Dec 09 2023

PowerShell Tips and Tricks

Category: PowerShell Security | disc7 @ 11:10 am

Powershell Tips & Tricks – via Hadess | حادث

PowerShell Pocket Reference: Portable Help for PowerShell Scripters

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: PowerShell Tips and Tricks

Dec 08 2023

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Category: Hacking, Security vulnerabilities | disc7 @ 11:18 am

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. 

Outlook vulnerabilities offer:-

  • Access to sensitive emails 
  • Access to sensitive information

WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.

Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.

Exploiting Of Patched Vulnerabilities

Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-

While engaging in its typical targeted activity, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook elevation-of-privilege vulnerability that makes the client leak the user's NTLM credentials to an attacker-controlled server, sending over 10,000 emails to diverse sectors.

Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.

TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-

  • Europe
  • North America

Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023. 

It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets. 

In the late summer campaign, TA422 sent an appointment attachment with a spoofed file extension whose reminder setting pointed at an SMB listener on a compromised Ubiquiti router.

When Outlook processed the attachment, it authenticated to that router, which acted as an NTLM listener and recorded the inbound credential hashes without any further interaction with the victim's network.
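The credential leak described above has a simple network signature: a workstation opening SMB (TCP/445, or NetBIOS session on TCP/139) to a host on the public internet, which a normal workstation has no reason to do. The Python below is an added example, not code from the Proofpoint report; it runs that check over a few constructed Zeek-style connection records. The record layout, host names and IP addresses are assumptions made for the example.

```python
"""Flag egress SMB connections, the network signature of an Outlook
CVE-2023-23397 credential leak: the victim host authenticates over
TCP/445 (or TCP/139) to an attacker-controlled listener on the internet.
Added example with constructed data; not code from the original report."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst dport proto")

# Constructed sample of Zeek-style conn records:
# ts <TAB> id.orig_h <TAB> id.resp_h <TAB> id.resp_p <TAB> proto.  Not real traffic.
SAMPLE_LOG = """\
1693500001.12\t10.20.5.17\t10.20.1.4\t445\ttcp
1693500002.40\t10.20.5.17\t45.33.32.156\t445\ttcp
1693500003.77\t10.20.5.22\t10.20.1.4\t445\ttcp
1693500004.01\t10.20.5.17\t45.33.32.156\t443\ttcp
1693500005.55\t10.20.5.30\t91.108.56.20\t445\ttcp
1693500006.09\t10.20.5.30\t91.108.56.20\t139\ttcp
"""

SMB_PORTS = {445, 139}


def parse_conn_log(text):
    """Parse tab-separated conn records, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        records.append(Conn(float(ts), src, dst, int(dport), proto))
    return records


def is_egress(dst):
    """True when the responder is a globally routable address (not RFC 1918,
    loopback, link-local or another reserved range)."""
    return ipaddress.ip_address(dst).is_global


def egress_smb(records):
    """Return (src, dst, port) for SMB/NetBIOS flows that leave the private network."""
    hits = []
    for r in records:
        if r.proto == "tcp" and r.dport in SMB_PORTS and is_egress(r.dst):
            hits.append((r.src, r.dst, r.dport))
    return hits


if __name__ == "__main__":
    for src, dst, port in egress_smb(parse_conn_log(SAMPLE_LOG)):
        print(f"egress SMB: {src} -> {dst}:{port}")
```

Blocking outbound TCP/445 and TCP/139 at the perimeter is the standard mitigation for this class of NTLM leak; the check above is the corresponding detection for environments that still allow it, and it works equally well over firewall deny logs once the block is in place.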

Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)

Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited the WinRAR vulnerability CVE-2023-38831 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities. 

Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file. 

The file modified proxy settings, downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS firewall, initiated the NTLM credential exchange.
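What the .cmd-dropping archives rely on is a structural quirk: CVE-2023-38831 triggers when a decoy document sits beside a directory whose name is the decoy's name plus a trailing space, and that directory holds a script named like the decoy; a vulnerable WinRAR runs the script when the user opens the decoy. The published samples for this CVE are ZIP archives handled by WinRAR, so this added example (not Proofpoint's code) builds and inspects one with Python's standard zipfile module; inspecting a genuine RAR would need the third-party rarfile package, but the layout check is the same. The decoy file name and the payload are made up for the example.

```python
"""Structural check for the WinRAR CVE-2023-38831 lure layout.
Added example with constructed archives; not code from the original report."""
import io
import posixpath
import zipfile

# Extensions that WinRAR would hand to the shell for execution.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".lnk"}


def build_lure_zip(decoy="BRICS_Summit_agenda.pdf", payload=b"start calc.exe\r\n"):
    """Build an in-memory archive with the malicious layout (sample data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4 decoy\n")            # the document the victim sees
        zf.writestr(decoy + " /", b"")                      # directory: decoy name + trailing space
        zf.writestr(decoy + " /" + decoy + " .cmd", payload)  # script named like the decoy
    return buf.getvalue()


def build_benign_zip():
    """A normal archive for comparison (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4\n")
        zf.writestr("notes/readme.txt", b"hello\n")
    return buf.getvalue()


def find_cve_2023_38831_pattern(data):
    """Return (decoy, script_path) pairs matching the lure layout, or [] if clean.

    Directories are taken both from explicit directory entries and from the
    parent paths of file entries, since some archivers omit the former."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        files = sorted(n for n in names if not n.endswith("/"))
        dirs = {n[:-1] for n in names if n.endswith("/")}
        dirs |= {f.rsplit("/", 1)[0] for f in files if "/" in f}
        for d in sorted(dirs):
            decoy = d.rstrip(" ")
            # Only a directory whose name is an existing file name plus trailing space(s)
            if decoy == d or decoy not in files:
                continue
            for f in files:
                if not f.startswith(d + "/"):
                    continue
                base = posixpath.basename(f)
                ext = posixpath.splitext(base)[1].lower()
                if base.startswith(decoy) and ext in SCRIPT_EXTS:
                    hits.append((decoy, f))
    return hits


if __name__ == "__main__":
    print("benign:", find_cve_2023_38831_pattern(build_benign_zip()))
    print("lure:  ", find_cve_2023_38831_pattern(build_lure_zip()))
```

The same check is cheap to run at a mail gateway on every archive attachment, and it catches the layout regardless of which document type is used as the decoy; the real fix remains upgrading WinRAR to 6.23 or later.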

Lure document from the September 1, 2023 campaign. (Source – Proofpoint)

Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.

Mockbin campaign lure documents. (Source – Proofpoint)

Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.

Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.


IOCs (Source – Proofpoint)


Tags: Outlook Vulnerabilities, WinRAR Vulnerabilities

Dec 07 2023

How Malicious Insiders Use Known Vulnerabilities Against Their Organizations

Category: Insider Threat | disc7 @ 4:17 pm

  • Between January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an internal user either exploited or sought to exploit a known vulnerability, or deployed offensive security tooling against their enterprise environment.
  • Approximately 55% of the identified insider threat incidents involved unauthorized use or attempted use of privilege escalation exploits.
  • Approximately 45% of insider threat incidents involved insiders who unwittingly introduced risk to their environment through the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes.
  • Given overlaps in vulnerability use and typical actions on objectives, many methods that detect and mitigate targeted intrusion and eCrime activity are also applicable to insider threat activity.

We are well aware of the devastating effect insiders can have when using their legitimate access and knowledge to target their own organization. These incidents can result in significant monetary and reputational damages. Entities small and large, across all sectors, can fall victim to insider threats.

Insider-led cybersecurity incidents are growing more frequent and more expensive: reports from the Ponemon Institute state that the number of insider threat events increased by 44% from 2020 to 2022, and that the average cost per malicious and non-malicious incident climbed to $648,000 USD and $485,000 USD, respectively [1]. These incidents can also result in brand and reputational damages that, while hard to quantify, have a significant impact.

What Is an Insider Threat?

For the purposes of this article, an insider threat is defined as an individual with the potential to wittingly or unwittingly use their access to negatively affect the confidentiality, integrity or availability of their organization’s information or information technology (IT) systems. Within this context, an unauthorized user leveraging a privilege escalation exploit to gain the permissions necessary to delete network logs or conceal their hands-on-keyboard activity represents an example of a willing insider threat. Meanwhile, an individual who has permission to use exploits as part of their duties but inadvertently uses the wrong computer/system, or fails to follow the proper safe-handling standard operating procedures, represents an example of an unwitting insider threat.


Since 2021, CrowdStrike Intelligence has observed insider threats achieve their goals through the exploitation of known vulnerabilities. While these activities are hard to detect, not all is doom and gloom. An intelligence-driven review of known cases shows that many defensive actions used to detect and mitigate targeted intrusion and eCrime adversaries are also effective at stopping insider threat activity, given overlaps in vulnerability usage and post-exploitation activity. Falcon Complete can help detect and contain these threats, protecting customers from both insider threats and external adversaries.

Insiders’ Commonly Exploited Vulnerabilities

CrowdStrike Counter Adversary Operations and CrowdStrike Falcon Complete analyzed incidents from January 2021 to April 2023 to deduce the most prevalent vulnerabilities leveraged without authorization by internal users in their enterprise environment. This is a high-confidence qualitative assessment based on observed behaviors consistent with attempted or successful exploitation based on Falcon Complete incident data. These incidents fall into two broad categories: 

  • Unauthorized exploitation to escalate privileges and support follow-on objectives
  • Unauthorized testing of exploits or downloading of offensive tools for defensive or training purposes

While this article covers specific vulnerabilities, it is not intended to conclusively identify all vulnerabilities potentially related to insider threat activities. Depending on the intended target and objectives, numerous other vulnerabilities with existing public proof-of-concept exploits could accomplish similar objectives.

Unauthorized Exploitation to Escalate Privileges and Support Follow-on Objectives

Privilege escalation is typically the intermediate step between initial access and reaching the actual objective in a cyber intrusion. It is considered a critical stage in the attack chain, since many of the subsequent steps — such as defense evasion and manipulating sensitive programs/systems — require an elevated privilege level. This is especially relevant to insiders who usually possess low-level access to the target environment as part of their duties. 

An insider user who escalates privileges without authorization is abusing their access and, at a minimum, attempting to bypass the principle of least privilege (POLP). According to this principle, users and processes are only granted the minimum permissions required to perform their assigned tasks. POLP is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture, and it allows organizations to control and monitor network and data access [2].

Fifty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved attempted local privilege escalation (LPE) to support follow-on actions. For example, insiders sought higher privileges to download unauthorized software, remove forensic evidence or troubleshoot IT systems. By attempting to escalate privileges, these internal users wittingly or unwittingly introduced risk to their network, and as a result, these incidents fall under the insider threat umbrella regardless of malicious intent (see Figure 1).

Figure 1. Hypothetical example of an insider threat leveraging a local privilege escalation (LPE)

These incidents leveraged six well-known vulnerabilities that have publicly available exploit proof-of-concept (POC) code on GitHub and are included in the United States Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities (KEV). The broad range of vulnerabilities used highlights the large number of potential attack vectors and the breadth of the attack surface.  

CVE Number     | CVE Name                                                                  | Targeted OS | In CISA KEV
CVE-2017-0213  | Windows Component Object Model (COM) Elevation of Privilege Vulnerability | Windows     | Yes
CVE-2022-0847  | Linux Kernel Privilege Escalation Vulnerability (aka DirtyPipe)           | Linux       | Yes
CVE-2021-4034  | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit)            | Linux       | Yes
CVE-2019-13272 | Linux Kernel Improper Privilege Management Vulnerability                  | Linux       | Yes
CVE-2015-1701  | Microsoft Win32k Privilege Escalation Vulnerability                       | Windows     | Yes
CVE-2014-4113  | Microsoft Win32k Privilege Escalation Vulnerability                       | Windows     | Yes

Table 1. Vulnerabilities observed being leveraged by insiders to escalate privileges

CVE-2017-0213 Incidents

In early April 2023, CrowdStrike Falcon Complete detected and blocked an internal user’s attempt to exploit a Windows Component Object Model (COM) privilege escalation vulnerability (CVE-2017-0213) at a Western Europe-based retail entity. Specifically, the internal user leveraged the WhatsApp messenger application to download an exploit targeting CVE-2017-0213 in an attempt to escalate privileges and install the uTorrent file-sharing application as well as unauthorized games. 

Successful exploitation of CVE-2017-0213 allows an authenticated attacker to run arbitrary code with elevated privileges. Since April 2022, CrowdStrike Falcon Complete has detected six other incidents involving internal users attempting to leverage CVE-2017-0213 to conduct unauthorized follow-on activities. Notably, in late July 2022, a terminated employee at a U.S.-based media entity unsuccessfully attempted to leverage this vulnerability to conduct unauthorized activities.  

Other Incidents

The remaining incidents involved internal users leveraging five privilege escalation vulnerabilities to gain elevated privileges in order to conduct unauthorized follow-on operations. Notably, in mid-July 2022, an internal user at an Australia-based technology entity attempted to execute an exploit for CVE-2021-4034 (PwnKit) to gain administrative rights and troubleshoot their host machine. Also, in mid-October 2022, an internal user at a U.S.-based technology entity leveraged CVE-2015-1701, a Microsoft Win32k privilege escalation vulnerability, to gain the necessary permissions to bypass internal controls and allow for the unauthorized installation of a Java virtual machine.  

How Insider Threats Unintentionally Put Organizations At Risk

Forty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved insiders who unwittingly introduced risk to their environment via the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes. In these incidents, the insiders, who may be responsible for using exploits and offensive tools as part of their regular duties, unwittingly introduced risk to their environment by not following safe-handling procedures (see Table 2). For example, in some of the incidents, the insider users should have downloaded the exploits in virtual machines or other specific hosts to provide better network segmentation between testing and production environments. 

There are several ways this could cause damage. Testing exploits on unauthorized systems could disrupt operations, as some exploits could cause system crashes or other unintended negative actions. Additionally, an adversary with a foothold on the insider threats’ network could leverage these exploits or tools to support their own malicious activity.  Finally, downloading unvetted code can introduce backdoors or other malicious artifacts into the internal user’s network. 

Below are some of the vulnerabilities involved in cases of insider threats unintentionally putting their organization at risk. 

CVE Number     | CVE Name                                                         | Targeted OS | In CISA KEV
CVE-2021-42013 | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal              | Mac         | Yes
CVE-2021-4034  | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit)   | Linux       | Yes
CVE-2020-0601  | Windows CryptoAPI Spoofing Vulnerability                         | Windows     | Yes
CVE-2016-3309  | Windows Kernel Privilege Escalation Vulnerability                | Windows     | Yes
CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability       | Windows     | Yes
N/A            | Metasploit Framework                                             | N/A         | N/A

Table 2. Vulnerabilities observed being leveraged by insiders for testing/defensive purposes

CVE-2021-42013 Incident

In October 2022, CrowdStrike Falcon Complete detected and contained a script leveraging CVE-2021-42013 to launch an Apache reverse shell at a U.S.-based technology entity. Successful exploitation of CVE-2021-42013 allows an unauthenticated attacker to execute code remotely. In this incident, the internal user leveraged this vulnerability without permission to exploit a server as part of a Capture-the-Flag (CTF) competition. This incident highlights the importance of properly scoping and communicating any restrictions regarding CTF and similar exercises in corporate networks.

Other Vulnerability Incidents

Other incidents involved internal users exploiting individual vulnerabilities for testing and/or training purposes. While these users, often in security roles, are permitted to test exploits as part of their job duties, they were not authorized to conduct that activity on the specific hosts that triggered the CrowdStrike Falcon® sensor. For example, in February 2023, an internal user at a United States-based technology entity attempted to download an exploit for CVE-2016-3309, a Windows kernel privilege escalation vulnerability, on their corporate computer instead of on the approved system for these types of activities (a separate virtual machine). The Falcon Complete team was able to quickly triage event logs recorded using Falcon’s Endpoint Activity Monitoring (EAM) application to provide additional context surrounding the initial download of the CVE-2016-3309 exploit. 

Metasploit Framework

From May 2022 to February 2023, Falcon Complete observed multiple incidents involving the unauthorized deployment of the Metasploit Framework on Windows and Linux hosts by insider users. The Metasploit Framework is a well-known penetration testing framework that can be used for exploitation, enumeration, post-exploitation and other offensive activities. This tool is commonly used by security teams for testing and executing exploits — however, it can also provide insiders a readily available mechanism for conducting pre- and post-exploitation activities. While each incident was assessed to be related to defense-focused testing activity, the unauthorized deployment of the Metasploit Framework by an internal user introduces risks to the enterprise network.


In December 2022, Falcon Complete observed an incident involving an internal user downloading and staging ElevateKit, a privilege escalation framework commonly leveraged alongside Cobalt Strike. ElevateKit registers modules with the Cobalt Strike Beacon payload to allow for privilege escalation using publicly available exploits [3]. In addition to ElevateKit, the user also staged Mimikatz and PowerLurk, two tools also commonly used in penetration testing engagements for credential dumping and for establishing persistence via Windows Management Instrumentation (WMI). While this incident was later determined to be related to unauthorized security testing preparation, a threat actor could potentially abuse these previously deployed tools to escalate privileges, move laterally or establish persistence. 

Non-Exploit Based Insider Threat Activity

Internal users are not limited to exploiting vulnerabilities to achieve their results. In addition to using their own credentials, insider threats could leverage various other methods to escalate privileges, evade defenses and/or execute arbitrary code. The following is a non-exhaustive list of other potential approaches and methods:

  • DLL hijacking
  • Insecure file system permissions
  • Insecure service configurations
  • Exploitation through removable media
  • Windows accessibility features bypass 
  • Image file execution options injection
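Two items on that list, insecure service configurations and Image File Execution Options (IFEO) injection, can be audited offline from a registry export rather than waiting for an exploit attempt to fire a sensor. The Python below is an added example, not CrowdStrike's code: it parses a constructed .reg-style export, flags service binaries whose unquoted ImagePath contains a space (a writable ancestor directory then lets a low-privileged user plant a binary such as C:\Program.exe that the SYSTEM service runs), and lists any Debugger value under IFEO, which is how the accessibility binaries (sethc.exe, utilman.exe) are usually hijacked. The service and key names in the sample are hypothetical.

```python
"""Audit a Windows registry export for unquoted service paths and IFEO
Debugger entries.  Added example with constructed data; not CrowdStrike code."""
import re

# Constructed .reg-style export (sample data, not from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AcmeBackup]
"ImagePath"="C:\\Program Files\\Acme Backup\\agent.exe -service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AcmeUpdater]
"ImagePath"="\"C:\\Program Files\\Acme Updater\\updater.exe\" /run"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

# "Name"="string value" lines; dword/hex values are ignored for this audit.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {key_path: {name: value}} from a .reg export; string values are unescaped."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            name, value = m.group(1), m.group(2)
            # .reg escaping: \" is a literal quote, \\ is a literal backslash
            tree[current][name] = value.replace('\\"', '"').replace("\\\\", "\\")
    return tree


def unquoted_service_paths(tree):
    """(service name, ImagePath) for services whose unquoted binary path contains a space."""
    hits = []
    for key, values in tree.items():
        if "\\Services\\" not in key or "ImagePath" not in values:
            continue
        path = values["ImagePath"].strip()
        if path.startswith('"'):
            continue  # quoted: the service manager resolves it unambiguously
        m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
        exe = m.group(1) if m else path.split(" ")[0]
        if " " in exe:
            hits.append((key.rsplit("\\", 1)[1], path))
    return hits


def ifeo_debuggers(tree):
    """(target exe, debugger) pairs set under Image File Execution Options."""
    hits = []
    for key, values in tree.items():
        if "\\Image File Execution Options\\" in key and "Debugger" in values:
            hits.append((key.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("unquoted service paths:", unquoted_service_paths(reg))
    print("IFEO debuggers:", ifeo_debuggers(reg))
```

An IFEO Debugger value is occasionally legitimate (a developer attaching a real debugger), so the second list is a review queue rather than an automatic verdict; an entry on an accessibility binary or a shell as the debugger is the case that warrants an immediate look.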


The inherent difficulty in identifying insider threat activity, and the limited sample size, preclude definitive and granular observations. However, a review of the incidents and vulnerabilities associated with insider threats from January 2021 to April 2023 highlights several factors that may aid in preventing and detecting future insider threat activity. 

Many of the vulnerabilities described in this article have also been exploited by targeted intrusion and eCrime adversaries. Thus, many of the popular defense-in-depth measures applied by network defenders to detect and mitigate targeted intrusion or eCrime activity will help identify and neutralize insider threats, given similar overlaps in observed tactics, techniques and procedures and desired actions on objective (e.g., data exfiltration, data destruction, etc.).

CrowdStrike Counter Adversary Operations assesses that more than half of the identified insider threat incidents involved internal users’ unauthorized use or attempted use of privilege escalation exploits to support follow-on objectives. This assessment is made with high confidence based on available forensic data and observed hands-on-keyboard activity. While each user’s individual calculus for selecting specific vulnerabilities to leverage remains unknown, the chosen vulnerabilities have publicly available exploits on GitHub and have been exploited in the wild. As such, restricting or monitoring the download of exploits from GitHub and other online code repositories by personnel who do not require that access as part of their regular duties could mitigate this threat: limiting access to ready-to-use exploits can hinder insider threats from conducting malicious activity.
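One concrete form of the monitoring suggested above is to scan proxy logs for retrievals from code-hosting sites whose URL names a CVE or a known offensive tool, and to summarize the hits per user so that an analyst can compare them with the user's role. The Python below is an added example, not part of the CrowdStrike article; the log format, user names and repository paths are constructed, and the CVE watch list is taken from Tables 1 and 2 above. The host and tool lists are starting points, not a complete catalogue.

```python
"""Flag downloads of exploit code and offensive tooling from code-hosting
sites, per user, from proxy log lines.  Added example with constructed data."""
import re
from collections import defaultdict

# CVEs from Tables 1 and 2 above (all listed there as being in CISA KEV).
WATCHED_CVES = {
    "CVE-2017-0213", "CVE-2022-0847", "CVE-2021-4034", "CVE-2019-13272",
    "CVE-2015-1701", "CVE-2014-4113", "CVE-2021-42013", "CVE-2020-0601",
    "CVE-2016-3309", "CVE-2022-21999",
}
# Tool names mentioned in the article; matched case-insensitively in the URL.
WATCHED_TOOLS = ("metasploit", "mimikatz", "elevatekit", "powerlurk")
CODE_HOSTS = ("github.com", "raw.githubusercontent.com", "codeload.github.com", "gitlab.com")

# Accepts CVE-2016-3309, cve_2016_3309, CVE2016-3309 and similar spellings.
CVE_RE = re.compile(r"cve[-_]?(\d{4})[-_](\d{4,7})", re.IGNORECASE)

# Constructed proxy records: "<ts> <user> <src_ip> <method> <url> <status>" (sample data).
SAMPLE_PROXY_LOG = """\
2023-02-14T09:12:03Z jdoe 10.1.4.22 GET https://github.com/exampleuser/CVE-2016-3309/archive/refs/heads/main.zip 200
2023-02-14T09:13:10Z jdoe 10.1.4.22 GET https://github.com/exampleuser/CVE-2016-3309/blob/main/README.md 200
2023-02-14T10:40:51Z asmith 10.1.7.90 GET https://raw.githubusercontent.com/exampleorg/pwnkit/main/cve_2021_4034.c 200
2023-02-14T11:02:33Z bwong 10.1.9.5 GET https://github.com/rapid7/metasploit-framework/releases 200
2023-02-14T11:05:00Z bwong 10.1.9.5 GET https://docs.python.org/3/library/re.html 200
2023-02-14T12:30:12Z clee 10.1.2.14 GET https://github.com/exampleorg/some-tool/archive/main.zip 200
"""


def classify_url(url):
    """Return the reasons a URL looks like exploit or offensive-tool retrieval ([] if none)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    if host not in CODE_HOSTS:
        return []
    reasons = []
    for m in CVE_RE.finditer(url):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        reasons.append(f"{cve} (watched)" if cve in WATCHED_CVES else cve)
    lower = url.lower()
    reasons.extend(f"tool:{t}" for t in WATCHED_TOOLS if t in lower)
    return reasons


def flag_downloads(log_text):
    """Map user -> sorted unique reasons across that user's requests."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed record; skip rather than guess
        _ts, user, _src, _method, url, _status = parts
        for reason in classify_url(url):
            findings[user].add(reason)
    return {u: sorted(r) for u, r in findings.items()}


if __name__ == "__main__":
    for user, reasons in flag_downloads(SAMPLE_PROXY_LOG).items():
        print(f"{user}: {', '.join(reasons)}")
```

Any CVE in a repository path is reported, not only the watched ones, because a fresh proof of concept will not yet be on a curated list; the "(watched)" marker simply raises the priority of the ones the article has already tied to insider activity.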

The use of older vulnerabilities, some disclosed as early as 2015, underscores that vulnerabilities can remain useful to all attackers (internal or external) until patched or mitigated. This is particularly relevant to internal systems that may be under a slower patching cycle than that of internet-exposed systems. Internal users are particularly well positioned to leverage older local privilege escalation vulnerabilities, as they often already possess the low-level privileges and/or credentials needed to successfully run these exploits,  have a better understanding of the host environment and can conduct basic reconnaissance commands with lesser risk of discovery than a remote attacker. 

Approximately 45% of the insider threat incidents involved insiders ostensibly expected to leverage exploits and offensive tools as part of their regular duties who unwittingly introduced risk to their environment by the unauthorized download of exploits or other offensive security tools. Not following proper procedures related to the handling of exploits and other offensive tooling can cause system crashes or other negative effects to the host environment. Although CrowdStrike Counter Adversary Operations has not observed this so far, a resourceful adversary with a foothold in the internal user’s network could also leverage these offensive tools or exploits for their own operations. 

Mitigation Options 

Vulnerability Management 

It is critical to ensure timely vulnerability patching in order to protect enterprise devices. CrowdStrike Falcon Exposure Management provides real-time, instant visibility into new and emerging vulnerabilities by using scanless vulnerability assessment technology integrated with the CrowdStrike Falcon® sensor. This prioritizes risks based on an advanced AI model and integrates threat intelligence provided by the CrowdStrike Intelligence team to provide insight into trending threats.

Insider threats can also leverage non-exploit based attack vectors, so timely patching alone is insufficient to address the potential threats. This is why it’s essential for organizations to implement multiple layers of defense such as Falcon Complete MDR and CrowdStrike® Falcon OverWatch™ managed threat hunting. 

The Falcon Complete team actively monitors for and remediates exploitation and post-exploitation behaviors by analyzing suspicious process characteristics and behaviors, utilizing machine learning to detect malicious payloads, monitoring script execution and more. In addition, the Falcon OverWatch 24/7 threat hunting service provides early indicators of threat actor activity and exploitation attempts. Falcon OverWatch integrates indicators of compromise (IOCs) and threat intelligence provided by CrowdStrike Intelligence to identify, prevent and provide attribution for emerging threats. 

User Behavior Analysis to Detect Insider Threat Activity

User behavior analysis is also a key technique that CrowdStrike Falcon® Complete Identity Threat Protection uses to detect an adversary using a legitimate user’s stolen credentials, or to identify suspicious activity from an insider. It baselines normal behavior for every user from authentication and historical data (for example, which machines the user typically accesses), uses machine learning to auto-classify accounts (privileged, stealthy and service accounts, and server types such as VDI), and correlates the result with possible Active Directory attack paths and privilege escalations. The outcome is a behavioral profile for every entity that helps the analyst (and the detection engine) distinguish normal from abnormal activity. A deviation from that baseline triggers a detection of an adversary in the environment or an insider with malicious intent, which can in turn trigger automated responses (alert, multifactor authentication challenge or block) according to pre-created policies.
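The baselining step can be illustrated without any product: learn which hosts each user reaches during a training window, classify hosts by how many distinct users log on to them, then flag later logons that fall outside a user's baseline, rating a first-ever logon to a server higher than one to an unknown workstation. The Python below is an added example, not CrowdStrike's implementation; the logon events, the training cut-off and the "two or more distinct users means server" heuristic are assumptions made for the example.

```python
"""Minimal user-behaviour baseline over logon events.
Added example with constructed data; not CrowdStrike code."""
from collections import defaultdict
from datetime import datetime

# Constructed Windows logon-style events: (timestamp, user, host).  Sample data.
EVENTS = [
    ("2023-03-01T08:02:00", "jdoe", "WS-0142"),
    ("2023-03-02T08:05:00", "jdoe", "WS-0142"),
    ("2023-03-03T08:01:00", "jdoe", "WS-0142"),
    ("2023-03-01T08:10:00", "asmith", "WS-0203"),
    ("2023-03-02T08:11:00", "asmith", "WS-0203"),
    ("2023-03-01T09:00:00", "asmith", "FS-01"),
    ("2023-03-01T09:30:00", "jdoe", "FS-01"),
    ("2023-03-02T09:30:00", "mlopez", "FS-01"),
    ("2023-03-01T07:00:00", "svc_backup", "DC-01"),
    ("2023-03-02T07:00:00", "svc_backup", "DC-01"),
    ("2023-03-03T07:00:00", "svc_backup", "FS-01"),
    ("2023-03-04T07:30:00", "admin_ml", "DC-01"),
    # detection window (after TRAIN_END)
    ("2023-03-15T08:03:00", "jdoe", "WS-0142"),    # within baseline
    ("2023-03-15T22:41:00", "jdoe", "DC-01"),      # new host for jdoe, and a server
    ("2023-03-15T10:12:00", "asmith", "WS-0209"),  # new host, never seen at all
    ("2023-03-15T07:00:00", "svc_backup", "DC-01"),  # within baseline
]

TRAIN_END = datetime.fromisoformat("2023-03-10T00:00:00")


def build_baseline(events, train_end=TRAIN_END):
    """Return (user -> set of hosts, host -> class) learned from events before train_end."""
    user_hosts = defaultdict(set)
    host_users = defaultdict(set)
    for ts, user, host in events:
        if datetime.fromisoformat(ts) < train_end:
            user_hosts[user].add(host)
            host_users[host].add(user)
    # Heuristic (assumption): a host reached by several distinct users is a server.
    host_class = {h: ("server" if len(u) >= 2 else "workstation") for h, u in host_users.items()}
    return dict(user_hosts), host_class


def score_events(events, user_hosts, host_class, train_end=TRAIN_END):
    """Flag post-training logons to hosts outside the user's baseline.

    Returns (timestamp, user, host, host class, severity); a logon to a
    known server is rated high, anything else medium."""
    alerts = []
    for ts, user, host in events:
        if datetime.fromisoformat(ts) < train_end:
            continue
        if host in user_hosts.get(user, set()):
            continue
        cls = host_class.get(host, "unknown")
        severity = "high" if cls == "server" else "medium"
        alerts.append((ts, user, host, cls, severity))
    return alerts


if __name__ == "__main__":
    baseline, classes = build_baseline(EVENTS)
    for alert in score_events(EVENTS, baseline, classes):
        print(alert)
```

A production version would age the baseline (a user who changes teams legitimately acquires new hosts), add time-of-day and logon-type features, and map severity to the policy actions the paragraph lists; the skeleton above is enough to show why a late-night first logon to a domain controller stands out.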

Tailored User Training

Given the unwitting nature of many of the incidents discussed in this article, tailored training (for both new and existing employees) on how to properly download, store and execute exploits and offensive tooling for testing and training purposes could almost certainly reduce these occurrences in the future. Multiple incidents involved new employees who were not well versed in company policies on exploit handling and the use of external or virtual machines for testing, so it is paramount that new employees, particularly those in cybersecurity roles, receive this training during their onboarding process. 

Additionally, many of these incidents occurred at organizations in the technology sector, suggesting that training tailored to tech-savvy employees can also help mitigate future occurrences. Nonetheless, organizations should ensure that the procedures meant to prevent these incidents are not so restrictive and cumbersome that they drive internal users to find ways around them.  


Managing the Insider Threat: No Dark Corners and the Rising Tide Menace


Tags: Insider Threat

Dec 06 2023

API Security Cheat Sheet

Category: API security | disc7 @ 10:59 am

API Security in Action


Tags: API security checklist, API Security in Action

Dec 06 2023

Your car is probably harvesting your data. Here’s how you can wipe it

Category: Information Security, Mobile Security | disc7 @ 8:16 am

It is so easy to vacuum up private data from vehicles that Andrea Amico taught his daughter how to extract text messages from her mom’s car when she was only eight years old.

Blue-haired and an engineer by training, Amico has a hacker’s mentality, which has manifested in giving drivers a way to protect their data and beat the system at no cost.

Amico is the founder and CEO of Privacy4Cars, the outfit behind a free app that lets individuals erase the astonishing amount of personal data — including text messages, biometrics and geolocation — that many automakers collect, store and often share with law enforcement, insurers and even data brokers.

Privacy4Cars also allows consumers to pull a full report on exactly what data their own car is scooping up, using nothing but a vehicle identification number.

Amico worked on car data privacy for years on what he called a “passion project” basis. After running a large car inspection business, he came to understand the scale of the problem — and the stakes — and founded Privacy4Cars in 2019.

Consumers can use the app to delete data retroactively, but there is no way to block its collection going forward, so those especially concerned about privacy have to regularly wipe the car’s data, which usually resides primarily in the infotainment system, Amico said.

The process for deletion is unique for most car models and types. Amico says the company has amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year manufactured and even how many extras customers pay for to enhance a given model.

The app typically works for four out of five cars. Wiping data can take as few as three commands, or as many as 50, Amico said. If a car owner has not downloaded a given car’s software updates, that can complicate matters.

Data linked to more than a million cars has been deleted using the app to date, Amico said.

With car data privacy in the spotlight recently, the demand is likely to rise.

Last month a Seattle-based federal judge declined to revive a class action lawsuit alleging four auto manufacturers had broken Washington state privacy laws by gathering and storing customers’ private text messages and mobile phone call logs.

The judge ruled the practice did not meet the threshold for an illegal privacy violation under state law, which requires plaintiffs prove that “his or her business, his or her person, or his or her reputation” has been threatened by the harvesting of private data.

Despite the ruling, car data privacy concerns are growing as more consumers become aware of their exposure, and even some industry figures concede more needs to be done to educate car owners about data practices.

Running the report

Privacy4Cars offers a website feature which allows users to search their vehicle identification number and quickly learn the data their car gathers, pulling and crystallizing information from the small print manufacturers typically disclose in complex, dense and lengthy terms and conditions and privacy disclosures.

A recent search of what Privacy4Cars calls its “Vehicle Privacy Report” showed a variety of automakers disclosing they can or do pull, store and even sell a wide range of data, including:

  • Personal identifiers, which can include data as granular as a driver’s signature; Social Security number; passport number; insurance policy number; employment history and medical information, among other things
  • Biometrics, which can identify individuals, including through fingerprint mapping, facial recognition and retina scans
  • Geolocation data
  • Data collected and used to create profiles on drivers
  • Consumer data collected from synced phones like text messages and call logs. Often manufacturers don’t disclose whether they also gather data from drivers’ connected smart devices when third-party apps run on or sync with the infotainment system, the report said.

Many automakers also acknowledge they share data with law enforcement, insurers and data brokers.

While some cars searched on the Privacy4Cars website were silent on whether they collect data from synced phones, Sean McKeever, a senior security researcher at GRIMM, a cybersecurity company with an automotive division, said most cars do gather and store phone data.

“If the vehicle offers phone connectivity, you can assume there is some level of data being stored on the vehicle,” McKeever said via email.

Amico estimated that about two-thirds of U.S. auto manufacturers declare they collect data from synced phones, at least for some models.

“They’re also very quick to say that it’s none of their responsibility and essentially it’s the consumers’ fault if they leave this data behind,” he said in an interview.

To use the Privacy4Cars Vehicle Privacy Report search tool, drivers must have their vehicle identification number (VIN). A recent random check of the privacy report’s portal, using VINs linked to used vehicles on Carmax, showed that many cars collect all of the data listed above and more.

Vehicles collecting synced phone data, for example, included a 2018 Volkswagen Atlas, a 2023 Audi Q4, a 2019 Volvo XC90 and a 2020 Honda Civic. All of these vehicles also collect location data, and some gather biometric data along with compiling personal identifiers and user profiles.

None of the automakers offered comment except for Volkswagen. A spokesperson said that “when a customer syncs their phone via Bluetooth, the car can access phone data as granted by the customer and all of this data is stored within the vehicle.”

They added that customers can delete this data at any time through a factory reset and noted that “while the car itself will access the data, the car does not transmit this data beyond the car.”

A privacy report for a 2020 Volkswagen Tiguan. (Vehicle Privacy Report screenshot)

Many of the cars Recorded Future News searched in the Vehicle Privacy Report also allowed data to be collected from Android Auto, Apple CarPlay and Amazon Alexa.

Amico said that if your car uses Android Auto, for example: “Guess what? Google collects data from you as well.” Google does not have an Android Auto-specific privacy policy or data disclosure, Amico said. The data can also potentially be sold by Google for targeted advertising. Google did not respond to a request for comment.

Privacy4Cars also takes on data brokers, offering a way for consumers to easily reach them and tell them not to sell their data. An “Assert Your Rights” button on the upper right corner of the company’s homepage takes users to a place to share their information so that Privacy4Cars can submit consumer privacy requests to first-party businesses, data brokers, and third parties on their behalf.

Consumers in the dark

Most drivers have no idea what data their car is collecting because, other than through Privacy4Cars, the information can be very hard to track down and digest. The privacy disclosures for the four cars mentioned above involved between nine and 12 unique documents, and each ran between 55,000 and 60,000 words, according to the Privacy4Cars site.

Older cars appear not to be immune. A check for a 2012 Honda Odyssey, for example, revealed the vehicle collects data from synced phones, geolocation information and compiles personal identifiers and user profiles.

Car owners should use the app to wipe data particularly when they buy or sell a used car and return vehicles to car rental agencies or leasing companies, Amico said, although most people don’t know they should do so.

Four out of five used cars contain the data of previous owners since most owners and subsequently car dealers don’t wipe them clean, he said.

In some cases cars even store pieces of code from previous drivers that can allow old owners to access new owners’ data. Most cars’ infotainment systems also store text messages and other unencrypted data.

Amico’s services aren’t foolproof. The FBI, for instance, still might be able to hack into the car’s systems and extract data. But they do make it a “hell of a lot harder” for them or anyone else to do so.

Even those unworried about getting entangled with the FBI have serious reasons to delete their data, he said.

“If you have a navigation system, you have about a 50/50 chance that you can press two buttons and show up inside the house of somebody because you press ‘go home’ and then you pop the garage open,” Amico said.

This is Part 1 of a three-part series on automobile privacy that will run through the month of December.

Automated Vehicle Law: Legal Liability, Regulation, and Data Security


Tags: Automated Vehicle, Car Security

Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon, Cyberweapons, Hacking | disc7 @ 12:33 pm

An American aerospace company has been the target of a cyberespionage campaign dubbed AeroBlade, which appears to be aimed at both competitive and commercial espionage.

The threat actor employed spear-phishing as the distribution mechanism.

A weaponized document delivered as an email attachment reportedly has malicious VBA macro code embedded in it, as well as a remote template injection mechanism that provides the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.

AeroBlade Execution Chain

The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence. 

Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.

Two campaigns were found, and they shared several similarities:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.

AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A .dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose,” researchers said.

An executable file run on the system via the macro is the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell. With a reverse shell, the compromised machine initiates the outbound connection to the attacker, which lets the attacker communicate through ports the victim’s network already allows out and take full control of the target machine.

Example of information collected from infected system

An American aerospace organization was the target of both campaigns, based on the content of the lure message. The attacker’s goal was probably to obtain insight into the target’s internal resources in order to assess its susceptibility to a potential ransom demand.
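The chain described above (a .docx that pulls a remote .dotm template, with the VBA macro delivered in that second stage) leaves static traces inside the Office document package that a mail gateway or analyst can inspect before anything is opened. The following Python is an added example, not BlackBerry’s tooling: it reads the OOXML relationship that declares the attached template and flags an external http(s) target, and it checks for an embedded VBA project; the sample document it builds is constructed in memory and its host name is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and part names defined by Office Open XML (ECMA-376).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PART = "word/vbaProject.bin"


def scan_docx(data: bytes) -> dict:
    """Inspect one Word document (raw bytes) for the two traits in the post:
    a template fetched from a remote URL at open time, and an embedded VBA
    project. Returns {'remote_template': url-or-None, 'has_vba_project': bool}.
    """
    findings = {"remote_template": None, "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba_project"] = VBA_PART in names
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                is_template = rel.get("Type") == ATTACHED_TEMPLATE
                is_external = rel.get("TargetMode") == "External"
                target = rel.get("Target", "")
                # A local template path is also TargetMode="External"; only a
                # network URL means the .dotm is pulled from a server on open.
                if is_template and is_external and \
                        target.lower().startswith(("http://", "https://")):
                    findings["remote_template"] = target
    return findings


def triage(data: bytes) -> str:
    """Collapse findings into a triage level for a gateway or sandbox queue."""
    f = scan_docx(data)
    if f["remote_template"]:
        return "high"      # remote .dotm: macro arrives after delivery-time scans
    if f["has_vba_project"]:
        return "medium"    # macro present in the attachment itself
    return "low"


def build_sample(remote_template: bool, vba: bool) -> bytes:
    """Construct a minimal docx-shaped ZIP for testing. Not a real document;
    the host name uses the reserved .invalid TLD and never resolves."""
    target = ("http://TEMPLATE-HOST.invalid/template.dotm" if remote_template
              else "file:///C:/Users/user/Templates/Normal.dotm")
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(SETTINGS_RELS, rels)
        if vba:
            zf.writestr(VBA_PART, b"\x00" * 16)  # stand-in for an OLE stream
    return buf.getvalue()


if __name__ == "__main__":
    for rt, vb in ((True, False), (False, True), (False, False)):
        print(f"remote_template={rt} vba={vb} -> {triage(build_sample(rt, vb))}")
```

The same relationship check applies to .dotm and .docm packages, since they share the settings.xml.rels part.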

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age


Tags: Cyber weapon

Dec 04 2023

CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities

Category: OT/ICS | disc7 @ 11:28 am

CyberAv3ngers targeting Unitronics PLCs

CISA has recently confirmed that Iran-affiliated attackers took over a Unitronics Vision Series PLC at a water system facility in Pennsylvania, and urged other water authorities to promptly secure their Unitronics PLCs.

The agency has advised them to change the default password and port used by the PLC, disconnect it from the open internet or secure remote access with a firewall, VPN and multi-factor authentication (MFA), create configuration backups, and update the PLC/HMI to the latest available version.

CyberAv3ngers has previously claimed responsibility for numerous attacks against critical infrastructure organizations in Israel working in the water, energy, shipping, and distribution sectors, and only recently targeted Unitronics PLCs deployed by multiple US-based water and wastewater facilities.

In the latest advisory, the agencies shared additional information about the APT group’s activities and indicators of compromise (IoCs) associated with their most recent attacks.

“These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment,” the advisory explains.

“It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.”

The UK National Cyber Security Centre (NCSC) says that the compromise of the PLCs is “highly unlikely” to disrupt routine operations of affected organizations. “There is a very low potential risk, if the threat is unmitigated, to some small suppliers,” they noted.

The agencies repeated CISA’s initial risk mitigation advice and urged organizations to apply it to all internet-facing PLCs, not just those manufactured by Unitronics (which, it has been pointed out, may also be rebranded and appear as made by different manufacturers).

Finally, they called on device manufacturers to do their part in securing OT devices by:

  • Not shipping products with default passwords
  • Avoiding the exposure of administrative interfaces to the internet
  • Not imposing additional fees for security features
  • Making sure the devices support MFA

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS


Tags: PLCs vulnerability

Dec 03 2023

OWASP API Security Top 10 2023

Category: API security | disc7 @ 10:57 am

API Security in Action

If you want to learn more, you can check the link below

Understanding API Security and Implications


Tags: API Security, OWASP Top 10

Dec 03 2023

Introduction to Cyber Security

Category: cyber security, Information Security | disc7 @ 10:41 am

Introducing to Cybersecurity | Cyber Writes ✍

Introduction to Cyber Security: Basic to Advance Techniques


Tags: Intro to Cyber Security

Dec 02 2023

AI is about to completely change how you use computers

Category: AI | disc7 @ 2:33 pm

I still love software as much today as I did when Paul Allen and I started Microsoft. But—even though it has improved a lot in the decades since then—in many ways, software is still pretty dumb.

To do any task on a computer, you have to tell your device which app to use. You can use Microsoft Word and Google Docs to draft a business proposal, but they can’t help you send an email, share a selfie, analyze data, schedule a party, or buy movie tickets. And even the best sites have an incomplete understanding of your work, personal life, interests, and relationships and a limited ability to use this information to do things for you. That’s the kind of thing that is only possible today with another human being, like a close friend or personal assistant.

In the next five years, this will change completely. You won’t have to use different apps for different tasks. You’ll simply tell your device, in everyday language, what you want to do. And depending on how much information you choose to share with it, the software will be able to respond personally because it will have a rich understanding of your life. In the near future, anyone who’s online will be able to have a personal assistant powered by artificial intelligence that’s far beyond today’s technology.

This type of software—something that responds to natural language and can accomplish many different tasks based on its knowledge of the user—is called an agent. I’ve been thinking about agents for nearly 30 years and wrote about them in my 1995 book The Road Ahead, but they’ve only recently become practical because of advances in AI.

Agents are not only going to change how everyone interacts with computers. They’re also going to upend the software industry, bringing about the biggest revolution in computing since we went from typing commands to tapping on icons.

A personal assistant for everyone

Some critics have pointed out that software companies have offered this kind of thing before, and users didn’t exactly embrace them. (People still joke about Clippy, the digital assistant that we included in Microsoft Office and later dropped.) Why will people use agents?

The answer is that they’ll be dramatically better. You’ll be able to have nuanced conversations with them. They will be much more personalized, and they won’t be limited to relatively simple tasks like writing a letter. Clippy has as much in common with agents as a rotary phone has with a mobile device.

An agent will be able to help you with all your activities if you want it to. With permission to follow your online interactions and real-world locations, it will develop a powerful understanding of the people, places, and activities you engage in. It will get your personal and work relationships, hobbies, preferences, and schedule. You’ll choose how and when it steps in to help with something or ask you to make a decision.

“Clippy was a bot, not an agent.”

To see the dramatic change that agents will bring, let’s compare them to the AI tools available today. Most of these are bots. They’re limited to one app and generally only step in when you write a particular word or ask for help. Because they don’t remember how you use them from one time to the next, they don’t get better or learn any of your preferences. Clippy was a bot, not an agent.

Agents are smarter. They’re proactive—capable of making suggestions before you ask for them. They accomplish tasks across applications. They improve over time because they remember your activities and recognize intent and patterns in your behavior. Based on this information, they offer to provide what they think you need, although you will always make the final decisions.

Imagine that you want to plan a trip. A travel bot will identify hotels that fit your budget. An agent will know what time of year you’ll be traveling and, based on its knowledge about whether you always try a new destination or like to return to the same place repeatedly, it will be able to suggest locations. When asked, it will recommend things to do based on your interests and propensity for adventure, and it will book reservations at the types of restaurants you would enjoy. If you want this kind of deeply personalized planning today, you need to pay a travel agent and spend time telling them what you want.

The most exciting impact of AI agents is the way they will democratize services that today are too expensive for most people. They’ll have an especially big influence in four areas: health care, education, productivity, and entertainment and shopping.

Health care

Today, AI’s main role in healthcare is to help with administrative tasks. Abridge, Nuance DAX, and Nabla Copilot, for example, can capture audio during an appointment and then write up notes for the doctor to review.

The real shift will come when agents can help patients do basic triage, get advice about how to deal with health problems, and decide whether they need to seek treatment. These agents will also help healthcare workers make decisions and be more productive. (Already, apps like Glass Health can analyze a patient summary and suggest diagnoses for the doctor to consider.) Helping patients and healthcare workers will be especially beneficial for people in poor countries, where many never get to see a doctor at all.

These clinician-agents will be slower than others to roll out because getting things right is a matter of life and death. People will need to see evidence that health agents are beneficial overall, even though they won’t be perfect and will make mistakes. Of course, humans make mistakes too, and having no access to medical care is also a problem.

“Half of all U.S. military veterans who need mental health care don’t get it.”

Mental health care is another example of a service that agents will make available to virtually everyone. Today, weekly therapy sessions seem like a luxury. But there is a lot of unmet need, and many people who could benefit from therapy don’t have access to it. For example, RAND found that half of all U.S. military veterans who need mental health care don’t get it.

AI agents that are well trained in mental health will make therapy much more affordable and easier to get. Wysa and Youper are two of the early chatbots here. But agents will go much deeper. If you choose to share enough information with a mental health agent, it will understand your life history and your relationships. It’ll be available when you need it, and it will never get impatient. It could even, with your permission, monitor your physical responses to therapy through your smart watch—like if your heart starts to race when you’re talking about a problem with your boss—and suggest when you should see a human therapist.


AI Made Simple: A Beginner’s Guide to Generative Intelligence


Tags: ChatGPT

Dec 01 2023

Bridging the gap between cloud vs on-premise security

Category: Cloud computing | disc7 @ 9:56 am

The widespread adoption of SaaS applications, remote work, and shadow IT compels organizations to adopt cloud-based cybersecurity. This is essential as corporate resources, traffic, and threats are no longer restricted to the office premises.

Cloud-based security initiatives, such as Secure Access Service Edge (SASE) and Security Service Edge (SSE), comprising Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA), effectively push security to wherever the corporate users, devices, and resources are – all via the cloud. With all security functions now delivered over the cloud and managed through a single pane of glass, the incoming and outgoing traffic (aka the north-south traffic) is effectively secured.

However, the east-west traffic — i.e., traffic that traverses the internal network and data centers and does not cross the network perimeter — is never exposed to these cloud-based security checks.

One way around it is to maintain a legacy data center firewall that monitors and controls the east-west traffic specifically. For starters, this hybrid security architecture adds to the cost and complexity of managing disparate security solutions, something organizations desperately attempt to overcome with cloud-based converged security stacks.

Secondly, the absence of unified visibility across cloud and on-premise security components can result in a loss of shared context, which renders security loopholes inevitable. Even Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) solutions can’t address the complexity and operational overhead of maintaining a hybrid security stack for different kinds of traffic. As such, organizations still need that single, integrated security stack that offers ubiquitous protection for incoming, outgoing, and internal traffic, managed via a unified dashboard.

Extending cloud-native security to east-west traffic

Organizations need a security solution that offers both north-south and east-west protection, but it must all be orchestrated from a unified, cloud-based console. There are two ways to achieve this:

1. Via WAN firewall policy

Cloud-native security architectures like SASE and SSE can offer the east-west protection typically delivered by a data center firewall by rerouting all internal traffic through the closest point of presence (PoP). Unlike a local firewall that comes with its own configuration and management constraints, firewall policies configured in the SSE PoP can be managed via the platform’s centralized management console. Within the unified console, admins can create access policies based on ZTNA principles. For instance, they can allow only authorized users connected to the corporate VLAN and running an authorized, Active Directory-registered device to access sensitive resources hosted within the on-premise data center.

In some cases, however, organizations may need to implement east-west traffic protection locally without redirecting the traffic to the PoP.

2. Via LAN firewall policy

Consider a situation where a CCTV camera connected to an IoT VLAN needs to access an internal CCTV server.

Given the susceptibility of the IoT camera to be compromised by a malicious threat actor and controlled over the internet via a remote C2 server, the camera’s internet or WAN access should be disabled by default. If the data center firewall policy is implemented in the PoP, the traffic from internet-disabled IoT devices will naturally be exempt from such policies. To bridge this gap, SASE and SSE platforms can allow admins to configure firewall policies at the local SD-WAN device.

Typically, organizations connect to the SASE or SSE PoPs through an SD-WAN device, also known as a socket, installed at the site. The centralized dashboard can allow admins to configure rules for allowing or blocking internal or LAN traffic directly at the SD-WAN device, without ever sending it to the PoP over WAN.

In this scenario, if the traffic matches the pre-configured LAN firewall policies, the rules can be enforced locally. For instance, admins can allow corporate VLAN users to access printers connected to the printer VLAN while denying such access to guest Wi-Fi users. If the traffic does not match pre-defined policies, the traffic can be forwarded to the PoP for further classification.
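The two-tier evaluation described under points 1 and 2 (LAN rules enforced locally on the SD-WAN socket, unmatched flows forwarded to the PoP where ZTNA conditions such as an authorized user on the corporate VLAN with an AD-registered device are checked) can be modelled as a small policy engine. The Python below is an added example, not any SASE or SSE vendor’s configuration; the VLAN ranges, ports, user identity and the default-deny behaviour at the PoP are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed VLAN addressing for an example site; not from any vendor document.
VLANS = {
    "corporate":  ip_network("10.10.0.0/24"),
    "guest":      ip_network("10.20.0.0/24"),
    "printer":    ip_network("10.30.0.0/24"),
    "iot":        ip_network("10.40.0.0/24"),   # CCTV cameras live here
    "cctv":       ip_network("10.50.0.0/24"),   # internal CCTV server
    "datacenter": ip_network("10.100.0.0/24"),  # on-premise sensitive resources
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    user: Optional[str] = None     # identity the PoP has for this session
    ad_registered: bool = False    # device posture: joined to Active Directory


def vlan_of(addr: str) -> str:
    """Map an address to its VLAN name; anything outside the site is 'wan'."""
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "wan"


# LAN firewall policy pushed to the SD-WAN socket. First match wins. A flow
# that matches nothing returns None and is forwarded to the PoP instead.
LAN_RULES = [
    # (source VLAN, destination VLAN, allowed ports or None for any, verdict)
    ("corporate", "printer", {9100, 631}, "allow"),  # staff may print
    ("guest",     "printer", None,        "deny"),   # guest Wi-Fi may not
    ("iot",       "cctv",    {554, 443},  "allow"),  # camera -> CCTV server
    ("iot",       "wan",     None,        "deny"),   # camera never reaches the Internet
]


def lan_policy(flow: Flow) -> Optional[str]:
    """Local decision on the socket, or None when no LAN rule matches."""
    src_v, dst_v = vlan_of(flow.src), vlan_of(flow.dst)
    for s, d, ports, verdict in LAN_RULES:
        if s == src_v and d == dst_v and (ports is None or flow.dport in ports):
            return verdict
    return None


# Constructed authorization data held by the PoP for the data center.
DATACENTER_USERS = {"alice@example.test"}


def wan_policy(flow: Flow) -> str:
    """ZTNA-style check applied in the PoP. Default deny: the data center is
    reachable only by an authorized user, on the corporate VLAN, from an
    AD-registered device (all three conditions from the post)."""
    if vlan_of(flow.dst) == "datacenter":
        if (flow.user in DATACENTER_USERS
                and vlan_of(flow.src) == "corporate"
                and flow.ad_registered):
            return "allow"
    return "deny"


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (enforcement point, verdict): 'lan' when the socket decided
    locally, 'pop' when the flow was forwarded for classification."""
    verdict = lan_policy(flow)
    if verdict is not None:
        return ("lan", verdict)
    return ("pop", wan_policy(flow))


if __name__ == "__main__":
    print(evaluate(Flow("10.10.0.5", "10.30.0.9", 9100)))        # printing from corporate
    print(evaluate(Flow("10.40.0.3", "203.0.113.10", 443)))      # camera to the Internet
    print(evaluate(Flow("10.10.0.5", "10.100.0.10", 443,
                        user="alice@example.test", ad_registered=True)))
```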

Cloud-based east-west protection is the way to go

As security functions move increasingly to the cloud, it’s crucial not to lose sight of the controls and security measures needed on-site.

Cloud-native protections aim to increase coverage while reducing complexities and boosting convergence. As critical as it is to enable east-west traffic protection within SASE and SSE architectures, it’s equally important to maintain the unified visibility, control, and management offered by such platforms. To achieve this, organizations must avoid getting carried away by emerging threats and adding back disparate security solutions.

As such, any on-premise security measures added within cloud-based security paradigms should maintain a unified dashboard for granular policy configuration and end-to-end visibility across LAN and WAN traffic. This is the only way organizations can reliably bridge the gap between cloud and on-premise security and enable a sustainable, adaptable, and future-proof security stack.

The Azure Cloud Native Architecture Mapbook: Explore Microsoft Cloud’s infrastructure, application, data, and security architecture


Tags: cloud security, The Azure Cloud Native Architecture

Nov 29 2023

Chrome Zero-Day Vulnerability That Exploited In The Wild

Category: Information Security, Web Search Engine, Web Security | disc7 @ 8:13 am

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this year. The flaw, identified as CVE-2023-6345, is classified as an integer overflow in Skia, an open-source 2D graphics library written in C++.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” Google said.

There are several potential risks associated with this high-severity zero-day vulnerability, including the execution of arbitrary code and crashes.

On November 24, 2023, Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group reported the issue.

Google has updated the Stable channel to version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, addressing the year’s sixth actively exploited zero-day vulnerability. The update will be rolled out over the coming days and weeks.

Additionally, Google has fixed six high-severity security vulnerabilities with this update.

Details Of The Vulnerabilities Addressed

Type Confusion in Spellcheck is a high-severity bug that is being tracked as CVE-2023-6348. Mark Brand from Google Project Zero reported the issue.

Use after free in Mojo is the next high-severity bug, tagged as CVE-2023-6347. 360 Vulnerability Research Institute’s Leecraso and Guang Gong reported the issue, and they were rewarded with a bounty of $31,000.

Use after free in WebAudio is a high-severity issue identified as CVE-2023-6346. Following Huang Xilin of Ant Group Light-Year Security Lab’s disclosure, a $10,000 prize was given out.

An out-of-bounds memory access in libavif is a high-severity bug tagged as CVE-2023-6350. Fudan University reported it, and $7000 was given out.

Use after free in libavif is a high-severity bug identified as CVE-2023-6351. Fudan University reported it, and $7000 was given out.

Update Now

To stop exploitation, Google strongly advises users to update their Chrome web browser right away. The steps to update Chrome are:

  • Go to the Settings option.
  • Then select About Chrome.
  • Wait, as Chrome will automatically fetch and download the latest update.
  • Once the installation process completes, you have to restart Chrome.
  • That’s it. Now you are done.

Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation


Tags: Chrome zero-day

Nov 28 2023

Stop panic buying your security products and start prioritizing

Category: Security Tools | disc7 @ 2:12 pm

In the realm of cybersecurity, where a constant influx of new “essential” products occurs, it’s tempting to be influenced into investing in unnecessary tools that not only expand your vulnerability but also provide minimal, if any, value. Let’s delve into the intricacies of security expenditure and the advantages of optimization, especially in times of economic uncertainty as we plan for the 2024 budget.

The culture of panic buying is real

This is an industry that uses fear, uncertainty, and doubt (FUD) as a selling tactic, making security leaders feel like every product is make-or-break for the wellbeing of their organization. The promise of a fix-it-all solution (the mythical silver bullet) is particularly tempting in this environment, especially for smaller organizations that most likely don’t have the budgets to implement a multitude of security tools or hire cyber specialists in-house. Vendors play on that desperation to make profits, and a lot of them are very good at it.

The fear mongering may also lead to impulsive decisions to invest in products that won’t configure correctly with the buyer’s current technology stack, thus introducing even more risk. The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of an organization’s security team.  

The consequences can cost millions

According to IBM’s 2023 Cost of a Data Breach Report, organizations are now paying $4.5 million to deal with breaches – a 15% increase over the last three years. Aside from spending cash to purchase the product, panic buying can result in a wider attack surface, costly auto-renews and misconfigurations.

There is no doubt that taking advantage of new technological solutions (with AI and machine learning being fan favorites right now), can be extremely beneficial from both a technological and reputational perspective. But without looking at the big picture and calculating the actual value of the product in question, it’s nearly impossible to make a well-informed investment decision.

To assess the value of a product, security leaders should examine whether it adds or minimizes organizational risk and whether their current cybersecurity personnel and tools will be able to interact with it effectively.

Calculating the value of a product doesn’t have to be a guessing game. Risk = likelihood x impact is a great equation to use to solve for the value of a product or service.

To calculate likelihood of an attack, examine the degree of difficulty to execute an attack and the exposure of your assets. Determine your organization’s acceptable risk and use that equation to work backwards to identify the monetary impact of an attack. If that impact is significantly higher than the price of the product or service, it may be worth looking elsewhere.

It’s easy to fall into the trap of impulse buying cybersecurity products that don’t improve security but instead leave you vulnerable to costly attacks. Organizations should aim to protect their most valuable assets and prioritize addressing threats to those critical puzzle pieces of their business.

The solution is possible, and relatively simple

Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward.

Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action.

‘Tis the season to prioritize your security investments

It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents.

By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.

When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases, which tend to be costly line items.

In today’s economic climate, proving ROI for security spend is a big part of security leaders’ jobs. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.

Cyber Security Program and Policy Using NIST Cybersecurity Framework: NIST Cybersecurity Framework (CSF)


Tags: security products

Nov 25 2023

Stuxnet techniques used

Category: Cyber War, Digital cold war, Malware | disc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software


Tags: Stuxnet

Nov 25 2023

CISSP Study Guide

Category: CISSP, Information Security | disc7 @ 2:44 pm

CISSP Study Guide | Cyber Press

CISSP Study Guide


Tags: CISSP study guide

Nov 21 2023

Increasingly prevalent NetSupport RAT infections reported

Category: Malware, Remote code | disc7 @ 9:30 am

Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed mostly in organizations in the education, government, and business sectors, in recent weeks, according to a report from VMware Carbon Black researchers. Fraudulent browser updates have been leveraged by threat actors to facilitate the distribution of the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to establish a remote server connection and facilitate the retrieval of a NetSupport RAT-containing ZIP archive file. Researchers also noted that the installation of NetSupport would then enable behavior tracking, file transfers, computer setting alterations, and lateral network movement. “The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said researchers. NetSupport RAT, which was once a remote access tool, was previously reported by Sucuri to have been spread through fake Cloudflare distributed denial-of-service protection pages.

Rat : Remote Access Trojan – Launching Virus Remotely


Tags: NetSupport RAT

Nov 20 2023

Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick

Category: Cyber Attack | disc7 @ 11:17 am

Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick

On Thursday, trades handled by the world’s largest bank in the globe’s biggest market traversed Manhattan on a USB stick.

Industrial & Commercial Bank of China Ltd.’s U.S. unit had been hit by a cyberattack, rendering it unable to clear swathes of U.S. Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems. That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.

The workaround — described by market participants — followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing Co., ION Trading U.K. and the U.K.’s Royal Mail. The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume.

The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyber attack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.

“This is a true shock to large banks around the world,” said Marcus Murray, the founder of Swedish cybersecurity firm Truesec. “The ICBC hack will make large banks around the globe race to improve their defenses, starting today.”

As details of the attack emerged, employees at the bank’s Beijing headquarters held urgent meetings with the lender’s U.S. division and notified regulators as they discussed next steps and assessed the impact, according to a person familiar with the matter. ICBC is considering seeking help from China’s Ministry of State Security in light of the risks of potential attack on other units, the person said.

Late Thursday, the bank confirmed it had experienced a ransomware attack a day earlier that disrupted some systems at its ICBC Financial Services unit. The company said it isolated the affected systems and that those at the bank’s head office and other overseas units weren’t impacted, nor was ICBC’s New York branch.

The extent of the disruption wasn’t immediately clear, though Treasury market participants reported liquidity was affected. The Securities Industry and Financial Markets Association, or Sifma, held calls with members about the matter Thursday.

ICBC FS offers fixed-income clearing, Treasuries repo lending and some equities securities lending. The unit had $23.5 billion of assets at the end of 2022, according to its most recent annual filing with U.S. regulators.

The attack is only the latest to snarl parts of the global financial system. Eight months ago, ION Trading U.K. — a little-known company that serves derivatives traders worldwide — was hit by a ransomware attack that paralyzed markets and forced trading shops that clear hundreds of billions of dollars of transactions a day to process deals manually. That has put financial institutions on high alert.

ICBC, the world’s largest lender by assets, has been improving its cybersecurity in recent months, highlighting increased challenges from potential attacks amid the expansion of online transactions, adoption of new technologies and open banking.

“The bank actively responded to new challenges of financial cybersecurity, adhered to the bottom line for production safety and deepened the intelligent transformation of operation and maintenance,” ICBC said in its interim report in September.

Ransomware attacks against Chinese firms appear rare in part because China has banned crypto-related transactions, according to Mattias Wåhlén, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity. 

But the latest attack likely exposes weaknesses in ICBC’s defenses, Wåhlén said. 

“It appears ICBC has had a less effective security,” he said, “possibly because Chinese banks have not been tested as much as their Western counterparts in the past.” 

Record levels

Ransomware hackers have become so prolific that attacks may hit record levels this year. 

Blockchain analytics firm Chainalysis had recorded roughly $500 million of ransomware payments through the end of September, an increase of almost 50% from the same period a year earlier. Ransomware attacks surged 95% in the first three quarters of this year, compared with the same period in 2022, according to Corvus Insurance.

In 2020, the website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down. It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks simultaneously.

Caesars Entertainment Inc., MGM Resorts International and Clorox Co. are among companies that have been hit by ransomware hackers in recent months.

ICBC was struck as the Securities and Exchange Commission works to reduce risks in the financial system with a raft of proposals that include mandating central clearing of all U.S. Treasuries. Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.

The incident underscores the benefits of central clearing in the $26 trillion market, said Stanford University finance professor Darrell Duffie.

“I view it as one example of why central clearing in the U.S. Treasuries market is a very good idea,” he said, “because had a similar problem occurred in a not-clearing firm, it’s not clear how the default risk that might result would propagate through the market.”

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal


Tags: The Hacker and the State, Trade via USB Stick

Nov 20 2023


Category: APT | disc7 @ 8:54 am

Russia-linked cyberespionage group APT29 has been observed leveraging the CVE-2023-38831 vulnerability in WinRAR in recent attacks.

The Ukrainian National Security and Defense Council (NDSC) reported that APT29 (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) has been exploiting the CVE-2023-38831 vulnerability in WinRAR in recent attacks.

APT29, along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The Russia-linked APT group was observed using a specially crafted ZIP archive that runs a script in the background to show a PDF lure while downloading PowerShell code to fetch and execute a payload.

The APT group targeted multiple European nations, including Azerbaijan, Greece, Romania, and Italy, with the primary goal of infiltrating embassy entities.

The threat actors used a lure document (“DIPLOMATIC-CAR-FOR-SALE-BMW.pdf”) containing images of a BMW car available for sale to diplomatic entities. The weaponized documents embedded malicious content that exploited the WinRAR vulnerability.


“In the context of this particular attack, a script is executed, generating a PDF file featuring the lure theme of a BMW car for sale. Simultaneously, in the background, a PowerShell script is downloaded and executed from the next-stage payload server.” reads the report published by NDSC. “Notably, the attackers introduced a novel technique for communicating with the malicious server, employing a Ngrok free static domain to access their server hosted on their Ngrok instance.”

In this attack scheme, Ngrok has been used to host their next-stage PowerShell payloads and establish covert communication channels.

Threat actors use the tool to obfuscate their communications with compromised systems and evade detection.

“What makes this campaign particularly noteworthy is the synthesis of old and new techniques. APT29 continues to employ the BMW car for sale lure theme, a tactic that’s been seen in the past. However, the deployment of the CVE-2023-38831 WinRAR vulnerability, a novel approach, reveals their adaptability to the evolving threat landscape. Additionally, their use of Ngrok services to establish covert communications emphasizes their determination to remain concealed.” concludes the NDSC, which also published indicators of compromise (IoCs) for these attacks.

In April, Google observed the Russia-linked FROZENBARENTS APT (aka SANDWORM) impersonating a Ukrainian drone training school to deliver the Rhadamanthys infostealer.

The threat actors used a lure themed as an invitation to join the school; the email included a link to an anonymous file-sharing service, fex[.]net. The file-sharing service was used to deliver a benign decoy PDF document with a drone operator training curriculum and a specially crafted ZIP archive (“Навчальна-програма-Оператори.zip” (Training program operators)) that exploits the flaw CVE-2023-38831.

In September, CERT-UA observed the FROZENLAKE group exploiting the WinRAR flaw to deploy malware in attacks aimed at energy infrastructure.

Google TAG experts also observed the Russia-linked APT28 group exploiting the flaw in attacks against Ukrainian users. The state-sponsored hackers employed a malicious PowerShell script (IRONJAW) to steal browser login data and local state directories.

The China-linked APT40 group was observed exploiting the CVE-2023-38831 vulnerability in attacks against targets in Papua New Guinea.

Last week, researchers at cybersecurity firm NSFOCUS analyzed the DarkCasino attack pattern exploiting the WinRAR zero-day vulnerability tracked as CVE-2023-38831. The economically motivated APT group used specially crafted archives in phishing attacks against forum users through online trading forum posts.
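The campaigns above (APT29, FROZENBARENTS, FROZENLAKE, APT28, APT40 and DarkCasino) all hinge on the same CVE-2023-38831 archive layout: a benign-looking file sits next to a directory that carries the same name (typically with a trailing space), and an affected WinRAR build launches the executable inside that directory when the user opens the benign file. The Python script below is an added example, not code from this post or from the NDSC report, that flags ZIP archives with that layout so a mail gateway or analyst can hold them for review without extracting anything. The extension list, verdict labels and the two sample archives are constructed for this illustration; the detection rests on the fact that no ordinary filesystem can produce a file and a directory with the same name, so the collision itself is the signal.

```python
"""Heuristic scanner for the CVE-2023-38831 ZIP layout (added example).

Public descriptions of the flaw: the archive holds a benign-looking file
(e.g. "lure.pdf ") and a directory of the same name; affected WinRAR
builds run the executable found in that directory when the victim
double-clicks the benign file. Any regular file whose name is also used
as a directory name is therefore worth quarantining.
"""
import io
import posixpath
import zipfile

# Extensions treated as "would execute" when found inside the same-named
# directory. Chosen for this example; extend for your environment.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs",
                   ".js", ".scr", ".lnk", ".hta"}


def find_shadowed_entries(names):
    """Return one finding per regular file whose name also prefixes other
    entries as a directory. Works on a plain name list so the same logic
    can be applied to listings from other container formats."""
    names = [n.replace("\\", "/") for n in names]  # tolerate Windows separators
    regular = [n for n in names if not n.endswith("/")]
    findings = []
    for fname in regular:
        prefix = fname + "/"
        # Directory entries may be explicit ("lure.pdf /") or exist only
        # implicitly through their children, so match on the prefix.
        children = [n for n in names if n.startswith(prefix) and len(n) > len(prefix)]
        if not children:
            continue
        executables = [c for c in children
                       if posixpath.splitext(c)[1].lower() in EXECUTABLE_EXTS]
        findings.append({
            "file": fname,
            "trailing_space": fname.endswith(" "),  # strong CVE-2023-38831 signal
            "children": children,
            "executables": executables,
        })
    return findings


def scan_zip(data):
    """Scan ZIP bytes; reading the central directory is enough, nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_shadowed_entries(zf.namelist())


def verdict(findings):
    """'block' if an executable hides behind a same-named file, 'review' if
    the name collision exists without a known executable extension."""
    if any(f["executables"] for f in findings):
        return "block"
    return "review" if findings else "clean"


def build_sample_archive():
    """Constructed test fixture mimicking the public layout; the contents
    are placeholder bytes, not a document or a working script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.pdf ", b"placeholder bytes for this example")
        zf.writestr("lure.pdf /lure.pdf .cmd", b"echo constructed sample\r\n")
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign archive: a document plus a normal subfolder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"placeholder bytes")
        zf.writestr("images/photo1.jpg", b"placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()),
                        ("clean", build_clean_archive())):
        found = scan_zip(data)
        print(label, verdict(found), found)
```

Because the check only reads the central directory, it is safe to run on untrusted attachments and cheap enough for inline gateway filtering; the "review" verdict covers collisions with an unlisted extension, which still have no legitimate reason to exist.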

In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal


Tags: APT29

Nov 18 2023

Review: Cyberbunker: The Criminal Underworld

Category: Cyber crime, Cybercrime | disc7 @ 11:41 am

Written and directed by Kilian Lieb and Max Rainer, Cyberbunker is a Netflix documentary about a group of hackers that enabled the proliferation of dark web forums where illegal materials were bought and sold.

Cyberbunker: The Criminal Underworld

The documentary begins with a special police unit performing a raid in what looks like a military bunker. We are then shown a thin individual with glasses and long, gray hair: Herman Johan Xennt.

The (now) 64-year-old Dutchman, who is currently serving a prison sentence in Germany, is a bunker aficionado, having been fascinated with them since he visited a WWII bunker in Arnhem when he was a kid.

Understanding the possibilities of computer technology and the internet, he first opened a profitable computer store in the early 90s. In 1995, with the money earned from this business, he was able to buy a former NATO bunker in the southern part of the Netherlands, which ended up being the location of the first Cyberbunker – a company that provided internet and web hosting services to questionable operations.

In 2002, a fire broke out in the bunker and revealed the existence of an MDMA lab. Xennt claims that he knew nothing about the lab and that he was simply subletting part of the bunker to another group. For many years after, the company’s servers were located above ground, in Amsterdam. In 2013, Xennt found and purchased a 5-level underground Cold War-era bunker in Traben-Trarbach, a small town in the south of Germany.

But the town’s mayor soon grew suspicious of the activities going on in the bunker and decided to contact the authorities, who started telephone surveillance in 2015. The group communicated in codes, though, which made it impossible to identify specific crimes. In 2017, the authorities began monitoring the network node to identify illegal data traffic.

This led to the discovery of evidence of criminal activity: Cyberbunker provided hosting for dark web marketplaces, a forum for exchanging illegal drugs, counterfeit money and fake identification, and more.

The undercover operation provided crucial information to the police, helping them to plan and execute a successful raid. Xennt and his criminal colleagues were arrested, and over 280 servers hosting websites for up to 200 customers were shut down.

The idea of “freedom of the internet”

Cyberbunker was known among cybercriminals as a “bulletproof hoster”, which meant that the servers hosting the content stayed online no matter what (i.e., even if the authorities requested sites’ removal). It also guaranteed privacy, which was very convenient for anyone who wanted to host questionable or illegal content.

Cyberbunker advertised that it would host everything except child pornography and terrorism-related content, but the group later claimed that they didn’t really know what the clients were using their servers for.

The group was driven by the idea of “freedom of the internet” and, during the interviews with all the members of the group (including Xennt), we can see that they have a twisted idea of what it should be.

They went so far as to declare the Republic of Cyberbunker, with its “administration” and hierarchy, and perpetuated the delusion that what they were doing was good.

Does it strike the right chord?

The documentary is suitable for a wide audience and does not burden the spectator with technical details. Instead, it has a movie-like format that’s captivating and easy to follow.

The timeline of the events is well presented and clear, complemented with historical data about the main “character” – Xennt – and original private and police footage.

The authors tried to create a tense and scary atmosphere, though the characters at times act so bizarrely and seem so out of touch with reality that, on occasion, you might almost feel sorry for them. It’s hard to believe these individuals thought they were untouchable and that, even after getting arrested, they were still convinced they were making the world a better place.

Codes of the Underworld: How Criminals Communicate


Tags: Codes of the Underworld, Cyberbunker

Nov 17 2023

Why cyber war readiness is critical for democracies

Category: Cyber War, Digital cold war, Information Security, OT/ICS | disc7 @ 9:41 am

The skills being employed, the hacktivists and the other threat actors are not going anywhere. Right now, Russia might be overwhelmingly interested in Ukraine, but its aims and goals remain global.

“These skills will be turned in other directions and other targets in the future, they will be shared in threat actor groups online. This is the world you need to be preparing for right now,” he added.

His warning echoed a similar one by Viktor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine.

Russia’s attack force consists of “hackers in uniform”, cybercriminals and hacktivists congregating in various Telegram channels, but the nation is also working on engaging ever younger people in its cyber offensive campaigns. They are seeking talented individuals in schools (and not just tech universities), selecting the most talented and training them, he shared.

“The Russians are in it for the long run,” Zhora warned during his IRISSCON talk, and called on countries that are – or expect to be – targeted by cyber aggressive nations to create a cyber coalition so they can prepare, share their experiences, and exchange information.

OT under attack

We can’t talk about the war in Ukraine and not mention cyber attacks aimed at disrupting operational technology (OT) used by companies that are part of the country’s critical infrastructure (CI).

In his talk, Ferguson briefly passed through the known attacks that hit CI entities with OT-specific malware, starting with Stuxnet in 2010 and ending with CosmicEnergy in 2023.

Some of the attacks are believed to be the work of the US and Israel (Stuxnet), cybercriminals (EKANS ransomware, 2020) or are still unattributed (the destructive 2014 attack against a steel plant in Germany). But the rest, he noted, are all believed to have been mounted by Russian state-backed attackers.

And, he says, they are getting better at it. Mirroring the development of attacks against IT systems, they have recently begun exploiting legitimate tools found in OT environments, so they don’t need to develop customized malware.

Many attackers are scanning for OT-specific protocols and probing OT devices, Ferguson noted. While their actual exploitation hinges on the skills of the attackers, some modes of attack (e.g., DDoS and phishing) are available to those who are less skilled, but eager. Hacktivists can target critical infrastructure that’s exposed on the internet as it’s easily discoverable via online tools.

Unfortunately, securing OT systems comes with a host of challenges: a complex infrastructure; an increasing number of endpoints; OT devices that are insecure by design (and generally not meant to be connected to the internet); OT and IT security teams that are rarely integrated; a lack of visibility into the OT infrastructure – to name just a few.

A new level of cyber conflict

Since the start of the war, Russian hackers have been trying to shut down electrical power in the country, have gone after government agencies, IT companies, telecoms, software development firms, media houses, editors, and media personalities, Zhora noted.

While the initial attacks were mostly geared towards destruction, Russian cyber attackers are now also trying to get their hands on information that can help them determine the effectiveness of their kinetic attacks, discover whether their spies have been flagged by the Ukrainian authorities, and see what evidence those authorities have gathered about war crimes.

Clever and subtle online psy-ops campaigns are also a favorite tactic employed by the Russian state to manipulate enemies. And, since the advent of generative AI, it has become easier to mount them, Ferguson added.

All these things should be taken into consideration by governments when preparing for the future. Looking at the cyber component of the unfolding wars in Ukraine and Israel, they can see what future conflicts will look like.

Zhora says that Ukraine is becoming more and more confident of its capacity to counter future attacks, but that each democracy needs to ask itself: Are we prepared for a global cyber war? “And they need to be honest with the answer,” he noted.

If they are not, they should immediately begin investing in cyber defense and intensifying cooperation, he added.

All the War They Want: Special Operations Techniques for Winning in Cyber Warfare, Business, and Life


Tags: OT/ICS critical infrastructure
