The all in one place for non-profit security aid.
Leta McCollough Seletsky joins Andrew Hammond to share the story of her father, the famous “Kneeling Man” – The man knelt next to Dr. Martin Luther King Jr. at his assassination at the Lorraine Motel in 1968. Leta is a litigator turned essayist and memoirist. Read More
The CyberWire
Malwarebytes Premium Security earns “Product of the Year” from AVLab
[[{“value”:”
After blocking 100% of “in-the-wild” malware samples that were deployed in multiple, consecutive third-party tests conducted by the AVLab Cybersecurity Foundation, Malwarebytes Premium Security has earned “Product of the Year.”
The recognition cements Malwarebytes Premium Security’s perfect record of repeatable, trusted, and proven protection for users. It also comes alongside an additional AVLab certification for “Top Remediation Time.”
The latest results are part of AVLab’s regular “Advanced In-The-Wild Malware Test.”
For the March 2024 evaluation, AVLab tested 459 unique malware samples against 13 cybersecurity products. Malwarebytes Premium Security detected 459/459 malware samples, with a remediation time of 20 seconds—a full 13 seconds faster than the industry average.
ThreatDown, powered by Malwarebytes, also participated in AVLab’s March evaluation, where it similarly blocked 100% of malware samples with a remediation time of 17 seconds.
Three cybersecurity vendors failed to block 100% of the malware samples deployed: Bitdefender, ESET, and Panda.
AVLab’s evaluations, which are performed every other month by a team of cybersecurity and information security experts, are constructed to test and compare cybersecurity vendors against the latest malware that is currently being used by adversaries and threat actors. To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps:
Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.
Simulating a real-world scenario in testing: To recreate how a real-life cyberattack would occur, AVLab uses the Firefox web browser to engage with the known, malicious URLs collected in the step prior. In the most recent test, AVLab emphasized the potential for these URLs to be sent over instant messaging platforms, including Discord and Telegram.
Incident recovery time assessment: With the various cybersecurity products installed, AVLab measures whether the evaluated product detects a malware sample, when it detects a sample, and how long it took to detect that sample. The last metric is referred to as “Remediation Time.”
Malwarebytes is proud to receive “Product of the Year” and “Top Remediation Time” from AVLab, and is thankful to the third-party tester for its important work in the industry.
“}]] Read More
Malwarebytes
Linux Admins Beware! Fake PuTTY Client That Rhadamanthys Stealer
[[{“value”:”
PuTTY is among the most popular targets of hackers due to several reasons.
Firstly, it is used for remote access to servers and systems at large, hence a great ground for infiltration.
Exploiting vulnerabilities or misconfigurations in PuTTY can expose sensitive data or allow code execution on targeted machines.
By hacking into PuTTY installs, hackers can set up persistent backdoors and transit networks sideways to extend their scope and influence.
Cybersecurity researchers at Malwarebytes Labs recently warned Linux admins of a fake PuTTY client dubbed “Rhadamanthys” Stealer.
Hackers utilize malicious advertisements impersonating legitimate software like PuTTY to distribute malware loaders.
These loaders aim to compromise systems and deploy additional payloads while evading detection.
Document
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
:
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, which helps you to quantify risk accurately:
In this case, the threat actor purchased an ad falsely claiming to be the PuTTY homepage, appearing at the top of search results before the official site.
While the unrelated domain raised suspicions here, many advertisements closely mimic trusted brands, making them effective lures for distributing stealthy malware loaders that enable further exploitation.
Potential victims from the United States are redirected to a fake putty.org, while others are shown a legitimate page that bypasses security checks.
This redirection chain is multi-staged and possibly probes for proxies as well as logs victims’ IPs before serving a final malware payload.
Acting like the PuTTY program, this dropper is written in Go, which provides the attackers with an entry point into compromised systems for future exploitation.
The deceptions of such a campaign and the complexity of its payload delivery scheme reveal the extent to which threat actors can spread malware without being noticed.
This is done to show that, the victim did follow the deceptive ad campaign and downloaded it from a fake PuTTY site.
In case IP matches, it fetches a follow-on payload from the CnC server; as a result, it further propagates the multi-stage infection chain.
As such, this process of IP verification helps them distinguish potential researchers or honeypots who may have been lured into participating in this campaign.
This keeps additional payloads from being sent to any other system violated through their fraudulent advertisement campaigns.
The Go-based dropper uses SSH protocol in secret to pull the following-stage payload, probably Rhadamanthys malware, from some command and control server, reads the report.
This multiple-component infection chain, which offers malware deployment services ranging from malicious ads to loaders and final payloads, demonstrates a sophisticated malvertising infrastructure controlled by the same bad actor.
Although this particular campaign was reported to Google, it shows how threat actors are always changing their techniques to evade security controls.
To counter such stealthy malware distribution schemes, proactive defense mechanisms like strong malware detection and ad-blocking are crucial.
Decoy ad domain
arnaudpairoto[.]com
Fake site
puttyconnect[.]info
PuTTY
astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d
IP check
zodiacrealm[.]info
Rhadamanthys
192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post Linux Admins Beware! Fake PuTTY Client That Rhadamanthys Stealer appeared first on Cyber Security News.
“}]] Read More
Cyber Security News