Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners.

We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?

North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.

A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.

#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.

Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.

#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;

The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy

"Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW" published by Mandiant. #UNC2970, #LIGHTSHIFT, #LIGHTSHOW, #BYOVD, #YARA, #CTI, #OSINT, #LAZARUS https://www.mandiant.com/resources/blog/lightshift-and-lightshow

"Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970" published by Mandiant. #UNC2970, #LIGHTSHOW, #BYOVD, #YARA, #CTI, #OSINT, #LAZARUS https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970

BlackLotus brings legit but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot on up-to-date Windows systems. In some samples, these binaries are downloaded directly from the MS Symbol Store. cve.mitre.org/cgi-bin/cvenam… 2/11

ESET's Martin Smolár (@smolar_m) analyses the BlackLotus UEFI bootkit, which bypasses UEFI Secure Boot even on fully updated Windows 11 systems. BlackLotus brings legitimate but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot. https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

"공공 기관 및 대학 등에 널리 사용하는 공인인증서 소프트웨어 취약점을 이용한 Lazarus 공격 그룹 공격 사례" published by Ahnlab. #BYOVD, #Lazardoor, #CTI, #OSINT, #LAZARUS https://asec.ahnlab.com/ko/48416/

I've read and analysed last week's infosec news, so you don't have to - get up to speed on the latest in hacks, malware, tradecraft and more with this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

A vulnerability in the widely-used, open-source JsonWebToken package has highlighted the continued reliance on vendors for supply chain security.

It's not just APTs - cyber crims are eyeing off kernel space, with #ScatteredSpider/#UNC3944 abusing the #BYOVD technique in an attempt to load their malicious driver into kernel space and subvert EDR controls.

We take a look at research into #RaspberryRobin infrastructure - it's multi-tiered, growing, and highly flexible...but also vulnerable to takeover. Will this be the next #Andromeda, still spreading and hijacked by a 3rd-party in 10 years time?

#Fortinet warns an unknown, stealth-conscious actor with a "deep understanding of #FortiOS" has been seen exploiting the month-old FortiOS vulnerability (CVE-2022-42475) to drop additional malware & subvert logging.

There's a tonne more interesting reporting and tradecraft that I can't get to in this post, but you can find them in the newsletter - check it out, and subscribe to get the latest issues straight to your inbox, and support my work!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc

How a Microsoft blunder opened millions of PCs to potent malware attacks

https://arstechnica.com/?p=1889745

#bringyourownvulnerabledriver #windowsdriverblocking #microsoft #Features #Biz&IT #byovd

How a Microsoft blunder opened millions of PCs to potent malware attacks - Enlarge (credit: Getty Images)

For almost two years, Microsoft... - https://arstechnica.com/?p=1889745 #bringyourownvulnerabledriver #windowsdriverblocking #microsoft #features #biz&it #byovd