Found 226 bookmarks
Custom sorting
Shikitega - New stealthy malware targeting Linux
Shikitega - New stealthy malware targeting Linux
AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.
#cybersecurity.att.com#AT&T-Alien-Labs#Shikitega#EN#2022#Linux#malware#Analysis
·cybersecurity.att.com·
Shikitega - New stealthy malware targeting Linux
TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks
TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks
Cybersecurity researchers have offered insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505. "The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."
#thehackernews#EN#2022#PRODAFT#TeslaGun#ServHelper#Backdoor#Analysis
·thehackernews.com·
TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000 "...the extensions also track the user’s browsing activity."
#mcafee#2022#EN#malicious#extensions#Chrome#Analysis#privacy#browser#cookie#Stuffing
·mcafee.com·
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe
Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe
In February 2022, Microsoft patched the vulnerability I used in TianfuCup 2021 for escaping Adobe Reader sandbox, assigned CVE-2022-22715. The vulnerability existed in Named Pipe File System nearly 10 years since the AppContainer was born. We called it "Windows Dirty Pipe". In this article, I will share the root cause and exploitation of Windows Dirty Pipe. So let's start our journey.
#whereisk0shl#EN#2022#CVE-2022-22715#Windows#Dirty-Pipe#PoC#ANALYSIS
·whereisk0shl.top·
Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...
#cybereason#EN#2022#THREAT#ANALYSIS#REPORT#Bumblebee#Loader#CobaltStrike
·cybereason.com·
THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control
Making Sense of the Killnet, Russia’s Favorite Hacktivists
Making Sense of the Killnet, Russia’s Favorite Hacktivists
Killnet makes three announcements The past month seemed to be a turning point for the pro-Russian hacktivist group “Killnet”—and it was very eager to tell the world about it.  First, on July 27, “Killmilk”—the founder and the head of the group who led its transformation from a DDoS-for-hire outlet i
#flashpoint#EN#2022#Killnet#Russia#hacktivism#Analysis
·linkedin.com·
Making Sense of the Killnet, Russia’s Favorite Hacktivists
A Detailed Analysis of the RedLine Stealer
A Detailed Analysis of the RedLine Stealer
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.
#securityscorecard#EN#2022#RedLine#Stealer#analysis
·securityscorecard.com·
A Detailed Analysis of the RedLine Stealer
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware
#trendmicro#EN#2022#analysis#lockbit#blackmatter#malware
·trendmicro.com·
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
[CVE-2022-34918] A crack in the Linux firewall
[CVE-2022-34918] A crack in the Linux firewall
In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04.
#randorisec#EN#2022#CVE-2022-34918#Linux#netfilter#Vulnerability#analysis
·randorisec.fr·
[CVE-2022-34918] A crack in the Linux firewall
How to Assess an E-voting System
How to Assess an E-voting System
If I can shop and bank online, why can’t I vote online? David Jefferson explained in 2011 why internet voting is so difficult to make secure, I summarized again in 2021 why internet voting is still inherently insecure, and many other experts have explained it too. Still, several countries and several U.S. states have offered e-voting to some of their citizens. In many cases they plunge forward without much consideration of whether their e-voting system is really secure, or whether it could be hacked to subvert democracy. It’s not enough just to take the software vendor’s word for it.
#freedom-to-tinker#EN#2022#e-vôté#CH#assessment#analysis
·freedom-to-tinker.com·
How to Assess an E-voting System
Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’
Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’
For years, activists and academics have been raising concerns that facial analysis software that claims to be able to identify a person’s age, gender and emotional state can be biased, unreliable or invasive — and shouldn’t be sold.
#nytimes#2022#EN#facial-analysis#privacy#Face#Analysis#Responsible#AI#recognition
·nytimes.com·
Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’
Emotet SMB spreader overview
Emotet SMB spreader overview
Emotet is back in business and it’s revealing some new tricks. Not long ago, Emotet introduced a new module, the Google Chrome’s credit card grabber. More recently, the SMB spreader module has been brought back and is now, once again, part of the infection chain.
#reversing.fun#Emotet#2022#SMB#analysis#module
·reversing.fun·
Emotet SMB spreader overview
BRATA is evolving into an Advanced Persistent Threat
BRATA is evolving into an Advanced Persistent Threat
Here we go with another episode about our (not so) old friend, BRATA. In almost one year, threat actors (TAs) have further improved the capabilities of this malware. In our previous blog post [1] we defined three main BRATA variants, which appeared during two different waves detected by our telemetries at the very end of 2021. However, during the last months we have observed a change in the attack pattern commonly used.
#cleafy#2022#EN#malware#BRATA#APT#phishing#analysis#IOCs#banker
·cleafy.com·
BRATA is evolving into an Advanced Persistent Threat
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
#malwarebytes#EN#2022#analysis#email#threat#email-threat#Review#TrickBot#ASyncRat#Dridex
·blog.malwarebytes.com·
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Google Online Security Blog: The Package Analysis Project: Scalable detection of malicious open source packages
Google Online Security Blog: The Package Analysis Project: Scalable detection of malicious open source packages
Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.
#google#2022#EN#opensource#Package#Analysis#Project#malicious#packages
·security.googleblog.com·
Google Online Security Blog: The Package Analysis Project: Scalable detection of malicious open source packages
Introducing Package Analysis: Scanning open source packages for malicious behavior
Introducing Package Analysis: Scanning open source packages for malicious behavior
Today we’re pleased to announce the initial prototype version of the Package Analysis project, an OpenSSF project addressing the challenge of identifying malicious packages in popular open source repositories. In just one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm.
#openssf#EN#2022#Analysis#Scan#opensource#packages#Package#behavior
·openssf.org·
Introducing Package Analysis: Scanning open source packages for malicious behavior
Lapsus$: when kiddies play in the big league
Lapsus$: when kiddies play in the big league
You may not have missed all the noises recently caused by Lapsus$, a group that seems to specialize in extortion without necessarily leveraging ransomware. At first glance, Lapsus$ check marks all elements that would make researchers put them in the low priority threats, especially considering their readiness to make dramas and OpSec failures. Except that the group has successfully managed to significantly enrich its victim list with high profile corporations, thus drawing all our attention. In the following, we will describe the threat actor profile that was drawn by our investigations based either on OSINT, dark web or infrastructure analysis.
#sekoia#EN#2022#analysis#Lapsus$#group
·sekoia.io·
Lapsus$: when kiddies play in the big league
An update on the threat landscape
An update on the threat landscape
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
#google#threat#analysis#2022#EN#Ukraine#TAG#GoogleTAG#informations#APT28#UNC1151#Ghostwriter#FancyBear#MustangPanda
·blog.google·
An update on the threat landscape
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. The sample was first uploaded to VT on November 23, 2022 and tagged by the VT community as a possible variant of the Pandora Ransomware. The assumed connection to the Pandora Ransomware was due to some similarities between the CatB and Pandora ransom notes. However, the similarities pretty much end there. The CatB ransomware implements several anti-VM techniques to verify execution on a “real machine”, followed by a malicious DLL drop and DLL hijacking to evade detection.
#minerva-labs#EN#2022#CatB#analysis#DLL#Hijacking#Ransomware
·minerva-labs.com·
New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection