China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks.
The development comes nearly two months after the country’s cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks.
“The purpose of this network security review of Micron’s products is to Read More
Related Posts
FIN7 Hackers Employ New Tools to Bypass EDR & Conduct Automated Attacks
FIN7 Hackers Employ New Tools to Bypass EDR & Conduct Automated Attacks
The notorious cybercrime group FIN7 has once again made headlines with the development of new tools designed to bypass Endpoint Detection and Response (EDR) solutions and conduct automated attacks. This revelation underscores the group’s continued evolution and sophistication in the cybercrime landscape.
FIN7, also known as Carbanak, has been active since at least 2012 and is known for its financially motivated cyberattacks targeting various industry sectors, including hospitality, energy, finance, high-tech, and retail.
The group initially focused on Point of Sale (POS) malware for financial fraud but has since shifted towards ransomware operations, affiliating with notorious Ransomware-as-a-Service (RaaS) groups such as REvil and Conti and launching its own RaaS programs like Darkside and BlackMatter.
Are you from SOC/DFIR Teams? – Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
New EDR Bypass Tools
Recent investigations have uncovered that FIN7 has developed a highly specialized tool known as AvNeutralizer (also referred to as AuKill). This tool is designed to tamper with security solutions and has been marketed in the criminal underground, used by multiple ransomware groups.
Tools Used by FIN7 Hackers to Bypass EDR Solutions and Conduct Automated Attacks
1. AvNeutralizer (aka AuKill)
FIN7 developed a specialized tool to tamper with security solutions. It has been marketed in the criminal underground and used by multiple ransomware groups.
The tool leverages the Windows built-in driver ProcLaunchMon.sys to disable endpoint security solutions by creating a denial of service condition in protected processes.
2. Powertrash
A heavily obfuscated PowerShell script designed to load an embedded PE file in memory reflectively. This allows FIN7 to execute backdoor payloads, evading defenses stealthily. Powertrash has been used in various FIN7 intrusions to load other malicious tools.
3. Diceloader (aka Lizar, IceBot)
A minimal backdoor that establishes a command-and-control (C2) channel, allowing attackers to control the system by sending position-independent code modules. It is typically deployed through Powertrash loaders and is used to load additional modules on compromised systems.
4. Core Impact
A penetration testing tool used for exploitation activities. It offers a library of commercial-grade exploits and generates Position Independent Code (PIC) implants to take control of exploited systems. FIN7 uses Core Impact loaders delivered through Powertrash in their campaigns.
5. SSH-based Backdoor
A persistence tool based on OpenSSH and 7zip, used by FIN7 to maintain access to compromised systems. It sets up an SFTP server through a reverse SSH tunnel, allowing attackers to exfiltrate files stealthily. This tool is typically used in intrusions aimed at gathering sensitive information.
SentinelLabs discovered a new version of AvNeutralizer that employs a previously unseen technique to disable security solutions. It leverages the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver).
In addition to EDR evasion tools, FIN7 has adopted automated attack methods, particularly automated SQL injection attacks targeting public-facing applications.
The group has developed a platform called Checkmarks, which conducts extensive scanning and exploitation of vulnerabilities in Microsoft Exchange servers using the ProxyShell exploit. This platform also includes an Auto-SQLi module for SQL Injection attacks, providing remote access to victim systems.
FIN7’s operations are marked by their use of multiple pseudonyms to mask their identity and sustain criminal activities in underground markets. The group has been linked to various ransomware families, including Black Basta, Cl0p, DarkSide, and LockBit, indicating their extensive reach and collaboration with other cybercriminal entities.
The group’s ability to innovate and adapt their tactics, techniques, and procedures (TTPs) makes them a persistent threat in the cybersecurity landscape.
Recent campaigns by FIN7 have targeted the U.S. automotive industry through spear-phishing attacks, delivering the Carbanak backdoor and leveraging living-off-the-land binaries, scripts, and libraries (LOLBAS) to gain initial footholds in target networks.
The group has also been observed using malicious Google Ads to deliver NetSupport RAT and DiceLoader malware, further demonstrating their versatility and resourcefulness in attack vectors.
FIN7’s continuous innovation in developing sophisticated tools to bypass security measures and conduct automated attacks highlights the group’s technical expertise and adaptability.
Their use of multiple pseudonyms and collaboration with other cybercriminal entities complicates attribution efforts and demonstrates their advanced operational strategies. As FIN7 continues to evolve, it remains crucial for organizations to stay vigilant and adopt comprehensive security measures to mitigate the risks posed by such advanced threat actors.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo
The post FIN7 Hackers Employ New Tools to Bypass EDR & Conduct Automated Attacks appeared first on Cyber Security News.
Truist bank confirms data breach
Truist bank confirms data breach
On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale.
Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC. By assets, it is in the top 10 of US banks. In 2020, Truist provided financial services to about 12 million consumer households.
The online handle of the seller immediately raised the suspicion that this was yet another Snowflake related data breach.
Post by Sp1d3r on breach forum
The post also mentions Suntrust bank because Truist Bank arose after SunTrust Banks and BB&T (Branch Banking and Trust Company) merged in December 2019.
For the price of $1,000,000, other cybercriminals can allegedly get their hands on:
Employee Records: 65,000 records containing detailed personal and professional information.
Bank Transactions: Data including customer names, account numbers, and balances.
IVR Source Code: Source code for the bank’s Interactive Voice Response (IVR) funds transfer system.
IVR is a technology that allows telephone users to interact with a computer-operated telephone system through the use of voice and Dual-tone multi-frequency signaling (DTMF aka Touch-Tone) tones input with a keypad. Access to the source code may enable criminals to find security vulnerabilities they can abuse.
Given the source and the location where the data were offered, we decided at the time to keep an eye on things but not actively report on it. But now a spokesperson for Truist Bank told BleepingComputer:
“In October 2023, we experienced a cybersecurity incident that was quickly contained.”
Further, the spokesperson stated that after an investigation, the bank notified a small number of clients and denied any connection with Snowflake.
“That incident is not linked to Snowflake. To be clear, we have found no evidence of a Snowflake incident at our company.”
But the bank disclosed that based on new information that came up during the investigation, it has started another round of informing affected customers.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
Check your exposure
While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
Surprise! The Latest ‘Comprehensive’ US Privacy Bill Is Doomed
Surprise! The Latest ‘Comprehensive’ US Privacy Bill Is Doomed
Gutted of civil rights protections by Democrats to woo pro-business Republicans, the American Privacy Rights Act was pulled from a key congressional hearing—and appears unlikely to receive a full vote. Read More