Cyber Security News — Past 24 hours | 25.06.2021

Pakistan-linked hackers targeted Indian power company with ReverseRat

A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.

The intrusions are notable for several reasons: beyond their highly targeted nature, the adversary's tactics, techniques, and procedures rely on repurposed open-source code and on compromised domains in the same country as the targeted entity to host the malicious files.

At the same time, the group has taken care to hide its activity by modifying registry keys, which lets it maintain persistence on the target device without attracting attention.

The lure documents largely describe events relevant to India: some are disguised as a user manual for registering and booking a COVID-19 vaccination appointment through the CoWIN online portal, while others masquerade as material from the Bombay Sappers, a regiment of the Corps of Engineers of the Indian Army.

Irrespective of the PDF decoy displayed to the victim, the HTA file, itself JavaScript based on the GitHub project CactusTorch, is used to inject 32-bit shellcode into a running process and ultimately install a .NET backdoor called ReverseRat. The backdoor runs the typical spyware gamut: it can capture screenshots, terminate processes, execute arbitrary executables, perform file operations, and upload data to a remote server.
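As an added example (not code from the research above or from the CactusTorch project), the heuristic below scores an .hta for the DotNetToJScript-style loader pattern that CactusTorch builds on: a BinaryFormatter created through ActiveXObject, a Deserialize_2 call, DynamicInvoke/CreateInstance, and a large embedded base64 blob carrying the serialized .NET object and shellcode. The indicator list, weights and threshold are assumptions chosen for this illustration, and both samples are constructed stand-ins with inert placeholders, not real droppers.

```python
"""Heuristic triage of an .hta for a DotNetToJScript-style .NET loader.

Added example, not code from the report or the CactusTorch project.  The indicator
list, weights and threshold are assumptions chosen for this illustration.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight).  The deserialisation trio is what matters: a script that
# creates a BinaryFormatter via ActiveXObject and calls Deserialize_2 is loading a
# serialized .NET object, which no ordinary HTA needs to do.
INDICATORS = [
    ("hta_wrapper", re.compile(r"<\s*hta:application", re.I), 1),
    ("binaryformatter_activex", re.compile(
        r"ActiveXObject\(\s*['\"]System\.Runtime\.Serialization\.Formatters\.Binary\.BinaryFormatter['\"]",
        re.I), 3),
    ("deserialize_2", re.compile(r"\.Deserialize_2\s*\(", re.I), 3),
    ("dynamic_invoke", re.compile(r"\.DynamicInvoke\s*\(", re.I), 2),
    ("create_instance", re.compile(r"\.CreateInstance\s*\(", re.I), 1),
    ("dotnet_stream_helpers", re.compile(r"System\.IO\.MemoryStream|System\.Text\.ASCIIEncoding", re.I), 1),
    ("shellcode_variable", re.compile(r"\bshellcode(32|64)?\b", re.I), 2),
    ("window_hiding", re.compile(r"window\.resizeTo\s*\(\s*0\s*,\s*0\s*\)", re.I), 1),
]
# A quoted run of 200+ base64 characters: the serialized object and/or the shellcode.
LONG_BASE64 = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    base64_blobs: int = 0

    def suspicious(self, threshold: int = 6) -> bool:
        return self.score >= threshold


def scan_hta(text: str) -> ScanResult:
    """Score one HTA/JScript document; a higher score is more loader-like."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.hits.append(name)
            result.score += weight
    result.base64_blobs = len(LONG_BASE64.findall(text))
    if result.base64_blobs:
        result.score += 2
    return result


def scan_file(path: str) -> ScanResult:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_hta(fh.read())


# Constructed sample: the shape of a DotNetToJScript-style loader with an inert
# placeholder where a real dropper would carry its serialized payload.  Not malware.
LOADER_SHAPED_SAMPLE = (
    '<html><head><hta:application windowstate="minimize" showintaskbar="no"/>\n'
    '<script language="JScript">\n'
    'window.resizeTo(0, 0);\n'
    'var serialized_obj = "' + "A" * 400 + '";\n'
    'var entry_class = "Loader";\n'
    'var shellcode32 = "QUFB";\n'
    'function base64ToStream(b) {\n'
    '  var enc = new ActiveXObject("System.Text.ASCIIEncoding");\n'
    '  var ms = new ActiveXObject("System.IO.MemoryStream");\n'
    '  return ms;\n'
    '}\n'
    'var stm = base64ToStream(serialized_obj);\n'
    'var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");\n'
    'var al = new ActiveXObject("System.Collections.ArrayList");\n'
    'var d = fmt.Deserialize_2(stm);\n'
    'al.Add(undefined);\n'
    'var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);\n'
    '</script></head></html>\n'
)
# Constructed benign HTA: a wrapper and a message box, nothing else.
BENIGN_SAMPLE = (
    '<html><head><hta:application id="helpdesk"/>\n'
    '<script language="JScript">alert("Please open the attached PDF.");</script>\n'
    '</head></html>\n'
)

if __name__ == "__main__":
    for label, sample in (("loader-shaped", LOADER_SHAPED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_hta(sample)
        print(f"{label}: score={r.score} suspicious={r.suspicious()} hits={r.hits}")
```

Variable names such as `serialized_obj` and `entry_class` are trivial for an operator to rename, so the weighting leans on the ActiveXObject/BinaryFormatter/Deserialize_2 combination, which a loader cannot drop without changing how it gets its .NET object into memory. Treat the output as triage, not a verdict: confirm a hit by detonating the file or by decoding the blob.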

Source —

Python Package Index Repository Detected With Multiple Malicious Packages

All of the malicious packages were uploaded from the same account, and their names typosquat genuine Python projects so that developers who mistype a name install them instead; between them they were downloaded thousands of times. The Python software repository is stylised as PyPI and is also referred to as the Cheese Shop; some package managers, notably pip, use PyPI as their default package source. In April, six harmful packages were published to the Python Package Index: maratlib, maratlib1, matplatlib-plus, mllearnlib, mplatlib and learning lab.

The researcher said the packages were also pulled in as dependencies by other malicious components. He writes: «For each of these packages, the malicious code is contained in the setup.py». Attackers routinely target open-source code repositories such as PyPI, NPM for Node.js and RubyGems. Although such packages attract little attention while their download counts are low, there is a real risk that developers will incorporate the malicious code into applications.

Source —

Intrusion Prevention System (IPS) In-depth Analysis — A Detailed Guide

Like an intrusion detection system (IDS), an intrusion prevention system (IPS) inspects network traffic. An IPS monitors a network for malicious activity, such as exploit attempts or policy violations.

Vulnerability exploits normally arrive as malicious input to a target application or resource, which the attacker uses to interrupt and take control of the application or system.

Intrusion prevention systems are considered extensions of intrusion detection systems, since both monitor network traffic and system activity for malicious behaviour.

The fundamental difference is that, unlike an intrusion detection system, an intrusion prevention system is placed in-line in the traffic path and can actively prevent or block the intrusions it recognises, rather than only alerting on them.

Organizations used to deploy one sensor per network segment, but a single sensor can now monitor several network segments simultaneously.

In order to monitor key network segments throughout an organization, IPS sensors are typically deployed wherever networks with different security policies meet, such as Internet connection points, or where internal user networks connect to internal server networks.

In addition to hardware appliance sensors, some vendors also offer virtual appliance sensors.
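The in-line distinction above is easiest to see in code. The toy sensor below, an added example that is not any vendor's product or rule language, runs the same three signatures in both placements: out-of-band (detection: every packet passes and a match only raises an alert) and in-line (prevention: a match returns a drop verdict before the packet reaches the host). The packet model, the rules and the sample traffic are constructed for the illustration.

```python
"""A toy sensor that runs the same signatures out-of-band (IDS) and in-line (IPS).

Added example, not any vendor's product or rule language; the packet model, rules
and traffic below are constructed for the illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dport: int
    pattern: re.Pattern   # bytes regex applied to the payload


# Assumed signatures for three common web-facing exploit attempts.
RULES = [
    Rule(1000001, "HTTP directory traversal", 80, re.compile(rb"\.\./(\.\./)+")),
    Rule(1000002, "SQL injection: UNION SELECT in request", 80,
         re.compile(rb"(?i)union(\s|\+|%20)+select")),
    Rule(1000003, "Shell metacharacter in query string", 80,
         re.compile(rb"[?&][^ \r\n]*[;|`]")),
]


class Sensor:
    """inline=False mirrors an IDS on a tap or SPAN port; inline=True an IPS in the path."""

    def __init__(self, rules, inline: bool):
        self.rules = rules
        self.inline = inline
        self.alerts = []   # (sid, msg, src, dst) in arrival order

    def inspect(self, pkt: Packet) -> str:
        """Verdict for one packet: 'pass' or 'drop'.  Both placements alert; only the
        in-line one can return 'drop', because only it sits between sender and host."""
        matched = [r for r in self.rules
                   if r.dport == pkt.dport and r.pattern.search(pkt.payload)]
        for r in matched:
            self.alerts.append((r.sid, r.msg, pkt.src, pkt.dst))
        return "drop" if matched and self.inline else "pass"


def run(sensor: Sensor, packets) -> list:
    """Inspect packets in order and return the list of verdicts."""
    return [sensor.inspect(p) for p in packets]


# Constructed traffic: one benign request, three exploit attempts, one non-HTTP flow.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /search?q=1+union+select+user,pass HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /ping?host=127.0.0.1;id HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", "192.0.2.20", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
]

if __name__ == "__main__":
    for inline in (False, True):
        s = Sensor(RULES, inline=inline)
        print("IPS" if inline else "IDS", run(s, SAMPLE_TRAFFIC), len(s.alerts), "alerts")
```

The same code path also shows why in-line placement raises the stakes: a signature that is merely noisy on an IDS (an extra alert) drops legitimate traffic on an IPS, and the sensor itself becomes a point of failure in the path, so whether it fails open or fails closed has to be decided before deployment, not after the first outage.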

Source —

Flaws in Dell BIOSConnect feature affect 128 device models

Researchers from cybersecurity firm Eclypsium discovered multiple vulnerabilities in the BIOSConnect feature of Dell Client BIOS that a privileged network attacker could chain to execute arbitrary code at the BIOS/UEFI level of an affected device. "This chain of vulnerabilities has a cumulative CVSS score of 8.3 because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device," reads the post published by Eclypsium. "Such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls."

The flaws affect 129 models of consumer and business Dell laptops, desktops and tablets, including devices protected by Secure Boot and Dell Secured-core PCs. BIOSConnect provides network-based boot recovery: when the hard drive fails or the original recovery partition is corrupted, the BIOS connects to Dell's servers over HTTPS and downloads an operating system recovery image. Dell fixed two of the flaws on its server side and has released client-side BIOS firmware updates to address the other two.

Dell also provides workarounds to disable both the BIOSConnect and HTTPS Boot features.

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT


