CISA and the DOJ are seeking comment on rules whose goal is to protect the personal data of Americans against foreign adversaries.
The post CISA, DOJ Propose Rules for Protecting Personal Data Against Foreign Adversaries appeared first on SecurityWeek.
SecurityWeek – Read More
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a vulnerability related to ScienceLogic SL1, previously known as EM7, to its Known Exploited Vulnerabilities (KEV) catalog.
The specific vulnerability in question, designated as CVE-2024-9537, has been classified as critical. It relates to a third-party utility included with the ScienceLogic SL1 package. Notably, the name of this utility has not been disclosed to prevent providing insights to potential threat actors.
The newly identified vulnerability, designated CVE-2024-9537, has a critical CVSS score of 9.3. It involves a remote code execution issue linked to a third-party component within ScienceLogic SL1.
This specific vulnerability has attracted many users and cybersecurity professionals, particularly those who follow it on social media, where users have reported that the flaw, a zero-day remote code execution vulnerability, was exploited.
ScienceLogic SL1 is a vital IT operations management platform that supports critical functions such as monitoring, automation, and optimization of hybrid cloud environments. However, the recent vulnerability related to a bundled third-party component highlights significant security concerns. Organizations should prioritize evaluating and securing these components to protect against vulnerabilities that could compromise their overall security framework.
“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria”, says the Cybersecurity and Infrastructure Security Agency (CISA).
To mitigate the risks associated with this critical vulnerability, organizations are urged to take the following steps:
Ensure that all software and hardware systems are updated with the latest patches released by official vendors. Establish a routine schedule for applying critical patches immediately to protect against potential exploits.
Create a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.
Implement proper network segmentation to isolate critical assets from less secure areas. Utilizing firewalls, VLANs, and access controls can significantly reduce the attack surface exposed to potential threats.
Develop and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates of this plan are essential to ensure its effectiveness.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Using Security Information and Event Management (SIEM) systems can facilitate real-time threat detection and response.
Proactively identify and evaluate the criticality of End-of-Life (EOL) products within the organization. Timely upgrades or replacements are crucial to minimizing security risks.
The recent identification of the CVE-2024-9537 vulnerability in ScienceLogic SL1 highlights rising cybersecurity challenges. With a critical CVSS score of 9.3, this remote code execution flaw emphasizes the risks associated with third-party components in IT operations management platforms.
To mitigate these risks, organizations must prioritize timely software updates, establish robust patch management processes, and enhance network segmentation. Implementing comprehensive incident response plans and utilizing monitoring tools like SIEM systems will further strengthen security measures.
The post CISA Adds ScienceLogic SL1 Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog appeared first on Cyble.
Blog – Cyble – Read More
A file-encrypting malware family posing as the LockBit ransomware has been observed targeting macOS systems.
The post NotLockBit Ransomware Can Target macOS Devices appeared first on SecurityWeek.
SecurityWeek – Read More
Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding newly discovered vulnerabilities in Microsoft SharePoint, specifically addressing a deserialization vulnerability now included in CISA’s Known Exploited Vulnerability (KEV) catalog.
The vulnerability in question, identified as CVE-2024-38094, has a CVSSv3.1 score of 7.2, which indicates a high-severity risk. It affects several SharePoint products, including Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.
An authenticated attacker with Site Owner permissions could exploit this vulnerability to inject and execute arbitrary code within the SharePoint environment. The risk of such exploitation is exacerbated by the availability of proof-of-concept (PoC) code in the public domain, heightening the urgency for organizations to act swiftly.
CISA’s inclusion of vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog highlights that these issues are actively being exploited in real-world scenarios, indicating a threat to organizations.
Specifically, high-severity vulnerabilities like CVE-2024-38094 allow authenticated users with Site Owner permissions to inject arbitrary code into SharePoint Server, leading to potential consequences such as data breaches, ransomware attacks, and privilege escalation.
Organizations using affected SharePoint versions must prioritize timely patching and implement security measures to combat these threats. This advisory aligns with the established Common Vulnerabilities and Exposures (CVE) framework and the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities into high (7.0-10.0), medium (4.0-6.9), and low (0.0-3.9) based on their severity. Importantly, a patch for CVE-2024-38094 is available, and its exploitation in the public domain underscores the urgency for organizations to act.
CISA urges organizations to take the following steps to mitigate risks associated with CVE-2024-38094 and similar vulnerabilities:
Organizations should promptly apply the latest patches released by Microsoft. Regular updates of all software and hardware systems are crucial for minimizing vulnerabilities and defending against potential exploits.
Develop a comprehensive patch management strategy encompassing inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.
Properly segment networks to protect critical assets from exposure to less secure areas. Employ firewalls, VLANs, and strict access controls to limit access and reduce the overall attack surface.
Create and maintain an effective incident response plan. This plan should detail the procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates to the plan will help ensure its alignment with evolving threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM), systems can facilitate real-time threat detection and improve response capabilities.
Organizations should proactively assess the criticality of any End-of-Life (EOL) products in their infrastructure, planning timely upgrades or replacements to mitigate security risks.
CISA’s advisory highlights the ongoing threats posed by vulnerabilities such as CVE-2024-38094 in Microsoft SharePoint. Organizations must not only recognize the seriousness of these vulnerabilities but also take decisive action to fortify their defenses.
By implementing timely patches and security measures, organizations can reduce their risk of exploitation and maintain the integrity of their systems. Prompt attention to these vulnerabilities is not just advisable; it is essential for protecting sensitive data and maintaining operational security.
The post CISA Warns About New Microsoft SharePoint Vulnerability CVE-2024-38094: High Risks and Immediate Patching Needed appeared first on Cyble.
Blog – Cyble – Read More
Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control.
“Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware,” Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. “However, such is
The Hacker News – Read More
It may come as a surprise to learn that 34% of security practitioners are in the dark about how many SaaS applications are deployed in their organizations. And it’s no wonder—the recent AppOmni 2024 State of SaaS Security Report reveals that only 15% of organizations centralize SaaS security within their cybersecurity teams. These statistics not only highlight a critical security blind spot,
The Hacker News – Read More
Cybersecurity researchers have shed light on a new adversarial technique that could be used to jailbreak large language models (LLMs) during the course of an interactive conversation by sneaking in an undesirable instruction between benign ones.
The approach has been codenamed Deceptive Delight by Palo Alto Networks Unit 42, which described it as both simple and effective, achieving an average
The Hacker News – Read More
Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn.
In this malware analysis report, we take an in-depth look at how the Remote Access Trojan (RAT) DarkComet has been used by attackers to remotely control systems, steal sensitive data, and execute various malicious activities.
DarkComet is a Remote Access Trojan (RAT) initially developed by Jean-Pierre Lesueur in 2008. This malware runs silently in the background, collecting sensitive information about the system, users, and network activity.
It attempts to steal stored credentials, usernames, passwords, and other personal data, transmitting this information to a destination specified by the attacker.
Backdoor.DarkComet allows attackers to install further malicious software on the infected machine or enlist it in a botnet for sending spam or other malicious activities.
Symptoms of an infection may not be noticeable to the user, as it can disable antivirus programs and other Windows security features.
Bundling with free software.
Disguising as harmless programs in emails.
Exploiting software vulnerabilities on websites.
DarkComet became widely used due to its user-friendly graphical interface, which contributed to its popularity.
Let’s run a sandbox analysis session using ANY.RUN to discover the technical details of this malware.
DarkComet uses a command-line operation to alter file attributes, making its components more difficult to detect.
It uses attrib to display or change file attributes
+s (System Attribute): Marks the file as a system file, making it appear as a critical part of the operating system.
+h (Hidden Attribute): Hides the file from regular view in Windows Explorer, making it invisible to most users.
It drops an executable at C:UsersadminDocumentsMSDCSCmsdcsc.exe and executes it, making it harder to detect.
The malware establishes communication with a specified malicious domain, enabling remote control and data exfiltration.
The malware interacts with the Windows APIs LookupPrivilegeValueA and AdjustTokenPrivileges to modify the privileges associated with the current process’s access token (not the process itself).
This is done by obtaining a handle to the process’s access token, which allows the malware to modify its security context.
If a2 is 0, the privilege is removed (Attributes = 0).
If a2 is 1, the privilege is enabled (Attributes = 2).
DarkComet uses the GetCurrentHwProfileA API to collect detailed information about the infected system’s hardware:
Hardware Profile ID (HWID): A Globally Unique Identifier (GUID) that identifies the current hardware profile, allowing the malware to uniquely recognize the system.
Dock State: Extracted through the dwDockInfo field, this information reveals whether the system is docked (e.g., connected to a docking station) or undocked. This helps the malware adapt its behavior based on the system’s hardware configuration.
The malware also gets the date and time of the victim device.
It also checks the computer’s location settings by querying the registry key associated with the current user’s Security Identifier (SID):
REGISTRYUSER{SID}Control PanelInternationalGeoNation
DarkComet uses a function called sub_4735E8 multiple times with different strings as parameters.
This function carries out resource management and processes various pieces of data, including:
C2 Domain Information: The Command and Control server the malware communicates with.
SID (Security Identifier): Identifies the user profile associated with the malware’s activity.
Mutex Values: Used to ensure that only one instance of the malware runs on the infected system at a time.
This function helps obfuscate key information, preventing it from appearing directly in the strings section of the malware.
With this function, the malware loops through DARKCOMET DATA to retrieve specific attributes based on the provided parameter strings.
Here is the loop that the malware uses to iterate through DARKCOMET DATA:
Within sub_4735E8, DarkComet iterates through its internal data set, known as DARKCOMET DATA, to match specific parameters and extract corresponding attributes. This process involves looping through data entries to retrieve the needed values based on the provided strings.
Extracted DARKCOMET DATA:
#BEGIN DARKCOMET DATA —
MUTEX={DC_MUTEX-D1SPNDG}
SID={Sazan}
FWB={0}
NETDATA={8.tcp.eu.ngrok.io:27791}
GENCODE={fKTZRKdv0Nij}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
FAKEMSG={1}
EF={1}
MSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E64652079656E6964656E206261FE6C6174FD6C6163616B74FD722E2E2E}
MSGICON={48}
SH1={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA —
From this data, the malware extracts and processes key attributes, including:
C2 domain: Specifies where the malware sends stolen data.
EDTDATE: The date associated with the malware’s installation (e.g., 16/04/2007), indicating that it does not alter the date of the dropped executable.
Mutex: Ensures that only one copy of DarkComet runs on the system.
Campaign name: Used for identifying specific attacks or operations.
It also processes the attributes of the malware that define how it behaves and interacts with the system:
EDTPath: Path of the executable (MSDCSCmsdcsc.exe)
Registry Key (KEYNAME): MicroUpdate, used to maintain persistence in the system’s registry.
From the DARKCOMET DATA, we can also notice that the malware does not change the original creation date of the dropped executable. The CHANGEDATE attribute is set to 0, indicating that the date remains unchanged, which can help the malware blend in with other files and avoid raising suspicion during forensic analysis.
DarkComet drops a file named msdcsc.exe in the C:UsersadminDocumentsMSDCSC directory and executes it from there.
This dropped file is identical to the original malware executable.
This means it can start itself from another location. By doing so, the malware can better evade detection, as running from a new path makes it more challenging for security tools to track its activity.
To maintain persistence on the infected system, DarkComet:
Adds Run key: It creates a registry entry at SOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate with the path of the executable.
Modifies the WinLogon registry key: It alters REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit for persistance.
DarkComet retrieves handles to the modules (DLLs) such as kernel32.dll and user32.dll for further manipulation and execution of its malicious functions.
DarkComet has various capabilities that allow it to manipulate the infected system and gather information. These include functions for simulating user input, capturing data, and interacting with the system’s display and clipboard.
DarkComet uses the mouse_event function to simulate mouse motion and button clicks.
This helps the attacker to interact with the system as if a user is controlling the mouse.
This malware also uses Keyboard Event Simulation, particularly, the keybd_event function to allow the malware to manipulate the user’s environment, input data, or perform actions without the user’s knowledge.
The malware calls GetKeyboardType(0) to determine the type of the primary keyboard. If it returns 7, it indicates that the keyboard is a “language” keyboard, which is often a Unicode keyboard.
The next function captures keystrokes from the user, allowing the malware to record input without detection.
The function used by DarkComet processes each character input (ch), which could represent a keyboard key or a specific command. It applies a series of conditional checks and actions based on the character’s value.
This malware utilizes the VkKeyScanA(ch) function to convert the character into a virtual key code. This conversion allows the malware to accurately interpret and simulate keyboard actions, making it easier to log keystrokes or execute commands.
The malware uses EnumDisplayDevicesA function to retrieve information about display devices connected to the system.
DarkComet attempts to access data from the clipboard, focusing on format 0xE, which is used for enhanced metafiles (EMF) – a vector graphics format. By doing so, the RAT can exfiltrate or manipulate clipboard data, such as copied images or text.
DarkComet receives instructions from its Command and Control (C2) server, allowing it to perform various remote tasks. These commands enable the attacker to control the malware’s behavior and may include actions like:
Data exfiltration: Extracting files or information from the infected system.
System manipulation: Modifying system settings or terminating processes.
Additional payload delivery: Deploying additional malicious software into the infected system.
See Appendix I for the extracted commands that the C2 server sends to the malware.
These commands help control the malware’s behavior remotely and may provide insight into the attacker’s objectives and tactics.
DarkComet is a highly capable Remote Access Trojan (RAT) that continues to be a threat due to its stealthy behavior and extensive feature set. It allows attackers to manipulate infected systems remotely, steal sensitive information, and install additional malware.
This analysis has demonstrated DarkComet’s ability to evade detection by modifying file attributes, manipulating registry keys for persistence, and escalating privileges. It gathers system information, including hardware profiles and location settings, and communicates with a command-and-control (C2) server to execute a variety of commands, from capturing keystrokes to controlling display devices.
The malware’s functionality, including its ability to modify system settings, simulate user input, and manage services, makes it a versatile tool for attackers. Its ease of use, coupled with a rich set of RAT functionalities, has contributed to its widespread deployment, especially in targeted cyberattacks.
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Detect malware in seconds.
Interact with samples in real time.
Save time and money on sandbox setup and maintenance
Record and study all aspects of malware behavior.
Collaborate with your team
Scale as you need.
md5: 1b540a732f2d75c895e034c56813676a
sha1: 0dd8c542fd46dd5b55eefcf35382ee8903533703
sha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1
8[.]tcp[.]eu[.]ngrok[.]io[:]27791
REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”
REGISTRYUSERUSER SIDSOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”
C:UsersadminDocumentsMSDCSCmsdcsc.exe
TACTIC
TECHNIQUE
MITRE ATT&CK ID
Persistence
Boot or Logon Autostart Execution
T1547
Adds Run key to start application
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
Boot or Logon Autostart Execution
T1547
Adds Run key to start application
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Discovery
Query Registry
T1012
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Command and Control
Web Service
T1102
GetSIN
RefreshSIN
RunPrompt
GetDrives
GetSrchDrives
GetFileAttrib
KillProcess
GetAppList
GetServList
StartServices
StopServices
RemoveServices
InstallService
GetStartUpList
ActiveOnlineKeylogger
ActiveOfflineKeylogger
GetOfflineLogs
Shutdown
RestartComp
LogOffComp
PowerOff
GetFullInfo
GetSystemInfo
OpenWebPage
PrintText
GetTorrent
GetPrivilege
TraceRoute
#BOT#VisitUrl
#BOT#OpenUrl
#BOT#Ping
#BOT#RunPrompt
#BOT#CloseServer
#BOT#SvrUninstall
#BOT#URLUpdate
DOWNLOADFILE
UPLOADFILE
ACTIVEREMOTESHELL
DESKTOPCAPTURE
WEBCAMLIVE
WIFI
CHAT
FTPFILEUPLOAD
The post DarkComet RAT: <br>Technical Analysis of Attack Chain appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Dutch police arrested four individuals for selling stolen personal data via Telegram groups, seizing devices and firearms in…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More