404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html As noted in Rough Patch: I Promise It’ll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, weve recognized multiple groups of post-exploitation activity.
JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
blog.talosintelligence.com/2020/01/jhonerat.html Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download
VB2019 paper: King of the hill: nation-state counterintelligence for victim deconfliction
www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-king-hill-nation-state-counterintelligence-victim-deconfliction/ Cyber situational awareness is the ultimate outcome of mature threat intelligence. Though we normally think of threat intelligence as a defender’s practice, extensive study of advanced cyberespionage operations reveals that attackers are engaged in a similar activity. Defenders apply threat intelligence insights to ensure that attackers don’t gain persistent access to their enterprise machines.
Summing up CVE-2020-0601, or the Let?s Decrypt vulnerability
isc.sans.edu/forums/diary/Summing+up+CVE20200601+or+the+Lets+Decrypt+vulnerability/25720/ Last 24 hours have been extremely interesting this months patch Tuesday by Microsoft brought to us 2 very interesting (and critical) vulnerabilities. The first one, the BlueKeep like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610) has been kind of ignored, although its really critical so I guess Ill continue doing that in this diary . (but rest assured that we are keeping an eye on the RDG vulnerability as well).
Critical Cisco Flaws Now Have PoC Exploit
threatpost.com/cisco-dcnm-flaw-exploit/151949/ Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager (DCNM) tool for managing network platforms and switches.
Enter Dustman: New Wiper Takes After ZeroCleare, Likely Targets Organizations in Region
securityintelligence.com/posts/enter-dustman-new-wiper-takes-after-zerocleare-targets-organizations-in-saudi-arabia/ In December 2019, IBM X-Force Incident Response and Intelligence Services (IRIS) released a report on new malware from the Wiper class, used in a destructive attack in the Middle East. . At the time, we dubbed this malware ZeroCleare per the program database (PDB) pathname of its binary file. About a month later, a ZeroCleare offshoot has been reported by the Saudi National Cybersecurity Authority (NCA) in destructive attacks targeting the same region. This variation of ZeroCleare was dubbed Dustman, also per the PDB pathname of its binary file.
FBI shuts down website selling billions of stolen records
www.welivesecurity.com/2020/01/17/fbi-seizes-website-selling-stolen-personal-data/ US law enforcement has seized the WeLeakInfo.com domain name for peddling personal data stolen in data breaches. The shadowy website offered a pay-to-play scenario that allowed anyone to search for and access other peoples personal details, according to a statement from the Department of Justice (DOJ).. WeLeakInfo.com claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records, said the authorities
Stolen emails reflect Emotet’s organic growth
blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html Emotet continues to infect individuals and organizations all over the world, so to say that it is “targeted” would be a stretch. However, if a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization.
Travelex wont say if it has paid a ransom to its attackers
www.grahamcluley.com/travelex-wont-say-if-it-has-paid-a-ransom-to-its-attackers/ Travelex, the foreign currency exchange service whose services have been knocked offline since New Years eve by a cyber attack, is declining to say if it has paid a ransom to the criminals responsible.
Google Chrome Adds Protection for NSA’s Windows CryptoAPI Flaw
www.bleepingcomputer.com/news/security/google-chrome-adds-protection-for-nsas-windows-cryptoapi-flaw/ Google just released Chrome 79.0.3945.130, which will now detect certificates that attempt to exploit the NSA discovered CVE-2020-0601 CryptoAPI Windows vulnerability.
TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/ The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.. A UAC bypass allows programs to be launched without displaying a User Account Control prompt that asks users to allow a program to run with administrative privileges.
Threatpost Poll: Are Published PoC Exploits a Good or Bad Idea?
threatpost.com/poll-published-poc-exploits-good-bad/151966/ Are publicly released proof-of-concept exploits more helpful for system defenders or bad actors?
Zen Cart PayPal Skimmer
blog.sucuri.net/2020/01/zen-cart-paypal-skimmer.html We recently found a case on a lesser known open source ecommerce platform named Zen Cart, which itself is a fork from the older OsCommerce. Credit card skimmers are not found as often for Zen Cart. This is because the Zen Cart user base is quite small (0.1%) when compared to other open source platforms like Magento (0.8%) or Prestashop (0.6%) according to W3s latest information.
Thoughts on the recent Red Team debate
blog.nviso.eu/2020/01/17/thoughts-on-the-recent-red-team-debate/ Around the end of November 2019, Florian Roth wrote a much-discussed post about problems he saw with todays red teaming. I considered writing a blog post to diverge some of my ideas and respond to his concerns.