What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-10-04 19:15:08 | CVE-2021-41118 (lien direct) | The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. In affected versions unsanitised input of regular expression date within the parameters of the DPL parser function, allowed for the possibility of ReDoS (Regex Denial of Service). This has been resolved in version 3.3.6. If you are unable to update you may also set `$wgDplSettings['functionalRichness'] = 0;` or disable DynamicPageList3 to mitigate. | Tool | ||
|
2021-10-04 18:15:09 | CVE-2021-32762 (lien direct) | Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. | Tool Vulnerability | ||
 |
2021-10-04 11:00:00 | The Need for Intelligence-Driven XDR to Address Security Team Challenges (lien direct) | As organizations continue to expand and evolve their digital footprint, security staff struggle to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. These challenges are even more difficult due to limited staff and expertise. Enter extended detection and response or XDR. Depending on who you ask, you'll get differing opinions about what XDR is, where it came from, and whether or not you need it. The fact is security teams continue to struggle with too many security tools from different vendors, with little integration of data or relevant threat intelligence. These tools generate an alarming volume of alerts, leading to analysts chasing false positives or not looking into data because they lack the intelligence and expertise to prioritize the alerts that matter. They’re also working in siloed environments, which makes it hard to collaborate and leads to more problems, including: Overwhelming volumes of data make it difficult to prioritize security efforts and response They lack insight into global threats and incidents and are unable to recognize the potential impact of known and unknown threats The detection technologies they’ve installed are riddled with false positives that waste staff time The reliance on a single vendor and the inability to tune security controls across multi-vendor security stacks makes it harder to prioritize investigations and incident response efforts This is where XDR solutions come into play. We’ve aligned ourselves with Gartner’s definition of XDR, which states: "XDR is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components." In layman's terms: XDR provides a holistic, more straightforward view of threats across an organization's entire technology landscape, providing the real-time information needed to deliver threats to the right people for better, faster outcomes. Security teams can no longer only rely on the same tools they’ve used for threat detection and response. Automation and big data management are needed to collect data across all installed security telemetry, along with advanced intelligence to understand and correlate threats. The improved automation allows teams to sift through the never-ending deluge of data to pinpoint relevant threats and quickly respond to those that matter before they turn into something catastrophic. Anomali’s XDR solution combines our global threat intelligence with extended detection capabilities to stop breaches and attackers. Anomali XDR delivers: Unified threat detection utilizing all installed security telemetry Precision detection with timely alerts to stop threats earlier Increased ROI with less administrative overhead Higher fidelity alerts to reduce false positives and empower stretched IT teams Retrospective search capabilities across 5+ years Take a look at our webinar to learn more about how we can help you Pinpoint Relevant Threats w | Tool Threat Guideline | ||
 |
2021-10-03 15:39:54 | Video: CVE-2021-40444 Maldocs: Extracting URLs, (Sun, Oct 3rd) (lien direct) | In this video, reacting to a reader&#;x26;#;39;s comment, I explain how you can add your own regex to my re-search.py tool (without changing the code). | Tool | ★★★★ | |
|
2021-10-01 10:15:09 | New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st) (lien direct) | LOLBAS (“Living Off the Land Binaries And Scriptsâ€) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation). | Tool | ||
 |
2021-10-01 09:55:31 | Android, Java bug bunting tool Mariana Trench goes open source (lien direct) | Mariana Trench originated as an internal Facebook tool. | Tool | ||
 |
2021-09-30 20:25:27 | How to run network diagnostic tests on Chrome OS (lien direct) | Is your Chromebook having networking issues? Jack Wallen introduces you to a tool that could help you solve those problems. | Tool | ||
 |
2021-09-30 15:32:05 | Fake Amnesty International Pegasus scanner used to infect Windows (lien direct) | Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent. [...] | Tool Threat | ||
 |
2021-09-30 14:22:27 | .NET 5, Source Generators, and Supply Chain Attacks (lien direct) | IDEs and build infrastructure are being a target of various threat actors since at least 2015 when XcodeGhost has been discovered - https://en.wikipedia.org/wiki/XcodeGhost - malware-ridden Apple Xcode IDE that enabled attackers to plant malware in iOS applications built using it. Attacks executed through builds abuse trust we have in our build tools, IDEs, and software projects. This is slowly changing (for example Visual Studio Code added Workspace Trust feature in one of the recent releases: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time, .NET 5 added a powerful yet dangerous feature that could make attacks similar to described above easier to implement, deliver, and stay under the radar. Source Generators introduction Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5 - Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins Source Generators offer more flexibility as they're independent of IDE & compiler and do not require modifications of the source code. Source Generators can be present in your software solution as a part of Visual Studio solution structure, visible as a separate project in the IDE Solution browser. They can also be added, more often, as a nuget library similarly to any other dependency. Compilation pipeline that includes Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/&…; As Source Generators follow the same concept as Analyzers they may need to have the install and uninstall script. In a simple scenario, the install script will modify the given project csproj file in order to trigger Source Generator at build time. Similarly - uninstall script will remove any references to the Source Generator from csproj file. Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and were already attempted in the wild but technique described in this blog post does not use scripts making potential attacks harder to detect. Generators can be used for various purposes, in the most trivial case to inject code that'll be callable from first-party code snippet. Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ using System; using System.Collections.Generic; using System.Text; using Microsoft.CodeAnalysis; using Microsoft.CodeAnalysis.Text; namespace SourceGeneratorSamples { [Generator] public class HelloWorldGenerator : ISourceGenerator { public void Execute(SourceGeneratorContext context) { // begin creating the source we'll inject into the users compilation var sourceBuilder = new StringBuilder(@" using System; namespace HelloWorldGenerated { public static class HelloWorld { public static void SayHello() { Console.WriteLine(""Hello from generated code!""); Console.WriteLine(""The following syntax trees existed in the compilation that created this program:""); "); // using the context, get a list of syntax trees in the users compilation var syntaxTrees = context.Compilation.SyntaxTrees; // add the filepath of each tree to the class we're building foreach (SyntaxTree tree in syntaxTrees) { sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");"); } // finish creating the source to inject sourceBuilder.Append(@" } } }"); // inject the created source into the users compilation context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8)); } public void Initialize(InitializationContext context) { // No initialization required for thi | Malware Tool Threat | ||
 |
2021-09-30 13:25:16 | New CISA Tool Helps Organizations Assess Insider Threat Risks (lien direct) | The United States Cybersecurity and Infrastructure Security Agency (CISA) this week released a tool to help organizations assess their insider threat risk posture. | Tool Threat | ||
 |
2021-09-30 07:19:56 | (Déjà vu) CISA releases Insider Risk Mitigation Self-Assessment Tool (lien direct) | The US CISA has released a new tool that allows to assess the level of exposure of organizations to insider threats and devise their own defense plans against such risks. The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their […] | Tool | ||
|
2021-09-30 06:22:42 | Facebook released Mariana Trench tool to find flaws in Android and Java apps (lien direct) | Facebook released Mariana Trench, an internal open-source tool that can be used to identify vulnerabilities in Android and Java applications. The Facebook security team has open-sourced the code for Mariana Trench, an internal open-source tool used by the company experts to identify vulnerabilities in Android and Java applications. The name comes from the Mariana Trench, the […] | Tool | ||
|
2021-09-29 19:32:34 | Facebook Open-Sources \'Mariana Trench\' Code Analysis Tool (lien direct) | Facebook's security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications. | Tool | ||
 |
2021-09-29 17:00:40 | Google Maps tracks global warming with new “Fire” layer, tree canopy tool (lien direct) | "Fire" will be a top-level layer just like traffic, satellite, and transit maps. | Tool | ||
|
2021-09-29 16:11:22 | Facebook open-sources tool to find Android app security flaws (lien direct) | Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. [...] | Tool | ||
|
2021-09-29 14:17:43 | CISA releases tool to help orgs fend off insider threat risks (lien direct) | The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool that allows public and private sector organizations to assess their vulnerability to insider threats and devise their own defense plans against such risks. [...] | Tool Vulnerability Threat | ||
 |
2021-09-29 10:59:29 | Facebook Releases New Tool That Finds Security and Privacy Bugs in Android Apps (lien direct) | Facebook on Wednesday announced it's open-sourcing Mariana Trench, an Android-focused static analysis platform the company uses to detect and prevent security and privacy bugs in applications created for the mobile operating system at scale.
"[Mariana Trench] is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production," the |
Tool | ||
 |
2021-09-29 10:51:00 | FoggyWeb malware latest tool of dangerous Nobelium APT (lien direct) | Pas de details / No more details | Malware Tool | ||
|
2021-09-28 11:19:08 | ImmuniWeb Launches Free Tool for Identifying Unprotected Cloud Storage (lien direct) | Switzerland-based web and application security company ImmuniWeb on Tuesday announced the launch of a free online tool designed to help organizations identify unprotected cloud storage. | Tool | ★★★ | |
|
2021-09-28 01:32:38 | New BloodyStealer Trojan Steals Gamers\' Epic Games and Steam Accounts (lien direct) | A new advanced trojan sold on Russian-speaking underground forums comes with capabilities to steal users' accounts on popular online video game distribution services, including Steam, Epic Games Store, and EA Origin, underscoring a growing threat to the lucrative gaming market.
Cybersecurity firm Kaspersky, which coined the malware "BloodyStealer," said it first detected the malicious tool in |
Malware Tool Threat | ||
|
2021-09-23 20:48:44 | Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days (lien direct) | Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of iOS and macOS that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users.
Chief among them is CVE-2021-30869, a type confusion flaw |
Tool | ||
 |
2021-09-22 16:00:00 | How to Build a Winning Cybersecurity Resume (lien direct) | Career advancement is an art form with many facets. One vital tool is your cybersecurity resume, the quality of which can mean the difference between getting an interview for your dream job and not being considered at all. Following the standard advice on building a resume will give you a standard resume that won’t set […] | Tool | ||
|
2021-09-21 21:57:41 | How to use the FILTER() dynamic array function in Excel (lien direct) | Microsoft Excel's new FILTER() function is a great tool for reporting and dashboards. We'll show you how to use it to get more done. | Tool | ||
 |
2021-09-21 19:57:00 | Automation in Reverse Engineering C++ STL/Template Code (lien direct) | There are three major elements to reverse engineering C++ code that uses STL container classes: Determining in the first place that an STL container is being used, and which category, i.e., std::list vs. std::vector vs. std::set Determining the element type, i.e., T in the categories above Creating data types in your reverse engineering tool of choice, and applying those types to the decompilation or disassembly listing. Though all of those elements are important, this entry focuses on the last one: creating instantiated STL data types, and more specifically, types that can be used in Hex-Rays. The main contribution of this entry is simply its underlying idea, as I have never seen it published anywhere else; the code itself is simple enough, and can be adapted to any reverse engineering framework with a type system that supports user-defined structures. I have spent the pandemic working on a new training class on C++ reverse engineering; the images and concepts in this blog entry are taken from the class material. The class goes into much more depth than this entry, such as by material on structure and type reconstruction, and having individual sections on each of the common STL containers. (If you are interested in the forthcoming C++ training class, it will be completed early next year, and available for in-person delivery when the world is more hospitable. If you would like to be notified when public in-person classes for the C++ course is ready, please sign up on our no-spam, very low-volume, course notification mailing list. (Click the button that says "Provide your email to be notified of public course availability".) ) Overview and MotivationAt a language level, C++ templates are one of the most complex features of any mainstream programming language. Their introduction in the first place -- as opposed to a restricted, less-powerful version -- was arguably a bad mistake. They are vastly overcomplicated, and in earlier revisions, advanced usage was relegated to true C++ experts. Over time, their complexity has infested other elements of the language, such as forming the basis for the C++11 auto keyword. However, the basic, original ideas behind C++ templates were inconspicuous enough, and are easy to explain to neophytes. Moreover, reverse engineers do not need to understand the full complexity of C++ templates for day-to-day work. Let's begin with a high-level overview of which problems in C software development that C++ templates endeavored to solve, and roughly how they solved them. Put simply, many features of C++ were designed to alleviate situations where common practice in C was to copy and paste existing code and tweak it slightly. In particular, templates alleviate issues with re-using code for different underlying data types. C does offer one alternative to copy-and-paste in this regard -- the macro preprocessor -- though it is a poor, cumbersome, and limited solution. Let's walk through a small real-world example. Suppose we had code to shuffle the contents of a char array, and we wanted to re-use it to shuffle int arrays. | Tool Guideline | ||
|
2021-09-21 16:09:00 | Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam Malware Tool Vulnerability Threat | ||
|
2021-09-21 14:54:13 | Microsoft PC Health Check adds detailed Windows 11 compatibility info (lien direct) | Microsoft has released an updated PC Health Check tool that provides detailed information about whether a device's hardware is compatible with Windows 11. [...] | Tool | ||
|
2021-09-21 10:49:49 | MPT\'s Value at Veracode (lien direct) | You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the correct tools for your AppSec pogram can be overwhelming. Even when looking only at point solutions, there still may be some confusion on the value that various tools can provide. Sometimes you'll find the perfect tool, but others may offer you a similar tool with added manual penetration testing (MPT) as part of the overall bundle. That seems like a great idea for the budget. Let's dive in and see what these types of value these other offerings really provide. First, let's cover the shortcoming of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive dives for ease of consumption. If you read anything, read the short bulleted list! Who is doing your MPT as part of this engagement? Veracode has world-famous authors and hackers on their MPT teams. Please reach out and ask for our MPT team profile and then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings. Apps don't get great coverage with MPT This is a light MPT engagement when bundled. Ask for regular pricing so you can see the difference. Typically you can gauge the effectiveness of the offering by comparing the 1-day retail price of MPT to what is offered in the bundled offering. Cheap MPT and any other labor-intensive-based offerings DO NOT SCALE! Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Also, claimed less than 1% FP rates due to manual labor scrubbing DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by. Why Veracode's Manual Penetration Testing value can NOT be beaten Veracode's value in MPT can be summarized into four major points. Single Pane Looking Glass reports Comprehensive Security Analysis Value, Remediation and AppSec Program Assistance, and scalability. Single pane looking glass report Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration testing. Then you can generate a report with all the findings on one PDF in the context of a single application. With our big data analytics tools, you can then generate views on the entire organization portfolio or per team application's security posture. Comprehensive security analysis value If you already are a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily/weekly SAST, DAST, and SCA checks. MPT will skip all the findings in those reports. This allows us to find more complex and nefarious things that automated tools simply can not do. With other MPT offerings, the vendors must use the hours and will not know to skip the low-hanging fruit that our tools already caught such as SQL Injections, cross-site scripting, etc. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare hour for hour MPT offerings against Veracode- you will find that Veracode can do more with an hour of MPT than any other vendor can. Remediation and AppSec program assistance Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or help manage your application security program. This is not an extra add-on, this is included upfront so it is easy to forecast and budget. If your security or dev teams have questions- Veracode is there to help. Scalability No other Vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. I | Tool | ||
|
2021-09-20 19:00:00 | Zero Trust: Follow a Model, Not a Tool (lien direct) | The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses. Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This […] | Tool | ||
 |
2021-09-17 16:24:00 | (Déjà vu) Free REvil Decryptor Launched (lien direct) | New Bitdefender tool unlocks many files encrypted by REvil ransomware prior to July 13 | Ransomware Tool | ||
|
2021-09-16 15:49:03 | (Déjà vu) Bitdefender offers free decryptor for REvil ransomware victims (lien direct) | The free decryption tool will help victims restore their encrypted files from attacks made before July 13, 2021, says Bitdefender. | Ransomware Tool | ||
|
2021-09-15 19:15:09 | CVE-2021-33701 (lien direct) | DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability. | Tool Guideline | ||
|
2021-09-15 17:15:10 | CVE-2021-39392 (lien direct) | The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. | Tool | ||
 |
2021-09-14 22:44:26 | ELFant in the Room – capa v3 (lien direct) | Since our initial public
release of capa, incident responders and reverse engineers have
used the tool to automatically identify capabilities in Windows
executables. With our newest code and ruleset updates, capa v3 also
identifies capabilities in Executable and Linkable Format (ELF) files,
such as those used on Linux and other Unix-like operating systems.
This blog post describes the extended analysis and other improvements.
You can download capa v3 standalone binaries from the project's release page and
checkout the source code on GitHub.
ELF File Format Support
capa finds capabilities in programs by parsing executable file
formats, disassembling code, and then recognizing features in
functions. In versions v1 and v2, capa only understood the PE file
format, so its analysis was restricted to Windows programs. Thanks to
our colleagues at Intezer, capa
now recognizes ELF files! This means you can use the tool to identify
behaviors in malware that targets Linux computers. Figure 1 shows a
rule that describes techniques to fetch the current user on Linux.
Figure 1: capa rule identifying
capabilities on Linux
We're excited Intezer leverages capa and thrilled they are sharing
their improvements with the community. In addition to the code
updates, Intezer proposed 36 capa rules to identify various
capabilities in ELF files, such as reconnaissance, persistence, and
host interaction techniques. Please read Intezer's
blog post for more details.
New Features capa Can Recognize
As we taught capa to recognize ELF files, we also wanted rule
authors to tune their rules to find behaviors specific to different
operating systems (OS), CPU architectures, and file formats. For
example, the APIs exposed by Windows are very different from those
found on Linux systems; therefore, rules should clearly designate
which pattern to use on Windows versus Linux.
Based on discussions and feedback collected from users and
contributors, we've extended capa's rule format to describe OSes, CPU
architectures, and file formats. The rule shown in Figure 2 uses os features to distinguish techniques used to get
networking interface information on Windows and Linux. Note that the
rule is explicit about which APIs are found on each OS, making it easy
for both humans and machines to interpret the matching logic.
Figure 2: capa rule using the os feature
to distinguish OS specific features
We've also added arch (such as arch: i386 for 32-bit Intel code) and format (such as format:
elf for ELF files) features to distinguish between CPU
architectures and file formats. To learn more about these and capa's
rule syntax see the rule
format documentation on GitHub.
Unfortunately, rules with these new features are not backwards
compatible with older versions of capa. Therefore, you should prefer
to upgrade your capa installation to take advantage of our enhanced rules.
Substring Features
To make many rules easier to read, we've added a convenience feature
named substring that acts |
Malware Tool Guideline | ||
|
2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | Uber APT 41 APT 15 | |
|
2021-09-14 14:30:00 | How to configure Invoice Plane for in-app invoice mailing (lien direct) | Invoice Plane is a powerful open-source invoicing tool perfectly suited for small-business data centers. Jack Wallen shows you how to add invoice emailing to the application. | Tool | ||
|
2021-09-14 06:00:39 | Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks (lien direct) | Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide.Cobalt Strike is a legitimate penetration testing tool designed as an attack […] | Tool Threat | ||
|
2021-09-13 20:42:07 | Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide (lien direct) | Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild.
The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - marks one of the rare Linux ports, which has been |
Tool | ||
|
2021-09-09 14:00:00 | Optimizing Your Cybersecurity with Intelligence-Powered Detection (lien direct) | The recent large-scale cyberattacks have shown that any organization, regardless of size or industry, may be targeted at any time. Despite deploying multiple tools, security teams struggle to pinpoint relevant threats, wasting time sifting through incoming data and false positives and cannot act swiftly to real threats facing their business. A recent Dark Reading study revealed that while many organizations have improved their threat detection capabilities over the last few years, they lack threat visibility and are still reliant on too many manual processes. These shortcomings in combating cyber threats result in alert fatigue, smoldering fires, and siloed threat intelligence. The question then becomes: “How can my organization optimize its threat detection system?” Threat Detection as Process There are multiple ways to detect a potential threat. These can include global threat intelligence, human expertise in threat identification, and advanced tools for identifying malicious activity. While all are essential elements, they need to working effectively to create an optimized security program. Too often, the security process goes in one direction, from threat intelligence gathering to analysis and monitoring by the security operations center (SOC) and then on to security engineering to prioritize remediation. Creating a collaborative system with feedback loops between security teams and other key stakeholders is a much more effective way to avoid siloed intelligence and rapidly identify relevant threats. In this security ecosystem approach, the threat intel team automates intelligence gathering, prioritizes against intelligence initiatives, and incorporates any new requirements coming from security engineering. The SOC then monitors and prioritizes the continually updating threat requirements to help the threat team find relevant attacks. Security engineering prioritizes remediation and then feeds the revised intelligence requirements back to the SOC, reflecting any changes in vulnerabilities. Intelligence-Powered Threat Detection Implementing an effective collaborative system with two-way fluid communication requires intelligence-powered threat detection. Detection enables intelligent orchestration through your security organization and ensures that the global intelligence is relevant. Machine learning is leveraged to make sure severity scoring is conducted quickly and effectively. An intelligence-driven platform can process millions of indicators of compromise (IoCs) and billions of internal log entries, operationalizing threat data and automatically showing security teams what is relevant to them and which data are actionable intelligence. The identified indicators of interest can then be fed directly to the endpoints and firewalls for blocking. Extended Detection and Response or XDR Extended detection and response or XDR is a security framework that unifies threat detection and response into a single platform. It collects and correlates data automatically from disparate security components installed in a customer's environment. XDR can provide better security than isolated tools by reducing the complexity of security configuration and incident response. For example, you can extinguish smoldering fires using XDR, as big data support on the backend enables quick indexing and searches going back years. Alert fatigue is relieved by the automated updating of IRs and allowing threat intelligence teams to focus on relevant IoCs. And, because it bridges different tools and systems, XDR can also facilitate feedback loops between cybersecurity teams and stakeholders. Vendor-agnostic XDR platforms | Tool Threat | ||
|
2021-09-08 21:15:10 | CVE-2021-30605 (lien direct) | Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls. | Tool | ||
|
2021-09-08 18:43:43 | Machine learning is a great tool for cybersecurity, but be cautious, expert says (lien direct) | Supervised and unsupervised machine learning are good ways to detect threats. But what's the difference? | Tool | ||
|
2021-09-08 17:15:09 | CVE-2021-28571 (lien direct) | Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | Tool Vulnerability | ★★ | |
|
2021-09-08 16:57:12 | Canonical announces new Anbox Cloud Appliance on AWS Marketplace (lien direct) | The tool can be used by developers for prototyping, sandboxing and putting Android apps into production on 5G devices. | Tool | ||
|
2021-09-08 01:42:01 | US-built Databases a Potential Tool of Taliban Repression (lien direct) | Over two decades, the United States and its allies spent hundreds of millions of dollars building databases for the Afghan people. The nobly stated goal: Promote law and order and government accountability and modernize a war-ravaged land. | Tool | ||
|
2021-09-07 20:15:07 | CVE-2021-37631 (lien direct) | Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle. It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9. If you are unable to update it is advised to disable the Deck plugin. | Tool | ||
|
2021-09-07 19:29:00 | Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor
(published: September 3, 2021)
Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs to previous FIN7 campaigns. FIN7 are a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087
Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS
Feds Warn of Ransomware Attacks Ahead of Labor Day
(published: September 1, 2021)
The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond and remediate to incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
 |
2021-09-07 12:00:00 | Pharmacies Stepped Up During Covid-and Changed for Good (lien direct) | Pharmacies have long been perceived as commodities. Now, they're a central tool for removing barriers to health care. | Tool | ||
|
2021-09-06 13:42:08 | New Chainsaw tool helps IR teams analyze Windows event logs (lien direct) | Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats. [...] | Tool | ||
|
2021-09-04 02:08:38 | Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash (lien direct) | Apple is temporarily hitting the pause button on its controversial plans to screen users' devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.
"Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the |
Tool | ||
|
2021-09-02 14:00:00 | What Is a Cyber Fusion Center? (lien direct) | Drive Organization-Wide Visibility, Reduce Time to Detection, and Protect Critical Assets With a Cyber Fusion Center The continual and evolving threats to information systems are a constant battle that prompted the creation of cyber intelligence analysts who provide contextualized data, information, and intelligence to those tasked with detecting and defending against attacks. Cyber defense systems need to become more responsive to internal vulnerabilities and adapt to external threats as attack methods evolve more quickly. It is this intelligence that enables them to do so. The cyber fusion center is the hub for actionable threat intelligence. Structurally, it pulls together information and coordinates efforts across security teams; SOC, IT, physical security, fraud, etc. It also integrates multiple automation tools, collecting data from internal and external sources, curating data, and providing actionable intelligence to stakeholders to make informed decisions. Designing a Cyber Fusion Center Organizational Considerations When Creating Your Cyber Fusion Center The primary goal and advantage of having a cyber fusion center is making cybersecurity an integral part of your organization. It allows you to manage risk holistically. Keeping this in mind, processes that produce actionable intel should be modeled first before creating organizational and system structures. Acknowledging that existing systems are managed by different groups and integrating competing priorities is essential. Systems will also need to be integrated, with redundancies identified and streamlined. Finally, each organization will have its own culture that should be taken into consideration throughout this process. Teams: Is Your Cyber Fusion Center Communicating Cross-Functionally? Resilient cyber fusion centers start with a circular flow of communication with priority intelligence requirement (PIR)-driven inputs. This cyber intelligence provides the most timely and comprehensive intelligence on external threats to the security operations center (SOC) for detection, monitoring, threat hunting, and, when needed, incident response. In return, those acting on the threats can recommend adjustments to PIRs that continually improve the necessary intelligence to inform proactive threat detection and respond better. That feedback ensures that the threat intelligence team remains focused on collecting and delivering threat intelligence aligned to organizational PIRs. In addition, this flow of intelligence should be infused with relevant information from functional areas with high-risk vulnerabilities (e.g., Human Resources, Finance, Fraud, etc.). For example, a cyber intelligence team might discover a new ransomware campaign utilizing a specific tool and architecture. That intelligence is reported to the SOC with additional context of the group most likely responsible for the campaign, their other known tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The likelihood that the newly discovered campaign could impact the organization is based on a deeper understanding of the culprits’ motives, objectives, and previous actions. This type of intelligence empowers the SOC to prioritize response actions proactively to improve the organization’s security posture against both the immediate threat posed by the indicators of compromise (IOCs) and future threats posed by the same actor and their campaigns. Tools: Managing Your Security Stack With a Cyber Fusion Center While organizational processes are the basis for creating an effective cyber fusion center, automation tools are also essential. The risks of not automating can include missed threats, dormant threats, siloed threat intel, and unaligned intel. You can enrich global threat intelligence through associated intelligence, peer sharing, and local telemetry; this enrichment begins | Ransomware Tool Threat | ||
|
2021-08-31 16:40:00 | Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag.
Trending Cyber News and Threat Intelligence
Widespread Credential Phishing Campaign Abuses Open Redirector Links
(published: August 26, 2021)
Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to “re-enter” their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic.
Analyst Comment: Because of the nature of these types of phishing attacks, only reset your password going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link to verify the site if asked to enter any credential information.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Domain Trust Discovery - T1482
Tags: Phishing, Microsoft, North America, Anomali Cyber Watch
FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware
(published: August 25, 2021)
FIN8, the financially-motivated threat group known for targeting retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities.
Analyst Comment: Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily-guessable and do not use the default administrative passwords provided because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit |
Ransomware Malware Tool Vulnerability Threat Guideline |
To see everything:
Our RSS (filtrered)
