CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A forensic analysis of a graph dataset containing transactions on the Bitcoin blockchain has revealed clusters associated with illicit activity and money laundering, including detecting criminal proceeds sent to a crypto exchange and previously unknown wallets belonging to a Russian darknet market. The findings come from Elliptic in collaboration with researchers from the…


  • Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. “Wpeeper is a typical backdoor Trojan for Android


  • There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard,


  • The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it’s based on, indicating that it’s being actively developed. “The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection,” Zscaler ThreatLabz researcher Santiago


  • In the ever-evolving cybersecurity landscape, Google is continually striving to protect user data from malicious actors. In a recent blog post, the tech giant revealed a novel method to detect browser data theft using Windows Event Logs.

    This approach aims to make data theft more observable, thereby enabling antivirus software, endpoint detection agents, and system administrators to flag and thwart such attempts.

    Chromium’s Sandboxed Process Model

    Chromium, the open-source browser project that forms the basis of Google Chrome, Microsoft Edge, and other browsers, employs a sandboxed process model to defend against malicious web content.

    This model isolates different browser processes, such as rendering, scripting, and networking, to prevent a single compromised process from affecting the entire system.

    However, there are limits to how well an application can protect itself from malware already present on the computer.

    Cookies and other credentials remain high-value targets for attackers, and Google is tackling this ongoing threat through multiple strategies.

    Document

    Integrate ANY.RUN in Your Company for Effective Malware Analysis

    Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

    • Real-time Detection
    • Interactive Malware Analysis
    • Easy to Learn by New Security Team members
    • Get detailed reports with maximum data
    • Set Up Virtual Machine in Linux & all Windows OS Versions
    • Interact with Malware Safely

    If you want to test all these features now with completely free access to the sandbox:

    Browser Data Theft Detection

    One of the methods Google is exploring involves using Windows Event Logs to detect when a process other than the browser itself is attempting to access protected browser data.

    According to Will Harris from the Google Chrome security team, this approach is based on the fact that browsers use the Data Protection API (DPAPI) to encrypt and secure sensitive information such as cookies, passwords, and authentication tokens.

    When a process attempts to decrypt DPAPI-secured data, it generates a specific event in the Windows Event Log. Monitoring for these events can detect when a malicious process is trying to steal browser data.

    The DataDescription field, for instance, indicates the type of data being decrypted. Since each Chromium-based browser tags its data with the product name (e.g., Google Chrome or Microsoft Edge), it is possible to distinguish browser data from other DPAPI-secured data.

    When a process attempts to decrypt browser data, two key events are generated in the Windows Event Logs:

    1. Event 16385: This event indicates that a process is decrypting a specific browser’s key, identified by the “DataDescription” field (e.g., “Google Chrome”).
    2. Event 4688: This event provides information about the process performing the decryption, including the process ID.

    The event generated by the decryption attempt, Event ID 16385, contains several pieces of information that can be used to identify the nature of the attempt.

    By correlating these two events, system administrators or endpoint detection agents can determine whether the decryption attempt is legitimate (i.e., performed by the browser itself) or potentially malicious (i.e., performed by an unauthorized process).

    Google has tested this method using a public script to decrypt passwords taken from a public blog.

    The script generated two events, as expected: the 16385 event, showing that a process was decrypting the “Google Chrome” key, and the 4688 event, which revealed the process ID of the script.

    Google's post outlines a method for enabling system logging to detect unauthorized DPAPI (Data Protection API) activity, specifically the decryption of browser data such as passwords.

    Here’s a concise summary of the steps involved:

    Enable Logging:

    Enable the “Audit DPAPI Activity” audit policy in the system's security settings so that DPAPI events are logged: event ID 4693 in the Security log and the newer event ID 16385 in the Microsoft-Windows-Crypto-DPAPI/Debug channel.

    The 4693 event looks like:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
        <EventID>4693</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13314</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
        <EventRecordID>175809</EventRecordID>
        <Correlation />
        <Execution ProcessID="520" ThreadID="1340" />
        <Channel>Security</Channel>
        <Computer>DC01.contoso.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
        <Data Name="SubjectUserName">dadmin</Data>
        <Data Name="SubjectDomainName">CONTOSO</Data>
        <Data Name="SubjectLogonId">0x30d7c</Data>
        <Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
        <Data Name="RecoveryReason">0x5c005c</Data>
        <Data Name="RecoveryServer">DC01.contoso.local</Data>
        <Data Name="RecoveryKeyId" />
        <Data Name="FailureId">0x380000</Data>
      </EventData>
    </Event>

    A 16385 event looks like this:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Crypto-DPAPI" Guid="{...}" />
        <EventID>16385</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>64</Task>
        <Opcode>0</Opcode>
        <Keywords>0x2000000000000040</Keywords>
        <TimeCreated SystemTime="2024-03-28T20:06:42.1772585Z" />
        <EventRecordID>826993</EventRecordID>
        <Correlation ActivityID="{777bf68d-7757-0028-b5f6-7b775777da01}" />
        <Execution ProcessID="1392" ThreadID="57108" />
        <Channel>Microsoft-Windows-Crypto-DPAPI/Debug</Channel>
        <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="OperationType">SPCryptUnprotect</Data>
        <Data Name="DataDescription">Google Chrome</Data>
        <Data Name="MasterKeyGUID">{4df0861b-07ea-49f4-9a09-1d66fd1131c3}</Data>
        <Data Name="Flags">0</Data>
        <Data Name="ProtectionFlags">16</Data>
        <Data Name="ReturnValue">0</Data>
        <Data Name="CallerProcessStartKey">32651097299526713</Data>
        <Data Name="CallerProcessID">97964</Data>
        <Data Name="CallerProcessCreationTime">133561300019253302</Data>
        <Data Name="PlainTextDataSize">32</Data>
      </EventData>
    </Event>
    

    Collect Events:

    Focus on collecting two specific event types from the logs:

    • Event 16385 from the Debug log, detailing DPAPI operations.
    • Event 4688 from the Security log, indicating process creation.

    Write Detection Logic:

    Develop logic to map process IDs from event 4688 to active processes and cross-reference these with the process IDs from event 16385. This helps identify unauthorized applications attempting to decrypt data.

    Test the System:

    Implement a test scenario using a known script (e.g., a Python script for password stealing) to ensure the system correctly logs and identifies unauthorized DPAPI access attempts.

    This method leverages detailed event tracking and logging to safeguard sensitive data against unauthorized access and potential theft.
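    As an added example (not code from Google's post or from the original article), the following Python script implements the correlation described in the steps above: it parses exported event XML, builds a PID-to-image table from 4688 process-creation events (the real 4688 fields NewProcessId, which is logged in hex, and NewProcessName), and checks each 16385 SPCryptUnprotect event whose DataDescription names a browser against the executable expected to own that data. The 16385 sample is adapted from the event shown above (caller PID 97964, i.e. 0x17eac); the 4688 events, the process paths, the second benign 16385 event and the expected-executable allowlist are constructed for the example. Because Windows reuses PIDs, the lookup takes the latest 4688 whose timestamp is not after the decryption event; comparing CallerProcessCreationTime with the 4688 timestamp would tighten that mapping further.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Browser product name (what Chromium writes into DataDescription) -> executables
# expected to decrypt that browser's DPAPI-protected data. Constructed allowlist.
EXPECTED_DECRYPTORS = {
    "Google Chrome": {"chrome.exe"},
    "Microsoft Edge": {"msedge.exe"},
}


def parse_time(ts):
    """Windows writes 100-ns precision ('...42.1772585Z'); truncate to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Reduce one exported event to its ID, timestamp and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"id": int(system.find("e:EventID", NS).text),
            "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "data": data}


def build_process_table(events):
    """PID -> [(creation time, image path)] from 4688 events; NewProcessId is hex."""
    table = {}
    for ev in events:
        if ev["id"] == 4688:
            pid = int(ev["data"]["NewProcessId"], 16)
            table.setdefault(pid, []).append((ev["time"], ev["data"]["NewProcessName"]))
    return table


def resolve_process(table, pid, at_time):
    """Image of the newest process created with this PID at or before at_time.
    PIDs are reused, so the latest 4688 before the decryption event is the one that counts."""
    candidates = [entry for entry in table.get(pid, []) if entry[0] <= at_time]
    return max(candidates)[1] if candidates else None


def find_browser_decryptions(events):
    """Pair each browser-tagged 16385 SPCryptUnprotect event with its calling process."""
    table = build_process_table(events)
    findings = []
    for ev in events:
        if ev["id"] != 16385 or ev["data"].get("OperationType") != "SPCryptUnprotect":
            continue
        product = ev["data"].get("DataDescription", "")
        if product not in EXPECTED_DECRYPTORS:
            continue  # DPAPI data that is not browser data
        pid = int(ev["data"]["CallerProcessID"])
        image = resolve_process(table, pid, ev["time"])
        exe = image.rsplit("\\", 1)[-1].lower() if image else None
        if exe in EXPECTED_DECRYPTORS[product]:
            verdict = "expected"
        elif image is None:
            verdict = "unknown-process"  # no 4688 seen: collection gap, needs a look
        else:
            verdict = "suspicious"       # a non-browser process decrypted browser data
        findings.append({"time": ev["time"].isoformat(), "product": product,
                         "pid": pid, "image": image, "verdict": verdict})
    return findings


def _event(event_id, time, fields):
    """Constructed minimal event XML in the schema of exported Windows events."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [parse_event(x) for x in [
    # Constructed 4688 events (Security log). An earlier notepad.exe held PID 0x17eac.
    _event(4688, "2024-03-28T19:00:00.0000000Z",
           {"NewProcessId": "0x17eac", "NewProcessName": r"C:\Windows\System32\notepad.exe"}),
    _event(4688, "2024-03-28T20:00:00.0000000Z",
           {"NewProcessId": "0x1388", "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}),
    _event(4688, "2024-03-28T20:05:58.1000000Z",
           {"NewProcessId": "0x17eac", "NewProcessName": r"C:\Users\user\AppData\Local\Programs\Python\python.exe"}),
    # Constructed benign 16385: Chrome (PID 5000 = 0x1388) decrypting its own key.
    _event(16385, "2024-03-28T20:01:10.0000000Z",
           {"OperationType": "SPCryptUnprotect", "DataDescription": "Google Chrome", "CallerProcessID": "5000"}),
    # 16385 adapted from the event in the article: caller PID 97964 = 0x17eac.
    _event(16385, "2024-03-28T20:06:42.1772585Z",
           {"OperationType": "SPCryptUnprotect", "DataDescription": "Google Chrome", "CallerProcessID": "97964"}),
]]

if __name__ == "__main__":
    for f in find_browser_decryptions(SAMPLE_EVENTS):
        print(f"{f['time']} {f['verdict']:16} pid={f['pid']} {f['product']!r} <- {f['image']}")
```

    On a real host the events can be exported with wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml and the same query against the Microsoft-Windows-Crypto-DPAPI/Debug channel for event 16385 (the Debug channel has to be enabled before it records anything), one event per call to parse_event. Process-creation auditing must be on for 4688 to exist, which is why the "unknown-process" verdict is kept separate from "expected": a missing 4688 is a collection gap, not evidence of innocence.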

    The post Google Guide! How to Detect Browser Data Theft Using Windows Event Logs appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • In a startling revelation, nearly 20% of Docker Hub repositories have been identified as conduits for malware and phishing scams, underscoring the sophisticated tactics employed by cybercriminals to exploit the platform’s credibility.

    The investigation unveiled that attackers had been operating under the radar for over three years, creating almost three million malicious repositories on Docker Hub.

    Unlike direct attacks that target developers and organizations, these malicious entities leveraged the trusted platform of Docker Hub, making the phishing and malware distribution schemes harder to detect.

    The domains failhostingpolp[.]ru and gts794[.]com were implicated in disseminating these harmful repositories.

    In partnership with Docker, JFrog’s security research team has diligently monitored open-source software registries to identify and mitigate potential threats proactively.

    This collaborative effort is part of a broader initiative to fortify the software ecosystem against cyber threats.


    Previously, JFrog has illuminated malware packages found in other major public repositories, such as NPM, PyPI, and NuGet.

    Unveiling the Malware Campaigns

    Recent findings highlight three major malware campaigns targeting Docker Hub, all of which involve creating “imageless” repositories.

    These repositories, devoid of container images, contain malicious metadata to exploit the platform’s functionalities.

    The campaigns, identified as “Downloader,” “eBook Phishing,” and “Website SEO,” employed varied tactics for distributing the malicious content.

    While some campaigns rapidly created fake repositories in batches, others opted for a gradual approach, making a few repositories daily over an extended period.

    Swift Response and Ongoing Vigilance

    Upon discovery, the JFrog research team promptly reported their findings to the Docker security team, which acted swiftly to remove all malicious and unwanted repositories from Docker Hub.

    JFrog commended this quick and professional response, highlighting the importance of collaboration in ensuring the continued safety of the Docker ecosystem.

    The exposure of millions of malicious repositories on Docker Hub serves as a stark reminder of the persistent threats lurking within digital platforms.

    As cybercriminals evolve their tactics, the collective efforts of security teams and platform providers are crucial in safeguarding the integrity of the software ecosystem.

    This incident underscores the need for constant vigilance and proactive measures to combat the ever-present risk of malware and phishing scams.

    “While the Docker Hub maintainers currently moderate many of the uploaded repositories, and the repositories we found have been taken down after our disclosure, these attacks show that blocking 100% of malicious uploads is immensely challenging.” researchers said.

    The post Millions of Malicious “Imageless” Docker Hub Repositories Drop Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A former employee of the U.S. National Security Agency (NSA) has been sentenced to nearly 22 years (262 months) in prison for attempting to transfer classified documents to Russia. “This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust,” said FBI Director Christopher Wray.


  • Kubernetes (K8s) is an open-source container orchestration platform designed to automate application container deployment, scaling, and running. 

    Containers are isolated software packages that are lightweight and contain everything required for running an app. 

    In Kubernetes, a “sidecar” refers to an additional container that runs alongside the main application container in the same pod to enhance its capabilities. 

    However, cybersecurity researchers at Trend Micro recently discovered that threat actors can leverage the sidecar container injection technique to remain stealthy.

    Sidecar Container Injection Technique

    Sidecar containers help modularize features and functionalities that do not directly relate to the main application logic but which are necessary for efficient operation.


    They share the same lifecycle and local network as the primary container, which keeps each container to a single responsibility and improves system maintainability.

    Below are the legitimate ways to use sidecar containers for logging, as illustrated by Trend Micro:

    • The sidecar container streams the application's logs to its own standard output (figure: Streaming sidecar container; source: Trend Micro).
    • The sidecar container runs a logging agent that retrieves logs from the application container (figure: Sidecar container with a logging agent; source: Trend Micro).

    The Kubernetes threat matrix, inspired by MITRE ATT&CK, provides a structured understanding of the TTPs that threat actors may employ against Kubernetes installations.

    One technique, like MS-TA9011 Sidecar Injection, allows an attacker to inject a malicious sidecar container into a valid pod for unauthorized code execution and hiding operations rather than deploying another pod altogether. 

    This is related to MITRE’s Deploy Container (T1610) technique, which allows attackers to deploy containers onto systems they have compromised or gained access to.

    They can also tamper with the behavior of an already installed sidecar container, install malware, or execute unauthorized binaries such as cryptocurrency miners through the Kubernetes API or the kubectl tool.

    Against Kubernetes clusters, this method helps them remain unnoticed within victims' infrastructure.

    Valid sidecar containers increase the difficulty of managing and detecting compromises in a Kubernetes cluster.

    It is essential to consider them as any other container and watch out for strange operations. So, it is advisable to introduce a fresh MITRE ATT&CK technique that concentrates on sidecar injection.

    Mitigations And Recommendations

    The researchers recommend the following mitigations:

    • MS-M9003: Adhere to least-privilege principle
    • MS-M9013: Restrict over permissive containers
    • MS-M9005.003: Gate images deployed to Kubernetes cluster

    They also make the following recommendations:

    • Ensure there’s a valid justification for segregating the containers.
    • Aim for concise, modular designs.
    • Be mindful of resource boundaries.
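    As an added example (not code from Trend Micro or from the original article), the following Python script audits a pod object against a per-workload container baseline and reports the conditions the mitigations above are meant to prevent: a container the manifest did not declare (the candidate injected sidecar), an image from outside a trusted registry or not pinned by digest (MS-M9005.003: gate images), a privileged or capability-adding container (MS-M9013: over-permissive containers), and root or host-namespace settings (MS-M9003: least privilege). The registry name, container names, pod object and digest are constructed placeholders; the pod shape is the one returned by kubectl get pod -o json.

```python
# Constructed baseline for one workload: container name -> image repository that
# the deployment manifest is expected to run. Registry and names are hypothetical.
TRUSTED_REGISTRY = "registry.example.internal/"
EXPECTED_CONTAINERS = {
    "web": TRUSTED_REGISTRY + "shop/web",
    "log-shipper": TRUSTED_REGISTRY + "platform/fluent-bit",
}
# Capabilities that turn a "helper" container into a host-level foothold.
RISKY_CAPABILITIES = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def image_repo(image):
    """'reg:5000/app:1.2' -> 'reg:5000/app'; 'reg/app@sha256:...' -> 'reg/app'."""
    repo = image.split("@", 1)[0]
    colon, slash = repo.rfind(":"), repo.rfind("/")
    return repo[:colon] if colon > slash else repo  # strip a tag, not a registry port


def audit_pod(pod):
    """Return (container, reason) findings for a pod object (kubectl get pod -o json shape)."""
    findings = []
    spec = pod["spec"]
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(("<pod>", "shares the host PID or network namespace"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, image = c["name"], c["image"]
        repo = image_repo(image)
        if name not in EXPECTED_CONTAINERS:
            findings.append((name, "container not in baseline (possible injected sidecar)"))
        elif EXPECTED_CONTAINERS[name] != repo:
            findings.append((name, f"image repository changed to {repo}"))
        if not repo.startswith(TRUSTED_REGISTRY):
            findings.append((name, f"image outside trusted registry: {image}"))
        if "@sha256:" not in image:
            findings.append((name, "image not pinned by digest"))
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        risky = set((sc.get("capabilities") or {}).get("add", [])) & RISKY_CAPABILITIES
        if risky:
            findings.append((name, f"adds capabilities {sorted(risky)}"))
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append((name, "runs as root"))
    volume_types = {k for v in spec.get("volumes", []) for k in v if k != "name"}
    if "hostPath" in volume_types:
        findings.append(("<pod>", "mounts a hostPath volume"))
    return findings


DIGEST = "sha256:" + "0" * 64  # placeholder digest, not a real image
# Constructed pod: the two baseline containers plus a "metrics" container that the
# deployment never declared, running privileged from an untrusted registry.
SAMPLE_POD = {
    "metadata": {"name": "web-6f7d", "namespace": "shop"},
    "spec": {
        "containers": [
            {"name": "web", "image": f"{TRUSTED_REGISTRY}shop/web@{DIGEST}",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False}},
            {"name": "log-shipper", "image": f"{TRUSTED_REGISTRY}platform/fluent-bit@{DIGEST}",
             "securityContext": {"runAsNonRoot": True}},
            {"name": "metrics", "image": "docker.io/unknown/agent:latest",
             "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}},
        ],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for container, reason in audit_pod(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['namespace']}/{SAMPLE_POD['metadata']['name']} "
              f"{container}: {reason}")
```

    Run periodically over every pod in a namespace, the baseline comparison catches a sidecar added through the API after deployment as well as a modified image on an existing one; an admission controller enforcing the same registry, digest and securityContext rules stops most of these cases before the pod is scheduled.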

    The post Attackers Leverage Sidecar Container Injection Technique To Stay Stealthy appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft’s Azure platform is a highly acclaimed and widely recognized solution that organizations worldwide are leveraging.

    It is regarded as a game-changer in the industry and has emerged as a dependable and efficient platform that helps businesses achieve their goals effectively.

    With its robust logging and monitoring tools, Azure offers a comprehensive suite of capabilities designed to detect anomalies, respond to security incidents, and safeguard sensitive data and assets in the cloud.

    A recent exploration into the strategies, methodologies, and log analysis techniques by Microsoft’s security experts sheds light on how to effectively utilize Azure Logs to identify and counteract threat actor actions.

    At the heart of Azure’s defense mechanism is efficiently comprehending and utilizing logs for threat hunting.


    This process is critical in identifying the initial breach and understanding the subsequent actions executed by threat actors.

    Microsoft emphasizes integrating best practices for log management, analysis, and incident response to stay ahead of evolving cyber threats.

    Microsoft describes a hypothetical attack scenario involving a “Pass the Cookie” assault, where an adversary steals a user’s session cookie to gain unauthorized access to their account.

    Attack Scenario (Source: Microsoft)

    This example underscores the necessity of vigilant monitoring and analysis of Azure logs to detect such sophisticated attacks.

    Log Analysis Techniques

    To combat the complexities of cyber threats, Microsoft advocates for using Azure Log Analytics.

    This tool plays a pivotal role in investigating security incidents within Azure subscriptions.

    Investigation Flow (Source: Microsoft)

    By directing both Microsoft Entra ID Audit logs and Azure Activity logs to Log Analytics, organizations can consolidate these logs in the CloudAppEvents table.

    At the same time, Log Analytics organizes this data into the AuditLogs and AzureActivity tables, respectively.

    Microsoft provides examples of Log Analytics queries, such as hunting for Azure Role assignments to newly added guest user accounts, demonstrating the practical application of log analysis in identifying potential security threats and vulnerabilities.

    Understanding the scope and complexity of threat actor actions is crucial in fortifying defenses against cyberattacks.

    The detailed analysis of logs enables organizations to trace attackers’ steps, from the initial breach to their movements within the Azure environment.

    This insight is invaluable in developing strategies to prevent future attacks and enhance the security posture of cloud subscriptions.

    Scope and Complexity

    The investigation of cloud environments in Azure subscriptions reveals the multi-faceted nature of maintaining a secure and resilient cloud environment.

    Microsoft’s guidance on utilizing logs effectively, and ideally centralizing them, empowers organizations to enhance their threat hunting capabilities.

    This proactive approach is essential in identifying potential security threats before they can cause significant damage.

    The utilization of Azure Logs for identifying threats is a testament to Microsoft’s commitment to providing advanced tools and methodologies for cybersecurity.

    By leveraging these insights and techniques, organizations can significantly improve their ability to detect and respond to cyber threats, ensuring the security and resilience of their cloud environments.

    The post How to Utilize Azure Logs to Identify Threats: Insights From Microsoft appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
