Elevator pitch: full remote USA/Canada, the job is to team up with the other team members to hunt for state-aligned activity in the richest email-centric telemetry I know of in the whole security vendor space. You will triage, cluster, analyze and attribute suspected state-aligned activity to generate top-of-the-line threat intelligence and have a real day-to-day impact in keeping Proofpoint customers safe.
The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with social engineering. The goal? Stealing Google and subscription credentials of a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?
Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):
Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.
**Symantec:** new APT Grayling targets Taiwanese organizations in manufacturing, IT, and biomedical... as well as Pacific Island government org, Vietnam and U.S. orgs. Activity from February to May 2023. They exploit public facing applications, use DLL side-loading, and load custom malware and multiple publicly available tools. IOC provided. Link: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
The Australian Cyber Security Centre (ACSC) Australian Signals Directorate (ASD) released the ASD Cyber Threat Report 2022-2023. Their executive summary notes that Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.
State actors focused on critical infrastructure, data theft, and disruption of business. Notably "The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs." They call out China and Russia specifically.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Data breaches impacted many Australians.
1 in 5 critical vulnerabilities was exploited within 48 hours.
Rumint is that the Change Healthcare incident was Chinese espionage that was caught and they overreacted and turned off all systems thinking ransomware was going to be deployed.
This fits with Chinese targeting of healthcare and pharmacies in the past. My assessment is that it could also be Russian long term staging or espionage as they are also known to target healthcare and pharmacies.
Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European governmental entities and a think tank.
I updated to #Ubuntu 22.04 yesterday and got a little notification that my #apt Firefox was being switched to #snap. Weird flex, but okay.
Today, when I tried to open my local #Rust documentation with rustup doc --book, I got a page that said that the access to the file was denied.
It turns out that #snap prevents firefox opening files in hidden folders and the best workaround is to create a symbolic link to a non-hidden folder. WTH?
@manpacket I saw this last week and finally made the switch when I found that #snap #firefox could not open pages from the /tmp/ directory (snap: 2, me: 0)
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
They refer to the malware as COATHANGER based on a string present in the code.
It hides itself by hooking system calls that could reveal its presence.
It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
High confidence that the malicious activity was conducted by a state-sponsored actor from the People's Republic of China.
The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Initial access occurred through exploitation of the CVE-2022-42475 vulnerability.
Although this incident started with abuse of CVE-2022-42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’.
Please note that second-stage malware like COATHANGER are used in tandem with a vulnerability: the malware is used for persistence to a victim network after the actor gained access.
The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
Communication to the C2 server is done over a TLS tunnel. COATHANGER first sends the following HTTP GET request to the C2 server (newlines shown as \n):
GET / HTTP/2\nHost: www.google.com\n\n
The COATHANGER malware drops the following files:
/bin/smartctl or /data/bin/smartctl
/data2/.bd.key/authd
/data2/.bd.key/httpsd
/data2/.bd.key/newcli
/data2/.bd.key/preload.so
/data2/.bd.key/sh
/lib/liblog.so
Several methods have been identified to detect COATHANGER implants: a YARA rule, a JA3 hash, different CLI commands, file checksums and a network traffic heuristic. A script for automated detection was also released by them (linked in the original post).
Two YARA rules are provided for detection on the COATHANGER samples.
The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25
With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.
Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.
Use the following command:
fnsysctl ls -la /bin
fnsysctl ls -la /data/bin
The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing connection IPs:
diagnose sys tcpsock
The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connections to external IP addresses from a process called httpsd is a strong indicator of the presence of COATHANGER:
The specific version of COATHANGER that this report describes uses the process name httpsd to obfuscate itself. All active processes can be listed using the following command:
fnsysctl ps
Running the following command returns all PIDs named 'httpsd':
diagnose sys process pidof httpsd
Using the retrieved process IDs from the previous command yields process information for the processes named httpsd.
diagnose sys process dump <PID>
When the process has a GID set to 90, the device is infected with COATHANGER.
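The smartctl and httpsd checks above can be scripted once the CLI output has been captured from the device. The following is an added example, not code from the advisory or from MIVD/AIVD: it assumes `fnsysctl ls -la` prints BusyBox-style long listings and that `diagnose sys process dump` exposes a /proc-style `Gid:` line (both assumptions), and every sample output embedded in it is constructed for illustration. It flags smartctl when it is not a symlink or is newer than the majority of its neighbours, and flags a process dump whose GID is 90.

```python
"""Triage helpers for the COATHANGER CLI checks (added example, not the advisory's code)."""
from __future__ import annotations

import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Assumption: one BusyBox-style long-listing line looks like
#   mode links uid gid size Mon DD (YYYY|HH:MM) name[ -> target]
LS_LINE = re.compile(
    r"^(?P<mode>[-ldcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<when>\d{4}|\d{2}:\d{2})\s+(?P<name>.+)$")

# Assumption: the process dump carries a /proc-style "Gid:" line.
GID_LINE = re.compile(r"^Gid:\s+(\d+)", re.MULTILINE)


def _mtime(mon: str, day: str, when: str, now: datetime) -> datetime:
    """Turn ls's two date styles into a datetime; HH:MM means 'within the last year'."""
    month = MONTHS[mon]
    if ":" in when:
        hour, minute = map(int, when.split(":"))
        year = now.year if (month, int(day)) <= (now.month, now.day) else now.year - 1
        return datetime(year, month, int(day), hour, minute)
    return datetime(int(when), month, int(day))


def parse_listing(text: str, now: datetime) -> dict[str, tuple[bool, datetime]]:
    """Map file name -> (is_symlink, mtime), skipping '.' and '..' and unparseable lines."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        name = m["name"].split(" -> ")[0]
        if name in (".", ".."):
            continue
        entries[name] = (m["mode"].startswith("l"), _mtime(m["mon"], m["day"], m["when"], now))
    return entries


def assess_smartctl(listing: str, now: datetime) -> dict:
    """Apply the two smartctl heuristics: not a symlink, or newer than most neighbours."""
    entries = parse_listing(listing, now)
    if "smartctl" not in entries:
        return {"present": False, "suspicious": False, "reasons": []}
    is_link, mtime = entries["smartctl"]
    others = [t for n, (_, t) in entries.items() if n != "smartctl"]
    reasons = []
    if not is_link:
        reasons.append("smartctl is a regular file, not a symlink")
    if others and sum(t < mtime for t in others) > len(others) / 2:
        reasons.append("smartctl modified later than the majority of files in the directory")
    return {"present": True, "suspicious": bool(reasons), "reasons": reasons}


def gid_from_dump(dump: str) -> int | None:
    """Extract the GID from a captured `diagnose sys process dump <PID>` (assumed format)."""
    m = GID_LINE.search(dump)
    return int(m.group(1)) if m else None


def dump_indicates_coathanger(dump: str) -> bool:
    """GID 90 on an httpsd process is the advisory's infection indicator."""
    return gid_from_dump(dump) == 90


# Constructed sample data (not real device output): most files share a build
# date, smartctl is newer and is a regular file instead of a symlink.
NOW = datetime(2023, 11, 20)
SUSPECT_LS = """\
drwxr-xr-x    2 0        0            4096 Mar 14  2023 .
drwxr-xr-x   12 0        0            4096 Mar 14  2023 ..
lrwxrwxrwx    1 0        0              11 Mar 14  2023 busybox -> /bin/sysctl
lrwxrwxrwx    1 0        0              11 Mar 14  2023 ls -> /bin/sysctl
lrwxrwxrwx    1 0        0              11 Mar 14  2023 ps -> /bin/sysctl
-rwxr-xr-x    1 0        0          812344 Nov 02 03:15 smartctl
lrwxrwxrwx    1 0        0              11 Mar 14  2023 stat -> /bin/sysctl
"""
CLEAN_LS = SUSPECT_LS.replace(
    "-rwxr-xr-x    1 0        0          812344 Nov 02 03:15 smartctl",
    "lrwxrwxrwx    1 0        0              11 Mar 14  2023 smartctl -> /bin/sysctl")
SUSPECT_DUMP = "Name:\thttpsd\nState:\tS (sleeping)\nPid:\t1234\nUid:\t0\t0\t0\t0\nGid:\t90\t90\t90\t90\n"

if __name__ == "__main__":
    print(assess_smartctl(SUSPECT_LS, NOW))
    print(assess_smartctl(CLEAN_LS, NOW))
    print("httpsd dump indicates COATHANGER:", dump_indicates_coathanger(SUSPECT_DUMP))
```

Paste the real `fnsysctl ls -la` and `diagnose sys process dump` output into the two string constants to run the same heuristics against a device; if the dump format differs from the assumed `Gid:` line, adjust `GID_LINE` rather than the GID-90 test, which comes straight from the advisory.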
Hey friends! After a long hiatus, I'm starting #streaming again - as mentioned in an earlier post, I'm going to be figuring out how to create #apt / #yum repos. I've done some very simple #pypi in the past, and may do some work on that, too. We'll see what we can get done in the time I'll be spending.
🔐 #Microsoft discloses Russian #APT infiltrated its systems through a test account, stealing emails and attachments of senior executives and others in #cybersecurity and legal departments.
CISA, on behalf of the collective group of industry and government partners that comprise the Joint Cyber Defense Collaborative (JCDC), released JCDC’s 2024 Priorities. Similar to the 2023 JCDC Planning Agenda, JCDC’s 2024 Priorities will help focus the collective group on developing high-impact and collaborative solutions to the most pressing cybersecurity challenges.
2024 priorities are defined around three focus areas. The first focus area, Defend Against Advanced Persistent Threat (APT) Operations, aligns JCDC strategic and operational efforts to counter known and suspected APT campaigns that target critical infrastructure sectors with the potential to impact National Critical Functions. The second focus area, Raise the Baseline, encompasses JCDC efforts to improve the cybersecurity posture of critical infrastructure entities to reduce the frequency and impact of cyber incidents. The third focus area, Anticipate Emerging Technology and Risks, seeks to decrease the likelihood and impact of AI-related threats and vulnerabilities to critical infrastructure providers.