Nov 25 2023

Stuxnet techniques used

Category: Cyber War,Digital cold war,Malwaredisc7 @ 2:55 pm

Stuxnet: The Revenge of Malware: How the Discovery of Malware from the Stuxnet Family Led to the U.S. Government Ban of Kaspersky Lab Anti-Virus Software

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Stuxnet


Apr 13 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Category: Malware,TrojanDISC @ 4:08 pm

What’s the craic? Aunty Beeb’s anonymous scribblers sit back and wonder why—“Iran says key Natanz nuclear facility hit by sabotage”:

 The country’s top nuclear official … Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure … a day after it unveiled new uranium enrichment equipment. … Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack.

On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. … It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it.

Later state TV read out a statement by … Atomic Energy Organisation of Iran (AEOI) … head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” … Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.

Thorn in my side? Ronen Bergman, Rick Gladstone, Farnaz Fassihi, David E. Sanger, Eric Schmitt, Lara Jakes, Gerry Mullany and Patrick Kingsley tag-team thuswise—“Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage”:

 [The] power failure … appeared to have been caused by a deliberately planned explosion. … American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the … power system that supplies the underground centrifuges.

The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss.

The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration … was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.

Source: Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Tags: Stuxnet


Apr 21 2019

Stuxnet Malware Analysis

Category: MalwareDISC @ 6:15 pm

Stuxnet Malware Analysis By Amr Thabet


 Subscribe in a reader




Tags: advanced malware, Advanced persistent threat, Stuxnet


Oct 24 2011

New Stuxnet-Like Worm Discovered

Category: MalwareDISC @ 12:42 pm

By Jeff James : Twitter at @jeffjames3
In June 2010, security experts, analysts, and software providers were warning IT managers about Stuxnet, a new computer worm that was spreading rapidly over the internet. Stuxnet was distributed by Windows machines, and the intent of the worm wasn’t immediately clear. After a few months it was revealed that the vast majority of Stuxnet infections were in Iran, and Stuxnet seemed to have been specifically targeting the Siemens industrial control equipment used in the Iranian nuclear program.

German security expert Ralph Langner was interviewed by NPR reporter Tom Gjelten earlier this year about Stuxnet, and Gjelten reported that Langner told him that the worm was so complex and sophisticated that it was “almost alien in design” and believed that only the United States had the resources required to create Stuxnet and orchestrate the attack. As more details emerged, it became clear that Stuxnet was likely developed by either Israeli or American intelligence agencies in an attempt to impede Iran’s nuclear program.

Both Israeli and American security officials have sidestepped questions about their involvement, but Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, stated at a December 2010 conference on Iran that “we’re glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them.” [Source: NPR’s Need to Know]

Now security researchers from Symantec have revealed that they’ve discovered a new Stuxnet-like worm called W32.Duqu that shares much of the same code with Stuxnet. Symantec’s Security Research blog posted details about Duqu yesterday:

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.
According to Symantec, Duqu also functions as a keylogger designed to “capture information such as keystrokes and system information” but lacks the specific code related to “industrial control systems, exploits, or self-replication.” Symantec’s research team believes that Duqu is collecting information for a possible future attack, and seem to point the finger at the original creators of Stuxnet, since the creators of Duqu seem to have direct access to Stuxnet source code:

The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.
The arrival of Stuxnet signaled that cyberattacks have entered a new phase, with nation states and professional, highly-skilled programmers helping elevate cyberwarfare to a new, more sophisticated (and dangerous) level. Microsoft Technical Fellow Mark Russinovich offers up a fictional account of what can happen when terrorist groups turn to cyberwarfare in his novel Zero Day, and it’s a chilling preview of what the future of warfare could look like.

While many fingers are pointing at U.S. and Israeli intelligence service for creating Stuxnet – and possibly Duqu — what happens when a hostile nation or well-organized terrorists develop the same level of cyberwarfare capability? Questions like these are undoubtedly keeping IT security professionals and experts at government security agencies awake at night.

For more technical information on the Duqu worm, see Symantec’s W32.Duqu: The Precursor to the Next Stuxnet whitepaper [PDF] and a Symantec post that provides additional Duqu technical details.

The New Face of War: How War Will Be Fought in the 21st Century

Has Israel Begun A Cyber War On Iran With The Stuxnet ‘Missile’?: An article from: APS Diplomat News Service





Jan 06 2011

The Basics of Stuxnet Worm and How it infects PLCs

Category: MalwareDISC @ 1:01 pm
Future of Mobile Malware & Cloud Computing Key...
Image by biatch0r via Flickr

Considered to be the most intricately designed piece of malware ever, Stuxnet leverages attack vectors onto industrial control systems, a territory rarely ventured into by traditional malware. Stuxnet targets industries, power plants and other facilities that use automation and control equipment from the leading German industrial vendor, Siemens. The term, critical infrastructure refers to industrial systems that are essential for the functioning and safety of our societies. Considering the profound dependence of critical infrastructure on industrial control and automation equipment, it is essential to reassess the impact this new generation of malware on the stability and security of our society.

Download WhitePaper

Has Israel Begun A Cyber War On Iran With The Stuxnet ‘Missile’?: An article from: APS Diplomat News Service

The New Face of War: How War Will Be Fought in the 21st Century




Tags: Business, Control system, Critical infrastructure, Industrial control systems, Iran, Malware, Siemens, Symantec


Nov 22 2010

Stuxnet virus could target many industries

Category: MalwareDISC @ 1:25 pm
I constructed this image using :image:Computer...
Image via Wikipedia

By LOLITA C. BALDOR, Associated Press

A malicious computer attack that appears to target Iran’s nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday.

They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer.

The complex code is not only able to infiltrate and take over systems that control manufacturing and other critical operations, but it has even more sophisticated abilities to silently steal sensitive intellectual property data, experts said.

Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the “real-world implications of Stuxnet are beyond any threat we have seen in the past.”

Analysts and government officials told the senators they remain unable to determine who launched the attack. But the design and performance of the code, and that the bulk of the attacks were in Iran, have fueled speculation that it targeted Iranian nuclear facilities.

Turner said there were 44,000 unique Stuxnet computer infections worldwide through last week, and 1,600 in the United States. Sixty percent of the infections were in Iran, including several employees’ laptops at the Bushehr nuclear plant.

Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.

A senior government official warned Wednesday that attackers can use information made public about the Stuxnet worm to develop variations targeting other industries, affecting the production of everything from chemicals to baby formula.

“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected,” said Sean McGurk, acting director of Homeland Security’s national cybersecurity operations center.

Stuxnet specifically targets businesses that use Windows operating software and a control system designed by Siemens AG. That combination, said McGurk, is used in many critical sectors, from automobile assembly to mixing products such as chemicals.

Turner added that the code’s highly sophisticated structure and techniques also could mean that it is a one-in-a-decade occurrence. The virus is so complex and costly to develop “that a select few attackers would be capable of producing a similar threat,” he said.

Experts said governments and industries can do much more to protect critical systems.

Michael Assante, who heads the newly created, not-for-profit National Board of Information Security Examiners, told lawmakers that control systems need to be walled off from other networks to make it harder for hackers to access them. And he encouraged senators to beef up government authorities and consider placing performance requirements and other standards on the industry to curtail unsafe practices and make systems more secure.

“We can no longer ignore known system weaknesses and simply accept current system limitations,” he said. “We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address” cybersecurity challenges.

The panel chairman, Sen. Joe Lieberman, I-Conn., said legislation on the matter will be a top priority after lawmakers return in January.




Tags: anti virus, Associated Press, Dean Turner, Industrial control systems, Iran, Joe Lieberman, Siemens, United States


Oct 01 2010

Stuxnet, world’s first “cyber superweapon,” attacks China

Category: CybercrimeDISC @ 2:01 pm
Computer worm
Image by toastiest via Flickr

Stuxnet, the most sophisticated malware ever designed, could make factory boilers explode, destroy gas pipelines, or even cause a nuclear plant to malfunction; experts suspect it was designed by Israeli intelligence programmers to disrupt the operations of Iran’s nuclear facilities — especially that country’s centrifuge farms and the nuclear reactor in Bushehr; it has now infected Chinese industrial control systems as well; one security expert says: “The Stuxnet worm is a wake-up call to governments around the world— It is the first known worm to target industrial control systems”

To read the remaining article …..




Tags: Bushehr, Business, Computer worm, Control system, Iran, Israel, Malware, Nuclear


Nov 17 2023

Why cyber war readiness is critical for democracies

Category: Cyber War,Digital cold war,Information Security,OT/ICSdisc7 @ 9:41 am

The skills employed, the hacktivists and other threat actors are not going anywhere. Right now, Russia might be overwhelmingly interested in Ukraine, but their aims and goals remain global.

“These skills will be turned in other directions and other targets in the future, they will be shared in threat actor groups online. This is the world you need to be preparing for right now,” he added.

His warning echoed a similar one by Viktor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine.

Russia’s attack force consists of “hackers in uniform”, cybercriminals and hacktivists congregating in various Telegram channels, but the nation is also working on engaging ever more younger people in their cyber offensive campaigns. They are seeking talented individuals in schools (and not just tech universities), selecting the most talented and training them, he shared.

“The Russians are in it for the long run,” Zhora warned during his IRISSCON talk, and called on countries that are – or expect to be – targeted by cyber aggressive nations to create a cyber coalition so they can prepare, share their experiences, and exchange information.

OT under attack

We can’t talk about the war in Ukraine and not mention cyber attacks aimed at disrupting operational technology (OT) used by companies that are part of the country’s critical infrastructure (CI).

In his talk, Ferguson briefly passed through the known attacks that hit CI entities with OT-specific malware, starting with Stuxnet in 2010 and ending with CosmicEnergy in 2023.

Some of the attacks are believed to be the work of the US and Israel (Stuxnet), cybercriminals (EKANS ransomware, 2020) or are still unattributed (the destructive 2014 attack against a steel plant in Germany). But the rest, he noted, are all believed to have been mounted by Russian state-backed attackers.

And, he says, they are getting better at it. Mirroring the development of attacks against IT systems, they have recently begun exploiting legitimate tools found in OT environments, so they don’t need to develop customized malware.

Many attackers are scanning for OT-specific protocols and probing OT devices, Ferguson noted. While their actual exploitation hinges on the skills of the attackers, some modes of attack (e.g., DDoS and phishing) are available to those who are less skilled, but eager. Hacktivists can target critical infrastructure that’s exposed on the internet as it’s easily discoverable via online tools.

Unfortunately, securing OT systems comes with a host of challenges: a complex infrastructure; an increasing number of endpoints; OT devices insecure by design (and generally not meant to be connected to the internet); rarely integrated OT and IT security teams, a lack of visibility into the OT infrastructure – to name just a few.

A new level of cyber conflict

Since the start of the war, Russian hackers have been trying to shut down electrical power in the country, have gone after government agencies, IT companies, telecoms, software development firms, media houses, editors, and media personalities, Zhora noted.

While the initial attacks were mostly geared towards destruction, Russian cyber attackers are now also trying to get their hands on information that can help them determine the effectiveness of their kinetic attacks, discover whether their spies have been flagged by the Ukrainian authorities, and see what evidence those authorities have gathered about war crimes.

Clever and subtle psy-ops online campaigns are, as well, a favorite tactic employed by the Russian state to manipulate enemies. And, since the advent of generative AI, it has became easier to mount them, Ferguson added.

All these things should be taken in consideration by governments when preparing for the future. Looking at the cyber component of the unfolding wars in Ukraine and Israel, they can see what future conflicts will look like.

Zhora says that Ukraine is becoming more and more confident of its capacity to counter future attacks, but that each democracy needs to ask themselves: Are we prepared for a global cyber war? “And they need to be honest with the answer,” he noted.

If they are not, they should immediately begin investing in cyber defense and intensifying cooperation, he added.

All the War They Want: Special Operations Techniques for Winning in Cyber Warfare, Business, and Life

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: OT/ICS critical infrastructure


Aug 16 2023

APTs use of lesser-known TTPs are no less of a headache

Category: APT,Attack Matrixdisc7 @ 9:48 am

Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.

Uncommon TTPs

With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.

While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:

Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.

Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.

Fileless malware: Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.

Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.

Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.

Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.

DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.

Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.

Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.

Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.

APTs are here to stay

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.

Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.

Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: APT, Attacks, TTP, TTPS


Jul 23 2023

Citrix ADC zero-day exploitatation: CISA releases details about attack on CI organization (CVE-2023-3519)

Category: CISA,Zero daydisc7 @ 9:40 am

The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA).

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.

IoCs, IR and mitigation advice

The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.

The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks or how to check whether an organizations had been a target had been publicly shared.

A list of indicators of compromise (IoCs) had been shared with select organizations, under the understanding that the info would not be widely shared (i.e., that the contents would be restricted to those organization and shared with its clients “on a need-to-know basis”).

“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.

He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.

CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.

In-the-wild exploitation of CVE-2023-3519

Greynoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.

Standalone and Nmap scripts for identifying vulnerable installations have been published on GitHub.

If what Winkel says is true – namely, that first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while – it’s possible that there are many compromised organizations out there who didn’t manage to block the attackers’ lateral movement.

It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.

UPDATE (July 22, 2023, 10:55 a.m. ET):

Technical analyses of the flaw are now public and threat actors could use them to create a reliable exploit soon. Patch quickly!

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon


InfoSec books
 | InfoSec tools | InfoSec services

Tags: Citrix ADC, Countdown to Zero Day, CVE-2023-3519, Stuxnet, zero Day


Feb 15 2022

Google fixes a Chrome zero-day flaw actively exploited in attacks

Category: Zero dayDISC @ 10:10 am

Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, actively exploited with the release of Chrome emergency update for Windows, Mac, and Linux. This is the first Chome zero-day fixed this year by Google.

The zero-day is a use after free issue that resides in Animation, the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.

“Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on 2022-02-10 [$TBD][1285449]” reads the security advisory published by Google. “Google is aware of reports that an exploit for 

 exists in the wild.”

The emergency patches will be rolled out in the next weeks. Users could update their browser manually by visiting the entry Chrome menu > Help > About Google Chrome.

Google did not disclose technical details for the CVE-2022-0609 to avoid massive exploitation of the bug. The IT giant also avoided disclosing info regarding the attack in the wild exploiting the flaw.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Tags: Chrome zero-day, Countdown to Zero Day


Nov 12 2021

macOS Zero-Day exploited in watering hole attacks on users in Hong Kong

Category: Security vulnerabilitiesDISC @ 9:54 am

Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited a XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina

The watering hole campaign targeted websites of a media outlet and important pro-democracy labor and political group. The researchers discovered that attackers deployed on the sites hosted two iframes that were used to serve iOS and macOS exploits to the visitors.

The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.

The attack was discovered in late August, the nature of the targets and the level of sophistication of the attack suggests the involvement of a China-linked threat actor.

“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.” reads the analysis published by Google. “As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.”

HD. Alex Gibney directed this documentary about Stuxnet–a self-replicating computer malware that has opened a Pandora’s box of cyber-warfare.

Tags: macOS Zero-Day, Stuxnet, Zero day attack, zero-day


Oct 25 2021

Released: MITRE ATT&CK v10

Category: Attack MatrixDISC @ 7:14 am

MITRE Corporation has released the tenth version of ATT&CK, its globally accessible (and free!) knowledge base of cyber adversary tactics and techniques based on real-world observations.

Version ten comes with new Data Source objects, new and changed techniques in its various matrices, key changes to facilitate hunting in ICS environments, and more.

MITRE ATT&CK v10

MITRE ATT&CK v10

The most prominent change in this newest version of the framework is new objects with aggregated information about data sources.

“The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source,” MITRE ATT&CK Content Lead Amy L. Robertson and cybersecurity engineers Alexia Crumpton and Chris Ante explained.

“These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover OSINT-related data sources mapped to PRE platform techniques.”

Changes in ATT&CK for ICS and the Mobile matrices are focused on providing all the features currently provided in the Enterprise matrices.

“v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others. The fact that adversaries don’t respect theoretical boundaries is something we’ve consistently emphasized, and we think it’s crucial to feature Enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software,” they added.

The complete release notes for MITRE ATT&CK v10 can be found here.

Tags: cyber attack, MITRE ATT&CK, MITRE ATT&CK v10


Jul 15 2021

China Taking Control of Zero-Day Exploits

Category: Zero dayDISC @ 11:39 am

Countdown to #ZeroDay: #Stuxnet and the Launch of the World’s First #DigitalWeapon

Tags: china, cybersecurity, cyberweapons, Digital Weapons, disclosure, Stuxnet, vulnerabilities, zero-day, Zero-Day Exploits


Apr 28 2021

Ransomware: don’t expect a full recovery, however much you pay

Category: Information Security,RansomwareDISC @ 1:37 pm

When it comes to all the various types of malware out there, none has ever dominated the headlines quite as much as ransomware.

Sure, several individual malware outbreaks have turned into truly global stories over the years.

The LoveBug mass-mailing virus of 2000 springs to mind, which blasted itself into hundreds of millions of mailboxes within a few days; so does CodeRed in 2001, the truly fileless network worm that squeezed itself into a single network packet and spread worldwide literally within minutes.

There was Conficker, a globally widespread botnet attack from 2008 that was programmed to deliver an unknown warhead on April Fool’s Day, but never did. (Conficker remains a sort-of unsolved mystery: no one ever figured out what it was really for.)

And, there was Stuxnet, discovered in 2010 but probably secretively active for years before that, carefully orchestrated to spread via hand-carried USB drives in the hope of making it across security airgaps and into undislosed industrial plantrooms (allegedly Iran’s uranium enrichment facility at Natanz).

But none of these stories, as dramatic and as alarming as they were at the time, ever held the public’s attention as durably or as dramatically as ransomware has done since the early 2010s.


Apr 11 2021

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Category: Zero day,Zero trustDISC @ 9:44 am

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”:

The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed.

Zero Days

Review: 'Zero Days' Examines Cyberwarfare's Potential Online Apocalypse -  The New York Times

The Stuxnet virus cyber-attack launched by the U.S. and Israel unleashed malware with unforeseen consequences. Delve deep into the burgeoning world of digital warfare in this documentary thriller from Academy Award® winning filmmaker Alex Gibney.

Tags: Stuxnet, watering hole attacks


Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT,Cyber Espionage,Cybercrime,HackingDISC @ 10:51 am

The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.

Check Point Research team discovered that China-linked APT31 group (aka Zirconium.) used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool years before it was leaked online by Shadow Brokers hackers.

In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with  sophisticated zero-day malware.

The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware. 

Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ‘s arsenal for years before it was addressed by the IT giant. 

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.

One of these zero-day flaws, tracked as CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,

“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by CheckPoint. ““EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap


Jul 03 2020

Alleged cyber attacks caused explosions at facilities in Iran

Category: Cyber AttackDISC @ 12:01 pm

The root cause of a series of explosions at important Iranian facilities may be cyberattacks allegedly launched by Israel.

Source: Alleged cyber attacks caused explosions at facilities in Iran

Stuxnet 2? Iran Hints Nuclear Site Explosion Could Be A Cyberattack

Stuxnet 0.5: The Missing Link

How Israel Rules The World Of Cyber Security | VICE on HBO
httpv://www.youtube.com/watch?v=ca-C3voZwpM

Israel said to be behind cyber attack on Iranian port
httpv://www.youtube.com/watch?v=9XVIrXHtpeg

Explore the subject of Cyber Attack

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles





Jan 04 2013

Controls against industrial Malware

Category: MalwareDISC @ 11:43 pm

Malicious software is called a malware and malware may include viruses, worms and trojans. A virus is a piece of code which is capable of replicating itself and mainly it depends on a host file (a document) to reach its target. However worm does not rely on the host file to reach the target but it does replicate. Main property of Trojan is concealment of code and ultimately used to get control of target system.

Modern day malware Stuxnet can manipulate Programmable Logic Controllers (PLCs) of critical infrastructure. Industrial Control System (ICS), SCADA, and manufactruing insdutry infrastructure is controled by the PLCs. Another malware, named Duqu, Flame by its discoverers, is similar to Stuxnet in many respects. Like modern trojans Duqu communicates with a command and control server in encrypted form which gives you an idea of sophistication to develop this malware. In the past year the discovery of the Stuxnet malware – and subsequently of the Flame, Duqu and most recently Gauss malware – has brought the issue of state-sponsored cyberwarfare into sharp focus in security community which are simply known as modern day (WMD) weapon of mass destruction.

The discovery of these modern day malware caused an uproar among the security community when it was found that these malware had been specifically designed as a highly targeted industrial espionage tool. Perhaps this create a frenzy out there to deveop these kind of tools but that bring out some questions which I’m unable to answer. Is it legal for a state to develop these tools? Is it legal for a state to use these tools in offense? do we have any international charter on the legality of these tools, otherwise Stuxnet, Duqu and Flame may set a wrong legal precedence of what’s good for the goose is good for the gander.

Main sources of malware infection may be USB drive, CD Rom, internet and unaware users but basically malware can install itself on your computer by simply visiting an infected/implanted website (pirated software, web sites with illegal content)

An organization should perform a comprehensive risk assessment on their malware policy to determine if they will accept the risk of adobe attachment and other executable files to pass through their perimeter gateway. Organization may need to consider all the possible sources of malware threats in their risk assessment which may include but not limited to spyware.

Malware Controls:
• High level formal malware policy and procedure. There should be a formal policy and procedure for USB drives if risk assessment determines that USB drive risk is not acceptable to business. Then there is a need to implement a control (policy, procedure, technical or training) or multiple of these controls to mitigate this risk to acceptable level.
• Anti-Virus policy which makes it mandatory to install, and signature file updates should take place on a regular interval (daily)
• Patch policy for all the latest patches, fixes and service packs that are published by the vendors
• Regular audit or review of anti-malware software and data file on the system
• All email attachment, software downloads should be checked for malware at the perimeter and adobe attachment and executable treated based on the risk assessment (drop, pass)
• User awareness training to possible infected email, spyware and infected website
• There should be a business continuity plan to recover from a possible malware attack

Related Books

Malware Titles from DISC InfoSec Store
Anti-Malware Software from DISC Infosec store
Anti-Virus software from DISC InfoSec Store
Anti-Malware Titles from eBay

Free Online Virus Scan

Norton Virus Scan | McAfee Virus Scan | Analyze suspicious files




Tags: anti virus, Malicious Software, Malware, Security, Spyware and Adware, trojan, Trojan Horses, Viruses


Jun 04 2012

Learn how to tackle the Flame

Category: cyber security,CybercrimeDISC @ 9:25 pm

A vicious piece of malware (known as Flame) was uncovered this week and is believed to have infected over 600 targets, be 20 times larger than Stuxnet and to have been backed by state sponsorship.
Realize the underground economy of hacking and crimeware with this handy pocket guide. It will provide you with a valuable list of up-to-date, authoritative sources of information, so you can stay abreast of new developments and safeguard your business.

An Introduction to Hacking & Crimeware: A Pocket Guide (eBook)

Know your enemy: An Introduction to Hacking & Crimeware is a comprehensive guide to the most recent and the more serious threats. Knowing about these threats will help you understand how to ensure that your computer systems are protected and that your business is safe, enabling you to focus on your core activities.

Fighting back
In this pocket guide, the author:

• defines exactly what crimeware is – both intentional and unintentional – and gives specific, up-to-date examples to help you identify the risks and protect your business
• explores the increasing use of COTS tools as hacking tools, exposing the enemy’s tactics gives practical suggestions as to how you can fight back
• provides a valuable list of up-to-date, authoritative sources of information, so you can stay abreast of new developments and safeguard your business.