Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike

Tactic | Technique | Notes
TA0001 Initial Access | T1566.001 Phishing: Spear phishing Attachment | Victims receive spear phishing emails with attached malicious zip files, typically password protected, or an HTML file. That file contains an ISO file.
TA0001 Initial Access | T1566.001 Phishing: Spear phishing Link | QAKBOT has spread through emails with newly created malicious links.
TA0002 Execution | T1204.001 User Execution: Malicious Link | QAKBOT has gained execution through users accessing a malicious link.
TA0002 Execution | T1204.002 User Execution: Malicious Link | QAKBOT has gained execution…

How Water Labbu Exploits Electron-Based Applications

We discovered that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository controlled by Water Labbu. The repository hosted multiple exploit files for CVE-2021-21220 (a Chromium vulnerability affecting versions before 89.0.4389.128) to execute a Cobalt Strike stager. It also contained files designed to target Meiqia (美洽), a Chinese desktop-based live chat app for online customer support that is used on websites. Meiqia (美洽) was developed…

Water Labbu Abuses Malicious DApps to Steal Cryptocurrency

Cyber Crime. The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency. By: Joseph C Chen, Jaromir Horejsi, October 03, 2022. We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to…

Stronger Cloud Security in Azure Function Using Custom Cloud Container

Cloud. In this entry, we discuss how developers can use custom cloud container images and the distroless approach to minimize security gaps in Azure Functions. By: David Fiser, Alfredo Oliveira, September 29, 2022. We have written extensively on the security gaps in Azure Functions and Azure App Services, including their consequences. One way developers can enhance cloud security and minimize these…

How Underground Groups Use Stolen Identities and Deepfakes

These deepfake videos are already being used to cause problems for public figures. Celebrities, high-ranking government officials, well-known corporate figures, and other people who have many high-resolution images and videos online are the most easily targeted. We see that social engineering scams using their faces and voices are already proliferating. Given the tools and deepfake technology available, we can expect to see even more attacks and scams aimed at manipulating victims through voice and…

Security Risks in Logistics APIs Used by E-Commerce Platforms

Our research examines the security flaws that we found in the logistics API implementation of e-commerce platforms that can potentially expose consumers’ personal information. We discuss the security risks that such flaws present for software engineers, e-commerce platform providers, and consumers. By: Ryan Flores, Charles Perine, Lord Alfred Remorin, Roel Reyes, September 20, 2022. The connectivity that we’ve experienced of late…

The Risk of Ransomware Supply Chain Attacks

Ransomware has been a major threat to cybersecurity throughout the years, dominating boardroom discussions. It is a type of malware that prevents or limits users from accessing their systems. Malicious actors lock the system’s screen or the user’s files until a hefty ransom is paid. First seen in Russia between 2005 and 2006, ransomware’s popularity as a business model spread across the globe. By 2012, Trend Micro had observed a continuous spread of infections across Europe…

A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities

Using Workload Security to detect WebLogic vulnerability exploitation

Workload Security’s correlation of telemetry and detections provided the initial security context in this campaign, which allowed security teams and analysts to track and monitor the malicious actor’s activities. The following Workload Security modules worked to detect the exploitation of CVE-2020-14882 on vulnerable systems:

Intrusion prevention system module

Workload Security’s intrusion prevention system module can tap into incoming traffic and effectively block and detect malicious network traffic…

How Malicious Actors Abuse Native Linux Tools in Their Attacks

Based on real-world attacks and our honeypots, we observed that malicious actors abuse a variety of tools that come bundled with Linux distributions, such as curl, wget, chmod, chattr, ssh, base64, chroot, crontab, ps, and pkill, for nefarious purposes. We have seen malicious actors abusing these tools in the wild. The presence of these utilities, especially inside container environments, should at least be considered, since they provide additional avenues…

Enhancing Cloud Security by Reducing Container Images Through Distroless Techniques

Figure 1 shows that there are 96 packages installed in this image. We can also use Grype, another increasingly popular tool, to analyze the SBOM generated by Syft and scan the original image for vulnerabilities. The extent of the risk of using Debian-based images is plain to see: the more packages there are, the larger the attack surface becomes. This also results in a bigger disk and bandwidth footprint, which has pushed many developers…
