German users targeted with Gootkit banker or REvil ransomware
blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/ On November 23, we received an alert from a partner about a resurgence of Gootkit infections in Germany. Gootkit is a very capable banking Trojan that has been around since 2014 and possesses a number of functionalities such as keystroke or video recording designed to steal financially-related information. In this latest campaign, threat actors are relying on compromised websites to socially engineer users by using a decoy forum template instructing them to download a malicious file. While analyzing the complex malware loader we made a surprising discovery. Victims receive Gootkit itself or, in some cases, the REvil (Sodinokibi) ransomware.
Credit card skimmer fills fake PayPal forms with stolen order info
Single Sign-On Security: Security Analysis of real-life OpenID Connect Implementations
web-in-security.blogspot.com/2020/11/single-sign-on-security-security.html This post outlines the lessons learned during the research on the security of real-life OpenID Connect implementations that were roughly performed between April and October 2020. We presume basic knowledge of OpenID Connect 1.0 and OAuth 2.0 for this post. First, we describe the attacker models that will be applied in this post. Afterward, we outline a high-level overview of the selection criteria for real-life OpenID Connect implementations. Furthermore, we describe patterns that were regularly observed during the analysis of real-life OpenID Connect Service Provider and Identity Provider implementations
DNS data mining case study – skidmap
blog.netlab.360.com/security-with-dns-data_en/ As the foundation and core protocol of the Internet, the DNS protocol carries data that, to a certain extent, reflects a good deal of the user behaviors, thus security analysis of DNS data can cover a decent amount of the malicious activities. In the early days, typical scenarios for early security practices using DNS data include DGA and fastflux. Although the specific methods for detecting these two types of malicious behavior vary, the core of the detection is still based on pure DNS data.
Chaos Engineering: Building the Next Generation of Cyber Ranges
securityintelligence.com/posts/chaos-engineering-building-next-generation-cyber-ranges/ In one of our past posts on the same subject, we discussed how to apply chaos engineering principles to cyber war-games and team simulation exercises in broad brush strokes. In short, chaos engineering is the discipline of working and experimenting with new features and changes on a system that's already in live production. The purpose is, among others, to test the system's ability to implement changes and remain resilient.
Shadows From the Past Threaten Italian Enterprises
yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ The modern cyber threat landscape hides nasty surprises for companies, especially for the most structured and complex companies. Many times, threat actors develop very dangerous and effective techniques using tools and technologies in a smart, unattended way. This is the case of a particular cyber criminal group operating cyber intrusion against one of the most targeted and cyber-mature industry sectors: the Banking sector.
MacOS Users Targeted By OceanLotus Backdoor
threatpost.com/macos-users-targeted-oceanlotus-backdoor/161655/ A macOS backdoor variant has been uncovered that relies on multi-stage payloads and various updated anti-detection techniques. Researchers linked it to the OceanLotus advanced persistent threat (APT) group. The Vietnam-backed OceanLotus (also known as APT 32) has been around since at least 2013, and previously launched targeted attacks against media, research and construction companies. Researchers said that in this case the attackers behind the malware variant appear to be hitting users from Vietnam, because the name of the lure document from the campaign is in Vietnamese.
Four years after the Dyn DDoS attack, critical DNS dependencies have only gone up
www.zdnet.com/article/four-years-after-the-dyn-ddos-attack-critical-dns-dependencies-have-only-gone-up/ In 2016, Dyn, a provider of managed DNS servers, was the victim of a massive DDoS attack that crippled the company's operations and took down domain-name-resolving operations for more than 175,000 websites. While some sites managed to stay up by activating a redundancy and switching DNS resolving to secondary servers, many websites were not prepared and remained down for almost a day as Dyn dealt with the attack. Four years later, a team of academics from Carnegie Mellon University has conducted a large-scale study of the top 100,000 websites on the internet to see how website operators reacted to this attack and how many are still operating with one single DNS provider and no other backup. Academic paper:
Whac-A-Mole: Six Years of DNS Spoofing
arxiv.org/abs/2011.12978 DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points.