What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-04-22 15:47:16 | Cellebrite \'s forensics tool affected by arbitrary code execution issue (lien direct) | Cellebrite mobile forensics tool Ufed contains multiple flaws that allow arbitrary code execution on the device, SIGNAL creator warns. Moxie Marlinspike, the creator of the popular encrypted messaging app Signal, announced that Cellebrite mobile forensics tools developed by Cellebrite are affected by multiple vulnerabilities that could be exploited to achieve arbitrary code execution. Cellebrite develops […] | Tool | ||
 |
2021-04-22 15:46:00 | How AIOps can help IT developers manage applications (lien direct) | IBM's new OEM Application Resource Management offers a tool to improve applications by using automation. | Tool | ||
|
2021-04-22 14:30:52 | How to get real-time network statistics for your Linux servers with Guider (lien direct) | Jack Wallen introduces you to a tool that will help you to better troubleshoot network issues on Linux servers. | Tool | ||
 |
2021-04-22 12:43:02 | Reporting Live From Collision Conference 2021: Part One! (lien direct) |  This week, Collision (virtually) kicked off its annual conference, bringing together creatives, builders, influencers, innovators, and other great minds to cover some of the hottest topics in business and technology. Known as ???America???s fastest-growing tech conference,??? this year Collision featured over 450 speakers with more than 100 hours of content to consume across the three-day event.
With a sizable group of 40,000-plus attendees to entertain, the team behind Collision came prepared with a packed schedule. The lineup included speakers from some brand heavy-hitters ??? Amazon, Twitter, TikTok, and PayPal to name a few ??? as well as our very own Chris Wysopal representing the application security (AppSec) space for Veracode!
AI, AI??ヲOh!
Chris first led a hodgepodge of talent from security and tech to moderate Collision???s AI, AI??ヲ Oh!: AI, Security and Privacy in Online Society session. For this roundtable, Chris was joined by Jeff Moss of DEF CON, Jordan Fisher of Standard Cognition, Katie Moussouris of Luta Security, Alexander Vindman of Lawfare, Gary Harbison of Bayer, and Window Snyder of Thistle Technologies. The topic at hand? Just how major the impacts of AI and machine learning are on all industries today, and the risks this technology can bring if left unchecked.
The roundtable dug into important issues like allocating organizational resources to security, privacy, and transparency to monitor AI, as well as what can go wrong when companies don???t quite get it right. Chris kicked off the conversation by asking, how can we have technology figure out exactly what algorithms are doing so that we know when something is going awry, and who is to blame when it does? Gary Harbison brought up the idea of self-driving cars, which take data from their environment and make decisions in the moment. At some point, if there is a decision made by the algorithm that pits the safety of the driver against a pedestrian, who is to blame and what is the ramification? Gary followed up that we as an industry need to think this through sooner rather than later.
Another risky implication of this technology, the group suggested, is that in cases where AI is used to track consumer behavior, such a tool can quickly become an invasion of privacy. Window Snyder noted that implementing security (and being able to measure it) is a critical first step. She posed the question, how are we going to measure efficacy and improvements in security around AI technologies so that we can see what is actually providing value to consumers? ???Consumers will feel understandably uncomfortable knowing that a brand is tracking what they do inside of a store, and they may feel like they???re being watched everywhere they go,??? she said.
Window went on to explain that, if we want to create a trust between technology companies and the people we???re observing, we need to make sure that we???re creating clear business requirements and metrics, reducing the scope and time for tracking, and doing as much as possible to reduce the granularity of the data that is collected. Another important step, she says, is that when you build a mechanism to collect data, you also need to build a mechanism to remove it after extracting as much granularity as possible. Doing so tells consumers that the technology was built with their privacy in mind.ツ?
There???s an economic and geopolitical aspect to the risks of AI te |
Tool | ||
 |
2021-04-22 00:00:00 | Travailler à domicile: une année en revue les entreprises sont obligées de permettre à leurs employés de travailler à distance, la surface d'attaque devient plus large. Working From Home: A Year in ReviewAs companies are obliged to allow their employees to work remotely, the attack surface becomes broader.Read More (lien direct) |
Cyber Trends, Risks and the Global PandemicAs we mark a year of working from home through the global pandemic, this is a good time to discuss and delve into the IT changes and trends in our day-to-day work environment and their implications for user privacy, corporate cyber security and cyber insurance. The 3 main categories of software and applications that saw a significant increase in usage over the past year include:Video Conferencing and online communication platformsVPNs and Remote Desktop (RDP) softwaresTwo Factor (2FA) and Multiple Factor Authentication (MFA) applicationsWorking from home has increased the usage of the aforementioned technologies as well as other similar applications, broadened the attack surface and provided new opportunities for various malicious actors as there are more external-internal connections compared to the past, meaning more types of services to keep track of and monitor. This also implies a heavier traffic load due to video streaming, database connections and more. âEasier communication, but at what cost?Away from our colleagues and offices, employees have had to adapt quickly to various methods of online communication and meetings in order to keep things running, whether itâs Zoom, Webex, Microsoft Teams, Google meet or any other platform, co-workers are now able to chat, share video and documents easily from computers and phones. Right from the start of the pandemic, Zoom solidified itself as the dominant platform for video conferencing with an increase of 67% in usage between January and the middle of March 2020. By April 2020 it already had more than 300 million daily Zoom meeting participants in comparison to 10 million meeting participants in December 2019.(1)Number of daily Zoom users, December 2019 - April 2020This convenience comes with significant underlying risks to users and corporate networks, as poorly implemented encryption protocols and other security measures can result in unauthorized participants access to otherwise personal or confidential calls. This sort of intrusion, commonly referred to as âZoom Bombingâ, can be at best innocent trolling and cause annoyance but at worst allow access to a malicious actor who can gather sensitive information on the company for espionage purposes(2), harvest participants\' credentials and other PII and leak the callâs content and video as well as use the meeting chat to send phishing links which could escalate to a full-blown ransomware attack on the company\'s network(3). This sort of attack can be carried out by an attacker exploiting vulnerabilities such as (or similar to) CVE-2019-13450(4) which would allow them to forcefully join a meeting. âMultiple Factor Authentication - double the safety but not without risks Multiple Factor Authentication (MFA) and Two Factor Authentication (2FA) have been adopted in recent years as an additional security tool to ensure the safety of oneâs accounts and personal information. As previously mentioned, the migration to a remote work routine necessitated a secure and verified method for each employee to access their companyâs assets online on a daily basis. This basic work necessity came with restrictions and guidelines such as remote desktop applications to create a virtual work environment and 2FA applications in an attempt to strengthen the companyâs cybersecurity posture. By May 2020, around 70% of British businesses were already using some type of MFA and a VPN for better cyber security risk management of the changed work environment(5).There are numerous ways by which MFA or 2FA methods can be bypassed, either through brute force (if the requested code is between 4-6 numbers), social engineering or a conventional session management in which attackers use the password reset function. This is due to the fact that 2FA is often not implemented on the systemâs login page after a password reset.VPNs and RDPs - work from anywhere and be attacked from anywhereVi | Ransomware Data Breach Malware Tool Vulnerability | ★★★ | |
 |
2021-04-21 13:12:39 | Instagram debuts new tool to stop abusive message salvos made through new accounts (lien direct) | DMs are the next area the firm wants to focus on in controlling abusive behavior. | Tool | ||
 |
2021-04-20 12:17:02 | Why To Codecov Breach? Experts Weigh In (lien direct) | Following media reports that hackers who tampered with a software development tool from a company called Codecov used that program to gain restricted access to hundreds of networks belonging to the San… | Tool | ||
|
2021-04-20 12:00:04 | VMware announces new Anywhere Workspace tool to help businesses make remote work easier (lien direct) | The new platform is a combination of SASE, access control and cloud-native endpoint security that the company said is the only solution of its kind on the market. | Tool | ||
 |
2021-04-19 19:00:00 | How VPNs Are Changing to Manage Zero Trust Network Access (lien direct) | What do a growing number of cyberattacks, emerging tech, such as artificial intelligence, and cloud adoption have in common? They’re all helping fuel the rise of zero trust. Zero trust network access is, in turn, changing the way we access the internet for work. Let’s take a look at how another common tool today — the […] | Tool | ||
|
2021-04-19 13:48:50 | Nonprofit provides help to hospitals battling ransomware (lien direct) | The Center for Internet Security recently launched a free tool for private U.S. hospitals to block malicious activity. | Ransomware Tool | ||
|
2021-04-19 09:05:28 | DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle (lien direct) |  You???ve heard of DevOps. And by now, you???ve probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its ???silo??? and becomes a core part of the DevOps lifecycle.
That, at least, is the theory behind DevSecOps. What???s often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword.
To help bridge the gap between theory and practice, let???s walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows.
DevSecOps, defined
If you???re familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers.
DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security ??? meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security ??? meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further.
DevSecOps in practice
These are all great ideas to talk about, and it???s easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation. It???s much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line.
The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That???s where things can get tougher. There is no simple methodology that allows you to ???do??? DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team.
Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps.
Scanning early and often
One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don???t want to wait until code is written and built to start testing it for flaws (and you certainly don???t want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible.
Importantly, security scanning should continue as code ???flows??? down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production.
Automation
Automation is a founding principle of DevOps, and it???s just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps |
Tool | Uber | ★★★ |
 |
2021-04-16 20:07:24 | Backdoored developer tool that stole credentials escaped notice for 3 months (lien direct) | AWS credentials and private repository tokens could allow self-perpetuating attacks. | Tool | ||
 |
2021-04-16 10:44:37 | Popular Codecov code coverage tool hacked to steal dev credentials (lien direct) | Codecov online platform for hosted code testing reports and statistics announced on Thursday that a threat actor had modified its Bash Uploader script, exposing sensitive information in customers' continuous integration (CI) environment. [...] | Tool Threat | ||
 |
2021-04-16 10:00:00 | Considerations for performing IoMT Risk Assessments (lien direct) | What are Internet of Medical Things (IoMT) products? Internet of Medical Things (IoMT) products refer to a combination of medical applications and devices connected to healthcare information technology systems through an online computer network or a wireless network. IoMT devices rely heavily on biosensors, critical in detecting an individual's tissue, respiratory, and blood characteristics. Non-bio sensors are also used to measure other patient characteristics such as heart and muscle electrical activity, motion, and body temperature. IoMT product classifications One needs to gain insight into what makes a device a medical device. In the U.S., the sale of medical devices is regulated by the Food and Drug Administration (FDA). As required by the FDA, medical devices are classified as being Class I, Class II, or Class III based on the risk posed by the device. Therefore, one must understand the risk level of a medical device and its intended use and indications of use. IoMT layers and the threat-driven approach to security Like IoT, IoMT has several layers, including the business, application, application, middleware, network, and perception layers. Notably, the perception layer in IoMT is tasked with the transfer of medical data acquired from sensors to the network layer. Medical things types that fall under the perception layer can be classified as: wearable (muscle activity sensors, pressure and temperature sensors, smartwatches); implantable (implantable cardioverter defibrillators (ICD); swallowable (camera capsule); ambient (vibration and motion sensors), and; stationary devices (surgical devices, CT scan). Likewise, IoMT devices are subject to attacks based on their architecture or application. That is, IoMT devices can suffer layer-specific attacks. While hackers can target any layer for an attack, they typically focus on either the perception or network layer attacks. Perception layer attacks focus on devices that acquire data from sensors. Hackers use perception layer attacks to defeat the device administrator's ability to track the sensor and discover that it has been cloned or otherwise tampered with. Conversely, at the network layer, IoMT devices can be subject to DoS attacks, Rogue access, Man-in-the-Middle (MiTM), replay, and Eavesdropping. Common IoMT vulnerabilities arise from the challenges experienced during IoMT device development, such as the lack of a threat-driven approach to security. The threat-driven approach to security corresponds to modeling the relationship between threats, the risk to the asset, and the security controls that should govern them. For example, Bluetooth Low Energy (BLE) technology, whose applications range from home entertainment to healthcare, is associated with many threats such as network communication decryption, replay attacks, and Man-in-the-Middle attacks. Primary considerations in performing IoMT Risk Assessments Threat modeling is the tool best fitted for addressing perception and network-layer threats. Cybersecurity practitioners commonly use the STRIDE threat modeling technique to help solve IoMT-related security challenges at both layers. STRIDE is a threat model suitably fitted for helping cybersecurity practitioners identify and analyze threats in an IoMT environment. More specifically, STRIDE is the most adept tool for answering the question 'what can go wrong in the IoMT environment that can adversely affect patient safety?' The STRIDE model allows cybersecurity practitioners to determine what threat is a violation of a desirable property for an IoMT system. Desirable properties preserve privacy, data protection and contribute to the security of an IoMT asset. Desirable properties align with the STRIDE model as illustrated below: | Tool Threat | ||
 |
2021-04-16 02:47:55 | Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack (lien direct) | Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. | Hack Tool | ||
|
2021-04-15 21:39:18 | Popular software development tool Docker gets Apple M1 support (lien direct) | Another one of the most popular development tools now supports the M1. | Tool | ||
 |
2021-04-15 12:18:29 | Outpost24 report finds Top 10 US Credit Unions all have web application issues (lien direct) | A report released this week by Outpost24, that examined the security posture of web applications amongst the Top 10 US Credit Unions, has revealed that they all have security issues. Using Outpost24's attack surface discovery tool called Scout, Outpost24 was able to analyse each Credit Union's public-facing web security environments against the seven most common attack vectors […] | Tool | ★★★★ | |
 |
2021-04-15 11:13:33 | DNI\'s Annual Threat Assessment (lien direct) | The office of the Director of National Intelligence released its “Annual Threat Assessment of the U.S. Intelligence Community.” Cybersecurity is covered on pages 20-21. Nothing surprising: Cyber threats from nation states and their surrogates will remain acute. States’ increasing use of cyber operations as a tool of national power, including increasing use by militaries around the world, raises the prospect of more destructive and disruptive cyber activity. Authoritarian and illiberal regimes around the world will increasingly exploit digital tools to surveil their citizens, control free expression, and censor and manipulate information to maintain control over their populations. ... | Tool Threat | ||
|
2021-04-14 10:00:00 | Phishing towards failed trust (lien direct) | This blog was written by an independent guest blogger. Phishing exercises are an important tool towards promoting security awareness in an organization. Phishing is effective, simply because it works. However, any social engineer can devise a marvelously deceptive message with an irresistible link that only the most tech-savvy person would spot as a phishing test. Sometimes, the phish can be sent at a time of day that catches the recipient off-guard, which causes a person to click the malicious link. These techniques are so effective, that even the most experienced people have gotten fooled, not only by phishing tests, but also by real scams. As social engineers, it is easy to play on people’s vulnerabilities; their fears, hopes, and dreams. Fears, such as those used in scams against the elderly; hopes, such as those used against the optimistically trusting; and dreams, such as those used against the wistfully romantic. However, with any security practice, we have to temper our thrill of victory, that is, the adrenaline rush of the “gotcha” moment when a person falls for our brilliantly crafted phishing test, with the reality of our true purpose, which is to educate, and build trust. With that in mind, we must ask ourselves, when have we gone too far? For example, according to a report that was published at the height of the pandemic, Covid-related scams rose to an all-time high. The cybercriminals have been hard at work, trying to capitalize on our fears, and our desires to seek information, and more recently, our desire to become vaccinated. Has your organization used the pandemic in any recent phishing exercises? How effective were they? Was the “hit” rate high? More importantly, did the people who failed the test thank you for showing them the error of their ways? I doubt it. I am not stating this merely to make enemies in the security community. As a 20+ year veteran in the industry, I too understand the struggles and the frustrations of building a security culture in an organization. However, let’s look to the legal profession for a moment to try to understand why Covid-based phishing exercises are simply wrong. The problem at hand is one of our freedom to act recklessly. If we look to the landmark U.S. Supreme Court case of Schenck v. United States, we are met with the famous quote about how freedom of speech does not give one the right to “Yell ‘Fire!’ in a crowded theater”. In a later case, Rochin v. California, the phrase “Shocks the conscience” became part of legal doctrine. An action is understood to "shock the conscience" if it is "grossly unjust to the observer." Contrary to helping an already stressed staff, does a Covid-based phishing exercise succeed in anything other than violating the senses, as well as bordering on a cavalier abuse of our “expertise”? There are so many ways to educate | Tool | ||
 |
2021-04-13 10:00:00 | Piratage de la technologie opérationnelle pour la défense: leçons apprises de l'infrastructure de contrôle des compteurs intelligents en équipe d'OT Red Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure (lien direct) |
Les incidents de sécurité très médiatisés au cours de la dernière décennie ont apporté un examen minutieux à la cybersécurité pour la technologie opérationnelle (OT).Cependant, il existe une perception continue entre les organisations d'infrastructures critiques que les réseaux OT sont isolés de réseaux publics tels que Internet.Dans l'expérience de mandiant, le concept d'un \\ 'Air Gap \' séparant les actifs des réseaux externes est rarement vrai dans la pratique.
En 2018, nous avons publié un article de blog présentant les outils et techniques qui Temp.veles utilisé pendant l'incident de Triton pour traverser un compromis externe des informations
High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks-such as the Internet. In Mandiant\'s experience, the concept of an \'air gap\' separating OT assets from external networks rarely holds true in practice. In 2018, we released a blog post presenting the tools and techniques that TEMP.Veles used during the TRITON incident to traverse from an external compromise of the information |
Tool Industrial | ★★★★ | |
|
2021-04-12 12:00:03 | Oracle adds employee experience product to its HCM suite (lien direct) | Citing the growing importance of worker happiness, Oracle's HR suite is adding Oracle Journeys, a workflow tool tailored to individuals. | Tool | ||
|
2021-04-09 19:05:56 | Microsoft unveils 64-bit version of OneDrive (lien direct) | Compatible with the 64-bit version of Windows, the new flavor of Microsoft's file backup and syncing tool will better handle large files. | Tool | ||
|
2021-04-09 16:55:31 | CISA Releases Tool to Detect Microsoft 365 Compromise (lien direct) | The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. | Tool | ||
|
2021-04-09 12:41:09 | (Déjà vu) CISA releases post-compromise tool Aviary to review Microsoft 365 (lien direct) | CISA released a Splunk-based dashboard for post-compromise activity in Microsoft Azure Active Directory (AD), Office 365, and MS 365 environments. The Cybersecurity and Infrastructure Security Agency (CISA) has released a Splunk-based dashboard, dubbed Aviary, that could be used by administrators in the post-compromise analysis of Microsoft Azure Active Directory (AD), Office 365 (O365), and Microsoft 365 (M365) environments. […] | Tool | ||
|
2021-04-08 17:39:27 | CISA releases tool to review Microsoft 365 post-compromise activity (lien direct) | The Cybersecurity and Infrastructure Security Agency (CISA) has released a companion Splunk-based dashboard that helps review post-compromise activity in Microsoft Azure Active Directory (AD), Office 365 (O365), and Microsoft 365 (M365) environments. [...] | Tool | ||
|
2021-04-07 13:00:00 | Robin launches Office Pass to help companies address 15% employee bounce rate as offices reopen (lien direct) | Research from Robin shows that employees want flexibility in their workspaces and the software maker has a new tool to help companies reshape their offices to meet the new normal of hybrid work. | Tool | ||
|
2021-04-07 06:00:00 | Android malware infects wannabe Netflix thieves via WhatsApp (lien direct) | Newly discovered Android malware found on Google's Play Store disguised as a Netflix tool is designed to auto-spread to other devices using WhatsApp auto-replies to incoming messages. [...] | Malware Tool | ||
 |
2021-04-06 19:15:14 | CVE-2021-21423 (lien direct) | `projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a well-typed definition written in JavaScript. Users of projen's `NodeProject` project type (including any project type derived from it) include a `.github/workflows/rebuild-bot.yml` workflow that may allow any GitHub user to trigger execution of un-trusted code in the context of the "main" repository (as opposed to that of a fork). In some situations, such untrusted code may potentially be able to commit to the "main" repository. The rebuild-bot workflow is triggered by comments including `@projen rebuild` on pull-request to trigger a re-build of the projen project, and updating the pull request with the updated files. This workflow is triggered by an `issue_comment` event, and thus always executes with a `GITHUB_TOKEN` belonging to the repository into which the pull-request is made (this is in contrast with workflows triggered by `pull_request` events, which always execute with a `GITHUB_TOKEN` belonging to the repository from which the pull-request is made). Repositories that do not have branch protection configured on their default branch (typically `main` or `master`) could possibly allow an untrusted user to gain access to secrets configured on the repository (such as NPM tokens, etc). Branch protection prohibits this escalation, as the managed `GITHUB_TOKEN` would not be able to modify the contents of a protected branch and affected workflows must be defined on the default branch. | Tool | ||
 |
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 | |
|
2021-04-06 09:32:33 | This service allows checking if your mobile is included in the Facebook leak (lien direct) | Security researcher implemented a service to verify if your mobile number is included in the recent Facebook data leak. Security researcher Yaser Alosefer developed a new tool to help users to determine if their mobile numbers are included within the recent Facebook data leak that impacted 553 million users of the social networking giant. The […] | Tool | ||
|
2021-04-06 07:20:39 | (Déjà vu) Experts found critical flaws in Rockwell FactoryTalk AssetCentre (lien direct) | Rockwell Automation has recently addressed nine critical vulnerabilities in its FactoryTalk AssetCentre product with the release of version v11. The American provider of industrial automation Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product. FactoryTalk AssetCentre provides customers with a centralized tool for securing, managing, versioning, […] | Tool | ||
|
2021-04-05 18:28:38 | Adult content from hundreds of OnlyFans creators leaked online (lien direct) | After a shared Google Drive was posted online containing the private videos and images from many OnlyFans accounts, a researcher has created a tool allowing content creators to check if they are part of the leak. [...] | Tool | ||
|
2021-04-03 12:39:48 | Activision warns of Call of Duty Cheat tool used to deliver RAT (lien direct) | The popular video game publisher Activision is warning gamers that threat actors are actively disguising a remote-access trojan (RAT) in Duty Cheat cheat tool. Activision, the company behind Call of Duty: Warzone and Guitar Hero series, is warning gamers that a threat actor is advertising cheat tools that deliver remote-access trojan (RAT). The company reported that […] | Tool Threat | ||
 |
2021-04-02 23:49:52 | How Cyrebro Can Unify Multiple Cybersecurity Defenses to Optimize Protection (lien direct) | Many enterprises rely on more than one security tool to protect their technology assets, devices, and networks. This is particularly true for organizations that use hybrid systems or a combination of cloud and local applications. Likewise, companies whose networks include a multitude of smartphones and IoT devices are likely to deploy multiple security solutions suitable for different scenarios. |
Tool | ||
|
2021-04-02 11:00:05 | Malware Hidden in Call of Duty Cheating Software (lien direct) | News article: Most troublingly, Activision says that the “cheat” tool has been advertised multiple times on a popular cheating forum under the title “new COD hack.” (Gamers looking to flout the rules will typically go to such forums to find new ways to do so.) While the report doesn’t mention which forum they were posted on (that certainly would’ve been helpful), it does say that these offerings have popped up a number of times. They have also been seen advertised in YouTube videos, where instructions were provided on how gamers can run the “cheats” on their devices, and the report says that “comments [on the videos] seemingly indicate people had downloaded and attempted to use the tool.”... | Tool | ||
|
2021-04-01 15:22:17 | Secure Coding Urban Myths and Their Realities (lien direct) |  ???Science and technology revolutionize our lives, but memory, tradition, and myth frame our response.??? ??? Author Arthur M. Schlesinger
Urban myths rely on their communities of origin to thrive and survive. Perpetuated by offhand anecdotes, sensational news stories, and friend-of-a-friend legends, urban myths about secure coding are no different; as developers share tidbits of information around common struggles and issues in application security, those conundrums quickly become myths that can make secure coding seem daunting.
Schlesinger???s quote is even more important today as so much of the world is powered by modern applications, yet at the same time myths clouding the development community often frame how developers respond to (or avoid) issues with their code. The reality is clear: when you take ownership over your code and rally around your team???s security efforts to squash these myths, your apps carry far less risk than before. And once you recognize these myths for what they are, you have the power to reframe how you approach similar challenges in the future.
Popular myths in programming
So what are some of the common urban myths in software development? They can range from the security of open source code to relying solely on developer tools and why PHP is considered a ???dying language??? ??? did you know 80% of all websites built on known programming languages are powered by PHP? Some of today???s heavyweights like Etsy, Facebook, and Wikipedia were built on PHP, and PHP-based publishing platforms like WordPress and Drupal are still extremely popular. It isn???t going anywhere anytime soon.
Maybe you???ve also heard the urban myth that fixing flaws in your open source code is too time-consuming? Myth busted: almost 75 percent of known vulnerabilities in open source code are fixable with a simple library update to patch the exploits. Even better, tools like Veracode Software Composition Analysis provide immediate and actionable guidance to help you remediate flaws in your open source code before they add risk to your organization.
Or, perhaps you???ve seen comments on Reddit that your favorite developer tool is all you need to secure your code, but security features in basic developer tools typically lack the comprehensiveness required for ample coverage. In reality, you need the right testing types in the right places throughout your SDLC, ensuring coverage for your CI/CD pipeline and giving you peace of mind while you work. ツ?
 ???
We???ve only scratched the surface when it comes to urban myths about secure coding! To learn more about some of these common conundrums (and their realities), download our eBook: 6 Urban Myths About Secure Coding. |
Tool | ||
|
2021-03-31 17:23:10 | How to use Google\'s Password Checkup tool (lien direct) | Google offers a password checking service that will check all of your Chrome-saved passwords for weaknesses and against known breaches. Jack Wallen shows you how to use this tool. | Tool | ||
|
2021-03-31 14:33:43 | Electric vehicle company announces first open charging platform (lien direct) | EVPassport unveiled a tool that helps drivers find charger locations and click directly through to start a charging session without having to download an additional app or create a separate account. | Tool | ||
|
2021-03-30 17:07:00 | Anomali Cyber Watch: Malware, Phishing, Ransomware and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackKingdom, Chrome Extensions, Microsoft, REvil, PurpleFox, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google removes privacy-focused ClearURLs Chrome extension
(published: March 24, 2021)
Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users’ names and passwords, whilst others were stealing financial data. Spoofed extensions posing as legitimate ones were common, amongst them a fake ‘Postman’ extension harvesting companies API credentials to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools and threat intelligence systems. Malicious extensions have been previously used in malicious campaigns, in 2020 researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of the malicious extensions.
Analyst Comment: This story illustrates the complexities of using modern life as Google is a monolithic corporation that is integrated into everyone’s daily lives, both personal and business. Whilst many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google’s policies and usage of your data is not malicious and is perfectly legal but you are giving up your information. If something is free, you are the product.
Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL
Purple Fox Malware Targets Windows Machines With New Worm Capabilities
(published: March 24, 2021)
Purple Fox, which first appeared in 2018, is an active malware campaign that targeted victims through phishing and exploit kits, it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute force and the addition of a rootkit, allowing the actors to hide the malware on a machine making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server IIS version 7.5. It was very active in Spring and Summer 2020 before going quiet and then ramping up activity in early 2021.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-03-30 15:59:00 | CyberPanel makes one-click installing of web-hosted apps and services simple (lien direct) | If you're looking for a replacement for cPanel, CyberPanel might be exactly what you need. Jack Wallen shows you how easy this tool is to deploy. | Tool | ★★★★★ | |
 |
2021-03-28 19:24:07 | TCPView v4.0 Released, (Sun, Mar 28th) (lien direct) | TCPView is a Sysinternals&#;x26;#;39; tool that displays information about the TCP and UDP endpoints on a system. It&#;x26;#;39;s like netstat, but with a GUI. | Tool | ||
|
2021-03-28 09:53:41 | Security Affairs newsletter Round 307 (lien direct) | A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the international press subscribe here. CISA releases CHIRP, a tool to detect SolarWinds malicious activity Microsoft Defender can now protect servers against ProxyLogon […] | Tool | ||
|
2021-03-26 13:00:37 | Amazon\'s new machine learning tool will help businesses spot flagging KPIs (lien direct) | Lookout for Metrics is a fully-managed machine learning tool for monitoring business metrics and tackling dips in business performance. | Tool | ||
|
2021-03-26 08:17:18 | FBI published a flash alert on Mamba Ransomware attacks (lien direct) | The Federal Bureau of Investigation (FBI) issued an alert to warn that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives. The Federal Bureau of Investigation (FBI) published an alert to warn that the Mamba ransomware is abusing the DiskCryptor open-source tool (aka HDDCryptor, HDD Cryptor) to encrypt entire drives. […] | Ransomware Tool | ||
|
2021-03-25 22:15:12 | CVE-2021-27372 (lien direct) | Realtek xPON RTL9601D SDK 1.9 stores passwords in plaintext which may allow attackers to possibly gain access to the device with root permissions via the build-in network monitoring tool and execute arbitrary commands. | Tool | ||
|
2021-03-25 22:07:54 | Another Critical RCE Flaw Discovered in SolarWinds Orion Platform (lien direct) | IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE).
Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via |
Tool | ||
|
2021-03-25 19:15:14 | CVE-2021-26597 (lien direct) | An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value. | Tool | ||
|
2021-03-25 15:36:05 | Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns (lien direct) | The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system. | Ransomware Tool | ||
 |
2021-03-24 15:19:38 | Comprehensive Guide to AutoRecon (lien direct) | The AutoRecon tool is designed as a network reconnaissance tool. It is a multi-threaded tool that performs automated enumeration of services. The purpose of this tool is to save time while cracking CTFs and other penetration testing environments or exams. It is useful in real-world engagements as well. Table of | Tool | ||
|
2021-03-23 14:00:00 | Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Bogus Android Clubhouse App Drops Credential-Swiping Malware
(published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse
Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers
(published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.
Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
(published: March 18, 2021)
Cybereason detected a new campaig |
Ransomware Malware Tool Threat Patching Medical | APT 38 APT 28 |
To see everything:
Our RSS (filtrered)
