What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-01-26 21:18:12 | CVE-2023-22482 (lien direct) | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds. | Tool Vulnerability | Uber | |
 |
2023-01-26 00:37:55 | ChatGPT: A Scammer\'s Newest Tool (lien direct) | >
ChatGPT: Everyone's favorite chatbot/writer's-block buster/ridiculous short story creator is skyrocketing in fame. 1 In fact, the AI-generated content “masterpieces” (by...
|
Tool | ChatGPT | ★★ |
 |
2023-01-26 00:00:00 | New Mimic Ransomware Abuses Everything APIs for its Encryption Process (lien direct) | Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. | Ransomware Tool Prediction | ★★ | |
 |
2023-01-25 21:43:55 | Exploit released for Microsoft bug allowing attacker to masquerade as legitimate entity (lien direct) |  Researchers from Akamai have released a proof-of-concept for a vulnerability affecting a Microsoft tool that allows the Windows' application programming interface to deal with cryptography. The vulnerability, CVE-2022-34689, was discovered by the United Kingdom’s National Cyber Security Centre and the National Security Agency. It affects a tool called CryptoAPI and allows an attacker to masquerade [… |
Tool Vulnerability | ★★ | |
 |
2023-01-25 04:31:00 | Chinese threat actor DragonSpark targets East Asian businesses (lien direct) | Organizations in Taiwan, HongKong, Singapore and China have been recently facing attacks from a Chinese threat actor DragonSpark. The threat actor was observed using open source tool SparkRAT for its attacks, according to a report by SentinelOne. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the Remote Access Trojan (RAT) attractive to threat actors.To read this article in full, please click here | Tool Threat | ★★ | |
 |
2023-01-24 16:30:00 | Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Banking trojans, DNS hijacking, China, Infostealers, Malvertising, Phishing, and Smishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022
(published: January 19, 2023)
In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains.
Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software.
MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure
Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android
Hook: a New Ermac Fork with RAT Capabilities
(published: January 19, 2023)
ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones.
Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive |
Malware Tool Threat Guideline | APT 15 APT 25 | ★★★ |
 |
2023-01-24 10:55:22 | Dragonspark |Les attaques échappent à la détection avec l'interprétation du code source Sparkrat et Golang DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (lien direct) |
Un groupe d'attaques Sentinelabs suit comme Dragonspark utilise une nouvelle technique, l'interprétation du code source de Golang, pour éviter la détection tout en déploiement d'un outil peu connu appelé Sparkrat.
A cluster of attacks SentinelLabs tracks as DragonSpark uses a novel technique, Golang source code interpretation, to avoid detection while also deploying a little-known tool called SparkRAT. |
Tool | ★★★ | |
|
2023-01-24 02:15:09 | CVE-2022-45639 (lien direct) | OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. | Tool Vulnerability | ||
 |
2023-01-23 20:14:17 | Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability (lien direct) | Last year, I worked on a vulnerability in Zimbra (CVE-2022-41352 - my AttackerKB analysis for Rapid7) that turned out to be a new(-ish) exploit path for a really old bug in cpio - CVE-2015-1194. But that was patched in 2019, so what happened? (I posted this as a tweet-thread awhile back, but I decided to flesh it out and make it into a full blog post!) cpio is an archive tool commonly used for system-level stuff (firmware images and such). It can also extract other format, like .tar, which we'll use since it's more familiar. cpio has a flag (--no-absolute-filenames), off by default, that purports to prevent writing files outside of the target directory. That's handy when, for example, extracting untrusted files with Amavis (like Zimbra does). The problem is, symbolic links can point to absolute paths, and therefore, even with --no-absolute-filenames, there was no safe way to extract an untrusted archive (outside of using a chroot environment or something similar, which they really ought to do). Much later, in 2019, the cpio team released cpio version 2.13, which includes a patch for CVE-2015-1194, with unit tests and everything. Some (not all) modern OSes include the patched version of cpio, which should be the end of the story, but it's not! I'm currently writing this on Fedora 35, so let's try exploiting it. We can confirm that the version of cpio installed with the OS is, indeed, the fixed version: ron@fedora ~ $ cpio --version cpio (GNU cpio) 2.13 Copyright (C) 2017 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later . This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Written by Phil Nelson, David MacKenzie, John Oleynick, and Sergey Poznyakoff. That means that we shouldn't be able to use symlinks to write outside of the target directory, so let's create a .tar file that includes a symlink and a file written through that symlink (this is largely copied from this mailing list post: ron@fedora ~ $ mkdir cpiotest ron@fedora ~ $ cd cpiotest ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile demo demo/imafile ron@fedora ~/cpiotest $ | Tool Vulnerability | APT 17 | ★★★★ |
 |
2023-01-23 18:00:00 | Hackers Deploy Open-Source Tool Sliver C2, Replacing Cobalt Strike, Metasploit (lien direct) | Sliver is gaining popularity due to its modular capabilities and cross-platform support | Tool | ★★ | |
 |
2023-01-19 14:22:50 | New version of Remcos RAT uses direct syscalls to evade detection. (lien direct) | Remcos is a legitimate commercial Remote Access Tool (RAT) created by the security company Breaking Security. It was first released in 2016 but started being used for malicious purposes during 2017. This is a powerful tool that grants the capability of comprehensive remote surveillance including keylogging, activating cameras, taking screenshots, capturing audio, and monitoring clipboard […] | Tool | ★★★★★ | |
 |
2023-01-19 11:03:00 | Mailchimp Suffers Another Security Breach Compromising Some Customers\' Information (lien direct) | Popular email marketing and newsletter service Mailchimp has disclosed yet another security breach that enabled threat actors to access an internal support and account admin tool to obtain information about 133 customers. "The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee | Tool Threat | ★ | |
|
2023-01-18 16:35:00 | Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware
(published: January 16, 2023)
On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens.
Analyst Comment: Free repositories such as PyPI become increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores
Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows
Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd
(published: January 11, 2023)
In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries.
Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with Get request for payloads.
MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host
Tags: FG-IR-22-398, CVE-2022-42 |
Malware Tool Vulnerability Threat Guideline | LastPass | ★★ |
|
2023-01-18 02:00:00 | Why it\'s time to review your on-premises Microsoft Exchange patch status (lien direct) | We start the patching year of 2023 looking at one of the largest releases of vulnerability fixes in Microsoft history. The January 10 Patch Tuesday update patched one actively exploited zero-day vulnerability and 98 security flaws. The update arrives at a time when short- and long-term technology and budget decisions need to be made.This is particularly true for organizations using on-premises Microsoft Exchange Servers. Start off 2023 by reviewing the most basic communication tool you have in your business: your mail server. Is it as protected as it could be from the threats that lie ahead of us in the coming months? The attackers know the answer to that question.To read this article in full, please click here | Tool Vulnerability Patching | ★★ | |
|
2023-01-17 22:15:10 | CVE-2022-41953 (lien direct) | Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources. | Tool | ||
 |
2023-01-17 14:22:28 | Action1 Provides Free Tool to Eliminate Organizations\' Exposure to Compromise after LastPass Breach (lien direct) | Action1 Provides Free Tool to Eliminate Organizations' Exposure to Compromise after LastPass Breach Action1's free offering enables IT teams to gain visibility into all browsers on which LastPass extension is installed, helping them mitigate the risks to their environments posed by the infamous breach. - Product Reviews | Tool | LastPass | ★★★ |
|
2023-01-17 10:14:00 | BrandPost: Optimize Your Security Investments with the Right MDR Provider (lien direct) | Traditionally, Managed Detection and Response (MDR) providers deliver MDR in one of two ways. The first is to use the customer's existing technology with select and heavily curated third-party technology integrations.“They are what we call 'bring your own technology' providers,” says Eric Kokonas, Global Head of Analyst Relations with Sophos. “Those providers take advantage of a customer's existing tool set. They say, you've made investments in security tools. We're going to provide the people and processes, and we're going to help you leverage those tools to detect and respond to advanced threats.”To read this article in full, please click here | Tool | ★ | |
|
2023-01-16 15:39:59 | A Detailed Guide on Evil-Winrm (lien direct) | Background Evil-winrm tool is originally written by the team Hackplayers. The purpose of this tool is to make penetration testing easy as possible especially in | Tool | ★★★★ | |
|
2023-01-16 02:00:00 | How AI chatbot ChatGPT changes the phishing game (lien direct) | ChatGPT, OpenAI's free chatbot based on GPT-3.5, was released on 30 November 2022 and racked up a million users in five days. It is capable of writing emails, essays, code and phishing emails, if the user knows how to ask.By comparison, it took Twitter two years to reach a million users. Facebook took ten months, Dropbox seven months, Spotify five months, Instagram six weeks. Pokemon Go took ten hours, so don't break out the champagne bottles, but still, five days is pretty impressive for a web-based tool that didn't have any built-in name recognition.To read this article in full, please click here | Tool | ChatGPT | ★★ |
|
2023-01-14 01:15:14 | CVE-2023-22471 (lien direct) | Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2. | Tool | ||
|
2023-01-14 01:15:13 | CVE-2023-22470 (lien direct) | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is recommended that the Nextcloud Server is upgraded to 1.6.5 or 1.7.3 or 1.8.2. | Tool | ||
 |
2023-01-13 09:23:21 | Threat Actors Exploit CVE-2022-44877 RCE Vulnerability in CentOS Web Panel (CWP) (lien direct) | The recently patched critical vulnerability in Control Web Panel (CWP), a server management tool known as... | Tool Vulnerability Threat | ★★★ | |
|
2023-01-13 00:52:34 | Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack (lien direct) | The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware... | Malware Tool Threat | ★★ | |
 |
2023-01-12 18:00:00 | Donner un sens à la gestion externe de la surface des attaques: l'état actuel et futur de la catégorie Making Sense of External Attack Surface Management: The Current and Future State of the Category (lien direct) |
La catégorie externe de gestion de la surface d'attaque (EASM) a vu le jour alors que les fournisseurs de sécurité ont cherché à améliorer les lacunes de la visibilité des actifs et de l'énumération de la vulnérabilité créée par l'héritageDes outils qui n'ont pas réussi à s'adapter à l'évolution de la dynamique de l'informatique et à la croissance des écosystèmes numériques.Parmi les défis liés à la visibilité sur les actifs inconnus, les organisations sont confrontées au risque introduit par les actifs tiers, y compris les applications.Le Équipe d'action de cybersécurité Google (GCAT) prédit des actifs et des dépendances tiers dans le cloud nécessitera des mises à jour de la gestion des risques
The external attack surface management (EASM) category came into existence as security vendors sought to improve the gaps in asset visibility and vulnerability enumeration created by legacy tools that failed to adapt to the evolving dynamics of enterprise IT and the growth of digital ecosystems. Among challenges with gaining visibility into unknown assets, organizations are faced with risk introduced by third party assets, including applications. The Google Cybersecurity Action Team (GCAT) predicts third-party assets and dependencies within the cloud will necessitate updates to risk management |
Tool Vulnerability Cloud | ★★★ | |
|
2023-01-12 03:57:00 | CloudSek launches free security tool that helps users win bug bounty (lien direct) | Cybersecurity firm CloudSek has launched BeVigil, a tool that can tell users how safe the apps installed on their phone are, and helps users and developers win bug bounty by helping them identify and report bugs in the code.BeVigil scans all the apps installed on a user's phone and rates them as dangerous, risky, or safe. Running as a web application for the past one year, BeVigil has already scanned over a million apps and rated them. The tool also alerts software companies and app developers about vulnerabilities found through the app, and helps users and developers win bug bounty contests from various software companies by giving them access to the code of apps running on their phone and reporting bugs.To read this article in full, please click here | Tool | ★★ | |
|
2023-01-11 13:45:01 | EfficientIP Launches Free Tool to Detect Enterprises Risk of Data Exfiltration (lien direct) | EfficientIP Launches Free Tool to Detect Enterprises Risk of Data Exfiltration New tool enables organisations to ethically hack their own network and test DNS Robustness - Business News | Hack Tool | ★★ | |
|
2023-01-10 22:15:16 | CVE-2023-21725 (lien direct) | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability. | Tool | ||
|
2023-01-10 21:15:12 | CVE-2023-22469 (lien direct) | Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2. | Tool | ||
|
2023-01-10 18:02:16 | GDB Tricks: Tricking the Application into Generating Test Data (lien direct) | While reverse engineering a Linux binary, I ran into a fairly common situation: I wanted to understand how a decompression function works, but I didn't have compressed data to test with. In this blog, I'll look at how to we can manipulate the instruction pointer in the GNU debugger (gdb) to trick the software into generating test data for us! I posted this on Mastodon awhile back, but I cleaned it up and expanded it a bit to make it a full blog post. I did this work in the context of my research team at Rapid7 - you can check out all of our work on the Rapid7 Research Blog (secret rss link!)! Anyway, while working on an application, I ran into a function called LZ4_decompress_safe. I wanted to learn how it worked, but EVERYTHING I tried to decompress returned an error - even test data generated by a legitimtae LZ4 library! I'm not sure why it didn't work - maybe they modified it? Maybe it's a different version? Maybe the lz4 CLI tool has more or less file headers? - Dunno! But let's make the application create its own test data! I know (from Googling) that the signatures for the decompress and compress functions are: int __fastcall LZ4_decompress_safe(const char *src, char *dst, int compressedSize, int dstCapacity) int __fastcall LZ4_compress(const char *src, char *dst, int srcSize, int dstCapacity) The calling code looks like: mov ecx, dword ptr [rsp+80h+capacity] ; dstCapacity mov edx, dword ptr [rsp+88h+size] ; compressedSize mov rsi, cs:buffer ; dst mov rdi, [rsp+88h+out_buffer] ; src call LZ4_decompress_safe ; I can't figure out how to get this to work :( The functions have the exact same signature, which is super handy! I put a breakpoint on the function LZ4_decompress_safe, which will stop execution when the application attempts to decompress data: (gdb) b *LZ4_decompress_safe Breakpoint 4 at 0x40bc40 (gdb) run Starting program: [...] Then I sent a message to the server with the “this message is compressed!” flag set, but with uncompressed data (specifically, the contents of /etc/passwd - my go-to for longer test data). So basically, the server will think the data is compressed, but it's actually not. When the service tries to decompress the packet, it'll hit the breakpoint: (gdb) run Starting program: [...] Breakpoint 4, 0x000000000040bc40 in LZ4_decompress_safe () The calling convention on x64 Linux means that the first three arguments are placed in the rdi, rsi, and rdx registers. We want the dst buffer, which is the second argument, so we print out rsi: (gdb) print/x $rsi $63 = 0x6820f0 | Tool | ★★★★ | |
 |
2023-01-10 17:00:00 | Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL (lien direct) | The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments. | Tool | Uber | ★★ |
|
2023-01-10 16:30:00 | Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company\'s Data (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
OPWNAI : Cybercriminals Starting to Use ChatGPT
(published: January 6, 2023)
Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool.
Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware.
MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System
Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP
Turla: A Galaxy of Opportunity
(published: January 5, 2023)
Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. Andromeda sample, known from 2013, infected the Ukrainian organization in December 2021 via user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance, two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022.
Analyst Comment: Advanced groups are often utilizing commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but active C2 domains gives the group a way-in to the pool of existing targets. Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated |
Ransomware Malware Tool Threat | ChatGPT APT-C-36 | ★★ |
 |
2023-01-10 12:18:55 | ChatGPT-Written Malware (lien direct) | I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. “It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web,” company researchers wrote. “However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code.”... | Malware Tool Prediction | ChatGPT | ★★ |
 |
2023-01-09 21:15:11 | Python Package Index found stuffed with AWS keys and malware (lien direct) | British developer uses homegrown scanning tool to check for risks The Python Package Index, or PyPI, continues to surprise and not in a good way.… | Malware Tool | ★★ | |
 |
2023-01-09 18:47:58 | MITRE ATT&CK and the Art of Building Better Defenses (lien direct) |
MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a critical tool for security practitioners seeking to understand how attackers move, operate, and conduct their attacks. Designed to look at attacks from the attacker's perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. |
Tool | ★★ | |
|
2023-01-09 14:15:10 | CVE-2023-22472 (lien direct) | Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. | Tool | ||
|
2023-01-09 02:00:00 | 11 top XDR tools and how to evaluate them (lien direct) | Little in the modern IT world lends itself to manual or siloed management, and this is doubly true in the security realm. The scale of modern enterprise computing and modern application stack architecture requires security tools that can bring visibility into the security posture of modern IT components and integrate tightly to bring real-time threat detection, possibly even automating aspects of threat mitigation. This need has given rise to extended detection and response (XDR) tools.What is XDR and what does it do? XDR is a relatively new class of security tool that combines and builds on the strongest elements of security incident and event management (SIEM), endpoint detection and response (EDR), and even security orchestration and response (SOAR). In fact, some XDR platforms listed here are the fusion of existing tools the vendor has offered for some time.To read this article in full, please click here | Tool Threat | ★★ | |
|
2023-01-08 18:03:09 | A Detailed Guide on Kerbrute (lien direct) | Background Kerbrute is a tool used to enumerate valid Active directory user accounts that use Kerberos pre-authentication. Also, this tool can be used for password | Tool | ★★★★ | |
|
2023-01-06 15:15:09 | CVE-2023-22475 (lien direct) | Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens prior to sha-fb61290. An attacker who discovers an HTTP-based Canarytoken (a URL) can use this to execute Javascript in the Canarytoken's trigger history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. This vulnerability is similar to CVE-2022-31113, but affected parameters reported differently from the Canarytoken trigger request. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. Canarytokens Docker images sha-fb61290 and later contain a patch for this issue. | Tool Vulnerability | ||
|
2023-01-05 23:47:00 | Distribution of NetSupport RAT Malware Disguised as a Pokemon Game (lien direct) | NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. Unlike backdoors and RATs (Remote Access Trojans), which are mostly based on command lines, remote control tools (Remote Administration Tools) place emphasis on user-friendliness, so they offer remote desktops, also known as GUI environments. Even though they may... | Malware Tool Threat | ★★ | |
 |
2023-01-05 17:26:49 | New malware campaign exploits Windows error reporting tool (lien direct) | K7 Security Labs reports that unidentified threat actors are using a DLL sideloading technique to deploy malware into victims' systems after gaining entry through abuse of the Windows Problem Reporting tool, according to BleepingComputer. | Malware Tool Threat | ★★ | |
|
2023-01-05 16:21:00 | Mitigate the LastPass Attack Surface in Your Environment with this Free Tool (lien direct) | The latest breach announced by LastPass is a major cause for concern to security stakeholders. As often occurs, we are at a security limbo – on the one hand, as LastPass has noted, users who followed LastPass best practices would be exposed to practically zero to extremely low risk. However, to say that password best practices are not followed is a wild understatement. The reality is that there | Tool | LastPass | ★★★ |
|
2023-01-05 05:50:00 | Focusing on Your Adversary (lien direct) | Every day, we hear news stories or read articles about data breaches and other cyber security threats. As malicious threat actors and the risk of cyber threats increase, protecting networks and valuable information becomes more critical. So what can organizations do to ensure their networks remain secure? Organizations must understand their adversaries’ identities to keep data safe and protect it from cyber-attacks. This article will explore the different types of threats facing enterprise organizations and what they can do to stay ahead of them. Evolving Cyber Attacks Cyber attacks are constantly evolving as attackers continue to find new ways to exploit vulnerabilities. This includes: Increased use of artificial intelligence (AI) and machine learning: Attackers are using AI and machine learning to automate and improve the effectiveness of their attacks. For example, AI can be used to generate convincing phishing emails or to bypass security systems. Rise of ransomware: Ransomware attacks, which involve encrypting a victim’s data and demanding a ransom to decrypt it, have become increasingly common in recent years. Ransomware attacks can significantly impact businesses, disrupting operations and resulting in financial losses. More targeted attacks: Rather than broad-based attacks that aim to compromise as many systems as possible, attackers are increasingly using targeted attacks designed to exploit a particular organization’s vulnerabilities. Increased focus on mobile devices: Mobile devices, such as smartphones and tablets, are becoming increasingly vulnerable to cyber-attacks. As a result, attackers focus more on exploiting these devices’ vulnerabilities. Increased use of cloud services: As more organizations move to the cloud, attackers are finding new ways to exploit vulnerabilities in these systems. For example, attackers may try to gain access to an organization’s cloud-based data or disrupt its cloud-based operations. It’s not only crucial for organizations to stay up-to-date on the latest trends in cyber attacks and to implement appropriate security measures to protect against them. It’s even more important to pinpoint your adversaries to understand their TTPs to protect and predict their next attack. Types of Adversaries There are many different types of cybersecurity adversaries that organizations have to deal with. Some common types of adversaries include: Hackers: Individuals or groups who attempt to gain unauthorized access to systems or networks for various reasons, such as stealing data, disrupting operations, or causing damage. Cybercriminals: Individuals or groups who use the internet to commit crimes, such as identity theft, fraud, or extortion. Cyber Terrorists: A group that’s goal is to disrupt operations, cause harm, and destroy data. Increasingly targeting critical infrastructures such as power plants, water treatment facilities, transportation systems, and healthcare providers. Nation-state actors: Governments or government-sponsored organizations that use cyber attacks as part of their foreign policy or military operations. Insider threats: Individuals with legitimate access to an organization’s systems or networks use that access to cause harm or steal sensitive information. Malicious insiders: These are individuals who are intentionally malicious and seek to cause harm to an organization’s systems or networks. Hacktivists: The term “hacktivists” refers to people who use hacking techniques to disrupt computer systems and networks in pursuit of political goals. Hackers often work alone, though some groups do exist. Script Kiddies: Originally used to describe young hackers, it now refer | Ransomware Malware Tool Vulnerability Threat Industrial Prediction | ★★★ | |
|
2023-01-04 16:30:00 | Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays
(published: January 1, 2023)
Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.
Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity.
MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel
Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux
Linux Backdoor Malware Infects WordPress-Based Websites
(published: December 30, 2022)
Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect.
Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use |
Malware Tool Vulnerability Threat Patching Medical | APT 38 LastPass | ★★ |
|
2023-01-04 15:19:00 | Attackers use stolen banking data as phishing lure to deploy BitRAT (lien direct) | In a case that highlights how attackers can leverage information from data breaches to enhance their attacks, a group of attackers is using customer information stolen from a Colombian bank in phishing attacks with malicious documents, researchers report. The group, which might have been responsible for the data breach in the first place, is distributing an off-the-shelf Trojan program called BitRAT that has been sold on the underground market since February 2021.Stolen data used to add credibility to future attacks Researchers from security firm Qualys spotted the phishing lures that involved Excel documents with malicious documents but appeared to contain information about real people. Looking more into the information, it appeared the data was taken from a Colombian cooperative bank. After looking at the bank's public web infrastructure, researchers found logs that suggested the sqlmap tool was used to perform an SQL injection attack. They also found database dump files that attackers created.To read this article in full, please click here | Data Breach Tool | ★ | |
|
2023-01-04 14:15:00 | New Phishing Campaign Impersonates Flipper Zero to Target Cyber Professionals (lien direct) | The threat actor is using an angler phishing technique to leverage the shortage of the popular hacking tool | Tool Threat | ★★★★ | |
 |
2023-01-04 12:16:37 | Hackers abuse Windows error reporting tool to deploy malware (lien direct) | Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique. [...] | Malware Tool | ★★ | |
 |
2023-01-03 17:07:44 | Can these researchers help defend satellite systems targeted by hackers? (lien direct) | >As threats against space systems increase, a new tool aims to improve efforts to defend against cyberattacks. | Tool | ★★ | |
|
2022-12-29 16:30:00 | Anomali Cyber Watch: Zerobot Added New Exploits and DDoS Methods, Gamaredon Group Bypasses DNS, ProxyNotShell Exploited Prior to DLL Side-Loading Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, Bypassing DNS, DDoS, Infostealers, Layoffs, Spearphishing, Supply chain, and Zero-day vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New RisePro Stealer Distributed by the Prominent PrivateLoader
(published: December 22, 2022)
RisePro is a new commodity infostealer that is being sold and supported by Telegram channels. Log credentials derived from RisePro are for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed software credentials, and passwords. RisePro was delivered by PrivateLoader and these two malware families have significant code similarity. It also shares similarity with the Vidar stealer in a way that both use dropped DLL dependencies.
Analyst Comment: Infostealers are a continually rising threat for organizations especially with hybrid workers utilizing their own and other non-corporate devices to access cloud based resources and applications. Information from these sessions, useful to attackers, can be harvested unknown to the worker or end organization. In addition, the rise of threat actor reliance on potent commodity malware is one of the trends that Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform).
MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222: File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | |
Malware Tool Threat | ★★ | |
 |
2022-12-29 07:36:08 | HardCIDR – Network CIDR and Range Discovery Tool (lien direct) | HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test. | Tool | ★★★ | |
|
2022-12-26 20:15:10 | CVE-2019-9011 (lien direct) | In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. | Tool |
To see everything:
Our RSS (filtrered)
