The following is an excerpt from our new module on the recent XZ Utils backdoor, CVE-2024-3094.

On Mar 29, 2024, at 12:00PM ET, Andres Freund posted on the Openwall mailing list about a backdoor he discovered in the XZ Utils package. The backdoor targeted the OpenSSH binary, allowing remote code execution on impacted machines. This backdoor was not located in the GitHub repository, but only in release versions of the package, which hid its presence.

Given that XZ Utils had been installed (directly or indirectly) on billions of Linux systems worldwide, this finding stunned the international Linux and infosec communities.

Understanding the Timeline of the Attack

In late 2021,

... Read more »

The post Behind Enemy Lines: Understanding the Threat of the XZ Backdoor appeared first on OffSec.

Did you know that 95% of cybersecurity breaches are caused by human error? Traditional training methods often fail to address this critical factor, leaving organizations exposed. OffSec Versus, part of the Enterprise Cyber Range, is designed to change that. It’s a live-fire training environment where your Red and Blue teams learn by doing, battling head-to-head, and developing the essential collaboration skills needed to neutralize real-world attacks.

Versus Explained

OffSec Versus exists to bridge the gap between traditional cybersecurity training and the dynamic, collaborative teamwork needed to defend against modern threats.  

Versus is a realistic, adversarial training environment within the Enterprise Cyber Range, enabling Red and Blue teams to engage in realistic, scored tournaments.  In a real-world attack,

... Read more »

The post OffSec Versus: Revolutionizing Cybersecurity Training Through Live-Fire Collaboration appeared first on OffSec.

AT&T Cybersecurity’s head of evangelism, Theresa Lanowitz, is today's guest. Lanowitz has amazing and wide-ranging career achievements, from her time with analyst firms Gartner and Voke, work on Java’s JBuilder environment and strategic marketing for the Jini Project, which was proto-IoT going back to the late ‘90s! With all of these incredible stories, we talked far and wide about manufacturing security concerns, she breaks down the key pain points around edge computing and talks extensively about her love of both the English language and programming languages of all sorts. They all have grammar, they all have style, and if you’re a linguist or a lover of learning new languages, perhaps computer languages are an opportunity you hadn’t pursued? All that and a ton more – seriously, I could have talked to Lanowitz for hours – on today’s episode of Cyber Work.

0:00 - Manufacturing security 
 2:02 - Theresa Lanowitz’s early interest in computers
 3:52 - Learning programming languages in the early days
 6:12 - English language’s connection to programming language
 8:24 - Evolution of programming language
 11:55 - How language impacts programming
 13:52 - Lanowitz’s cybersecurity career
 17:20 - An average day as head of cybersecurity evangelism
 22:53 - Edge computing use in manufacturing
 26:35 - Biggest security issues in manufacturing
 30:02 - The bad actors in manufacturing security
 33:41 - Manufacturing cybersecurity technology
 39:02 - Skills needed to work in manufacturing cybersecurity
 41:00 - Biggest skills gaps in manufacturing security
 41:44 - Best cybersecurity career advice
 42:15 - Where are manufacturing security issues heading?
 45:06 - Security issues with third-party vendors
 47:53 - Learn more about AT&T cybersecurity 
 48:48 - Learn more about Theresa Lanowitz
 49:04 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Horizon3.ai Breaks Down Fortinet Vulnerability

Zach Hanley, Horizon3.ai Chief Attack Engineer, and James Horseman, Exploit Developer, join John Furrier of theCUBE to discuss Fortinet CVE 2022 40864.

The post Horizon3.ai Breaks Down Fortinet Vulnerability appeared first on Horizon3.ai.

Many penetration tests are only point-in-time and/or manual. In this Horizon3.ai sponsored webcast from SANS, take a First Look at how Horizon3.ai’s NodeZero takes on the pen test problem. 

Listen to SANS Senior Instructor Dave Shackleford and Horizon3.ai’s CEO and Co-Founder Snehal Antani discuss the platform’s highlights and why it might be right for your organization.

The post SANS Webcast w/ Sponsor Horizon3.ai appeared first on Horizon3.ai.

Managed security service providers (MSSPs) and managed services providers (MSPs) tell us that in today’s cyber threat
environment, securing customer environments while still maintaining profit margins and growing adoption of their services is an ongoing challenge. The NodeZero^TM platform enables you to proactively and efficiently probe your customers’ networks for weaknesses that go beyond known and patchable vulnerabilities, such as credentials open to compromise, exposed data, misconfigurations, poor security controls, and weak policies.

The post NodeZero™ from Horizon3.ai Optimized for MSSPs and MSPs appeared first on Horizon3.ai.

State, local and education (SLED) organizations have unique cybersecurity pain points. Because they rely on taxpayer dollars, SLED organizations are often trying to do more with less.

The post SLED U.S. State, Local, & Education appeared first on Horizon3.ai.

Demand for #pentesting expertise is at an all-time high, and many orgs are struggling to meet their annual requirements for the PCI DSS v4.0. This webinar explains how our services fulfill your pentesting requirements and help you streamline your remediation efforts. You’ll learn about:

– Horizon3.ai’s human-machine teaming approach for compliance pentesting
– How we fully address requirement 11.4 of the PCI DSS and pentesting for the Self-Assessment Questionnaires (SAQs)
– A practitioner’s view of how #NodeZero helps orgs efficiently interpret and remediate their penetration test report

The post No waiting, no wondering: Streamline your PCI pentesting process with Horizon3.ai appeared first on Horizon3.ai.

The emphasis on technical skills and knowledge in cybersecurity has always been present. However, as the field becomes increasingly complex and intertwined with every facet of business operations, the spotlight has shifted to the indispensable role soft skills hold in cybersecurity leadership. 

This perspective was the focal point of our recent webinar, led by Thereasa Roy of OffSec and featuring the insights of Jason Haddix, CEO of Arcanum Information Security. Jason delved into the pivotal role that soft skills—such as strategic communication, empathy, and storytelling—play in navigating the challenges of cybersecurity. 

As we’ve seen with recent attacks like the one on casino giant MGM, cyber threats are technical but also deeply rooted in human behaviors and interactions.

... Read more »

The post Soft Skills for Cybersecurity Leaders: CISO’s Perspective appeared first on OffSec.

Long time no hear in terms of Evilginx updates. While I'm still working on the release of Evilginx Pro, I've decided to fix a few issues and add new features to the public version of Evilginx, in the meantime.

First of all, I wanted to thank everyone for the great feedback and insightful discussions in the BREAKDEV RED community Discord. All of the reported issues and suggestions led to the improvement of Evilginx and this update is the fruit of such great community feedback.

Additionally, I wanted to use this opportunity to thank everyone for sending their applications to access BREAKDEV RED. We've gathered an incredible number of security professionals (almost 850 at the time of writing) and every day I'm learning something new from you guys, which I'm super grateful for. Hell, I've even finally fully understood how to properly configure the SPF/DKIM/DMARC combo thanks to all the discussion on the subject.

Vetting the applications takes a lot of time and before I open the registrations again, to the public, I'd like to automate the verification process a bit. Once I do this, requesting access to the community should be more accessible to everyone.

Allowing access only to red teamers with a clean conscience is still of utmost importance to me and it is the base for creating a friendly atmosphere, which fuels guilt-free information sharing.

This time I have something special for you. Never before have I had a request so popular that it was mentioned in 90% of all BREAKDEV RED application forms. Let it be known that your pleas have been heard.

Evilginx has an official integration with GoPhish by Jordan Wright from now on!

That's right - you will finally be able to create phishing campaigns for sending emails with valid Evilginx lure URLs and enjoy all the benefits of GoPhish's lovely UI, seeing which emails were opened, which lure URLs were clicked and which clicks resulted in successful session capture.

Here is the full list of changes coming in Evilginx 3.3 together with a full guide on how to use all the new features.

GoPhish Support

I've forked GoPhish and added the integration with Evilginx in the cleanest way possible. If you were using your custom version of GoPhish, merging Evilginx integration with your own fork should be relatively easy.

I have made the integration in such a way that Evilginx will be notifying GoPhish of the following events, which occur:

• A hidden image tracker is triggered when the email is opened. The tracker image is just a lure URL with specific parameters to let Evilginx know it should be used as a tracker.
• A phishing link is clicked within the email message. The phishing link within the email message sent through GoPhish is just the lure URL with embedded parameters.
• The session is successfully captured with Evilginx. Once Evilginx gathers the credentials and logs the cookies, it will notify GoPhish that the data has been submitted.

I've exposed additional API endpoints in GoPhish to make it possible to change the results status for every sent email.

Now, when you create a new campaign in GoPhish, you do not have a "Landing Page" to select. Instead, you will generate a lure URL in Evilginx and paste it into the "Evilginx Lure URL" text box.

What's more, GoPhish will automatically generate the encrypted custom parameters with personalized content, retrievable by Evilginx, for each embedded link. The personalized values embedded with every phishing link embedded within the generated email message are the following:

• First Name (fname)
• Last Name (lname)
• Email (email)

This is super useful as you can use the custom parameters further to customize the content on your phishing pages within your js_inject scripts.

Let's say you wanted to pre-fill the email in the sign-in text box on the phishing page. Now you can just use the {email} placeholder within your injected script and you can be sure that GoPhish will deliver the right value for you. The same goes for {fname} and {lname}.

GoPhish will also embed the rid (Result ID) in the phishing link's parameters, so that Evilginx will know for which result it should update the status.

You can monitor the status of your mailing campaigns and check email deliverability, straight from GoPhish, but Evilginx will be the only side storing the credentials and authentication cookies.

How to set up GoPhish with Evilginx?

First of all, you need to get GoPhish from my forked GoPhish repository. You can either grab clone the source code and build it yourself or you can grab the binaries from releases.

Deploy GoPhish on the external server. It doesn't have to be the same server Evilginx is running on, but it will have to be reachable by your Evilginx instances. You can find out how to install GoPhish in its official documentation.

Once you have GoPhish running on a remote server and you also have Evilginx deployed and ready for action, you will need to tell Evilginx how it can communicate with your GoPhish server.

Configuring Evilginx

For this, you will need the Admin URL of your GoPhish instance and the API key. You can find the API key within the Account Settings in your GoPhish admin panel. To figure out the IP and port of your GoPhish instance, refer to the official documentation.

For example, if your GoPhish admin server is running on an IP 1.2.3.4 listening on port 3333, with TLS enabled, you can set it up as follows:

config gophish admin_url https://1.2.3.4:3333
config gophish api_key c60e5bce24856c2c473c4560772

If you do not use a valid TLS certificate for the exposed GoPhish instance, you may need to allow insecure TLS connections as well (such connections can be man-in-the-middled, so tread carefully):

config gophish insecure true

Once all this is configured, your Evilginx instance is ready to go. You can test if the communication with GoPhish works properly by issuing the command:

config gophish test

Configuring GoPhish

Here I am assuming you are familiar with how to use GoPhish. If not, feel free to check out the documentation on how to get started.

Make sure GoPhish is running either in a tmux session or you set it up to run as a daemon. You can find more information on how to do it in this GitHub issue.

Once you have everything properly set up, it is time to set up your Campaign. Create the new campaign and then select the Email Template, Sending Profile and the group of recipients. You may notice that instead of being asked for the Landing Page profile you need to provide the Evilginx Lure URL.

Open your Evilginx instance, create the lure and grab the lure URL you want to send out in your phishing campaign, using the command:

lures get-url <id>

Copy this URL and paste it into the Evilginx Lure URL text field of the campaign creation panel.

That's it! You can now send out the campaign emails while enjoying the full overview of your campaign progress within the GoPhish UI.

Custom TLS Certificates

Since the release of Evilginx 3.0, the tool has been using certmagic library for TLS certificate management with automated LetsEncrypt TLS certificate registration. Having to use only LetsEncrypt certificates is often not ideal as it may mark your phishing server, on an engagement, as suspicious.

Many people have requested support to use their own TLS certificates with Evilginx, including the wildcard certificates. This feature has finally been implemented.

To add your own TLS certificates, first, create a new directory under ~/.evilginx/crt/sites/ with the name of your website or hostname. The name does not matter and it can be anything you choose.

Evilginx will scan these directories looking for the public X509 certificate and the private key used to sign the certificate. The X509 certificate should have either the .pem or .crt extension, while the private key should have the .key extension.

For convenience, Evilginx will also recognize the keypair generated by CertBot, where the public certificate is named fullchain.pem and the private key is privkey.pem. You can copy both files into the same directory to add such a TLS certificate generated by CertBot.

Once you put your custom TLS certificates in the right place, don't forget to disable automated LetsEncrypt certificate retrieval with:

config autocert off

IMPORTANT! Make sure the private key files are not password-protected or otherwise Evilginx may fail to load them.

Example 1:

~/.evilginx/crt/sites/wildcard.domain.com/fullchain.pem
~/.evilginx/crt/sites/wildcard.domain.com/privkey.pem

Example 2:

~/.evilginx/crt/sites/my_certificate/public.crt
~/.evilginx/crt/sites/my_certificate/private.key

CertMagic library will automatically add the TLS certificates to the managed pool and it will automatically respond with a valid TLS certificate.

HTTP Proxy IP Detection

I know some of you use Caddy, Apache or Nginx as an additional proxy layer, sitting in front of the Evilginx instance. This created an issue for Evilginx to properly detect the origin IP address of incoming requests. Since all requests were proxied through a local web server, the origin IP would default to 127.0.0.1, completely ignoring the additional HTTP headers added by the proxies, with the correct origin IP addresses as values.

Since this update, Evilginx will properly recognize the origin IP address of all proxied HTTP requests. The list of monitored HTTP headers is as follows:

X-Forwarded-For
X-Real-IP
X-Client-IP
Connecting-IP
True-Client-IP
Client-IP

JSON support in force_post

Thanks to @yudasm_ contribution, you can now enjoy injecting your custom POST parameters within body contents transmitted in JSON format.

Check out Yehuda's recent blog post on how he used this feature to evade FIDO2 authentication when phishing MS365 accounts.

Fixed a bug used to detect Evilginx

Keanu Nys reported an issue, in the BREAKDEV RED channel, where he found that one of the online URL scanners he used was able to open the phishing page by visiting the URL with just a hostname, without a valid lure URL path.

There was a bug in Evilginx, which would only enforce valid lure URLs for phishing hostnames, which were defined with session: true in the proxy_hosts section of the phishlet file.

Upon closer inspection, I've decided that the session parameter never made sense and it is now obsolete. Every proxy_hosts entry is treated as if session was set to true.

Keanu wrote a great post-mortem post about the bug he found, so if you're interested in learning more about it, you can find it here.

Fixed the infinite redirection loop

Evilginx, since forever, had a very annoying bug, which would trigger the infinite redirection loop, whenever the lure URL path was set to be the same as the login path of the targeted website.

This has now been fixed and Evilginx will also make an additional check to compare if the lure URL contains the valid phishing domain used by the landing phishing page.

Added support for more TLDs

Over the years, there have been multiple new TLDs launched for registering domains. Evilginx will try hard to detect all URLs in proxied packets and convert them either from phishing domains to original domains or from original domains to phishing domains.

To be more efficient, it relies on the detection of URLs ending with known TLDs. Some of the newer TLDs have not been supported and this update changes that.

Here is the new list of all supported TLDs:

aero
arpa
art
biz
bot
cat
click
cloud
club
com
coop
edu
game
gov
inc
info
ink
int
jobs
live
lol
mil
mobi
museum
name
net
online
org
pro
root
shop
site
tech
tel
today
travel
vip
wiki
xyz
[all known 2 character TLDs]

Changelog

Here is the whole Evilginx 3.3 changelog with some additional changes and fixes I did not mention in this post:

3.3.0

• Feature: Official GoPhish integration, using the fork: https://github.com/kgretzky/gophish
• Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in ~/.evilginx/crt/sites/<hostname>/. Will load fullchain.pem and privkey.pem pair or a combination of a .pem/.crt (public certificate) and a .key (private key) file. Make sure to run without -developer flag and disable autocert retrieval with config autocert off.
• Feature: Added ability to inject force_post POST parameters into JSON content body (by @yudasm_).
• Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with config autocert <on/off>.
• Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
• Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
• Fixed: Added support for exported cookies with names prefixed with __Host- and __Secure-.
• Fixed: Global unauth_url can now be set to an empty string to have the server return 403 on unauthorized requests.
• Fixed: Unauthorized redirects and blacklisting would be ignored for proxy_hosts with session: false (default) making it easy to detect evilginx by external scanners.
• Fixed: IP address 127.0.0.1 is now ignored from being added to the IP blacklist.
• Fixed: Added support for more TLDs to use with phishing domains (e.g. xyz, art, tech, wiki, lol & more)
• Fixed: Credentials will now be captured also from intercepted requests.

Conclusion

I'm happy to have finally been able to include the most requested features, together with some quality-of-life improvements, before the Evilginx Pro release this year.

Please let me know your feedback about the update, either on Twitter @mrgretzky or in BREAKDEV RED Discord.

Looking forward to your opinion!

If you're reading this before 3rd April 2024, you can still get a 30% discount for the Evilginx Mastery course, which I am constantly updating and you get access for a lifetime. Expect to see the GoPhish integration guide added sometime in the future.

Happy phishing!

-- Kuba Gretzky

See your enterprise through the eyes of an attacker – More than a concept — a Proof of Value

The post NodeZero: More than a concept — a Proof of Value appeared first on Horizon3.ai.

Thomas Pace of NetRise talks about industrial control systems security. We’ll learn about Pace's time in the United States Marine Corps in cyber-intelligence, his move to forensics and then ICS and why the greatest asset a security professional can have is the ability to find, clearly see and create narratives. I always find ICS professionals to be fascinating, and Pace took us down some new paths, so if you’re also interested in ICS Security, keep it here for today’s episode of Cyber Work!

0:00 - Industrial Control Systems security
1:39 - How Pace got into cybersecurity
4:31 - The speed of cybersecurity's change
5:20 - Pace's career in cyber intelligence
10:08 - Importance of cybersecurity analysis
10:55 - Current state of ICS and infrastructure security in the U.S.
25:22 - How to work in ICS security
32:52 - Manufacturing security issues
38:00 - Security risks for cranes
40:51 - Best ICS security advice
44:09 - Best cybersecurity career advice
46:15 - What is NetRise?
47:40 - Learn more about Pace
48:25 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

In 2024, the cybersecurity landscape is bleak, with 62% of organizations acknowledging a pressing need for enhanced cybersecurity skills amidst growing digital threats. This statistic underscores the urgent demand for comprehensive training in modern cybersecurity practices​. In response to this critical need, OffSec is introducing a new suite of Cyber Ranges. 

OffSec’s Cyber Ranges – our solution for realistic, high-impact cybersecurity training. This suite delivers a powerful combination:

• Our Enterprise Cyber Range (ECR) with the groundbreaking live-fire capability in Versus, for Red vs. Blue training.
• Enhanced Offensive and Defensive Cyber Ranges for deep-dive, specialized skill development.

Together, these ranges create an unmatched training experience for your entire cybersecurity team.

OffSec’s Enterprise Cyber Range

Traditional cybersecurity training often falls short.

... Read more »

The post Transform Your Cybersecurity Training with OffSec’s Cyber Ranges appeared first on OffSec.

Pentesters are well known for their technical skill sets, they simulate cyber attacks on computer systems, networks, or applications in a controlled environment. And, their primary goal is to identify vulnerabilities and weaknesses to assess the security posture of a target system. Much of the work they do is technical in nature, but in order to help organizations understand and rectify their vulnerabilities before malicious hackers can exploit them, communicating that risk through report writing is nearly as important as finding the risk. 

This is where soft skills like report writing become just as important as their technical skills. 

In this blog post, we’ll address the value of report writing for penetration testers, show examples of reports, highlight some mistakes that are often made,

... Read more »

The post Importance of report writing for pen testers appeared first on OffSec.

Horizon3.ai delivers sophisticated and timely penetration testing services tailored to fulfill the internal and external pentesting requirements of your cardholder data environment outlined by the Payment Card Industry Data Security Standard (PCI DSS) v4.0. Our offerings are executed with comprehensive coverage and meticulous attention to detail to fully address these stringent pentesting requirements.

The post Horizon3.ai PCI 11.4 Pentesting Engagement appeared first on Horizon3.ai.

Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers and federal decrees

The attackers use phishing emails with seemingly legitimate documents and evade defenses by hosting the malicious payload on a remote server and limiting its downloads.

The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the number of downloads enables the attackers to bypass defenses.

Key findings

1. Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
2. The IT infrastructure of government organizations provides ample opportunities for adversaries to exploit even the old vulnerabilities. This is just another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
3. Placing the malicious payload on a remote server rather than inside of an attachment increases the chances to bypass the defenses.

Campaign

Cloud Werewolf uses Microsoft Office documents with information targeting employees of government organizations. For instance, the file titled Путевки на лечение 2024.doc contains information on spa vouchers.

Another document is a federal agency decree titled Приказ [redacted] № ВБ-52фс.doc.

Yet another document Инженерная записка.doc lists the requirements to an engineering memo for public works.

Opening the attachment triggers the transfer of a document template from a remote source, such as https://triger-working[.]com/en/about-us/unshelling. The template is an RTF file that enables the attackers to exploit the CVE-2017-11882 vulnerability.

The successful exploitation and the execution of the shell code allow the adversaries to do the following:

• decrypt the malicious payload within the shell code with the help of a 2-byte key XOR operation
• download an HTA file with a VBScript from a remote server and open the file

The script triggers actions that:

• reduce the size of the window and move it outside the screen boundaries
• retrieve the path to the AppData\Roaming folder by means of obtaining the value of the APPDATA parameter of the HKCU\Volatile Environment registry key
• create the rationalistic.xml file and write the following files to its alternate data streams:
   — rationalistic.xml:rationalistic.hxn, the file with malicious payload for connecting to the C2 server
   — rationalistic.xml:rationalistic.vbs, one of the files responsible for decrypting and executing the malicious payload
   — rationalistic.xml:rationalisticing.vbs, another file responsible for decrypting and executing the malicious payload
   — rationalistic.xml:rationalisticinit.vbs, the file responsible for purging all the files in the folder C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\ and in rationalistic.xml:rationalisticinit.vbs and rationalistic.xml:rationalisticing.vbs by opening the files in write mode.
• enable the autorun of rationalistic.xml:rationalistic.vbs by creating the defragsvc parameter with the value wscript /B “[path to the file rationalistic.xml:rationalistic.vbs]” in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• run rationalistic.xml:rationalisticing.vbs and rationalistic.xml:rationalisticinit.vbs with the help of the command wscript /B “[path to the file]”

By decrypting the malicious payload the adversaries can:

• obtain an object of interaction with network resources by accessing the registry hive CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}\ProgID
• use the proxy server whose address was retrieved from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
• verify the presence of the defragsvc parameter in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and create it if missing
• stay connected to the server in an infinite loop

To obtain additional VBS files from the C2 server, the attackers send a GET request to the server’s address (e.g., https://web-telegrama[.]org/podcast/accademia-solferino/backtracker) with the header User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) [domain name] Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0"=" Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0. The device's domain is retrieved from the USERDOMAIN parameter of the HKCU\Volatile Environment registry key. Files under 1 MB are executed in the program memory, otherwise saved to the file rationalistic.xml:rationalisticinit.vbs and launched with the help of wscript /B “[path to the file rationalistic.xml:rationalisticinit.vbs]”. If executed from rationalistic.xml:rationalisticing.vbs, the name will be rationalistic.xml:rationalisticinginit.vbs. After execution, the file is purged by being opened in write mode.

If rationalistic.xml:rationalistic.tmp (or rationalistic.xml:rationalisticing.tmp, depending on the active file) is available, the specified file is sent to the C2 server through a POST request. After sending, the file is purged by being opened in write mode.

More about Cloud Werewolf

• The cluster has been active since at least 2014 and also known as Inception and Cloud Atlas.
• Cloud Werewolf is a state-sponsored threat actor focused on spying.
• Attacks mostly government, industrial, and research organizations in Russia and Belarus.
• At the post-exploitation stage, Cloud Werewolf can employ unique tools, such as PowerShower and VBShower, as well as Python scripts.
• Uses LaZagne to receive authentication data.
• Uses Advanced IP Scanner to gather information about remote systems.
• Uses AnyDesk as a backup channel to access compromised IT infrastructures.
• Uses RDP and SSH to advance in compromised IT infrastructures.
• Uses 7-Zip to archive the files retrieved from the compromised systems.
• Deletes C2 server communication entries (e.g., from proxy server logs).

Indicators of compromise

• 5af1214fc0ca056e266b2d093099a3562741122f32303d3be7105ce0c2183821
• b4c0902a9fb29993bc7573d6e84547d0393c07e011f7b633f6ea3a67b96c6577
• 9d98bd1f1cf6442a21b6983c5c91c0c14cd98ed9029f224bdbc8fdf87c003a4b
• serverop-parametrs[.]com
• triger-working[.]com
• web-telegrama[.]org

MITRE ATT&CK

More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.

How to protect your company from such threats

Cloud Werewolf’s methods of gaining persistence on endpoints are hard to detect with preventive security solutions. Therefore we recommend that companies enhance their cybersecurity with endpoint detection and response practices, for instance, with the help of BI.ZONE EDR.

To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.

Winner, Security Today Govies for Autonomous Penetration Testing

The post Security Today Govies Award appeared first on Horizon3.ai.

Infosec and Cyber Work Hacks want you to pass the Cisco CCNA exam! To help you do that, Infosec’s CCNA Boot Camp instructor Wilfredo Lanz gives you his top tips and tricks for taking the CCNA exam! Lanz will give you some advice for narrowing down the right answer by eliminating the obviously wrong ones, common mistakes people make while taking the exam and what to do if, for some reason, you don’t pass on the first try. And most importantly, why you must take the practice exams before the test. And then retake them. And again! 

0:00 - CCNA exam tips 
1:43 - What does the CCNA cover? 
4:50 - Tricks for taking the CCNA exam 
5:55 - Common CCNA exam mistakes 
7:17 - What if you fail the CCNA exam? 
8:40 - Best piece of advice for CCNA exam day 
9:53 - Outro 

About Infosec 

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

The NodeZero^TM platform is easy-to-use, safe for production, and scales to support your largest networks. You are empowered to test a very broad scope in a single test, orchestrate tests concurrently, and simultaneously test your enterprise from different attacker perspectives.

The post Autonomous Penetration Testing with Horizon3.ai appeared first on Horizon3.ai.