Source: securityaffairs.com – Author: Pierluigi Paganini Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target European government agencies. ESET researchers discovered two previously unknown backdoors named LunarWeb and LunarMail that were exploited to breach European […]

La entrada Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Secure code review is a combination of automated and manual processes assessing an application/software’s source code. The main motive of this technique is to detect vulnerabilities in the code. This security assurance technique looks for logic errors and assesses style guidelines, specification implementation, and so on.  In an automated secure code review, the tool automatically […]

The post What is Secure Code Review and How to Conduct it? appeared first on Kratikal Blogs.

The post What is Secure Code Review and How to Conduct it? appeared first on Security Boulevard.

Source: securityboulevard.com – Author: Riddika Grover In today’s digital age, cybersecurity is more important than ever. Businesses that maintain the data of their clients are continually concerned about potential vulnerabilities that hackers may exploit to potentially misuse the data for wrong deeds.That is why organizations need to obtain a VAPT certificate for their organization. But […]

La entrada How to Get a VAPT Certificate? – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: securityaffairs.com – Author: Pierluigi Paganini North Korea-linked Kimsuky APT attack targets victims via Messenger North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware. Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & […]

La entrada North Korea-linked Kimsuky APT attack targets victims via Messenger – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

In today’s digital age, cybersecurity is more important than ever. Businesses that maintain the data of their clients are continually concerned about potential vulnerabilities that hackers may exploit to potentially misuse the data for wrong deeds.That is why organizations need to obtain a VAPT certificate for their organization. But what exactly is a VAPT certificate, […]

The post How to Get a VAPT Certificate? appeared first on Kratikal Blogs.

The post How to Get a VAPT Certificate? appeared first on Security Boulevard.

Source: securityaffairs.com – Author: Pierluigi Paganini Russia-linked APT28 targets government Polish institutions CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28. CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group. The attribution […]

La entrada Russia-linked APT28 targets government Polish institutions – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

It takes 4.76 days between public disclosure of a vulnerability and its first exploitations to appear.

The post Fortinet Report Sees Faster Exploitations of New Vulnerabilities appeared first on Security Boulevard.

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.

The post US Says North Korean Hackers Exploiting Weak DMARC Settings  appeared first on SecurityWeek.

Cisco warns that nation state-backed hackers are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks.

The post Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms appeared first on SecurityWeek.

Data from a Chinese cybersecurity vendor that works for the Chinese government has exposed a range of hacking tools and services. Although the source is not entirely clear, it seems that a disgruntled staff member of the group leaked the information on purpose.

The vendor, i-Soon (aka Anxun) is believed to be a private contractor that operates as an Advanced Persistent Threat (APT)-for-hire, servicing China’s Ministry of Public Security (MPS).

The leaked data is organized in a few groups, such as complaints about the company, chat records, financial information, products, employee information, and details about foreign infiltration. According to the leaked data, i-Soon infiltrated several government departments, including those from India, Thailand, Vietnam, South Korea, and NATO.

Some of the tools that i-Soon used are impressive enough. Some highlights:

• Twitter (now X) stealer: Features include obtaining the user’s Twitter email and phone number, real-time monitoring, reading personal messages, and publishing tweets on the user’s behalf.
• Custom Remote Access Trojans (RATs) for Windows x64/x86: Features include process/service/registry management, remote shell, keylogging, file access logging, obtaining system information, disconnecting remotely, and uninstallation.
• The iOS version of the RAT also claims to authorize and support all iOS device versions without jailbreaking, with features ranging from hardware information, GPS data, contacts, media files, and real-time audio records as an extension. (Note: this part dates back to 2020)
• The Android version can dump messages from all popular Chinese chatting apps QQ, WeChat, Telegram, and MoMo and is capable of elevating the system app for persistence against internal recovery.
• Portable devices for attacking networks from the inside.
• Special equipment for operatives working abroad to establish safe communication.
• User lookup database which lists user data including phone number, name, and email, and can be correlated with social media accounts.
• Targeted automatic penetration testing scenario framework.

While some of the information is dated, the leaked data provide an inside look in the operations that go on in a leading spyware vendor and APT-for-hire.

It will certainly rattle some cages at the infiltrated entities and as such it could possibly cause a shift in international diplomacy and expose the holes in the national security of several countries.

Not all of the material has been examined yet. There is a lot available and translating is not an easy task. But we will keep you posted if anything else of interest shows up.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.

Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.

These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.

The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.

In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

As Jen Easterly, the director of CISA put it in a hearing before the House Select Committee

“We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”

And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.

The Living of the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.

So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR) should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.

The guidance stipulates that LOTL is particularly effective because:

• Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
• There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
• It enables cyber threat actors to avoid investing in developing and deploying custom tools.

So, it provides some best practices for detecting and hardening that are all explained in detail.

• Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
• Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
• Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
• Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
• Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
• Apply and consult vendor-recommended guidance for security hardening.
• Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
• Enhance IT and OT network segmentation and monitoring.
• Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.

Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state sponsored attacks as well, although the latter can be even more targeted in some situations.

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Further on, CISA  urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, recognize the need for low or no-cost enhanced logging, and other exploitable issues identified in the guide.

Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.