Nov 02 2023

Implementation Guide ISO/IEC 27001:2022

Category: ISO 27kdisc7 @ 9:00 am

Implementation Guide ISO/IEC 27001:2022 by ISACA Germany Chapter.

About This Guide
Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022

About ISO/IEC 27001:2022
ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.

ISACA Germany Chapter
Homepage can be found here

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Implementation Guide ISO/IEC 27001:2022

Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking,Information Securitydisc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks like:- 

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.

Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.

Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source - ASEC)
Distribution of the malware via webpages (Source – ASEC)

Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.

For malware to work, the following elements are required to be placed in the same folder:-

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the code “2023” gives you the following files:-

Contents of compressed file (Source - ASEC)
Contents of compressed file (Source – ASEC)

The following two files are genuine VLC files with valid signatures:-

  • Setup.exe
  • libvlc.dll

The “libvlccore.dll” is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.

Running ‘Setup.exe’ activates ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code info. disguised as a PNG.

It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it. 

A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.

Process tree of malware execution (Source - ASEC)

LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2. 

The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.


IOCs (Source - ASEC)
IOCs (Source – ASEC)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Malicious DLL

Oct 31 2023


Category: Cyber surveillance,Mobile Securitydisc7 @ 7:23 am

Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous varied players and are closely tied to how mobile phones roam among cell providers for travel. These vulnerabilities are usually related to signalling signals carried across telecommunications networks, which expose phones to possible location disclosure.

Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.

Most illegal network-based location disclosure is achievable because mobile telecommunications networks interact. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as ‘surveillance actors’ throughout this paper since they are interested in mobile geolocation surveillance.

Despite worldwide 4G network adoption and fast developing 5G network footprint, many mobile devices and their owners use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.

The research done by Citizen labs focuses on geolocation risks from mobile signalling network attacks. Active or passive surveillance may reveal a user’s position using mobile signalling networks. They may use numerous strategies to do this.

The two methods differ significantly. Active surveillance employs software to trigger a mobile network response with the target phone position, whereas passive surveillance uses a collecting device to retrieve phone locations directly from the network. An adversarial network employs software to send forged signalling messages to susceptible target mobile networks to query and retrieve the target phone’s geolocation during active assaults. Such attacks are conceivable on networks without properly implemented or configured security safeguards. Unless they can install or access passive collecting devices in global networks, an actor leasing a network can only utilise active surveillance tactics.

However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.

The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.

Active Surveillance:

  • In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
  • Vulnerable networks without proper security controls are susceptible to active attacks.
  • Actors can access networks through lease arrangements to carry out active surveillance.

Passive Surveillance:

  • In passive surveillance, a collection device is used to obtain phone locations directly from the network.
  • Surveillance actors might combine active and passive methods to access location information.

Active Attacks:

  • Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
  • They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.

Vulnerabilities in Home Location Register (HLR) Lookup:

  • Commercial HLR lookup services can be used to check the status of mobile phone numbers.
  • Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
  • Actors with access to the SS7 network can perform HLR lookups without intermediary services.

Domestic Threats:

  • Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
  • Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
  • In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.

Passive Attacks:

  • Passive location attacks involve collecting usage or location data using network-installed devices.
  • Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
  • Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.

Packet Capture Examples of Location Monitoring:

  • Packet captures show examples of signaling messages used for location tracking.
  • Location information, such as GPS coordinates and cell information, can be exposed through these messages.
  • User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.

The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally.Based on history, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practises and accountability mechanisms that require operators to fix them. All three network types provide surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.

Is My Cell Phone Bugged?: Everything You Need to Know to Keep Your Mobile Conversations Private

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Oct 30 2023

Proactive Boards Lead to Flexible CISOs as Companies Prepare for What’s to Come

Category: CISO,vCISOdisc7 @ 1:25 pm

In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more!

Visit for all the latest episodes!

Show Notes:

Oct 30 2023


Category: Cyber Attackdisc7 @ 10:39 am

IT Army of Ukraine hacktivists have temporarily disrupted internet services in some of the territories that have been occupied by Russia.

Ukrainian hacktivists belonging to the IT Army of Ukraine group have temporarily disabled internet services in some of the territories that have been occupied by the Russian army.

After the invasion of the Crimea and the eastern Ukraine, Ukrainian telecommunications infrastructure was disable by Russian soldiers.

The hacktivists carried out DDoS attacks against the three Russian internet providers “Miranda-media,” “Krimtelekom,” and “MirTelekom.” The IT Army is inviting supporters to joint its operations by installing their software.

“We continue targeting internet and telecom providers to disrupt enemy communications. Today, our intel orchestrated a “thousand proxies” strike, disabling “Miranda-media,” “Krimtelekom,” and “MirTelekom.” This affects not only Crimea but also occupied parts of Kherson, Zaporizhia, Donetsk, and Luhansk regions. Another blow by our cyber army disrupting enemy military communication at the frontlines.” reads the message published by the group IT Army of Ukraine on its Telegram channel.

The Miranda Media ISP announced on Friday that is was facing a massive DDoS attack.

“Digital services operator Miranda-Media has been recording an unprecedented level of DDoS attacks from Ukrainian hacker groups since 9.05 am on October 27, 2023. As a result, there is a temporary unavailability of the services of Miranda-Media, Krymtelecom and MirTelecom.” reads the announcement.

“All technical and IT services of the company have been placed on high alert. All necessary measures are being taken to restore the network’s functionality. We will inform you further about the progress of the work.”

The Russian ISP managed to mitigate the attack by the end of Friday, it partially restored its services on Friday evening.

Telecommunication infrastructure and internet services are critical infrastructure and were targeted by both Russian and Ukrainian threat actors.

The Russia-linked APT group Sandworm (UAC-0165) has compromised eleven telecommunication service providers in Ukraine between May and September 2023, reported the Ukraine’s Computer Emergency Response Team (CERT-UA).

According to public sources, the threat actors targeted ICS of at least 11 Ukrainian telecommunications providers leading to the disruption of their services.

“According to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers.” reads the advisory published by the CERT-UA.

Internet Provider Security A Complete Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Internet Provider Security, INTERNET PROVIDERS

Oct 27 2023


Category: APT,Information Securitydisc7 @ 1:19 pm

According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions. The research was published by the agency.

Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly into French computer networks in an effort to acquire a variety of sensitive sorts of data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France, also known as ANSSI, the perpetrators of the attacks hacked systems that were not being actively watched, such as routers, and abstained from employing backdoors in order to avoid being discovered. These cyber attackers infiltrate peripheral devices on crucially important French organisational networks, according to a recent study published by France’s National Agency for the Security of Information Systems (ANSSI), and they do so without making use of backdoors in order to avoid detection. After conducting an analysis of the group’s Techniques, Tactics, and Procedures (TTPs), ANSSI came to the conclusion that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April of 2023, a phishing expedition was begun with the purpose of obtaining system settings, insights into operational operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users during the months of March 2022 and June 2023. In order to carry out reconnaissance and data collecting, the attackers made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail. Both of these vulnerabilities were exploited by the attackers.

In order to carry out their intrusions, the gang made use of applications such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. It is important to understand that APT28 use a wide variety of different VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture is rooted on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify them.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.

The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:

Protecting the privacy of email communications and preventing their disclosure via 
adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic. Reducing the potential points of attack on email online interfaces and managing the dangers posed by servers such as Microsoft Exchange and putting in place mechanisms that can identify malicious emails.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Oct 26 2023

Most Important Network Penetration Testing Checklist

Category: Cheat Sheet,Information Security,Pen Testdisc7 @ 9:25 am

Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering Open ports, troubleshooting live systems, and services, and grabbing system banners.

The pen-testing helps the administrator to close unused ports, additional services, Hide or customize banners, troubleshoot services, and to calibrate firewall rules.

You should test in all ways to guarantee there is no security loophole.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.

  • A – A record is used to point the domain name such as to the IP address of its hosting server.
  •  MX – Records responsible for Email exchange.
  • NS – NS records are to identify DNS servers responsible for the domain.
  • SRV – Records to distinguish the service hosted on specific servers.
  • PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
  • SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
  • CNAME – Cname record maps a domain name to another domain name.

We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.

Ping&Ping Sweep:

root@kali:~# nmap -sn nmap -sn To ScanRange of IProot@kali:~# nmap -sn 192.168.169.* Wildcardroot@kali:~# nmap -sn Entire Subnet

Whois Information 

To obtain Whois information and the name server of a websiteroot@kali:~# whois



Network Diagonastic tool that displays route path and transit delay in packetsroot@kali:~# traceroute

Online Tools


2. Port Scanning

Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.

root@kali:~# nmap –open             To find all open ports

root@kali:~# nmap -p 80           Specific Port

root@kali:~# nmap -p 80-200   Range of ports

root@kali:~# nmap -p “*”          To scan all ports

Online Tools


3. Banner Grabbing/OS Fingerprinting

Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, and NMAP determines the operating system of the target host and the operating system.

Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A nmap -v -A with high verbosity level

IDserve is another good tool for Banner Grabbing.

Networkpentesting Flowchart

Online Tools


4. Scan For Vulnerabilities

Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.

These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.


It acts as a security consultant and offers patch management vulnerability assessment, and network auditing services.


Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.

The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.

Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide from being caught.

6. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.

You can download the rules and scope Worksheet here: Rules and Scope sheet 

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.

important tools

Important Tools Used For Network Pentesting


Kali Linux, Backtrack5 R3, Security Onion


Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft


Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scannerService Fingerprinting Xprobe, nmap, zenmap


Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena,DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan


Nessus, GFI Languard, Retina,SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack


Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap


 Metasploit, Core Impact

These are the Most important checklist you should concentrate with Network penetration Testing .

Also Read:

Penetration Testing – Protecting Networks and Systems

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Network Penetration Testing Checklist

Oct 26 2023


Category: HackingDISC @ 7:13 am

During the Day 1 of the Pwn2Own Toronto 2023 hacking contest, the organization has awarded a total of $438,750 in prizes!

Team Orca of Sea Security received the greatest rewards of the day, the researchers chained two issues using an OOB Read and UAF against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.

Researchers from Pentest Limited demonstrated an Improper Input Validation against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.

The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.

Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).

Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.

Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.

Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.

Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.

Below is the leaderboard after Pwn2Own Toronto 2023 Day 1.

Tags: pwn2own

Oct 23 2023

10 Best Hacker-Friendly Search Engines Of 2023

Category: Hacking,Information Security,Web Search Enginedisc7 @ 8:33 am

The search engines allow users to find any content via the world wide web.

It helps to find any information easily and is a web-based tool that allows someone to discover or detect any data.

Here are the best Hackers’ Search Engines.

There are various search engines that are available online, hackers use. So we are describing here in this article the top search engines for hackers.

10 Best Hackers Search Engines

The search engines allow users to find any content via the world wide web.

It helps to find any information easily and is a web-based tool that allows someone to discover or detect any data.

Here are the best Hackers’ Search Engines.

There are various search engines that are available online, hackers use. So we are describing here in this article the top search engines for hackers.

10 Best Hackers Search Engines

Best Hackers Search EnginesKey Features
ShodanIt is very useful and easy to use
Freely available
GreyNoise VisualizerTargeted scan and attack traffic.
WiGLEWireless network mapping
It has web applications
CensysEnhance general security
It helps to find open ports
HunterThis is the most dynamic
It is also accessible along with their API
PiplThis is the world’s largest people search engine.
PublicWWWIt has API  also for developers for integration
Shows millions of results for any search request
Zoom EyeIt is very useful for investigators
It is used in cyberspace as wayfinding
HIBPIt is one of the most powerful tools
OSINT FrameworkOpen Source Intelligence framework
Easy to use

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hacker-Friendly Search Engines

Oct 20 2023

Hackers Using Secure USB Drives To Attack Government Entities

Category: Cyber Attack,Hacking,Information Securitydisc7 @ 9:36 am

An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.

The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage Via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attacks can also carry out additional harmful files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

Kingston Ironkey Locker+ 50 16GB Encrypted USB Flash Drive | USB 3.2 Gen 1 | XTS-AES Protection | Multi-Password Security Options | Automatic Cloud Backup

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: encrypted usb drive, USB Drives To Attack

Oct 18 2023

XorDDoS Infects Linux Devices And Uses Them To Carry Out DDoS Attacks

Category: DDoS,Information Securitydisc7 @ 9:00 am

A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.

Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.

Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.

However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.

Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.

As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.

Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.

XorDDoS Infects Linux Devices

XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/, the OS version, malware version, memory status, and CPU information.

The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,

  • ppp.gggatat456[.]com:53
  • ppp.xxxatat456[.]com:53
  • p5.dddgata789[.]com:53
  • P5.lpjulidny7[.]com:53
C2 decryption function
C2 decryption function (Source: Palo Alto Unit42)


As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.

Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.

C2 Network Infrastructure

A list of C2 domains that were registered and used by the threat actors is as follows:

C2 DomainsName ServerC2 SubdomainsIP AddressesAutonomous System

Source: Palo Alto Unit42

Complete Network Infrastructure
Complete Network Infrastructure (Source: Palo Alto Unit42)

Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.

Indicators Of Compromises (IOCs)

XorDDoS Binaries

  • b8c4d68755d09e9ad47e0fa14737b3d2d5ad1246de5ef1b3c794b1339d8fe9f8
  • 265a38c6dee58f912ff82a4e7ce3a32b2a3216bffd8c971a7414432c5f66ef11
  • 1e823ae1e8d2689f1090b09dc15dc1953fa0d3f703aec682214750b9ef8795f1
  • 989a371948b2c50b1d45dac9b3375cbbf832623b30e41d2e04d13d2bcf76e56b
  • 20f202d4a42096588c6a498ddb1e92f5b7531cb108fca45498ac7cd9d46b6448
  • 9c5fc75a453276dcd479601d13593420fc53c80ad6bd911aaeb57d8da693da43
  • ce0268e14b9095e186d5d4fe0b3d7ced0c1cc5bd9c4823b3dfa89853ba83c94f
  • aeb29dc28699b899a89c990eab32c7697679f764f9f33de7d2e2dc28ea8300f5

Ethical Hacking Volume 10: DoS/DDoS Attacks: Protecting Network and Services

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DDoS attacks, XorDDoS

Oct 17 2023


Category: Network securitydisc7 @ 9:10 am

Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Cisco’s array of switching, routing, and wireless network devices.


A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.

Exploitation in the Wild
Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems
The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

  1. Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
  2. Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.

Cisco’s Response
Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

  1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].
  1. System logs containing messages about unknown file installation actions, like:
  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  1. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
  • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1", if a hexadecimal string is returned, the implant is present.

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.

CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.

Zero Trust Architecture (Networking Technology: Security)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cisco, CVE-2023-20198, Zero Trust Architecture

Oct 16 2023


Category: Cyber Espionage,Security Toolsdisc7 @ 9:36 am


ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.


ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.


  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.


  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.



  • Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).


The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host


LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.


This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.


Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.


The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.


  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.

Spy Secrets That Can Save Your Life: A Former CIA Officer Reveals Safety and Survival Techniques to Keep You and Your Family Protected

100 Deadly Skills: The SEAL Operative’s Guide to Eluding Pursuers, Evading Capture, and Surviving Any Dangerous Situation

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ToddyCat’s Group

Oct 14 2023

HackerGPT: A ChatGPT Empowered Penetration Testing Tool

Category: ChatGPT,Hackingdisc7 @ 4:59 pm

HackerGPT is a ChatGPT-enabled penetrating testing tool that can help with network hacking, mobile hacking, different hacking tactics, and other specific tasks.

The main foundation of HackerGPT is the training data that has been offered. It does not use a jailbreak technique. Particularly, it generates replies using ChatGPT with a specified request while conforming to ethical rules.

Obtaining a 14-day trial is an option available. With this trial, you get access to GPT-4, an unlimited amount of messages for HackerGPT, quicker answers, and other advantages.

“No logs, no cost, anonymous login. Trained on a ton of hacking reports”, the company said.

“HackerGPT is only available in your web browser. Making it into an app will take some time, but with your feedback, we can make progress faster”.

Responses of HackerGPT

For instance, what if we asked HackerGPT to provide a step-by-step tutorial on conducting ARP spoofing

Threat Sentry Security, the Cyber Security Analyst, said, “Hacker-GPT. This is a pentester dream, my job just became 100 times easier. I told it to create an XSS payload & it did it without hesitation”.

According to users, HackerGPT is provided with numerous bug bounty reports and might be helpful to you in your job. A big-time saver.

It utilizes GPT-3 and GPT-4 and is aware of most attack routes and methodologies.

As of this writing, the company provides the users with the following:

  • Plus, the subscription is now at HALF the price!
  • Free users: 1.5x more messages with HackerGPT.
  • Plus users: 2.5x more messages with GPT4.
  • Plus bonus: Unlimited messages with HackerGPT.

Ethical hacking may use this tool to improve security evaluation and mitigation elements. The difficulty of communicating complicated technological results to both technical and non-technical audiences is a problem ethical hackers frequently face. 

ChatGPT’s capacity to produce logical and understandable explanations may make the communication of vulnerabilities simpler, hence facilitating organizations’ comprehension of possible risks and the adoption of the necessary countermeasures.

A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: A Hacker's Mind, HackerGPT

Oct 14 2023

Best implementers of InfoSec program

Category: CISO,Security program,vCISOdisc7 @ 11:48 am

Best implementers of InfoSec program (ISMS) are those who possess both management and leadership capabilities…

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

2020 Cybersecurity CANON Hall of Fame Winner

Todd Fitzgerald, co-author of the ground-breaking (ISC)2 CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.

CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.

The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.

Previous articles on the subject of Chief Information Security Officers (CISOs)

Previous articles on the subject of Virtual Chief Information Security Officers (vCISOs).

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: isms, security program

Oct 13 2023



The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the User-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandora’s box of potential cyber-attacks and exploitations.


The User-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting users’ data and privacy at substantial risk.


CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.


Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned ‘freed’ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.


The exploitation of CVE-2023-5218 could have a multifold impact:

  • Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
  • System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
  • Malware Spread: By redirecting browsers to malicious websites, malware could be injected into users’ systems, further expanding the impact of the attack.


  • Vulnerability Class: Use After Free
  • Impact: Confidentiality, Integrity, and Availability
  • Disclosure Date: 10/11/2023
  • AdvisoryChrome Releases Blog

The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, unexpected value utilization, or arbitrary code execution. The vulnerability is classified under CWE-416 and CWE-119, indicating its potential to improperly restrict operations within the bounds of a memory buffer and its susceptibility to use after free exploits.


The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:

  • Regularly update and patch software to safeguard against known vulnerabilities.
  • Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
  • Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.


The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.

The Google Workspace Bible: [14 in 1] The Ultimate All-in-One Guide from Beginner to Advanced | Including Gmail, Drive, Docs, Sheets, and Every Other App from the Suite

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome

Oct 12 2023

Adobe, Cisco IOS, Skype, WordPad, and HTTP/2 Rapid Reset Flaws Actively Exploited: CISA Warns

Category: Security vulnerabilitiesdisc7 @ 9:25 am

The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.

This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.

It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.

Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.

As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.

Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.

Five Actively Exploited Flaws

  • CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability

A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.

This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.

An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.

A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.

  • CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability

An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker”, Microsoft warns.

The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.

  • CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability

This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances. 

To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.

“The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.

Microsoft patched the flaw in its October Patch Tuesday release.

The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocol’s handling of request cancellations or resets is the source of the issue.

When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream. 

However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.

This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.

CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.

Cybersecurity and Infrastructure Security Agency (CISA) TIPS

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cybersecurity and Infrastructure Security Agency

Oct 11 2023


Category: Cybercrime,Security Toolsdisc7 @ 8:58 am

Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  


The latest release, version 4.9, introduces several significant features and improvements:

  • User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
  • Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
  • Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
  • Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
  • Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
  • WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
  • Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.


Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.


Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.


Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.


Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.


To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

Cobalt Strike, a Defender’s Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cobalt Strike

Oct 10 2023

eBook: Cybersecurity career hacks for newcomers

Category: Cyber careerdisc7 @ 3:47 pm

Are you excited to pursue a cybersecurity career but unsure where to begin? Whether you’re a student, an incoming professional, or ready to work in a different field, the tried-and-tested career hacks in this eBook will help you get your start in cybersecurity

Inside the eBook

  • Cybersecurity Is Hot! Current Market Conditions
  • Where Entry-Level Lands You
  • Cybersecurity Career Hacks for Students, Incoming Professionals and Career-Changers
  • How to Get a Certified Advantage

Download – eBook: Cybersecurity career hacks for newcomers

Explore Cybersecurity Career

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: career hacks, ISC2

Oct 10 2023


Category: Malwaredisc7 @ 8:40 am


In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.


In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’


WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.


WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.


Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce


Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


« Previous PageNext Page »