VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi
Singapore Police Extradites Malaysians Linked to Android Malware Fraud
Are We Turning the Corner in the Fight Against Cybercrime? It’s Complicated.
Cybercriminals are not about to give up – this is how they make their living. So it’s up to cybersecurity professionals to stay vigilant and learn as much as they can about the forces they face.
The post Are We Turning the Corner in the Fight Against Cybercrime? It’s Complicated. appeared first on Security Boulevard.
Runtime Enforcement: Software Security After the Supply Chain Ends
Runtime enforcement is the future of software security, if we can only make it accessible to the developers that understand their applications the best.
Key Takeaways From Horizon3.ai’s Analysis of an Entra ID Compromise
As enterprises shift from on-premises to cloud systems, hybrid cloud solutions have become essential for optimizing performance, scalability, and user ease. However, risks arise when poorly configured environments connect to the cloud. A compromised Microsoft Active Directory can fully compromise a synchronized Microsoft Entra ID tenant, undermining the integrity and trust of connected services.
- Cybersecurity News and Magazine
Linux Malware Campaign Uses Discord Emojis in Attack on Indian Government Targets
Threat Actor ‘UTA0137’ Linked to Campaign
Volexity researchers connected the campaign to a Pakistan-based threat actor they call UTA0137. The researchers said they have “high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.” The researchers say they have “moderate confidence” that UTA0137 is a Pakistan-based threat actor because of the group’s targets and a few other reasons:
- The Pakistani time zone was hardcoded in one malware sample.
- There are weak infrastructure links to SideCopy, a known Pakistan-based threat actor.
- The Punjabi language was used in the malware.
Attack Starts With DSOP PDF
The malware is delivered via a DSOP.pdf lure, which claims to be a beneficiary document of India’s Defence Service Officer Provident Fund (screenshot below).
[Screenshot: The DSOP lure that downloads the malware]
The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in. The payload is an instance of the DISGOMOJI malware and is dropped in a hidden folder named .x86_64-linux-gnu in the user’s home directory. DISGOMOJI, a UPX-packed ELF written in Golang, uses Discord for C2. “An authentication token and server ID are hardcoded inside the ELF, which are used to access the Discord server,” they wrote. “The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels.” On startup, DISGOMOJI sends a check-in message in the channel that contains information like the internal IP, the user name, host name, OS and current working directory. The malware survives reboots through the addition of an @reboot entry to the crontab, and it also downloads a script named uevent_seqnum.sh to copy files from any attached USB devices.
Discord Emojis Used for C2 Communication
C2 communication uses an emoji-based protocol, “where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.” The malware reacts to the command message with a Clock emoji to let the attacker know the command is being processed, and with a Check Mark emoji to confirm that the command was executed. The researchers summarized the emoji commands in a table:
[Screenshot: The Discord emojis used to communicate with attackers (source: Volexity)]
Post-exploitation activities include use of the Zenity utility to display malicious dialog boxes to socially engineer users into giving up their passwords. Open source tools such as Nmap, Chisel and Ligolo are also used, and the use of the DirtyPipe exploit suggests increasing sophistication of the attacker’s methods, the researchers said. Indicators of compromise (IoCs) can be downloaded from the Volexity GitHub page.
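The persistence mechanism described above (an @reboot crontab entry pointing into a hidden directory under the victim’s home, plus the uevent_seqnum.sh USB-harvesting script) is easy to hunt for on a Linux host. The following is an added example written for this page, not code from Volexity or from the malware: it parses crontab text and flags entries that match that pattern. The sample crontab is constructed, and the artifact names it checks for are the ones quoted in the write-up, so a hit is a lead to verify rather than proof of infection.

```python
import re

# Paths that start in a dotfile directory under a home directory: "~/.x/",
# "$HOME/.x/", "/home/<user>/.x/" or "/root/.x/". The DISGOMOJI staging
# folder .x86_64-linux-gnu is such a path.
HIDDEN_HOME_PATH = re.compile(r"^(?:~|\$HOME|/home/[^/]+|/root)/\.[^/]+/")

# Names quoted in the Volexity write-up. Matching them is a literal-string
# check, so treat a hit as a lead to verify, not as proof of infection.
KNOWN_NAMES = (".x86_64-linux-gnu", "uevent_seqnum.sh")


def flag_cron_entries(crontab_text: str) -> list:
    """Return one record per suspicious crontab line.

    Flags (a) @reboot entries whose program lives in a hidden directory under
    a home directory, which is the persistence pattern described above, and
    (b) any entry that references the known directory or script names.
    """
    hits = []
    for lineno, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        reasons = []
        if line.startswith("@reboot"):
            command = line[len("@reboot"):].strip()
            # The first token is the program being launched at boot.
            if command and HIDDEN_HOME_PATH.match(command.split()[0]):
                reasons.append("@reboot runs a program from a hidden directory in a home directory")
        for name in KNOWN_NAMES:
            if name in line:
                reasons.append(f"references known DISGOMOJI artifact name {name}")
        if reasons:
            hits.append({"line": lineno, "entry": line, "reasons": reasons})
    return hits


# Constructed sample crontab (not a real capture) mixing benign and suspicious entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh
@reboot /home/analyst/.x86_64-linux-gnu/vmcoreinfo
@reboot /usr/local/bin/agent --start
*/5 * * * * ~/.cache/uevent_seqnum.sh
"""

if __name__ == "__main__":
    for hit in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"line {hit['line']}: {hit['entry']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

In practice you would feed it the output of `crontab -l` for each account (and the contents of /var/spool/cron) rather than the embedded sample; the per-user check matters because the malware installs into the compromised user’s own crontab, not a system-wide one.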
Akira Ransomware Claims the TETRA Technologies, 40GB of Sensitive Data at Risk
Decoding the TETRA Technologies Cyberattack Claim by Akira Ransomware
[Screenshot source: Dark Web]
The Cyber Express has reached out to the organization to learn more about this TETRA Technologies cyberattack. However, at the time of writing, no official statement or response has been received, leaving the claims unconfirmed. While the company’s public-facing website appears to be operational, it is speculated that the attack may have targeted internal systems or backend infrastructure rather than causing a visible disruption like a DDoS attack or website defacement. The threat actor behind this attack, Akira ransomware, has emerged as a significant threat, highlighted by a Cybersecurity and Infrastructure Security Agency (CISA) advisory and by its widespread impact across industries worldwide. Known for a double-extortion tactic that combines data exfiltration with encryption, Akira demands ransom payments both to prevent publication of the data on its dark web leak site and to hand over decryption keys. The group’s name references a 1988 anime film; encrypted files carry the .akira extension and the ransom note is named akira_readme.txt, both useful strings for detection.
TETRA Technologies Releases New Processes for Managing Cybersecurity Risks and Governance
In their recent regulatory filings, specifically the 10-K filed on 2024-02-27, TETRA Technologies detailed their cybersecurity risk management and governance processes. These include ongoing risk assessments, incident response planning, and the implementation of cybersecurity training programs for employees. The company acknowledges the persistent evolution of cyber threats and emphasizes the importance of maintaining robust defenses against potential attacks. The Vice President of Information Technology leads TETRA Technologies’ cybersecurity initiatives, supported by a comprehensive framework to assess, identify, and manage cybersecurity risks across their operations. Regular updates and enhancements to their security protocols are integral to adapting to emerging threats and complying with regulatory standards. The Board of Directors and Audit Committee of TETRA Technologies provide oversight on cybersecurity matters, receiving periodic updates on the company’s cybersecurity risk profile and incident response capabilities. Management highlighted its commitment to safeguarding sensitive information and maintaining operational continuity despite the challenges posed by cyber threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Phishing Attack at Los Angeles County Department of Public Health Leads to Major Data Breach
Data Breach at Los Angeles County DPH: What Happened
The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:
- First and last names
- Dates of birth
- Diagnosis and prescription details
- Medical record numbers/patient IDs
- Medicare/Med-Cal numbers
- Health insurance information
- Social Security numbers
- Other financial information
Data Breach at Los Angeles County DPH Notification
DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH has also posted a notice on its website to provide the necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. On the delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.” To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll. “To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice.
Response and Preventive Measures
Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies were also notified, as required by law and contractual obligations.
Steps for Individuals to Protect Themselves
While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:
- Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
- Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.
- Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
- Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.
- SANS ISC InfoSec News Feed
ISC Stormcast For Tuesday, June 18th, 2024 https://isc.sans.edu/podcastdetail/9028, (Tue, Jun 18th)
Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
Enhancing Enterprise Browser Security
TechSpective Podcast Episode 133 Nick Edwards, Vice President of Product Management at Menlo Security joins me for this insightful episode of the TechSpective Podcast. Nick brings decades of cybersecurity experience to the table, offering a deep dive into the […]
The post Enhancing Enterprise Browser Security appeared first on TechSpective.
- Security Boulevard
From Risk to Resolution: OX Security’s Integrations with KEV and EPSS Drive Smarter Vulnerability Prioritization
In June 2023, a critical vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer software was exploited by adversaries, resulting in a series of high-profile data breaches. Despite the availability of patches, and the vulnerability being publicly known and actively exploited, many organizations failed to prioritize its remediation. This lapse allowed attackers to gain unauthorized access […]
The post From Risk to Resolution: OX Security’s Integrations with KEV and EPSS Drive Smarter Vulnerability Prioritization appeared first on OX Security.
USENIX Security ’23 – No Linux, No Problem: Fast and Correct Windows Binary Fuzzing via Target-embedded Snapshotting
Authors/Presenters: Leo Stone, Rishi Ranjan, Stefan Nagy, Matthew Hicks
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters’ content, and for the organization’s strong commitment to Open Access.
Recorded at the conference’s events at the Anaheim Marriott and published via the organization’s YouTube channel.
Randall Munroe’s XKCD ‘Broken Model’
USENIX Security ’23 – Extended Hell(o): A Comprehensive Large-Scale Study on Email Confidentiality and Integrity Mechanisms in the Wild
Authors/Presenters: Birk Blechschmidt, Ben Stock
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 presenters’ content, and for the organization’s strong commitment to Open Access.
Recorded at the conference’s events at the Anaheim Marriott and published via the organization’s YouTube channel.
Malvertising Campaign Leads to Execution of Oyster Backdoor
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.
Executive Summary
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.
In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.
Overview
Initial Access
In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.
Figure 1 - Fake Microsoft Teams Website
In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of the binary showed that it was signed with an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.
Figure 2 - MSTeamsSetup_c_l_.exe File Information
Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:
Figure 3 - VirusTotal Signature Search Results
The results indicated other versions of the installer, each impersonating as a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.
In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was signed with a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.
VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.
What is Oyster/Broomstick?
Oyster, aka Broomstick, aka CleanUpLoader, is a family of malware first spotted in September 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.
In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor CleanUpLoader.
In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.
Technical Analysis
Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).
After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.
Figure 4 - Execution of CleanUp30.dll
After the execution of CleanUp30.dll, the program proceeds to launch the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.
CleanUp30.dll Analysis
During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard-coded mutex ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is commonly used by programs to determine whether another instance is already running; if it is, the new instance terminates.
After creating the mutex, the binary determines its execution path by calling the function GetModuleFileNameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:
schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f
The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function Test using rundll32.exe every three hours.
After the creation of the scheduled task, the binary proceeds to decode its C2 servers using a custom decoding function. The decoding function takes in a string of encoded bytes and its length in bytes, and reads each byte starting from the end of the encoded string.
Figure 5 - The DLL’s Decoding Loop
Each byte of the encoded string is used as an index into a hard-coded byte map to retrieve the decoded byte. The byte map is a 256-byte array holding every value from 0 to 255 exactly once, in a randomized order; in other words, a substitution table. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) in the loop condition is compared to half of the encoded string’s length, because the loop decodes and swaps two bytes per iteration: it starts at the first and last bytes of the string and progresses towards the center from each end.
The swap reverses the decoded string, since the original plaintext strings were reversed before being encoded. When the center of the string is reached, the decoding process is complete; because the loop works on pairs, the encoded strings are expected to be of even length so that no single byte is left over for further processing. Immediately after the decoded string is loaded onto the stack, the malware re-encodes it using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.
We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.
Figure 6 - Sample Output from Python Script
Running the script revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:
Hex Encoded String | Decoded String |
---|---|
2ec6a676766fc6f4960e86 | api/connect |
50b0aea6747686b64eaef69e2ec6a64e96262ea64e | supfoundrysettlers.us |
50b0b6f6c674a646a6b6f6164ea66ea64ea616ee | whereverhomebe.com |
50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece | retdirectyourman.eu |
76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 | Content-Type: application/json |
76f696cece65cef4960e86 | api/session |
a61ea67426b6c63a346ceaf2eace9eca3a | \SysWOW64\cmd.exe |
a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a | \SysWOW64\rundll32.exe |
d2f2 | OK |
3a0eb6a62a3a | \Temp\ |
445c442696fa267686b6b6f6c6443444 | ","command_id":" |
be44 | "} |
445c44649644de | {"id":" |
445c442e36aecea64e443444 | ","result":" |
445c442696fa76f696cecea6ce443444 | ","session_id":" |
445c44ceae2e862ece443444 | ","status":" |
2e1e2e740eae7686a636c63a | \cleanup.txt |
445c44a6b68676fa4e652eae0eb6f6c6443444 | ","computer_name":" |
0ccc445c4476f696ce72a66efa363626443444 | ","dll_version":"30 |
445c44769686b6f626443444 | ","domain":" |
be44 | "} |
445c44649644de | {"id":" |
445c443686c6f636fa0e96443444 | ","ip_local":" |
445c44cef6443444 | ","os":" |
445c44263696ae46facef6443444 | ","os_build":" |
445c44a6e6a636656e964e0e443444 | ","privilege":" |
After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:
Function | Description |
---|---|
DsRoleGetPrimaryDomainInformation | Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name. |
GetUserNameW | Provides the name of the user in which the program is running under. |
NetUserGetInfo | Provides details of the account the program is running under; here it is used to determine whether the account has administrator or standard user privileges. |
GetComputerNameW | Provides the name of the compromised machine in which the binary is running on. |
RtlGetVersion | Returns version information about the currently running operating system including name and version number. |
Figure 7 - A Selection of the CleanUp30.dll Code That Outlines the Collection of System Information
While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.
Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains
The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.
After the information is encoded, it is sent via HTTP POST to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and WebSockets.
Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll
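The decoding loop described above (byte-map substitution combined with an end-to-end swap that undoes the pre-encoding reversal) and the re-use of the same scheme for the fingerprint data sent in the POST body are small enough to reconstruct in full. The block below is an added example written for this page; it is not Rapid7’s decoding script and not code from the malware. The byte map it uses is a constructed random permutation, because the real map from CleanUp30.dll is not reproduced in this post, so the hex strings in the table above will not decode with it; what the example demonstrates is the algorithm and its inverse. The check-in JSON is assembled in the key order suggested by the `{"id":"`, `","computer_name":"`, … fragments in the table, but that exact wire layout is an assumption, as is the handling of an odd-length string (the post says the strings are even length; the middle byte is mapped in place here so the function does not silently leave it encoded).

```python
from __future__ import annotations

import json
import random


def make_byte_map(seed: int) -> bytes:
    """Constructed 256-entry byte map: a random permutation of 0..255.
    Stand-in for the hard-coded map in CleanUp30.dll, which is not on this page."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return bytes(perm)


def invert_map(bmap: bytes) -> bytes:
    """Inverse permutation, so that invert_map(bmap)[bmap[x]] == x."""
    inv = bytearray(256)
    for encoded_value, plain_value in enumerate(bmap):
        inv[plain_value] = encoded_value
    return bytes(inv)


def decode(encoded: bytes, bmap: bytes) -> bytes:
    """Two-ended decoding loop: walk inwards from both ends, look each byte up
    in the map and swap the pair. The swap undoes the reversal applied before
    encoding. The loop runs len // 2 times, one pair per iteration."""
    buf = bytearray(encoded)
    n = len(buf)
    for i in range(n // 2):
        j = n - 1 - i
        buf[i], buf[j] = bmap[buf[j]], bmap[buf[i]]  # right side is evaluated first
    if n % 2:
        # Odd length: the middle byte is never part of a pair, so map it in place.
        buf[n // 2] = bmap[buf[n // 2]]
    return bytes(buf)


def encode(plain: bytes, bmap: bytes) -> bytes:
    """Inverse of decode(): reverse the plaintext, then substitute every byte
    through the inverted map. The malware encodes fingerprint data the same way."""
    inv = invert_map(bmap)
    return bytes(inv[b] for b in reversed(plain))


def decode_c2_list(encoded: bytes, bmap: bytes) -> list[str]:
    """The first decoded string is a CRLF-delimited list of C2 domains."""
    return [d for d in decode(encoded, bmap).decode("ascii").split("\r\n") if d]


CHECKIN_FIELDS = ["id", "computer_name", "dll_version", "domain",
                  "ip_local", "os", "os_build", "privilege"]  # order assumed from the table


def build_checkin(host: dict, bmap: bytes) -> bytes:
    """Assemble the check-in JSON from the recovered field names and encode it
    as the fingerprint is encoded before transmission."""
    body = json.dumps({k: host[k] for k in CHECKIN_FIELDS}, separators=(",", ":"))
    return encode(body.encode("ascii"), bmap)


def parse_checkin(blob: bytes, bmap: bytes) -> dict:
    """Analyst side: turn a captured POST body back into the fingerprint dict."""
    return json.loads(decode(blob, bmap).decode("ascii"))


# Constructed values for a self-test; the domains are the ones named in this post.
BYTE_MAP = make_byte_map(seed=2024)
C2_PLAINTEXT = b"whereverhomebe.com\r\nsupfoundrysettlers.us\r\nretdirectyourman.eu"
SAMPLE_HOST = {"id": "0001", "computer_name": "WS01", "dll_version": "30",
               "domain": "corp.example", "ip_local": "10.0.0.5", "os": "Windows 10",
               "os_build": "19045", "privilege": "user"}

if __name__ == "__main__":
    blob = encode(C2_PLAINTEXT, BYTE_MAP)
    print("encoded C2 list:", blob.hex())
    print("decoded domains:", decode_c2_list(blob, BYTE_MAP))
    print("check-in round trip:", parse_checkin(build_checkin(SAMPLE_HOST, BYTE_MAP), BYTE_MAP))
```

To apply this to a real sample, replace make_byte_map() with the 256-byte table carved from the DLL; everything else, including the odd-length branch, is independent of the map. A quick sanity check on a carved table is that it contains every value 0..255 exactly once, which is what makes the inversion in invert_map() valid.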
Follow-on Activity
In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which also dropped the binary into the AppData\Local\Temp directory.
Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk
The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. Placing it there ensured that DiskCleanUp.lnk would be run each time the user logged in. The shortcut was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:
- k1.ps1
- main.dll
- getresult.exe
Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:
Enumeration | Description |
---|---|
systeminfo | Provides information about the system's software and hardware configuration |
arp -a | Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses |
net group 'domain computers' /domain | Lists the "Domain Computers" group within an Active Directory domain |
"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com | Determines the external IP address |
whoami /all | Provides detailed information about the current user including user's privileges, group memberships, and security identifiers (SIDs) |
nltest /dclist:<domain_name> | Lists all the domain controllers (DCs) for a specific domain |
net user admin | Provides detailed information about the user 'admin' including profile information, group memberships, local group memberships, etc |
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | Queries the registry to find information about installed software |
findstr "DisplayName" | Used to filter information, showing only items contained under "DisplayName" |
Rapid7 Customers
InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:
- Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
- Suspicious Process: RunDLL32 launching CMD or PowerShell
- Persistence - Schtasks.exe Creating Task That Executes RunDLL32
- Network Discovery - Nltest Enumerate Domain Controllers
- Attacker Technique - Determining External IP Via Command Line
- Suspicious Process - .lnk in PowerShell Command Line
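The behaviours listed above map onto process-creation telemetry in a straightforward way: the schtasks command line quoted earlier (a /create whose action is rundll32 on a DLL under the user’s Temp directory), rundll32 spawning a shell, and the enumeration commands in the table. The following is an added example written for this page, not Rapid7’s InsightIDR rules; the rule titles simply mirror the detection names in the list above. The events are constructed, modelled on the command lines quoted in this post; the PowerShell command line for the LNK creation is a stand-in (Figure 10 is not reproduced here) and the domain corp.example is made up. Beyond the per-event rules, it adds one sequence rule that flags a parent process which launched several distinct discovery tools, which is the hands-on-keyboard pattern the enumeration table shows.

```python
import re

# Constructed process-creation events (not a real telemetry capture).
SAMPLE_EVENTS = [
    {"parent": "MSTeamsSetup_c_l_.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\CleanUp30.dll,Test"},
    {"parent": "rundll32.exe", "image": "schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn ClearMngs /tr "rundll32 'C:\Users\alice\AppData\Local\Temp\CleanUp30.dll',Test" /sc hourly /mo 3 /f'''},
    {"parent": "rundll32.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"parent": "cmd.exe", "image": "systeminfo.exe", "cmdline": "systeminfo"},
    {"parent": "cmd.exe", "image": "arp.exe", "cmdline": "arp -a"},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": "net group 'domain computers' /domain"},
    {"parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": r'"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com'},
    {"parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami /all"},
    {"parent": "cmd.exe", "image": "nltest.exe", "cmdline": "nltest /dclist:corp.example"},
    {"parent": "explorer.exe", "image": "powershell.exe",  # constructed stand-in for Figure 10
     "cmdline": r"powershell.exe -c (New-Object -ComObject WScript.Shell).CreateShortcut('C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiskCleanUp.lnk')"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

TR_ARG = re.compile(r'/tr\s+"([^"]*)"', re.I)                       # quoted /tr action
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
DISCOVERY_IMAGES = {"systeminfo.exe", "arp.exe", "net.exe", "nslookup.exe",
                    "whoami.exe", "nltest.exe", "reg.exe"}


def schtasks_rundll32_user_dir(ev):
    """schtasks /create whose action runs rundll32 on a DLL under Temp or Roaming."""
    if ev["image"].lower() != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    m = TR_ARG.search(ev["cmdline"])
    if m and "rundll32" in m.group(1).lower() and USER_WRITABLE.search(m.group(1)):
        return "Persistence - Schtasks creating RunDLL32 task in user Temp/Roaming directory"
    return None


def rundll32_spawns_shell(ev):
    if ev["parent"].lower() == "rundll32.exe" and ev["image"].lower() in {"cmd.exe", "powershell.exe"}:
        return "Suspicious Process - RunDLL32 launching CMD or PowerShell"
    return None


def nltest_dclist(ev):
    if ev["image"].lower() == "nltest.exe" and "/dclist" in ev["cmdline"].lower():
        return "Network Discovery - Nltest Enumerate Domain Controllers"
    return None


def external_ip_lookup(ev):
    if ev["image"].lower() == "nslookup.exe" and "myip.opendns.com" in ev["cmdline"].lower():
        return "Attacker Technique - Determining External IP Via Command Line"
    return None


def lnk_in_powershell(ev):
    if ev["image"].lower() == "powershell.exe" and ".lnk" in ev["cmdline"].lower():
        return "Suspicious Process - .lnk in PowerShell Command Line"
    return None


RULES = (schtasks_rundll32_user_dir, rundll32_spawns_shell, nltest_dclist,
         external_ip_lookup, lnk_in_powershell)


def scan(events):
    """Per-event rules: returns (event index, rule title) for every match."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            title = rule(ev)
            if title:
                hits.append((idx, title))
    return hits


def discovery_bursts(events, threshold=3):
    """Sequence rule: parents that spawned at least `threshold` distinct discovery tools."""
    seen = {}
    for ev in events:
        if ev["image"].lower() in DISCOVERY_IMAGES:
            seen.setdefault(ev["parent"].lower(), set()).add(ev["image"].lower())
    return sorted(parent for parent, images in seen.items() if len(images) >= threshold)


if __name__ == "__main__":
    for idx, title in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
    print("discovery bursts from:", discovery_bursts(SAMPLE_EVENTS))
```

The per-event rules are cheap and specific; the burst rule is what catches an operator who varies individual commands, and in production it should be bounded by a time window per parent rather than across the whole event list as here.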
MITRE ATT&CK Techniques
Tactic | Technique | Description |
---|---|---|
Resource Development | Acquire Infrastructure: Domains (T1583.001) | Threat Actor set up typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe |
Execution | Command and Scripting Interpreter: Powershell (T1059.001) | Used to create .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1 |
Execution | User Execution: Malicious File (T1204.002) | User executes the binary MSTeamsSetup_c_l_.exe |
Persistence | Scheduled Task (T1053.005) | CleanUp30.DLL and CleanUp.DLL create scheduled task ClearMngs |
Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | MSTeamsSetup_c_l_.exe masquerades as legitimate Microsoft Teams installer |
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |
Collection | Data from Local System (T1005) | Threat actors enumerated information about compromised hosts using the backdoor CleanUp DLLs |
Command and Control | Data Encoding - Non Standard Encoding (T1132.002) | CleanUp DLLs send encoded data to C2s using a custom encoding function |
IOCs
IOC | Hash | Description |
---|---|---|
TMSSetup.exe | 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 | The malicious executable downloaded from prodfindfeatures[.]com/ |
MSTeamsSetup_c_l_.exe | 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 | The malicious executable downloaded from prodfindfeatures[.]com/ |
CleanUp30.dll | CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 | The .dll file that is run by rundll32.exe following the execution of MSTeamsSetup_c_l_.exe |
CleanUp.dll | 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 | The .dll file that is run by rundll32.exe following the execution of TMSSetup.exe |
DiskCleanUp.lnk | b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa | An .lnk file that was created following the execution of CleanUp.dll |
prodfindfeatures[.]com/ | - | The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
micrsoft-teams-download[.]com/ | - | The typo-squatted domain that users visited |
impresoralaser[.]pro/ | - | Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe |
whereverhomebe[.]com/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
supfoundrysettlers[.]us/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
retdirectyourman[.]eu/ | - | Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with |
149.248.79[.]62 | - | Resolving IP for whereverhomebe[.]com/ |
64.95.10[.]243 | - | Resolving IP for supfoundrysettlers[.]us/ |
206.166.251[.]114 | - | Resolving IP for retdirectyourman[.]eu/ |
References
Article | URL |
---|---|
Broomstick Malware Profile | https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889 |
Twitter Mention of CleanUpLoader | https://x.com/RussianPanda9xx/status/1757932257765945478 |
California’s Facial Recognition Bill Is Not the Solution We Need
California Assemblymember Phil Ting has introduced A.B. 1814, a bill that would supposedly regulate police use of facial recognition technology. The problem is that it would do little to actually change the status quo of how police use this invasive and problematic technology. Police use of facial recognition poses a massive risk to civil liberties, privacy, and even our physical health as the technology has been known to wrongfully sic armed police on innocent people–particularly Black men and women. That’s why this issue is too important to throw inadequate or half-measures like A.B. 1814 to try to fix it.
The bill dictates that police should examine facial recognition matches “with care” and that a match should not be the sole basis for the probable cause for an arrest or search warrant. And while we agree it is a big issue that police seem to repeatedly use the matches spit out by a computer as the only justification for arresting people, theoretically the limit this bill imposes is already the limit. Police departments and facial recognition companies alike both maintain that police cannot justify an arrest using only algorithmic matches–so what would this bill really change? It only gives the appearance of doing something to address face recognition technology's harms, while inadvertently allowing the practice to continue.
Additionally, A.B. 1814 gives defendants no real recourse against police who violate its requirements. There is neither a suppression remedy nor a usable private cause of action. The bill lacks transparency requirements which would compel police departments to reveal if they used face recognition in the first place. This means if police did arrest someone wrongfully because a computer said they looked similar to the subject, someone would likely not even know they could sue the department over damages, unless they uncovered it while being prosecuted.
Despite these attempts at creating leaky bureaucratic reforms, police may continue to use this technology to identify people at protests, track marginalized individuals when they visit doctors or have other personal encounters, as well as any other number of civil liberties-chilling uses police might overtly or inadvertently deploy. It is this reason that EFF continues to advocate for a complete ban on government use of face recognition–an approach that has also resulted in cities across the United States standing up for themselves and enacting bans. Until the day comes that California lawmakers realize the urgent need to ban government use of face recognition, we will continue to differentiate between bills that will make a serious difference in the lives of the surveilled, and those that do not. That is why we are urging Assemblymembers to vote no on A.B. 1814.
The Surgeon General's Fear-Mongering, Unconstitutional Effort to Label Social Media
Surgeon General Vivek Murthy’s extraordinarily misguided and speech-chilling call this week to label social media platforms as harmful to adolescents is shameful fear-mongering that lacks scientific evidence and turns the nation’s top physician into a censor. This claim is particularly alarming given the far more complex and nuanced picture that studies have drawn about how social media and young people’s mental health interact.
The Surgeon General’s suggestion that speech be labeled as dangerous is extraordinary. Communications platforms are not comparable to unsafe food, unsafe cars, or cigarettes, all of which are physical products—rather than communications platforms—that can cause physical injury. Government warnings on speech implicate our fundamental rights to speak, to receive information, and to think. Murthy’s effort will harm teens, not help them, and the announcement puts the surgeon general in the same category as censorial public officials like Anthony Comstock.
There is no scientific consensus that social media is harmful to children's mental health. Social science shows that social media can help children overcome feelings of isolation and anxiety. This is particularly true for LGBTQ+ teens. EFF recently conducted a survey in which young people told us that online platforms are the safest spaces for them, where they can say the things they can't in real life ‘for fear of torment.’ They say these spaces have improved their mental health and given them a ‘haven’ to talk openly and safely. This comports with Pew Research findings that teens are more likely to report positive than negative experiences in their social media use.
Additionally, Murthy’s effort to label social media creates significant First Amendment problems in its own right, as any government labeling effort would be compelled speech and courts are likely to strike it down.
Young people’s use of social media has been under attack for several years. Several states have recently introduced and enacted unconstitutional laws that would require age verification on social media platforms, effectively banning some young people from them. Congress is also debating several federal censorship bills, including the Kids Online Safety Act and the Kids Off Social Media Act, that would seriously impact young people’s ability to use social media platforms without censorship. Last year, Montana banned the video-sharing app TikTok, citing both its Chinese ownership and its interest in protecting minors from harmful content. That ban was struck down as unconstitutionally overbroad; despite that, Congress passed a similar federal law forcing TikTok’s owner, ByteDance, to divest the company or face a national ban.
Like Murthy, lawmakers pushing these regulations cherry-pick the research, nebulously citing social media’s impact on young people, and dismissing both positive aspects of platforms and the dangerous impact these laws have on all users of social media, adults and minors alike.
We agree that social media is not perfect, and can have negative impacts on some users, regardless of age. But if Congress is serious about protecting children online, it should enact policies that promote choice in the marketplace and digital literacy. Most importantly, we need comprehensive privacy laws that protect all internet users from predatory data gathering and sales that target us for advertising and abuse.
Scattered Spider Boss Cuffed in Spain Boarding a Flight to Italy
Emojis Control the Malware in Discord Spy Campaign
- DataBee Launches Innovations for Enhanced Threat Monitoring and Zero Trust Implementation
KnowBe4 Launches PhishER Plus Threat Intel Feature
Aim Security Closes $18M Series A to Secure Generative AI Enterprise Adoption
LA County Dept. of Public Health Data Breach Impacts 200K
Some Skills Should Not Be Ceded to AI
Chariot Continuous Threat Exposure Management (CTEM) Updates
Our engineering team has been hard at work, reworking our flagship platform to enhance the Chariot platform to remain the most comprehensive and powerful CTEM platform on the market. So what’s new? Here are several new features recently added to Chariot: 1. Unmanaged Platform Chariot, Praetorian’s Continuous Threat Exposure Management (CTEM) solution, is now available […]
The post Chariot Continuous Threat Exposure Management (CTEM) Updates appeared first on Praetorian.
The post Chariot Continuous Threat Exposure Management (CTEM) Updates appeared first on Security Boulevard.
APIs: The Silent Heroes of Data Center Management
In the intricate ecosystem of data center operations, managing and optimizing infrastructure is a complex, continuous task. Data Center Infrastructure Management (DCIM) software has emerged as a vital tool in this arena, providing real-time monitoring, management, and analytical capabilities. Yet, the true potential of DCIM software is unlocked when it can seamlessly integrate with ...
The post APIs: The Silent Heroes of Data Center Management appeared first on Hyperview.
The post APIs: The Silent Heroes of Data Center Management appeared first on Security Boulevard.
Leveraging ASNs and Pivoting to Uncover Malware Campaigns
Identifying and Mitigating Complex Malware Campaigns with ASNs
This week, I spent a good deal of time going down some rabbit holes, all of which were fascinating. This is an example of work we would like to share but often cannot. In this instance, we found confidential information related to a hacked mail server inside malware we detonated: the malware was configured to use a government mail server as a relay to email out keylogger data.
In each case, there were essentially two victims: the victims of the malware, and the operators of the mail server being used in the attacks. We've notified the department that manages the mail server of the compromise, and of the credentials used to send mail through their server.
This brings me to the "how" of it all. Cyber threat intelligence (CTI) experts and investigators face the daunting challenge of identifying and mitigating complex malware campaigns. These campaigns, orchestrated by sophisticated threat actors, often leverage diverse infrastructure and techniques to evade detection and compromise targets.
In this blog, we'll explore in detail how CTI experts can harness the power of Autonomous System Numbers (ASNs) and employ pivoting techniques to uncover and analyze malware campaigns. By understanding the nuances of ASNs and mastering effective pivoting strategies, CTI professionals can enhance their capabilities in threat detection, attribution, and response.
Understanding ASNs
Autonomous System Numbers (ASNs) serve as unique identifiers assigned to networks participating in the global routing system. Each ASN corresponds to an organization or entity that controls a portion of the internet's IP address space. By analyzing ASNs, CTI experts can gain valuable insights into the infrastructure utilized by threat actors to conduct malicious activities.
These insights include identifying the origins of malicious traffic, pinpointing hosting providers associated with malware distribution, and tracing connections between seemingly disparate cyber threats.
Pivoting with ASNs
Pivoting is a fundamental investigative technique that involves using known information or indicators of compromise (IOCs) as a starting point to uncover additional related data and connections. When investigating malware campaigns, CTI experts can pivot using ASNs to expand their understanding of the threat landscape and uncover hidden relationships.
Here's a step-by-step breakdown of how pivoting with ASNs can be accomplished:
1. Initial Investigation: The process begins with collecting IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign. These IOCs serve as the starting point for the investigation.
2. ASN Enumeration: CTI experts utilize specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This mapping provides crucial insights into the ownership and affiliations of the networks involved in the malware campaign.
3. ASNs Analysis: Once the ASNs associated with the collected IOCs are identified, CTI professionals conduct a detailed analysis to uncover patterns, anomalies, and potential relationships between different malware campaigns. They look for commonalities such as shared infrastructure or hosting providers used by multiple threats.
4. Expand Investigation: Armed with insights from the ASNs analysis, CTI experts pivot further to gather additional IOCs associated with the same ASNs. This may involve exploring related IP ranges, domains hosted on the same infrastructure, or other ASNs controlled by the same organization.
5. Threat Attribution: The final step involves analyzing the gathered data to attribute the malware campaigns to specific threat actors or groups. By tracing connections between different ASNs and malware activities, CTI experts can uncover the broader infrastructure and operations of malicious actors.
Using ASNs to Uncover a Malware Campaign
To illustrate the effectiveness of this approach, let's consider a hypothetical scenario where a CTI team investigates a ransomware campaign targeting a financial institution. By analyzing the ransomware samples and associated IOCs, the team identifies several IP addresses used as command and control (C2) servers.
Through ASN enumeration and analysis, they discover that these IP addresses belong to a hosting provider known for harboring malicious activities. Pivoting with the identified ASN leads them to uncover additional C2 servers, domains, and IP ranges used by the same threat actor across multiple campaigns. This comprehensive view enables the CTI team to attribute the ransomware campaign to a sophisticated cybercriminal group and take proactive measures to disrupt their operations.
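The five-step pivot above, and the hypothetical ransomware scenario, as a worked example. This is added code, not HYAS's own tooling or the HYAS Insight API: the prefix table and IOC inventory are constructed sample data built from documentation address ranges and private-use ASNs (64500-64502), and in real work the prefix-to-ASN mapping would come from a BGP or whois data source. The longest-prefix match matters: a more-specific announcement inside a hosting provider's range can belong to a different AS, and treating the parent /24 as one owner would wrongly pull unrelated infrastructure into the pivot.

```python
"""ASN pivoting over an IOC set (added example; not HYAS code).

The prefix table and IOC inventory are constructed sample data using
documentation address ranges and private-use ASNs; a real workflow would
pull the prefix-to-ASN mapping from a BGP or whois data source.
"""
import ipaddress
from collections import defaultdict

# Constructed routing table: (prefix, origin ASN, organisation). Not real data.
PREFIX_TABLE = [
    ("198.51.100.0/24", 64500, "BulletHost-Example"),
    ("203.0.113.0/24", 64500, "BulletHost-Example"),
    ("203.0.113.128/25", 64502, "ReassignedRange-Example"),  # more-specific carve-out
    ("192.0.2.0/24", 64501, "CleanCloud-Example"),
]

# Constructed IOC inventory accumulated from earlier investigations.
IOC_DB = [
    {"ip": "198.51.100.7", "domain": "c2-alpha.example", "campaign": "ransom-fin-2024"},
    {"ip": "198.51.100.22", "domain": "c2-beta.example", "campaign": "ransom-fin-2024"},
    {"ip": "203.0.113.9", "domain": "loader-drop.example", "campaign": "loader-2023"},
    {"ip": "203.0.113.200", "domain": "other-tenant.example", "campaign": "unrelated"},
    {"ip": "192.0.2.45", "domain": "cdn-edge.example", "campaign": "false-positive"},
]


def lookup_asn(ip):
    """Resolve an IP to (asn, org) by longest-prefix match, as BGP would.

    The most specific announcement wins, so 203.0.113.200 lands in the
    reassigned /25 (AS64502), not the parent /24 (AS64500).
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, org in PREFIX_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return None if best is None else (best[1], best[2])


def enumerate_asns(seed_ips):
    """Step 2 (ASN enumeration): map each seed IOC IP to its origin AS."""
    return {ip: lookup_asn(ip) for ip in seed_ips}


def pivot_on_asn(seed_ips, ioc_db=IOC_DB):
    """Steps 3-4 (analysis and expansion): collect every other known IOC
    that sits in an AS shared with the seeds, keyed by ASN."""
    seed_set = set(seed_ips)
    seed_asns = {hit[0] for hit in enumerate_asns(seed_ips).values() if hit}
    related = defaultdict(list)
    for rec in ioc_db:
        hit = lookup_asn(rec["ip"])
        if hit and hit[0] in seed_asns and rec["ip"] not in seed_set:
            related[hit[0]].append(rec)
    return dict(related)


def campaigns_by_asn(related):
    """Step 5 input: which previously tracked campaigns share each AS."""
    return {asn: sorted({r["campaign"] for r in recs}) for asn, recs in related.items()}


if __name__ == "__main__":
    seeds = ["198.51.100.7"]  # the C2 IP pulled from the ransomware sample
    print(enumerate_asns(seeds))
    related = pivot_on_asn(seeds)
    for asn, recs in related.items():
        print(f"AS{asn}: " + ", ".join(f"{r['ip']} ({r['domain']})" for r in recs))
    print(campaigns_by_asn(related))
```

Running it with the single C2 seed returns AS64500, the second C2 in the same range, and the loader drop site from an older campaign in that provider's other prefix, while the host in the reassigned /25 and the CDN edge in AS64501 stay out of the pivot. The campaign overlap is the raw material for the attribution step; shared hosting alone is weak evidence, so it should be corroborated with TTPs and sample overlap before any attribution is made.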
Conclusion
In conclusion, the strategic utilization of ASNs and pivoting techniques with HYAS Insight threat intelligence is indispensable for CTI experts and investigators in their efforts to combat malware campaigns. By leveraging ASNs to trace connections and employing pivoting to uncover hidden relationships, CTI professionals can gain deeper insights into the tactics, techniques, and procedures (TTPs) employed by threat actors.
This enhanced understanding enables organizations to better protect their assets, mitigate risks, and respond effectively to evolving cyber threats. With a proactive and strategic approach to threat intelligence, CTI experts can stay ahead of adversaries and safeguard the digital ecosystem against malicious activities.
Is your security program prepared to defend against advanced malware and other sophisticated cyberthreats? Learn how HYAS can optimize your defenses. Request a HYAS demo today.
The post Leveraging ASNs and Pivoting to Uncover Malware Campaigns appeared first on Security Boulevard.
Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing
Traditional vulnerability scanning tools are enhanced with NodeZero's autonomous penetration testing, revolutionizing Vulnerability Management by providing comprehensive risk assessment, exploitability analysis, and cross-host vulnerability chaining, empowering organizations to prioritize and mitigate security weaknesses strategically.
The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Horizon3.ai.
The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Security Boulevard.
Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer
It’s an exciting time here at Hyperproof! We are thrilled to announce that two new senior leaders have joined Hyperproof: Jay Hussein, Senior Vice President of Customer, and Mike Johnson, Senior Vice President of Sales. Both Mike and Jay have a wealth of experience serving larger enterprises and will support Hyperproof as we scale our...
The post Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer appeared first on Hyperproof.
The post Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer appeared first on Security Boulevard.
Finding mispriced opcodes with fuzzing
By Max Ammann Fuzzing—a testing technique that tries to find bugs by repeatedly executing test cases and mutating them—has traditionally been used to detect segmentation faults, buffer overflows, and other memory corruption vulnerabilities that are detectable through crashes. But it has additional uses you may not know about: given the right invariants, we can use […]
The post Finding mispriced opcodes with fuzzing appeared first on Security Boulevard.
Mobile SDK Security: Effective Testing Methodology
In mobile penetration testing, third-party modules or libraries are often considered out of scope for several reasons, although it’s worth noting that the decision to include or exclude third-party components can vary depending on the specific requirements of the assessment […]
The post Mobile SDK Security: Effective Testing Methodology appeared first on WeSecureApp :: Securing Offensively.
The post Mobile SDK Security: Effective Testing Methodology appeared first on Security Boulevard.
Optimizing SCA Use in CI Pipelines for Advanced DevSecOps
The post Optimizing SCA Use in CI Pipelines for Advanced DevSecOps appeared first on Deepfactor.
The post Optimizing SCA Use in CI Pipelines for Advanced DevSecOps appeared first on Security Boulevard.
Strengthening the Shield: Cybersecurity Strategies for SMEs
Employee Education and Training
One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, making cybersecurity awareness training indispensable. Employees should be educated on recognizing phishing attempts, creating strong passwords, and understanding the importance of software updates.
Importance: Employees serve as the first line of defence against cyber threats, but they are also the weakest links in cybersecurity. By educating them, SMEs can significantly reduce the risk of successful cyberattacks.
Solutions: Implement regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe internet browsing practices, and responding to security incidents. Utilize online training resources and simulations to reinforce learning effectively. You can develop internal cybersecurity awareness materials using free or low-cost presentation tools such as Google Slides or Microsoft PowerPoint. Create engaging presentations covering topics like identifying phishing emails, password best practices, and responding to security incidents. Additionally, leverage free online resources such as cybersecurity blogs, webinars, and tutorials to supplement employee training efforts. Encourage participation in online courses offered by reputable cybersecurity organizations, some of which may be available at no cost.
Implementing Multi-Factor Authentication (MFA)
Multifactor authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive data or systems. This strategy helps mitigate the risk of unauthorized access, even if passwords are compromised.
Importance: Passwords alone are no longer sufficient to protect against cyber threats. MFA significantly enhances security by requiring additional authentication factors, such as biometric data or one-time codes.
Solutions: Implement MFA for all accounts with access to sensitive information or critical systems. Many cloud-based services and software applications offer built-in MFA capabilities, making implementation relatively straightforward and cost-effective. Utilize built-in MFA features provided by cloud-based services and software applications, many of which offer MFA functionality at no additional cost. Implement open-source MFA solutions that can be customized to fit the organization's specific needs without incurring licensing fees. Alternatively, explore low-cost MFA options offered by third-party providers, ensuring compatibility with existing systems and scalability as the business grows.
Regular Data Backups
Data loss can have devastating consequences for SMEs, ranging from financial losses to reputational damage. Regularly backing up data is essential for mitigating the impact of ransomware attacks, hardware failures, or accidental deletions.
Importance: Data backups serve as a safety net, allowing SMEs to recover quickly in the event of a cyber incident. Without backups, businesses risk permanent loss of valuable information.
Solutions: Automate regular backups of critical data to secure cloud storage or offline storage devices. Utilize backup solutions that offer versioning capabilities, allowing businesses to restore data to previous states if necessary. Utilize cloud-based backup solutions that offer affordable storage options and automated backup scheduling. Leverage free or low-cost backup software with basic features for backing up critical data to secure cloud storage or external hard drives. Implement a combination of full and incremental backups to optimize storage space and minimize backup times. Explore open-source backup solutions that provide flexibility and customization options without the need for expensive proprietary software.
Network Security Measures
Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should implement robust network security measures, such as firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs).
Importance: Networks are prime targets for cyberattacks, making network security measures essential for preventing unauthorized access and data breaches.
Solutions: Deploy firewalls to monitor and control incoming and outgoing network traffic. Implement IDS to detect and respond to suspicious activities within the network. Utilize VPNs to encrypt data transmissions and establish secure connections for remote workers. Implement open-source firewall solutions that provide robust network protection without the high cost associated with commercial firewalls. Utilize free or low-cost intrusion detection system (IDS) software that offers essential features such as real-time monitoring and threat detection. Explore cost-effective virtual private network (VPN) solutions tailored to SMEs' needs, such as subscription-based services with affordable pricing plans and easy deployment for remote workers.
Regular Security Assessments and Updates
Cyber threats are constantly evolving, requiring SMEs to stay vigilant and proactive in their cybersecurity efforts. Regular security assessments and updates help identify vulnerabilities and ensure that systems and software are up to date with the latest security patches.
Importance: Cyber threats are continuously evolving, making regular security assessments and updates essential for maintaining a strong cybersecurity posture.
Solutions: Conduct regular security assessments to identify potential vulnerabilities in systems, networks, and applications. Develop and implement a patch management strategy to ensure that software and firmware updates are applied promptly. Conduct internal security assessments using free or low-cost vulnerability scanning tools to identify potential weaknesses in systems and networks. Utilize open-source penetration testing frameworks to simulate cyberattacks and assess the effectiveness of existing security measures. Implement a systematic approach to applying security patches and updates, leveraging free tools provided by software vendors or community-driven initiatives. Additionally, establish internal processes for monitoring security advisories and alerts issued by relevant authorities to stay informed about emerging threats and vulnerabilities.
In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies explained above, SMEs can significantly enhance their cybersecurity posture without breaking the bank. Investing in cybersecurity is not only essential for protecting sensitive data and maintaining business operations but also for safeguarding the long-term viability and reputation of SMEs in an increasingly interconnected world.
About Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as the Head of Cybersecurity at OQ Trading, bringing over two decades of comprehensive experience in the Banking, Financial, Oil and Energy sectors.
Widely recognized for his adept leadership, Abhilash has effectively steered international organizations through intricate security challenges. His illustrious career includes spearheading pioneering cybersecurity strategies, resulting in prestigious awards and acclaim. Beyond his professional achievements, Abhilash maintains a global influence and demonstrates unwavering commitment to mentoring, showcasing his dedication to shaping the future landscape of cybersecurity.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Understanding Cyberconflict in the Geopolitical Context
The Role of Misinformation and Disinformation in Cyberconflict
Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.
The Role of Big Tech in Cyberconflict Interplay
The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.
Hedging the Risks of Using AI and Emerging Tech To Scale Up Misinformation and Global Cyberconflicts
In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society. In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters. 
These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies.
The Snowballing of the Snowflake Breach: All About the Massive Snowflake Data Breach
Why the Snowflake Breach Matters
Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, making it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. Correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.
Ongoing Investigation and Preliminary Results in Snowflake Breach
On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.
Compromised Employee Account
Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA), but the demo accounts lacked such safeguards.
Test Environments Targeted
Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.Attack Path
The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.Possible Reasons for the Breach
Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.Unconfirmed Threat Actor Claims
The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.Affected Customers from Snowflake Breach
The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:- Santander Group: The company confirmed a compromise without mentioning Snowflake.
- Impact: Data of Santander Bank staff and 30 million customers has allegedly been breached.
- TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
- Impact: 560 million TicketMaster user details and card information potentially at risk.
- LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
- Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.
- Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
- Impact: The same actor as in the LendingTree case claimed a leak of data on 380 million customers and 358,000 former and current employees.
- Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
- Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.
Security Measures and Customer Support
Snowflake Chief Information Security Officer Brad Jones reiterated the company’s findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in its MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in its cloud environments.
Key Recommendations for Snowflake Customers:
- Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
- Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
- Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
- Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.
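The four recommendations above can be turned into a detection check over login telemetry. The following is an added example in Python, not Snowflake’s or Mandiant’s code; the event layout, the trusted IP ranges and the 90-day rotation threshold are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Login:
    """One authentication event (assumed layout, not Snowflake's schema)."""
    user: str
    client_ip: str
    success: bool
    second_factor: Optional[str]   # e.g. "DUO_PUSH"; None means password only
    password_set: datetime         # when this user's credential was last rotated
    timestamp: datetime


# Hypothetical trusted egress ranges (RFC 5737 documentation addresses).
ALLOW_LIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy


def audit_login(login: Login, allow_list=ALLOW_LIST,
                max_age: timedelta = MAX_CREDENTIAL_AGE) -> List[str]:
    """Return the control gaps visible in one successful login."""
    findings: List[str] = []
    if not login.success:
        return findings            # a failed attempt yields no session to abuse
    if login.second_factor is None:
        findings.append("single-factor login")
    if not any(ip_address(login.client_ip) in net for net in allow_list):
        findings.append("source IP outside network allow list")
    age = login.timestamp - login.password_set
    if age > max_age:
        findings.append(f"credential not rotated for {age.days} days")
    return findings


def audit_all(logins) -> List[Tuple[str, str, List[str]]]:
    """Flag every successful login that violates at least one control."""
    return [(lg.user, lg.client_ip, f) for lg in logins if (f := audit_login(lg))]


# Constructed sample events; the first mirrors the breach pattern described above:
# a service account, no MFA, untrusted source, credential roughly four years old.
RECORDS = [
    Login("svc_reporting", "192.0.2.55", True, None,
          datetime(2020, 5, 1), datetime(2024, 5, 20, 3, 12)),
    Login("analyst_a", "203.0.113.10", True, "DUO_PUSH",
          datetime(2024, 4, 1), datetime(2024, 5, 20, 9, 1)),
    Login("analyst_b", "203.0.113.12", True, None,
          datetime(2024, 3, 1), datetime(2024, 5, 20, 9, 5)),
    Login("svc_reporting", "192.0.2.77", False, None,
          datetime(2020, 5, 1), datetime(2024, 5, 20, 3, 9)),
]

if __name__ == "__main__":
    for user, ip, findings in audit_all(RECORDS):
        print(f"{user} from {ip}: {'; '.join(findings)}")
```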
BreachForums Returns With a New Owner After ShinyHunters Retires
ShinyHunters Alludes to BreachForums Issues
ShinyHunters alluded to those issues in a post announcing the forum’s new owner (screenshot below). “It's hard to maintain motivation when you're constantly getting accused of being a honeypot and at this point I'm burned out, hollow is burned out and we just want to move on to bigger things rather than the constant onslaught of users complaining about how we ran our forum,” ShinyHunters wrote. “Baphomet has done an incredible job of building new features for everyone, keeping everything together and maintaining the forum. Couldn't have done it without him. We hope the forum can live on without us for a long time. Thank you all for your support. Goodbye.”
[Screenshot: The announcement of a new BreachForums owner]
While “User-Anastasia” is a new account, ShinyHunters referred to the new owner as “an OG some of you may remember.” Cyble threat researchers reported that Anastasia also goes by “Anastasia Belshaw.”
BreachForums Returns, Hackers Raise Suspicions
BreachForums was seized by the FBI and the U.S. Department of Justice in mid-May, with help from international law enforcement agencies, and Baphomet was allegedly arrested in that action. However, just two weeks later, the forum returned, leading to suspicion among some threat actors that the site was operating as a “honeypot” or a sting operation under the control of the FBI. To further complicate matters, the site went down again last week, possibly due to technical issues, and its associated Telegram channels disappeared too amid reports that ShinyHunters was retiring. A few days later came the announcement that Anastasia would take over the forum. It remains to be seen what direction the forum will take under new ownership, but given the site’s volatile history, whatever is in store is certain to be eventful.
Los Angeles Public Health Department Discloses Large Data Breach
Addressing Misinformation in Critical Infrastructure Security
China's 'Velvet Ant' APT Nests Inside Multiyear Espionage Effort
Name That Toon: Future Shock
(Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13
This week on the Lock and Code podcast…
Ready to know what Malwarebytes knows?
Ask us your questions and get some answers.
What is a passphrase and what makes it—what’s the word?
Strong?
Every day, countless readers, listeners, posters, and users ask us questions about some of the most commonly cited topics and terminology in cybersecurity. What are passkeys? Is it safer to use a website or an app? How can I stay safe from a ransomware attack? What is the dark web? And why can’t cybercriminals simply be caught and stopped?
For some cybersecurity experts, these questions may sound too “basic”—easily researched online and not worth the time or patience to answer. But those experts would be wrong.
In cybersecurity, so much of the work involves helping people take personal actions to stay safe online. That means it’s on cybersecurity companies and practitioners to provide clarity when the public is asking for it. Without this type of guidance, people are less secure, scammers are more successful, and clumsy, fixable mistakes are rarely addressed.
This is why, this summer, Malwarebytes is working harder on meeting people where they are. For weeks, we’ve been collecting questions from our users about WiFi security, data privacy, app settings, device passcodes, and identity protection.
All of these questions—no matter their level of understanding—are appreciated, as they help the team at Malwarebytes understand where to improve its communication. In cybersecurity, it is critical to create an environment where, for every single person seeking help, it’s safe to ask. It’s safe to ask what’s on their mind, safe to ask what confuses them, and safe to ask what they might even find embarrassing.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Product Marketing Manager Tjitske de Vries about the modern rules around passwords, the difficulties of stopping criminals on the dark web, and why online scams hurt people far beyond their financial repercussions.
“We had [an] 83-year-old man who was afraid to talk to his wife for three days because he had received… a sextortion scam… This is how they get people, and it’s horrible.”
Tune in today to listen to the full conversation.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.
Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.
Open Source Licensing 101: Everything You Need to Know
With the right license, you can protect your open-source project and ensure proper usage. This article provides a clear overview of open-source licensing for developers and users.
The post Open Source Licensing 101: Everything You Need to Know appeared first on Security Boulevard.
Microsoft Recall delayed after privacy and security concerns
Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.
The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.
However, Recall has received heavy criticism from security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.
Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.
“Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”
Microsoft didn’t see the problem, with its vice chair and president, Brad Smith, even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.
But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.
Another security measure, taken only as an afterthought, is that users will now have to log into Windows Hello in order to activate Recall and to view their screenshot timeline.
In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.
“This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”
Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
The Ultimate Guide to Troubleshooting Vulnerability Scan Failures
Vulnerability scans evaluate systems, networks, and applications to uncover security vulnerabilities. Leveraging databases of known vulnerabilities, these scans detect your weakest spots. These are the points most likely to be exploited by cybercriminals. Scans also help prioritize the order of importance in remediating and patching vulnerabilities. Vulnerability assessment scans are critical for maintaining the security […]
The post The Ultimate Guide to Troubleshooting Vulnerability Scan Failures appeared first on Centraleyes.
The post The Ultimate Guide to Troubleshooting Vulnerability Scan Failures appeared first on Security Boulevard.
Using LLMs to Exploit Vulnerabilities
Interesting research: “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.”
Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).
In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improves over prior work by up to 4.5×...
The post Using LLMs to Exploit Vulnerabilities appeared first on Security Boulevard.
Ubuntu 23.10 Reaches End of Life on July 11, 2024
Ubuntu 23.10, codenamed “Mantic Minotaur,” was released on October 12, 2023, nearly nine months ago. Since it is an interim release, its support period is now approaching with the end of life scheduled on July 11, 2024. After this date, Ubuntu 23.10 will no longer receive software and security updates from Canonical. As a result, […]
The post Ubuntu 23.10 Reaches End of Life on July 11, 2024 appeared first on TuxCare.
The post Ubuntu 23.10 Reaches End of Life on July 11, 2024 appeared first on Security Boulevard.
How Automated Linux Patching Boosts Healthcare Security
Healthcare organizations worldwide are facing a surge in cyberattacks. The healthcare industry is grappling with increasingly sophisticated cyberattacks, often exploiting known vulnerabilities that should have been addressed much earlier. Automated Linux patching helps ensure that systems are continuously updated with the latest security patches. These days, healthcare organizations are increasingly relying on advanced technologies like […]
The post How Automated Linux Patching Boosts Healthcare Security appeared first on TuxCare.
The post How Automated Linux Patching Boosts Healthcare Security appeared first on Security Boulevard.