Research Saturday

Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, is discussing their work on "Threat actors ride the hype for newly released Arc browser." The Arc browser, newly released for Windows, has quickly garnered positive reviews but has also attracted cybercriminals who are using deceptive Google search ads to distribute malware disguised as the browser. These malicious campaigns exploit the hype around Arc, using techniques like embedding malware in image files and utilizing the MEGA cloud platform for command and control, highlighting the need for caution with sponsored search results and the effectiveness of Endpoint Detection and Response (EDR) systems. The research can be found here: Threat actors ride the hype for newly released Arc browser Learn more about your ad choices. Visit megaphone.fm/adchoices

Amit Malik, Director of Threat Research at Uptycs, is sharing their work on "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." The Uptycs Threat Research Team has discovered a large-scale Log4j campaign involving over 1700 IPs, aiming to deploy XMRig cryptominer malware. This ongoing operation was initially detected through the team's honeypot collection, prompting an in-depth analysis of the campaign. The research says "The JNDI plugin is particularly useful to attackers because it allows them not only to fetch the values of environment variables in the target system but also to freely define the URL and protocol resource for the JNDI network connection." The research can be found here: New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Jon DiMaggio, a Chief Security Strategist at Analyst1, is sharing his work on "Ransomware Diaries Volume 5: Unmasking LockBit." On February 19, 2024, the National Crime Agency (NCA), a UK sovereign law enforcement agency, in collaboration with the FBI, Europol, and nine other countries under "Operation Cronos," disrupted the LockBit ransomware gang’s data leak site used for shaming, extorting, and leaking victim data. The NCA greeted visitors to LockBit’s dark web leak site with a seizure banner, revealing they had been controlling LockBit’s infrastructure for some time, collecting information, acquiring victim decryption keys, and even compromising the new ransomware payload intended for LockBit 4.0. The research can be found here: Ransomware Diaries Volume 5: Unmasking LockBit Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we are joined by Hosein Yavarzadeh from the University of California San Diego, as he is discussing his work on "Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor" This paper introduces new methods that let attackers read from and write to specific parts of high-performance CPUs, such as the path history register (PHR) and prediction history tables (PHTs). These methods allow two main types of attacks. One can reveal a program's control flow history, as shown by recovering a secret image through the libjpeg routines. The other enables detailed transient attacks, demonstrated by extracting an AES encryption key, highlighting significant security risks for these systems. The research can be found here: Graph: Growing number of threats leveraging Microsoft API Learn more about your ad choices. Visit megaphone.fm/adchoices

Dick O'Brien from Symantec Threat Hunter team is discussing their research on “Graph: Growing number of threats leveraging Microsoft API.” The team observed an increasing number of threats that have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The research states "the technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes." The research can be found here: Graph: Growing number of threats leveraging Microsoft API Learn more about your ad choices. Visit megaphone.fm/adchoices

Adam Marré, CISO at Arctic Wolf, is diving deep into geopolitical tension with China including APT31, iSoon and TikTok with Dave this week. They also discuss some of the history behind China cyber operations. Adam shares information on how different APT groups are able to create spear phishing campaigns, and provides info on how to combat these groups. Learn more about your ad choices. Visit megaphone.fm/adchoices

Christopher Doman, Co-Founder and CTO at Cado Security, is talking about their research on "Cerber Ransomware: Dissecting the three heads." This research delves into Cerber ransomware being deployed onto servers running the Confluence application via the CVE-2023-22518 exploit. The research states "Cerber emerged and was at the peak of its activity around 2016, and has since only occasional campaigns, most recently targeting the aforementioned Confluence vulnerability." The research can be found here: Cerber Ransomware: Dissecting the three heads Learn more about your ad choices. Visit megaphone.fm/adchoices

Greg Lesnewich, senior threat researcher at Proofpoint, sits down to discuss "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering." Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. The research states "While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling." The research can be found here: From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering Learn more about your ad choices. Visit megaphone.fm/adchoices

Tomer Peled, a Security & Vulnerability Researcher from Akamai is sharing their work on "What a Cluster: Local Volumes Vulnerability in Kubernetes." This research focuses on a high-severity vulnerability in Kubernetes, allowing for remote code execution with system privileges on all Windows endpoints within a Kubernetes cluster. The research states "The discovery of this vulnerability led to the discovery of two others that share the same root cause: insecure function call and lack of user input sanitization." The research can be found here: What a Cluster: Local Volumes Vulnerability in Kubernetes Learn more about your ad choices. Visit megaphone.fm/adchoices

Noah Pack, a SANS Internet Storm Center Intern, sits down to discuss research on "What happens when you accidentally leak your AWS API keys?" This research is a guest diary from Noah and shares a project he worked on after seeing an online video of someone who created a python script that emailed colleges asking for free swag to be shipped to him. The research states "In this article, I will share some research, resources, and real-world data related to leaked AWS API keys." In this research, Noah shares what he learned while implementing his experiment. The research can be found here: What happens when you accidentally leak your AWS API keys? [Guest Diary] Learn more about your ad choices. Visit megaphone.fm/adchoices

Elad, a Senior Security Researcher from Cycode is sharing their research on "Cycode Discovers a Supply Chain Vulnerability in Bazel." This security flaw could let hackers inject harmful code, potentially affecting millions of projects and users, including Kubernetes, Angular, Uber, LinkedIn, Databricks, DropBox, Nvidia, Google, and many more. The research states "We reported the vulnerability to Google via its Vulnerability Reward Program, where they acknowledged our discovery and proceeded to address and fix the vulnerable components." Please take a moment to fill out an audience survey! Let us know how we are doing! The research can be found here: Cycode Discovers a Supply Chain Vulnerability in Bazel Learn more about your ad choices. Visit megaphone.fm/adchoices

Liviu Arsene from CrowdStrike joins to discuss their research "HijackLoader Expands Techniques to Improve Defense Evasion." The research has found that HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling. In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. Researchers state "this new approach has the potential to make defense evasion stealthier." Please take a moment to fill out an audience survey! Let us know how we are doing! The research can be found here: HijackLoader Expands Techniques to Improve Defense Evasion And be sure to join our live webinar: CISOs are the new Architects (of the Workforce) Join N2K’s Simone Petrella and Intuit’s Kim Jones on Wednesday, March 27th for an online discussion about the pivotal role security leaders play in shaping the security workforce landscape, and how we can start showing up for the future of our industry. Learn more and register on the event page. Learn more about your ad choices. Visit megaphone.fm/adchoices

Robert Duncan from Netcraft is sharing their research on "Phishception - SendGrid abused to host phishing attacks impersonating itself." Netcraft has recently observed that criminals abused Twilio SendGrid’s email delivery, API, and marketing services to launch a phishing campaign impersonating itself. Hackers behind this novel phishing campaign used SendGrid’s Tracking Settings feature, which allows users to track clicks, opens, and subscriptions with SendGrid. The malicious link was masked behind a tracking link hosted by SendGrid. Please take a moment to fill out an audience survey! Let us know how we are doing! The research can be found here: Phishception – SendGrid is abused to host phishing attacks impersonating itself Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by Jamie MacColl and Dr. Pia Hüsch from RUSI discussing their work on "Ransomware: Victim Insights on Harms to Individuals, Organisations and Society." The research reveals some of the harms caused by ransomware, including physical, financial, reputational, psychological and social harms. Researchers state "Based on interviews with victims and incident responders, this paper outlines the harm ransomware causes to organisations, individuals, the UK economy, national security and wider society." Please take a moment to fill out an audience survey! Let us know how we are doing! The research can be found here: Ransomware: Victim Insights on Harms to Individuals, Organisations and Society Learn more about your ad choices. Visit megaphone.fm/adchoices

This week we are joined by, Selena Larson from Proofpoint, who is discussing their research, "Bumblebee Buzzes Back in Black." Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing. After a four month hiatus, Proofpoint researchers found that the downloader returned. Its return aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware. The research can be found here: Bumblebee Buzzes Back in Black Learn more about your ad choices. Visit megaphone.fm/adchoices

Assaf Dahan and Daniel Frank from Palo Alto Networks Cortex sit down with Dave to talk about their research "Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor." From late 2020 to late 2022, Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union. The research states "They have further deepened their foothold in victims’ environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites." The research can be found here: Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor Learn more about your ad choices. Visit megaphone.fm/adchoices

Ori David from Akamai is sharing their research "Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal." FritzFrog takes advantage of the fact that only internet facing applications were prioritized for Log4Shell patching and targets internal hosts, meaning that a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation. The research states "FritzFrog has traditionally hopped around by using SSH brute force, and has successfully compromised thousands of targets over the years as a result." Over the years Akamai has seen more than 20,000 FritzFrog attacks, and 1,500+ victims. The research can be found here: Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal Learn more about your ad choices. Visit megaphone.fm/adchoices

Jon DiMaggio, Chief Security Strategist for Analyst1, is discussing his research on "Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC." While there is evidence to support that RansomedVC runs cybercrime operations, Jon questions the claims it made regarding the authenticity of the data it stole and the methods it used to extort victims. The research states "I uncovered sensitive information about the group's leader, Ransomed Support (also known as Impotent), relating to secrets from his past." In this episode John shares his 6 key findings after spending months engaging with the lead criminal who runs RansomedVC. The research can be found here: Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC Learn more about your ad choices. Visit megaphone.fm/adchoices

Johannes Ullrich from SANS talking about the Internet Storm Center and how they do research. Internet Storm Center was created as a mix of manual reports submitted by security analysts during Y2K and automated firewall collection started by DShield. The research shares how SANS used their "agile honeypots" to "zoom in" on events to more effectively collect data targeting specific vulnerabilities. Internet Storm Center has been noted on three separate attacks that were observed. The research can be found here: Jenkins Brute Force Scans Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887) Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527 Learn more about your ad choices. Visit megaphone.fm/adchoices

Jaron Bradley from Jamf Threat Labs is sharing their work on "Jamf Threat Labs discovers new malware embedded in pirated applications." Jamf Threat Labs has detected a series of pirated macOS applications that have been modified to communicate to attacker infrastructure. The research states "These applications are being hosted on Chinese pirating websites in order to gain victims." The discovery marks new and advanced malware, similar to the ZuRu malware, first discovered by Objective-See in 2021 within the iTerm2 application. The research can be found here: Jamf Threat Labs discovers new malware embedded in pirated applications Learn more about your ad choices. Visit megaphone.fm/adchoices

Jon Williams from Bishop Fox is sharing their research on "It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable." SonicWall published advisories for CVE-2022-22274 and CVE-2023-0656 a year apart after finding that NGFW series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities. The research states "Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern." They also found that when they scanned SonicWall firewalls with management interfaces exposed to the internet, they found that 76% are vulnerable to one or both issues. The research can be found here: It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable Learn more about your ad choices. Visit megaphone.fm/adchoices

Ryan Westman, Senior Manager, Threat Intelligence, eSentire's Threat Response Unit (TRU), is discussing their research "Two Russian-speaking cyber gangs attack employees from 23 different companies." They are using malicious Google ads, promoting popular business software such as Zoom, Slack, and Adobe. The customers targeted are companies in the manufacturing, software, legal, retail and healthcare industries. The attacking threat actors belong to the Russian-speaking Malware-as-a-Service (MaaS) groups called BatLoader and FakeBat. The research can be found here: Two Competing, Russian-Speaking Cybercrime Groups Attack Employees from 23 Companies in the Manufacturing, Software, Legal, Retail, and Healthcare Sectors Using Malicious Google Ads Learn more about your ad choices. Visit megaphone.fm/adchoices

Guilherme Venere from Cisco Talos joins to discuss their research on "A deep dive into Phobos ransomware, recently deployed by 8Base group." Cisco Talos discovered that 8Base’s Phobos ransomware payload contains an embedded configuration, which is a significant difference between 8Base’s Phobos variant and other Phobos samples that have been observed in the wild since 2019. In this 2-part research series, Talos conducts a deep dive into the Phobos ransomware, including its affiliate structure, activity and capabilities, as well as the one private key that could enable decryption of all the samples analyzed. The research can be found here: A deep dive into Phobos ransomware, recently deployed by 8Base group Understanding the Phobos affiliate structure and activity Learn more about your ad choices. Visit megaphone.fm/adchoices

Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign. The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team quickly made two reports on the campaign, one sharing an examination on the tactics and techniques. The second gives a detailed analysis of the malware and exploits used. The research can be found here: Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation Learn more about your ad choices. Visit megaphone.fm/adchoices

Dick O'Brien from Symantec's threat hunter team, joins Dave to discuss their work on "Stonefly: North Korea-linked spying operation continues to hit high-value targets." Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors. Symantec found that The attackers breached an engineering firm in February 2022, most likely by exploiting the Log4j vulnerability, Their research describes who these high value targets are and ways to prevent this malware from breaching any more companies as well as indications that you could be compromised. The research can be found here: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets Learn more about your ad choices. Visit megaphone.fm/adchoices

Host of the CyberWire Daily podcast segment Threat Vector, David Moulton sits down with Mike "Siko" Sikorski from Palo Alto Networks Unit 42 to discuss their research on "Fighting Ursa Aka APT28: Illuminating a Covert Campaign." Unit 42 just published new threat intelligence on Fighting Ursa (aka APT28), a group associated with Russia's military intelligence, on how they are exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries, Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. The research can be found here: Fighting Ursa Aka APT28: Illuminating a Covert Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

Dana Behling, researcher from Carbon Black, sharing their work on "Hunting Vulnerable Kernel Drivers." The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers, six of which allow kernel memory access, accepting firmware access. TAU reported the issues to the vendors whose drivers had valid signatures at the time of discovery, but only two vendors fixed the vulnerabilities. TAU is calling for more comprehensive approaches in the future than the current banned-list method used by Microsoft. The research states "By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges." The research can be found here: Hunting Vulnerable Kernel Drivers Learn more about your ad choices. Visit megaphone.fm/adchoices

Ryan from Bishop Fox joins to describe their work on "Building an Exploit for FortiGate Vulnerability CVE-2023-27997." After Lexfo published details of a pre-authentication remote code injection vulnerability in the Fortinet SSL VPN, Bishop Fox worked up a proof of concept demo. This research share how they were able to create that proof-of-concept exploit, step by step. The researchers state "Our debugging environment consisted of a FortiGate 7.2.4 virtual machine which we modified to disable some self-verification functionality. After bypassing these integrity checks, we were able to install an SSH server, BusyBox, and debugging tools such as GDB." The research can be found here: Building an Exploit for FortiGate Vulnerability CVE-2023-27997 Learn more about your ad choices. Visit megaphone.fm/adchoices

Larry Cashdollar, Principal Security Intelligence Response Engineer from Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot. The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection. The research can be found here: KmsdBot: The Attack and Mine Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Asheer Malhotra from Cisco Talos discussing their research and findings on "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." Cisco Talos' research team, released research attributing the work of the espionage-focused threat actor, YoroTrooper, to individuals based in Kazakhstan. The research states "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region." They also found that the YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. The research can be found here: Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan Learn more about your ad choices. Visit megaphone.fm/adchoices

Jeremy Kennelly and Sulian Lebegue from Mandiant sit down with Dave to discuss their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind? One of the oldest and most successful banking fraud malwares, URSNIF, which caused an estimated “tens of millions of dollars in losses”, has been discovered by researchers to have been re-tooled into a generic backdoor, dubbed “LDR4”. This new variant was first observed in June 2022. Mandiant researchers believe that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. They say "given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely." The research can be found here: From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind Learn more about your ad choices. Visit megaphone.fm/adchoices

Aleksandar Milenkoski and JAGS from SentinelOne sits down to share their work on "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit." After observing a new threat activity cluster by an unknown threat actor in August of this year, SentinelLabs dubbed it Sandman. The research states "Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent." Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, they call this malware "LuaDream," which exfiltrates system and user information, paving the way for further precision attacks. The research can be found here: Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit Learn more about your ad choices. Visit megaphone.fm/adchoices

Danny Adamitis from Lumen's Black Lotus Labs sits down to discuss their work on "No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action." Last March Lumen's Black Lotus Lab researchers discovered a novel malware called HiatusRAT that targeted business-grade routers. The research states "In the latest campaign, we observed a shift in reconnaissance and targeting activity; in June we observed reconnaissance against a U.S. military procurement system, and targeting of Taiwan-based organizations." This shift in information gathering and targeting preference exhibited in the latest campaign is synonymous with the strategic interest of the People’s Republic of China according to the 2023 ODNI threat assessment. The research can be found here: No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action Learn more about your ad choices. Visit megaphone.fm/adchoices

Sysdig's Alessandro Brucato and Michael Clark join Dave to discuss their work on "AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation." Attackers are targeting what are typically considered secure AWS services, like AWS Fargate and Amazon SageMaker. This means that defenders generally aren’t as concerned with their security from end-to-end. The research states "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances." This poses additional challenges targeting multiple services since it requires finding and killing all miners in each exploited service. The research can be found here: AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation Learn more about your ad choices. Visit megaphone.fm/adchoices

Amit Malik from Uptycs joins us to discuss their research titled "Unwanted Guests: Mitigating Remote Access Trojan Infection Risk." Uptycs threat research team identified a new threat referred to as QwixxRAT. The Uptycs team discovered this tool being widely distributed by the threat actor through Telegram and Discord platforms. The research states "QwixxRAT is meticulously designed to harvest an expansive range of information from browser histories and credit card details, to keylogging insights." This newly found tool poses a risk to both businesses and individual users The research can be found here: Unwanted Guests: Mitigating Remote Access Trojan Infection Risk Learn more about your ad choices. Visit megaphone.fm/adchoices

Deepen Desai from Zscaler joins to take a look into their research about "DuckTail." In May of 2023, Zscaler ThreatLabz began an intelligence collection operation to decode DuckTail’s maneuvers. Through an intensive three-month period of monitoring, Zscaler was able obtain unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. The research states "DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs occurring in 2022 and 2023 introduced more eager candidates into the digital market - meaning more prime targets for DuckTail." The research can be found here: A Look Into DuckTail Learn more about your ad choices. Visit megaphone.fm/adchoices

David Liebenberg from Cisco Talos joins to discussing Talos' discovery of cracked Microsoft Windows software being downloaded by enterprise users across the globe. Downloading and running this compromised software not only serves as an entry point for threat actors, but can serve as a gateway to access control systems and establish backdoors. Talos identified additional malware, including RATs, on endpoints running this cracked software, which allows an attacker to gain unauthorized remote access to the compromised system, providing the attacker with various capabilities, such as controlling the system, capturing screenshots, recording keystrokes and exfiltrating sensitive information. This research article was not published by Cisco Talos' team. Learn more about your ad choices. Visit megaphone.fm/adchoices

Maxim Zavodchik from Akamai joins Dave to discuss their research on "Xurum: New Magento Campaign Discovered." Akamai researchers have discovered an ongoing server-side template injection campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker’s command and control (C2) server. The research states "The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component." The research can be found here: Xurum: New Magento Campaign Discovered Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Manuel Hepfer from ISTARI shares his research on cyber resilience which includes discussions with 37 CEOs to gain insight into how they manage cybersecurity risk. ISTARI and Oxford University's Saïd Business School dive into the minds and experiences of CEOs on how they manage cybersecurity risk. Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalisation of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune. CEOs must formally answer to regulators, shareholders and board members for their organisation’s cybersecurity. Yet the majority (72%) of CEOs we interviewed as part of our research said they were not comfortable making cybersecurity-related decisions. The research and associated article can be found here: Research: The CEO Report on Cyber Resilience Article: Make Cybersecurity a Strategic Asset Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, our guest is Reece Baldwin from Kasada discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities to conduct credential stuffing attacks. This malware campaign was first uncovered when the team was digging around in a Telegram channel setup to share OpenBullet configurations. Reading through a few of the configurations they identified a function, ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. Th research states "While the versatility of OpenBullet’s configuration files enable complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved." The research can be found here: No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about Threat Group Assessment: Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses. Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals. The research can be found here: Threat Group Assessment: Muddled Libra Learn more about your ad choices. Visit megaphone.fm/adchoices

Tal Skverer from Astrix Security joins to discuss their work on "GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts." Astrix’s Security Research Group revealed a 0-day flaw in Google’s Cloud Platform (GCP) on June 19, 2022, which was found to affect all Google users. The research states "The vulnerability, dubbed “GhostToken”, could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim’s Google account infected with a trojan app forever." Google issued a patch to this vulnerability in April of this year, but researchers explain why this can be severe. The research can be found here: GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts Learn more about your ad choices. Visit megaphone.fm/adchoices

Dmitry Bestuzhev from Blackberry joins to discuss their work on "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." Research suggests that the RomCom threat team has been tracked carefully following the geopolitical events surrounding the war in Ukraine, and are now targeting politicians in Ukraine who are working closely with Western countries. This group is different from others in that their focus is more on secrets or information which can be useful in geopolitics and specifically the war in Ukraine, instead of financial gain. The research says "Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software." The research can be found here: RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine Learn more about your ad choices. Visit megaphone.fm/adchoices

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP Learn more about your ad choices. Visit megaphone.fm/adchoices

Aleksandar Milenkoski from SentinelOne joins to discuss their work on "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." Researchers have been tracking the North Korean APT group Kimsuky and their attempt at a social engineering campaign targeting experts in North Korean affairs. The research states "The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware." Kimsuky has been tracked engaging in extensive email correspondence using spoofed URLs and extensive email correspondence, along with Office documents weaponized with the ReconShark malware. The research can be found here: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence Learn more about your ad choices. Visit megaphone.fm/adchoices

Ashlee Benge from ReversingLabs discussing their research titled "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." Researchers recently discovered over a dozen malicious packages published to the npm open source repository. These packages are targeting Microsoft 365 users and appear to target application end users while also supporting email phishing campaigns. Research supports that the malicious campaign encompassed more than a dozen files designed to steal sensitive user credentials. The research states "This most recent campaign caught our attention because of a number of features and characteristics in related npm packages that correlate with malicious intent." The research can be found here: Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares it's findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware Learn more about your ad choices. Visit megaphone.fm/adchoices

Michael Clark from Sysdig joins with Dave to discuss their research on SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. New research from Sysdig threat researchers found that the group continues to thrive with improved tactics. Most recently, they gained access to AWS Fargate, a more sophisticated environment to breach, thanks to their upgraded attack tools. The research states "In their most recent activities, we saw a similar strategy to what was reported in the previous blog: compromise AWS accounts through exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers." Had Sysdig not thwarted SCARLETEEL's attack, they estimated that they would have mined $4,000 per day until they were stopped. The research can be found here: SCARLETEEL 2.0: Fargate,Kubernetes, and Crypto Learn more about your ad choices. Visit megaphone.fm/adchoices

Thomas Etheridge from CrowdStrike sits down to discuss their work on "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft" In May of 2023, industry and government sources detailed China-nexus activity where they found the threat actor dubbed Volt Typhoon targeted U.S. based critical infrastructure entities. CrowdStrike's Intelligence team tracked this actor as VANGUARD PANDA. With CISA’s advisory on VANGUARD PANDA and its link to Chinese adversaries who are increasingly targeting US businesses and critical infrastructure, CrowdStrike’s blog dives deeper into the risks of VANGUARD PANDA. The research says "One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus." The research can be found here: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft Learn more about your ad choices. Visit megaphone.fm/adchoices

Daniel dos Santos, Forescout's Head of Security Research is sharing insights from a recent exercise his team conducted on AI-assisted attacks for OT and unmanaged devices. Using ChatGPT, Forescout’s research team converted an existing OT exploit developed in Python to run on Windows to demonstrate how easy it is to create an AI-assisted attack that converts the original exploit into alternative programming languages. The research states "our goal was to convert an existing OT exploit developed in Python to run on Windows to the Go language using ChatGPT." This would then allow it to run faster on Windows and run easily on a variety of embedded devices. The research can be found here: AI-Assisted Attacks Are Coming to OT and Unmanaged Devices – the Time to Prepare Is Now Learn more about your ad choices. Visit megaphone.fm/adchoices