Breaking industry news, cyber security resources, trends and more.
The Hopper is now able to authenticate to Linux machines using Active Directory credentials via SSH.This capability allows the Hopper to use cleartext credentials to spread to Active Directory connected Linux machines during an attack.As we can see in the screenshot below, the Hopper is able to spread to a Linux machine using cleartext AD credentials via SSH:The Hopper can spread from a Linux machine to other Linux machines via SSH. The Hopper can spread back from a Linux machine to Windows machines via SMB.
We would like to announce the start of the deprecation process of the Cymulate (legacy) agent and the transition to the use of the service-based agent. Due to its scalable and modular architecture, the service-based agent offers users a better overall experience and improved performance for running assessments in the platform.The service-based agent offers the following benefits:With the service-based agent, the user will no longer need to be logged in to run assessments. Agents can have multiple profiles with different permission levels, offering more control over what each agent can test. Agents can be configured easily from the Agents page in the platform. The agent’s automatic recovery mechanism will continue running the assessment from where it left off in the case that an assessment crashes.When will this change take place?We will deprecate the legacy agent using a phased approach. The following timeline describes the phases of the legacy agent deprecation:November 20th, 2022 –
We have created an OpenSSL Advanced Scenario Test for latest OpenSSL Vulnerability. To use: 1. Open the Cymulate interface2. go to Advanced Scenarios 3. go to Resources4. search for “OpenSSL CVE-2022-3786”Note: the test will test for both CVE-2022-3786 and CVE-2022-3602
Microsoft has announced that as of October 1, 2022, they have begun the process of removing basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used. For more information on this announcement, see this article.How does this affect Cymulate users?Cymulate users that have configured the SMTP connection via Office365 basic authentication will need to reconfigure the SMTP connection. The previous Office365 option which supported basic authentication has been removed, and the Office365MFA option, which supports all Office365 accounts, has been renamed Office365. Reconfiguring the Office365 connection (Service-based agent)To reconfigure the SMTP connection, follow the instructions below.Open the CMD and enter: For Client type, enter 3 to select Office365. If an interactive browser is found on your system, it will automatically open and prompt you to log in to your account. Otherwise, continue with the
Hi,Sunday (October 30th , 2022) we will perform a scheduled update to the platform.This update will include multiple items which require a maintenance window of about 2 hours.During this time access to some of the platform’s capabilities and assessments may be unavailable.The Maintenance time for Customers deployed at the EU Region are: 3:00PM GMT - 5:00PM GMT (30/10/2022) The Maintenance time for Customers deployed at the USA Region are: 4:00AM EST - 6:00AM EST (30/10/2022)Thank you! Cymulate Team
Maintained by the Apache Software Foundation (ASF), Apache is by far the most common web server run in the world. Doing a quick Shodan lookup as of this article’s publish date finds over 25 million Internet-reachable instances globally. Thus, the discovery of a remote code executable capable vulnerability this week in its Apache Common text library in its default configuration and dubbed Text4Shell should be taken seriously.The vulnerability discovered by cybersecurity researcher Alvaro Munoz was discussed in his blog post and tracked as CVE-2022-42889 with a CVSS score of 9.8 out of 10. It affects versions 1.5 through 1.9 of the Apache Common text libraries with only the latest 1.10 not having the issue. The issue can be found within its variable interpolation capabilities, specifically within its “script”, “DNS” and “URL” functionality. Apache has not provided a workaround for the affected variants but has recommended upgrading Apache Common text libraries to the latest 1.10.For inst
Google has updated their GSUITE API and no longer support basic authentication (username + password).It means that clients that has configured GSUITE connection in the agent will no longer be able to connect to it.All clients must generate ‘APP PASSWORD’ and use it instead of their account password.The agent UI is already updated.More details can be found here: Sign in with App Passwords - Gmail Help (google.com) (this link is also in the agent UI) The relevant part is this:
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems.Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one.An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.The malware downloads and executes the Metasploit's "Mettle" meterpreter to maximize its control on infected machines.Shikitega exploits system vulnerabilities to gain high privileges, persist and execute crypto miner.The malware uses a polymorphic encoder to make it more difficult to detect by anti-virus engines.Shikitega abuse legitimate cloud services to store some of its command and control servers (C&C).
Windows Defender is alerting people of a "threat detected" for "Behavior:Win32/Hive.ZY". The issue is tied to a recent listing in Microsoft's Defender update file, which is making a wrong detection. The trigger seems tied to Defender detecting "Electron-based or Chromium-based applications as malware"Microsoft Defender falsely detecting Win32/Hive.ZYSource: TwitterIn order to address this issue, Microsoft released an update and advised that customers using automatic updates for Microsoft Defender are not required to take any additional action.In addition Microsoft shared that enterprise customers managing their updates should ensure they are using detection build 1.373.1537.0 or newer.
An attack against a telecommunications agency in South Asia began with a simple email that initially appeared to be a standard malicious spam email message.However, the attached Word doc was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).While a payload was unavailable at the time of the investigation, OSINT research points to the Poison Ivy RAT, which FortiGuard Labs has previously highlighted.Based on analysis, Asian organizations, and potentially some in Mexico, were a reconnaissance target of a threat actor that we believe was also involved in Operation NightScout in 2021.This threat actor, who uses Chinoxy and PivNoxy in their arsenal, has been active since at least mid-2016.
With threats changing constantly, new and existing vulnerabilities stacking up, and the dynamic nature of enterprises adding new misconfigurations and security gaps daily we must take a continuous approach to security validation testing to truly keep ahead. Join Dave Klein and Dr. Chase Cunningham as they discuss.Join this conversation to learn:• Why is it important to truly understand both technical and business impact when looking at outcomes?• What is the relation to segmentation, access and privileges, and cloud controls?• What is the importance of both continuous security validation and breach feasibility testing?• How does this help minimize threat exposure and validate Zero Trust?Dr. Chase Cunningham is a retired Navy Chief Cryptologist with more than 20 years of experience in Cyber Forensic and Analytic Operations and forensic analysis. He gained his operations experience by being "on pos" doing cyber forensics, analytics, and offensive and defensive cyber operations while func
IntroductionThanks to everyone who took part in Cymulate’s Capture the Flag (CTF) challenge, “Binushka”. The challenge was created for the Blackhat 2022 event and everyone who solved it was able to claim a prize at Cymulate‘s Blackhat booth. For anyone who was curious about the full solution, this article will go through it step by step. The Binushka Challenge (Reversing) A rule of thumb is that before beginning to solve a CTF challenge, you should see if the name of the challenge hints to its solution. The name of this one was “Binushka”, which can be split into two parts: “bin” and “ushka”.The first part of the name is clear. “Bin” stands for binary. Something that also hints to this is that the name of the file is “bin_bin_bin”.The second part of the name, “ushka” is from the second half of the word “babushka.” Apart from the literal meaning of “babushka” (grandmother in Russian), there is also a doll named thebabushka doll—whose official name is actually the matryoshka doll. The ma
The LockBit ransomware-as-a-service was identified using a legitimate Windows Defender command line utility to decrypt and side-load a Cobalt Strike payload.Initial entry was made using the Log4j vulnerability, CVE-2021-44228, which allowed the threat actors to gain access, attempt to run post exploitation tools like Meterpreter, Empire and Cobalt Strike and collect data from the infected device to exfiltrate to the attacker controlled C2.
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.The implants for the new malware family are written in the Rust language for Windows and Linux.A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators.Following analysis, ESET named it CloudMensis.Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures.
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks.Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine - this time aimed at a large software development company whose software is used in various state organizations within Ukraine.Cisco Talos believes that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests.As this firm is involved in software development, Cisco Talos assesses that there is a possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time Cisco Talos do not have any evidence that they were successful.
Understanding the Differences Between IoCs (indicators of compromise) and TTPs (Tactics, Techniques and Proceedures).
We had a great conversation with @dan_lisichkin on truly understanding the differences between IoCs and TTPs. Really helpful in understanding how to better inoculate against attackers. What do you think? More importantly - what should we talk about next? Tell me! Even better if you want you can come join me on a broadcast if you want - no pressure on that but can do that too! 😃
We at Cymulate believe that when people come together, nothing can stop them.A core goal of the group is to create a global community of diverse professionals who will identify, challenge, and inspire one another through knowledge sharing, networking, ideation, and more.You are encouraged to share your knowledge, ask questions, participate in discussions, and become a key member of this community. I would appreciate hearing from you, answering any questions you have, or getting more involved by emailing me at firstname.lastname@example.org.Take a moment to introduce yourself and let everyone know who you are.
Our customers’ security is at the forefront of every decision, every updated feature, and every new initiativewe take as a company. Trust is never something we take for granted.That’s why we’re rigorous about requiring Cymulate employees to follow the latest in cyber hygiene. Westrive to be as informed and confident as possible in every decision we make when it comes to our customers data privacy.This brochure describes Cymulate Security Measures & Data Processing.
Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity.During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders.Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.
TA505 - "Clop" (sometimes stylized as "Cl0p") has been one of the most prolific ransomware families in the past three years. It has gained infamy for compromising high-profile organizations in various industries worldwide using multilevel extortion techniques that resulted in huge payouts estimated at US$500 million.
In May 2022, Microsoft published an advisory about CVE-2022-30190, which is about a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability.Attackers can inject a malicious external link to an OLE Object in a Microsoft Office document, then lure victims to click or simply preview the document in order to trigger this exploit.It will then execute a payload on the victim's machine.During Forti tracking last month, they found a document that exploited CVE-2022-30190, aka Follina, then downloaded Rozena to deploy a fileless attack and leverage the public Discord CDN attachment service.Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine.
Login to the community
No account yet? Create an account
LoginCUSTOMER / CYMULATE EMPLOYEE LOGIN
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.