Breaking industry news, cyber security resources, trends and more.
Hi,

Sunday (October 30th, 2022) we will perform a scheduled update to the platform. This update will include multiple items which require a maintenance window of about 2 hours. During this time, access to some of the platform's capabilities and assessments may be unavailable.

The maintenance time for customers deployed in the EU region is: 3:00PM GMT - 5:00PM GMT (30/10/2022)
The maintenance time for customers deployed in the USA region is: 4:00AM EST - 6:00AM EST (30/10/2022)

Thank you! Cymulate Team
Text4Shell - Validate Detection and Protection now with Cymulate (News)
Maintained by the Apache Software Foundation (ASF), Apache is by far the most common web server run in the world. A quick Shodan lookup as of this article's publish date finds over 25 million Internet-reachable instances globally. Thus, the discovery this week of a remote code execution vulnerability in the Apache Commons Text library in its default configuration, dubbed Text4Shell, should be taken seriously. The vulnerability, discovered by cybersecurity researcher Alvaro Munoz and discussed in his blog post, is tracked as CVE-2022-42889 with a CVSS score of 9.8 out of 10. It affects versions 1.5 through 1.9 of the Apache Commons Text library; only the latest version, 1.10, does not have the issue. The issue lies in the library's variable interpolation capabilities, specifically in its "script", "DNS" and "URL" lookups. Apache has not provided a workaround for the affected versions but has recommended upgrading Apache Commons Text to the latest 1.10. For inst
Gsuite connection changes (News)
Google has updated the GSUITE API and no longer supports basic authentication (username + password). This means that clients that have configured a GSUITE connection in the agent will no longer be able to connect to it. All clients must generate an 'APP PASSWORD' and use it instead of their account password. The agent UI is already updated. More details can be found here: Sign in with App Passwords - Gmail Help (google.com) (this link is also in the agent UI). The relevant part is this:
Shikitega - New stealthy malware targeting Linux (News)
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. The malware downloads and executes Metasploit's "Mettle" meterpreter to maximize its control over infected machines. Shikitega exploits system vulnerabilities to gain high privileges, persist and execute a crypto miner. The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect. Shikitega abuses legitimate cloud services to host some of its command and control (C&C) servers.
Microsoft Defender falsely detects Electron apps in Google Chrome as Win32/Hive.ZY (News)
Windows Defender is alerting people of a "threat detected" for "Behavior:Win32/Hive.ZY". The issue is tied to a recent listing in Microsoft's Defender update file, which is producing a false detection. The trigger seems tied to Defender detecting "Electron-based or Chromium-based applications as malware".

[Image: Microsoft Defender falsely detecting Win32/Hive.ZY. Source: Twitter]

In order to address this issue, Microsoft released an update and advised that customers using automatic updates for Microsoft Defender are not required to take any additional action. In addition, Microsoft shared that enterprise customers managing their own updates should ensure they are using detection build 1.373.1537.0 or newer.
A Tale of PivNoxy and Chinoxy Puppeteer
An attack against a telecommunications agency in South Asia began with a simple email that initially appeared to be a standard malicious spam message. However, the attached Word document was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798). While a payload was unavailable at the time of the investigation, OSINT research points to the Poison Ivy RAT, which FortiGuard Labs has previously highlighted. Based on analysis, Asian organizations, and potentially some in Mexico, were a reconnaissance target of a threat actor that we believe was also involved in Operation NightScout in 2021. This threat actor, who uses Chinoxy and PivNoxy in their arsenal, has been active since at least mid-2016.
Continuous Security Validation Testing with Dr. Chase Cunningham
With threats changing constantly, new and existing vulnerabilities stacking up, and the dynamic nature of enterprises adding new misconfigurations and security gaps daily, we must take a continuous approach to security validation testing to truly keep ahead. Join Dave Klein and Dr. Chase Cunningham as they discuss.

Join this conversation to learn:
• Why is it important to truly understand both technical and business impact when looking at outcomes?
• What is the relation to segmentation, access and privileges, and cloud controls?
• What is the importance of both continuous security validation and breach feasibility testing?
• How does this help minimize threat exposure and validate Zero Trust?

Dr. Chase Cunningham is a retired Navy Chief Cryptologist with more than 20 years of experience in Cyber Forensic and Analytic Operations and forensic analysis. He gained his operations experience by being "on pos" doing cyber forensics, analytics, and offensive and defensive cyber operations while func
Solving a Capture the Flag Challenge - Step by Step (Blog)
Introduction

Thanks to everyone who took part in Cymulate's Capture the Flag (CTF) challenge, "Binushka". The challenge was created for the Blackhat 2022 event and everyone who solved it was able to claim a prize at Cymulate's Blackhat booth. For anyone who was curious about the full solution, this article will go through it step by step.

The Binushka Challenge (Reversing)

A rule of thumb is that before beginning to solve a CTF challenge, you should see if the name of the challenge hints at its solution. The name of this one was "Binushka", which can be split into two parts: "bin" and "ushka". The first part of the name is clear: "bin" stands for binary. Something that also hints at this is that the name of the file is "bin_bin_bin". The second part of the name, "ushka", is from the second half of the word "babushka." Apart from the literal meaning of "babushka" (grandmother in Russian), there is also a doll named the babushka doll, whose official name is actually the matryoshka doll. The ma
LockBit Ransomware Abuses Legitimate Windows Defender Utility (News)
The LockBit ransomware-as-a-service was identified using a legitimate Windows Defender command line utility to decrypt and side-load a Cobalt Strike payload. Initial entry was made using the Log4j vulnerability, CVE-2021-44228, which allowed the threat actors to gain access, attempt to run post-exploitation tools like Meterpreter, Empire and Cobalt Strike, and collect data from the infected device to exfiltrate to the attacker-controlled C2.
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike (News)
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in Rust for Windows and Linux. A fully functional version of the command and control (C2), written in Go with a user interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
macOS Targeted With The CloudMensis Multi-Staged Malware (News)
ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, ESET named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures.
Attackers Target Ukraine With GoMet Backdoor (News)
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine, this time aimed at a large software development company whose software is used in various state organizations within Ukraine. Cisco Talos believes that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, Cisco Talos assesses that there is a possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time Cisco Talos does not have any evidence that they were successful.
Understanding the Differences Between IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures)
We had a great conversation with @dan_lisichkin on truly understanding the differences between IoCs and TTPs. Really helpful in understanding how to better inoculate against attackers. What do you think? More importantly - what should we talk about next? Tell me! Even better if you want you can come join me on a broadcast if you want - no pressure on that but can do that too! 😃
Cymulate’s Security Assurance
Our customers' security is at the forefront of every decision, every updated feature, and every new initiative we take as a company. Trust is never something we take for granted. That's why we're rigorous about requiring Cymulate employees to follow the latest in cyber hygiene. We strive to be as informed and confident as possible in every decision we make when it comes to our customers' data privacy. This brochure describes Cymulate Security Measures & Data Processing.
Trello From the Other Side: APT29 Phishing Campaigns (News)
Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity. During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders. Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.
Advanced Scenario - TA505 (CL0P)
TA505 - "Clop" (sometimes stylized as "Cl0p") has been one of the most prolific ransomware families in the past three years. It has gained infamy for compromising high-profile organizations in various industries worldwide using multilevel extortion techniques that resulted in huge payouts estimated at US$500 million.
Follina to Rozena - Leveraging Discord to Distribute a Backdoor (News)
In May 2022, Microsoft published an advisory about CVE-2022-30190, a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Attackers can inject a malicious external link into an OLE object in a Microsoft Office document, then lure victims to click or simply preview the document in order to trigger this exploit, which then executes a payload on the victim's machine. During Fortinet's tracking last month, researchers found a document that exploited CVE-2022-30190, aka Follina, then downloaded Rozena to deploy a fileless attack, leveraging the public Discord CDN attachment service. Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine.
Measuring Return on Security Investments (ROSI) with Cymulate (Blog)
As for any organization, the security department needs to measure cost-effectiveness, justify budget usage, and support its next budget claim. But organizations often have difficulty accurately measuring the effectiveness and cost of their information security activities. This is because security is not usually an investment that provides profit; it provides loss prevention. What is the amount an organization should invest in protecting information, and how can we quantify the return on this investment? There are many good articles about the term "ROSI" (Return On Security Investment). The ROSI calculation uses a simple formula that relies on the following parameters:

Annual Loss Expectancy (ALE) - The total annual financial loss from security incidents.
Mitigation Ratio and mALE - The modified ALE is the same as above but includes losses that were prevented by implementing a security solution. The value of prevented losses can be obtained by determining the mitigation ratio, whi
Red-Teaming Tool Being Abused by Malicious Actors (News)
Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. One such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, specialists believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging. The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
The SessionManager IIS backdoor
During 2022, ESET noticed a trend among several threat actors of deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange servers. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization, be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure.
AstraLocker 2.0 infects users directly from Word attachments (Blog)
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual, as the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don't seem to care about reconnaissance, evaluation of valuable files, or lateral network movement. Instead, they are performing "smash-n-grab" attacks to hit immediately with maximum force, aiming for a quick payout.
US CERT Alert - MedusaLocker (News)
The FBI, CISA, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks.
Bronze Starlight Ransomware Operations Use HUI Loader (News)
The BRONZE RIVERSIDE threat group is likely responsible for stealing intellectual property from Japanese organizations. The other cluster involves deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora post-intrusion ransomware. CTU researchers attribute this activity to the Chinese BRONZE STARLIGHT threat group.