What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-05-25 18:00:46 | How to back up a database with Borgmatic (lien direct) | >Jack Wallen shows you how to configure the Borgmatic tool to back up your databases with ease. | Tool | ||
|
2022-05-25 15:52:23 | How to install the Apache Druid real-time analytics database on Ubuntu-based Linux distributions (lien direct) | >If you're looking for a real-time data analytics platform, Jack Wallen thinks Apache Druid is hard to beat. Find out how to get this tool up and running and then how to load sample data. | Tool | ||
|
2022-05-25 15:30:13 | RapidMiner vs Alteryx: Compare data science software (lien direct) | >RapidMiner and Alteryx are tools that offer unique capabilities to help users with their data processing. | Tool | ||
|
2022-05-24 21:34:37 | KNIME vs Alteryx: Data science software comparison (lien direct) | >KNIME and Alteryx are top data science tools with ETL capabilities that can help with the challenge of working with a high data volumes. Compare the features to see which software is best for your business. | Tool | ||
 |
2022-05-24 19:15:09 | CVE-2022-22977 (lien direct) | VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure. | Tool Guideline | ||
|
2022-05-24 18:31:10 | TIBCO vs MuleSoft: Data science software comparison (lien direct) | >Compare the features of TIBCO and MuleSoft, which are software tools that help users build and maintain their data pipelines. | Tool | ★★★★ | |
 |
2022-05-24 17:29:00 | Anomali Cyber Watch: Conti\'s Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Conti Ransomware, Disinformation, Internet of things, Phishing, VMware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
(published: May 20, 2022)
In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability using server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, Scanning/Callbacks, and Webshells. CVE-2022-22954 is also being exploited to drop variants of the Mirai/Gafgyt, and in the case of the observed Enemybot variant, final payloads themselves embed CVE-2022-22954 exploits for further exploitation and propagation.
Analyst Comment: Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
(published: May 20, 2022)
Advanced Intel researchers report that Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure including their negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intentionally causing publicity |
Ransomware Malware Tool Vulnerability Threat | ||
|
2022-05-24 15:00:58 | You can now combine Power Virtual Agents and the Azure Bot Framework Composer (lien direct) | >New tools make it easy for low code users and pro code developers to work together on a project and take the Power Platform to the next level. | Tool | ||
 |
2022-05-24 13:59:51 | LimaCharlie Banks $5.45 Million in Seed Funding (lien direct) | LimaCharlie, a California company supplying tools to run an MSSP or SOC on a pay-as-you-use model, has attracted $5.45 million in seed round financing. | Tool | ||
 |
2022-05-24 13:29:37 | Meet BlackByte Ransomware (lien direct) | FortiGuard Labs is aware of a relatively new ransomware family "BlackByte" is in the wild, infecting organizations around the globe. BlackByte was first observed as early as July 2021. In February 2022, the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) issued a joint advisory that "multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture) were targeted by BlackByte ransomware affiliates. In common with other ransomware, BlackByte encrypts and steals files on the compromised machines, and demands ransom from the victim to recover the files and not to leak the stolen information to the public.Why is this Significant?This is significant as the BlackByte ransomware family reportedly compromised organizations around the globe including multiple US and foreign businesses and US critical infrastructure sectors. Also, ProxyShell, an exploit attack chain involving three vulnerabilities in Microsoft Exchange Server, widely used in enterprise email application, were reported to have been used as an infection vector. Microsoft issued patches for ProxyShell in May and July 2021. BlackByte ransomware infection may indicate that some organizations have not yet applied those fixes or workaround.FortiGuard Labs previously published multiple Threat Signals on ProxyShell. See the Appendix section for links to New Threat Actor Leverages ProxyShell Exploit to Serve RansomwareVulnerable Microsoft Exchange Servers Actively Scanned for ProxyShellBrand New LockFile Ransomware Distributed Through ProxyShell and PetitPotamWhat is BlackByte?BlackByte is a ransomware-as-a-service (RaaS), which runs a business of leasing necessary ransomware services to its affiliates. Such ransomware services including developing ransomware, creating and maintaining necessary infrastructures (i.e., ransom payment portal), ransom negotiation with victims as well as provides support service to the affiliates. Attacks are typically carried out by BlackByte affiliates, who rent and use those services. Once a victim is compromised and ransom is paid, BlackByte developers take a portion of the ransom as a service fee.How does the Attack Work?Typically attacks that deliver ransomware arrive in emails, however the join advisory reported that BlackByte threat actors, in some case, exploited known Microsoft Exchange Server vulnerabilities including ProxyShell to gain access to the victim's network. Once the attacker gains a foothold in the victim's network, the attacker deploys tools such as oft-abused Cobalt Strike to move laterally across the network and escalate privileges before exfiltrating and encrypting files. Some BlackByte ransomware variants may have worm functionality, which allows itself to self-propagate through the victim's network.Files that are encrypted by BlackByte ransomware typically have a ".blackbyte" file extension.BlackByte ransomware reportedly avoids encrypting files if the ransomware detects compromised systems that use Russian and ex-USSR languages.What is ProxyShell?ProxyShell is a name for a Microsoft Exchange Server exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows an attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against currently available Indicator-of-Compromises (IOCs) associated with BlackByte ransomware:RTF/BlackByte.DC56!tr.ransomW64/BlackByte.DC56!tr.ransomW32/Agent.CH!trW32/CobaltStrike.NV!trJS/Agent.49CC!trW32/PossibleThreatFortiGuard Labs provides the following IPS coverage against three vulnerabilities that are leveraged in ProxyShell:MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)FortiEDR detects and blocks ProxyShell attacks out of the box without any prior knowledge | Ransomware Tool Threat | ||
 |
2022-05-23 13:35:52 | Attacker Scanning for jQuery-File-Upload, (Mon, May 23rd) (lien direct) | Recently, I noticed some requests hitting our honeypots that appear to attempt to exploit jQuery-File-Upload. jQuery-File-Upload is a popular tool for implementing file uploads. It has been around for a while and has had a few vulnerabilities in the past, but nothing recent as far as I can tell [1]. Allowing users to upload files securely is tricky. And jQuery-File-Upload is tempting faith by allowing uploads into the document root. The walk-through by Kristian Bremberg explaining past jQuery-File-Upload vulnerabilities is an excellent summary of all the things that can go wrong [2]. | Tool | ||
|
2022-05-21 00:15:11 | CVE-2022-29216 (lien direct) | TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the `safe=False` argument, so all parsing is done without calling `eval`. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4. | Tool | ||
|
2022-05-20 22:18:07 | Jenkins vs GitLab: DevOps software comparison (lien direct) | >Jenkins and GitLab are popular tools for continuous integration and continuous development, but which software is right for you? Learn how features of these DevOps tools compare. | Tool | ||
|
2022-05-20 21:15:10 | CVE-2022-29186 (lien direct) | Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files. | Tool | ★★ | |
|
2022-05-20 16:15:09 | CVE-2022-29159 (lien direct) | Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available. | Tool | ||
|
2022-05-20 16:15:09 | CVE-2022-24906 (lien direct) | Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available. | Tool | ||
|
2022-05-20 15:15:10 | CVE-2022-29165 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable. | Tool Vulnerability | Uber | |
|
2022-05-20 14:15:09 | CVE-2022-24904 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround. | Tool Vulnerability | Uber | |
|
2022-05-20 14:15:09 | CVE-2022-24905 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds. | Tool Vulnerability | Uber | |
|
2022-05-19 20:56:32 | Visio: From a simple IT tool to the universal business diagram app it was always meant to be (lien direct) | >Everyone using Microsoft 365 now gets access to Visio, but what can you do with it – and which diagramming features do you still have to pay more for? | Tool | ||
 |
2022-05-19 00:00:00 | Cyber risk management: Attribution strategies (lien direct) | Discover the importance of cyber attribution, the benefits, and the right tools to assist your efforts so you can better manage cyber risk across your digital attack surface. | Tool | ||
 |
2022-05-18 20:04:37 | Microsoft warns of attacks targeting MSSQL servers using the tool sqlps (lien direct) | >Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online. Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary). Microsoft warned of […] | Tool Threat | ||
|
2022-05-18 17:16:21 | How storytelling can make you a more effective presenter (lien direct) | >Our natural human instinct for sharing and hearing stories can be a highly effective tool for presenting information of all sorts. | Tool | ||
 |
2022-05-18 15:41:53 | Hacking the Microsoft Sculpt keyboard (lien direct) |  In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional). Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.Under the wrist rest are anot |
Malware Tool | ||
|
2022-05-18 15:15:10 | CVE-2022-29518 (lien direct) | Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series(GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool(Remote GC) allows a local attacker to bypass authentication due to the improper check for the Remote control setting's account names. This may allow attacker who can access the HMI from Real time remote monitoring and control tool may perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI. | Tool | ||
 |
2022-05-18 09:45:06 | Microsoft warns partners to revoke unused authorizations that drive your software (lien direct) | June debut of zero trust GDAP tool should make it harder for crims to attack through MSPs and resellers Microsoft has advised its reseller community it needs to pay attention to the debut of improve security tooling aimed at making it harder for attackers to worm their way into your systems through partners.… | Tool | ||
 |
2022-05-18 09:03:33 | Privileged pod escalations in Kubernetes and GKE (lien direct) | Posted by GKE and Anthos Platform Security Teams At the KubeCon EU 2022 conference in Valencia, security researchers from Palo Alto Networks presented research findings on “trampoline pods”-pods with an elevated set of privileges required to do their job, but that could conceivably be used as a jumping off point to gain escalated privileges.The research mentions GKE, including how developers should look at the privileged pod problem today, what the GKE team is doing to minimize the use of privileged pods, and actions GKE users can take to protect their clusters.Privileged pods within the context of GKE securityWhile privileged pods can pose a security issue, it's important to look at them within the overall context of GKE security. To use a privileged pod as a “trampoline” in GKE, there is a major prerequisite – the attacker has to first execute a successful application compromise and container breakout attack. Because the use of privileged pods in an attack requires a first step such as a container breakout to be effective, let's look at two areas:features of GKE you can use to reduce the likelihood of a container breakoutsteps the GKE team is taking to minimize the use of privileged pods and the privileges needed in them.Reducing container breakoutsThere are a number of features in GKE along with some best practices that you can use to reduce the likelihood of a container breakout:Use GKE Sandbox to strengthen the container security boundary. Over the last few months, GKE Sandbox has protected containers running it against several newly discovered Linux kernel breakout CVEs.Adopt GKE Autopilot for new clusters. Autopilot clusters have default policies that prevent host access through mechanisms like host path volumes and host network. The container runtime default seccomp profile is also enabled by default on Autopilot which has prevented several breakouts.Subscribe to GKE Release Channels and use autoupgrade to keep nodes patched automatically against kernel vulnerabilities.Run Google's Container Optimized OS, the minimal and hardened container optimized OS that makes much of the disk read-only.Incorporate binary authorization into your SDLC to require that containers admitted into the cluster are from trusted build systems and up-to-date on patching.Use Secure Command Center's Container Threat Detection or supported third-party tools to detect the most common runtime attacks.More information can be found in the GKE Hardening Guide.How GKE is reducing the use of privileged pod | Tool Threat | Uber | |
 |
2022-05-18 04:22:22 | Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang (lien direct) | The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT said in a new report shared with The | Tool | ||
|
2022-05-17 21:15:08 | CVE-2022-29162 (lien direct) | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. | Tool | ★★★ | |
|
2022-05-17 15:01:00 | Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
COBALT MIRAGE Conducts Ransomware Operations in U.S.
(published: May 12, 2022)
Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
SYK Crypter Distributing Malware Families Via Discord
(published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 15 APT 34 | |
 |
2022-05-17 13:00:36 | Zero Trust and SASE: Better Together for Financial Institutions (lien direct) | >A Zero Trust cybersecurity model, enabled by a modern Secure Access Services Edge (SASE) architecture, gives financial institutions powerful tools to support new ways of working without compromising their ability to compete and innovate. | Tool | ||
 |
2022-05-17 10:30:19 | Hackers can steal your Tesla Model 3, Y using new Bluetooth attack (lien direct) | Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices. [...] | Tool | ||
|
2022-05-17 09:05:52 | Use Your Browser Internal Password Vault... or Not?, (Tue, May 17th) (lien direct) | Passwords... a so hot topic&#;x26;#;x21; Recently big players (Microsoft, Apple &#;x26; Google) announced that they would like to suppress (or, at least, reduce)&#;xc2;&#;xa0;the use of classic passwords&#;x5b;1&#;x5d;. In the meantime, they remain the most common way to authenticate users against many online services. Modern Browsers offer lightweight password management tools ("vaults")&#;xc2;&#;xa0;that help users to save their passwords in a central repository. So they don&#;x26;#;39;t have to remember them, and they follow the golden rule that we, infosec people, are recommending for a long time: to not&#;xc2;&#;xa0;share passwords across services.&#;xc2;&#;xa0;But it is really safe? | Tool | ||
|
2022-05-17 01:50:51 | U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (lien direct) | The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements. Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the | Ransomware Tool | ||
|
2022-05-16 17:31:54 | Gradle vs. Maven: DevOps tools comparison (lien direct) | >Gradle and Maven are two of the top build automation tools available for developers. Learn how these tools differ to find the right DevOps tool for your projects. | Tool | ||
|
2022-05-16 17:21:06 | Researchers Devise New Type of Bluetooth LE Relay Attacks (lien direct) | Security researchers at NCC Group have created a new tool capable of launching a new type of Bluetooth Low Energy (BLE) relay attack that bypasses existing protections and mitigations. | Tool | ||
|
2022-05-15 10:00:00 | Windows admins frustrated by Quick Assist moving to Microsoft Store (lien direct) | Windows admins have been expressing their dismay at Microsoft's decision to move the Quick Assist remote assistance tool to the Microsoft Store. [...] | Tool | ||
|
2022-05-13 21:16:51 | (Déjà vu) Google Created \'Open Source Maintenance Crew\' to Help Secure Critical Projects (lien direct) | Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers | Tool Vulnerability | ||
|
2022-05-13 05:26:14 | Google Created \'Open-Source Maintenance Crew\' to Help Secure Critical Projects (lien direct) | Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers | Tool Vulnerability | ||
 |
2022-05-12 22:13:56 | 5 Tips For Creating Bulletproof Passwords (lien direct) | >
While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and...
|
Tool | ||
|
2022-05-12 12:55:35 | How Innovation Turns 5G Security from a Reactive to Proactive Tool (lien direct) | >5G security for enterprise rides on the viability of enterprise-grade security that safeguards the new business-critical operations against cyber threats. | Tool | ||
 |
2022-05-12 09:48:04 | NCSC launches free email security check (lien direct) | The UK’s National Cyber Security Centre (NCSC) has released a free tool designed to help organisations check whether their email security settings are sufficient. The Email Security Check service was released yesterday by the NCSC, an offshoot of the UK spy agency GCHQ. The tool works to look up publicly available information on anti-spoofing standards such as […] | Tool | ★★ | |
 |
2022-05-11 16:05:43 | Mettre les choses en contexte |Campagnes de menace de temps Putting Things in Context | Timelining Threat Campaigns (lien direct) |
La visualisation des données fait partie intégrante de la recherche sur les menaces.Voyez comment nous avons utilisé cet outil d'analyse de la chronologie pour suivre l'activité dans le cyber-conflit ukrainien.
Visualizing data is integral to threat research. See how we used this timeline analysis tool to track activity in the Ukrainian cyber conflict. |
Tool Threat | ★★ | |
|
2022-05-11 15:15:08 | CVE-2021-34605 (lien direct) | A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vulnerability can be triggered by manually opening an infected project file, or by initiating an upload program request from an infected Xinje PLC. This can result in remote code execution, information disclosure and denial of service of the system running the XINJE XD/E Series PLC Program Tool. | Tool Vulnerability | ||
|
2022-05-11 15:15:08 | CVE-2021-34606 (lien direct) | A vulnerability exists in XINJE XD/E Series PLC Program Tool in versions up to v3.5.1 that can allow an authenticated, local attacker to load a malicious DLL. Local access is required to successfully exploit this vulnerability. This means the potential attacker must have access to the system and sufficient file-write privileges. If exploited, the attacker could place a malicious DLL file on the system, that when running XINJE XD/E Series PLC Program Tool will allow the attacker to execute arbitrary code with the privileges of another user's account. | Tool Vulnerability | ||
|
2022-05-10 17:08:00 | Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE
(published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks
(published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early
(published: May 5, 2022)
Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm |
Ransomware Malware Tool Vulnerability Threat | APT 29 APT 28 | ★★★ |
 |
2022-05-10 03:00:00 | Cohesity launches FortKnox to protect data from ransomware attacks (lien direct) | Data management specialist Cohesity is launching a new data isolation and recovery tool called FortKnox, in a bid to help customers protect their data from ransomware attacks.FortKnox provides an additional layer of off-site protection for customers by keeping data in a secure 'vault,' with physical separation, network and management isolation to keep threat actors from accessing sensitive data.An object lock requires a minimum of two or more people to approve critical actions, such as changes of vault policy, and access can be managed using granular role-based access control, multi-factor authentication, and encryption both in-flight and at rest.To read this article in full, please click here | Ransomware Tool Threat | ||
 |
2022-05-09 10:49:02 | A scanning tool for open-sourced software packages? Yes, please! (lien direct) | OpenSSF recently introduced a dynamic analysis tool for all OSS packages when uploaded to open source repositories. | Tool | ||
 |
2022-05-09 08:29:06 | New tool release: Discovering the origin host to bypass web application firewalls (lien direct) | Pas de details / No more details | Tool | ||
|
2022-05-05 20:26:37 | Vagrant vs Docker: Compare DevOps tools (lien direct) | Finding the right DevOps tool can be tricky. There are a variety of factors to weigh in deciding what solution will work best for your projects. Learn more about two of the top solutions: Vagrant and Docker. | Tool |
To see everything:
Our RSS (filtrered)
