Hello and welcome back to another blog post. After some time of absence due to a lot of changes in my personal life ( finished university, started a new job, etc), I am happy to finally be able to present something new.
Chapter 1: Captcha-verified Victim
This story starts with a message by one of my long time internet contacts:
Figure 1: Shit hit the Fan
I assume, some of you can already tell from this message alone that something terrible had just happend to him.
The legitimate website of the German Association for International Law had redirected him to an apparent Cloudflare Captcha site asking him to execute a Powershell command on device that does a Webrequest (iwr = Invoke-WebRequest) to a remote website (amoliera[.]com) and then pipes the response into “iex” which stands for Invoke-Expression.
Thats a text-book example for a so called FakeCaptcha attack.
For those of you that do not know what the FakeCaptcha attack technique is, let me give you a short primer:
A Captcha in itself is a legitimate method Website Owners use to differentiate between bots (automated traffic) and real human users. It often involves at-least clicking a button but can additionally require the website visitor to solve different form of small tasks like clicking certain images out of a collection of random images or identifying a bunch of obscurely written letters. The goal is to only let users visit the website that are able to solve these tasks, which are often designed to be hard for computers but easy for human beings. Well, most of the times.
Bulletproof hosting services provide the infrastructure for cybercriminal activities, enabling criminals to evade legal constraints and are often used for malware, hacking attacks, fraudulent…
Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do.
If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.”
This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.
Now I know that ransomware attacks using cross-account KMS keys is already known (checkout the article below)— but even then, the CMK is managed by AWS and they can just block the attackers access to the CMK and decrypt data for the victim because the key is OWNED by AWS and attacker is just given API access to it under AWS TOS. Also there’s no way to delete the CMK but only schedule the key deletion (min 7 days) which means there’s ample time for AWS to intervene.(6 Months later CZAT 7 Server is offline or changed to another ip address , this post was written 6 months ago, published today 9/2/2024)
I’m a big fan of trains, i like them, but never tough that someday i would take over train traction power substation located in Poland from my home in Costa Rica.
I’m not a train expert/engineer and i had no idea how the train management works , I’m a cyber security professional doing research in the internet about OT Industrial equipment exposed potentially vulnerable or misconfigured.
Everything explained here is just what i learned reading official documentation from the Elester-pkp website . https://elester-pkp.com.pl/
Foreign nation-state cyber adversaries are tenacious. Their attacks are evolving to get around the industry’s most sophisticated defenses. Last year was exploitation of routers, and this year’s theme has been compromise of edge protection devices.
MITRE, a company that strives to maintain the highest cybersecurity possible, is not immune.
Despite our commitment to safeguarding our digital assets, we’ve experienced a breach that underscores the nature of modern threats. In this blog post, we provide an initial account of the incident, outlining the tactics, techniques, and procedures (TTPs) employed by the adversaries, as well as some of our ongoing incident response efforts and recommendations for future steps to fortify your defenses.
I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” This concept revolves around utilizing stylometry to identify potential modifications in new ransomware variants based on existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Dark Net Diaries, discussing his tracking of the Revil ransomware.)
We’ve seen spam campaigns in the open-source ecosystems in the past year, but this month was by far the worst one we’ve seen yet. Apparently, attackers found the unvetted open-source ecosystems as an…
On February 27, 2023, a “The Sandbox” employee was compromised, resulting in sending malspam which introduced them to “PureLand”. It leads to a RedLine Stealer and an unknown stealer for macOS. A…
Years-old domains, compromised JS libraries and worldwide-localized content among tactics of this sophisticated attacker.
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.
At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption. In fact, only 36% even support encryption. This puts PostgreSQL servers well behind the rest of the Internet in terms of security. In comparison, according to Google, over 96% of page loads in Chrome on a Mac are encrypted. The top 100 websites support encryption, and 97 of those default to encryption.
Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in form of an “Extended Stored Procedure” DLL, a…
Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero…
One, if not the main, challenge with producing good intelligence is to have access to the right information at the right moment. The right telemetry from the right angle helps you to detect and dig…
This investigation report contains an applications analysis of 7 different Apple developer accounts (identified so far — maybe there are…
If you use an Apple Macbook, it’s likely that you have a secret enclave for important secrets — such as your encryption keys. These keys define the core of the trust infrastructure on the device — and protect applications from stealing these secrets. The TEE also allows isolation between code which is fully trusted, and code that cannot be fully trusted. If this did not happen, we could install applications on our computer which would discover our login password and steal the encryption used used to key things secret and trusted.
A tracker to collate cyber groups engaged in cyber activities during the Russia-Ukraine war 2022.