarly - uninstall script will remove any references to the Source Generator from csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and were already attempted in the wild but technique described in this blog post does not use scripts making potential attacks harder to detect. Generators can be used for various purposes, in the most trivial case to inject code that'll be callable from first-party code snippet. Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ using System; using System.Collections.Generic; using System.Text; using Microsoft.CodeAnalysis; using Microsoft.CodeAnalysis.Text; namespace SourceGeneratorSamples { [Generator] public class HelloWorldGenerator : ISourceGenerator { public void Execute(SourceGeneratorContext context) { // begin creating the source we'll inject into the users compilation var sourceBuilder = new StringBuilder(@" using System; namespace HelloWorldGenerated { public static class HelloWorld { public static void SayHello() { Console.WriteLine(""Hello from generated code!""); Console.WriteLine(""The following syntax trees existed in the compilation that created this program:""); "); // using the context, get a list of syntax trees in the users compilation var syntaxTrees = context.Compilation.SyntaxTrees; // add the filepath of each tree to the class we're building foreach (SyntaxTree tree in syntaxTrees) { sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");"); } // finish creating the source to inject sourceBuilder.Append(@" } } }"); // inject the created source into the users compilation context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8)); } public void Initialize(InitializationContext context) { // No initialization required for thi | Malware Tool Threat | ||
|
2020-11-19 16:23:50 | Healthcare Orgs: What You Need to Know About TrickBot and Ryuk (lien direct) |  In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of, ?????ヲcredible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,??? which they shared as a warning of potential ransomware attacks.
In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic; something healthcare providers should take that into consideration when determining how much to invest in their cybersecurity efforts.ツ?
The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, ?????ヲTrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.???
What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte X0R cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic. When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories:
C:\Windows\
C:\Windows\SysWOW64\
C:\Users\[Username]\AppData\Roaming\
From there, the executable file downloads modules from command and control servers (C2s) and places them into the host???s %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim???s machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here.
BazarLoader and Ryuk ransomware
CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks.
???The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure,??? the report says. ???Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.???
BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject l |
Ransomware Malware Tool Threat Patching | ★★★ |
1
We have: 2 articles.
We have: 2 articles.
To see everything:
Our RSS (filtrered)
