Select Page
New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.

“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.

“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”

The malicious activity, discovered in August 2022, attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office, that allows an attacker to take control of an affected system.

The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.

images from Hacker News

Why Organisations Need Both EDR and NDR for Complete Network Protection

Why Organisations Need Both EDR and NDR for Complete Network Protection

Endpoint devices like desktops, laptops, and mobile phones enable users to connect to enterprise networks and use their resources for their day-to-day work. However, they also expand the attack surface and make the organisation vulnerable to malicious cyberattacks and data breaches.

Why Modern Organisations Need EDR

According to the 2020 global risk report by Ponemon Institute, smartphones, laptops, mobile devices, and desktops are some of the most vulnerable entry points that allow threat actors to compromise enterprise networks. Security teams must assess and address the security risks created by these devices before they can damage the organisation. And for this, they require Endpoint Detection & Response (EDR).

EDR solutions provide real-time visibility into endpoints and detect threats like malware and ransomware. By continuously monitoring endpoints, they enable security teams to uncover malicious activities, investigate threats, and initiate appropriate responses to protect the organisation.

The Limitations of EDR

Modern enterprise networks are complex webs of users, endpoints, applications, and data flows distributed across on-premises and multi-cloud environments. As EDR solutions only provide visibility into endpoints, many security gaps and challenges remain, significantly increasing the risk of cyberattacks going unnoticed.

images from Hacker News

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

A “highly operational, destructive, and sophisticated nation-state activity group” with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022.

Microsoft’s threat intelligence teams, alongside LinkedIn Threat Prevention and Defence, attributed the intrusions with high confidence to Zinc, a threat group affiliated with Lazarus which is also tracked under the name Labyrinth Chollima.

Attacks targeted employees in organizations across multiple industries, including media, defence and aerospace, and IT services in the U.S., the U.K., India, and Russia.

The tech giant said it observed Zinc leveraging a “wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.”

According to CrowdStrike, Zinc “has been active since 2009 in operations aimed at collecting political, military, and economic intelligence on North Korea’s foreign adversaries and conducting currency generation campaigns.”

images from Hacker News

Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

Microsoft officially disclosed it investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation.

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” the tech giant said.

The company also confirmed that it’s aware of “limited targeted attacks” weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.

The attacks detailed by Microsoft show that the two flaws are stringed together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.

images from Hacker News

Researchers Uncover Covert Attack Campaign Targeting Military Contractors

Researchers Uncover Covert Attack Campaign Targeting Military Contractors

A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines.

The highly-targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft.

“The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies,” Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in an analysis.

Infection chains begin with a phishing mail with a ZIP archive attachment containing a shortcut file that claims to be a PDF document about “Company & Benefits,” which is then used to retrieve a stager — an initial binary that’s used to download the desired malware — from a remote server.

This PowerShell stager sets the stage for a “robust chain of stagers” that progresses through seven more steps, when the final PowerShell script executes a remote payload “header.png” hosted on a server named “terma[.]app.”

images from Hacker News