BuzzSec

Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name. According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administratio n (CISA), Snatch was originally named Team Truniger , based on the nickname of the group’s founder and organizer — Truniger. The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab , an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims . GandCrab dissolved in July 2019, and is thought to have become “ REvil ,” one of the most ruthless and rapacious Russian ransomware groups of all

The U.S. Federal Bureau of Investigation (FBI) is warning of a new trend of dual ransomware attacks targeting the same victims, at least since July 2023. "During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal," the FBI said in an alert. "Variants from The Hacker News https://thehackernews.com/2023/09/fbi-warns-of-rising-trend-of-dual.html

Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy  from The Hacker News https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html

Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. DoubleFinger was first from The Hacker News https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html

On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting the Ad Hoc Transfer module in WS_FTP Server , a secure file transfer solution. There are a number of vulnerabilities in the advisory, two of which are critical (CVE-2023-40044 and CVE-2023-42657). Rapid7 is not aware of any exploitation in the wild as of September 29, 2023. Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget. The vulnerabilities in the advisory span a range of affected versions, and several affect only WS_FTP servers that have the Ad Hoc Transfer module enabled. Nevertheless, Progress Software’s advisory urges all customers to update to WS_FTP Server 8.8.2, which is the latest version of the software. Rapid7 echoes this recommendation.The vendor advisory has guidance on upgrading, along with inf

Check out the 66 new pieces of training content added in September, alongside the always fresh content update highlights, events and new features. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-content-updates-september-2023

Nearly 70% of companies that are breached are likely to get breached again within twelve months ( CPO ). Effective remediation and addressing attacks at the root is key to staying ahead of threats and recurring breaches on the endpoint. Strong Digital Forensics and Incident Response (DFIR) ready to go when any incident occurs is a critical piece of a security team’s toolkit and drives successful response and remediation. With this in mind, we’re excited to announce the integration of Velociraptor , Rapid7’s leading open-source DFIR framework, into the Insight Platform for InsightIDR Ultimate users — all with no additional deployment or configurations required. Already utilized in the field by our Incident Response experts on behalf of Managed Detection and Response (MDR) customers, InsightIDR Ultimate users can now experience the power of Velociraptor, from daily threat monitoring and hunting to swift threat response. Key benefits of Velociraptor in InsightIDR: Hunt for threats a

The North Korea-linked Lazarus Group has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta. "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding from The Hacker News https://thehackernews.com/2023/09/lazarus-group-impersonates-recruiter.html

Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it's keeping them up tonight.  Today, many rely on encryption in their daily lives to protect their fundamental digital privacy and security, whether for messaging friends and family, storing files and photos, or from The Hacker News https://thehackernews.com/2023/09/post-quantum-cryptography-finally-real.html

Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an  from The Hacker News https://thehackernews.com/2023/09/microsofts-ai-powered-bing-chat-ads-may.html

Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a from The Hacker News https://thehackernews.com/2023/09/progress-software-releases-urgent.html

Attackers are using zero-point fonts to make phishing emails appear as though they’ve been verified by security scanners, BleepingComputer reports. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/zero-point-fonts-phishing-emails

The latest cyber claims report from Coalition , a digital risk insurance provider, finds a 12% increase in cyber insurance claims in the first half of 2023 over the second half of 2022, due to surging attack frequency and severity. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyber-insurance-claims-increase

Researchers at NSFOCUS are tracking a phishing campaign by a new threat actor called “AtlasCross” that’s impersonating the Red Cross in order to deliver malware. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/red-cross-impersonation-malware

Do you need an easy, automated way to provide real-time feedback the moment your users make risky mistakes to help reinforce the training campaigns you manage today? from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/live-demo-securitycoach-october-2023

When asked why he robbed banks, Willie Sutton, one of the first fugitives named to the U.S. FBI’s most wanted list, reportedly replied, “Because that’s where the money is.”  As any infosec professional working for a financial institution can tell you, loads of cybercriminals will likely agree with that sentiment.  from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/exploring-dora-takeways-eu-financial-sector-regulation

The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle from The Hacker News https://thehackernews.com/2023/09/the-dark-side-of-browser-isolation-and.html

Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset. The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, from The Hacker News https://thehackernews.com/2023/09/china-linked-budworm-targeting-middle.html

The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams , Adobe Reader , Mozilla Thunderbird , and Discord . First spotted in 2018 , the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor . The victim shaming website for the Snatch ransomware gang. KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about th

Both Apple and Google have recently reported critical vulnerabilities in their systems—iOS and Chrome, respectively—that are ultimately the result of the same vulnerability in the libwebp library: On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images. Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under act

A new malware strain called ZenRAT has emerged in the wild that's distributed via bogus installation packages of the Bitwarden password manager. "The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information from The Hacker News https://thehackernews.com/2023/09/new-zenrat-malware-targeting-windows.html

Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially from The Hacker News https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html

from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-13-39-how-chinese-bad-actors-infected-networks-with-thumb-stick-malware

In the first timeline of August, I collected 169 events (corresponding to 11.27 events per day), a considerable decrease compared to the the second half of July... from HACKMAGEDDON https://www.hackmageddon.com/2023/09/26/1-15-august-2023-cyber-attacks-timeline/

A "multi-year" Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations. Recorded Future's Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to "Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, from The Hacker News https://thehackernews.com/2023/09/chinese-hackers-tag-74-targets-south.html

A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, from The Hacker News https://thehackernews.com/2023/09/critical-jetbrains-teamcity-flaw-could.html

Seen Christopher Nolan's movie Inception ? If you haven't, it's about a thief who is given the task of planting an idea into the mind of a CEO. The technology of implanting ideas is nothing new. Communist regimes were the very early countries developing mind control technologies. American psychologists have also experimented with subliminal messaging including in advertising . from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/yikes-ai-now-enables-subliminal-image-inception

Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News. "This combination from The Hacker News https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html

The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023. "The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the from The Hacker News https://thehackernews.com/2023/09/latest-apple-zero-days-used-to-hack.html

The post Talkin’ About Infosec News – 9/18/2023 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/talkin-about-infosec-news-9-18-2023/

Improved Ticket Forging Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present - the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user provided domain SID and user RID. For example: msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f64924fb50be1e23978 domain_sid=S-1-5-21-1242350107-3695253863-3717863007 USER_RID=500 domain=demo.local user=Administrator action=FORGE_GOLDEN [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230915213733_default_unknown_mit.kerberos.cca_219182.bin [*] Primary Principal: Administrator@DEMO.LOCAL Ccache version: 4 .... Pac Requestor: SID: S-1-5-21-1242350107-3695253863-3717863007-500 Pac Attributes: Flag length: 2

An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called BBTok, particularly users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," from The Hacker News https://thehackernews.com/2023/09/new-variant-of-banking-trojan-bbtok.html

Thorough, independent tests are a vital resource for analyzing provider’s capabilities to guard against increasingly sophisticated threats to their organization. And perhaps no assessment is more widely trusted than the annual MITRE Engenuity ATT&CK Evaluation.  This testing is critical for evaluating vendors because it’s virtually impossible to evaluate cybersecurity vendors based on their own from The Hacker News https://thehackernews.com/2023/09/how-to-interpret-2023-mitre-att.html

Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as OilRig in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously documented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential from The Hacker News https://thehackernews.com/2023/09/iranian-nation-state-actor-oilrig.html

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. The Australian software services provider said that the four high-severity flaws were fixed in new versions shipped last month. This includes - CVE-2022-25647 (CVSS score: 7.5) - A deserialization from The Hacker News https://thehackernews.com/2023/09/high-severity-flaws-uncovered-in.html

I was recently involved in an engagement where access was controlled by Basic Authentication. One (1) of the findings I discovered was a Cross-Site Request Forgery (CSRF) vulnerability. The client was unsure of the best approach to prevent CSRF in the context of using Basic Authentication. In this blog post, I will examine the security deficiencies of Basic Authentication, compare it to token-based and JWT-based authentication and authorization, and explore strategies for mitigating CSRF vulnerabilities while utilizing Basic Authentication. The Deficiencies of Basic Authentication Basic Authentication has been a foundational method of user authentication on the web for decades. However, as technology and security threats evolve, the deficiencies of Basic Authentication have become increasingly apparent. Let’s examine the inherent weaknesses of Basic Authentication and why it’s important to consider alternative authentication methods. One (1) of the most critical deficiencies of Basi

Jake Appelbaum’s PhD thesis contains several new revelations from the classified NSA documents provided to journalists by Edward Snowden. Nothing major, but a few more tidbits. Kind of amazing that that all happened ten years ago. At this point, those documents are more historical than anything else. And it’s unclear who has those archives anymore. According to Appelbaum, The Intercept destroyed their copy. I recently published an essay about my experiences ten years ago. from Schneier on Security https://www.schneier.com/blog/archives/2023/09/new-revelations-from-the-snowden-documents.html

Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a “hub” app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third party apps, and the potential from The Hacker News https://thehackernews.com/2023/09/the-rise-of-malicious-app.html

China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries. In a message posted on WeChat, the government authority said U.S. intelligence agencies have "done everything possible" to conduct surveillance, secret theft, and intrusions on from The Hacker News https://thehackernews.com/2023/09/china-accuses-us-of-decade-long-cyber.html

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated from The Hacker News https://thehackernews.com/2023/09/cyber-group-gold-melody-selling.html

The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it said in an alert last week. "Only a small subset of users, specifically from The Hacker News https://thehackernews.com/2023/09/ukrainian-hacker-suspected-to-be-behind.html

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as from The Hacker News https://thehackernews.com/2023/09/beware-fake-exploit-for-winrar.html

The latest data from IBM shows that the average cost of a data breach has gone up by 2% to a whopping $4.45 million. You would think that in the cybersecurity industry, people would be all about safety and security, right? I mean, it's literally in the name. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/data-breach-costs-rise-cybersecurity-pros-take-risks

Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH). "With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current from The Hacker News https://thehackernews.com/2023/09/signal-messenger-introduces-pqxdh.html

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. "It was possible for an attacker to run pipelines as an arbitrary user via scheduled from The Hacker News https://thehackernews.com/2023/09/gitlab-releases-urgent-security-patches.html

Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted from The Hacker News https://thehackernews.com/2023/09/trend-micro-releases-urgent-fix-for.html

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers from The Hacker News https://thehackernews.com/2023/09/operation-rusty-flag-azerbaijan.html

XWorm is a relatively new representative of the remote access trojan cohort that has already earned its spot among the most persistent threats across the globe.  Since 2022, when it was first observed by researchers, it has undergone a number of major updates that have significantly enhanced its functionality and solidified its staying power.  The analyst team at ANY.RUN came across the newest from The Hacker News https://thehackernews.com/2023/09/inside-code-of-new-xworm-variant.html

The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on from The Hacker News https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html

There are no reliable ways to distinguish text written by a human from text written by an large language model. OpenAI writes : Do AI detectors work? In short, no. While some (including OpenAI) have released tools that purport to detect AI-generated content, none of these have proven to reliably distinguish between AI-generated and human-generated content. Additionally, ChatGPT has no “knowledge” of what content could be AI-generated. It will sometimes make up responses to questions like “did you write this [essay]?” or “could this have been written by AI?” These responses are random and have no basis in fact. To elaborate on our research into the shortcomings of detectors, one of our key findings was that these tools sometimes suggest that human-written content was generated by AI. When we at OpenAI tried to train an AI-generated content detector, we found that it labeled human-written text like Shakespeare and the Declaration of Independence as AI-generated. There were also i

The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security from The Hacker News https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets from The Hacker News https://thehackernews.com/2023/09/microsoft-ai-researchers-accidentally.html

For a long time, Red Teamers have been preaching the mantra “Don’t make Domain Admin the goal of the assessment” and it appears that customers are listening. Now, you’re much more likely to see objectives focused on services critical to an organization, with many being hosted in the cloud. With this shift in delegating some of the security burden to cloud services, it’s commonplace to find Identity Providers (IDP) like Microsoft Entra ID or Okta being used. This means that our attention as attackers also needs to shift to encompass these services too. In this blog post, I’ll discuss some of the post-exploitation techniques that I’ve found to be useful against one such provider, Okta, which has been one of the more popular solutions found in customer environments. It should be noted that everything in this post is by design. You’ll find no 0dayz here, and many of the techniques require administrative access to pull off. However, to say that the methods demonstrated in this post have