What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-13 18:30:20 | Russia-linked APT targets Ukraine by exploiting the Follina RCE vulnerability (lien direct) | >Ukraine’s Computer Emergency Response Team (CERT) warns that the Russia-linked Sandworm APT group may exploit the Follina RCE vulnerability. Ukraine’s Computer Emergency Response Team (CERT) is warning that the Russia-linked Sandworm APT may be exploiting the recently discovered Follina RCE. The issue, tracked as CVE-2022-30190, impacts the Microsoft Windows Support Diagnostic Tool (MSDT). Nation-state actors […] | Tool Vulnerability | ||
 |
2022-06-13 16:46:00 | Malware Intelligence Dashboards (lien direct) | Anomali Threat Research has released two, Malware Intelligence focused dashboards to assist cybersecurity and cyber threat intelligence professionals in organizing IOCs and strategic intelligence on relevant threats. These two dashboards are titled:
Malware Intelligence - Ransomware
Malware Intelligence - Remote Access Tools and Trojans
Ransomware and remote access tools and trojans are malware types used by threat actors spanning all levels of sophistication, from cybercriminal to advanced persistent threat to nation-state. Ransomware threat actors continue to be highly active and generate significant amounts of illicit funds, and learning more about how these threat actors operate can assist in taking proactive measures against such attacks.
Remote access tools are persistently abused by threat actors for malicious purposes. Knowing which tools the actors use and how they are used is important when making cybersecurity decisions to protect against this malware type; among numerous other variables.
These Malware Intelligence dashboards help amalgamate relevant information into a centralized location to assist in providing crucial contextual information in addition to the most recent IOCs made available through commercial and open-source threat feeds that users manage on ThreatStream.
Dashboards in ThreatStream provide a quick, digestible and timely source of key metrics on threat intelligence indicators. In ThreatStream you can access a number of different dashboard types: standard dashboards available out of the box; themed dashboards developed by the Anomali Threat Research Team; custom dashboards defined by by you; and specialized dashboards to support our Intelligence Initiatives or Lens+ specific data. From this month we greatly improve how an individual user can organize their dashboard views, enabling them to easily hide or show any dashboards available to them. Users show or hide any of the standard dashboards, as well as up to 10 other dashboards at any time. Management and ordering is now simplified so users can drag and drop visible dashboards to reorder according to priority and preference.
Key Capabilities
Users can now granularly manage their dashboards from across their organization and supplementary sources
Dashboards can be drawn from a library created by / visible to the user
Users can show / hide any standard ThreatStream dashboards
User can develop up to 10 custom dashboards for display.
Users will be able to drag and drop to edit the dashboard order and specify the user’s default dashboard (from April).
Customers can still avail of the Custom and ATR themed dashboards as previously
Benefits
Easy management of the rich set of dashboards available in ThreatStream
Quickly and easily access the right insights at the right time, in the right display order
Note: This screen now uses our new user interface design style - we hope you like it!
Malware Intelligence - Ransomware
Pulls OSINT and primary intelligence feeds related to ransomware samples, actors who use ransomware, and TTPs associated with known ransomware families, among others, and displays the data in 10 widgets.
Observables, IOCs, and threat models related to ransomware.
Malware Intelligence - Remote Access Tools and Trojans
Pulls OSINT and primary intelligence feeds related to remote access tool and trojan samples, actors who use these tools and trojans, and TTPs associated with known remote access tool and trojan families, among others, and displays the data in 10 widgets.
|
Ransomware Malware Tool Threat | ||
 |
2022-06-13 16:16:26 | API Security: Best Tools and Resources (lien direct) | Every organisation is facing a multitude of security challenges. These range from getting the basics right, like ensuring the correct firewall is in place, to higher-level challenges, such as API security and data privacy. One of the greatest challenges facing organizations these days is a comprehensive approach to API security. With an expanding number […] | Tool | ||
 |
2022-06-13 12:40:35 | PingPull RAT Activity Observed in New in the Wild Attacks (GALLIUM APT) (lien direct) | FortiGuard Labs is aware of a newly discovered in-the-wild remote access tool (RAT) used by GALLIUM APT, called PingPull. GALLIUM has targeted telecommunication, financial and governmental verticals, specifically in Africa, Europe and Southeast Asia in the past.GALLIUM was first detailed by CyberReason and Microsoft in 2019 in an operation targeting telecom providers stealing call detail records (CDR) that contain transactional information of SMS messages, sent and received phone calls, timestamps and other records. GALLIUM uses various off the shelf tools, and modified open source tools and malware to attack organizations for various campaigns. PingPull was observed by Palo Alto Networks in this latest campaign. Usage of the China Chopper webshell is commonly associated with this APT group as well.Powered by the CTABecause of our partnership in the Cyber Threat Alliance alongside other trusted partner organizations, Fortinet customers were protected in advance of this announcement.What is PingPull?PingPull is a remote access trojan (RAT). What makes PingPull novel is the usage of ICMP (Internet Control Message Protocol) which is not a typical TCP/UDP packet, that allows the threat actor to evade detection as it is not often monitored for anomalous activity. PingPull can also leverage HTTPS and TCP as well for further evasion. PingPull has been observed to install itself as a service for persistence. Besides containing typical RAT functionality, PingPull allows for a reverse shell further adding insult to injury. Previous RATs used by GALLIUM were modified versions of Poison Ivy and Gh0st Rat.Who is GALLIUM?GALLIUM is an APT group attributed to the Chinese government. The modus operandi of this group is to use various off the shelf tools to eventually compromise an organization via the utilization of stolen certificates to ultimately perform lateral movement within. Due to non-standardized APT naming conventions, GALLIUM is also known as Operation Soft Cell (CyberReason).What is the Status of Coverage?FortiGuard customers are protected against PingPull RAT by the following (AV) signatures:W32/PossibleThreatW64/Agent.BGA!trAll known URIs are blocked by the WebFiltering Client. | Malware Tool Threat | ||
 |
2022-06-13 10:28:07 | Russian hackers start targeting Ukraine with Follina exploits (lien direct) | Ukraine's Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190. [...] | Tool Vulnerability | ||
 |
2022-06-13 10:00:00 | DevSecOps deploy and operate processes (lien direct) | In the previous article, we covered the release process and how to secure the parts and components of the process. The deploy and operate processes are where developers, IT, and security meet in a coordinated handoff for sending an application into production.
The traditional handoff of an application is siloed where developers send installation instructions to IT, IT provisions the physical hardware and installs the application, and security scans the application after it is up and running. A missed instruction could cause inconsistency between environments. A system might not be scanned by security leaving the application vulnerable to attack. DevSecOps focus is to incorporate security practices by leveraging the security capabilities within infrastructure as code (IaC), blue/green deployments, and application security scanning before end-users are transitioned to the system.
Infrastructure as Code
IaC starts with a platform like Ansible, Chef, or Terraform that can connect to the cloud service provider’s (AWS, Azure, Google Cloud) Application Programming Interface (API) and programmatically tells it exactly what infrastructure to provision for the application. DevOps teams consult with developers, IT and security to build configuration files with all of the requirements that describe what the cloud service provider needs to provision for the application. Below are some of the more critical areas that DevSecOps covers using IaC.
Capacity planning - This includes rules around autoscaling laterally (automatically adding servers to handle additional demand, elastically) and scaling up (increasing the performance of the infrastructure like adding more RAM or CPU). Elasticity from autoscaling helps prevent non-malicious or malicious Denial of Service incidents.
Separation of duty – While IaC helps break down silos, developers, IT, and security still have direct responsibility for certain tasks even when they are automated. Accidentally deploying the application is avoided by making specific steps of the deploy process responsible to a specific team and cannot be bypassed.
Principal of least privilege – Applications have the minimum set of permissions required to operate and IaC ensures consistency even during the automated scaling up and down of resources to match demand. The fewer the privileges, the more protection systems have from application vulnerabilities and malicious attacks.
Network segmentation – Applications and infrastructure are organized and separated based on the business system security requirements. Segmentation protects business systems from malicious software that can hop from one system to the next, otherwise known as lateral movement in an environment.
Encryption (at rest and in transit) – Hardware, cloud service providers and operating systems have encryption capabilities built into their systems and platforms. Using the built-in capabilities or obtaining 3rd party encryption software protects the data where it is stored. Using TLS certificates for secured web communication between the client and business system protects data in transit. Encryption is a requirement for adhering with industry related compliance and standards criteria.
Secured (hardened) image templates – Security and IT develop the baseline operating system configuration and then create image templates that can be reused as part of autoscaling. As requirements change and patches are released, the baseline image is updated and redeployed.
Antivirus and vulnerability management tools – These tools are updated frequently to keep up with the dynamic security landscape. Instead of installing these tools in the baseline image, consider installing the tools t |
Tool Vulnerability Guideline | ||
 |
2022-06-12 19:39:36 | Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks (lien direct) | The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week. " | Malware Tool Threat | ||
 |
2022-06-10 17:44:17 | Overhaul your SEO with this automation tool (lien direct) | >WordLift SEO Tool for Google Sheets is a cost-effective and beginner-friendly SEO tool that quickly identifies opportunities to improve the way you create content. | Tool | ||
|
2022-06-10 15:48:57 | Don\'t worry about losing data, thanks to this budget-friendly tool (lien direct) | Never worry about lost or corrupted files ever again. MiniTool Power Data Recovery Personal is an affordable solution that can help you recover data from any source. | Tool | ||
|
2022-06-09 13:00:33 | Google to preview new Vertex AI tools at its virtual AI Summit (lien direct) | >Google's new tools and partnerships are designed to make machine learning easier to deploy and work with in the real world. | Tool | ||
|
2022-06-09 09:17:56 | (Déjà vu) Unofficial Security Patch Released For Microsoft Zero-Day Vulnerability (lien direct) | As the Follina flaw continues to be exploited in the wild, an unofficial security patch for a new Windows zero-day vulnerability in the Microsoft Diagnostic Tool (MSDT) has been made available. Referenced as DogWalk, the issue relates to a path traversal flaw that, when a potential target opens a specially created “.diagcab” archive file that […] | Tool Vulnerability | ||
 |
2022-06-09 07:48:00 | Hackers using stealthy Linux backdoor Symbiote to steal credentials (lien direct) | Researchers have come across a stealthy Linux backdoor that uses sophisticated techniques to hide itself on compromised servers and steal credentials. Dubbed Symbiote because it injects itself into existing processes, the threat has been in development since at least November 2021 and seems to have been used against the financial sector in Latin America."Symbiote is a malware that is highly evasive," researchers from BlackBerry said in a new report. "Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as AVs and EDRs should be statically linked to ensure they are not “infected” by userland rootkits."To read this article in full, please click here | Malware Tool Threat | ||
|
2022-06-09 03:54:41 | Even the Most Advanced Threats Rely on Unpatched Systems (lien direct) | Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups. In fact, these tools can prove almost | Ransomware Tool Threat | ||
|
2022-06-09 02:40:00 | RSA 2022: You\'re the New CISO. Want to Fix the Problem? Start by Simply Listening! (lien direct) | The new security boss needs to listen if they hope to win over a myriad of new constituencies in their first 90 days You just took over as the CISO, ready to dig in and make the most of this fantastic opportunity. With so much needing to be fixed, where do you start first? This topic received attention during the RSA 2022 security conference this week at a session that featured CISOs from Reddit, Amplitude and Robinhood. The CISOs recounted their first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures. Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact. All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response. That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour. The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats. For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team. It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way. Winning Over the Board Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors. In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact. Going even further, the CISO at some point early in their tenure will need to report progress t | Tool Threat Guideline | ||
|
2022-06-08 21:24:02 | 0Patch released unofficial security patch for new DogWalk Windows zero-day (lien direct) | >0patch researchers released an unofficial security patch for a Windows zero-day vulnerability dubbed DogWalk. 0patch released an unofficial security patch for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) dubbed DogWalk. The issue impacts all Windows versions, starting from Windows 7 and Server Server 2008, including the latest releases. The flaw […] | Tool Vulnerability | ||
|
2022-06-08 19:34:52 | This tool portably charges three devices at once (lien direct) | >Tired of hunting for multiple charging cables? Make your day simpler with the CHRGER™ Porta 3-in-1 Wireless Charger. | Tool | ||
|
2022-06-08 09:57:00 | BrandPost: 4 Factors to Consider When Choosing a Cloud Workload Protection Platform (lien direct) | Every dollar spent on security must produce a return on investment (ROI) in the form of better detection or prevention. As an IT leader, finding the tool that meets this requirement is not always easy. It is tempting for CISOs and CIOs to succumb to the “shiny toy” syndrome: to buy the newest tool claiming to address the security challenges facing their hybrid environment.With cloud adoption on the rise, securing cloud assets will be a critical aspect of supporting digital transformation efforts and the continuous delivery of applications and services to customers well into the future.However, embracing the cloud widens the attack surface. That attack surface includes private, public, and hybrid environments. A traditional approach to security simply doesn't provide the level of security needed to protect this environment and requires organizations to have granular visibility over cloud events.To read this article in full, please click here | Tool Guideline | ||
|
2022-06-08 06:24:15 | Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability (lien direct) | An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue - referenced as DogWalk - relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a | Tool Vulnerability | ||
|
2022-06-07 19:27:00 | Get your resume past automated screenings with this AI tool (lien direct) | This artificial intelligence assistant helps you take your working future by the horns. | Tool | ||
|
2022-06-07 17:41:00 | Anomali Cyber Watch: Man-on-the-Side Attack Affects 48,000 IP Addresses, Iran Outsources Cyberespionage to Lebanon, XLoader Complex Randomization to Contact Mostly Fake C2 Domains, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Confluence, Iran, Lebanon, Sandbox evasion, Signed files, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinDealer Dealing on the Side
(published: June 2, 2022)
Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. Man-on-the-side is similar to man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu were using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but on rare conditions serves the malware. One WinDealer sample was able to use a random IP from 48,000 IP addresses of two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom.
Analyst Comment: Man-on-the-side attacks are hard to detect. Defense would require a constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from advanced threat groups.
MITRE ATT&CK: [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN.
Analysis of the Massive NDSW/NDSX Malware Campaign
(published: June 2, 2022)
Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits including those based on newly-disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected often followed by the PHP proxy script that loads the payload on the server side to hide the malware staging server. Next step involves the NDSX script downloading |
Malware Tool Vulnerability Threat | ||
 |
2022-06-07 16:00:00 | Evil Corp Hacker Group Changes Ransomware Tactics to Evade US Sanctions (lien direct) | The Russian hacker group has shifted tactics and tools with an aim to continue profiting from its nefarious activity | Ransomware Tool | ||
|
2022-06-07 12:59:01 | (Déjà vu) New \'DogWalk\' Windows zero-day bug gets free unofficial patches (lien direct) | Free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) have been released today through the 0patch platform. [...] | Tool Vulnerability | ||
|
2022-06-07 12:59:01 | Two-year-old Windows DIAGCAB zero-day gets unofficial patches (lien direct) | Free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) have been released today through the 0patch platform. [...] | Tool Vulnerability | ||
 |
2022-06-07 12:00:40 | Detecting Follina: Microsoft Office remote code execution zero-day (lien direct) | >by Bhabesh Raj Rai, Security ResearchOn May 27, 2022, a security researcher highlighted a malicious document submitted to VirusTotal from Belarus. The document used Microsoft Office's remote template feature to download an HTML file remotely and subsequently load it, which executed a PowerShell payload via the Microsoft Support Diagnostic Tool (MSDT). Adversaries who can exploit [...] | Tool | ||
 |
2022-06-07 11:21:47 | Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw (lien direct) | The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario. | Tool Vulnerability | ||
 |
2022-06-06 23:26:16 | RSA 2022: Prometheus ransomware\'s flaws inspired researchers to try to build a near-universal decryption tool (lien direct) | Prometheus ransomware contained a weak random number generator that inspired researchers to try and build a one-size-fits-all decryptor. | Ransomware Tool | ||
|
2022-06-06 22:35:38 | Apple\'s New Feature Will Install Security Updates Automatically Without Full OS Update (lien direct) | Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that's designed to deploy security fixes without the need for a full operating system version update. "macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a | Tool | ||
|
2022-06-06 19:45:52 | Authy vs Google Authenticator: Two-factor authenticator comparison (lien direct) | >Check out these features from Authy and Google Authenticator before deciding which authentication tool is best for you. | Tool | ||
|
2022-06-06 17:51:29 | ClickUp vs Notion: Project management software comparison (lien direct) | >ClickUp and Notion are both top software tools designed to enable effective project management, but which is best for your business? | Tool | ||
|
2022-06-06 16:23:22 | How to always access your locked iOS device (lien direct) | >With this multifunctional iOS unlocking tool, you can solve various possible problems with your iPhone, iPad or iPod touch. Get a lifetime subscription of the tool for a limited time. | Tool | ||
 |
2022-06-06 13:45:45 | RSAC insights: \'CAASM\' tools and practices get into the nitty gritty of closing network security gaps (lien direct) | Reducing the attack surface of a company's network should, by now, be a top priority for all organizations. Related: Why security teams ought to embrace complexity As RSA Conference 2022 gets underway today in San Francisco, advanced systems to help … (more…) | Tool | ||
 |
2022-06-06 11:22:01 | A Warning To Enterprises: It\'s Time To Retire On-prem; Migration To Cloud And Modern AppSec Tools Critical To Future Threats, What Do You Think? (lien direct) | In light of the critical Atlassian zero-day (CVE-2022-26134) that's just making headlines, Information Security Experts emphasis why it is better time to move to cloud but what do you think? | Tool | ||
 |
2022-06-05 11:17:21 | The privately funded killer-asteroid spotter is here (lien direct) | It's a new tool for tracking space-rock trajectories-even with limited data. | Tool | ||
|
2022-06-03 23:46:21 | LuoYu APT delivers WinDealer malware via man-on-the-side attacks (lien direct) | >Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor An “extremely sophisticated” China-linked APT tracked as LuoYu was delivering malware called WinDealer via man-on-the-side attacks. Researchers from Kaspersky have uncovered an “extremely sophisticated” China-linked APT group, tracked as LuoYu, that has been observed using a malicious Windows tool called WinDealer. LuoYu has been active since at […] | Malware Tool | ||
|
2022-06-03 21:32:45 | AI and observability for IT operations: Does it improve performance? (lien direct) | >In a multi-cloud, multi-data center environment, IT needs new methods for tracking and troubleshooting applications. Observability tools can provide that. | Tool | ||
|
2022-06-03 18:50:53 | New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild (lien direct) | FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC's associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to "Confluence Security Advisory 2022-06-02". | Malware Tool Vulnerability Threat | ||
|
2022-06-03 17:53:45 | Rally vs Jira: Project management software comparison (lien direct) | >Rally and Jira are both project management solutions meant to work with common agile methodologies. Jira excels in flexibility, while Rally is a highly dedicated tool meant to work within the agile framework. | Tool | ||
|
2022-06-03 14:22:25 | Parental controls: What they can and can\'t do for you (lien direct) | Parental controls are a helpful tool in keeping your children safe online. But they should not be considered a set and forget kind of tool. | Tool | ||
|
2022-06-03 12:42:41 | Evil Corp Pivots LockBit to Dodge U.S. Sanctions (lien direct) | The cybercriminal group is distancing itself from its previous branding by shifting tactics and tools once again in an aim to continue to profit from its nefarious activity. | Tool | ||
|
2022-06-03 09:37:18 | Ransomware Roundup - 2022/06/02 (lien direct) | FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.What is Hive Ransomware?Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica's public health system was reportedly compromised by the ransomware.As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called "HiveLeaks" on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates. Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, "the data encryption is often carried out during non-working hours or at the weekend" in an attempt to encrypt as many files as possible without being noticed.Typical ransom note left behind by Hive ransomware below:Your network has been breached and all data is encrypted.To decrypt all the data you will need to purchase our decryption software.Please contact our sales department at: xxxx://[removed].onion/ Login: [removed] Password: [removed] Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Don't fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/ The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to "HiveLeaks". Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations. In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.See the Appendix for | Ransomware Malware Tool Threat | ||
|
2022-06-03 06:54:33 | Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (lien direct) | An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report. | Tool Threat | ||
|
2022-06-03 00:57:26 | Ahrefs vs. Semrush: Comparing the top SEO tools (lien direct) | >Ironically, the major difference between these two organic marketing suites may come down to pay-per-click features. | Tool | ||
 |
2022-06-03 00:28:07 | Atlassian: Unpatched critical flaw under attack right now to hijack Confluence (lien direct) | One suggested option: Turn the thing off until it can be fixed Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.… | Tool | ||
 |
2022-06-02 21:15:07 | CVE-2022-29085 (lien direct) | Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user. | Tool Vulnerability | ||
|
2022-06-02 19:40:18 | Adobe Sign vs DocuSign: Which tool is best for your business? (lien direct) | >Compare key features of top digital signature tools Adobe Sign and DocuSign for your company's operations and documentation needs. | Tool | ||
 |
2022-06-02 16:35:43 | Latest SOC Survey Anticipates Shift Toward MDR and XDR (lien direct) |
The challenges faced by Security Operations Centers (SOCs) around the world-workforce shortages, lack of visibility and automation, tool sprawl, and alert overload-continue to have a negative impact on SOC effectiveness and will likely result in increasing adoption of Managed Detection and Response (MDR) services and Extended Detection and Response (XDR) solutions. |
Tool | ||
|
2022-06-02 11:23:59 | Why Ransomware Timeline Shrinks By 94%? (lien direct) | Researchers at IBM’s X-Force team are reporting a 94% reduction in the duration of an enterprise ransomware attack from 2019 to 2021. Though the overall time was reduced, the attacker's tools appeared to remain mostly the same. Research showed that ransomware operators were most efficient against enterprises “who have not implemented effective measures to combat […] | Ransomware Tool | ||
|
2022-06-02 01:38:51 | SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (lien direct) | The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities. "Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity | Malware Tool Threat | APT-C-17 | |
|
2022-06-01 20:15:07 | CVE-2022-30190 (lien direct) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. | Tool | ||
|
2022-06-01 17:47:00 | Anomali Cyber Watch: TURLA\'s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Credit Card Stealer Targets PsiGate Payment Gateway Software
(published: May 25, 2022)
Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056
Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX
How the Saitama Backdoor uses DNS Tunneling
(published: May 25, 2022)
MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling
|
Ransomware Malware Tool Threat | APT 19 |
To see everything:
Our RSS (filtrered)
