Latest news of INFOSEC (EN) 1. Latest Vulnerability. 2. Latest Patch. 3. Privacy Breach. 4. Security Breach. 5. InfoSec News. German Version 🇩🇪 @cRyPtHoN_INFOSEC_DE France Version 🇫🇷 @cRyPtHoN_INFOSEC_FR Italian Version 🇮🇹 @cRyPtHoN_INFOSEC_IT
DarkGate Opens Organizations for Attack via Skype, Teams
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads were introduced to the environment.
From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) abusing instant messaging platforms to deliver a VBA loader script to victims. This script downloaded and executed a second-stage payload consisting of an AutoIT script containing the DarkGate malware code. It’s unclear how the originating accounts of the instant messaging applications were compromised,
https://www.trendmicro.com/en_ph/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts
“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.
Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.
https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
After hackers distribute malware in-game updates, Steam adds SMS-based security check for developers
Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware.
Last month, some game players reported receiving messages from Steam's support team telling them that updated games they played via the platform had contained malware.
Valve claimed that fewer than 100 people had downloaded the malware-laced games - a figure that, of course, is impossible to independently verify.
https://www.bitdefender.com/blog/hotforsecurity/after-hackers-distribute-malware-in-game-updates-steam-adds-sms-based-security-check-for-developers/
New Phishing Campaign Uses LinkedIn Smart Links in Blanket Attack
Email security provider Cofense has discovered a new phishing campaign comprising over 800 emails and using LinkedIn Smart Links.
The campaign was active between July and August 2023 and involved various subject themes, such as financial, document, security, and general notification lures, reaching users’ inboxes across multiple industries.
https://www.infosecurity-magazine.com/news/new-phishing-campaign-uses/
Ubuntu kills release 23.10 after 'hate speech' discovered in it
Ubuntu, the most popular Linux distribution, has pulled its Desktop release 23.10 after its Ukrainian translations were discovered to contain hate speech.
According to the Ubuntu project, a malicious contributor is behind anti-Semitic, homophobic, and xenophobic slurs that were injected into the distro via a "third party tool" that lives outside of the Ubuntu Archive.
Ukrainian translations laced with 'insulting' strings
This week, Ubuntu took down its Desktop installer 23.10 after spotting insulting strings buried in its Ukrainian release.
"We have identified hate speech from a malicious contributor in some of our translations submitted as part of a third party tool outside of the Ubuntu Archive," announced the project.
https://www.bleepingcomputer.com/news/security/ubuntu-kills-release-2310-after-hate-speech-discovered-in-it/
Phylum Discovers SeroXen RAT in Typosquatted NuGet Package
On October 6, 2023, Phylum’s automated risk detection platform alerted us to a suspicious publication on NuGet. After working through several layers of obfuscation we ultimately discovered that this package was delivering SeroXen RAT.
Background
The package in question is Pathoschild.Stardew.Mod.Build.Config published by a user called Disti. The package is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig. Notice the lack of dots in the “ModBuildConfig” part — the legitimate package does NOT contain the dots.
https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
elementary OS
The thoughtful, capable, and ethical replacement for Windows and macOS
What’s New in elementary OS 7.1
Made with care with you in mind. OS 7.1 provides new personalization options that make it more inclusive and accessible, protects your privacy and ensures apps always operate with your explicit consent, and addresses your feedback with over 200 bug fixes, design changes, and new features.
https://elementary.io/
That day you find you’re suddenly in charge of Facebook’s official UK account
According to media reports, Facebook’s official UK account was compromised on Friday evening.
And, it seems, whoever gained the unexpected ability to push out messages from Facebook’s official UK account was as baffled as to what was going on as the thousands of people who saw the post.
https://grahamcluley.com/that-day-you-find-youre-suddenly-in-charge-of-facebooks-official-uk-account/
https://www.dailymail.co.uk/news/article-12604017/Facebook-account-hacked-Social-media-bizarre-posts-ex-Pakistani-prime-minister-Imran-Khan.html
55 Vulnerabilities in Squid Caching Proxy and 35 0days
In 2021, I performed a security audit of The Squid Caching Proxy. Squid is by far the most well known open-source forwarding HTTP proxy, and is used in many contexts, like corporations that want to filter or cache content, companies that claim to provide a “VPN”, hobbyists, and even a few websites that use Squid as a reverse proxy. There are currently over 2.5 million instances available on the internet.
Using various techniques such as fuzzing, manual code review and static analysis, I discovered 55 security vulnerabilities (as well as 26 non-security bugs). Along the way, I also added Leak Sanitizer (LSAN) support to AFL++, and had some fun with some new techniques like setting up parallel fuzzing using network file systems.
https://joshua.hu/squid-security-audit-35-0days-45-exploits
European Police Hackathon Hunts Down Traffickers
Law enforcers from 26 countries came together recently in a hackathon designed to enhance intelligence gathering on human trafficking gangs, according to Europol.
The three-day operation took place in the Dutch municipality of Apeldoorn, with officers from all 22 EU member states and four “third countries” taking part, alongside representatives from Interpol, the European Labour Authority and other organizations.
https://www.infosecurity-magazine.com/news/european-police-hackathon-hunts/
Why Your Privacy Score Matters More than Ever
Not so long ago, a report stated that ‘130 million Aadhaar numbers were exposed online’ by just a handful of websites. In light of this and other similar headlines that hit the news daily, there is no denying that safeguarding online privacy has become critical. Startling statistics such as these serve as alarming wake-up calls, reminding us that every personal detail shared or stored online provides a limitless goldmine for cybercriminals. It is apparent that safeguarding data and digital identity is paramount in our interconnected world, and protecting personal information is more critical than ever before.
https://blogs.quickheal.com/why-your-privacy-score-matters-more-than-ever/
Resurgence of LinkedIn Smart Links Identified in Sizable Credential Phishing Campaign
In 2022, the Cofense Phishing Defense Center (PDC) detected phishing campaigns that used LinkedIn links called Smart Links or “slink” to bypass secure email gateways (SEGs) and deliver credential phishing, which was covered previously in the LinkedIn Smart Links blog. Smart Links are links utilized by a LinkedIn team or business account connected to LinkedIn Sales Navigator services that provide content and track engagement metrics. A year later, in late July into August, a resurgence of Smart Links was identified in a sizable credential phishing campaign targeting Microsoft Office credentials, creeping into inboxes once again.
https://cofense.com/blog/linkedin-smart-links-credential-phishing-campaign/
AdGuard Home - Network-wide ads & trackers blocking DNS server
Privacy protection center for you and your devices
Free and open source, powerful network-wide ads & trackers blocking DNS server.
AdGuard Home is a network-wide software for blocking ads and tracking. After you set it up, it'll cover ALL your home devices, and you don't need any client-side software for that.
It operates as a DNS server that re-routes tracking domains to a “black hole”, thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers, and both share a lot of code.
https://github.com/AdguardTeam/AdGuardHome
Brave Browser 1.59 is here with security and crash fixes
Brave Browser 1.59 is the new desktop version of the Chromium-based web browser. The release revamps the main menu of the browser, introduces a few new options and fixes security issues and crashes next to that.
The new version is in distribution already and most installations of Brave Browser on the desktop should receive it automatically.
You can check the version by selecting Menu > Help > About Brave. The browser runs a check for updates when the page is opened. It should download and install any new version that it finds during the check automatically.
https://www.ghacks.net/2023/10/12/brave-browser-1-59-is-here-with-security-and-crash-fixes/
Long-awaited curl vulnerability flops
The flaw in the widely used open source software package was expected to be the next great catastrophe in computer security.
A pair of highly anticipated vulnerabilities revealed on Wednesday in a ubiquitous piece of open source software appear to be far less threatening than many researchers feared.
The two vulnerabilities impact the curl and libcurl programs, which are believed to have been installed some 50 billion times and are used to transfer files using network protocols. The two programs represent basic building blocks of the internet, and a sufficiently severe bug impacting them might impact nearly anything connecting to a web server.
https://cyberscoop.com/curl-vulnerability-open-source/
Edge 118: updated on-page search may send data to Microsoft
Microsoft has released Microsoft Edge 118, a new stable version of the Chromium-based web browser. The new browser version fixes security issues in Edge and introduces a handful of changes.
One of the important ones is an improved Find on page feature. All browsers support an option to search for text on the active website. It is a useful feature, especially if a website is large, as it may help you find specific words or phrases that you are interested in.
It works by using Ctrl-F to open a search field and typing text. The browser processes the page locally and highlights any matches.
https://www.ghacks.net/2023/10/14/edge-118-updated-on-page-search-may-send-data-to-microsoft/
Access Key Used in Voice Messaged Phishing Campaign
Found in environments protected by: Microsoft EOP
A method of communication that remains important in our modern world is that of the voice message. The PDC recently observed a phishing campaign where threat actors included an access key in the body as a way to entice the user to access the voice message that had been left for them to review.
In Figure 1, we can see the email notifying the user of the messages available.
We note the use of a Zoom-esque domain. The attachment, which includes the date in the name, is an HTML file that will act as the first stage of the attack. The convincing aspect of this stage of the attack is the use of the access key. It is an attempt by the threat actors to personalize the email for the user.
https://cofense.com/blog/access-key-used-in-voice-messaged-phishing/
ChatGPT at work: how chatbots help employees, but threaten business
Only a few months ago, ChatGPT and other chatbots based on large language models (LLMs) were still a novelty. Users enjoyed using them to compose poems and lyrics in the style of famous artists (which left Nick Cave, for example, decidedly unimpressed), researchers debated blowing up data centers to prevent super AI from unleashing Armageddon, while security specialists persuaded a stubborn chatbot to give them phone-tapping and car-jacking instructions.
Fast forward to today, and many people are already reliant on ChatGPT in their jobs. So much so, in fact, that whenever the service is down (which attracts media coverage), users take to social networks to moan about having to use their brains again.
https://securelist.com/llm-based-chatbots-privacy/110733/
Understanding DNS Tunneling Traffic in the Wild
We present a study on why and how domain name system (DNS) tunneling techniques are used in the wild. Motivated by our findings, we present a system to automatically attribute tunneling domains to tools and campaigns.
Attackers adopt DNS tunneling techniques to bypass security policies in enterprise networks because most enterprises implement relatively permissive policies for DNS traffic. Previous research has shown that malware campaigns such as SUNBURST and OilRig use DNS tunneling for command and control (C2).
However, many aspects of how attackers use DNS tunneling in the wild remain unknown. For example, do they use DNS tunneling techniques exclusively for C2? How do they implement and host these techniques?
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild/
Password Manager KeePass 2.55 warns users about weak security settings
A new version of the password manager KeePass is now available. KeePass 2.55 is a smaller release that improves security and import functionality, and introduces some new features to the application.
The new version is already available for download. Users still have the choice between an installer and a portable version. The installer may update any existing installation to the latest version.
Selecting Help > About KeePass in the interface displays the current version. There is also Help > Check for updates, which runs a check for updates. KeePass does not include automatic update capabilities though.
https://www.ghacks.net/2023/10/13/password-manager-keepass-2-55-warns-users-about-weak-security-settings/
New Clues Suggest Stolen FTX Funds Went to Russia-Linked Money Launderers
Whoever looted FTX on the day of its bankruptcy has now moved the stolen money through a long string of intermediaries—and eventually some that look Russian in origin.
As the criminal trial of FTX founder Sam Bankman-Fried unfolds in a Manhattan courtroom, some observers in the cryptocurrency world have been watching a different FTX-related crime in progress: The still-unidentified thieves who stole more than $400 million out of FTX on the same day that the exchange declared bankruptcy have, after nine months of silence, been busy moving those funds across blockchains in an apparent attempt to cash out their loot while covering their tracks.
https://www.wired.com/story/ftx-hack-400-million-crypto-laundering/
Indian state government fixes website bug that revealed Aadhaar numbers and fingerprints
A security researcher says a bug on an Indian state government website inadvertently revealed documents containing residents’ Aadhaar numbers, identity cards, and copies of their fingerprints.
The bug was fixed last week after the security researcher disclosed the bug to local authorities.
Sourajeet Majumder found the bug in the West Bengal government’s e-District web portal that allows state residents to access government services online, like obtaining birth and death certificates and building applications. Majumder said the website bug meant it was possible to obtain land deeds, which contain records about the owners of a piece of land, from the e-District website by guessing sequential deed application numbers.
https://techcrunch.com/2023/10/12/india-aadhaar-fingerprints-west-bengal/
ToddyCat: Keep calm and check logs
ToddyCat is an advanced APT actor that we described in a previous publication last year. The group started its activities in December 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia.
Our first publication was focused on their main tools, Ninja Trojan and Samurai Backdoor, and we also described the set of loaders used to launch them. We described how the attacker compromised publicly exposed servers using a vulnerability in Microsoft Exchange, how they targeted desktops by sending malicious loaders, and how they guarantee their persistence using a multi-stage loading scheme.
https://securelist.com/toddycat-keep-calm-and-check-logs/110696/
FBI shares AvosLocker ransomware technical details, defense tips
The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell and batch scripts.
In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) also share a YARA rule for detecting malware in the guise of a legitimate network monitoring tool.
Mixing in open-source and legitimate software
AvosLocker ransomware affiliates are known to use legitimate software and open-source code for remote system administration to compromise and exfiltrate data from enterprise networks.
https://www.bleepingcomputer.com/news/security/fbi-shares-avoslocker-ransomware-technical-details-defense-tips/
Stayin’ Alive – Targeted Attacks Against Telecoms and Government Ministries in Asia
In the last few months, Check Point Research has been tracking “Stayin’ Alive”, an ongoing campaign that has been active since at least 2021. The campaign operates in Asia, primarily targeting the Telecom industry, as well as government organizations.
The “Stayin’ Alive” campaign consists mostly of downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations. The first downloader found, called CurKeep, targeted Vietnam, Uzbekistan, and Kazakhstan. As we conducted our analysis, we realized that this campaign is part of a much wider campaign targeting the region.
https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/
Apple fixes iOS Kernel zero-day vulnerability on older iPhones
Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory.
The first zero-day (tracked as CVE-2023-42824) is a privilege escalation vulnerability caused by a weakness in the XNU kernel that can let local attackers elevate privileges on vulnerable iPhones and iPads.
https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-day-vulnerability-on-older-iphones/
https://www.securityweek.com/apple-releases-ios-16-update-to-patch-exploited-vulnerability/
10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows
Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch, in an industrial cellular router.
Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.
The one other security issue Talos has disclosed over the past two weeks is a use-after-free vulnerability in an open-source port of WebKit, a popular content rendering engine used in popular web browsers like Apple Safari.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org,
https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-router/
Shadow PC warns of data breach as hacker tries to sell gamers' info
Shadow PC, a provider of high-end cloud computing services, is warning customers of a data breach that exposed customers' private information, as a threat actor claims to be selling the stolen data for over 500,000 customers.
Shadow is a cloud gaming service providing users with high-end Windows PCs streamed to their local devices (PCs, laptops, smartphones, tablets, smart TVs), allowing them to run demanding AAA games on a virtual computer.
According to multiple tips sent to BleepingComputer yesterday from Shadow customers, the company has begun sending data breach notifications following a successful social engineering attack targeting its employees.
https://www.bleepingcomputer.com/news/security/shadow-pc-warns-of-data-breach-as-hacker-tries-to-sell-gamers-info/
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, targeting D-Link devices, Netis wireless routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
Using Velociraptor for large-scale endpoint visibility and rapid threat hunting
Introduction
Velociraptor is an open source and free-to-use digital forensics tool from Rapid7. It can be used to assist in collection, analysis and monitoring on Windows, Linux and Mac systems. It is designed to handle large-scale deployments, making it suitable for enterprise networks.
Essentially, Velociraptor provides precision optics in a minefield. You can have sight of an entire stack of endpoints and cut through all the noise to find the single malicious process on a handful of malicious endpoints, all in a matter of commands. Doing this manually, using traditional digital forensics methods, just isn’t possible when you’re under an active breach.
https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-scale-endpoint-visibility-and-rapid-threat-hunting/