Cyber Security News — Past 24 hours | 06.07.2021
WildPressure APT Emerges With New Malware Targeting Windows and macOS
A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, signaling an expansion in both its targets and its strategy for distributing threats. A Russian cybersecurity firm attributed the attacks to an advanced persistent threat it tracks as "WildPressure," with victims believed to be in the oil and gas industry. WildPressure first came to light in March 2020 based on a malware operation distributing a fully featured C++ Trojan dubbed "Milum" that enabled the threat actor to gain remote control of the compromised device. The new Python-based multi-OS Trojan, "Guard," which makes extensive use of publicly available third-party code, is engineered to beacon the victim machine's hostname, machine architecture, and OS release name to a remote server and check for installed anti-malware products, after which it awaits commands from the server that allow it to download and upload arbitrary files, execute commands, update the Trojan, and erase its traces from the infected host.
The VBScript version of the malware, named "Tandis," has capabilities similar to those of Guard and Milum, while using encrypted XML over HTTP for command-and-control communications. To date, there is neither clear visibility into the malware's spreading mechanism nor any strong code- or victim-based similarity with other known threat actors.
Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform
An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process.
In light of the growing number of cyber incidents that target the software supply chain, there is an urgent need to assess such third-party modules for any security risks and minimize the attack surface, ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.
“All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuTTYgen, programs that provide complex compression and network functionality,” Zanki explained. “They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities.”
In one instance, it was found that "WinSCPHelper," a remote server file management library that has been downloaded more than 35,000 times, uses an old and vulnerable WinSCP version, 5.11.2, whereas WinSCP version 5.17.10, released this January, addresses a critical arbitrary code execution flaw, thus exposing users of the package to the vulnerability.
Furthermore, the researchers established that more than 50,000 software components extracted from NuGet packages were statically linked to a vulnerable version of the "zlib" data compression library, rendering them vulnerable to a number of known security issues such as CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, and CVE-2016-9843.
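One way to check a local package cache for the two conditions the report describes, as an added example that is not ReversingLabs' code: each .nupkg is opened as a zip, every bundled DLL/EXE is searched for the copyright string zlib embeds in its inflate/deflate code (for example " inflate 1.2.8 Copyright 1995-2013 Mark Adler "), and the version found is compared with 1.2.11, the zlib release that fixed the four CVEs above. A bundled winscp.exe is extracted to a temp file so its PE version resource can be read and compared with the 5.17.10 threshold the report gives; the file name winscp.exe is an assumption about how the package ships the tool, and 7-Zip and PuTTYgen thresholds are left out because the page gives none.

```powershell
# Added example, not ReversingLabs' tooling: audit .nupkg files for a statically
# linked zlib older than 1.2.11 (the release that fixed CVE-2016-9840..9843) and
# for a bundled winscp.exe older than 5.17.10. zlib is detected through the
# copyright string its inflate.c/deflate.c embed in every build.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$FixedZlib   = [version]'1.2.11'
$ZlibPattern = '(?:inflate|deflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright'
# Minimum safe version per bundled tool. Only WinSCP's number is on the page;
# the file name is an assumption about how the package ships it.
$FixedTools  = @{ 'winscp.exe' = [version]'5.17.10' }

function Get-ZlibVersions {
    param([byte[]]$Bytes)
    # Latin-1 maps every byte to exactly one char, so binary data is searched losslessly.
    $text = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($Bytes)
    [regex]::Matches($text, $ZlibPattern) |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique
}

function Get-EntryBytes {
    param([System.IO.Compression.ZipArchiveEntry]$Entry)
    $stream = $Entry.Open()
    $ms = New-Object System.IO.MemoryStream
    try { $stream.CopyTo($ms); $ms.ToArray() } finally { $stream.Dispose(); $ms.Dispose() }
}

function Test-NupkgBundledBinaries {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -notmatch '\.(dll|exe)$') { continue }
            $bytes = Get-EntryBytes $entry

            foreach ($v in Get-ZlibVersions $bytes) {
                [pscustomobject]@{
                    Package = Split-Path $Path -Leaf; File = $entry.FullName
                    Component = 'zlib'; Found = $v
                    Vulnerable = ([version]$v -lt $FixedZlib)
                }
            }

            $tool = $entry.Name.ToLowerInvariant()
            if ($FixedTools.ContainsKey($tool)) {
                # FileVersionInfo only reads files on disk, so spill the entry to a temp file.
                $tmp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
                [System.IO.File]::WriteAllBytes($tmp, $bytes)
                try {
                    $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($tmp)
                    # Build the version from the numeric parts; the FileVersion string
                    # is free-form and not always parseable.
                    $ver = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                                          $fvi.FileBuildPart, $fvi.FilePrivatePart)
                    [pscustomobject]@{
                        Package = Split-Path $Path -Leaf; File = $entry.FullName
                        Component = $tool; Found = $ver.ToString()
                        Vulnerable = ($ver -lt $FixedTools[$tool])
                    }
                } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
            }
        }
    } finally { $zip.Dispose() }
}

# Usage: scan the current user's NuGet cache and list only the hits.
Get-ChildItem "$env:USERPROFILE\.nuget\packages" -Recurse -Filter *.nupkg |
    ForEach-Object { Test-NupkgBundledBinaries $_.FullName } |
    Where-Object Vulnerable |
    Format-Table Package, File, Component, Found -AutoSize
```

The string match only proves presence: a build that strips or rewrites the copyright string will not be found, so a clean scan is not evidence that no vulnerable zlib is linked in. Packages that pull the tools in as NuGet dependencies rather than bundling them will not show up here either; those are caught by the normal dependency audit of the lock file.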
[Whitepaper] XDR vs. NDR/NTA — What do Organizations Truly Need to Stay Safe?
Most teams will have to choose between deploying either a network traffic analysis (NTA) or network detection and response (NDR) tool or an endpoint detection and response (EDR) tool to supplement their existing stacks. Some organizations instead get the best of both options by switching to extended detection and response (XDR) tools, which often provide all of these capabilities in one solution. This is the key takeaway of a new whitepaper by security provider Cynet. NDR tools can detect a wide range of malicious activities and anomalous behaviors, among them network-based reconnaissance.
They do not require endpoint installation and do not impact live network traffic, which makes them well suited to organizations where users are not expected to install agents. On the other hand, network analytics tools fall short when it comes to protecting individual endpoints: they are not equipped to detect malicious file activity, process execution, and other indicators of endpoint compromise.
Consolidating into an XDR platform removes the multiple-panes-of-glass problem and lets organizations work from a single pane.
Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability
Tracked as CVE-2021-34527, the remote code execution flaw impacts all supported editions of Windows. "The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system," the CERT Coordination Center said of the issue. It is worth noting that PrintNightmare includes both a remote code execution and a local privilege escalation vector, either of which can be abused to run commands with SYSTEM privileges on targeted Windows machines. "The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution variants of the PrintNightmare, and not the Local Privilege Escalation variant," CERT/CC vulnerability analyst Will Dormann said.
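Because the out-of-band update covers only the remote vector, the practical question on each host is whether the Print Spooler is running at all and whether the Point and Print policy undermines the patch. The script below is an added example, not Microsoft's or CERT/CC's tooling: it reports the spooler's state, whether the "Allow Print Spooler to accept client connections" policy still lets remote clients in (its backing registry value RegisterSpoolerRemoteRpcEndPoint is 2 when disabled), and whether either of the two Point and Print values that Microsoft's guidance for this CVE says must be 0 or absent has been set to 1. With -Disable it applies the documented workaround of stopping and disabling the service.

```powershell
# Added example, not Microsoft's or CERT/CC's own tooling: audit a host for
# CVE-2021-34527 exposure and, with -Disable, apply the Print Spooler mitigation.
# Run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Disable)

$PnPKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
# Per Microsoft's guidance for this CVE these must be 0 or absent for the update to protect the host.
$RiskyValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # $null means the policy is not configured (key or value absent).
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PointAndPrintHardened {
    # $true unless either value is explicitly set to a non-zero number.
    foreach ($name in $RiskyValues) {
        $val = Get-RegistryDword -Key $PnPKey -Name $name
        if ($null -ne $val -and [int]$val -ne 0) { return $false }
    }
    return $true
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler
    # Registry value behind "Allow Print Spooler to accept client connections":
    # 2 = disabled; absent or 1 = remote clients accepted (the default).
    $remoteRpc = Get-RegistryDword -Key $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
    [pscustomobject]@{
        SpoolerStatus         = $svc.Status
        SpoolerStartType      = $svc.StartType
        AcceptsRemoteClients  = ($remoteRpc -ne 2)
        PointAndPrintHardened = Test-PointAndPrintHardened
        # The remote vector needs a reachable spooler; the local one only a running one.
        RemoteExposure        = ($svc.Status -eq 'Running' -and $remoteRpc -ne 2)
        LocalExposure         = ($svc.Status -eq 'Running')
    }
}

function Disable-Spooler {
    # Documented workaround: stop the service and keep it from coming back on reboot.
    # All printing from this host, including print-to-PDF, stops working.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

$before = Get-SpoolerExposure
$before | Format-List

if ($Disable -and $before.SpoolerStatus -eq 'Running') {
    Disable-Spooler
    Get-SpoolerExposure | Format-List
}
```

Run it without -Disable first and review LocalExposure: a host that is patched but still runs the spooler remains exposed to the local privilege escalation variant Dormann describes, so on domain controllers and servers that never print, -Disable is the safer state even after the update. Hosts that must print can at least leave RemoteExposure false by disabling client connections through the policy instead of the service.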
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT