CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A draft version of the 2025 defense authorization act has several provisions targeting China-made critical materials.


  • Why is the region in the middle of an arms race? And what do analysts think China is really spending on its military?



  • Russia is spending as much on its military as it did in the 1980s. How sustainable is that?



  • The cryptojacking group known as Kinsing has demonstrated its ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal and expanding its botnet. The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining


  • A new report from XM Cyber has found – among other insights – a dramatic gap between where most organizations focus their security efforts, and where the most serious threats actually reside. The new report, Navigating the Paths of Risk: The State of Exposure Management in 2024, is based on hundreds of thousands of attack path assessments conducted by the XM Cyber


  • Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked BlackTech hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year. “Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes


  • An advisory from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS) based VPN solutions, such as SSLVPN and WebVPN, should be replaced with safer options.

    Threat actors continue to exploit flaws in these VPN services, which is why the recommendation was issued.


    Critical Vulnerabilities in SSLVPN

    The NCSC has long been aware of serious security holes in SSLVPN products and has been reporting on them.

    These flaws have been exploited many times, which is why the NCSC is pushing for a switch to safer remote access technologies, according to reports by NSM.

    Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) is suggested as an alternative.

    This is also what cybersecurity authorities in other countries propose.

    This suggestion’s main goal is to reduce the attack area and vulnerabilities of secure remote access.

    The NCSC says new vulnerabilities that haven’t been seen before will likely appear in SSLVPN products.

    IPsec with IKEv2 has some flaws of its own, but it has a smaller attack surface and is more tolerant of configuration mistakes.

    The NCSC suggests that companies make a plan to gradually stop using SSLVPN and switch to IPsec IKEv2 to lower the risks that come with using VPNs for remote access.

    How difficult this transition will be will depend on factors such as the size of the business, the number of employees, the network architecture, the choice of supplier, and the area where it will be used.

    All companies should have switched from SSLVPN to IPsec IKEv2 by the end of 2025.

    Businesses covered by the Security Act or considered socially important should have made the change by the end of 2024.

    Steps for Implementation

    • Change how existing VPN solutions are set up: Configure VPNs to use IPsec IKEv2 now. If that is not possible, make a backup plan.
    • Move systems and users: Change all servers and users from SSLVPN to IPsec IKEv2.
    • Turn off SSLVPN features: Ensure SSLVPN features are off and the endpoints no longer respond.
    • Stop all incoming TLS traffic: Stop all TLS traffic from entering the VPN server.
    • Use certificate identification: To make things safer, use certificate-based identification.

    The NCSC suggests the following steps to keep things safe during the changeover period:

    • Centralized Logging: Make sure that VPN services log all of your actions to a central system so that you can quickly find and stop any suspicious activity.
    • Geofencing: Only let traffic from the countries you need come in.
    • Block Unsafe Infrastructure: Don’t let people in from unsafe sources like VPN providers, Tor exit nodes, and VPS providers that offer anonymization services.
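    Two of the interim measures above, geofencing and blocking anonymizing infrastructure, only work if the centralized VPN log is actually screened against them. The script below is an added example, not NCSC tooling or code from the original post: it assumes a simple one-line-per-event log format, a constructed stand-in for a GeoIP table (RFC 5737 documentation ranges), a constructed block list of Tor exit and anonymizing VPS ranges, and a country allowlist containing only NO. It flags every login whose source is on the block list or outside the allowed countries.

```python
import ipaddress
import re
from collections import namedtuple

# Assumption: only Norwegian users need remote access, so NO is the sole allowed origin.
ALLOWED_COUNTRIES = {"NO"}

# Constructed stand-in for a GeoIP lookup, using RFC 5737 documentation ranges.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "NO"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "NO"),
]

# Constructed block list: ranges the team has tagged as anonymizing infrastructure.
BLOCKED_INFRA = {
    ipaddress.ip_network("203.0.113.128/25"): "tor-exit",
    ipaddress.ip_network("198.51.100.64/26"): "anonymizing-vps",
}

# Assumed line format of the centralized VPN log (not any vendor's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn\[\d+\]: user=(?P<user>\S+) src=(?P<src>[0-9a-fA-F:.]+) result=(?P<result>\S+)$"
)

Finding = namedtuple("Finding", "ts user src reason")


def country_of(ip):
    """Return the country code for ip, or None when the table has no entry."""
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return None


def blocked_tag(ip):
    """Return the block-list tag for ip, or None when it is not listed."""
    for net, tag in BLOCKED_INFRA.items():
        if ip in net:
            return tag
    return None


def screen(lines):
    """Return one Finding per log line that violates the block list or the geofence.

    The block list is checked first, so a Tor exit inside an allowed country is
    still flagged; addresses with no GeoIP entry are treated as outside the fence."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped here; a real pipeline should count them
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        tag = blocked_tag(ip)
        if tag:
            findings.append(Finding(m["ts"], m["user"], m["src"], "blocked-infra:" + tag))
            continue
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:
            findings.append(Finding(m["ts"], m["user"], m["src"], "geofence:" + (cc or "unknown")))
    return findings


# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "2024-05-17T08:01:02Z vpn[311]: user=alice src=192.0.2.10 result=success",
    "2024-05-17T08:02:15Z vpn[311]: user=bob src=198.51.100.20 result=success",
    "2024-05-17T08:03:40Z vpn[311]: user=carol src=203.0.113.200 result=success",
    "2024-05-17T08:04:05Z vpn[311]: user=dave src=203.0.113.10 result=failure",
    "2024-05-17T08:05:00Z vpn[311]: heartbeat ok",
    "2024-05-17T08:06:31Z vpn[311]: user=erin src=198.18.0.7 result=success",
]

if __name__ == "__main__":
    for finding in screen(SAMPLE_LOG):
        print(finding)
```

    Run against the constructed sample it reports bob (geofence, DE), carol (Tor exit range) and erin (no GeoIP entry); alice and dave pass. Replacing GEO_TABLE with a real GeoIP lookup and BLOCKED_INFRA with a maintained feed is the only change needed to use it on production logs.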

    Where setting up an IPsec link is impossible, the NCSC recommends using 5G mobile or mobile broadband instead.

    Also, modern, safe built-in solutions for operating systems are suggested, like Always On VPN (not DirectAccess) on Windows or solutions based on the WireGuard protocol, as long as they include security features like managing users and machines and keeping a central log of logins and activity.

    In its suggestion, the NCSC stresses how important it is for businesses to improve their security by switching from SSLVPN to safer options like IPsec IKEv2.

    By doing this, organizations can protect their remote access systems and make themselves much less vulnerable to cyberattacks.


    The post Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target for gaining unauthorized access or spreading malware.

    Besides this, its open-source nature allows threat actors to study the code and identify new vulnerabilities in it closely.

    Cybersecurity researchers at Symantec recently identified a new Linux backdoor actively attacking Linux users via installation packages.

    New Linux Backdoor

    Symantec unveiled a new Linux backdoor named Linux.Gomir, developed by the Springtail hacking group from North Korea, which has reportedly been connected with recent malware attacks on South Korean targets.

    Gomir is similar to the GoBear backdoor, which was found in previous Springtail campaigns where Trojanized software was used.


    Springtail, believed to be a tight-knit organization within North Korean military intelligence, has carried out cyber espionage missions before, including the 2014 disk wiper attack on Korea Hydro and Nuclear Power.

    They recently misused DMARC policies for social engineering purposes, impersonating experts on issues concerning North Korea.

    The Springtail group launched a campaign delivering the new Troll Stealer malware, a Go-based information stealer with overlapping code from previous Springtail malware like GoBear or BetaSeed backdoors. 

    Troll Stealer was distributed via Trojanized software installers, including those for TrustPKI, NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, which was previously compromised in 2020.

    The campaign targeted government agencies by copying GPKI data and abused legitimate websites that require a login.

    GoBear was also spread, masquerading as a Korean transport org’s app installer with a stolen cert.

    Symantec noticed Linux.Gomir, a Linux version of Springtail’s GoBear Windows backdoor, which shares a large amount of code with it.

    If run with the “install” argument, Gomir checks its privileges and copies itself to /var/log/syslogd, then creates a persistent systemd service if it is running as root, or a crontab entry otherwise.

    When installed, it communicates over HTTP POST with its C&C server, sending an infection ID after hashing the hostname and the username and receiving Base64-encoded commands.

    Gomir’s structure and installation routines, which are remarkably similar to those of GoBear, also highlight the group’s cross-platform targeting capabilities.

    Gomir decodes received commands with custom encryption and supports 17 operations that mirror those of GoBear.

    This campaign reveals North Korean groups’ inclination toward software supply chain vectors such as Trojanized installers, fake apps, and compromised update channels.

    Springtail chooses software that is popular with its desired South Korean audiences and Trojanizes it on the third-party websites from which it must be installed.

    The group’s developing tactics exhibit a sophisticated and targeted approach to cyber espionage operations.

    IOCs

    • 30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213 – Linux.Gomir
    • 7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0 – GoBear Dropper
    • d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b – Troll Stealer
    • 36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc – Troll Stealer
    • 8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd – Troll Stealer
    • 6c2a8e2bbe4ebf1fb6967a34211281959484032af1d620cbab390e89f739c339 – Troll Stealer
    • 47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822 – Troll Stealer
    • 8a80b6bd452547650b3e61b2cc301d525de139a740aac9b0da2150ffac986be4 – Troll Stealer
    • 380ec7396cc67cf1134f8e8cda906b67c70aa5c818273b1db758f0757b955d81 – Troll Stealer
    • ff945b3565f63cef7bb214a93c623688759ee2805a8c574f00237660b1c4d3fd – Troll Stealer
    • cc7a123d08a3558370a32427c8a5d15a4be98fb1b754349d1e0e48f0f4cb6bfc – Troll Stealer
    • 8898b6b3e2b7551edcceffbef2557b99bdf4d99533411cc90390eeb278d11ac8 – Troll Stealer
    • ecab00f86a6c3adb5f4d5b16da56e16f8e742adfb82235c505d3976c06c74e20 – Troll Stealer
    • d05c50067bd88dae4389e96d7e88b589027f75427104fdb46f8608bbcf89edb4 – Troll Stealer
    • a98c017d1b9a18195411d22b44dbe65d5f4a9e181c81ea2168794950dc4cbd3c – Troll Stealer
    • 831f27eb18caf672d43a5a80590df130b0d3d9e7d08e333b0f710b95f2cde0e0 – Troll Stealer
    • bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d – Troll Stealer
    • 5068ead78c226893df638a188fbe7222b99618b7889759e0725d85497f533e98 – Troll Stealer
    • 216.189.159[.]34
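    The install routine described above (a copy at /var/log/syslogd, a systemd service when running as root, a crontab entry otherwise) and the hash IOCs in the list give a defender concrete things to look for. The script below is an added example, not Symantec's tooling or code from the original post: it hunts a live system or a mounted image for a file at the drop path, for .service units and cron files that reference that path, and compares the drop file's SHA-256 with two of the hashes listed (the Linux.Gomir and GoBear Dropper entries; the Troll Stealer hashes can be added the same way). The report names no unit or cron file names, so the directories searched are the usual locations on a typical distribution and are an assumption; build_sample_tree() constructs an inert test tree so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Two of the SHA-256 IOCs from the report; extend with the Troll Stealer hashes as needed.
KNOWN_HASHES = {
    "30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213": "Linux.Gomir",
    "7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0": "GoBear Dropper",
}

DROP_PATH = "/var/log/syslogd"  # copy location named in the report

# Where persistence referencing the drop path is searched for. The report only says
# "systemd service" and "crontab entry", so these locations are an assumption.
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_under(base: Path, rel: str):
    """Yield regular files at base/rel, whether rel is a file or a directory tree."""
    target = base / rel
    if target.is_file():
        yield target
    elif target.is_dir():
        yield from (p for p in target.rglob("*") if p.is_file())


def _mentions_drop_path(path: Path) -> bool:
    try:
        return DROP_PATH in path.read_text(errors="replace")
    except OSError:
        return False


def hunt(root: str = "/") -> list:
    """Return findings for the system rooted at `root` ("/" for the live host,
    or the mount point of an image taken for forensics)."""
    base = Path(root)
    findings = []
    drop = base / DROP_PATH.lstrip("/")
    if drop.is_file():
        digest = sha256_of(drop)
        findings.append({"type": "drop_path", "path": str(drop),
                         "sha256": digest, "ioc": KNOWN_HASHES.get(digest)})
    for rel in UNIT_DIRS:
        for unit in _files_under(base, rel):
            if unit.suffix == ".service" and _mentions_drop_path(unit):
                findings.append({"type": "systemd_unit", "path": str(unit)})
    for rel in CRON_PATHS:
        for cron in _files_under(base, rel):
            if _mentions_drop_path(cron):
                findings.append({"type": "crontab", "path": str(cron)})
    return findings


def build_sample_tree(infected: bool = True) -> str:
    """Construct a throwaway filesystem tree in a temp dir for offline testing.
    The planted 'syslogd' is an inert placeholder, so its hash matches no IOC."""
    base = Path(tempfile.mkdtemp(prefix="gomir-hunt-"))
    (base / "etc/systemd/system").mkdir(parents=True)
    (base / "var/spool/cron/crontabs").mkdir(parents=True)
    (base / "var/log").mkdir(parents=True)
    (base / "etc/systemd/system/ssh.service").write_text(
        "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    if infected:
        (base / "var/log/syslogd").write_bytes(b"constructed placeholder, not malware\n")
        (base / "etc/systemd/system/syslogd.service").write_text(
            "[Service]\nExecStart=/var/log/syslogd\n[Install]\nWantedBy=multi-user.target\n")
        (base / "var/spool/cron/crontabs/user").write_text("@reboot /var/log/syslogd\n")
    return str(base)


if __name__ == "__main__":
    for finding in hunt(build_sample_tree()):
        print(finding)
```

    On the constructed tree this reports the drop file (with "ioc": None, since the placeholder is not the real sample), the planted unit and the crontab line, and nothing for the benign ssh.service. A hit on the drop path whose hash is not in the list still deserves a look, because the path itself is not one a legitimate syslog daemon writes to.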


    The post New Linux Backdoor Attacking Linux Users Via Installation Packages appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
