Cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!


🐛 NEW SECURITY CONTENT 🐛

⌚ watchOS 10.6.1 - This update has no published CVE entries.
📺 tvOS 17.6.1 - This update has no published CVE entries.
💻 macOS Ventura 13.6.9 - This update has no published CVE entries.
💻 macOS Sonoma 14.6.1 - This update has no published CVE entries.
📱 iOS and iPadOS 17.6.1 - This update has no published CVE entries.
📱 iOS and iPadOS 16.7.10 - This update has no published CVE entries.

#apple #cybersecurity #infosec #security #ios


🧪 NEW BETA RELEASE 🧪

🥽 visionOS 2 beta 9 (22N5319a)
https://developer.apple.com/news/releases

#apple #cybersecurity #infosec #security #ios


Happy Tuesday all!

A hacktivist group named Head Mare is making its presence known in Russia and Belarus and Kaspersky shares the technical details they discovered. Recently the group has been abusing CVE-2023-38831 (a vulnerability in WinRAR) to gain initial access and to execute arbitrary code on the victim's machine. Once on the machine the group uses different strains of ransomware, off the shelf toolkits (Sliver), and good ol' Mimikatz.

As far as the techniques go, there is one that cannot be ignored, the Registry Run key used for persistence, but what was interesting was the defense evasion techniques they showed, which they accomplished in a two-step fashion. First, they created scheduled tasks with names that hinted they were part of legitimate operations (MicrosoftUpdateCore and MicrosoftUpdateCoree), and then had the dropped malware imitate legitimate software names (OneDrive.exe and VLC.exe), stored in the C:\ProgramData\ directory, which is a more trustworthy directory, unlike the AppData or Users\Public directories.

As usual, read further for more interesting TTPs and stand by for the Threat Hunting Tip of the Day! Enjoy and Happy Hunting!

Head Mare: adventures of a unicorn in Russia and Belarus
https://securelist.com/head-mare-hacktivists/113555/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
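The two evasion patterns called out in the post (update-lookalike scheduled tasks and lookalike binaries in ProgramData), as an added hunt script. This is my example, not code from the Securelist report or from the post author: it lists scheduled tasks whose names mimic a Microsoft update component but whose action runs from outside Program Files or Windows, and it finds copies of OneDrive.exe / VLC.exe under ProgramData and Users\Public together with their Authenticode status and SHA-256. The task-name regex, the trusted-root list and the scan roots are my assumptions and should be tuned to your environment.

```powershell
# Added hunt script (not from the Securelist report): surfaces the two Head Mare
# evasion tricks described in the post. All lists and patterns below are assumptions.

# Directories where a binary launched by a "Microsoft*Update*" task is expected to live.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
# Task-name pattern (assumption) covering MicrosoftUpdateCore / MicrosoftUpdateCoree.
$SuspiciousTaskName = '^Microsoft.*Update'
# File names the report says the payloads were given.
$LookalikeNames = @('onedrive.exe', 'vlc.exe')
# Writable, rarely inspected roots where those names have no business being.
$ScanRoots = @($env:ProgramData, (Join-Path $env:SystemDrive 'Users\Public'))

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousScheduledTask {
    # Tasks named like an update component whose action runs from an untrusted location.
    Get-ScheduledTask | Where-Object { $_.TaskName -match $SuspiciousTaskName } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; skip them.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-UnderTrustedRoot $exe)) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Get-LookalikeBinary {
    # Copies of the lookalike names under ProgramData / Users\Public, with signature and hash
    # so the analyst can tell a planted binary from a vendor-installed one.
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $LookalikeNames -contains $_.Name.ToLowerInvariant() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [int]($_.Length / 1KB)
                    Created   = $_.CreationTime
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-LookalikeBinary | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the endpoint (Get-ScheduledTask needs the ScheduledTasks module, Windows 8 / Server 2012 and later). The legitimate MicrosoftEdgeUpdateTaskMachineCore task matches the name pattern but drops out because its action runs under Program Files (x86); a real OneDrive installs per user under AppData\Local\Microsoft\OneDrive, so any OneDrive.exe found in ProgramData or Users\Public deserves the signature and hash check before you move on.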


Uh-oh. Bakerloo blues? Piccadilly panic? Circle Line chaos?

Transport for London (TfL) says it is currently dealing with an “ongoing cyber security incident”

https://www.independent.co.uk/news/uk/home-news/tfl-web-account-jamcam-cyber-security-news-b2605854.html

#cybersecurity #ransomware


IT worker charged over $750,000 cyber extortion plot against former employer.

Read more in my article on the Bitdefender blog: https://www.bitdefender.com/blog/hotforsecurity/it-worker-charged-over-750-000-cyber-extortion-plot-against-former-employer/

#cybersecurity #blackmail #insiderthreat #extortion


'Big-game hunting' - Ransomware gangs are focusing on more lucrative attacks.

Read more in my article on the Exponential-e blog: https://www.exponential-e.com/blog/big-game-hunting-ransomware-gangs-are-focusing-on-more-lucrative-attacks

#cybersecurity #ransomware #malware #extortion #databreach


Good day everyone!

Microsoft brings us the #readoftheday with a threat group known as #PeachSandstorm. Believed to be operating out of Iran, the group deployed a new custom malware, the Tickler backdoor, and it sounds like they conduct espionage campaigns.

Looking at the behaviors, we can see a tried and true persistence mechanism (throw your answer in the comments if you spotted it as well; it's something I have mentioned too many times to count!) and then another technique used by many adversaries: drop a LEGIT remote monitoring and management (RMM) tool, in this case AnyDesk. But I am going to leave you guessing where we are going with this one! Enjoy the article and Happy Hunting!

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


$2.5 million reward offered for hacker linked to notorious Angler Exploit Kit.

Read more in my article on the Tripwire blog:

https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-criminal-linked-notorious-angler-exploit-kit

#malware #cybersecurity #vulnerability


Crypto scammers who hacked McDonald's Instagram account say they stole $700,000.

Read more in my article on the Bitdefender blog: https://www.bitdefender.com/blog/hotforsecurity/crypto-scammers-who-hacked-mcdonalds-instagram-account-say-they-stole-700-000/

#cybersecurity #twitter #cryptocurrency #scam


🧪 NEW BETA RELEASES 🧪

📱 iOS 18 beta 8 (22A5350a)
📱 iOS 18.1 beta 3 (22B5034e)
📱 iPadOS 18 beta 8 (22A5350a)
📱 iPadOS 18.1 beta 3 (22B5034e)
💻 macOS 15 beta 8 (24A5331b)
💻 macOS 15.1 beta 3 (24B5035e)
📺 tvOS 18 beta 8 (22J5356a)
🥽 visionOS 2 beta 8 (22N5318a)
https://developer.apple.com/news/releases

#apple #cybersecurity #infosec #security #ios


Happy Wednesday everyone!

Today's #readoftheday is a tale of victims getting compromised when they tried to download pirated movies! Mandiant (part of Google Cloud) reports that it all started with a zip file whose title hinted that it would be a movie but really contained a malicious LNK (Microsoft Shortcut) file that executes a PowerShell downloader script, which leads to the #PEAKLIGHT malware, another PowerShell-based downloader.

Interestingly, one of the variations uses an executable named Setup.exe which appears to be masquerading as a legitimate application, which is a common technique that is used by threat actors to gain trust from their victims!

As always, enjoy the rest of the article, I hope you have time to read it for yourself, and stay tuned for your Threat Hunting Tip of the Day!

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


Good day everyone!

Today's #readoftheday is brought to you by AnyRun and describes a campaign that has targeted Chinese-speaking users, distributing the malware known as #ValleyRAT. A RAT, which stands for remote access trojan, is a type of malware designed to allow the attacker to access and control a victim's machine. This one targets the Windows operating system, employs a range of techniques to evade detection, and is delivered with a first-stage loader disguised as a legitimate application like Microsoft Office. When the unsuspecting victim executes the malware, a decoy document is deployed and the executable loads the shellcode that advances the attack to the next stage.

Attackers have long used files masquerading as legitimate processes, executables, and so on, as well as the technique of dropping a decoy document when the user executes malware. The idea here is a layered effect: first, the adversary abuses the trust a user has in legitimate file names, and THEN provides something the victim may have been expecting, basically giving the victim something so as not to raise an alarm. This may be the delay the attacker needs to get a stronger foothold in the environment and gain persistence.

Stay tuned for your threat hunting tip of the day, but until then, Happy Hunting!

New ValleyRAT Campaign Spotted with Advanced Techniques
https://any.run/cybersecurity-blog/new-valleyrat-campaign/?utm_source=linkedin&utm_medium=post&utm_campaign=threat-intelligence-explained&utm_content=blog&utm_term=220824/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


Happy Monday, or should I say, Happy #DFIRDay!

That's right, The DFIR Report has dropped another one of their awesome reports, this time covering an attack that involved the #BlackSuit ransomware. There was a dash of #CobaltStrike, #SystemBC, some encoded PowerShell commands for defense evasion (and to keep you guessing on what the command really is!), LSASS access for credentials, and ultimately it led to the ransomware being deployed. This report provides a great example of all the things the adversary needs to do to be successful in an attack and all the information they need from your environment to do it!

Stay tuned for your Threat Hunting Tip of the Day but while you wait, enjoy the article! Happy Hunting!

And I promise you I am not going to take the easy way out and hit you with the AutoRun registry key hunt package again!

BlackSuit Ransomware
https://thedfirreport.com/2024/08/26/blacksuit-ransomware/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday


Happy Friday all!

My #readoftheday is brought to you by Palo Alto Networks Unit 42! In this article, the researchers focus on a threat actor known as #BlingLibra, the group behind the #ShinyHunters ransomware, and their Tactics, Techniques, and Procedures (TTPs) and behaviors. They do a great job of breaking down each MITRE ATT&CK Tactic and provide relevant artifacts and information on how the adversary accomplished that goal.

As always, once I am completely done with it I will provide my Threat Hunting Tip of the day, so stay tuned and enjoy! Happy Hunting!

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting


Things can get stormy in IT at times! 🌪 Want to keep cybercriminals out of the party? Here we tell you how to secure your digital windows and doors: 👉 https://www.bsi.bund.de/dok/131400

Got another one? We'd love to see your favourite IT dad jokes in the comments! 😜

#DeutschlandDigitalSicherBSI #IT #ITSicherheit #Sicherheit #CyberSecurity #ITSecurity #InfoSec #CyberCrime


Good day everyone!

Check Point Software researchers provide us a detailed report on a newly discovered malware, #StyxStealer! It is capable of "stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency" and contains defense evasion techniques. While the malware may be new, one technique that stood out isn't: the use of the Windows Run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run).

This registry key is abused because of the function it carries with it: you can reference an executable, a script, or whatever you want in the registry value, and it will execute once a user logs in. This removes the need for the adversary to social engineer or compromise a host over and over again.

Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day!

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
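The Run-key persistence described in the post, as an added audit script. This is my example, not code from the Check Point report or from the post author: it walks the Run and RunOnce keys in HKLM and in every user hive currently loaded under HKEY_USERS, extracts the image each value launches, and states why an entry deserves a look (launched through a script host or LOLBin, image under a user-writable path, missing or invalid Authenticode signature, image not on disk). The launcher regex, the writable-root list and the key list are my assumptions.

```powershell
# Added audit script (not from the Check Point report). Lists and triages Run/RunOnce
# autostart values. Regexes and path lists are assumptions; adjust to your build standard.

$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Launchers commonly used to hide the real payload behind a trusted, signed image.
$ScriptHosts = '^(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd|msiexec)(\.exe)?$'
# Locations a standard user can write to; autostarts from here need an explanation.
$WritableRoots = @($env:ProgramData, (Join-Path $env:SystemDrive 'Users'), $env:TEMP,
                   (Join-Path $env:SystemRoot 'Temp')) | Where-Object { $_ }
$ProviderMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandImage {
    # Pull the image path out of a Run value such as  "C:\x\a.exe" /silent  or  C:\x\a.exe /silent
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    # Unquoted paths with spaces are common ("C:\Program Files\..."), so stop at the first .exe.
    $m = [regex]::Match($cl, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-SuspicionReason {
    param([string]$Image)
    if (-not $Image) { return 'empty command' }
    $reasons = @()
    # Bare names (rundll32.exe) resolve through PATH the same way the shell resolves them.
    if (-not [System.IO.Path]::IsPathRooted($Image)) {
        $resolved = Get-Command $Image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($resolved) { $Image = $resolved.Source }
    }
    $leaf = ($Image -split '[\\/]')[-1]
    if ($leaf -match $ScriptHosts) { $reasons += "launched via $leaf (inspect the arguments)" }
    foreach ($root in $WritableRoots) {
        if ($Image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "image under user-writable path $root"; break
        }
    }
    if (Test-Path -LiteralPath $Image -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Image
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'image not found on disk'
    }
    return ($reasons -join '; ')
}

function Get-RunKeyEntry {
    # HKLM plus every user hive loaded under HKEY_USERS. Only logged-on users are loaded;
    # mount the NTUSER.DAT of other profiles (reg.exe load) if you need full coverage.
    $hives = @('Registry::HKEY_LOCAL_MACHINE') +
             @(Get-ChildItem Registry::HKEY_USERS |
               Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
               ForEach-Object { $_.PSPath })
    foreach ($hive in $hives) {
        foreach ($sub in $RunSubKeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($ProviderMetadata -contains $p.Name) { continue }
                $cmd   = [string]$p.Value
                $image = Get-CommandImage $cmd
                [pscustomobject]@{
                    Key     = $key -replace '^.*Registry::', ''
                    Name    = $p.Name
                    Command = $cmd
                    Image   = $image
                    Reason  = Get-SuspicionReason $image
                }
            }
        }
    }
}

$entries = Get-RunKeyEntry
$entries | Where-Object { $_.Reason } | Format-List
# Keep a baseline so the next run only has to explain the delta:
# $entries | Export-Csv -NoTypeInformation -Path "runkeys-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"
```

Expect legitimate hits: OneDrive and other per-user software autostart from AppData\Local, so "image under user-writable path" on its own is a prompt to read the signature column, not a verdict. A script-host launcher with a long or encoded argument string, an image that is missing from disk, or a NotSigned binary under ProgramData are the combinations worth pulling the file for.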


Hacker leaks upcoming episodes of Netflix shows online following security breach.

Read more in my article on the Bitdefender blog: https://www.bitdefender.com/blog/hotforsecurity/hacker-leaks-upcoming-episodes-of-netflix-shows-online-following-security-breach/

#cybersecurity #anime #databreach #netflix


Over 100,000 Oregon Zoo visitors warned that their payment card details were stolen in security breach.

Read more in my article on the Bitdefender blog: https://www.bitdefender.com/blog/hotforsecurity/over-100-000-oregon-zoo-visitors-warned-that-their-payment-card-details-were-stolen-in-security-breach/

#cybersecurity #databreach #paymentcard


Microsoft’s Windows Recall feature, which stores a timeline of activity snapshots on your PC, has a new release date.

Microsoft unveiled the feature to much fanfare at Build 2024 in May, only to delay it indefinitely after security researchers called the feature a “privacy nightmare.” Now, having added some extra security measures, the company has said it will roll out Recall to beta testers using Copilot+ PCs in October. @engadget@press.coop has more.

https://flip.it/g.zCu9

#Microsoft #MicrosoftRecall #Recall #Cybersecurity #Tech


Happy Wednesday!

Taking time to read another great article from Cisco Talos this time focused on North Korean actors that are using the MoonPeak malware which is a new remote access trojan (RAT) that appears to be under development. This report covers a LOT of information surrounding the Command and Control (C2) traffic and infrastructure.

Looking at the report, there are a lot of ways you can handle hunting for this threat, but the best approach I would take is an unstructured hunt first. The report mentions ports being used that are non-standard (with some standard ones as well). Without directly hunting for port 8936 or 9936, you can start to see what is normal in your environment: what ports appear the most in the data and can be tied to a legitimate process? Exclude those and start seeing what else you can find. Work through this "rinse-and-repeat" method to reduce the noise by removing the "normal" and then see what is left! It should be abnormal or just strange business processes! Enjoy and Happy Hunting!

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #HappyHunting #readoftheday
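The "stack ports, explain the bulk, remove it, look at the residue" loop described in the post, as an added example. This is my code, not from the Talos report or the post author, and it runs over a constructed sample of outbound connection records (field names follow a Sysmon Event ID 3 export; hosts, image paths and addresses are made up, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges). Only the ports 8936 and 9936 come from the report; the baseline and the planted records are assumptions.

```powershell
# Added example (not from the Talos report): two passes of an unstructured port-stacking hunt
# over a constructed dataset. Replace $SampleConnections with Import-Csv of a real export.

$SampleConnections = @'
Computer,Image,DestinationIp,DestinationPort
WS01,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.10,443
WS01,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.11,443
WS02,C:\Program Files\Google\Chrome\Application\chrome.exe,203.0.113.12,443
WS02,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,203.0.113.20,443
WS03,C:\Program Files\Google\Chrome\Application\chrome.exe,203.0.113.13,443
WS03,C:\Windows\System32\svchost.exe,203.0.113.30,80
WS01,C:\Windows\System32\svchost.exe,203.0.113.31,80
WS04,C:\Program Files\Vendor\ReportClient\sqlclient.exe,10.0.5.20,1433
WS02,C:\Users\Public\Libraries\updater.exe,198.51.100.7,8936
WS02,C:\Users\Public\Libraries\updater.exe,198.51.100.7,9936
WS02,C:\Users\Public\Libraries\updater.exe,198.51.100.7,443
'@ | ConvertFrom-Csv

function Get-PortStack {
    # Stack every destination port with the hosts and images that used it, busiest first.
    param([object[]]$Records)
    $Records | Group-Object DestinationPort | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Port   = [int]$_.Name
            Count  = $_.Count
            Hosts  = ($_.Group.Computer | Sort-Object -Unique) -join ','
            Images = ($_.Group.Image | Sort-Object -Unique) -join ' | '
        }
    }
}

function Remove-KnownGood {
    # Drop records where BOTH the port and the image are on the baseline. A known port used by
    # an image that is not on the baseline stays in the residue (this is how updater.exe on 443
    # survives below even though 443 itself is "normal").
    param([object[]]$Records, [hashtable]$Baseline)
    $Records | Where-Object {
        $knownImages = $Baseline[[int]$_.DestinationPort]
        -not ($knownImages -and ($knownImages -contains $_.Image))
    }
}

# Pass 1: 443 and 80 dominate and are tied to browsers, Outlook and svchost.
Get-PortStack $SampleConnections | Format-Table -AutoSize

# Record what pass 1 explained as normal: port -> images allowed to use it.
$Baseline = @{
    443 = @('C:\Program Files\Mozilla Firefox\firefox.exe',
            'C:\Program Files\Google\Chrome\Application\chrome.exe',
            'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE')
    80  = @('C:\Windows\System32\svchost.exe')
}

# Pass 2: rinse and repeat on the residue. What is left is a line-of-business client on 1433
# (explain it, then add it to the baseline) and one binary in Users\Public talking to a single
# external address on 8936, 9936 and 443. That last one is the lead to pivot on.
$Residue = Remove-KnownGood $SampleConnections $Baseline
Get-PortStack $Residue | Format-Table -AutoSize
```

On real data the first stack is long, so start from the top of the count column and work down; each explained port-and-image pair goes into the baseline and the loop repeats until the residue is small enough to read line by line. Keying the baseline on port plus image rather than port alone is what keeps a C2 channel on 443 from disappearing into the browser noise.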


There are two ways to get online at the library:

  1. bring your own device → wifi
  2. use the library’s Windows PCs

I needed to grab content from http://$host:$highPortNum/$path…

The connection worked on the library’s own PCs, but kept dying part way into the fetch at very different points on the different repeated attempts.

So I tried a BYOD (laptop) over wifi. This was a non-starter with immediate failure:

$ wget $URL
Connecting to $HOST:$largePort... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

This behavior breaks many of the Internet radio stations I listen to, as well as more important fetches. The workaround I found was to simply prefix wget with torsocks to go over the Tor network.

Apparently the library’s network decides “this PC is untrusted, so only allow certain ports (e.g. 80)”. Questions:

  1. What is the rationale? What security problem is the library trying to control by blocking uncommon ports?
  2. Are there more clever circumventions than using Tor? Streaming radio over Tor is perhaps a bit needlessly wasteful.

One thought is to configure tor (if possible) to have just one hop, which would give up the needless anonymity in order to put less burden on the tor network. Is that possible? Otherwise, a VPN is the other thought but that has other downsides.


WebAuthn (passkeys) is only going to become more important in the future, and as this grows, deployments with higher security risks and criticality are going to need to start to understand and embrace attestation of their keys.

In their current form, almost all software products and IDMs today allow you to enroll any cryptographic authenticator. It doesn't matter what make or model it is, it will be allowed.

However, not all authenticators are made equal. They each have different properties and security features, and some even have security issues affecting their hardware or software. Because WebAuthn is a self-contained multi-factor authenticator, this means we need to be even more careful to ensure these devices are secure.


Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.


Windows laptop manufacturers will likely need to fix this one.
