Feed aggregator

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

The Hacker News - Thu, 08/04/2022 - 06:24
A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day period at the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch
Categories: Cyber Security News

Three Common Mistakes That May Sabotage Your Security Training

The Hacker News - Thu, 08/04/2022 - 04:20
Phishing incidents are on the rise. A report from IBM shows that phishing was the most popular attack vector in 2021, resulting in one in five employees falling victim to phishing techniques. The Need for Security Awareness Training: Although technical solutions protect against phishing threats, no solution is 100% effective. Consequently, companies have no choice but to involve their
Categories: Cyber Security News

Cisco addressed critical flaws in Small Business VPN routers

Security Affairs - Thu, 08/04/2022 - 03:37
Cisco fixes critical remote code execution vulnerability, tracked as CVE-2022-20842, impacting Small Business VPN routers.

Cisco addressed a critical security vulnerability, tracked as CVE-2022-20842, impacting Small Business VPN routers.

The flaw resides in the web-based management interface of several Small Business VPN routers, including Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. An unauthenticated, remote attacker can exploit the flaw to execute arbitrary code or trigger a denial of service (DoS) condition by causing an affected device to restart unexpectedly.

“This vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition.” reads the advisory published by the company.

The flaw received a CVSS score of 9.8; the IT giant pointed out that there are no workarounds that address this vulnerability.

Cisco also fixed a vulnerability, tracked as CVE-2022-20827, in the web filter database update feature of Cisco Small Business routers that could allow an unauthenticated, remote attacker to perform a command injection and execute commands on the underlying operating system with root privileges.

The issue affects RV160, RV260, RV340, and RV345 Series Routers and received a CVSS score of 9.0.

“This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by submitting crafted input to the web filter database update feature. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” reads the advisory.

Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.

The third issue addressed by Cisco is a command injection vulnerability, tracked as CVE-2022-20841, in the Open Plug and Play (PnP) module of Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers.

An unauthenticated, remote attacker can exploit the flaw to inject and execute arbitrary commands on the underlying operating system.

The company’s Product Security Incident Response Team (PSIRT) revealed it is unaware of active exploitation or publicly available exploits in the wild.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Small Business VPN routers)

The post Cisco addressed critical flaws in Small Business VPN routers appeared first on Security Affairs.

Categories: Cyber Security News

Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws

The Hacker News - Thu, 08/04/2022 - 01:11
Cisco on Wednesday rolled out patches to address eight security vulnerabilities, three of which could be weaponized by an unauthenticated attacker to gain remote code execution (RCE) or cause a denial-of-service (DoS) condition on affected devices. The most critical of the flaws impact Cisco Small Business RV160, RV260, RV340, and RV345 Series routers. Tracked as CVE-2022-20842 (CVSS score: 9.8)
Categories: Cyber Security News

Chrome is patching vulnerabilities like crazy. This time a new version with 27 security fixes.

Sekurak.pl - Wed, 08/03/2022 - 18:14

In short: update to version 104.0.5112.79 (Mac/Linux) / 104.0.5112.79/80/81 (Windows). There are as many as 7 vulnerabilities rated "High", and in total: This update includes 27 security fixes. Interestingly, many of the reporters have fairly similar-sounding handles / names: Guang Gong of 360 Alpha Lab, Looben Yang, Nan Wang, … ~ms

The article Chrome is patching vulnerabilities like crazy. This time a new version with 27 security fixes. originally appeared on Sekurak.

Power semiconductor component manufacturer Semikron suffered a ransomware attack

Security Affairs - Wed, 08/03/2022 - 14:34
Semikron, a German-based independent manufacturer of power semiconductor components, suffered a ransomware cyberattack.

Semikron is a German-based independent manufacturer of power semiconductor components. It employs more than 3,000 people in 24 subsidiaries worldwide, with production sites in Germany, Brazil, China, France, India, Italy, Slovakia and the USA.

The company confirmed it has suffered a cyberattack conducted by a professional hacker group.

“The SEMIKRON Group has become a victim of a cyber-attack by a professional hacker group. As part of this attack, the perpetrators have claimed to have exfiltrated data from our system. Whether this is the case and which data are concerned is currently subject to investigation.” reads a data breach notice published by the company.

The attackers exfiltrated data from the company systems before encrypting a portion of the internal network.

The company is investigating the security breach with the help of external cyber security and forensic experts.

The German manufacturer didn’t share details about the attack or the family of ransomware that infected its systems. However, BleepingComputer, which viewed a ransom note dropped on one of the encrypted systems, states that the LV ransomware group is behind the attack.

BleepingComputer also reported that the ransomware gang claimed to have stolen 2TB of data from the company.

According to Semikron, the hackers claimed to have stolen data from its systems, which the company is currently working to confirm.

No additional information has been shared by the company about the attack itself, but BleepingComputer reported that the ransomware known as LV appears to have been involved, with the attackers claiming to have stolen 2TB of files from Semikron systems.


Pierluigi Paganini

(SecurityAffairs – hacking, Semikron)


Categories: Cyber Security News

Manjusaka, a new attack tool similar to Sliver and Cobalt Strike

Security Affairs - Wed, 08/03/2022 - 13:15
Researchers spotted a Chinese threat actor using a new offensive framework called Manjusaka, which is similar to Cobalt Strike.

Talos researchers observed a Chinese threat actor using a new offensive framework called Manjusaka (which can be translated to “cow flower” from the Simplified Chinese writing) that is similar to Sliver and Cobalt Strike tools.

The attack framework is advertised as an imitation of the Cobalt Strike framework; the experts reported that the implants for the new malware family are written in Rust for both Windows and Linux.

The experts uncovered a campaign using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. The weaponized documents were crafted to start the infection process and led to the installation of Cobalt Strike beacons on infected systems.

“A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.” reads the analysis published by Cisco Talos. “We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.”

The researchers believe that the Manjusaka tool has the potential to become a popular post-exploitation tool like Sliver and Cobalt Strike.

The researchers state that the malware implant is a RAT family called “Manjusaka,” while the C2 is an ELF binary written in GoLang available on GitHub at “hxxps://github[.]com/YDHCUI/manjusaka.” The C2 server and admin panel are built on the Gin Web Framework, which allows operators to issue commands to the Rust-based implants/stagers. The implants support multiple capabilities, including executing arbitrary commands on the infected systems. Below is the full list of supported features:

  • Execute arbitrary commands
  • Get file information for a specified file: Creation and last write times, size, volume serial number and file index.
  • Get information about the current network connections (TCP and UDP) established on the system, including Local network addresses, remote addresses and owning Process IDs (PIDs).
  • Collect browser credentials: Specifically for Chromium-based browsers using the query: SELECT signon_realm, username_value, password_value FROM logins ; Browsers targeted: Google Chrome, Chrome Beta, Microsoft Edge, 360 (Qihoo), QQ Browser (Tencent), Opera, Brave and Vivaldi.
  • Collect Wi-Fi SSID information, including passwords using the command: netsh wlan show profile <WIFI_NAME> key=clear
  • Obtain Premiumsoft Navicat credentials
  • Take screenshots of the current desktop.
  • Obtain comprehensive system information from the endpoint
  • Activate the file management module to carry out file-related activities

The experts discovered both EXE and ELF versions of the implant.

The attribution of this campaign to Chinese threat actors is based on the following evidence:

  • the maldoc refers to a COVID-19 outbreak in Golmud City.
  • the Rust-based implant does not use the standard crates.io library repository for the dependency resolving. Instead, it was manually configured by the developers to use the mirror located at the University Science and Technology of China (ustc[.]edu[.]cn).
  • the C2 menus and options are all written in Simplified Chinese.
  • our OSINT suggests that the author of this framework is located in the GuangDong region of China.

“The availability of the Manjusaka offensive framework is an indication of the popularity of widely available offensive technologies with both crimeware and APT operators. This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages.” concluded the analysis. “The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.”


Pierluigi Paganini

(SecurityAffairs – hacking, Manjusaka)


Categories: Cyber Security News

Single-Core CPU Cracked Post-Quantum Encryption Candidate Algorithm in Just an Hour

The Hacker News - Wed, 08/03/2022 - 12:09
A late-stage candidate encryption algorithm that was meant to withstand decryption by powerful quantum computers in the future has been trivially cracked by using a computer running Intel Xeon CPU in an hour's time. The algorithm in question is SIKE — short for Supersingular Isogeny Key Encapsulation — which made it to the fourth round of the Post-Quantum Cryptography (PQC) standardization
Categories: Cyber Security News

Google fixed Critical Remote Code Execution flaw in Android

Security Affairs - Wed, 08/03/2022 - 11:45

Google addressed a critical vulnerability in Android OS, tracked as CVE-2022-20345, that can be exploited to achieve remote code execution over Bluetooth.

Google has fixed a critical vulnerability, tracked as CVE-2022-20345, that affects the Android System component. The IT giant has fixed the flaw with the release of Android 12 and 12L updates.

Google did not disclose additional details about the vulnerability.

“The most severe vulnerability in this section could lead to remote code execution over Bluetooth with no additional execution privileges needed.” reads the security bulletin published by Google.

Google addressed the issue with the release of security patch levels ‘2022-08-01’ and ‘2022-08-05’.

The CVE-2022-20345 flaw is the only issue rated as critical fixed by Google this month.

All the remaining vulnerabilities have been rated as ‘high severity’. The flaws impact Framework, Media Framework, System, Kernel, Imagination Technologies, MediaTek, Unisoc and Qualcomm components.

Google also patched tens of security vulnerabilities in Google Pixel devices, including four critical remote code execution flaws tracked as:

CVE             References     Type  Severity  Component
CVE-2022-20237  A-229621649 *  RCE   Critical  Modem
CVE-2022-20400  A-225178325 *  RCE   Critical  Modem
CVE-2022-20402  A-218701042 *  RCE   Critical  Modem
CVE-2022-20403  A-207975764 *  RCE   Critical  Modem


Pierluigi Paganini

(SecurityAffairs – hacking, Android)


Categories: Cyber Security News

VirusTotal Reveals Most Impersonated Software in Malware Attacks

The Hacker News - Wed, 08/03/2022 - 08:36
Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "One of the
Categories: Cyber Security News

On-Demand Webinar: New CISO Survey Reveals Top Challenges for Small Cyber Security Teams

The Hacker News - Wed, 08/03/2022 - 08:13
The only threat more persistent to organizations than cyber criminals? The cyber security skills crisis. Nearly 60% of enterprises can’t find the staff to protect their data (and reputations!) from new and emerging breeds of cyber-attacks, reports the Information Systems Security Association (ISSA) in its 5th annual global industry study. The result? Heavier workloads, unfilled positions, and
Categories: Cyber Security News

Researchers Warn of Large-Scale AiTM Attacks Targeting Enterprise Users

The Hacker News - Wed, 08/03/2022 - 05:03
A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts. "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. "The campaign is
Categories: Cyber Security News

Busting the Myths of Hardware Based Security

Security Affairs - Wed, 08/03/2022 - 03:22
Many experts often overlook hardware-based security and its vital importance in establishing a secure workspace.

When it comes to cybersecurity, everyone likes to talk about software and the dangers that it poses. However, people often overlook hardware-based security and its vital importance in establishing a secure workspace. This is attributed to a general lack of knowledge when it comes to hardware security and how it works. So, it’s time to bust some myths that you might think are true when it comes to hardware security.

Myth #1: We never hear about hardware-based attacks, so they don’t exist!

Just because you don’t hear about the problem frequently, it doesn’t mean that it doesn’t exist. Usually, the cyberattacks that make the headlines are those involving large corporations that have fallen victim to a software-based attack carried out by infamous cybercrime syndicates. These stories are juicy and scandalous and entice audiences to read the article, generating more clicks for the media outlet’s website. Additionally, many businesses choose to withhold information pertaining to hardware-based attacks, as it indicates insufficient physical security, which reflects negatively upon the business. Another reason why you don’t often hear about hardware-based attacks is that enterprises that fall victim to them are oblivious to it. When an enterprise gets breached, the natural assumption is that it was due to a software vulnerability or a phishing scam. Such misunderstanding, coupled with a lack of resources to detect a hardware attack tool, results in the attack method getting misconstrued.

However, that is not to say that hardware-based attacks don’t receive any media attention. A great example that has public resonance concerns ATMs. These cash-dispensing machines are becoming a go-to target for cybercriminals because of the instant payout. Instead of using brute-force attacks on ATMs, cybercriminals can now just attach a hardware attack tool, known as a Black Box, to the internal computer to trick it into releasing cash through a MiTM attack. Since 2021, Black Box attacks have been on the rise and have amounted to losses of 1.5 million Euros in Europe alone.

Myth #2: We have security measures in place, and all our employees use VPNs – we are protected!

Yes, your security measures like NAC, IDS/IDP, firewalls and VPNs definitely provide some level of protection. However, malicious actors are continually evolving and finding new attack methods, which means exploiting blind spots, one of which is the hardware domain. Existing security solutions lack visibility into the Physical Layer (Layer 1), leaving them unfit to defend against, let alone identify, hardware-based attack tools. These malicious devices are designed to evade detection by operating on the Physical Layer and mimic human-like commands and executions, making them extremely dangerous as they can carry out a variety of harmful attacks without any obstacles in their way. If you are unable to determine all your assets’ hardware information within 10 seconds, you are, in fact, not protected.

Myth #3: “We don’t use USBs, so why should it concern us?”

That’s a line we’ve heard many times before, but here’s the thing: you do, and it should!

Sure, your organization might not use flash drives, and there might be some authorization capabilities in EPS/EDR solutions that block phones, keyboards and mice with certain VID/PIDs. That’s great, but what about the keyboards employees use to type? And the mice they use to navigate? Correct, those are USB devices. They might be authorized, but that doesn’t mean they can’t get impersonated by a covert spoofing device. So long as there are HIDs in the work environment, there is the risk that one (or more) may be illegitimate. And without Physical Layer visibility, there’s no mechanism in place to determine what’s legitimate or not.

Myth #4: Why would anyone want to hack us? We aren’t an interesting target.

That’s where you’re wrong. In today’s day and age, almost anything that has data is of value and there is someone out there who wants to access it, no matter how mundane it could be. Not all hackers target large nuclear facilities or governmental institutions; the risk is usually too high for most cybercriminals. Your company, however, is a prime target – there’s data and it’s accessible. Whether the perpetrator wants to steal information for monetary gain, access it to gain a competitive advantage, or encrypt it in a ransomware attack, your company provides that opportunity and a hardware attack tool can do the job.

In short, every enterprise is a target for malicious actors; it can happen to anyone for any number of reasons. The important thing to remember is that you can prepare and build your company’s resistance to these attacks by gaining visibility on the Physical Layer through hardware-based security.

About the author: Julien Katzenmaier, Content Writer at Sepio


Pierluigi Paganini

(SecurityAffairs – hacking, Hardware Based Security)


Categories: Cyber Security News

VMware Releases Patches for Several New Flaws Affecting Multiple Products

The Hacker News - Wed, 08/03/2022 - 00:49
Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager
Categories: Cyber Security News

VMware fixed critical authentication bypass vulnerability

Security Affairs - Tue, 08/02/2022 - 13:29
VMware patched a critical authentication bypass security flaw, tracked as CVE-2022-31656, impacting local domain users in multiple products.

VMware has addressed a critical authentication bypass security flaw, tracked as CVE-2022-31656, impacting local domain users in multiple products. An unauthenticated attacker can exploit the vulnerability to gain admin privileges.

“A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” reads the advisory published by the virtualization giant.

The flaw impacts Workspace ONE Access, Identity Manager, and vRealize Automation products.

The flaw has been rated as critical and received a CVSS v3 base score of 9.8.

Organizations that cannot immediately patch can apply the workarounds for this flaw detailed in VMware’s Knowledge Base articles.

The company acknowledged PetrusViet from VNG Security for reporting this flaw to them.

VMware also addressed these security flaws:

  • CVE-2022-31657 – URL Injection Vulnerability
  • CVE-2022-31658 – JDBC Injection Remote Code Execution Vulnerability
  • CVE-2022-31659 – SQL injection Remote Code Execution Vulnerability
  • CVE-2022-31660 – Local Privilege Escalation Vulnerability
  • CVE-2022-31661 – Local Privilege Escalation Vulnerability
  • CVE-2022-31662 – Path traversal vulnerability
  • CVE-2022-31663 – Cross-site scripting (XSS) vulnerability
  • CVE-2022-31664 – Local Privilege Escalation Vulnerability
  • CVE-2022-31665 – JDBC Injection Remote Code Execution Vulnerability

The above issues impact the following products:

  • VMware Workspace ONE Access (Access)
  • VMware Workspace ONE Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

“These vulnerabilities are authentication bypass, remote code execution, and privilege escalation vulnerabilities.” reads a post published by the company. “An authentication bypass means that an attacker with network access to Workspace ONE Access, VMware Identity Manager, and vRealize Automation can obtain administrator access. Remote code execution (RCE) means that an attacker can trick the components into executing commands that aren’t authorized. Privilege escalation means that an attacker with local access can become root on the virtual appliance. It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments.”


Pierluigi Paganini

(SecurityAffairs – hacking, virtualization)


Categories: Cyber Security News

Chinese Hackers Using New Manjusaka Hacking Framework Similar to Cobalt Strike

The Hacker News - Tue, 08/02/2022 - 12:03
Researchers have disclosed a new offensive framework called Manjusaka that they call a "Chinese sibling of Sliver and Cobalt Strike." "A fully functional version of the command-and-control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this
Categories: Cyber Security News

LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender

Security Affairs - Tue, 08/02/2022 - 08:30
An affiliate of the LockBit 3.0 RaaS operation has been abusing the Windows Defender command-line tool to deploy Cobalt Strike payloads.

During a recent investigation, SentinelOne researchers observed threat actors associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

The attackers initially compromised the target networks by exploiting the Log4j vulnerability affecting an unpatched VMware Horizon server. The attackers modified the Blast Secure Gateway component of the application by installing a web shell using PowerShell code that is detailed in the SentinelOne analysis.

Once they had gained a foothold in the target system, the attackers ran a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter and PowerShell Empire, and used a new technique to side-load Cobalt Strike.

“In particular, when attempting to execute Cobalt Strike we observed a new legitimate tool used for side-loading a malicious DLL, that decrypts the payload.” reads the analysis published by SentinelOne. “Previously observed techniques to evade defenses by removing EDR/EPP’s userland hooks, Event Tracing for Windows and Antimalware Scan Interface were also observed.”

SentinelOne highlights the importance of sharing information on the exploitation of novel “living off the land” tools used to drop Cobalt Strike beacons and evade detection by common security solutions.

MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.” concludes the analysis.


Pierluigi Paganini

(SecurityAffairs – hacking, LockBit 3.0)


Categories: Cyber Security News

New 'ParseThru' Parameter Smuggling Vulnerability Affects Golang-based Applications

The Hacker News - Tue, 08/02/2022 - 08:05
Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications. "The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as a result of the use of unsafe URL parsing methods built in the language," Israeli cybersecurity firm
Categories: Cyber Security News

What is ransomware and how can you defend your business from it?

The Hacker News - Tue, 08/02/2022 - 07:25
Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid. Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat
Categories: Cyber Security News

Free cybersecurity training for everyone. Don't fall prey to cyber-bandits! Sign up here.

Sekurak.pl - Tue, 08/02/2022 - 06:16

We invite you to the September edition of the training: don't fall prey to cyber-bandits! Over ~75 minutes we will cover the latest variants of cyberattacks on Internet users in Poland. There will also be concrete advice on protecting yourself against attacks. The training is tailored to the knowledge level of non-technical people and is run by Michał Sajdak. When? Where? How? September 14...
