submitted by /u/dimitrios_eLS
[link] [comments]

submitted by /u/tubularobot
[link] [comments]

No major incidents mixed with continuing gaps in implementation paint an improving, but still muddy, picture of cybersecurity in the federal government.

Thousands of customers’ credit card numbers, MoviePass card numbers, and sensitive data were left in an unprotected database.

submitted by /u/inf0junki3
[link] [comments]

New controls and threat detection capabilities built into Box aim to prevent accidental data leakage and misuse.

submitted by /u/magenta_placenta
[link] [comments]

submitted by /u/ghostnil
[link] [comments]

Cancer research is a particular target among Chinese espionage groups, says security firm FireEye.

Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.

But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

There’s no indication that this vulnerability was ever used in the wild, but the code it was discovered in – Microsoft’s Text Services Framework – has been around since Windows XP….

submitted by /u/hunniccyber
[link] [comments]

As education is set to become an increasingly vital tool in companies security toolboxes, the question arises: How can they effectively implement security awareness training?

The post Education and privacy legislation at ChannelCon appeared first on WeLiveSecurity

submitted by /u/blackmafia009
[link] [comments]

Small organizations still face a long list of security threats. These threats and vulnerabilities should be top of mind.

In a move to protect its users based in Kazakhstan from government surveillance, Google and Mozilla finally today came forward and blocked Kazakhstan’s government-issued root CA certificate within their respective web browsing software.

Starting today, Firefox and Chrome users in Kazakhstan will see an error message stating that the certificate should not be trusted when attempting to access

Silence APT, a Russian-speaking cybercriminal group, known for targeting financial organizations primarily in former Soviet states and neighboring countries is now aggressively targeting banks in more than 30 countries across America, Europe, Africa, and Asia.

Active since at least September 2016, Silence APT group’s most recent successful campaign was against Bangladesh-based Dutch-Bangla

submitted by /u/jollheef
[link] [comments]

Most CISOs see the risk of cyberattacks growing and feel they’re falling behind in their ability to fight back, a new survey finds.

submitted by /u/inf0junki3
[link] [comments]

The attack, which has victimized mostly smaller local governments, is thought to have been unleashed by a single threat actor

The post Ransomware wave hits 23 towns in Texas appeared first on WeLiveSecurity

submitted by /u/The_Giant_Panda
[link] [comments]

submitted by /u/WoodenStable
[link] [comments]

Well, here we have great news for Facebook users, which is otherwise terrible for marketers and publishers whose businesses rely on Facebook advertisement for re-targeted conversations.

Following the Cambridge Analytica scandal, Facebook has taken several privacy measures in the past one year with an aim to give its users more control over their data and transparency about how the social

submitted by /u/Skullarkal
[link] [comments]

Excellent op-ed on the growing trend to tie humanitarian aid to surveillance. Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing for fraud requires entire populations to be tracked using their personal data. And that experimental technologies…

Financial institutions interacting with customers online must prepare for a broader, more sophisticated variety of threats.

submitted by /u/moneroplace3
[link] [comments]

submitted by /u/Eta-Meson
[link] [comments]

submitted by /u/Eta-Meson
[link] [comments]

submitted by /u/sandrozc
[link] [comments]

This advisory includes mitigations for an insufficiently protected credentials vulnerability in Zebra's Industrial Printers.

A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long timethanks to Apple.

Dubbed “unc0ver 3.5.0,” the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.

submitted by /u/Ozi1992
[link] [comments]

submitted by /u/Edu_Guidance
[link] [comments]

So many software vulnerabilities, so little time. But failure to patch them can have serious consequences. Here’s help for overwhelmed security teams.

submitted by /u/ga-vu
[link] [comments]

Managing a WordPress website can sap a lot of your time and energy, which otherwise you’d spend on managing your business.

If you’re looking to cut down on the hours, you spend troubleshooting WordPress technical and security problems, better managing and monitoring your website and users, or your customers, you need a WordPress activity log plugin.

This post explains how to use the WP

Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project’s maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers.

Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build infrastructurethat surprisingly persisted into

submitted by /u/borisdan
[link] [comments]

In August 2019, FireEye released the Double Dragon report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponzing and exploiting within a matter of days.

Our knowledge of this groups targets and activities are rooted in our Incident Response and Managed Defense services, where we encounter actors like APT41 on a regular basis. At each encounter, FireEye works to reverse malware, collect intelligence and hone our detection capabilities. This ultimately feeds back into our Managed Defense and Incident Response teams detecting and stopping threat actors earlier in their campaigns.

In this blog post, were going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41. Our goal is to display not only how dynamic this group can be, but also how the various teams within FireEye worked to thwart attacks within hours of detection protecting our clients networks and limiting the threat actors ability to gain a foothold and/or prevent data exposure.

GET TO DA CHOPPA!

In April 2019, FireEyes Managed Defense team identified suspicious activity on a publicly-accessible web server at a U.S.-based research university. This activity, a snippet of which is provided in Figure 1, indicated that the attackers were exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server that allowed for path traversal and remote code execution.

Figure 1: Snippet of PCAP showing attacker attempting CVE-2019-3396 vulnerability

This vulnerability relies on the following actions by the attacker:

• Customizing the _template field to utilize a template that allowed for command execution.
• Inserting a cmd field that provided the command to be executed.

Through custom JSON POST requests, the attackers were able to run commands and force the vulnerable system to download an additional file. Figure 2 provides a list of the JSON data sent by the attacker.

Figure 2: Snippet of HTTP POST requests exploiting CVE-2019-3396

As shown in Figure 2, the attacker utilized a template located at hxxps[:]//github[.]com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm. This publicly-available template provided a vehicle for the attacker to issue arbitrary commands against the vulnerable system. Figure 3 provides the code of the file cmd.vm.

Figure 3: Code of cmd.vm, used by the attackers to execute code on a vulnerable Confluence system

The HTTP POST requests in Figure 2, which originated from the IP address 67.229.97[.]229, performed system reconnaissance and utilized Windows certutil.exe to download a file located at hxxp[:]//67.229.97[.]229/pass_sqzr.jsp and save it as test.jsp (MD5: 84d6e4ba1f4268e50810dacc7bbc3935). The file test.jsp was ultimately identified to be a variant of a China Chopper webshell.

A Passive Aggressive Operation

Shortly after placing test.jsp on the vulnerable system, the attackers downloaded two additional files onto the system:

• 64.dat (MD5: 51e06382a88eb09639e1bc3565b444a6)
• Ins64.exe (MD5: e42555b218248d1a2ba92c1532ef6786)

Both files were hosted at the same IP address utilized by the attacker, 67[.]229[.]97[.]229. The file Ins64.exe was used to deploy the HIGHNOON backdoor on the system. HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins. This particular variant of HIGHNOON is tracked as HIGHNOON.PASSIVE by FireEye. (An exploration of passive backdoors and more analysis of the HIGHNOON malware family can be found in our full APT41 report).

Within the next 35 minutes, the attackers utilized both the test.jsp web shell and the HIGHNOON backdoor to issue commands to the system. As China Chopper relies on HTTP requests, attacker traffic to and from this web shell was easily observed via network monitoring. The attacker utilized China Chopper to perform the following:

• Movement of 64.dat and Ins64.exe to C:\Program Files\Atlassian\Confluence
• Performing a directory listing of C:\Program Files\Atlassian\Confluence
• Performing a directory listing of C:\Users

Additionally, FireEyes FLARE team reverse engineered the custom protocol utilized by the HIGHNOON backdoor, allowing us to decode the attackers traffic. Figure 4 provides a list of the various commands issued by the attacker utilizing HIGHNOON.

Figure 4: Decoded HIGHNOON commands issued by the attacker

Playing Their ACEHASH Card

As shown in Figure 4, the attacker utilized the HIGHNOON backdoor to execute a PowerShell command that downloaded a script from PowerSploit, a well-known PowerShell Post-Exploitation Framework. At the time of this blog post, the script was no longer available for downloading. The commands provided to the script privilege::debug sekurlsa::logonpasswords exit exit indicate that the unrecovered script was likely a copy of Invoke-Mimikatz, reflectively loading Mimikatz 2.0 in-memory. Per the observed HIGHNOON output, this command failed.

After performing some additional reconnaissance, the attacker utilized HIGHNOON to download two additional files into the C:\Program Files\Atlassian\Confluence directory:

• c64.exe (MD5: 846cdb921841ac671c86350d494abf9c)
• F64.data (MD5: a919b4454679ef60b39c82bd686ed141)

These two files are the dropper and encrypted/compressed payload components, respectively, of a malware family known as ACEHASH. ACEHASH is a credential theft and password dumping utility that combines the functionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor (WCE).

Upon placing c64.exe and F64.data on the system, the attacker ran the command

c64.exe f64.data "9839D7F1A0 -m

This specific command provided a password of 9839D7F1A0 to decrypt the contents of F64.data, and a switch of -m, indicating the attacker wanted to replicate the functionality of Mimikatz. With the correct password provided, c64.exe loaded the decrypted and decompressed shellcode into memory and harvested credentials.

Ultimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware on the vulnerable Confluence system. While Mimikatz failed, via ACEHASH they were able to harvest a single credential from the system. However, as Managed Defense detected this activity rapidly via network signatures, this operation was neutralized before the attackers progressed any further.

Key Takeaways From This Incident

• APT41 utilized multiple malware families to maintain access into this environment; impactful remediation requires full scoping of an incident.
• For effective Managed Detection & Response services, having coverage of both Endpoint and Network is critical for detecting and responding to targeted attacks.
• Attackers may weaponize vulnerabilities quickly after their release, especially if they are present within a targeted environment. Patching of critical vulnerabilities ASAP is crucial to deter active attackers.

Detecting the Techniques

FireEye detects this activity across our platform, including detection for certutil usage, HIGHNOON, and China Chopper.

Indicators

Looking for more? Join us for a webcast on August 29, 2019 where we detail more of APT41s activities. You can also find a direct link to the public APT41 report here.

Acknowledgements

Thanks to Raymond Leong of Advanced Practices and Willi Ballenthin of FLAREfor identification and reversing of the HIGHNOON.PASSIVE malware.

submitted by /u/raen120
[link] [comments]

submitted by /u/WhiteHatTX
[link] [comments]

Cybercrooks increasingly are anonymizing their malicious traffic by routing it through residential broadband and wireless data connections. Most often, those connections are hacked computers, mobile phones, or home routers. But this is the story of a sprawling “bulletproof residential VPN” service that appears to have been built by acquiring chunks of Internet addresses from some the largest ISPs and mobile data providers in the United States and abroad.

When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet malware usedWMI for persistence. Like Mirai, MyKings seems to be constantly undergoing changes to its infection routine. The variant we analyzed for this incident did not just have a single method of retaining persistence but multiple ones, as discussed in the previous section. In addition to WMI, it also used the registry, the task scheduler, and a bootkit the most interesting of which is the bootkit.

The post Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response appeared first on .

Influence operations are elusive to define. The Rand Corp.’s definition is as good as any: “the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.” Basically, we know it when we see it, from bots controlled by the Russian Internet Research Agency to Saudi attempts to…

submitted by /u/dunryc
[link] [comments]

Targeted attacks, malware campaigns and other security news in Q2 2019.

Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe, 217,843,293 unique URLs triggered Web Anti-Virus components.

submitted by /u/albinowax
[link] [comments]

submitted by /u/powershelltutorials
[link] [comments]

submitted by /u/htschad
[link] [comments]

submitted by /u/Ahm3d_H3sham
[link] [comments]

submitted by /u/hassan1234r
[link] [comments]

submitted by /u/FiroSolutions
[link] [comments]

submitted by /u/GenericBlueGemstone
[link] [comments]

Interesting research: The squid robot is powered primarily by compressed air, which it stores in a cylinder in its nose (do squids have noses?). The fins and arms are controlled by pneumatic actuators. When the robot wants to move through the water, it opens a value to release a modest amount of compressed air; releasing the air all at once…

submitted by /u/Hausec
[link] [comments]

submitted by /u/ZephrX112
[link] [comments]

submitted by /u/Eta-Meson
[link] [comments]

submitted by /u/Eta-Meson
[link] [comments]

This week, ESET researchers described an ongoing campaign that targets accountants in the Balkans and spreads both a backdoor and a remote access trojan

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

At Black Hat USA, Project Zero’s team lead shared details of projects it has accomplished and its influence on the security community.

The mobile platform is ubiquitous enabling users to make online transactions, run their everyday lives, or even use it in the workplace. Its no surprise that fraudsters and cybercriminals would want to cash in on it. Delivering adware, for example, enables them to monetize affected devices while attempting to be innocuous. And while they may be viewed as a nuisance at best, mobile ad fraud- and adware-related incidents became so rampant last year that it cost businesses hefty financial losses.

The post Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times appeared first on .

Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS…