Showing posts from March, 2023

Rapid 7 - Metasploit Weekly Wrap-up

Windows 11 AFD WinSock Priv Esc
The new windows/local/cve_2023_21768_afd_lpe exploit makes use of a brand new Windows kernel exploitation technique that leverages the new I/O ring feature introduced in Windows 11 21H2. This technique comes from Yarden Shafir's research and provides a full read/write primitive on Windows 11. This exploit is a write-where bug that allows arbitrary write of one byte in kernel memory. This is enough to modify the I/O ring internal structures and get remote code execution as the NT AUTHORITY\SYSTEM user. The Metasploit module is based on the exploit PoC authored by chompie1337 and b33f. Example running with Windows 11 Version 22H2 Build 22621.963 x64:
msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
[*] Started reverse TCP handler on 192.168.100.9:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Windows Build Number = 22621.963
[+] The target appears to be vulnerable.
[*] Launching netsh to...

Rapid 7 - What’s New in InsightVM and Nexpose: Q1 2023 in Review

In Q1, our team continued to focus on driving better customer outcomes with InsightVM and Nexpose by further improving efficiency and performance. While many of these updates are under the hood, you may have started to notice faster vulnerability checks available for the recent ETRs or an upgraded user interface for the console Admin page. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q1.
[InsightVM and Nexpose] View expiration date for Scan Assistant digital certificates
Scan Assistant, a lightweight service deployed on the asset, leverages the Scan Engine and digital certificates to securely deliver the core benefits of authenticated scanning without the need to manage traditional account-based credentials. Customers can now easily determine the validity of a Scan Assistant digital certificate by viewing the Expiration Date on the Shared Scan Credential Configuration page.
[InsightVM and Nexpose] A new look for the Console Administration page
We...

The Hacker News - Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint from The Hacker News https://thehackernews.com/2023/03/winter-vivern-apt-targets-european.html

KnowBe4 - The New Face of Fraud: FTC Sheds Light on AI-Enhanced Family Emergency Scams

The Federal Trade Commission is alerting consumers about a next-level, more sophisticated family emergency scam that uses AI that imitates the voice of a "family member in distress". from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/the-new-face-of-fraud-ftc-sheds-light-on-ai-enhanced-family-emergency-scams

The Hacker News - Deep Dive Into 6 Key Steps to Accelerate Your Incident Response

Organizations rely on incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow-on attacks or future related incidents. The SANS Institute provides research and education on information security. In the upcoming webinar, we’ll outline, in detail, six components of a SANS incident response plan, from The Hacker News https://thehackernews.com/2023/03/deep-dive-into-6-key-steps-to.html

The Hacker News - 3CX Supply Chain Attack — Here's What We Know So Far

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack. The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS. The company said it's engaging the services of Google-owned Mandiant to review the incident. In the from The Hacker News https://thehackernews.com/2023/03/3cx-supply-chain-attack-heres-what-we.html

Rapid 7 - Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign

Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Caitlin Condon, Stephen Fewer, and Christiaan Beek all contributed to this blog. On Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a legitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is popular video-conferencing software available for download on all major platforms. Several analyses have attributed the threat campaign to state-sponsored threat actors. Rapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI installer drops the following files: 3CXDesktopApp.exe, a benign file that loads the backdoored ffmpeg.dll, which reads an RC4-encrypted blob after the hexadecimal demarcation of fe ed fa ce in d3dcompiler.dll. The RC4-encrypted blob in d3dcompiler.dll i...

TrustedSec - What You Need to Know About SBOM

What is an SBOM?
A Software Bill of Materials (SBOM) is a hierarchical, itemized list of all dependencies, their version numbers and provenance for a given piece of software. It may also include other data, such as the license type or details about which database to query for vulnerability disclosure. SBOMs are not restricted to applications and can be created for many things, such as a Docker image, an operating system, or even hardware components.
What is an SBOM Used For?
While highly dependent on your goals, SBOMs can have many uses. Having all the relevant data at hand can lead to faster outcomes during incident response, better policy decisions backed by facts, and a greater awareness of your software security at large. SBOMs are valuable during the entire lifetime of a security program and are in some cases pivotal in customer acquisition.
When should you begin collecting, creating, and using SBOMs?
Now. Or right after you read through this blog. SBOMs are the sort of re...

The Hacker News - Cyberstorage: Leveraging the Multi-Cloud to Combat Data Exfiltration

Multi-cloud data storage, once merely a byproduct of the great cloud migration, has now become a strategy for data management. "Multi-cloud by design," and its companion the supercloud, is an ecosystem in which several cloud systems work together to provide many organizational benefits, including increased scale and overall resiliency. And now, even security teams who have long been the holdout from The Hacker News https://thehackernews.com/2023/03/cyberstorage-leveraging-multi-cloud-to.html

The Hacker News - AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security from The Hacker News https://thehackernews.com/2023/03/alienfox-malware-targets-api-keys-and.html

The Hacker News - 3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers. "The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls from The Hacker News https://thehackernews.com/2023/03/3cx-desktop-app-targeted-in-supply.html

Schneier - The Security Vulnerabilities of Message Interoperability

Jenny Blessing and Ross Anderson have evaluated the security of systems designed to allow the various Internet messaging platforms to interoperate with each other: The Digital Markets Act ruled that users on different platforms should be able to exchange messages with each other. This opens up a real Pandora’s box. How will the networks manage keys, authenticate users, and moderate content? How much metadata will have to be shared, and how? In our latest paper, One Protocol to Rule Them All? On Securing Interoperable Messaging, we explore the security tensions, the conflicts of interest, the usability traps, and the likely consequences for individual and institutional behaviour. Interoperability will vastly increase the attack surface at every level in the stack: from the cryptography up through usability to commercial incentives and the opportunities for government interference. It’s a good idea in theory, but will likely result in the overall security being the worst of each...

The Hacker News - Trojanized TOR Browser Installers Spreading Crypto-Stealing Clipper Malware

Trojanized installers for the TOR anonymity browser are being used to target users in Russia and Eastern Europe with clipper malware designed to siphon cryptocurrencies since September 2022. "Clipboard injectors [...] can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a crypto wallet address," Vitaly Kamluk, director of from The Hacker News https://thehackernews.com/2023/03/trojanized-tor-browser-installers.html

The Hacker News - North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations

A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group's motives are both espionage- and financially-motivated, leveraging techniques like credential from The Hacker News https://thehackernews.com/2023/03/north-korean-apt43-group-uses.html

The Hacker News - Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report from The Hacker News https://thehackernews.com/2023/03/stealthy-dbatloader-malware-loader.html

The Hacker News - President Biden Signs Executive Order Restricting Use of Commercial Spyware

U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person." It also seeks to ensure that the government's use of from The Hacker News https://thehackernews.com/2023/03/president-biden-signs-executive-order.html

The Hacker News - U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground. "All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to from The Hacker News https://thehackernews.com/2023/03/uk-national-crime-agency-sets-up-fake.html

The Hacker News - THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps

Any app that can improve business operations is quickly added to the SaaS stack. However, employees don't realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, significantly increases risk. Whether employees connect through Microsoft 365, Google Workspace, Slack, Salesforce, or any other app, security teams have no way to quantify their from The Hacker News https://thehackernews.com/2023/03/thn-webinar-inside-high-risk-of-3rd.html

KnowBe4 - The Dangers of Vishing Campaigns and How To Protect Yourself

In recent years, cybercrime has evolved to become more sophisticated than ever before. One of the up-and-coming methods used by criminals is vishing (voice phishing). This is where an attacker phones up a victim to simulate a trusted source such as a bank to phish for sensitive information. No one is immune from a vishing attack, even the Social Security Administration. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/vishing-campaign-dangers

The Hacker News - GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or from The Hacker News https://thehackernews.com/2023/03/github-swiftly-replaces-exposed-rsa-ssh.html

Schneier - Exploding USB Sticks

In case you don’t have enough to worry about, people are hiding explosives—actual ones—in USB sticks: In the port city of Guayaquil, journalist Lenin Artieda of the Ecuavisa private TV station received an envelope containing a pen drive which exploded when he inserted it into a computer, his employer said. Artieda sustained slight injuries to one hand and his face, said police official Xavier Chango. No one else was hurt. Chango said the USB drive sent to Artieda could have been loaded with RDX, a military-type explosive. More: According to police official Xavier Chango, the flash drive that went off had a 5-volt explosive charge and is thought to have used RDX. Also known as T4, according to the Environmental Protection Agency (PDF), militaries, including the US’s, use RDX, which “can be used alone as a base charge for detonators or mixed with other explosives, such as TNT.” Chango said it comes in capsules measuring about 1 cm, but only half of it was activated in the dri...

The Hacker News - Researchers Uncover Chinese Nation State Hackers' Deceptive Attack Strategies

A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a from The Hacker News https://thehackernews.com/2023/03/researchers-uncover-chinese-nation.html

The Hacker News - Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit from The Hacker News https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html

KnowBe4 - Facebook and Microsoft Top the List of Most Impersonated Brands in 2022

As scammers continue to see massive returns on their phishing attacks, the use of impersonation with well-known brands continues to circle around the dominant players. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/facebook-microsoft-most-impersonated-brands-2022

The Hacker News - 2023 Cybersecurity Maturity Report Reveals Organizational Unpreparedness for Cyberattacks

In 2022 alone, global cyberattacks increased by 38%, resulting in substantial business loss, including financial and reputational damage. Meanwhile, corporate security budgets have risen significantly because of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. With this rise in threats, budgets, and solutions, how prepared are industries from The Hacker News https://thehackernews.com/2023/03/2023-cybersecurity-maturity-report.html

Schneier - Mass Ransomware Attack

A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack : TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward. However, while the number of victims of the mass-hack is widening, the known impact is murky at best. Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files. from Schneier on Security https://www.schneier.com/blog/archives/2023/03/mass-ransomware-attack.html

The Hacker News - Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell based on tooling overlaps. "The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy from The Hacker News https://thehackernews.com/2023/03/operation-soft-cell-chinese-hackers.html

The Hacker News - German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS from The Hacker News https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html

Krebs - Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones. In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device. Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question. On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to sho...

The Hacker News - Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

The NuGet repository is the target of a new "sophisticated and highly-malicious attack" aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. "The packages contained a PowerShell script that would execute upon installation and trigger a download of a ' from The Hacker News https://thehackernews.com/2023/03/rogue-nuget-packages-infect-net.html

The Hacker News - New NAPLISTENER Malware Used by REF2924 Group to Evade Network Detection

The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia. The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection." REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity from The Hacker News https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html

The Hacker News - BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum

In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end." "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram from The Hacker News https://thehackernews.com/2023/03/breachforums-administrator-baphomet.html

The Hacker News - From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The from The Hacker News https://thehackernews.com/2023/03/from-ransomware-to-cyber-espionage-55.html

The Hacker News - Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company said in an advisory published over the from The Hacker News https://thehackernews.com/2023/03/hackers-steal-over-16-million-in-crypto.html

KnowBe4 - Warning Customers About Social Engineering.

It’s a familiar story: scam artists impersonate a trusted brand, a trusted business or a trusted authority in emails and on bogus sites designed to exploit that very trust to commit fraud. Generally, this isn’t the fault of the person or organization being impersonated. But it’s worth remembering that there are practices and policies an organization can take to help keep their customers and other stakeholders protected from this kind of fraud. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/warning-customers-about-social-engineering

KnowBe4 - A 240% Rise in Dynamic Phishing

Attackers are increasingly using techniques to prevent their phishing pages from being detected by security firms, a new report from BlueVoyant has found. The report found that in 2022 there was a 240% increase in phishing pages that attempted to redirect potential security researchers and bots away from the sites. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/a-240-rise-in-dynamic-phishing

KnowBe4 - [Black Eye] The Lesson We Learned. Don't Let this Happen to You. #DMARC

Mea Culpa. When you make a mistake, admit you made a mistake. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/black-eye-the-lesson-we-learned.-dont-let-this-happen-to-you.-dmarc

The Hacker News - Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

The zero-day exploitation of a now-patched medium-security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. from The Hacker News https://thehackernews.com/2023/03/chinese-hackers-exploit-fortinet-zero.html

The Hacker News - FakeCalls Vishing Malware Targets South Korean Users via Popular Financial Apps

An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps. "FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device," cybersecurity firm Check Point said. from The Hacker News https://thehackernews.com/2023/03/fakecalls-vishing-malware-targets-south.html

TrustedSec - Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Threat Overview
Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of Microsoft Outlook users with minimal complexity or effort. This vulnerability can be exploited by sending an email to a target user but does not require that user to open the email. It poses a dire threat to vulnerable organizations, as threat actors can repeatedly execute this attack and commandeer user accounts while the user is none the wiser.
How it Works
CVE-2023-23397 functions from a network-based attack vector. It starts with a specially crafted email containing a malicious calendar or meeting invite. A custom notification sound is added that bypasses the default WAV file and instead contains a path to ...