Cyber Security Weekly Briefing January 16-22
ElevenPaths, 22 January 2021

SolarWinds Update

New details have been released about the software supply chain compromise unveiled in December. FireEye researchers have published an analysis that puts the focus on the threat actor called UNC2452, to which the incident is attributed. This group uses a combination of techniques to move laterally in the Microsoft 365 cloud: the theft of token signing certificates in ADFS; the modification or addition of trusted domains in Azure AD; the compromise of local user credentials with high privileges synchronized to M365; and finally, the abuse of a legitimate app's permissions by installing a backdoor. Meanwhile, Symantec researchers have discovered an additional piece of malware that would have been used as a secondary payload on several of the systems compromised by UNC2452. This malware, called Raindrop, is a payload mainly intended for the installation of Cobalt Strike.

The software company Malwarebytes has admitted in a statement to having been compromised by UNC2452, although not through SolarWinds Orion, but through the abuse of a third-party application with permissions within the corporate Office 365 tenant. They point out, however, that the threat actor only accessed a limited number of emails.

Microsoft researchers have provided more details on the mechanisms involved in the distribution of secondary payloads (Teardrop, Raindrop, etc.) from the Solorigate backdoor (SUNBURST, in FireEye's terminology), which is the origin of the compromises of public and private entities resulting from the trojanisation of the SolarWinds Orion software. The researchers show how the initial backdoor is only activated for specific victims by creating two files on disk: a VBScript, typically named after existing services or folders to simulate legitimate machine activity; and a DLL implant, which is a custom Cobalt Strike loader. The Cobalt Strike implant, however, is not executed directly; instead the attackers create an IFEO (Image File Execution Options) registry value for a commonly running Windows process, so that its activation is completely detached from the backdoor, making it difficult to detect and ensuring that Solorigate remains hidden. Apart from Teardrop and Raindrop, Microsoft claims to have detected other custom Cobalt Strike beacons. These DLLs are mainly placed in existing Windows subdirectories and are given names similar to legitimate files and directories to blend in with the environment as much as possible.

New Data on the Intrusion at the European Medicines Agency

Further details have been revealed of the unauthorised access to the European Medicines Agency (EMA) by cybercriminals in December, when they gained access to confidential documentation on the vaccine developed by Pfizer-BioNTech. In its latest statement, the Agency has confirmed that the cybercriminals leaked some of the documents they had access to on underground forums at the end of December, including internal emails related to the vaccine evaluation process, Word documents, PDFs, etc. In addition, the EMA has reported that some of this correspondence was manipulated prior to publication in order to undermine confidence in vaccines.

More details: https://www.ema.europa.eu/en/news/cyberattack-ema-update-5

FBI Warns of New Vishing Attacks

The Federal Bureau of Investigation (FBI) has issued a notice to private industry warning of the detection of telephone social engineering techniques aimed at acquiring corporate credentials that would allow access to the networks of national and international entities. The threat actors are reportedly using VoIP platforms (also known as IP telephony services) to contact employees of any level and guide them to a fraudulent website (e.g. a fake VPN interface) where they enter their login credentials. This first compromise provides them with an entry vector that is later used to gain greater privileges by finding other network users with permissions to create and modify e-mail accounts and usernames. This is the second warning of active vishing attacks against employees issued by the FBI since the beginning of the pandemic, after a growing number of them became home workers.

More information: https://beta.documentcloud.org/documents/20458329-cyber-criminals-exploit-network-access-and-privilege-escalation-bleepingcomputer-210115

DNSpooq: Seven Vulnerabilities That Allow DNS Hijacking

Security consultancy JSOF has revealed seven vulnerabilities in Dnsmasq, open source DNS forwarding software widely used to add capabilities to IoT devices and other embedded systems. Together, these flaws have been dubbed DNSpooq, and could be exploited for DNS cache poisoning, remote code execution or denial of service attacks against millions of affected devices. Three of the vulnerabilities (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) allow DNS spoofing attacks through cache poisoning: with this attack, threat actors can redirect users to malicious servers under their control without them noticing. The remaining four are buffer overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) that could allow remote code execution. While several workarounds exist, JSOF advises that the best and only full mitigation is to update Dnsmasq to version 2.83 or above.

All the information: https://www.jsof-tech.com/disclosures/dnspooq/

Exposed RDP Services Used to Amplify DDoS Attacks

Security researchers at Netscout have recently detected malicious exploitation of the Windows Remote Desktop Protocol (RDP) by threat actors as part of the infrastructure of stressers (on-demand DDoS services). The RDP service is typically configured to receive requests on port 3389, over TCP and/or UDP. When UDP is enabled, an amplification ratio of almost 86:1 can be achieved. The observed attacks range in size from 20 to 750 Gbps. All packets sent are of a consistent size, 1,260 bytes. According to the researchers, there are more than 14,000 servers susceptible to this type of abuse.

More details: https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
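To make the Netscout indicators above concrete from the defender's side, here is an added example (not part of the original briefing and not Netscout's tooling) that scans simplified flow records for the two signatures the section describes: UDP responses from port 3389 of a constant 1,260-byte size arriving from many distinct servers, which is what a victim's network edge sees, and the byte amplification ratio per server/peer pair, which is what the owner of an exposed RDP server sees. The flow format, addresses and byte counts are constructed for the example.

```python
"""Detect Windows RDP-over-UDP (port 3389) reflection/amplification in flow
records, using the indicators from the briefing: responses sourced from
UDP/3389, constant 1,260-byte packets and a high byte amplification ratio.

Added example, not Netscout's code. The flow records are constructed in a
simplified 'proto src sport dst dport packets bytes' format.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

RDP_PORT = 3389
RDP_REFLECTION_PKT_SIZE = 1260  # packet size reported for the observed attacks


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed flow records: 203.0.113.10 is the spoofed victim address,
# 198.51.100.5-7 are exposed RDP servers acting as reflectors, and
# 192.0.2.7/8 are ordinary RDP clients (one TCP session, one small UDP session).
SAMPLE_FLOWS = """\
udp 203.0.113.10 41234 198.51.100.5 3389 3 150
udp 198.51.100.5 3389 203.0.113.10 41234 10 12600
udp 203.0.113.10 41234 198.51.100.6 3389 3 150
udp 198.51.100.6 3389 203.0.113.10 41234 10 12600
udp 203.0.113.10 41234 198.51.100.7 3389 3 150
udp 198.51.100.7 3389 203.0.113.10 41234 10 12600
tcp 192.0.2.7 50111 198.51.100.5 3389 40 6000
udp 192.0.2.8 52000 198.51.100.5 3389 2 100
udp 198.51.100.5 3389 192.0.2.8 52000 2 1800
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed whitespace-separated flow format; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        proto, src, sport, dst, dport, packets, nbytes = parts
        flows.append(Flow(proto.lower(), src, int(sport), dst, int(dport),
                          int(packets), int(nbytes)))
    return flows


def amplification_ratios(flows: List[Flow]) -> Dict[Tuple[str, str], float]:
    """Bytes sent from UDP/3389 per byte received on UDP/3389, per (server, peer).

    Visible at the reflector's edge: a ratio far above 1 for a peer that
    never completes a real session means the server is being used as an
    amplifier against that (spoofed) peer address."""
    inbound: Dict[Tuple[str, str], int] = defaultdict(int)
    outbound: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == RDP_PORT:
            inbound[(f.dst, f.src)] += f.nbytes      # request into the server
        elif f.sport == RDP_PORT:
            outbound[(f.src, f.dst)] += f.nbytes     # response out of the server
    return {pair: outbound[pair] / inbound[pair]
            for pair in outbound if inbound.get(pair)}


def reflection_victims(flows: List[Flow], min_reflectors: int = 3,
                       packet_size: int = RDP_REFLECTION_PKT_SIZE) -> Dict[str, dict]:
    """Destinations receiving UDP/3389 responses of the attack's packet size
    from at least `min_reflectors` distinct servers.

    Uses only inbound response flows, so it also works at the victim's edge,
    where the spoofed requests are never seen."""
    reflectors: Dict[str, set] = defaultdict(set)
    volume: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.sport != RDP_PORT or f.packets == 0:
            continue
        if round(f.nbytes / f.packets) != packet_size:
            continue                                 # not the constant-size pattern
        reflectors[f.dst].add(f.src)
        volume[f.dst] += f.nbytes
    return {dst: {"reflectors": len(srcs), "bytes": volume[dst]}
            for dst, srcs in reflectors.items() if len(srcs) >= min_reflectors}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (server, peer), ratio in sorted(amplification_ratios(flows).items()):
        print(f"{server} -> {peer}: amplification {ratio:.1f}:1")
    for victim, info in reflection_victims(flows).items():
        print(f"victim {victim}: {info['reflectors']} reflectors, {info['bytes']} bytes")
```

The per-pair ratio is the quantity to alert on at the server side; the constant packet size and reflector fan-out are the victim-side signals. The mitigation that follows from the section is to stop exposing UDP/3389 to the internet: keep RDP behind a VPN or gateway, or disable the UDP transport if it is not needed.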
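The IFEO persistence described in the SolarWinds section above is something a defender can audit from a registry export. The following is an added example, not Microsoft's or ElevenPaths' code: it parses the text of a `reg export` of the Image File Execution Options key and reports every per-image `Debugger` value, rating those that launch a script host as suspicious. It assumes the attacker-set IFEO value is the `Debugger` value (the standard IFEO hijack mechanism); the process names, paths and registry contents in the sample are constructed for the example, not indicators from the incident.

```python
"""Audit an exported Image File Execution Options (IFEO) registry key for
Debugger values, the persistence mechanism the briefing describes for the
Solorigate second-stage Cobalt Strike loader.

Added example, not code from the briefing or from Microsoft. Assumes the
IFEO value of interest is the per-image "Debugger" value; the sample
export below is constructed and contains no real incident indicators.
"""
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Script/LOLBin hosts that a Debugger value should never launch on a production host
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample in `reg export` text format (real exports are UTF-16
# files; decode them before passing the text in). The dllhost.exe entry
# mimics a script-host hijack; the taskmgr.exe entry mimics a tool that was
# deliberately registered and only needs review.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe]
"Debugger"="wscript.exe C:\\Windows\\Temp\\update.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Tools\\procexp64.exe\""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _unescape(raw: str) -> str:
    """Decode a .reg string literal: drop the outer quotes, resolve \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value}}; strings are decoded, other types kept raw."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            tree[current][name] = _unescape(raw) if raw.startswith('"') else raw
    return tree


def _executable_of(command: str) -> str:
    """Lower-cased basename of the program a Debugger command line launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]   # quoted path, may contain spaces
    else:
        exe = command.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_debuggers(tree: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """List (image name, debugger command, verdict) for each IFEO subkey with a Debugger value.

    Verdict is "suspicious" when the debugger is a script host, else "review":
    every Debugger entry is worth confirming, since any of them runs in place
    of the named image each time that image starts."""
    findings = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in tree.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        for name, command in values.items():
            if name.lower() != "debugger":
                continue
            verdict = "suspicious" if _executable_of(command) in SCRIPT_HOSTS else "review"
            findings.append((image, command, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for image, command, verdict in find_ifeo_debuggers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{verdict}] {image}: Debugger = {command}")
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, decode the UTF-16 file and pass the text to `parse_reg_export`; the 32-bit view under `Wow6432Node` should be exported and checked the same way. Any Debugger entry you did not deliberately create deserves a look regardless of verdict, since the value redirects execution of the named image without the image itself being modified.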