What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-08-07 07:00:00 | Comment scanner des QRCode depuis le Terminal Linux ? (lien direct) | Si vous travaillez essentiellement sur PC Linux et que vous n’avez de smartphone sous la main pour scanner un éventuel QRCode, j’ai ce qu’il vous faut. Il s’agit d’un petit tool qui s’appelle Qrscan et qui permet au choix d’utiliser la webcam de votre PC pour scanner un QRCode sur … Suite | Tool | ||
 |
2022-08-04 14:00:00 | Hackers deploy new ransomware tool in attacks on Albanian government websites (lien direct) | >The hackers linked to the Iranian government claimed to have attacked Albania for hosting an opposition group conference. | Ransomware Tool | ||
 |
2022-08-04 13:34:26 | Protect domain-joined computer passwords with Windows\' Local Administrator Password Solution (lien direct) | Windows finally includes a tool to manage local admin passwords, but admins will still need to do some work to make it useful. | Tool | ||
 |
2022-08-04 08:00:13 | Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (lien direct) |  By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.Executive SummaryDark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.What is "Dark Utilities?"In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.  Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing develo |
Spam Malware Hack Tool Threat Guideline | APT 19 | |
 |
2022-08-04 05:55:40 | New Woody RAT Malware Being Used to Target Russian Organizations (lien direct) | An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign. The advanced custom backdoor is said to be delivered via either of two methods: archive files and Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190) | Malware Tool Vulnerability Threat | ★★★★★ | |
 |
2022-08-03 17:15:45 | Manjusaka, a new attack tool similar to Sliver and Cobalt Strike (lien direct) | >Researchers spotted a Chinese threat actors using a new offensive framework called Manjusaka which is similar to Cobalt Strike. Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools. The […] | Tool Threat | ||
 |
2022-08-03 07:19:00 | Qualys adds external attack management capability to cloud security platform (lien direct) | Cloud security and compliance software company Qualys on Wednesday announced it is adding external attack surface management (EASM) capabilities to the Qualys Cloud Platform.The new capability will be integrated into Qualys CSAM (cybersecurity asset management) 2.0, an inventory monitoring and resolution tool to help security teams gain visibility into previously unknown internet-facing assets.“Achieving full asset visibility remains one of cybersecurity's most elusive goals,” said Sumedh Thakar, Qualys CEO, in a press release. ”CyberSecurity Asset Management 2.0 solves this by providing both the holistic, external attacker-level and internal view of the attack surface to address the increased threat landscape comprehensively.”To read this article in full, please click here | Tool Threat | ||
|
2022-08-03 02:00:00 | Tips to prevent RDP and other remote attacks on Microsoft networks (lien direct) | One long-favored way that ransomware enters your system is through Microsoft's Remote Desktop Protocol (RDP) attacks. Years ago when we used Microsoft's Terminal Services (from which RDP evolved) for shared remote access inside or outside of an office, attackers would use a tool called TSGrinder. It would first review a network for Terminal Services traffic on port 3389. Then attackers would use tools to guess the password to gain network access. They would go after administrator accounts first. Even if we changed the administrator account name or moved the Terminal Services protocol to another port, attackers would often sniff the TCP/IP traffic and identify where it was moved to.To read this article in full, please click here | Ransomware Tool | ||
 |
2022-08-02 19:31:09 | Axis Raises the Bar With Modern-Day ZTNA Service that Boasts Hyper-Intelligence, Simplicity, and 350 Global Edges (lien direct) | Launches industry's first ZTNA Migration Tool and ZTNA Buyback Program, setting the stage for migration away from ZTNA 1.0. | Tool | ||
 |
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
|
2022-08-02 12:30:55 | LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender (lien direct) | >An affiliate of the LockBit 3.0 RaaS operation has been abusing the Windows Defender command-line tool to deploy Cobalt Strike payloads. During a recent investigation, SentinelOne researchers observed threat actors associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. The attackers initially compromise the target […] | Tool Threat | ||
 |
2022-08-02 09:00:00 | Microsoft announces new external attack surface audit tool (lien direct) | Microsoft has announced a new security product allowing security teams to spot Internet-exposed resources in their organization's environment that attackers could use to breach their networks. [...] | Tool | ||
|
2022-08-02 01:07:34 | LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload (lien direct) | A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads. According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server. "Once initial | Ransomware Tool Threat | ||
 |
2022-08-01 20:15:08 | CVE-2022-31188 (lien direct) | CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue. | Tool | ★★ | |
|
2022-07-31 23:31:03 | Australian Hacker Charged with Creating, Selling Spyware to Cyber Criminals (lien direct) | A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. Jacob Wayne John Keen, who currently resides at Frankston, Melbourne, is said to have created the remote access trojan (RAT) when he was 15, in addition to working as the administrator for the tool from 2013 until its | Tool | ||
 |
2022-07-30 14:53:14 | LockBit Operators Abusing Microsoft Defender To Load Cobalt Strike Beacon (lien direct) | >Researchers from the cybersecurity company, SentinelOne have discovered that Microsoft's Windows Defender is being abused by a threat actor associated with the LockBit 3.0 ransomware operation to load Cobalt Strike beacons onto potentially compromised systems and evade EDR and AV detection tools. The researchers found that Microsoft Defender's command line tool “MpCmdRun.exe” was abused to […] | Ransomware Tool Threat | ||
 |
2022-07-27 21:58:53 | We\'re likely only seeing \'the tip of the iceberg\' of Pegasus spyware use against the US (lien direct) | House intel chair raises snoop tool concerns as Google and others call for greater crack down Google and internet rights groups have called on Congress to weigh in on spyware, asking for sanctions and increased enforcement against so-called legit surveillanceware makers.… | Tool | ||
|
2022-07-27 18:49:47 | Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (lien direct) | Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests. | Tool | ||
|
2022-07-27 14:00:00 | The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (lien direct) | IT admins can lock some of the obvious open doors in business applications, but system visibility is key. Build automatic monitoring defenses and adopt a Git-like tool so you can "version" your business apps to restore prior states. | Tool | ||
|
2022-07-27 12:57:00 | BrandPost: How a Cybersecurity Program Can Counter Configuration Drift (lien direct) | Once your organization is secured, you'll need to ensure that your environment doesn't stray from its protected state. Configuration drift may be inevitable, but you can leverage best practices to minimize its consequences.Why does configuration drift occur? Whether by choice or chance, change happens in IT environments. Software updates roll out, ad hoc decisions take effect, end users change settings, and new systems come in. When these decisions are made in haste, security considerations can be incomplete or missing altogether.Even if systems were secure to start with, the once-hardened IT environments develop “gaps” over time. It's not always easy to keep track of the changes that can lead to configuration drift. You'll need a management tool that provides you with a big (and granular) picture so that your team can effectively monitor and remedy the situation.To read this article in full, please click here | Tool Guideline | ||
|
2022-07-26 17:10:00 | Anomali Cyber Watch: Cozy Bear Abuses Google Drive API, Complex Lightning Framework Targets Linux, Google Ads Hide Fraudulent Redirects, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Bots, China, Linux, Malspam, Mobil, Russia, and Spearhishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware
(published: July 21, 2022)
Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it.
Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229
Google Ads Lead to Major Malvertising Campaign
(published: July 20, 2022)
Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac |
Malware Tool Threat Guideline | APT 29 | |
 |
2022-07-26 09:07:19 | Hitting ransomware for six: marking the anniversary of a valuable cybercrime tool (lien direct) | >For the past six years, a free project has helped ransomware victims to avoid paying criminals or suffering prolonged recovery times. Today marks the sixth anniversary of Europol's No More Ransom initiative. During the last decade, the threat of ransomware has ratcheted steadily upwards. Criminals are targeting organisations of all sizes across various industries, crippling ... | Ransomware Tool Threat | ★★★★ | |
 |
2022-07-26 00:00:00 | Better Together: AWS and Trend Micro (lien direct) | This post relays the latest threat detection tool innovation of AWS - Amazon GuardDuty Malware Protection. This tool works closely with Trend Micro cloud solutions, providing another valuable layer of defense in our fight against a shared adversary. | Malware Tool Threat | ||
 |
2022-07-25 10:00:00 | The future of email threat detection (lien direct) | This blog was written by an independent guest blogger. As businesses continue to adopt cloud integration and remote work increases, security teams are facing more visibility challenges as well as an influx of security event data. There is more need to understand the threats than ever before, as the threat surface area increases, and tactics increase. Cyber threats are becoming more sophisticated and occurring more frequently, forcing organizations to rely on quality threat detection to protect their data, employees, and reputation. With the vast majority of cybercrime beginning with phishing or spear-phishing email, an effective security solution should focus on your email system. To combat these attacks, you'll need threat detection services with multiple layers in their approach as no single threat detection tool is equipped to prevent every type of attack. This article will explore the future of security strategies to help keep email and data safe. Security Information and Event Management (SIEM) Ransomware attacks continue to rise, and SecOps teams are having difficulty preventing attacks before damage can be done. This results in pursuing solutions that accelerate detection and response while increasing operational efficiencies. Traditional security information and event management (SIEM) are no longer effective in reducing risks and burdens on security teams lacking staff, especially with overwhelming alerts and false positives. SIEMs were originally designed for log collection and compliance storage and later evolved to include the correlation of log data sources to detect threats. Functionality continued to grow to eventually integrate log, network, and endpoint data into one location and match up with security events. This helped analysts to explore commonalities and develop rules surrounding the related events that SIEM could use to help detect known threats. Organizations looking to minimize cyber risk among in-person, cloud, remote, and hybrid infrastructures require unified data collection, as well as a series of analytics, Machine Learning (ML), Artificial Intelligence (AI), and targeted automation for a shorter response time. The problem with current threat protection Attacks are more targeted than ever before, making it necessary to understand more about the user and protect them individually. The need for business intelligence encouraged by data requires increasing the quality of threat detection and response capabilities and to properly defend your assets, you need to know what the threats are. CEO of Rivery, Ben Hemo said, “The ‘data tsunami’ that companies are experiencing means they are desperately looking for tools, solutions, and services that will help them control this unprecedented flow of data hitting them from all directions, sources, and databases. It is no surprise that the data management market is poised for huge growth.” Security teams have had to adapt to the security ecosystem by devising new and creative methods out of pressure to replace SIEM tools with limited resources. Unfortunately, time to build, ongoing maintenance, scale, and long-term customer needs have introduced challenges. Practitioners will likely make the move toward solutions that can keep up the pace with high-performance production environments due to a growing need for cloud-native, high-scale detection and response platforms. Business Email Compromise (BEC) Employees with authority are frequently impersonated in dangerous email scams because of their role within the company and the access that they have to confidential information. Business email compromise, or whaling, is a popular attack that cybercriminals use to target victims based on hierarchy, their role in the company, and their access to valuable information. These attacks are | Tool Threat Guideline | ||
|
2022-07-20 16:04:39 | Acronis Cyber Protect Home Office: The full image backup tool to meet today\'s demanding needs (lien direct) | Jack Wallen tests the Acronis Cyber Protect Home Office app, a disaster recovery tool anyone can use to create a full disk clone of crucial systems with ease. | Tool | ||
|
2022-07-19 15:10:00 | Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, North Korea, Obfuscation, Phishing, Ransomware, Russia, Trojans, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Digium Phones Under Attack: Insight Into the Web Shell Implant
(published: July 15, 2022)
Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones. The attackers were exploiting CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module. The attackers used a two-stage malware: initial dropper shell script was installing the PHP web shell backdoor. The malware achieves polymorphism through binary padding by implanting a random junk string into each malware download. This polymorphism allowed Unit42 to detect more than 500,000 unique malware samples from late December 2021 till the end of March 2022. The attackers use multilayer obfuscation, schedules tasks, and new user creation for persistence.
Analyst Comment: Potentially affected FreePBX users should update their restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy including malware sandbox detection and orchestrating multiple security appliances and applications.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: CVE-2021-45461, Digium Asterisk, PHP Web Shell, Binary padding, Rest Phone Apps, restapps, FreePBX, Elastix
North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware
(published: July 14, 2022)
Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530) to financially-motivated North Korean state-sponsored actors. In June-October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools.
Analyst Comment: Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Scheduled Task - T1053 | |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2022-07-18 19:49:05 | MLNK Builder 4.2 released in Dark Web – malicious shortcut-based attacks are on the rise (lien direct) | >Cybercriminals released a new MLNK Builder 4.2 tool for malicious shortcuts (LNK) generation with an improved Powershell and VBS Obfuscator Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, has detected an update of one of the most popular tools used by cybercriminals to generate malicious LNK files, so frequently used for […] | Tool | ||
|
2022-07-18 02:59:54 | Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems (lien direct) | Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines to a botnet. The software "exploited a vulnerability in the firmware which allowed it to retrieve the password on command," Dragos security researcher Sam Hanson said. "Further, the software was a malware | Tool Vulnerability | ||
 |
2022-07-18 00:00:00 | Unleash the Kraken: What the Latest Secureworks Tool Means for You (lien direct) | Unleash the Kraken: What the Latest Secureworks Tool Means for YouWith 1.4 trillion password guesses per second, Secureworks password cracking machine challenges whether many passwords are truly secure.With the right equipment, password cracking is a breeze. Learn why the Secureworks Counter Threat Unit is the best choice. | Tool Threat | ||
|
2022-07-15 18:15:08 | CVE-2022-31157 (lien direct) | LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds. | Tool | ||
|
2022-07-15 18:15:08 | CVE-2022-31158 (lien direct) | LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the Nonce Claim Value was not being validated against the nonce value sent in the Authentication Request. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds. | Tool | ||
|
2022-07-15 13:46:43 | Password recovery tool infects industrial systems with Sality malware (lien direct) | A threat actor is infecting industrial control systems (ICS) to create a botnet through password "cracking" software for programmable logic controllers (PLCs). [...] | Malware Tool Threat | ||
|
2022-07-15 02:00:00 | The CSO guide to top security conferences, 2022 (lien direct) | There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don't have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts.Fortunately, plenty of great conferences are coming up in the months ahead.If keeping abreast of security trends and evolving threats is critical to your job - and we know it is - then attending some top-notch security conferences is on your must-do list for 2022.From major events to those that are more narrowly focused, this list from the editors of CSO, will help you find the security conferences that matter the most to you.To read this article in full, please click here | Tool | ||
|
2022-07-14 20:15:08 | CVE-2022-31156 (lien direct) | Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files. | Tool | ||
|
2022-07-12 22:15:08 | CVE-2022-31102 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which have single sign on (SSO) enabled. The exploit also assumes the attacker has 1) access to the API server's encryption key, 2) a method to add a cookie to the victim's browser, and 3) the ability to convince the victim to visit a malicious `/auth/callback` link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. Exploiting the XSS would allow the attacker to impersonate the victim, but would not grant any privileges which the attacker could not otherwise gain using the encryption key. A patch for this vulnerability has been released in the following Argo CD versions 2.4.5 and 2.3.6. There is currently no known workaround. | Tool Vulnerability | Uber | |
|
2022-07-12 22:15:08 | CVE-2022-31105 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) OpenID Connect (OIDC) provider. A patch for this vulnerability has been released in Argo CD versions 2.4.5, 2.3.6, and 2.2.11. There are no complete workarounds, but a partial workaround is available. Those who use an external OIDC provider (not the bundled Dex instance), can mitigate the issue by setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap. This mitigation only forces certificate validation when the API server handles login flows. It does not force certificate verification when verifying tokens on API calls. | Tool Vulnerability | Uber | |
 |
2022-07-12 14:08:04 | An Analysis of Infrastructure linked to the Hagga Threat Actor (lien direct) | >Summary As this research reveals, mapping out adversary infrastructure has distinct advantages that enable a proactive response to future threats. A well resourced team with access to the right tools can monitor changes to adversary infrastructure in real time, discoveries can become strategic advantages when fully exploited. This blog is geared towards the practitioner threat [...] | Tool Threat | ★★★★ | |
 |
2022-07-12 12:44:28 | How to Set Up a VPN on an iPhone in 2022 (lien direct) | >A virtual private network (VPN) is a tool that hides your geolocation and protects your privacy while you're online. It... | Tool | ||
|
2022-07-12 10:00:00 | DevSecOps monitor and decommission (lien direct) | This is the final article of the DevSecOps series and how it overlays onto DevOps lifecycle. In the first article, we discussed build and test in DevSecOps. In the second article, we covered securing the different components of the deploy and operate process. The final phases of the DevOps lifecycle are monitoring the deployed applications and eventually decommissioning when they are no longer needed. The goal for DevSecOps is to have awareness and visibility into the entire application lifecycle to keep the system secured, healthy, and available. And when it’s time to decommission, follow the business processes to safely transition users and retire the application. Monitoring A system must be able to manage the failure of any application or hardware component. The goal of monitoring is to reduce the risk of failure by providing awareness and visibility into the behavior and health of applications and the overall system. When establishing a continuous monitoring program, consider the following security related items as part of the overall strategy. The health of all applications and systems are visible through monitoring. Understand the threats and vulnerabilities that put each application at risk. Identify and create policies that define what security controls are needed, where they should be applied, and track gaps in controls using a risk register. Logs and event data gathered by the tools should be segmented from the application, centrally collected, correlated, analyzed, and reported on for investigation. All stakeholders have a role in security, and they need to be trained on how to take action to protect the organization. Risk management must be dynamic to provide continuous monitoring and proactive resolution of security issues. Monitoring starts with the planning phase and continues through the entire lifecycle of the application. It should be designed into the application and not an afterthought at the end of delivery. Empowering stakeholders with monitoring information can provide greater security to keep applications healthy and available throughout their lifecycle. Decommission The most important step when decommissioning an application is obtaining awareness and support through a transition plan and schedule with the stakeholders and users. Companies can ease the transition by having an overlap period between the new application and the one being retired. During the overlap period, users can be moved in groups to ease the efforts needed to support and troubleshoot migrating users. Once users are transitioned and the legacy application is ready to be decommissioned, backups of the system should be performed. Any supporting infrastructure is turned down and returned to the pool of available resources. This reduces the attack surface of the organization and the administrative overhead of keeping a system secured. Developers also have a role in decommissioning the application. The following items should be addressed as part of retiring an application. Developers and any stakeholders with code checked out of the application source code repository need to check in their final versions and delete the code off their development workstations. The repository should have any merge requests to feature, or the master branches denied or approved before archiving. Developers should clean up the feature branches to reduce the size and complexity of the archived repository. Once the source code repository is cleaned up, it should be set to read-only and access removed for everyone except the necessary] stakeholders. Only the DevOps administrator should have access to the application c | Tool Threat | ||
|
2022-07-11 22:59:00 | Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
(published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
(published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | |
Ransomware Malware Tool Vulnerability Threat Patching | APT 29 | |
|
2022-07-11 21:38:10 | \'Luna Moth\' Group Ransoms Data Without the Ransomware (lien direct) | Unsophisticated campaigns use off-the-shelf RATs and other tools to exfiltrate data and demand a ransom to keep it private. | Ransomware Tool | ||
 |
2022-07-11 16:51:29 | MimiKatz for Pentester: Kerberos (lien direct) | >This write-up will be part of a series of articles on the tool called Mimikatz which was created in the programming language C. it is | Tool | ||
 |
2022-07-11 03:01:00 | Defending Aircraft Networks Against Cybersecurity Breaches (lien direct) | >The aviation industry is both vast and complex. More than 45,000 flights and 2.9 million passengers travel through U.S. airspace every day, requiring high-tech tools and extensive communications networks. All of that data and complexity makes the sector a prime target for cybercriminals. Worryingly, only 49% of non-governmental organizations have fully adopted NIST security standards. […]… Read More | Tool | ||
 |
2022-07-08 17:49:27 | Launch of News-Style Programme Endeavours to Raise Awareness of Cybersecurity (lien direct) | The UK Cyber Security Council, International Cyber Expo and ITN Business will be co-creators of a unique news-style programme produced to raise awareness and understanding of cyber security. The Information Age has brought enormous economic and social progress to many parts of the world and has proved to be a powerful tool for connectivity, freedom […] | Tool | ||
 |
2022-07-08 15:48:47 | Unifying Security and Development (lien direct) | Most developers don't learn about secure coding in the college IT programs. And once they join the workforce, they often don't have the time to learn about secure coding. The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked, often lacking the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams. These learning experiences deliver the tools and skills needed to keep an AppSec program on track. According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking. Making the Choice for Veracode Security Labs Veracode Security Labs empowers developers… | Tool Threat | ||
|
2022-07-08 14:04:16 | Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free (lien direct) | >Emsisoft has released a free decryption tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft released a free decryptor tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. The security firm states that the […] | Ransomware Tool | ||
|
2022-07-08 05:30:27 | Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (lien direct) | LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano said. | Ransomware Tool | ||
|
2022-07-07 21:33:41 | Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival \'Brute Ratel\' Pen Test Tool (lien direct) | The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries. | Tool | ||
|
2022-07-07 10:00:00 | How can SOC analysts use the cyber kill chain? (lien direct) | This blog was written by an independent guest blogger. Security Operation Centers (SOCs) offer a robust method of ensuring cybersecurity and safety within an organization. Their demand has continued to grow, specifically with a significant rise in cyber-attacks amidst a looming cybersecurity skills gap. However, despite a typical SOC analyst's immense training and knowledge, mitigating the increase in cyber-attacks is no easy job. Compared to 2020, cybercrime has risen by 50% in 2021, which ultimately demands the use of robust security models such as the Cyber Kill Chain Model, which can help attain strong cybersecurity for organizations. Developed in 2011, the Cyber Kill Model is a widely accepted security model that helps SOC analysts and security practitioners attain security from several cyber-attacks. However, despite its usefulness, the model is yet to achieve the proper recognition it deserves. What is a cyber kill chain? The cyber kill chain model is a cyber security attack framework that helps explain how a specific cyber-attack is executed. In theory, the framework helps break down the steps taken by threat actors while conducting a successful cyber-attack. According to the model, there are seven stages of a cyber-attack that are: Reconnaissance Weaponization Delivery Exploitation Installation Command and control (C2) Actions on objectives The cyber kill chain model essentially debunks the traditional castle and moat method of attaining cyber security for organizations. Instead, the model helps identify, analyze and prevent cyber-attacks altogether. Developed as part of the Intelligence Driven Defense model for identifying and preventing cyber-attacks and data exfiltration, the model is widely accepted and used by various security practitioners. It is recognized as one of the most informative methods for understanding cyber-attacks and places emphasis on both the technology-driven and the social engineering-driven aspects of an attack. A proper understanding of the model can help prevent various attacks such as data breaches, privilege escalation, phishing, malware, ransomware, social engineering, and many more. How do SOC analysts use the cyber kill chain? SOC systems are built within organizations to monitor, detect, investigate, and respond to various cyber-attacks. The teams are charged with protecting sensitive data and the organization's assets, such as personal data, business systems, brand integrity, and intellectual property. Amidst this, the cyber kill chain model can effectively help them identify and mitigate a myriad of cyber-attacks. The seven stages of the cyber kill model demonstrate a specific goal along with a threat actor's path. SOC teams can therefore use the Cyber Kill Chain model to understand these attacks and implement security controls to prevent and detect the cyber-attacks before it thoroughly infiltrates the organization's network in the following method: 1. Reconnaissance This is the first stage of the cyber kill chain and involves the threat actor researching the potential target before the actual attack. Since the threat actor is on the hunt for vulnerabilities within the organization's cybersecurity posture, SOC analysts can ensure security through various means. They can use threat intelligence and network Intrusion Detection System (IDS) to mitigate the attack. Moreover, to minimize the chances of an attack, SOC analysts can also maintain an | Ransomware Malware Hack Tool Threat | ||
 |
2022-07-07 09:47:33 | Hackers Using \'Brute Ratel C4\' Red-Teaming Tool to Evade Detection (lien direct) | The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks. | Tool |
To see everything:
Our RSS (filtrered)
