Phison and Cigent have unveiled a co-developed SSD platform that uses mechanisms built directly into the drive's firmware to defend against ransomware and data theft; in the event of an attack, the drives automatically encrypt and shield data. According to Tom's Hardware, these self-defending drives will become generally available this year. Antivirus software can detect known malware and analyze program activity to spot potentially malicious behavior patterns, but custom ransomware built by criminal groups can go undetected until it is too late, leaving systems exposed. In certain cases it makes sense to enforce encryption at the hardware level, since firmware-level controls are typically out of reach of manipulation by software running on the host. Cigent's Secure SSD K2 and Secure SSD Denali drives use Phison's PS5012-E12DC Crypto-SSD NVMe controllers. Their technology provides embedde...
Bizarro is a new banking trojan spreading through Europe and much of South America that tries to steal customers' banking credentials and mobile crypto wallet details. For those who have not come across one before, banking trojans are a class of malware that cybercriminals use to steal banking credentials and other information from unsuspecting customers. According to Kaspersky researchers, Bizarro has recently been used to attack customers of up to 70 different banks across Italy, France, Spain, and Portugal, among other countries. It was first spotted in South America and is believed to originate in Brazil, where multiple families of banking trojans are known to proliferate.
Bizarro is widespread in Europe and South America
According to Kaspersky researchers, “Based on our telemetry, we’ve seen victims...
In the first quarter of 2021, cybercriminals sent 52 million malicious messages using cloud storage and collaboration services such as Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase. During the pandemic, cybercriminals have capitalized on the rapid shift to cloud-based business services by concealing their email phishing campaigns behind ubiquitous, trusted Microsoft and Google services. Proofpoint security researchers observed 7 million malicious emails sent from Microsoft 365 and a staggering 45 million sent from Google's infrastructure in the first three months of 2021 alone. They added that cybercriminals used Office 365, Azure, OneDrive, SharePoint, G-Suite, ...
Forenza, an Israeli startup, has built a subscription-based data platform to help police departments and private investigators solve crimes using open sources, digital forensic evidence, and business intelligence drawn from public social media channels. For $600 a month, police departments can view and correlate public videos on Instagram, YouTube, and TikTok to help solve crimes. Forenza co-founder Uri Boros said the platform can pinpoint all TikTok videos showing people in cars, or cars involved in criminal activity. A great deal of criminal activity surfaces on the platform, which police forces can use to locate individuals or places associated with reports. “You start to realize there is a new social network (and) there are a lot of videos involving cars, cash money, or cars and license plates.” If a data platform used by government-operated services can be used to catch members of the public, privacy an...
DarkSide, the group behind the ransomware used in the attack on Colonial Pipeline, which set off national panic and a spike in gas prices, has announced its retirement, but its platforms are still operational. By May 23, the DarkSide group had agreed to provide decryptors for all ransomware targets and to settle its outstanding financial obligations. While news of the group's shutdown is heartening, the threat posed by the actors who use its ransomware has not been eliminated: RiskIQ researchers found that some of the infrastructure associated with UNC2465, which was used to deploy malware other than the DarkSide ransomware, is still operational and could pose a threat.
An ongoing malware campaign that uses the AutoHotkey (AHK) scripting language to deliver a variety of RATs, including LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT, has been discovered; at least four distinct versions have been identified since February. According to Morphisec, the RAT distribution starts with a compiled AutoHotkey (AHK) script: a standalone executable that contains the AHK interpreter, the AHK script, and any files embedded with the FileInstall command. In the campaign, the attackers bundle malicious scripts and executables alongside a legitimate application to conceal their intent. In the first version of the attack, the attackers wrapped the dropped RAT in an AHK executable. That attack was spotted on February 17 and disabled Microsoft Defender with a Batch script and a shortcut (.LNK) file pointing to that scr...
Living off the Land-type attacks, which use legitimate programs or operating system features to cause harm, are nothing new, but with defenders keeping track of LotL-susceptible modern software, cybercriminals have had to innovate. Researchers Jean-Ian Boutin and Zuzana Hromcova described one such innovation, the use of legitimate Windows XP components and programs, at RSA Conference 2021.
Living off the Land and vulnerable Windows XP components
Studying the activity of the InvisiMole group, Boutin and Hromcova noted that InvisiMole's tools rely on files from the long-obsolete operating system to stay under the radar. The researchers gave those files the general name VULNBins, by analogy with LOLBins, the security community's term for files used in Living off the Land attacks. Of course, downloading an outdated file to the victim's computer requires access to that computer in the first place; VULNBins are generally used to establish persistence on a compromised system without being noticed, not for the initial intrusion.
Specific examples of using outdated programs and system components
If an attacker fails to gain administrator rights, one tactic they may use to establish persistence involves an old video player with a known buffer overflow vulnerability. Through the Task Scheduler, the attackers create a recurring task that launches the player with a modified configuration file that exploits the vulnerability and loads the code for the next stage of the attack. If, however, the InvisiMole operators manage to obtain administrator rights, they can use another method built on the legitimate system component setupSNK.exe, the Windows XP library wdigest.dll, and Rundll32.exe (also taken from the outdated system), which is needed to execute the library. They then manipulate the data the library loads into memory. Because the library predates ASLR, the attackers know the exact address at which it will be loaded. Most of the malicious payload is stored in the registry in encrypted form, and every library and executable used is legitimate. As a result, all that betrays the intruder's presence is the player configuration file and the small exploit that targets the outdated libraries. As a rule, that's not enough to raise a security product's suspicion.
How to stay safe
To prevent cybercriminals from abusing old files and outdated system components (especially ones signed by a legitimate publisher), a database of such files would be a good start: it would let existing defenses block them, or at least track them if blocking is not possible. But that is looking ahead. Until such a list exists, use an EDR-class solution to:
- Detect and block the execution of Windows components located outside the system folder.
- Identify unsigned system files (some system files are signed through a catalog file rather than an embedded signature, so a system file copied to a machine that lacks the matching .cat file is treated as unsigned).
- Create a rule that flags a mismatch between the OS version and the version of each executable file.
- Create a similar rule for other applications, for example to block the execution of files compiled more than 10 years ago.
As we mentioned, to get anything onto a victim's computer attackers first need access. To keep VULNBins from reaching your workstations, install security solutions on all Internet-connected devices, raise employee awareness of modern cyberthreats, and closely monitor remote access tools.
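A check implementing the last two rules above (OS-version mismatch and build age), plus the pre-ASLR indicator the InvisiMole technique depends on, added here as an example; this is not code from the researchers or from any EDR product. It parses the PE headers by hand and runs against two constructed, header-only sample images; NOW, MAX_AGE_YEARS and MIN_TARGET_OS are assumed policy values, not figures from the article.

```python
import struct
import sys
from datetime import datetime, timezone

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible

# Assumed reference date and policy thresholds for this example.
NOW = datetime(2021, 5, 24, tzinfo=timezone.utc)
MAX_AGE_YEARS = 10
MIN_TARGET_OS = (6, 0)  # Vista was the first Windows with ASLR; older targets are suspect


def parse_pe_headers(data: bytes) -> dict:
    """Extract the few COFF / optional-header fields the checks need.

    Parsed by hand so no third-party PE library is required.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Major/MinorOperatingSystemVersion are at +40 and DllCharacteristics at +70
    # in both the PE32 and PE32+ optional header layouts.
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "target_os": (major_os, minor_os),
        "dll_characteristics": dll_chars,
        "pe32plus": magic == 0x20B,
    }


def assess_binary(data: bytes, now: datetime = NOW) -> list:
    """Apply the detection rules and return a list of human-readable findings."""
    hdr = parse_pe_headers(data)
    findings = []
    ct = hdr["compile_time"]
    if hdr["timestamp"] == 0 or ct > now:
        # Reproducible builds and tampered headers carry bogus stamps; don't trust them.
        findings.append("implausible compile timestamp; age check skipped")
    elif (now - ct).days > MAX_AGE_YEARS * 365:
        findings.append("compiled more than %d years ago (%s)" % (MAX_AGE_YEARS, ct.date()))
    if hdr["target_os"] < MIN_TARGET_OS:
        findings.append("targets Windows %d.%d, below the %d.%d floor"
                        % (hdr["target_os"] + MIN_TARGET_OS))
    if not hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("DYNAMIC_BASE not set: fixed load address, ASLR does not apply")
    return findings


def build_sample_pe(timestamp: int, os_version: tuple, dll_chars: int) -> bytes:
    """Construct a minimal header-only PE image (constructed test data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers directly follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<HH", opt, 40, *os_version)   # Major/MinorOperatingSystemVersion
    struct.pack_into("<H", opt, 70, dll_chars)      # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Two constructed samples: an XP-era, non-relocatable DLL and a current ASLR-enabled one.
XP_ERA_DLL = build_sample_pe(1094083200, (5, 1), 0x0000)  # 2004-09-02, no DYNAMIC_BASE
MODERN_DLL = build_sample_pe(1614556800, (6, 0),          # 2021-03-01
                             IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

if __name__ == "__main__":
    # Usage: python vulnbin_check.py file.dll ...   (no arguments: run on the two samples)
    if len(sys.argv) > 1:
        inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        inputs = [("XP_ERA_DLL", XP_ERA_DLL), ("MODERN_DLL", MODERN_DLL)]
    for name, blob in inputs:
        print(name, assess_binary(blob, now=datetime.now(timezone.utc)) or ["no findings"])
```

Both the timestamp and the version fields are attacker-controlled, so treat hits as triage signals to correlate with the other rules (file outside the system folder, missing catalog signature) rather than as verdicts; the DYNAMIC_BASE check is the one that directly reflects why the XP-era wdigest.dll is useful to the attacker.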
One of the oldest scams around, the fake job interview that seeks only to harvest your personal and financial data, is on the rise, the FBI warns. Here’s the story of a recent LinkedIn impersonation scam that led to more than 100 people getting duped, and one almost-victim who decided the job offer was too good to be true.
Last week, someone began posting classified notices on LinkedIn for different design consulting jobs at Geosyntec Consultants, an environmental engineering firm based in the Washington, D.C. area. Those who responded were told their application for employment was being reviewed and that they should email Troy Gwin, Geosyntec’s senior recruiter, immediately to arrange a screening interview.
Gwin contacted KrebsOnSecurity after hearing from job seekers trying to verify the ad, which urged respondents to email Gwin at a Gmail address that was not his. Gwin said LinkedIn told him roughly 100 people applied before the phony ads were removed for abusing the company’s terms of service.
“The endgame was to offer a job based on successful completion of background check which obviously requires entering personal information,” Gwin said. “Almost 100 people applied. I feel horrible about this. These people were really excited about this ‘opportunity’.”
Erica Siegel was particularly excited about the possibility of working in a creative director role she interviewed for at the fake Geosyntec. Siegel said her specialty, helping wealthy people develop their own personal brands, has been in low demand throughout the pandemic, so she’s applied to dozens of jobs and freelance gigs over the past few months.
On Monday, someone claiming to work with Gwin contacted Siegel and asked her to set up an online interview with Geosyntec. Siegel said the “recruiter” sent her a list of screening questions that all seemed relevant to the position being advertised. Within about an hour of submitting her answers, she received a reply saying the company’s board had unanimously approved her as a new hire, at an incredibly generous salary considering she had to do next to no work to land a job she could do from home.
Worried that her potential new dream job might be too good to be true, she sent the recruiter a list of her own questions about the role and its position within the company. The recruiter ignored Siegel’s follow-up questions entirely, instead urging her to get in touch with a contact in human resources to immediately begin formalizing her employment, which of course involves handing over one’s personal (driver’s license) and financial (direct deposit) details.
Multiple things about this job offer didn’t smell right to Siegel. “I usually have six or seven interviews before getting a job,” Siegel said. “Hardly ever in my lifetime have I seen a role that flexible, completely remote and paid the kind of money I would ask for. You never get all three of those things.”
So she called her dad, an environmental attorney who happens to know and have worked with people at the real Geosyntec Consultants. Then she got in touch with the real Troy Gwin, who confirmed her suspicions that the whole thing was a scam.
“Even after the real Troy said they’d gotten these [LinkedIn] ads shut down, this guy was still emailing me asking for my HR information,” Siegel said. “So my dad said, ‘Troll him back, and tell him you want a signing bonus via money order.’ I was like, okay, what’s the worst that could happen? I never heard from him again.”
HOW TO SPOT A JOB SCAM
In late April, the FBI warned that technology is making these scams easier and more lucrative for fraudsters, who are particularly fond of impersonating recruiters. “Fake Job or Employment Scams occur when criminal actors deceive victims into believing they have a job or a potential job,” the FBI warned. “Criminals leverage their position as “employers” to persuade victims to provide them with personally identifiable information (PII), become unwitting money mules, or to send them money.”
Last year, some 16,012 people reported being victims of employment scams with losses totaling more than $59 million, according to the FBI’s Internet Crime Complaint Center (IC3). But the real losses each year from employment scams are likely far higher; as the Justice Department often points out, relatively few victims of these crimes report the matter to the IC3.
LinkedIn said its platform uses automated and manual defenses to detect and address fake accounts or fraudulent payments. “Any accounts or job posts that violate our policies are blocked from the site,” LinkedIn said in response to a request for comment. “The majority of fake job postings are stopped before going live on our site, and for those job postings that aren’t, whenever we find fake posts, we work to remove them quickly.” LinkedIn’s most recent transparency report says these automated defenses block or automatically remove 98.4% of fake accounts.
But the scam that ensnared Gwin and Siegel is more of a hybrid, in that most of it operates outside of LinkedIn’s control via email services like Gmail and Yahoo. This, by the way, should be a major red flag for anyone searching for a job, says the FBI: “Potential employers contact victims through non-company email domains and teleconference applications.” Here are some other telltale signs of a job scam, per the FBI:
- Interviews are not conducted in person or through a secure video call.
- Potential employers contact victims through non-company email domains and teleconference applications.
- Potential employers require employees to purchase start-up equipment from the company.
- Potential employers require employees to pay upfront for background investigations or screenings.
- Potential employers request credit card information.
- Potential employers send an employment contract to physically sign asking for PII.
- Job postings appear on job boards, but not on the companies’ websites.
- Recruiters or managers do not have profiles on the job board, or the profiles do not seem to fit their roles.
Two-thirds of senior-level decision-makers who participated in a 2019 survey said they didn’t believe the SMBs for which they’re responsible would fall victim to a digital attack.
With suitable heap grooming, an attacker can gain full control over this heap overflow (CVE-2021-21160) and, as a result, turn it into arbitrary code execution.
The SolarWinds attack campaign included theft of sensitive source code from tech companies and has helped focus the White House on efforts to secure the software supply chain.
The Alaska department's website was taken offline Monday evening and will be unavailable to the public until further details are known about the security incident, department officials say.
A top Apple executive has said that Mac malware has now exceeded Apple's level of tolerance, and framed security as the reason for keeping iPhones locked to the App Store, during testimony in a lawsuit.
42Crunch, an API security startup, has raised $17 million in its Series A funding round led by Energy Impact Partners. Adara Ventures also participated in this funding round.
In 2020, there were 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations specifically – an increase of more than 45% YOY in the sector.
A domain-joined model allows a single compromised administrator account to obtain ADFS keys and certificates that would also provide access to cloud services including Azure and Office 365.
Backers included Greenspring Associates, March Capital, NGP Capital, and Wipro Ventures, alongside existing investors Ten Eleven Ventures, Intel Capital, Dell Technologies Capital, and others.
The goal is for the emails to mimic internal processes so closely that users are highly unlikely to realize they are interacting with an illegitimate request.
The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov supply chain breach.
Left unchecked, a BGP route hijack or leak can cause a drastic surge in misdirected internet traffic that eventually leads to global congestion and a Denial of Service (DoS).
Since the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained about not being paid for past work and have filed claims on a hacker forum for the bitcoins held in escrow.
The European operations of Toyota subsidiary Daihatsu Diesel Company were hit by an attack, while another Toyota subsidiary, Auto Parts Manufacturing Mississippi, also disclosed a ransomware attack.
CNA Financial, one of the largest U.S. insurance companies, paid $40 million in late March to regain control of its network after a ransomware attack, according to people familiar with the matter.
The Java-based STRRAT was distributed in a massive spam campaign; the malware shows ransomware-like behavior, appending the .crimson extension to file names without actually encrypting the files.
The attack on the Doncaster-based insurance company was just a few days after the Colonial Pipeline's initial compromise on May 7 and one day before the ransomware gang claimed to be shutting up shop.
Microsoft notes that from December 2020 to February 2021, the Phorpiex bot loader was encountered in 160 countries, with Mexico, Kazakhstan, and Uzbekistan being the top targeted countries.
Security analysts at ESET identified 158 privacy and security issues in 58 Android stalkerware apps that could lead to account and device hijacking, data manipulation, and remote code execution, among others.
Researchers claim that the Cobalt Strike penetration testing kit, along with the Metasploit framework, was abused to host over 25% of malicious C2 servers deployed in 2020. Do you have a prepared strategy to protect organizations from this threat?
Researchers uncovered a new botnet malware purposed for DDoS attacks on gaming and other sectors. The malware operators created a Discord server and YouTube channel for its demonstration.
In the first week of May, security researchers raised an alarm about a decade-old supply chain flaw in the PHP package manager that could have put millions of websites at risk.
Red Hat Security Advisory 2021-2085-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2021-2077-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer overflow, denial of service, and memory leak vulnerabilities.
Red Hat Security Advisory 2021-2070-01 - Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.7 serves as a replacement for Red Hat Single Sign-On 7.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include an information leakage vulnerability.
A missing length check in libX11 allows data from LookupColor requests to desynchronize the client-server protocol and inject malicious X server requests.
This Metasploit module scans for a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin; chained with a post-auth arbitrary file write vulnerability, this yields code execution. As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server. This vulnerability affects Exchange 2013 versions below 15.00.1497.012, Exchange 2016 CU18 below 15.01.2106.013, Exchange 2016 CU19 below 15.01.2176.009, Exchange 2019 CU7 below 15.02.0721.013, and Exchange 2019 CU8 below 15.02.0792.010. All components are vulnerable by default.
Sifter is an OSINT, recon, and vulnerability scanner. It combines a plethora of tools within different module sets in order to quickly perform recon tasks, check network firewalling, enumerate remote and local hosts, and scan for "blue" vulnerabilities in Microsoft systems and, if they are unpatched, exploit them.
Microsoft on Thursday warned of a "massive email campaign" pushing the Java-based STRRAT malware, which steals confidential data from infected systems while disguising itself as a ransomware infection. "This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them," the Microsoft Security Intelligence team said in a
U.S. insurance giant CNA Financial reportedly paid $40 million to a ransomware gang to regain access to its systems following an attack in March, making it one of the most expensive ransoms paid to date. The development was first reported by Bloomberg, citing "people with knowledge of the attack." The adversary that staged the intrusion is said to have demanded $60 million a week after