Murdoc Botnet Ensnaring Avtech, Huawei Devices

The Mirai-based Murdoc botnet has been actively targeting Avtech and Huawei devices for roughly half a year.

The post Murdoc Botnet Ensnaring Avtech, Huawei Devices appeared first on SecurityWeek.

SecurityWeek – Read More

Researcher Says ABB Building Control Products Affected by 1,000 Vulnerabilities

ABB has patched building control product vulnerabilities that can expose many facilities to remote attacks.

The post Researcher Says ABB Building Control Products Affected by 1,000 Vulnerabilities appeared first on SecurityWeek.

SecurityWeek – Read More

Record-Breaking DDoS Attack Reached 5.6 Tbps

Cloudflare saw a 53% increase in DDoS attack frequency last year, when it blocked a record-breaking 5.6 Tbps attack.

The post Record-Breaking DDoS Attack Reached 5.6 Tbps appeared first on SecurityWeek.

SecurityWeek – Read More

How Threat Intelligence Lookup Helps Enterprises

Modern businesses' growing dependence on digital technology makes them vulnerable to cyber threats. For three years in a row, manufacturing has been the sector most targeted by cyberattacks, IBM reports. Industrial companies suffered more than 25% of the security incidents recorded last year, the majority of them ransomware attacks.

Investing in a comprehensive cybersecurity infrastructure helps prevent substantial financial loss and reputational damage. But securing the perimeter is not enough: a proactive approach to threat management is essential.

What is Threat Intelligence

Cyber Threat Intelligence (CTI) is the gathering and analysis of data to spot, understand, and stop current and future threats. Even with strong security teams, merely reacting to threats is not enough; using current, detailed information from outside sources is key to responding effectively.

Cyber threat intelligence provides security teams with data about threats, attacks, and adversaries. It powers decision-making on all levels: operational, tactical, and strategic.  

By analyzing threat indicators, tactics, techniques, and procedures of attackers, companies can anticipate attacks rather than just react to them. Vulnerabilities get identified before they can be exploited.

Why Companies Need Threat Intelligence 

There are plenty of reasons why industrial enterprises and manufacturing companies may require threat intelligence. Mostly, these reasons relate to the critical role of such companies in the economy on one hand and their specific risks and vulnerabilities on the other:  

  1. They are part of critical infrastructure
    Many manufacturing companies are involved in critical infrastructure (e.g., energy, transportation, defense supply chains). Attacking these industries can disrupt essential services, exert political or economic pressure, or fulfill geopolitical goals.
  2. They are part of important supply chains
    A successful attack can ripple across industries, causing widespread delays and impacting multiple organizations. In 2021, an attack on Colonial Pipeline disrupted fuel distribution, causing trouble for the manufacturing and transportation sectors.
  3. They have high ransom potential
    Companies rely on continuous operations and cannot afford prolonged downtime. When hit by ransomware, they are often willing to pay to resume production quickly and avoid financial losses.
  4. They collect consumer data and possess intellectual property
    A large store of valuable data is an irresistible target for attackers: trade secrets, patents, blueprints, and proprietary technologies, as well as sensitive data about customers, employees, and supply chains. Stolen data can be sold or used for fraud, espionage, and other illegal activities.
  5. They depend on legacy systems
    Outdated systems and technologies were not designed with modern cybersecurity in mind. For example, older programmable logic controllers (PLCs) in factories often lack encryption or authentication, making them easy targets.
  6. They are in the midst of digitalization and IoT adoption
    Manufacturing is embracing Industry 4.0, integrating IoT devices, cloud computing, and automation. More connected devices and networks introduce more vulnerabilities.

Time is Money, Downtime is No Money 

A regrettably large share of enterprise companies prioritize operational efficiency over cybersecurity due to limited budgets, lack of expertise, and a focus on physical security. This is a short-sighted approach.

Industrial companies have a low tolerance for downtime: in the case of a ransomware attack they often prefer to pay the adversaries rather than permit a production halt. Research by Siemens in 2022 found that unplanned downtime costs Fortune Global 500 companies about US$1.5tn, which is 11% of their yearly turnover.

Threat Intelligence Lookup at the Service of Enterprises 

TI Lookup results for RAT malware operating in Colombia

Threat Intelligence Lookup is a key tool in the cybersecurity toolkit: a special-purpose search engine that helps navigate and research threat data.
 
The data is extracted from malware samples uploaded via ANY.RUN’s Interactive Sandbox by over 500,000 security professionals.

TI Lookup key features:

  • Fast interactive search across over 40 different threat data types, including system events and indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs).
  • Continuously updated database with new indicators and samples.
  • Customizable queries that support combining multiple indicators, wildcards, YARA and Suricata rules.
  • Integration with the sandbox to view sessions where particular indicators or events were discovered.
  • Real-time updates on relevant threats and indicators to ensure ongoing monitoring.

TI Lookup in Action: A Recent Example 

One of the latest and most dangerous malware campaigns that targeted the industrial sector unfolded this autumn. The attack was based on Lumma and Amadey malware.  
 
Analysts at ANY.RUN explored the attack's anatomy with the aid of the Interactive Sandbox and found a number of IOCs associated with the malware. These IOCs can be used as TI Lookup search requests to analyze the attack further, in pursuit of actionable insights for arming corporate security systems against it.
 
The following query consists of the name of the malware and the path to one of the malicious files used in the attack:

filePath:"dbghelp.dll" AND threatName:"lumma"

Results displayed by TI Lookup for the query 

TI Lookup finds files associated with an attack and shows sandbox sessions featuring analysis of samples belonging to the same campaign.
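To make this style of query concrete, here is an added example that is not ANY.RUN's code: a small parser and evaluator for queries of the form field:"value" combined with AND, OR, NOT and parentheses, with * as a wildcard, run over constructed sandbox-session records. The grammar, the matching rules and the session records are assumptions of this model, and it goes beyond the page's single query to show operator precedence and negation.

```python
import fnmatch
import re

# Constructed sandbox sessions (not real ANY.RUN data): id -> indicator field -> values seen.
SESSIONS = {
    "s-001": {"threatName": ["lumma"], "filePath": ["C:\\Users\\Public\\dbghelp.dll"]},
    "s-002": {"threatName": ["amadey"], "filePath": ["C:\\ProgramData\\dbghelp.dll"]},
    "s-003": {"threatName": ["lumma"], "filePath": ["C:\\Users\\Public\\loader.exe"]},
    "s-004": {"threatName": ["benign"], "filePath": ["C:\\Windows\\System32\\dbghelp.dll"]},
}
# A token is a parenthesis, one of the operators AND / OR / NOT, or a field:"value" term.
TOKEN = r'\s*(?:([()])|(AND|OR|NOT)\b|(\w+):"([^"]*)")'
END = ("", "", "", "")  # sentinel the parser sees past the last token

def tokenize(query):
    """Return (paren, op, field, value) tuples; exactly one of paren/op/field is set."""
    if not re.fullmatch(f"(?:{TOKEN})*\\s*", query):
        raise ValueError(f"cannot parse query: {query!r}")
    return re.findall(TOKEN, query)

def parse(tokens):
    """Recursive descent, AND binding tighter than OR: expr := term (OR term)*,
    term := factor (AND factor)*, factor := NOT factor | '(' expr ')' | field:"value"."""
    pos = [0]  # cursor shared by the nested functions
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else END
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else END
    def chain(op, sub):  # left-associative: sub (op sub)*
        node = sub()
        while peek()[1] == op:
            take()
            node = (op, node, sub())
        return node
    def expr():
        return chain("OR", term)
    def term():
        return chain("AND", factor)
    def factor():
        paren, op, field, value = take()
        if op == "NOT":
            return ("NOT", factor())
        if paren == "(":
            node = expr()
            if take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if field:
            return ("TERM", field, value)
        raise ValueError("unexpected token or end of query")
    tree = expr()
    if peek() is not END:
        raise ValueError(f"unexpected token {peek()}")
    return tree

def term_matches(session, field, pattern):
    """Assumed rules for this model: case-insensitive; '*' is a wildcard over the whole value;
    otherwise a value matches if it ends with the pattern (a bare file name matches any path)."""
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(v.lower(), pat) if "*" in pat else v.lower().endswith(pat)
               for v in session.get(field, []))

def evaluate(node, session):
    if node[0] == "TERM":
        return term_matches(session, node[1], node[2])
    if node[0] == "NOT":
        return not evaluate(node[1], session)
    left, right = evaluate(node[1], session), evaluate(node[2], session)
    return (left and right) if node[0] == "AND" else (left or right)

def lookup(query, sessions=SESSIONS):
    """Return the sorted ids of the sessions whose indicators satisfy the query."""
    tree = parse(tokenize(query))
    return sorted(sid for sid, fields in sessions.items() if evaluate(tree, fields))
```

Running the page's own query, lookup('filePath:"dbghelp.dll" AND threatName:"lumma"'), returns only the Lumma session that dropped dbghelp.dll; the Amadey and benign sessions with the same file name are excluded by the AND.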


How Threat Intel Research Helps Strengthen Enterprise Security 

By investigating, collecting, and analyzing threat data, security experts and management ensure:  

  • Early detection and prevention of threats. By knowing which IOCs to look for, companies can set up systems to monitor for these signs continuously. Early detection leads to quicker response before significant damage occurs.
  • Improved incident response. Security teams can more rapidly identify when an incident has occurred or is in progress, which speeds up containment, eradication, and recovery.
  • Enhanced threat hunting. IOC research lets teams focus threat-hunting efforts on signs of similar or related threats that automated systems might not have detected. It also helps distinguish benign anomalies from actual threats and reduces the noise from false positives, which can overwhelm security teams.
  • Validation of security measures. Indicators can be used to test the effectiveness of current security controls by simulating or analyzing known threat patterns and fine-tuning security solutions accordingly.
  • Understanding of vulnerabilities and attack vectors. IOCs provide insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing companies to better understand where they are vulnerable and how adversaries operate.
  • Prioritization of security efforts and resource management, based on an understanding of which threats are most likely to impact the organization.
  • Forensic analysis. Post-incident analysis helps establish the scope of the compromise, how the attack was executed, what was accessed, and how to prevent similar attacks in the future.
  • Training and awareness. Threat Intelligence Lookup can be used in training programs that teach staff to watch for suspicious activities or anomalies in system behavior.

Cyber Threat Intelligence and Business Performance 

Threat intelligence objectives are closely connected with key business goals and metrics. 

ROI and Cost Optimization 

Significant cost savings can be achieved by preventing data breaches and minimizing mitigation efforts. By avoiding data losses and leaks, businesses can sidestep the expenses associated with incident response, legal fees, and regulatory fines.  

Informed Decision-Making 

Threat analysis with tools like ANY.RUN's TI Lookup provides insights that let teams focus resources and security efforts on the most relevant threats, critical areas, and current vulnerabilities.

Operational Viability 

Operational stability is a pillar of enterprise efficiency and suffers immensely from even brief downtime. Threat intelligence tools and methods like TI Lookup help automate threat detection, make it both broader and more accurate, and reduce downtime caused by breaches.

Compliance and Reporting 

In manufacturing and industrial enterprises, regulatory compliance is critically important. Moreover, such businesses often operate in multiple jurisdictions with varying rules and requirements: plants and manufacturing facilities can be located in different countries, each with its own laws. Apart from improving threat detection, TI helps document incidents, enrich security reports, and meet the requirements of frameworks like GDPR, HIPAA, and PCI.

Brand Reputation Defense 

Customer and counterparty trust is one of the most valuable business assets, in enterprises and elsewhere. Early detection of threats reduces the likelihood of incidents that could damage a company's name and negatively impact shareholder value.

Conclusion 

Cyber resilience must be a business priority for enterprise companies, given their critical role in the economy, low tolerance for downtime, and complex digital environments. Threat intelligence provides a basis for proactive threat management and informed decisions, and helps allocate resources and avoid wasteful spending. Professional solutions like ANY.RUN's Threat Intelligence Lookup equip security teams to meet the demands of business security.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post How Threat Intelligence Lookup Helps Enterprises appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN's Cybersecurity Blog – Read More

President Trump Pardons Silk Road Creator Ross Ulbricht After 11 Years in Prison

U.S. President Donald Trump on Tuesday granted a “full and unconditional pardon” to Ross Ulbricht, the creator of the infamous Silk Road drug marketplace, after spending 11 years behind bars.
“I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and

The Hacker News – Read More

Discover Hidden Browsing Threats: Free Risk Assessment for GenAI, Identity, Web, and SaaS Risks

As GenAI tools and SaaS platforms become a staple component in the employee toolkit, the risks associated with data exposure, identity vulnerabilities, and unmonitored browsing behavior have skyrocketed. Forward-thinking security teams are looking for security controls and strategies to address these risks, but they do not always know which risks to prioritize. In some cases, they might have

The Hacker News – Read More

Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks

Overview

The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government’s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.

BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.

The term “bulletproof” is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.

How Bulletproof Hosting Providers Operate

BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.

A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.

Another distinctive feature of BPH providers is their location. They often operate from countries with permissive cyber regimes, where local laws either lack the framework to tackle malicious cyber activities or are weakly enforced. This makes it even more challenging for law enforcement, such as the ACSC, to take decisive action.

BPH Providers’ Impact on Australian Cybersecurity

The consequences of BPH’s involvement in cybercrime are damaging, with Australian businesses and individuals often finding themselves targeted by cybercriminals using these services. Ransomware attacks, data extortion, and the theft of sensitive customer information are just some of the incidents that have been traced back to BPH providers.

The presence of these illicit services is not only a local problem but a global one. As these networks expand and evolve, they provide cybercriminals with an easy-to-use platform to launch attacks on a global scale. A single BPH provider can facilitate the activities of hundreds or even thousands of cybercriminals, allowing them to target victims across the globe.

Collaborative Efforts to Combat Cybercrime

In response to this growing threat, law enforcement agencies, including the ACSC, have been stepping up their efforts to identify and dismantle BPH providers. Through enhanced collaboration with global law enforcement, governments, and private sector cybersecurity experts, authorities are targeting these malicious services with increasing frequency. This collective effort aims to disrupt the underlying infrastructure that allows cybercriminals to thrive while complicating their ability to operate securely.

One of the primary methods being employed against BPH providers is defensive: proactively blocking internet traffic originating from known BPH services. By identifying and isolating the infrastructure that facilitates cybercrime, investigators can reduce the impact of cybercriminal activities on Australian networks and businesses. In addition, legitimate ISPs and upstream infrastructure providers are being encouraged to adopt practices that prevent BPH providers from accessing their networks.

While BPH providers are a crucial part of the Cybercrime-as-a-Service landscape, they are not the only providers enabling malicious cyber activities. Other illicit services in this underground ecosystem allow cybercriminals to purchase malware, tools for evading security measures, and access to compromised networks. The removal of these services is critical to dismantling the cybercriminal ecosystem and reducing the scope of attacks targeting Australia.

Conclusion

The Australian Cyber Security Centre’s efforts to target Bulletproof Hosting Providers (BPH) highlight the need for a coordinated approach to disrupt the infrastructure enabling cybercrime. By addressing vulnerabilities in BPH services, authorities can disrupt cybercriminal operations and bolster overall cybersecurity resilience.

Australia’s organizations are urged to stay vigilant by updating software, strengthening security protocols, and using multi-layered defenses. Collaboration with law enforcement and cybersecurity experts is essential for detecting and preventing attacks from BPH providers.

To further protect against cyber threats, Cyble, a leader in threat intelligence, offers AI-powered solutions like Cyble Vision to provide real-time insights and enhance cybersecurity efforts. By integrating Cyble’s tools, businesses can strengthen their defenses and stay protected against cybercriminals.

The post Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks appeared first on Cyble.

Blog – Cyble – Read More

PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack

A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET.
“The attackers replaced the legitimate installer with one that also deployed the group’s signature implant that we have named SlowStepper – a

The Hacker News – Read More

Trump Pardons Founder of Silk Road Website

President Donald Trump has pardoned Ross Ulbricht, the founder of Silk Road, an underground website for selling drugs.

The post Trump Pardons Founder of Silk Road Website appeared first on SecurityWeek.

SecurityWeek – Read More

Cyble Finds Thousands of Security Vendor Credentials on Dark Web

Overview

Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.

The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including security companies' own internal enterprise and development environments, which could pose substantial risks.

The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.

Leaked Security Company Credentials

Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.

Cyble looked at 13 of the largest enterprise security vendors—along with some of the bigger consumer security companies like McAfee—and found credentials from all of them on the dark web. The credentials were likely pulled from infostealer logs and then sold in bulk on cybercrime marketplaces.

Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.

Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.

Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.

The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. The vendors included:

  • CrowdStrike
  • Palo Alto Networks
  • Fortinet
  • Zscaler
  • SentinelOne
  • RSA Security
  • Exabeam
  • LogRhythm
  • Rapid7
  • Trend Micro
  • Sophos
  • McAfee
  • Qualys
  • Tenable

All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access.

Trend Micro and Sophos have large consumer security businesses, as does McAfee, which exited the enterprise business in 2021. McAfee, for example, has had more than 600 credential leaks since the start of the year, almost all for consumers' account access, likely harvested from infostealer attacks on the consumers' personal devices.

CrowdStrike has had more than 300 credentials exposed since the start of the year, although some of those may be duplicates offered for sale across multiple forums. Most of those appear to be customer Falcon account credentials, again likely harvested from infostealers on customer endpoints. As some of those customers are high-tech companies and others hold sensitive data, including a pharmaceutical giant and a large financial firm, they have a strong interest in keeping those accounts secure.

Some internal CrowdStrike accounts also appear to have been exposed this year, but those largely appear to be web marketing accounts, data that would likely have value only for competitors.

Palo Alto Networks and some other vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial. Palo Alto has had nearly 400 credential exposures so far this year, most of them from customer leaks.

Credential Leaks Could Aid in Hacker Reconnaissance

Even if all the exposed accounts were protected by other means, as ideally they were, such leaks are concerning for one other reason: they can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.

Other sensitive information exposed by infostealers could include URLs of management interfaces that are unknown to the public, which would give attackers further reconnaissance information.

Conclusion: Dark Web Monitoring is Critical for Everyone

Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.

Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.

If the largest security vendors can be hit by infostealers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing—and ideally preventing—data breaches, ransomware, and other cyberattacks.

The post Cyble Finds Thousands of Security Vendor Credentials on Dark Web appeared first on Cyble.

Blog – Cyble – Read More