Week 52, December 25-31, 2023. Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
Spear-phishing attacks attributed to the ‘Cloud Atlas’ group are specifically targeting Russian agricultural and research companies. Meanwhile, the infamous Carbanak banking malware has made a comeback, now employing ransomware tactics. A particularly alarming development is the discovery of a critical zero-day vulnerability in the Apache OFBiz ERP system, which leaves numerous businesses exposed to attack.
In addition, Chinese hackers have exploited a new zero-day in Barracuda’s ESG appliances, and a new Android malware family, known as Xamalicious, has infected over 327,000 devices. Another concerning trend is the increase in attacks on poorly secured Linux SSH servers for cryptocurrency mining. Google Cloud has addressed a privilege escalation flaw in its Kubernetes service.
In terms of targeted attacks, the Albanian Parliament and One Albania Telecom have been hit by cyber-attacks, and CERT-UA has uncovered a new malware wave distributing OCEANMAP, MASEPIE, and STEELHOOK. The Kimsuky hackers are deploying a variety of tools in their latest attacks, while Microsoft has disabled the MSIX App Installer protocol handler, which has been widely abused in malware attacks. Lastly, there is a rising threat from Scam-as-a-Service offerings, which help cybercriminals drain crypto wallets.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
PurpleOps is an open-source, self-hosted web application designed for purple team management. It streamlines the coordination and execution of cybersecurity testing by providing template engagements and test cases, as well as support for various frameworks. With a focus on security and efficiency, PurpleOps offers Role-based Access Control and Multi-Factor Authentication to ensure protected access. Its inbuilt DOCX reporting feature, alongside support for custom templates, makes documenting findings straightforward and adaptable to specific needs. Setting itself apart, PurpleOps is fully hackable with no restrictions on reverse engineering, and it simplifies the setup process by avoiding complex dependencies like Tomcat and manual database setups. The application is designed to be straightforward and user-friendly, removing unnecessary complications and providing a robust tool for cybersecurity professionals.
Ngocok is a free tool designed as an alternative to Burp Collaborator, built on top of ngrok. It requires an authentication token from your ngrok account to establish a secure tunnel. Once ngrok is set up on your machine, installation is a simple matter of using Go commands to either install directly from the repository or build the executable from source. Usage is straightforward: running ngocok captures out-of-band requests, with configurable flags for endpoints, tokens, header unstripping, and output logging. The ngrok authentication token can be supplied via command-line flag, environment variable, or configuration file, with a defined order of precedence among them, giving flexibility in setting up and securing the tunnel. With a focus on simplicity and adaptability, ngocok streamlines the process of capturing and analyzing external requests in a secure, efficient manner.
Mordor is a project focused on advanced process injection and function hooking techniques, named after the Black Gate of Mordor from “The Lord of the Rings.” It includes methods like Hell’s Gate, Halo’s Gate, and Tartarus’ Gate, which are used to retrieve system call numbers by analyzing the ntdll.dll module and adjusting for potential hooks placed by external software. FreshyCalls and SysWhispers2 are additional components, with FreshyCalls searching the Export Directory for functions starting with ‘Nt’ and sorting them by addresses to determine syscall numbers, while SysWhispers2 does a similar task but looks for ‘Zw’ functions. These techniques aim to directly call system APIs, bypass hooks, and ensure the execution flow of a program is not tampered with by external entities like anti-virus or anti-cheat systems. The project is currently under development, focusing on enhancing user-friendliness and expanding its capabilities.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.