An excellent report from Microsoft on DEV-1101, who is selling sophisticated Phishing kits for as little as $300.

These are being used in high-volume AiTM campaigns, capable of circumventing Captcha checks and MFA protections via an in-built reverse proxy that siphons Session Tokens.

The barrier for entry is pretty much on the floor at this point!

https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

#infosec #cyber #infosecnews #phishing #darkweb #MFA

Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you hand - catch up on the week’s infosec news with the latest issue of our newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with tier tried and true TTPs – their Red Dawn maldoc template from last year; macro-enabled documents as lures, and null-byte padding to evade automated scanners.

We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?

North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.

A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.

#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.

Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.

#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;

The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-09e?sd=pf

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #newsletter #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #mdm #dprk #FortiOS #FortiProxy

I am really having fun with these conversations about #podcasting!

After the first episode with Phillip Wylie, I couldn't think of a better one to follow than our common friend, legend, and overall awesome earthling, Chloé Messdaghi!!! 👏 ✨ 👏 ✨ 👏 ✨

So here you go!

Audio Signals Podcast With Marco Ciappelli

A Conversation About Podcasting with the Secure Your Strategy Podcast Host @ChloeMessdaghi

Unlocking the Power of Podcasting: Chloé Discusses the Importance of Sharing Knowledge and Creating Conversations in #Cybersecurity.

Please subscribe to @ITSPmagazine Youtube Channel if you enjoy this.

#podcast #contentmarketing #personalbranding #personalgrowth #infosec #infosecnews #infosecurity #tech #esg #philanthropy

👉 https://youtu.be/tgP67SOF-yw

The prolific #Emotet malware - tracked under the actor #MummySpider and #TA542 - is back after a 3 month break, delivering inflated (~500MB) macro-enabled Word documents via invoice-themed Phishing emails.

https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/

The Word documents are contained in a password protected archive, and once opened and the malicious content is enabled, will download the Emotet payload - a similarly bloated dll file, designed to bypass automated scanning solutions that typically can't process large files.

Malware analyst Max Malyutin has a great summary of the ATT&CK techniques and IOCs seen in this campaign so far: https://twitter.com/Max_Mal_/status/1633102894328168448?t=Kn9N3dUIcqul_TTCu1aqzQ&s=19

Analysts may find debloat - a tool that strips guff from intentionally bloated executables - useful in processing samples: https://github.com/Squiblydoo/debloat

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #security #technology #malware #soc #threatintel #threatintelligence #phishing

Last week's reporting gave a great insight into the level of innovation going on in the cyber crime ecosystem - C2 over MQTT, cryters delivering payloads over SQL connections, and UEFI bootkits that bypass Window's Secure Boot! We've pulled it all together, just for you:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd

The BlackLotus #Bootkit has been upgraded to exploit a vulnerability in Microsoft's Secure Boot Mechanism, allowing it to persist on fully patched Windows 11 systems. This is enabled in no small part by the failure to update the UEFI revocation list, which allowed the bootkit author to simply load and exploit the vulnerable UEFI components on target systems.

Australia's cyber security laws were "bloody useless" in helping mitigate the Optus and Medibank breaches of 2022, according to the government's Home Affairs Minister. A new "national cyber office", reforms to Critical Infrastructure security laws, and a new Cyber Security Act are all on the table for discussion.

zScaler analysts have picked up on the Snip3 crypter, a Crypter-as-a-Sevice offering which uses multiple obfuscated stages; an AMSI Bypass, and SQL queries to circumvent security controls.

Sysdig share insights from a sophisticated #AWS-centric campaign; ESET have uncovered a new backdoor used by China's Mustang Panda (#APT27) which implements C2 over MQTT, and Team Cymru have again picked apart #IcedID's infrastructure to identify key TTPs.

Some interesting supply chain vulnerabilities this week, with bugs found in the ZK web app framework and Trusted Platform Module (TPM) having the potential to affect an untold number of applications and devices.

#Redteam members will get a kick out of DroppedConnection - a PoC that mimics Cisco AnyConnect VPN to siphon credentials and serve up malware to unwitting victims.

The #blueteam can look forward to some tips for GCP DFIR, bypassing malware geo-fencing, and tracking cyber criminal infrastructure.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #criticalinfrastructure #breach #privacy #Australia #crypter

Checkout this weeks #NewsYouShouldKnow

Including a look at ESET's overview of Russian faux- #ransomware #wiper and the #RussoUkrainian conflict as it relates to mobile network technology and #cybersecurity

The #NIST #CSF gets and update and #LastPass breach gets blamed on #Plex

#ThreatIntel #CTI #Infosec #Security #News #infosecnews

https://www.justinmcafee.com/2023/02/20230228news-you-should-know.html

Find your Monday motivation with a recap of last week's infosec news - with vulnerabilities to patch and new research to read up on, there's plenty to help warm up the old noggin' before diving into another week:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-991

#Microsoft have helpfully suggested patching a bunch of security exceptions it previously recommended making for earlier versions of #Exchange, as they're no longer necessary and - oh yeah - because actors have also been actively abusing it to drop backdoors for years!

Stealc is a new, and in-demand Malware-as-a-Service offering on the Dark Web. The infostealer has received three major updates in the month since its release, and comes with all the major features a cyber crim could wish for to pilfer data and deliver additional stages.

A personal favourite from last week - #LockBit realised a little too late that the Royal Mail negotiator had - in their words - "bamboozled" them throughout their extortion attempts. A real masterclass in how to handle a ransomware negotiation

VulnCheck have reported finding 7.5k #Grafana instances on the internet that were vulnerable to a 2021 directory traversal vulnerability. This was lost in the hysteria around Log4Shell which emerged just days later, but can still be abused to write content to disk, or simply wipe the entire database altogether.

The #FortiNAC vulnerability from the week before has come under widespread attack after a working exploit was released by researchers just two business days after the vulnerability was disclosed. Assume breach, patch, and hunt if you're not on top of this already.

For the #redteam, there's a cool BOF implementation of a Threadless process injection technique presented at Bsides Cyrus this year.

It's been a good week for the #blueteam, with research and tools to help in detecting Cobalt Strike's Fork&Run procedure, a number of malware families and FOSS C2 frameworks, and more.

Good luck, and happy hunting!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-991

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #Fortinet #CobaltStrike #DarkWeb

Security research company Horizon3 released a proof-of-concept (PoC) exploit for a vulnerability in the Fortinet FortiNAC appliance, just two business days after the vendor notified customers of its existence.

The PoC allows an attacker to write arbitrary files to disk, and was seized upon by malicious actors who - just one day later - were seen deploying web shells on vulnerable appliances in-the-wild.

While security research is an undeniably important component of Cyber Security, its participants are often on the bleeding edge of offensive tradecraft, and need to be cautious that their research isn't abused by bad actors.

Allowing organisations just two business days to patch a vulnerability before releasing a fully-functional exploit into the wild does not meet that standard.

This isn't a criticism of Horizon3 themselves, but a reminder that organisations take time to discover and patch vulnerabilities, and security researchers need to be mindful of this - especially when publishing offensive tooling.

https://opalsec.substack.com/p/poc-leak-swiftly-followed-by-widespread?sd=pf

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #redteam #soc #threatintel #threatintelligence #poc #exploit #Fortinet #FortiNAC #securityresearch

Happy Monday, folks! It's time to shake off the cobwebs, so strap yourselves in and get your reading glasses out - here's a wrap-up of the week's infosec news, just for you: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4fe

Australia's mandatory reporting laws for Critical infrastructure operators got its first win last week, with the CISC revealing 47 cyber incidents were reported in the 8 months to December last year. Congrats, but what does that actually mean?

#GoDaddy finally twigged to a multi-year compromise of their networks, after users reported odd redirects impacting their website visitors. Turns out they'd likely been owned since at least March 2020, and appear to have failed to evict the attackers at least twice.

Havoc is the latest C2 framework to be thrown in anger, this time against a government target and in a multi-staged delivery chain which featured several evasive measures. Seems like Sliver and Brute Ratel may soon be in good company!

Symantec researchers have unearthed Frebniis - a stealthy IIS backdoor novel for it's hooking of a legitimate feature to covertly intercept attacker tasking.

A number of critical bugs in #Fortinet, #Apple, and #Citrix have been squashed - just make sure you know which ones, and apply those patches!

#redteam members are in for a treat, with a new Nim-based implant to play with and the OffensivePipeline tool to help automate obfuscation.

The #blueteam can look forward to a detailed look at attacks on #ESXi and how to mitigate it, as well as Hunt recommendations for evilginx2, and an update to Microsoft #Defender for Identity to help identify #ADCS abuse.

As always, there's literally dozens more research articles on threat actor activity and tradecraft that I can't summarise here, so make sure you take a look at this week's issue of SOC Goulash and get yourself up to speed!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4fe

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #SliverC2 #BruteRatel #criticalinfrastructure

This week's newsletter is hot off the press, get it here: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16

The #ESXiArgs escapades have gone from bad to okay and back to bad again, after attackers revised their encryption routine to bypass CISA's recovery script, and launched a 2nd wave of attacks that resulted in the reinfection of hundreds of hosts. Worst yet - we don't know how they're doing it, as the OpenSLP service (believed to be their method of ingress) has been disabled in a number of reported infections.

PowerShell isn't dead - The DFIR Report published their analysis of an apparent attack by Iran's Oilrig/APT34, whose initial infection relied exclusively on PowerShell and remained undetected for a significant period of time.

Proofpoint have unveiled #TA866, a savvy threat group that leverages the 404 Traffic Distribution System and little known AutoHotKey scripting language to cherry pick their targets.

#RedTeam members might find the BokuLoader Reflective Loader for #CobaltStrike useful in their next engagements, as well as #LocalPotato - the latest PrivEsc technique to join the Potato family.

#BlueTeam - check out a list of resources that popped up last week to help analyse #ASyncRAT malware and infections, as well as some helpful how-tos on hunting IIS backdoors and DLL abuse techniques

Happy reading, and happy Monday!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #ESXi

This week's wrap-up of infosec news is out, just in time for your morning commute: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af

#Qakbot have gotten in on the #OneNote action - turns out so too has every other threat actor under the sun.

Iran's #OilRig/#APT34 has been caught in the act, abusing the legitimate Password Filters feature to siphon creds, and exfiltrating them via compromised mail channels.

Some interesting techniques were observed in a recent #SocGholish campaign, including passively enumerating usera through event logs and disabling Restricted Admin mode to enable the theft of creds from memory.

A series of vulnerabilities in the Fortran GoAnywhere MFT file transfer application, QNAP NAS appliances, and VMWare ESXi servers should be top of your list this morning - make sure you're not exposed!

All that and much more, to help you shake off the cobwebs this Monday morning: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4af

#infosec #CyberAttack #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #poc

Hmmmmm.... 🤔

https://www.derstandard.at/story/2000143141877/hackerangriff-20-000-kundendaten-von-magenta-betroffen

#MagentaAustria #DataBreach #Hacked #InfoSecNews

This week's edition of SOC Goulash, our Weekend Wrap-Up of infosec news, is live and hot off the press!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1

Building on last week's flagging of the increase in abuse of #Malvertising, researchers have observed it being abused to deliver #ASyncRAT and #xworm payloads, as well as to harvest master passwords for Password Manager solutions like #Bitwarden and #1Password.

#Hive ransomware have had their infrastructure seized in a multi-national law enforcement operation. The authorities lurked in their infrastructure for six months, gathering communications & information on their members and stealing 1,300 decryption keys that enabled them to avert ~$130 million in potential ransom payments.

North Korea's crypto-hunting actors have been agile in adopting emerging tradecraft and developing novel payloads. With $1 billion worth of funds brought into the hermit kingdom in 2022, orgs in the #cryptocurrency and #DeFi space will need to be on guard coming into 2023.

#PlugX malware continues to be developed, with new variants spotted in the wild capable of spreading via USB, upgrading old installations, and pilfering documents from hosed computers.

#vulnerabilities in the Realtek SDK have been exploited nearly 130 million times between August and December last year alone by botnets seeking to grow their numbers.

Security researchers Horizon3 intend to release a PoC #exploit for CVSS 9.8 RCE vulnerabilities in VMWare's vRealize Log Insight product this week - make sure you're patched!

For our paid subscribers, we've got some additional articles on:
1. The adoption of OneNote for payload delivery, and tips for analysis;
2. An overview of CVE-2022-34689, a critical Windows vulnerability that could be abused to intercept & decrypt encrypted communications or spoof code-signing of malicious executables;
3. A vulnerability/not-vulnerability in #KeePass, with no patch and an unknown scope of impact, allowing attackers to dump plaintext credentials from the Password Manager.

As always, there's a tonne of additional goodies to be found in the newsletter that I couldn't cover here, so check it out here: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-be1

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #malvertising #passwordmanager #vmware #poc

Currently on a diet where my food choices are: beans, broccoli, and beef. So that means I have a lot of time of my hands, no longer having to do a bunch of food prep and cooking. Anybody got suggestions on RSS feeds I can add to keep up with #infosecnews or anything interesting, really.

Last week was a big one for infosec news, with a bumper crop of noteworthy vulnerabilities, some fantastic long-term analysis of trends in cyber criminal TTPs, and more. Here it is, all neatly packaged with a bow on top - just for you:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-c8a?sd=pf

SEO-Poisoning and Malicious Ads are being used more frequently by threat actors, and to great effect. We look at what this means for both enterprises and individual users, and how you can protect against it.

#LockBit is looking a bit wobbly, with recent missteps revealing a disorganised criminal collective led by a narcissistic leader. They've been without a developer for nearly a year and are primed for disruption.

We've collated and contextualised a number of updates on several noteworthy vulnerabilities in products from vendors including #Fortinet, #Sophos, #Zoho, and #Aruba that defenders and admins should know about.

Set yourself up for the week ahead - check out our newsletter, and don't forget to look at the other noteworthy Threat Actor reporting and Tradecraft section - there are some great nuggets in there that you won't want to miss!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-c8a?sd=pf

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #malvertising #seo #SEOPoisoning

I've read and analysed last week's infosec news, so you don't have to - get up to speed on the latest in hacks, malware, tradecraft and more with this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

A vulnerability in the widely-used, open-source JsonWebToken package has highlighted the continued reliance on vendors for supply chain security.

It's not just APTs - cyber crims are eyeing off kernel space, with #ScatteredSpider/#UNC3944 abusing the #BYOVD technique in an attempt to load their malicious driver into kernel space and subvert EDR controls.

We take a look at research into #RaspberryRobin infrastructure - it's multi-tiered, growing, and highly flexible...but also vulnerable to takeover. Will this be the next #Andromeda, still spreading and hijacked by a 3rd-party in 10 years time?

#Fortinet warns an unknown, stealth-conscious actor with a "deep understanding of #FortiOS" has been seen exploiting the month-old FortiOS vulnerability (CVE-2022-42475) to drop additional malware & subvert logging.

There's a tonne more interesting reporting and tradecraft that I can't get to in this post, but you can find them in the newsletter - check it out, and subscribe to get the latest issues straight to your inbox, and support my work!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc

#infosecnews @Mastodon i really would like open discussion on this especially around integration points with Mastodon

Catch up on last week's infosec news with our latest newsletter: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-538

#RaspberryRobin continues to improve its evasion mechanisms, extracting more data from victims in the Financial sector.

#Dridex developers look to be dabbling in creating a Mac variant - but aren't quite there yet.

#HTMLSmuggling is being used increasingly over the past few months by heavy-hitting first stage malware such as Qakbot, IcedID and BumbleBee - make sure you understand how it works and how to spot it.

#infosec #CyberAttack #Hacked #cyber #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities

The #breach of #LastPass revealed a poorly maintained product riddled with flaws, delivered by a company unable to explain their own failings.

Attackers were able to steal unencrypted customer data including their IP addresses and site URLs, as well as the encrypted password vaults themselves.

The product - used by over 100,000 businesses and 33 million individuals - has left long-term customers with outdated security settings, which translates directly to an increased risk of their vaults being cracked.

It's time to jump ship if you haven't already, here's why: https://opalsec.substack.com/p/last-call-for-lastpass?sd=pf

Huge shoutout @WPalant for his detailed analysis of LastPass as a product, and dissecting the evasive language in their latest advisory.

#infosec #CyberAttack #Hacked #cyber #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #cybersecurity

Ransomware attacks hit 105 US local governments in 2022

https://securityaffairs.com/140242/cyber-crime/ransomware-attacks-emsisoft-report-2022.html

#ransomware #InfosecNews #infosec #government #cybersecurity #CyberAttacks