How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities
Volexity regularly prioritizes memory forensics when responding to incidents. This strategy improves investigative capabilities in many ways across Windows, Linux, and macOS. This blog post highlights some specific ways memory forensics played a key role in determining how two zero-day vulnerabilities were being chained together to achieve unauthenticated remote code execution in Ivanti Connect Secure VPN devices.
DarkGate malware delivered via Microsoft Teams - detection and response
While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats. Perhaps predictably, this feature has provided malicious actors a new avenue by which to exploit untrained or unaware users.
The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It
If you ever troubleshooted anything on Windows or investigated a suspicious event, you know that Windows store various types of events in Windows Event Log. An application crashed and you want to know more about it? Launch the Event Viewer and check the Application log. A service behaving strangely? See the System log. A user account got unexpectedly blocked? The Security log may reveal who or what blocked it. All these events are getting stored to various logs through the Windows Event Log service. Unsurprisingly, this service's description says: "Stopping this service may compromise security and reliability of the system." The Windows Event Log service performs many tasks. Not only is it responsible for writing events coming from various source to persistent file-based logs (residing in %SystemRoot%\System32\Winevt\Logs), it also provides structured access to these stored events through applications like Event Viewer. Furthermore, this service also performs "event forwarding" if you want your events sent to a central log repository like Splunk or Sumo Logic, an intrusion detection system or a SIEM server. Therefore, Windows Event Log service plays an important role in many organizations' intrusion detection and forensic capabilities. And by extension, their compliance check boxes.
Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini Driver
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog()
The Qualys Threat Research Unit (TRU) has recently unearthed four significant vulnerabilities in the GNU C Library, a cornerstone for countless applications in the Linux environment. Before diving into the specific details of the vulnerabilities discovered by the Qualys Threat Research Unit in the GNU C Library, it’s crucial to understand these findings’ broader impact and importance. The GNU C Library, or glibc, is an essential component of virtually every Linux-based system, serving as the core interface between applications and the Linux kernel. The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications.
GGerman police seizes $2.17 billion in bitcoin in 'most extensive' action ever
German police have confiscated 50,000 bitcoin worth $2.17 billion in the country's 'most extensive' cryptocurrency seizure ever, it said in a statement on Tuesday. "This is the most extensive seizure of bitcoins by law enforcement authorities in the Federal Republic of Germany to date," police in the city of Dresden said. The investigation was supported by the Federal Criminal Police Office (BKA), the FBI and a Munich-based forensic IT expert company, it said.
Hundreds of network operators’ credentials found circulating in Dark Web
Following a recent and highly disruptive cyberattack on telecom carrier Orange España the cybersecurity community needs to rethink its approach to safeguarding the digital identity of staff involved in network engineering and IT infrastructure management. Orange España is the second-largest mobile operator in Spain. In early January, an attacker going by the alias ‘Snow’ hijacked Orange España’s RIPE Network Coordination Centre (NCC) account. RIPE is Europe’s regional Internet registry. After this initial breach, Snow sabotaged the telecommunications firm’s border gateway protocol (BGP) and resource public key infrastructure (RPKI) configurations.
Public SSH keys can leak your private infrastructure
This article describes a minor security flaw in the SSH authentication protocol that can lead to unexpected private infrastructure disclosure. It also provides a PoC written in Python.
Exclusive: US disabled Chinese hacking network targeting critical infrastructure
The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, according to two Western security officials and one person familiar with the matter. The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters.
Energy giant Schneider Electric hit by Cactus ransomware attack
Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter.
Trello API abused to link email addresses to 15 million accounts
An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.
Researchers Say the Deepfake Biden Robocall Was Likely Made With Tools From AI Startup ElevenLabs
Two fake-audio experts say that the deepfake robocall of President Biden received by some voters last week was likely created with technology from Silicon Valley’s favorite voice-cloning startup.
As we move further into 2024, we must be cautious (maybe even fearful!) of ransomware cases increasing even more than in previous years. Though governments around the world are taking more interest in the worldwide threat, we can see from the increase of cases that our actions have not been enough to thwart the ransomware threat. As new groups continue to form, former groups continue to evolve into new brands, and the big players continue to ramp up their efforts, we must remain vigilant and focus on our preparation and early detection capabilities.
Midnight Blizzard: Guidance for responders on nation-state attack
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM.
23andMe data breach: Hackers stole raw genotype data, health reports
Genetic testing provider 23andMe confirmed that hackers stole health reports and raw genotype data of customers affected by a credential stuffing attack that went unnoticed for five months, from April 29 to September 27. #23andMe #Breach #Computer #Credential #DNA #Data #Genetics #Health #InfoSec #Leak #Security #Stuffing
Inside a Global Phone Spy Tool Monitoring Billions
A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool that can tracks billions of phone profiles through the advertising industry called Patternz. Google has taken action in response to 404 Media's inquiries.
X is being flooded with graphic Taylor Swift AI images
Fake sexually explicit images of Taylor Swift have been circulating on X over the last day in the latest example of the proliferation of AI-generated pornography.
.png?width=92&height=69&ar=&mode=crop&format=avif&dpr=2)
%2Fcloudfront-us-east-2.images.arcpublishing.com%2Freuters%2FZTUXGF5APVKW5KVYICVZLNLZUQ.jpg?width=92&height=69&ar=&mode=crop&format=avif&dpr=2)
%2Fcloudfront-us-east-2.images.arcpublishing.com%2Freuters%2FKT4T34WKHNKQ3HH6KRGVWKGA3Q.jpg?width=92&height=69&ar=&mode=crop&format=avif&dpr=2)
%2Fcdn.vox-cdn.com%2Fuploads%2Fchorus_asset%2Ffile%2F24805885%2FSTK160_X_Twitter_003.jpg?width=92&height=69&ar=&mode=crop&format=avif&dpr=2)
