Campaigns abusing corporate trusted infrastructure
hunt for corporate credentials on ICS networks
https://ics-cert.kaspersky.com/publications/reports/2022/01/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks
]-> Guide to ICS Security
(NIST SP800-82 rev.2, .pdf):
https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
#SCADA
@IotPenetrationTesting
Targets of spyware attacks in which each malware sample has a limited-scope and a short lifetime include industrial enterprises. Victim organizations’ SMTP services are abused to send phishing emails and collect stolen data.
#Malware_analysis
1. Technical Analysis of the WhisperGate Malicious Bootloader
https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware
]-> https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate
2. MoonBounce: the dark side of UEFI firmware
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468
3. AVADDON Ransomware
https://www.mandiant.com/resources/chasing-avaddon-ransomware
@IotPenetrationTesting
#Malware_analysis
1. BlackCat Ransomware: Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims
2. Custom Previews For Malicious Attachments:
A phishing technique that allows attackers to create fake previews for their malicious attachment with GMail
https://mrd0x.com/phishing-google-users-by-spoofing-previews
@IotPenetrationTesting
With victims in the US, Australia and India, BlackCat is a new RaaS making a big impact. Learn more about this unique ransomware's behavior and IoCs.
#Malware_analysis
1. DTPacker - a .NET Packer with a Curious Password
https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1
2. Deep Dive into Trickbot's Web Injection
https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection
@IotPenetrationTesting
Key Findings Proofpoint identified a malware packer which researchers have dubbed DTPacker. The payload decoding uses a fixed password containing former U.S. president Donald
#Malware_analysis
1. Owowa: the add-on that turns your OWA into a credential stealer and remote access panel
https://securelist.com/owowa-credential-stealer-and-remote-access/105219
2. Evolved phishing:
Device registration trick adds to phishers’ toolbox for victims without MFA
https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
3. Watering hole deploys new macOS malware, DazzleSpy, in Asia
https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia
@IotPenetrationTesting
We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. We named the malicious module ‘Owowa’,
#Malware_analysis
1. Lazarus APT leverages Windows Update client, GitHub in latest campaign
https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign
2. The Cookies Parasite
https://www.perimeterx.com/tech-blog/2022/cookies-parasite
3. Unknown Info Stealer Distributed via Compromised Discord Accounts
https://github.com/captainGeech42/malware/tree/main/samples/2022-01-29_unknown_stealer
@IotPenetrationTesting
How one of North Korea’s most sophisticated APTs tries to avoid detection by using legitimate tools during its attacks.
The BotenaGo malware source code is published on GitHub
The BotenaGo malware source code is published on the GitHub web service. Millions of routers and IoT devices are at risk.
According to experts from AT&T Alien Labs, uploading the source code to GitHub “has the potential to lead to a significant increase in the number of new malware variants, since developers will be able to use the source code and adapt it for their own purposes.”
Now any attacker can use, modify and update the malware, "or even just compile it as is and use the source code as a BotenaGo exploit kit to attack vulnerable devices."
Alien Labs called the malware's source code "simple but effective", capable of carrying out malicious attacks using just 2,891 lines of code in total (including blank lines and comments). BotenaGo is written in the open source Golang programming language and can exploit 33 initial access vulnerabilities. The malware automatically sets up 33 exploits, providing an attacker with a "ready state" to attack a vulnerable target and install the appropriate payload depending on the type of target or operating system.
#BotenaGo
@IotPenetrationTesting
BotenaGo strikes again - malware source code uploaded to GitHub
In November 2021, AT&T Alien Labs™ first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware “BotenaGo.” (Read previous article here.) In this article, Alien…
Watch "HUGE Crypto Theft Happens Again; UEFI Has Vulnerabilities - ThreatWire" on YouTube
https://youtu.be/DRCg66RsmdU
@IotPenetrationTesting
Cisco Finds Critical Vulnerabilities in their small business routers, even more vulns for found in UEFI firmware shared by multiple vendors, and another huge crypto theft! All that coming up now on ThreatWire. #threatwire #hak5
Weekly security and privacy…
Dragos ICS/OT Ransomware Analysis: Q4 2021
https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021
@IotPenetrationTesting
#Malware_analysis
1. xRAT/Quasar RAT
https://asec.ahnlab.com/en/31089
2. MyloBot 2022 - Evasive botnet
https://blog.minerva-labs.com/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails
@IotPenetrationTesting
Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed - ASEC
#Malware_analysis
1. Attackers Disguise RedLine Stealer as a Windows 11 Upgrade
https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade
2. ShadowPad Malware Analysis
https://www.secureworks.com/research/shadowpad-malware-analysis
3. PrivateLoader to Anubis Loader
https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e
@IotPenetrationTesting
#Threat_Research
1. Western Digital My Cloud Pro Series PR4100 RCE
https://www.iot-inspector.com/blog/advisory-western-digital-my-cloud-pro-series-pr4100-rce
2. "Ice phishing" on the blockchain
https://www.microsoft.com/security/blog/2022/02/16/ice-phishing-on-the-blockchain
@IotPenetrationTesting
The IoT Inspector Research Lab uncovered a command injection vulnerability on Western Digital My Cloud Pro Series PR4100.
#Malware_analysis
1. Tracking SugarLocker ransomware & operator
https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49
2. Analysis - Sugar Ransomware:
New Ransomware Group Conducting Low-Profile Attacks
https://blog.cyble.com/2022/02/17/analysis-sugar-ransomware
@IotPenetrationTesting
Author: S2W TALON
https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure
@IotPenetrationTesting
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
The Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. In this blog, we share the analysis of this method and provide insights on how attackers gain access…
Pwning MS Azure Defender for IoT
Multiple Flaws Allow RCE for All
https://www.sentinelone.com/labs/pwning-microsoft-azure-defender-for-iot-multiple-flaws-allow-remote-code-execution-for-all
@IotPenetrationTesting
As if IoT & OT aren't hard enough to defend, we dive into five critical vulnerabilities in Microsoft Defender for IoT that leave the door wide open.
WCam.pdf (4.3 MB)
#Whitepaper
#IoT_Security
"Vulnerabilities Identified in Wyze Cam IoT Device", 2022.
@IotPenetrationTesting
#SCADA_Security
The Old SWITCHEROO:
Hiding Code on Rockwell Automation PLCs
https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automation-plcs
@IotPenetrationTesting
Discover the vulnerabilities found in Rockwell programmable logic controllers (PLCs) and engineering workstation software. Learn more with Claroty.