Post Content Read More
Related Posts
![BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiGcUfhx1obbm71p9PknFOHSDt0JpRZAWhi6TYuS25Y_b9wL3NjX4nFwVEwHk6fetkwlUFBefLK2jaLL-lTiiX76QsZjJkjYfQFIuJkeIg8yEwHV_wfbjAAhFW4_b6gCAJnT-ky8oCMocwqZtiBNnt7APGxKNsBGioNBJ1NcnUUspJODg4nojqtpyFRTHT/s72-c/exploit.png)
BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool
BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool
[[{“value”:”Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called BlackTech as part of a recent cyber attack wave.
The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear.
"Waterbear is known for its complexity, as it”}]] Read More
The Hacker News | #1 Trusted Cybersecurity News Site
Hackers Trick Windows Users With Malicious Ads to Deliver Malware
Hackers Trick Windows Users With Malicious Ads to Deliver Malware
Malvertising campaigns often trick victims with near-perfect replicas of software vendor sites.
To easily trick their victims and achieve their malicious purposes, threat actors target popular software vendors like-
Webex
AnyDesk
KeePass
Cybersecurity researchers at Malwarebytes recently identified a malicious campaign that mimics the WindowsReport[.]com portal to distribute a malicious CPU-Z installer. The targeted site attracts geeks and admins seeking:-
Computer reviews
Computer tips
Computer software
In this malicious campaign, hackers actively target Windows users with malicious ads to deliver malware.
Hackers Trick Windows Users
Threat actors replicated the content of Windows Report for deceptive purposes, but the portal is still secure.
Windows Report Clone (Source – Malwarebytes)
This is part of a broader malvertising campaign targeting utilities like:-
Citrix
VNC Viewer
Besides this, cybersecurity analysts at Malwarebytes have already alerted Google about this incident for an immediate takedown.
An advertiser using Scott Cooper’s likely spoof or hacked name appears in a misleading advertisement for the Windows program CPU-Z.
Threat actors use cloaking to evade detection. While the non-target clicks show a standard blog, for victims, the “corporatecomf[.]online” site redirects to “workspace-app[.]online.”
A mimic domain, resembling WindowsReport[.]com, deceives users searching for CPU-Z. The download page may seem legitimate, but the URL doesn’t match.
Several domains are hosted at the IP address 74.119.192.188 as part of malvertising activities. Apart from this, a malicious PowerShell script, along with the FakeBat loader, is included in the payload, which is a signed MSIX installer.
The actor mimicked Windows Report as users often download utilities from such sites. Legitimacy is increased by the signed MSI installer, and by replacing a PowerShell script, MSI loaders provide simple modifications to the final payload.
In enterprises, verifying a file’s checksum through its SHA256 hash sum can ensure it’s flawless, matching the website of the vendor.
Document
Protect Your Storage With SafeGuard
Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
IOCs
Ad Domains
argenferia[.]com
realvnc[.]pro
corporatecomf[.]online
cilrix-corp[.]pro
thecoopmodel[.]com
winscp-apps[.]online
wireshark-app[.]online
cilrix-corporate[.]online
workspace-app[.]online
Payload URLs
thecoopmodel[.]com/CPU-Z-x86.msix
kaotickontracting[.]info/account/hdr.jpg
ivcgroup[.]in/temp/Citrix-x64.msix
robo-claim[.]site/order/team.tar.gpg
argenferia[.]com/RealVNC-x64.msix
Payloads
55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95
C2s
11234jkhfkujhs[.]site
11234jkhfkujhs[.]top
94.131.111[.]240
81.177.136[.]179
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.
The post Hackers Trick Windows Users With Malicious Ads to Deliver Malware appeared first on Cyber Security News.
Cyber Security News
FBI and CISA publish guide to Living off the Land techniques
FBI and CISA publish guide to Living off the Land techniques
[[{“value”:”
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other authoring agencies have released a joint guidance about common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.
Living Off The Land (LOTL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.
This joint guidance comes alongside a joint Cybersecurity Advisory (CSA) called PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure.
These publications are a reaction to recent warnings about attacks on critical infrastructure by groups allegedly connected to the Chinese (PRC) government.
The FBI recently used a court order to remove malware from hundreds of routers across the US because it believed the attack was the work of an Advanced Persistent Threat (APT) group known as Volt Typhoon. US officials said the botnet was designed to give Chinese attackers persistent access to critical infrastructure. Routing their traffic through these gateways would hide the actual origin of malicious attempts to reach inside utilities and other targets.
In May of 2023, Microsoft uncovered stealthy and targeted malicious activity by Volt Typhoon. The activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.
As Jen Easterly, the director of CISA put it in a hearing before the House Select Committee
“We have seen a deeply concerning evolution of Chinese targeting of US critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here.”
And it’s not just the US. The Dutch Military Intelligence Service (MIVD) found a Remote Access Trojan (RAT) on one of their networks which they identified as Chinese malware.
The Living of the Land (LOTL) guide does not exclusively focus on Chinese state actors though. It also includes methods deployed by Russian Federation state-sponsored actors, and will likely apply to Ransomware-as-a-Service (RaaS) gangs that leverage legitimate tools to evade detection too.
So, it’s important to be aware of what your cybersecurity team, internal or managed (MDR) should be looking for when it comes to suspicious use of legitimate tools, unusual network connections, and other signs of malicious activities.
The guidance stipulates that LOTL is particularly effective because:
Many organizations lack effective security and network management practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavioral analytics, anomaly detection, and proactive hunting.
There is a general lack of conventional indicators of compromise (IOCs) associated with the activity, complicating network defenders’ efforts to identify, track, and categorize malicious behavior.
It enables cyber threat actors to avoid investing in developing and deploying custom tools.
So, it provides some best practices for detecting and hardening that are all explained in detail.
Implement write once, read many detailed logging to avoid the risk of attackers modifying or erasing logs.
Establish and continuously maintain baselines of network, user, administrative, and application activity and least privilege restrictions.
Build or acquire automation to continually review all logs to compare current activities against established behavioral baselines and alert on specified anomalies.
Reduce alert noise by fine-tuning via priority (urgency and severity) and continuously review detections based on trending activity.
Leverage user and entity behavior analytics to identify abnormal and potentially dangerous user and device behavior.
Apply and consult vendor-recommended guidance for security hardening.
Implement application allowlisting and monitor use of common LOTL binaries (LOLBins).
Enhance IT and OT network segmentation and monitoring.
Implement authentication and authorization controls for all human-to-software and software-to-software interactions regardless of network location.
Understanding the context of LOTL activities is crucial for accurate detection and response. Many of the tips that Malwarebytes provides for avoiding ransomware will prove to be useful in state sponsored attacks as well, although the latter can be even more targeted in some situations.
Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Further on, CISA urges software manufacturers to implement secure by design rules in their software, to reduce the prevalence of weak default configurations and passwords, recognize the need for low or no-cost enhanced logging, and other exploitable issues identified in the guide.
Insecure software allows threat actors to leverage flaws to enable LOTL techniques and the responsibility should not solely be on the end user. By using secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
Living off the Land is one of six cyberthreats that resource-constrained IT teams need to be ready to combat in 2024, covered in our 2024 State of Malware report.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
“}]] Read More
Malwarebytes