D-Link Warns of RCE Vulnerability in Legacy Routers

Six discontinued D-Link router models are affected by a remote code execution (RCE) vulnerability that will not be patched.

The post D-Link Warns of RCE Vulnerability in Legacy Routers appeared first on SecurityWeek.

SecurityWeek – ​Read More

Portugal’s Tekever raises $74M for dual-use drone platform deployed to Ukraine

Dual-use drone startup Tekever has raised €70 million ($74 million) to develop its product and expand into new markets, specifically the U.S. The news is part of a trend of smaller tech-driven startups moving into markets normally dominated by large ‘defense primes’. It also shows that unmanned aerial drones are becoming far more sophisticated, in […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – ​Read More

NHIs Are the Future of Cybersecurity: Meet NHIDR

The frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take

The Hacker News – ​Read More

Linux Variant of Helldown Ransomware Targets VMware ESX Servers

Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – ​Read More

CISOs’ Key Takeaways from the ANZ (Australia and New Zealand) Threat Landscape Report 2024

Threat landscape report

Overview

Australia and New Zealand’s cyber threat landscape has become increasingly complex, with challenges affecting critical infrastructure, healthcare, finance, and more. The Threat Landscape Report 2024 by Cyble stresses the growing dangers posed by cybercriminals and state-sponsored threat actors alike while highlighting the proactive measures that businesses, especially CISOs (Chief Information Security Officers), can take to strengthen their defenses.

Cyble has found a notable surge in cyberattacks targeting Australia and New Zealand (ANZ). The Threat Landscape Report 2024 has identified these trends as a high priority. Among these, the rise in Ransomware-as-a-Service (RaaS) models and increasing cyberattacks targeting critical sectors such as healthcare, government, and finance stand out. Geopolitical tensions have also intensified the threat, with state-sponsored cyber actors from countries like China and Russia targeting Australian networks for espionage, financial gain, and geopolitical influence.

In FY2023-24, the Australian Signals Directorate (ASD) responded to over 1,100 cyber incidents, with 11% of these attacks focused on critical infrastructure. Furthermore, there was a 12% increase in calls to the Australian Cyber Security Hotline, with more than 36,700 inquiries related to cyber threats.

This surge reflects the growing concern about cybersecurity vulnerabilities across sectors. Data breaches, ransomware attacks, and politically motivated Distributed Denial of Service (DDoS) attacks have been prevalent, underlining the urgent need for more robust security measures across organizations in Australia and New Zealand.

For CISOs, these developments are not just concerning; they accentuate the importance of proactively identifying threats, putting security protocols in place, and continuously updating cybersecurity strategies to protect against cyber threats.

Key Findings and Threats Identified in the ANZ Threat Landscape Report 2024

Several key findings stand out in the ANZ Threat Landscape Report 2024, providing critical insights into the nature of cybersecurity threats facing organizations in the region:

  • Ransomware and RaaS: The rise of RaaS models, particularly with groups like SpiderX, has made it easier for even less experienced cybercriminals to launch ransomware attacks. These services offer low-cost, turnkey solutions that lower the barriers to entry for launching ransomware campaigns. As a result, CISOs must be especially vigilant in defending against these attacks, which often involve data exfiltration and encryption for financial gain.
  • Exploitation of Software Vulnerabilities: Exploiting vulnerabilities such as CVE-2024-21887, which affects Industrial Control Systems (ICS) and IoT devices, continues to be a notable attack vector. These vulnerabilities allow attackers to gain unauthorized access and disrupt critical services, making timely patching and vulnerability management crucial for organizations to mitigate risk.
  • Geopolitically Motivated Attacks: Tensions in the geopolitical domain have led to a rise in ideologically driven cyberattacks, particularly those targeting government websites, infrastructure, and financial institutions. DDoS attacks, often carried out by groups such as the People’s Cyber Army and Mysterious Team Bangladesh, have been used to send political messages and disrupt operations, making it critical for organizations to strengthen defenses against such campaigns.
  • Supply Chain and Phishing Attacks: The Threat Landscape Report 2024 highlights the risk of targeted supply chain attacks, with threat actors leveraging trojanized software packages or compromising third-party vendors to gain access to larger networks. Alongside these threats, phishing remains a pervasive attack technique, making employee training and awareness more important than ever.
  • IoT and ICS Systems Vulnerabilities: Cyble also reported a rise in threats to IoT and ICS systems, especially in sectors like manufacturing, energy, and critical infrastructure. Exploits targeting these systems can cause widespread disruption, underscoring the need for specialized security measures tailored to these environments.

Strategic Insights for CISOs

CISOs across Australia and New Zealand must prioritize cybersecurity strategies that address both immediate and long-term risks. Here are several strategic takeaways for CISOs based on the Threat Landscape Report 2024:

  • Given the rise in sophisticated attacks like RaaS and supply chain breaches, CISOs should prioritize proactive security measures such as vulnerability management, continuous monitoring, and threat intelligence sharing. Investing in comprehensive threat detection tools, like Cyble Vision, can help organizations stay alert to cyber threats in the modern world.
  • With incidents like ransomware and data breaches on the rise, it is essential for organizations to have a robust incident response plan in place. Engaging with Cyble’s incident response and digital forensics services can help organizations swiftly identify, contain, and mitigate cyberattacks.
  • As critical infrastructure remains a primary target, with 11% of cyber incidents in the report related to this sector, CISOs should invest in specialized security solutions to safeguard critical systems. For example, Cyble’s IoT and ICS security tools can help identify vulnerabilities in these environments, reducing the risk of significant disruption.
  • The complex nature of cyber threats necessitates using advanced Cyber Threat Intelligence (CTI). Using platforms like Cyble Vision, Hawk, and ODIN, CISOs can access real-time threat data and better understand attack trends, improving decision-making and response times.

Cyble’s Role in Mitigating Cyber Threats

The ANZ Threat Landscape Report 2024 highlights the escalating sophistication of cyber threats targeting organizations in Australia and New Zealand, ranging from RaaS attacks to IoT and ICS systems vulnerabilities. To fight against these threats, CISOs need a comprehensive, proactive approach to cybersecurity. Cyble, a leading threat intelligence provider, offers several cybersecurity solutions to help organizations understand and fight against these challenges.

  1. Attack Surface Management (ASM)

Cyble’s Attack Surface Management (ASM) solution helps organizations gain visibility into their digital footprint, identifying potential vulnerabilities before they can be exploited. Cyble’s ASM tools can detect exposed assets, including software vulnerabilities like those detailed in the Threat Landscape Report 2024, such as CVE-2024-21887, by continuously monitoring and analyzing an organization’s attack surface. With real-time alerts and actionable insights, ASM allows CISOs to stay ahead of threats and ensure timely remediation.

  2. Cyber Threat Intelligence (CTI)

One of the most significant takeaways from the report is the increasing complexity and scale of cyber threats. To stay ahead of attackers, organizations need actionable threat intelligence. Cyble’s Cyber Threat Intelligence (CTI) solutions provide real-time insights into emerging threats, from RaaS to politically motivated attacks. By aggregating data from various sources, including the dark web and hacker forums, Cyble’s CTI platform helps organizations understand the tactics, techniques, and procedures (TTPs) that threat actors employ, enabling a faster, more targeted response to potential attacks.

  3. Dark Web Monitoring

As data breaches and ransomware attacks become more common, compromised information is often sold or traded on the dark web. Cyble’s Dark Web Monitoring solution helps organizations continuously scan for leaked data, stolen credentials, and other sensitive information that may be used in attacks. For CISOs, this means enhanced visibility into the risk of data exfiltration and the ability to take swift action to mitigate the potential impact of a breach.

  4. Incident Response and Digital Forensics

The ANZ Threat Landscape Report 2024 highlights that supply chain threats and data breaches raise business concerns. In a cyberattack, quick and efficient incident response is crucial. Cyble’s Digital Forensics & Incident Response (DFIR) services help organizations investigate and recover from cyber incidents. By identifying the root cause of an attack and mitigating its impact, Cyble’s expert team ensures that businesses can resume operations with minimal downtime.

  5. Vulnerability Management

Cyble’s Vulnerability Management solution provides advanced scanning and remediation strategies that give organizations a comprehensive view of exploitable vulnerabilities. According to the Threat Landscape Report 2024, flaws like CVE-2024-56789, which affects cloud platforms and virtual machines, are increasingly exploited. With Cyble’s solution, businesses can proactively identify and address vulnerabilities, reducing the likelihood of successful cyberattacks and minimizing the risk of exploitation.

  6. Brand Intelligence

Another key area highlighted in the Threat Landscape Report 2024 is the rise in brand impersonation, phishing attacks, and fraudulent domains targeting businesses. Cyble’s Brand Intelligence services help protect organizations from these threats by identifying fraudulent activities that could damage a company’s reputation or lead to financial losses. By monitoring fake websites, social media impersonation, and phishing attempts, Cyble helps companies safeguard their digital presence.

  7. Executive Monitoring

Cyble’s Executive Monitoring Solution offers comprehensive protection for executives by actively monitoring and tracking impersonations, deepfake content, and leaks of personally identifiable information (PII) across social media, dark web platforms, and cybercrime forums. Utilizing advanced AI technology, the solution can quickly identify and remove manipulated media, including deepfakes, in real time. This helps protect the reputation and integrity of key personnel by preventing identity theft, reputation damage, and the exploitation of sensitive information.

  8. Physical Security Intelligence

Cyble cybersecurity solutions offer comprehensive threat management that provides real-time updates to identify and address potential physical security risks proactively. Designed to protect assets and personnel, the solution ensures that security measures are always up-to-date and effective. With a centralized oversight platform, organizations can easily manage security across multiple locations, including offices and warehouses, from one unified interface. This streamlined approach by Cyble’s physical security intelligence helps improve operational efficiency while ensuring security remains a top priority across diverse environments.

  9. Takedown Services

Cyble offers powerful tools to combat online fraud and cybercrime by identifying and removing malicious content. These takedown services ensure that fraudulent activities and harmful online threats are promptly addressed, helping to protect organizations from reputational damage and financial loss. Cyble’s solution provides a critical layer of defense by disrupting cybercrime operations and protecting digital environments from online threats.

  10. Bot Shield

Cyble offers advanced intelligence on compromised hosts within your network, providing detailed insights into infected devices communicating with known command-and-control infrastructures. This bot shield solution helps detect and mitigate botnet activities by identifying and isolating compromised devices, preventing further exploitation. By monitoring and addressing threats in real-time, Cyble enhances network security and protects your organization from potential cyberattacks driven by botnet infections.

  11. Third Party Risk Management (TPRM)

Cyble’s Third-Party Risk Management (TPRM) solution helps identify and mitigate risks associated with third-party collaborations, ensuring secure business operations. By assessing the security posture of vendors and partners, Cyble enables organizations to proactively manage potential vulnerabilities in their supply chain and external relationships.

  12. Cloud Security Posture Management (CSPM)

Cyble’s Cloud Security Posture Management (CSPM) solution continuously monitors cloud environments to identify misconfigurations and ensure compliance with security policies. Consistent evaluation of cloud infrastructure helps businesses secure their cloud platforms, mitigate potential security gaps, and enhance the overall security posture, providing real-time protection against cloud threats.

Conclusion

The ANZ Threat Landscape Report 2024 vividly describes the growing cybersecurity threats facing organizations across Australia and New Zealand. With ransomware attacks, politically motivated cybercrimes, and critical infrastructure vulnerabilities on the rise, CISOs must be more vigilant than ever in strengthening their organizations’ defenses.

Cyble offers a suite of cybersecurity solutions for organizations in Australia and New Zealand, including Cyble Vision for real-time threat intelligence and vulnerability management, Cyble Hawk for national security insights, Odin for internet scanning and vulnerability detection, AmIBreached for dark web risk mitigation, and The Cyber Express for expert cybersecurity news. These tools help organizations proactively address threats and enhance security in a complex cyberspace.

The post CISOs’ Key Takeaways from the ANZ (Australia and New Zealand) Threat Landscape Report 2024 appeared first on Cyble.

Blog – Cyble – ​Read More

Inside the Booming ‘AI Pimping’ Industry

AI-generated influencers based on stolen images of real-life adult content creators are flooding social media.

Security Latest – ​Read More

Cyera Raises $300 Million at $3 Billion Valuation

Data security firm Cyera has raised $300 million in Series D funding, which brings the total investment in the company to $760 million. 

The post Cyera Raises $300 Million at $3 Billion Valuation appeared first on SecurityWeek.

SecurityWeek – ​Read More

6 Common Persistence Mechanisms in Malware

Persistence mechanisms are techniques used by attackers to keep malware active, even after log-offs, reboots, or restarts. In other words, they’re techniques that make malware tougher to detect and even harder to remove once it’s on a system. 

Let’s dive into a few of the common mechanisms attackers use to keep their malware persistent, quietly doing its work in the background. 

What’s Persistence in Cybersecurity? 

In cybersecurity, persistence refers to the ability of malware or an attacker to maintain access to a compromised system over time. 

Persistence mechanisms are tools or techniques that allow malware or unauthorized users to stay embedded within a system without needing to reinitiate the attack every time the system restarts. 

For cyber attackers, persistence can be useful for activities like data theft, surveillance, and further spreading of malware.  

These mechanisms can be simple, such as adding files to the system’s startup folder. They can also be more complex, like modifying system registry keys or even embedding code into core system processes. 

Let’s explore some of the most common malware persistence mechanisms attackers use and see how to detect them with the help of ANY.RUN’s Interactive Sandbox. 

1. Startup Directory Execution  

MITRE ATT&CK ID: T1547.001 

One of the go-to techniques for malware persistence is dropping files in the Startup directory. 

When a program is placed in the Startup folder on a Windows system, it automatically runs every time the user logs in.  

It’s a straightforward, built-in function. Windows lets you put programs there for convenience, so your favorite apps or tools can launch without you having to click anything.  

Attackers know this and use it to their advantage. They sneak a malicious file into the Startup folder, so each time the computer boots up, their malware launches too, right along with everything else. 

Why is this technique effective? Well, most people don’t ever look in their Startup folder, so it’s easy for these files to go unnoticed. Plus, it doesn’t take a lot of effort for malware to blend in here. It just quietly restarts itself with every logon or reboot without raising obvious alarms. 

We can observe this persistence mechanism inside the following sandbox session. Here, the Snake Keylogger malware adds malicious files inside the Startup directory of the Windows system.  

Persistence mechanism technique inside ANY.RUN sandbox 

To see this in the ANY.RUN sandbox, check the Process Tree on the right side of the screen, where you’ll find the malware’s actions demonstrated. 

Click on it to get further details. 

File execution in Startup folder 

In this case, the file is created in the following location: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, which is the Startup folder on a Windows system. 

2. Registry Autorun Key Modification  

MITRE ATT&CK ID: T1547.001 

Creating files in the Startup directory is a simpler approach. It doesn’t require any changes to the system’s registry or deep permissions, and it’s a method users could technically spot by checking their Startup folder.  

On the other hand, Registry Autorun key modification dives a bit deeper. By creating or modifying specific registry keys, malware can make sure it runs automatically every time the system starts. 

Malware achieves this type of persistence by altering registry keys in one of the ASEPs (AutoStart Extension Points). 

Malware targeting user-level persistence will typically modify these registry keys: 

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 

But this is not all. If the malware gains admin privileges, it can access and alter system-level registry keys: 

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 

In the following analysis session, Njrat changes the registry key at the user level: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 

Autorun value change in registry 

3. Logon/Logoff Helper Path Modification  

MITRE ATT&CK ID: T1547.004 

Windows has built-in “helper” paths in the registry that handle tasks during login and logoff. They’re meant to run specific programs or scripts to assist with the user’s session start or end, like running a script that sets up a network drive when you log in.  

Attackers know this, and they’ve figured out that by tweaking these paths, they can set up their malware to launch every time someone logs in or out of the system. 

How does it work? By altering registry keys that manage these login/logoff helpers, like the ones in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, malware can slip itself into the sequence of programs that automatically run during these key moments.  

This means every time you log in, the malware gets a fresh start without needing to infect the system repeatedly. 

For instance, the following analysis session shows how malware uses this technique to achieve persistence.  

Registry key change inside ANY.RUN virtual machine

4. Kernel Modules and Extensions (Linux)  

MITRE ATT&CK ID: T1547.006 

In Linux, the kernel, the core part of the operating system, is responsible for handling essential functions like managing system resources and hardware interactions.  

Kernel modules are pieces of code that can be loaded and run within the kernel to extend its capabilities, like adding support for new hardware.  

Normally, these modules are legitimate and provide helpful functions, but attackers have found a way to use them to their advantage. 

Here’s how this malware persistence mechanism works. 

Loading the malicious module 

Malware can install a malicious kernel module, giving it the ability to load directly into the kernel.  

To achieve this, malware usually requires root (administrator) privileges. Once these privileges are obtained, the malware can use commands like insmod, modprobe, or depmod to load the malicious module into the kernel.  


Loading of malicious module detected by ANY.RUN sandbox 

Maintaining high privilege access 

Since kernel modules run in kernel space, the malware operates with high privilege levels, which means it has almost unrestricted access to system resources.  

This includes access to the network stack, filesystem, memory, and hardware devices, which allows it to monitor or intercept communications, manipulate data, and hide its presence. 

Stealth and evasion 

It’s a highly stealthy technique because, once loaded, the malware becomes part of the core system functions.  

Once loaded, the malicious module can camouflage itself by removing signs of its presence, like clearing log entries or hooking into kernel functions to hide processes or files. Since standard antivirus and security tools operate at the user level, they often can’t detect or interact with kernel-level threats. 

5. Office Application Startup  

MITRE ATT&CK ID: T1137 

Microsoft Office applications, like Word or Excel, have certain startup files or templates they load whenever you open them. Attackers know that Office is used widely, especially in workplaces, so they take advantage of this feature to get their malware up and running whenever someone opens an Office app. 

Office offers various mechanisms that attackers can manipulate to ensure their malware relaunches every time an Office application starts up. 

Two common methods for achieving persistence in Office applications include: 

  1. Office template macros: Attackers can embed malicious macros in Office template files. These templates are automatically loaded each time the application is opened, which means the embedded malicious code is executed without additional prompts or interaction from the user. 
  2. Add-ins: Microsoft Office allows users to install add-ins—mini applications that extend Office functionality. Attackers can create malicious add-ins and place them in Office’s add-in directories. When the infected add-in is installed, it loads alongside the Office application, providing another layer of persistence that activates whenever the application starts. 

In the following malware analysis session, the attackers used a macro to achieve persistence in Office applications. It’s immediately detected by the ANY.RUN sandbox: 

Macros detected by ANY.RUN sandbox 

The infected Office file is displayed inside the virtual machine: 

The malicious Office file

6. Boot or Logon Initialization Scripts 

MITRE ATT&CK ID: T1037 

Adversaries often leverage scripts that automatically run during system boot or user logon to establish persistence. These initialization scripts are typically used for administrative tasks, like launching other programs or sending logs to an internal server. Because of this, they’re a convenient target for attackers looking to maintain a foothold on a system. 

The details of these scripts vary by operating system and setup—they can be applied either locally on a single machine or across multiple systems in a network. By modifying these scripts, attackers ensure their malware executes at every startup or login, keeping it active without requiring user interaction. 

RC scripts modified inside ANY.RUN sandbox 

In the example above, attackers modified RC scripts to achieve persistence in the system.

Detect Persistence Mechanisms Quickly in ANY.RUN Sandbox 

To spot persistence mechanisms used by attackers, ANY.RUN integrates the MITRE ATT&CK Matrix framework.  

Persistence mechanisms detected inside sandbox

Simply click the ATT&CK button on the right side of the screen, and ANY.RUN sandbox will display all the techniques and sub-techniques observed in that specific analysis session, making it fast and easy to see exactly what’s in play. 
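As an added example (not ANY.RUN’s code), the following Python maps a constructed stream of sandbox-style file, registry and process events to the ATT&CK IDs used in the six sections above. The event format, the sample values and the Office STARTUP/Templates/AddIns paths are assumptions made for the illustration.

```python
import re

# The five ATT&CK techniques behind the six mechanisms in the article.
TECHNIQUES = {
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1547.004": "Winlogon Helper DLL",
    "T1547.006": "Kernel Modules and Extensions",
    "T1137": "Office Application Startup",
    "T1037": "Boot or Logon Initialization Scripts",
}

# Location patterns, case-insensitive. Built from the paths and keys the article
# names plus the Office STARTUP/Templates/AddIns folders; not a full ASEP list.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEYS = re.compile(
    r"^(HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?$", re.I)
WINLOGON_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.I)
WINLOGON_VALUES = {"userinit", "shell", "notify"}   # the values Winlogon executes
OFFICE_STARTUP = re.compile(
    r"\\Microsoft\\(Word|Excel|PowerPoint)\\STARTUP\\|\\Microsoft\\(Templates|AddIns)\\", re.I)
MODULE_LOADER = re.compile(r"^(sudo\s+)?(insmod|modprobe)\s+")
INIT_SCRIPT = re.compile(r"^(/etc/rc\.local|/etc/rc\d?\.d/|/etc/init\.d/|/etc/profile\.d/)")


def classify(event):
    """Map one event to an ATT&CK ID, or None when it touches no known location."""
    kind = event["type"]
    if kind in ("file_create", "file_write"):
        path = event["path"]
        if STARTUP_DIR.search(path):
            return "T1547.001"
        if OFFICE_STARTUP.search(path):
            return "T1137"
        if INIT_SCRIPT.match(path):
            return "T1037"
    elif kind == "reg_set":
        key = event["key"]
        if RUN_KEYS.match(key):
            return "T1547.001"
        if WINLOGON_KEY.search(key) and event.get("value", "").lower() in WINLOGON_VALUES:
            return "T1547.004"
    elif kind == "process":
        if MODULE_LOADER.match(event["cmdline"]):
            return "T1547.006"
    return None


def detect(events):
    """Return one hit per suspicious event, in the order the events occurred."""
    hits = []
    for event in events:
        tid = classify(event)
        if tid:
            evidence = (event.get("path") or event.get("cmdline")
                        or f'{event["key"]} -> {event.get("value")}')
            hits.append({"technique": tid, "name": TECHNIQUES[tid], "evidence": evidence})
    return hits


def summarize(events):
    """Sorted, de-duplicated technique IDs, like the sandbox's ATT&CK matrix view."""
    return sorted({h["technique"] for h in detect(events)})


# Constructed sample event stream mimicking a sandbox file/registry/process log.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.exe"},
    {"type": "file_create", "path": r"C:\Users\admin\Documents\report.docx"},          # benign
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost32", "data": r"C:\Users\admin\AppData\Roaming\svchost32.exe"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options",
     "value": "ShowPreview", "data": "1"},                                              # benign
    {"type": "reg_set", "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,C:\ProgramData\helper.exe"},
    {"type": "process", "cmdline": "insmod /tmp/.cache/netfilter_x.ko"},
    {"type": "process", "cmdline": "ls -la /tmp"},                                      # benign
    {"type": "file_create", "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\macros.dotm"},
    {"type": "file_write", "path": "/etc/rc.local"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["technique"], hit["name"], "<-", hit["evidence"])
```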

Conclusion

Attackers use various methods to keep their malware active on infected systems. These methods range from simple, like putting malicious files in the Startup directory, to complex, such as changing registry keys or targeting kernel modules. Each technique uses built-in system features to avoid detection and stay in control. With ANY.RUN’s Interactive Sandbox you can identify these persistence methods and put them into the larger context of the attack, seeing how it plays out at every stage.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

The post 6 Common Persistence Mechanisms in Malware appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Malicious QR codes

  • QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Talos’ data, roughly 60% of all email containing a QR code is spam.  
  • Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code’s orientation and position. 
  • Further complicating detection, both by users and anti-spam filters, Talos found QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes spread, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response” codes (QR codes). 

QR codes are a two-dimensional matrix barcode that can encode just over seven thousand numeric characters, or up to approximately four thousand three hundred alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

Quantifying the QR code problem 

Cisco Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up as little as 0.01% and up to 0.2% of all email, worldwide. This equates to roughly 1 out of every 500 email messages. This is not a very big number. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, roughly 60% of all email containing a QR code is spam.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate Wi-Fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred.  

Why are malicious QR codes hard to detect? 

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters. Below is an example of an email containing a Unicode art QR code.    

An email containing a QR code constructed from Unicode characters (defanged).

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

HTML used to construct a malicious QR Code from Unicode characters.

Defanging QR codes 

When sharing malicious URLs, it is common to change the protocol from "http" to "hxxp", or to put brackets [] around one of the dots in the URL, so that browsers and other applications do not render the link as an active URL and users cannot inadvertently click it. This process is known as "defanging". Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a BBC news article about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims.

A news article from BBC containing a working QR code (this has been defanged by Talos).

The problem is that such QR codes can still be scanned, taking readers to whatever malicious link the code encodes. To make malicious QR codes safe for consumption, they should be defanged.

There are a couple of ways to do this. One is to obscure the data modules, the black and white squares within the QR code that carry the encoded data. However, based on Talos' own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (also known as finder patterns): the large square boxes in three of the four corners of the code, which a scanner uses to locate the code and determine its orientation. Removing the position detection patterns renders a QR code unscannable by virtually all scanners.

A normal QR code on the left vs. a defanged QR code on the right.
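The Unicode-art technique from the previous section and the finder-pattern defanging described just above can be demonstrated together. The following Python is an added example written for this page, not code from Talos or from the post. It assumes a QR code rendered as text with one line per module row and one character per module, dark modules drawn with block glyphs such as U+2588 FULL BLOCK (the glyph set, the sample grid and the seed are all assumptions). It builds a constructed 21x21 matrix with the layout of a version-1 QR code (three finder patterns, separators, timing patterns, pseudo-random filler; it is not a real, decodable code), renders it as Unicode text, parses the text back, locates the finder patterns the way scanners do (a 1:1:3:1:1 dark/light run sequence along a row, cross-checked down the centre column and against the 7x7 template), and then defangs the code by blanking those patterns.

```python
from itertools import groupby
from typing import List, Tuple

Matrix = List[List[int]]  # 1 = dark module, 0 = light module

# Glyphs read as a dark module; anything else is light. Assumed set, not from the post.
DARK_GLYPHS = set("\u2588\u2593\u2592\u25a0\u25fc\u2b1b#")

# Position detection (finder) pattern: dark 7x7 ring, light ring, dark 3x3 centre.
FINDER = [[int(ch) for ch in row] for row in (
    "1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111")]

def text_to_matrix(text: str) -> Matrix:
    """Parse one text line per module row, one character per module (assumed rendering)."""
    lines = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip("\r")]
    width = max(len(ln) for ln in lines)
    return [[1 if ch in DARK_GLYPHS else 0 for ch in ln.ljust(width)] for ln in lines]

def matrix_to_text(m: Matrix) -> str:
    return "\n".join("".join("\u2588" if v else " " for v in row) for row in m)

def _runs(line: List[int]) -> List[Tuple[int, int, int]]:
    """Run-length encode a row or column as (value, start, length)."""
    runs, start = [], 0
    for value, grp in groupby(line):
        n = len(list(grp))
        runs.append((value, start, n))
        start += n
    return runs

def _finder_ratio(lengths: List[int]) -> bool:
    """Five consecutive runs in the 1:1:3:1:1 proportion a scanner looks for."""
    u = lengths[0]
    return u > 0 and lengths == [u, u, 3 * u, u, u]

def _matches_template(m: Matrix, r: int, c: int) -> bool:
    """Confirm a whole 7x7 finder centred at (r, c); rejects chance ratio hits in data."""
    if r < 3 or c < 3 or r + 3 >= len(m) or c + 3 >= len(m[0]):
        return False
    return all(m[r - 3 + i][c - 3 + j] == FINDER[i][j] for i in range(7) for j in range(7))

def find_finder_patterns(m: Matrix) -> List[Tuple[int, int]]:
    """(row, col) centres of finder patterns, located as QR scanners do: a 1:1:3:1:1
    horizontal run sequence, cross-checked vertically through its centre column."""
    found = set()
    for r, row in enumerate(m):
        hruns = _runs(row)
        for k in range(len(hruns) - 4):
            win = hruns[k:k + 5]
            if win[0][0] != 1 or not _finder_ratio([n for _, _, n in win]):
                continue
            cc = win[2][1] + win[2][2] // 2  # centre column of the 3-wide middle run
            vruns = _runs([m[y][cc] for y in range(len(m))])
            for vk in range(len(vruns) - 4):
                vwin = vruns[vk:vk + 5]
                if vwin[0][0] != 1 or not _finder_ratio([n for _, _, n in vwin]):
                    continue
                if not vwin[0][1] <= r < vwin[4][1] + vwin[4][2]:
                    continue  # the vertical hit must pass through the row we scanned
                cr = vwin[2][1] + vwin[2][2] // 2
                if _matches_template(m, cr, cc):
                    found.add((cr, cc))
    return sorted(found)

def defang(m: Matrix) -> Matrix:
    """Copy of m with every finder pattern blanked; without them scanners cannot lock on."""
    out = [row[:] for row in m]
    for r, c in find_finder_patterns(m):
        for i in range(r - 3, r + 4):
            for j in range(c - 3, c + 4):
                out[i][j] = 0
    return out

def build_sample_matrix(size: int = 21) -> Matrix:
    """Constructed version-1-sized layout (finders, separators, timing patterns, pseudo-random
    filler). It has the structure a scanner keys on but is NOT a valid, decodable QR code."""
    m = [[0] * size for _ in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            for j in range(7):
                m[r0 + i][c0 + j] = FINDER[i][j]
    for k in range(8, size - 8):  # timing patterns alternate between the finders
        m[6][k] = m[k][6] = 1 - k % 2
    state = 0x2545F491  # fixed seed so the sample is reproducible (assumed value)
    for r in range(size):
        for c in range(size):
            reserved = (r < 8 and (c < 8 or c >= size - 8)) or (r >= size - 8 and c < 8)
            if not reserved and r != 6 and c != 6:
                state = (1103515245 * state + 12345) & 0x7FFFFFFF
                m[r][c] = (state >> 16) & 1
    return m

if __name__ == "__main__":
    art = matrix_to_text(build_sample_matrix())  # stands in for text pulled from an email body
    grid = text_to_matrix(art)
    print(art, "\nfinder pattern centres:", find_finder_patterns(grid))
    print(matrix_to_text(defang(grid)))
```

On the constructed sample, find_finder_patterns returns the three corner centres and returns nothing for the defanged copy. The same run-ratio scan over text decoded from an HTML body or a PDF is a cheap way for a mail filter to flag a QR code that has been drawn out of characters rather than shipped as an image, and defang is the step to apply before pasting a captured code into a report or a blog post.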

Be careful what you scan! 

For years, security professionals have encouraged users not to click on unfamiliar or suspicious URLs, which could lead to phishing pages, malware, or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking a suspicious link. To be clear, scanning an unknown or suspicious QR code is equivalent to clicking a suspicious URL.

To complicate the situation further, there are images known as "QR code art", which blend the data modules of a QR code seamlessly into an artistic image so that the result does not look like a QR code at all. The danger is that a user could be tricked into pointing their camera at such an image and inadvertently navigate to the linked content without realizing it. Below are some QR codes found online by Talos that illustrate the range of artistic possibilities.

Note: these images have been created by third parties and posted online. Talos is not responsible for the artwork, nor the linked content.

How to protect yourself from malicious QR codes 

QR codes have become ubiquitous: in email, on restaurant menus, at events, on retail packaging, in museums, even in public parks and on trails. The perfect defense is to avoid scanning *any* QR codes, but since that is hard to do entirely, users must exercise caution. Scanning a QR code is essentially the same as clicking an unknown hyperlink, but without the ability to see the full URL beforehand.

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload the image to one of these decoders and it will tell you what data was encoded. This lets you inspect the link more closely. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid), which lets you view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never EVER enter your username and password into an unknown site. It is better to navigate directly to wherever you wish to log in than to click a URL presented to you by an unknown third party.

Cisco Talos Blog – Read More

Ford Says Leaked Data Comes From Supplier and Is Not Sensitive

Ford has completed its investigation into recent data breach claims and determined that its systems and customer data have not been compromised.

The post Ford Says Leaked Data Comes From Supplier and Is Not Sensitive appeared first on SecurityWeek.

SecurityWeek – Read More