Varonis Introduces Athena AI to Transform Data Security and Incident Response - https://www.redpacketsecurity.com/varonis-introduces-athena-ai-to-transform-data-security-and-incident-response/
"Sierra:21" vulnerabilities impact critical infrastructure routers - https://www.redpacketsecurity.com/sierra-vulnerabilities-impact-critical-infrastructure-routers/
Atlassian patches critical RCE flaws across multiple products - https://www.redpacketsecurity.com/atlassian-patches-critical-rce-flaws-across-multiple-products/
Navy contractor Austal USA confirms cyberattack after data leak - https://www.redpacketsecurity.com/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/
US senator: Govts spy on Apple, Google users via mobile notifications - https://www.redpacketsecurity.com/us-senator-govts-spy-on-apple-google-users-via-mobile-notifications/
New SLAM attack steals sensitive data from AMD, future Intel CPUs - https://www.redpacketsecurity.com/new-slam-attack-steals-sensitive-data-from-amd-future-intel-cpus/
Nissan is investigating cyberattack and potential data breach - https://www.redpacketsecurity.com/nissan-is-investigating-cyberattack-and-potential-data-breach/
LockBit Remains Top Global Ransomware Threat - https://www.redpacketsecurity.com/lockbit-remains-top-global-ransomware-threat/
Russian APT28 Exploits Outlook Bug to Access Exchange - https://www.redpacketsecurity.com/russian-apt-exploits-outlook-bug-to-access-exchange/
78% of CISOs Concerned About AppSec Manageability - https://www.redpacketsecurity.com/of-cisos-concerned-about-appsec-manageability/
Sellafield Accused of Covering Up Major Cyber Breaches - https://www.redpacketsecurity.com/sellafield-accused-of-covering-up-major-cyber-breaches/
Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics - https://www.redpacketsecurity.com/disney-cyber-scheme-exposes-new-impersonation-attack-tactics/
US Federal Agencies Miss Deadline for Incident Response Requirements - https://www.redpacketsecurity.com/us-federal-agencies-miss-deadline-for-incident-response-requirements/
UK FCA Warns of Christmas Loan Fee Fraud Surge - https://www.redpacketsecurity.com/uk-fca-warns-of-christmas-loan-fee-fraud-surge/
Porn Age Checks Threaten Security and Privacy, Report Warns - https://www.redpacketsecurity.com/porn-age-checks-threaten-security-and-privacy-report-warns/
Police Arrest 1000 Suspected Money Mules - https://www.redpacketsecurity.com/police-arrest-suspected-money-mules/
SpyLoan Scams Target Android Users With Deceptive Apps - https://www.redpacketsecurity.com/spyloan-scams-target-android-users-with-deceptive-apps/
Deutsche Wohnen Ruling Set to Drive Up GDPR Fines - https://www.redpacketsecurity.com/deutsche-wohnen-ruling-set-to-drive-up-gdpr-fines/
Trojan-Proxy Threat Expands Across macOS, Android and Windows - https://www.redpacketsecurity.com/trojan-proxy-threat-expands-across-macos-android-and-windows/
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-two-known-exploited-vulnerabilities-to-catalog-07-12-2023-2/
CISA: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - https://www.redpacketsecurity.com/cisa-cisa-and-partners-release-joint-advisory-on-irgc-affiliated-cyber-actors-exploiting-plcs-07-12-2023/
CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-four-known-exploited-vulnerabilities-to-catalog-07-12-2023/
CISA: CISA Releases Two Industrial Control Systems Advisories - https://www.redpacketsecurity.com/cisa-cisa-releases-two-industrial-control-systems-advisories-07-12-2023/
CISA: CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps - https://www.redpacketsecurity.com/cisa-cisa-releases-joint-guide-for-software-manufacturers-the-case-for-memory-safe-roadmaps-07-12-2023/
CISA: Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems - https://www.redpacketsecurity.com/cisa-multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems-07-12-2023/
CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog - https://www.redpacketsecurity.com/cisa-cisa-adds-two-known-exploited-vulnerabilities-to-catalog-07-12-2023/
CISA: Apple Releases Security Updates for Multiple Products - https://www.redpacketsecurity.com/cisa-apple-releases-security-updates-for-multiple-products-07-12-2023/
CISA: CISA Removes One Known Exploited Vulnerability From Catalog - https://www.redpacketsecurity.com/cisa-cisa-removes-one-known-exploited-vulnerability-from-catalog-07-12-2023/
CISA: CISA Releases Advisory on Threat Actors Exploiting CVE-2023-26360 Vulnerability in Adobe ColdFusion - https://www.redpacketsecurity.com/cisa-cisa-releases-advisory-on-threat-actors-exploiting-cve-vulnerability-in-adobe-coldfusion-07-12-2023/
PassBreaker - Command-line Password Cracking Tool Developed In Python - https://www.redpacketsecurity.com/passbreaker-command-line-password-cracking-tool-developed-in-python/
CISA: CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps - https://www.redpacketsecurity.com/cisa-cisa-releases-joint-guide-for-software-manufacturers-the-case-for-memory-safe-roadmaps-06-12-2023/
@CISAgov released an article on Physical Security Performance goals for Faith Based Communities
I applaud them for releasing this guidance. I just wish we didn't need this in America and people could be free, without worry, of fearing for their life at their respective place of worship.
By me @Forbes: This Lockdown Mode trick replaces the original on a victim’s iPhone for additional stealth longevity. Advice is to update to iOS 17 which gives LM kernel protection.
CISA: CISA Removes One Known Exploited Vulnerability From Catalog - https://www.redpacketsecurity.com/cisa-cisa-removes-one-known-exploited-vulnerability-from-catalog-06-12-2023/
CISA: Multiple Vulnerabilities Affecting Web-Based Court Case and Document Management Systems - https://www.redpacketsecurity.com/cisa-multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems-06-12-2023/
CISA: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - https://www.redpacketsecurity.com/cisa-cisa-and-partners-release-joint-advisory-on-irgc-affiliated-cyber-actors-exploiting-plcs-06-12-2023/
CISA: CISA Releases Four Industrial Control Systems Advisories - https://www.redpacketsecurity.com/cisa-cisa-releases-four-industrial-control-systems-advisories-06-12-2023/
Time to update my TA422 (APT28, Fancy Bear) intelligence gaps.
Looking for studies, reports and articles detailing the "real" threat posed by attackers leveraging typosquatting as part of the attack chain.
If you are aware of any such reports I would greatly appreciate a nudge towards where I might find them.
Trying to understand how common the problem is and the characteristics of these attacks.
CISA Releases Advisory on Threat Actors Exploiting CVE-2023-26360 Vulnerability in Adobe ColdFusion to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution.
Time to test @frameworkcomputer and Insyde to see how fast they can release a BIOS upgrade for this!
US Health Department Urges Hospitals to Patch Critical Citrix Bleed Bug https://www.bleepingcomputer.com/news/security/us-health-dept-urges-hospitals-to-patch-critical-citrix-bleed-bug/?&web_view=true #ThreatIntel&InfoSharing
Does anyone actively use AlienVault OTX for Intel feeds?
I haven’t used it in years but I’m thinking of setting up a feed again.
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - https://www.redpacketsecurity.com/over-vulnerable-microsoft-exchange-servers-exposed-to-attacks/
Cyber Toufan are back wiping companies who do business with Israel.
I think they realised companies have been restoring using their dumps (they also wipe backups). #threatintel
BlackBerry reported on a new commercial cyberespionage group called AeroBlade specifically targeting the U.S. Aerospace industry. With network infrastructure and weaponization that became operational in September 2022 and an offensive phase that began July 2023, this threat actor has improved their toolset for successful data exfiltration. IOC provided.
Okay, my toot about the PLC thing has an update - I see two ransomware groups now exploiting PLCs to gain internal network access to critical infrastructure. #threatintel
Happy Friday! I hope the week was kind to you!
The Cisco Talos Intelligence Group researchers discovered a new remote access trojan (#RAT) that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea".
In one of the attacks, the adversary used a shortcut file with a double extension, which is a technique adversaries use to abuse the default settings of Windows, which is to hide the extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!
New SugarGh0st RAT targets Uzbekistan government and South Korea
Ukraine’s CERT-UA put out a threat actor profile on the financially motivated cybercriminal group it has tracked since 2013 as UAC-0006. Known tools/malware used are listed, as well as the typical attack chain. They included past CERT-UA articles on UAC-0006 and attached IOC.
Unit 42 reported a series of related attacks against the Middle East and Africa and the United States. They assess with medium confidence that this threat activity cluster aligns to nation-state related threat actors. Tools used in the attacks include a new backdoor called Agent Racoon and a new malware called Ntospy. IOC provided.
I’ve seen another ransomware group exploiting Qlik Sense. Currently it is a very low number of attacks so you might want to patch. #threatintel
FjordPhantom Android malware uses virtualization to evade detection - https://www.redpacketsecurity.com/fjordphantom-android-malware-uses-virtualization-to-evade-detection/
Staples confirms cyberattack behind service outages, delivery issues - https://www.redpacketsecurity.com/staples-confirms-cyberattack-behind-service-outages-delivery-issues/
WhatsApp's new Secret Code feature hides your locked chats - https://www.redpacketsecurity.com/whatsapp-s-new-secret-code-feature-hides-your-locked-chats/
As an industry when are we going to start sharing honeypot data more openly? The honeypot explosion is insane. Every threat intel org seems to spin up their own generic honeypots that are the same as everyone else's. Of the ~13,000 f5 big-ip TMUI pages I can find exposed to the open internet - ~12,300 are easily detectable honeypots... #threatintel #cti #intel #f5 #honeypot
Happy Thursday everyone!
I can't believe #BlackHatEurope is starting on Monday! That means this is the last week to register for Cyborg Security's Threat Hunter training delivered by me! We will cover some resources that we can use for researching prior to our hunt, we will demonstrate how to extract key artifacts from an intel report and turn those artifacts into something useful, and then we will get into the data to hunt for evidence of malicious adversary behavior! It's going to be a fun time, good discussions, and a great chance to get some hands on experience hunting and pivoting through an investigation. I can't wait! Until then, Happy Hunting!
Registration ends on December 2nd, so don't miss out! Link below 👇 !
Cisco Talos: Chinese-speaking threat actor (assessed w/ low confidence) is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea with SugarGh0st RAT, assessed w/ high confidence to be a variant of Gh0st RAT. Two infection chains described, IOC provided.
CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack https://www.securityweek.com/cisa-warns-of-unitronics-plc-exploitation-following-water-utility-hack/?&web_view=true #ThreatIntel&InfoSharing
Dollar Tree hit by third-party data breach impacting 2 million people - https://www.redpacketsecurity.com/dollar-tree-hit-by-third-party-data-breach-impacting-million-people/
Remember the Okta breach a few months ago, where they explained it only impacted 1% of customers?
Turns out it is 100% of customers. They also stole data about Okta's staff, but they apparently didn't tell themselves either.
ArcticWolf are reporting "Qlik Sense Exploited in Cactus Ransomware Campaign" https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
Thread time as there's some additional detail I want to add: 🧵
Reminder that history repeats itself and so do binaries. Finger is back!
Why have trolls been attacking me since April?
...And why have those same trolls been attacking the same victim, sci-fi author Patrick Tomlinson, for five years?
Watch 👀 or listen to my Conference Keynote:
"Psychologically-Motivated Threat Actors"
InfectedSlurs Botnet Resurrects Mirai With Zero-Days - https://www.redpacketsecurity.com/infectedslurs-botnet-resurrects-mirai-with-zero-days/
ATT&CK Workbench is an impressive piece of software for #threatintel, the missing piece to actually make the topologies usable.
I hope a #D3FEND integration will be available in the future.
My RSS feed grows stronger every day.
#ThreatIntel #RSS #InfoSec
Bloomberg report ICBC have been able to recover treasury trading in the US as a key system runs Novell Netware, and LockBit didn’t have a payload to encrypt it. #threatintel https://www.bloomberg.com/news/articles/2023-11-22/icbc-partners-wary-to-resume-trading-with-bank-after-cyberattack
Kaspersky reports on hrserv.dll, a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Based on the compile timestamps, its origins date back to at least 2021. "the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior." Without explicitly writing it, Kaspersky suggests that the threat actor is a China-based APT. IOC included.
Unit 42 discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with North Korea. The first campaign “Contagious Interview,” has threat actors pose as employers to lure software developers into installing malware through the interview process (attributed with moderate confidence to North Korean state-sponsored actor). The second campaign "Wagemole" has threat actors seek unauthorized employment with organizations based in the US and other parts of the world, with potential for both financial gain and espionage (attributed with high confidence to North Korean state-sponsorship). Attack chains and IOC included.
Adlumin reports that Play ransomware (aka PlayCrypt) is now being offered as Ransomware-as-a-Service (RaaS). Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Adlumin recently identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it. IOC shared.
Links: https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/ See related The Hacker News reporting.
Trend Micro reports active exploitation of the Apache ActiveMQ vulnerability CVE-2023-46604 (CVSS: 10.0 critical severity, reported exploited as a zero-day since at least 10 October 2023, disclosed 26 October by Apache, Proof of Concept available, added to CISA's KEV Catalog on 02 November) to download and infect Linux systems with the Kinsing malware (also known as h2miner) and cryptocurrency miner. Trend Micro describes the Kinsing attack chain and provides IOC.
Check Point analyzed a USB-propagating worm named “LitterDrifter” linked to Russian state-sponsored Gamaredon (aka Primitive Bear, ACTINIUM, and Shuckworm), assessed by the Security Service of Ukraine to be Russian Federal Security Service (FSB) officers. Gamaredon continues to focus on a wide variety of Ukrainian targets, but Check Point notes that LitterDrifter has spread beyond its intended targets. They provide a technical analysis of LitterDrifter, comprised of a spreading module and a C2 module. IOC provided.
One week ago, @cyentiainst and Tidal Cyber published a study that provides a consensus view of the top ATT&CK techniques reported across 22 popular sources.
It's been well-received so far, but I'm sure there are many #infosec professionals out there who don't know about it yet and would benefit from it to build a more threat-informed defense. If you find this research valuable, please share it with your networks - thanks!
Fortinet also provided an extensive analysis of the Rhysida Ransomware Group. The Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-service (RaaS). The group has listed around 50 victims so far in 2023. In a 17 page report, Fortinet described Rhysida's TTPs, threat hunting queries, IOC and MITRE ATT&CK mapping.
CISA, FBI, and MS-ISAC Release a joint cybersecurity advisory #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Super handy detection for #GootLoader and others: for some reason, they think it's cute to make scheduled tasks using a changed working directory and the DOS shortname of the executable. But since no human would stack books like this regular scheduled task does this, an explicit DOS shortname with a ~1 in the task execution is a fairly solid detection signal.
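The detection described in the post above, written out as an added example (not the poster's own query or GootLoader's real artefacts): it scans each scheduled task's command, arguments and working directory for an explicit 8.3 short-name component (six or fewer characters, a tilde and a number) and returns the ones it finds. The task records and the `allowlist` parameter are assumptions; some installers legitimately register tasks under PROGRA~1 style paths, so the allowlist is there to tune that noise down rather than to drop the signal.

```python
"""Flag scheduled tasks whose execution fields contain explicit DOS 8.3 short names.

Added example; sample tasks below are constructed and not real telemetry.
"""
import re
from dataclasses import dataclass

# One 8.3 path component: up to six name characters, '~', a number, optional extension.
# The lookbehind/lookahead make sure we match a whole component, not "foo~1bar".
SHORTNAME_RE = re.compile(
    r"(?<![\w.])[A-Z0-9_$!#&%-]{1,6}~\d+(?:\.[A-Z0-9]{1,3})?(?=[\\/ \"']|$)",
    re.IGNORECASE,
)


@dataclass
class ScheduledTask:
    """Subset of a task's Exec action as exported from Task Scheduler (assumed shape)."""
    name: str
    command: str        # <Command>
    arguments: str      # <Arguments>
    working_dir: str    # <WorkingDirectory>


def shortname_components(task, allowlist=frozenset()):
    """Return every explicit 8.3 component in the task's execution fields.

    allowlist: short-name stems (e.g. {"PROGRA~1"}) to ignore as known benign.
    """
    found = []
    for field in (task.command, task.arguments, task.working_dir):
        for match in SHORTNAME_RE.finditer(field):
            component = match.group(0)
            stem = component.split(".")[0].upper()
            if stem not in allowlist:
                found.append(component)
    return found


def is_suspicious(task, allowlist=frozenset()):
    return bool(shortname_components(task, allowlist))


def triage(tasks, allowlist=frozenset()):
    """Return (task name, matched components) for every suspicious task."""
    return [(t.name, shortname_components(t, allowlist))
            for t in tasks if is_suspicious(t, allowlist)]


# Constructed sample tasks: two ordinary vendor tasks, one that looks like the
# pattern the post describes, and one installer-style PROGRA~2 path.
SAMPLE_TASKS = [
    ScheduledTask("Adobe Acrobat Update Task",
                  r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
                  "", r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0"),
    ScheduledTask("OneDrive Standalone Update",
                  r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
                  "", ""),
    ScheduledTask("Updater", "wscript.exe", r"INVOIC~1.JS",
                  r"C:\Users\alice\AppData\Roaming\INVOIC~1"),
    ScheduledTask("Backup", r"C:\PROGRA~2\Vendor\backup.exe", "/silent",
                  r"C:\PROGRA~2\Vendor"),
]

if __name__ == "__main__":
    for name, components in triage(SAMPLE_TASKS):
        print(f"{name}: {components}")
```

Running it prints the "Updater" and "Backup" tasks; passing `allowlist={"PROGRA~2"}` to `triage` keeps only "Updater", which is the shape of hit the post is talking about (a short-named script in a user-writable directory, launched via wscript.exe).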
FBI and CISA released an update to joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware. The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.
If you present Outlook Web App to the internet, make sure you are fully up to date with Microsoft Exchange Server including both the latest Cumulative Update and the latest Security Update on top.
One of my honeypot orgs has been owned using a vulnerability I’ve not seen before, post authentication to OWA. Actor went hands on keyboard, looks ransomwaresque. #threatintel
DP World cyber attack thread. It’s ransomware, entry point is Citrix Netscaler #CitrixBleed. https://www.theage.com.au/national/ports-to-remain-closed-as-afp-investigates-cybersecurity-breach-20231111-p5ej9i.html
FT and Bloomberg are reporting the Industrial and Commercial Bank of China US trading arm Citrix ransomware incident is Lockbit. #threatintel
A ransomware attack on the Industrial and Commercial Bank of China has disrupted the US Treasury market #threatintel https://www.ft.com/content/8dd2446b-c8da-4854-9edc-bf841069ccb8
Mandiant has a new blog out on #CitrixBleed which backs up a key point from my blog https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966
The initial exploit string isn’t logged.. at all.
There’s some good hunting stuff in the blog (ICA sessions) - I’d say combine it with the GetUserName thing in my blog for assurance.
The other big take away is a ton of orgs have been compromised and don’t know yet. #threatintel
Getting ready for this week's Show and Tell!
If not, here's a helpful guide to help you start your own!
CitrixBleed in Citrix Netscaler/ADC is under mass exploitation. A ransomware group has distributed an exploit to their operators too.
Gonna write this up better later. But thanks to @tbaraki , we found a fluke in Microsoft's SignonLogs table. Sometime in the last few days they made UserPrincipalName case sensitive.
So our alerts looking for breakglassadmin@CompanyName.onmicrosoft.com started failing because we were using (==) instead of (has).
Would highly recommend you check your alerting and see which operands you're using in your queries.
Interesting Citrix Netscaler bug being mass exploited in the wild for about a month.
This is the HTTP request:
GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a <repeated 24812 times>
It replies with system memory, which includes session tokens that you can use to gain remote access, bypassing authentication including MFA.
I think this one may have more legs than people realise. #threatintel
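A request-side check for the pattern in the post above, as an added example (not the poster's code): it parses the head of a raw HTTP/1.x request and flags a GET to the OpenID configuration endpoint whose Host header is far longer than any real hostname, with a separate verdict for oversized Host headers on other paths. Because, as noted elsewhere in this feed, the NetScaler does not log the exploit string itself, this is meant to run over captures taken upstream of the appliance (pcap, a reverse proxy's raw request log). The length threshold and the sample requests are assumptions.

```python
"""Flag HTTP requests that match the CitrixBleed request shape.

Added example; the threshold is an assumption and the samples are constructed.
"""

CITRIXBLEED_PATH = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_THRESHOLD = 1024  # assumption: genuine Host headers are a few dozen bytes


def parse_request_head(raw: bytes):
    """Return (method, path, headers) from the head of a raw HTTP/1.x request.

    Returns None when the request line is not in 'METHOD PATH VERSION' form.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def assess_request(raw: bytes):
    """Classify one request: ok, oversized-host, citrixbleed-pattern or unparseable."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return {"verdict": "unparseable"}
    method, path, headers = parsed
    host = headers.get("host", "")
    finding = {"method": method, "path": path, "host_len": len(host), "verdict": "ok"}
    if len(host) > HOST_LEN_THRESHOLD:
        finding["verdict"] = "oversized-host"
        if method == "GET" and path == CITRIXBLEED_PATH:
            finding["verdict"] = "citrixbleed-pattern"
    return finding


# Constructed samples (hostnames are not real; the long Host value is a stand-in).
BENIGN = (b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
          b"Host: vpn.example.test\r\n\r\n")
SUSPECT = (b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
           b"Host: " + b"a" * 5000 + b"\r\n\r\n")
OTHER_PATH = b"GET /index.html HTTP/1.1\r\nHost: " + b"b" * 2000 + b"\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT, OTHER_PATH):
        print(assess_request(sample))
```

The point of keeping the plain oversized-Host verdict separate is that a Host header measured in kilobytes is abnormal on any path; the endpoint match only raises confidence that this particular bug is being exercised.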
Something I didn’t know - Microsoft have finally started surfacing Graph API query logs in the past month or two. Previously this wasn’t available.
Threat actors are definitely already abusing Graph API, had incidents for it as it’s a detection evasion (including in MS own security stack). The US State department might want to collect these and look for anomalous activity, you should too. I don’t know the limitations on it yet. #threatintel
The Cisco IOS XE zero day CVE-2023-20198 doing the rounds is legit - it looks like thousands of boxes were backdoored before Cisco disclosed - so even if you patch, you’re still owned.
Reconfigure your boxes with the Cisco instructions and look for unknown local accounts. #threatintel
During a recent investigation, Sophos X-Ops discovered a trojanized Windows installer for CloudChat, an instant messaging application. Looking into this supply chain attack further, we found that the official distribution server for the application had been compromised, and delivered a Windows installer modified to load an additional, malicious DLL. This DLL contained an encrypted payload that connected back to a C2 server to download and execute the next stage malware. We contacted the vendor when we found this issue, but at the time of posting haven’t received a response.
RansomedVC are apparently going after cybersecurity people today. They forgot to redact the username of the Accenture account they compromised (it’s in the Chrome tag).
BTW the Accenture compromise looks like a single user, evilginx2 MFA session token theft. #threatintel
Apparently RansomedVC couldn’t go 4 minutes without sticking their dick in something again. #threatintel
Everest ransomware group want to cut out middleman fees, asking to buy corporate access directly. #threatintel
The #Fairphone is the closest thing I found to what I am searching for, but it seems to have troubles with performance/overheating and I am pretty sure it is not as secure as a #Google #Pixel or #SamsungGalaxy.
Lyca Mobile’s announcement page for their ransomware data breach is back, HT @carlypage
They confirm data exfil including customer details, passport scans and card payment information.
I can't see the announcement on their actual website frontpage, I might be missing it though.
I think it's a wake up call for telcos.
There's a zero day in Confluence being exploited in the wild, to bypass authentication. Vendor aren't calling it zero day (of course) but it is.
CVE-2023-22515 - allows you to use /setup URL to create a new admin user on existing instance.
Lyca Mobile (UK telco) offline since Saturday, ransomware. https://www.ispreview.co.uk/index.php/2023/10/lyca-mobile-uk-confirm-cyber-attack-responsible-for-disruption.html #threatintel
An org hit by ransomware is telling me the threat actor got in via WS_FTP, for infos, so you might want to prioritise patching that. #threatintel
PSA: you will want to identify SharePoint servers at your network boundary and get them patched for CVE-2023-29357 and CVE-2023-24955.
Those are vulns from earlier this year which I expect to see in the wild exploitation by ransomware groups in coming weeks.
Also, if you think you are patched you might want to actually check. OS patching doesn’t work - your SharePoint admins need to manually patch the cluster. #threatintel
Okay, for those tracking CVE-2023-5129, aka the #Libwebp fiasco, here's how to validate if your Electron app is vulnerable.
The patched version of Electron is v26.2.1. To confirm what version of Electron your app is using, you need to run strings against the executable. The version is in the app's User-Agent, so:
strings app.exe | grep "Electron/"
will do the trick. The attached image shows this method for Teams, which tracks with their published version listings.
I'd love it if folks who try this with updated apps post their results as replies here, so we can collect this #ThreatIntel.
#CVE20235129 #InfoSec #CyberSecurity
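The same check done without relying on strings/grep, as an added example (not the poster's method): it scans an executable's bytes for the "Electron/x.y.z" User-Agent marker and compares what it finds against v26.2.1, the fixed version the post gives. Apps built on an older Electron release line get a separate "older-release-line" verdict rather than a guess, since the post only states the fix for the 26 line. The sample byte strings are constructed; only the file paths you pass on the command line are real.

```python
"""Find the embedded Electron version in a binary and compare it with the fixed release.

Added example; SAMPLE_* values are constructed stand-ins for real executables.
"""
import re
import sys
from pathlib import Path

ELECTRON_UA_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")
FIXED_VERSION = (26, 2, 1)  # from the post; other release lines are not covered here


def find_electron_versions(data: bytes):
    """Return the distinct Electron versions embedded in the data, lowest first."""
    return sorted({tuple(int(x) for x in m.groups())
                   for m in ELECTRON_UA_RE.finditer(data)})


def classify(version, fixed=FIXED_VERSION):
    """patched / vulnerable on the fixed line; older-release-line below it."""
    if version[0] < fixed[0]:
        return "older-release-line"
    return "patched" if version >= fixed else "vulnerable"


def assess_binary(data: bytes):
    versions = find_electron_versions(data)
    if not versions:
        return {"electron": None, "verdict": "no-electron-marker"}
    # If several markers are present, judge by the lowest one found.
    return {"electron": versions, "verdict": classify(versions[0])}


# Constructed samples: a User-Agent fragment as it appears inside the executable.
SAMPLE_PATCHED = (b"\x00junk Mozilla/5.0 (Windows NT 10.0) Chrome/116.0.5845.228 "
                  b"Electron/26.2.1 Safari/537.36\x00")
SAMPLE_OLD_LINE = b"\x00 Chrome/114.0.5735.289 Electron/25.8.0 Safari/537.36\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, assess_binary(Path(path).read_bytes()))
    else:
        print("sample patched:", assess_binary(SAMPLE_PATCHED))
        print("sample old line:", assess_binary(SAMPLE_OLD_LINE))
```

Usage: `python electron_check.py app.exe` (file name assumed). Reading the whole binary is fine for the sizes involved; a Teams-style executable is tens of megabytes, and a bytes regex over it is quick.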