Week 46, November 13-19, 2023
Week 46, November 13-19, 2023. Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
A new ransomware group has emerged, utilizing Hive’s source code and infrastructure, signaling a significant threat in the cybersecurity landscape. Meanwhile, Chinese hackers have launched covert espionage attacks on 24 Cambodian organizations, showcasing their expanding cyber capabilities. In a notable success, the major Phishing-as-a-Service syndicate ‘BulletProofLink’ was dismantled by Malaysian authorities, marking a critical step in combating cybercrime.
The emergence of the BiBi-Windows Wiper targeting Windows systems in Pro-Hamas attacks and the CacheWarp attack exposing a new vulnerability in AMD SEV’s encrypted VMs highlight evolving cyber threats. A critical alert has been issued for the OracleIV DDoS Botnet targeting public Docker Engine APIs, which could lead to container hijacking.
In the Middle East, a new campaign using IronWind malware is targeting government entities, signifying a growing geopolitical dimension to cyber threats. CISA’s urgent deadline to patch Juniper Junos OS flaws before November 17th emphasizes the importance of timely responses to cybersecurity vulnerabilities.
In a significant law enforcement action, the U.S. has taken down the IPStorm botnet, with the Russian-Moldovan mastermind pleading guilty, reflecting increased international cooperation in cybercrime crackdowns. A new Intel CPU vulnerability named Reptar, affecting multi-tenant virtualized environments, raises concerns about the security of cloud infrastructures.
Russian hackers have been linked to a massive cyber attack on Danish critical infrastructure, one of the largest of its kind, demonstrating the ongoing risks posed by state-sponsored cyber activities.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
Discoshell (discovery-shell), is a streamlined script designed for the discovery of live subdomains. It integrates popular tools like subfinder, amass, puredns, massdns, and alterx to facilitate efficient subdomain discovery processes. The tool is capable of generating permutation wordlists and filtering wildcard subdomains. It requires either an input file name or a single domain for discovery. If an output file name is not specified, the results are displayed directly in the standard output. Additionally, there’s an option to remove the ‘www.’ prefix from subdomain strings. Functionality of Discoshell makes it a useful utility for subdomain discovery tasks in various network and security-related workflows.
BounceBack is a reverse proxy tool designed for enhancing operational security in red team activities. It operates as a stealth redirector, shielding C2, phishing, and other sensitive infrastructure from detection by blue teams, sandboxes, and scanners. The tool features a sophisticated and flexible filtering system that analyzes real-time traffic to distinguish between legitimate and unwanted visitors. This system is built upon a configurable pipeline of filters, using boolean-based rules to effectively conceal your tools from observant adversaries. Key features of BounceBack include a highly adaptable project structure allowing for easy rule additions, an extensive blacklist of IP addresses known to be affiliated with IT security vendors, and a Malleable C2 Profile parser that validates inbound HTTP(s) traffic. Additionally, it offers domain fronting support to further obscure infrastructure, IP geolocation and reverse lookup capabilities for precise visitor screening, configurable time-based access controls, support for multiple proxy configurations within a single instance, and a detailed logging mechanism for monitoring and analyzing interactions.
BestEDROfTheMarket is a user-mode EDR (Endpoint Detection and Response) software project designed for training and learning about EDR’s user-mode detection techniques. It focuses on dynamic analysis of a target process’s state, including memory and API calls. The project includes several defensive techniques like Multi-Levels API Hooking, SSN Hooking/Crushing, IAT Hooking, and more. It’s under development with features like Heap Monitoring and ROP Mitigation being added. The tool comes with a usage guide and is structured with an executable file, DLLs, and configuration files like TrigerringFunctions.json and YaroRules.json. These JSON files allow users to set patterns for thread call stack monitoring and describe the functions for various hooking methods. The software is adaptable, with some parts modifiable and others fixed for informational purposes. The tool’s primary purpose is to provide a practical platform for understanding and experimenting with EDR methods.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.