Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) Sat, 06 Mar 2021 07:12:32 GMT Many security researchers like to use the VirusTotal platform. The provided services are amazing: you can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you have uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! In the SANS FOR610 training ("Reverse Engineering Malware"), we insist on the fact that you should avoid uploading a file to VT! The best practice is to compute the file hash, then search for it to see if someone else already uploaded the same sample. If you're the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don't be fooled: attackers also have access to VirusTotal and monitor activity around their malware! Note that I mention VirusTotal because it is very popular, but it is not the only service providing repositories of malicious files; there are plenty of alternative services to scan and store malicious files.
Spam Farm Spotted in the Wild, (Fri, Mar 5th) Fri, 05 Mar 2021 06:16:23 GMT If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security controls like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails from being sent from anywhere. If these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened to our reader: he saw many bounced messages for unknown email addresses. Here is an example:
From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th) Thu, 04 Mar 2021 07:21:33 GMT VBS files are interesting for delivering malicious content to a victim's computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it also looks like Russian dolls, given all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and it has a VT score of 12/59[1]. It was delivered by email under the name "Procurement - Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won't be detected as suspicious:
D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant Fri, 05 Mar 2021 15:55:41 +0000 A new variant of the Gafgyt botnet - that's actively targeting vulnerable D-Link and Internet of Things devices - is the first variant of the malware to rely on Tor communications, researchers say.
Cyberattackers Target Top Russian Cybercrime Forums Thu, 04 Mar 2021 21:42:51 +0000 Elite Russian forums for cybercriminals have been hacked in a string of breaches, leaving hackers edgy and worried about law enforcement.
National Surveillance Camera Rollout Roils Privacy Activists Thu, 04 Mar 2021 17:21:34 +0000 TALON, a network of smart, connected security cameras developed by the Atlanta-based startup and installed by law enforcement around the country, raises surveillance-related privacy concerns.
CISA Orders Federal Agencies to Patch Exchange Servers Thu, 04 Mar 2021 17:08:36 +0000 Espionage attacks exploiting the just-patched remote code-execution security bugs in Microsoft Exchange servers are quickly spreading.
COVID-19 Vaccine Spear-Phishing Attacks Jump 26 Percent Thu, 04 Mar 2021 16:01:15 +0000 Cybercriminals are using the COVID-19 vaccine to steal Microsoft credentials, infect systems with malware and bilk victims out of hundreds of dollars.
# Reddit netsec
# Krebs On Security
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software Fri, 05 Mar 2021 21:07:07 +0000 At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
Three Top Russian Cybercrime Forums Hacked Thu, 04 Mar 2021 15:01:59 +0000 Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords.
Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails Tue, 02 Mar 2021 21:19:17 +0000 Microsoft Corp. today released software updates to plug four critical security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.