CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Instead, the president should take a page from his former boss’ playbook and seek the money the military needs.


  • This year’s spending caps will boost future costs, acting Air Force undersecretary adds.


  • Researchers from ANY.RUN have reported a new wave of DCRat, a malware family known for its wide array of harmful functions, with subscriptions sold for as little as $5.

    The detailed report covers the distribution, dynamic, and static analysis of DCRat, also known as Dark Crystal RAT, which is both a Remote Access Trojan (RAT) and an information stealer.

    DCRat’s modular architecture allows for customization and mutation to bypass signature-based detection, making it a formidable tool for cybercriminals.

    The malware’s low price point has made it accessible to many threat actors, from novices to organized groups.

    You can analyze DCRat’s file, network, module, and registry activity with the ANY.RUN malware sandbox.

    ANY.RUN is a cloud-based environment for analyzing Windows and Linux malware samples. Malware analysts and SOC and DFIR teams can safely examine threats, simulate different scenarios, and gain insight into malware behavior to improve their defenses.

    ANY.RUN also lets researchers understand malware behavior, collect IOCs, and map malicious actions to TTPs in its interactive sandbox.

    The Threat Intelligence Lookup platform helps security researchers find relevant threat data from ANY.RUN sandbox tasks.

    Infection Flow

    ANY.RUN’s analysis reveals that DCRat is sold via a Telegram group, operating on a subscription model with prices ranging from $5 for two months to $39 for a lifetime subscription.

    • All communication goes through Telegram.
    • Payments are accepted only in cryptocurrency, sent to burner wallets.
    • Transactions are routed through crystalpay[.]io to further anonymize them.

    The ANY.RUN Malware Trends Tracker ranks DCRat as the 9th most prevalent malware as of January 18, 2024, indicating its rising trajectory.

    The malware is distributed through a Telegram bot, which also provides support and facilitates transactions through the crystalpay[.]io payment platform, demonstrating the DCRat team’s high level of operational security (OPSEC).


    DCRat Malware Dynamic Analysis

    Surface analysis identified the DCRat sample as a password-protected self-extracting archive (SFX), a packaging technique often used to evade detection.

    Dynamic analysis in ANY.RUN’s controlled environment revealed the malware’s behavior, including the execution of a digitally signed executable file disguised as a printer driver and the dropping of multiple executables to ensure persistence.

    Static Analysis

    Static analysis provided insights into the malware’s functions, Indicators of Compromise (IOCs), and configuration details.

    The analysis utilized tools such as Detect It Easy (DIE) and decompilers like dnSpy or ILSpy for .NET applications to deobfuscate the executable and understand the malware’s operational logic.

    The ANY.RUN team also recommends using Flare FLOSS for extracting strings from binaries to identify hidden information.

    Researchers also noted that the malware collects the following data:

    • Screen captures
    • Webcam
    • Microphone
    • Steam-specific data
    • Telegram-specific data
    • Discord-specific data
    • .NET-specific data

    The analysis concludes by mapping DCRat’s tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, helping SOC analysts understand the threat quickly.

    ANY.RUN encourages cybersecurity professionals to access the full analysis on their platform to better understand DCRat’s capabilities and strengthen their cybersecurity posture.


    The post Hackers Selling DCRat Malware Subscriptions For $5 on Telegram appeared first on GBHackers on Security.




  • A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. “This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user


  • FortiGuard Labs has released a report detailing the emergence and impact of the Abyss Locker ransomware, which has been targeting Microsoft Windows and Linux platforms.

    Abyss Locker, believed to be based on the HelloKitty ransomware source code, has been stealing and encrypting victims’ files, demanding ransom for file decryption, and preventing the release of stolen data.

    The Abyss Locker ransomware’s wallpaper

    The severity level of this ransomware is classified as high. The first Abyss Locker sample was detected in July 2023, but the ransomware’s origins may date back further.

    The Windows version of Abyss Locker was discovered in January 2024, with a second version shortly after. The Linux variant, which targets VMware ESXi systems, has also been identified.

    You can analyze a malware sample’s file, network, module, and registry activity with the ANY.RUN malware sandbox, which lets you interact with the OS directly from the browser, and search related threat data with its Threat Intelligence Lookup.

    Attack Method

    The Windows version of Abyss Locker performs several actions to ensure the successful encryption of files. It deletes Volume Shadow Copies and system backups using commands like vssadmin.exe delete shadows /all /quiet and wmic SHADOWCOPY DELETE.

    It also sets the boot status policy to disable automatic repair and ignore all boot failures.

    The ransomware encrypts files and changes the file extension to “.abyss”, or to a random five-letter extension in the version 1 variant.

    A ransom note titled “WhatHappened.txt” is dropped, and the desktop wallpaper is replaced with a message demanding a ransom.

    The Linux version of Abyss Locker uses the esxcli command-line tool to manage VMware ESXi systems. It attempts to gracefully shut down running VMs before encrypting files with a “.crypt” extension.

    A ransom note with the “.README_TO_RESTORE” extension is created for each encrypted file.

    Both versions of the ransomware skip specific file extensions and directories so that the system remains operable and the victim can still communicate with the attackers for ransom negotiation, according to the Fortinet report.
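The sequence described above (shadow copies destroyed, boot recovery disabled, VMs stopped on ESXi, then files renamed and a note dropped) is what a SOC should alert on, and the individual signals are noisy on their own: backup software touches vssadmin, and administrators run esxcli. The rule set below is an added example, not from the Fortinet report, run over constructed Sysmon-style events; it flags a host only when a backup-inhibition signal and an encryption artefact appear together. The bcdedit syntax for the boot-policy change, the `esxcli vm process kill` form, and the event field names are assumptions; the page names the vssadmin and wmic commands, the note names, and the extensions.

```python
"""Abyss Locker behaviour detection (added example, not Fortinet's rules).

Runs a handful of regex rules over constructed process-creation and file
events and raises a per-host verdict only when inhibition of recovery
(shadow copies / boot policy / VM shutdown) co-occurs with encryption
artefacts (.abyss/.crypt files, ransom notes).  Field names, the bcdedit
syntax and the esxcli kill form are assumptions; the page supplies the
vssadmin/wmic commands, note names and extensions.
"""
import re

# (rule name, event type, field inspected, pattern)
RULES = [
    ("shadow_copy_deletion", "process", "cmdline",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled", "process", "cmdline",        # assumed bcdedit form of the boot-policy change
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)),
    ("esxi_vm_shutdown", "process", "cmdline",              # assumed esxcli form of the VM shutdown
     re.compile(r"esxcli\s+vm\s+process\s+kill", re.I)),
    ("abyss_ransom_note", "file", "path",
     re.compile(r"(\\|/)(WhatHappened\.txt|[^\\/]+\.README_TO_RESTORE)$", re.I)),
    ("abyss_encrypted_file", "file", "path",
     re.compile(r"\.(abyss|crypt)$", re.I)),
]

INHIBIT = {"shadow_copy_deletion", "boot_recovery_disabled", "esxi_vm_shutdown"}
IMPACT = {"abyss_ransom_note", "abyss_encrypted_file"}


def match_rules(event: dict) -> list:
    """Names of every rule whose event type and pattern match this event."""
    return [name for name, etype, field, pat in RULES
            if event.get("type") == etype and pat.search(event.get(field, ""))]


def score_host(events) -> dict:
    """Per-host rule hits plus a verdict: inhibition AND impact on the same host."""
    per_host = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: {"rules": sorted(names), "likely_abyss": bool(names & INHIBIT and names & IMPACT)}
            for host, names in per_host.items()}


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "cmdline": "wmic SHADOWCOPY DELETE"},
    {"host": "WS01", "type": "process", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Documents\\q4.xlsx.abyss"},
    {"host": "WS01", "type": "file", "path": "C:\\Users\\alice\\Desktop\\WhatHappened.txt"},
    {"host": "ESX01", "type": "process", "cmdline": "esxcli vm process kill --type=soft --world-id=123"},
    {"host": "ESX01", "type": "file", "path": "/vmfs/volumes/ds1/fs01/fs01.vmdk.crypt"},
    {"host": "ESX01", "type": "file", "path": "/vmfs/volumes/ds1/fs01/fs01.vmdk.crypt.README_TO_RESTORE"},
    # Benign admin activity: listing shadow copies and a normal document write.
    {"host": "ADMIN01", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "ADMIN01", "type": "file", "path": "C:\\Reports\\q4.xlsx"},
]

if __name__ == "__main__":
    for host, verdict in score_host(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The encrypted-file rule will not catch the version 1 variant's random five-letter extension; for that, a rate-based rule (many renames by one process in a short window) is the usual complement, and the ransom note rule still fires.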

    Infection Vector

    The infection vector for Abyss Locker is not specified, but it is likely similar to other ransomware groups.

    Abyss Locker ransomware’s ransom negotiation site

    The ransomware samples have been submitted from various regions, indicating a widespread attack.

    While no current data leak site exposes victims’ names, a ransom negotiation site on TOR is available. The ransom demands vary, with higher amounts typically set for consumers.

    The Abyss Locker ransomware poses a significant threat to Windows and Linux users, particularly those utilizing VMware ESXi systems.

    IOCs

    Abyss Locker Ransomware File IOCs

    SHA256                                                            Note
    72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462  Abyss Locker v2 (Linux)
    3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6d  Abyss Locker v2 (Windows)
    9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc  Abyss Locker v1 (Windows)
    0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64  Abyss Locker v1 (Windows)
    dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0  Abyss Locker v1 (Windows)
    e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7c  Abyss Locker v1 (Windows)
    1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596  Abyss Locker v1 (Windows)
    1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120  Abyss Locker v1 (Windows)
    25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7  Abyss Locker v1 (Windows)
    b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5f  Abyss Locker v1 (Windows)
    362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711  Abyss Locker v1 (Windows)
    e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7  Abyss Locker v1 (Windows)
    056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032da  Abyss Locker v1 (Windows)
    877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97  Abyss Locker v1 (Windows)
    2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829  Abyss Locker v1 (Windows)


    The post Abyss Locker Ransomware Attacks Microsoft Windows and Linux Users appeared first on GBHackers on Security.


  • Hackers have exploited a vulnerability in a 14-year-old Content Management System (CMS) editor, FCKeditor, to launch SEO poisoning attacks against government and educational websites worldwide.

    This campaign has compromised numerous sites, redirecting unsuspecting users to malicious or scam websites through open redirects and poisoned search results.

    Open redirects are a critical flaw where websites redirect users to external URLs without proper validation, making them a prime target for cybercriminals.

    These redirects are particularly dangerous because they originate from legitimate domains, allowing attackers to bypass security filters and trick users into visiting malicious sites.

    This technique has been effectively used to perform phishing attacks, distribute malware, and scam users while maintaining the appearance of legitimacy.
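The flaw class described above is easy to reproduce and easy to get wrong when fixing. The snippet below is an added example, not FCKeditor's code (the page does not say which FCKeditor component was abused), showing the vulnerable pattern beside a hardened check: the unsafe handler echoes the client-supplied target straight into the redirect, while the hardened version allows only same-site relative paths and absolute http(s) URLs whose host is on an explicit allow-list, treating the usual bypass shapes (`//evil`, backslashes, `https:evil`, `javascript:`) as external. The allowed hosts and probe URLs are constructed assumptions.

```python
"""Open redirect: vulnerable handler beside a hardened target check (added example).

Not FCKeditor's code.  `redirect_unsafe` is the flaw the campaign relies on;
`safe_redirect_target` is one correct way to validate a `?url=` parameter.
ALLOWED_HOSTS and PROBES are assumptions constructed for the example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.edu", "example.edu"}   # assumed hosts of the site itself
DEFAULT_TARGET = "/"


def redirect_unsafe(url: str) -> str:
    """The vulnerable pattern: whatever the client supplied becomes the Location header."""
    return url


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return `url` only if it stays on-site; otherwise fall back to DEFAULT_TARGET."""
    if not url:
        return DEFAULT_TARGET
    # Browsers treat '\' like '/' in the authority, so "/\evil" becomes "//evil"; normalise first.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL, or a pseudo-scheme like "javascript:": allow only http(s) to an allowed host.
        # "https:evil.example" parses with an empty netloc, so hostname is None and it is rejected.
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            return DEFAULT_TARGET
        return candidate
    if parts.netloc:
        # Scheme-relative "//evil.example/x" resolves to another origin.
        return DEFAULT_TARGET
    if not parts.path.startswith("/"):
        # A bare "evil.example" is a relative path here but could be rewritten upstream.
        return DEFAULT_TARGET
    return candidate


# Constructed probes, not URLs from the campaign.
PROBES = [
    "/courses/index.html",
    "https://www.example.edu/news",
    "https://evil.example/vbucks",
    "//evil.example/vbucks",
    "/\\evil.example",
    "https:evil.example",
    "javascript:alert(1)",
    "evil.example",
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:32} unsafe -> {redirect_unsafe(p)!r:32} safe -> {safe_redirect_target(p)!r}")
```

An allow-list of hosts is deliberately stricter than "same domain suffix" checks, which `https://www.example.edu.evil.example/` and `https://www.example.edu@evil.example/` both defeat; `urlsplit().hostname` returns the real host in both cases.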


    FCKeditor: The Target of Choice

    The focal point of this campaign is the outdated FCKeditor plugin, a web text editor popular for editing HTML content directly within web pages.

    Despite being rebranded as CKEditor in 2009 with significant improvements, many sites continue to use the deprecated version, especially in the education and government sectors.

    Cybersecurity researcher @g0njxa uncovered the campaign after noticing Google Search results for ‘Free V Bucks’ generators hosted on university sites, revealing the extent of the exploitation.

    Malicious Google Search results

    Educational and Government Sites Compromised

    The campaign has not spared prestigious institutions and government entities. Among the affected are MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaiʻi.

    Government and corporate sites, including those belonging to Virginia, Austin, Texas, Spain, and Yellow Pages Canada, have also been targeted, utilizing a combination of static HTML pages and redirects to malicious sites.

    In SEO poisoning, attackers manipulate search engine results to promote malicious websites.

    By leveraging the trust and authority of compromised domains, these actors can poison search engine results, leading unsuspecting users to scam sites, fake news articles, phishing pages, and malicious browser extensions.

    This not only endangers users but also tarnishes the reputation of the compromised sites.

    FCKeditor Deprecated

    The software maker responded to the open-redirects campaign report on X, emphasizing that FCKeditor has been deprecated since 2010 and should no longer be in use.

    However, the persistence of this outdated software on critical sites highlights the broader issue of legacy systems and their vulnerabilities.

    It’s a stark reminder for organizations to update and patch their systems to protect against such exploits.


    This campaign underscores the importance of maintaining up-to-date software and the need for vigilance against sophisticated cyber threats.

    As attackers continue to exploit vulnerabilities in outdated systems, website administrators and users are responsible for ensuring the security of their digital environments.


    The post 14-Year-Old CMS Editor Flaw Exploited to Hack Govt & Edu Sites appeared first on GBHackers on Security.


  • Four new vulnerabilities have been discovered in some of the Zyxel Firewall and access point (AP) versions that are associated with Denial of Service, OS Command Injection, and Remote code execution.

    These vulnerabilities have been assigned with CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, and CVE-2023-6764.

    The severity of these vulnerabilities ranges from 5.7 (Medium) to 8.1 (High). Zyxel has fixed them and released a security advisory.

    Zyxel Firewall Flaw

    CVE-2023-6397: Null Pointer Dereference vulnerability in Zyxel

    This vulnerability could allow a LAN-based threat actor to cause a denial-of-service condition by downloading a crafted RAR archive onto a LAN-side host, if the firewall has the “Anti-Malware” feature enabled.

    The severity for this vulnerability has been given as 6.5 (Medium).

    CVE-2023-6398: Post-authentication Command Injection vulnerability

    This vulnerability exists in the file upload binary of Zyxel ATP series devices and could allow an authenticated threat actor with administrative privileges to execute operating system commands on the affected device via FTP.

    The severity for this vulnerability has been given as 7.2 (High).

    CVE-2023-6399: Format String Vulnerability in Zyxel

    This vulnerability allows an authenticated IPSec VPN user to perform a denial of service condition against the deviceid daemon.

    Successful exploitation of this vulnerability involves sending a crafted hostname to an affected device if the device has the “Device Insight” feature enabled.

    The severity for this vulnerability has been given as 5.7 (Medium).

    CVE-2023-6764: Format String Vulnerability in Zyxel leading to Unauthenticated RCE

    This vulnerability exists in one of the functions of the IPSec VPN feature and could allow a threat actor to achieve unauthenticated remote code execution on the affected device by sending a sequence of specially crafted payloads with an invalid pointer.

    However, this attack requires a detailed knowledge of the affected device’s memory layout and configuration. The severity for this vulnerability has been given as 8.1 (High).

    Affected Products And Versions

    Users of these products are recommended to upgrade to the latest versions in order to prevent these vulnerabilities from getting exploited by threat actors.


    The post Zyxel Firewall Flaw Let Attackers Execute Remote Code appeared first on GBHackers on Security.
