Privacy
- “Google is indexing the phone numbers of WhatsApp users that could be abused by threat actors for malicious activities. Even if Google Search only revealed the phone numbers and not the identities of associated users, ill-intentioned attackers could be able to see users’ profile pictures on WhatsApp and perform a reverse-image search of the user’s profile picture to gather additional info on the potential victim (i.e. mining social media accounts where the victim uses the same profile picture).” https://securityaffairs.co/wordpress/104445/digital-id/google-indexed-whatsapp-numbers.html
- “Singapore’s announcement that it is developing a wearable for contact tracing has caused citizens to voice concern for the technology’s impact on their data privacy, with more than 35,000 signing a petition against the devices.” https://threatpost.com/singapore-contact-tracing-wearable-privacy/156397/
Standards, Guidelines, Solutions
- “NIST SP 1800-23 is a response to the growing digital security challenges confronting organizations with operational technology (OT) assets. The issue for those types of entities is that many of their industrial control systems (ICS) are becoming increasingly interconnected. This development presents an opportunity for attackers insofar as they can abuse those connections to attack an ICS. Depending on the nature of the attack, malicious actors could undermine the functionality of an organization’s assets, systems and networks. Such damages could subsequently produce broader negative effects for society, especially if that organization plays a part in managing their respective host country’s critical energy infrastructure.” https://www.tripwire.com/state-of-security/regulatory-compliance/final-version-nist-sp-1800-23-guides-identification-threats-assets/
- “IBM has released open-source toolkits implementing fully homomorphic encryption (FHE) that allow researchers to process data while it’s still encrypted.” https://securityaffairs.co/wordpress/104438/security/ibm-fhe-toolkits.html
- “The addition of secure copy (SCP) capability removes one of the obstacles encountered by users adopting the AWS Session Manager. Cloud asset console access was provided within the AWS management console, but until now, there was no simple way to move files onto the remote systems. In many scenarios, development or administration of a live system may require copying patches or other data onto your live instances, and now Session Manager allows this without the need for additional solutions such as firewalls, bastions or intermediate S3 usage.” https://www.tripwire.com/state-of-security/security-data-protection/cloud/aws-session-manager-enhanced-ssh-scp-capability/
- “Cyber-attacks are evolving as you are reading this article; according to a study by the University of Maryland, hackers are now attacking computers and networks at a rate of one attack every 39 seconds. The 2020 Cyberthreat Defense Report by CyberEdge Group says that 81% of surveyed organizations were affected by a successful cyber-attack in 2019. No organization is safe; cybercriminals are constantly coming up with new ways to compromise organizations. Furthermore, the cost of a successful cyber-attack can be quite hefty.” https://www.threathunting.se/2020/06/08/how-artificial-intelligence-improves-cyber-security-defense/
Red/Blue Teaming
- “Dcshadow is a feature in mimikatz that manipulates Active Directory (AD) data, including objects and schemas, by registering and replicating the behaviour of a Domain Controller (DC). It simulates the behaviour of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls, including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz).” https://www.hackingarticles.in/domain-persistence-dc-shadow-attack/
- “Reviewing a series of tools commonly used on pentests to identify flaws in Active Directory and general network design and implementation.” https://www.blackhillsinfosec.com/webcast-a-blue-teams-perspective-on-red-team-hack-tools/
- “7 Dos And Don’ts For Zeek Scripting” https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/
Bug Bounty
- “Defense Advanced Research Projects Agency (DARPA) is turning the hardware over to elite white-hat hackers who can earn up to $25,000 for bugs they find. The goal is to throw an array of attacks at the hardware so its foundations are more secure before production.” https://www.cyberscoop.com/darpa-bug-bounty-hardware-synack/
Vulnerabilities
- “A vulnerability has been discovered in IBM WebSphere Application Server that could allow for remote code execution. Successful exploitation of this vulnerability could allow an attacker to execute remote code in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.” https://www.cisecurity.org/advisory/a-vulnerability-in-ibm-websphere-application-server-could-allow-for-remote-code-execution_2020-078/
Active Threats
- “Akamai researchers uncovered a malware campaign spreading a Golang-based malicious code tracked as Stealthworker. The malware targets Windows and Linux servers running popular web services and platforms, including cPanel / WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP.” https://securityaffairs.co/wordpress/104427/malware/stealthworker-botnet.html
- “The phishing links were designed to direct executives to fake Microsoft login pages to steal their credentials and send them to accounts hosted on Yandex, a Russian email service. If successful, that data could be used to gather valuable information on the company’s procurement of PPE, which governments have fought over as the virus has raged.” https://www.cyberscoop.com/germany-ppe-coronavirus-hackers-ibm/
- “The dropper is constantly updated: we see new versions with sandbox evasion techniques, code randomization features, C&C URL encryption, and additional payload encryption. As a result, we can reasonably assume that behind GuLoader there is a major new service aiming to replace traditional packers and crypters.” https://research.checkpoint.com/2020/guloader-cloudeye/
- “A relatively common ransomware strain, STOP Djvu was involved in various digital attacks over the past year or so. Back in January 2019, STOP used adware installers disguised as cracks as a new method of distributing itself to unsuspecting users. That was just a couple of months before researchers spotted a variant of the STOP ransomware family downloading the Azorult infostealer onto victims’ machines as part of its infection process.” https://www.tripwire.com/state-of-security/security-data-protection/zorab-ransomware-disguised-as-stop-djvu-ransomware-decryptor/
- “The release of a PoC for the Windows flaw known as “SMBGhost” could set off cyberattack waves, CISA warned.” https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/
- “While the Japanese car manufacturer is tight-lipped about these events, a security researcher named Milkream has found a sample of the SNAKE (EKANS) ransomware submitted to VirusTotal today that checks for the internal Honda network name of “mds.honda.com”.” https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/
- “With a wink and a smile, the new Avaddon Ransomware has come alive in a massive spam campaign targeting users worldwide. Avaddon was launched at the beginning of this month and is actively recruiting hackers and malware distributors to spread the ransomware by any means possible. As its first known attack, the Avaddon Ransomware is being distributed in a spam campaign reminiscent of February’s Nemty Ransomware Love Letter campaign.” https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/
- “U.S. energy providers were targeted by spear-phishing campaigns delivering a new remote access trojan (RAT) capable of providing attackers with full control over infected systems. The attacks took place between July and November 2019, and the threat actor behind it — tracked as TA410 by Proofpoint researchers who spotted the campaigns — used portable executable (PE) attachments and malicious macro-laden Microsoft Word documents to deliver the malicious payload.” https://www.bleepingcomputer.com/news/security/us-energy-providers-hit-with-new-malware-in-targeted-attacks/
- “The Korean threat actor Higaisa has been using malicious LNK files in recent attacks aimed at organizations that use the Zeplin collaboration platform. The group is believed to be a nation-state actor that has been active since at least 2016, but remained under the radar since 2019. The arsenal of the group includes common RATs such as Gh0st and PlugX that were employed in attacks against government officials and human rights organizations.” https://securityaffairs.co/wordpress/104469/apt/higaisa-hacking-group.html
Remediated
- “The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially let a remote attacker bypass mobile one-time passwords (OTP) and sign in as other users.” https://thehackernews.com/2020/06/aadhar-digilocker-hacked.html
#security #cybersecurity #itsecurity #privacy #risk #compliance #nist #ot #ics #nccoe #malware #stealthworker #aws #scp #mimikatz #guloader #darkeye #digilocker #ai #stopdjvu #zorab #sname #ekans #avaddon #darpa #flowcloud #rat #ta410 #higaisa #gh0st #plugx