Hackers target poorly secured MS #SQL servers to deploy #CobaltStrike and the new FreeWorld #ransomware.
https://thehackernews.com/2023/09/threat-actors-targeting-microsoft-sql.html
#informationsecurity #Malware #CyberSecurity #Ransomware #cobaltstrike #SQL
Good day to everyone, I hope that everyone is safe today! Researchers from Trend Micro provide intel on a group that they named #EarthEstries. They witnessed a cyberespionage campaign that targeted governments and technology industries around the world! Once they gained access, they installed #CobaltStrike on the victims' systems, used backdoors for repeated access, and then collected PDF and DDF files. They provide in-depth technical details on the other tools that were used on top of all the useful information in this article. Enjoy and Happy Hunting!
Earth Estries Targets Government, Tech for Cyberespionage
https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
SecurityOnline: CVE-2023-36874_BOF: Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE https://securityonline.info/cve-2023-36874_bof-weaponized-cobaltstrike-bof-for-cve-2023-36874-windows-error-reporting-lpe/ #PostExploitation #CVE-2023-36874 #cobaltstrike
Espionage Disguised as #Ransomware?
Ongoing cyber attacks traced back to China target Southeast Asian gambling. Learn how Bronze Starlight deploys #CobaltStrike beacons and hides motives behind ransomware smokescreens.
https://thehackernews.com/2023/08/china-linked-bronze-starlight-group.html
#Hacking #CyberSecurity #cobaltstrike #Ransomware
HackRead: South African Power Supplier Hit by DroxiDat Malware https://www.hackread.com/south-african-power-supplier-droxidat-malware/ #CyberAttacks #CobaltStrike #CyberAttack #SouthAfrica #Security #DroxiDat #security #SystemBC #Malware
#HappyMonday everyone, and it's always a good start when a new The DFIR Report drops! This one includes #Truebot, #CobaltStrike, and ends in data exfiltration and the deployment of the #MBRKiller. Enjoy and Happy Hunting!
Link in the comments!
***I am going to leave one of the MITRE ATT&CK entries blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!***
TA0001 - Initial Access
T1566.002 - Phishing: Spearphishing Link
TA0002 - Execution
T1053.005 - Scheduled Task/Job: Scheduled Task
T1204.002 - User Execution: Malicious File
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
T1078.003 - Valid Accounts: Local Accounts
TA0008 - Lateral Movement
[Here is your chance to fill in the blanks! Enjoy!]
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
Researchers warn of rising #Geacon (a Golang #CobaltStrike variant) payloads on VirusTotal. Red teaming or malicious attacks?
Either way, it's time to tighten your #macOS defenses.
https://thehackernews.com/2023/05/hackers-using-golang-variant-of-cobalt.html
#InfoSec #CyberSecurity #informationsecurity #macOS #cobaltstrike #geacon
⚠️ #Geacon #IOCs and breakdown provided by @SentinelOne ⚠️
Geacon Brings #CobaltStrike Capabilities to #macOS
Threat Actors
https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/?&web_view=true
#geacon #iocs #cobaltstrike #macos #hacking #threatintelligence #attacksurfacereduction
Threat Alert! A Golang variant of #CobaltStrike, known as Geacon, is drawing attention in the #cybersecurity world due to a rise in Geacon payloads on VirusTotal.
https://thehackernews.com/2023/05/hackers-using-golang-variant-of-cobalt.html
#infosec
#InfoSec #CyberSecurity #cobaltstrike
Microsoft Digital Crimes: stop the abuse of cybersecurity tools to distribute malware
Stop the abuse of #cracked and #legacy copies of #CobaltStrike and #Microsoft #software used by #criminals to distribute #malware.
That is the goal of #Microsoft's Digital Crimes Unit (#DCU), which is pursuing a new strategy, in partnership with the #cybersecurity #software company Fortra™ and the Health Information Sharing and Analysis Center (Health-#ISAC), to prevent #cybercriminals from abusing security tools.
#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity
https://www.redhotcyber.com/post/digital-crimes-microsoft-stop-cracking-dei-tools-sicurezza/
Microsoft and cybersecurity firm Fortra have joined forces to take down the malicious infrastructure of #CobaltStrike, which is used in large-scale ransomware attacks.
Read: https://www.hackread.com/microsoft-fortra-cobalt-strike-infrastructure/
#Microsoft #Ransomware #CyberSecurity #cybercrime #Security #cobaltstrike
Uncover the Secrets of Targeted User Surveillance with WindowSpy, the ultimate tool for red teamers and ethical hackers! Read my latest article to learn more. #WindowSpy #CobaltStrike #Cybersecurity https://www.cyber-consult.org/targeted-user-surveillance-with-windowspy/
"Microsoft takes legal action to stop cybercriminals' illegal use of the Cobalt Strike tool": The Hackernews
"Microsoft is working with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals who distribute malware, including ransomware."
They're finally getting serious.
https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html
#prattohome #thehackernews #cobaltstrike #microsoft
Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you a hand - catch up on the week's infosec news with the latest issue of our newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf
#Emotet are back and are using… OneNote lures? ISO disk images? Malvertising? Nah – they're sticking with their tried-and-true TTPs – their Red Dawn maldoc template from last year, macro-enabled documents as lures, and null-byte padding to evade automated scanners.
We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?
North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.
A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.
#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.
Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.
#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;
The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy
This week's #infosec newsletter issue is out! Have a look at it. It includes, among other things:
... And many more. Subscribe to receive it directly in your inbox every Sunday!
#infosec #plex #lastpass #FlipperZero #ibm #cobaltstrike #malware #linkedin #android #github #akuvox #sonicwall #google #passwords #fortinet #vulnerability #veeam #backup #blackmamba #edr #emotet #cybersecurity #security #newsletter
Nice write-up on some Cobalt Strike functionality (reflective loader). I'm going to play with this a bit as I try to focus on red team tactics. I'm dusting off my knowledge in this area (and trying to improve it!) as I've got a couple of cyber skills competitions coming up that I'm scheduled on the red side for!
I know Cobalt Strike is a little dated at this point. Any recommendations for the latest shiny new C2 tooling in the wild?
#cobaltstrike #cybersecuritystudent #cysec #redteam
https://securityintelligence.com/posts/defining-cobalt-strike-reflective-loader/
#CobaltStrike 4.8 is out -
“System Calls Support
This release sees the addition of support for direct and indirect #SystemCalls. We have added support for a number of system calls, specifically:
CloseHandle
CreateFileMapping
CreateRemoteThread
CreateThread
GetThreadContext
MapViewOfFile
OpenProcess
OpenThread
ResumeThread
SetThreadContext
UnmapViewOfFile
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualProtectEx
VirtualQuery”
https://www.cobaltstrike.com/blog/cobalt-strike-4-8-system-call-me-maybe/
#BlueTeam #ThreatIntel #ThreatIntelligence #Infosec #Cyber #RedTeam #CyberSecurity #InformationSecurity
Hackers had stolen the sensitive data of 2.1 million customers from this #DNA testing service.
#Malware #cobaltstrike #breach #Hacking #Security #dna
Find your Monday motivation with a recap of last week's infosec news - with vulnerabilities to patch and new research to read up on, there's plenty to help warm up the old noggin' before diving into another week:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-991
#Microsoft have helpfully suggested patching a bunch of security exceptions it previously recommended making for earlier versions of #Exchange, as they're no longer necessary and - oh yeah - because actors have also been actively abusing it to drop backdoors for years!
Stealc is a new, and in-demand Malware-as-a-Service offering on the Dark Web. The infostealer has received three major updates in the month since its release, and comes with all the major features a cyber crim could wish for to pilfer data and deliver additional stages.
A personal favourite from last week - #LockBit realised a little too late that the Royal Mail negotiator had - in their words - "bamboozled" them throughout their extortion attempts. A real masterclass in how to handle a ransomware negotiation.
VulnCheck have reported finding 7.5k #Grafana instances on the internet that were vulnerable to a 2021 directory traversal vulnerability. This was lost in the hysteria around Log4Shell which emerged just days later, but can still be abused to write content to disk, or simply wipe the entire database altogether.
The #FortiNAC vulnerability from the week before has come under widespread attack after a working exploit was released by researchers just two business days after the vulnerability was disclosed. Assume breach, patch, and hunt if you're not on top of this already.
For the #redteam, there's a cool BOF implementation of a Threadless process injection technique presented at BSides Cymru this year.
It's been a good week for the #blueteam, with research and tools to help in detecting Cobalt Strike's Fork&Run procedure, a number of malware families and FOSS C2 frameworks, and more.
Good luck, and happy hunting!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-991
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #Fortinet #CobaltStrike #DarkWeb