Aggregator

Summary New research reveals a connection between the Lazarus Group and TFlower; specifically, TFlower's usage of a MATA framework variant in a recent campaign. Threat Type Malware, Backdoor, Ransomware Overview A report from Sygnia indicates a connection or collaboration between Lazarus and TFlower. The TFlower ransomware is deployed using the MATA backdoor, which is a well-known Lazarus commodity. The latest variant has not previously been seen in campaigns to this point. In addition to the MATA backdoor,

Summary The U.S. tax season is often taken advantage of as a source of phishing material for threat actors. Cofense reports on one such case of a file share link purporting to come from the IRS in order to steal Microsoft credentials. Threat Type Phishing Overview Cofense published a blog post analyzing a phishing campaign attempting to steal Microsoft credentials while capitalizing on the U.S. tax season. The sender email address and name have been spoofed in order to match that of a legitimate IRS tax rep

分享RapidDNS.io网站在实践中的应用。

Previously, I introduced the field of sensor systems architecture and posed a real world example scenario of the unnecessary resource costs and hazards that can happen when the deployment of sensors isn't carefully thought out.

While Unicast defines a single destination endpoint for a given IP, Anycast is an addressing technique in which the same IP is advertised from multiple servers simultaneously.

Summary The Russian-speaking RTM threat group has launched a new campaign against Russian transport and finance organizations. Kaspersky reports on their usage of new techniques to include ransomware and extortion. Threat Type Malware, Ransomware Overview Kaspersky has published a blog post analyzing a recent campaign carried out by the RTM threat group against Russian transport and finance organizations. The campaign, as with previous ones, begins with the distribution of a the RTM banker via business-them

Summary One method of hiding malware from detection is to embed it in a less suspicious file format, such as images. ReversingLabs reports on a few observed examples of this technique being used in conjunction with PHP malware. Threat Type Malware Overview ReversingLabs published a blog post analyzing various PHP malware samples embedded in image files. This method becomes particularly in handy with placing webshells on servers that allow the upload of image files but not executables. Two specific technique

Summary Beginning on March 2, 360Netlab observed attacks that attempt to exploit vulnerabilities in QNAP NAS devices running firmware released prior to August 2020. If a device was successfully compromised, the attackers installed cryptomining software. Threat Type Vulnerability, Malware, Cryptomining Overview A report from 360Netlab provides details on attacks that attempt to exploit two vulnerabilities ( CVE-2020-2506 and CVE-2020-2507 ) in QNAP NAS devices. If successfully exploited, the vulnerabilities

Summary Two security advisories have been published for Xen. The most serious vulnerability addressed in the advisories could potentially allow an attacker to cause a denial of service condition on the host system. Threat Type Vulnerability Overview Two security advisories have been published for Xen. The most serious vulnerability addressed in the advisories could potentially allow an attacker to cause a denial of service condition on the host system. Further details are available from the advisories linke

Summary Ocelot, the Offensive Security research team of Metabase Q, identified a new variant of Ploutus ATM malware in Latin America. The variant, Ploutus-I operates on ATMs from the Brazilian vendor Itautec. It allows for a jack-potting style attack where the money is stolen directly from the ATM but not an individual's account. Threat Type Malware Overview There has been a new variant of the Ploutus ATM malware seen in Latin America. The variant, Ploutus-I operates on ATMs from the Brazilian vendor Itaute

A recent Akamai Security blog post, Massive Campaign Targeting UK Banks Bypassing 2FA, written by my colleague Or Katz, is a great insight into how attackers used very simple techniques to bypass two-factor (2FA) authentication security to obtain access to U.K. consumers' bank accounts.

Akamai, the intelligent edge platform for securing and delivering digital experiences, continues to focus on innovation by launching Cohort 2 of the Akamai Startup program.

Summary KAMACITE is an ICS threat activity group that obtains access to victim networks and enables other actors to carry out attacks. Dragos revealed their findings on this threat group in a recent blog post. Threat Type Malware Overview Dragos has published a blog post detailing a newly identified threat activity group targeting electric utilities, oil and gas operations, and various manufacturing organizations since as early as 2014. The group has been tied to the BLACKENERGY2 campaign and both the 2015

嘿...

Summary Alexander Popov, a security researcher from Positive Technologies, discovered and fixed five security vulnerabilities in the Linux kernel, now uniquely identified as CVE-2021-26708. Threat Type Vulnerability Overview Alexander Popov, a security researcher from Positive Technologies, discovered and fixed five security vulnerabilities in the Linux kernel's virtual socket implementation that could lead to a Denial of Service and other actions. They are noted together within CVE-2021-26708. Popov develo

Summary Reuters is reporting on attacks against Indian biotech companies making a COVID-19 vaccine. Chinese state-sponsored group APT 10, also known as Stone Panda, are thought to be behind the attacks. Threat Type Targeting Overview Indian vaccine makers SII and Bharat Biotech have recently come under attack from Chinese hackers. The Chinese state-sponsored group APT 10, or Stone Panda, are suspected of the attacks on the biochemical companies. The group was able to identify vulnerabilities in the IT infra

1.命令替换 实现方法 替换系统中常见的进程查看工具（比如ps、top、lsof）的二进制程序 对抗方法 使用stat命令查看文件状态并且使用md5sum命令查看文件hash，从干净的系统上拷贝这些工具的备份至当前系统，对比hash是否一致，不一致，则说明被替换了。 注：需要在bin目录下执行。 2

2021年2月23日，VMware发布了一份公告（VMSA-2021-0002），公布了影响VMware ESXi、VMware vCenterServer和VMware Cloud Foundation的三个威胁