The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

Suspected N. Korean Hackers Target S. Korea-US Drills

North Korea-linked "Kimsuky" hackers carried out "continuous malicious email attacks" on contractors working at the war simulation centre.

The post Suspected N. Korean Hackers Target S. Korea-US Drills appeared first on SecurityWeek.

Four Juniper Junos OS flaws can be chained to remotely hack devices

Juniper Networks addressed multiple flaws in the J-Web component of Junos OS that could be chained to achieve remote code execution. Juniper Networks has released an “out-of-cycle” security update to address four vulnerabilities in the J-Web component of Junos OS. The vulnerabilities could be chained to achieve remote code execution on vulnerable appliances. The vulnerabilities […]

The post Four Juniper Junos OS flaws can be chained to remotely hack devices appeared first on Security Affairs.

Cybersecurity: CASB vs SASE

Understanding cybersecurity aspects addressed by Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE) In an increasingly digital world, where businesses rely on cloud services and remote access, cybersecurity has become paramount. As organizations strive to safeguard their data, applications, and networks, two prominent concepts have emerged as vital components of modern cybersecurity: […]

The post Cybersecurity: CASB vs SASE appeared first on Security Affairs.

Security Affairs newsletter Round 433 by Pierluigi Paganini – International edition

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection WinRAR flaw enables remote […]

The post Security Affairs newsletter Round 433 by Pierluigi Paganini – International edition appeared first on Security Affairs.

Data Fabric: The Intricate Shield Against Evolving Cyber Threats

By Waqas

Data is indeed useful in cybersecurity. Many tools or platforms harness data in various forms including threat intelligence,…

This is a post from HackRead.com Read the original post: Data Fabric: The Intricate Shield Against Evolving Cyber Threats

Cynomi Study Reveals Number of MSPs Providing Virtual CISO Services Will Grow Fivefold By Next Year

By Owais Sultan

The State of the Virtual CISO 2023” report, conducted by Global Surveys on behalf of Cynomi, reveals critical insights into MSPs and MSSPs’ recent shift towards vCISO services.

This is a post from HackRead.com Read the original post: Cynomi Study Reveals Number of MSPs Providing Virtual CISO Services Will Grow Fivefold By Next Year

Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection

Threat actors are using Android Package (APK) files with unsupported compression methods to prevent malware analysis. On June 28th, researchers from Zimperium zLab observed that Joe Sandbox had announced the availability of an Android APK that most anti-decompilation tools could not analyze. The APK could be installed on Android devices running […]

The post Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection appeared first on Security Affairs.

Cellebrite asks cops to keep its phone hacking tech ‘hush hush’

For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.” As part of the deal with government agencies, Cellebrite asks users to […]

Inside a Live Pirate IPTV Blocking Order Protecting UEFA’s Champions League

Football bodies and broadcasters including the Premier League, Sky and UEFA, recently obtained permission to continue their ISP blocking programs to limit access to pirate IPTV streams. While almost no information relating to these secret processes appears in public, today we're able to take a look inside one of several blocking orders active right now in Europe.

From: TF, for the latest news on copyright battles, piracy and more.

Rust devs push back as Serde project ships precompiled binaries

Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary.

The move has generated a fair amount of push back among developers who worry about its future legal and technical implications, along with a potential for supply chain attacks, should the maintainer account publishing these binaries be compromised.

According to the Rust package registry, crates.io, serde has been downloaded over 196 million times over its lifetime, whereas the serde_derive macro has scored more than 171 million downloads, attesting to the project's widespread circulation.

Serde macro goes precompiled: there's no way to opt-out

About three weeks ago, a Rust programmer using the Serde project in their application noticed something odd.

"I'm working on packaging serde for Fedora Linux, and I noticed that recent versions of serde_derive ship a precompiled binary now," wrote Fabio Valentini, a Fedora Packaging Committee member.

"This is problematic for us, since we cannot, under no circumstances (with only very few exceptions, for firmware or the like), redistribute precompiled binaries."

Serde (from serialization and deserialization) is a commonly used framework for serializing and deserializing Rust data structures that, according to its website, is designed to conduct these operations "efficiently and generically."

"The Serde ecosystem consists of data structures that know how to serialize and deserialize themselves along with data formats that know how to serialize and deserialize other things," states the project's website. Whereas, "derive" is one of its macros.

Valentini further asked the project maintainers how the new binaries were "actually produced" and whether it would be possible for him to recreate them rather than consume precompiled versions.

David Tolnay, the primary Serde maintainer, responded with potential workarounds at the time. That is not to say that everyone was pleased.

Following an influx of comments from developers arguing that the decision wasn't right for the project, Tolnay acknowledged the feedback before closing the GitHub issue.

His justification for shipping precompiled binaries is reproduced in whole below.

"The precompiled implementation is the only supported way to use the macros that are published in serde_derive.

If there is implementation work needed in some build tools to accommodate it, someone should feel free to do that work (as I have done for Buck and Bazel, which are tools I use and contribute significantly to) or publish your own fork of the source code under a different name.

Separately, regarding the commentary above about security, the best path forward would be for one of the people who cares about this to invest in a Cargo or crates.io RFC around first-class precompiled macros so that there is an approach that would suit your preferences; serde_derive would adopt that when available."

BleepingComputer approached Tolnay with additional questions prior to publishing.

"First .NET's Moq and now this."

Some Rust developers asked that precompiled binaries be kept optional and separate from the original "serde_derive" crate, while others likened the move to the controversial code change in the Moq .NET project that sparked backlash.

"Please consider moving the precompiled serde_derive version to a different crate and default serde_derive to building from source so that users that want the benefit of precompiled binary can opt-in to use it," requested one user.

"Or vice-versa. Or any other solution that allows building from source without having to patch serde_derive."

"Having a binary shipped as part of the crate, while I understand the build time speed benefits, is for security reasons not a viable solution for some library users."

Users pointed out how the change could impact entities that are "legally not allowed to redistribute pre-compiled binaries, by their own licenses," specifically mentioning government-regulated environments.

"...First .NET's Moq and now this," said Jordan Singh, an Australia-based developer, in a comment that was later removed.

"If this is to force cargo devs to support a feature then this is terrible way around doing it. At-least give us reproducible binaries. I'm sick of devs of popular crates/libraries taking everyone hostage with absurd decisions."

Philadelphia-based Donald Stufft cautioned against the risks of getting into the business of "shipping binaries" on social media:

[Embedded post: Developer cautions against the "shipping binaries" business]

Rust programmer Nathan West, who goes by Lucretiel, specifically highlighted the supply-chain risks posed by precompiled binaries, should the maintainer account get compromised:

[Embedded post: Supply chain risks associated with shipping precompiled binaries]

"Is not this the exact way they'd go about it? Ship it silently as a semi-plausible change to how serde works, intransigently ignore all criticism of the decision," wrote West.

"This is *exactly* the reason that everyone has such a reflexive opposition to moves like this."

"Trust on the internet isn't perfect; we *don't* know that that's really [the maintainer] posting in GitHub. That's why we have layers and proxies of defense; sketchy sh*t is rejected because it's not worth the risk.

Technologist Sanket Kanjalkar called the transition to ship binaries without a way of opting-out "a step backward."

But a security professional who goes by Lander has a slightly different take:

"This Rust drama about serde_derive shipping a precompiled binary is kind of funny," writes Lander.

"On one hand, I understand people's concern. On the other hand, who cares? nobody's reading proc macro code/build.rs code for every project they pull in anyways. An opt-out would be a good idea tho."

Whether you agree with the project's decision to serve its macros precompiled or not, it is good practice to routinely inspect source code before incorporating it into your projects, and to treat a precompiled binary inside a dependency as something that needs extra scrutiny: it cannot be reviewed the way source can, so the practical checks are detecting that it is there at all and confirming that it can be rebuilt from the published source.
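As an added example (not Serde's code and not from the BleepingComputer article), the following Rust program shows what the first of those checks looks like in practice: it walks a vendored crate tree, such as the output of `cargo vendor`, and flags any file whose leading bytes are an ELF, PE or Mach-O header, which is how a build pipeline can notice a precompiled artifact before the toolchain executes it. The sample tree it builds, the crate directory name and the binary file name `serde_derive-x86_64-unknown-linux-gnu` are constructed placeholders for illustration; it uses only the standard library.

```rust
// Added example, not Serde's code nor BleepingComputer's: scan a vendored
// crate tree for files that start with a native-executable header, so a
// precompiled artifact like the serde_derive binary is caught before a
// build runs it. Standard library only.
use std::fs;
use std::io::Read;
use std::path::{Path, PathBuf};

/// Classify the first bytes of a file. Only formats a Cargo build could
/// execute on a developer machine or CI runner are recognised.
pub fn executable_format(header: &[u8]) -> Option<&'static str> {
    if header.starts_with(b"\x7fELF") {
        Some("ELF")
    } else if header.starts_with(b"MZ") {
        // Any file beginning with "MZ" matches; treat it as a lead, not proof.
        Some("PE/COFF")
    } else if header.starts_with(&[0xcf, 0xfa, 0xed, 0xfe])
        || header.starts_with(&[0xfe, 0xed, 0xfa, 0xcf])
    {
        Some("Mach-O")
    } else if header.starts_with(&[0xca, 0xfe, 0xba, 0xbe]) {
        // 0xCAFEBABE is shared with Java class files; flag it anyway.
        Some("Mach-O universal")
    } else {
        None
    }
}

/// Read just enough of `path` to classify it.
pub fn sniff_file(path: &Path) -> Option<&'static str> {
    let mut f = fs::File::open(path).ok()?;
    let mut header = [0u8; 4];
    let mut filled = 0;
    while filled < header.len() {
        match f.read(&mut header[filled..]) {
            Ok(0) => break,
            Ok(n) => filled += n,
            Err(_) => return None,
        }
    }
    executable_format(&header[..filled])
}

/// Walk `root` (e.g. a `vendor/` directory) and return every file that
/// carries an executable header, sorted for stable output.
pub fn find_binaries(root: &Path) -> Vec<(PathBuf, &'static str)> {
    let mut found = Vec::new();
    let mut stack = vec![root.to_path_buf()];
    while let Some(dir) = stack.pop() {
        let entries = match fs::read_dir(&dir) {
            Ok(e) => e,
            Err(_) => continue,
        };
        for entry in entries.flatten() {
            let path = entry.path();
            if path.is_dir() {
                stack.push(path);
            } else if let Some(fmt) = sniff_file(&path) {
                found.push((path, fmt));
            }
        }
    }
    found.sort();
    found
}

/// Constructed sample tree (an assumption, not a real crate): one Rust
/// source file and one file with an ELF header standing in for a
/// precompiled macro binary. The binary's file name is a placeholder.
pub fn build_sample_tree() -> PathBuf {
    let root = std::env::temp_dir().join(format!("vendor-scan-{}", std::process::id()));
    let crate_dir = root.join("serde_derive");
    fs::create_dir_all(crate_dir.join("src")).expect("create sample tree");
    fs::write(crate_dir.join("src/lib.rs"), "pub fn demo() {}\n").expect("write lib.rs");
    let mut blob = b"\x7fELF".to_vec();
    blob.extend_from_slice(&[2, 1, 1, 0]); // ELFCLASS64, little-endian, EV_CURRENT
    fs::write(crate_dir.join("serde_derive-x86_64-unknown-linux-gnu"), &blob)
        .expect("write sample binary");
    root
}

fn main() {
    // Point `find_binaries` at a real `vendor/` directory instead of the
    // sample tree to check your own dependencies.
    let root = build_sample_tree();
    let hits = find_binaries(&root);
    if hits.is_empty() {
        println!("no native binaries under {}", root.display());
    }
    for (path, fmt) in &hits {
        println!("{}: {}", fmt, path.display());
    }
    let _ = fs::remove_dir_all(&root);
}
```

Magic-byte sniffing is deliberately cheap and a little noisy (a text file that happens to begin with "MZ" is reported too), which is acceptable for a gate whose job is to surface anything that needs a human look. It tells you a binary is present; it says nothing about whether the binary matches the published source, so the second check, rebuilding the artifact from source and comparing hashes, still has to follow for any hit you decide to keep.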

Thanks to Michael Kearns for the tip off.

WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams

Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve

Re: Anomaly in Fedora dnf update: md5 mismatch of result

Posted by Matthew Fernandez on Aug 19

If the VM had no access to the internet even a retry would fail, no?

If an attempted update based on a delta-rpm fails, dnf falls back to
downloading a full rpm and using this instead.

Re: Anomaly in Fedora dnf update: md5 mismatch of result

Posted by Michael Lazin on Aug 19

I would test it using sha256 instead of md5 before you jump to conclusions
but dnf doesn't use https by default and you need to jump through hoops to
get it working. I would say if you are a fedora user open a feature
request for https for dnf with the fedora team if you can repeat this with
sha256.

Peace,

Michael

Re: Anomaly in Fedora dnf update: md5 mismatch of result

Posted by Adrean Boyadzhiev on Aug 19

Probably a completely different root cause, but I have noticed similar
behavior with a Debian-based distribution during `# apt upgrade` and
when there are many packages for update and the internet connection is
not so good. I haven't investigated, but my assumptions were either Race
Conditions within verification logic or some logic related to the timestamp.

To my knowledge `md5` should be ok for calculating hash sums, many
prefer it...

New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now

Networking hardware company Juniper Networks has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series. "By

Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection

Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the

WinRAR flaw enables remote code execution of arbitrary code

A flaw impacting the file archiver utility for Windows WinRAR can allow the execution of commands on a computer by opening an archive. WinRAR is a popular file compression and archival utility for Windows operating systems. The utility is affected by a now-fixed high-severity vulnerability, tracked as CVE-2023-40477 (CVSS score 7.8), that can allow remote […]

The post WinRAR flaw enables remote code execution of arbitrary code appeared first on Security Affairs.

The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice

While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggio's third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation.

For some time, LockBit has been at the top of the ransomware "industry," usually leading the pack in the number of victims based on the operation's data leak site.

However, as explained by DiMaggio, the LockBit operation appears to be slipping, with the gang having a serious storage infrastructure problem that impacts its ability to release stolen data and extort victims.

As with all enterprise-targeting ransomware operations, the threat actors first breach a network and quietly harvest data to be used in later extortion demands. Only after the valuable data has been stolen and backups deleted do they deploy the ransomware to begin encrypting files.

The stolen data is then used as leverage: if a ransom is not paid, it is published on the operation's data leak site.

However, DiMaggio has learned that LockBit has a serious storage issue, preventing the operation from properly leaking data and frustrating affiliates who want to use the data leak site as part of their extortion strategy.

"It has used propaganda on its leak site and a strong narrative across criminal forums to hide the fact it often cannot consistently publish stolen data," the researcher explained in his report.

"Instead, it relies on empty threats and its public reputation to convince victims to pay. Somehow, no one but affiliate partners noticed. This problem is due to limitations in its backend infrastructure and available bandwidth.

To make matters worse, the public-facing LockBit representative, LockBitSupp, disappeared for a while, not appearing on Tox or answering questions from affiliates.

This led to affiliates being concerned the operation was compromised, with some telling DiMaggio that they had begun to switch to new ransomware operations.

This chaos in the LockBit operation has not gone unnoticed by other security analysts, with Allan Liska also warning there has been a sharp decrease in the operation's activity.

Other ransomware news

In other ransomware news, we saw some great research released this week, including deep dives on new encryptors:

The MOVEit data theft attacks continue to be a thorn in the side of organizations worldwide, with Colorado warning that the data of 4 million people was stolen as part of these attacks.

Finally, a new phishing campaign was discovered, pushing the new Knight ransomware as TripAdvisor complaints.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @LawrenceAbrams, @fwosar, @BleepinComputer, @billtoulas, @serghei, @Seifreed, @demonslay335, @Jon__DiMaggio, @security_score, @vxunderground, @MsftSecIntel, @TrendMicro, @IBMSecurity, @felixw3000, @uptycs, @BushidoToken, @adlumin, and @pcrisk.

August 12th 2023

Knight ransomware distributed in fake Tripadvisor complaint emails

The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints.

August 14th 2023

Monti ransomware targets VMware ESXi servers with new Linux locker

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations.

Colorado warns 4 million of data stolen in IBM MOVEit breach

The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information.

Underground Ransomware deployed by Storm-0978 that exploited CVE-2023-36884

The Underground ransomware is the successor of the Industrial Spy ransomware and was deployed by a threat actor called Storm-0978. The malware stops a target service, deletes the Volume Shadow Copies, and clears all Windows event logs.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .tasa and .taoy extensions.

August 15th 2023

Ransomware Diaries: Volume 3 – LockBit’s Secrets

In this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit ransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about LockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate with evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed.

New Allahu Akbar ransomware variant

PCrisk found a new STOP ransomware variant that appends the .allahuakbar extension and drops a ransom note named how_to_decrypt.txt.

New Retch ransomware variant

PCrisk found a new ransomware variant that appends the .Retch extension and drops a ransom note named HOW TO RECOVER YOUR FILES.txt.

August 16th 2023

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention.

August 17th 2023

Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom

Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network.

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.

That's it for this week! Hope everyone has a nice weekend!

Friday Squid Blogging: Squid Brand Fish Sauce

Squid Brand is a Thai company that makes fish sauce:

It is part of Squid Brand’s range of “personalized healthy fish sauces” that cater to different consumer groups, which include the Mild Fish Sauce for Kids and Mild Fish Sauce for Silver Ages.

It also has a Vegan Fish Sauce.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Phishing Attack Targets Hundreds of Zimbra Customers in Four Continents

A good chunk of the entire user base of a particular email service is being targeted for sensitive credentials.

#OpFukushima: Anonymous group protests against the plan to dump Fukushima RADIOACTIVE wastewater into Pacific

#OpFukushima: The famous collective Anonymous has launched cyberattacks against Japan nuclear websites over Fukushima water plan. The hacker collective Anonymous has launched cyberattacks against nuclear power-linked groups in Japan as part of an operation called #OpFukushima. The campaign was launched to protest against the Government’s plan to release the treated radioactive water from the Fukushima […]

The post #OpFukushima: Anonymous group protests against the plan to dump Fukushima RADIOACTIVE wastewater into Pacific appeared first on Security Affairs.

Tel Aviv Stock Exchange CISO: Making Better Use Of Your SIEM

If rule writing for SIEMs isn't managed properly, it can lead to false positives and misconfigurations, which create extra work for the SOC team.

Expand Your Definition of ‘Endpoint,’ Get a Better Handle On Cloud Threats

In this Dark Reading News Desk segment, Sysdig's Anna Belak discusses how the boom in cloud services and applications expanded the definition of what constitutes an endpoint.
