InfoSec News 20230126
Top News
-
Yandex denies hack, blames source code leak on former employee
"A Yandex source code repository allegedly stolen by a former employee of the Russian technology company has been leaked as a Torrent on a popular hacking forum.
Yesterday, the leaker posted a magnet link that they claim are 'Yandex git sources' consisting of 44.7 GB of files stolen from the company in July 2022. These code repositories allegedly contain all of the company's source code besides anti-spam rules."
TLP¹: Green
-
Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA
"Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year.
Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in August 2022, but was only publicly disclosed two months later on October 11, 2022.
"An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate," Microsoft said in an advisory released at the time."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Hive ransomware dark web sites seized by law enforcement
"Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei.
The seizure notice on the Tor sites also lists a wide range of other countries involved in the law enforcement operation, including Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom.
Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, likely to be a warning for other ransomware gangs."
TLP¹: Green
-
Researchers Uncover Connection b/w Moses Staff and Emerging Abraham's Ax Hacktivists Group
"New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham's Ax that emerged in November 2022.
This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
Moses Staff, tracked by the cybersecurity firm under the moniker Cobalt Sapling, made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations."
TLP¹: Green
Breaches: Data Breaches and Hacks
-
CISA: Federal agencies hacked using legitimate remote desktop tools
"CISA, the NSA, and MS-ISAC warned today in a joint advisory that attackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes.
More worryingly, CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after the release of a Silent Push report in mid-October 2022.
This activity was linked to the "widespread, financially motivated phishing campaign" reported by Silent Push and was detected on "many other FCEB networks" after first being spotted on a single FCEB network in mid-September 2022."
TLP¹: Green
-
Zacks Investment Research data breach impacted hundreds of thousands of customers
"Zacks Investment Research (Zacks) disclosed a data breach; the security incident may have affected the personal information of its 820,000 customers.
“On December 28, 2022, Zacks learned that an unknown third-party had gained unauthorized access to certain customer records described below. We believe the unauthorized access occurred sometime between November 2021 and August 2022.” reads the notice of data breach. “Upon this discovery, Zacks took immediate action to implement additional security measures to our network, and to investigate and understand the scope of the incident.”"
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Google Chrome 109 update addresses six security vulnerabilities
"Google released Chrome version 109.0.5414.119 for Mac and Linux and 109.0.5414.119/.120 for Windows to address a total of six vulnerabilities.
Four of the addressed flaws were reported by external researchers, who were awarded more than $26,500 for their findings."
TLP¹: Green
-
Trellix automates tackling open source vulnerabilities at scale
"Trellix has patched over 61,000 open source projects against a severe Python bug with the help of an automated tool that dramatically accelerated the process.
Last year, the Trellix Advanced Research Center team stumbled upon a 15-year-old vulnerability embedded in Python’s tarfile module. Tracked as CVE-2007-4559, the vulnerability is described as a path traversal issue leading to “user-assisted remote attackers” being able to overwrite arbitrary files via “a .. (dot dot) sequence in filenames in a TAR archive”."
TLP¹: Green
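The tarfile weakness in the Trellix item above comes down to trusting member names. As an added example (not Trellix's tool and not code from the article), this Python snippet builds a constructed archive carrying a `../` entry and shows a pre-extraction gate that refuses it; `build_archive`, `unsafe_members`, `safe_extract` and `demo` are names chosen here.

```python
import io
import os
import tarfile
import tempfile

def build_archive(members):
    """Constructed sample data: names are written verbatim, so '../x' can be built."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def unsafe_members(archive_bytes, dest):
    """Entries whose resolved path would land outside dest ('..' or absolute names)."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            # realpath collapses '..' segments; an absolute name replaces root entirely
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                bad.append(m.name)
    return bad

def safe_extract(archive_bytes, dest):
    """Refuse the whole archive if any entry escapes dest, then extract."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError("path traversal in tar members: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extractall(dest)
    return sorted(os.listdir(dest))

def demo():
    """Constructed sample: a benign archive and one carrying '../evil.txt'."""
    benign = build_archive({"docs/readme.txt": b"hello\n"})
    hostile = build_archive({"docs/readme.txt": b"hello\n", "../evil.txt": b"owned\n"})
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(benign, dest)   # -> ['docs']
        flagged = unsafe_members(hostile, dest)  # -> ['../evil.txt']
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
    return extracted, flagged, rejected
```

Symlink members need the same check applied to their link target, and Python 3.12 (also backported to maintenance releases of 3.8 through 3.11) adds `extractall(filter="data")`, which performs these checks inside the library.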
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Mapping Threat Intelligence to the NIST Compliance Framework Part 2
"The NIST compliance framework consists of 5 core functions: identify, protect, detect, respond and recover. In my previous column, I mapped threat intelligence capabilities to the NIST core function of Identify. In this column, I will continue the discussion by mapping threat intelligence to the additional functions of Protect, Detect and Respond. By doing so, I will highlight how threat intelligence is critical when justifying budget, not only for governance, risk and compliance (GRC) personnel, but also for threat intelligence, incident response, security operations, CISO and third-party risk buyers.
Concerns such as data leakage, IOCs, credential theft, third-party vendor suppliers and the selling of intellectual property are all relevant to the NIST framework. As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cybersecurity threat intelligence programs to the following NIST core functions."
TLP¹: Green
-
The Definitive Browser Security Checklist
"Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore, more and more security teams are now turning to the emerging category of purpose-built Browser Security Platform as the answer to the browser's security challenges.
However, as this security solution category is still relatively new, there is not yet an established set of browser security best practices, nor common evaluation criteria. LayerX, the User-First Browser Security Platform, is addressing security teams' need with the downloadable Browser Security Checklist, which guides its readers through the essentials of choosing the best solution and provides them with an actionable checklist to use during the evaluation process."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration
"Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022.
"This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report shared with The Hacker News.
The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it's being actively developed and maintained.
The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver's license."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.