Security News

  • The Next Web
  • The Hacker News
  • Naked Security
  • HelpNet Security
  • Security Week
  • Threat Post
  • Security Affairs
  • Fire Eye
  • Tech Channel
SpaceX’s success is built on the bones of tiny birds

There’s a bird killer on the loose, a vicious murderer with an insatiable bloodlust for endangered species. His name is Elon Musk. The Tesla tycoon hasn’t been doing the dirty work himself, but Musk’s SpaceX is reportedly decimating birds around the company’s facility in Boca Chica, Texas. The surrounding land hosts an array of endangered animals, including sea turtles, ocelots, and hundreds of bird species, among them the federally threatened Piping Plover. Campaigners warn that SpaceX’s operations are destroying their habitats. According to an analysis by Coastal Bend Bays & Estuaries Program, the region’s Piping Plover population has shrunk by 54% in… [...]

This 4K drone packed with flight features is now on sale for less than $80

TLDR: This nifty 4K drone model brings together precision flying ability with a 4K-ready camera for stellar images and video at a price tag under $80. We could say the holidays are right around the corner and help you justify it that way. But seriously…do you really need justification to buy a drone? Whether you’re looking for a craft to capture incredible video footage, one to ramp up your flying skills, or just one to fill out somebody else’s wishlist, drones are so capable and inexpensive now that you really don’t have to talk yourself into much before buying one.… [...]

These are the 5 highest-paying jobs for engineers in the UK

When you’re on the hunt for a new job, there are a number of things to consider. We all have our personal list of what we want from a job. It might be a great pension scheme, incredible annual leave allowances (this is a big one for me personally!), or a fantastic culture. However, one thing we can all pretty much agree on is the importance of the salary on offer. We know money isn’t everything when it comes to choosing a job, but we can’t deny that it’s fairly important. The mortgage isn’t going to pay for itself at… [...]

Installing a smart doorbell? Here’s how to do it without being fined

As any local solicitor can tell you, some of the most bitter legal disputes originate from disagreements between neighbors. Whether it’s property boundaries, loud music, or parking spaces, what might initially be minor irritations can gradually lead to a full-blown court battle. A relatively recent development in neighbor conflicts are clashes centered on home surveillance products, such as CCTV cameras and smart doorbells. These technologies, which may capture footage beyond the householder’s property, can pit householders against neighbors who feel their homes and private lives are being unfairly spied upon. Indeed, a UK judge recently ruled that a man’s home… [...]

Zuckerberg, misinformation king, says the media is misinformed about Facebook

The Facebook Papers may be the biggest PR crisis the social media company has ever seen — and that’s saying something. I mean, this is a business that has been involved in election fixing for god’s sake. But if Zuckerberg is one thing, it’s an overachiever. This is a man not willing to rest on his laurels. Forever, he strives, on and on, for all time, striving. So what does a man of this calibre do when confronted with leaked Facebook documents that reveal the inner workings of the company? He does what any king worth their crown does: declare… [...]

The ultimate employee benefit you need to offer: Purpose

The world’s labor markets are currently bracing for a mass exodus of workers in what some experts are calling “the Great Resignation.” Recent surveys indicate more than a quarter of the global workforce, and perhaps as much as 40%, is considering quitting. Meanwhile, U.S. Labor Department data reveals Americans are already leaving their jobs at the highest rates in two decades. Why? Because with crisis comes perspective. As many around the world emerge from the most difficult year in their professional lives, a steady job with fair pay and decent benefits is no longer enough. Even work-from-home options aren’t enough,… [...]

How to transfer your WhatsApp chats from iPhone to Android

Welcome to TNW Basics, a collection of tips, guides, and advice on how to easily get the most out of your gadgets, apps, and other stuff. One of the biggest pain points of using WhatsApp for years has been the inability to transfer chats between an iPhone and an Android phone. Till now, if you decided to switch, you had to mostly start over with no chat history on the other platform, or use a bunch of tools to clumsily move your stuff over without a guarantee of success. Thankfully, WhatsApp is now rolling out a feature to easily transfer your… [...]

Scientists think they can finally speak to whales. Maybe they shouldn’t?

Imagine you’re a whale. No, not a person who holds vast amounts of cryptocurrency. An actual whale swimming in the ocean. You can think of it as a leadership or creative-thinking experiment if it helps. You’re swimming along and chatting with your pod as you do whale stuff. Everything is pretty much the same way it’s been for about 45 million years. And then suddenly a robot starts talking to you in your own language. You’re probably unaware that it’s a robot. I mean, it’s not like you know what artificial intelligence is or how underwater speakers work. Even if… [...]

4 improvements Google Maps should make for cyclists

Google Maps has recently added a number of cycling features as more people have taken to riding bikes, ebikes, and electric scooters during the coronavirus pandemic. And yet as much as I appreciate some of these updates, as I’ve started to explore other cycling-oriented applications, Google Maps‘ limitations have become increasingly obvious. Here are just a few changes that I believe could make Google Maps far more appealing to cyclists. Let me plan and save routes ahead of time I get it, Google Maps is mostly aimed at commuters and people taking the occasional impromptu trip. It’s meant to get… [...]

What could you do with Hertz’s 100,000 Teslas? We did the math

Tesla’s deal with car-rental giant Hertz has generated some jaw-dropping numbers. The order of 100,000 Tesla Model 3s is potentially the largest ever purchase of electric vehicles. The announcement drove Tesla’s market value beyond $1 trillion on Monday and pumped up Elon Musk’s personal wealth by $36 billion. The tycoon is now worth an eye-watering $289 billion. Our thoughts and prayers are with Jeff Bezos at this difficult time. These figures, however, barely scratch the surface. To understand the true enormity of the deal, you’d need a team of math whizzes. Unfortunately, I’m all you’ve got — so strap… [...]

Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike

A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems. "These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed [...]

[eBook] The Guide to Centralized Log Management for Lean IT Security Teams

One of the side effects of today’s cyber security landscape is the overwhelming volume of data security teams must aggregate and parse. Lean security teams don’t have it any easier, and the problem is compounded if they must do it manually. Data and log management are essential for organizations to gain real-time transparency and visibility into security events. XDR provider Cynet has offered [...]

Cyber Attack in Iran Reportedly Cripples Gas Stations Across the Country

A cyber attack in Iran left petrol stations across the country crippled, disrupting fuel sales and defacing electronic billboards to display messages challenging the regime's ability to distribute gasoline. Posts and videos circulated on social media showed messages that said, "Khamenei! Where is our gas?" — a reference to the country's supreme leader Ayatollah Ali Khamenei. Other signs read, " [...]

Latest Report Uncovers Supply Chain Attacks by North Korean Hackers

Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities. The latest intelligence-gathering operation involved the use of MATA malware framework as well as backdoors dubbed BLINDINGCAN  [...]

Microsoft Warns of Continued Supply-Chain Attacks by the Nobelium Hacker Group

Nobelium, the threat actor behind the SolarWinds compromise in December 2020, has been behind an ongoing wave of attacks that compromised 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations, illustrating the adversary's continuing interest in targeting the supply chain via the "compromise-one-to-compromise-many" [...]

Over 10 Million Android Users Targeted With Premium SMS Scam Apps

A global fraud campaign has been found leveraging 151 malicious Android apps with 10.5 million downloads to rope users into premium subscription services without their consent and knowledge. The premium SMS scam campaign — dubbed "UltimaSMS" — is believed to have commenced in May 2021 and involved apps that cover a wide range of categories, including keyboards, QR code scanners, video and photo [...]

Malicious Firefox Add-ons Block Browser From Downloading Security Updates

Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "interfered with Firefox in a way that prevented users who had installed them from downloading updates, accessing updated blocklists, and updating remotely [...]

Hackers Exploited Popular BillQuick Billing Software to Deploy Ransomware

Cybersecurity researchers on Friday disclosed a now-patched critical vulnerability in multiple versions of a time and billing system called BillQuick that's being actively exploited by threat actors to deploy ransomware on vulnerable systems. Tracked as CVE-2021-42258, the flaw is an SQL injection bug that allows for remote code execution and was successfully [...]
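As an added illustration of the bug class named above, and not code from BillQuick or from the researchers' report, the following Python pair contrasts a login query built by string formatting with a parameterized one. The in-memory SQLite table and its single user row are constructed for the demo. The classic `' OR '1'='1` payload turns the first query's WHERE clause into a tautology; the second query sends the same text to the database as a bound value, where it is compared literally and matches nothing.

```python
"""String-built SQL beside its parameterized fix (added example, not BillQuick code).
The table and the single user row are constructed; passwords are stored in
clear text only to keep the demonstration short, never do that in real code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The caller's text is spliced into the SQL grammar, so quotes and
    # operators in it change the statement's meaning.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the statement is parsed first and the values bound afterwards,
    # so "' OR '1'='1" is just a string that no stored password equals.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "nobody", payload),
        "hardened_bypassed": login_hardened(conn, "nobody", payload),
        "hardened_legit": login_hardened(conn, "alice", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable branch executes `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the row count is never zero. Parameterization is the fix; input filtering on top of string concatenation is not, because the database still parses whatever survives the filter as SQL.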

New Attack Lets Hackers Collect and Spoof Browser's Digital Fingerprints

A "potentially devastating and hard-to-detect threat" could be abused by attackers to collect users' browser fingerprinting information with the goal of spoofing the victims without their knowledge, thus effectively compromising their privacy. Academics from Texas A&M University dubbed the attack system "Gummy Browsers," likening it to a nearly 20-year-old "Gummy Fingers" technique that can [...]

Hardware-grade enterprise authentication without hardware: new SIM security solution for IAM

The average cost of a data breach, according to the latest research by IBM, now stands at USD 4.24 million, the highest reported. The leading cause? Compromised credentials, often caused by human error. Although these findings continue to show an upward trend in the wrong direction, the challenge itself is not new. What is new is the unprecedented and accelerated complexity of securing the [...]

NYT Journalist Repeatedly Hacked with Pegasus after Reporting on Saudi Arabia

The iPhone of New York Times journalist Ben Hubbard was repeatedly hacked with NSO Group's Pegasus spyware tool over a three-year period between June 2018 and June 2021, resulting in infections twice, in July 2020 and June 2021. The University of Toronto's Citizen Lab, which publicized the findings on Sunday, said the "targeting took place while he was reporting on Saudi Arabia, and [...]

Popular NPM Package Hijacked to Publish Crypto-mining Malware

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining and password-stealing malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to get rid of three rogue packages that were found to mimic the same library. The supply-chain attack targeting the open-source [...]

Microsoft Warns of TodayZoo Phishing Kit Used in Extensive Credential Stealing Attacks

Microsoft on Thursday disclosed an "extensive series of credential phishing campaigns" that takes advantage of a custom phishing kit that stitched together components from at least five different widely circulated ones with the goal of siphoning user login information. The tech giant's Microsoft 365 Defender Threat Intelligence Team, which detected the first instances of the tool in the wild in [...]

Feds Reportedly Hacked REvil Ransomware Group and Forced it Offline

The Russian-led REvil ransomware gang was felled by an active multi-country law enforcement operation that resulted in its infrastructure being hacked and taken offline for a second time earlier this week, in what's the latest action taken by governments to disrupt the lucrative ecosystem. The takedown was first reported by Reuters, quoting multiple private-sector cyber experts working with the [...]

Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks

The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called "Bastion Secure" to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme. "With FIN7's latest fake company, the criminal group leveraged true, publicly available information from various legitimate cybersecurity [...]

Malicious NPM Packages Caught Running Cryptominer On Windows, Linux, macOS Devices

Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, macOS, and Linux systems. The malicious packages in question — named okhsa, klow, and klown — were published by the same [...]

'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs

A new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans (RATs) that allow the adversary to gain complete control over the compromised endpoints. Cisco Talos attributed the cyber campaign to a "lone wolf" threat actor operating a Lahore-based fake IT company called Bunse [...]

Researchers Discover Microsoft-Signed FiveSys Rootkit in the Wild

A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targeting online gamers in China. Bucharest-headquartered cybersecurity technology company Bitdefender named the malware "FiveSys," calling out its possible credential theft and in-game-purchase hijacking [...]

Two Eastern Europeans Sentenced for Providing Bulletproof Hosting to Cyber Criminals

Two Eastern European nationals have been sentenced in the U.S. for offering "bulletproof hosting" services to cybercriminals, who used the technical infrastructure to distribute malware and attack financial institutions across the country between 2009 and 2015. Pavel Stassi, 30, of Estonia, and Aleksandr Shorodumov, 33, of Lithuania, have been sentenced to 24 months and 48 months in prison, respectively, [...]

Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer

A new security weakness has been disclosed in the WinRAR trialware file archiver utility for Windows that could be abused by a remote attacker to execute arbitrary code on targeted systems, underscoring how vulnerabilities in such software could become a gateway for a roster of attacks. Tracked as CVE-2021-35052, the bug impacts the trial version of the software running version 5.70. "This [...]

Before and After a Pen Test: Steps to Get Through It

An effective cybersecurity strategy can be challenging to implement correctly and often involves many layers of security. Part of a robust security strategy involves performing what is known as a penetration test (pen test). The penetration test helps to discover vulnerabilities and weaknesses in your security defenses before the bad guys discover these. They can also help validate remedial [...]

Product Overview: Cynet SaaS Security Posture Management (SSPM)

Software-as-a-service (SaaS) applications have gone from novelty to business necessity in a few short years, and their positive impact on organizations is clear. It’s safe to say that most industries today run on SaaS applications, which is undoubtedly positive, but it does introduce some critical new challenges to organizations. As SaaS application use expands, as well as the number of [...]

U.S. Government Bans Sale of Hacking Tools to Authoritarian Regimes

The U.S. Commerce Department on Wednesday announced new rules barring the sale of hacking software and equipment to authoritarian regimes, where it could facilitate human rights abuses, on national security (NS) and anti-terrorism (AT) grounds. The mandate, which is set to go into effect in 90 days, will forbid the export, reexport and transfer of "cybersecurity items" to countries of "national [...]

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

Since at least late 2019, a network of hackers-for-hire have been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder. That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting [...]

Researchers Break Intel SGX With New 'SmashEx' CPU Attack Technique

A newly disclosed vulnerability affecting Intel processors could be abused by an adversary to gain access to sensitive information stored within enclaves and even run arbitrary code on vulnerable systems. The vulnerability (CVE-2021-0186, CVSS score: 8.2) was discovered by a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense [...]

Banking scam uses Docusign phish to thieve 2FA codes

This scam is obviously inapplicable to 999 people in every 1000... but there are LOTS of 1-in-1000 people in the world! [...]

Cybersecurity Awareness Month: Listen up – CYBERSECURITY FIRST!

Fraser Howard of SophosLabs is truly a world expert in fighting malware. Read now, and learn from the best! [...]

Listen up 2 – CYBERSECURITY FIRST! How to protect yourself from supply chain attacks

Everyone remembers this year's big-news supply chain attacks on Kaseya and SolarWinds. Sophos expert Chester Wisniewski explains how to control the risk. [...]

Listen up 3 – CYBERSECURITY FIRST! Cyberinsurance, help or hindrance?

Dr Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, takes on the controversial topic of cyberinsurance. [...]

Listen up 4 – CYBERSECURITY FIRST! Purple teaming – learning to think like your adversaries

Michelle Farenci knows her stuff, because she's a cybersecurity practitioner inside a cybersecurity company! Learn why thinking like an attacker makes you a better defender. [...]

S3 Ep55: Live malware, global encryption, dating scams, and secret emanations [Podcasts]

Latest episode - listen now! (And sign up for our forthcoming Live Malware Demo at the same time.) [...]

“To the moon!” Cryptocurrency hamster Mr Goxx trades online 24/7

Here's a happy cryptocurrency story for once, with not a cybercrook in sight. [...]

Cybersecurity Awareness Month: Building your career

Explore. Experience. Share. How to get into cybersecurity... [...]

LANtenna hack spies on your data from across the room! (Sort of)

Are your network cables acting as undercover wireless transmitters? What can you do if they are? [...]

Four key tenets of zero trust security

As cybercrime threatens businesses of all sizes, industries and locations, organizations have realized that the status quo is no longer tenable and that implementing zero trust is necessary. Zero trust is a security model that can be summed up as “Never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organization’s network, no access is granted without verification. Many companies may promise zero … [...]

The fast-expanding world of online proctoring: What cybersecurity industry leaders must know

The blistering post-pandemic pace of digital transformation has put the urgent demand for cybersecurity professionals in the spotlight. Simultaneously, more testing taking place online has meant that certification providers are now under increased pressure to ensure the integrity of remote cybersecurity examinations. When candidates present credentials that they have been awarded online, recruiters want to trust their validity. Artificial Intelligence (AI)-powered remote proctoring tools are the solution for the cybersecurity industry and certification providers, especially … [...]

Good security habits: Leveraging the science behind how humans develop habits

In this interview with Help Net Security, George Finney, CSO at Southern Methodist University, explains what good security habits are, how to implement them successfully and why they are important. He also talks about his book Well Aware and what inspired him to write it. As technology progresses, so do cybersecurity risks. Is the awareness about them on the right path or is there still a long way to go? There is more awareness about … [...]

How to close the cybersecurity workforce gap

(ISC)² released the findings of its 2021 (ISC)² Cybersecurity Workforce Study. The study reveals updated figures for both the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap in 2021, provides key insights into the makeup of the profession and explores the challenges and opportunities that exist for professionals and hiring organizations. The study reveals a decrease in the global workforce shortage for the second consecutive year, from 3.12 million down to 2.72 million cybersecurity professionals. … [...]

The dangers behind wildcard certificates: What enterprises need to know

With the National Security Agency recently issuing guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques, many organizations and enterprise leaders are wondering: what are the odds of a wildcard certificate being compromised and/or leading to serious consequences, and how can this be prevented? Before IT leaders can truly respond to and mitigate wildcard certificate security risks – and manage wildcard certificates – it’s essential to … [...]
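As an added example, not taken from the Help Net Security article or the NSA guidance, the Python audit below applies the two risks named above to a constructed service inventory: it reports how many listeners a wildcard certificate's single private key is valid for (the blast radius of one key compromise), and, the precondition the ALPACA attacks build on, which non-HTTP listeners present a certificate that a browser would accept for an HTTPS host name. Host names, ports and certificate labels are hypothetical; the name-matching rule is the RFC 6125 one, where a leftmost `*` matches exactly one DNS label.

```python
"""Wildcard-certificate and cross-protocol (ALPACA) exposure audit.

Added example; the SERVICES/CERTS inventory is constructed and the host
names are hypothetical. Name matching follows RFC 6125 section 6.4.3:
a leftmost '*' label matches exactly one DNS label, never zero or several.
"""
from collections import defaultdict

# Constructed inventory: each TLS listener and the certificate it presents.
SERVICES = [
    {"host": "www.example.com",  "port": 443, "proto": "https", "cert": "wild-2021"},
    {"host": "api.example.com",  "port": 443, "proto": "https", "cert": "wild-2021"},
    {"host": "mail.example.com", "port": 587, "proto": "smtp",  "cert": "wild-2021"},
    {"host": "ftp.example.com",  "port": 21,  "proto": "ftp",   "cert": "wild-2021"},
    {"host": "shop.example.com", "port": 443, "proto": "https", "cert": "shop-only"},
]

# Constructed certificates, keyed by an inventory label: their SAN dNSName entries.
CERTS = {
    "wild-2021": ["*.example.com", "example.com"],
    "shop-only": ["shop.example.com"],
}


def name_matches(pattern: str, hostname: str) -> bool:
    """True if SAN entry `pattern` is valid for `hostname` under RFC 6125 rules."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h  # plain name: exact match only
    # Wildcard: same label count, at least two labels after '*' (no '*.com'),
    # and every non-wildcard label identical.
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]


def cert_covers(cert_id: str, hostname: str, certs=CERTS) -> bool:
    return any(name_matches(san, hostname) for san in certs[cert_id])


def wildcard_blast_radius(services=SERVICES, certs=CERTS) -> dict:
    """For each certificate with a wildcard SAN, every inventory host it is valid
    for. Compromise of that one private key lets an attacker impersonate all of
    them, including hosts that currently present a different certificate."""
    out = {}
    for cert_id, sans in certs.items():
        if not any(san.startswith("*.") for san in sans):
            continue
        out[cert_id] = sorted({s["host"] for s in services
                               if cert_covers(cert_id, s["host"], certs)})
    return out


def alpaca_exposure(services=SERVICES, certs=CERTS) -> dict:
    """For each HTTPS host, the non-HTTP listeners whose certificate is also valid
    for that host name. An attacker who redirects the browser's TLS connection to
    such a listener obtains a certificate the browser accepts for the web origin,
    which is the precondition the ALPACA cross-protocol attacks build on."""
    out = defaultdict(list)
    for web in services:
        if web["proto"] != "https":
            continue
        for other in services:
            if other["proto"] != "https" and cert_covers(other["cert"], web["host"], certs):
                out[web["host"]].append(f'{other["proto"]}://{other["host"]}:{other["port"]}')
    return dict(out)


if __name__ == "__main__":
    for cert_id, hosts in wildcard_blast_radius().items():
        print(f"{cert_id}: one key is valid for {len(hosts)} hosts: {', '.join(hosts)}")
    for host, listeners in alpaca_exposure().items():
        print(f"{host}: non-HTTP listeners with an acceptable certificate -> {', '.join(listeners)}")
```

On the constructed inventory the audit shows both problems at once: the wildcard key covers every host, including shop.example.com, which never presents it, and all three HTTPS origins are reachable through the SMTP and FTP listeners. To run it against real infrastructure, replace the two constructed tables with the SAN lists and listener inventory from your certificate management or scanning tooling; the remediation the audit points to is per-service certificates, or at minimum keeping the web certificate off non-HTTP listeners.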

Organizations making security trade-offs in the push to innovate

The vast majority of organizations are increasing their investment in application security this year, but they continue to struggle to fully embrace secure innovation. A market study released by Invicti Security examines how companies are contending with the strategic need to innovate and the existential risk posed by cyber threats. The report is based on a survey of 600 executives and hands-on-keyboard practitioners across security, development and DevOps spanning over 20 industries including manufacturing, technology, … [...]

Manual tasks still a barrier to accelerating innovation through DevOps

Dynatrace announced the findings from an independent global survey of 1,300 development and DevOps leaders, which revealed the primary challenges organizations are facing as they attempt to keep up with demand for digital innovation. The research highlighted that scaling DevOps and SRE practices is critical to accelerating the release of high-quality digital services. However, siloed teams, manual approaches, and increasingly complex tooling slow innovation and make teams more reactive than proactive, impeding their ability to … [...]

Avast Secure Browser PRO protects devices and operating systems from web-based threats

Avast launched a premium version of its free secure and private browser, Avast Secure Browser PRO. The Chromium-based browser for Windows PCs includes an integrated VPN and Adblock technology for people who need a suite of security, privacy and performance services to tackle web-based threats. The built-in VPN, which provides access to 30 locations worldwide covering every continent except Antarctica, helps to ensure the highest levels of privacy protection by encrypting all inbound and outbound … [...]

Perception Point Free Plan allows interception of advanced threats missed by other services

Perception Point announced the availability of the Perception Point Free Plan, which comes with no usage limits: an unlimited number of users, any scale and no time limit. The Perception Point Free Plan is a free email security plan that protects organizations from any inbound threat via email and other cloud collaboration channels. Supported applications include Google Gmail, Microsoft 365, OneDrive, SharePoint, Teams, Google Drive, Dropbox, and Salesforce. “Email security is inaccurately regarded as a solved problem. … [...]

Socure Sigma Identity Fraud enables enterprises to reduce fraud losses and false positives

Socure announced an identity fraud solution, Socure Sigma Identity Fraud. Sigma Identity Fraud delivers an identity fraud classification model by utilizing over 17,000 features that analyze every dimension of a consumer’s identity—name, email, phone, address, IP, device, velocity, network intelligence, and real-time consortium feedback data—all in a single product. Socure Sigma Identity Fraud enables enterprises and government agencies to increase auto-approval rates and reduce fraud losses, false positives, friction, and costs associated with manual reviews. … [...]


Washington Secretary of State Appointed CISA’s Senior Election Security Lead

The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced the appointment of Washington Secretary of State Kim Wyman as its Senior Election Security Lead. [...]

North Korean Hackers Targeting IT Supply Chain: Kaspersky

The North Korea-linked state-sponsored hacking group Lazarus has started to target the IT supply chain in recent attacks, according to cybersecurity firm Kaspersky. [...]

Fuji Electric Patches Vulnerabilities in Factory Monitoring Software

Japanese electrical equipment company Fuji Electric has patched half a dozen types of vulnerabilities in its Tellus factory monitoring and operating product. [...]

SolarWinds Outlines 'Triple Build' Software Development Model to Secure Supply Chain

When FireEye (now Mandiant) disclosed the SolarWinds breach in December 2020, the security world was forced to accept the reality that given the motivation, time and resources, an advanced attacker can breach any organization. And if the breached organization is part of an important supply chain, the potential damage could be devastating. [...]

Apple Patches 22 Security Flaws Haunting iPhones

Apple has released another iOS 15 update with patches for 22 serious security defects in a wide range of iPhone and iPad software components. The vulnerabilities are serious enough to expose iPhone and iPad users to malicious hacker attacks via rigged PDF or image files. [...]

Yubico Launches New Security Key With USB-C and NFC

Yubico on Tuesday announced the launch of Security Key C NFC, a new hardware security key that includes NFC capabilities in a USB-C form factor. [...]

Quantum Cybersecurity Provider QuintessenceLabs Raises $18 Million

Quantum cybersecurity solutions provider QuintessenceLabs this week announced that it has raised A$25 million (roughly US$18.8 million) in a Series B funding round. To date, the company has raised A$61.4 million (US$45 million). The new funding round was led by Main Sequence and TELUS Ventures, with contributions from InterValley Ventures and Capital Property Group. [...]

Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit. [...]

Iran Struggles to Relaunch Petrol Stations After Cyberattack

Iran struggled Wednesday to restart its petrol distribution system after it was hit by an unprecedented cyber-attack which security officials said was launched from abroad. [...]

150 People Arrested in US-Europe Darknet Drug Probe

Law enforcement officials in the U.S. and Europe have arrested 150 people and seized more than $31 million in an international drug trafficking investigation stemming from sales on the darknet, the Justice Department said Tuesday. [...]

Adobe Patches Gaping Security Flaws in 14 Software Products

Adobe on Tuesday released a slew of urgent patches with fixes for more than 90 documented vulnerabilities that expose Windows, macOS and Linux users to malicious hacker attacks. The security defects affect a wide range of popular products, including Adobe Photoshop, Adobe InDesign, Adobe Illustrator and Adobe Premiere. [...]

Illumio Brings Visibility, Zero Trust Principles to Hybrid Cloud

A new product seeks to solve the two primary security issues that come with moving to the cloud: the danger of accidental misconfigurations and the loss of visibility. [...]

Iran Blames Cyberattack as Fuel Supply Hit

Iranian authorities on Tuesday blamed a mysterious cyber attack for unprecedented disruption to the country's fuel distribution network. [...]

Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API

The open-source Mozilla Foundation says it blocked a series of malicious Firefox add-ons that misused the proxy API that extensions use to proxy web requests. The API allows add-ons to control the manner in which the browser connects to the Internet, and some extensions were found to abuse this. [...]

Researcher Explains Wi-Fi Password Cracking at Scale

A security researcher at CyberArk was able to easily break more than 70 percent of Wi-Fi passwords he sniffed using relatively simple, cheap equipment. [...]

Targets and Prizes Announced for 2022 ICS-Themed Pwn2Own

The Zero Day Initiative (ZDI) on Monday announced the targets and prizes for the next Pwn2Own Miami hacking contest, which focuses on industrial control system (ICS) products and associated protocols. [...]

Cloud Security Company Sonrai Raises $50 Million

Public cloud security provider Sonrai Security today announced that it has raised $50 million in Series C funding, which brings the total raised by the company to $88.5 million. The new funding round was led by ISTARI, but existing investors Menlo Ventures, New Brunswick Innovation Fund, Polaris Partners, and TenEleven Ventures also contributed. read more [...]

Enterprise Data Privacy Startup Piiano Emerges From Stealth Mode

Tel Aviv, Israel-based Piiano emerged from stealth mode on Tuesday with $9 million in seed funding and a data engineering solution designed to help enterprises centralize and secure personal and other sensitive information. read more [...]

BillQuick Billing Software Exploited to Hack U.S. Engineering Company

Hackers abused the BillQuick Web Suite billing software to compromise the network of an engineering company in the United States and deploy ransomware, threat detection firm Huntress reports. read more [...]

UK Spy Chiefs Seal Cloud Data Deal With Amazon: FT

UK intelligence agencies have entrusted classified data to Amazon's cloud computing arm AWS in a deal designed to vastly speed up their espionage capabilities, the Financial Times reported on Tuesday. read more [...]

Logging and Security Analytics Firm Devo Raises $250 Million at $1.5 Billion Valuation

Cambridge, MA-based cloud-native logging, SIEM and security analytics company Devo Technology on Tuesday announced that it has achieved unicorn status after raising $250 million. read more [...]

US State Department Sets Up Cyber Bureau, Envoy Amid Hacking Alarm

US Secretary of State Antony Blinken announced Monday that the State Department will establish a new bureau and envoy to handle cyber policy, revamping amid alarm over rising hacking attacks. In a memo to staff, Blinken said that a review showed a need for structural changes on "how the State Department should adapt to 21st-century challenges." read more [...]

Kansas Man Admits Hacking Public Water Facility

Roughly seven months after being indicted for his actions, a Kansas man admitted in court to tampering with the systems at the Post Rock Rural Water District. read more [...]

CISA Raises Alarm on Critical Vulnerability in Discourse Forum Software

The United States Cybersecurity and Infrastructure Security Agency (CISA) over the weekend issued an alert on a critical vulnerability in open source discussion platform Discourse. read more [...]

Russia-Linked SolarWinds Hackers Continue Supply Chain Attack Rampage

The Russia-linked cyberespionage group that hacked IT management solutions provider SolarWinds continues to launch supply chain attacks, Microsoft warned on Monday. read more [...]

Apple Patches Critical iOS Bugs; One Under Attack

Researchers found that one critical flaw in question is exploitable from the browser, allowing watering-hole attacks. [...]

Cyber Attack Cripples Iranian Fuel Distribution Network

The incident triggered shutdowns at pumps across the country as attackers flashed the phone number of Supreme Leader Ali Khamenei across video screens. [...]

SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike

Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader. [...]

Public Clouds & Shared Responsibility: Lessons from Vulnerability Disclosure

Much is made of shared responsibility for cloud security. But Oliver Tavakoli, CTO at Vectra AI, notes there's no guarantee that Azure or AWS are delivering services in a hardened and secure manner. [...]

Lazarus Attackers Turn to the IT Supply Chain

Kaspersky researchers saw the North Korean state APT use a new variant of the BlindingCan RAT to breach a Latvian IT vendor and then a South Korean think tank. [...]

Why the Next-Generation of Application Security Is Needed

New software and code stand at the core of everything we do, but how well is all of this new code tested? Luckily, autonomous application security is here. [...]

Attackers Hijack Craigslist Emails to Bypass Security, Deliver Malware

Manipulated Craigslist emails that abuse Microsoft OneDrive warn users that their ads contain "inappropriate content." [...]

Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users

The misbehaving Firefox add-ons were misusing an API that controls how Firefox connects to the internet. [...]

Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads

UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service. [...]

Defending Assets You Don’t Know About, Against Cyberattacks

No security defense is perfect, and shadow IT means no company can inventory every single asset that it has. David “moose” Wolpoff, CTO at Randori, discusses strategies for core asset protection given this reality. [...]

Washington Secretary of State Appointed CISA’s Senior Election Security Lead

The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced the appointment of Washington Secretary of State Kim Wyman as its Senior Election Security Lead. read more [...]

North Korean Hackers Targeting IT Supply Chain: Kaspersky

The North Korea-linked state-sponsored hacking group Lazarus has started to target the IT supply chain in recent attacks, according to cybersecurity firm Kaspersky. read more [...]

Fuji Electric Patches Vulnerabilities in Factory Monitoring Software

Japanese electrical equipment company Fuji Electric has patched half a dozen types of vulnerabilities in its Tellus factory monitoring and operating product. read more [...]

SolarWinds Outlines 'Triple Build' Software Development Model to Secure Supply Chain

When FireEye (now Mandiant) disclosed the SolarWinds breach in December 2020, the security world was forced to accept the reality that given the motivation, time and resources, an advanced attacker can breach any organization. And if the breached organization is part of an important supply chain, the potential damage could be devastating. read more [...]

Apple Patches 22 Security Flaws Haunting iPhones

Apple has released another iOS 15 update with patches for 22 serious security defects in a wide range of iPhone and iPad software components. The vulnerabilities are serious enough to expose iPhone and iPad users to malicious hacker attacks via rigged PDF or image files. read more [...]

Yubico Launches New Security Key With USB-C and NFC

Yubico on Tuesday announced the launch of Security Key C NFC, a new hardware security key that includes NFC capabilities in a USB-C form factor. read more [...]

Quantum Cybersecurity Provider QuintessenceLabs Raises $18 Million

Quantum cybersecurity solutions provider QuintessenceLabs this week announced that it has raised A$25 million (roughly US$18.8 million) in a Series B funding round. To date, the company has raised A$61.4 million (US$45 million). The new funding round was led by Main Sequence and TELUS Ventures, with contributions from InterValley Ventures and Capital Property Group. read more [...]

Many Ransomware Attacks on OT Organizations Involved Ryuk: IBM

Many attacks that impacted organizations with operational technology (OT) networks in 2021 involved ransomware, and operators of the Ryuk ransomware in particular appear to gravitate towards this type of target, according to research conducted by IBM’s X-Force cybersecurity unit. read more [...]

Iran Struggles to Relaunch Petrol Stations After Cyberattack

Iran struggled Wednesday to restart its petrol distribution system after it was hit by an unprecedented cyber-attack which security officials said was launched from abroad. read more [...]

The 9th edition of the ENISA Threat Landscape (ETL) report is out!

I’m proud to announce the release of the 9th edition of the ENISA Threat Landscape (ETL) on the state of the cybersecurity threat landscape. The European Agency for cybersecurity ENISA releases its ENISA Threat Landscape 2021 (ETL) report, which is the annual analysis on the state of the cybersecurity threat landscape. This edition reports events and analyses […] The post The 9th edition of the ENISA Threat Landscape (ETL) report is out! appeared first on Security Affairs. [...]

North Korea-linked Lazarus APT targets the IT supply chain

North Korea-linked Lazarus APT group is extending its operations and has started targeting the IT supply chain. North Korea-linked Lazarus APT group is now also targeting the IT supply chain, researchers from Kaspersky Lab warn. The activity of the Lazarus APT group surged in 2014 and 2015, and its members used mostly custom-tailored malware in their attacks. […] The post North Korea-linked Lazarus APT targets the IT supply chain appeared first on Security Affairs. [...]

Operations at Iranian gas stations were disrupted today. Cyber attack or computer glitch?

A cyberattack has disrupted gas stations from the National Iranian Oil Products Distribution Company (NIOPDC) across Iran. A cyber attack has disrupted gas stations from the state-owned National Iranian Oil Products Distribution Company (NIOPDC) across Iran. The attack also defaced the screens at the gas pumps and gas price billboards. In multiple cities, the billboards […] The post Operations at Iranian gas stations were disrupted today. Cyber attack or computer glitch? appeared first on Security Affairs. [...]

Dark HunTOR: Police arrested 150 people in dark web drug bust

Dark HunTOR: Police corps across the world have arrested 150 individuals suspected of buying or selling illicit goods on the dark web marketplace DarkMarket. A joint international operation, tracked as Dark HunTOR, conducted by law enforcement across the world resulted in the arrest of 150 suspects allegedly involved in selling and buying illicit goods in […] The post Dark HunTOR: Police arrested 150 people in dark web drug bust appeared first on Security Affairs. [...]

Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv

A researcher from the security firm CyberArk has managed to crack 70% of Tel Aviv’s WiFi networks starting from a sample of 5,000 gathered WiFi networks. CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi at scale by exploiting a vulnerability that allows retrieving a PMKID hash. Hoorvitch has managed to crack […] The post Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv appeared first on Security Affairs. [...]

Ranzy Locker ransomware hit tens of US companies in 2021

The FBI published a flash alert to warn of the activity of the Ranzy Locker ransomware that had already compromised tens of US companies. The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year. The gang has been active since at […] The post Ranzy Locker ransomware hit tens of US companies in 2021 appeared first on Security Affairs. [...]

UltimaSMS subscription fraud campaign targeted millions of Android users

UltimaSMS, a massive fraud campaign, is using Android apps with millions of downloads to subscribe victims to premium subscription services. Researchers from Avast have uncovered a widespread premium SMS scam on the Google Play Store, tracked as UltimaSMS; the name comes from the first app they discovered, called Ultima Keyboard 3D Pro. Threat actors used at […] The post UltimaSMS subscription fraud campaign targeted millions of Android users appeared first on Security Affairs. [...]

Kansas Man pleads guilty to hacking the Post Rock Rural Water District

Kansas man Wyatt Travnichek admitted in court to tampering with the computer systems at the Post Rock Rural Water District. Kansas man Wyatt A. Travnichek pleaded guilty to tampering with the computer system at a drinking water treatment facility at the Post Rock Rural Water District. The man also pleaded guilty to one count of […] The post Kansas Man pleads guilty to hacking the Post Rock Rural Water District appeared first on Security Affairs. [...]

Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware

An unknown ransomware gang leverages a critical SQL injection flaw in the BillQuick Web Suite time and billing solution to deploy ransomware. An unknown ransomware gang is exploiting a critical SQL injection flaw, tracked as CVE-2021-42258, in the popular time and billing software BillQuick Web Suite to deploy ransomware. The attacks were first spotted this month […] The post Unknown ransomware gang uses SQL injection bug in BillQuick Web Suite to deploy ransomware appeared first on Security Affairs. [...]

A critical RCE flaw affects Discourse software, patch it now!

US CISA urges administrators to address a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs. Discourse is a popular open-source Internet forum and mailing list management software application. The US CISA published a security advisory to urge administrators to fix a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs. The […] The post A critical RCE flaw affects Discourse software, patch it now! appeared first on Security Affairs. [...]

ELFant in the Room – capa v3

Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project’s release page and check out the source code on GitHub.

ELF File Format Support

capa finds capabilities in programs by parsing executable file formats, disassembling code, and then recognizing… [...]

Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms,
Websites, and Forums in at Least Seven Languages, Attempted to
Physically Mobilize Protesters in the U.S.

In June 2019, Mandiant Threat Intelligence first reported to customers a pro-People’s Republic of China (PRC) network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube, that was at that time primarily focused on discrediting pro-democracy protests in Hong Kong. Since then, the broader activity set has rapidly expanded in size and scope and received widespread public attention following Twitter’s takedown of related accounts in August 2019. Numerous other researchers have published investigations into various aspects of this activity set, including Google’s Threat Analysis Group, Graphika, the Australian Strategic Policy Institute, the Stanford Internet Observatory and the Hoover Institution,… [...]

PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell. The ProxyShell vulnerabilities consist of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the following versions of on-premises Microsoft Exchange Servers:

  • Exchange Server 2013 (Cumulative Update 23 and below)
  • Exchange Server 2016 (Cumulative Update 20 and below)
  • Exchange Server 2019 (Cumulative Update 9 and below)

The vulnerabilities are being tracked in the following CVEs:

  CVE             Risk Rating  Access Vector  Exploitability  Ease of Attack  Mandiant Intel
  CVE-2021-34473  High         Network        Functional      Easy            Link
  CVE-2021-34523  Low          Local          Functional      Easy            Link
  CVE-2021-31207  Medium       Network        Functional      Easy… [...]

Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth

The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed with the support of FLARE analysts. We will also share sample detection rules, and hunting recommendations to find similar activity in your environment. Mandiant has yet to observe PRIVATELOG or STASHLOG in any customer environments or to recover any second-stage payloads launched by PRIVATELOG. This may indicate malware that is still in development,… [...]

Detecting Embedded Content in OOXML Documents

On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents, specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.

OOXML File Format

Beginning with Microsoft Office 2007, the default file format for Excel, PowerPoint, and Word documents switched from an Object Linking and Embedding (OLE) based format to OOXML. For now, the only part of this that’s important to understand is OOXML… [...]

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices. At the time of writing this blog post,… [...]

UNC215: Spotlight on a Chinese Espionage Campaign in Israel

This blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures (TTPs) of a Chinese espionage group we track as UNC215. While UNC215’s targets are located throughout the Middle East, Europe, Asia, and North America, this report focuses on intrusion activity primarily observed at Israeli entities. This report comes on the heels of the July 19, 2021, announcements by governments in North America, Europe, and Asia and intragovernmental organizations, such as the North Atlantic Treaty Organization (NATO), and the European Union, condemning widespread cyber espionage conducted on behalf of the Chinese Government. These coordinated statements attributing sustained cyber espionage… [...]

Announcing the Eighth Annual Flare-On Challenge

The FLARE team is once again hosting its annual Flare-On challenge, now in its eighth year. Take this opportunity to enjoy some extreme social distancing by solving fun puzzles to test your mettle and learn new tricks on your path to reverse engineering excellence. The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 22, 2021. This year’s contest will consist of 10 challenges and feature… [...]

capa 2.0: Better, Faster, Stronger

We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven’t heard of capa before, or need a refresher, check out our first blog post. You can download capa 2.0 standalone binaries from the project’s release page and check out the source code on GitHub. capa 2.0 enables anyone to contribute rules more easily, which makes the existing ecosystem even more vibrant. This blog post details the following major improvements included in capa 2.0:… [...]

Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse
Secure VPN Devices

On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential implications for U.S.-China strategic relations. Mandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure VPN appliances at organizations across the defense, government, high tech, transportation, and financial sectors in the U.S. and Europe (Figure 1). Reverse engineers on the FLARE team have identified four additional code families specifically designed to manipulate Pulse Secure… [...]

Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As reported in the Mandiant post, "Shining a Light on DARKSIDE Ransomware Operations," Mandiant Consulting has investigated intrusions involving several DARKSIDE affiliates. UNC2465 is one of those DARKSIDE affiliates that Mandiant believes has been active since at least March 2020. The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported… [...]

Crimes of Opportunity: Increasing Frequency of Low Sophistication
Operational Technology Compromises

Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. The activity is typically not sophisticated and is normally not targeted against specific organizations. Rather, the compromises appear to be driven by threat actors who… [...]

Shining a Light on DARKSIDE Ransomware Operations

Update (May 14): Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and would be closing their service. Decrypters would also be provided for companies who have not paid, possibly to their affiliates to distribute. The post cited law enforcement pressure and pressure from the United States for this decision. We have not independently validated these claims and there is some speculation by other actors that this could… [...]

Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass
Techniques and Pulse Secure Zero-Day

Executive Summary

Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells. The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector. Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to… [...]

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of the malware, this threat actor appears experienced and well resourced. This blog post will discuss the phishing campaign, identification of three new malware families, DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK, provide a deep dive into their functionality, present an overview of the actor’s modus operandi and our conclusions. A future blog post will focus on the backdoor communications and the differences between… [...]

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly. UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade… [...]

Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise

In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network. The vulnerabilities are being tracked in the following CVEs:

  CVE             Score  Description
  CVE-2021-20021  9.8    Unauthorized administrative account creation
  CVE-2021-20022  7.2    Post-authentication arbitrary file upload
  CVE-2021-20023  4.9    Post-authentication arbitrary file read

Mandiant has been coordinating… [...]

In July 2020, Mandiant Threat Intelligence released a public report detailing an ongoing influence campaign we named “Ghostwriter.” Ghostwriter is a cyber-enabled influence campaign which primarily targets audiences in Lithuania, Latvia and Poland and promotes narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe. Since releasing our public report, we have continued to investigate and report on Ghostwriter activity to Mandiant Intelligence customers. We tracked new incidents as they happened and identified activity extending back years before we formally identified the campaign in 2020. A new report by our Information Operations analysis, Cyber Espionage analysis, and… [...]

Abusing Replication: Stealing AD FS Secrets Over the Network

Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased focus on long-term persistent access to Microsoft 365 as one of their primary objectives. The focus on developing novel and hard to detect methods to achieve this goal was highlighted with the recent detection of UNC2452 and their access to Microsoft 365. One of this group's key TTPs was to steal the Token Signing Certificate from an organization’s AD FS server to enable them to bypass MFA and access cloud services as any… [...]

Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure

High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks—such as the Internet. In Mandiant’s experience, the concept of an ‘air gap’ separating OT assets from external networks rarely holds true in practice. In 2018, we released a blog post presenting the tools and techniques that TEMP.Veles used during the TRITON incident to traverse from an external compromise of the information technology (IT) network of a critical infrastructure organization to the safety systems located… [...]

We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic, and threat actors continued to escalate the sophistication and aggressiveness of their attacks while in parallel leveraging unexpected global events to their advantage. We discuss all of this and much more in the full report, which is available for download today. But first, here is a sneak preview of the most popular M-Trends metric, where we answer the critical question:… [...]

Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service

In this blog post we will describe: how attackers use the Background Intelligent Transfer Service (BITS); forensic techniques for detecting attacker activity, with data format specifications; the public release of the BitsParser tool; and a real-world example of malware using BITS persistence. Introduction: Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP to simplify and coordinate downloading and uploading large files. Applications and system components, most notably Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal user disruption. Applications interact with the Background Intelligent Transfer Service by creating jobs with one… [...]

Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats

There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the last decade. While fewer attacks are clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult for defenders to understand the threat environment, prioritize security efforts, and justify resource allocation. To address this problem, FireEye Mandiant Threat Intelligence produces a range of reports for subscription customers that focus on different indicators to predict future threats. Insights from activity on dark web forums, anecdotes from the field, ICS vulnerability… [...]

UPDATE (Mar. 18): Mandiant recently observed targeted threat actors modifying mailbox folder permissions of user mailboxes to maintain persistent access to the targeted users' email messages. This stealthy technique is not usually monitored by defenders and provides threat actors a way to access the desired email messages using any compromised credentials. The white paper, blog post and Azure AD Investigator tool have been updated to reflect these findings. Mandiant would like to thank the members of Microsoft’s Detection and Response Team (DART) for their collaboration on this research. In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is… [...]

Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities

Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server’s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process… [...]

5/31/18 Androids with Pre-installed Malware & The Markley Quiz [...]

5/31/18 New Speculative Execution Vulnerability [...]

5/24/18 Satori scanning for Ethereum mining rigs [...]

5/17/18 GandCrab Hides on Legitimate Websites [...]

4/26/18 Book Review: The Car Hacker’s Handbook by Craig Smith [...]