After invasion of Ukraine, a reckoning on Russian influence in Austria
“Polizei!” barked the officers who stormed a third-floor apartment in the Austrian capital, moving to intercept a thickset man standing near a kitchen nook. The suspect — a long-serving official in Austria’s security services — sprang toward his cellphone and tried to break it in two, according to Austrian police reports.
China Police Database Was Left Open Online for Over a Year, Enabling Leak
Cybersecurity experts say the error enabled the theft of records of nearly 1 billion people, including senior officials, leading to a $200,000 ransom note.
Why the Equation Group (EQGRP) is NOT the NSA | xorl %eax, %eax
I had covered this topic in my 2021 talk “In nation-state actor’s shoes” but after my recent blog post I saw again people referring to the EQGRP as the NSA which is not entirely c…
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine
A Lugano, le plus jeune ministre de Volodymyr Zelensky a révélé une nouvelle facette de l’Ukraine aux yeux du monde: celle d’un pays digital qui se bat contre l’invasion russe grâce à une e-armée, aussi
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. On May 19, one such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.
Heap memory corruption with RSA private key operation (CVE-2022-2274)
Severity: High The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.
Dutch university wins big after Bitcoin ransom returned
Maastricht University has doubled its money thanks to a ransomware attack three years ago. The university plans to help struggling students with its new funds.
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
Flubot: the evolution of a notorious Android Banking Malware
Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the victim’s credentials, by detecting when the official banking application is open to show a fake web injection, a phishing website similar to the login form of the banking application. An important part of the popularity of Flubot is due to the distribution strategy used in its campaigns, since it has been using the infected devices to send text messages, luring new victims into installing the malware from a fake website. In this article we detail its development over time and recent developments regarding its disappearance, including new features and distribution campaigns.
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.
ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks
Black Lotus Labs, is currently tracking elements of what appears to be a sophisticated campaign leveraging infected SOHO routers to target predominantly NA and European networks of interest.
Facing reality? Law enforcement and the challenge of deepfakes
‘Facing reality? Law enforcement and the challenge of deepfakes’ is the first report produced through the Observatory function of the Europol Innovation Lab. The Europol Innovation Lab’s Observatory function monitors technological developments that are relevant for law enforcement and reports on the risks, threats and opportunities of these emerging technologies. The report provides a detailed overview of the criminal use...
Unrar Path Traversal Vulnerability affects Zimbra Mail
We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker fully take over Zimbra instances via a flaw in unrar.
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups
We compare the targeting and business models of the Conti and LockBit ransomware groups using data analysis approaches. This will be presented in full at the 34th Annual FIRST Conference on June 27, 2022.
LockBit 3.0 introduces the first ransomware bug bounty program
The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks.
Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls.
Conti ransomware finally shuts down data leak, negotiation sites
The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand.
NSA, Partners Recommend Properly Configuring, Monitoring PowerShell in New Report
The National Security Agency (NSA) and partner cybersecurity authorities released a Cybersecurity Information Sheet today recommending that Microsoft Windows® operators and administrators properly
7-zip now supports Windows ‘Mark-of-the-Web’ security feature
7-zip has finally added support for the long-requested 'Mark-of-the-Web' Windows security feature, providing better protection from malicious downloaded files.
The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP
I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what …
