What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Blog 2024-01-15 11:23:03 Forescout Report Uncovers New Details in Danish Energy Hack
(direct link)
>By Deeba Ahmed The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls. This is a post from HackRead.com Read the original post: Forescout Report Uncovers New Details in Danish Energy Hack
Hack Vulnerability Industrial Technical ★★★★
InfoSecurityMag 2024-01-15 11:18:00 British Library Catalogue Back Online After Ransomware Attack
(direct link)
The main British Library catalogue will be back online on Monday, January 15, as the institution continues its technical rebuild following the ransomware attack last year
Ransomware Technical ★★
The_Hackers_News 2024-01-14 14:37:00 New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks
(direct link)
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a
Industrial Technical ★★★★
HexaCorn 2024-01-13 23:09:46 2 little secrets of ScriptRunner.exe
(direct link)
ScriptRunner.exe is a known LOLBin, but the LOLBAS project does not cover all of this program's features. Timeout: it can run child processes and kill them after a certain timeout, e.g.: ScriptRunner.exe -appvscript cmd.exe -appvscriptrunnerparameters -timeout=5. Multiple invocations: it can run …
Technical ★★★
HexaCorn 2024-01-12 23:39:35 Adding character(s) to Command Line processing
(direct link)
In my old post about certutil I mentioned that it accepts a number of less-known Unicode characters passed to its command line. PowerShell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too. … Continue reading →
Technical ★★★★
Blog 2024-01-11 14:19:03 Easy way to Generate Reverse Shell
(direct link)
In this article, we will learn how to get a reverse shell in a few easy steps. Usually, the problem with reverse shell commands is to
Technical ★★★
TechWorm 2024-01-10 23:15:50 China Claims To Have Cracked Apple's AirDrop Feature
(direct link)
A Chinese state-backed institution has reportedly devised a way to identify the phone number, email address and name of senders who share content through Apple's AirDrop feature. The move is part of the Beijing government's broader efforts to eliminate “undesirable content”. For those unaware, AirDrop is an end-to-end encrypted tool that lets users wirelessly send photos, videos, documents and more to other iOS devices and Mac computers, which means that even Apple cannot decrypt the content of the material you transfer. During transfers, the feature only shares the device name (which can be set to anything) and does not disclose the phone number and email address associated with the phone. According to a new Bloomberg report, the Beijing Wangshendongjian Judicial Appraisal Institute has developed a method to examine an iPhone's encrypted device log in order to identify the numbers and emails of senders sharing AirDrop content. “The case of inappropriate information being spread via ‘AirDrop’ on mobile phones has solved the technical difficulties of anonymous traceability through AirDrop, improved the efficiency and accuracy of case detection, and prevented the spread of inappropriate remarks and potential bad influence,” the Beijing Municipal Bureau of Justice said in a
Tool Mobile Technical ★★★★
IndustrialCyber 2024-01-10 17:59:58 TXOne recognized by TSMC for OT cybersecurity collaboration in semiconductor industry
(direct link)
>TXOne Networks, a provider of cyber-physical systems (CPS) security, has been acknowledged by TSMC for its exceptional technical...
Industrial Technical ★★
IndustrialCyber 2024-01-10 17:59:41 Industrial Defender appoints Patrick Miller as strategic technical advisor
(direct link)
>Industrial Defender, a provider of OT asset data and cybersecurity solutions for industrial organizations, announces the appointment of...
Industrial Technical ★★
bleepingcomputer 2024-01-09 10:02:04 Criminal IP and Tenable Partner for Swift Vulnerability Detection
(direct link)
Cyber Threat Intelligence (CTI) search engine Criminal IP has established a technical partnership with Tenable. Learn more from Criminal IP about how this partnership can assist in real-time vulnerability and maliciousness scans. [...]
Vulnerability Threat Technical ★★
Trend 2024-01-09 00:00:00 Black Basta-Affiliated Water Curupira's Pikabot Spam Campaign
(direct link)
Pikabot is a loader with similarities to Qakbot that was used in spam campaigns during most of 2023. Our blog entry provides a technical analysis of this malware.
Spam Malware Technical ★★
ProofPoint 2024-01-08 06:00:19 Proofpoint Recognized in 2023 Gartner® Market Guide for Insider Risk Management Solutions
(direct link)
It's easy to understand why insider threats are one of the top cybersecurity challenges for security leaders. The shift to remote and hybrid work combined with data growth and cloud adoption has meant it's easier than ever for insiders to lose or steal data. Legacy systems simply don't provide the visibility into user behavior that's needed to detect and prevent insider threats. With so much potential for brand and financial damage, insider threats are now an issue for the C-suite. As a result, businesses are on the lookout for tools that can help them to better manage these threats.
To help businesses understand what to look for, Gartner has recently released Market Guide for Insider Risk Management Solutions. In this report, Gartner explores what security and risk leaders should look for in an insider risk management (IRM) solution. It also provides guidance on how to implement a formal IRM program. Let's dive into some of its highlights.
Must-have capabilities for IRM tools
Gartner states that IRM “refers to the use of technical solutions to solve a fundamentally human problem.” And it defines IRM as “a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts in the organization.” Gartner identifies three distinct types of users: careless, malicious and compromised. That, we feel, is in line with our view at Proofpoint. And the 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users.
In its Market Guide, Gartner identifies the mandatory capabilities of enterprise IRM platforms:
Orchestration with other cybersecurity tooling
Monitoring of employee activity and assimilating into a behavior-based risk model
Dashboarding and alerting of high-risk activity
Orchestration and initiation of intervention workflows
This is the third consecutive year that Proofpoint is a Representative Vendor in the Market Guide. Proofpoint was an early and established leader in the market for IRM solutions. Our platform:
Integrates with a broad ecosystem of cybersecurity tools. Our API-driven architecture means it's easy for you to feed alerts into your security tools. That includes security information and event management (SIEM) as well as SOAR and service management platforms, such as Splunk and ServiceNow. That, in turn, helps you gain a complete picture of potential threats.
Provides a single lightweight agent with a dual purpose. With Proofpoint, you get the benefit of data loss prevention (DLP) and ITM in a single solution. This helps you protect against data loss and get deep visibility into user activities. With one agent, you can monitor everyday users. That includes low-risk and regular business users, risky users, such as departing employees, privileged users and targeted users.
Offers one centralized dashboard. This saves you time and effort by allowing you to monitor users, correlate alerts and triage investigations from one place. You no longer need to waste your time switching between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards.
Includes tools to organize and streamline tasks. Proofpoint ITM lets you change the status of events with ease, streamline workflows and better collaborate with team members. Plus, you can add tags to help group and organize your alerts and work with more efficiency.
DLP and IRM are converging
In its latest Market Guide, Gartner says: “Data loss prevention (DLP) and insider risk strategies are increasingly converging into a unified solution. The convergence is driven by the recognition that preventing data loss and managing insider risks are interconnected goals.” A legacy approach relies on tracking data activity. But that approach is no longer sufficient because the modern way of working is more complex. Employees and third parties have access to more data than ever before. And ex
Tool Threat Cloud Technical ★★★
AlienVault 2024-01-05 11:00:00 AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
(direct link)
Executive summary
AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains, the threat actor is persistent in their intentions.
Key takeaways:
The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the US.
The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detections. As part of the obfuscation, the attacker also uses a lot of variable names and values, which are randomly generated to harden pivoting/detection by strings.
DGA domains are recycled every week, and decoy redirections are used when a VM is identified, to avoid analysis by researchers.
The ongoing registration of new and active domains indicates this campaign is still active.
There is an OTX pulse with more information.
Analysis
AsyncRAT is an open-source remote access tool released in 2019 and is still available on GitHub. As with any remote access tool, it can be leveraged as a Remote Access Trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery. Since it was initially released, this RAT has shown up in several campaigns with numerous alterations due to its open-sourced nature, even used by the APT Earth Berberoka as reported by TrendMicro. In early September, AT&T Alien Labs observed a spike in phishing emails, targeting specific individuals in certain companies.
The gif attachment led to a svg file, which also led to a download of a highly obfuscated JavaScript file, followed by other obfuscated PowerShell scripts and a final execution of an AsyncRAT client. This peculiarity was also reported by some users on X (formerly Twitter), like reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023. The registration of domains and subsequent AsyncRAT samples is still being observed at the time of writing this blog.
Figure 1: Number of samples observed by Alien Labs in this campaign.
The modus operandi of the loader involves several stages which are further obfuscated by a Command and Control (C&C) server checking if the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server doesn't rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.
Figure 2: Execution flow.
During the whole campaign, JavaScript files have been delivered to targete
Malware Tool Threat Technical ★★
The_Hackers_News 2024-01-01 19:30:00 New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections
(direct link)
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL
Threat Technical ★★★
HexaCorn 2024-01-01 17:23:21 Bitmap Hunting in SPL
(direct link)
One of the most annoying hunting exercises is detecting a sequence of failures followed by a success. Brute-force attacks, dictionary attacks, and finally password spray attacks have all this in common: lots of failures, sometimes followed by a success. The … Continue reading →
Technical ★★★★
HexaCorn 2024-01-01 13:21:53 1 little known secret of hdwwiz.exe
(direct link)
There is a number of .cpl files that can be loaded using their OS-native executable equivalents, f.ex. hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder, f.ex. c:\test, and load malicious hdwwiz.cpl from the very same … Continue reading →
Technical ★★★
HexaCorn 2023-12-31 10:21:41 1 little known secret of forfiles.exe
(direct link)
The forfiles.exe program is a well-known LOLBin. Its power comes from the /C command line argument, which specifies a command we want to execute for each item the program finds while it enumerates directories. The less …
Technical ★★★
HexaCorn 2023-12-28 23:14:48 1 little known secret of regsvr32.exe, take three
(direct link)
In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command … Continue reading →
Technical ★★★
ProofPoint 2023-12-28 14:18:07 Designing a Cost-Efficient, Petabyte-Scale Mutable Full Text Index
(direct link)
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation.
At Proofpoint, running a cost-effective, full-text search engine for compliance use cases is an imperative. Proofpoint customers expect to be able to find documents in multi-petabyte archives for legal and compliance reasons. They also need to index and perform searches quickly to meet these use cases.
However, creating full-text search indexes with Proofpoint Enterprise Archive can be costly. So we devote considerable effort toward keeping those costs down. In this blog post, we explore some of the ways we do that while still supporting our customers' requirements.
Separating mutable and immutable data
One of the most important and easiest ways to reduce costs is to separate mutable and immutable data. This approach doesn't always fit every use case, but for the Proofpoint Enterprise Archive it fits well.
For archiving use cases, and especially for SEC 17a-4 compliance, data that is indexed can't be modified. That includes data like text in message bodies and attachments. The Proofpoint Enterprise Archive has features that require the storage and mutation of data alongside a message, in accordance with U.S. Securities and Exchange Commission (SEC) compliance. (For example, which folders a message belongs to, and which legal matters a message pertains to.)
To summarize, we have:
Large immutable indexes
Small mutable indexes
By separating data into mutable and immutable categories, we can index these datasets separately. And we can use different infrastructure and provisioning rules to manage that data. The use of different infrastructure allows us to optimize the cost independently.
Comparing the relative sizes of mutable and immutable indexes.
Immutable index capacity planning and cost
Normally, full-text search indexes must be provisioned to handle the load of initial write operations, any subsequent update operations and read operations. By indexing immutable data separately, we no longer need to provision enough capacity to handle the subsequent update operations. This requires fewer IO operations overall.
To reduce IO needs further, the initial index population is managed carefully with explicit IO reservation. Sometimes, this will mean adding more capacity (nodes/servers/VMs) so that the IO needs of existing infrastructure are not overloaded.
When you mutate indexes, it is typically best practice to leave an abundance of disk space to support the index merge operations when updates occur. In some cases, this can be as much as 50% free disk space. But with immutable indexes, you don't need to have so much spare capacity, and that helps to reduce costs.
In summary, the following designs can help keep costs down:
Reduce IO needs because documents do not mutate
Reduce disk space requirements because free space for mutation isn't needed
Careful IO planning on initial population, which reduces IO requirements
Mutable index capacity planning and cost
Meanwhile, mutable indexes benefit from standard practices. They can't receive the same reduced capacity as immutable indexes. However, given that they're a fraction of the size, it's a good trade-off.
Comparing the relative free disk space of mutable and immutable indexes.
Optimized join with custom partitioning and routing
In a distributed database, join operations can be expensive. We often have 10s to 100s of billions of documents for the archiving use case. When both sides of the join operation have large cardinality, it's impractical to use a generalized approach to join the mutable and immutable data.
To make this high-cardinality join practical, we partition the data in the same way for both the mutable and immutable data. As a result, we end up with a one-t
Cloud Technical ★★★
HexaCorn 2023-12-26 15:22:47 1 little known secret of runonce.exe (32-bit)
(direct link)
When you execute a 32-bit version of runonce.exe on a 64-bit version of Windows and pass it the /RunOnceEx6432 argument, you will make the program load the iernonce.dll library and execute its RunOnceExProcess API… Since the iernonce.dll library is loaded using … Continue reading →
Technical ★★★
HexaCorn 2023-12-25 11:15:35 2 less known secrets of Windows command command-driven line tools…
(direct link)
Many Windows tools support commands, f.ex.: We are very used to their invocations in the form of tool command, but there is an alternative way to invoke them by using quotes around these commands, f.ex.: This breaks many hard-coded detections. … Continue reading →
Tool Technical ★★★★
Korben 2023-12-25 08:00:00 Chisel – Secure TCP/UDP tunnelling over HTTP and SSH in the blink of an eye
(direct link)
Chisel is a TCP/UDP tunnel written in Go that lets you traverse firewalls and reach services on a local network over HTTP/SOCKS5. It runs in server mode with Docker and in client mode on your machine. Configure your browser with the IP 127.0.0.1 and port 1080 to establish a secure tunnel and reach your local services.
Technical ★★★★
Korben 2023-12-23 08:00:00 Nosey Parker – The essential tool for detecting secrets in your Git repositories
(direct link)
Developers sometimes leave credentials and API keys visible on GitHub. Nosey Parker is a tool for detecting them in Git repositories by scanning files, directories and histories. It organizes the results in a datastore to make code audits and checking the security of your own code easier. Available for Docker, macOS and Linux, it simplifies the search for data leaks in Git repositories.
Technical ★★★★
TechWorm 2023-12-21 20:54:09 New Phishing Campaign Steals Instagram Backup Codes
(direct link)
Trustwave SpiderLabs has discovered a new strain of Instagram “Copyright Infringement” phishing emails that aim to steal the victim's Instagram backup codes by bypassing the two-factor authentication (2FA) offered on the account. Two-factor authentication is a method of adding additional security that requires two forms of identification to access resources and data when logging into the account. This extra layer of security is an effective way to protect your account against many security threats that steal personal information, such as phishing, brute-force attacks, credential exploitation, and more. When configuring two-factor authentication on Instagram, the site also generates eight-digit backup codes for users as an alternative means of accessing the account, in case you are unable to verify your account using 2FA. In this latest phishing attempt, the email message, which claims to be from Instagram's parent company, Meta, says that the recipient's Instagram account has infringed copyright. It further urges the recipient to file an appeal within 12 hours by clicking the “Appeal Form” button in the email, otherwise the account will be permanently deleted. Clicking the button takes the recipient to a fake central portal for violations, where they click the “Go to confirmation form (confirm my account)” button, which then redirects them to the actual phishing website. The phishing site, which poses as a fake Meta “Appeal Center” portal, is hosted on a newly created domain. Once the user clicks the “Continue” button, recipients are prompted to enter their username and password (twice).
After the passwords are provided, the phishing site asks the user whether two-factor authentication is enabled on the Instagram account and, after confirmation, it asks for the 8-digit backup code. The end result is that the threat actors have obtained all the information needed to log into the victim's account. This stolen information can be used by the cybercriminals, sold underground, or used to take over the account. “To prevent this from happening, do not share passwords or codes, and be careful about how this data is stored. In case of compromise, change the password immediately or regenerate new backup codes immediately,” Trustwave SpiderLabs advises in a blog post.
Threat Technical ★★★★
Blog 2023-12-21 13:58:50 How Human Elements Impact Email Security
(direct link)
>By Owais Sultan Cybersecurity has been a hot topic in 2023 due to the rising number of cyber events and the… This is a post from HackRead.com Read the original post: How Human Elements Impact Email Security
Technical ★★★
AlienVault 2023-12-21 11:00:00 Data breaches: In-depth analysis, recovery strategies, and best practices
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In the dynamic landscape of cybersecurity, organizations face the ever-present risk of data breaches. This article provides a detailed exploration of data breaches, delving into their nuances, and offers comprehensive recovery strategies along with best practices. A data breach occurs when unauthorized threat actors gain access to sensitive information, jeopardizing data integrity and confidentiality. There are some common causes behind major data breaches:
Cyber-attacks: Sophisticated cyber-attacks, using techniques such as spear phishing, ransomware, and advanced persistent threats, are predominant causes behind data breaches.
Insider threats: Whether arising from employee errors, negligence, or intentional malicious actions, insider threats contribute significantly to data breaches.
Third-party incidents: Weaknesses in the security protocols of third-party vendors or service providers can expose organizations to the risk of data breaches.
Learnings acquired
Rapid detection and response: The criticality of swift detection and response cannot be overstated. Delayed identification prolongs the impact and complicates the recovery process.
Comprehensive incident response: Organizations must establish a robust incident response plan, encompassing communication strategies, legal considerations, and meticulous technical remediation steps.
Regulatory compliance: Adherence to regulatory requirements and industry standards is not only essential for legal compliance but is also a fundamental aspect of maintaining trust and credibility.
Employee training: Ongoing training initiatives that elevate employees' awareness of security threats and best practices play a pivotal role in preventing data breaches.
Continuous security audits: Regular security audits and assessments serve as proactive measures, identifying vulnerabilities before they can be exploited.
Best practices for recovery
Detailed incident communication: Provide a comprehensive and transparent communication plan, detailing the incident's scope, impact, and the organization's proactive steps for resolution.
Stakeholder engagement: Engage with stakeholders, including customers, employees, and regulatory bodies. Keep them informed about the incident's progress and the measures being taken for recovery.
Comprehensive cyber insurance coverage: Cyber insurance can be a strategic asset, covering a range of costs related to the incident, including investigation, legal proceedings, and potential regulatory fines.
Strengthen cybersecurity measures:
Advanced threat detection: Implement advanced threat detection mechanisms that can identify anomalous behavior and potential threats in real-time.
Encryption and access controls: Enhance data protection by implementing robust encryption protocols and access controls, limiting unauthorized access to sensitive information.
Regular system updates: Maintain an agile cybersecurity posture by regularly updating and patching systems to address known vulnerabilities.
Law enforcement partnership: Collaborate with law enforcement agencies and relevant authorities, leveraging their expertise to aid in the investigation and apprehension of cybercriminals.
Legal counsel engagement: Engage legal counsel to navigate the legal intricacies associated with the breach, ensuring compliance with regulations and m
Ransomware Data Breach Vulnerability Threat Patching Technical ★★
globalsecuritymag.webp 2023-12-20 20:47:57 Independent Technical Evaluation from Technology Advancement Center Finds Darktrace Federal Cyber AI Mission Defense Provides Comprehensive Visibility and Detection for IT and OT Environments
Independent Technical Evaluation from Technology Advancement Center Finds Darktrace Federal Cyber AI Mission Defense Provides Comprehensive Visibility and Detection for IT and OT Environments Darktrace Federal Cyber AI Mission Defense designed to combat sophisticated attacks including nation state attacks, insider threats, and zero-days using Self-Learning AI - Business News
Industrial Technical ★★
Dragos.webp 2023-12-19 15:52:08 Developing and Executing a Fully Informed OT Threat Hunt
Written in partnership with Michael Gardner, who previously worked as an Intelligence Technical Account Manager at Dragos, Inc. Threat hunting...
Threat Industrial Technical ★★★
AlienVault.webp 2023-12-18 22:51:00 Behind the Scenes: JaskaGO's Coordinated Strike on macOS and Windows
Executive summary
In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.

Key takeaways:
The malware is equipped with an extensive array of commands from its Command and Control (C&C) server.
JaskaGO can persist using several different methods on an infected system.
Users face a heightened risk of data compromise as the malware excels at exfiltrating valuable information, ranging from browser credentials to cryptocurrency wallet details and other sensitive user files.

Background
JaskaGO contributes to a growing trend in malware development leveraging the Go programming language. Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats. While macOS is often perceived as a secure operating system, there exists a prevalent misconception among users that it is impervious to malware. Historically, this misbelief has stemmed from the relative scarcity of macOS-targeted threats compared to other platforms. However, JaskaGO serves as a stark reminder that both Windows and macOS users are constantly at risk of malware attacks. The malware's use of file names resembling well-known applications (such as “Capcut_Installer_Intel_M1.dmg”, “Anyconnect.exe”) suggests a common strategy of deploying malware under the guise of legitimate software on pirated-application web pages. The first JaskaGO sample was observed in July 2023, initially targeting Mac users. Following this opening assault, dozens of new samples have been identified as the threat evolved its capabilities and developed both macOS and Windows versions; its low detection rate is evident from the anti-virus engine results for a recent sample (Figure 1).

Figure 1. As captured by Alien Labs: Anti-virus detection for recent JaskaGO samples within VirusTotal.

Analysis
Upon initial execution, the malware cunningly presents a deceptive message box, displaying a fake error message claiming a missing file. This is strategically designed to mislead the user into believing that the malicious code failed to run (Figure 2).

Figure 2. As captured by Alien Labs: Fake error message.

Anti-VM
The malware conducts thorough checks to determine if it is operating within a virtual machine (VM). This process begins with the examination of general machine information, where specific criteria such as the number of processors, system up-time, available system memory, and MAC addresses are checked. The presence of MAC addresses associated with well-known VM software, such as VMware or VirtualBox, is a key indicator (Figure 3).

Figure 3. As captured by Alien Labs: Looking for VM related MAC addresses.

Additionally, the malware's Windows version searches for VM-related traces in both the registry and the file system (Figure 4).
Malware Vulnerability Threat Prediction Technical ★★★
The_Hackers_News.webp 2023-12-18 21:13:00 Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits
Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security
Vulnerability Threat Technical ★★★
Trend.webp 2023-12-15 00:00:00 Decoding CVE-2023-50164: Unveiling the Apache Struts File Upload Exploit
In this blog entry, we discuss the technical details of CVE-2023-50164, a critical vulnerability that affects Apache Struts 2 and enables unauthorized path traversal.
Vulnerability Threat Technical ★★
AlienVault.webp 2023-12-14 11:00:00 Protecting the enterprise from dark web password leaks
Referenced in popular films and television programs, “The Dark Web” has achieved what many cyber security concerns fail to do in that it has entered the public consciousness. It is generally understood that the dark web is a collection of on-line sites and marketplaces, notorious for facilitating illegal activities and harboring stolen information. The details of how this underground economy functions, the various levels of sophistication of its participants, and how information ends up in these forums are less broadly understood.

The trade in compromised passwords in dark web markets is particularly damaging. Cybercriminals often exploit password leaks to access sensitive data, commit fraud or launch further attacks. Let's explore the various ways passwords are leaked to the dark web and discuss strategies for using dark web data to protect your organization.

Data breaches
One of the most common ways passwords are leaked to the dark web is through data breaches. Cybercriminals target organizations and gain unauthorized access to their systems and databases. Once inside, they can steal large volumes of user data, including passwords, which are then sold or traded on the dark web. A “first party” data breach is when that breach occurs in a network you are responsible for (i.e. your company). This is typically a top-of-mind concern for security and IT professionals. However, breaches of third parties that hold information about your users can be equally damaging. Because users often reuse passwords across multiple services, or use slight variations or formulaic passwords, these disclosures are critical. They result in threat actors gaining access to your network or SaaS services by simply logging in, or through brute forcing a greatly reduced key space, which may go unnoticed.

Phishing attacks
Phishing attacks are another prevalent method used by cybercriminals to obtain passwords. These attacks involve sending deceptive emails, text messages, or social media messages that trick users into revealing their login credentials. Once the attacker has the victim's password, they can easily access their accounts or sell the information on the dark web.

Keyloggers and malware
Keyloggers and malware are stealthy tools used by cybercriminals to record a user's keystrokes, including passwords. These can be installed on a victim's device through malicious emails, downloads, or infected websites. This is particularly concerning in cases where the endpoints in question are not fully managed by the company. Contractors, network devices provided by service providers, users with BYOD equipment, or other semi-public or public devices from which users might access a cloud service are all examples of devices which can result in loss of credentials because of malware infection, regardless of the endpoint security measures taken on company-owned devices. What is particularly insidious about these infections is that, unless addressed, they continue to report current credentials up to the command-and-control services across password changes and platforms.

Insider threats
Sometimes, passwords are leaked to the dark web through insider threats. Disgruntled employees, contractors, or other individuals with access to sensitive information may intentionally leak passwords as an act of revenge or for financial gain.

Protecting Your Passwords: Best Practices
While the risks associated with password leaks on the dark web are real, there are steps you can take to protect your organization from being impacted by these disclosures:
Educate users: By now it is difficult to find an organization that doesn't have a policy and technical controls to enforce the use of strong passwords in their environment. Building on that to train users when it is acceptable to use a company-provided email address for service
Data Breach Malware Tool Threat Cloud Technical ★★
ProofPoint.webp 2023-12-14 09:44:32 Insider Threat Mitigation: 5 Best Practices to Reduce Risk
(This is an updated version of a blog that was originally published on 1/28/21.)

Most security teams focus on detecting and preventing external threats. But not all threats come from the outside.

The shift to hybrid work, accelerated cloud adoption and high rates of employee turnover have created a perfect storm for data loss and insider threats over the past several years. Today, insider threats rank amongst the top concerns for security leaders: 30% of chief information security officers report that insider threats are their biggest cybersecurity threat over the next 12 months.

It's easy to understand why. Insider threats have increased 44% since 2020 due to current market dynamics, and security teams are struggling to keep pace. According to the Verizon 2023 Data Breach Investigations Report, 74% of all breaches involve the human element. In short, data doesn't lose itself. People lose it.

When the cybersecurity risk to your company's vital systems and data comes from the inside, finding ways to mitigate it can be daunting. Unlike with tools that combat external threats, security controls for data loss and insider threats can impact users' daily jobs. However, with the right approach and insider threat management tools, that doesn't have to be the case.

In this blog post, we'll share best practices for insider threat mitigation to help your business reduce risk and overcome common challenges you might face along the way.

What is an insider threat?
But first, let's define what we mean by an insider threat. In the cybersecurity world, the term “insider” describes anyone with authorized access to a company's network, systems or data. In other words, it is someone in a position of trust. Current employees, business partners and third-party contractors can all be defined as insiders.

As part of their day-to-day jobs, insiders have access to valuable data and systems like:
Computers and networks
Intellectual property (IP)
Personal data
Company strategy
Financial information
Customer and partner lists

All insiders pose a risk given their position of trust, but not all insiders are threats.

An insider threat occurs when someone with authorized access to critical data or systems misuses that access, either on purpose or by making a mistake. The fallout from an insider threat can be dire for a business, including IP loss, legal liability, financial consequences and reputational damage.

The challenge for security firms is to determine which insiders are threats, and what type of threats they are, so they know how to respond. There are three insider threat types:
Careless. This type of risky insider is best described as a user with good intentions who makes bad decisions that can lead to data loss. The 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that careless users account for more than half (56%) of all insider-led incidents.
Malicious. Some employees, or third parties like contractors or business partners, are motivated by personal gain. Or they might be intent on harming the business. In either case, these risky users might want to exfiltrate trade secrets or take IP when they leave the company. Industrial espionage and sabotage are examples of malicious insider activity. Ponemon research shows malicious insiders account for 26% of insiders.
Compromised. Sometimes, external threat actors steal user login information or other credentials. They then use those credentials to access applications and systems. Ponemon reports that compromised users account for 18% of insiders.

Insider threat mitigation best practices
Companies can minimize brand and financial damage by detecting and stopping insider threats. How each security team approaches insider threats will vary depending on the industry, maturity and business culture. However, every organization can use the five best practices we've outlined below to improve their insider threat prevention.

1. Identify your risky users
Most insiders fall into the “care
Data Breach Tool Threat Industrial Cloud Technical ★★
HexaCorn.webp 2023-12-14 00:08:10 Custom Install Path & portability issues
If you’ve been reading my blog for a while now you will know that I love to challenge my threat hunting game with a lot of err… banalities. And not the banalities I can ignore, but a lot of these …
Threat Technical ★★★★
SlashNext.webp 2023-12-13 19:14:05 Silent, Yet Powerful Pandora hVNC, The Popular Cybercrime Tool That Flies Under the Radar
Pandora hVNC is a remote access trojan (RAT) that has been advertised on cybercrime forums since 2021. Surprisingly, it has received little attention from the cybersecurity community. Despite this, it remains a widely used tool and is favoured by many threat actors. Pandora hVNC enables attackers to gain covert control over a victim’s computer. This […]
Tool Threat Technical ★★★★
Mandiant.webp 2023-12-13 17:00:00 FLOSS for Gophers and Crabs: Extracting Strings from Go and Rust Executables
Google Summer of Code
The evolving landscape of software development has introduced new programming languages like Go and Rust. Binaries compiled from these languages work differently to classic (C/C++) programs and challenge many conventional analysis tools. To support the static analysis of Go and Rust executables, FLOSS now extracts program strings using enhanced algorithms. Where traditional extraction algorithms provide compound and confusing string output, FLOSS recovers the individual Go and Rust strings as they are used in a program. To start using FLOSS download one of the standalone binaries from our releas
Tool Technical ★★★★
IndustrialCyber.webp 2023-12-12 12:43:11 US addresses securing software supply chain for managing open-source software, SBOM
U.S. security agencies published a cybersecurity technical report (CTR) that expands on a June 2023 memo from the...
Technical ★★★
The_Hackers_News.webp 2023-12-09 12:46:00 Researchers Unveil GuLoader Malware's Latest Anti-Analysis Techniques
Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs
Malware Threat Technical ★★★★
The_Hackers_News.webp 2023-12-08 16:38:00 Ransomware-as-a-Service: The Growing Threat You Can't Ignore
Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks.
Ransomware Threat Prediction Technical ★★
AlienVault.webp 2023-12-07 11:00:00 Las Vegas casinos targeted by ransomware attacks
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Introduction:
Ever since the invention of internet browsers for personal computers came about in the 1990s, cybercrime has been on the rise. Almost 30 years after the invention of the Worldwide Web, cybercriminals have a variety of different methodologies and toolkits that they use on a daily basis to leverage vulnerabilities and commit crime. One of the most popular types of attacks that is used by threat actors is a ransomware attack. Most recently, several Las Vegas casinos fell victim to a series of ransomware attacks.

Las Vegas hacks:
In mid-September 2023, two of the biggest Las Vegas casino and hotel chains found themselves to be victims of ransomware attacks. The two organizations that were targeted were Caesars Entertainment and MGM Resorts International.

MGM Resorts International:
The attack against MGM was first reported on September 11, 2023, when MGM personnel put out a public statement stating that a “cyber security incident” had affected some of its systems. In the days following this statement many guests reported numerous problems with the casino and hotel operations of the company. On the casino side, many guests reported problems with slot machines and payout receipts. The slot machines in some of the MGM casinos were completely inoperable and, in the casinos where they were operational, the machines were not able to print out the cash-out vouchers. On the hotel side, many of the organization's websites were inaccessible for a while after the attack. Guests across multiple MGM hotels reported issues with their mobile room keys not functioning, and new arrivals reported wait times of up to six hours to check in. A hacking group known as Scattered Spider has taken credit for the ransomware attack against MGM Resorts International. Scattered Spider first appeared in the cyber threat landscape in May 2022 and is thought to be individuals ages 19-22 based out of the UK and USA. The attackers carried this attack out in three phases. The first phase was reconnaissance, in which they stalked the company's LinkedIn page and the employees that work there. The second phase of the attack was a vishing attack against MGM's IT help desk. A vishing attack is when someone uses phone calls or voice communication to trick the victim into sharing personal information, credit card numbers, or credentials. Using the information they gathered on LinkedIn, the attackers were able to impersonate an MGM employee and tricked the help desk into giving them credentials to MGM systems. The attack's third phase was launching ransomware developed by another hacker group, ALPHV. Scattered Spider rendered multiple systems throughout the organization useless unless the ransom was paid. Currently it is not known if MGM paid the ransom, but all casinos are once again fully operational.

Caesars Entertainment:
Days after MGM reported it had been hacked, Caesars Entertainment disclosed to the SEC that they were also victims of a cyberattack around the same time as MGM. In a statement to the SEC, Caesars reported that confidential information about members of its customer loyalty program was stolen. Caesars representatives stated that the hackers were able to break into computer systems through a social engineering attack on an IT support contractor. Not much information is available about the execution of this attack. The use of a social engineering attack has led many people to believe that Scattered Spider was also behind this attack. The hackers demanded that Caesars pay a ransom of $30 million. It is reported that the organization paid $15 million to the hackers and the company has “taken steps to ensure the stolen information is deleted by the hacker but canno
Ransomware Vulnerability Threat Mobile Technical ★★★
AlienVault.webp 2023-12-05 11:00:00 Insights into modern fraud detection systems
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Information security requirements and standards are in a constant state of evolution. Recent issues, such as COVID-19 and the growing global reliance on mobile devices and remote work solutions, have played important roles in this ongoing transformation. At the same time, the increasing sophistication of cyber attackers has added new layers of complexity to the cybersecurity landscape. In this article, I will explore the importance of implementing fraud detection systems as a crucial measure to mitigate the impact of both traditional and emerging fraudulent schemes.

Challenges faced by financial institutions
The landscape of user behavior has undergone significant shifts, primarily driven by external factors such as the COVID-19 pandemic. This factor led to an increase in online transactions, coupled with reduced income streams for many individuals, resulting in decreased spending in specific user categories. Additionally, local conflicts, like the wars in Ukraine and Israel, influence spending patterns in particular regions. The implementation of restrictive measures and the resulting increase in stress levels have provided cyber crooks with more opportunities to exploit social engineering techniques through acts of intimidation. One prevalent scam involves fraudsters posing as bank security officials to deceive unsuspecting individuals. Another concerning trend is the rise of legitimate channels that drive people to scam schemes via mainstream advertising platforms like Google and Facebook. Furthermore, the economic hardships some people face have led them to seek alternative income sources, driving them to engage in various forms of online criminal activities. Some individuals become involved in schemes where they act as money mules or work in illegal call centers.

It is challenging for financial institutions to guarantee absolute safety. Malicious individuals can present counterfeit identification to authorize transactions that were initially denied by the anti-fraud system. While financial institutions strive to know as much as possible about their clients and run transactions carefully, they are constrained by data retention limitations (typically several months) and the need to respond within seconds, as stipulated by Service Level Agreements. So, again, achieving complete certainty about every transaction remains a huge problem. Detecting suspicious activities becomes even more challenging when malicious employees request details about a specific client or transaction, as this falls within their routine work tasks. Some fraud detection systems use computer webcams or video surveillance cameras to monitor employee behavior. Modern surveillance systems have become more intelligent, leveraging artificial intelligence and historical data to perform comprehensive risk assessments and take action when unusual employee behavior is detected. However, these cameras may not always be effective in identifying deceitful behavior when employees remain almost motionless.

Understanding fraud detection systems
Fraud detection systems are designed to detect and prevent various forms of fraudulent activities, ranging from account hijacking and
Tool Threat Mobile Prediction Technical ★★★
HexaCorn.webp 2023-12-02 00:06:39 Proof of life…
‘Blade Runner’ – the cult classic movie – teaches us that the (non-)human traits/behaviors can be detected with a so-called Voight-Kampff test. This post is about discussing (not designing yet) a similar test for our threat hunting purposes… The key …
Threat Technical ★★★
Detection_Engineering.webp 2023-11-29 13:01:45 Det. Eng. Weekly #49 - There Is No Cow Level
(direct link)
Imagine a botnet of cows. IMAGINE
Technical ★★★
DarkReading.webp 2023-11-27 22:00:00 The Role of the CISO in Digital Transformation
(direct link)
A successful CISO should play a leading role in digital transformation and cloud migration initiatives in their organization. The CISO is responsible for making sure technical security controls are designed and implemented appropriately, and changes are properly managed, with security in mind from the very start.
Cloud Technical ★★
mcafee.webp 2023-11-27 16:31:36 Beneath the Surface: How Hackers Turn NetSupport Against Users
(direct link)
> NetSupport malware variants have been a persistent threat, demonstrating adaptability and evolving infection techniques. In this technical analysis, we delve...
Malware Threat Technical
RiskIQ.webp 2023-11-21 21:19:53 Agent Tesla: Unusual ZPAQ Archive Format Delivers Malware
(direct link)
#### Description
A new variant of Agent Tesla has been discovered that uses the ZPAQ archive format and the .wav file extension to infect systems and steal information from approximately 40 web browsers and various email clients. ZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR. However, ZPAQ has limited software support, making it difficult to work with, especially for users without technical expertise. The .NET executable file is bloated with zero bytes, which allows threat actors to bypass traditional security measures and increase the effectiveness of their attack. The usage of the ZPAQ compression format raises more questions than answers. The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software. The malware uses Telegram as a C&C due to its widespread legitimate usage and the fact that its traffic is often allowed through firewalls, making it a useful medium for covert communication. Like any other stealer, Agent Tesla can harm not only private individuals but also organizations. It has gained popularity among cybercriminals for many reasons, including ease of use, versatility, and affordability on the Dark Web.
#### Reference URL(s)
1. https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq
#### Publication Date
November 20, 2023
#### Author(s)
Anna Lvova
Malware Tool Threat Technical ★★★
DarkReading.webp 2023-11-21 20:45:00 The Role of the CISO in Digital Transformation
(direct link)
A successful CISO should play a leading role in digital transformation and cloud migration initiatives in their organization. The CISO is responsible for making sure technical security controls are designed and implemented appropriately, and changes are properly managed, with security in mind from the very start.
Cloud Technical ★★
Checkpoint.webp 2023-11-21 13:15:00 Comparative Study Results on Linux and Windows Ransomware Attacks, Exploring Notable Trends and Surge in Attacks on Linux Systems
(direct link)
>Highlights: Evolving Landscape: Check Point Research (CPR) unveils a comprehensive study exploring the surge in ransomware attacks on Linux systems, drawing comparisons to their Windows counterparts. Simplification Trend: CPR's analysis reveals a notable trend towards simplification among Linux-targeting ransomware families, with core functionalities reduced to basic encryption processes, making these threats elusive and challenging to detect. Encryption Insights: A comparative examination of encryption techniques between Windows and Linux exposes a preference for ChaCha20/RSA and AES/RSA algorithms in Linux ransomware. In a recent study conducted by Check Point Research (CPR), an in-depth examination of ransomware attacks on Linux and Windows […]
Ransomware Studies Prediction Technical ★★★★
ProofPoint.webp 2023-11-21 08:35:02 Preventing MFA Fatigue Attacks: Safeguarding Your Organization
(direct link)
Gaining access to critical systems and stealing sensitive data are top objectives for most cybercriminals. Social engineering and phishing are powerful tools to help them achieve both. That's why multifactor authentication (MFA) has become such an important security measure for businesses and users. Without MFA as part of the user authentication process, it is much less challenging for an attacker with stolen credentials to authenticate to a user's account.

The primary goal of MFA is to reduce the risk of unauthorized access, especially in situations where passwords alone may not provide enough protection. Even if an attacker steals a user's password, with MFA they still need the second factor (and maybe others) to gain access to an account. Examples of MFA factors include biometrics, like fingerprints, and signals from user devices, like GPS location.

MFA isn't a perfect solution, though: it can be bypassed. Adversaries are relentless in their efforts to undermine any security defenses standing in the way of their success. (The evolution of phish kits for stealing MFA tokens is evidence of that.) But sometimes, attackers will choose to take an in-your-face approach that is not very creative or technical. MFA fatigue attacks fall into that category.

What are MFA fatigue attacks, and how do they work?

MFA fatigue attacks, also known as MFA bombing or MFA spamming, are a form of social engineering. They are designed to wear down a user's patience so that they will accept an MFA request out of frustration or annoyance, and thus enable an attacker to access their account or device.

Many people encounter MFA requests daily, or even multiple times per day, as they sign in to various apps, sites, systems and platforms. Receiving MFA requests via email, phone or other devices as part of that process is a routine occurrence.

So, it is logical for a user to assume that if they receive a push notification from an account that they know requires MFA, it is a legitimate request. And if they are very busy at the time they receive several push notifications in quick succession to authenticate an account, they may be even more inclined to accept a request without scrutinizing it.

Here's an overview of how an MFA fatigue attack works:

1. A malicious actor obtains the username and password of their target. They can achieve this in various ways, from password-cracking tactics like brute-force attacks to targeted phishing attacks to purchasing stolen credentials on the dark web.
2. The attacker then starts to send MFA notifications to the user continuously, usually via automation, until that individual feels overwhelmed and approves the login attempt just to make the requests stop. (Usually, the push notifications from MFA solutions require the user to simply click a "yes" button to authenticate from the registered device or email account.)
3. Once the attacker has unauthorized access to the account, they can steal sensitive data, install malware and do other mischief, including impersonating the user they have compromised, taking their actions as far as they can or want to go.

3 examples of successful MFA fatigue attacks

To help your users understand the risk of these attacks, you may want to include some real-world examples in your security awareness program on this topic. Here are three notable incidents, which are all associated with the same threat actor:

Uber. In September 2022, Uber reported that an attacker affiliated with the threat actor group Lapsus$ had compromised a contractor's account. The attacker may have purchased corporate account credentials on the dark web, Uber said in a security update. The contractor received several MFA notifications as the attacker tried to access the account, and eventually accepted one. After the attacker logged in to the account, they proceeded to access other accounts, achieving privilege escalation. One action the attacker took was to reconfigure Uber's OpenDNS to display a graphic image on some of the company's internal sites.

Cisco. Cisco suffer
Ransomware Data Breach Malware Tool Threat Technical Uber ★★★
DarkReading.webp 2023-11-20 22:01:00 Malware Uses Trigonometry to Track Mouse Strokes
(direct link)
The latest LummaC2 infostealer version includes a novel anti-sandbox trick to avoid detonating when no human mouse movements are detected.
Malware Technical ★★★
Last update at: 2024-05-12 12:07:58