2023-Threat-Report-Compilation

View the Project on GitHub jwennekers/2023-Threat-Report-Compilation

November

Threat Report Compilation | November 2023

ID Publisher Report Summary Tags  
1 Akamai Defeat Web Shell WSO-NG Akamai provides insights on the web shell “WSO-NG” and its advanced features and capabilities, including its history and evolution (as it is a well-established web shell that has been around for at least 14 years), and its latest update in 2021, the stealth and reconnaissance capabilities of WSO-NG (such as displaying a 404 error page to conceal the login form, integrating with VirusTotal and SecurityTrails to gather threat intelligence, retrieving AWS metadata and searching for Redis database connections to access sensitive data and cloud resources), as well as detailing the offensive and user-friendly features of WSO-NG (such as exploiting web vulnerabilities and FastCGI exploits to escalate privileges, and introducing breadcrumb navigation, keyboard shortcuts, syntax highlighting, and more). The blog has a call to action to update patches, leverage innovative security tools (such as web application firewalls that can detect and block initial web vulnerability exploitation attempts and web shell uploads), and maintain a proactive security stance to ensure a more secure web environment for all users. #webshell #WSO #webshellbyoRb  
2 amatas Cyber Threat Report: October 2023 - AMATAS Monthly report summarising events occurred and reports made, such as updates on the cyberwar between Russia and Ukraine, cybersecurity justice (news on e.g. Europol, FBI and the CyberPeace Institute), and updates related to AMATAS as a company. #monthlyreport #Smokeloader #MATA #BlackBasta #Grayling #southkorea #palestina #china #russia #israel #ukraine #northkorea #japan #finland #moldova #netherlands #chile #taiwan #vietnam #US #bulgaria  
3 Aqua The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets Blog post explaining the critical threat of exposed Kubernetes secrets and how researchers from Aqua Nautilus discovered and analyzed hundreds of them in public GitHub repositories. The researchers focused on two types of secrets: dockercfg and dockerconfigjson, which store credentials for access to external registries. They used the GitHub API to search for and retrieve these secrets, and performed complex regular expressions to filter out plaintext passwords and tokens. They found 438 records that potentially held valid credentials, of which 203 contained valid credentials for private container images hosted on various registries, such as Red Hat, Quay, Docker Hub, and SAP Artifacts. These credentials allowed for pulling and pushing privileges, and in some cases, full access to the registries. The researchers reported these issues to the relevant stakeholders and helped them secure their registries. They also demonstrated that most secrets scanners failed to detect these encoded secrets, and suggested the need for open-source tools and secret scanners that can include encoded secrets in their detection capabilities. They emphasized the profound implications of these findings for individual developers and large organizations, as they could expose sensitive data, compromise security, and enable supply chain attacks. #kubernetes #kubernetessecrets #supplychainattack  
4 ASD (Australian Signals Directorate) ASD Cyber Threat Report 2022-23 Annual threat report created by the ASD (Australian Signals Directorate), highlighting that malicious cyber activity continued to pose a risk to Australia’s security and prosperity in FY 2022–231. State actors, cybercriminals and issue-motivated groups targeted government and critical infrastructure networks, as well as businesses and individuals. Cybercrime reports increased by 23%, and the average cost of cybercrime per report also rose by 14%. State actors focused on critical infrastructure for data theft and disruption. Cybercriminals adapted their tactics to extort maximum payment from victims, using ransomware, business email compromise and denial-of-service attacks. Data breaches impacted millions of Australians. One in five critical vulnerabilities was exploited within 48 hours of patching or mitigation advice being available. The ASD responded to over 1,100 cyber security incidents and published 64 alerts, advisories and reports to help Australian entities protect themselves. The ASD also increased its cyber threat intelligence sharing, critical infrastructure uplift, and national incident response capability, emphasising the importance of genuine partnerships across the public and private sectors, and the need to consider secure-by-design and secure-by-default products. #annualreport #australia  
5 Australian Government 2023-2030 Australian Cyber Security Strategy Explanation of the 2023-2030 Australian Cyber Security Strategy and its implementation plan, the Action Plan, released by the Australian Government on 22 November 2023, aiming to become a world leader in cyber security by 2030 and protect Australians from cyber threats. They use six cyber shields to provide additional layers of defence and place citizens and businesses at their core. The Strategy and Action Plan are game-changing for Australia’s cyber security, shifting from a technical topic to a whole-of-nation endeavour, focusing on providing better support to civilians and industry, and harnessing the whole country to tackle cyber problems. The Action Plan details the key initiatives that will commence over the next two years to achieve the vision. #cybersecuritystrategy #nationalcybersecuritystrategy  
6 Bitdefender Hive Ransomware’s Offspring: Hunters International Takes the Stage Article providing in-depth analysis of the Hunters International ransomware group, a new ransomware group, acquired the source code and infrastructure from Hive (one of the most notorious ransomware groups taken down in January 2023 by the FBI and other law enforcement agencies) and claimed to focus on data exfiltration rather than encryption. Hunters International’s ransomware code is similar to Hive’s, but with some simplifications and modifications, such as using Rust language, embedding the key within the encrypted file, and reducing the command-line arguments. Some mitigation strategies are provided, as well as additional steps to be taken to reduce the risk of data exfiltration. #Hive #HuntersInternational #ransomware #dataexfiltration #ransomwareasaservice #unitedstates #USA #US #unitedkingdom #uk #germany #namibia  
7 Blackwing Intelligence A Touch of Pwn - Part I) Blog post by Blackwing Intelligence summarising their research on Windows Hello fingerprint authentication, a biometric technology that allows users to log in to their devices with their fingerprints. The authors were hired by Microsoft’s Offensive Research and Security Engineering (MORSE) group to evaluate the security of the top three fingerprint sensors embedded in laptops and used for Windows Hello. The sensors were from Goodix, Synaptics, and ELAN, and were embedded in Dell, Lenovo, and Microsoft laptops respectively. The authors aimed to find vulnerabilities that would allow them to bypass Windows Hello authentication on these devices, and describe their vulnerability research process and the exploits they developed for each target device. They reveal multiple logical and cryptographic flaws in the implementation of SDCP and the custom protocols used by the sensors. They also demonstrate how they were able to enroll rogue fingerprints, spoof valid IDs, and intercept and rewrite USB packets to bypass Windows Hello authentication. They also discuss the challenges and limitations of existing USB man-in-the-middle tools and how they developed their own solutions using Raspberry Pi and USB armory. The authors conclude that they were able to achieve full bypass of Windows Hello authentication on all three target devices in three months. They recommend that vendors of biometric authentication solutions enable SDCP, have their implementation audited by qualified experts, and consider the broader attack surface of their devices. They also suggest some future research directions, such as firmware security, hidden functionality, direct hardware attacks, and side channel attacks.               #cryptography #exploitdevelopment #Exploits #Postgresql #RCE #reverseengineering #vulnerabilityresearch  
8 BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany) Die Lage der IT-Sicherheit in Deutschland 2023 Report published by the Federal Office for Information Security (BSI) that provides a comprehensive overview of the threats in cyberspace. The report for 2023 concludes that the threat in cyberspace is higher than ever before, and ransomware is and remains the greatest threat. #annualreport #germany  
9 BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany) The State of IT Security in Germany Report published by the Federal Office for Information Security (BSI) that provides a comprehensive overview of the threats in cyberspace. The report for 2023 concludes that the threat in cyberspace is higher than ever before, and ransomware is and remains the greatest threat. #annualreport #germany  
10 Check Point The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks Report on the analysis of 12 recent ransomware families that target Linux systems, especially ESXi virtualization systems. They get compared to Windows ransomware, resulting in the finding that Linux ransomware is more simplified, dependent on external scripts, and focused on exploiting vulnerabilities in exposed services. The study examines the infection vectors, persistence methods, encryption schemes, and system impacts of Linux ransomware, and reveals that most of them use OpenSSL and AES/RSA for encryption, create mutex files or log files, and run commands to interact with ESXi systems. The study provides some indicators of compromise and detection rules for some of the Linux ransomware families. #ransomware #linux #threatresearch  
11 Check Point Malware Spotlight - Into the Trash: Analyzing LitterDrifter Analysis of the malware LitterDrifter, a USB propagating worm developed by the Russian espionage group Gamaredon to target a wide variety of Ukrainian entities. The report 1) describes the two main functionalities of LitterDrifter: spreading over USB drives and establishing a command and control (C2) channel to Gamaredon’s infrastructure, 2) explains the orchestration component (Deobfuscoder) that runs the malware and maintains persistence and communication with the attacker C&C server, 3) shows the spreader module that recursively accesses subfolders and creates LNK decoy shortcuts with random names and hidden copies of trash.dll, the malware’s main component 4) demonstrates the C2 module that queries a WMI to retrieve a Gamaredon-owned domain as the C2 IP address and constructs the HTTP request with a custom user-agent and tailored headers, and 5) analyzes the fail count options and the payload execution process, and reveals the patterns and domains used by Gamaredon in this operation. #malware #LitterDrifter #russia #Gamaredon #ukraine #usbpropagation  
12 Checkmarx Python Obfuscation Traps Analysis of observed behaviour of distributed fake Python packages that  pretend to be code obfuscation tools, but actually contain a harmful payload called BlazeStealer. This malware downloads and executes a script from an external source that runs a Discord bot, which gives the attacker full control over the victim’s computer, allowing them to perform actions such as shutting down the PC, forcing a BSOD error, capturing webcam images, and sending mocking messages to the victim.  The attackers are likely targeting developers who use code obfuscation to protect their valuable and sensitive information. #unitedstates #us #china #russia #ireland #hongkong #croatia #france #spain #blazestealer #malware  
13 Checkmarx The Mosaic of 2023’s Software Supply Chain Threats Blog discussing the evolving and complex strategies of cyber adversaries who exploit open-source software, social engineering, and abandoned digital assets to compromise systems and cause damage. Discussing deceptive and obscure tactics of attackers, such as using fake profiles, false commits, selective droppers, and multiple packages to evade detection and infiltrate targets, Checkmarx emphasizes the need for predictive threat modeling, intelligence sharing, and collaboration among the cybersecurity community to anticipate and neutralize emergent attack methods. #opensourcesoftwareattack #supplychainattack #softwaresupplychainattack #softwaresupplychainthreat  
14 CISA (Cybersecurity & Infrastructure Security Agency, the United States of America) # StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability Advisory providing information on how LockBit 3.0 ransomware affiliates exploit CVE-2023-4966, a vulnerability in Citrix NetScaler ADC and Gateway appliances, to bypass MFA and hijack user sessions. The advisory also includes IOCs, TTPs, and detection methods for network defenders, and recommends applying patches, isolating NetScaler appliances, implementing application controls, limiting RDP and PowerShell use, and updating passwords. It also advises organizations to report any compromise to FBI, CISA, or ASD’s ACSC and follow the ransomware response checklist.      #Lockbit #CVE-2023-4966  
15 CISA (Cybersecurity & Infrastructure Security Agency, the United States of America), FBI (Federal Bureau of Investigation, the United States of America) # StopRansomware: Royal Ransomware Update (Update November 13) Joint Cybersecurity Advisory (CSA) from the FBI and CISA about the Royal ransomware (a type of ransomware that encrypts data partially and demands ransom for decryption and non-disclosure) threat, specifically for various critical infrastructure sectors, such as Manufacturing, Communications, Healthcare, and Education. Threat actors have made ransom demands ranging from $1 million to $11 million USD in Bitcoin. Some of tactics, techniques, and procedures (TTPs) used by Royal actors to gain initial access, establish command and control, move laterally, exfiltrate data, and encrypt systems include phishing, RDP compromise, public-facing application exploitation, Cobalt Strike, Chisel, PsExec, Mimikatz, and Nirsoft tools. The report provides IOCs associated with Royal ransomware (such as malicious IP addresses, domains, files, and hashes), as well as a downloadable copy of IOCs in STIX format and a table of tools used by Royal operators. Recommendations from the FBI and CISA to reduce the likelihood and impact of ransomware incidents are implementing a recovery plan, requiring multifactor authentication, segmenting networks, keeping systems updated, and reporting incidents. #RoyalRansomware #industry_manufacturing #industry_communications #industry_healthcare #industry_education  
16 CISA (Cybersecurity & Infrastructure Security Agency, the United States of America), FBI (Federal Bureau of Investigation, the United States of America) Scattered Spider Joint cybersecurity advisory by the FBI and CISA to inform network defenders about the Scattered Spider threat group that targets the commercial facilities sectors and subsectors, containing TTPs and IOCs based on FBI investigations as recently as November 2023. Scattered Spider actors use various social engineering techniques, such as phishing, push bombing, and SIM swap attacks, to obtain credentials, install remote access tools, and/or bypass MFA. They also register their own MFA tokens after compromising a user’s account to establish persistence. Scattered Spider actors engage in data theft for extortion and have also been known to use BlackCat/ALPHV ransomware alongside their usual TTPs. They encrypt data using a 4096-bit RSA key with a ChaCha20 algorithm and append a .blackcat extension to encrypted files. They drop a PDF ransom note named “CriticalBreachDetected” and demand ransom payments in Bitcoin. The report recommends several mitigations to reduce the likelihood and impact of a cyberattack by Scattered Spider actors, such as maintaining offline backups, enabling phishing-resistant MFA, implementing application controls, and segmenting networks. The document also urges organizations to report any suspicious or criminal activity related to Scattered Spider to the FBI, CISA, or the MS-ISAC. #ScatteredSpider #socialengineering #BlackCat #ALPHV #malware #ransomware #aptgroups  
17 CISA (Cybersecurity & Infrastructure Security Agency, the United States of America), FBI (Federal Bureau of Investigation, the United States of America), MS-ISAC (Multi-State Information Sharing and Analysis Center, the United States of America) # StopRansomware: Rhysida Ransomware Joint cybersecurity advisory by the FBI, CISA, and the MS-ISAC on Rhysida ransomware, an emerging variant that targets various sectors since May 2023. containing IOCs and TTPs based on incident response investigations and malware analysis. Rhysida actors use external-facing remote services, such as VPNs and Netlogon, to gain initial access to victim networks, often using compromised valid credentials. They also use native Windows tools, such as PowerShell, RDP, and PsExec, to perform reconnaissance, lateral movement, and remote execution. Rhysida ransomware injects a PE file into running processes and encrypts data using a 4096-bit RSA key with a ChaCha20 algorithm. It appends a .rhysida extension to encrypted files and drops a PDF ransom note named “CriticalBreachDetected”. The actors demand ransom payments in Bitcoin and threaten to publish exfiltrated data. The report recommends several mitigations to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents, such as patching known exploited vulnerabilities, enabling multifactor authentication, segmenting networks, maintaining offline backups, and implementing a recovery plan. The report also urges organizations to report any suspicious or criminal activity related to Rhysida ransomware to the FBI, CISA, or the MS-ISAC. #Rhysida #ransomware #malware  
18 Control Iran hacks US water system: Observation and implications of a terrorist attack on US soil A group of Iranian hackers compromised a PLC of a water booster station in Pennsylvania, affecting more than 6,000 customers. The hackers wanted to be discovered and did not cause any physical damage. The incident is being investigated by the state police, the FBI and CISA. The PLC that was hacked is a Unitronics V570, which is used by many critical infrastructure systems, not just water utilities. A Shodan search shows more than 2,200 Unitronics systems in the U.S. and worldwide. The hack raises the question of who else has been hacked or will be attacked by the same group or others. The hack exposes the lack of focus, training and information sharing on control system cyber incidents3. It also shows the need for minimum cybersecurity best practices and regulations in the water sector. The author suggests a public-private collaboration model to advance cybersecurity in the water sector and prevent future attacks. The hack is not only a domestic issue, but also an international one, as the hackers have targeted Israeli water and energy sites before. The author also warns about the media providing too much information about the equipment and systems that could be used by adversaries. #OTSecurity #iran #US #USA #unitedstates #industry_water #israel  
19 CrowdStrike IMPERIAL KITTEN Deploys Novel Malware Families Imperial Kitten, an Iranian cyber threat group that targets organizations in the transportation, logistics and technology sectors, uses social engineering, web compromise and custom malware to conduct espionage and data theft.  In order to accomplish their objectives, they utilise SWC operations, where they lure victims to malicious websites that serve malware or collect information about their systems. The group has compromised several Israeli websites and redirected visitors to their domains. Imperial Kitten uses the IMAPLoader malware family and related malware, using email for command and control. The malware is delivered as a DLL that injects into a legitimate process and communicates with Yandex email addresses. The group also uses other malware families, such as StandardKeyboard and a RAT that uses Discord for C2. CrowdStrike Intelligence attributes the activity to IMPERIAL KITTEN with moderate to low confidence, based on the use of SWC infrastructure, email-based C2, target scope and job-themed lures. The report also maps the group’s tactics, techniques and procedures to the MITRE ATT&CK framework and provides indicators of compromise.        #ImperialKitten #iran #inudstry_transportation #industry_logistics #industry_technology #espionage #infostealer #datatheft #SWCOperations #IMAPLoader #StandardKeyboard #remoteaccesstool  
20 Cyentia, TidalCyber Multi Source Analysis of Top MITRE ATT&CK Technique Report on the MultiSource Analysis of the Top MITRE ATT&CK Techniques. It aims to address the fundamental question of how adversaries attack and which defenses to prioritize in cybersecurity, using data from 22 public sources. The report analyses data to identify common trends and variations in reporting methods among sources, as well as  challenges for security professionals and analysts in leveraging ATT&CK, such as rapid updates, ambiguity, under-reporting, and lack of specific segments. It also provides recommendations for building more threat-informed and effective cybersecurity defenses, based on comprehensive threat-informed defense needs, and outlines future studies to expand the research and collect more data from different sources and segments. #mitre #mitreattck #topmitreattcktechniques  
21 Cynet Static Analysis: EARTH GRASS Ransomware Report on a new malware variant that pretends to be a Windows OneDrive application and encrypts the files on the infected host. It demands payment in crypto currency for decryption. A static analysis of the malware file and its strings is provided, revealing its capabilities and intentions, as well as links to a dynamic analysis and a demonstration of how Cynet stops the threat. Earth Grass can delete backup images and services, use cryptography functions, create registry Run key, and display a ransom note. It also contains a base64 encoded image file code that may be used to create executable files. The malware can cause irreversible damage to the host and its data. It can also evade detection by mimicking a legitimate application. Paying the ransom may not guarantee recovery and may encourage further attacks. #ransomware #threatresearch #EarthGrass #detectionevasion  
22 Cynet Static Analysis: Stealc Infostealer Analysis of Stealc, an emerging MaaS infostealer based on the Vidar, Raccoon, Mars and Redline stealers, detailing Stealc’s communication with its C2 server (sending and receiving system information, configuration, and hardware ID), data extraction (from web browser files, crypto wallets, and apps, using strings and configuration data provided by the C2 server), use of external dll files to perform some operations that require additional functionality, and where they are downloaded to the host, and finally Stealc’s file exfiltration method, which does not archive the stolen data as a file, but sends it as base64 strings in POST requests, and deletes all traces of itself and the dll files after completion. #Stealc #infostealer  
23 Cynet What security leaders should know about the critical zero-day vulnerability in Citrix NetScaler ADC and NetScaler Gateway Blog providing details on what CVE 2023-4966 is, how hackers exploit it, and how to mitigate it. CVE 2023-4966 is a critical information disclosure vulnerability in the web application firewall (WAF) of Citrix NetScaler ADC and NetScaler Gateway. It allows hackers to access sensitive data, such as session tokens, and hijack authenticated sessions. Hackers can exploit this vulnerability by sending specially crafted HTTP requests that cause a buffer overflow and leak data from memory. They then use the session tokens to access internal resources and data, install malware, or impersonate users. The blog recommends applying the patches released by Citrix, which fix the buffer overflow vulnerability, and terminating all active and persistent sessions on the patched devices, which invalidate any compromised session tokens. #CVE-2023-4966 #vulnerability #vulnerabilityresearch  
24 Dragos Dragos Industrial Ransomware Analysis: Q3 2023 2023 Q3 OT security report by Dragos, highlighting that 1) ransomware groups continued to impact industrial entities and critical infrastructure, causing operational disruptions and economic losses. Some groups used zero-day vulnerabilities and known, unpatched vulnerabilities to launch their attacks. The most active groups were Cl0p and Lockbit 3.0, 2) that North America and Europe were the most affected regions, with the U.S. receiving the highest number of ransomware incidents. The manufacturing sector was the most impacted industry, followed by the ICS equipment and engineering sector. The transportation, oil and gas, electric, mining, renewable energy, defense, and water sectors also experienced ransomware incidents. 3) Some ransomware groups appeared to target specific industries and regions, such as Moneymessage targeting the defense sector and Rancoz and Akira targeting the U.S. Dragos observed 30 active ransomware groups out of 72 that have historically attacked industrial organizations. Cl0p, Lockbit 3.0, 8base, Play, and Cactus were the most used ransomware variants, and 4) Dragos assesses that ransomware will remain a major threat to industrial organizations in Q4 2023 and beyond, and that ransomware groups will likely prioritize zero-day vulnerabilities in their operations. Dragos also expects new ransomware variants to emerge and existing ones to evolve. #quarterlyreport #OTSecurity #Lockbit #Cl0p #US #USA #unitedstates #industry_manufacturing #industry_transportation #industry_oilandgas #industry_electric #industry_mining #industry_energy #industry_defense #industry_water #ransomware #8Base #Play #Cactus #zeroday  
25 Elastic Elastic catches DPRK passing out KANDYKORN Elastic Security Labs reveals a novel intrusion targeting blockchain engineers of a crypto exchange platform by DPRK and Lazarus Group actors, leveraging a combination of custom and open source capabilities for initial access and post-exploitation. Researchers discovered this intrusion when analyzing attempts to reflectively load a binary into memory on a macOS endpoint. The intrusion set was traced to a Python application posing as a cryptocurrency arbitrage bot delivered via a direct message on a public Discord server. The attacker social-engineered their initial victim into downloading and decompressing the malicious file, which initiated a multi-stage malware execution flow involving SUGARLOADER, KANDYKORN, and HLOADER. SUGARLOADER connects to a Command and Control server and downloads a final stage payload (KANDYKORN) from it, using reflective binary loading to execute it directly in memory. KANDYKORN has a full-featured set of capabilities to access and exfiltrate data from the victim’s computer, and waits for commands from the server instead of polling for them, reducing the number of endpoint and network artifacts. The researchers provide additional information about the network infrastructure, code-signing certificates, and custom Lazarus Group detection rules that track this intrusion set as REF7001. #northkorea #LazarusGroup #AppleMacOS #socialengineering #SugarLoader #KandyKorn #HLoader  
26 ESET Who killed Mozi? Finally putting the IoT zombie botnet in its grave Report by ESET Research that explains how it discovered a kill switch that took down the notorious Mozi botnet in August 2023. A sudden drop in Mozi activity was observed globally, in India, and in China, and a control payload inside a UDP message was found that instructed the bots to download and install an update of themselves via HTTP.  The kill switch’s code and functionality was analysed, showing a strong connection between the original Mozi source code and  recently used binaries, and the use of the correct private keys to sign the control payload. The report suggests two possible originators of the takedown: the Mozi botnet creators, or Chinese law enforcement forcing their cooperation. A timeline of the Mozi botnet’s demise is provided as well, indicating a deliberate and sequential targeting of bots in India and then in China. ESET Research is continuing to investigate the case and will publish a detailed analysis in the coming months. #botnet #Mozi #india #china  
27 Fortinet GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ Threat research article by FortiGuard Labs, about the ongoing exploitation of a vulnerability in Apache ActiveMQ, a message broker software. The article explains the technical details of the vulnerability, the exploitation process, and the malware associated with the attacks. It also provides recommendations for mitigation and protection. The vulnerability is identified as CVE-2023-46604, which involves the deserialization of untrusted data in Apache ActiveMQ. It allows remote attackers to execute arbitrary code on vulnerable servers by sending a crafted packet and loading a malicious XML file from a remote URL. The vulnerability affects Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3. The article introduces several malware strains that have been distributed by exploiting CVE-2023-46604, including: 1) GoTitan: A newly discovered Golang-based botnet that can launch distributed denial-of-service (DDoS) attacks using various methods, 2) Sliver: An open-source penetration testing tool that can be misused by threat actors to compromise and control multiple targets across various platforms and architectures, 3) PrCtrl Rat: A .NET program that provides remote control capabilities to the attacker, such as running commands, uploading and downloading files, and getting file system information, 4) Kinsing: A well-known cryptojacking malware that modifies system parameters, terminates competing processes, and downloads a miner binary, and 5) Ddostf: A DDoS malware that has a history of targeting China and supports 13 attack methods. The article recommends applying the latest patches for Apache ActiveMQ and monitoring security advisories to prevent exploitation. #CVE-2023-46604 #GoTitan #Golang #botnet #ddos #Sliver #PrCtrlRAT #Kinsing #rat #Ddostf  
28 Google (GCAT (Google Cybersecurity Action Team)) Threat Horizons: Q3 2023 Threat Horizons Report Q3 threat report by GCAT, which provides strategic intelligence about threats to cloud enterprise users. The report covers 1) the importance of  good cloud hygiene ( such as using strong passwords, enabling security logs, and applying least privilege principles) to prevent common and opportunistic cloud compromises,2)  SaaS Threats such as multi-SaaS exploitation, supply chain compromise, and malicious OAuth applications, and provides risk mitigation recommendations, 3) a proof of concept tool that uses Google Calendar events for command and control of malware, and warns of the potential abuse of legitimate cloud services by threat actors, 4) the trend of cybersquatting and typosquatting attacks on cloud storage platforms (e.g. Google Cloud Storage, Amazon S3, and Azure Blob), and mitigation approaches, and 5) a cloud dndustry review for the  Healthcare industry. #quarterlyreport #threatresearch #remoteaccesstool #rat #cloudsecurity #industry_healthcare  
29 Google (GTAG (Google Threat Analysis Group)) Zimbra 0-day used to target international government organizations Blog post reporting on a Zimbra Collaboration 0-day exploit that was actively used to target international government organizations in June and July 2023. TAG discovered the exploit as a reflected cross-site scripting (XSS) vulnerability in Zimbra’s email server and observed four different groups exploiting it for various purposes, such as stealing email data, user credentials, and authentication tokens. TAG advises users and organizations to keep software fully up-to-date and apply security updates as soon as they become available to protect against these types of exploits. TAG also provides links to safe browsing for the identified websites and domains. TAG acknowledges Zimbra’s response and patching of the vulnerability and urges users and organizations to apply patches quickly for their protection. #greece #moldova #tunisia #WinterVivern #UNC4907 #vietnam #CVE-2023-37580 #CVE-2022-24682 #CVE-2023-5631 #pakistan  #zeroday #vulnerability #industry_government  
30 Huntress Navigating the SMB Threat Landscape: Key Insights from Huntress’ SMB Threat Report Snapshot of the security landscape from Huntress’ perspective and insights into the threats specifically targeting SMBs. This report details the trends, patterns, and tactics we’re seeing against SMBs in Q3 2023, based on data collected from the 2.4 million endpoints and over 1 million Microsoft 365 user entities under Huntress’ purview. Some key observations are 1) more than half of the incidents in Q3 2023 involved attackers using legitimate tools or scripting frameworks to evade detection and gain access to SMBs’ networks, 2) remote monitoring and management software, which is essential for IT administrators, was hijacked by adversaries in 65% of the incidents for persistence or remote access, 3) attackers targeted cloud services and communication channels, such as Microsoft 365, to steal information or conduct business email compromise. Malicious inbox rules and logons from unusual locations were common tactics, and 4) LockBit was the most prevalent ransomware strain affecting SMBs, but 60% of the ransomware incidents involved unknown or defunct strains. Ransomware is a serious threat for SMBs regardless of the strain’s popularity. #quarterlyreport #threatresearch  
31 Intel471 Phishing Emails Abusing QR Codes Surge Report detailing how QR code phishing has surged in the second quarter of 2023, driven by cybercriminals’ improvement of return on investment and use of legitimate logos to lure users into scanning malicious links. The report provides observations and analysis of a major email phishing campaign that used QR codes to redirect victims to Microsoft Office 365 phishing pages and steal login credentials from various industries and countries, and describes new tools and methods of QR code phishing, such as EvilQR and QRLJacking, that exploit the dynamic nature of QR codes to capture session tokens and take over accounts. The report also shares insights from the underground on the trends and techniques of QR code phishing, as well as insights from a PhaaS provider and a security researcher on their approaches and challenges. Intel471 provides recommendations and best practices for organizations, namely to avoid providing sensitive information, inform employees not to interact with QR codes, verify the domain and content of QR codes, review email security technologies, train employees to identify phishing emails, monitor mobile devices, and track long-term phishing campaigns. #phishing #qrcode #qrcodephishing #spain #accounttakeover #industry_aviation #industry_retail #industry_telecommunications #industry_engineering #industry_power #industry_oilandgas #industry_hospitality #industry_industrialautomation #industry_realestate #industry_professionalservices #canada #uk #unitedkingdom #US #USA #unitedstates  
32 Intel471 Bulletproof Hosting Landscape: Status Update on Actor yalishanda Snapshot of the prolific bulletproof hoster Yalishanda, a threat actor who operates one of the most popular BPH services in the world. The actor provides a “top-tier” service that is more mature and expansive than other offerings. Bulletproof hosting (BPH) services are web hosting services that are more resistant to complaints and takedown requests from law enforcement. They enable and facilitate various cybercriminal activities, such as phishing sites and malware download servers. BPH services are the biggest enabler of cybercrime within the underground. By tracking BPH services and actors, organizations can better monitor and block malicious activity, while law enforcement agencies can refine their efforts to disrupt BPH infrastructure. #bulletproofhosting #threatactor #threatactorprofile  
33 Intel471 Actor yalishanda: A snapshot of a prolific bulletproof hoster Snapshot of the prolific bulletproof hoster Yalishanda, a threat actor who operates one of the most popular BPH services in the world. The actor provides a “top-tier” service that is more mature and expansive than other offerings. Bulletproof hosting (BPH) services are web hosting services that are more resistant to complaints and takedown requests from law enforcement. They enable and facilitate various cybercriminal activities, such as phishing sites and malware download servers. BPH services are the biggest enabler of cybercrime within the underground. By tracking BPH services and actors, organizations can better monitor and block malicious activity, while law enforcement agencies can refine their efforts to disrupt BPH infrastructure. #bulletproofhosting #threatactor #threatactorprofile  
34 Jamf BlueNoroff strikes again with new macOS malware Report detailing the discovery and characteristics of a new malware variant from the BlueNoroff APT group, with details on how the malware, labeled ProcessRequest, communicates with a malicious domain and sends POST messages to the attacker server with information about the macOS version and app details. An explanation is provided on how the malware executes shell commands from the attacker server and logs the responses, and an indication is given that the malware is likely a later stage in a multi-stage malware delivered via social engineering, targeting cryptocurrency exchanges, venture capital firms, and banks. ProcessRequest can be linked to the RustBucket campaign previously seen by Jamf Threat Labs. Indicators of Compromise are provided for further analysis. #BlueNoroff #malware #ProcessRequest #industry_financial #RustBucket  
35 Joshua Penny HostingHunter Series: CHANG WAY TECHNOLOGIES CO. LIMITED HostingHunter is a series of blogs where Joshua Penny explores various hosting providers on the internet to uncover malicious or interesting activity conducted on them. The author starts with little knowledge and uses different tools and techniques to find out more. The first hosting provider that the author investigates is “Chang Way Technologies”, a company registered in Hong Kong that has an ASN with over 3,000 IPv4 addresses. The author finds connections between the company and a persona named “processor” who sells bulletproof hosting services called “UNDERGROUND” and “BearHost”. The author documents some of the findings on the hosting provider, such as: 1) a server that receives credentials from compromised Citrix VPN gateways using a webshell exploit, 2) a phishing page that impersonates the National Crime Records Bureau of India and demands payment from victims, 3) several servers that host C2s for malware such as Hydra, Hookbot, aXedroid, Rusty droid, and BlackByte ransomware, 4) some servers that run tools such as Nessus, Metasploit, and Cobalt Strike, possibly for penetration testing or malicious purposes, 5) some servers that are part of the 404 TDS, a traffic distribution system that delivers different malware to victims based on criteria, and 6) a server that runs Tactical RMM, a remote monitoring and management tool that can be abused by threat actors for persistent access. The author concludes that Chang Way is a hosting provider that hosts a lot of criminal activities and has some interesting connections to bulletproof hosting services. #phishing #C2 #malware #ransomware #bulletproofhosting  
36 Joshua Penny, Michael Koczwara Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023–4966 Citrix Bleed Vulnerability Blog post containing an analysis of the indicators of compromise (IOCs) provided by Boeing in a joint report by CISA, FBI and ACSC related to LockBit 3.0 ransomware affiliates who exploited a vulnerability in Citrix devices. The authors used various tools and techniques in their analysis to identify and cluster the IP addresses, domains and files associated with the first table of IOCs. They found connections to Chang Way Technologies, a hosting provider linked to malicious activity, and Covenant, a .NET command and control framework. They also found a TeamViewer IP address that shared an SSH banner hash with many other servers hosting different malware and services. The authors focused on two IP addresses that shared an SSH hash with a group they called ShadowSyndicate, which they had previously reported on. They found that these IP addresses were running OpenVPN servers and were linked to LockBit ransomware. They also found connections to other ransomware groups, such as 8Base and Avaddon, and a data leak site hosted on one of the IPs. The authors conclude that their analysis reveals a plethora of findings and connections to other ransomware groups, malware and infrastructure from the IOCs provided by Boeing, and they recommend that these indicators should be treated as malicious and validated before taking any action. #Lockbit #ransomware #malware #ShadowSyndicate #8Base #Avaddon  
37 Kaspersky Analysis of a spy module inside a WhatsApp mod Research explaining how a WhatsApp mod with a spy module has been spreading through Telegram channels and dubious websites dedicated to WhatsApp modifications. The mod provides 1) malicious components of the spy module, which include a service and a broadcast receiver that communicate with a command-and-control server and send information about the device, contacts, and accounts to the operator, 2) the command-and-control server that receives the device information and orders from the spy module and sends back responses in Arabic, and 3) distribution channels that include Telegram channels in Arabic and Azeri languages, as well as dubious websites that offer the mod for download. Statistics and attack numbers show how the spy module has been active since mid-August 2023 and has infected more than 340,000 devices across more than a hundred countries, with Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt being the top five countries. Kaspersky recommends avoiding unofficial instant messaging apps and security solutions that may fail to detect and block the malware, and using official instant messaging clients and reliable security solutions instead. #spymodule #spyware #azerbaijan #saudiarabia #yemen #turkey #egypt  
38 Kaspersky Modern Asia APT groups TTPs A report about the activities and threats of Asian APT groups, targeting various organizations for political or economic motives. The report covers four main topics: an overview of Asian APT groups, an analysis of Asian APT campaigns and the malware, tools, and techniques used by these groups (such as PlugX, Cobalt Strike, Mimikatz, and ZeroCleare), recommendations for defense and mitigation (e.g. implementing multi-factor authentication, patching vulnerabilities, monitoring network traffic, and conducting threat intelligence), and future outlook and challenges (such as artificial intelligence being leveraged, exploitation of supply chain attacks, the targeting of critical infrastructure and detection evasion). #russia #belarus #indonesia #pakistan #malaysia #argentina #APT10 #APT28 #APT41 #LazarusGroup #CloudHopper #RedOctober #ShadowHammer #Sharpshooter #threatresearch #aptgroups #advancedpersistentthreat  
39 Kaspersky Ducktail malware spreading through fake clothing job ads Report on the Ducktail malware campaign that targeted marketing professionals in 2023, describing how the malware used Delphi as the programming language and sent fake ads for jobs with major clothing companies in archive files with PDF icons. The report explains how the malware opened a real PDF file that contained the job details when started, and saved a PowerShell script and a malicious library to the device, as well as how the malware launched a browser extension that disguised itself as Google Docs Offline and stole Facebook business and ads accounts, cookies, and details. Kaspersky reveals how the malware communicated with a C&C server in Vietnam and forwarded the stolen credentials and cookies, and states that the malware mainly attacked users in India and that Kaspersky solutions stopped infection attempts on devices of users in 19 other countries. Finally, the report provides a link to another report on Operation Triangulation that covers similar Asian APT groups and their activities. #industry_fashion #Ducktail #malware #industry_communications #infostealer #india #kazakhstan #ukraine #germany #portugal #ireland #greece #jordan #pakistan #vietnam #uae #unitedarabemirates #US #USA #unitedstates #peru #chile  
40 Kroll Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage A summary of the main cyber threats and trends observed by Kroll in 2023 Q3, highlighting that 1) social engineering was the dominant threat in Q3 (with a variety of tactics such as phishing, vishing, valid accounts and others, and different sectors (especially professional services, manufacturing and health care) being targeted), 2) business email compromise (BEC) continued to grow steadily, with both established and new threat actor groups using it to access data and demand ransom (with professional services as the most targeted sector, followed by manufacturing and construction), and 3) ransomware remained an ever-present threat, despite a drop in the percentage of cases, with the most active groups being Lockbit and Blackcat, while newer groups (e.g. Rhysida and Cactus) emerged and Qakbot was disrupted by law enforcement in August. #quarterlyreport #Lockbit #BlackCat #Rhysida #Cactus #Qakbot  
41 Levi Gundert and Megan Keeling Cyber Silk Road: Tracing China’s Stealth Turn Blog discussing China’s cyber shift: The article argues that China has changed its cyber tactics from noisy and careless to quiet and stealthy, in response to its growing geo-political ambitions and challenges, providing examples of how China has been using code signing certificates, trojanized applications, DNS tunneling, living-off-the-land techniques, zero-day vulnerabilities, and supply chain compromises to obfuscate its cyber intrusions and avoid attribution. The article discusses how different types of organizations may face different risks from China’s cyber activities, such as data theft, service disruption, or network persistence, and suggests that CISOs should adjust their technical controls and communicate the risk impacts to business executives. A timeline of Chinese state-sponsored cyber activity from 2019 to 2023 is also included, showing how it is related to geo-political events such as the US-China trade war, the COVID-19 pandemic, the BRICS expansion, and the Taiwan Strait crisis. #nationstate #china #aptgroups #iran #saudiarabia #uae #unitedarabemirates #egypt #unitedstates #USA #US #russia #TAG-67 #vaticancity #india #criticalinfrastructure  
42 Malwarebytes Credit card skimming on the rise for the holiday shopping season Blog post warning about a card skimming (hackers inserting malicious code (often hidden and hard to detect by shoppers) into merchant websites to steal credit card information from customers) campaign that targets online shoppers. The blog post describes a specific skimming campaign that has been active since March 2023 and has increased in October 2023. The campaign uses customized and localized skimmers that mimic the look and feel of the victim websites. The skimmers also show a video of the material partially levitating to trick customers into thinking it is a legitimate feature. The blog post advises online shoppers to be extra careful when shopping on smaller or less secure websites, especially during the holiday season. It also recommends using web protection tools that can detect and block malicious domains, IP addresses, and JavaScript snippets. The blog post provides a list of domain names and IP addresses that are associated with the skimming campaign, which can be used by community blocklists and third-party products to prevent access to the malicious sites. #ioc #indicatorofcompromise #cardskimming #securityawareness  
43 Malwarebytes Atomic Stealer distributed to Mac users via fake browser updates Report going in-depth on Atomic Stealer for Mac (a.k.a. AMOS), a malware that steals passwords and files from Mac users, previously distributed through malicious ads. A new social engineering scheme (branded “ClearFake”) uses compromised websites to deliver fake browser updates to Mac and Windows users containing the Atomic Stealer malware, through a DMG file pretending to be a Safari or Chrome update that runs commands to grab credentials and files of interest from the victim’s machine. Recommendations specifically provided to Mac users are to be careful about fake browser updates and use web protection tools to block the malicious infrastructure associated with ClearFake. IoCs are provided in the report as well. #atomicstealer #AMOS #malware #ClearFake #socialengineering #MicrosoftWindows #AppleMacOS  
44 Mandiant Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology Threat intelligence report on a cyber physical incident by the Russia-linked threat actor Sandworm that targeted a Ukrainian critical infrastructure organization in late 2022. The report 1) describes how Sandworm used living off the land (LotL) techniques to access and exploit an OT system through a hypervisor and an ISO image, and how it deployed a new variant of CADDYWIPER in the IT environment to remove forensic artifacts, 2) analyzes the OT attack lifecycle and the OT capability developed by Sandworm, which leveraged a native MicroSCADA binary to execute unauthorized commands to switch off substations, 3) examines the novel OT techniques and the streamlined approach of Sandworm, which reduced the time and resources required to conduct the attack and avoided detection by using generic and lightweight tools, 4) links the incident to Russia’s ongoing investment and offensive cyber capabilities in OT systems, and suggests that Sandworm may have been waiting for a specific moment to deploy the capability during a multi-day set of coordinated missile strikes on critical infrastructure across Ukraine, and 5) urges OT asset owners to take action to mitigate and detect this threat, and provides detections, hunting and hardening guidance, MITRE ATT&CK mappings and more in the appendices of the report. #russia #ukraine #criticalinfrastructure #threatresearch #sandworm #CaddyWiper #OTSecurity  
45 Microsoft CVE-2023-36036 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Microsoft advisory on CVE-2023-36036, affecting Microsoft Edge and Internet Explorer browsers. The vulnerability is caused by a memory corruption error in the scripting engine of the browsers, which could allow an attacker to execute arbitrary code on the target system if a user views a specially crafted web page. The vulnerability is rated as critical by Microsoft, as it could lead to a remote code execution scenario, which means an attacker could gain complete control of the affected system. The vulnerability affects all supported versions of Windows 10, Windows 8.1, Windows 7, and Windows Server. Microsoft has released a security update to address the vulnerability as part of its monthly Patch Tuesday release on November 14, 2023. Users are advised to apply the update as soon as possible, or use an alternative browser until the update is installed. #CVE-2023-36036 #vulnerability #codeexecution #MicrosoftWindows  
46 Microsoft CVE-2023-36025 - Windows SmartScreen Security Feature Bypass Vulnerability CVE-2023-36025 allows an attacker to bypass security checks and prompts via Windows Defender SmartScreen, by tricking a user into clicking on a malicious Internet Shortcut or hyperlink. #CVE-2023-36025 #WindowsDefender  
47 Microsoft (Microsoft Threat Intelligence) Diamond Sleet supply chain compromise distributes a modified CyberLink installer Blog post explaining a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) using a modified CyberLink installer as a delivery mechanism for a second-stage payload. The malicious file, signed with a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure and checks the time window for execution and evades detection by security products. The attack has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. Microsoft attributes this activity with high confidence to Diamond Sleet, a known espionage and data theft group. The second-stage payload communicates with compromised domains and downloads the payload embedded in a PNG file. The blog post provides code, hashes, reports, and indicators to help customers identify and respond to this threat. It also recommends mitigations such as using Microsoft Defender Antivirus, enabling network protection, and investigating the device timeline. #northkorea #DiamondSleet #ZINC #aptgroups #threatactor #threatresearch  
48 Microsoft (MTI (Microsoft Threat Intelligence)) Microsoft shares threat intelligence at CYBERWARCON 2023 Summary of the content of the presentations by Microsoft and LinkedIn analysts at the CYBERWARCON 2023 conference, covering various aspects of threat intelligence and cyber operations. The presentations 1) compare and contrast Iranian groups before and after the Israel-Hamas war, highlighting their reactive and opportunistic cyber activities, their use of existing access and infrastructure, and their information operations to inflate their impact and notoriety, 2) provide an update on Volt Typhoon, a Chinese threat actor linked to the military, and how Microsoft tracked and assessed its activity against critical infrastructure and key resources in the U.S. and its territories, revealing its operational security and stealthy attempts to return to previously compromised victims and target new sectors, 3) profile Storm-0978, a Russian state-aligned actor that combines cybercrime and espionage, and explores the possible motivations and objectives behind this dual role, as well as the challenges and gaps in tracking and mitigating this threat actor, and 4) share what LinkedIn’s Threat Prevention and Defense team has learned from its investigations of cyber mercenaries, focusing on Black Cube, and how this actor uses honeypot profiles, fake jobs, and fake companies to conduct reconnaissance and HUMINT operations against targets of interest and concern to its clients. #israel #palestine #VoltTyphoon #china #SeashellBlizzard #IRIDIUM #russia #Storm-0978 #BlackCube #iran  
49 NCSC-UK UK and Republic of Korea issue warning about DPRK state-linked cyber actors attacking software supply chains Article warning about the growing threat of software supply chain attacks by DPRK state-linked cyber actors, who use sophisticated techniques and exploits to access victims’ systems. It is a joint advisory by the UK’s National Cyber Security Centre (NCSC) and the Republic of Korea’s National Intelligence Service (NIS), who provide technical details, case studies, and mitigation actions for organisations. The advisory explains how the actors leverage zero-day vulnerabilities and exploits in third-party software to target specific or indiscriminate organisations, and how these attacks align with DPRK-state priorities of revenue generation, espionage, and technology theft. Organisations are urged to follow the recommended actions to improve their resilience to supply chain attacks and reduce the risk of compromise, and to refer to the NCSC’s supply chain security guidance for more advice. #uk #unitedkingdom #southkorea #northkorea #supplychainattack #zeroday  
50 NCSC-UK (National Cyber Security Centre, United Kingdom) NCSC Annual Review 2023 NCSC Annual Review 2023, reflecting the NCSC’s work and achievements in its seventh year since 2016. The review covers the period between 1 September 2022 and 31 August 2023 and highlights the NCSC’s role as the UK’s technical authority for cyber security, working to make the UK the safest place to live and work online. The review also looks ahead to future challenges and the need for inclusive, diverse, and open cyber security solutions. The front cover of the review, designed using an AI-generated image prompt, reflects the NCSC’s vision of an open and resilient digital society and the ethical, legal, and existential questions that AI poses for society. The review stresses the importance of using AI responsibly and ensuring that cyber security is thoroughly considered during the development and adoption of new AI technologies. #annualreport #unitedkingdom #uk  
51 netcraft Donation fraud: scammers exploit generosity in Gaza conflict Article describing how cybercriminals use the current situation in Gaza to carry out donation fraud and cryptocurrency scams, using various tactics to trick users into sending funds to fake causes or malicious websites. The article gives examples of donation fraud emails that impersonate different parties involved in the conflict, such as Israel, Palestine, Lebanon, and Egypt. These emails direct victims to websites that either ask for cryptocurrency donations or use crypto drainers to empty their wallets. The article also explains how crypto drainers work and how they exploit the convenience of connecting a wallet to the browser, and how phishing sites mimic legitimate organizations, such as Crypto Aid Israel and Palestine Children’s Relief Fund, to solicit donations. #palestine #lebanon #egypt #donationfraud #cryptocurrency #israel  
52 NIS (National Intelligence Service, Republic of Korea) ROK-UK Joint Cyber Security Advisory (DPRK S/W supply chain attacks) Joint Cybersecurity Advisory (CSA) by the National Intelligence Service (NIS) of the Republic of Korea (ROK) and the National Cyber Security Centre (NCSC) of the United Kingdom (UK) to warn about DPRK state-linked cyber actors’ global supply chain attacks on software products used by government, financial, and defence organisations. The CSA provides TTPs, preventative measures, and detailed information on the attacks. #uk #unitedkingdom #southkorea #northkorea #supplychainattack #zeroday  
53 Outpost24 Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection Deep dive into a new anti-sandbox technique LummaC2 v4.0 stealer (a malware-as-a-service (MaaS) information stealer that targets login credentials, credit card details, and other sensitive data) is using to avoid detonation if no human mouse activity is detected, by capturing five cursor positions and calculating the angles between the vectors formed by them. If any angle is bigger than 45 degrees, it restarts the process. #infostealer #LummaC2 #MaaS #malwareasaservice  
54 Palo Alto / Unit42 IOCs for TA577 pushing IcedID variant IoCs for detection of TA577 pushing ICEDID (BOKBOT) variant #ioc #indicatorofcompromise #TA577 #bokbot #icedid  
55 Palo Alto / Unit42 Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors Unit 42 researchers explain the destructive cyberattacks by the Iranian-linked Agonizing Serpens APT group targeting the education and technology sectors in Israel from January to October 2023. The report 1) describes the attack stages and the web shells used by the attackers to gain initial access, map the network, and execute reconnaissance commands, 2) shows how the attackers used various scanners to scan the network for hosts of interest and obtain credentials of users with administrative privileges, 3) explains how the attackers used Plink to create remote tunneling and move laterally in the environment, and how they tried to steal information from databases and critical servers using sqlextractor and other tools, 4) details how the attackers used a custom wiper called MultiLayer to cover their tracks and wipe the system by corrupting, overwriting, and timestomping files, deleting logs, and wiping the boot sector, 5) identifies similarities and overlaps between MultiLayer and other custom tools previously used by Agonizing Serpens, such as Apostle, IPsec Helper, and Fantasy, 6) mentions that the Cortex XDR platform blocked the execution of MultiLayer and prevented data restoration, and 7) indicates that the attackers attempted to use a second wiper called PartialWasher or PW, but it was also prevented by Cortex XDR. #iran #AgonizingSerpens #Agrius #industry_education #industry_technology #israel  
56 Palo Alto / Unit42 Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific Details on three Stately Taurus cyberespionage campaigns (as observed by Unit42) targeting the Philippines government and other entities in the South Pacific in August 2023, each campaign using a different ZIP file name and containing a malicious DLL that side-loads and connects to a malicious C2 server. IP addresses are identified as known Stately Taurus infrastructure since June 2023, and the report shows how the actors disguised the C2 traffic as legitimate Microsoft traffic in the POST statements. The report assesses that at least one campaign directly targeted the Philippines government and that the actors compromised a government entity for five days in August 2023. It also highlights the persistent cyberespionage operations of Stately Taurus as one of the most active Chinese APTs and the need for protective measures to defend against this threat group. #china #philippines #StatelyTaurus  
57 Palo Alto / Unit42 IOCs for TA577 Pikabot activity IoCs for TA577 Pikabot activity #ioc #indicatorofcompromise #TA577 #pikabot  
59 Palo Alto / Unit42 Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors Article detailing two campaigns by North Korea state-sponsored threat actors targeting job-seeking activities linked to software development. The first campaign, “Contagious Interview”, uses GitHub abuse to lure and infect software developers with malicious NPM packages that contain BeaverTail malware, a cross-platform backdoor that steals cryptocurrency and credit card information, and retrieves additional malware as a second-stage payload. The second campaign, “Wagemole”, uses job-seeking platforms to find and hire unauthorized workers for financial gain and espionage. Both campaigns have high confidence of being run by North Korea, and the US Department of Justice and FBI have reported similar activity by North Korean threat actors. The article provides analysis and insight into the two new malware families, BeaverTail and InvisibleFerret, and how they evade detection and compromise targets. It also offers recommendations and protections for both job applicants and employers to consider when interviewing or applying for remote jobs. #northkorea #contagiousinterview #wagemole #BeaverTail #InvisibleFerret  
58 Palo Alto / Unit42 IOCs for DarkGate infection IoCs for DarkGate infections. #DarkGate #malware #ioc #indicatorofcompromise  
59 Proofpoint TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities TA402, a Middle Eastern APT group, used a new downloader called IronWind to target government entities in the region with a complex infection chain. TA402 changed its delivery methods from Dropbox links to XLL and RAR file attachments, likely to evade detection. The APT group used geofencing techniques and decoy documents to make its malicious activity harder to detect, and used the Israel-Hamas conflict as a lure, but did not change its targeting or mandate significantly. #TA402 #apt #IronWind #industry_government #israel #palestine #Molerats #WIRTE #Frankenstein  
60 QuoIntelligence Decoding Disinformation: The Spanish Election Information Operation Targeting Russian-Speakers Blog post discussing a recent operation that targeted the Russian-speaking population in Spain before the general elections in July 2023. The campaign used Telegram messages and fake websites to spread false information about a planned terrorist attack by ETA and discourage the recipients from voting. A technical analysis of the campaign is provided, including the narrative, the influencer, the audience, the capabilities, the infrastructure, and the techniques used by the threat actors. The post also uses the DISARM framework to categorize the techniques and the Diamond Model to visualize the campaign. Finally, QuoIntelligence discusses the implications of the campaign for CISOs and CIOs, and provides some recommendations to protect their organizations from disinformation campaigns and other types of cyber threats. These include awareness, education, collaboration, security measures, and threat intelligence. #russia #spain #germany #disinformation  
61 QuoIntelligence Analysis of The Red Cross’ Rules Of Engagement For Hacktivists In October 2023, the International Committee of the Red Cross (ICRC) released, for the first time, rules of engagement for hacktivists taking part in armed conflicts. This blog analyses those rules and the obligations of states to observe them. The ICRC proposes eight rules for civilian hackers who participate in cyber operations during wars, based on international humanitarian law; the rules aim to protect civilians and civilian objects from harm, and to prevent hacktivists from becoming lawful targets or violators of the law themselves. The ICRC also suggests four obligations for states to restrain hacktivists on their territory or under their control, based on the recommendations of the UN Group of Governmental Experts: not using proxies, not encouraging violations, preventing and prosecuting war crimes, and suppressing other violations. The analysis covers the case of KillNet, a pro-Russia hacktivist group involved in the Russia-Ukraine conflict, which claimed to comply with the ICRC rules after initially rejecting them. However, the analysis shows that KillNet continued to target civilian objects, such as banks, airports, and Israeli websites, after its announcement. QuoIntelligence assesses that KillNet’s declarations were likely a publicity stunt and that states will probably continue to sponsor hacktivist groups for their own interests. #KillNet #aptgroups #threatactor #hacktivist #rulesofengagement #russia #ukraine  
62 Recorded Future, Insikt Group Charting China’s Climb as a Leading Cyber Power Report on the evolution of Chinese cyber-espionage activity. Insikt Group states that Chinese cyber operations have matured into a coordinated threat that exploits both known and zero-day vulnerabilities in public-facing security and network appliances, has improved its operational security and anonymity (making detection harder), and has shifted from broad intellectual property theft to targeted collection supporting specific strategic, economic, and geopolitical goals. Insikt argues that a vulnerability-centric defence is therefore inadequate: organisations, governments, and the cybersecurity community need defence-in-depth measures that detect post-exploitation activity. China is likely to exploit zero-day vulnerabilities in cloud services as well, and is poised to become a dominant global force in cyber espionage and information warfare. Its capabilities are shaped by internal and external factors such as military restructuring, domestic regulations, and reporting by Western governments and the cybersecurity community, and its cyber activities support efforts to project power in the South China Sea and Taiwan and to prepare for potential future actions, backed by a significant commitment of resources to offensive cyber operations and an evident enhancement of capabilities. #nationstate #aptgroups #china #threatresearch #zeroday #vulnerability #cyberespionage  
63 Red Canary Adversaries exploit Confluence vulnerability to deploy ransomware Blog post explaining how to detect and respond to exploitation of Atlassian Confluence CVE-2023-22518 by adversaries who aim to deploy Cerber ransomware. The post 1) describes how the vulnerability, an Improper Authorization Vulnerability, allows unauthenticated users to restore from backup with arbitrary .zip files, potentially enabling remote code execution and data loss, 2) provides the exploitation steps and commands observed by Red Canary, which involve downloading a Cerber ransomware executable, running reconnaissance, and deleting volume shadow copies, 3) identifies the Cerber ransomware sample as likely derived from materials exposed in the Conti ransomware leaks, and explains how it encrypts files using ChaCha, AES, and RC4, and drops ransom notes, 4) advises organizations running vulnerable, on-premise Confluence installations to update those systems as soon as possible, and offers pseudo-detection analytics to help security teams identify suspicious activity related to the vulnerability and the ransomware. #CVE-2023-22518 #vulnerability #remotecodeexecution #Cerber #ransomware  
64 Red Canary Intelligence Insights: November 2023 Monthly threat report by Red Canary that analyzes the most prevalent and emerging threats encountered by Red Canary customers and the broader infosec community. It contains a ranking of the most common threats based on the number of unique customer environments affected, including old and new threats such as Yellow Cockatoo, LummaC2, FakeBat, and Qbot. A detection opportunity is also discussed, in the form of a sample detection analytic that identifies Qbot persistence by spotting regsvr32.exe silently executing code from the AppData\Roaming directory. Finally, a link to download the 2023 Threat Detection Report (covering the top 10 threats of 2022) and more is provided. #monthlyreport #YellowCockatoo #LummaC2 #FakeBat #Qbot  
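The Qbot persistence analytic summarised in the row above (regsvr32.exe silently registering a DLL from AppData\Roaming) expressed as runnable detection logic. This is an added example, not Red Canary’s own analytic, and the process-creation events it scans are constructed JSON lines, not real telemetry; the field names (`process`, `cmdline`, `parent`) are assumptions about the telemetry schema.

```python
"""Detection logic for the Qbot persistence pattern: regsvr32.exe silently (/s)
registering a DLL from %AppData%\\Roaming.
Added example, not Red Canary's analytic; event lines below are constructed."""
import json
import re
from typing import Iterable

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "ws01", "process": "regsvr32.exe", "parent": "explorer.exe", "cmdline": "regsvr32.exe /s C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Oxrdi\\ttvw.dll"}
{"host": "ws02", "process": "regsvr32.exe", "parent": "msiexec.exe", "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll"}
{"host": "ws03", "process": "regsvr32.exe", "parent": "cmd.exe", "cmdline": "regsvr32 /S /i \"C:\\Users\\alice\\appdata\\roaming\\Ycnbr\\fvnd.dll\""}
{"host": "ws04", "process": "rundll32.exe", "parent": "explorer.exe", "cmdline": "rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\x.dll,Start"}
{"host": "ws05", "process": "regsvr32.exe", "parent": "explorer.exe", "cmdline": "regsvr32.exe C:\\Users\\bob\\AppData\\Roaming\\legit.dll"}
"""

# regsvr32 accepts /s or -s, in either case, as the "silent" switch.
SILENT_FLAG = re.compile(r"(?:^|\s)[/-]s(?:\s|$)", re.IGNORECASE)
# Any DLL path under a user's AppData\Roaming profile folder.
ROAMING_PATH = re.compile(r"appdata\\roaming\\", re.IGNORECASE)


def is_qbot_persistence(event: dict) -> bool:
    """True when regsvr32.exe runs silently against a DLL in AppData\\Roaming."""
    if event.get("process", "").lower() != "regsvr32.exe":
        return False
    cmd = event.get("cmdline", "")
    return bool(SILENT_FLAG.search(cmd)) and bool(ROAMING_PATH.search(cmd))


def scan(lines: Iterable[str]) -> list[dict]:
    """Return the events that match the analytic, in input order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_qbot_persistence(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[Qbot persistence?] {hit['host']} parent={hit['parent']}: {hit['cmdline']}")
```

Only ws01 and ws03 match: ws02 loads from System32, ws04 is rundll32 rather than regsvr32, and ws05 lacks the silent switch. Operators can drop `/s`, so a looser variant that alerts on any regsvr32 load from AppData\Roaming (and weights the parent process) trades precision for recall; tune to the environment.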
65 RedHat State of Kubernetes security report 2023 State of Kubernetes security report, based on the responses of 600 DevOps, engineering, and security professionals from various organizations, revealing the most frequent security issues organisations encounter during their cloud-native adoption journey, and the effects on their businesses, as well as new, emerging trends in container, Kubernetes, and cloud-native security. #annualreport  #kubernetes  
66 ReliaQuest Citrix Bleed Vulnerability: Background and Recommendations Explanation of the background of, and recommendations for, Citrix Bleed (CVE-2023-4966), a critical vulnerability in Citrix NetScaler Gateway and NetScaler ADC that lets attackers retrieve sensitive memory contents and hijack authenticated user sessions. The blog lists the supported NetScaler ADC and NetScaler Gateway versions that are affected, describes the exploitation process and the MITRE ATT&CK techniques observed in the wild, and urges remediation by installing the updated NetScaler Gateway and ADC builds and killing all active sessions (since sessions created before patching remain valid), as strongly recommended by CISA and Cloud Software Group. Detection rules based on NetScaler ADC syslog logging and a Sigma rule for spotting concurrent sessions of one Citrix user from different IPs are included as well. The post also notes that NetScaler ADC and NetScaler Gateway appliances not configured as a gateway or an AAA virtual server, and related products such as NetScaler ADM and Citrix SD-WAN, are not affected. #CitrixBleed #CVE-2023-4966 #vulnerability  
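The detection idea from the row above, a Citrix user (or a single session) appearing from more than one client IP, worked through as correlation over syslog lines. This is an added example, not ReliaQuest’s Sigma rule; the log lines are constructed and only approximate the layout of NetScaler AAA/SSLVPN syslog records (the `Context`, `SessionId` and `Client_ip` fields), so adapt the regular expression to the real format before use.

```python
"""Correlate NetScaler-style AAA/SSLVPN syslog lines to surface one SessionId
(or one user) seen from more than one client IP, the session-hijack indicator
behind ReliaQuest's rule. Added example, not ReliaQuest's Sigma rule; the log
lines are constructed and only approximate NetScaler's field layout."""
import re
from collections import defaultdict
from typing import Iterable, Iterator

# Constructed sample, approximating NetScaler AAA LOGIN / SSLVPN TCPCONNSTAT records.
SAMPLE_SYSLOG = """\
11/14/2023:09:00:01 GMT ns 0-PPE-0 : default AAA LOGIN 101 0 : Context alice@corp - SessionId: 41 - Vserver 10.0.0.2:443 - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Browser_type "Mozilla/5.0"
11/14/2023:09:02:15 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 102 0 : Context alice@corp - SessionId: 41 - Client_ip 203.0.113.10 - Destination 10.0.5.20:445
11/14/2023:09:03:40 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 103 0 : Context alice@corp - SessionId: 41 - Client_ip 198.51.100.77 - Destination 10.0.5.20:445
11/14/2023:09:05:00 GMT ns 0-PPE-0 : default AAA LOGIN 104 0 : Context bob@corp - SessionId: 42 - Vserver 10.0.0.2:443 - Client_ip 203.0.113.25 - Nat_ip "Mapped Ip" - Browser_type "Mozilla/5.0"
11/14/2023:09:06:10 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 105 0 : Context bob@corp - SessionId: 42 - Client_ip 203.0.113.25 - Destination 10.0.5.30:3389
"""

# User, session id and client IP as they appear in the (approximated) records.
FIELDS = re.compile(
    r"Context (?P<user>\S+) - SessionId: (?P<sid>\d+) .*?Client_ip (?P<ip>[\d.]+)"
)


def parse(lines: Iterable[str]) -> Iterator[tuple[str, str, str]]:
    """Yield (user, session_id, client_ip) for every line carrying all three fields."""
    for line in lines:
        m = FIELDS.search(line)
        if m:
            yield m["user"], m["sid"], m["ip"]


def sessions_with_multiple_ips(lines: Iterable[str]) -> dict[tuple[str, str], list[str]]:
    """One SessionId used from several IPs: the strongest hijack signal."""
    ips: dict[tuple[str, str], set[str]] = defaultdict(set)
    for user, sid, ip in parse(lines):
        ips[(user, sid)].add(ip)
    return {key: sorted(v) for key, v in ips.items() if len(v) > 1}


def users_with_multiple_ips(lines: Iterable[str]) -> dict[str, list[str]]:
    """Any session of one user from several IPs: noisier, closer to the Sigma rule."""
    ips: dict[str, set[str]] = defaultdict(set)
    for user, _sid, ip in parse(lines):
        ips[user].add(ip)
    return {user: sorted(v) for user, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    for (user, sid), addrs in sessions_with_multiple_ips(SAMPLE_SYSLOG.splitlines()).items():
        print(f"session {sid} of {user} seen from {', '.join(addrs)}")
```

Alice’s session 41 is flagged because it continues from 198.51.100.77 after being opened from 203.0.113.10; Bob is not. The per-user variant also fires on legitimate NAT changes and mobile clients, so the per-session check is the one to page on, with the per-user check kept for hunting.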
67 ReliaQuest Scattered Spider Attack Analysis Analysis of a Scattered Spider attack, describing how the group infiltrated the cloud environment through Okta single sign-on (SSO) and MFA fatigue attacks, then pivoted to the on-premises environment in under an hour, using Citrix VDI sessions and AD Explorer to discover and access resources. The report highlights the group’s operational knowledge and security, including its use of internal IT documentation to plan lateral movement and its evasion of the alert rules that would typically raise suspicion. Recommended mitigations are MFA fatigue detection rules, help-desk challenge-response policies, and privileged identity management. #ScatteredSpider #aptgroup  
68 Resecurity Ransomware Attacks against the Energy Sector on the rise Article examining the alarming rise of ransomware attacks against the energy sector, including nuclear facilities and related research entities, by cybercriminals from Russia, Ukraine, and other regions. It provides data on the number and scope of ransomware attacks in the U.S., Europe, and Asia, and the increasing ransom demands from attackers, as well as insights from the Department of Homeland Security on the return of big-game hunting and the use of modern languages and encryption by ransomware actors. The article provides an analysis of high-profile ransomware attacks on energy firms and related entities in North America, Europe, and Asia, and their attributions to Russian-nexus threat groups, as well as evidence from HUNTER (HUMINT) research on Dark Web solicitations for energy sector access by Initial Access Brokers (IABs) and cybercriminal forums. Furthermore, details from undercover ransom negotiations with Black Basta, a Russian-nexus ransomware group, a timeline of all significant energy-sector ransomware attacks over the last year, with attributions to their corresponding perpetrators, and a warning about the destabilizing implications of ransomware attacks targeting the energy sector for geopolitical relations, capital markets, public safety, and national security are provided in this article. #russia #ukraine #US #USA #unitedstates #ransomware #initialaccessbrokers #BlackBasta #industry_energy  
69 Reuters How an Indian startup hacked the world Special report by Reuters that investigates the activities of Appin, an Indian cyberespionage firm that hacked targets around the world for private investigators, governments, and corporate clients. The report reveals how Appin grew from an educational startup into a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites, follows the stories of several of its victims, and exposes how Appin alumni went on to form other firms that are still active in the cybermercenary market. #india #hackforhire  
70 Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler CacheWarp: Software-based Fault Injection using Selective State Reset Paper introducing CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP that exploits the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on SEV’s integrity guarantees, CacheWarp is not mitigated on the newest SEV-SNP implementation and does not rely on specifics of the guest VM: the hypervisor-level attacker only has to interrupt the VM at a chosen point and invalidate modified cache lines without them being written back to memory, so the guest continues with stale data. #CacheWarp  
71 Russian Panda (Ann P.) MetaStealer - Redline’s Doppelgänger Research blog post by RussianPanda, who analyzes a malware variant called MetaStealer, which is based on Redline Stealer. The post provides a technical analysis of MetaStealer’s features, code, and network communication. A comparison is made between MetaStealer and Redline, showcasing that they share many functionalities, such as stealing browser data, credentials, files, and system information. However, MetaStealer also has some differences, such as using different object names, encryption keys, and registry paths. The article also shows how to differentiate the two stealers based on their traffic patterns and binary signatures, and provides a Yara rule that can detect MetaStealer based on some unique strings. RussianPanda lists some hashes of MetaStealer samples and the C2 domain as indicators of compromise. #MetaStealer #Redline #malware #ioc #indicatorofcompromise  
72 Security Break (Thomas Roccia) 🛡️ The Intel Brief #8 Newsletter by Thomas Roccia (cybersecurity researcher and speaker), discussing GPTs for cybersecurity (MagicUnprotect, which is connected to the Unprotect.it database, and a list of other GPTs for cybersecurity on Github), preparations for the Hack.Sydney conference where Thomas Roccia will present his research on Prompt Engineering for Threat Intelligence, a summary and a visual for the top five threat reports of the week, covering topics such as APT29, TA402, IMPERIAL KITTEN, C3RB3R ransomware, and MarsStealer malware, and reference to an article that explains how to use emulation for malware analysis and triage, and a demonstration of the use of emulation to deobfuscate strings and analyze the functionality of MarsStealer malware. #weeklyreport #APT29 #TA402 #ImperialKitten  #C3RB3R #MarsStealer #malware #ransomware #aptgroups  
73 Security Joes BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group Report on a new Linux wiper (BiBi-Linux Wiper) discovered by Security Joes’ incident response team during forensic investigations at Israeli companies hit by a Hamas-affiliated hacktivist group. The malware is an x64 ELF executable with no obfuscation or protective measures; it takes a target path as an argument and, when run with root permissions against the root of the filesystem, can destroy the entire operating system. It writes extensive output to stdout, which the operators suppress by running it under nohup. It uses multiple threads and a queue to corrupt files concurrently, increasing its speed and reach. Its actions include overwriting files with useless data, renaming them with a random string containing “BiBi”, and excluding certain file types from corruption. The malware’s name and a string hardcoded in the binary indicate its political motive and its jab at Israeli Prime Minister Benjamin Netanyahu, as “BiBi” is a common nickname for him. #malware #BiBiLinuxWiper #palestina #palestine #israel  
74 SecurityScorecard Cyber Threat Intelligence Update: New Claims of Attacks Against Israeli SCADA Systems Report based on data collected from pro-Palestinian hacktivist channels that target Israeli and allied organizations with cyberattacks such as DDoS, website defacements, and data leaks. These groups are mainly from Indonesia and Malaysia and claim religious solidarity with Palestine. Some hacktivist groups claim to have accessed the SCADA systems of Israeli water utilities, which could have serious real-world impact. SecurityScorecard investigated these claims by analyzing NetFlow and scan data for the Israeli water and wastewater sector, but did not find clear evidence of compromise or exposure of SCADA services at the Israeli organizations involved. It did, however, find some traffic involving anonymizing services that may indicate reconnaissance or interest by threat actors. #palestina #israel #hacktivist #ddos #OTSecurity #indonesia #malaysia  
75 Sekoia.io Game Over: gaming community at risk with information stealers Report on how cybercriminals use social engineering to trick gamers into downloading malicious software that steals their personal data, in-game assets, and credentials, focusing on a specific campaign spread via Discord messages and fake download websites. Several information stealer families were observed in this campaign (such as Doenerium, Epsilon Stealer, BBy Stealer, and Nova Sentinel). The report details their features, communication, and detection opportunities, and advises users to download software and games only from official and trusted sources, to avoid cracked or pirated content, to learn the tactics used by cybercriminals, and to use password managers. It also recommends resetting an infected computer and changing all passwords as soon as possible. #malware #infostealer #industry_gaming #Doenerium #EpsilonStealer #BByStealer #NovaSentinel  
76 Sekoia.io DarkGate Internals Technical report on DarkGate, a malware-as-a-service (MaaS) loader that operates covertly and evades antivirus detection. The report 1) describes DarkGate’s configuration and obfuscation, which uses base64 with a custom alphabet together with XOR operations to store and decode data and to communicate with the command and control (C2) servers, 2) explains its reverse shell functionality, which lets the attacker interact with the victim’s system, execute PowerShell commands, and download and execute additional payloads, 3) shows how DarkGate implements keylogging and Discord token collection, using Windows API functions and custom encoding to capture keystrokes and extract tokens, 4) demonstrates how DarkGate provides remote desktop access via hidden VNC (hVNC) and elevates privileges using embedded executables, token theft, and parent PID spoofing, 5) describes its persistence methods, which include a CurrentVersion\Run registry key pointing to an LNK file and triggering a critical error (BSOD) if the malware is removed or deleted by antivirus software, 6) discusses its antivirus evasion techniques, such as using the Union API to lazy load DLLs and APC injection to execute arbitrary code inside another process, and 7) provides detailed code examples and diagrams to illustrate these techniques, citing relevant sources and reports for further information. #DarkGate #malware #malwareasaservice #keylogging #RastaFarEye #TA577 #Ducktail #remoteaccesstrojan #trojan  
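The configuration encoding scheme named in the row above (base64 over a custom alphabet, then XOR) shown as a decoder of the kind an analyst writes after pulling the alphabet and key out of a sample. This is an added example, not Sekoia’s code and not DarkGate’s real constants: the alphabet, the XOR key and the sample configuration are hypothetical stand-ins (real builds use their own), and the single-byte key recovery at the end assumes the plaintext starts with a known prefix.

```python
"""Decoder for a DarkGate-style string/config encoding: base64 with a shuffled
alphabet followed by an XOR pass. Added example; CUSTOM_ALPHABET, XOR_KEY and
CONFIG are hypothetical stand-ins, not values from any real DarkGate build."""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical shuffled alphabet (a permutation of STD_ALPHABET), not DarkGate's.
CUSTOM_ALPHABET = (
    "zyxwvutsrqponmlkjihgfedcba"
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "9876543210/+"
)
XOR_KEY = b"\x5a"  # hypothetical single-byte key
# Constructed sample configuration, loosely in the "index=value" form.
CONFIG = "0=c2.example.invalid\n1=443\n2=hvnc_enabled"


def custom_b64decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, restore padding, decode."""
    translated = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated)


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64decode; padding is dropped as the samples do."""
    return base64.b64encode(raw).decode().rstrip("=").translate(str.maketrans(STD_ALPHABET, alphabet))


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (a single-byte key is just the degenerate case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(plain: str, key: bytes = XOR_KEY) -> str:
    return custom_b64encode(xor(plain.encode(), key))


def decode_config(blob: str, key: bytes = XOR_KEY) -> str:
    return xor(custom_b64decode(blob), key).decode()


def recover_single_byte_key(blob: str, known_prefix: bytes) -> bytes:
    """If the plaintext is known to start with known_prefix, a single-byte key
    falls out of the first bytes; raises if the bytes disagree (longer key)."""
    raw = custom_b64decode(blob)
    candidates = {raw[i] ^ known_prefix[i] for i in range(len(known_prefix))}
    if len(candidates) != 1:
        raise ValueError("known prefix does not fit a single-byte XOR key")
    return bytes([candidates.pop()])


if __name__ == "__main__":
    blob = encode_config(CONFIG)
    print("encoded:", blob)
    print("key recovered from '0=' prefix:", recover_single_byte_key(blob, b"0=").hex())
    print("decoded:", decode_config(blob))
```

Recovering the alphabet from a sample is the part that has to be done by hand (it sits in the decoder routine of the binary); once both constants are known, the same decoder applies to C2 traffic and embedded strings alike, as the report describes.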
77 Sekoia.io Unmasking the latest trends of the Financial Cyber Threat Landscape Report highlighting the latest trends of the financial cyber threat landscape, and providing an analysis of evolutions observed in campaigns against financial organisations worldwide, covering 1) principal tactics, techniques and procedures used by lucrative and state-sponsored intrusion sets to compromise financial organisations  (such as phishing, ransomware, supply chain attacks, data breach incidents, crypto-related attacks and DDoS campaigns), 2) the increasing use of QR code phishing campaigns associated with Phishing-as-a-Service (PhaaS) platforms (such as Dadsec OTT, Tycoon and W3LL Panel), to target banks and other financial entities with malicious links and attachments, 3) the growing threat of BEC campaigns, which leverage novel TTPs such as third party targeting and indirect proxy use, to impersonate executives and obtain financial information or transfers, 4)  the explosion of software supply chain attacks leveraging open source components, especially the npm platform, to exploit critical vulnerabilities and compromise financial systems and organisations, and 5) the persistent threat of banking malware, especially mobile banking trojans, which target users and organisations in Brazil and Mexico, and aim at retrieving financial and cryptocurrency data from banks and other financial institutions. #brazil #mexico #threatresearch #financialindustry #bec #PhaaS #phishingasaservice #ransomware #malware #trojan  
78 SektorCert The attack against Danish critical infrastructure In May 2023, Danish critical infrastructure was hit by the most extensive cyberattack Denmark has experienced to date, potentially involving a state actor. 22 companies that operate parts of the Danish energy infrastructure were compromised in a coordinated attack. The attackers gained access to some of the companies’ industrial control systems, and several companies had to switch to island mode operation. This report provides an analysis and timeline of the attack, together with a top 25 of recommendations that address the concrete attack techniques observed. #OTSecurity #industry_energy #nationstate #sandworm  
79 SentinelOne Elephant Hunting: Inside an Indian Hack-For-Hire Group New insights on the hack-for-hire activities of Appin Security Group, a renowned entity in the realm of offensive security services, covering numerous global cyber intrusions, spanning espionage, surveillance, and disruptive actions, and a high confidence in attributing intrusions in various countries, including Norway, Pakistan, China, and India, among others. The report provides unique, non-public, and technically-verified data into the Appin business, including internal communications, customer lists, malware samples, and exploit services, and reveals a noteworthy customer base of government organizations and private businesses spread globally, and a high level of technical sophistication and operational efficiency of Appin’s hacking operations. The report also details the intricate processes underlying the creation of malware, exploits, and network infrastructure, and how Appin acquired and managed them over the years, providing crucial insights into the landscape of hack-for-hire enterprises. #india #norway #pakistan #china #hackforhire  
80 SentinelOne Predator AI: ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms Analysis of a new Python-based infostealer and hacktool called ‘Predator AI’, which uses ChatGPT to automate data enrichment and add context to scanner results. The report details Predator AI developer’s background, goals, and features, and how the tool is advertised through Telegram channels related to hacking, and explains the Predator AI chat-like interface that connects the user to Predator’s features, and how it queries the OpenAI API for relevant information and handles edge cases. Predetermined and custom utilities that Predator AI offers are (amongst others) checking AWS credentials, Twilio account status, IP reputation, and social media profiles, and how they can be used to perform web application attacks. The report also demonstrates the stealer build process and the configuration options for Predator AI, and how the tool can be used to insert the infostealer code into an existing executable. SentinelOne provides a forecast of the expected evolution of Predator AI and the challenges and limitations of the AI integration, and describes how organizations can reduce the impacts from these tools by keeping web services patched and up to date, using cloud security posture management tools, and logging and detecting anomalous behaviors. #infostealer #PredatorAI  
81 SentinelOne Arid Viper: APT’s Nest of SpyC23 Malware Continues to Target Android Devices Analysis of the SpyC23 Android spyware family developed by Arid Viper, a Hamas-aligned threat actor, detailing 1) historical and current context on Arid Viper’s mobile malware activities and interests, 2) the SpyC23 Android spyware family’s multi-platform toolkit and consistent use of mobile spyware since 2017, 3) two identified unique themes of the SpyC23 Android spyware family (mimicking Telegram and mimicking Skipped Messenger, a former dating app), and 4) the social engineering approach used by Arid Viper to deliver the spyware through pretexts that allow operators to engage closer to their intended victims. An analysis of the application permissions and anti-analysis techniques employed by the SpyC23 Android spyware family to complicate analysis and evade detection is provided, as well as a showcase of the class names and methods of the SpyC23 Android spyware family, highlighting the overlap with older Arid Viper spyware families and the connection between SpyC23 versions. C2 servers used by the SpyC23 Android spyware family are disclosed, following the hyphenated domain naming scheme of Arid Viper.  The report emphasises the recent focus on Arabic speakers by Arid Viper, which is considered an interesting development given the actor’s historical penchant for targeting Israeli military personnel. Finally, SentinelOne advises users to avoid installing applications from outside of the Google Play Store and to remain wary when installing new apps from any source.   #AridViper #SpyC23 #Android #malware  
82 Simone Kraus Top Cy-X Threat Actors impacting Germany in 2023 and how to defend against them Exploration of the top 5 Cy-X (cyber extortion, computer crime that compromises and exploits a corporate digital asset to extort a payment) threat actors and tools in Germany for 2023, based on research and data from German authorities and other sources, with LockBit 3.0 the most active group at 25% of all attacks. The article analyzes the top tools used by these actors, such as Rclone, WinSCP, and FileZilla, and maps them to MITRE ATT&CK techniques for each group. #cy-x #Lockbit #germany #Rclone #WinSCP #FileZilla  
83 Synopsys Top Software Vulnerabilities in 2023 “Software Vulnerability Snapshot” report, which reveals persistent vulnerabilities in commercial software systems and applications based on three years of anonymized data from Synopsys tests. The report covers 16 industry verticals and includes tests such as penetration testing, dynamic application security testing, and mobile application security testing. It shows why a full spectrum of AppSec testing is essential to manage software risk, as some vulnerabilities cannot be detected by static or automated tools and require human oversight. The report also provides valuable insights for security and development strategies. #vulnerability #vulnerabilityresearch #threatresearch  
84 SysAid SysAid On-Prem Software CVE-2023-47246 Vulnerability Report on a zero-day vulnerability in the SysAid on-premise software that was exploited by the group tracked as DEV-0950 (Lace Tempest). The investigation by SysAid and Profero describes the vulnerability, its exploitation path, the malware loader, and the attackers’ removal of evidence. SysAid customers are advised to update to version 23.3.36, conduct a comprehensive compromise assessment, review their credentials and logs, and monitor for signs of exploitation. Indicators to look for are found in the SysAid webroot directory, the NTFS journal and shadow copies, the PowerShell execution logs, and the targeted processes, to identify abnormal behavior or code injection. #DEV-0950 #LaceTempest #CVE-2023-47246 #malware #zeroday  
85 The DFIR Report FTP Exploit Activity leads to Sliver Private report from The DFIR Report on the WS_FTP (CVE-2023-40044) vulnerability. The report details the TTPs used in intrusion, spanning initial access, reconnaissance, elevated privileges, and defense evasion activities. #CVE-2023-40044 #vulnerability #vulnerabilityresearch  
86 ThreatMon The Anatomy of a Sidecopy Attack: From RAR Exploits to AllaKore RAT Analysis of a cyberattack attributed to Pakistani APT group “Sidecopy”, where a malicious RAR file was used to deliver a remote access trojan (RAT) called AllaKore to Indian government entities. The report highlights some key findings of the analysis, such as the exploitation of a WinRAR vulnerability (CVE-2023-38831), the features of the AllaKore RAT,  MITRE ATT&CK techniques used,  indicators of compromise (IOCs), and a YARA rule for detection. #CVE-2023-38831 #sidecopy #allakore #trojan #india #pakistan #rat  
87 ThreatMon The Anatomy of a Sidecopy Attack From RAR Exploits to AllaKore RAT - IoCs IoC’s identified during the analysis of a cyberattack attributed to Pakistani APT group “Sidecopy”, where a malicious RAR file was used to deliver a remote access trojan (RAT) called AllaKore to Indian government entities. #CVE-2023-38831 #sidecopy #allakore #trojan #india #pakistan #rat #ioc #indicatorofcompromise
88 Trellix Akira Ransomware Blog post by Trellix analyzing the inner workings, victimology, and TTPs of the Akira ransomware family, which has been active since early 2023 and employs a double extortion scheme. The post provides statistics and charts on the countries, states, sectors, and frequency of Akira’s victims, based on the group’s leak site postings. The majority of victims are in the United States and its allies, and the most targeted sectors are services & goods and manufacturing. The post describes Akira’s encryption mechanism, command-line arguments, file structure, and MITRE ATT&CK techniques, and compares it to Conti ransomware, with which it shares similarities in code and encryption algorithm. #uk #unitedkingdom #canada #australia #southkorea #akira #malware #us #USA #unitedstates #industry_manufacturing #industry_servicesandgoods #ransomware #conti  
89 Trellix The CyberThreat Report: November 2023 Latest CyberThreat Report from the Trellix Advanced Research Center revealed signs of cooperation between nation-state-backed advanced persistent threat (APT) actors and ransomware groups, malware written in uncommon programming languages, and the creation of Generative AI (GenAI) tools by cybercriminals. Some top threat actor groups were APT40, MustangPanda and Lazarus. #monthlyreport #threatresearch  #APT40 #MustangPanda #Lazarus #APT10 #Gamaredon #Kimsuky #APT29  
90 Trellix CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability Blog post by Trellix about CVE-2023-38831, a vulnerability that allows remote code execution by exploiting a flaw in WinRAR’s handling of ZIP archives that contain a file and a directory with the same name. The post explains how the vulnerability is triggered when a user opens the seemingly benign file from within WinRAR, which causes the application to execute the spoofed file inside the same-named directory instead. It also provides a video of the exploit in action, analyzes the security patch released by RARLabs, and shows how the patch prevents exploitation by changing the way WinRAR uses the Temp directory. #CVE-2023-38831 #remotecodeexecution  
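A defender-side check for the archive shape the row above describes: a file entry whose name collides with a directory entry (typically with a trailing space, so that the decoy and its same-named folder look identical). This is an added example, not Trellix’s code, and it only inspects entry names to triage archives; the two archives it scans are constructed in memory with placeholder content and carry no exploit.

```python
"""Heuristic triage of ZIP archives for the CVE-2023-38831 name collision:
a file entry and a directory entry sharing one name (usually with a trailing
space). Added example, not Trellix's code; sample archives are constructed."""
import io
import zipfile


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. COLLIDING mimics only the naming pattern: a decoy
# "invoice.pdf " next to a directory "invoice.pdf " holding a same-named script.
BENIGN = build_sample({"report.pdf": b"%PDF-1.4 placeholder", "images/logo.png": b"\x89PNG placeholder"})
COLLIDING = build_sample({
    "invoice.pdf ": b"%PDF-1.4 placeholder",
    "invoice.pdf /invoice.pdf .cmd": b"rem constructed placeholder, not a payload",
})


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return one reason string per suspicious file entry (empty list if clean)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = {n for n in names if not n.endswith("/")}
    # Directories are implied by path prefixes as well as explicit "dir/" entries.
    dirs: set[str] = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    reasons = []
    for n in sorted(files):
        basename = n.rsplit("/", 1)[-1]
        if basename != basename.rstrip():
            reasons.append(f"{n!r}: file name has trailing whitespace")
        if n in dirs:
            reasons.append(f"{n!r}: file name collides with a directory of the same name")
    return reasons


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("colliding", COLLIDING)):
        print(label, "->", suspicious_entries(blob) or "no findings")
```

Trailing whitespace in an entry name is unusual on its own and, combined with the file/directory collision, is characteristic of the lure archives; the check says nothing about what the files contain, so treat a hit as a reason to detonate the archive in a sandbox, not as proof of exploitation. The same naming pattern also applies to RAR archives, which Python’s standard library does not parse.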
91 Trellix The Continued Evolution of the DarkGate Malware-as-a-Service Article describing the DarkGate malware, a remote access trojan (RAT) sold as malware-as-a-service (MaaS) by an actor named RastaFarEye. The article traces the history and development of DarkGate from its first discovery in 2018 to its latest version 5, released in October 2023. It highlights the features and changes that RastaFarEye introduced to evade security products and analysis tools, such as encryption, obfuscation, packers, process injection, and rootkit techniques. It also explains how DarkGate is distributed through phishing emails or collaboration applications such as Microsoft Teams, and how it chains VBS scripts, MSI files, AutoIT scripts, shellcode, and loaders to execute the final payload in memory. The article further details the commands and modules DarkGate implements to fully compromise victim systems, such as credential theft, keylogging, screen capture, a file manager, cryptomining, and ransomware, and describes the configuration parameters DarkGate uses to enable or disable features and checks. #DarkGate #malwareasaservice #RastaFarEye #remoteaccesstool #remoteaccesstrojan #trojan #threatresearch  
92 Trend Micro CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and Rootkits Description of a security flaw (CVE-2023-46604) in Apache ActiveMQ, a popular messaging platform, that allows remote code execution by unmarshalling OpenWire commands without validating the class type of Throwable objects. Threat actors are actively exploiting CVE-2023-46604 to infect Linux systems with Kinsing malware (also known as h2miner), a cryptocurrency miner that competes with other miners and malware on the infected host and uses a rootkit for persistence. Users are advised to upgrade their ActiveMQ brokers and clients to the latest versions that fix the vulnerability, and to use security solutions to detect and block malicious content and activity. The report also provides rules and filters for additional protection, as well as indicators of compromise for the Kinsing malware. #CVE-2023-46604 #Kinsing #h2miner  
93 Unciphered Randstorm: You Can’t Patch a House of Cards Report discussing “Randstorm”, a vulnerability in BitcoinJS (a JavaScript library for Bitcoin) that affected cryptocurrency wallets generated from 2011 to 2015. It was caused by the library’s use of the weak SecureRandom implementation from the JSBN library, which fell back to the browser’s Math.random when window.crypto.random was unavailable, as it was in most browsers. An attacker could recover the private keys of affected wallets by exploiting the weaknesses of Math.random in browsers of that era; the amount of work required depends on the time and method of generation and on any additional entropy sources used. The vulnerability affects not only Bitcoin wallets but also other cryptocurrencies that used BitcoinJS or its derivatives, such as Dogecoin, Litecoin, and Zcash. BitcoinJS fixed the issue in March 2014, but some projects continued to use the vulnerable code until 2015. #Randstorm #vulnerability #cryptocurrency #industry_financial  
94 Uptycs GhostSec offers Ransomware-as-a-Service Possibly Used to Target Israel (uptycs.com) The hacker collective GhostSec (which emerged from Anonymous and focused on counterterrorism efforts against ISIS, but recently shifted its attention to cyberattacks on Israel in support of Palestine) launched a Ransomware-as-a-Service (RaaS) framework called GhostLocker, offered to customers through a Telegram channel. GhostLocker is a Python-based ransomware that uses the Nuitka compiler to create executable files that are smaller and harder to reverse engineer. It encrypts files with the Fernet module and appends a .ghost extension. It also has options to kill processes, disable services, delay execution, escalate privileges, and use a watchdog process to ensure persistence. Uptycs recommends some best practices to protect against ransomware, such as using antivirus software, patching systems, filtering emails, backing up data, and monitoring network traffic. #threatresearch #ransomware #GhostSec #GhostLocker #israel  
95 Venation Wanna trade your crusty old SIM card for my brand new shiny one? Blog post by Venation discussing SIM swapping and how it works. As a type of social engineering attack that involves tricking mobile operators into transferring a victim’s phone number to a SIM card controlled by the attacker, it allows the attacker to intercept calls and text messages and to access the victim’s accounts that use SMS-based two-factor authentication (2FA). SIM swapping can affect anyone who uses a phone number as a means of identity verification, such as for bank accounts, cryptocurrency wallets, email, social media, and more. SIM swapping can result in financial losses, identity theft, data breaches, and reputational damage. SIM swapping has also drawn the attention of governments and regulators, who may impose stricter rules on mobile providers and 2FA systems. The post suggests some steps to reduce the risk of SIM swapping, such as reviewing and adjusting the methods of multi-factor authentication, training employees to recognize and report a lost network connection, strengthening the security of mobile accounts, setting up alerts for changes to mobile accounts, and using threat scenarios to understand the mindset and tactics of the attackers. #simswapping #socialengineering  
96 VMware Jupyter Rising: An Update on Jupyter Infostealer Report on the new variants of Jupyter Infostealer, a malware that targets the Education and Health sectors. The malware author has made some changes to the PowerShell command and to the signatures of private keys to avoid detection and establish persistence. The Carbon Black MDR Team (having detected and contained many Jupyter Infostealer infections over the years) has noticed a recent increase in the number of attacks, a trend supported by observations of other malware researchers. The report discusses certificate manipulation, common delivery methods, a fake installer, IoCs, and Carbon Black threat hunting details. #infostealer #Jupyter #industry_education #industry_healthcare #malware  
97 VulnCheck Executing from Memory Using ActiveMQ CVE-2023-46604 Blog post that explores how an attacker can exploit CVE-2023-46604 (a vulnerability in ActiveMQ that allows attackers to execute arbitrary code from memory and avoid most detections) by using ClassPathXmlApplicationContext to launch a new process via cmd.exe or bash. A stealthier method, however, is to use FileSystemXmlApplicationContext and SpEL to execute code via the Nashorn JavaScript engine. ActiveMQ logs may show a BeanCreationException with Nashorn in the nested exception. Patching ActiveMQ and removing it from the internet are recommended. #CVE-2023-46604  
98 Zolder Storm-1575 AITM platform used to target cybersecurity experts Blog post from Zolder discussing phishing mail with QR codes. The company received a phishing mail that contained a QR code and mentioned their company name multiple times. The mail bypassed their spam filter and seemed to be a targeted attack. The QR code led to a website that used an open-redirect vulnerability on a legitimate mail server of a security expo, which made the URL look trustworthy, but actually redirected the victim to another malicious domain. The malicious domain presented a fake Microsoft login page with the company branding, and was classified by Microsoft as part of the Storm-1575 group, which provides a phishing-as-a-service platform. This platform can proxy the requests between the victim and Microsoft and take over the victim’s account, even if MFA is enabled. The company was skeptical about the phishing mail and did not fall for it. They shared their findings on their blog to raise awareness about this type of attack and how to protect against it. #Storm-1575 #phishing #netherlands #thenetherlands #holland #qrcode #qrcodephishing #phishingasaservice  
99 Zscaler ThreatLabz 2023 Enterprise IoT & OT Threat Report Research report by Zscaler providing insights into the state of IoT threats and the best practices for protecting IoT and OT environments. Key findings: IoT device traffic and malware attacks have increased, the Mirai and Gafgyt botnets prevail, routers dominate as both targets and sources of attacks, the manufacturing sector is the most impacted by malware, and IoT devices need visibility, encryption, patching, and zero trust security. Some important stats: 18% growth in IoT device traffic, 400% growth in IoT malware attacks, 66% share of Mirai and Gafgyt payloads, 75% share of command injection vulnerabilities, 54.5% share of manufacturing in malware attacks, and 96.2% share of the U.S. in IoT traffic destinations. Zscaler provides a detailed analysis of the IoT devices and traffic passing through the Zscaler cloud, covering the device categories, traffic volume, encryption status, vertical distribution, and geographic distribution. The report also provides a snapshot of the OT industry and the challenges it faces due to the convergence of IoT and OT. #OTSecurity #IOTSecurity #Mirai #Gafgyt #malware #industry_manufacturing  