In so many penetration tests or assessments, the client gives you a set of subnets and says “go for it”. This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name.…
Tag: FIREWALL
Summary: This content discusses the features of Fail2Ban, an open-source tool that monitors log files and blocks IP addresses that exhibit repeated failed login attempts.
Threat Actor: N/A
Victim: N/A
Key Point:
Fail2Ban is a versatile tool that can block common attacks using community-driven filters with minimal configuration.…
Summary: This content discusses criminal campaigns that exploit cloud storage services to redirect users to malicious websites and steal their information using SMS messages.
Threat Actor: Unnamed threat actors
Victim: Users targeted by the criminal campaigns
Key Point:
Security researchers have identified criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage.…
Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features.…
Executive Summary
A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022.…
Summary: This content discusses an authentication bypass vulnerability (CVE-2024-4985) recently fixed by GitHub, which impacts GitHub Enterprise Server instances using SAML single sign-on authentication.
Threat Actor: N/A
Victim: GitHub Enterprise Server instances
Key Point:
An authentication bypass vulnerability (CVE-2024-4985) was fixed by GitHub, impacting GitHub Enterprise Server instances using SAML single sign-on authentication.…
Written by: Michael Raggi
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers.…
Summary: The cryptojacking group known as Kinsing has been actively orchestrating illicit cryptocurrency mining campaigns since 2019, continuously evolving and adapting by integrating newly disclosed vulnerabilities to expand its botnet.
Threat Actor: Kinsing
Victim: Various victims | Kinsing victim
Key Point:
Kinsing, also known as H2Miner, is a cryptojacking group that has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet.…
On May 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.…
Summary: This report examines the threat posed by Russia-linked advanced persistent threat (APT) groups on operational technology (OT) by analyzing key cyber attacks from the past 12 months, providing detection rules and recommendations for network defenders.
Threat Actor: Russia-linked APT groups
Victim: Various industries and specifically a manufacturing industry customer | manufacturing industry
Key Points:
This report analyzes cyber attacks conducted by Russia-linked APT groups on operational technology (OT) in the past year, providing useful detection rules and recommendations for network defenders.…
ESET researchers discovered two previously unknown backdoors – which we named LunarWeb and LunarMail – compromising a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. We believe that the Lunar toolset has been used since at least 2020 and, given the similarities between the tools’ tactics, techniques, and procedures (TTPs) and past activities, we attribute these compromises to the infamous Russia-aligned cyberespionage group Turla, with medium confidence.…
Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Palo Alto Networks released an advisory and threat protection signature for the vulnerability within 48 hours of Volexity’s disclosure of the issue to Palo Alto Networks, with official patches and fixes following soon after.…
More than 30.6 billion records have been exposed in 2024 so far based on 8,839 publicly disclosed incidents. Intensifying cybersecurity efforts has thus become more critical than ever for organizations the world over. But that requires having the whole picture on hand, and that’s only possible if users can take a closer look inside and outside their networks.…
This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls.…
Juniper Threat Labs has been monitoring exploitation attempts targeting an Ivanti Pulse Secure authentication bypass with remote code execution vulnerabilities. We have observed instances of Mirai botnet delivery in the wild, using this exploit with remote code execution capabilities. This exploit facilitates malware delivery, posing a significant threat to compromise entire networks.…
Summary: This content discusses a novel attack called TunnelVision that targets virtual private network (VPN) applications, compromising their ability to protect user traffic.
Threat Actor: Researchers have discovered this attack technique.
Victim: Users of VPN applications.
Key Point:
TunnelVision is an attack that forces VPN applications to send and receive traffic outside of the encrypted tunnel, undermining their purpose of protecting user data.…
Summary: The content discusses the rise of offensive AI as a tool for cybercriminals and the expectations of security leaders regarding AI-driven attacks.
Threat Actor: Cybercriminals
Victim: Businesses
Key Point:
93% of security leaders expect to face daily AI-driven attacks. 65% of security leaders expect offensive AI to be the norm for cybercriminals in most cyberattacks.…
This blog contains an excerpt of our new paper that unveils a previously unpublished multi-year operation using Domain Name System (DNS) queries, open DNS resolvers, and China’s Great Firewall. We detail what is known about the operation today and how to identify it in DNS logs.…
This cyber security advisory is intended for IT professionals and managers within government and all sectors.
Effective Date
This publication takes effect on April 24, 2024
Revision History
First release. April 24, 2024
1 Background
Since early 2024, the Canadian Centre for Cyber Security (Cyber Centre), Australian Signals Directorate’s Australian Cyber Security Centre and the UK’s National Cyber Security Centre (NCSC) have been evaluating ongoing malicious cyber activity targeting virtual private network (VPN) services used by government and critical national infrastructure networks globally.…