Infosec Press

Reader

Read the latest posts from Infosec Press.

from Not Simon 🐐

Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated: September 12, 2024)

Aliases (sorted alphabetically):

Sub-group:

  • DEV-0842 (Microsoft)
  • DEV-0861 (Microsoft) / Scarred Manticore (Check Point Research)
  • DEV-0166 (Microsoft) / IntrudingDivisor (Unit 42)
  • DEV-0133 (Microsoft)

Known Associates

  • Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
  • Farzin Karimi Mazlganchai. Source: PwC

Vulnerabilities Exploited

  • CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability. Source: Microsoft
  • CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability. Source: Mandiant
  • CVE-2017-0199 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability. Source: Unit 42

Tactics, Techniques, and Procedures (TTPs)

Known Tools Used

As listed by MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

 

from 📰wrzlbrmpft's cyberlights💥

Back after vacation – My weekly shortlist of cyber security highlights. (maybe I'll even redo the skipped weeks 😏) The short summaries are AI-generated! If something is wrong, please let me know.


News For All

🕵️‍♂️ Ausweiskopie und persönliche Daten an Kriminelle weitergegeben? Das können Sie tun (Handed a copy of your ID and personal data to criminals? Here is what you can do) security news – Criminals exploit job offers and ads to steal personal data and ID copies, leading to identity theft, fraudulent accounts, and potential legal consequences for victims. https://www.watchlist-internet.at/news/umgang-mit-datendiebstahl/

✈️ SQL Injection Attack on Airport Security vulnerability – A serious SQL injection vulnerability allows unauthorized users to bypass airport security checks, risking safety by granting access to restricted areas like cockpits. https://www.schneier.com/blog/archives/2024/09/sql-injection-attack-on-airport-security.html

🛫 German air traffic control agency confirms cyberattack, says operations unaffected security news – Germany's air traffic control agency confirmed a cyberattack affecting administrative systems but assured that flight safety remains intact and operations were not disrupted. https://therecord.media/german-air-traffic-control-company-deutsche-flugsicherung-cyberattack

🚍 Transport for London (TfL) is dealing with an ongoing cyberattack security news – TfL is investigating a cyberattack affecting internal systems but reports no evidence of customer data compromise, assuring that services remain unaffected. https://securityaffairs.com/167946/hacking/transport-for-london-tfl-ongoing-cyberattack.html

🔑 Owners of 1-Time Passcode Theft Service Plead Guilty cybercrime – Three men pleaded guilty for operating OTP Agency, a service that intercepted one-time passcodes for account takeovers, affecting over 12,500 victims before its shutdown. https://krebsonsecurity.com/2024/09/owners-of-1-time-passcode-theft-service-plead-guilty/

🦠 Disinfo group Spamouflage more aggressively targeting U.S. elections, candidates cybercrime – The disinformation group Spamouflage has intensified efforts to impersonate U.S. voters, undermining political candidates and institutions, though its impact on engagement remains limited. https://cyberscoop.com/spamouflage-targeting-us-election-candidates/

📸 Sextortion Scams Now Include Photos of Your Home – Krebs on Security cybercrime – Sextortion scams are evolving, now featuring personalized threats with photos of victims' homes, increasing fear and urgency to pay ransoms, often near $2,000 in Bitcoin. https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/

💰 Data watchdog fines Clearview AI $33M privacy – The Dutch Data Protection Authority fined Clearview AI €30.5 million for illegally collecting images without consent, stating the company's practices violate GDPR and threaten individual privacy. https://www.theregister.com/2024/09/03/clearview_ai_dutch_fine/

🔒 Google releases Pixel update to get rid of surveillance vulnerability vulnerability – Google's latest Pixel update removes the insecure Showcase.apk, originally intended for Verizon demos, which posed risks of man-in-the-middle attacks and spyware, ensuring enhanced device security. https://www.theverge.com/2024/9/3/24235127/google-pixel-showcase-vulnerability-patch

🔑 YubiKeys have an unfixable security flaw — but it’s difficult to exploit vulnerability – A vulnerability in older YubiKey devices allows cloning but is hard to exploit, requiring physical access and additional knowledge. Devices prior to firmware version 5.7 remain permanently affected. https://www.theverge.com/2024/9/4/24235635/yubikey-unfixable-security-vulnerability-side-channel-explot

🚨 D-Link DIR-846 routers are affected by code execution flaws. Replace them! vulnerability – D-Link's discontinued DIR-846 routers are vulnerable to multiple critical remote code execution flaws (CVSS scores up to 9.8). Users are advised to replace these devices as they are no longer supported. https://securityaffairs.com/168041/security/d-link-dir-846-routers-code-execution-flaws.html

☢️ Zyxel warns of vulnerabilities in a wide range of its products vulnerability – Zyxel has disclosed nearly a dozen vulnerabilities across its products, with the most critical (CVE-2024-7261) allowing unauthenticated OS command execution, rated 9.8. Users are urged to patch immediately. https://arstechnica.com/?p=2047312

🗳️ Biden cracks down on Putin's election meddling cybercrime – The Biden administration seized 32 websites linked to Russian propaganda efforts and charged two RT employees in a $10 million scheme to influence the upcoming U.S. presidential election. https://www.theregister.com/2024/09/05/biden_cracks_down_on_putins/

🎣 Warning Against Phishing Emails Impersonating Netflix warning – AhnLab warns of phishing emails posing as Netflix, claiming payment failures and urging users to update payment methods via malicious links. Users are advised to verify URLs before clicking. https://asec.ahnlab.com/en/82969/

⚡ Quishing, an insidious threat to electric car owners security news – Quishing is a phishing attack using counterfeit QR codes at electric car charging stations to steal sensitive information. Users are urged to use recharge cards and verify URLs to protect against scams. https://securityaffairs.com/168059/hacking/quishing-electric-car-owners.html

♀️ New report shows ongoing gender pay gap in cybersecurity security news – The ISC2 Cybersecurity Workforce Study reveals a persistent gender pay gap in cybersecurity, with men earning more than women, and highlights the underrepresentation of women in the field, emphasizing the need for targeted DEI hiring initiatives. https://securityintelligence.com/articles/new-report-shows-gender-pay-gap-in-cybersecurity/

🦠 Predator spyware resurfaces with signs of activity, Recorded Future says security news – Recorded Future reports renewed activity from Predator spyware, linked to Intellexa, with new infrastructure identified and potential customers in Angola, Saudi Arabia, and the Democratic Republic of the Congo. https://cyberscoop.com/predator-spyware-resurfaces-with-signs-of-activity-recorded-future-says/

🔎 Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware security news – Colombian President Gustavo Petro announced an investigation into $11 million allegedly used by the previous administration to purchase Pegasus spyware, questioning the legality of the transactions. https://therecord.media/colombian-president-pegasus-spyware-israel-missing-money

📎 Telegram changes its tone on moderating private chats after CEO’s arrest security news – Following CEO Pavel Durov's arrest, Telegram revised its FAQ to allow reporting of illegal content in private chats, shifting from a previous stance of non-cooperation with moderation requests. https://www.theverge.com/2024/9/5/24237254/telegram-pavel-durov-arrest-private-chats-moderation-policy-change

🛋️ Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured Database data breach – Confidant Health inadvertently exposed sensitive patient data, including therapy session recordings, due to an unsecured database. The incident highlights the urgent need for improved data security in healthcare organizations. https://www.wired.com/story/confidant-health-therapy-records-database-exposure/

🔓 Hackers Threaten to Leak Planned Parenthood Data cybercrime – RansomHub ransomware group claims to have hacked Planned Parenthood's Montana branch, threatening to leak 93 GB of sensitive data after a cybersecurity incident was reported on August 28. https://www.wired.com/story/hackers-threaten-to-leak-planned-parenthood-data/


Some More, For the Curious

🔍 Most interesting IR cases in 2023: insider threats and more security research – Kaspersky's Global Emergency Response Team highlights 2023's notable incident response cases, including insider fraud and advanced persistent threats, emphasizing the need for enhanced monitoring and threat intelligence. https://securelist.com/incident-response-interesting-cases-2023/113611/

🔒 Vulnerabilities in Microsoft apps for macOS allow stealing permissions vulnerability – Eight vulnerabilities in Microsoft apps for macOS could enable attackers to steal permissions, allowing unauthorized access to sensitive resources like cameras and microphones without user knowledge. https://securityaffairs.com/167973/hacking/microsoft-apps-for-macos-flaws.html

🛑 VMware releases Fusion vulnerability with 8.8 rating vulnerability – A critical vulnerability in VMware Fusion (CVE-2024-38811) allows code execution with standard user privileges, rated 8.8 on the CVSS scale, prompting a software patch. https://cyberscoop.com/vmware-vulnerability-fushion-cve-2024-38811/

💻 Rust in Linux lead retires rather than deal with more “nontechnical nonsense” security news – Wedson Almeida Filho, leader of the Rust for Linux project, retires citing frustration with nontechnical disputes, expressing concern that the Linux kernel must embrace memory-safe languages like Rust to remain relevant. https://arstechnica.com/?p=2046763

🧬 Evolution of Mallox: from private ransomware to RaaS security research – Mallox ransomware has evolved from targeted attacks to a Ransomware-as-a-Service model, with over 700 samples identified. Its affiliate program seeks experienced partners for cybercrime, indicating a shift in operational strategy. https://securelist.com/mallox-ransomware/113529/

🐍 Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk security research – The 'Revival Hijack' technique allows attackers to reclaim deleted PyPI packages, risking 22,000 packages and potentially leading to malicious downloads. JFrog has taken action to protect the community. https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/

📃 Validate your Windows Audit Policy Configuration with KQL cyber defense – Ensuring proper configuration of Windows audit policies is essential for security. This article discusses using Kusto Query Language (KQL) to validate and troubleshoot audit policy application across environments. https://blog.nviso.eu/2024/09/05/validate-your-windows-audit-policy-configuration-with-kql/

🦗 Cicada Ransomware – What You Need To Know security news – Cicada ransomware, discovered in June 2024, has targeted over 20 organizations primarily in North America and the UK. Written in Rust, it threatens to publish stolen data unless a ransom is paid. https://www.tripwire.com/state-of-security/cicada-ransomware-what-you-need-know

🪅 Veeam fixed a critical flaw in Veeam Backup & Replication software vulnerability – Veeam patched 18 high and critical vulnerabilities in its Backup & Replication software, including a critical RCE flaw (CVE-2024-40711) with a CVSS score of 9.8, requiring immediate attention. https://securityaffairs.com/168088/security/veeam-backup-replication-cve-2024-40711.html

🧱 SonicWall warns that SonicOS bug exploited in attacks vulnerability – SonicWall alerts users of a critical access control vulnerability (CVE-2024-40766) in SonicOS that may be actively exploited, urging immediate patching to prevent unauthorized access and potential firewall crashes. https://securityaffairs.com/168112/hacking/sonicwall-sonicos-bug-exploited.html

🔧 Building a Hardware Hacking Arsenal: The Right Bits for Every Byte security research – This article outlines essential tools for hardware hacking, emphasizing cost-effective options that support learning and experimentation in security assessments. Safety and accessibility are also highlighted. https://www.guidepointsecurity.com/blog/building-a-hardware-hacking-arsenal-the-right-bits-for-every-byte/


CISA Corner

⚠️ LOYTEC Electronics LINX Series vulnerability – Multiple vulnerabilities in LOYTEC's LINX series devices could allow attackers to exploit sensitive information and gain unauthorized access, with high CVSS scores indicating significant risks. https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01

⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog vulnerability – CISA has added three vulnerabilities, including two in Draytek VigorConnect and one in Kingsoft WPS Office, to its catalog due to active exploitation risks for federal networks. https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-exploited-vulnerabilities-catalog

⚙️ CISA Releases Four Industrial Control Systems Advisories vulnerability – On September 5, 2024, CISA released four advisories addressing security vulnerabilities in various Industrial Control Systems, urging users to review for technical details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2024/09/05/cisa-releases-four-industrial-control-systems-advisories

⚔️ Russian Military Cyber Actors Target US and Global Critical Infrastructure security news – The FBI, CISA, and NSA report that Russian GRU Unit 29155 is behind ongoing cyber operations targeting critical infrastructure, utilizing tools like WhisperGate malware and exploiting various vulnerabilities since at least 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a


While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

 

from Not Simon 🐐

Country: People's Republic of China
Organization: Loosely connected private contractors operating on behalf of China's Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology
Objective: Espionage, Information theft, Financial crime
(Page last updated: September 08, 2024)

Aliases (sorted alphabetically):

Subgroups

Identified Members

Associated Company

Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)

Vulnerabilities Exploited

  • CVE-2018-0824 (7.5 high, in CISA's KEV Catalog) Microsoft COM for Windows Remote Code Execution Vulnerability Source: Cisco
  • CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Sources: Clearsky, Fortinet, FireEye
  • CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability. Sources: FireEye, Fortinet
  • CVE-2015-1641 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Fortinet
  • CVE-2012-0158 (8.8 high, in CISA's KEV Catalog) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Fortinet, FireEye
  • CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: FireEye

The following 7 vulnerabilities have the same source: U.S. DOJ

  • CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog) Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability Additional sources: FireEye, Fortinet
  • CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog) Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  • CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog) D-Link Multiple Routers Command Injection Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo 1.9.6 Directory Traversal / Remote Command Execution Vulnerability
  • CVE-2019-1652 (7.2 high, in CISA's KEV Catalog) Cisco Small Business Routers Improper Input Validation Vulnerability. Additional source: FireEye
  • CVE-2019-1653 (7.5 high, in CISA's KEV Catalog) Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability. Additional source: FireEye
  • CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine Desktop Central File Upload Vulnerability. Additional sources: FireEye, Fortinet

The following 2 vulnerabilities have the same source: Mandiant

  • CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
  • CVE-2021-44207 (8.1 high) Acclaim USAHERDS Hard-Coded Credentials Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2013

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

 

from Not Simon 🐐

Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)
Objective: Espionage, Sabotage, Assassinations, Influence Operations
(Page last updated: September 07, 2024)

Aliases:

Identified Members

Vulnerabilities Exploited

  • CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Unit 42

The following 5 vulnerabilities have the same source: CISA

  • CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
  • CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
  • CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog) Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
  • CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability

Exploitation Likely

CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:

  • CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
  • CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
  • CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
  • CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
  • CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability
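Every profile on this page carries the same kind of list: CVE IDs, each tagged with whether it sits in CISA's KEV Catalog, and the two lists above separate confirmed exploitation from exploit scripts in hand. The practical follow-up is to pull those IDs into your own exposure check. The script below is an added example, not part of this profile and not tooling from Not Simon or CISA: it extracts CVE IDs from a pasted list, cross-references them against a KEV feed using the real feed's field names (cveID, vendorProject, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse), and orders the result by remediation urgency. The feed excerpt is constructed for the example and its dates are placeholders, not the live catalog's; PROFILE_TEXT is the Exploitation Likely list above, pasted verbatim.

```python
"""Cross-reference a threat-actor CVE list against a CISA KEV feed.

Added example; not part of the original profile and not CISA tooling.
SAMPLE_KEV_JSON is a constructed excerpt that uses the real feed's field
names; its dates are placeholders chosen for the example.
"""
import json
import re
from datetime import date

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

# Constructed KEV excerpt (placeholder dates). The live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft",
         "vulnerabilityName": "Microsoft Netlogon Privilege Escalation Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-26084", "vendorProject": "Atlassian",
         "vulnerabilityName": "Atlassian Confluence Server and Data Center OGNL Injection Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-3156", "vendorProject": "Sudo",
         "vulnerabilityName": "Sudo Heap-Based Buffer Overflow Vulnerability",
         "dateAdded": "2022-04-06", "dueDate": "2022-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-4034", "vendorProject": "Red Hat",
         "vulnerabilityName": "Red Hat Polkit Out-of-Bounds Read and Write Vulnerability",
         "dateAdded": "2022-06-14", "dueDate": "2022-07-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# The "Exploitation Likely" list from the profile, pasted verbatim; the
# parser only needs the CVE IDs and ignores the surrounding prose.
PROFILE_TEXT = """
  • CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
  • CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence OGNL Injection Vulnerability
  • CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
  • CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
  • CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability
"""


def extract_cves(text):
    """CVE IDs in order of first appearance, upper-cased and de-duplicated."""
    found = []
    for cve in (m.upper() for m in CVE_RE.findall(text)):
        if cve not in found:
            found.append(cve)
    return found


def load_kev(json_text):
    """Index a KEV feed by CVE ID (upper-cased so lookups are case-insensitive)."""
    feed = json.loads(json_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def cross_reference(cves, kev, today="2024-09-07"):
    """One row per CVE: KEV membership, whether the KEV due date has passed as
    of `today` (ISO date string), and whether CISA flags ransomware use.
    CVEs missing from the feed are kept with in_kev=False so the gap is visible."""
    as_of = date.fromisoformat(today)
    rows = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cveID": cve, "in_kev": False, "dueDate": None,
                         "overdue": False, "ransomware": False})
            continue
        rows.append({
            "cveID": cve,
            "in_kev": True,
            "dueDate": entry["dueDate"],
            "overdue": as_of > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    return rows


def prioritize(rows):
    """Patch order: KEV entries first, overdue before not-yet-due, ransomware-
    linked before the rest, then CVE ID so the output is stable."""
    return sorted(rows, key=lambda r: (not r["in_kev"], not r["overdue"],
                                       not r["ransomware"], r["cveID"]))


def report(rows):
    """Plain-text summary, one line per CVE, in priority order."""
    lines = []
    for r in prioritize(rows):
        notes = []
        if r["overdue"]:
            notes.append("overdue since " + r["dueDate"])
        if r["ransomware"]:
            notes.append("ransomware use")
        status = "KEV" if r["in_kev"] else "not in KEV"
        suffix = " (" + ", ".join(notes) + ")" if notes else ""
        lines.append(r["cveID"] + ": " + status + suffix)
    return "\n".join(lines)


def run_example(today="2024-09-07"):
    """Run the check on the profile list against the sample feed."""
    rows = cross_reference(extract_cves(PROFILE_TEXT), load_kev(SAMPLE_KEV_JSON), today)
    return report(rows)


if __name__ == "__main__":
    print(run_example())
```

Swap SAMPLE_KEV_JSON for the downloaded feed and PROFILE_TEXT for any of the Vulnerabilities Exploited lists on this page (or for the output of your own vulnerability scanner) and the report tells you which of the actor's CVEs CISA has already set a remediation deadline for; a CVE that shows "not in KEV" is not a reason to deprioritise it, only a sign that the catalog is not where the evidence lives.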

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

[Screenshot: Russia GRU Unit 29155 MITRE ATT&CK TTPs in a visual chart compiled using ATT&CK Navigator Layers]

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

2023

2022

2021

 

from Nicholas Spencer

The rapid advancement of generative AI is reshaping the cybersecurity industry. As AI capabilities grow exponentially, we're witnessing a swift evolution in how both defensive and offensive cybersecurity operations function. This transformation is not only changing the nature of cyber threats and defences but also significantly impacting the cybersecurity workforce.

AI in Defensive Cybersecurity

In the realm of defensive cybersecurity, AI is revolutionising how Security Operations Centres (SOCs) function, particularly in alert triage and investigation. Currently, SOC analysts face the repetitive task of sifting through countless alerts, many of which turn out to be false positives. This labour-intensive process has long been a bottleneck in effective threat response. However, the emergence of AI-powered services claiming to automate initial alert investigations is changing the game.

Traditionally, level-1 SOC analysts have been responsible for the initial triage, following established playbooks to investigate alerts and escalate when necessary. This repetitive work, while crucial, is ripe for automation. As AI systems become more sophisticated, it's increasingly likely that much of this level-1 work will be fully automated in the near future, with AI systems capable of escalating complex alerts to experienced human analysts when required.

AI in Offensive Cybersecurity

On the offensive side, AI is already making significant waves in how penetration testing and vulnerability assessments are conducted. AI-powered tools are automating many aspects of basic penetration testing. These sophisticated systems can efficiently scan for running services and exploit known vulnerabilities, tasks that previously required significant human intervention. Moreover, these AI tools are adept at examining websites and identifying a wide range of vulnerabilities, including those listed in the OWASP Top 10 – a critical benchmark in web application security.

Even in scenarios where AI tools can't autonomously exploit applications, they're proving to be invaluable assistants to human penetration testers. This AI augmentation is a game-changer, potentially elevating a novice penetration tester to perform at the level of someone with years of experience. For seasoned professionals, AI acts as a capability multiplier, enabling them to uncover more complex vulnerabilities and delve deeper into system weaknesses.

The AI Arms Race in Cybersecurity

The rapid growth in AI capabilities is evident in both defensive and offensive security domains. While major AI model creators are implementing safeguards to limit their systems' ability to assist with cybersecurity exploitation, numerous other models exist without such restrictions. This proliferation of unrestricted AI tools raises significant concerns about their potential misuse by malicious actors.

The same AI-powered tools that enhance the capabilities of ethical penetration testers and defensive analysts could equally empower cyber criminals. This dual-use nature of AI in cybersecurity is leading towards what appears to be an AI-driven arms race. On one side, AI will be leveraged to bolster system defences, automate alert triage, and uncover vulnerabilities for patching. On the other, it will be weaponised to launch more sophisticated attacks that are harder to detect and remediate.

Impact on the Cybersecurity Workforce

While this automation of cyber defence promises increased efficiency and potentially improved threat response times, it also raises concerns about the future of the cybersecurity workforce, particularly entry-level roles. As AI takes over many tasks traditionally performed by junior analysts and penetration testers, we may see a significant reduction in entry-level positions, which have long served as a crucial stepping stone for aspiring cybersecurity professionals.

This shift could potentially exacerbate the existing cybersecurity skills gap. With fewer entry-level positions available, it may become increasingly challenging for interested individuals to gain the hands-on experience necessary to progress in the field. This bottleneck could lead to a shortage of mid-level and senior professionals in the long term, as the traditional career pipeline is disrupted.

However, it's important to note that as AI brings new efficiencies to cybersecurity, it also introduces new threats and challenges. The cybersecurity landscape is evolving rapidly, with AI-powered attacks becoming more sophisticated and prevalent. This evolution will inevitably create new roles and specialisations within the field, potentially offsetting some of the job losses in existing areas.

The Future of Cybersecurity

As we stand on the brink of this new era in cybersecurity, it's clear that AI will play a pivotal role in shaping the future of the field. The exact shape of the cybersecurity workforce remains uncertain. While AI will undoubtedly automate many current tasks, it will also create new opportunities and challenges that require human expertise.

While AI tools are making certain aspects of cybersecurity more accessible, they're also raising the bar for what constitutes advanced skills in both defensive and offensive security. Professionals in this field will need to adapt quickly, learning to work alongside AI tools effectively while also staying ahead of AI threats.

The key for professionals and students in this field will be to stay adaptable, continuously learning and evolving their skills to remain relevant in this AI-augmented landscape. Embracing these new tools responsibly, using them to enhance our defensive capabilities while also preparing for the inevitable rise in AI-assisted cyber attacks, will be crucial for the future of cybersecurity.

Disclaimer: While I developed the ideas and topics of this post, I used Claude AI (Sonnet 3.5) as a tool to help format and structure it for clarity and coherence.

 

from Not Simon 🐐

Country: Islamic Republic of Iran
Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
Objective: Espionage, Intelligence collection
(Page last updated: September 04, 2024)

Aliases:

Sub-group:

Vulnerabilities Exploited

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

2023

2022

2021

2020

2019

2018

2017

2016

 

from Not Simon 🐐

Country: People's Republic of China (PRC)
Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage

Aliases:

  • Bronze Mohawk (Secureworks)
  • Leviathan/Kryptonite Panda (CrowdStrike)
  • Gadolinium (formerly used by Microsoft)
  • Gingham Typhoon (Microsoft)
  • FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
  • Temp.Periscope / Temp.Jumper (FireEye)

Front Company

  • Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded)

Identified Members

  • Ding Xiaoyang (丁晓阳)
  • Cheng Qingmin (程庆民)
  • Zhu Yunmin (朱允敏)
  • Wu Shurong (吴淑荣)

References

Links (Sorted in Chronological Order)

2021

2020

2019

 

from Bruno Miguel

I got a job over a month ago. I mean, kinda. It's something I can do when I'm capable of it, concerns writing (including reviewing and correcting other people's work), and pays around double the hourly minimum wage in my country.

I can usually work 2 hours a day, sometimes 3 or 4 hours, 5 or 6 days a week. There are also days when I'm in such pain that I can't do a thing.

I don't make a fortune (I wouldn't mind, though!), but at least it has been enough to be able to pay for my medications.

#Job #LifeUpdate

 

from Tai Lam in Science

I think I'm overthinking this. I think I'll follow the instructions for Secure Boot for the Linux Surface project and see how that goes.

The GH project's wiki references following steps outlined in the ArchWiki.

Additionally, I came across the following sources:

  • Super User thread from Stack Exchange
  • GitHub gist from July 2022
  • A blog post from January 2022

I haven't been able to sit down and try this — but expect that this worked if I don't come back to follow up.

 

from Tai Lam in Science

About three days ago, I was reading federal government online sources about online job scams.

There is a resource page from the FTC and another FTC page to report online scams, as well as the Internet Crime Complaint Center (IC3) page from the FBI.

Conclusion

Most traditional jobs don't advertise on Craigslist. I almost got burned, but luckily I smoked this scam out before I could even apply for it.

The particular one I was looking at struck me as strange, as it has been the only Craigslist posting (of any type) that didn't use Craigslist's private e-mail relay/address option. Due to this, I kept looking at the e-mail address (as it was a Yahoo e-mail address, instead of an official e-mail address from a real American healthcare corporation) until I realized I was looking at a scam — it was very much like looking at a very well camouflaged animal for a long time before spotting it.

An offer that's “too good to be true” doesn't have to be hyperbolically exaggerated to the point of being comical and super obvious — it can also be a toned-down, realistic decoy.

Also, it is a good rule of thumb to cross-reference and check if the same online job listing you've stumbled upon on an aggregate site (such as Craigslist or Indeed) can be found on a better first-party source, such as the company website.

 

from Tai Lam in Science

eBay is sometimes tedious to deal with. I use the site to buy electronic parts for repair, but some aspects of the site are annoying to deal with.

For example, if you use a password manager, then you should wait a few seconds (at least 5 seconds, if I had to pick a number) before submitting your password. (Then, you will be prompted with an hCaptcha, if you are using a VPN; followed by an SMS message for 2FA.)

I received an error message, identical to that described in an EcommerceBytes article from January 2021. I think this was because I tried to log in very quickly, assisted by KeePassXC.

This YouTube video from August 2023 also shows the rate limiting.

This is sort of annoying, as checking my order status on eBay is currently my only way to check the shipping status of orders, since even the U.S. Postal Service completely blocks VPNs (at least Mullvad VPN) when I tried doing this about two days ago.

 

from Tai Lam on a Bike

There is a site called Read Comic Online, which I first saw on a fellow student's laptop during my last year of undergraduate studies.

(This site is definitely violating copyright, but on the other hand there is probably no pragmatic way I could buy physical copies of any of the Stranger Things comics when I started reading those, except in collected book versions; though I'd have to go to the library to read those. Also, I have yet to explore in-person comic book stores.)

In early 2024, I was browsing the site when I discovered the webcomic Kill Six Billion Demons (or KSBD).

Fair warning: if you thought that reading a Boruto chapter monthly (or a Naruto manga chapter back during its publication run) was painful, then the anticipation of waiting for each page of KSBD to be released might be too much for you.

Anyways, I somehow started reading the middle of the series online and quickly read through all the books available on Read Comic Online. As some context: it has been a while since the series has collected the later books into print form with Image Comics, so you can get a lot further into the story by reading the webcomic.

I was immediately hooked. But then I went to the actual KSBD website and realized I had no idea what was happening in the story, as the webcomic site is much further along than the completed print books available on Read Comic Online. So, I caught up with the story, as of early 2024.

I was initially shocked at the outer appearance of protagonist Allison when I first opened the KSBD webcomic site. Initially, she was drawn in a way that made me believe she was a villain, which was not the case and at first confused me. However, after catching up with the story, I understand how Allison came to her current state in the story.

I just wanted to talk about KSBD, as there is not much (meta-)explanatory material on KSBD generally online, except for rather obscure places — such as the comments under each page of KSBD.


from Kevin Neely's Security Notes

Critiques

  • The venue was too bright. Chillout rooms and talk tracks could have used a dimmer.
  • Speaking of the Chillout room, it was somewhat disappointing. (I’m talking about Chillout 2, as Chillout 1 felt like a giant hospital waiting room). I like a cavernous, dim, and ambient room for, you know, chilling out. #SomaFM was over in the hallway, the Chillout room had a live stage, and it was overall pretty small.

“Best-ofs”

These are the best things I personally saw or was close to. There's so much going on that this just represents the best stuff I saw in my fractional DEFCON experience.

  • Best thing I learned: Gained a good bit of familiarity with InspectAI at the AI Village as a part of their CTF.
  • Best Talk: “Librarian in Broad Daylight: Fighting back against ever encroaching capitalism” by the Cyberpunk Librarian in the War Stories track.
  • Best Rant: Cory Doctorow on #enshittification
  • Best Tool or Technique: “MySQL honeypot that drops shells”
  • Best Research: “Watchers being watched: Exploiting the Surveillance System” in which the researchers exploited 4 different surveillance systems.
  • Best Real-World Impact: “Bastardo Grande: Hunting the Largest Black Market Bike Fence In The World” by Bryan Hance. Talk not up yet, see the related Wired article
  • Best Contest: There are too many, but I loved the idea of Sn4ck3r, the machine that vends real items for captured flags.
  • Best Party: the 503 Party, of course!
  • Best Entertainment: DJ Jackalope brought an awesome set after Hacker Jeopardy. (and Skittish and Bus did a great job warming up the crowd just before)
  • Biggest Drama: the badge
  • Best Village: The Packet Hacking village due to the supreme DEFCON-y ambience and the well-run workshops they provided to people of all skill levels

Observations & Random Points

  1. I probably haven’t been to a main track talk in person for over 6 years. I decided to go to a few of them and really enjoyed the atmosphere. I’ll have to remember to put at least 2 on the agenda each year going forward.
  2. BlueTeam Village got a much larger space this year. I’m happy to see that, as they were nearly impossible to get into over at the Flamingo in recent years. BTV is doing good work and people should be able to experience it.
  3. There were a lot of contests.
  4. The Car-hacking village really brings it. They had a semi truck rig, a Rivian, and they gave away a Tesla. Well done, and my only ask is that we make it easier for people & mechanics to jail break their cars when the companies John Deere-ify them.

Next #DEFCON will be held Aug 7-10, 2025 at the LVCC. I hope to see you there!


from Tai Lam on a Bike

East of West is probably the best self-contained story I've read recently in the general genre of comic series, graphic novel, and manga. It's longer than one collected book, yet isn't a series that feels like it's going on forever, such as Naruto or Boruto.

I will say that the very end of East of West seems to be relatively anticlimactic compared to how it starts, yet it is still better than the ending of the original Matrix film trilogy.

Regardless, East of West still ends way better than The Empty Man, which I felt started really well but then ended in a rather mediocre fashion — much like the Matrix trilogy.

I sort of wish that the comic series Godslap, which was co-created by MoistCr1TiKaL, would be released more frequently, as would the comic series Outlast: The Murkoff Account and the vampire comic series Sucker.

(Though, to be fair, the continuation of the Murkoff Outlast comic that I am invested in can't finish anytime soon, as the game Outlast III hasn't been released yet.)

Apparently, as of November 2023, the third and final volume of Sucker is in production. I really liked this one because it had some rather sharp social commentary on Big Pharma... maybe too sharp, given that Volume 2 was released in March 2020, when the COVID-19 pandemic really started in the US.

(The following links are probably NSFW-risky links, though not completely explicit, for the Sucker comic: Volume 1 and Volume 2 are published by Polite Strangers. This series was originally crowdfunded on Kickstarter and IndieGoGo — I was able to find these links despite some difficulty.)

Conclusion

From my experiences, I think most time reading comic books and graphic novels should be done alone. It's how I discovered all of these unique stories that almost no one in mainstream media outlets (both in TV and film) would even consider exploring. It's not just online ARGs, analog horror, and SCP Foundation-esque entries that have more wildly creative ideas than even the most unfiltered indie film and TV projects.

I think some of my formative time spent in public libraries was reading graphic novels alone. You learn by osmosis how to form your own opinion regarding media literacy.

I would love to see The Private Eye comic adapted into an A24-like two-part miniseries, as it finished serialization by December 2015 and is really prescient in a post-Snowden era and the post-COVID technology chilling. The screenplay and basic storyboard are at least 50% towards MVP of a screenplay script, if you think about it.

Also, adapting Xombi Volume 2 as a stand-alone three-part miniseries for the character Xombi would be my highest personal cinematic adaptation goal. I think DC could consider exploring some “experimental” media entries, similar to that of the 2022 Werewolf by Night film special from Marvel; as much of its DC cinematic and television entries are pretty disconnected already.

I mean, Spider-Man: Homecoming completely avoided redoing Tom Holland's being bitten by the spider and yet the film did just fine. So, we wouldn't have to trudge through David Kim's origin story. If your story is good, then it's good. A superhero-like character doesn't always have to be an origin story to have a compelling story.

Lastly, there is some music (just two tracks) that was created for East of West, which is available on Bandcamp at a cost of “name your price” (including free).

Really random and funny postscript

Speaking of Bandcamp: Nathan Barnatt, the IRL actor who plays the character Dad, also has a Bandcamp for all of the original music and songs created for the Dad series.


from 📰wrzlbrmpft's cyberlights💥

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


News For All

🚫 Videos: Van der Bellen & Assinger werben nicht für Investmentplattformen security news – Videos circulating online that appear to show Van der Bellen and Assinger endorsing investment platforms are fakes; neither of them promotes such platforms. https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-werben-nicht-fuer-investmentplattformen/

💸 Should Organizations Pay Ransom Demands? cybercrime – Organizations are urged to avoid paying ransomware demands as it funds cybercriminals and doesn't guarantee data recovery. Proactive cybersecurity measures are emphasized as a better defense. https://securityaffairs.com/166650/uncategorized/ransomware-organizations-should-avoid-paying-ransoms.html

📧 Users: Microsoft must update Outlook's friendly name feature security news – Users are urging Microsoft to change how Outlook displays sender names to combat phishing, as friendly names can mislead users into clicking malicious links. Calls for disabling aliases have grown. https://www.theregister.com/2024/08/06/users_call_for_microsoft_to/

🛑 Consumer Reports study finds data removal services are often ineffective privacy – A Consumer Reports study found that data removal services are largely ineffective, with only 35% of personal data removed from people-search sites within four months, raising concerns about their reliability. https://therecord.media/data-removal-services-mostly-worthless-study

💻 Report: Myths about tech still plaguing the IT world security news – A Kaspersky survey reveals widespread misconceptions about digital security among tech-savvy Brits, including beliefs about webcam safety, incognito mode, and the effectiveness of encryption, highlighting a need for better cybersecurity education. https://www.theregister.com/2024/08/08/report_tech_misconceptions_plague_the/

🪖 Russia's Kursk region suffers 'massive' DDoS attack amid Ukraine offensive cyber defense – Kursk, Russia, experienced a significant DDoS attack targeting government and business websites, coinciding with Ukraine's military advances, though critical infrastructure remained protected from damage. https://therecord.media/kursk-military-offensive-ddos-russia-ukraine

🐄 Crooks took control of a cow milking robot causing the death of a cow cybercrime – Cybercriminals hacked a farmer's milking robot, demanding a $10,000 ransom. The farmer refused to pay, leading to the death of a cow due to lost data on insemination dates. https://securityaffairs.com/166839/cyber-crime/cow-milking-robot-hacked.html

🔊 Sonos smart speakers flaw allowed to eavesdrop on users vulnerability – NCC Group discovered vulnerabilities in Sonos smart speakers, including CVE-2023-50809, allowing remote code execution and potential eavesdropping. Sonos released a patch to address the issues. https://securityaffairs.com/166823/hacking/sonos-smart-speakers-flaw.html

🔑 How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards security research – Researchers reveal a method to extract HID encoder keys, allowing easy cloning of keycards. https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/

🛡️ Security Tips for Modern Web Administrators security news – Website security is vital for user trust. Employ multi-layered defenses, keep software updated, and follow best practices to safeguard against attacks and protect sensitive data. https://blog.sucuri.net/2024/08/security-tips-for-modern-web-administrators.html

🆙 Mac and Windows users infected by software updates delivered over hacked ISP malware – Hackers compromised an ISP to deliver malware to users via tampered software updates. This attack exploited unencrypted connections, enabling malicious file downloads for Windows and macOS users. https://arstechnica.com/security/2024/08/hacked-isp-infects-users-receiving-unsecure-software-updates/

👁️ Illinois relaxes biometric privacy law, reduces penalties privacy – Illinois has amended its Biometric Information Privacy Act, reducing penalties for breaches by counting multiple data distributions as one violation, which critics say lowers potential damages. https://www.theregister.com/2024/08/06/illinois_bipa_amendment_reduces_penalties/

🔒 Google says Android zero-day was exploited in the wild vulnerability – Google has patched a high-severity Android vulnerability (CVE-2024-36971) allowing remote code execution, amid reports of targeted exploitation. This reflects a rising trend in zero-day attacks. https://therecord.media/android-zero-day-google-fix-august-patch

💻 Students scramble after security breach wipes 13,000 devices data breach – A security breach at Mobile Guardian led to the remote wiping of data from 13,000 school-issued devices in Singapore, prompting the Ministry of Education to halt its services and remove the app. https://arstechnica.com/security/2024/08/students-scramble-after-security-breach-wipes-13000-devices/

🐍 SharpRhino malware targets IT admins, Hunters Intl suspected malware – The SharpRhino malware, disguised as Angry IP Scanner, targets network admins and is linked to the Hunters International gang, known for ransomware-as-a-service tactics and double extortion. https://www.theregister.com/2024/08/07/sharprhino_malware_admins/

❎ Problems with Georgia’s Voter Registration Portal security news – Georgia's voter registration portal has security flaws allowing unauthorized cancellation of registrations and exposing sensitive voter data, highlighting challenges in balancing usability and security. https://www.schneier.com/blog/archives/2024/08/problems-with-georgias-voter-registration-portal.html

💰 US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks cybercrime – The U.S. State Department has offered a $10 million reward for information on six Iranian hackers linked to cyberattacks on U.S. water utilities, attributed to the CyberAv3ngers group. https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-utilities

🧓 Researchers find decades-old vulnerability in major web browsers vulnerability – A zero-day vulnerability discovered by Oligo Security affects major browsers, allowing attackers to exploit network requests to 0.0.0.0, potentially breaching local networks and accessing private data. https://cyberscoop.com/browser-zero-day-oligo-security-0-0-0-0-day/

🧑‍🌾 Nashville man arrested for running “laptop farm” to get jobs for North Koreans cybercrime – Matthew Isaac Knoot was arrested for hosting laptops to deceive US companies into hiring North Korean nationals, funneling their earnings to fund North Korea’s weapons program. https://arstechnica.com/security/2024/08/nashville-man-arrested-for-running-laptop-farm-to-get-jobs-for-north-koreans/


Some More, For the Curious

⚡ Hacking a Virtual Power Plant hacking write-up – A security researcher exploited a vulnerability in a virtual power plant's API using weak 512-bit RSA keys, revealing how easily sensitive data could be accessed. https://rya.nc/vpp-hack.html

📊 State of Exploitation – A Peek into 1H-2024 Vulnerability Exploitation security research – In the first half of 2024, 390 new vulnerabilities were added to the Known Exploited Vulnerabilities Catalog, highlighting ongoing threats and trends in exploitation and weaponization. https://vulncheck.com/blog/state-of-exploitation-1h-2024

💼 Florida firm sued over theft of 2.9B personal records data breach – A lawsuit claims Jerico Pictures negligently failed to secure 2.9 billion records, leading to a data breach where personal information was sold on the dark web, risking identity theft. https://www.theregister.com/2024/08/05/national_public_data_lawsuit/

💰 Low-Drama ‘Dark Angels’ Reap Record Ransoms cybercrime – The Dark Angels ransomware group made headlines after receiving a record $75 million ransom from a Fortune 50 company, focusing on massive data theft while avoiding disruption and publicity. https://krebsonsecurity.com/2024/08/low-drama-dark-angels-reap-record-ransoms/

🗽 Intelligence bill would elevate ransomware to a terrorist threat security news – A Senate proposal aims to treat ransomware attacks as terrorism, enhancing legal authority to combat cybercriminals and sanction states harboring them, despite concerns over effectiveness. https://cyberscoop.com/ransomware-terrorism-ndaa-2025/

🌮 Turning the screws: The pressure tactics of ransomware gangs cybercrime – Ransomware gangs are escalating pressure tactics, using media, legislation, and personal threats to coerce victims into paying ransoms, including targeting secondary victims for leverage. https://news.sophos.com/en-us/2024/08/06/turning-the-screws-the-pressure-tactics-of-ransomware-gangs/

➖ Best security practices for ESXi environments cyber defense – Organizations using VMware ESXi should implement ten security practices to mitigate risks, as native EDR is unavailable, including ensuring patching, enforcing strong passwords, and enabling lockdown modes. https://news.sophos.com/en-us/2024/08/07/best-security-practices-for-esxi-environments/

🧠 Mental Health – An Infosec Challenge security news – Cybersecurity professionals face unique mental health challenges like burnout and anxiety due to constant stress. The article offers tips for prevention, emphasizing self-care, communication, and community support. https://www.blackhillsinfosec.com/mental-health-an-infosec-challenge/

🤑 Hackers return $12 million taken during Ronin network breach cybercrime – Hackers returned $12 million stolen from the Ronin gaming blockchain, claiming to act as white-hats after exploiting a vulnerability. The company plans to enhance security and awarded the hackers a $500,000 bounty. https://therecord.media/hackers-return-12-million-taken-from-ronin-network

🎩 The top stories coming out of the Black Hat cybersecurity conference security news – At the Black Hat conference, AI's role in cybersecurity takes center stage, alongside vulnerabilities in car infotainment systems and the impact of upcoming elections on cybersecurity policy. https://blog.talosintelligence.com/threat-source-newsletter-aug-8-2024/


CISA Corner

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog vulnerability – CISA has included CVE-2018-0824, a Microsoft vulnerability, in its catalog due to active exploitation, emphasizing the need for federal agencies to address such risks promptly. https://www.cisa.gov/news-events/alerts/2024/08/05/cisa-adds-one-known-exploited-vulnerability-catalog

🚨 CISA Adds Two Known Exploited Vulnerabilities to Catalog vulnerability – CISA has included CVE-2024-36971 and CVE-2024-32113 in its catalog due to active exploitation, highlighting risks to federal networks and the need for timely remediation. https://www.cisa.gov/news-events/alerts/2024/08/07/cisa-adds-two-known-exploited-vulnerabilities-catalog

🛠️ Delta Electronics DIAScreen vulnerability – A stack-based buffer overflow vulnerability in Delta Electronics DIAScreen could allow arbitrary code execution. Users are urged to update to version 1.4.2 to mitigate risks. https://www.cisa.gov/news-events/ics-advisories/icsa-24-219-01

🔍 Dorsett Controls InfoScan vulnerability – Dorsett Controls InfoScan has vulnerabilities allowing unauthorized access to sensitive information and path traversal. Users should update to version 1.38 or later to mitigate risks. https://www.cisa.gov/news-events/ics-advisories/icsa-24-221-01

🛒 Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem cyber defense – This guide empowers software customers to demand security in product design, offering questions to assess manufacturers' cybersecurity practices and ensuring resilience against cyber threats. https://www.cisa.gov/resources-tools/resources/secure-demand-guide

🔐 Best Practices for Cisco Device Configuration security news – CISA advises disabling the Cisco Smart Install feature and using type 8 password protection to secure configurations, reducing the risk of password cracking and unauthorized access. https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration


While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
