CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The heavy-lift rocket’s upper stage might extend its service as a tug or defender.

  • One soldier helped create a voice-cloning program using off-the-shelf AI.

  • Security crises drove year-over-year growth to its highest level in a decade.

  • Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. “The documents contained VBA code to drop and run an executable with the name ‘ctrlpanel.exe,'”

  • Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified as CVE-2024-3400.

    This zero-day flaw, found in the GlobalProtect Gateway, is currently under active exploitation by attackers.

    CVE-2024-3400 allows attackers to execute arbitrary OS commands on the affected systems without proper authentication.

    The threat actors are now actively exploiting this Palo Alto ZeroDay in the wild following the PoC release.

    Palo Alto ZeroDay Exploited

    Researchers identified the vulnerabilities and developed a working exploit against GlobalProtect, the Palo Alto SSL-VPN solution, within three days.

    WatchTowr explained a path traversal bug with a command injection resulting in a PoC via POST request to “…/ssl-vpn/hipreport.esp”. 

    It permits command injection through the SESSID cookie, which can potentially drop webshells as cron jobs. 

    Rapid7’s and WatchTowr’s PoCs spread quickly, followed by TrustedSec and ShadowServer reporting on some real attacks, while some of the earlier PoCs were fake or malicious.

    Expect widespread attacks soon since Palo Alto solutions are not audited enough.

    Palo Alto raised the risk level for CVE-2024-3400 to 5 out of 5 and requires either applying the patches or configuring specific Threat Prevention signatures as a countermeasure.

    This change will also help prevent devices from becoming overloaded by command execution attempts. Palo Alto shared additional IOCs and CLI commands, which mainly focus on recent exploitation activity rather than the original threat actor.

    Onyphe developed a query tool that can help identify GlobalProtect versions, which can aid patch confirmation activity. However, this will also expose vulnerable servers to threat actors.

    EmergingThreats unveiled a Suricata rule designed explicitly to detect WatchTowr PoC usage. Rapid7 observed constant exploit attempts and documented them via multiple logs.

    Palo Alto released patches for the critical 0day CVE-2024-3400 on April 14, with three fixes available for affected branches. On April 19, patches for the older versions will be released.

    No mass compromise has been observed so far; the activity points instead to a targeted campaign tracked as MidnightEclipse.

    Volexity established that the adversary had moved laterally into internal systems using a Python backdoor named “update.py” and additional payloads designed to exfiltrate valuable data.

    Although some infrastructure is still online, no definite public PoC exists, and expert researchers might use the patched 0day for advanced research.
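    A defender-side triage script for the exploitation path described above, added here as an example (not from the GBHackers post or any vendor): it scans access-log lines for POST requests to /ssl-vpn/hipreport.esp whose SESSID cookie is not an opaque token. The log layout, the constructed sample lines and the assumption that a genuine SESSID is alphanumeric are all hypothetical; adapt LINE_RE and SAFE_ID to what your gateway or proxy actually writes.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines with the request's Cookie header appended (hypothetical
# layout; adjust LINE_RE to whatever your reverse proxy or gateway actually writes)
SAMPLE_LOGS = [
    '203.0.113.5 - - [15/Apr/2024:10:01:02 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=a1b2c3d4"',
    '203.0.113.7 - - [15/Apr/2024:10:02:17 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=/../../../x"',
    '198.51.100.9 - - [15/Apr/2024:10:03:44 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 cookie="SESSID=e5f6"',
    '203.0.113.7 - - [15/Apr/2024:10:04:01 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="lang=en; SESSID=%2F..%2F..%2Fy"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"'
)
# Assumption: a genuine SESSID is an opaque token drawn from this alphabet; anything else
# (slashes, dots, spaces, shell metacharacters) is not a session id and deserves a look
SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")


def sessid_from_cookie(cookie):
    """Return the URL-decoded SESSID value from a Cookie header, or None if absent."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return unquote(value)   # decode %2F-style encoding before inspecting
    return None


def find_suspicious(lines):
    """Return (ip, timestamp, decoded SESSID) for hipreport.esp requests with a malformed SESSID."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].endswith("/ssl-vpn/hipreport.esp"):
            continue
        sid = sessid_from_cookie(m["cookie"])
        if sid is not None and not SAFE_ID.fullmatch(sid):
            hits.append((m["ip"], m["ts"], sid))
    return hits


if __name__ == "__main__":
    for ip, ts, sid in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {ip} malformed SESSID on hipreport.esp: {sid!r}")
```

    Repeated hits from one source IP, as in the sample, are worth correlating with the cron and webshell indicators Palo Alto published.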

    The post Palo Alto ZeroDay Exploited in The Wild Following PoC Release appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). “FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights,” the BlackBerry research and intelligence team said in a new write-up. “They

  • IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as customer data, intellectual property, and critical systems.

    The automotive industry’s dependence on connected technologies and the value of its data make it an attractive target for threat actors.

    BlackBerry analysts recently discovered that the FIN7 hackers are actively attacking the IT employees of the automotive industry.

    FIN7 Attacking IT Employees

    According to some BlackBerry evaluations at the end of 2023, there was a spear-phishing campaign against a major United States-based car manufacturer by FIN7 hackers. 

    FIN7 used a free IP scanning tool as bait to exploit IT staff with admin rights and then deployed their Anunak backdoor. 

    It has been reported that these attacks were part of a broader campaign by FIN7, a financially motivated APT group from Russia known to focus on sectors such as transportation and defense.

    However, the BlackBerry team interrupted the intrusion before the attackers could carry out a ransomware attack.

    This demonstrates the importance of detecting early intrusion to mitigate possible losses.

    FIN7 has since shifted to big-game hunting for larger ransoms, with detailed plans to maximize the impact of its attacks.

    They are scouts who select and study targets carefully, zooming in for employees with high access rights and delivering payloads such as “WsTaskLoad.exe” via spear-phishing emails containing malicious URLs.

    These attacks take advantage of trust in legitimate sites, highlighting the necessity for strong cyber security measures to mitigate such advanced threats.

    Attack chain (Source – BlackBerry)

    WsTaskLoad.exe delivers the final Anunak/Carbanak payload in multiple stages: it loads jutil.dll and then calls its exported function “SizeSizeImage.”

    jutil.dll now reads and decrypts infodb\audio.wav; its decrypted blob is shellcode that gets copied to mspdf.dll, and it runs as code there.

    This shellcode also reads and decrypts infodb\audio.wav again; this decrypted blob is a loader that can be loaded and run later by the same shellcode.

    The loader identifies files in the current directory with dmxl.bin and dfm\open.db matching a certain mark.

    The decrypted dmxml.bin constitutes the Anunak payload, having “rabt4201_x86” as the campaign ID.

    Besides this, WsTaskLoad.exe also handles script execution and persistence. The first thing it does is run an obfuscated PowerShell script called powertrash.

    Persistence is achieved by installing OpenSSH and registering a scheduled job that opens firewall ports.

    The fake lure website “advanced-ip-sccanner[.]com” was pointed at “myipscanner[.]com”, and several other domains were registered too.

    Post compromise, OpenSSH is utilized for external access with an SSH tunnel proxy server using a common fingerprint.

    The target was a large multinational automobile manufacturer whose IT department was deliberately singled out.

    The obfuscation and tool employed resemble FIN7 POWERTRASH tactics, confirming that the actor behind this incident was likely FIN7.
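    A lookalike-domain check for the typosquatted lure above, added here as an example (not BlackBerry’s code): it compares the registrable part of each queried name in resolver logs against a watch list of legitimate tool sites using edit distance. The log layout and sample lines are constructed, and the watch-list entry assumes advanced-ip-scanner.com is the real site the lure imitated.

```python
import re

# Legitimate domain the lure imitated (assumed: the real Advanced IP Scanner site);
# extend with whatever admin tooling your IT staff actually downloads
WATCHLIST = ["advanced-ip-scanner.com"]

# Constructed DNS resolver log lines (hypothetical layout; adapt LINE_RE to your resolver)
SAMPLE_DNS = [
    "2023-11-02T09:14:03Z client=10.0.5.21 query=advanced-ip-scanner.com type=A",
    "2023-11-02T09:15:47Z client=10.0.5.33 query=www.advanced-ip-sccanner.com type=A",
    "2023-11-02T09:15:48Z client=10.0.5.33 query=myipscanner.com type=A",
    "2023-11-02T09:16:10Z client=10.0.5.40 query=updates.example.org type=AAAA",
]
LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname):
    """Crude eTLD+1: the last two labels (adequate for .com-style names in this sample)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def lookalikes(lines, watchlist=WATCHLIST, max_dist=2):
    """Return (client, qname, imitated, distance) for names within max_dist edits of a watched domain."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        base = registrable(m["qname"])
        for legit in watchlist:
            d = levenshtein(base, legit)
            if 0 < d <= max_dist:   # 0 is the genuine site; a small distance is a typosquat
                hits.append((m["client"], m["qname"], legit, d))
    return hits


if __name__ == "__main__":
    for client, qname, legit, d in lookalikes(SAMPLE_DNS):
        print(f"{client} resolved {qname} ({d} edit(s) from {legit})")
```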

    Recommendations

    The recommendations are as follows:

    • Conduct Regular Security Training
    • Social Engineering Awareness
    • Phishing Report System
    • Multi-Factor Authentication
    • Password hygiene
    • Security Updates and Patch Management
    • Endpoint Security Solutions
    • Monitor Suspicious Behavior
    • Data Protection and Encryption
    • Email Filtering and Authentication
    • Incident Response

    The post FIN7 Hackers Attacking IT Employees Of Automotive Industry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • As Russia’s invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly active and increasingly integrated with Russian conventional military operations in support of Moscow’s war aims. 

    However, Sandworm’s disruptive operations now span globally across Russian political, military, and economic interests.

    With 2024 seeing record participation in national elections, the group’s history of attempting to interfere in democratic processes elevates potential near-term threats. 

    Recently, cybersecurity researchers at Google’s Threat Intelligence team unveiled that Russian APT44 is the most notorious cyber sabotage group globally.

    Russian APT44 Most Notorious Gang

    The operationally mature APT44 (Sandworm), which is sponsored by Russian military intelligence, carries out the full range of espionage, attack, and influence operations, something quite unusual among state groups, which often specialize.

    APT44’s spectrum of operations (Source – Google Cloud)

    Russia’s “information confrontation” cyber warfare doctrine necessitates these abilities.

    In pursuit of this, APT44 has actively sought to create several initiatives that would end up giving Russia an upper hand during times of war, Mandiant said.

    During the early stages of the invasion, it ran a fierce campaign with wiper malware against Ukrainian critical infrastructure, sometimes aligned with kinetic strikes.

    As the war proceeded, APT44 switched its interest towards intelligence gathering and launched campaigns to extract data from captured devices that could be used as intelligence sources for Russian forces at the front line.

    The group’s changing strategy illustrates flexibility in support of Moscow’s military goals.

    APT44’s wartime disruptive activity (Source – Google Cloud)

    As an arm of Russian military intelligence, APT44’s sabotage operations extend beyond military objectives to support the Kremlin’s broader national interests like political signaling, crisis response, and preserving perceived global reputation. 

    This has resulted in historically consequential attacks like disrupting Ukraine’s power grid in 2015-2016, the global NotPetya strike on Ukraine’s Constitution Day 2017, and the disruption of the 2018 Pyeongchang Olympics opening ceremony over Russia’s doping ban.

    With high capabilities, risk tolerance, and a far-reaching mandate backing Russian foreign policy across governments, civil society, and critical infrastructure globally, APT44 presents a severe, persistent threat wherever Russian interests intersect. 

    Its aggressive offensive activity introduces new attack concepts, likely lowering barriers for other state and non-state actors, a risk Russia itself appears concerned about based on observed defensive exercises.

    APT44 is a well-known Russian-based advanced persistent threat group constituting a critical and growing international cyber threat.

    For ten years, this group has been at the forefront when it comes to conducting cyber-attacks that are aimed at promoting the nationalist agenda of Russia, which focuses mainly on elections, sports events, and geopolitics.

    The Ukraine war still continues, but APT44 has not shifted its concentration from the region as it may further the Kremlin’s global strategic goals, consequently perhaps impacting political dynamics, elections, and matters surrounding Russian neighboring countries.

    The post Russian APT44 – The Most Notorious Cyber Sabotage Group Globally appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • A new banker, SoumniBot, has recently been identified. It targets Korean users and is notable for using an unusual method to evade analysis and detection, namely obfuscating the Android manifest.

    In addition to its unique obfuscation, SoumniBot stands out for its ability to steal Korean online banking keys, something Android bankers hardly ever do.

    This capability enables malicious actors to bypass bank authentication procedures and empty the wallets of unsuspecting victims.

    Researchers say SoumniBot’s creators succeeded because the validations in the Android manifest parser code are not strict enough.

    Techniques Used By SoumniBot

    The Kaspersky researchers explain that the standard unarchiving function in the libziparchive library only allows the following two values for the Compression method in the record header: 0x0000 (STORED, which is uncompressed) and 0x0008 (DEFLATED, which is compressed using the zlib library’s deflate), else it returns an error.

    However, rather than using this function, the Android developers implemented a separate code path in which the value of the Compression method field is checked incorrectly.

    “If the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into Compression method and write uncompressed data”, researchers said.

    Invalid Compression method value followed by uncompressed data

    The Android APK parser successfully identifies the manifest and permits application installation, even though any unpacker that correctly implements compression method validation would consider a manifest like that invalid.

    Secondly, the size of the manifest file is indicated in the header of the AndroidManifest.xml entry within the ZIP archive.

    Even though the entry’s size is indicated inaccurately, it will be copied from the archive unaltered if stored uncompressed.

    The manifest parser ignores any overlay or information after the payload that isn’t connected to the manifest.

    This is exploited by the malware, which adds some of the archive content to the unpacked manifest due to the archived manifest’s reported size exceeding its real size.

    Finally, the names of the XML namespaces are represented by very long strings included in the manifest.

    These kinds of strings make manifests unreadable for both people and programs, which might not have enough memory allocated to handle them. 
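    A checker for the first two ZIP-level tricks described above, added here as an example (not Kaspersky’s code): it walks the local file headers of an APK-style archive and flags an AndroidManifest.xml entry whose Compression method is neither 0x0000 nor 0x0008, or whose declared size does not match the bytes actually present before the next header. The two archive fragments are constructed in the block itself (minimal headers, CRC left zero, no central directory) so it runs offline; the long-namespace trick needs a binary XML parser and is not covered.

```python
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"
STORED, DEFLATED = 0x0000, 0x0008
MANIFEST = b"AndroidManifest.xml"
HDR = "<4sHHHHHIIIHH"   # local header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen


def zip_entry(name, data, method, declared_size=None):
    """Constructed sample: one local file header plus its data (CRC left zero, no central directory)."""
    size = len(data) if declared_size is None else declared_size
    return struct.pack(HDR, LOCAL_SIG, 20, 0, method, 0, 0, 0, size, size, len(name), 0) + name + data


def raw_deflate(data):
    c = zlib.compressobj(wbits=-15)   # raw DEFLATE stream, the form stored inside ZIP entries
    return c.compress(data) + c.flush()


def check_manifest(blob):
    """Walk local headers and flag the two ZIP-level tricks on the AndroidManifest.xml entry."""
    findings, pos = [], 0
    while blob.startswith(LOCAL_SIG, pos):
        _, _, _, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from(HDR, blob, pos)
        name = blob[pos + 30:pos + 30 + nlen]
        start = pos + 30 + nlen + xlen
        # Actual extent of the data: up to the next header signature (or end of file), which is
        # what a lenient extractor copies when it trusts the declared size instead of checking it
        nxt = min(i for i in (blob.find(LOCAL_SIG, start), blob.find(CENTRAL_SIG, start), len(blob)) if i >= 0)
        if name == MANIFEST:
            if method not in (STORED, DEFLATED):
                findings.append(f"compression method 0x{method:04x} is neither STORED nor DEFLATED")
            if csize != nxt - start:
                findings.append(f"declared size {csize} != actual {nxt - start} bytes")
        pos = nxt
    return findings


def samples():
    """Two constructed APK fragments: a well-formed one and one using SoumniBot's tricks."""
    manifest = b"<manifest package='com.example.app'/>"
    tail = zip_entry(b"classes.dex", b"dex\n035\x00", STORED) + CENTRAL_SIG
    benign = zip_entry(MANIFEST, raw_deflate(manifest), DEFLATED) + tail
    # Method 0x0009 is rejected by libziparchive but treated as uncompressed by the APK
    # parser; the oversized length claim drags the start of classes.dex into the manifest
    evil = zip_entry(MANIFEST, manifest, 0x0009, declared_size=len(manifest) + 40) + tail
    return benign, evil
```

    On a real APK, read the central directory rather than scanning for signatures, since manifest data may legitimately contain the PK byte sequence.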

    “When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim’s device to mainsite every 15 seconds”, researchers said.

    The information contains the victim’s ID, which was created using the trust device-android library, contact and account lists, the country inferred from the IP address, SMS and MMS messages, and other data.

    The Trojan subscribes to messages from the MQTT server to receive commands.

    If you want to avoid becoming a victim of malware of that kind, it is advised to use a reputable security app on your smartphone to identify the Trojan and stop it from installing despite all of its tactics.

    Indicators of compromise

    The post SoumniBot Exploiting Android Manifest Flaws to Evade Detection appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
