CERT-UA warns of malspam attacks distributing the Jester info stealer

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of attacks spreading info-stealing malware Jester Stealer.

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected malspam campaigns aimed at spreading an info-stealer called Jester Stealer.

The malicious messages spotted by the Ukrainian CERT have the subject line “chemical attack” and contain a link to a weaponized Microsoft Excel file. Upon opening the Office documents and activating the embedded macro, the infection process starts.

Government experts observed that malicious executables are downloaded from compromised web resources.

“The government’s team for responding to computer emergencies in Ukraine CERT-UA revealed the fact of mass distribution of e-mails on the topic of “chemical attack” and a link to an XLS-document with a macro.” reads the report published by CERT-UA. “If you open the document and activate the macro, the latter will download and run the EXE file, which will later damage the computer with the malicious program JesterStealer.” 

Jester Stealer

The Jester stealer is able to steal credentials and authentication tokens from Internet browsers, MAIL/FTP / VPN clients, cryptocurrency wallets, password managers, messengers, game programs, and more. 

The info-stealer implements anti-analysis capabilities (anti-VM/debug/sandbox), but it doesn’t implement any persistence mechanism. The threat actors exfiltrare data via Telegram using statically configured proxy addresses.

“Stolen data through statically defined proxy addresses (including in the TOR network) is transmitted to the attacker in the Telegram.” continues the report.

The report includes Indicators of Compromise (IoCs).

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

1000s of phishing emails sent from NHS inboxes

New research from the email security firm Inky has revealed that more than 1000 emails were sent from NHS inboxes over a six month period.

The firm has claimed that the campaign, beginning October 2021, escalated “dramatically” in March of this year.

After the findings were reported to the NHS on April 13, Inky reported that the volume of attacks fell significantly to just a “few”.

“The majority were fake new document notifications with malicious links to credential harvesting sites that targeted Microsoft credentials. All emails also had the NHS email footer at the bottom,” Inky explained.

fishing pole

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails 

Scams: Learn valuable skills to avoid being scammed by frauds. Real experiences of fraud detection, Fraud Examination, phishing emails, scam calls & more.

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

As data privacy laws expand, businesses must employ protection methods

Data protection is challenging for many businesses because the United States does not currently have a national privacy law  —  like the EU’s GDPR  —  that explicitly outlines the means for protection. Lacking a federal referendum, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.

For companies doing business in California, Virginia, Colorado and Utah*  —  or any combination of the four —  it is essential for them to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times. 

Understanding how data privacy laws intersect is challenging

While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments  —  audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but vary in the reasons why a company may have to take one.

Virginia requires companies to undergo data protection assessments to process personal data for advertising, sale of personal data, processing sensitive data, or processing consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments. 

Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).

The state laws also have variances related to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements, VCDPA will recognize the other assessment as satisfying their requirements. However, businesses under the CPA do not have that luxury  —  Colorado only recognizes its assessment requirements to meet compliance.

Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.

There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.

The aforementioned represents just some variances between the four laws — there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.

Overcoming ambiguity through proactive data privacy protection

Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips. 

It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies. 

Identify data risk 

From the moment a business creates or receives data from an outside source, organizations must first determine its risk based on the level of sensitivity. The initial determination lays the groundwork for the means by which organizations protect data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.

Create policies for data protection

Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.

Integrate data protection in the analytics pipeline

The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods — such as data masking, tokenization and encryption — is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.

Implement privacy-enhanced computation

Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced-use cases where data processors can pool data from multiple sources to gain deeper insights. 

The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection — especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.  

*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.

Data Privacy Law: A Practical Guide to the GDPR

Information Privacy Engineering and Privacy by Design: Understanding Privacy Threats, Technology, and Regulations Based on Standards and Best Practices

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

A zero-day vulnerability in uClibc and uClibc-ng, a popular C standard library, could enable a malicious actor to launch DNS poisoning attacks on vulnerable IoT devices.

The bug, tracked as ICS-VU-638779, which has yet to be patched, could leave users exposed to attack, researchers have warned.

DNS poisoning

In a DNS poisoning attack, the target domain name is resolved to the IP address of a server that’s under an attacker’s control.

This means at if a malicious actor were to send a ‘forgotten password’ request, they could direct it to their own email address and intercept it – allowing them to change the victim’s password and access their account.

For an IoT device, this attack could potentially be used to intercept a firmware update request and instead directing it to download malware.

The DNS poisoning vulnerability was discovered by researchers at Nozomi Networks, who revealed that the issue remains unpatched, potentially exposing multiple users to attack.

Nozomi Networks states that uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo. uClibc-ng is a fork specifically designed for OpenWRT, a common operating system for web routers.

The library maintainer was unable to provide a fix, according to Nozomi. The researchers said they would refrain from sharing technical details or listing vulnerable devices until a patch is available.

“It’s important to note that a vulnerability affecting a C standard library can be a bit complex,” the team wrote in a blog post this week.

“Not only would there be hundreds or thousands of calls to the vulnerable function in multiple points of a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors configured to use that library.”

Source: https://portswigger.net/daily-swig/zero-day-bug-in-uclibc-library-could-leave-iot-devices-vulnerable-to-dns-poisoning-attacks

Managing Mission – Critical Domains and DNS: Demystifying nameservers, DNS, and domain names

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Vulnerable Docker Installations Are A Playhouse for Malware Attacks

Uptycs researchers identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API.

The Uptycs Threat Research team has identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API port 2375. The attacks are related to crypto miners and reverse shells on the vulnerable servers using base64-encoded commands in the cmdline, built to evade defense mechanisms. This article briefly discusses three types of attacks which we observed lately in our Docker honeypot.

  • Coinminer attacks
  • Reverse shell attacks
  • Kinsing malware attacks

Case 1 – Coinminer Attacks 

The coinminer attack chain involves several shell scripts to drop malicious components via deployment of legitimate Docker images on the vulnerable servers (the servers exposed to Docker API). 

Malicious Shell Scripts Involved In The Campaign

The threat actors tried to run the Alpine Docker image with chroot command to gain full privileges on the vulnerable server host (a common misconfiguration). The attacker passed curl utility as an argument to the Alpine image which downloads and runs the malicious shell script (hash: 

) on the vulnerable server host as shown below (see Figure 1).

Figure 1: honeypot log – command ran by attacker on the vulnerable server

Cronb.sh (the miner script)

Securing Docker: The Attack and Defense Way

Securing Docker: The Attack and Defense Way by [Nitin Sharma, Jeremy Martin, Daniel Traci]

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

7 threat detection challenges CISOs face and what they can do about it

Security operations (SecOps) teams continue to be under a constant deluge of new attacks and malware variants. In fact, according to recent research, there were over 170 million new malware variants in 2021 alone. As a result, the burden on CISOs and their teams to identify and stop these new threats has never been higher. But in doing so, they’re faced with a variety of challenges: skills shortages, manual data correlation, chasing false positives, lengthy investigations, and more. In this article, I’d like to explore some of the threat detection program challenges CISOs are facing and provide some tips on how they can improve their security operations.

CISOs ensure the security operations program for threat detection, investigation and response (TDIR) is executing at peak performance. Let’s look at seven key issues that can affect TDIR programs and some questions CISOs should consider asking their organization, security operations team, and the vendors providing solutions to resolve them.

1. There are too many indicators of compromise (IoCs) or security events happening across a network to properly identify malicious activity. As a result, CISOs are looking for advanced tools that can correlate and analyze this data effectively to eliminate false positives. The last thing any CISO wants is for his/her team to waste time on an event that might simply be a failed login associated with a user incorrectly typing their password multiple times.

Questions to ask: Can I correlate data from any source (such as logs, cloud, applications, network, endpoints, etc.), no matter what it is? Can I fully monitor all these systems, ingest all the telemetry needed, and perform correlation automatically? And what is it costing me to correlate all that data (i.e., what is my solution provider charging)?

2. Correlating data over time is hard. It’s like putting puzzle pieces together from a box filled with multiple puzzles. An attack that occurs once can be difficult enough to identify. But once threat actors are inside an environment, they’ll often do a little activity spread over a longer period (sometimes days, weeks or months later). This makes is almost impossible for a human analyst to take these seemingly disparate events across time and connect them to complete the puzzle.

Most tools also struggle to correlate those seemingly independent events as part of the same attack because they seem unrelated over time. CISOs are responsible for making sure the team has everything it needs (based on constrained budgets) to put that puzzle together before damage is done.

Questions to ask: Do I have a wide variety of data sources and analytics that can process events and correlate them across time effectively? Is out-of-the-box threat content included for real-time attack detection?

3. When piecing together an attack campaign, manual correlation and investigation of disparate security sources drastically extends the time and resources required from a CISO and his/her team. Pulling data from several systems at once is necessary to get the contextual information needed to find out what’s wrong (and how to respond). But in the time this takes, the damage could already be done. This challenge can easily frustrate CISOs that have invested so much time and money in building up the security operations program.

Questions to ask: Does your current team have to do a lot of manual correlation, and how are they able to accomplish that with events that span weeks or even months? Does your team have to search through multiple tools and put together context on their own to see patterns that will help formulate a better response when working with other IT teams?

4. The skills gap remains a problem. However, as more seasoned practitioners who were fundamentally trained across networking, servers, and other aspects of IT are aging out of the workforce, CISOs are being forced to hire more security focused analysts, but with less broad practitioner experience. This is impacting the amount of on-the-job training and experience required (and offered) for them to be effective. There are just not enough skilled cybersecurity professionals in the market today.

Questions to ask: How can my TDIR platform automate certain tasks and bring the right context to the forefront. How can it provide the necessary context that can help a less experienced analyst learn over time and increasingly add value?

5. Vendors are overpromising and underdelivering. When it comes to threat detection, too many vendors falsely claim or exaggerate that they have machine learning (ML), artificial intelligence (AI), multicloud support, and/or apply risk metrics. CISOs are barraged with vendors claiming to offer a silver bullet at worst or using questionable marketing claims at best. Neither delivers what’s promised.

Questions to ask: Does the solution use rule-based ML/AI (which is important to understand considering it’s static in nature, requires updating, and is ineffective at identifying new attacks and variants)? Does multicloud just do correlation (leaving it up to the analyst to determine if an attack is occurring across multi-cloud)? Is risk scoring just aggregated scores from public sources (not leveraging an enterprise-class risk engine powered by analytics)?

6. The tradeoff of cost and budget versus better security visibility can be a painful choice. CISOs often are presented with platforms (like a SIEM) that charge organizations based on volume of data ingested. As an organization grows, charging by data ingested is unpredictable and can quickly lead to rapidly escalating costs in licensing and storage. As a result, CISOs should be looking for solutions that reduce this cost burden, while still allowing the organization to pull in and ingest as much data as possible. The result is better SOC visibility and more effective TDIR.

Questions to ask: For a solution that employs true machine learning, the more data that can be pulled in the better. Does my solution penalize me for bringing in more data? Or does it embrace more data ingestion to offer better visibility and do so by providing flexible licensing? How can my provider help reduce storage costs?

7. Automation can drive efficiency and speed threat detection. This can free up security team members to focus their attention on more intensive tasks. When done effectively, this provides OPEX savings – which means less time and resources spent on simple and manual tasks of low value, while also shrinking the time for high-value tasks. It can also provide better experience for junior analysts, especially when your analytics and automation are transparent, allowing them to learn and improve.

But not all automation is created equal. Solutions that produce too much noise and too many false positives make it difficult to prioritize investigation and automate responses. The more accurate the threat detection is, the more targeted the automated response can be.

Questions to ask: Is automation in the solution inherent across my entire SOC lifecycle? If so, how do I know it’s working and how can I trust that it’s optimizing my operations (for example, can it show that I’m stopping threats earlier in the kill chain)?

As CISOs and their security operations teams look to improve threat detection they’ll face a variety of issues around visibility, cost, flexibility (especially into cloud environments), analytics, prioritization, contextual data and much more. But by working together to understand these challenges – and by arming ourselves with knowledge and the right questions – our industry can continue to evolve and deliver better security operations for our organizations.


Latest CISO’s titles…..

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

General Access Control Guidance for cloud system


Role Based Access Control in Cloud Computing: Role Based Access Control Using Policy Specification and Ontology on Clouds

Leave a Comment

Do You Need to Rethink AppSec With 5G?

It’s not quite everywhere yet, but 5G connectivity is growing rapidly. That’s a great thing for remote workers and anyone depending on a fast connection, but what kind of impact will 5G have on application security?

“The explosion of 5G is only going to put more pressure on teams to harden their application security practice,” said Mark Lambert, vice president of products at ArmorCode, via email. The reason is the increase in the attack surface.

More devices with high bandwidth will be connecting to your network systems and services. At the same time, Lambert pointed out, business leaders are demanding an increase in the pace of software delivery. As 5G use becomes the norm, so does the risk of apps without the security to support faster connectivity.

“Application security teams need ways to quickly identify vulnerabilities within the DevSecOps pipeline and collaborate with development teams to escalate remediation,” said Lambert.

The IoT Dilemma

5G will accelerate the use of IoT devices, which in turn will accelerate app development for IoT devices. Based on the lack of priority for security in the application development process today, there is no indication that IoT software will be designed to handle the challenges of 5G security in the future. And there will be challenges.

The 5G systems won’t just connect phones, sensors and software to the internet. “On a high level, a 5G system comprises a device connected to a 5G access network which, in turn, is connected to the rest of the system called a 5G core network,” according to a whitepaper from Ericsson.

So, it won’t simply be all the new connections that are expanding the attack surface and creating an increased application security risk, but also the change in how 5G connects to the network. Rather than the one-way network that was in place under 4G, 5G brings a two-way communication capability, and, according to a Cyrex blog post, would “be linked in this two-way network and effectively would be public to those with the skills to exploit the link.”

5G, AppSec and the Cloud

Expect to see 5G lead to an increase in the adoption of cloud applications, said Kevin Dunne, president at Pathlock, in an email interview.

“Increased connectivity and connection speeds from anywhere will drive companies to invest in infrastructure that can be accessed from anywhere,” said Dunne. “Providing accessible applications will increase employee productivity, but it will also introduce new threats. With critical resources now on the public network, bad actors can access them from anywhere, increasing the number of threats to sensitive data and business processes.”

IT security teams will need to shift their focus from network-based perimeter protection to more modern approaches that look beyond what users can do in an application to what they are doing, Dunne added. “This helps to defend against modern attacks like phishing and ransomware which are increasingly common in cloud environments.”

It’s not all gloom and doom for 5G and application security. 5G can enhance app security, allowing developers to create more intelligent software and allowing them to use virtual hardware. 5G can also improve identity management and authentication that will make it more difficult for threat actors to infiltrate applications.

5G is expected to transform business reliance on IoT devices and cloud applications. Expect new threats and risks to go hand-in-hand with the innovations that 5G brings. Those responsible for application security will need to prepared with cybersecurity systems that will adapt to those threats.

5G SASE Security

5G Wireless: A Comprehensive Introduction

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Pro-Ukraine attackers compromise Docker images to launch DDoS attacks on Russian sites

Pro-Ukraine hackers are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites.

Pro-Ukraine hackers, likely linked to Ukraine IT Army, are using Docker images to launch distributed denial-of-service (DDoS) attacks against a dozen websites belonging to government, military, and media. The DDoS attacks also targeted three Lithuanian media websites.

The attacks were monitored by cybersecurity firm CrowdStrike, who discovered that the Docker Engine honeypots deployed between February 27 and March 1 were compromised and used in the DDoS attacks.

The attackers attempt to exploit misconfigured Docker installs through exposed APIs and takeover them to abuse their computational resources.

“Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets.” reported Crowdstrike. “Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.”

The technique to compromise Dockers containers is widely adopted by financially-motivated threat actors, like LemonDuck or TeamTNT to abuse their resources and mine cryptocurrencies.

The experts noticed that the Docker images’ target lists overlap with domains shared by the Ukraine IT Army (UIA). The attacks involved the two images that have been downloaded over 150,000 times, but the threat intelligence firm confirmed that CrowdStrike Intelligence cannot determine the exact number of downloads originating from compromised infrastructure. 

The list of targeted websites includes the Kremlin and Tass agency websites.

DDoS Docker images Ukraine

The two images used by the attackers are named “erikmnkl/stoppropaganda” and “abagayev/stop-russia”.

“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.” concludes the report that includes Indicators of Compromise (IoCs) along with Snort detection rule.

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

A DNS flaw impacts a library used by millions of IoT devices

A vulnerability in the domain name system (DNS) component of the uClibc library impacts millions of IoT products.

Nozomi Networks warns of a vulnerability, tracked as CVE-2022-05-02, in the domain name system (DNS) component of the uClibc library which is used by a large number of IoT products. The flaw also affects DNS implementation of all versions of the uClibc-ng library, which is a fork specifically designed for OpenWRT, a common OS for routers used in various critical infrastructure sectors.

An attacker can exploit the vulnerability for DNS poisoning or DNS spoofing and redirect the victim to a malicious website instead of the legitimate one.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.” reads the advisory published by Nozomi Networks.

The uClibc library is used by major vendors, including Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo.

Security experts did not disclose the details of the flaw because the vendor has yet to address it.

The researchers from Nozomi discovered the issue by reviewing the trace of DNS requests performed by an IoT device in their test environment. They were able to determine the pattern of DNS requests performed from the output of Wireshark, the transaction ID is first incremental, then resets to the value 0x2, then is incremental again. The transaction ID of the requests was predictable, a circumstance that could allow an attacker to perform DNS poisoning under certain circumstances.


“A source code review revealed that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, located in the source file “/libc/inet/resolv.c”.” continues the advisory. “Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server. Exploitability of the issue depends exactly on these factors. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port.”

If the OS uses randomization of the source port, the only way to exploit the issue is to bruteforce the 16-bit source port value by sending multiple DNS responses, while simultaneously winning the race against the legitimate response.

“As anticipated, as of the publication of this blog, the vulnerability is still unpatched. As stated in a public conversation, the maintainer was unable to develop a fix for the vulnerability, hoping for help from the community. The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.” concludes Nozomi.

Managing Mission – Critical Domains and DNS: Demystifying nameservers, DNS, and domain names

DNSSEC Mastery

Leave a Comment

Most Important Python Tools for Ethical Hackers & Penetration Testers 2022

Python Tools

By Balaji N

There are a variety of python tools are using in the cybersecurity industries and the python is one of the widely used programming languages to develop the penetration testing tools.

Anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out the mastering in Python For Hacking From Scratch.

It has a highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to advanced level.

The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc. Here you can also find 1000 ofhacking tools.

Best Python Tools for Pentesters

Python Course & Papers


  • ScapyScapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcapPcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
  • SubBrute, fast subdomain enumeration tool
  • Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
  • Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
  • Spoodle: A mass subdomain + poodle vulnerability scanner
  • SMBMap: enumerate Samba share drives across an entire domain
  • Habu: python network hacking toolkit

Debugging and Reverse Engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm: disassembler library for AMD64, licensed under the BSD license
  • Frida: A dynamic instrumentation framework which can inject scripts into running processes
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
  • vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
  • Androguard: reverse engineering and analysis of Android applications
  • Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
  • Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
  • PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
  • CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.


  • afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
  • antiparser: fuzz testing and fault injection API
  • TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
  • Fusil: Python library used to write fuzzing programs


  • Requests: elegant and simple HTTP library, built for human beings
  • lxml: easy-to-use library for processing XML and HTML; similar to Requests
  • HTTPie: human-friendly cURL-like command line HTTP client
  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • Ghost.py: webkit web client written in Python
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester
  • spynner: Programmatic web browsing module for Python with Javascript/AJAX support
  • python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
  • mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
  • pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
  • spidy: simple command-line web crawler with page downloading and word scraping


  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • Rekall: memory analysis framework developed by Google
  • LibForensics: library for developing digital forensics applications
  • TrIDLib, identify file types from their binary signatures. Now includes Python binding
  • aft: Android forensic toolkit

Malware Analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software
  • jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
  • yara-python: identify and classify malware samples
  • phoneyc: pure Python honeyclient implementation
  • CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file


  • peepdf: Python tool to analyse and explore PDF files to find out if they can be harmful
  • Didier Stevens’ PDF tools: analyse, identify and create PDF files (includes PDFiDpdf-parser and make-pdf and mPDF)
  • Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
  • PDFMiner: extract text from PDF files
  • python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support


  • InlineEgg: toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
  • PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • Hachoir: view and edit a binary stream field by field
  • py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • wmiexec.py: execute Powershell commands quickly and easily via WMI
  • Pentestly: Python and Powershell internal penetration testing framework
  • hacklib: Toolkit for hacking enthusiasts: word mangling, password guessing, reverse shell and other simple tools

Other Useful Libraries and Tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
  • PyQt and PySide: Python bindings for the Qt application framework and GUI library


Talks, slides and articles

Mastering Python for Networking and Security

Mastering Python for Networking and Security: Leverage the scripts and  libraries of Python version 3.7 and beyond to overcome networking and  security issues, 2nd Edition: 9781839217166: Computer Science Books @  Amazon.com

Leave a Comment

How Log4j Reshaped Cloud Security Thinking

A report from IT security firm Valtix has revealed how IT leaders are changing the way they secure cloud workloads in the aftermath of the Log4j vulnerability.

Log4j is a logging library and part of the Apache Software Foundation’s Apache Logging Services project. It is pretty much ubiquitous in applications and services built using Java. 

It is used to record all manner of digital activities that run under the hoods of millions of computers. In December 2021, the Log4j vulnerability—aka CVE-2021-44228—was publicly announced and rapidly flagged as one of the most critical security vulnerabilities in recent years.

Once hackers discovered it was vulnerable to attack, they opened a dangerous vulnerability for IT teams across every industry.

Valtix surveyed 200 cloud security leaders to better understand how they protect every app across every cloud in the aftermath of Log4j. The survey found that 95% of IT leaders said Log4j and Log4Shell was a wake-up call for cloud security and that the vulnerability changed it permanently.

Log4j Changed Security Thinking

Log4j impacted not only the security posture of organizations across the globe but the very way IT leaders think about security.

The survey found 83% of IT leaders felt that the response to Log4j has impacted their ability to address business needs and that Log4j taught IT leaders the status quo isn’t good enough.

Respondents said they felt the security protections in place now are insufficient, that other high severity open source vulnerabilities will emerge and they worry that cloud service providers themselves might have vulnerabilities that could impact their teams.

In addition, 85% of respondents said poor integration between cloud security tools often slows down security processes and caused security lapses, while 82% of IT leaders said visibility into active security threats in the cloud is usually obscured. 

Just over half (53%) said they felt confident that all their public cloud workloads and APIs were fully secured against attacks from the internet, and less than 75% said they were confident that all of their cloud workloads were fully segmented from the public internet.

“Security leaders are still dealing with the impacts of Log4Shell,” explained Davis McCarthy, principal security researcher at Valtix. “Although many have lost confidence in their existing approach to cloud workload protection, the research shows they are taking action in 2022 by prioritizing new tools, process changes and budget as it relates to cloud security.”

Changing Cloud Security Priorities

The survey also revealed that Log4j shuffled cloud security priorities, with 82% of IT leaders admitting their priorities have changed and 77% of leaders said they are still dealing with Log4j patching.

Vishal Jain, co-founder and CTO at Valtix, added that the research echoed what the company is hearing from organizations daily: Log4Shell was a catalyst for many who realized that—even in the cloud—defense-in-depth is essential because there is no such thing as an invulnerable app.

“Log4Shell exposed many of the cloud providers’ workload security gaps as IT teams scrambled to mitigate and virtually patch while they could test updated software,” he said. “They needed more advanced security for remote exploit prevention, visibility into active threats or ability to prevent data exfiltration.”

According to the report, as a result of Log4j, security leaders are prioritizing additional tools, process changes and budgets, with industries from financial services to manufacturing reprioritizing their cloud security initiatives after Log4j.

The top five industries where confidence is still negatively impacted due to Log4j are energy, hospitality/travel, automotive, government and financial services, the survey found. 

The majority (96%) of enterprises said their cloud security threats grow more complex every year as new players, threats, tools, business models and requirements keep IT teams busier and more important than ever.

Security leaders also indicated that they recognize there’s no such thing as an invulnerable cloud workload and that defense-in-depth is needed, with 97% of IT leaders viewing defense-in-depth as essential in the cloud.

However, budget constraints slow tech adoption, with lack of funding the top challenge to adequate protection, followed by concerns that preventative security will slow down the business.

Survey respondents also indicated it is difficult to operationalize cloud workload protection solutions, with 79% of IT leaders agreeing that agent-based security solutions are difficult to operationalize in the cloud.

Meanwhile, 88% of IT leaders said they think bringing network security appliances to the cloud is challenging to the cloud computing operating model and 90% of IT leaders said open network paths to cloud workloads from the public internet can create security risks. 

Free and open source software (FOSS) will continue to present a risk to organizations as hackers focus on exploiting security flaws in the code, a report from Moody’s Investors Service found.

In the case of Log4j, for example, three to five years could elapse before organizations are finished patching security flaws, and with recent estimates indicating open source makes up 80% to 90% of the average piece of software, the persistent security threats FOSS presents is significant. 

Log4j Computer Security Change is Necessary

Log4Shell 2 Hours Hands-On Log4j Vulnerability: For Java engineers

Leave a Comment

3 Ways to Boost Pentesting ROI

If you’re a car owner, it can be tempting to put off an oil change, tire rotation or other recommended vehicle tune-up. But reality becomes all too clear when you’re sitting on the side of the highway waiting for AAA. And it’s even more painful when you’re hit with a massive repair bill a few days later that far exceeds any short-lived savings. 

Like many frustrated drivers, businesses are currently learning this lesson the hard way with cybersecurity. Last year, data breaches at organizations increased by 68% to reach their highest volume ever, according to Identity Theft Resource Center’s 2021 Data Breach Report

Even as data breaches become more prevalent and costly, many organizations continue to hold off on vital cybersecurity measures, as well as neglect routine pentesting and provisioning maintenance. This short-sighted approach costs organizations more in the long run. 

In order to prevent hacks and breaches, businesses must act quickly and treat cybersecurity as a long-term investment; learning how to drive the most value from security testing instead of waiting for a cyberattack to occur.  

Pentesting: A Proactive Approach to Cybersecurity

One of the most effective ways to increase your cybersecurity readiness is penetration testing (pentesting, for short)—a simulated cyberattack designed to discover vulnerabilities in an organization’s IT systems. 

Pentesting involves stepping into hackers’ shoes to identify weak spots. By role-playing how a hacker might breach your security configurations, this process helps identify potential vulnerabilities and threats, test security responses and capabilities and measure ongoing improvements to your cybersecurity system. 

Your pentesters can come from either your internal security experts or from a third-party team. They dig into your security systems one by one, starting with a set of objectives to carry out an attack. Most teams combine black-box and white-box testing: For black, the pentester acts as a true external hacker with little or no knowledge of the IT landscape; for white, the pentester acts as an internal developer with complete knowledge of the landscape. 

Here’s what the process typically looks like:

  • Pentesters begin with low-privilege identity credentials from someone in a network, but they also look for vulnerabilities from any unauthenticated perspectives. After gaining remote access, pentesters explore your system and search for exploitable security gaps.
  • Based on what they find, pentesters develop and carry out a cyberattack. The aim is to gain escalating privileges and a greater ability to modify your systems, which packs a bigger punch than stealing data alone.
  • Once an attack commences, pentesters report their findings, rank vulnerabilities in terms of severity and advise you on remedies. After changes are implemented, pentesters test again to ensure you’ve properly closed all gaps. 

How to Get the Most out of Pentesting

For most organizations, reservations about pentesting aren’t rooted in a lack of understanding about the strategy’s benefits; instead, it comes down to time and money. In fact, 74% of IT professionals and security leaders said they would test their systems more frequently if it wasn’t so cumbersome, while 71% said it was too expensive.

So, how can you ensure your investment pays off? 

Here are three ways to achieve greater ROI on pentesting that are worth your resources: 

  1. Don’t skimp on scope or substance. On average, a high-quality pentest costs between $30,000 and $60,000 depending on the size and complexity of your organization. Large enterprises, for example, may spend closer to $100,000.  While it’s tempting to choose the cheapest option available on the market, low-cost alternatives often sacrifice test quality and deliver results that are far too narrow to provide meaningful remedies. Pay for a test that looks at your cybersecurity system comprehensively and is capable of producing results that benefit your security team in the long term.
  2. Set clear objectives and test cases. Most CISOs have a laundry list of security concerns that keeps them up at night. Pentesting is a great way to put those scenarios to rest. You can assemble a detailed list of top security concerns for pentesters to target first, which ensures that testing is specific to your industry, your company and your security framework.
  3. Incorporate testing (and retesting) as part of your cybersecurity routine. Security systems—and threats that aim to compromise them—are constantly changing. Routine testing on an annual or semiannual basis ensures your cybersecurity remains up-to-date and provides a metric for constant improvement. In fact, 85% of cybersecurity pros reported conducting such tests at least once a year. Retesting verifies that issues you’ve identified in the past have been fixed. 

The consequences of a cyberattack are more devastating than ever: In 2021, the average cost of a data breach reached a record $4.24 million, according to IBM’s annual Cost of a Data Breach Report.

Yet the average cybersecurity budget only constitutes 15% of a business’s overall IT budget. It often takes a catastrophe to galvanize organizations to update and improve cybersecurity measures. But by that time, the damage is done—loss of business, broken trust with customers, damage to your reputation and even regulatory fines.

Rather than waiting for a security incident, incorporate routine pentesting to ensure your cybersecurity defenses are ready for a potential attack. For cars, every 5,000 miles is a good rule of thumb for an oil change or tire rotation. For cybersecurity teams, an annual pentest is a solid start to boost your organization’s cybersecurity maintenance and drive sustained improvements that are well worth the cost. 

The Pentester BluePrint: Starting a Career as an Ethical Hacker

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Keep your digital banking safe: Tips for consumers and banks

Digital banking has been a reality for quite a while now, particularly pushed forward in these last few years. Is security keeping up the pace?

Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or email alerts for financial transactions, multi-factor authentication, fraud monitoring and alerts, and two-step verification for large money transfers. When these features are set up correctly, they exponentially increase the security for personal banking accounts.

Unfortunately, not all consumers use these critical safeguards on their accounts. Our recent Retail Banking Survey found that 30% of those relying on a password only change it one to two times a year, and 23% admit to never changing their password. Despite banks working to improve online security protocols, consumers must also do their part in taking advantage of enhanced security features to keep their accounts safe.

What makes digital banking vulnerable the most?

Instead of physically walking into a bank to manage finances, consumers can now access their account effortlessly on a banking website or mobile app. However, since banks strive to make the digital banking experience as intuitive and frictionless as possible for users, this can also present an opportunity for hackers to access unwitting consumers’ bank accounts.

Since authenticating a consumer’s true identity is so important to the online banking experience, if a bank does not offer strong identity verification, or if consumers are not practicing proper cyber hygiene on their mobile devices and computers, they can be socially engineered into giving up access to their bank account. Considering the majority (45%) of bank customers continue to use traditional username and password to log in, as opposed to more secure methods like thumbprint (20%), facial recognition (17%) or two-factor authentication (16%), consumer’s financial information is more vulnerable than they may realize.

What are the common mistakes consumers make when using digital banking?

The biggest mistake is that many customers still use the same username and password combination to access their online bank account, as they would for other websites. Since websites are constantly being breached (and then their entire password databases are bought and sold on hacker forums), today’s fraudsters are well-versed in testing stolen credentials to log into as many other sensitive websites (like emails, bank accounts and cloud storage accounts) as possible. This is why consumers must use a lengthy and unique password for their online banking accounts, one that can also easily be created and managed through a password manager.

Another common mistake is when consumers don’t set up secure multi-factor authentication, which is necessary in protecting oneself in today’s online world, because simple credentials can be stolen or guessed by a hacker at any time. This protocol is easy to set up and makes it exponentially more difficult for hackers to gain access to a banking account, as it requires additional security measures like FaceID and TouchID, coupled with the consumer’s login credentials, to authenticate to the online bank.

Finally, banking customers should take advantage of security alerts to keep their financial information secure. Many banks allow customers to set up monitoring and security alerts in their banking profiles, so they know when someone is either accessing their account or performing any financial transactions with their funds. This can help them take action much quicker against potential hacks, as well as keep a closer eye on their financial information.

How aware are consumers of the possible threats to their bank accounts and data and how proactive have they become in protecting them?

Many people are still not aware of how easily a fraudster can convince the average person to unknowingly give up their bank account details. Furthermore, many don’t know that poor cyber hygiene on their computers and mobile devices can lead to them inadvertently exposing their personal information.

Some good cyber hygiene practices include keeping devices and all automatically installed apps up to update, installing only trusted apps from the App Store, running anti-virus software and being suspicious of unsolicited calls, texts and emails from banks.

Hackers are using fake emails, texts and phone calls to trick people into thinking their bank is directly contacting them to take some kind of ‘urgent action,’ by coaxing them to verify fake fraudulent activity, or their personal details. Furthermore, there have been cases of fake banking apps distributed on the Google Play Store that look identical to legitimate Android banking apps, but were actually designed to steal victims’ banking credentials.

Banks also educate their customers about the dangers of online banking, as well as actively encourage them to set up features such as multi-factor authentication and security alerts on their accounts.

Consumers should be routinely checking their bank accounts for fraudulent activity, and according to our survey, 41% people check their bank accounts almost every day. Security is a team sport, and it involves active participation by everyone involved to ensure that bank accounts remain safe. In addition to monitoring their accounts, consumers can do their part by making sure they turn on the various security features in their bank account profile.

What can banks do to strengthen their cyber resiliency while offering a satisfactory customer experience?

Banks should continue to communicate to customers how easy it is to enable multi-factor authentication and security alerts for their accounts. This will mitigate many security issues, even if the consumer decides to continue using the same credentials on their banking site, as they do on other websites.

Additionally, banks can strengthen their cyber resiliency using a superior digital insights platform, to ensure that the process and flow for setting up online banking security controls, such as multi-factor authentication and alerts, are seamless and easy to activate. This allows banks to monitor visitors’ digital banking experience, identify and resolve specific pain points consumers face when trying to set up better security controls on their profile, either due to technical errors or confusing UX designs.

If they have any setup issues, and back out of turning features on, banks can pinpoint exactly where that occurred so they can address it, and people are more encouraged in the future to finish the setup process. Real-time monitoring of web and mobile banking applications can also help flag fraudulent activity, so that action can be taken against it and prevent it in the future.

OAuth 2 in Action

Leave a Comment

CloudFlare blocked a record HTTPs DDoS attack peaking at 15 rps

Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS).

Cloudflare announced to have mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS), which is one of the largest HTTPS DDoS attacks blocked by the company.

The company blocked the attack earlier this month, the experts pointed out that HTTPS DDoS attacks are more expensive because require higher computational resources for establishing a secure TLS encrypted connection. On the other side, HTTPS DDoS attacks cost more to the victim to mitigate. 

“Earlier this month, Cloudflare’s systems automatically detected and mitigated a 15.3 million request-per-second (rps) DDoS attack — one of the largest HTTPS DDoS attacks on record.” reads the post published by CloudFlare. “We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

DDoS attack

The attack was launched by a botnet composed of approximately 6,000 unique bots that was monitored by Cloudflare experts and that was involved in other massive attacks that peaked at 10M rps.

The DDoS attack blocked by the company lasted less than 15 seconds and targeted an unnamed customer operating a crypto launchpad. Crypto launchpads are platforms for launching new coins, crypto projects, and raising liquidity.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.

The analysis of the malicious traffic revealed that it mostly originated from data centers, it originated from 112 countries around the world. 15% of the malicious traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.

“Within those countries, the attack originated from over 1,300 different networks. The top networks included the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), OVH in France (ASN 16276), as well as other cloud providers.” concludes the post.

In August, the web infrastructure and website security company announced that it has mitigated the largest ever volumetric distributed denial of service (DDoS) attack at the time. The malicious traffic reached a record high of 17.2 million requests-per-second (rps), a volume three times bigger than previously reported HTTP DDoS attacks. Be aware, that the attack that the company blocked in August was an HTTP DDoS and not an HTTPS one.

In November 2021, the company mitigated a distributed denial-of-service (DDoS) attack that peaked just below 2 terabytes per second (Tbps), which is the largest attack Cloudflare has seen to date.

Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Linux Nimbuspwn flaws could allow attackers to deploy sophisticated threats

Microsoft disclosed two Linux privilege escalation flaws, collectively named Nimbuspwn, that could allow conducting various malicious activities.

The Microsoft 365 Defender Research Team has discovered two Linux privilege escalation flaws (tracked as CVE-2022-29799 and CVE-2022-29800) called “Nimbuspwn,” which can be exploited by attackers to conduct various malicious activities, including the deployment of malware.

“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” reads the advisory published by Microsoft.

The flaws can be exploited by attackers to achieve root access to the target systems and deploy by more sophisticated threats, such as ransomware.

The flaws reside in the systemd component called networked-dispatcher, which is dispatcher daemon for systemd-networkd connection status changes.

The review of the code flow for networkd-dispatcher revealed multiple security issues, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues.

The researchers started enumerating services that run as root and listen to messages on the System Bus, performing both code reviews and dynamic analysis.

Chaining the issues, an attacker in control of a rogue D-Bus service that can send an arbitrary signal, can deploy backdoors on the compromised final touches.

Linux Nimbuspwn flaws

he researchers were able to develop their own exploit that runs an arbitrary script as root. The exploit also copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p”. (the “-p” flag is necessary to force the shell to not drop privileges)

Researchers recommend users of networkd-dispatcher to update their installs.

“To address the specific vulnerabilities at play, Microsoft Defender for Endpoint’s endpoint detection and response (EDR) capabilities detect the directory traversal attack required to leverage Nimbuspwn.” concludes the post.

Mastering Linux Security and Hardening

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Nation-state Hackers Target Journalists with Goldbackdoor Malware

A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.

Sophisticated hackers believed to be tied to the North Korean government are actively targeting journalists with novel malware dubbed Goldbackdoor. Attacks have consisted of multistage infection campaign with the ultimate goal of stealing sensitive information from targets. The campaign is believed to have started in March and is ongoing, researchers have found.

Researchers at Stairwell followed up on an initial report from South Korea’s NK News, which revealed that a North Korean APT known as APT37 had stolen info from the private computer of a former South Korean intelligence official. The threat actor–also known as Ricochet Collima, InkySquid, Reaper or ScarCruft—attempted to impersonate NK News and distributed what appeared to be a novel malware in an attempt to target journalists who were using the official as a source, according to the report.

NK News passed details to Stairwell for further investigation. Researchers from the cybersecurity firm uncovered specific details of the malware, called Goldbackdoor. The malware is likely a successor of the Bluelight malware, according to a report they published late last week.

“The Goldbackdoor malware shares strong technical overlaps with the Bluelight malware,” researchers wrote. “These overlaps, along with the suspected shared development resource and impersonation of NK News, support our attribution of Goldbackdoor to APT37.”

APT37 was previously seen using Bluelight as a secondary payload last August in a series of watering hole attacks against a South Korean newspaper that used known Internet Explorer vulnerabilities.

As Stairwell researchers noted, journalists are “high-value targets for hostile governments,” and often the target of cyber-espionage attacks. In fact, one of the biggest security stories of last year was various governments’ use of the NGO Group’s Pegasus spyware against journalists, among other targets.

“[Journalists] often are aggregators of stories from many individuals–sometimes including those with sensitive access,” Stairwell researchers wrote. “Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources.”

Multi-Stage Malware

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Leave a Comment

Phishing goes KISS: Don’t let plain and simple messages catch you out!

We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.

In cybersecurity, KISS cuts two ways.

KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.

For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.

Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)…

…all these lead us instantly and unerringly to the [Delete] button.

If you don’t know our name, don’t know our bank, don’t know which languages we speak, don’t know our operating system, don’t know how to spell “respond immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to get us to click.

That’s not so much because you’d stand out as a scammer, but simply that your email would advertise itself as “clearly does not belong here”, or as “obviously sent to the wrong person”, and we’d ignore it even if you were a legitimate business. (After that, we’d probably blocklist all your emails anyway, given your attitude to accuracy, but that’s an issue for another day.)

Indeed, as we’ve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.

KISS, plain and simple

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails

Leave a Comment

Anomaly Six, a US surveillance firm that tracks roughly 3 billion devices in real-time

An interesting article published by The Intercept reveals the secretive business of a US surveillance firm named Anomaly Six.

When we speak about the secretive business of surveillance businesses we often refer to the powerful tools developed by Israeli firms like NSO Group and Candiru, but many other firms operates in the shadow like the US company Anomaly Six (aka A6).

According to an interesting analysis published by The Intercept, Anomaly Six is a secretive government contractor that claims to monitor billions of phones worldwide.

While Russia was invading Ukraine in February, two unknown surveillance startups, Anomaly Six and Zignal Labs joined forces to provide powerful surveillance services.

Zignal Labs is a company that provides social media surveillance, combining its analysis with capabilities of A6, the U.S. government was able to spy on Russian the army before the invasion.

“According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.” reads the article published by The Intercept. “The staggering surveillance capacity was cited during a pitch to provide A6’s phone-tracking capabilities to Zignal Labs, a social media monitoring firm that leverages its access to Twitter’s rarely granted “firehose” data stream to sift through hundreds of millions of tweets per day without restriction.”

The capabilities claimed by the surveillance firm are worrisome, a government contractor can spy on Americans and pass gathered data to the US intelligence agencies.

The source that provided the information on the secretive surveillance firms to The Intercept said that Zignal Labs violated Twitter’s terms of service to gather intelligence, but the company refused any accusation.

A6, unlike other surveillance firms, harvests only GPS pinpoints and data it provides allows to surveil roughly 230 million devices on an average day. A6 is able to access GPS measurements gathered through covert partnerships with “thousands” of apps. A6 also claimed to have amassed a huge quantity of information on people, it has gathered over 2 billion email addresses and other personal details for these individuals.

These data were voluntarily shared by mobile users when signing up for smartphone apps, a company spokesman explained that users agree on everything without reading the end-user license agreement.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Leave a Comment

BlackCat Ransomware gang breached over 60 orgs worldwide

At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.

The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.

“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

The list of the victims of the gang includes Moncler, the Swissport, and Inetum.

The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.

BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

According to the alert, many of the developers and money launderers for gang are linked to
Darkside/Blackmatter operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.

Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.

The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.

The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.

Below are recommended mitigations included in the alert:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.

Ransomware Protection Playbook

Leave a Comment