What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-07-12 14:08:04 | An Analysis of Infrastructure linked to the Hagga Threat Actor (lien direct) | >Summary As this research reveals, mapping out adversary infrastructure has distinct advantages that enable a proactive response to future threats. A well resourced team with access to the right tools can monitor changes to adversary infrastructure in real time, discoveries can become strategic advantages when fully exploited. This blog is geared towards the practitioner threat [...] | Tool Threat | ★★★★ | |
 |
2022-07-12 12:44:28 | How to Set Up a VPN on an iPhone in 2022 (lien direct) | >A virtual private network (VPN) is a tool that hides your geolocation and protects your privacy while you're online. It... | Tool | ||
 |
2022-07-12 10:00:00 | DevSecOps monitor and decommission (lien direct) | This is the final article of the DevSecOps series and how it overlays onto DevOps lifecycle. In the first article, we discussed build and test in DevSecOps. In the second article, we covered securing the different components of the deploy and operate process. The final phases of the DevOps lifecycle are monitoring the deployed applications and eventually decommissioning when they are no longer needed. The goal for DevSecOps is to have awareness and visibility into the entire application lifecycle to keep the system secured, healthy, and available. And when it’s time to decommission, follow the business processes to safely transition users and retire the application. Monitoring A system must be able to manage the failure of any application or hardware component. The goal of monitoring is to reduce the risk of failure by providing awareness and visibility into the behavior and health of applications and the overall system. When establishing a continuous monitoring program, consider the following security related items as part of the overall strategy. The health of all applications and systems are visible through monitoring. Understand the threats and vulnerabilities that put each application at risk. Identify and create policies that define what security controls are needed, where they should be applied, and track gaps in controls using a risk register. Logs and event data gathered by the tools should be segmented from the application, centrally collected, correlated, analyzed, and reported on for investigation. All stakeholders have a role in security, and they need to be trained on how to take action to protect the organization. Risk management must be dynamic to provide continuous monitoring and proactive resolution of security issues. Monitoring starts with the planning phase and continues through the entire lifecycle of the application. It should be designed into the application and not an afterthought at the end of delivery. Empowering stakeholders with monitoring information can provide greater security to keep applications healthy and available throughout their lifecycle. Decommission The most important step when decommissioning an application is obtaining awareness and support through a transition plan and schedule with the stakeholders and users. Companies can ease the transition by having an overlap period between the new application and the one being retired. During the overlap period, users can be moved in groups to ease the efforts needed to support and troubleshoot migrating users. Once users are transitioned and the legacy application is ready to be decommissioned, backups of the system should be performed. Any supporting infrastructure is turned down and returned to the pool of available resources. This reduces the attack surface of the organization and the administrative overhead of keeping a system secured. Developers also have a role in decommissioning the application. The following items should be addressed as part of retiring an application. Developers and any stakeholders with code checked out of the application source code repository need to check in their final versions and delete the code off their development workstations. The repository should have any merge requests to feature, or the master branches denied or approved before archiving. Developers should clean up the feature branches to reduce the size and complexity of the archived repository. Once the source code repository is cleaned up, it should be set to read-only and access removed for everyone except the necessary] stakeholders. Only the DevOps administrator should have access to the application c | Tool Threat | ||
 |
2022-07-11 22:59:00 | Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
(published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
(published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | |
Ransomware Malware Tool Vulnerability Threat Patching | APT 29 | |
 |
2022-07-11 21:38:10 | \'Luna Moth\' Group Ransoms Data Without the Ransomware (lien direct) | Unsophisticated campaigns use off-the-shelf RATs and other tools to exfiltrate data and demand a ransom to keep it private. | Ransomware Tool | ||
 |
2022-07-11 16:51:29 | MimiKatz for Pentester: Kerberos (lien direct) | >This write-up will be part of a series of articles on the tool called Mimikatz which was created in the programming language C. it is | Tool | ||
 |
2022-07-11 03:01:00 | Defending Aircraft Networks Against Cybersecurity Breaches (lien direct) | >The aviation industry is both vast and complex. More than 45,000 flights and 2.9 million passengers travel through U.S. airspace every day, requiring high-tech tools and extensive communications networks. All of that data and complexity makes the sector a prime target for cybercriminals. Worryingly, only 49% of non-governmental organizations have fully adopted NIST security standards. […]… Read More | Tool | ||
 |
2022-07-08 17:49:27 | Launch of News-Style Programme Endeavours to Raise Awareness of Cybersecurity (lien direct) | The UK Cyber Security Council, International Cyber Expo and ITN Business will be co-creators of a unique news-style programme produced to raise awareness and understanding of cyber security. The Information Age has brought enormous economic and social progress to many parts of the world and has proved to be a powerful tool for connectivity, freedom […] | Tool | ||
 |
2022-07-08 15:48:47 | Unifying Security and Development (lien direct) | Most developers don't learn about secure coding in the college IT programs. And once they join the workforce, they often don't have the time to learn about secure coding. The responsibility of training developers in secure coding best practices usually falls on security practitioners. Security practitioners are notoriously overworked, often lacking the bandwidth to train developers. Organizations are thus turning to AppSec learning experiences built specifically for development teams. These learning experiences deliver the tools and skills needed to keep an AppSec program on track. According to PeerSpot, the number one ranked solution in application security training software is Veracode Security Labs, which gives developers tools and hands-on training to tackle modern threats and adopt secure coding practices. PeerSpot members who use the platform share why it is deserving of its high ranking. Making the Choice for Veracode Security Labs Veracode Security Labs empowers developers… | Tool Threat | ||
 |
2022-07-08 14:04:16 | Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free (lien direct) | >Emsisoft has released a free decryption tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft released a free decryptor tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. The security firm states that the […] | Ransomware Tool | ||
 |
2022-07-08 05:30:27 | Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (lien direct) | LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano said. | Ransomware Tool | ||
|
2022-07-07 21:33:41 | Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival \'Brute Ratel\' Pen Test Tool (lien direct) | The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries. | Tool | ||
|
2022-07-07 10:00:00 | How can SOC analysts use the cyber kill chain? (lien direct) | This blog was written by an independent guest blogger. Security Operation Centers (SOCs) offer a robust method of ensuring cybersecurity and safety within an organization. Their demand has continued to grow, specifically with a significant rise in cyber-attacks amidst a looming cybersecurity skills gap. However, despite a typical SOC analyst's immense training and knowledge, mitigating the increase in cyber-attacks is no easy job. Compared to 2020, cybercrime has risen by 50% in 2021, which ultimately demands the use of robust security models such as the Cyber Kill Chain Model, which can help attain strong cybersecurity for organizations. Developed in 2011, the Cyber Kill Model is a widely accepted security model that helps SOC analysts and security practitioners attain security from several cyber-attacks. However, despite its usefulness, the model is yet to achieve the proper recognition it deserves. What is a cyber kill chain? The cyber kill chain model is a cyber security attack framework that helps explain how a specific cyber-attack is executed. In theory, the framework helps break down the steps taken by threat actors while conducting a successful cyber-attack. According to the model, there are seven stages of a cyber-attack that are: Reconnaissance Weaponization Delivery Exploitation Installation Command and control (C2) Actions on objectives The cyber kill chain model essentially debunks the traditional castle and moat method of attaining cyber security for organizations. Instead, the model helps identify, analyze and prevent cyber-attacks altogether. Developed as part of the Intelligence Driven Defense model for identifying and preventing cyber-attacks and data exfiltration, the model is widely accepted and used by various security practitioners. It is recognized as one of the most informative methods for understanding cyber-attacks and places emphasis on both the technology-driven and the social engineering-driven aspects of an attack. A proper understanding of the model can help prevent various attacks such as data breaches, privilege escalation, phishing, malware, ransomware, social engineering, and many more. How do SOC analysts use the cyber kill chain? SOC systems are built within organizations to monitor, detect, investigate, and respond to various cyber-attacks. The teams are charged with protecting sensitive data and the organization's assets, such as personal data, business systems, brand integrity, and intellectual property. Amidst this, the cyber kill chain model can effectively help them identify and mitigate a myriad of cyber-attacks. The seven stages of the cyber kill model demonstrate a specific goal along with a threat actor's path. SOC teams can therefore use the Cyber Kill Chain model to understand these attacks and implement security controls to prevent and detect the cyber-attacks before it thoroughly infiltrates the organization's network in the following method: 1. Reconnaissance This is the first stage of the cyber kill chain and involves the threat actor researching the potential target before the actual attack. Since the threat actor is on the hunt for vulnerabilities within the organization's cybersecurity posture, SOC analysts can ensure security through various means. They can use threat intelligence and network Intrusion Detection System (IDS) to mitigate the attack. Moreover, to minimize the chances of an attack, SOC analysts can also maintain an | Ransomware Malware Hack Tool Threat | ||
 |
2022-07-07 09:47:33 | Hackers Using \'Brute Ratel C4\' Red-Teaming Tool to Evade Detection (lien direct) | The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool has been used by nation-state attackers to evade detection, according to security researchers at Palo Alto Networks. | Tool | ||
 |
2022-07-06 16:17:00 | Attacker groups adopt new penetration testing tool Brute Ratel (lien direct) | Security researchers have recently identified several attack campaigns that use APT-like targeting techniques and deploy Brute Ratel C4 (BRc4), a relatively new adversary simulation framework. While hackers abusing penetration testing tools is not a new development -- Cobalt Strike and Metasploit's Meterpreter have been used by threat groups for years -- Brute Ratel is focused on detection evasion techniques, so it might pose a real challenge to defense teams."The emergence of a new penetration testing and adversary emulation capability is significant," researchers from security firm Palo Alto Networks said in a new report analyzing several recent samples. "Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities."To read this article in full, please click here | Tool Threat | ||
|
2022-07-06 15:20:36 | Less popular, but very effective, Red-Teaming Tool BRc4 used in attacks in the wild (lien direct) | >Threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection. Researchers from Palo Alto Networks Unit 42 discovered that a sample uploaded to the VirusTotal database on May 19, 2022 and considered benign by almost all the antivirus, was containing a payload associated with Brute Ratel C4 (BRc4), a new red-teaming and […] | Tool | ||
|
2022-07-06 15:01:00 | Anomali Cyber Watch: Russian KillNet DDoSed Lithuania, Building Automation Systems Targeted to Install ShadowPad, China-Sponsored Group Jumps from Home Routers to Connected Machines, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Industrial Control Systems, Phishing, Russia, Toll fraud, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Toll Fraud Malware: How an Android Application Can Drain Your Wallet
(published: June 30, 2022)
Toll fraud malware (subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe evolution of the toll fraud malware techniques used to abuse the Wireless Application Protocol (WAP) billing. Toll malware can intercept one-time passwords (OTPs) over multiple protocols (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities.
Analyst Comment: Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
(published: June 28, 2022)
Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers leveraged CVE-2020-26878 and CVE-2020-26879 vulnerabilities. Other exploits are yet to be uncovered with the most targeted devices being from ASUS, Cisco, DrayTek and NETGEAR mostly in Canada, the UK, and the US. The attackers were installing a heavily modified version of Mirai botnet dubbed ZuoRAT. ZuoRAT collects information on target networks, collects traffic (credentials passed in the clear, browsing activity) and hijacks network communication. Then the attackers move laterally targeting Windows and other machines on the same network and installing one of the three agents: Cobalt Strike, CBeacon, or GoBeacon.
Analyst Comment: SOHO router users should regularly reboot routers and install security updates. Businesses should ensure robust detection on network-based communications.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Component Object Model Hijacking - T1122 |
Malware Tool Vulnerability Threat | ||
 |
2022-07-06 10:00:32 | Dynamic analysis of firmware components in IoT devices (lien direct) | We decided to discuss less obvious tools for working with firmware, including Renode and Qiling. Each of those tools has its own features, advantages, and limitations that make it effective for certain types of task. | Tool | ||
 |
2022-07-06 06:00:00 | Obtenez vos coups de pied sur la route Soixante-Sink: Identifier les vulnérabilités à l'aide d'une analyse statique automatisée Get Your Kicks on Route Sixty-Sink: Identifying Vulnerabilities Using Automated Static Analysis (lien direct) |
 Introduction
Aujourd'hui, nous publions route Soixante-Sink , un outil open-source qui permet aux défenseurs et aux chercheurs en sécurité d'identifier rapidement les vulnérabilités dans n'importe quel assemblage .NET en utilisant automatiséAnalyse source à casque. Route Soixty-Sink a déjà été utilisé pour trouver et exploiter des dizaines de problèmes de sécurité critiques, dont un exemple sera discuté dans cet article de blog.
Contexte: analyse source à casque
L'identification des vulnérabilités dans les binaires d'application ou le code source est souvent un processus long et fastidieux.Pour aider à cela, une analyse source-sink est utilisée - une forme de données
 Introduction
Today, we are releasing Route Sixty-Sink, an open-source tool that enables defenders and security researchers alike to quickly identify vulnerabilities in any .NET assembly using automated source-to-sink analysis. Route Sixty-Sink has already been used to find and exploit dozens of critical security issues, an example of which will be discussed in this blog post.
Background: Source-to-Sink Analysis
Identifying vulnerabilities within application binaries or source code is often a long and tedious process. To help with this, source-to-sink analysis is used-a form of data |
Tool Vulnerability | ★★★ | |
 |
2022-07-06 05:27:10 | Near-undetectable malware linked to Russia\'s Cozy Bear (lien direct) | The fun folk who attacked Solar Winds using a poisoned CV and tools from the murky world of commercial hackware Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about the evil business.… | Malware Tool Threat | APT 29 | |
|
2022-07-06 04:40:27 | Hackers Abusing BRc4 Red Team Penetration Tool in Attacks to Evade Detection (lien direct) | Malicious actors have been observed abusing legitimate adversary simulation software in their attacks in an attempt to stay under the radar and evade detection. Palo Alto Networks Unit 42 said a malware sample uploaded to the VirusTotal database on May 19, 2022, contained a payload associated with Brute Ratel C4, a relatively new sophisticated toolkit "designed to avoid detection by endpoint | Tool | ||
|
2022-07-06 02:00:00 | How to keep attackers from using PowerShell against you (lien direct) | Living off the land is not the title of a gardening book. It's the goal of attackers going after your network. Rather than installing malicious software on your network that antivirus software might flag, attackers use the code already there to launch attacks. The tools that you use to monitor, maintain and access your network are often the same code that attackers use to attack your network. PowerShell is a prime example.The U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), New Zealand's NCSC, and the UK NCSC recently released a document called Keeping PowerShell: Security Measures to Use and Embrace. This guidance recommends keeping PowerShell in your network rather than blocking but offers the following advice to keep it secure.To read this article in full, please click here | Tool | ||
|
2022-07-05 23:56:37 | (Déjà vu) NIST Picks Four Quantum-Resistant Cryptographic Algorithms (lien direct) | The US Department of Commerce's National Institute of Standards and Technology (NIST) announced the first group of encryption tools that will become part of its post-quantum cryptographic standard. | Tool | ||
 |
2022-07-05 17:21:00 | NIST Acknowledges First Four Quantum-Resistant Encryption Tools (lien direct) | The four algorithms will now become part of NIST's post-quantum cryptographic standard | Tool | ||
|
2022-07-05 07:00:03 | GUEST ESSAY: Rising cyber risks make business intelligence gathering more vital than ever (lien direct) | Gathering intelligence has always been a key tool for organisational decision making – understanding the external operating environment is the '101' for business. How can you grasp the challenges and opportunities for your company without a deep understanding of all … (more…) | Tool | ||
|
2022-07-04 03:01:00 | The Need of Privacy Certifications for Lawyers (lien direct) | >The widespread adaptability and integration of tools and the professionals who can effectively use them to comply with the law will significantly impact the careers of both lawyers and other legal personnel. One of the fastest-growing areas in the legal profession in the United States is Privacy Law. Privacy certifications endorse attorneys as credentialed privacy […]… Read More | Tool | ||
|
2022-07-03 16:10:18 | Security Affairs newsletter Round 372 by Pierluigi Paganini (lien direct) | >A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs for free in your email box. The role of Social Media in modern society – Social Media Day 22 interview Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool A ransomware attack […] | Ransomware Tool | ||
|
2022-07-02 19:41:06 | Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool (lien direct) | >Researchers shared technical details and proof-of-concept exploit code for the CVE-2022-28219 flaw in Zoho ManageEngine ADAudit Plus tool. Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool. The tool allows monitoring activities of […] | Tool | ||
 |
2022-07-01 17:15:07 | CVE-2022-31113 (lien direct) | Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canarytoken (a URL) to execute Javascript in the Canarytoken's history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. The issue has been patched on Canarytokens.org and in the latest release. No signs of successful exploitation of this vulnerability have been found. Users are advised to upgrade. There are no known workarounds for this issue. | Tool Vulnerability | ||
|
2022-07-01 17:00:00 | Microsoft Spots Updated Cryptomining Malware Tool Targeting Linux Systems (lien direct) | The malware also reportedly features self-propagating capabilities | Malware Tool | ||
|
2022-07-01 05:27:57 | Case of Attack Exploiting AnyDesk Remote Tool (Cobalt Strike and Meterpreter) (lien direct) | MS-SQL servers are mainly the attack targets for Windows systems. Attackers scan vulnerable MS-SQL servers that are poorly managed and install malware upon gaining control. Malware strains installed by attackers include CoinMiner, ransomware, backdoor, etc., and may vary depending on the purpose of the attack. Most backdoor strains are remote control types such as Remcos RAT and Gh0st RAT, but there are also infiltration testing tools used to dominate companies’ internal systems such as Cobalt Strike and Meterpreter. The attack... | Malware Tool | ||
|
2022-07-01 02:03:44 | New \'SessionManager\' Backdoor Targeting Microsoft IIS Servers in the Wild (lien direct) | A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after | Malware Tool | ||
 |
2022-06-30 20:45:20 | USB installer tool removes Windows 11\'s Microsoft account requirements (and more) (lien direct) | Tool can also patch out the CPU, TPM, and Secure Boot install requirements. | Tool | ||
 |
2022-06-30 19:16:29 | How traditional security tools fail to protect companies against ransomware (lien direct) | >Most organizations surveyed by Titaniam have existing security prevention and backup tools, but almost 40% have still been hit by ransomware attacks in the last year. | Ransomware Tool | ||
|
2022-06-30 16:57:48 | Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion (lien direct) | Titaniam's 'State of Data Exfiltration & Extortion Report' also finds that while over 70% of organizations had heavy investments in prevention, detection, and backup solutions, the majority of victims ended up giving into attackers' demands. | Ransomware Tool | ||
|
2022-06-30 16:00:08 | Google battles bots, puts Workspace admins on alert (lien direct) | No security alert fatigue here Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.… | Tool | ||
|
2022-06-30 15:17:15 | Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration (lien direct) | An unauthenticated remote code execution vulnerability found in Zoho's compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows. | Tool Vulnerability | ||
 |
2022-06-30 12:33:39 | Augment your Windows and EDR telemetry with Sysmon (lien direct) | >by Bhabesh Raj Rai, Security ResearchSysmon (System Monitor) is one of the popular tools from Sysinternals for monitoring and logging system activity to the Windows event logs.Of course, you can say Windows already has its native event logs, so why bother? And, we already have an endpoint detection and response (EDR) solution installed on our [...] | Tool | ||
|
2022-06-30 10:00:00 | Dealing with the Cybersecurity Challenges of Digital Transformation (lien direct) | We’re back after a little hiatus with this week’s blog in the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number two on our list: Dealing with the speed and complexity of digital transformation. During the COVID-19 crisis, digital transformation became even more critical. To describe digital transformation in economic terms means integrating digital technologies into every aspect of a business, resulting in fundamental changes to how companies operate and provide value to their customers. Technology has changed from supporting business processes to becoming integral to a company’s customer value proposition. A study by McKinsey found that companies accelerated their digital transformation efforts by three to seven years within just months, fearing that they would lose their competitive advantage and be left behind by competitors already ahead. Organizations need to rethink what they mean when saying “digital transformation.” It’s not just about making your website responsive, adding digital capabilities, or creating a mobile app for your business. It’s about changing your mindset when thinking about your customers, empowering your staff, and powering business. And ensuring your security program can adapt to that mindset to ensure the security of your enterprise. Digital Transformation Increases Cyber Risk Security teams continue to face unique challenges daily. Their organization’s digital transformation initiatives continue to increase the complexity, expanding their attack surface with a distributed infrastructure. Because of this, cybersecurity postures should be updated and adjusted to support transformation goals to defend against this new level of complexity. In addition to the ever-changing threat landscape, security teams face more concerns due to a more distributed workforce. They also need to evaluate the risks associated with a growing number of connected devices and the disappearing perimeter. The increased adoption of cloud infrastructures also poses unique challenges to organizations, forcing them to transform their security posture to protect against cloud infrastructure vulnerabilities. Securing a Remote Work Force Remote work is here to stay and will only increase. Global Workplace Analytics calculates that 22% of the workforce (i.e., 36.2 million Americans) will work remotely by 2025. The significant uptick in remote work setups and digital business is pushing organizations to apply for secure access no matter where their users, applications, or devices are located. To provide the level of security necessary to protect the variety of new systems implemented, many enterprises are shifting to more cloud-friendly and behavior-based security approaches. New Challenges and Security Vulnerabilities As mentioned above, studies show that a large portion of those working from home will likely stay that way for the long term. Corporate leaders attempting to coax employees back to the office have broadly accepted the inevitability of the hybrid work model. To ensure their defensive measures remain in place and to maintain business as usual safely, it’s critical for IT teams to develop strategic plans to safeguard employees, facilities, data, | Tool Threat Studies Guideline | ||
 |
2022-06-29 18:35:27 | Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support (lien direct) | The threat presented by today's adversaries is as pervasive as it is dangerous - eCrime and state-nexus actors alike are attempting to infiltrate companies and organizations of all sizes and across all verticals. While technology is a powerful tool for performing routine or repeatable analysis, the only way to effectively hunt and contain sophisticated and […] | Tool Threat | ||
|
2022-06-29 17:00:00 | Cybersecurity Researchers Launch New Malware Hunting Tool YARAify (lien direct) | The defensive tool is designed to scan suspicious files against a large repository of YARA rules | Malware Tool | ||
 |
2022-06-29 16:24:35 | Minors Use Discord Servers To Earn Extra Pocket Money Through Spreading Malware (lien direct) | Avast, a global leader in digital security and privacy, has discovered an online community of minors constructing, exchanging and spreading malware, including ransomware and a mix of information stealers and cryptominers. The group lures young users by advertising access to different malware builders and tool kits that allow laypeople to construct malware easily. In some cases, people […] | Ransomware Malware Tool Guideline | ||
|
2022-06-29 15:16:14 | What are the top cross-platform app development frameworks in 2022? (lien direct) | >With so many cross-platform app development frameworks available, it can be overwhelming to find the best fit for you. We've compiled a list of five tools you can use within your organization. | Tool | ||
|
2022-06-29 10:47:40 | (Déjà vu) Evilnum Hackers Return With New Activity Targeting International Migration Campaigns (lien direct) | The Evilnum hacking group have been targeting European organisations that are involved in international migration, showing renewed signs of malicious activity within the group. Evilnum is an advanced persistent threat (APT) that has been active since at least 2019 and had its campaign and tools exposed in 2020. In 2020, ESET published a technical report […] | Tool Threat | ||
|
2022-06-29 04:57:36 | New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators (lien direct) | Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies. Dubbed "YTStealer" by Intezer, the malicious tool is likely believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar. "What sets YTStealer aside from other | Malware Tool | ||
|
2022-06-28 19:15:09 | CVE-2022-31108 (lien direct) | Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks. | Tool Guideline | ||
|
2022-06-28 19:11:00 | Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: API hammering, APT, China, Phishing, Ransomware, Russia, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed
(published: June 24, 2022)
ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection.
Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware
There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families
(published: June 24, 2022)
Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes.
Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: malware:BazarLoad |
Ransomware Spam Malware Tool Vulnerability Threat | APT 28 APT 23 | |
|
2022-06-28 15:00:00 | Android Spyware \'Revive\' Upgraded to Banking Trojan (lien direct) | Dubbed 'Revive' because of its ability to automatically restart in case it stops working, the tool seems to be designed for persistent campaigns. | Tool | ||
|
2022-06-28 14:25:40 | How to use monday work management for project management (lien direct) | >Jack Wallen shows you how to set up monday work management as your next project management tool to keep your teams working efficiently and effectively. | Tool | ||
|
2022-06-28 13:19:02 | Best agile project management software for 2022 (lien direct) | >With so many agile project management tools available, it can be overwhelming to find the best fit for you. We've compiled a list of ten tools you can use to take advantage of agile within your organization. | Tool |
To see everything:
Our RSS (filtrered)
