My Weekly Roundup #138
Threat Advisory: Cyclops Blink
Cisco Talos is aware of the recent reporting around a new modular malware family, Cyclops Blink, that targets small and home office (SOHO) devices, similar to previously observed threats like VPNFilter.
Ukraine calls for volunteer hackers to protect its critical infrastructure and spy on Russian forces
The government of Ukraine is calling on the hacking community to volunteer its expertise and capabilities, following the invasion of the country by Russian forces.
White House Denies Mulling Massive Cyberattacks Against Russia
The options reportedly included tampering with trains, electric service and internet connectivity, hampering Russia’s military operations in Ukraine.
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077.
Biden has been presented with options for massive cyberattacks against Russia
President Joe Biden has been presented with a menu of options for the U.S. to carry out massive cyberattacks designed to disrupt Russia’s ability to sustain its military operations in Ukraine, four people familiar with the deliberations tell NBC News. Two U.S.
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
Executive Summary: On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting MS-SQL servers that are vulnerable to malware attacks. MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past.
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
In 2021, Mandiant observed some threat actors deploying ransomware increasingly shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend.
Ukraine: Disk-wiping Attacks Precede Russian Invasion
A new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the launch of a Russian invasion this morning (February 24). Symantec, a division of Broadcom Software, has also found evidence of wiper attacks against an organization in Lithuania.
The Bvp47 - a Top-tier Backdoor of US NSA Equation Group
Full Report Download: The Bvp47 Technical Paper (PDF). In a certain month of 2013, during an in-depth forensic investigation of a host in a key domestic department, researchers from the Pangu Lab extracted a set of advanced backdoors on the Linux platform, which used advanced covert channel behavior
Stealing a few more GitHub Actions secrets
In a previous blogpost, I wrote about a security bug I found in GitHub, which would have allowed an attacker to get write access to almost any public repository. As a quick recap: This post describes a different security bug I found in GitHub, using a similar attack strategy.
Steal Credentials & Bypass 2FA Using noVNC
Steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client that has a browser running in kiosk mode. Recently I was on an engagement where all the users had 2FA enabled on their email. I quickly set up the great Evilginx2 as I usually would.
A Good Old Equation Editor Vulnerability Delivering Malware
Here is another sample demonstrating how attackers still rely on good old vulnerabilities… In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882.
Chinese hackers linked to months-long attack on Taiwanese financial sector
Taiwanese security firm links APT10 Chinese espionage group to attacks on local financial sector. Attacks targeted a vulnerability in a security product used by roughly 80% of the Taiwanese financial sector.
Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network
It should be noted that the site e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p:4545 can only be accessed through I2P. We looked for other similar samples in VirusTotal and our sample collection using TLSH, Yara, and other tools.
Chasing the Silver Petit Potam
I want to start this post by calling out to @NotMedic and telling the world he is a wizard who knows so much about protocol attacks. This post takes the work he has done on NetNTLMtoSilverTicket and adds in a different initial vector of Petit Potam.
Ukraine Says Chernobyl Radiation Has Exceeded Safe Levels, Staff Held Hostage, Fears ‘Planetary Environmental Disaster’
Russia has seized control over the nuclear and radiation facilities at Chernobyl, a move that Ukrainian officials told Motherboard constitutes a war crime and has already kicked up radioactive dust.
Ukrainian government calls on hackers to help defend against Russia
The government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according to two people involved in the project.
Ukraine Warned Over Danger Of Russian Spying On ‘Unencrypted’ Telegram
Moxie Marlinspike, the founder of encrypted comms app Signal, has warned about the use of Telegram as a form of secure communications, as Ukraine makes heavy use of the app in the midst of war with Russia.
Netflix is testing its curated stream of comedy clips on TVs
Netflix is testing Fast Laughs, a stream of comedy clips hand-picked by Netflix, on its TV app.